[perso/Immae/Config/Nix.git] / modules / private / ftp.nix

{ lib, pkgs, config, ... }:
let
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
  pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
  proftpd-enabled = config.myServices.ftp.proftpd.enable;
in
{
  options = {
    myServices.ftp.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ftp.
      '';
    };
    myServices.ftp.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
    myServices.ftp.proftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enable proftpd.
      '';
    };
  };

  config = lib.mkIf config.myServices.ftp.enable {
    services.duplyBackup.profiles.ftp = {
      rootDir = "/var/lib/ftp";
      remotes = [ "eriomem" "ovh" ];
    };
    security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = (lib.optionalString pure-ftpd-enabled ''
        systemctl restart pure-ftpd.service
      '') + (lib.optionalString proftpd-enabled ''
        systemctl restart proftpd.service
      '');
      extraDomains = { "ftp.immae.eu" = null; };
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ 21 115 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8
      group = "ftp";
      description = "Anonymous FTP user";
      home = "/homeless-shelter";
      extraGroups = [ "keys" ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;

    system.activationScripts.ftp = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '' + (lib.optionalString proftpd-enabled ''
      install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
      '');

    secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ${config.myEnv.ftp.ldap.host}
        LDAPPort            389
        LDAPUseTLS          True
        LDAPBaseDN          ${config.myEnv.ftp.ldap.base}
        LDAPBindDN          ${config.myEnv.ftp.ldap.dn}
        LDAPBindPW          ${config.myEnv.ftp.ldap.password}
        LDAPDefaultUID      500
        LDAPForceDefaultUID False
        LDAPDefaultGID      100
        LDAPForceDefaultGID False
        LDAPFilter          ${config.myEnv.ftp.ldap.pure-ftpd_filter}

        LDAPAuthMethod      BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir         immaeFtpDirectory
        '';
    };
    secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
        LDAPUseTLS          on
        LDAPAuthBinds       on
        LDAPBindDN          "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
        LDAPSearchScope     subtree
        LDAPAuthBinds       on
        LDAPDefaultGID      100
        LDAPDefaultUID      500
        LDAPForceDefaultUID off
        LDAPForceDefaultGID off
        LDAPAttr            gidNumber immaeFtpGid
        LDAPAttr            uidNumber immaeFtpUid
        LDAPAttr            homeDirectory immaeFtpDirectory
        LDAPUsers           "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
        LDAPGroups          "${config.myEnv.ftp.ldap.base}"
      '';
    };

    services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
    };
    services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
    };

    systemd.services.pure-ftpd = let
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange             40000 50000
        Bind                         42
        ChrootEveryone               yes
        CreateHomeDir                yes
        BrokenClientsCompatibility   yes
        MaxClientsNumber             50
        Daemonize                    yes
        MaxClientsPerIP              8
        VerboseLog                   no
        DisplayDotFiles              yes
        AnonymousOnly                no
        NoAnonymous                  no
        SyslogFacility               ftp
        DontResolve                  yes
        MaxIdleTime                  15
        LDAPConfigFile               ${config.secrets.fullPaths."pure-ftpd-ldap"}
        LimitRecursion               10000 8
        AnonymousCanCreateDirs       no
        MaxLoad                      4
        AntiWarez                    yes
        Umask                        133:022
        # ftp
        MinUID                       8
        AllowUserFXP                 no
        AllowAnonymousFXP            no
        ProhibitDotFilesWrite        no
        ProhibitDotFilesRead         no
        AutoRename                   no
        AnonymousCantUpload          no
        MaxDiskUsage                 99
        CustomerProof                yes
        TLS                          1
        CertFile                     ${config.security.acme.certs.ftp.directory}/full.pem
        '';
    in lib.mkIf pure-ftpd-enabled {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };

    systemd.services.proftpd = let
      configFile = pkgs.writeText "proftpd.conf" ''
        ServerName		"ProFTPD"
        ServerType		standalone
        DefaultServer		on

        Port			21
        UseIPv6			on
        Umask			022
        MaxInstances		30
        MaxClients		50
        MaxClientsPerHost	8

        # Set the user and group under which the server will run.
        User			ftp
        Group			ftp

        CreateHome		on
        DefaultRoot		~

        AllowOverwrite		on

        TLSEngine		on
        TLSRequired		off
        TLSProtocol		TLSv1.1 TLSv1.2 TLSv1.3

        TLSCertificateChainFile	${config.security.acme.certs.ftp.directory}/fullchain.pem
        TLSECCertificateFile	${config.security.acme.certs.ftp.directory}/cert.pem
        TLSECCertificateKeyFile	${config.security.acme.certs.ftp.directory}/key.pem
        TLSRenegotiate none
        PidFile			/run/proftpd/proftpd.pid

        ScoreboardFile		/run/proftpd/proftpd.scoreboard

        PassivePorts		40000 50000
        #DebugLevel		10
        Include			${config.secrets.fullPaths."proftpd-ldap.conf"}

