diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/ftp.nix | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
download | Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personnal information about users. All thos changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'modules/private/ftp.nix')
-rw-r--r-- | modules/private/ftp.nix | 248 |
1 files changed, 0 insertions, 248 deletions
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix deleted file mode 100644 index cae25c1..0000000 --- a/modules/private/ftp.nix +++ /dev/null | |||
@@ -1,248 +0,0 @@ | |||
1 | { lib, pkgs, config, ... }: | ||
2 | let | ||
3 | package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; }; | ||
4 | pure-ftpd-enabled = config.myServices.ftp.pure-ftpd.enable; | ||
5 | proftpd-enabled = config.myServices.ftp.proftpd.enable; | ||
6 | in | ||
7 | { | ||
8 | options = { | ||
9 | myServices.ftp.enable = lib.mkOption { | ||
10 | type = lib.types.bool; | ||
11 | default = false; | ||
12 | description = '' | ||
13 | Whether to enable ftp. | ||
14 | ''; | ||
15 | }; | ||
16 | myServices.ftp.pure-ftpd.enable = lib.mkOption { | ||
17 | type = lib.types.bool; | ||
18 | default = false; | ||
19 | description = '' | ||
20 | Whether to enable pure-ftpd. | ||
21 | ''; | ||
22 | }; | ||
23 | myServices.ftp.proftpd.enable = lib.mkOption { | ||
24 | type = lib.types.bool; | ||
25 | default = true; | ||
26 | description = '' | ||
27 | Whether to enable proftpd. | ||
28 | ''; | ||
29 | }; | ||
30 | }; | ||
31 | |||
32 | config = lib.mkIf config.myServices.ftp.enable { | ||
33 | security.acme.certs."ftp" = config.myServices.certificates.certConfig // { | ||
34 | domain = "eldiron.immae.eu"; | ||
35 | postRun = (lib.optionalString pure-ftpd-enabled '' | ||
36 | systemctl restart pure-ftpd.service | ||
37 | '') + (lib.optionalString proftpd-enabled '' | ||
38 | systemctl restart proftpd.service | ||
39 | ''); | ||
40 | extraDomains = { "ftp.immae.eu" = null; }; | ||
41 | }; | ||
42 | |||
43 | networking = { | ||
44 | firewall = { | ||
45 | allowedTCPPorts = [ 21 115 ]; | ||
46 | allowedTCPPortRanges = [ { from = 40000; to = 50000; } ]; | ||
47 | }; | ||
48 | }; | ||
49 | |||
50 | users.users.ftp = { | ||
51 | uid = config.ids.uids.ftp; # 8 | ||
52 | group = "ftp"; | ||
53 | description = "Anonymous FTP user"; | ||
54 | home = "/homeless-shelter"; | ||
55 | extraGroups = [ "keys" ]; | ||
56 | }; | ||
57 | |||
58 | users.groups.ftp.gid = config.ids.gids.ftp; | ||
59 | |||
60 | system.activationScripts.ftp = '' | ||
61 | install -m 0755 -o ftp -g ftp -d /var/lib/ftp | ||
62 | '' + (lib.optionalString proftpd-enabled '' | ||
63 | install -m 0755 -o nobody -g nogroup -d /var/lib/proftpd/authorized_keys | ||
64 | ''); | ||
65 | |||
66 | secrets.keys."pure-ftpd-ldap" = lib.mkIf pure-ftpd-enabled { | ||
67 | permissions = "0400"; | ||
68 | user = "ftp"; | ||
69 | group = "ftp"; | ||
70 | text = '' | ||
71 | LDAPServer ${config.myEnv.ftp.ldap.host} | ||
72 | LDAPPort 389 | ||
73 | LDAPUseTLS True | ||
