# NixOS module: pure-ftpd with LDAP authentication and an ACME certificate
# for FTP-over-TLS.
#
# Security-relevant summary of what this file configures (each point is
# backed by a setting commented below):
#   * firewall: TCP 21 plus the passive range 40000-50000 are opened;
#   * every session is chrooted; FXP (server-to-server transfers) is refused;
#   * anonymous logins and anonymous uploads are allowed, uploads are hidden
#     from other anonymous users by AntiWarez;
#   * the LDAP bind password lives in a separate 0400 secret file and is NOT
#     part of the pure-ftpd.conf that lands in the world-readable Nix store;
#   * `TLS 1` makes TLS optional, i.e. cleartext password logins are still
#     accepted -- see the NOTE(review) next to it.
{ lib, pkgs, config, myconfig, ... }:
{
  options = {
    # Master switch; everything under `config` is guarded by lib.mkIf on it.
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # ACME certificate "ftp", served as CertFile below
    # (<acme directory>/ftp/full.pem).  The site-wide certConfig is merged
    # with `//`, so the domain / postRun / extraDomains set here take
    # precedence over anything certConfig defines.  postRun restarts the
    # daemon so that a renewed certificate is actually loaded.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    # Control connection (21) and the passive-mode data range.  The range MUST
    # stay in sync with `PassivePortRange` in pure-ftpd.conf below, otherwise
    # passive transfers are silently dropped by the firewall.
    networking = {
      firewall = {
        allowedTCPPorts = [ 21 ];
        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
      };
    };

    # Unprivileged account used for anonymous sessions.  The uid comes from
    # the NixOS id table (8, as the inline comment records) and is the value
    # `MinUID 8` below is keyed on.  The "keys" group is presumably what
    # grants read access to /var/secrets/pure-ftpd-ldap -- TODO confirm
    # against the secrets module.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp; # 8
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
        extraGroups = [ "keys" ];
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    # Data directory, owned by ftp:ftp and world-readable (0755).  Together
    # with `Umask 133:022` below, uploaded files end up 0644 and directories
    # 0755.
    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP client configuration for pure-ftpd, including the bind password.
    # It is written as a 0400 ftp:ftp secret and referenced from
    # pure-ftpd.conf as /var/secrets/pure-ftpd-ldap.
    # NOTE(review): this relies on the `secrets.keys` module writing `text`
    # somewhere outside /nix/store; if it ever used writeText the bind
    # password would become world-readable -- confirm in that module.
    # Settings worth knowing:
    #   * LDAPUseTLS True on port 389 = STARTTLS to the directory server
    #     (whether the server certificate is verified is not visible here).
    #   * LDAPAuthMethod BIND = the user's own credentials are checked by
    #     binding to LDAP as that user, rather than by reading a password
    #     attribute.
    #   * LDAPForceDefault{UID,GID} False = uidNumber/gidNumber from LDAP are
    #     used when present, 500/100 otherwise; `MinUID 8` below still
    #     rejects anything below the ftp uid.
    # The two French comments inside the file translate to: "No way to pass
    # the Uid/Gid!  Compiled directly into pure-ftpd with immaeFtpUid /
    # immaeFtpGid" -- i.e. the uid/gid attribute names are baked into the
    # package build and only the home-directory attribute (immaeFtpDirectory)
    # is configurable here.
    secrets.keys = [{
      dest = "pure-ftpd-ldap";
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    }];

    systemd.services.pure-ftpd = let
      # Main daemon configuration.  pkgs.writeText puts it in the Nix store
      # (world-readable), which is acceptable ONLY because it contains no
      # secrets: the LDAP credentials are in the separate file above.
      #
      # Security-relevant settings:
      #   ChrootEveryone yes        every user (LDAP or anonymous) is jailed in
      #                             its home directory; CreateHomeDir makes it
      #                             on first login.
      #   NoAnonymous no            anonymous logins are accepted, and
      #   AnonymousCantUpload no    they may upload; AnonymousCanCreateDirs no
      #                             and AntiWarez yes (anonymous users cannot
      #                             download files owned by "ftp", i.e. other
      #                             anonymous uploads) limit the abuse surface.
      #   AllowUserFXP /            server-to-server (FXP / bounce) transfers
      #   AllowAnonymousFXP no      are refused.
      #   MinUID 8                  refuses any account whose uid is below the
      #                             ftp uid, so root/system accounts can never
      #                             log in via LDAP.
      #   CustomerProof yes         refuses chmod calls that would lock users
      #                             out of their own files.
      #   MaxClientsNumber /        connection, per-IP, load, idle and
      #   MaxClientsPerIP /         recursive-listing caps -- basic DoS
      #   MaxLoad / MaxIdleTime /   hedging.
      #   LimitRecursion
      #   DontResolve yes           no reverse DNS on client IPs.
      #   VerboseLog no             individual commands are not logged; only
      #                             session/auth events reach syslog facility
      #                             `ftp`.
      #   TLS 1                     NOTE(review): in pure-ftpd, 1 = accept BOTH
      #                             cleartext and TLS sessions.  Combined with
      #                             LDAP password auth this means user
      #                             credentials may cross the wire unencrypted.
      #                             `TLS 2` refuses cleartext control sessions
      #                             (`TLS 3` also cleartext data); consider it
      #                             if the remaining clients support TLS.
      #   CertFile                  full.pem produced by the ACME cert "ftp"
      #                             declared above.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange 40000 50000
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile /var/secrets/pure-ftpd-ldap
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID 8
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile ${config.security.acme.directory}/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): only ordered after network.target; there is no ordering
      # against the ACME unit that produces full.pem, so on a fresh host the
      # first start may run before the certificate exists -- verify whether
      # the acme module already takes care of this.
      after = [ "network.target" ];

      # No User=/DynamicUser= here: the daemon starts as root (needed to bind
      # port 21 and to chroot) and is expected to drop privileges per session
      # itself.  `Daemonize yes` in the config is what makes Type = "forking"
      # plus the PIDFile correct.
      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
      serviceConfig.Type = "forking";
      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
    };
  };

}