[perso/Immae/Config/Nix.git] / modules / private / ftp.nix

{ lib, pkgs, config, ... }:
let
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
  pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
  proftpd-enabled = config.myServices.ftp.proftpd.enable;
in
{
  options = {
    myServices.ftp.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ftp.
      '';
    };
    myServices.ftp.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
    myServices.ftp.proftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enable proftpd.
      '';
    };
  };

  config = lib.mkIf config.myServices.ftp.enable {
    security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = (lib.optionalString pure-ftpd-enabled ''
        systemctl restart pure-ftpd.service
      '') + (lib.optionalString proftpd-enabled ''
        systemctl restart proftpd.service
      '');
      extraDomains = { "ftp.immae.eu" = null; };
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ 21 115 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8
      group = "ftp";
      description = "Anonymous FTP user";
      home = "/homeless-shelter";
      extraGroups = [ "keys" ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;

    system.activationScripts.ftp = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '' + (lib.optionalString proftpd-enabled ''
      install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
      '');

    secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ${config.myEnv.ftp.ldap.host}
        LDAPPort            389
        LDAPUseTLS          True
        LDAPBaseDN          ${config.myEnv.ftp.ldap.base}
        LDAPBindDN          ${config.myEnv.ftp.ldap.dn}
        LDAPBindPW          ${config.myEnv.ftp.ldap.password}
        LDAPDefaultUID      500
        LDAPForceDefaultUID False
        LDAPDefaultGID      100
        LDAPForceDefaultGID False
        LDAPFilter          ${config.myEnv.ftp.ldap.pure-ftpd_filter}

        LDAPAuthMethod      BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir         immaeFtpDirectory
        '';
    };
    secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
        LDAPUseTLS          on
        LDAPAuthBinds       on
        LDAPBindDN          "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
        LDAPSearchScope     subtree
        LDAPAuthBinds       on
        LDAPDefaultGID      100
        LDAPDefaultUID      500
        LDAPForceDefaultUID off
        LDAPForceDefaultGID off
        LDAPAttr            gidNumber immaeFtpGid
        LDAPAttr            uidNumber immaeFtpUid
        LDAPAttr            homeDirectory immaeFtpDirectory
        LDAPUsers           "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
        LDAPGroups          "${config.myEnv.ftp.ldap.base}"
      '';
    };

    services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
    };
    services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
    };

    systemd.services.pure-ftpd = let
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange             40000 50000
        Bind                         42
        ChrootEveryone               yes
        CreateHomeDir                yes
        BrokenClientsCompatibility   yes
        MaxClientsNumber             50
        Daemonize                    yes
        MaxClientsPerIP              8
        VerboseLog                   no
        DisplayDotFiles              yes
        AnonymousOnly                no
        NoAnonymous                  no
        SyslogFacility               ftp
        DontResolve                  yes
        MaxIdleTime                  15
        LDAPConfigFile               ${config.secrets.fullPaths."pure-ftpd-ldap"}
        LimitRecursion               10000 8
        AnonymousCanCreateDirs       no
        MaxLoad                      4
        AntiWarez                    yes
        Umask                        133:022
        # ftp
        MinUID                       8
        AllowUserFXP                 no
        AllowAnonymousFXP            no
        ProhibitDotFilesWrite        no
        ProhibitDotFilesRead         no
        AutoRename                   no
        AnonymousCantUpload          no
        MaxDiskUsage                 99
        CustomerProof                yes
        TLS                          1
        CertFile                     ${config.security.acme.certs.ftp.directory}/full.pem
        '';
    in lib.mkIf pure-ftpd-enabled {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };

    systemd.services.proftpd = let
      configFile = pkgs.writeText "proftpd.conf" ''
        ServerName		"ProFTPD"
        ServerType		standalone
        DefaultServer		on

        Port			21
        UseIPv6			on
        Umask			022
        MaxInstances		30
        MaxClients		50
        MaxClientsPerHost	8

        # Set the user and group under which the server will run.
        User			ftp
        Group			ftp

        CreateHome		on
        DefaultRoot		~

        AllowOverwrite		on

        TLSEngine		on
        TLSRequired		off
        TLSProtocol		TLSv1.1 TLSv1.2 TLSv1.3

        TLSCertificateChainFile	${config.security.acme.certs.ftp.directory}/fullchain.pem
        TLSECCertificateFile	${config.security.acme.certs.ftp.directory}/cert.pem
        TLSECCertificateKeyFile	${config.security.acme.certs.ftp.directory}/key.pem
        TLSRenegotiate none
        PidFile			/run/proftpd/proftpd.pid

        ScoreboardFile		/run/proftpd/proftpd.scoreboard

        PassivePorts		40000 50000
        #DebugLevel		10
        Include			${config.secrets.fullPaths."proftpd-ldap.conf"}

