+
+ systemd.services.proftpd = let
+ configFile = pkgs.writeText "proftpd.conf" ''
+ ServerName "ProFTPD"
+ ServerType standalone
+ DefaultServer on
+
+ Port 21
+ UseIPv6 on
+ Umask 022
+ MaxInstances 30
+ MaxClients 50
+ MaxClientsPerHost 8
+
+ # Set the user and group under which the server will run.
+ User ftp
+ Group ftp
+
+ CreateHome on
+ DefaultRoot ~
+
+ AllowOverwrite on
+
+ TLSEngine on
+ TLSRequired off
+ TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
+
+ TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
+ TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
+ TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
+ TLSRenegotiate none
+ PidFile /run/proftpd/proftpd.pid
+
+ ScoreboardFile /run/proftpd/proftpd.scoreboard
+
+ PassivePorts 40000 50000
+ #DebugLevel 10
+ Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
+
+ RequireValidShell off
+
+ # Bar use of SITE CHMOD by default
+ <Limit SITE_CHMOD>
+ DenyAll
+ </Limit>
+
+ <VirtualHost 0.0.0.0>
+ Umask 022
+ Port 115
+ SFTPEngine on
+ CreateHome on
+ DefaultRoot ~
+
+ AllowOverwrite on
+
+ SFTPHostKey /etc/ssh/ssh_host_ed25519_key
+ SFTPHostKey /etc/ssh/ssh_host_rsa_key
+ Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
+ RequireValidShell off
+ SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
+ SFTPAuthMethods password publickey
+ </VirtualHost>
+ '';
+ in lib.mkIf proftpd-enabled {
+ description = "ProFTPD server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
+ serviceConfig.Type = "forking";
+ serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
+ serviceConfig.RuntimeDirectory = "proftpd";
+ };
+
+ services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
+ "*/2 * * * * nobody ${./ftp_sync.sh}"
+ ];