74 | LDAPBaseDN ${config.myEnv.ftp.ldap.base} | ||
75 | LDAPBindDN ${config.myEnv.ftp.ldap.dn} | ||
76 | LDAPBindPW ${config.myEnv.ftp.ldap.password} | ||
77 | LDAPDefaultUID 500 | ||
78 | LDAPForceDefaultUID False | ||
79 | LDAPDefaultGID 100 | ||
80 | LDAPForceDefaultGID False | ||
81 | LDAPFilter ${config.myEnv.ftp.ldap.pure-ftpd_filter} | ||
82 | |||
83 | LDAPAuthMethod BIND | ||
84 | |||
85 | # Pas de possibilite de donner l'Uid/Gid ! | ||
86 | # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid | ||
87 | LDAPHomeDir immaeFtpDirectory | ||
88 | ''; | ||
89 | }; | ||
90 | secrets.keys."proftpd-ldap.conf" = lib.mkIf proftpd-enabled { | ||
91 | permissions = "0400"; | ||
92 | user = "ftp"; | ||
93 | group = "ftp"; | ||
94 | text = '' | ||
95 | LDAPServer ldaps://${config.myEnv.ftp.ldap.host}:636/??sub | ||
96 | LDAPUseTLS on | ||
97 | LDAPAuthBinds on | ||
98 | LDAPBindDN "${config.myEnv.ftp.ldap.dn}" "${config.myEnv.ftp.ldap.password}" | ||
99 | LDAPSearchScope subtree | ||
100 | LDAPAuthBinds on | ||
101 | LDAPDefaultGID 100 | ||
102 | LDAPDefaultUID 500 | ||
103 | LDAPForceDefaultUID off | ||
104 | LDAPForceDefaultGID off | ||
105 | LDAPAttr gidNumber immaeFtpGid | ||
106 | LDAPAttr uidNumber immaeFtpUid | ||
107 | LDAPAttr homeDirectory immaeFtpDirectory | ||
108 | LDAPUsers "${config.myEnv.ftp.ldap.base}" "${config.myEnv.ftp.ldap.proftpd_filter}" | ||
109 | LDAPGroups "${config.myEnv.ftp.ldap.base}" | ||
110 | ''; | ||
111 | }; | ||
112 | |||
113 | services.filesWatcher.pure-ftpd = lib.mkIf pure-ftpd-enabled { | ||
114 | restart = true; | ||
115 | paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ]; | ||
116 | }; | ||
117 | services.filesWatcher.proftpd = lib.mkIf proftpd-enabled { | ||
118 | restart = true; | ||
119 | paths = [ config.secrets.fullPaths."proftpd-ldap.conf" ]; | ||
120 | }; | ||
121 | |||
122 | systemd.services.pure-ftpd = let | ||
123 | configFile = pkgs.writeText "pure-ftpd.conf" '' | ||
124 | PassivePortRange 40000 50000 | ||
125 | Bind 42 | ||
126 | ChrootEveryone yes | ||
127 | CreateHomeDir yes | ||
128 | BrokenClientsCompatibility yes | ||
129 | MaxClientsNumber 50 | ||
130 | Daemonize yes | ||
131 | MaxClientsPerIP 8 | ||
132 | VerboseLog no | ||
133 | DisplayDotFiles yes | ||
134 | AnonymousOnly no | ||
135 | NoAnonymous no | ||
136 | SyslogFacility ftp | ||
137 | DontResolve yes | ||
138 | MaxIdleTime 15 | ||
139 | LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"} | ||
140 | LimitRecursion 10000 8 | ||
141 | AnonymousCanCreateDirs no | ||
142 | MaxLoad 4 | ||
143 | AntiWarez yes | ||
144 | Umask 133:022 | ||
145 | # ftp | ||
146 | MinUID 8 | ||
147 | AllowUserFXP no | ||
148 | AllowAnonymousFXP no | ||
149 | ProhibitDotFilesWrite no | ||
150 | ProhibitDotFilesRead no | ||
151 | AutoRename no | ||
152 | AnonymousCantUpload no | ||
153 | MaxDiskUsage 99 | ||
154 | CustomerProof yes | ||
155 | TLS 1 | ||
156 | CertFile ${config.security.acme.certs.ftp.directory}/full.pem | ||
157 | ''; | ||
