diff options
Diffstat (limited to 'nixops/modules/ftp/default.nix')
| -rw-r--r-- | nixops/modules/ftp/default.nix | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/nixops/modules/ftp/default.nix b/nixops/modules/ftp/default.nix new file mode 100644 index 0000000..c717bfd --- /dev/null +++ b/nixops/modules/ftp/default.nix | |||
| @@ -0,0 +1,110 @@ | |||
| 1 | { lib, pkgs, config, myconfig, ... }: | ||
| 2 | { | ||
| 3 | options = { | ||
| 4 | services.pure-ftpd.enable = lib.mkOption { | ||
| 5 | type = lib.types.bool; | ||
| 6 | default = false; | ||
| 7 | description = '' | ||
| 8 | Whether to enable pure-ftpd. | ||
| 9 | ''; | ||
| 10 | }; | ||
| 11 | }; | ||
| 12 | |||
| 13 | config = lib.mkIf config.services.pure-ftpd.enable { | ||
| 14 | security.acme.certs."ftp" = config.services.myCertificates.certConfig // { | ||
| 15 | domain = "eldiron.immae.eu"; | ||
| 16 | }; | ||
| 17 | |||
| 18 | nixpkgs.config.packageOverrides = oldpkgs: rec { | ||
| 19 | pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {}; | ||
| 20 | }; | ||
| 21 | |||
| 22 | networking = { | ||
| 23 | firewall = { | ||
| 24 | allowedTCPPorts = [ 21 ]; | ||
| 25 | allowedTCPPortRanges = [ { from = 40000; to = 50000; } ]; | ||
| 26 | }; | ||
| 27 | }; | ||
| 28 | |||
| 29 | users.users = [ | ||
| 30 | { | ||
| 31 | name = "ftp"; | ||
| 32 | uid = config.ids.uids.ftp; | ||
| 33 | group = "ftp"; | ||
| 34 | description = "Anonymous FTP user"; | ||
| 35 | home = "/homeless-shelter"; | ||
| 36 | } | ||
| 37 | ]; | ||
| 38 | |||
| 39 | users.groups.ftp.gid = config.ids.gids.ftp; | ||
| 40 | |||
| 41 | system.activationScripts.pure-ftpd = '' | ||
| 42 | install -m 0755 -o ftp -g ftp -d /var/lib/ftp | ||
| 43 | ''; | ||
| 44 | |||
| 45 | systemd.services.pure-ftpd = let | ||
| 46 | ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" '' | ||
| 47 | LDAPServer ${myconfig.env.ftp.ldap.host} | ||
| 48 | LDAPPort 389 | ||
| 49 | LDAPUseTLS True | ||
| 50 | LDAPBaseDN ${myconfig.env.ftp.ldap.base} | ||
| 51 | LDAPBindDN ${myconfig.env.ftp.ldap.dn} | ||
| 52 | LDAPBindPW ${myconfig.env.ftp.ldap.password} | ||
| 53 | LDAPDefaultUID 500 | ||
| 54 | LDAPForceDefaultUID False | ||
| 55 | LDAPDefaultGID 100 | ||
| 56 | LDAPForceDefaultGID False | ||
| 57 | LDAPFilter ${myconfig.env.ftp.ldap.filter} | ||
| 58 | |||
| 59 | LDAPAuthMethod BIND | ||
| 60 | |||
| 61 | # Pas de possibilité de donner l'Uid/Gid ! | ||
| 62 | # Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid | ||
| 63 | LDAPHomeDir immaeFtpDirectory | ||
| 64 | ''; | ||
| 65 | configFile = pkgs.writeText "pure-ftpd.conf" '' | ||
| 66 | PassivePortRange 40000 50000 | ||
| 67 | ChrootEveryone yes | ||
| 68 | CreateHomeDir yes | ||
| 69 | BrokenClientsCompatibility yes | ||
| 70 | MaxClientsNumber 50 | ||
| 71 | Daemonize yes | ||
| 72 | MaxClientsPerIP 8 | ||
| 73 | VerboseLog no | ||
| 74 | DisplayDotFiles yes | ||
| 75 | AnonymousOnly no | ||
| 76 | NoAnonymous no | ||
| 77 | SyslogFacility ftp | ||
| 78 | DontResolve yes | ||
| 79 | MaxIdleTime 15 | ||
| 80 | LDAPConfigFile ${ldapConfigFile} | ||
| 81 | LimitRecursion 10000 8 | ||
| 82 | AnonymousCanCreateDirs no | ||
| 83 | MaxLoad 4 | ||
| 84 | AntiWarez yes | ||
| 85 | Umask 133:022 | ||
| 86 | # ftp | ||
| 87 | MinUID 8 | ||
| 88 | AllowUserFXP no | ||
| 89 | AllowAnonymousFXP no | ||
| 90 | ProhibitDotFilesWrite no | ||
| 91 | ProhibitDotFilesRead no | ||
| 92 | AutoRename no | ||
| 93 | AnonymousCantUpload no | ||
| 94 | MaxDiskUsage 99 | ||
| 95 | CustomerProof yes | ||
| 96 | TLS 1 | ||
| 97 | CertFile /var/lib/acme/ftp/full.pem | ||
| 98 | ''; | ||
| 99 | in { | ||
| 100 | description = "Pure-FTPd server"; | ||
| 101 | wantedBy = [ "multi-user.target" ]; | ||
| 102 | after = [ "network.target" ]; | ||
| 103 | |||
| 104 | serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}"; | ||
| 105 | serviceConfig.Type = "forking"; | ||
| 106 | serviceConfig.PIDFile = "/run/pure-ftpd.pid"; | ||
| 107 | }; | ||
| 108 | }; | ||
| 109 | |||
| 110 | } | ||