diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index 342b7fa..d2ffd0c 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -5,6 +5,8 @@
     ../common.nix
     ../../services/openssh.nix
     ../../services/nginx.nix
+    ./nginx.nix
+    ./ssh.nix
   ];
 
   networking = {
diff --git a/hosts/www/ssh.nix b/hosts/www/ssh.nix
new file mode 100644
index 0000000..0ea5426
--- /dev/null
+++ b/hosts/www/ssh.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  users.users.deploy = {
+    description = "deploys static websites from forgejo";
+    shell = pkgs.nologin;
+    packages = [
+      pkgs.rsync
+    ];
+    openssh.authorizedKeys.keys = [
+      "command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
+    ];
+    #extraGroups = ["nginx"];
+  };
+}
+