Add ftp.immae.eu
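{ lib, pkgs, config, myconfig, ... }:
# NixOS module for the pure-ftpd server behind ftp.immae.eu.  When
# services.pure-ftpd.enable is set it wires up: an ACME certificate, a local
# pure-ftpd build, firewall rules, the "ftp" system account and a systemd unit
# whose configuration (including the LDAP authentication backend) is generated
# from `myconfig.env.ftp.ldap`.
let
  # Passive-mode data ports.  Declared once so that the firewall rule and the
  # PassivePortRange line of the pure-ftpd configuration cannot drift apart.
  passivePorts = { from = 40000; to = 50000; };
in
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # Certificate served on the FTP control/data channels (CertFile below).
    # The unit is restarted after each renewal so the daemon reloads the key.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    # Local pure-ftpd build (./pure-ftpd.nix).  According to the author's note
    # in the LDAP configuration below, the uid/gid used for LDAP accounts are
    # compiled into this package as immaeFtpUid / immaeFtpGid.
    nixpkgs.config.packageOverrides = oldpkgs: rec {
      pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
    };

    networking = {
      firewall = {
        # Control connection plus the passive data-port range used below.
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ passivePorts ];
      };
    };

    # Account used for anonymous sessions.  Its home does not exist on disk;
    # see the note on anonymous access below.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp;
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Directory owned by the ftp account, created at activation time.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    systemd.services.pure-ftpd = let
      # LDAP backend configuration (STARTTLS to the directory on port 389,
      # authentication by BIND).
      #
      # SECURITY NOTE: pkgs.writeText places this file in /nix/store, which is
      # world-readable, so the bind password interpolated from
      # myconfig.env.ftp.ldap.password is readable by every local user (and by
      # anything the store is copied to).  LDAPConfigFile accepts an arbitrary
      # path, so the file could instead be provisioned outside the store with
      # restrictive permissions (e.g. through the deployment's secret/key
      # mechanism) and referenced by path here.
      #
      # The French comment inside the file (kept verbatim, it is part of the
      # generated config) says: there is no way to supply the uid/gid from
      # LDAP; they are compiled into pure-ftpd as immaeFtpUid / immaeFtpGid.
      # LDAPDefaultUID/GID apply when the directory entry provides none.
      ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilité de donner l'Uid/Gid !
        # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
      # Main server configuration.  Settings worth knowing about:
      #  - TLS 1: TLS is offered but cleartext sessions are still accepted, so
      #    client credentials may still cross the wire unencrypted; TLS 2
      #    refuses cleartext sessions (3 additionally requires an encrypted
      #    data channel).
      #  - NoAnonymous no / AnonymousCantUpload no: anonymous login and
      #    anonymous uploads are permitted at the configuration level
      #    (AntiWarez yes prevents anonymous uploads from being downloaded
      #    again).  Presumably anonymous sessions use the ftp account's home
      #    (/homeless-shelter above) — confirm whether anonymous access is
      #    actually meant to work.
      #  - ChrootEveryone yes: every session is confined to its home.
      #  - MinUID 8: logins resolving to a uid below 8 are refused.
      #  - Umask 133:022: uploaded files 0644, directories 0755.
      #  - CertFile: the ACME certificate requested above.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange ${toString passivePorts.from} ${toString passivePorts.to}
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile ${ldapConfigFile}
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile /var/lib/acme/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # No User= is set, so the daemon starts as root (it binds port 21 and
      # reads the ACME key in CertFile); presumably pure-ftpd drops privileges
      # per session — confirm.  "forking" matches Daemonize yes above.
      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}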