diff --git a/hosts/fw/modules/cloonar-assistant-config-server.nix b/hosts/fw/modules/cloonar-assistant-config-server.nix
index 20717b3..d229c8f 100644
--- a/hosts/fw/modules/cloonar-assistant-config-server.nix
+++ b/hosts/fw/modules/cloonar-assistant-config-server.nix
@@ -10,14 +10,13 @@
   } ];
 in {
-  imports = builtins.map create_users users;
   environment.etc = {
     # our single user+key file
     "cloonar_assistant_ssh/sftp_users_keys" = {
       text = lib.concatStringsSep "\n" (map (u: "${u.username} ${u.key}") users);
       mode = "0600";
-      owner = "root";
+      user = "root";
       group = "root";
     };
 
@@ -28,16 +27,22 @@ in {
       awk -v u="$1" '$1==u { $1=""; sub(/^ +/, ""); print }' /etc/cloonar_assistant_ssh/sftp_users_keys
     '';
       mode = "0700";
-      owner = "root";
+      user = "root";
       group = "root";
     };
   };
 
+  systemd.tmpfiles.rules = map (u:
+    # Type 'd' = create directory if missing
+    # Mode 0755, owner root:root
+    "d /home/cloonar-assistant-configs/${u.username} 0755 root root -"
+  ) users;
+
   services.openssh.extraConfig = ''
     Match Exec "/bin/grep -qE '^%u[[:space:]]' /etc/cloonar_assistant_ssh/sftp_users_keys"
       X11Forwarding no
       AllowTcpForwarding no
-      ChrootDirectory %h
+      ChrootDirectory /home/cloonar-assistant-configs/%u
       ForceCommand internal-sftp
       # ← only for those matched users:
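Review bot: Dropping `imports = builtins.map create_users users;` removes the only visible place this module wires the per-user accounts in, and the hunk adds no replacement for it. If `create_users` was what defined the `users.users.<name>` entries that the key file and the later Match/ChrootDirectory rules depend on, those accounts must now come from elsewhere; if the line was dead or duplicated, a short commit-message note saying so would spare the next reader the check, since `create_users` is not defined anywhere in view. Renaming `owner` to `user` on the `environment.etc` entries is the right fix, as `user` is the option NixOS actually evaluates, but note that the 0600 root:root key file is read by the `/bin/grep` and awk lookups further down, so whatever runs those must execute as root or the matches will fail silently. Because the file holds public keys only, a 0644 mode would be an acceptable alternative if the lookup command is not privileged.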