3 files changed, 59 insertions, 4 deletions

diff --git a/hel.nix b/hel.nix
index aa276f8f..f4ab6d70 100644
--- a/hel.nix
+++ b/hel.nix
@@ -99,7 +99,20 @@
       HandleSuspendKey=sleep
     '';
 
-    openssh.enable = true;
+    openssh = {
+      enable = true;
+      extraConfig = ''
+        Match User media
+          ForceCommand internal-sftp
+          PermitTTY no
+          AllowTcpForwarding no
+          AllowStreamLocalForwarding no
+          X11Forwarding no
+          AllowAgentForwarding no
+          ChrootDirectory /run/%u
+          AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+      '';
+    };
 
     xserver = {
       enable = true;
@@ -238,10 +251,20 @@
   
     extraUsers.root = { inherit (import ./users/gkleen.nix) shell hashedPassword; };
 
+    extraUsers.media = {
+      group = "media";
+      home = "/var/media";
+      isSystemUser = true;
+      openssh.authorizedKeys.keyFiles = [
+        ./users/keys/gkleen-media-hel.pub
+      ];
+      useDefaultShell = true;
+    };
+
     extraGroups = {
       network = {};
       media = {
-        members = [ "gkleen" "uucp" ];
+        members = [ "gkleen" "uucp" "media" ];
       };
       networkmanager = {
         members = [ "gkleen" ];
@@ -330,5 +353,27 @@
   virtualisation.virtualbox.host = {
     enable = true;
   };
+
+  systemd.automounts = [
+    { enable = true;
+      where = "/run/media/var/media";
+      automountConfig = {
+        DirectoryMode = "700";
+      };
+      wantedBy = [ "local-fs.target" ];
+    }
+  ];
+
+  systemd.mounts = [
+    { enable = true;
+      where = "/run/media/var/media";
+      what = "/var/media";
+      type = "none";
+      options = "bind";
+      mountConfig = {
+        DirectoryMode = "700";
+      };
+    }
+  ];
 }
 
diff --git a/users/keys/gkleen-media@hel.pub b/users/keys/gkleen-media-hel.pub
index 064eaaf7..064eaaf7 100644
--- a/users/keys/gkleen-media@hel.pub
+++ b/users/keys/gkleen-media-hel.pub
diff --git a/vali.nix b/vali.nix
index 958faf2f..d6e6df4c 100644
--- a/vali.nix
+++ b/vali.nix
@@ -55,6 +55,7 @@ rec {
     tmux
     mosh
     ntfs3g
+    sshfsFuse
   ];
 
   # List services that you want to enable:
@@ -74,6 +75,8 @@ rec {
   # services.xserver.displayManager.kdm.enable = true;
   # services.xserver.desktopManager.kde4.enable = true;
 
+  users.mutableUsers = false;
+
   users.extraUsers.root = let
     template = (import users/gkleen.nix);
     in {
@@ -81,6 +84,11 @@ rec {
         openssh.authorizedKeys.keyFiles = template.openssh.authorizedKeys.keyFiles;
       };
 
+  users.extraGroups.media = {
+    gid = 498;
+    members = [ "gkleen" ];
+  };
+
   system.activationScripts = let
     setupUsers = pkgs.callPackage custom/dotfiles.nix {};
     toRec = name : {
@@ -168,16 +176,18 @@ rec {
   #     automountConfig = {
   #       DirectoryMode = "555";
   #     };
+  #     wantedBy = [ "remote-fs.target" ];
   #   }
   # ];
 
   # systemd.mounts = [
   #   { enable = true;
   #     where = "/var/media";
-  #     what = "gkleen@hel.asgard.yggdrasil:/var/media";
+  #     what = "media@hel.asgard.yggdrasil:/var/media";
   #     type = "fuse.sshfs";
-  #     options = "users,idmap=gkleen,IdentityFile=/home/user/.ssh/id_ed25519,allow_other,reconnect,_netdev";
+  #     options = "idmap=user,IdentityFile=/home/gkleen/.ssh/media@hel,allow_other,reconnect,_netdev";
   #     mountConfig = {
+  #       Environment = "PATH=/run/current-system/sw/bin:/run/current/system/sw/sbin";
   #       DirectoryMode = "555";
   #     };
   #   }