X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fprivate%2Fftp.nix;h=cae25c1dc5fdc2828efa59701213e15ffcba4f3f;hb=965b61c2d82ce9df9d71b5a2b3a550eb1ee09646;hp=842d2d6540bbe65d0347c3989d0f243a24884b9f;hpb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 842d2d6..cae25c1 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -1,65 +1,84 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
+let
+ package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
+ pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
+ proftpd-enabled = config.myServices.ftp.proftpd.enable;
+in
{
options = {
- services.pure-ftpd.enable = lib.mkOption {
+ myServices.ftp.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable ftp.
+ '';
+ };
+ myServices.ftp.pure-ftpd.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable pure-ftpd.
'';
};
+ myServices.ftp.proftpd.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether to enable proftpd.
+ '';
+ };
};
- config = lib.mkIf config.services.pure-ftpd.enable {
- security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
+ config = lib.mkIf config.myServices.ftp.enable {
+ security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
domain = "eldiron.immae.eu";
- postRun = ''
+ postRun = (lib.optionalString pure-ftpd-enabled ''
systemctl restart pure-ftpd.service
- '';
+ '') + (lib.optionalString proftpd-enabled ''
+ systemctl restart proftpd.service
+ '');
extraDomains = { "ftp.immae.eu" = null; };
};
networking = {
firewall = {
- allowedTCPPorts = [ 21 ];
+ allowedTCPPorts = [ 21 115 ];
allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
};
};
- users.users = [
- {
- name = "ftp";
- uid = config.ids.uids.ftp; # 8
- group = "ftp";
- description = "Anonymous FTP user";
- home = "/homeless-shelter";
- extraGroups = [ "keys" ];
- }
- ];
+ users.users.ftp = {
+ uid = config.ids.uids.ftp; # 8
+ group = "ftp";
+ description = "Anonymous FTP user";
+ home = "/homeless-shelter";
+ extraGroups = [ "keys" ];
+ };
users.groups.ftp.gid = config.ids.gids.ftp;
- system.activationScripts.pure-ftpd = ''
+ system.activationScripts.ftp = ''
install -m 0755 -o ftp -g ftp -d /var/lib/ftp
- '';
+ '' + (lib.optionalString proftpd-enabled ''
+ install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
+ '');
- secrets.keys = [{
- dest = "pure-ftpd-ldap";
+ secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
permissions = "0400";
user = "ftp";
group = "ftp";
text = ''
- LDAPServer ${myconfig.env.ftp.ldap.host}
+ LDAPServer ${config.myEnv.ftp.ldap.host}
LDAPPort 389
LDAPUseTLS True
- LDAPBaseDN ${myconfig.env.ftp.ldap.base}
- LDAPBindDN ${myconfig.env.ftp.ldap.dn}
- LDAPBindPW ${myconfig.env.ftp.ldap.password}
+ LDAPBaseDN ${config.myEnv.ftp.ldap.base}
+ LDAPBindDN ${config.myEnv.ftp.ldap.dn}
+ LDAPBindPW ${config.myEnv.ftp.ldap.password}
LDAPDefaultUID 500
LDAPForceDefaultUID False
LDAPDefaultGID 100
LDAPForceDefaultGID False
- LDAPFilter ${myconfig.env.ftp.ldap.filter}
+ LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter}
LDAPAuthMethod BIND
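Review bot: The key directory created by `install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys` is owned by the shared `nobody` account, and the cron entry in the last hunk (`*/2 * * * * nobody ${./ftp_sync.sh}`) writes into it as that same account, so every other process on the host that runs as `nobody` can place public keys that proftpd later trusts through `SFTPAuthorizedUserKeys`. A dedicated system user for the sync job (a `users.users` entry such as `ftp-sync`, name constructed here) owning that directory would confine write access to the one job that needs it; if `nobody` is deliberate, a short comment next to the `install` line saying why would help the next reader. The `secrets.keys."pure-ftpd-ldap"` entry keeps the LDAP bind password at `0400` for `ftp:ftp`, which matches how the daemon consumes it and needs no change.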
@@ -67,11 +86,43 @@
# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
LDAPHomeDir immaeFtpDirectory
'';
- }];
+ };
+ secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
+ permissions = "0400";
+ user = "ftp";
+ group = "ftp";
+ text = ''
+ LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
+ LDAPUseTLS on
+ LDAPAuthBinds on
+ LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
+ LDAPSearchScope subtree
+ LDAPAuthBinds on
+ LDAPDefaultGID 100
+ LDAPDefaultUID 500
+ LDAPForceDefaultUID off
+ LDAPForceDefaultGID off
+ LDAPAttr gidNumber immaeFtpGid
+ LDAPAttr uidNumber immaeFtpUid
+ LDAPAttr homeDirectory immaeFtpDirectory
+ LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
+ LDAPGroups "${config.myEnv.ftp.ldap.base}"
+ '';
+ };
+
+ services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
+ restart = true;
+ paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
+ };
+ services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
+ restart = true;
+ paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
+ };
systemd.services.pure-ftpd = let
configFile = pkgs.writeText "pure-ftpd.conf" ''
PassivePortRange 40000 50000
+ Bind 42
ChrootEveryone yes
CreateHomeDir yes
BrokenClientsCompatibility yes
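Review bot: The new `proftpd-ldap.conf` secret sets `LDAPAuthBinds on` twice (once after `LDAPUseTLS on`, once after `LDAPSearchScope subtree`); one of them should go. It also combines an `ldaps://…:636` URL with `LDAPUseTLS on`, and in mod_ldap the latter requests STARTTLS on a plain `ldap://` connection, so on an `ldaps://` URL it is at best redundant — worth confirming against the mod_ldap documentation of the proftpd version in `pkgs` and dropping whichever form is not needed. Separately, the `Bind 42` added to `pure-ftpd.conf` appears to move pure-ftpd to port 42 (pure-ftpd's `Bind` takes an address and/or port), which is not in the `allowedTCPPorts = [ 21 115 ]` list of the first hunk; if the intent is to leave port 21 to proftpd, a comment such as `# port 42: proftpd owns 21 by default` would make that explicit, and if not, the daemon is unreachable through the firewall. The `systemd.services.pure-ftpd` definition this hunk belongs to continues past the hunk.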
@@ -85,7 +136,7 @@
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
- LDAPConfigFile /var/secrets/pure-ftpd-ldap
+ LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
LimitRecursion 10000 8
AnonymousCanCreateDirs no
MaxLoad 4
@@ -102,17 +153,96 @@
MaxDiskUsage 99
CustomerProof yes
TLS 1
- CertFile ${config.security.acme.directory}/ftp/full.pem
+ CertFile ${config.security.acme.certs.ftp.directory}/full.pem
'';
- in {
+ in lib.mkIf pure-ftpd-enabled {
description = "Pure-FTPd server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
- serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
+ serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
serviceConfig.Type = "forking";
serviceConfig.PIDFile = "/run/pure-ftpd.pid";
};
+
+ systemd.services.proftpd = let
+ configFile = pkgs.writeText "proftpd.conf" ''
+ ServerName "ProFTPD"
+ ServerType standalone
+ DefaultServer on
+
+ Port 21
+ UseIPv6 on
+ Umask 022
+ MaxInstances 30
+ MaxClients 50
+ MaxClientsPerHost 8
+
+ # Set the user and group under which the server will run.
+ User ftp
+ Group ftp
+
+ CreateHome on
+ DefaultRoot ~
+
+ AllowOverwrite on
+
+ TLSEngine on
+ TLSRequired off
+ TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
+
+ TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
+ TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
+ TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
+ TLSRenegotiate none
+ PidFile /run/proftpd/proftpd.pid
+
+ ScoreboardFile /run/proftpd/proftpd.scoreboard
+
+ PassivePorts 40000 50000
+ #DebugLevel 10
+ Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
+
+ RequireValidShell off
+
+ # Bar use of SITE CHMOD by default
+
+ DenyAll
+
+
+
+ Umask 022
+ Port 115
+ SFTPEngine on
+ CreateHome on
+ DefaultRoot ~
+
+ AllowOverwrite on
+
+ SFTPHostKey /etc/ssh/ssh_host_ed25519_key
+ SFTPHostKey /etc/ssh/ssh_host_rsa_key
+ Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
+ RequireValidShell off
+ SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
+ SFTPAuthMethods password publickey
+
+ SFTPOptions IgnoreSFTPSetOwners
+
+ '';
+ in lib.mkIf proftpd-enabled {
+ description = "ProFTPD server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
+ serviceConfig.Type = "forking";
+ serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
+ serviceConfig.RuntimeDirectory = "proftpd";
+ };
+
+ services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
+ "*/2 * * * * nobody ${./ftp_sync.sh}"
+ ];
};
}
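Review bot: `TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3` in the new `proftpd.conf` still offers TLS 1.1, which is deprecated (RFC 8996) and brings nothing for current clients; `TLSProtocol TLSv1.2 TLSv1.3` is enough. Together with `TLSRequired off`, a client may also send its LDAP password over an unencrypted control channel, so `TLSRequired on` (or `TLSRequired auth` if plaintext data transfers must remain possible) would protect the credentials — unless the intent is to keep serving legacy clients that cannot negotiate TLS, in which case a comment stating that would help. As rendered here, the `DenyAll` under `# Bar use of SITE CHMOD by default` and the second `Port 115` / `SFTPEngine on` block sit at the top level, whereas in ProFTPD they normally live inside a `<Limit SITE_CHMOD>` and a `<VirtualHost>` section; if the angle-bracket tags were dropped by this rendering rather than by the commit there is nothing to fix, but the file is worth checking, since a top-level `DenyAll` would refuse every client and the second `Port` would override the first.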