# docs:
# - <https://github.com/drakkan/sftpgo>
# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
# - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
#
# sftpgo is an FTP server that also supports WebDAV, SFTP, and web clients; this file only configures its FTP listener.
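{ config, lib, pkgs, sane-lib, ... }:
let
  # Authentication is delegated entirely to this hook (see `external_auth_hook` below);
  # its source lives next to this file.
  sftpgo_external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
    pname = "sftpgo_external_auth_hook";
    srcRoot = ./.;
  };

  # Client initiates a FTP "control connection" on port 21.
  # - this handles the client -> server commands, and the server -> client status, but not the actual data
  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
  # - 50000-50100 is a common port range for this; 50000 itself is used by soulseek, so start at 50050.
  #
  # The firewall entries (`sane.ports.ports`) and the sftpgo listener config (`ftpd`) are
  # both derived from these constants so they cannot drift apart: a range that is open in
  # the firewall but not bound by sftpgo is needless exposure, and the reverse silently
  # breaks every passive transfer. `lib.range` is inclusive at both ends; the same two
  # numbers were already handed to sftpgo before this refactor, so nothing changes here.
  ftpControlPort = 21;
  ftpPassiveStart = 50050;
  ftpPassiveEnd = 50100;

  # One firewall entry shape for the control port and every passive data port.
  # All of them are reachable from the WAN: the gateway forwards the control port, and in
  # passive mode the *client* opens the data connection, so the data range has to be
  # reachable as well. Nothing in the firewall restricts who may connect -- the only
  # gate is sftpgo's auth hook.
  ftpFirewallEntry = description: {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
    visibleTo.wan = true;
    inherit description;
  };
in
{
  sane.ports.ports = {
    "${builtins.toString ftpControlPort}" = ftpFirewallEntry "colin-FTP server";
  } // (sane-lib.mapToAttrs
    (port: {
      name = builtins.toString port;
      value = ftpFirewallEntry "colin-FTP server data port range";
    })
    (lib.range ftpPassiveStart ftpPassiveEnd)
  );

  services.sftpgo = {
    enable = true;
    # group the service runs as; files it creates end up owned by `export` (see UMask below).
    group = "export";
    settings = {
      ftpd = {
        # NOTE(review): no `tls_mode`/certificate is configured, so every session is
        # cleartext FTP -- usernames, passwords and file contents cross the WAN
        # unencrypted. That is acceptable for the anonymous read-only access the banner
        # advertises; any account that can write, or that has a real password, should be
        # steered to an encrypted path instead (FTPS via sftpgo's ftpd TLS settings, or
        # SFTP -- see the full-configuration doc linked at the top of this file).
        bindings = [
          {
            # binding this means any wireguard client can connect
            address = "10.0.10.5";
            port = ftpControlPort;
            # verbose per-session logging; worth turning off once the setup is stable,
            # since the log then records every client command.
            debug = true;
          }
          {
            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
            address = "10.78.79.51";
            port = ftpControlPort;
            debug = true;
          }
        ];

        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
        disable_active_mode = true;
        # lets clients ask the server to checksum files (the HASH command and related ones).
        # On a server that accepts anonymous WAN logins that is CPU work an unauthenticated
        # client can trigger on demand, presumably over the whole file; keep it in mind if
        # the host is ever under load.
        hash_support = true;
        passive_port_range = {
          start = ftpPassiveStart;
          end = ftpPassiveEnd;
        };
        # NOTE(review): the listener is bound to the LAN address, so PASV replies presumably
        # advertise 10.78.79.51. If WAN clients can log in but not transfer, that is the
        # first thing to check; sftpgo's `force_passive_ip` / `passive_ip_overrides`
        # settings exist for exactly this and are not set here.

        # NOTE(review): the "LAN-restricted" promise for the anonymous account is not
        # expressed anywhere in this file -- the listener itself accepts WAN connections,
        # so that restriction has to come from the external auth hook (not shown here).
        banner = ''
          Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.

          Read-only access (LAN-restricted):
          Username: "anonymous"
          Password: "anonymous"

          CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`.
          Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :)
        '';
      };

      data_provider = {
        # nothing is persisted on disk; user records are produced by the auth hook at login time.
        driver = "memory";
        external_auth_hook = "${sftpgo_external_auth_hook}/bin/sftpgo_external_auth_hook";
        # track_quota:
        # - 0: disable quota tracking
        # - 1: quota is updated on every upload/delete, even if user has no quota restriction
        # - 2: quota is updated on every upload/delete, but only if user/folder has a quota restriction (default, i think)
        # track_quota = 2;
      };
    };
  };

  # The service user is also a member of these groups, so anything readable by `export`
  # or `media` is within reach of the sftpgo process. Per-user fencing is entirely up to
  # what the auth hook returns for each login -- presumably a home directory and
  # permissions -- not to the OS.
  users.users.sftpgo.extraGroups = [
    "export"
    "media"
  ];

  systemd.services.sftpgo = {
    # the listeners bind to specific addresses, so wait until the network is actually up.
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      # the only tree re-opened for writes inside the module's sandbox; everything else
      # stays however the NixOS module leaves it (read-only, presumably).
      ReadWritePaths = [ "/var/export" ];

      Restart = "always";
      RestartSec = "20s";
      # 0002 makes files created by sftpgo group-writable (and world-readable), so other
      # members of `export` can edit what FTP users upload. mkForce overrides the umask
      # the NixOS module presumably sets on its own.
      UMask = lib.mkForce "0002";
    };
  };
}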
|