        RequireValidShell	off

        # Bar use of SITE CHMOD by default
        <Limit SITE_CHMOD>
          DenyAll
        </Limit>

        <VirtualHost 0.0.0.0>
          Umask				022
          Port				115
          SFTPEngine			on
          CreateHome			on
          DefaultRoot			~

          AllowOverwrite		on

          SFTPHostKey			/etc/ssh/ssh_host_ed25519_key
          SFTPHostKey			/etc/ssh/ssh_host_rsa_key
          Include			${config.secrets.fullPaths."proftpd-ldap.conf"}
          RequireValidShell		off
          SFTPAuthorizedUserKeys	file:/var/lib/proftpd/authorized_keys/%u
          SFTPAuthMethods		password publickey
        </VirtualHost>
        '';
    in lib.mkIf proftpd-enabled {
      description = "ProFTPD server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
      serviceConfig.RuntimeDirectory = "proftpd";
    };

    services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
      "*/2 * * * * nobody ${./ftp_sync.sh}"
    ];
  };

}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
fe696f35 IB	2	let
fe696f35 IB	3	package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
fcbdf67a IB	4	pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
fcbdf67a IB	5	proftpd-enabled = config.myServices.ftp.proftpd.enable;
fe696f35	6	in
439049e5 IB	7	{
439049e5 IB	8	options = {
fcbdf67a IB	9	myServices.ftp.enable = lib.mkOption {
	10	type = lib.types.bool;
	11	default = false;
	12	description = ''
	13	Whether to enable ftp.
	14	'';
	15	};
	16	myServices.ftp.pure-ftpd.enable = lib.mkOption {
439049e5 IB	17	type = lib.types.bool;
	18	default = false;
	19	description = ''
	20	Whether to enable pure-ftpd.
	21	'';
	22	};
fcbdf67a IB	23	myServices.ftp.proftpd.enable = lib.mkOption {
	24	type = lib.types.bool;
	25	default = true;
	26	description = ''
	27	Whether to enable proftpd.
	28	'';
	29	};
439049e5 IB	30	};
439049e5 IB	31
fcbdf67a	32	config = lib.mkIf config.myServices.ftp.enable {
d2e703c5	33	services.duplyBackup.profiles.ftp = {
6a8252b1	34	rootDir = "/var/lib/ftp";
546864bc	35	remotes = [ "eriomem" "ovh" ];
6a8252b1	36	};
5400b9b6	37	security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
439049e5	38	domain = "eldiron.immae.eu";
fcbdf67a	39	postRun = (lib.optionalString pure-ftpd-enabled ''
740f9843	40	systemctl restart pure-ftpd.service
fcbdf67a IB	41	'') + (lib.optionalString proftpd-enabled ''
	42	systemctl restart proftpd.service
	43	'');
19be5cd2	44	extraDomains = { "ftp.immae.eu" = null; };
439049e5 IB	45	};
439049e5 IB	46
439049e5 IB	47	networking = {
439049e5 IB	48	firewall = {
fcbdf67a	49	allowedTCPPorts = [ 21 115 ];
439049e5 IB	50	allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
	51	};
	52	};
	53
258dd18b IB	54	users.users.ftp = {
	55	uid = config.ids.uids.ftp; # 8
	56	group = "ftp";
	57	description = "Anonymous FTP user";
	58	home = "/homeless-shelter";
	59	extraGroups = [ "keys" ];
	60	};
439049e5 IB	61
	62	users.groups.ftp.gid = config.ids.gids.ftp;
	63
fcbdf67a	64	system.activationScripts.ftp = ''
439049e5	65	install -m 0755 -o ftp -g ftp -d /var/lib/ftp
fcbdf67a IB	66	'' + (lib.optionalString proftpd-enabled ''
	67	install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
	68	'');
439049e5	69
fcbdf67a	70	secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
926a4007 IB	71	permissions = "0400";
	72	user = "ftp";
	73	group = "ftp";
	74	text = ''
ab8f306d	75	LDAPServer ${config.myEnv.ftp.ldap.host}
439049e5 IB	76	LDAPPort 389
439049e5 IB	77	LDAPUseTLS True
ab8f306d IB	78	LDAPBaseDN ${config.myEnv.ftp.ldap.base}
	79	LDAPBindDN ${config.myEnv.ftp.ldap.dn}
	80	LDAPBindPW ${config.myEnv.ftp.ldap.password}
439049e5 IB	81	LDAPDefaultUID 500
	82	LDAPForceDefaultUID False
	83	LDAPDefaultGID 100
	84	LDAPForceDefaultGID False
fcbdf67a	85	LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter}
439049e5 IB	86
	87	LDAPAuthMethod BIND
	88
926a4007 IB	89	# Pas de possibilite de donner l'Uid/Gid !
926a4007 IB	90	# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
439049e5 IB	91	LDAPHomeDir immaeFtpDirectory
439049e5 IB	92	'';
4c4652aa	93	};
fcbdf67a IB	94	secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
	95	permissions = "0400";
	96	user = "ftp";
	97	group = "ftp";
	98	text = ''
	99	LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
	100	LDAPUseTLS on
