{ lib, pkgs, config, ... }:
let
  cfg = config.services.pure-ftpd;
  ldap = config.myEnv.ftp.ldap;

  # pure-ftpd rebuilt with the site-specific LDAP attribute prefix. The
  # per-user uid/gid/home attribute names are derived from that id at build
  # time; the French comment inside the LDAP config text below records that
  # they cannot be set from the LDAP config file itself.
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };

  # Secret-free daemon configuration. pkgs.writeText places it in the Nix
  # store, which is world-readable, so the LDAP bind credentials stay in the
  # secrets.keys entry referenced through LDAPConfigFile and must never be
  # interpolated into this file.
  #
  # NOTE(review): "TLS 1" makes TLS optional, so a client that does not
  # upgrade still sends its LDAP-backed password in the clear; "TLS 2" would
  # refuse cleartext control sessions -- confirm client support before
  # tightening. "NoAnonymous no" together with "AnonymousCantUpload no"
  # leaves anonymous logins and uploads enabled at the daemon level; whether
  # they actually succeed depends on the ftp user's home (/homeless-shelter)
  # -- confirm this is intended. PassivePortRange must stay in step with
  # networking.firewall.allowedTCPPortRanges below.
  configFile = pkgs.writeText "pure-ftpd.conf" ''
    PassivePortRange 40000 50000
    ChrootEveryone yes
    CreateHomeDir yes
    BrokenClientsCompatibility yes
    MaxClientsNumber 50
    Daemonize yes
    MaxClientsPerIP 8
    VerboseLog no
    DisplayDotFiles yes
    AnonymousOnly no
    NoAnonymous no
    SyslogFacility ftp
    DontResolve yes
    MaxIdleTime 15
    LDAPConfigFile /var/secrets/pure-ftpd-ldap
    LimitRecursion 10000 8
    AnonymousCanCreateDirs no
    MaxLoad 4
    AntiWarez yes
    Umask 133:022
    # ftp
    MinUID 8
    AllowUserFXP no
    AllowAnonymousFXP no
    ProhibitDotFilesWrite no
    ProhibitDotFilesRead no
    AutoRename no
    AnonymousCantUpload no
    MaxDiskUsage 99
    CustomerProof yes
    TLS 1
    CertFile ${config.security.acme.certs.ftp.directory}/full.pem
  '';
in
{
  options.services.pure-ftpd.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Whether to enable pure-ftpd.
    '';
  };

  config = lib.mkIf cfg.enable {
    # Back up the FTP tree through the shared duply profile machinery.
    services.duplyBackup.profiles.ftp.rootDir = "/var/lib/ftp";

    # Certificate for the control channel; the daemon is restarted after each
    # renewal so it picks up the fresh full.pem referenced by CertFile.
    security.acme.certs.ftp = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      extraDomains = { "ftp.immae.eu" = null; };
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
    };

    # Control port plus the passive data range declared in pure-ftpd.conf.
    networking.firewall = {
      allowedTCPPorts = [ 21 ];
      allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;
    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8, mirrored by MinUID in pure-ftpd.conf
      group = "ftp";
      description = "Anonymous FTP user";
      home = "/homeless-shelter";
      # presumably needed to reach the deployed secrets directory -- verify
      extraGroups = [ "keys" ];
    };

    # Chroot root for authenticated users; created outside the store so it
    # is writable by the ftp account.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP client configuration, deployed outside the store because it
    # carries the bind password; readable by the ftp user only.
    secrets.keys = [
      {
        dest = "pure-ftpd-ldap";
        permissions = "0400";
        user = "ftp";
        group = "ftp";
        text = ''
          LDAPServer ${ldap.host}
          LDAPPort 389
          LDAPUseTLS True
          LDAPBaseDN ${ldap.base}
          LDAPBindDN ${ldap.dn}
          LDAPBindPW ${ldap.password}
          LDAPDefaultUID 500
          LDAPForceDefaultUID False
          LDAPDefaultGID 100
          LDAPForceDefaultGID False
          LDAPFilter ${ldap.filter}

          LDAPAuthMethod BIND

          # Pas de possibilite de donner l'Uid/Gid !
          # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
          LDAPHomeDir immaeFtpDirectory
        '';
      }
    ];

    # Restart the daemon whenever the deployed LDAP secret changes. The path
    # must match LDAPConfigFile in pure-ftpd.conf and is presumably where
    # secrets.keys writes "pure-ftpd-ldap" -- verify against that module.
    services.filesWatcher.pure-ftpd = {
      restart = true;
      paths = [ "/var/secrets/pure-ftpd-ldap" ];
    };

    systemd.services.pure-ftpd = {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${package}/bin/pure-ftpd ${configFile}";
        Type = "forking";
        PIDFile = "/run/pure-ftpd.pid";
      };
    };
  };
}