{ lib, pkgs, config, ... }:
# NixOS module for a pure-ftpd server that authenticates users against LDAP.
# The LDAP bind configuration (which contains the bind password) is deployed
# through the project's `secrets.keys` mechanism instead of the Nix store.
let
  # pure-ftpd built with a project-specific LDAP profile. Per the comment kept
  # inside the LDAP config below, the uid/gid and home directory of LDAP users
  # are compiled in (immaeFtpUid / immaeFtpGid / immaeFtpDirectory) rather
  # than read from the directory.
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
in
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # Backup of the FTP data root. `duplyBackup` and the remote names are
    # project-specific and defined elsewhere in this configuration.
    services.duplyBackup.profiles.ftp = {
      rootDir = "/var/lib/ftp";
      remotes = [ "eriomem" "ovh" ];
    };
    # Certificate used for FTP-over-TLS (see `CertFile` in the daemon config
    # below). The daemon is restarted after each renewal so it reloads the
    # new certificate.
    security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    # Control port plus the passive data range. The range must stay in sync
    # with `PassivePortRange` in the daemon config below.
    networking = {
      firewall = {
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    # System account for the daemon / anonymous sessions. Its uid (8) is also
    # the `MinUID` configured below, i.e. the lowest uid allowed to log in.
    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8
      group = "ftp";
      description = "Anonymous FTP user";
      # NOTE(review): this directory is not created anywhere in this module.
      # pure-ftpd serves anonymous sessions from the ftp account's home, so a
      # missing home presumably keeps anonymous logins from working even
      # though `NoAnonymous no` is set below — confirm this is the intended
      # way of keeping anonymous access off.
      home = "/homeless-shelter";
      # Presumably needed to read files deployed via `secrets.keys` (the
      # pure-ftpd-ldap key below) — verify against the secrets module.
      extraGroups = [ "keys" ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;

    # FTP data root: owned by ftp, world-readable, writable only by the owner.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP side configuration for pure-ftpd. Because it embeds the bind
    # password it is deployed outside the store, readable only by ftp (0400).
    # Settings, for the reader:
    #  - LDAPPort 389 + LDAPUseTLS True: presumably STARTTLS on the plain
    #    port, so the bind password is not sent in the clear — confirm the
    #    directory server enforces it.
    #  - LDAPAuthMethod BIND: the password is checked by binding as the user,
    #    not by comparing a password attribute.
    #  - LDAPDefaultUID/GID (not forced) are fallbacks when the entry carries
    #    none; the French comment in the file says the uid/gid cannot be
    #    supplied through LDAP at all and are compiled into pure-ftpd
    #    (immaeFtpUid / immaeFtpGid), as is the home (immaeFtpDirectory).
    secrets.keys = [{
      dest = "pure-ftpd-ldap";
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${config.myEnv.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${config.myEnv.ftp.ldap.base}
        LDAPBindDN ${config.myEnv.ftp.ldap.dn}
        LDAPBindPW ${config.myEnv.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${config.myEnv.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    }];

    # Restart the daemon whenever the deployed LDAP config changes (e.g. on a
    # bind-password rotation).
    services.filesWatcher.pure-ftpd = {
      restart = true;
      paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
    };

    systemd.services.pure-ftpd = let
      # Main daemon configuration. Security-relevant choices, for the reader:
      #  - ChrootEveryone yes: every session is jailed in its home directory.
      #  - TLS 1: TLS is offered but not required, so clients may still log in
      #    over cleartext FTP on port 21 and send their LDAP password in the
      #    clear. NOTE(review): `TLS 2` refuses non-TLS control connections
      #    (and `TLS 3` also requires TLS on data connections) — consider it
      #    once all clients support TLS.
      #  - NoAnonymous no / AnonymousCantUpload no: anonymous logins and
      #    anonymous uploads are not disabled here. AntiWarez yes keeps
      #    anonymously uploaded files from being downloaded until they are
      #    re-owned, and AnonymousCanCreateDirs no blocks mkdir. Whether
      #    anonymous access is reachable at all depends on the ftp account's
      #    home (see users.users.ftp above).
      #  - AllowUserFXP / AllowAnonymousFXP no: no server-to-server transfers.
      #  - PassivePortRange matches the firewall range opened above.
      #  - MinUID 8 is the ftp account's uid; lower uids cannot log in.
      #  - ProhibitDotFiles* no / DisplayDotFiles yes: dot files are listed,
      #    readable and writable by users.
      #  - CustomerProof yes: users cannot chmod away their own read/write
      #    bits on their files.
      #  - Umask 133:022: new files 0644, new directories 0755.
      #  - MaxDiskUsage 99: uploads are refused once the partition is 99% full.
      #  - LimitRecursion 10000 8: at most 10000 entries and 8 levels in a
      #    recursive listing.
      #  - MaxClientsNumber / MaxClientsPerIP / MaxIdleTime: connection and
      #    idle limits; DontResolve yes skips reverse DNS on clients.
      #  - SyslogFacility ftp with VerboseLog no: session events go to syslog
      #    under the ftp facility, with reduced detail.
      #  - CertFile: the ACME-managed certificate; full.pem presumably holds
      #    both the private key and the chain (NixOS ACME layout — verify).
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile ${config.security.acme.certs.ftp.directory}/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # `Daemonize yes` in the config makes this a forking service. No PIDFile
      # directive is set in the config above, so /run/pure-ftpd.pid is
      # presumably the daemon's default pid path — verify it matches.
      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}