From b5b1dbf3fe670b7a8cc3064264d1f48e39cebeac Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band" <email@ricardo.band>
Date: Tue, 17 Feb 2026 23:56:46 +0100
Subject: [PATCH] fix www

---
 hosts/www/openssh.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/hosts/www/openssh.nix b/hosts/www/openssh.nix
index 0a3844f..2a91325 100644
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@@ -4,19 +4,20 @@
   users = {
     users.deploy = {
       description = "deploys static websites from forgejo";
-      shell = "/run/current-system/sw/bin/nologin";
+      shell = pkgs.dash; # gets restricted by authorized_keys
       isSystemUser = true;
       group = "deploy";
-      packages = [
-        pkgs.rsync
-      ];
       openssh.authorizedKeys.keys = [
-        #"command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
-        "command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtN5miFqjb585xuM89PXo3yxtY7WS159BvYS26HbZxC git.berlin.ccc.de/cccb/www"
+        "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM35LG+xuDaoHQ2bYD4eRc3P6Cl3JVYntoP5Gu9R+mZC deploy@www.berlin.ccc.de production"
+        "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
       ];
-      #extraGroups = ["nginx"];
     };
     groups.deploy = {};
   };
+
+  services.openssh.extraConfig = ''
+    Match User deploy
+      Banner none
+  '';
 }