[perso/Immae/Config/Nix.git] / systems / eldiron / ftp.nix

{ lib, pkgs, config, ... }:
let
  package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
  pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
  proftpd-enabled = config.myServices.ftp.proftpd.enable;
in
{
  options = {
    myServices.ftp.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ftp.
      '';
    };
    myServices.ftp.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
    myServices.ftp.proftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enable proftpd.
      '';
    };
  };

  config = lib.mkIf config.myServices.ftp.enable {
    myServices.dns.zones."immae.eu".subdomains.ftp =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    myServices.chatonsProperties.services.espace-de-stockage = {
      file.datetime = "2022-08-22T01:00:00";
      service = {
        name = "Espace de stockage";
        description = "Compte FTP/SFTP";
        logo = if pure-ftpd-enabled
          then "https://www.pureftpd.org/project/pure-ftpd/images/favicon.png"
          else if proftpd-enabled
          then "http://proftpd.org/proftpd.png"
          else "";
        website = "ftp.immae.eu";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = if pure-ftpd-enabled then {
        name = "Pure-ftpd";
        website = "https://www.pureftpd.org/project/pure-ftpd/";
        license.url = "https://github.com/jedisct1/pure-ftpd/blob/master/COPYING";
        license.name = "MIT Licence";
        version = package.version;
        source.url = "https://github.com/jedisct1/pure-ftpd/";
        modules = "openssh";
      } else if proftpd-enabled then {
        name = "ProFTPD";
        website = "http://proftpd.org/";
        license.url = "https://github.com/proftpd/proftpd/blob/master/COPYING";
        license.name = "GNU General Public License v2.0";
        version = pkgs.proftpd.version;
        source.url = "https://github.com/proftpd/proftpd/";
        modules = "openssh";
      } else {};
    };
    #myServices.chatonsProperties.services.ftp = {
    #  file.datetime = "2022-08-22T01:00:00";
    #  service = {
    #    name = "Comptes FTP";
    #    description = "Compte FTP/SFTP";
    #    logo = if pure-ftpd-enabled
    #      then "https://www.pureftpd.org/project/pure-ftpd/images/favicon.png"
    #      else if proftpd-enabled
    #      then "http://proftpd.org/proftpd.png"
    #      else "";
    #    website = "ftp.immae.eu";
    #    status.level = "OK";
    #    status.description = "OK";
    #    registration."" = ["MEMBER" "CLIENT"];
    #    registration.load = "OPEN";
    #    install.type = "PACKAGE";
    #  };
    #  software = if pure-ftpd-enabled then {
    #    name = "Pure-ftpd";
    #    website = "https://www.pureftpd.org/project/pure-ftpd/";
    #    license.url = "https://github.com/jedisct1/pure-ftpd/blob/master/COPYING";
    #    license.name = "MIT Licence";
    #    version = package.version;
    #    source.url = "https://github.com/jedisct1/pure-ftpd/";
    #  } else if proftpd-enabled then {
    #    name = "ProFTPD";
    #    website = "http://proftpd.org/";
    #    license.url = "https://github.com/proftpd/proftpd/blob/master/COPYING";
    #    license.name = "GNU General Public License v2.0";
    #    version = pkgs.proftpd.version;
    #    source.url = "https://github.com/proftpd/proftpd/";
    #  } else {};
    #};
    security.acme.certs."ftp" = {
      domain = "eldiron.immae.eu";
      # FIXME: make it global
      extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
      extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
      postRun = (lib.optionalString pure-ftpd-enabled ''
        systemctl restart pure-ftpd.service
      '') + (lib.optionalString proftpd-enabled ''
        systemctl restart proftpd.service
      '');
      extraDomainNames = [ "ftp.immae.eu" ];
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ 21 115 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    users.users.ftp = {
      uid = config.ids.uids.ftp; # 8
      group = "ftp";
      description = "Anonymous FTP user";
      home = "/homeless-shelter";
      extraGroups = [ "keys" ];
    };

    users.groups.ftp.gid = config.ids.gids.ftp;

    system.activationScripts.ftp = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '' + (lib.optionalString proftpd-enabled ''
      install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
      '');

    secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ${config.myEnv.ftp.ldap.host}
        LDAPPort            389
        LDAPUseTLS          True
        LDAPBaseDN          ${config.myEnv.ftp.ldap.base}
        LDAPBindDN          ${config.myEnv.ftp.ldap.dn}
        LDAPBindPW          ${config.myEnv.ftp.ldap.password}
        LDAPDefaultUID      500
        LDAPForceDefaultUID False
        LDAPDefaultGID      100
        LDAPForceDefaultGID False
        LDAPFilter          ${config.myEnv.ftp.ldap.pure-ftpd_filter}

