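_: {
  # -------------------------------------------------
  # 1. Dedicated system account for FTP / SFTP
  # -------------------------------------------------
  users.users.ftpuser = {
    isSystemUser = true;
    description = "Compte FTP dédié";
    home = "/srv/ftp/ftpuser";
    createHome = true;
    group = "ftpuser";
    # No `shell` is set on purpose: the previous value "/usr/bin/nologin" is a
    # path that does not exist on NixOS, and the module default for the shell
    # is already a nologin binary (pkgs.shadow). Neither internal-sftp nor
    # vsftpd needs a login shell for this account.
  };

  users.groups.ftpuser = { };

  # SFTP-only access for ftpuser: chrooted into its home, no shell, no
  # forwarding of any kind. sshd only honours ChrootDirectory when the
  # directory (and every parent) is owned by root and not group/world
  # writable; setupFtp below enforces exactly that.
  services.openssh = {
    extraConfig = ''
      Match User ftpuser
        ChrootDirectory /srv/ftp/ftpuser
        ForceCommand internal-sftp
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        PermitTTY no
        X11Forwarding no
    '';
  };

  # -------------------------------------------------
  # 2. Chroot directory layout and permissions
  # -------------------------------------------------
  # Ordered after the "users" activation script, which creates the home
  # directory (createHome) and manages its ownership/mode. Running afterwards
  # guarantees the directory exists when we touch it and that the root:root
  # ownership required for the chroot is not undone later in the same
  # activation. The previous version had no ordering and left the chroot
  # root owned by ftpuser, which sshd rejects ("bad ownership or modes").
  system.activationScripts.setupFtp = {
    deps = [ "users" ];
    text = ''
      # Chroot root: root-owned, writable by root only, traversable by all.
      # This satisfies sshd's ChrootDirectory check and lets vsftpd keep its
      # default refusal of a writable chroot root. (The former "chmod a-w"
      # on a 0700 home would have produced 0500, locking ftpuser out.)
      mkdir -p /srv/ftp/ftpuser
      chown root:root /srv/ftp/ftpuser
      chmod 755 /srv/ftp/ftpuser

      # The only writable location inside the chroot, owned by the account.
      mkdir -p /srv/ftp/ftpuser/upload
      chown ftpuser:ftpuser /srv/ftp/ftpuser/upload
      chmod 755 /srv/ftp/ftpuser/upload
    '';
  };

  # -------------------------------------------------
  # 3. vsftpd
  # -------------------------------------------------
  services.vsftpd = {
    enable = true;

    # Local (system) accounts may log in; anonymous access is refused.
    localUsers = true;
    anonymousUser = false;

    # Restrict FTP logins to ftpuser only. With localUsers alone, every local
    # account that has a password could authenticate on port 21 (and, until
    # TLS is enforced, send that password in cleartext).
    userlistEnable = true;
    userlistDeny = false;
    userlist = [ "ftpuser" ];

    # Chroot each local user into its home. Because setupFtp makes the chroot
    # root root-owned and read-only for the user, allowWriteableChroot is
    # deliberately left at its default (false): enabling it would disable
    # vsftpd's protection against a user-writable chroot root. Writes go to
    # the "upload" subdirectory instead.
    chrootlocalUser = true;

    # NOTE(review): uploads over FTP additionally require writeEnable = true
    # (vsftpd write_enable, off by default); SFTP via internal-sftp does not
    # depend on it. Enable only if FTP uploads are actually intended.

    # TODO(security): plain FTP carries credentials and data in cleartext.
    # Once a certificate is available, enforce TLS, for example:
    #   forceLocalLoginsSSL = true;
    #   forceLocalDataSSL = true;
    #   rsaCertFile = "/path/to/fullchain.pem";
    #   rsaKeyFile = "/path/to/privkey.pem";
    # and open port 990 in the firewall only if implicit FTPS is used.

    extraConfig = ''
      # Passive-mode data ports; keep in sync with the firewall range below.
      # Five ports means at most five concurrent passive transfers.
      # Behind NAT, pasv_address=<public IP> is usually needed as well.
      pasv_min_port=40000
      pasv_max_port=40004
    '';
  };

  # -------------------------------------------------
  # 4. NixOS firewall
  # -------------------------------------------------
  networking.firewall = {
    # 21 = FTP control channel. The sshd port used for SFTP is opened by
    # services.openssh itself (openFirewall defaults to true).
    allowedTCPPorts = [ 21 ];
    # Passive data channel, same range as pasv_min_port/pasv_max_port.
    allowedTCPPortRanges = [ { from = 40000; to = 40004; } ];
    # For implicit FTPS (port 990): allowedTCPPorts = [ 21 990 ];
  };
}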