From 098cd2051e2ad32cb26f7ef4dbdc4807029c26d0 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 14 Mar 2024 12:38:13 +0000
Subject: [PATCH] sftpgo: expose to the WAN

---
 .../by-name/servo/services/export/sftpgo.nix | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/hosts/by-name/servo/services/export/sftpgo.nix b/hosts/by-name/servo/services/export/sftpgo.nix
index 38b277bde..3ff33a8d1 100644
--- a/hosts/by-name/servo/services/export/sftpgo.nix
+++ b/hosts/by-name/servo/services/export/sftpgo.nix
@@ -6,9 +6,6 @@
 # - nixos example:
 #
 # sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
-#
-# TODO: change umask so sftpgo-created files default to 644.
-# - it does indeed appear that the 600 is not something sftpgo is explicitly doing.
 
 { config, lib, pkgs, sane-lib, ... }:
 let
@@ -22,10 +19,12 @@ in
   # - this handles the client -> server commands, and the server -> client status, but not the actual data
   # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
   # - 50000-50100 is a common port range for this.
+  # 50000 is used by soulseek.
   sane.ports.ports = {
     "21" = {
       protocol = [ "tcp" ];
       visibleTo.lan = true;
+      visibleTo.wan = true;
       description = "colin-FTP server";
     };
   } // (sane-lib.mapToAttrs
@@ -34,10 +33,11 @@ in
       value = {
         protocol = [ "tcp" ];
         visibleTo.lan = true;
+        visibleTo.wan = true;
         description = "colin-FTP server data port range";
       };
     })
-    (lib.range 50000 50100)
+    (lib.range 50050 50100)
   );
 
   services.sftpgo = {
@@ -53,7 +53,7 @@ in
         debug = true;
       }
       {
-        # binding this means any LAN client can connect
+        # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
         address = "10.78.79.51";
         port = 21;
         debug = true;
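Review bot: Adding `visibleTo.wan = true` to port 21 opens the FTP control channel to the internet, but the listener in the `@@ -53,7` hunk still binds the private address 10.78.79.51, so PASV replies to WAN clients will advertise that private address unless the gateway rewrites them; sftpgo's per-binding `force_passive_ip` setting is the usual remedy and this patch does not set it. The new `# 50000 is used by soulseek.` line sits directly under the bullet that still says the range is 50000-50100, so rewording it to `# - 50000 is used by soulseek, so the range below starts at 50050.` keeps the comment in step with the `lib.range 50050 50100` change in the next hunk. The `sane.ports.ports` attribute set continues past the end of this hunk.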
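Review bot: The passive range endpoints 50050 and 50100 are now written twice, once in `(lib.range 50050 50100)` here and again in `passive_port_range` in the `@@ -64,18` hunk, and the firewall holes only match what sftpgo hands out while the two stay in sync by hand. Binding them once, for example `passiveRange = { start = 50050; end = 50100; }` in the file's `let`, and using `lib.range passiveRange.start passiveRange.end` here with `passive_port_range = passiveRange;` below would remove that coupling. Both `sane.ports.ports` and the enclosing `sane-lib.mapToAttrs` call begin before this hunk.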
@@ -64,18 +64,18 @@ in
       disable_active_mode = true;
       hash_support = true;
       passive_port_range = {
-        start = 50000;
+        start = 50050;
         end = 50100;
       };
       banner = ''
         Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
 
-        Read-only access:
+        Read-only access (LAN-restricted):
           Username: "anonymous"
           Password: "anonymous"
 
-        CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`
+        CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`.
         Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :)
       '';
@@ -98,11 +98,11 @@ in
     after = [ "network-online.target" ];
     wants = [ "network-online.target" ];
     serviceConfig = {
-      ReadOnlyPaths = [ "/var/export" ];
-      ReadWritePaths = [ "/var/export/playground" ];
+      ReadWritePaths = [ "/var/export" ];
       Restart = "always";
       RestartSec = "20s";
+      UMask = lib.mkForce "0002";
     };
   };
 }
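Review bot: The banner now advertises anonymous access as `(LAN-restricted)`, yet this patch opens port 21 and the passive range to the WAN and nothing in the diff limits the anonymous account by source address. If that limit lives in sftpgo's per-user settings elsewhere, a comment above `banner = ''` such as `# "anonymous" is limited to LAN sources in its sftpgo user definition (see <placeholder: file>)` would let a reader verify the claim; if no such limit exists, the banner overstates the protection. `passive_port_range.start` here must also match the firewall range set in the earlier `lib.range` hunk.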
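Review bot: Replacing `ReadOnlyPaths = [ "/var/export" ]` with a tree-wide `ReadWritePaths = [ "/var/export" ]` removes the systemd-level read-only guard for everything outside the playground at the same moment the service becomes reachable from the WAN, so a bug or misconfiguration in sftpgo's own permission model now has OS-level write access to the whole export. Keeping the old pair and listing only the subdirectories that genuinely need writes in `ReadWritePaths` would preserve that second layer. `UMask = lib.mkForce "0002"` also deserves a why-comment, since it overrides whatever the module sets and makes newly created files group-writable while the TODO deleted in the first hunk asked for 644; something like `# mkForce: override the module's UMask so files created over FTP stay group-writable for other export users` would record the intent, assuming that is the reason. The enclosing `systemd.services.sftpgo` block starts before this hunk.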