        LDAPAuthMethod      BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir         immaeFtpDirectory
        '';
    };
    secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer          ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
        LDAPUseTLS          on
        LDAPAuthBinds       on
        LDAPBindDN          "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
        LDAPSearchScope     subtree
        LDAPAuthBinds       on
        LDAPDefaultGID      100
        LDAPDefaultUID      500
        LDAPForceDefaultUID off
        LDAPForceDefaultGID off
        LDAPAttr            gidNumber immaeFtpGid
        LDAPAttr            uidNumber immaeFtpUid
        LDAPAttr            homeDirectory immaeFtpDirectory
        LDAPUsers           "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
        LDAPGroups          "${config.myEnv.ftp.ldap.base}"
      '';
    };

    services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
    };
    services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
      restart = true;
      paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
    };

    systemd.services.pure-ftpd = let
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange             40000 50000
        Bind                         42
        ChrootEveryone               yes
        CreateHomeDir                yes
        BrokenClientsCompatibility   yes
        MaxClientsNumber             50
        Daemonize                    yes
        MaxClientsPerIP              8
        VerboseLog                   no
        DisplayDotFiles              yes
        AnonymousOnly                no
        NoAnonymous                  no
        SyslogFacility               ftp
        DontResolve                  yes
        MaxIdleTime                  15
        LDAPConfigFile               ${config.secrets.fullPaths."pure-ftpd-ldap"}
        LimitRecursion               10000 8
        AnonymousCanCreateDirs       no
        MaxLoad                      4
        AntiWarez                    yes
        Umask                        133:022
        # ftp
        MinUID                       8
        AllowUserFXP                 no
        AllowAnonymousFXP            no
        ProhibitDotFilesWrite        no
        ProhibitDotFilesRead         no
        AutoRename                   no
        AnonymousCantUpload          no
        MaxDiskUsage                 99
        CustomerProof                yes
        TLS                          1
        CertFile                     ${config.security.acme.certs.ftp.directory}/full.pem
        '';
    in lib.mkIf pure-ftpd-enabled {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };

    systemd.services.proftpd = let
      configFile = pkgs.writeText "proftpd.conf" ''
        ServerName		"ProFTPD"
        ServerType		standalone
        DefaultServer		on

        Port			21
        UseIPv6			on
        Umask			022
        MaxInstances		30
        MaxClients		50
        MaxClientsPerHost	8

        # Set the user and group under which the server will run.
        User			ftp
        Group			ftp

        CreateHome		on
        DefaultRoot		~

        AllowOverwrite		on

        TLSEngine		on
        TLSRequired		off
        TLSProtocol		TLSv1.1 TLSv1.2 TLSv1.3

        TLSCertificateChainFile	${config.security.acme.certs.ftp.directory}/fullchain.pem
        TLSECCertificateFile	${config.security.acme.certs.ftp.directory}/cert.pem
        TLSECCertificateKeyFile	${config.security.acme.certs.ftp.directory}/key.pem
        TLSRenegotiate none
        PidFile			/run/proftpd/proftpd.pid

        ScoreboardFile		/run/proftpd/proftpd.scoreboard

        PassivePorts		40000 50000
        #DebugLevel		10
        Include			${config.secrets.fullPaths."proftpd-ldap.conf"}

        RequireValidShell	off

        # Bar use of SITE CHMOD by default
        <Limit SITE_CHMOD>
          DenyAll
        </Limit>

        <VirtualHost 0.0.0.0>
          Umask				022
          Port				115
          SFTPEngine			on
          CreateHome			on
          DefaultRoot			~

          AllowOverwrite		on

          SFTPHostKey			/etc/ssh/ssh_host_ed25519_key
          SFTPHostKey			/etc/ssh/ssh_host_rsa_key
          Include			${config.secrets.fullPaths."proftpd-ldap.conf"}
          RequireValidShell		off
          SFTPAuthorizedUserKeys	file:/var/lib/proftpd/authorized_keys/%u
          SFTPAuthMethods		password publickey

          SFTPOptions			IgnoreSFTPSetOwners
          AllowChrootSymlinks		off
        </VirtualHost>
        '';
    in lib.mkIf proftpd-enabled {
      description = "ProFTPD server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
      serviceConfig.RuntimeDirectory = "proftpd";
    };

    services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
      "*/2 * * * * nobody ${./ftp_sync.sh}"
    ];

    myServices.monitoring.fromMasterActivatedPlugins = [ "ftp" ];
    myServices.monitoring.fromMasterObjects.service = [
      {
        service_description = "ftp has access to database for authentication";
        host_name = config.hostEnv.fqdn;
        use = "external-service";
        check_command = "check_ftp_database";

        servicegroups = "webstatus-remote-services";
        _webstatus_name = "FTP";
        _webstatus_url = "ftp.immae.eu";
      }

