diff --git a/hosts/nixos/garp/configuration.nix b/hosts/nixos/garp/configuration.nix index ead2080..70e88e4 100644 --- a/hosts/nixos/garp/configuration.nix +++ b/hosts/nixos/garp/configuration.nix @@ -34,6 +34,8 @@ ../../../users/h7x4 ../../../users/adrlau + ./sftp.nix + ../../../profiles/shell.nix ../../../profiles/domeneshop-dyndns.nix diff --git a/hosts/nixos/garp/sftp.nix b/hosts/nixos/garp/sftp.nix new file mode 100644 index 0000000..902bad9 --- /dev/null +++ b/hosts/nixos/garp/sftp.nix @@ -0,0 +1,50 @@ +{ lib, config, ...}: + +let + sftp-paths."ifield" = "/opt/ifield"; + + # user = config.users.users."sftp"; + user.home = "/home/sftp"; # ininite recursion... + +in + +{ + users.users."sftp" = { + isNormalUser = true; + createHome = true; + uid = 3000; + inherit (user) home; + # TODO: can I somehow idmap instead? + extraGroups = [ "users" "pbsds" ]; + #hashedPassword = ""; # use mkpasswd + openssh.authorizedKeys.keys = lib.mkMerge [ + [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaE4W5Qe+ZBRtsY2KiIHbpx6v+8KrgrVT8ZgFvSVbvz ifield-sftp" + ] + # no work? + # config.users.users."pbsds".authorizedKeys.keys + ]; + }; + + services.openssh.sftpServerExecutable = "internal-sftp"; + services.openssh.extraConfig = '' + Match User sftp + ChrootDirectory ${user.home} + ForceCommand internal-sftp + PasswordAuthentication no + PubkeyAuthentication yes + PermitTunnel no + AllowAgentForwarding no + AllowTcpForwarding no + X11Forwarding no + ''; + + imports = lib.flip lib.mapAttrsToList sftp-paths (target: source: { + fileSystems."${user.home}/${target}" = { + device = source; + options = ["ro" "bind"]; # Read only + # depends = [ "/" ]; + noCheck = true; # skip fsck + }; + }); +}
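Review bot: `ChrootDirectory ${user.home}` in the new sftp.nix points at /home/sftp, but `createHome = true` on the sftp user makes NixOS create that directory owned by the sftp user, and sshd refuses a chroot target that is not root-owned and is writable by anyone else ("bad ownership or modes for chroot directory"), so the login will most likely fail outright rather than be confined. Keep the chroot root owned by root and let only the bind mounts appear under it: replace `createHome = true;` with `createHome = false;` and add `systemd.tmpfiles.rules = [ "d ${user.home} 0755 root root -" ];` so the `ro,bind` fileSystems entries mount inside a root-owned tree. Separately, `extraGroups = [ "users" "pbsds" ]` puts this externally reachable account into another user's primary group, which grants group-level read on everything pbsds has group-readable, not just /opt/ifield; if the membership exists only so the bind-mounted data is readable, a dedicated group on /opt/ifield is the least-privilege option, and "users" looks unneeded for an sftp-only login. The Match block itself is a sound hardening set (key-only auth, no forwarding or tunnels, forced internal-sftp), and the read-only bind mounts are the right way to expose the data.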