pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / networking / vsftpd.nix
at 25.11-pre 11 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7 8with lib; 9 10let 11 12 /* 13 minimal secure setup: 14 15 enable = true; 16 forceLocalLoginsSSL = true; 17 forceLocalDataSSL = true; 18 userlistDeny = false; 19 localUsers = true; 20 userlist = ["non-root-user" "other-non-root-user"]; 21 rsaCertFile = "/var/vsftpd/vsftpd.pem"; 22 */ 23 24 cfg = config.services.vsftpd; 25 26 inherit (pkgs) vsftpd; 27 28 yesNoOption = nixosName: vsftpdName: default: description: { 29 cfgText = "${vsftpdName}=${if getAttr nixosName cfg then "YES" else "NO"}"; 30 31 nixosOption = { 32 type = types.bool; 33 name = nixosName; 34 value = mkOption { 35 description = description; 36 inherit default; 37 type = types.bool; 38 }; 39 }; 40 }; 41 42 optionDescription = [ 43 (yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false '' 44 Allow the use of writeable root inside chroot(). 45 '') 46 (yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false '' 47 If enabled, virtual users will use the same privileges as local 48 users. By default, virtual users will use the same privileges as 49 anonymous users, which tends to be more restrictive (especially 50 in terms of write access). 51 '') 52 (yesNoOption "anonymousUser" "anonymous_enable" false '' 53 Whether to enable the anonymous FTP user. 54 '') 55 (yesNoOption "anonymousUserNoPassword" "no_anon_password" false '' 56 Whether to disable the password for the anonymous FTP user. 57 '') 58 (yesNoOption "localUsers" "local_enable" false '' 59 Whether to enable FTP for local users. 60 '') 61 (yesNoOption "writeEnable" "write_enable" false '' 62 Whether any write activity is permitted to users. 63 '') 64 (yesNoOption "anonymousUploadEnable" "anon_upload_enable" false '' 65 Whether any uploads are permitted to anonymous users. 66 '') 67 (yesNoOption "anonymousMkdirEnable" "anon_mkdir_write_enable" false '' 68 Whether any uploads are permitted to anonymous users. 69 '') 70 (yesNoOption "chrootlocalUser" "chroot_local_user" false '' 71 Whether local users are confined to their home directory. 72 '') 73 (yesNoOption "userlistEnable" "userlist_enable" false '' 74 Whether users are included. 75 '') 76 (yesNoOption "userlistDeny" "userlist_deny" false '' 77 Specifies whether {option}`userlistFile` is a list of user 78 names to allow or deny access. 79 The default `false` means whitelist/allow. 80 '') 81 (yesNoOption "forceLocalLoginsSSL" "force_local_logins_ssl" false '' 82 Only applies if {option}`sslEnable` is true. Non anonymous (local) users 83 must use a secure SSL connection to send a password. 84 '') 85 (yesNoOption "forceLocalDataSSL" "force_local_data_ssl" false '' 86 Only applies if {option}`sslEnable` is true. Non anonymous (local) users 87 must use a secure SSL connection for sending/receiving data on data connection. 88 '') 89 (yesNoOption "portPromiscuous" "port_promiscuous" false '' 90 Set to YES if you want to disable the PORT security check that ensures that 91 outgoing data connections can only connect to the client. Only enable if you 92 know what you are doing! 93 '') 94 (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' 95 Only applies if {option}`ssl_enable` is activated. If 96 enabled, this option will permit TLS v1 protocol connections. 97 TLS v1 connections are preferred. 98 '') 99 (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' 100 Only applies if {option}`ssl_enable` is activated. If 101 enabled, this option will permit SSL v2 protocol connections. 102 TLS v1 connections are preferred. 103 '') 104 (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' 105 Only applies if {option}`ssl_enable` is activated. If 106 enabled, this option will permit SSL v3 protocol connections. 107 TLS v1 connections are preferred. 108 '') 109 ]; 110 111 configFile = pkgs.writeText "vsftpd.conf" '' 112 ${concatMapStrings (x: "${x.cfgText}\n") optionDescription} 113 ${optionalString (cfg.rsaCertFile != null) '' 114 ssl_enable=YES 115 rsa_cert_file=${cfg.rsaCertFile} 116 ''} 117 ${optionalString (cfg.rsaKeyFile != null) '' 118 rsa_private_key_file=${cfg.rsaKeyFile} 119 ''} 120 ${optionalString (cfg.userlistFile != null) '' 121 userlist_file=${cfg.userlistFile} 122 ''} 123 background=YES 124 listen=NO 125 listen_ipv6=YES 126 nopriv_user=vsftpd 127 secure_chroot_dir=/var/empty 128 ${optionalString (cfg.localRoot != null) '' 129 local_root=${cfg.localRoot} 130 ''} 131 syslog_enable=YES 132 ${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") '' 133 seccomp_sandbox=NO 134 ''} 135 anon_umask=${cfg.anonymousUmask} 136 ${optionalString cfg.anonymousUser '' 137 anon_root=${cfg.anonymousUserHome} 138 ''} 139 ${optionalString cfg.enableVirtualUsers '' 140 guest_enable=YES 141 guest_username=vsftpd 142 ''} 143 pam_service_name=vsftpd 144 ${cfg.extraConfig} 145 ''; 146 147in 148 149{ 150 151 ###### interface 152 153 options = { 154 155 services.vsftpd = { 156 157 enable = mkEnableOption "vsftpd"; 158 159 userlist = mkOption { 160 default = [ ]; 161 type = types.listOf types.str; 162 description = "See {option}`userlistFile`."; 163 }; 164 165 userlistFile = mkOption { 166 type = types.path; 167 default = pkgs.writeText "userlist" (concatMapStrings (x: "${x}\n") cfg.userlist); 168 defaultText = literalExpression ''pkgs.writeText "userlist" (concatMapStrings (x: "''${x}\n") cfg.userlist)''; 169 description = '' 170 Newline separated list of names to be allowed/denied if {option}`userlistEnable` 171 is `true`. Meaning see {option}`userlistDeny`. 