158 | in lib.mkIf pure-ftpd-enabled { | ||
159 | description = "Pure-FTPd server"; | ||
160 | wantedBy = [ "multi-user.target" ]; | ||
161 | after = [ "network.target" ]; | ||
162 | |||
163 | serviceConfig.ExecStart = "${package}/bin/pure-ftpd ${configFile}"; | ||
164 | serviceConfig.Type = "forking"; | ||
165 | serviceConfig.PIDFile = "/run/pure-ftpd.pid"; | ||
166 | }; | ||
167 | |||
168 | systemd.services.proftpd = let | ||
169 | configFile = pkgs.writeText "proftpd.conf" '' | ||
170 | ServerName "ProFTPD" | ||
171 | ServerType standalone | ||
172 | DefaultServer on | ||
173 | |||
174 | Port 21 | ||
175 | UseIPv6 on | ||
176 | Umask 022 | ||
177 | MaxInstances 30 | ||
178 | MaxClients 50 | ||
179 | MaxClientsPerHost 8 | ||
180 | |||
181 | # Set the user and group under which the server will run. | ||
182 | User ftp | ||
183 | Group ftp | ||
184 | |||
185 | CreateHome on | ||
186 | DefaultRoot ~ | ||
187 | |||
188 | AllowOverwrite on | ||
189 | |||
190 | TLSEngine on | ||
191 | TLSRequired off | ||
192 | TLSProtocol TLSv1.1 TLSv1.2 TLSv1.3 | ||
193 | |||
194 | TLSCertificateChainFile ${config.security.acme.certs.ftp.directory}/fullchain.pem | ||
195 | TLSECCertificateFile ${config.security.acme.certs.ftp.directory}/cert.pem | ||
196 | TLSECCertificateKeyFile ${config.security.acme.certs.ftp.directory}/key.pem | ||
197 | TLSRenegotiate none | ||
198 | PidFile /run/proftpd/proftpd.pid | ||
199 | |||
200 | ScoreboardFile /run/proftpd/proftpd.scoreboard | ||
201 | |||
202 | PassivePorts 40000 50000 | ||
203 | #DebugLevel 10 | ||
204 | Include ${config.secrets.fullPaths."proftpd-ldap.conf"} | ||
205 | |||
206 | RequireValidShell off | ||
207 | |||
208 | # Bar use of SITE CHMOD by default | ||
209 | <Limit SITE_CHMOD> | ||
210 | DenyAll | ||
211 | </Limit> | ||
212 | |||
213 | <VirtualHost 0.0.0.0> | ||
214 | Umask 022 | ||
215 | Port 115 | ||
216 | SFTPEngine on | ||
217 | CreateHome on | ||
218 | DefaultRoot ~ | ||
219 | |||
220 | AllowOverwrite on | ||
221 | |||
222 | SFTPHostKey /etc/ssh/ssh_host_ed25519_key | ||
223 | SFTPHostKey /etc/ssh/ssh_host_rsa_key | ||
224 | Include ${config.secrets.fullPaths."proftpd-ldap.conf"} | ||
225 | RequireValidShell off | ||
226 | SFTPAuthorizedUserKeys file:/var/lib/proftpd/authorized_keys/%u | ||
227 | SFTPAuthMethods password publickey | ||
228 | |||
229 | SFTPOptions IgnoreSFTPSetOwners | ||
230 | </VirtualHost> | ||
231 | ''; | ||
232 | in lib.mkIf proftpd-enabled { | ||
233 | description = "ProFTPD server"; | ||
234 | wantedBy = [ "multi-user.target" ]; | ||
235 | after = [ "network.target" ]; | ||
236 | |||
237 | serviceConfig.ExecStart = "${pkgs.proftpd}/bin/proftpd -c ${configFile}"; | ||
238 | serviceConfig.Type = "forking"; | ||
239 | serviceConfig.PIDFile = "/run/proftpd/proftpd.pid"; | ||
240 | serviceConfig.RuntimeDirectory = "proftpd"; | ||
241 | }; | ||
242 | |||
243 | services.cron.systemCronJobs = lib.mkIf proftpd-enabled [ | ||
244 | "*/2 * * * * nobody ${./ftp_sync.sh}" | ||
245 | ]; | ||
246 | }; | ||
247 | |||
248 | } | ||