	101	LDAPAuthBinds on
	102	LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
	103	LDAPSearchScope subtree
	104	LDAPAuthBinds on
	105	LDAPDefaultGID 100
	106	LDAPDefaultUID 500
	107	LDAPForceDefaultUID off
	108	LDAPForceDefaultGID off
	109	LDAPAttr gidNumber immaeFtpGid
	110	LDAPAttr uidNumber immaeFtpUid
	111	LDAPAttr homeDirectory immaeFtpDirectory
	112	LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
	113	LDAPGroups "${config.myEnv.ftp.ldap.base}"
	114	'';
	115	};
926a4007	116
fcbdf67a	117	services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
17f6eae9	118	restart = true;
da30ae4f	119	paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
17f6eae9	120	};
fcbdf67a IB	121	services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
	122	restart = true;
	123	paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
	124	};
17f6eae9	125
926a4007	126	systemd.services.pure-ftpd = let
439049e5 IB	127	configFile = pkgs.writeText "pure-ftpd.conf" ''
439049e5 IB	128	PassivePortRange 40000 50000
fcbdf67a	129	Bind 42
439049e5 IB	130	ChrootEveryone yes
	131	CreateHomeDir yes
	132	BrokenClientsCompatibility yes
	133	MaxClientsNumber 50
	134	Daemonize yes
	135	MaxClientsPerIP 8
	136	VerboseLog no
	137	DisplayDotFiles yes
	138	AnonymousOnly no
	139	NoAnonymous no
	140	SyslogFacility ftp
	141	DontResolve yes
	142	MaxIdleTime 15
da30ae4f	143	LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
439049e5 IB	144	LimitRecursion 10000 8
	145	AnonymousCanCreateDirs no
	146	MaxLoad 4
	147	AntiWarez yes
	148	Umask 133:022
	149	# ftp
	150	MinUID 8
	151	AllowUserFXP no
	152	AllowAnonymousFXP no
	153	ProhibitDotFilesWrite no
	154	ProhibitDotFilesRead no
	155	AutoRename no
	156	AnonymousCantUpload no
	157	MaxDiskUsage 99
	158	CustomerProof yes
	159	TLS 1
5400b9b6	160	CertFile ${config.security.acme.certs.ftp.directory}/full.pem
439049e5	161	'';
fcbdf67a	162	in lib.mkIf pure-ftpd-enabled {
439049e5 IB	163	description = "Pure-FTPd server";
	164	wantedBy = [ "multi-user.target" ];
	165	after = [ "network.target" ];
	166
fe696f35	167	serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
439049e5 IB	168	serviceConfig.Type = "forking";
	169	serviceConfig.PIDFile = "/run/pure-ftpd.pid";
	170	};
fcbdf67a IB	171
	172	systemd.services.proftpd = let
	173	configFile = pkgs.writeText "proftpd.conf" ''
	174	ServerName "ProFTPD"
	175	ServerType standalone
	176	DefaultServer on
	177
	178	Port 21
	179	UseIPv6 on
	180	Umask 022
	181	MaxInstances 30
	182	MaxClients 50
	183	MaxClientsPerHost 8
	184
	185	# Set the user and group under which the server will run.
	186	User ftp
	187	Group ftp
	188
	189	CreateHome on
	190	DefaultRoot ~
	191
	192	AllowOverwrite on
	193
	194	TLSEngine on
	195	TLSRequired off
	196	TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
	197
	198	TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
	199	TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
	200	TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
	201	TLSRenegotiate none
	202	PidFile /run/proftpd/proftpd.pid
	203
	204	ScoreboardFile /run/proftpd/proftpd.scoreboard
	205
	206	PassivePorts 40000 50000
	207	#DebugLevel 10
	208	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	209
	210	RequireValidShell off
	211
	212	# Bar use of SITE CHMOD by default
	213	<Limit SITE_CHMOD>
	214	DenyAll
	215	</Limit>
	216
	217	<VirtualHost 0.0.0.0>
	218	Umask 022
	219	Port 115
	220	SFTPEngine on
	221	CreateHome on
	222	DefaultRoot ~
	223
	224	AllowOverwrite on
	225
	226	SFTPHostKey /etc/ssh/ssh_host_ed25519_key
	227	SFTPHostKey /etc/ssh/ssh_host_rsa_key
	228	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	229	RequireValidShell off
	230	SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
	231	SFTPAuthMethods password publickey
	232	</VirtualHost>
	233	'';
	234	in lib.mkIf proftpd-enabled {
235	description = "ProFTPD server";
236	wantedBy = [ "multi-user.target" ];
237	after = [ "network.target" ];
238
239	serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
240	serviceConfig.Type = "forking";
241	serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
242	serviceConfig.RuntimeDirectory = "proftpd";
243	};
244
245	services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
246	"/2 * * * nobody ${./ftp_sync.sh}"
247	];
439049e5 IB	248	};
	249
	250	}