sftpgo: expose to the WAN

2024-03-14 12:38:13 +00:00
parent 691a7d7ff7
commit 098cd2051e
1 changed files with 10 additions and 10 deletions
--- a/hosts/by-name/servo/services/export/sftpgo.nix
+++ b/hosts/by-name/servo/services/export/sftpgo.nix
@@ -6,9 +6,6 @@
 # - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
 #
 # sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
-#
-# TODO: change umask so sftpgo-created files default to 644.
-# - it does indeed appear that the 600 is not something sftpgo is explicitly doing.

 { config, lib, pkgs, sane-lib, ... }:
 let
@@ -22,10 +19,12 @@ in
  # - this handles the client -> server commands, and the server -> client status, but not the actual data
  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
  # - 50000-50100 is a common port range for this.
+  #   50000 is used by soulseek.
  sane.ports.ports = {
    "21" = {
      protocol = [ "tcp" ];
      visibleTo.lan = true;
+      visibleTo.wan = true;
      description = "colin-FTP server";
    };
  } // (sane-lib.mapToAttrs
@@ -34,10 +33,11 @@ in
      value = {
        protocol = [ "tcp" ];
        visibleTo.lan = true;
+        visibleTo.wan = true;
        description = "colin-FTP server data port range";
      };
    })
-    (lib.range 50000 50100)
+    (lib.range 50050 50100)
  );

  services.sftpgo = {
@@ -53,7 +53,7 @@ in
            debug = true;
          }
          {
-            # binding this means any LAN client can connect
+            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
            address = "10.78.79.51";
            port = 21;
            debug = true;
@@ -64,18 +64,18 @@ in
        disable_active_mode = true;
        hash_support = true;
        passive_port_range = {
-          start = 50000;
+          start = 50050;
          end = 50100;
        };

        banner = ''
          Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.

-          Read-only access:
+          Read-only access (LAN-restricted):
          Username: "anonymous"
          Password: "anonymous"

-          CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`
+          CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`.
          Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :)
        '';

@@ -98,11 +98,11 @@ in
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
-      ReadOnlyPaths = [ "/var/export" ];
-      ReadWritePaths = [ "/var/export/playground" ];
+      ReadWritePaths = [ "/var/export" ];

      Restart = "always";
      RestartSec = "20s";
+      UMask = lib.mkForce "0002";
    };
  };
 }