Diffstat (limited to 'nixops')
-rw-r--r--nixops/eldiron.nix2
-rw-r--r--nixops/modules/ftp/default.nix110
-rw-r--r--nixops/modules/ftp/pure-ftpd.nix29
3 files changed, 141 insertions, 0 deletions
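--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -25,12 +25,14 @@
 ./modules/databases
 ./modules/websites
 ./modules/mail
+./modules/ftp
 ];
 services.myGitolite.enable = true;
 services.myDatabases.enable = true;
 services.myWebsites.production.enable = true;
 services.myWebsites.integration.enable = true;
 services.myWebsites.tools.enable = true;
+services.pure-ftpd.enable = true;
 
 networking = {
 firewall = {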
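--- /dev/null
+++ b/nixops/modules/ftp/default.nix
@@ -0,0 +1,110 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+options = {
+services.pure-ftpd.enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = ''
+Whether to enable pure-ftpd.
+'';
+};
+};
+
+config = lib.mkIf config.services.pure-ftpd.enable {
+security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
+domain = "eldiron.immae.eu";
+};
+
+nixpkgs.config.packageOverrides = oldpkgs: rec {
+pure-ftpd = pkgs.callPackage ./pure-ftpd.nix {};
+};
+
+networking = {
+firewall = {
+allowedTCPPorts = [ 21 ];
+allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
+};
+};
+
+users.users = [
+{
+name = "ftp";
+uid = config.ids.uids.ftp;
+group = "ftp";
+description = "Anonymous FTP user";
+home = "/homeless-shelter";
+}
+];
+
+users.groups.ftp.gid = config.ids.gids.ftp;
+
+system.activationScripts.pure-ftpd = ''
+install -m 0755 -o ftp -g ftp -d /var/lib/ftp
+'';
+
+systemd.services.pure-ftpd = let
+ldapConfigFile = pkgs.writeText "pure-ftpd-ldap.conf" ''
+LDAPServer ${myconfig.env.ftp.ldap.host}
+LDAPPort 389
+LDAPUseTLS True
+LDAPBaseDN ${myconfig.env.ftp.ldap.base}
+LDAPBindDN ${myconfig.env.ftp.ldap.dn}
+LDAPBindPW ${myconfig.env.ftp.ldap.password}
+LDAPDefaultUID 500
+LDAPForceDefaultUID False
+LDAPDefaultGID 100
+LDAPForceDefaultGID False
+LDAPFilter ${myconfig.env.ftp.ldap.filter}
+
+LDAPAuthMethod BIND
+
+# Pas de possibilité de donner l'Uid/Gid !
+# Compilé dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
+LDAPHomeDir immaeFtpDirectory
+'';
+configFile = pkgs.writeText "pure-ftpd.conf" ''
+PassivePortRange 40000 50000
+ChrootEveryone yes
+CreateHomeDir yes
+BrokenClientsCompatibility yes
+MaxClientsNumber 50
+Daemonize yes
+MaxClientsPerIP 8
+VerboseLog no
+DisplayDotFiles yes
+AnonymousOnly no
+NoAnonymous no
+SyslogFacility ftp
+DontResolve yes
+MaxIdleTime 15
+LDAPConfigFile ${ldapConfigFile}
+LimitRecursion 10000 8
+AnonymousCanCreateDirs no
+MaxLoad 4
+AntiWarez yes
+Umask 133:022
+# ftp
+MinUID 8
+AllowUserFXP no
+AllowAnonymousFXP no
+ProhibitDotFilesWrite no
+ProhibitDotFilesRead no
+AutoRename no
+AnonymousCantUpload no
+MaxDiskUsage 99
+CustomerProof yes
+TLS 1
+CertFile /var/lib/acme/ftp/full.pem
+'';
+in {
+description = "Pure-FTPd server";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
+serviceConfig.Type = "forking";
+serviceConfig.PIDFile = "/run/pure-ftpd.pid";
+};
+};
+
+}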
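Review bot: The LDAP bind password is interpolated into `ldapConfigFile` via `pkgs.writeText` (the `LDAPBindPW ${myconfig.env.ftp.ldap.password}` line), so the secret lands in the world-readable Nix store and in the system closure of every machine that evaluates this module. Keep it out of the store by provisioning the LDAP config at runtime (a deployment key or an activation-time file owned by the service user with mode 0600) and point the main config at that path instead of the store path, e.g. `LDAPConfigFile /run/keys/pure-ftpd-ldap.conf` (placeholder path; it must match wherever the file is actually installed). Separately, `TLS 1` in pure-ftpd only offers TLS and still accepts cleartext logins, so the LDAP-backed credentials can cross port 21 unencrypted; `TLS 2` refuses cleartext control sessions and `TLS 3` also forces TLS on data connections. `NoAnonymous no` combined with `AnonymousCantUpload no` permits anonymous uploads into the ftp home created by the activation script; if anonymous write access is not intended, `AnonymousCantUpload yes` (or `NoAnonymous yes`) closes it. Finally, `packageOverrides` calls `pkgs.callPackage` on the final package set rather than `oldpkgs`, which can trigger evaluation recursion; the conventional `pure-ftpd = oldpkgs.callPackage ./pure-ftpd.nix {};` avoids that, and the `rec` there appears unused.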
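--- /dev/null
+++ b/nixops/modules/ftp/pure-ftpd.nix
@@ -0,0 +1,29 @@
+{ stdenv, fetchurl, openssl, postgresql, openldap }:
+
+stdenv.mkDerivation rec {
+name = "pure-ftpd-1.0.47";
+
+src = fetchurl {
+url = "https://download.pureftpd.org/pub/pure-ftpd/releases/${name}.tar.gz";
+sha256 = "1b97ixva8m10vln8xrfwwwzi344bkgxqji26d0nrm1yzylbc6h27";
+};
+
+preConfigure = ''
+sed -i -e "s#FTPuid#immaeFtpUid#" src/log_ldap.h
+sed -i -e "s#FTPgid#immaeFtpGid#" src/log_ldap.h
+'';
+postConfigure = ''
+sed -i 's/define MAX_DATA_SIZE (40/define MAX_DATA_SIZE (70/' src/ftpd.h
+'';
+buildInputs = [ openssl postgresql openldap ];
+
+configureFlags = [ "--with-everything" "--with-tls" "--with-pgsql" "--with-ldap" ];
+
+meta = with stdenv.lib; {
+description = "A free, secure, production-quality and standard-conformant FTP server";
+homepage = https://www.pureftpd.org;
+license = licenses.isc; # with some parts covered by BSD3(?)
+maintainers = [ maintainers.lethalman ];
+platforms = platforms.linux;
+};
+}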
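Review bot: The `sed` rewrites in `preConfigure` and `postConfigure` are unchecked, so if a later tarball renames `FTPuid`/`FTPgid` in `src/log_ldap.h` or changes the `MAX_DATA_SIZE (40` text, the build still succeeds while the compiled-in LDAP attribute names that `default.nix` depends on (`immaeFtpUid`/`immaeFtpGid`) silently fall back to upstream's. Guard each substitution with a match check, e.g. `grep -q FTPuid src/log_ldap.h` and `grep -q FTPgid src/log_ldap.h` before the two seds and `grep -q 'define MAX_DATA_SIZE (40' src/ftpd.h` in `postConfigure`, so a non-match aborts the phase (assuming the usual abort-on-error shell of stdenv phases). A one-line comment above `preConfigure` stating why the attribute names are renamed would help, since the only explanation is the French comment inside `default.nix`; something like `# Rename the LDAP uid/gid attributes so they cannot collide with the standard FTPuid/FTPgid schema` (confirm the actual motivation with the author). The unquoted `homepage = https://www.pureftpd.org;` is deprecated Nix URL-literal syntax; quote it as `homepage = "https://www.pureftpd.org";`.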