diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index f1fa1f7..193a412 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -24,6 +24,7 @@
 ./modules/podman.nix
 ./modules/omada.nix
 ./modules/ddclient.nix
+ ./modules/cloonar-assistant-config-server.nix
 # ./modules/wol.nix
diff --git a/hosts/fw/modules/cloonar-assistant-config-server.nix b/hosts/fw/modules/cloonar-assistant-config-server.nix
new file mode 100644
index 0000000..20717b3
--- /dev/null
+++ b/hosts/fw/modules/cloonar-assistant-config-server.nix
@@ -0,0 +1,47 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ users = [
+ {
+ username = "ca-test";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJRWe8hsqAVnGSjPrcheloteWMzORoQ5Gj4IfhCROF";
+ }
+ ];
+in {
+ imports = builtins.map create_users users;
+ environment.etc = {
+ # our single user+key file
+ "cloonar_assistant_ssh/sftp_users_keys" = {
+ text = lib.concatStringsSep "\n"
+ (map (u: "${u.username} ${u.key}") users);
+ mode = "0600";
+ owner = "root";
+ group = "root";
+ };
+
+ # the little awk script to extract the key for $1
+ "ssh/sftp-fetch-key.sh" = {
+ text = ''
+ #!/usr/bin/env bash
+ awk -v u="$1" '$1==u { $1=""; sub(/^ +/, ""); print }' /etc/cloonar_assistant_ssh/sftp_users_keys
+ '';
+ mode = "0700";
+ owner = "root";
+ group = "root";
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match Exec "/bin/grep -qE '^%u[[:space:]]' /etc/cloonar_assistant_ssh/sftp_users_keys"
+ X11Forwarding no
+ AllowTcpForwarding no
+ ChrootDirectory %h
+ ForceCommand internal-sftp
+
+ # ← only for those matched users:
+ AuthorizedKeysCommand /etc/cloonar_assistant_ssh/sftp-fetch-key.sh %u
+ AuthorizedKeysCommandUser root
+ '';
+}
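Review bot: The `Match Exec "/bin/grep …"` line in services.openssh.extraConfig is not a server-side Match criterion as far as I can tell — sshd_config's Match accepts User, Group, Host, LocalAddress, LocalPort, RDomain and Address, while Exec is an ssh_config (client) keyword — so sshd should reject the config and none of the ChrootDirectory/ForceCommand restrictions take effect; since the usernames already live in `users`, derive the block from them instead, e.g. `Match User ${lib.concatStringsSep "," (map (u: u.username) users)}`. The AuthorizedKeysCommand path also does not match where the script is installed: `environment.etc."ssh/sftp-fetch-key.sh"` lands at /etc/ssh/sftp-fetch-key.sh, not /etc/cloonar_assistant_ssh/sftp-fetch-key.sh, so one side needs to change, e.g. `AuthorizedKeysCommand /etc/ssh/sftp-fetch-key.sh %u`. `imports = builtins.map create_users users;` references `create_users`, which is not bound anywhere in this file (not in the `let`, not a module argument), so evaluation will fail until it is defined or the line is dropped. Finally, sshd runs AuthorizedKeysCommand with a minimal environment, so the bare `awk` in the script is likely not on PATH on NixOS; `pkgs` is already taken as an argument but unused, so `${pkgs.gawk}/bin/awk` would pin the binary.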