infrastructure/hosts/kinda.sus.lol/sftp_jail.nix

{
  services.openssh.extraConfig = ''
    Match Group sftponly
      ChrootDirectory /sftp_jail
      ForceCommand internal-sftp
      AllowTcpForwarding no
  '';

  users.groups.sftponly = {};
}