+++ /dev/null
-{ lib, pkgs, config, myconfig, ... }:
-{
- options = {
- services.pure-ftpd.enable = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = ''
- Whether to enable pure-ftpd.
- '';
- };
- };
-
- config = lib.mkIf config.services.pure-ftpd.enable {
- security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
- domain = "eldiron.immae.eu";
- postRun = ''
- systemctl restart pure-ftpd.service
- '';
- extraDomains = { "ftp.immae.eu" = null; };
- };
-
- networking = {
- firewall = {
- allowedTCPPorts = [ 21 ];
- allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
- };
- };
-
- users.users = [
- {
- name = "ftp";
- uid = config.ids.uids.ftp; # 8
- group = "ftp";
- description = "Anonymous FTP user";
- home = "/homeless-shelter";
- extraGroups = [ "keys" ];
- }
- ];
-
- users.groups.ftp.gid = config.ids.gids.ftp;
-
- system.activationScripts.pure-ftpd = ''
- install -m 0755 -o ftp -g ftp -d /var/lib/ftp
- '';
-
- secrets.keys = [{
- dest = "pure-ftpd-ldap";
- permissions = "0400";
- user = "ftp";
- group = "ftp";
- text = ''
- LDAPServer ${myconfig.env.ftp.ldap.host}
- LDAPPort 389
- LDAPUseTLS True
- LDAPBaseDN ${myconfig.env.ftp.ldap.base}
- LDAPBindDN ${myconfig.env.ftp.ldap.dn}
- LDAPBindPW ${myconfig.env.ftp.ldap.password}
- LDAPDefaultUID 500
- LDAPForceDefaultUID False
- LDAPDefaultGID 100
- LDAPForceDefaultGID False
- LDAPFilter ${myconfig.env.ftp.ldap.filter}
-
- LDAPAuthMethod BIND
-
- # Pas de possibilite de donner l'Uid/Gid !
- # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
- LDAPHomeDir immaeFtpDirectory
- '';
- }];
-
- systemd.services.pure-ftpd = let
- configFile = pkgs.writeText "pure-ftpd.conf" ''
- PassivePortRange 40000 50000
- ChrootEveryone yes
- CreateHomeDir yes
- BrokenClientsCompatibility yes
- MaxClientsNumber 50
- Daemonize yes
- MaxClientsPerIP 8
- VerboseLog no
- DisplayDotFiles yes
- AnonymousOnly no
- NoAnonymous no
- SyslogFacility ftp
- DontResolve yes
- MaxIdleTime 15
- LDAPConfigFile /var/secrets/pure-ftpd-ldap
- LimitRecursion 10000 8
- AnonymousCanCreateDirs no
- MaxLoad 4
- AntiWarez yes
- Umask 133:022
- # ftp
- MinUID 8
- AllowUserFXP no
- AllowAnonymousFXP no
- ProhibitDotFilesWrite no
- ProhibitDotFilesRead no
- AutoRename no
- AnonymousCantUpload no
- MaxDiskUsage 99
- CustomerProof yes
- TLS 1
- CertFile ${config.security.acme.directory}/ftp/full.pem
- '';
- in {
- description = "Pure-FTPd server";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
-
- serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
- serviceConfig.Type = "forking";
- serviceConfig.PIDFile = "/run/pure-ftpd.pid";
- };
- };
-
-}