Add ftp connection
diff --git a/nixops/modules/ftp/default.nix b/nixops/modules/ftp/default.nix
new file mode 100644 (file)
index 0000000..c717bfd
--- /dev/null
@@ -0,0 +1,110 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+  options = {
+    services.pure-ftpd.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable pure-ftpd.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.services.pure-ftpd.enable {
+    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
+      domain = "eldiron.immae.eu";
+    };
+
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
+    };
+
+    networking = {
+      firewall = {
+        allowedTCPPorts = [ 21 ];
+        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
+      };
+    };
+
+    users.users = [
+      {
+        name = "ftp";
+        uid = config.ids.uids.ftp;
+        group = "ftp";
+        description = "Anonymous FTP user";
+        home = "/homeless-shelter";
+      }
+    ];
+
+    users.groups.ftp.gid = config.ids.gids.ftp;
+
+    system.activationScripts.pure-ftpd = ''
+      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
+      '';
+
+    systemd.services.pure-ftpd = let
+      ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
+        LDAPServer          ${myconfig.env.ftp.ldap.host}
+        LDAPPort            389
+        LDAPUseTLS          True
+        LDAPBaseDN          ${myconfig.env.ftp.ldap.base}
+        LDAPBindDN          ${myconfig.env.ftp.ldap.dn}
+        LDAPBindPW          ${myconfig.env.ftp.ldap.password}
+        LDAPDefaultUID      500
+        LDAPForceDefaultUID False
+        LDAPDefaultGID      100
+        LDAPForceDefaultGID False
+        LDAPFilter          ${myconfig.env.ftp.ldap.filter}
+
+        LDAPAuthMethod      BIND
+
+        # Pas de possibilité de donner l'Uid/Gid !
+        # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
+        LDAPHomeDir         immaeFtpDirectory
+        '';
+      configFile = pkgs.writeText "pure-ftpd.conf" ''
+        PassivePortRange             40000 50000
+        ChrootEveryone               yes
+        CreateHomeDir                yes
+        BrokenClientsCompatibility   yes
+        MaxClientsNumber             50
+        Daemonize                    yes
+        MaxClientsPerIP              8
+        VerboseLog                   no
+        DisplayDotFiles              yes
+        AnonymousOnly                no
+        NoAnonymous                  no
+        SyslogFacility               ftp
+        DontResolve                  yes
+        MaxIdleTime                  15
+        LDAPConfigFile               ${ldapConfigFile}
+        LimitRecursion               10000 8
+        AnonymousCanCreateDirs       no
+        MaxLoad                      4
+        AntiWarez                    yes
+        Umask                        133:022
+        # ftp
+        MinUID                       8
+        AllowUserFXP                 no
+        AllowAnonymousFXP            no
+        ProhibitDotFilesWrite        no
+        ProhibitDotFilesRead         no
+        AutoRename                   no
+        AnonymousCantUpload          no
+        MaxDiskUsage                 99
+        CustomerProof                yes
+        TLS                          1
+        CertFile                     /var/lib/acme/ftp/full.pem
+        '';
+    in {
+      description = "Pure-FTPd server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
+      serviceConfig.Type = "forking";
+      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
+    };
+  };
+
+}
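Review bot: The LDAP bind password interpolated on the `LDAPBindPW` line of `ldapConfigFile` is written with `pkgs.writeText`, so it lands in the world-readable `/nix/store` where any local user on the host (and anyone who can read the deployment closure or a binary cache it is pushed to) can recover it. Since this is a nixops module, the LDAP config can instead be shipped as a `deployment.keys` entry outside the store, referenced by path from `LDAPConfigFile`, with the unit ordered after the key's service (nixops names it `<key>-key.service` as far as I recall; verify against your nixops version). Separately, `TLS 1` leaves plaintext logins permitted, so the same LDAP credentials can be sent unencrypted over port 21; `TLS 2` would require TLS for authentication if your clients support it. The hunk is the whole new file, so nothing is cut off.
```nix
    # … unchanged: options, acme cert, packageOverrides, firewall, users …
    # The LDAP config holds the bind password: deploy it as a nixops key so it
    # never lands in the world-readable /nix/store.
    deployment.keys."pure-ftpd-ldap.conf" = {
      text = ''
        LDAPServer          ${myconfig.env.ftp.ldap.host}
        # … unchanged: remaining LDAP* directives, including LDAPBindPW …
      '';
      destDir = "/var/secrets";
      user = "root";
      group = "root";
      permissions = "0400";
    };

    systemd.services.pure-ftpd = let
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        # … unchanged: other pure-ftpd directives …
        LDAPConfigFile               /var/secrets/pure-ftpd-ldap.conf
        TLS                          2
        CertFile                     /var/lib/acme/ftp/full.pem
      '';
    in {
      after = [ "network.target" "pure-ftpd-ldap.conf-key.service" ];
      wants = [ "pure-ftpd-ldap.conf-key.service" ];
      # … unchanged: description, wantedBy, ExecStart, Type, PIDFile …
    };
```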