diff --git a/hosts/nixos/garp/sftp.nix b/hosts/nixos/garp/sftp.nix
index 902bad9..980b761 100644
--- a/hosts/nixos/garp/sftp.nix
+++ b/hosts/nixos/garp/sftp.nix
@@ -1,22 +1,35 @@
 { lib, config, ...}:
 let
+  chroot-path = "/run/sftp-chroot";
   sftp-paths."ifield" = "/opt/ifield";
-
-  # user = config.users.users."sftp";
-  user.home = "/home/sftp"; # ininite recursion...
-
 in {
+
+  systemd.tmpfiles.settings."10-sftp-chroot" = {
+    "${chroot-path}".d = {
+      user = "root";
+      group = "root";
+      mode = "0755";
+    };
+  };
+
+  users.groups."sftp_users" = {
+    members = [ "pbsds" ];
+  };
   users.users."sftp" = {
-    isNormalUser = true;
-    createHome = true;
-    uid = 3000;
-    inherit (user) home;
+    isSystemUser = true;
+    createHome = false;
+    home = chroot-path;
+    shell = null;
+    password = null; # deny password login
+    #hashedPassword = ""; # use mkpasswd
+
+    group = "sftp_users"; # TODO: can I somehow idmap instead?
     extraGroups = [ "users" "pbsds" ];
-    #hashedPassword = ""; # use mkpasswd
+
     openssh.authorizedKeys.keys = lib.mkMerge [
       [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaE4W5Qe+ZBRtsY2KiIHbpx6v+8KrgrVT8ZgFvSVbvz ifield-sftp"
@@ -29,7 +42,7 @@ in
   services.openssh.sftpServerExecutable = "internal-sftp";
   services.openssh.extraConfig = ''
     Match User sftp
-      ChrootDirectory ${user.home}
+      ChrootDirectory ${chroot-path}
       ForceCommand internal-sftp
       PasswordAuthentication no
       PubkeyAuthentication yes
@@ -40,7 +53,7 @@ in
   '';
   imports = lib.flip lib.mapAttrsToList sftp-paths (target: source: {
-    fileSystems."${user.home}/${target}" = {
+    fileSystems."${chroot-path}/${target}" = {
       device = source;
       options = ["ro" "bind"]; # Read only
       # depends = [ "/" ];
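Review bot: The `systemd.tmpfiles` entry is what satisfies sshd's rule that every component of a `ChrootDirectory` path must be root-owned and not group/world-writable, but nothing in the hunk records that constraint, so a later edit loosening `mode` or `user` would make sshd refuse every `sftp` login; a comment such as `# sshd rejects ChrootDirectory unless the path is root-owned and not group/world-writable` on the `"${chroot-path}".d` line would keep the intent visible. Adding `pbsds` to `sftp_users` makes it a primary-group peer of the `sftp` account, and because the chroot is applied by `Match User sftp` in the second hunk rather than by group, that membership restricts nothing and only widens shared group access between the two accounts — a comment stating which direction of access it is meant to enable would help. `shell = null;` overrides the module's nologin default; if NixOS renders a null shell as an empty passwd field, local login would fall back to `/bin/sh`, which is harmless only while `password = null` and the `ForceCommand` in the sshd block keep holding, so dropping the `shell = null;` line and keeping the default is the more robust choice — confirm how the users module handles null here. The `users.users."sftp"` attribute set continues past the end of the hunk.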