[perso/Immae/Config/Nix.git] / modules / private / ftp.nix

{ lib, pkgs, config, ... }:
let
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
  pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
  proftpd-enabled = config.myServices.ftp.proftpd.enable;
in
{
  options = {
    myServices.ftp.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ftp.
      '';
    };
    myServices.ftp.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
    myServices.ftp.proftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enable proftpd.
      '';
    };
  };

  config = lib.mkIf config.myServices.ftp.enable {
    security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = (lib.optionalString pure-ftpd-enabled ''
        systemctl restart pure-ftpd.service
      '') + (lib.optionalString proftpd-enabled ''
        systemctl restart proftpd.service
      '');
      extraDomains = { "ftp.immae.eu" = null; };
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ 21 115 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8
      group = "ftp";
      description = "Anonymous FTP user";
      home = "/homeless-shelter";
      extraGroups = [ "keys" ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;

    system.activationScripts.ftp = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '' + (lib.optionalString proftpd-enabled ''
      install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
      '');

    secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ${config.myEnv.ftp.ldap.host}
        LDAPPort            389
        LDAPUseTLS          True
        LDAPBaseDN          ${config.myEnv.ftp.ldap.base}
        LDAPBindDN          ${config.myEnv.ftp.ldap.dn}
        LDAPBindPW          ${config.myEnv.ftp.ldap.password}
        LDAPDefaultUID      500
        LDAPForceDefaultUID False
        LDAPDefaultGID      100
        LDAPForceDefaultGID False
        LDAPFilter          ${config.myEnv.ftp.ldap.pure-ftpd_filter}

        LDAPAuthMethod      BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir         immaeFtpDirectory
        '';
    };
    secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
        LDAPUseTLS          on
        LDAPAuthBinds       on
        LDAPBindDN          "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
        LDAPSearchScope     subtree
        LDAPAuthBinds       on
        LDAPDefaultGID      100
        LDAPDefaultUID      500
        LDAPForceDefaultUID off
        LDAPForceDefaultGID off
        LDAPAttr            gidNumber immaeFtpGid
        LDAPAttr            uidNumber immaeFtpUid
        LDAPAttr            homeDirectory immaeFtpDirectory
        LDAPUsers           "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
        LDAPGroups          "${config.myEnv.ftp.ldap.base}"
      '';
    };

    services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
    };
    services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
    };

    systemd.services.pure-ftpd = let
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange             40000 50000
        Bind                         42
        ChrootEveryone               yes
        CreateHomeDir                yes
        BrokenClientsCompatibility   yes
        MaxClientsNumber             50
        Daemonize                    yes
        MaxClientsPerIP              8
        VerboseLog                   no
        DisplayDotFiles              yes
        AnonymousOnly                no
        NoAnonymous                  no
        SyslogFacility               ftp
        DontResolve                  yes
        MaxIdleTime                  15
        LDAPConfigFile               ${config.secrets.fullPaths."pure-ftpd-ldap"}
        LimitRecursion               10000 8
        AnonymousCanCreateDirs       no
        MaxLoad                      4
        AntiWarez                    yes
        Umask                        133:022
        # ftp
        MinUID                       8
        AllowUserFXP                 no
        AllowAnonymousFXP            no
        ProhibitDotFilesWrite        no
        ProhibitDotFilesRead         no
        AutoRename                   no
        AnonymousCantUpload          no
        MaxDiskUsage                 99
        CustomerProof                yes
        TLS                          1
        CertFile                     ${config.security.acme.certs.ftp.directory}/full.pem
        '';
    in lib.mkIf pure-ftpd-enabled {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };

    systemd.services.proftpd = let
      configFile = pkgs.writeText "proftpd.conf" ''
        ServerName		"ProFTPD"
        ServerType		standalone
        DefaultServer		on

        Port			21
        UseIPv6			on
        Umask			022
        MaxInstances		30
        MaxClients		50
        MaxClientsPerHost	8

        # Set the user and group under which the server will run.
        User			ftp
        Group			ftp

        CreateHome		on
        DefaultRoot		~

        AllowOverwrite		on

        TLSEngine		on
        TLSRequired		off
        TLSProtocol		TLSv1.1 TLSv1.2 TLSv1.3

        TLSCertificateChainFile	${config.security.acme.certs.ftp.directory}/fullchain.pem
        TLSECCertificateFile	${config.security.acme.certs.ftp.directory}/cert.pem
        TLSECCertificateKeyFile	${config.security.acme.certs.ftp.directory}/key.pem
        TLSRenegotiate none
        PidFile			/run/proftpd/proftpd.pid

