# NixOS module: an LDAP-backed pure-ftpd server with an ACME-managed TLS
# certificate. Enabled through `services.pure-ftpd.enable`; LDAP connection
# details come from `myconfig.env.ftp.ldap`.
{ lib, pkgs, config, myconfig, ... }:
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # TLS certificate for the FTP control/data channels, built on the shared
    # certificate settings and renewed by ACME. After a renewal the daemon is
    # restarted so it picks up the new files under /var/lib/acme/ftp.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
    };

    # Local pure-ftpd derivation (./pure-ftpd.nix) replaces the upstream
    # package; the LDAP config below relies on UID/GID values that are, per
    # its in-file comments, compiled into that build.
    nixpkgs.config.packageOverrides = oldpkgs: rec {
      pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
    };

    # Port 21 is the FTP control channel; 40000-50000 must match
    # `PassivePortRange` in the pure-ftpd configuration below.
    networking = {
      firewall = {
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    # Unprivileged account the daemon uses for anonymous sessions; it gets no
    # real home directory.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp;
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Directory served to FTP clients, owned by the ftp user/group.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    systemd.services.pure-ftpd = let
      # LDAP backend configuration handed to pure-ftpd via `LDAPConfigFile`.
      #
      # NOTE(review): `pkgs.writeText` places this file in the Nix store, which
      # is world-readable, so `LDAPBindPW` (the LDAP bind password) is exposed
      # to every local user and to anyone who can read the store or the
      # evaluated system closure. Generating the file at service start from a
      # secret kept outside the store (e.g. in a `preStart` step) would keep
      # the password out of /nix/store; left as-is here, flagged only.
      #
      # `LDAPUseTLS True` together with port 389 presumably means STARTTLS on
      # the standard LDAP port rather than LDAPS on 636 — confirm against the
      # server's setup. The two French comment lines inside the file say that
      # the UID/GID cannot be supplied here and are compiled directly into
      # pure-ftpd as immaeFtpUid / immaeFtpGid; `LDAPHomeDir` names the LDAP
      # attribute holding the per-user home directory.
      ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilité de donner l'Uid/Gid !
        # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
      # Main daemon configuration. Points worth knowing when reviewing it:
      # - `NoAnonymous no` keeps anonymous logins enabled, and
      #   `AnonymousCantUpload no` lets anonymous sessions upload files
      #   (directory creation stays off via `AnonymousCanCreateDirs no`).
      #   That is an intentional-looking public drop box; `MaxDiskUsage 99`
      #   is the only cap on it.
      # - `TLS 1` offers TLS but still accepts cleartext logins; per the
      #   pure-ftpd reference, `TLS 2` would refuse unencrypted control
      #   sessions and `TLS 3` unencrypted data sessions as well.
      # - `ChrootEveryone yes` confines every user, including LDAP ones, to
      #   their home directory.
      # - `CertFile` is the ACME `full.pem` (certificate chain plus key in
      #   one file), which is why the cert renewal above restarts the service.
      # - `Daemonize yes` matches `Type = "forking"` in the unit below.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile ${ldapConfigFile}
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile /var/lib/acme/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # The daemon reads its whole configuration from the store file above;
      # the PID file path must agree with what that build of pure-ftpd writes.
      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}