From 44024e8e52b490e9f61f5c87a50da0dac9cf1a4f Mon Sep 17 00:00:00 2001
From: Leonardo <noreply@leoflo.me>
Date: Mon, 23 Mar 2026 18:00:48 +0100
Subject: git user

---
 components/services/openssh.nix |  9 +++++++++
 systems/afrodite/default.nix    | 28 +++++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/components/services/openssh.nix b/components/services/openssh.nix
index 66a6499..eb52bf1 100644
--- a/components/services/openssh.nix
+++ b/components/services/openssh.nix
@@ -10,6 +10,15 @@
         PasswordAuthentication = false;
         PrintMotd = false;
       };
+
+      extraConfig = ''
+        Match user git
+          AllowTcpForwarding no
+          AllowAgentForwarding no
+          PasswordAuthentication no
+          PermitTTY no
+          X11Forwarding no
+      '';
     };
   };
 }
diff --git a/systems/afrodite/default.nix b/systems/afrodite/default.nix
index 3e7adfa..3962f17 100644
--- a/systems/afrodite/default.nix
+++ b/systems/afrodite/default.nix
@@ -13,11 +13,29 @@
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
   # Users
-  users.users.leo = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-
-    extraGroups = [ "wheel" "networkmanager" ];
+  users = {
+    users = {
+      "leo" = {
+        isNormalUser = true;
+        shell = pkgs.zsh;
+
+        extraGroups = [ "wheel" "networkmanager" ];
+      };
+      "git" = {
+        isSystemUser = true;
+        shell = "${pkgs.git}/bin/git-shell";
+        group = "git";
+
+        home = "/var/lib/git";
+        createHome = true;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/jRKQiRkGmtDRp/LniFVtl3M9r8VOaSWcyDT4Bl1R9 leo@hermes"
+        ];
+      };
+    };
+
+    groups."git" = {};
   };
 
   # Shell
-- 
cgit v1.3