        ScoreboardFile		/run/proftpd/proftpd.scoreboard

        PassivePorts		40000 50000
        #DebugLevel		10
        Include			${config.secrets.fullPaths."proftpd-ldap.conf"}

        RequireValidShell	off

        # Bar use of SITE CHMOD by default
        <Limit SITE_CHMOD>
          DenyAll
        </Limit>

        <VirtualHost 0.0.0.0>
          Umask				022
          Port				115
          SFTPEngine			on
          CreateHome			on
          DefaultRoot			~

          AllowOverwrite		on

          SFTPHostKey			/etc/ssh/ssh_host_ed25519_key
          SFTPHostKey			/etc/ssh/ssh_host_rsa_key
          Include			${config.secrets.fullPaths."proftpd-ldap.conf"}
          RequireValidShell		off
          SFTPAuthorizedUserKeys	file:/var/lib/proftpd/authorized_keys/%u
          SFTPAuthMethods		password publickey
        </VirtualHost>
        '';
    in lib.mkIf proftpd-enabled {
      description = "ProFTPD server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
      serviceConfig.RuntimeDirectory = "proftpd";
    };

    services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
      "*/2 * * * * nobody ${./ftp_sync.sh}"
    ];
  };

}
Commit	Line	Data
	1	{ lib, pkgs, config, ... }:
	2	let
	3	package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
	4	pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
	5	proftpd-enabled = config.myServices.ftp.proftpd.enable;
	6	in
	7	{
	8	options = {
	9	myServices.ftp.enable = lib.mkOption {
	10	type = lib.types.bool;
	11	default = false;
	12	description = ''
	13	Whether to enable ftp.
	14	'';
	15	};
	16	myServices.ftp.pure-ftpd.enable = lib.mkOption {
	17	type = lib.types.bool;
	18	default = false;
	19	description = ''
	20	Whether to enable pure-ftpd.
	21	'';
	22	};
	23	myServices.ftp.proftpd.enable = lib.mkOption {
	24	type = lib.types.bool;
	25	default = true;
	26	description = ''
	27	Whether to enable proftpd.
	28	'';
	29	};
	30	};
	31
	32	config = lib.mkIf config.myServices.ftp.enable {
	33	security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
	34	domain = "eldiron.immae.eu";
	35	postRun = (lib.optionalString pure-ftpd-enabled ''
	36	systemctl restart pure-ftpd.service
	37	'') + (lib.optionalString proftpd-enabled ''
	38	systemctl restart proftpd.service
	39	'');
	40	extraDomains = { "ftp.immae.eu" = null; };
	41	};
	42
	43	networking = {
	44	firewall = {
	45	allowedTCPPorts = [ 21 115 ];
	46	allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
	47	};
	48	};
	49
	50	users.users.ftp = {
	51	uid = config.ids.uids.ftp; # 8
	52	group = "ftp";
	53	description = "Anonymous FTP user";
	54	home = "/homeless-shelter";
	55	extraGroups = [ "keys" ];
	56	};
	57
	58	users.groups.ftp.gid = config.ids.gids.ftp;
	59
	60	system.activationScripts.ftp = ''
	61	install -m 0755 -o ftp -g ftp -d /var/lib/ftp
	62	'' + (lib.optionalString proftpd-enabled ''
	63	install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
	64	'');
	65
	66	secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
	67	permissions = "0400";
	68	user = "ftp";
	69	group = "ftp";
	70	text = ''
	71	LDAPServer ${config.myEnv.ftp.ldap.host}
	72	LDAPPort 389
	73	LDAPUseTLS True
	74	LDAPBaseDN ${config.myEnv.ftp.ldap.base}
	75	LDAPBindDN ${config.myEnv.ftp.ldap.dn}
	76	LDAPBindPW ${config.myEnv.ftp.ldap.password}
	77	LDAPDefaultUID 500
	78	LDAPForceDefaultUID False
	79	LDAPDefaultGID 100
	80	LDAPForceDefaultGID False
	81	LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter}
	82
	83	LDAPAuthMethod BIND
	84
	85	# Pas de possibilite de donner l'Uid/Gid !
	86	# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
	87	LDAPHomeDir immaeFtpDirectory
	88	'';
	89	};
	90	secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
	91	permissions = "0400";
	92	user = "ftp";
	93	group = "ftp";
	94	text = ''
	95	LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
	96	LDAPUseTLS on
	97	LDAPAuthBinds on
	98	LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
	99	LDAPSearchScope subtree
