From 2a3cd04a312620b0216e9e14c8cdfa0a598939a4 Mon Sep 17 00:00:00 2001
From: DuN0z
Date: Fri, 26 Sep 2025 08:36:37 +0200
Subject: [PATCH] Add: sftp ftpuser config
---
 modules/services/ftp.nix | 12 +++++++++++-
 profiles/server-selfhosted.nix | 8 +++++++-
 secrets/admin-passwd | 3 +++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100755 secrets/admin-passwd
diff --git a/modules/services/ftp.nix b/modules/services/ftp.nix
index bceeba4..f1b3d89 100644
--- a/modules/services/ftp.nix
+++ b/modules/services/ftp.nix
@@ -8,10 +8,20 @@
 home = "/srv/ftp/ftpuser";
 createHome = true;
 group = "ftpuser";
- shell = "/usr/sbin/nologin";
+ shell = "/usr/bin/nologin";
 };
 users.groups.ftpuser = {};

+ services.openssh = {
+ extraConfig = ''
+ Match User ftpuser
+ ChrootDirectory /srv/ftp/ftpuser
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ X11Forwarding no
+ '';
+ };
+
 # -------------------------------------------------
 # 2️⃣ Permissions du répertoire home (méthode A)
 # -------------------------------------------------
diff --git a/profiles/server-selfhosted.nix b/profiles/server-selfhosted.nix
index 3243482..0b642e5 100644
--- a/profiles/server-selfhosted.nix
+++ b/profiles/server-selfhosted.nix
@@ -9,7 +9,13 @@
 ../modules/sites/levr.porzh.me.nix
 ];

- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false ;
+ PubkeyAuthentication = true ;
+ };
+ };

 environment.systemPackages = with pkgs; [
 btrfs-progs
diff --git a/secrets/admin-passwd b/secrets/admin-passwd
new file mode 100755
index 0000000..0942495
--- /dev/null
+++ b/secrets/admin-passwd
@@ -0,0 +1,3 @@
+basicauth * {
+ admin $2a$14$RFcSei0IvYK.B7DJ3s6Yn.1i/bjiU.67TrV1RLaL4pxWniHhM8d62
+ }
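Review bot: `ChrootDirectory /srv/ftp/ftpuser` in the added Match block points at the same path the user entry declares as `home` with `createHome = true`, which NixOS normally creates owned by the account, while sshd refuses a chroot target that is not root-owned or that is writable by group or others. As written the login is likely to fail, or, if the directory is made root-owned, ftpuser has nowhere to write; the permissions section that follows lies outside this hunk, so confirm which case applies. The usual layout keeps the chroot root-owned at mode 0755 and gives the account a writable subdirectory, with `ForceCommand internal-sftp -d /upload` (directory name constructed here) so sessions start there. Separately, `shell = "/usr/bin/nologin"` is an FHS path that NixOS normally does not populate; `shell = "${pkgs.shadow}/bin/nologin";` resolves, provided `pkgs` is a module argument (the module header is outside the hunk).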
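Review bot: The new `settings` block turns off `PasswordAuthentication` but leaves keyboard-interactive authentication at its default, which the NixOS module enables as far as I know (verify against the pinned nixpkgs), so a PAM-backed password prompt may still be offered; add `KbdInteractiveAuthentication = false;` next to the two added lines. With passwords disabled host-wide, the `ftpuser` account matched in modules/services/ftp.nix needs an authorized key to log in at all, and none is declared in the hunks shown here. `PubkeyAuthentication = true;` restates the sshd default, so either drop it or keep it with a comment such as `# explicit: key-only login is intentional`.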
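Review bot: This new file commits the bcrypt hash for the `admin` basic-auth account in clear text, so anyone with read access to the repository or its history can run offline guessing against it; if a module imports the file by path it will presumably also be copied into the world-readable Nix store. Keep the hash out of the tree and supply it at activation time through a secrets mechanism such as sops-nix or agenix, or an untracked file with mode 0600 that only the web server can read. Rotate the admin password afterwards, because the current hash remains in history even once the file is removed. The file is also created with mode 100755; it is configuration data rather than a script, so `chmod 644` or tighter is the appropriate mode.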