# NixOS/NixOps module for an optional pure-ftpd service: users authenticate
# against LDAP, every session is chrooted, and the control channel can be
# upgraded to TLS with an ACME-issued certificate. Everything in `config` is
# gated on services.pure-ftpd.enable (default: off).
1 { lib, pkgs, config, myconfig, ... }:
2 {
3 options = {
4 services.pure-ftpd.enable = lib.mkOption {
5 type = lib.types.bool;
6 default = false;
7 description = ''
8 Whether to enable pure-ftpd.
9 '';
10 };
11 };
12
13 config = lib.mkIf config.services.pure-ftpd.enable {
# Certificate for the FTPS endpoint, issued for the hostname below and merged
# with the shared certificate settings. postRun restarts the daemon so that a
# renewed /var/lib/acme/ftp/full.pem (the CertFile referenced in the daemon
# config further down) is picked up — presumably the file is only read at start.
14 security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
15 domain = "eldiron.immae.eu";
16 postRun = ''
17 systemctl restart pure-ftpd.service
18 '';
19 };
20
# Replace nixpkgs' pure-ftpd with the local derivation in ./pure-ftpd.nix (the
# LDAP config comment below explains why: uid/gid/home are patched in).
# Note this calls the module's `pkgs` (the final, overridden set) rather than
# `oldpkgs`; fine as long as ./pure-ftpd.nix does not itself depend on pure-ftpd.
21 nixpkgs.config.packageOverrides = oldpkgs: rec {
22 pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
23 };
24
# Control port plus the passive-mode data range. The range has to stay in sync
# with PassivePortRange in the daemon config below (both are 40000-50000).
25 networking = {
26 firewall = {
27 allowedTCPPorts = [ 21 ];
28 allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
29 };
30 };
31
# System account used for anonymous sessions (NoAnonymous no below keeps
# anonymous login enabled). Its home is a deliberately non-existent path.
# NOTE(review): this file does not establish whether anonymous login actually
# succeeds with a missing home; if anonymous access is not wanted, disable it
# explicitly (NoAnonymous yes) instead of relying on that side effect.
32 users.users = [
33 {
34 name = "ftp";
35 uid = config.ids.uids.ftp;
36 group = "ftp";
37 description = "Anonymous FTP user";
38 home = "/homeless-shelter";
39 }
40 ];
41
42 users.groups.ftp.gid = config.ids.gids.ftp;
43
# Idempotently create the data directory, owned by the ftp account (0755, so
# world-readable). Presumably the parent of the compiled-in per-user home
# (immaeFtpDirectory, see the LDAP config) — confirm against ./pure-ftpd.nix.
44 system.activationScripts.pure-ftpd = ''
45 install -m 0755 -o ftp -g ftp -d /var/lib/ftp
46 '';
