author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 17:13:41 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 17:13:41 +0200 |
commit | 926a4007ae464c08363c75aa177d978d803366a6 (patch) | |
tree | 0043d1ddb0eaa245af453e61405028a0b9bf0f26 /nixops/modules | |
parent | 914dd76ceccc2de3bd5ffa176cf7984ad1bd5581 (diff) | |
download | Nix-926a4007ae464c08363c75aa177d978d803366a6.tar.gz Nix-926a4007ae464c08363c75aa177d978d803366a6.tar.zst Nix-926a4007ae464c08363c75aa177d978d803366a6.zip |
Move ftp password file to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules')
-rw-r--r-- | nixops/modules/ftp/default.nix | 19 |
1 files changed, 13 insertions, 6 deletions
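--- a/nixops/modules/ftp/default.nix
+++ b/nixops/modules/ftp/default.nix
@@ -33,10 +33,11 @@
 users.users = [
 {
 name = "ftp";
-uid = config.ids.uids.ftp;
+uid = config.ids.uids.ftp; # 8
 group = "ftp";
 description = "Anonymous FTP user";
 home = "/homeless-shelter";
+extraGroups = [ "keys" ];
 }
 ];
 
@@ -46,8 +47,11 @@
 install -m 0755 -o ftp -g ftp -d /var/lib/ftp
 '';
 
-systemd.services.pure-ftpd = let
-ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
+deployment.keys.pure-ftpd-ldap = {
+permissions = "0400";
+user = "ftp";
+group = "ftp";
+text = ''
 LDAPServer ${myconfig.env.ftp.ldap.host}
 LDAPPort 389
 LDAPUseTLS True
@@ -62,10 +66,13 @@
 
 LDAPAuthMethod BIND
 
-# Pas de possibilité de donner l'Uid/Gid !
-# Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
+# Pas de possibilite de donner l'Uid/Gid !
+# Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
 LDAPHomeDir immaeFtpDirectory
 '';
+};
+
+systemd.services.pure-ftpd = let
 configFile = pkgs.writeText "pure-ftpd.conf" ''
 PassivePortRange 40000 50000
 ChrootEveryone yes
@@ -81,7 +88,7 @@
 SyslogFacility ftp
 DontResolve yes
 MaxIdleTime 15
-LDAPConfigFile ${ldapConfigFile}
+LDAPConfigFile /run/keys/pure-ftpd-ldap
 LimitRecursion 10000 8
 AnonymousCanCreateDirs no
 MaxLoad 4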
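Review bot: The pure-ftpd unit now depends on `/run/keys/pure-ftpd-ldap` existing (the `LDAPConfigFile` line in the last hunk), but nothing in the visible hunks orders the service after the key is delivered; nixops materialises deployment keys into a tmpfs at deploy time and generates a `pure-ftpd-ldap-key.service` unit for each key, so after a reboot pure-ftpd may start before the file is present and fail, or come up without its LDAP configuration, until the keys are re-sent. Adding `after = [ "pure-ftpd-ldap-key.service" ]; wants = [ "pure-ftpd-ldap-key.service" ];` to `systemd.services.pure-ftpd` (whose body continues past the hunk) closes that window. The `extraGroups = [ "keys" ]` added to the `ftp` user in the first hunk is presumably only there so the account can traverse `/run/keys`, since the key itself is `0400` and owned by `ftp`; note that it also gives the anonymous-FTP account group access to any other key on the host that is made group-readable, which deserves a comment next to the line, e.g. `# needed to traverse /run/keys; the key itself is 0400 ftp:ftp`.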