Move ftp password file to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 13 insertions, 6 deletions

diff --git a/nixops/modules/ftp/default.nix b/nixops/modules/ftp/default.nix
index af9a75c..0409f23 100644
--- a/nixops/modules/ftp/default.nix
+++ b/nixops/modules/ftp/default.nix
@@ -33,10 +33,11 @@
     users.users = [
       {
         name = "ftp";
-        uid = config.ids.uids.ftp;
+        uid = config.ids.uids.ftp; # 8
         group = "ftp";
         description = "Anonymous FTP user";
         home = "/homeless-shelter";
+        extraGroups = [ "keys" ];
       }
     ];
 
@@ -46,8 +47,11 @@
       install -m 0755 -o ftp -g ftp -d /var/lib/ftp
       '';
 
-    systemd.services.pure-ftpd = let
-      ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
+    deployment.keys.pure-ftpd-ldap = {
+      permissions = "0400";
+      user = "ftp";
+      group = "ftp";
+      text = ''
         LDAPServer          ${myconfig.env.ftp.ldap.host}
         LDAPPort            389
         LDAPUseTLS          True
@@ -62,10 +66,13 @@
 
         LDAPAuthMethod      BIND
 
-        # Pas de possibilité de donner l'Uid/Gid !
-        # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
+        # Pas de possibilite de donner l'Uid/Gid !
+        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
         LDAPHomeDir         immaeFtpDirectory
         '';
+    };
+
+    systemd.services.pure-ftpd = let
       configFile = pkgs.writeText "pure-ftpd.conf" ''
         PassivePortRange             40000 50000
         ChrootEveryone               yes
@@ -81,7 +88,7 @@
         SyslogFacility               ftp
         DontResolve                  yes
         MaxIdleTime                  15
-        LDAPConfigFile               ${ldapConfigFile}
+        LDAPConfigFile               /run/keys/pure-ftpd-ldap
         LimitRecursion               10000 8
         AnonymousCanCreateDirs       no
         MaxLoad                      4