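{ lib, pkgs, config, myconfig, ... }:
# NixOS module: a pure-ftpd server authenticating against LDAP, with an ACME
# certificate for TLS and a firewall opening for the control and passive ports.
let
  # Passive-mode data ports. Declared once so the pure-ftpd `PassivePortRange`
  # setting and the firewall range below cannot drift apart.
  passivePorts = { from = 40000; to = 50000; };

  # Name of the secret holding the LDAP bind credentials. It is used both as the
  # mySecrets destination and in the pure-ftpd `LDAPConfigFile` path (mySecrets
  # presumably installs keys under /var/secrets/<dest> — confirm against that module).
  ldapSecretName = "pure-ftpd-ldap";
in
{
  options = {
    services.pure-ftpd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable pure-ftpd.
      '';
    };
  };

  config = lib.mkIf config.services.pure-ftpd.enable {
    # Certificate served on the FTP control connection (CertFile below). The
    # daemon is restarted after renewal so the new certificate is picked up.
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
        systemctl restart pure-ftpd.service
      '';
      extraDomains = { "ftp.immae.eu" = null; };
    };

    # Locally built pure-ftpd (./pure-ftpd.nix) replaces the nixpkgs package;
    # the LDAP config below relies on options compiled into that build.
    nixpkgs.overlays = [ (self: super: {
      pure-ftpd = self.callPackage ./pure-ftpd.nix {};
    }) ];

    networking.firewall = {
      allowedTCPPorts = [ 21 ];
      allowedTCPPortRanges = [ passivePorts ];
    };

    # System account the daemon runs file operations as; it owns /var/lib/ftp
    # (created by the activation script below) and the LDAP secret.
    # NOTE(review): NoAnonymous is "no" in the daemon config, and pure-ftpd uses
    # the ftp user's home for anonymous sessions — with home set to
    # /homeless-shelter, confirm anonymous access behaves as intended.
    users.users = [
      {
        name = "ftp";
        uid = config.ids.uids.ftp; # 8
        group = "ftp";
        description = "Anonymous FTP user";
        home = "/homeless-shelter";
        extraGroups = [ "keys" ];
      }
    ];

    users.groups.ftp.gid = config.ids.gids.ftp;

    system.activationScripts.pure-ftpd = ''
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
    '';

    # LDAP backend configuration, deployed as a root-only-for-ftp (0400) secret
    # because it embeds the bind password. LDAPPort 389 with LDAPUseTLS True
    # means STARTTLS on the plain LDAP port rather than LDAPS on 636.
    # The commented lines inside the file are part of the deployed file and are
    # left as written: the UID/GID cannot be set here and are compiled into the
    # local pure-ftpd build (immaeFtpUid / immaeFtpGid), as is the home directory.
    mySecrets.keys = [{
      dest = ldapSecretName;
      permissions = "0400";
      user = "ftp";
      group = "ftp";
      text = ''
        LDAPServer ${myconfig.env.ftp.ldap.host}
        LDAPPort 389
        LDAPUseTLS True
        LDAPBaseDN ${myconfig.env.ftp.ldap.base}
        LDAPBindDN ${myconfig.env.ftp.ldap.dn}
        LDAPBindPW ${myconfig.env.ftp.ldap.password}
        LDAPDefaultUID 500
        LDAPForceDefaultUID False
        LDAPDefaultGID 100
        LDAPForceDefaultGID False
        LDAPFilter ${myconfig.env.ftp.ldap.filter}

        LDAPAuthMethod BIND

        # Pas de possibilite de donner l'Uid/Gid !
        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
        LDAPHomeDir immaeFtpDirectory
      '';
    }];

    systemd.services.pure-ftpd = let
      # Daemon configuration. Points worth knowing when changing it:
      #  - MinUID is tied to the `ftp` account's uid (config.ids.uids.ftp) so
      #    logins mapping to system accounts below it are refused.
      #  - `TLS 1` is opportunistic: TLS is offered but cleartext logins are still
      #    accepted, so LDAP passwords may cross the wire unencrypted. `TLS 2`
      #    requires TLS for authentication and `TLS 3` also for the data channel,
      #    at the cost of rejecting clients without TLS support.
      #  - `Daemonize yes` must stay in step with Type = "forking" below.
      configFile = pkgs.writeText "pure-ftpd.conf" ''
        PassivePortRange ${toString passivePorts.from} ${toString passivePorts.to}
        ChrootEveryone yes
        CreateHomeDir yes
        BrokenClientsCompatibility yes
        MaxClientsNumber 50
        Daemonize yes
        MaxClientsPerIP 8
        VerboseLog no
        DisplayDotFiles yes
        AnonymousOnly no
        NoAnonymous no
        SyslogFacility ftp
        DontResolve yes
        MaxIdleTime 15
        LDAPConfigFile /var/secrets/${ldapSecretName}
        LimitRecursion 10000 8
        AnonymousCanCreateDirs no
        MaxLoad 4
        AntiWarez yes
        Umask 133:022
        # ftp
        MinUID ${toString config.ids.uids.ftp}
        AllowUserFXP no
        AllowAnonymousFXP no
        ProhibitDotFilesWrite no
        ProhibitDotFilesRead no
        AutoRename no
        AnonymousCantUpload no
        MaxDiskUsage 99
        CustomerProof yes
        TLS 1
        CertFile /var/lib/acme/ftp/full.pem
      '';
    in {
      description = "Pure-FTPd server";
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): nothing orders this unit after the secret in /var/secrets is
      # deployed; presumably mySecrets handles that — confirm.
      after = [ "network.target" ];

      serviceConfig = {
        ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
        # The config sets Daemonize yes, so systemd must wait for the fork.
        Type = "forking";
        # No PIDFile is set in the config, so this relies on pure-ftpd's default
        # pid path resolving to /run/pure-ftpd.pid (/var/run -> /run on NixOS).
        PIDFile = "/run/pure-ftpd.pid";
      };
    };
  };

}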