sftpgo: expose to the WAN

This commit is contained in:
2024-03-14 12:38:13 +00:00
parent 691a7d7ff7
commit 098cd2051e


@@ -6,9 +6,6 @@
# - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix> # - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
# #
# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients. # sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
#
# TODO: change umask so sftpgo-created files default to 644.
# - it does indeed appear that the 600 is not something sftpgo is explicitly doing.
{ config, lib, pkgs, sane-lib, ... }: { config, lib, pkgs, sane-lib, ... }:
let let
@@ -22,10 +19,12 @@ in
# - this handles the client -> server commands, and the server -> client status, but not the actual data # - this handles the client -> server commands, and the server -> client status, but not the actual data
# - file data, directory listings, etc need to be transferred on an ephemeral "data port". # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
# - 50000-50100 is a common port range for this. # - 50000-50100 is a common port range for this.
# 50000 is used by soulseek.
sane.ports.ports = { sane.ports.ports = {
"21" = { "21" = {
protocol = [ "tcp" ]; protocol = [ "tcp" ];
visibleTo.lan = true; visibleTo.lan = true;
visibleTo.wan = true;
description = "colin-FTP server"; description = "colin-FTP server";
}; };
} // (sane-lib.mapToAttrs } // (sane-lib.mapToAttrs
@@ -34,10 +33,11 @@ in
value = { value = {
protocol = [ "tcp" ]; protocol = [ "tcp" ];
visibleTo.lan = true; visibleTo.lan = true;
visibleTo.wan = true;
description = "colin-FTP server data port range"; description = "colin-FTP server data port range";
}; };
}) })
(lib.range 50000 50100) (lib.range 50050 50100)
); );
services.sftpgo = { services.sftpgo = {
@@ -53,7 +53,7 @@ in
debug = true; debug = true;
} }
{ {
# binding this means any LAN client can connect # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
address = "10.78.79.51"; address = "10.78.79.51";
port = 21; port = 21;
debug = true; debug = true;
@@ -64,18 +64,18 @@ in
disable_active_mode = true; disable_active_mode = true;
hash_support = true; hash_support = true;
passive_port_range = { passive_port_range = {
start = 50000; start = 50050;
end = 50100; end = 50100;
}; };
banner = '' banner = ''
Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only. Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
Read-only access: Read-only access (LAN-restricted):
Username: "anonymous" Username: "anonymous"
Password: "anonymous" Password: "anonymous"
CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org` CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`.
Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :) Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :)
''; '';
@@ -98,11 +98,11 @@ in
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
ReadOnlyPaths = [ "/var/export" ]; ReadWritePaths = [ "/var/export" ];
ReadWritePaths = [ "/var/export/playground" ];
Restart = "always"; Restart = "always";
RestartSec = "20s"; RestartSec = "20s";
UMask = lib.mkForce "0002";
}; };
}; };
} }
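Review bot: Replacing `ReadOnlyPaths = [ "/var/export" ]` plus a playground-only `ReadWritePaths` with `ReadWritePaths = [ "/var/export" ]` in the last hunk drops the kernel-enforced write boundary at the same moment port 21 and the 50050-50100 passive range become reachable from the WAN, so any write permission granted (or mis-granted) in a sftpgo user's config, or a bug in sftpgo itself, can now modify the whole export tree instead of only /var/export/playground. Unless writes outside the playground are actually needed, keep the narrower pair, `ReadOnlyPaths = [ "/var/export" ];` with `ReadWritePaths = [ "/var/export/playground" ];`, and add a comment stating which sftpgo users may write and where. Separately, `UMask = lib.mkForce "0002";` produces group-writable 664 files and 775 directories, not the 644 default that the TODO removed in the first hunk was aiming for; if 644 is still the goal the value should be `"0022"`, otherwise a comment saying group write is intentional would avoid the next reader re-opening that TODO. The banner's claim that anonymous access is "LAN-restricted" relies on sftpgo user or IP-filter configuration not shown in this diff, so it is worth confirming that restriction is enforced by sftpgo rather than only by the firewall now that the listener is WAN-visible. The enclosing `systemd.services` definition starts outside the hunk.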