172 173 The default is a file containing the users from {option}`userlist`. 174 175 If explicitly set to null userlist_file will not be set in vsftpd's config file. 176 ''; 177 }; 178 179 enableVirtualUsers = mkOption { 180 type = types.bool; 181 default = false; 182 description = '' 183 Whether to enable the `pam_userdb`-based 184 virtual user system 185 ''; 186 }; 187 188 userDbPath = mkOption { 189 type = types.nullOr types.str; 190 example = "/etc/vsftpd/userDb"; 191 default = null; 192 description = '' 193 Only applies if {option}`enableVirtualUsers` is true. 194 Path pointing to the `pam_userdb` user 195 database used by vsftpd to authenticate the virtual users. 196 197 This user list should be stored in the Berkeley DB database 198 format. 199 200 To generate a new user database, create a text file, add 201 your users using the following format: 202 ``` 203 user1 204 password1 205 user2 206 password2 207 ``` 208 209 You can then install `pkgs.db` to generate 210 the Berkeley DB using 211 ``` 212 db_load -T -t hash -f logins.txt userDb.db 213 ``` 214 215 Caution: `pam_userdb` will automatically 216 append a `.db` suffix to the filename you 217 provide though this option. This option shouldn't include 218 this filetype suffix. 219 ''; 220 }; 221 222 localRoot = mkOption { 223 type = types.nullOr types.str; 224 default = null; 225 example = "/var/www/$USER"; 226 description = '' 227 This option represents a directory which vsftpd will try to 228 change into after a local (i.e. non- anonymous) login. 229 230 Failure is silently ignored. 231 ''; 232 }; 233 234 anonymousUserHome = mkOption { 235 type = types.path; 236 default = "/home/ftp/"; 237 description = '' 238 Directory to consider the HOME of the anonymous user. 239 ''; 240 }; 241 242 rsaCertFile = mkOption { 243 type = types.nullOr types.path; 244 default = null; 245 description = "RSA certificate file."; 246 }; 247 248 rsaKeyFile = mkOption { 249 type = types.nullOr types.path; 250 default = null; 251 description = "RSA private key file."; 252 }; 253 254 anonymousUmask = mkOption { 255 type = types.str; 256 default = "077"; 257 example = "002"; 258 description = "Anonymous write umask."; 259 }; 260 261 extraConfig = mkOption { 262 type = types.lines; 263 default = ""; 264 example = "ftpd_banner=Hello"; 265 description = "Extra configuration to add at the bottom of the generated configuration file."; 266 }; 267 268 } // (listToAttrs (catAttrs "nixosOption" optionDescription)); 269 270 }; 271 272 ###### implementation 273 274 config = mkIf cfg.enable { 275 276 assertions = [ 277 { 278 assertion = 279 (cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null) 280 && (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null); 281 message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!"; 282 } 283 { 284 assertion = 285 (cfg.enableVirtualUsers -> cfg.userDbPath != null) && (cfg.enableVirtualUsers -> cfg.localUsers); 286 message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; 287 } 288 ]; 289 290 users.users = 291 { 292 "vsftpd" = { 293 group = "vsftpd"; 294 isSystemUser = true; 295 description = "VSFTPD user"; 296 home = 297 if cfg.localRoot != null then 298 cfg.localRoot # <= Necessary for virtual users. 299 else 300 "/homeless-shelter"; 301 }; 302 } 303 // optionalAttrs cfg.anonymousUser { 304 "ftp" = { 305 name = "ftp"; 306 uid = config.ids.uids.ftp; 307 group = "ftp"; 308 description = "Anonymous FTP user"; 309 home = cfg.anonymousUserHome; 310 }; 311 }; 312 313 users.groups.vsftpd = { }; 314 users.groups.ftp.gid = config.ids.gids.ftp; 315 316 # If you really have to access root via FTP use mkOverride or userlistDeny 317 # = false and whitelist root 318 services.vsftpd.userlist = optional cfg.userlistDeny "root"; 319 320 systemd = { 321 tmpfiles.rules = 322 optional cfg.anonymousUser 323 #Type Path Mode User Gr Age Arg 324 "d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -"; 325 services.vsftpd = { 326 description = "Vsftpd Server"; 327 328 wantedBy = [ "multi-user.target" ]; 329 330 serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}"; 331 serviceConfig.Restart = "always"; 332 serviceConfig.Type = "forking"; 333 }; 334 }; 335 336 security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null) '' 337 auth required pam_userdb.so db=${cfg.userDbPath} 338 account required pam_userdb.so db=${cfg.userDbPath} 339 ''; 340 }; 341}