	100	LDAPAuthBinds on
	101	LDAPDefaultGID 100
	102	LDAPDefaultUID 500
	103	LDAPForceDefaultUID off
	104	LDAPForceDefaultGID off
	105	LDAPAttr gidNumber immaeFtpGid
	106	LDAPAttr uidNumber immaeFtpUid
	107	LDAPAttr homeDirectory immaeFtpDirectory
	108	LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
	109	LDAPGroups "${config.myEnv.ftp.ldap.base}"
	110	'';
	111	};
	112
	113	services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
	114	restart = true;
	115	paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
	116	};
	117	services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
	118	restart = true;
	119	paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
	120	};
	121
	122	systemd.services.pure-ftpd = let
	123	configFile = pkgs.writeText "pure-ftpd.conf" ''
	124	PassivePortRange 40000 50000
	125	Bind 42
	126	ChrootEveryone yes
	127	CreateHomeDir yes
	128	BrokenClientsCompatibility yes
	129	MaxClientsNumber 50
	130	Daemonize yes
	131	MaxClientsPerIP 8
	132	VerboseLog no
	133	DisplayDotFiles yes
	134	AnonymousOnly no
	135	NoAnonymous no
	136	SyslogFacility ftp
	137	DontResolve yes
	138	MaxIdleTime 15
	139	LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
	140	LimitRecursion 10000 8
	141	AnonymousCanCreateDirs no
	142	MaxLoad 4
	143	AntiWarez yes
	144	Umask 133:022
	145	# ftp
	146	MinUID 8
	147	AllowUserFXP no
	148	AllowAnonymousFXP no
	149	ProhibitDotFilesWrite no
	150	ProhibitDotFilesRead no
	151	AutoRename no
	152	AnonymousCantUpload no
	153	MaxDiskUsage 99
	154	CustomerProof yes
	155	TLS 1
	156	CertFile ${config.security.acme.certs.ftp.directory}/full.pem
	157	'';
	158	in lib.mkIf pure-ftpd-enabled {
	159	description = "Pure-FTPd server";
	160	wantedBy = [ "multi-user.target" ];
	161	after = [ "network.target" ];
	162
	163	serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
	164	serviceConfig.Type = "forking";
	165	serviceConfig.PIDFile = "/run/pure-ftpd.pid";
	166	};
	167
	168	systemd.services.proftpd = let
	169	configFile = pkgs.writeText "proftpd.conf" ''
	170	ServerName "ProFTPD"
	171	ServerType standalone
	172	DefaultServer on
	173
	174	Port 21
	175	UseIPv6 on
	176	Umask 022
	177	MaxInstances 30
	178	MaxClients 50
	179	MaxClientsPerHost 8
	180
	181	# Set the user and group under which the server will run.
	182	User ftp
	183	Group ftp
	184
	185	CreateHome on
	186	DefaultRoot ~
	187
	188	AllowOverwrite on
	189
	190	TLSEngine on
	191	TLSRequired off
	192	TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
	193
	194	TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
	195	TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
	196	TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
	197	TLSRenegotiate none
	198	PidFile /run/proftpd/proftpd.pid
	199
	200	ScoreboardFile /run/proftpd/proftpd.scoreboard
	201
	202	PassivePorts 40000 50000
	203	#DebugLevel 10
	204	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	205
	206	RequireValidShell off
	207
	208	# Bar use of SITE CHMOD by default
	209	<Limit SITE_CHMOD>
	210	DenyAll
	211	</Limit>
	212
	213	<VirtualHost 0.0.0.0>
	214	Umask 022
	215	Port 115
	216	SFTPEngine on
	217	CreateHome on
	218	DefaultRoot ~
	219
	220	AllowOverwrite on
	221
	222	SFTPHostKey /etc/ssh/ssh_host_ed25519_key
	223	SFTPHostKey /etc/ssh/ssh_host_rsa_key
	224	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	225	RequireValidShell off
	226	SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
	227	SFTPAuthMethods password publickey
	228	</VirtualHost>
	229	'';
	230	in lib.mkIf proftpd-enabled {
	231	description = "ProFTPD server";
	232	wantedBy = [ "multi-user.target" ];
	233	after = [ "network.target" ];
	234
	235	serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
	236	serviceConfig.Type = "forking";
	237	serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
	238	serviceConfig.RuntimeDirectory = "proftpd";
	239	};
	240
	241	services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
	242	"/2 * * * nobody ${./ftp_sync.sh}"
	243	];
	244	};
	245
	246	}