Move secrets module outside of nixops
# NixOps module for a pure-ftpd server.
#
# Users authenticate against LDAP (bind credentials are delivered through the
# `secrets.keys` mechanism) and the control channel can be protected with TLS
# using an ACME-issued certificate. Everything below `config` is only applied
# when `services.pure-ftpd.enable` is set.
{ lib, pkgs, config, myconfig, ... }:
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # ACME certificate served by the FTP daemon (see `CertFile` in the
    # pure-ftpd config below, which points at /var/lib/acme/ftp/full.pem).
    # `certConfig` comes from the shared myCertificates module; only the
    # domain, the extra name and the post-renewal hook are set here.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      # pure-ftpd reads the certificate at startup, so a renewed certificate
      # only takes effect after a restart.
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    networking = {
      firewall = {
        # 21: FTP control channel.
        allowedTCPPorts = [ 21 ];
        # Passive-mode data channels. This range must stay identical to
        # `PassivePortRange` in the pure-ftpd config below, otherwise passive
        # transfers are accepted by the daemon but dropped by the firewall.
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    users.users = [
      {
        name = "ftp";
        # Fixed uid so that `MinUID` in the daemon config and file ownership
        # on disk stay stable across deployments.
        uid = config.ids.uids.ftp; # 8
        group = "ftp";
        description = "Anonymous FTP user";
        # Deliberately non-existent home; the directory created by the
        # activation script below (/var/lib/ftp) is not this account's home.
        # NOTE(review): the directory pure-ftpd actually uses as the anonymous
        # root is not visible from this module (the LDAP config refers to a
        # compiled-in `immaeFtpDirectory`) — confirm against the package.
        home = "/homeless-shelter";
        # presumably required so the daemon, running as `ftp`, can traverse
        # the directory where deployed keys live — verify with the secrets module.
        extraGroups = [ "keys" ];
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Root directory for FTP data, owned by the daemon user. 0755: the ftp
    # user writes, everyone else may only read and traverse.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP backend configuration for pure-ftpd. It embeds the bind password,
    # hence the 0400 mode and `ftp` ownership: only the daemon may read it.
    # `dest` must match `LDAPConfigFile` in the daemon config below
    # (/var/secrets/pure-ftpd-ldap — the secrets module appears to place
    # keys under /var/secrets; verify if that module changes).
    #
    # Security notes on the generated file:
    #  - LDAPPort 389 with LDAPUseTLS True means STARTTLS on the plain LDAP
    #    port, so the bind password is not sent in clear as long as TLS
    #    negotiation succeeds. NOTE(review): confirm the backend fails closed
    #    when the server refuses STARTTLS.
    #  - The two French comment lines inside the file say that the
    #    uid/gid cannot be set here and are compiled into pure-ftpd directly
    #    via immaeFtpUid / immaeFtpGid; `LDAPHomeDir immaeFtpDirectory` is
    #    likewise a compiled-in value, so this file is tied to a patched
    #    pure-ftpd build.
    secrets.keys = [{
      dest = "pure-ftpd-ldap";
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    }];

    systemd.services.pure-ftpd = let
      # Daemon configuration, written to the Nix store (it contains no
      # secrets; the LDAP credentials live in the key file referenced by
      # `LDAPConfigFile`). Points worth knowing when reviewing it:
      #  - `TLS 1` accepts both cleartext and TLS-protected control sessions,
      #    so a client that does not negotiate AUTH TLS sends its LDAP
      #    password in clear over the network. `TLS 2` would refuse cleartext
      #    logins; it is not set here, presumably for client compatibility.
      #  - `NoAnonymous no` keeps anonymous logins enabled and
      #    `AnonymousCantUpload no` lets anonymous sessions upload.
      #    `AntiWarez yes`, `AnonymousCanCreateDirs no` and `MaxDiskUsage 99`
      #    bound what an anonymous uploader can do with that.
      #  - `ChrootEveryone yes` confines every session to its home directory;
      #    `Umask 133:022` yields 0644 files and 0755 directories.
      #  - `MinUID 8` must match the uid of the `ftp` account above
      #    (commented as 8); accounts below it cannot log in.
      #  - `VerboseLog no` keeps only the default syslog detail (facility
      #    `ftp`); raise it if transfer-level logs are wanted for detection.
      #  - `Daemonize yes` together with `Type = "forking"` and `PIDFile`
      #    below lets systemd track the detached process.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile /var/secrets/pure-ftpd-ldap
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile /var/lib/acme/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # The config file path is passed as the only argument; pure-ftpd reads
      # its settings from it.
      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}