    ];

  };

}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
fe696f35 IB	2	let
fe696f35 IB	3	package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
fcbdf67a IB	4	pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable;
fcbdf67a IB	5	proftpd-enabled = config.myServices.ftp.proftpd.enable;
fe696f35	6	in
439049e5 IB	7	{
439049e5 IB	8	options = {
fcbdf67a IB	9	myServices.ftp.enable = lib.mkOption {
	10	type = lib.types.bool;
	11	default = false;
	12	description = ''
	13	Whether to enable ftp.
	14	'';
	15	};
	16	myServices.ftp.pure-ftpd.enable = lib.mkOption {
439049e5 IB	17	type = lib.types.bool;
	18	default = false;
	19	description = ''
	20	Whether to enable pure-ftpd.
	21	'';
	22	};
fcbdf67a IB	23	myServices.ftp.proftpd.enable = lib.mkOption {
	24	type = lib.types.bool;
	25	default = true;
	26	description = ''
	27	Whether to enable proftpd.
	28	'';
	29	};
439049e5 IB	30	};
439049e5 IB	31
fcbdf67a	32	config = lib.mkIf config.myServices.ftp.enable {
1a64deeb IB	33	myServices.dns.zones."immae.eu".subdomains.ftp =
	34	with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
	35
	36	myServices.chatonsProperties.services.espace-de-stockage = {
	37	file.datetime = "2022-08-22T01:00:00";
	38	service = {
	39	name = "Espace de stockage";
	40	description = "Compte FTP/SFTP";
	41	logo = if pure-ftpd-enabled
	42	then "https://www.pureftpd.org/project/pure-ftpd/images/favicon.png"
	43	else if proftpd-enabled
	44	then "http://proftpd.org/proftpd.png"
	45	else "";
	46	website = "ftp.immae.eu";
	47	status.level = "OK";
	48	status.description = "OK";
	49	registration."" = ["MEMBER" "CLIENT"];
	50	registration.load = "OPEN";
	51	install.type = "PACKAGE";
	52	};
	53	software = if pure-ftpd-enabled then {
	54	name = "Pure-ftpd";
	55	website = "https://www.pureftpd.org/project/pure-ftpd/";
	56	license.url = "https://github.com/jedisct1/pure-ftpd/blob/master/COPYING";
	57	license.name = "MIT Licence";
	58	version = package.version;
	59	source.url = "https://github.com/jedisct1/pure-ftpd/";
	60	modules = "openssh";
	61	} else if proftpd-enabled then {
	62	name = "ProFTPD";
	63	website = "http://proftpd.org/";
	64	license.url = "https://github.com/proftpd/proftpd/blob/master/COPYING";
	65	license.name = "GNU General Public License v2.0";
	66	version = pkgs.proftpd.version;
	67	source.url = "https://github.com/proftpd/proftpd/";
	68	modules = "openssh";
	69	} else {};
	70	};
	71	#myServices.chatonsProperties.services.ftp = {
	72	# file.datetime = "2022-08-22T01:00:00";
	73	# service = {
	74	# name = "Comptes FTP";
	75	# description = "Compte FTP/SFTP";
	76	# logo = if pure-ftpd-enabled
	77	# then "https://www.pureftpd.org/project/pure-ftpd/images/favicon.png"
	78	# else if proftpd-enabled
	79	# then "http://proftpd.org/proftpd.png"
	80	# else "";
	81	# website = "ftp.immae.eu";
	82	# status.level = "OK";
	83	# status.description = "OK";
	84	# registration."" = ["MEMBER" "CLIENT"];
	85	# registration.load = "OPEN";
	86	# install.type = "PACKAGE";
	87	# };
	88	# software = if pure-ftpd-enabled then {
	89	# name = "Pure-ftpd";
	90	# website = "https://www.pureftpd.org/project/pure-ftpd/";
	91	# license.url = "https://github.com/jedisct1/pure-ftpd/blob/master/COPYING";
	92	# license.name = "MIT Licence";
	93	# version = package.version;
	94	# source.url = "https://github.com/jedisct1/pure-ftpd/";
	95	# } else if proftpd-enabled then {
	96	# name = "ProFTPD";
97	# website = "http://proftpd.org/";
98	# license.url = "https://github.com/proftpd/proftpd/blob/master/COPYING";
99	# license.name = "GNU General Public License v2.0";
100	# version = pkgs.proftpd.version;
101	# source.url = "https://github.com/proftpd/proftpd/";
