I have a server that runs borg-backup nightly to another server over SSH. For security, I restrict the backup SSH user to only the borg service on the backup server by editing the authorized_keys file:
command="borg serve --restrict-to-path /home/borg/backupdir",restrict ssh-rsa DKGWIE....
With the above configuration, the backup user can’t use SSH for normal commands. Is there a way to do something similar when using Tailscale SSH?