        RequireValidShell	off

        # Bar use of SITE CHMOD by default
        <Limit SITE_CHMOD>
          DenyAll
        </Limit>

        <VirtualHost 0.0.0.0>
          Umask				022
          Port				115
          SFTPEngine			on
          CreateHome			on
          DefaultRoot			~

          AllowOverwrite		on

          SFTPHostKey			/etc/ssh/ssh_host_ed25519_key
          SFTPHostKey			/etc/ssh/ssh_host_rsa_key
          Include			${config.secrets.fullPaths."proftpd-ldap.conf"}
          RequireValidShell		off
          SFTPAuthorizedUserKeys	file:/var/lib/proftpd/authorized_keys/%u
          SFTPAuthMethods		password publickey
        </VirtualHost>
        '';
    in lib.mkIf proftpd-enabled {
      description = "ProFTPD server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
      serviceConfig.RuntimeDirectory = "proftpd";
    };

    services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
      "*/2 * * * * nobody ${./ftp_sync.sh}"
    ];
  };

}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
fe696f35 IB	2	let
fe696f35 IB	3	package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
fcbdf67a IB	4	pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
fcbdf67a IB	5	proftpd-enabled = config.myServices.ftp.proftpd.enable;
fe696f35	6	in
439049e5 IB	7	{
439049e5 IB	8	options = {
fcbdf67a IB	9	myServices.ftp.enable = lib.mkOption {
	10	type = lib.types.bool;
	11	default = false;
	12	description = ''
	13	Whether to enable ftp.
	14	'';
	15	};
	16	myServices.ftp.pure-ftpd.enable = lib.mkOption {
439049e5 IB	17	type = lib.types.bool;
	18	default = false;
	19	description = ''
	20	Whether to enable pure-ftpd.
	21	'';
	22	};
fcbdf67a IB	23	myServices.ftp.proftpd.enable = lib.mkOption {
	24	type = lib.types.bool;
	25	default = true;
	26	description = ''
	27	Whether to enable proftpd.
	28	'';
	29	};
439049e5 IB	30	};
439049e5 IB	31
fcbdf67a	32	config = lib.mkIf config.myServices.ftp.enable {
5400b9b6	33	security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
439049e5	34	domain = "eldiron.immae.eu";
fcbdf67a	35	postRun = (lib.optionalString pure-ftpd-enabled ''
740f9843	36	systemctl restart pure-ftpd.service
fcbdf67a IB	37	'') + (lib.optionalString proftpd-enabled ''
	38	systemctl restart proftpd.service
	39	'');
19be5cd2	40	extraDomains = { "ftp.immae.eu" = null; };
439049e5 IB	41	};
439049e5 IB	42
439049e5 IB	43	networking = {
439049e5 IB	44	firewall = {
fcbdf67a	45	allowedTCPPorts = [ 21 115 ];
439049e5 IB	46	allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
	47	};
	48	};
	49
258dd18b IB	50	users.users.ftp = {
	51	uid = config.ids.uids.ftp; # 8
	52	group = "ftp";
	53	description = "Anonymous FTP user";
	54	home = "/homeless-shelter";
	55	extraGroups = [ "keys" ];
	56	};
439049e5 IB	57
	58	users.groups.ftp.gid = config.ids.gids.ftp;
	59
fcbdf67a	60	system.activationScripts.ftp = ''
439049e5	61	install -m 0755 -o ftp -g ftp -d /var/lib/ftp
fcbdf67a IB	62	'' + (lib.optionalString proftpd-enabled ''
	63	install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
	64	'');
439049e5	65
fcbdf67a	66	secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
926a4007 IB	67	permissions = "0400";
	68	user = "ftp";
	69	group = "ftp";
	70	text = ''
ab8f306d	71	LDAPServer ${config.myEnv.ftp.ldap.host}
439049e5 IB	72	LDAPPort 389
439049e5 IB	73	LDAPUseTLS True
ab8f306d IB	74	LDAPBaseDN ${config.myEnv.ftp.ldap.base}
	75	LDAPBindDN ${config.myEnv.ftp.ldap.dn}
	76	LDAPBindPW ${config.myEnv.ftp.ldap.password}
439049e5 IB	77	LDAPDefaultUID 500
	78	LDAPForceDefaultUID False
	79	LDAPDefaultGID 100
	80	LDAPForceDefaultGID False
fcbdf67a	81	LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter}
439049e5 IB	82
	83	LDAPAuthMethod BIND
	84
926a4007 IB	85	# Pas de possibilite de donner l'Uid/Gid !
926a4007 IB	86	# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
439049e5 IB	87	LDAPHomeDir immaeFtpDirectory
439049e5 IB	88	'';
4c4652aa	89	};
fcbdf67a IB	90	secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
	91	permissions = "0400";
	92	user = "ftp";
	93	group = "ftp";
	94	text = ''
	95	LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
	96	LDAPUseTLS on
	97	LDAPAuthBinds on
	98	LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
