]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - nixops/modules/ftp/default.nix
Add ftp connection
[perso/Immae/Config/Nix.git] / nixops / modules / ftp / default.nix
1 { lib, pkgs, config, myconfig, ... }:
2 {
3 options = {
4 services.pure-ftpd.enable = lib.mkOption {
5 type = lib.types.bool;
6 default = false;
7 description = ''
8 Whether to enable pure-ftpd.
9 '';
10 };
11 };
12
13 config = lib.mkIf config.services.pure-ftpd.enable {
14 security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
15 domain = "eldiron.immae.eu";
16 };
17
18 nixpkgs.config.packageOverrides = oldpkgs: rec {
19 pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
20 };
21
22 networking = {
23 firewall = {
24 allowedTCPPorts = [ 21 ];
25 allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
26 };
27 };
28
29 users.users = [
30 {
31 name = "ftp";
32 uid = config.ids.uids.ftp;
33 group = "ftp";
34 description = "Anonymous FTP user";
35 home = "/homeless-shelter";
36 }
37 ];
38
39 users.groups.ftp.gid = config.ids.gids.ftp;
40
41 system.activationScripts.pure-ftpd = ''
42 install -m 0755 -o ftp -g ftp -d /var/lib/ftp
43 '';
44
45 systemd.services.pure-ftpd = let
46 ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
47 LDAPServer ${myconfig.env.ftp.ldap.host}
48 LDAPPort 389
49 LDAPUseTLS True
50 LDAPBaseDN ${myconfig.env.ftp.ldap.base}
51 LDAPBindDN ${myconfig.env.ftp.ldap.dn}
52 LDAPBindPW ${myconfig.env.ftp.ldap.password}
53 LDAPDefaultUID 500
54 LDAPForceDefaultUID False
55 LDAPDefaultGID 100
56 LDAPForceDefaultGID False
57 LDAPFilter ${myconfig.env.ftp.ldap.filter}
58
59 LDAPAuthMethod BIND
60
61 # Pas de possibilité de donner l'Uid/Gid !
62 # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
63 LDAPHomeDir immaeFtpDirectory
64 '';
65 configFile = pkgs.writeText "pure-ftpd.conf" ''
66 PassivePortRange 40000 50000
67 ChrootEveryone yes
68 CreateHomeDir yes
69 BrokenClientsCompatibility yes
70 MaxClientsNumber 50
71 Daemonize yes
72 MaxClientsPerIP 8
73 VerboseLog no
74 DisplayDotFiles yes
75 AnonymousOnly no
76 NoAnonymous no
77 SyslogFacility ftp
78 DontResolve yes
79 MaxIdleTime 15
80 LDAPConfigFile ${ldapConfigFile}
81 LimitRecursion 10000 8
82 AnonymousCanCreateDirs no
83 MaxLoad 4
84 AntiWarez yes
85 Umask 133:022
86 # ftp
87 MinUID 8
88 AllowUserFXP no
89 AllowAnonymousFXP no
90 ProhibitDotFilesWrite no
91 ProhibitDotFilesRead no
92 AutoRename no
93 AnonymousCantUpload no
94 MaxDiskUsage 99
95 CustomerProof yes
96 TLS 1
97 CertFile /var/lib/acme/ftp/full.pem
98 '';
99 in {
100 description = "Pure-FTPd server";
101 wantedBy = [ "multi-user.target" ];
102 after = [ "network.target" ];
103
104 serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
105 serviceConfig.Type = "forking";
106 serviceConfig.PIDFile = "/run/pure-ftpd.pid";
107 };
108 };
109
110 }