# NixOS module for a pure-ftpd server whose users are authenticated against
# LDAP. The pure-ftpd package is overridden with a project-specific LDAP id
# ("immaeFtp"); per the French comment kept inside the LDAP secret below, the
# uid/gid mapping cannot be supplied through the LDAP backend and is compiled
# into that override instead (immaeFtpUid / immaeFtpGid).
{ lib, pkgs, config, myconfig, ... }:

let
  # pure-ftpd built with the "immaeFtp" LDAP id (override defined outside this file).
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
in
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # Backup profile for the FTP data root (option provided by a project module).
    services.backup.profiles.ftp = {
      rootDir = "/var/lib/ftp";
    };
    # ACME certificate used for FTP-over-TLS. pure-ftpd reads it from
    # config.security.acme.directory/ftp/full.pem (see CertFile below), so the
    # service is restarted after each renewal to pick up the new certificate.
    security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    networking = {
      firewall = {
        # 21 is the control connection; 40000-50000 must stay in sync with
        # PassivePortRange in the pure-ftpd configuration below.
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    # System account "ftp" (uid config.ids.uids.ftp, 8 per the original
    # comment). MinUID 8 in the pure-ftpd configuration below is the lowest uid
    # pure-ftpd will accept, which admits this account and refuses lower system
    # uids. The "keys" group presumably grants read access to the deployed
    # secrets — verify against the secrets module.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp; # 8
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
        extraGroups = [ "keys" ];
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Create the FTP data root, owned by ftp:ftp, at activation time.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP backend configuration for pure-ftpd, deployed as a secret because it
    # contains the bind password; readable only by the ftp user (0400). Values
    # come from myconfig.env.ftp.ldap. LDAPUseTLS True upgrades the port-389
    # connection with STARTTLS so the bind password is not sent in clear to the
    # directory. NOTE(review): the password is interpolated at Nix evaluation
    # time; the secrets.keys mechanism (project module) is relied on to keep
    # this text out of the world-readable Nix store — confirm.
    secrets.keys = [{
      dest = "pure-ftpd-ldap";
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    }];

    # Restart pure-ftpd whenever the deployed LDAP secret changes (option
    # provided by a project module). The path must match LDAPConfigFile below.
    services.filesWatcher.pure-ftpd = {
      restart = true;
      paths = [ "/var/secrets/pure-ftpd-ldap" ];
    };

    systemd.services.pure-ftpd = let
      # Main pure-ftpd configuration. Security-relevant settings, for review:
      #  - TLS 1: TLS is offered but optional, so LDAP-backed username/password
      #    logins can still happen over cleartext FTP; TLS 2 would refuse
      #    cleartext authentication — check which clients actually need it.
      #  - NoAnonymous no together with AnonymousCantUpload no: anonymous logins
      #    and anonymous uploads are permitted (AnonymousCanCreateDirs no,
      #    AntiWarez yes — anonymous users cannot download files they uploaded —
      #    and MaxDiskUsage 99 bound the exposure) — confirm this drop-box
      #    behaviour is intended.
      #  - ChrootEveryone yes confines every session to its home directory.
      #  - PassivePortRange must match networking.firewall above; MinUID 8
      #    matches the ftp uid; LDAPConfigFile matches the secret deployed above.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile /var/secrets/pure-ftpd-ldap
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile ${config.security.acme.directory}/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # "Daemonize yes" in the config file goes with Type = "forking" and the
      # PID file systemd tracks the main process through.
      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };
}