	99	LDAPSearchScope subtree
	100	LDAPAuthBinds on
	101	LDAPDefaultGID 100
	102	LDAPDefaultUID 500
	103	LDAPForceDefaultUID off
	104	LDAPForceDefaultGID off
	105	LDAPAttr gidNumber immaeFtpGid
	106	LDAPAttr uidNumber immaeFtpUid
	107	LDAPAttr homeDirectory immaeFtpDirectory
	108	LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
	109	LDAPGroups "${config.myEnv.ftp.ldap.base}"
	110	'';
	111	};
926a4007	112
fcbdf67a	113	services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
17f6eae9	114	restart = true;
da30ae4f	115	paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
17f6eae9	116	};
fcbdf67a IB	117	services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
	118	restart = true;
	119	paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
	120	};
17f6eae9	121
926a4007	122	systemd.services.pure-ftpd = let
439049e5 IB	123	configFile = pkgs.writeText "pure-ftpd.conf" ''
439049e5 IB	124	PassivePortRange 40000 50000
fcbdf67a	125	Bind 42
439049e5 IB	126	ChrootEveryone yes
	127	CreateHomeDir yes
	128	BrokenClientsCompatibility yes
	129	MaxClientsNumber 50
	130	Daemonize yes
	131	MaxClientsPerIP 8
	132	VerboseLog no
	133	DisplayDotFiles yes
	134	AnonymousOnly no
	135	NoAnonymous no
	136	SyslogFacility ftp
	137	DontResolve yes
	138	MaxIdleTime 15
da30ae4f	139	LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
439049e5 IB	140	LimitRecursion 10000 8
	141	AnonymousCanCreateDirs no
	142	MaxLoad 4
	143	AntiWarez yes
	144	Umask 133:022
	145	# ftp
	146	MinUID 8
	147	AllowUserFXP no
	148	AllowAnonymousFXP no
	149	ProhibitDotFilesWrite no
	150	ProhibitDotFilesRead no
	151	AutoRename no
	152	AnonymousCantUpload no
	153	MaxDiskUsage 99
	154	CustomerProof yes
	155	TLS 1
5400b9b6	156	CertFile ${config.security.acme.certs.ftp.directory}/full.pem
439049e5	157	'';
fcbdf67a	158	in lib.mkIf pure-ftpd-enabled {
439049e5 IB	159	description = "Pure-FTPd server";
	160	wantedBy = [ "multi-user.target" ];
	161	after = [ "network.target" ];
	162
fe696f35	163	serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
439049e5 IB	164	serviceConfig.Type = "forking";
	165	serviceConfig.PIDFile = "/run/pure-ftpd.pid";
	166	};
fcbdf67a IB	167
	168	systemd.services.proftpd = let
	169	configFile = pkgs.writeText "proftpd.conf" ''
	170	ServerName "ProFTPD"
	171	ServerType standalone
	172	DefaultServer on
	173
	174	Port 21
	175	UseIPv6 on
	176	Umask 022
	177	MaxInstances 30
	178	MaxClients 50
	179	MaxClientsPerHost 8
	180
	181	# Set the user and group under which the server will run.
	182	User ftp
	183	Group ftp
	184
	185	CreateHome on
	186	DefaultRoot ~
	187
	188	AllowOverwrite on
	189
	190	TLSEngine on
	191	TLSRequired off
	192	TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
	193
	194	TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
	195	TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
	196	TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
	197	TLSRenegotiate none
	198	PidFile /run/proftpd/proftpd.pid
	199
	200	ScoreboardFile /run/proftpd/proftpd.scoreboard
	201
	202	PassivePorts 40000 50000
	203	#DebugLevel 10
	204	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	205
	206	RequireValidShell off
	207
	208	# Bar use of SITE CHMOD by default
	209	<Limit SITE_CHMOD>
	210	DenyAll
	211	</Limit>
	212
	213	<VirtualHost 0.0.0.0>
	214	Umask 022
	215	Port 115
	216	SFTPEngine on
	217	CreateHome on
	218	DefaultRoot ~
	219
	220	AllowOverwrite on
	221
	222	SFTPHostKey /etc/ssh/ssh_host_ed25519_key
	223	SFTPHostKey /etc/ssh/ssh_host_rsa_key
	224	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	225	RequireValidShell off
	226	SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
	227	SFTPAuthMethods password publickey
	228	</VirtualHost>
	229	'';
	230	in lib.mkIf proftpd-enabled {
231	description = "ProFTPD server";
232	wantedBy = [ "multi-user.target" ];
233	after = [ "network.target" ];
234
235	serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
236	serviceConfig.Type = "forking";
237	serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
238	serviceConfig.RuntimeDirectory = "proftpd";
239	};
240
241	services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
242	"/2 * * * nobody ${./ftp_sync.sh}"
243	];
439049e5 IB	244	};
	245
	246	}