29027fd1e1
Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
205 lines
5.9 KiB
Nix
205 lines
5.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
/* minimal secure setup:
|
|
|
|
enable = true;
|
|
forceLocalLoginsSSL = true;
|
|
forceLocalDataSSL = true;
|
|
userlistDeny = false;
|
|
localUsers = true;
|
|
userlist = ["non-root-user" "other-non-root-user"];
|
|
rsaCertFile = "/var/vsftpd/vsftpd.pem";
|
|
|
|
*/
|
|
|
|
cfg = config.services.vsftpd;
|
|
|
|
inherit (pkgs) vsftpd;
|
|
|
|
yesNoOption = nixosName: vsftpdName: default: description: {
|
|
cfgText = "${vsftpdName}=${if getAttr nixosName cfg then "YES" else "NO"}";
|
|
|
|
nixosOption = {
|
|
type = types.bool;
|
|
name = nixosName;
|
|
value = mkOption {
|
|
inherit description default;
|
|
type = types.bool;
|
|
};
|
|
};
|
|
};
|
|
|
|
optionDescription = [
|
|
(yesNoOption "anonymousUser" "anonymous_enable" false ''
|
|
Whether to enable the anonymous FTP user.
|
|
'')
|
|
(yesNoOption "localUsers" "local_enable" false ''
|
|
Whether to enable FTP for local users.
|
|
'')
|
|
(yesNoOption "writeEnable" "write_enable" false ''
|
|
Whether any write activity is permitted to users.
|
|
'')
|
|
(yesNoOption "anonymousUploadEnable" "anon_upload_enable" false ''
|
|
Whether any uploads are permitted to anonymous users.
|
|
'')
|
|
(yesNoOption "anonymousMkdirEnable" "anon_mkdir_write_enable" false ''
|
|
Whether any uploads are permitted to anonymous users.
|
|
'')
|
|
(yesNoOption "chrootlocalUser" "chroot_local_user" false ''
|
|
Whether local users are confined to their home directory.
|
|
'')
|
|
(yesNoOption "userlistEnable" "userlist_enable" false ''
|
|
Whether users are included.
|
|
'')
|
|
(yesNoOption "userlistDeny" "userlist_deny" false ''
|
|
Specifies whether <option>userlistFile</option> is a list of user
|
|
names to allow or deny access.
|
|
The default <literal>false</literal> means whitelist/allow.
|
|
'')
|
|
(yesNoOption "forceLocalLoginsSSL" "force_local_logins_ssl" false ''
|
|
Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
|
|
must use a secure SSL connection to send a password.
|
|
'')
|
|
(yesNoOption "forceLocalDataSSL" "force_local_data_ssl" false ''
|
|
Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
|
|
must use a secure SSL connection for sending/receiving data on data connection.
|
|
'')
|
|
(yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' '')
|
|
(yesNoOption "ssl_sslv2" "ssl_sslv2" false '' '')
|
|
(yesNoOption "ssl_sslv3" "ssl_sslv3" false '' '')
|
|
];
|
|
|
|
configFile = pkgs.writeText "vsftpd.conf"
|
|
''
|
|
${concatMapStrings (x: "${x.cfgText}\n") optionDescription}
|
|
${optionalString (cfg.rsaCertFile != null) ''
|
|
ssl_enable=YES
|
|
rsa_cert_file=${cfg.rsaCertFile}
|
|
''}
|
|
${optionalString (cfg.userlistFile != null) ''
|
|
userlist_file=${cfg.userlistFile}
|
|
''}
|
|
background=YES
|
|
listen=YES
|
|
nopriv_user=vsftpd
|
|
secure_chroot_dir=/var/empty
|
|
syslog_enable=YES
|
|
${optionalString (pkgs.stdenv.system == "x86_64-linux") ''
|
|
seccomp_sandbox=NO
|
|
''}
|
|
anon_umask=${cfg.anonymousUmask}
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
services.vsftpd = {
|
|
|
|
enable = mkOption {
|
|
default = false;
|
|
description = "Whether to enable the vsftpd FTP server.";
|
|
};
|
|
|
|
userlist = mkOption {
|
|
default = [];
|
|
description = "See <option>userlistFile</option>.";
|
|
};
|
|
|
|
userlistFile = mkOption {
|
|
default = pkgs.writeText "userlist" (concatMapStrings (x: "${x}\n") cfg.userlist);
|
|
description = ''
|
|
Newline separated list of names to be allowed/denied if <option>userlistEnable</option>
|
|
is <literal>true</literal>. Meaning see <option>userlistDeny</option>.
|
|
|
|
The default is a file containing the users from <option>userlist</option>.
|
|
|
|
If explicitely set to null userlist_file will not be set in vsftpd's config file.
|
|
'';
|
|
};
|
|
|
|
anonymousUserHome = mkOption {
|
|
type = types.path;
|
|
default = "/home/ftp/";
|
|
description = ''
|
|
Directory to consider the HOME of the anonymous user.
|
|
'';
|
|
};
|
|
|
|
rsaCertFile = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
description = "RSA certificate file.";
|
|
};
|
|
|
|
anonymousUmask = mkOption {
|
|
type = types.string;
|
|
default = "077";
|
|
example = "002";
|
|
description = "Anonymous write umask.";
|
|
};
|
|
|
|
} // (listToAttrs (catAttrs "nixosOption" optionDescription));
|
|
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
assertions = singleton
|
|
{ assertion =
|
|
(cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null)
|
|
&& (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null);
|
|
message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!";
|
|
};
|
|
|
|
users.extraUsers =
|
|
[ { name = "vsftpd";
|
|
uid = config.ids.uids.vsftpd;
|
|
description = "VSFTPD user";
|
|
home = "/homeless-shelter";
|
|
}
|
|
] ++ optional cfg.anonymousUser
|
|
{ name = "ftp";
|
|
uid = config.ids.uids.ftp;
|
|
group = "ftp";
|
|
description = "Anonymous FTP user";
|
|
home = cfg.anonymousUserHome;
|
|
};
|
|
|
|
users.extraGroups.ftp.gid = config.ids.gids.ftp;
|
|
|
|
# If you really have to access root via FTP use mkOverride or userlistDeny
|
|
# = false and whitelist root
|
|
services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else [];
|
|
|
|
systemd.services.vsftpd =
|
|
{ description = "Vsftpd Server";
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
preStart =
|
|
optionalString cfg.anonymousUser
|
|
''
|
|
mkdir -p -m 555 ${cfg.anonymousUserHome}
|
|
chown -R ftp:ftp ${cfg.anonymousUserHome}
|
|
'';
|
|
|
|
serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}";
|
|
serviceConfig.Restart = "always";
|
|
serviceConfig.Type = "forking";
|
|
};
|
|
|
|
};
|
|
|
|
}
|