sftp-server-ci: setup on v-ps-fal

Author: xddxdd

dns/domains/xuyh0120.win.nix

@@ -132,6 +132,12 @@ let
       target = "v-ps-fal.ltnet.xuyh0120.win.";
       ttl = "1h";
     }
+    {
+      recordType = "CNAME";
+      name = "sftp-ci";
+      target = "v-ps-fal";
+      ttl = "1h";
+    }
     {
       recordType = "CNAME";
       name = "stats";

flake.lock

@@ -26,6 +26,7 @@
     ../../nixos/optional-apps/plausible
     ../../nixos/optional-apps/quassel.nix
     ../../nixos/optional-apps/rsshub.nix
+    ../../nixos/optional-apps/sftp-server-ci.nix
     ../../nixos/optional-apps/tg-bot-cleaner-bot
     ../../nixos/optional-apps/waline.nix
 

hosts/v-ps-fal/configuration.nix

@@ -0,0 +1,51 @@
+{
+  pkgs,
+  lib,
+  LT,
+  config,
+  utils,
+  inputs,
+  ...
+}@args:
+let
+  sshKeys = import (inputs.secrets + "/ssh/sftp-ci.nix");
+in
+{
+  users.users.ci = {
+    home = "/run/sftp-ci";
+    group = "ci";
+    createHome = true;
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = sshKeys;
+  };
+
+  users.groups.ci = { };
+
+  services.openssh.extraConfig = ''
+    Match User ci
+      ForceCommand internal-sftp
+      PasswordAuthentication no
+      ChrootDirectory ${config.users.users.ci.home}
+      PermitTunnel no
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      X11Forwarding no
+  '';
+
+  fileSystems."/run/sftp-ci" = {
+    device = "/nix/persistent/sync-servers";
+    fsType = "fuse.bindfs";
+    options = [
+      "force-user=ci"
+      "force-group=ci"
+      "perms=755"
+      "create-for-user=root"
+      "create-for-group=root"
+      "chmod-ignore"
+      "chown-ignore"
+      "chgrp-ignore"
+      "xattr-none"
+      "x-gvfs-hide"
+    ];
+  };
+}