blob: 871e9efad87fa0848997ee277cd576f1d9002fae (
plain) (
tree)
|
|
{ lib, pkgs, config, myconfig, ... }:
{
options = {
services.pure-ftpd.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable pure-ftpd.
'';
};
};
config = lib.mkIf config.services.pure-ftpd.enable {
security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
domain = "eldiron.immae.eu";
postRun = ''
systemctl restart pure-ftpd.service
'';
extraDomains = { "ftp.immae.eu" = null; };
};
networking = {
firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
};
};
users.users = [
{
name = "ftp";
uid = config.ids.uids.ftp; # 8
group = "ftp";
description = "Anonymous FTP user";
home = "/homeless-shelter";
extraGroups = [ "keys" ];
}
];
users.groups.ftp.gid = config.ids.gids.ftp;
system.activationScripts.pure-ftpd = ''
install -m 0755 -o ftp -g ftp -d /var/lib/ftp
'';
secrets.keys = [{
dest = "pure-ftpd-ldap";
permissions = "0400";
user = "ftp";
group = "ftp";
text = ''
LDAPServer ${myconfig.env.ftp.ldap.host}
LDAPPort 389
LDAPUseTLS True
LDAPBaseDN ${myconfig.env.ftp.ldap.base}
LDAPBindDN ${myconfig.env.ftp.ldap.dn}
LDAPBindPW ${myconfig.env.ftp.ldap.password}
LDAPDefaultUID 500
LDAPForceDefaultUID False
LDAPDefaultGID 100
LDAPForceDefaultGID False
LDAPFilter ${myconfig.env.ftp.ldap.filter}
LDAPAuthMethod BIND
# Pas de possibilite de donner l'Uid/Gid !
# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
LDAPHomeDir immaeFtpDirectory
'';
}];
systemd.services.pure-ftpd = let
configFile = pkgs.writeText "pure-ftpd.conf" ''
PassivePortRange 40000 50000
ChrootEveryone yes
CreateHomeDir yes
BrokenClientsCompatibility yes
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous no
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
LDAPConfigFile /var/secrets/pure-ftpd-ldap
LimitRecursion 10000 8
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
# ftp
MinUID 8
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload no
MaxDiskUsage 99
CustomerProof yes
TLS 1
CertFile /var/lib/acme/ftp/full.pem
'';
in {
description = "Pure-FTPd server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
serviceConfig.Type = "forking";
serviceConfig.PIDFile = "/run/pure-ftpd.pid";
};
};
}
|