102	# } else {};
103	#};
104	security.acme.certs."ftp" = {
439049e5	105	domain = "eldiron.immae.eu";
1a64deeb IB	106	# FIXME: make it global
	107	extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
	108	extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
fcbdf67a	109	postRun = (lib.optionalString pure-ftpd-enabled ''
740f9843	110	systemctl restart pure-ftpd.service
fcbdf67a IB	111	'') + (lib.optionalString proftpd-enabled ''
	112	systemctl restart proftpd.service
	113	'');
1a64deeb	114	extraDomainNames = [ "ftp.immae.eu" ];
439049e5 IB	115	};
439049e5 IB	116
439049e5 IB	117	networking = {
439049e5 IB	118	firewall = {
fcbdf67a	119	allowedTCPPorts = [ 21 115 ];
439049e5 IB	120	allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
	121	};
	122	};
	123
258dd18b IB	124	users.users.ftp = {
	125	uid = config.ids.uids.ftp; # 8
	126	group = "ftp";
	127	description = "Anonymous FTP user";
	128	home = "/homeless-shelter";
	129	extraGroups = [ "keys" ];
	130	};
439049e5 IB	131
	132	users.groups.ftp.gid = config.ids.gids.ftp;
	133
fcbdf67a	134	system.activationScripts.ftp = ''
439049e5	135	install -m 0755 -o ftp -g ftp -d /var/lib/ftp
fcbdf67a IB	136	'' + (lib.optionalString proftpd-enabled ''
	137	install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys
	138	'');
439049e5	139
fcbdf67a	140	secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled {
926a4007 IB	141	permissions = "0400";
	142	user = "ftp";
	143	group = "ftp";
	144	text = ''
ab8f306d	145	LDAPServer ${config.myEnv.ftp.ldap.host}
439049e5 IB	146	LDAPPort 389
439049e5 IB	147	LDAPUseTLS True
ab8f306d IB	148	LDAPBaseDN ${config.myEnv.ftp.ldap.base}
	149	LDAPBindDN ${config.myEnv.ftp.ldap.dn}
	150	LDAPBindPW ${config.myEnv.ftp.ldap.password}
439049e5 IB	151	LDAPDefaultUID 500
	152	LDAPForceDefaultUID False
	153	LDAPDefaultGID 100
	154	LDAPForceDefaultGID False
fcbdf67a	155	LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter}
439049e5 IB	156
	157	LDAPAuthMethod BIND
	158
926a4007 IB	159	# Pas de possibilite de donner l'Uid/Gid !
926a4007 IB	160	# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
439049e5 IB	161	LDAPHomeDir immaeFtpDirectory
439049e5 IB	162	'';
4c4652aa	163	};
fcbdf67a IB	164	secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled {
	165	permissions = "0400";
	166	user = "ftp";
	167	group = "ftp";
	168	text = ''
	169	LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub
	170	LDAPUseTLS on
	171	LDAPAuthBinds on
	172	LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}"
	173	LDAPSearchScope subtree
	174	LDAPAuthBinds on
	175	LDAPDefaultGID 100
	176	LDAPDefaultUID 500
	177	LDAPForceDefaultUID off
	178	LDAPForceDefaultGID off
	179	LDAPAttr gidNumber immaeFtpGid
	180	LDAPAttr uidNumber immaeFtpUid
	181	LDAPAttr homeDirectory immaeFtpDirectory
	182	LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}"
	183	LDAPGroups "${config.myEnv.ftp.ldap.base}"
	184	'';
	185	};
926a4007	186
fcbdf67a	187	services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled {
17f6eae9	188	restart = true;
da30ae4f	189	paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
17f6eae9	190	};
fcbdf67a IB	191	services.filesWatcher.proftpd = lib.mkIf proftpd-enabled {
	192	restart = true;
	193	paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ];
	194	};
17f6eae9	195
926a4007	196	systemd.services.pure-ftpd = let
439049e5 IB	197	configFile = pkgs.writeText "pure-ftpd.conf" ''
439049e5 IB	198	PassivePortRange 40000 50000
fcbdf67a	199	Bind 42
439049e5 IB	200	ChrootEveryone yes
	201	CreateHomeDir yes
	202	BrokenClientsCompatibility yes
	203	MaxClientsNumber 50
	204	Daemonize yes
	205	MaxClientsPerIP 8
	206	VerboseLog no
	207	DisplayDotFiles yes