47
48 systemd.services.pure-ftpd = let
# LDAP backend configuration, rendered into the Nix store.
#
# NOTE(review): LDAPBindPW interpolates the bind password into a
# pkgs.writeText derivation. Store paths are world-readable on the host, so
# any local user can read the LDAP bind credentials, and the secret travels
# with the closure to any binary cache or deployment state it is pushed to.
# The usual remedy is to keep the password out of the store altogether: ship
# it as a root-only runtime file (for NixOps, a deployment key under /run/keys)
# and render this config from it in an ExecStartPre step, leaving only a
# placeholder here. None of the other settings need to be secret.
#
# LDAPUseTLS True with port 389 means STARTTLS on the bind; whether the
# server certificate is actually validated depends on the system LDAP client
# settings, not on anything in this file — verify before trusting it.
#
# The French comment inside the string says: "No way to pass the Uid/Gid here!
# Compiled directly into pure-ftpd as immaeFtpUid / immaeFtpGid", i.e. the
# patched package fixes uid, gid and home (LDAPHomeDir immaeFtpDirectory) itself
# instead of taking them from LDAP; the LDAPDefault*/LDAPForceDefault* lines
# are presumably inert under that patch — confirm against ./pure-ftpd.nix.
49 ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
50 LDAPServer ${myconfig.env.ftp.ldap.host}
51 LDAPPort 389
52 LDAPUseTLS True
53 LDAPBaseDN ${myconfig.env.ftp.ldap.base}
54 LDAPBindDN ${myconfig.env.ftp.ldap.dn}
55 LDAPBindPW ${myconfig.env.ftp.ldap.password}
56 LDAPDefaultUID 500
57 LDAPForceDefaultUID False
58 LDAPDefaultGID 100
59 LDAPForceDefaultGID False
60 LDAPFilter ${myconfig.env.ftp.ldap.filter}
61
62 LDAPAuthMethod BIND
63
64 # Pas de possibilité de donner l'Uid/Gid !
65 # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
66 LDAPHomeDir immaeFtpDirectory
67 '';
# Daemon configuration. Points with a security consequence, for the next reader:
#  - TLS 1 makes FTPS optional: clients may still log in over cleartext, so
#    LDAP passwords can cross the wire unencrypted. TLS 2 (require TLS for
#    authentication) or TLS 3 (also for data) is the hardened setting if every
#    client supports it.
#  - ChrootEveryone yes confines each session to its home; CreateHomeDir yes
#    creates that home on first login.
#  - NoAnonymous no and AnonymousCantUpload no leave anonymous login and
#    anonymous uploads enabled as far as this file is concerned; AntiWarez yes
#    and AnonymousCanCreateDirs no only limit what an anonymous uploader can do.
#  - ProhibitDotFilesWrite no / ProhibitDotFilesRead no let users create and
#    read dot-files inside their chroot; pure-ftpd's own bookkeeping files are
#    dot-files, so NOTE(review): consider ProhibitDotFilesWrite yes unless
#    there is a reason not to.
#  - MinUID 8 is the lowest uid allowed to log in (presumably the ftp uid,
#    given the "# ftp" marker); any account resolving to a uid at or above it
#    is accepted, which may include other system accounts — verify.
#  - PassivePortRange must match the firewall range above.
#  - CertFile is the ACME certificate from security.acme.certs."ftp"; the
#    daemon runs as root (see the service below) and reads it directly.
68 configFile = pkgs.writeText "pure-ftpd.conf" ''
69 PassivePortRange 40000 50000
70 ChrootEveryone yes
71 CreateHomeDir yes
72 BrokenClientsCompatibility yes
73 MaxClientsNumber 50
74 Daemonize yes
75 MaxClientsPerIP 8
76 VerboseLog no
77 DisplayDotFiles yes
78 AnonymousOnly no
79 NoAnonymous no
80 SyslogFacility ftp
81 DontResolve yes
82 MaxIdleTime 15
83 LDAPConfigFile ${ldapConfigFile}
84 LimitRecursion 10000 8
85 AnonymousCanCreateDirs no
86 MaxLoad 4
87 AntiWarez yes
88 Umask 133:022
89 # ftp
90 MinUID 8
91 AllowUserFXP no
92 AllowAnonymousFXP no
93 ProhibitDotFilesWrite no
94 ProhibitDotFilesRead no
95 AutoRename no
96 AnonymousCantUpload no
97 MaxDiskUsage 99
98 CustomerProof yes
99 TLS 1
100 CertFile /var/lib/acme/ftp/full.pem
101 '';
102 in {
103 description = "Pure-FTPd server";
104 wantedBy = [ "multi-user.target" ];
105 after = [ "network.target" ];
106
# No User=/DynamicUser= and no systemd sandboxing directives: the daemon starts
# as root (it binds port 21 and chroots sessions) and is presumably expected to
# drop privileges per connection itself. Daemonize yes in the config is what
# makes Type=forking plus PIDFile the right shape; keep the three consistent
# if any of them changes.
107 serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
108 serviceConfig.Type = "forking";
109 serviceConfig.PIDFile = "/run/pure-ftpd.pid";
110 };
111 };
112
113 }