From e7d9599150dc4df6e90adfaf40c36184fae3d9af Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 4 Sep 2016 19:20:04 +0200
Subject: use media@hel key on vali

---
 vali.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vali.nix b/vali.nix
index d96ec7db..63f28fbd 100644
--- a/vali.nix
+++ b/vali.nix
@@ -176,7 +176,7 @@ rec {
 where = "/var/media";
 what = "gkleen@hel.asgard.yggdrasil:/var/media";
 type = "fuse.sshfs";
- options = "users,idmap=gkleen,IdentityFile=/home/user/.ssh/id_ed25519,allow_other,reconnect,_netdev";
+ options = "users,idmap=gkleen,IdentityFile=/home/user/.ssh/id_media@hel,allow_other,reconnect,_netdev";
 mountConfig = {
 DirectoryMode = "555";
 };
-- cgit v1.2.3
From 156473a609c35006f81bd7bdf68daf35bba03239 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 4 Sep 2016 19:21:05 +0200
Subject: idmap does not take a username

---
 vali.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vali.nix b/vali.nix
index 63f28fbd..2d8fe6b7 100644
--- a/vali.nix
+++ b/vali.nix
@@ -174,9 +174,9 @@ rec {
 systemd.mounts = [
 { enable = true;
 where = "/var/media";
- what = "gkleen@hel.asgard.yggdrasil:/var/media";
+ what = "media@hel.asgard.yggdrasil:/var/media";
 type = "fuse.sshfs";
- options = "users,idmap=gkleen,IdentityFile=/home/user/.ssh/id_media@hel,allow_other,reconnect,_netdev";
+ options = "users,idmap=user,IdentityFile=/home/user/.ssh/id_media@hel,allow_other,reconnect,_netdev";
 mountConfig = {
 DirectoryMode = "555";
 };
-- cgit v1.2.3
From 9bd8491456db17d48639a11d2868632dd084ebc0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 4 Sep 2016 19:26:25 +0200
Subject: media on hel

---
 hel.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/hel.nix b/hel.nix
index aa276f8f..533a6bc0 100644
--- a/hel.nix
+++ b/hel.nix
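Review bot: Nothing in the `options` line tells the root-run mount unit which host key to expect from `hel.asgard.yggdrasil`, so the non-interactive mount will fail host-key verification unless root's known_hosts already holds it; the same applies to the final form of this line in the `typos` commit at the end of the page. Pin the key declaratively (NixOS's `programs.ssh.knownHosts`, if this release has it) rather than reaching for `StrictHostKeyChecking=no`, which would make the unit accept any host answering to that name. Failing closed is the right default here; the goal is to make the mount succeed deterministically. The `systemd.mounts` list this entry belongs to closes outside the hunk.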
@@ -99,7 +99,17 @@ HandleSuspendKey=sleep ''; - openssh.enable = true; + openssh = { + enable = true; + extraConfig = '' + Match User media + ForceCommand ${pkgs.openssh}/libexec/sftp-server + PermitTTY no + AllowPortForwarding no + AllowX11Forwarding no + AllowAgentForwarding no + ''; + }; xserver = { enable = true; @@ -238,10 +248,19 @@ extraUsers.root = { inherit (import ./users/gkleen.nix) shell hashedPassword; }; + extraUsers.media = { + group = "media"; + home = "/var/media"; + isSystemUser = true; + openssh.authorizedKeys.keyFiles = [ + users/keys/gkleen-media@hel.pub + ]; + }; + extraGroups = { network = {}; media = { - members = [ "gkleen" "uucp" ]; + members = [ "gkleen" "uucp" "media" ]; }; networkmanager = { members = [ "gkleen" ]; -- cgit v1.2.3 From a1793a824a2960862bfb77bb8463e666e778f2fc Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:27:17 +0200 Subject: syntax --- hel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hel.nix b/hel.nix index 533a6bc0..c29f4cbb 100644 --- a/hel.nix +++ b/hel.nix @@ -253,7 +253,7 @@ home = "/var/media"; isSystemUser = true; openssh.authorizedKeys.keyFiles = [ - users/keys/gkleen-media@hel.pub + "./users/keys/gkleen-media@hel.pub" ]; }; -- cgit v1.2.3 From c5db0558b88801ccd74f0f69a38fef873a949839 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:28:42 +0200 Subject: escaping? --- hel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hel.nix b/hel.nix index c29f4cbb..3f5017dc 100644 --- a/hel.nix +++ b/hel.nix @@ -253,7 +253,7 @@ home = "/var/media"; isSystemUser = true; openssh.authorizedKeys.keyFiles = [ - "./users/keys/gkleen-media@hel.pub" + ./users/keys/gkleen-media\@hel.pub ]; }; -- cgit v1.2.3 From 8441452e63066a83c1eab4164e2eeb6adef1bd62 Mon Sep 17 00:00:00 2001 
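Review bot: The `Match User media` block limits what the account may do after login but not how it logs in; `PasswordAuthentication no` (and `PermitTunnel no` alongside the forwarding directives) inside the same block keeps the account key-only even if a password is ever set on it, which `isSystemUser = true` in the second hunk does not by itself prevent. Since a `Match` block scopes every directive that follows it in the generated sshd_config, any text other modules contribute to `extraConfig` after this one would silently apply only to `media`; if that can happen, order this fragment last (e.g. `lib.mkAfter`). The enclosing attribute set continues outside the hunk.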
From: Gregor Kleen Date: Sun, 4 Sep 2016 19:29:14 +0200 Subject: =?UTF-8?q?fine=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hel.nix | 2 +- users/keys/gkleen-media-hel.pub | 1 + users/keys/gkleen-media@hel.pub | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 users/keys/gkleen-media-hel.pub delete mode 100644 users/keys/gkleen-media@hel.pub diff --git a/hel.nix b/hel.nix index 3f5017dc..41d9ab02 100644 --- a/hel.nix +++ b/hel.nix @@ -253,7 +253,7 @@ home = "/var/media"; isSystemUser = true; openssh.authorizedKeys.keyFiles = [ - ./users/keys/gkleen-media\@hel.pub + ./users/keys/gkleen-media-hel.pub ]; }; diff --git a/users/keys/gkleen-media-hel.pub b/users/keys/gkleen-media-hel.pub new file mode 100644 index 00000000..064eaaf7 --- /dev/null +++ b/users/keys/gkleen-media-hel.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiOnX9vAYN11HMv+6jq+b8JYO/x/K9bIlcxy/5V914V gkleen@vali diff --git a/users/keys/gkleen-media@hel.pub b/users/keys/gkleen-media@hel.pub deleted file mode 100644 index 064eaaf7..00000000 --- a/users/keys/gkleen-media@hel.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiOnX9vAYN11HMv+6jq+b8JYO/x/K9bIlcxy/5V914V gkleen@vali -- cgit v1.2.3 From e2cde1f2db2d55409c9ad5fa526abd763153fbb8 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:32:03 +0200 Subject: sshd syntax is crap. --- hel.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hel.nix b/hel.nix index 41d9ab02..5d4eb207 100644 --- a/hel.nix +++ b/hel.nix @@ -105,8 +105,9 @@ Match User media ForceCommand ${pkgs.openssh}/libexec/sftp-server PermitTTY no - AllowPortForwarding no - AllowX11Forwarding no + AllowTcpForwarding no + AllowStreamLocalForwarding no + X11Forwarding no AllowAgentForwarding no ''; }; -- cgit v1.2.3 From 3ba89d0aee54598b2d6bf93f56ba58f0faad23b4 Mon Sep 17 00:00:00 2001 
From: Gregor Kleen Date: Sun, 4 Sep 2016 19:34:16 +0200 Subject: default shell for media --- hel.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hel.nix b/hel.nix index 5d4eb207..3dfbe6f4 100644 --- a/hel.nix +++ b/hel.nix @@ -256,6 +256,7 @@ openssh.authorizedKeys.keyFiles = [ ./users/keys/gkleen-media-hel.pub ]; + useDefaultShell = true; }; extraGroups = { -- cgit v1.2.3 From af90c204cf2e5691835005c470522ffcf39dff32 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:36:13 +0200 Subject: media can only access /var/media --- hel.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hel.nix b/hel.nix index 3dfbe6f4..3ab495b7 100644 --- a/hel.nix +++ b/hel.nix @@ -109,6 +109,7 @@ AllowStreamLocalForwarding no X11Forwarding no AllowAgentForwarding no + ChrootDirectory %h ''; }; -- cgit v1.2.3 From e882dec1dac888862824b3d0c0619f78669613fd Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:39:11 +0200 Subject: no user writable authorized_keys --- hel.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hel.nix b/hel.nix index 3ab495b7..759441f7 100644 --- a/hel.nix +++ b/hel.nix @@ -110,6 +110,7 @@ X11Forwarding no AllowAgentForwarding no ChrootDirectory %h + AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u ''; }; -- cgit v1.2.3 From 4b648422c3a78897e4855734aa962f255afab30e Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:44:12 +0200 Subject: bind mount --- hel.nix | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/hel.nix b/hel.nix index 759441f7..bc2d520f 100644 --- a/hel.nix +++ b/hel.nix @@ -109,7 +109,7 @@ AllowStreamLocalForwarding no X11Forwarding no AllowAgentForwarding no - ChrootDirectory %h + ChrootDirectory /run/%u AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u ''; }; 
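Review bot: `AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u` is the line that keeps members of the `media` group from planting keys under the account's group-writable home, but the config itself does not say so; a comment above it in the Match block, `# home is the shared /var/media tree: never consult %h/.ssh/authorized_keys for this account`, would stop a later cleanup from removing it. Because a Match-scoped `AuthorizedKeysFile` replaces the global list rather than extending it, the entry must keep being generated from `openssh.authorizedKeys.keyFiles` on the `media` user, which the NixOS module appears to do at exactly that path. The Match block begins outside the hunk.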
@@ -353,5 +353,26 @@ virtualisation.virtualbox.host = { enable = true; }; + + systemd.automounts = [ + { enable = true; + where = "/run/media"; + automountConfig = { + DirectoryMode = "700"; + }; + } + ]; + + systemd.mounts = [ + { enable = true; + where = "/run/media"; + what = "/var/media"; + type = "none"; + options = "bind"; + mountConfig = { + DirectoryMode = "700"; + }; + } + ]; } -- cgit v1.2.3 From 09dfe36a3c02f3731c7171936a7f297d09c23ff0 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:45:13 +0200 Subject: start automount --- hel.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hel.nix b/hel.nix index bc2d520f..77601a5e 100644 --- a/hel.nix +++ b/hel.nix @@ -360,6 +360,7 @@ automountConfig = { DirectoryMode = "700"; }; + wantedBy = "local-fs.target"; } ]; -- cgit v1.2.3 From 69792c7c2748f77ac461b1e7f7385f3c410e4d93 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:45:29 +0200 Subject: syntax --- hel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hel.nix b/hel.nix index 77601a5e..37e5144c 100644 --- a/hel.nix +++ b/hel.nix @@ -360,7 +360,7 @@ automountConfig = { DirectoryMode = "700"; }; - wantedBy = "local-fs.target"; + wantedBy = [ "local-fs.target" ]; } ]; -- cgit v1.2.3 From 664d7aa4bdb48c15abb236fba86d21619595ee54 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:46:39 +0200 Subject: better bind mount location --- hel.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hel.nix b/hel.nix index 37e5144c..26d55ca9 100644 --- a/hel.nix +++ b/hel.nix @@ -356,7 +356,7 @@ systemd.automounts = [ { enable = true; - where = "/run/media"; + where = "/run/media/var/media"; automountConfig = { DirectoryMode = "700"; }; @@ -366,7 +366,7 @@ systemd.mounts = [ { enable = true; - where = "/run/media"; + where = "/run/media/var/media"; what = "/var/media"; type = "none"; options = "bind"; -- cgit v1.2.3 
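Review bot: `DirectoryMode = "700"` on both new units makes `/run/media` — the `ChrootDirectory /run/%u` root chosen for the `media` account — and its `var` subdirectory root-only, so once sshd has chrooted and dropped privileges, an absolute path such as `/var/media`, which is exactly what vali's `media@hel...:/var/media` mount asks for, cannot be traversed; the value is unchanged by the `/run/media/var/media` relocation later on this line. sshd only demands that the chroot path components be root-owned and not group- or world-writable, which `755` satisfies, so `DirectoryMode = "755";` on both units looks like the intended setting. The bind mount itself carries `/var/media`'s own ownership and mode, so access inside the share is unaffected. I have not checked how sshd's initial `chdir` interacts with this, so verify with a login as `media` before relying on it.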
From 208f52e95bd5fe2d42c8356e4b524a95afe60611 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:51:26 +0200 Subject: use internal sftp --- hel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hel.nix b/hel.nix index 26d55ca9..f4ab6d70 100644 --- a/hel.nix +++ b/hel.nix @@ -103,7 +103,7 @@ enable = true; extraConfig = '' Match User media - ForceCommand ${pkgs.openssh}/libexec/sftp-server + ForceCommand internal-sftp PermitTTY no AllowTcpForwarding no AllowStreamLocalForwarding no -- cgit v1.2.3 From 20baa66fb5dcaa08fcbcbc1c8cc0cf7f3a0be3ae Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:53:32 +0200 Subject: autostart /var/media mounting --- vali.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/vali.nix b/vali.nix index 2d8fe6b7..ce210b88 100644 --- a/vali.nix +++ b/vali.nix @@ -168,6 +168,7 @@ rec { automountConfig = { DirectoryMode = "555"; }; + wantedBy = [ "remote-fs.target" ]; } ]; -- cgit v1.2.3 From 1d3b455a805cdf06716e8b88999e4adfec17a8df Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:54:43 +0200 Subject: system wide sshfs --- vali.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/vali.nix b/vali.nix index ce210b88..698837d7 100644 --- a/vali.nix +++ b/vali.nix @@ -55,6 +55,7 @@ rec { tmux mosh ntfs3g + sshfs ]; # List services that you want to enable: -- cgit v1.2.3 From 59a48109fa0bb49d9ba68f41558b5de7247e2ee9 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 19:55:12 +0200 Subject: ditto --- vali.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vali.nix b/vali.nix index 698837d7..abc2b9d8 100644 --- a/vali.nix +++ b/vali.nix @@ -55,7 +55,7 @@ rec { tmux mosh ntfs3g - sshfs + sshfsFuse ]; # List services that you want to enable: -- cgit v1.2.3 From 3c3eb52e6417c3c8fa14062bf2ade3924ee2cd68 Mon Sep 17 00:00:00 2001 
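Review bot: With `ForceCommand internal-sftp` sshd serves SFTP in-process and does not invoke the account's login shell to run it, so the `useDefaultShell = true;` that the `default shell for media` commit added for the external `sftp-server` is no longer needed and can be dropped, leaving `media` with its non-interactive default shell — the safer state should the Match block ever fail to apply. `internal-sftp` also needs no binaries inside the `/run/%u` chroot, which is the other reason to prefer it here. The `Match User media` block continues past the end of the hunk.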
From: Gregor Kleen Date: Sun, 4 Sep 2016 20:00:45 +0200 Subject: more sensible PATH --- vali.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/vali.nix b/vali.nix index abc2b9d8..fbdad4e4 100644 --- a/vali.nix +++ b/vali.nix @@ -180,6 +180,7 @@ rec { type = "fuse.sshfs"; options = "users,idmap=user,IdentityFile=/home/user/.ssh/id_media@hel,allow_other,reconnect,_netdev"; mountConfig = { + Environment = "PATH=/run/current-system/sw/bin:/run/current/system/sw/sbin"; DirectoryMode = "555"; }; } -- cgit v1.2.3 From 5529433b0db6d41b26a888a1ad3dfc7bd2348e19 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 20:06:31 +0200 Subject: media group on vali --- vali.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vali.nix b/vali.nix index fbdad4e4..cc914eb9 100644 --- a/vali.nix +++ b/vali.nix @@ -82,6 +82,10 @@ rec { openssh.authorizedKeys.keyFiles = template.openssh.authorizedKeys.keyFiles; }; + users.extraGroups.media = { + members = [ "gkleen" ]; + }; + system.activationScripts = let setupUsers = pkgs.callPackage custom/dotfiles.nix {}; toRec = name : { -- cgit v1.2.3 From c24f17889267f904e7db76a6990c58599906740d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 20:07:00 +0200 Subject: match hel's gid --- vali.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/vali.nix b/vali.nix index cc914eb9..e208be60 100644 --- a/vali.nix +++ b/vali.nix @@ -83,6 +83,7 @@ rec { }; users.extraGroups.media = { + gid = 498; members = [ "gkleen" ]; }; -- cgit v1.2.3 From d468eae5abfd3c083f7d44a2fdcfcea3fd5c9d5b Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 20:08:20 +0200 Subject: users are not mutable on vali --- vali.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vali.nix b/vali.nix index e208be60..53ced636 100644 --- a/vali.nix +++ b/vali.nix 
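Review bot: The added `Environment` line has a typo in its second path: `/run/current/system/sw/sbin` should be `/run/current-system/sw/sbin`, so the sbin entry never resolves; the value also survives unchanged in the `typos` commit at the end of this page. Change it to `Environment = "PATH=/run/current-system/sw/bin:/run/current-system/sw/sbin";`. Whether the sshfs mount helper actually needs `sbin` on PATH is not visible here; if it does not, the single `bin` entry would be enough and harder to get wrong. The `mountConfig` set continues outside the hunk.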
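Review bot: `gid = 498;` pins vali's `media` group to whatever hel happened to allocate, but nothing on this page pins that value on hel itself (its `media` group sets only `members`), so the two can drift apart the next time hel's groups are regenerated. Pinning it on both sides, `gid = 498;` in hel.nix's `media` group as well, with a comment naming the peer host, makes the coupling explicit. This matters because sshfs's `idmap=user` translates only the uid, so group permissions on the share depend on the numeric gid agreeing.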
@@ -75,6 +75,8 @@ rec { # services.xserver.displayManager.kdm.enable = true; # services.xserver.desktopManager.kde4.enable = true; + users.mutableUsers = false; + users.extraUsers.root = let template = (import users/gkleen.nix); in { -- cgit v1.2.3 From 2c5a6fd3a476ae80996f4072cf5bba4f45bedf59 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 4 Sep 2016 20:09:55 +0200 Subject: typos --- vali.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vali.nix b/vali.nix index 53ced636..6711e0f8 100644 --- a/vali.nix +++ b/vali.nix @@ -185,7 +185,7 @@ rec { where = "/var/media"; what = "media@hel.asgard.yggdrasil:/var/media"; type = "fuse.sshfs"; - options = "users,idmap=user,IdentityFile=/home/user/.ssh/id_media@hel,allow_other,reconnect,_netdev"; + options = "idmap=user,IdentityFile=/home/gkleen/.ssh/media@hel,allow_other,reconnect,_netdev"; mountConfig = { Environment = "PATH=/run/current-system/sw/bin:/run/current/system/sw/sbin"; DirectoryMode = "555"; -- cgit v1.2.3