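{ lib, pkgs, config, myconfig, ... }:
# NixOps module for a Pure-FTPd server that authenticates users against LDAP.
# Enabling it opens TCP/21 plus the passive data range in the firewall,
# provisions an ACME certificate for the FTP hostnames, and ships the LDAP bind
# credentials as a NixOps deployment key so they stay out of the Nix store.
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # TLS certificate for the control channel, renewed by the ACME module.
    # pure-ftpd reads CertFile at startup only, hence the restart after renewal.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    # Locally built package (see ./pure-ftpd.nix). The LDAP key below relies on
    # values compiled into it (immaeFtpUid / immaeFtpGid / immaeFtpDirectory).
    nixpkgs.overlays = [ (self: super: {
      pure-ftpd = self.callPackage ./pure-ftpd.nix {};
    }) ];

    # Control channel plus the passive data range. The range must stay in sync
    # with PassivePortRange in the daemon configuration further down.
    networking = {
      firewall = {
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    # System account pure-ftpd uses for anonymous sessions. Membership in
    # "keys" is what allows reading the NixOps-deployed files under /run/keys.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp; # 8
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
        extraGroups = [ "keys" ];
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Storage root owned by the ftp user (presumably the directory the patched
    # package maps immaeFtpDirectory to — confirm against ./pure-ftpd.nix).
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP connection settings including the bind password. Delivered at deploy
    # time to /run/keys (not the world-readable Nix store), mode 0400 for ftp.
    # NOTE(review): LDAPUseTLS on port 389 is STARTTLS; whether the server
    # certificate is actually verified depends on the system ldap.conf
    # (TLS_REQCERT) — confirm it is not "never"/"allow", otherwise the bind
    # password and user credentials can be intercepted on the way to LDAP.
    deployment.keys.pure-ftpd-ldap = {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    };

    systemd.services.pure-ftpd = let
      # Daemon configuration. Security-relevant knobs, for the next reviewer
      # (the values themselves are unchanged here):
      #  - `TLS 1` offers TLS but does not require it: plaintext logins are
      #    still accepted, so LDAP passwords can cross the wire in clear.
      #    `TLS 2` would enforce TLS but rejects non-TLS clients — an
      #    operator decision, not made silently here.
      #  - `NoAnonymous no` keeps anonymous login enabled, and
      #    `AnonymousCantUpload no` does not forbid anonymous uploads;
      #    `AntiWarez yes` only prevents anonymous users from downloading
      #    what was uploaded. If anonymous access is not intended, set
      #    `NoAnonymous yes`.
      #  - `MinUID 8` admits any login mapping to uid >= 8, i.e. also system
      #    accounts; it is this low so the ftp user (uid 8) can log in. With
      #    `LDAPForceDefaultUID False` a uidNumber returned by LDAP is honoured
      #    as-is, so the LDAP filter is what keeps low uids out — verify it.
      #  - `ChrootEveryone yes` confines every session to its home directory.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile /run/keys/pure-ftpd-ldap
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile /var/lib/acme/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      # The LDAP configuration is a NixOps key, which only exists once
      # pure-ftpd-ldap-key.service has placed it in /run/keys. Without this
      # ordering the daemon can be started at boot before the file is there
      # and fail to load its LDAP settings.
      after = [ "network.target" "pure-ftpd-ldap-key.service" ];
      wants = [ "pure-ftpd-ldap-key.service" ];

      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
      # `Daemonize yes` above makes pure-ftpd fork into the background and
      # write this pid file, which systemd needs to track the main process.
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}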