	208	AnonymousOnly no
	209	NoAnonymous no
	210	SyslogFacility ftp
	211	DontResolve yes
	212	MaxIdleTime 15
da30ae4f	213	LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
439049e5 IB	214	LimitRecursion 10000 8
	215	AnonymousCanCreateDirs no
	216	MaxLoad 4
	217	AntiWarez yes
	218	Umask 133:022
	219	# ftp
	220	MinUID 8
	221	AllowUserFXP no
	222	AllowAnonymousFXP no
	223	ProhibitDotFilesWrite no
	224	ProhibitDotFilesRead no
	225	AutoRename no
	226	AnonymousCantUpload no
	227	MaxDiskUsage 99
	228	CustomerProof yes
	229	TLS 1
5400b9b6	230	CertFile ${config.security.acme.certs.ftp.directory}/full.pem
439049e5	231	'';
fcbdf67a	232	in lib.mkIf pure-ftpd-enabled {
439049e5 IB	233	description = "Pure-FTPd server";
	234	wantedBy = [ "multi-user.target" ];
	235	after = [ "network.target" ];
	236
fe696f35	237	serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}";
439049e5 IB	238	serviceConfig.Type = "forking";
	239	serviceConfig.PIDFile = "/run/pure-ftpd.pid";
	240	};
fcbdf67a IB	241
	242	systemd.services.proftpd = let
	243	configFile = pkgs.writeText "proftpd.conf" ''
	244	ServerName "ProFTPD"
	245	ServerType standalone
	246	DefaultServer on
	247
	248	Port 21
	249	UseIPv6 on
	250	Umask 022
	251	MaxInstances 30
	252	MaxClients 50
	253	MaxClientsPerHost 8
	254
	255	# Set the user and group under which the server will run.
	256	User ftp
	257	Group ftp
	258
	259	CreateHome on
	260	DefaultRoot ~
	261
	262	AllowOverwrite on
	263
	264	TLSEngine on
	265	TLSRequired off
	266	TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3
	267
	268	TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem
	269	TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem
	270	TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem
	271	TLSRenegotiate none
	272	PidFile /run/proftpd/proftpd.pid
	273
	274	ScoreboardFile /run/proftpd/proftpd.scoreboard
	275
	276	PassivePorts 40000 50000
	277	#DebugLevel 10
	278	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	279
	280	RequireValidShell off
	281
	282	# Bar use of SITE CHMOD by default
	283	<Limit SITE_CHMOD>
	284	DenyAll
	285	</Limit>
	286
	287	<VirtualHost 0.0.0.0>
	288	Umask 022
	289	Port 115
	290	SFTPEngine on
	291	CreateHome on
	292	DefaultRoot ~
	293
	294	AllowOverwrite on
	295
	296	SFTPHostKey /etc/ssh/ssh_host_ed25519_key
	297	SFTPHostKey /etc/ssh/ssh_host_rsa_key
	298	Include ${config.secrets.fullPaths."proftpd-ldap.conf"}
	299	RequireValidShell off
	300	SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u
	301	SFTPAuthMethods password publickey
87e1ff0f IB	302
87e1ff0f IB	303	SFTPOptions IgnoreSFTPSetOwners
1a64deeb	304	AllowChrootSymlinks off
fcbdf67a IB	305	</VirtualHost>
	306	'';
	307	in lib.mkIf proftpd-enabled {
	308	description = "ProFTPD server";
	309	wantedBy = [ "multi-user.target" ];
	310	after = [ "network.target" ];
	311
	312	serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}";
	313	serviceConfig.Type = "forking";
	314	serviceConfig.PIDFile = "/run/proftpd/proftpd.pid";
	315	serviceConfig.RuntimeDirectory = "proftpd";
	316	};
	317
	318	services.cron.systemCronJobs = lib.mkIf proftpd-enabled [
	319	"/2 * * * nobody ${./ftp_sync.sh}"
	320	];
1a64deeb IB	321
	322	myServices.monitoring.fromMasterActivatedPlugins = [ "ftp" ];
	323	myServices.monitoring.fromMasterObjects.service = [
	324	{
	325	service_description = "ftp has access to database for authentication";
	326	host_name = config.hostEnv.fqdn;
	327	use = "external-service";
	328	check_command = "check_ftp_database";
	329
	330	servicegroups = "webstatus-remote-services";
	331	_webstatus_name = "FTP";
	332	_webstatus_url = "ftp.immae.eu";
	333	}
	334
	335	];
	336
439049e5 IB	337	};
	338
	339	}