Compare commits
2 Commits
bd92076291
...
d0de6a9254
Author | SHA1 | Date | |
---|---|---|---|
d0de6a9254 | |||
12f2798140 |
|
@ -2,7 +2,7 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./nfs.nix
|
./nfs.nix
|
||||||
./sftpgo.nix
|
./sftpgo
|
||||||
];
|
];
|
||||||
|
|
||||||
users.groups.export = {};
|
users.groups.export = {};
|
||||||
|
|
|
@ -9,17 +9,19 @@
|
||||||
|
|
||||||
{ config, lib, pkgs, sane-lib, ... }:
|
{ config, lib, pkgs, sane-lib, ... }:
|
||||||
let
|
let
|
||||||
sftpgo_external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
|
external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
|
||||||
pname = "sftpgo_external_auth_hook";
|
pname = "external_auth_hook";
|
||||||
srcRoot = ./.;
|
srcRoot = ./.;
|
||||||
};
|
};
|
||||||
in
|
|
||||||
{
|
|
||||||
# Client initiates a FTP "control connection" on port 21.
|
# Client initiates a FTP "control connection" on port 21.
|
||||||
# - this handles the client -> server commands, and the server -> client status, but not the actual data
|
# - this handles the client -> server commands, and the server -> client status, but not the actual data
|
||||||
# - file data, directory listings, etc need to be transferred on an ephemeral "data port".
|
# - file data, directory listings, etc need to be transferred on an ephemeral "data port".
|
||||||
# - 50000-50100 is a common port range for this.
|
# - 50000-50100 is a common port range for this.
|
||||||
# 50000 is used by soulseek.
|
# 50000 is used by soulseek.
|
||||||
|
passiveStart = 50050;
|
||||||
|
passiveEnd = 50070;
|
||||||
|
in
|
||||||
|
{
|
||||||
sane.ports.ports = {
|
sane.ports.ports = {
|
||||||
"21" = {
|
"21" = {
|
||||||
protocol = [ "tcp" ];
|
protocol = [ "tcp" ];
|
||||||
|
@ -43,7 +45,7 @@ in
|
||||||
description = "colin-FTP server data port range";
|
description = "colin-FTP server data port range";
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
(lib.range 50050 50100)
|
(lib.range passiveStart passiveEnd)
|
||||||
);
|
);
|
||||||
|
|
||||||
# use nginx/acme to produce a cert for FTPS
|
# use nginx/acme to produce a cert for FTPS
|
||||||
|
@ -75,7 +77,7 @@ in
|
||||||
# however not all clients understand all mode bits (like that `g`, indicating SGID / group sticky bit).
|
# however not all clients understand all mode bits (like that `g`, indicating SGID / group sticky bit).
|
||||||
# instead, only send mode bits which are well-understood.
|
# instead, only send mode bits which are well-understood.
|
||||||
# the full set of bits, from which i filter, is found here: <https://pkg.go.dev/io/fs#FileMode>
|
# the full set of bits, from which i filter, is found here: <https://pkg.go.dev/io/fs#FileMode>
|
||||||
./sftpgo_safe_fileinfo.patch
|
./safe_fileinfo.patch
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -114,8 +116,8 @@ in
|
||||||
disable_active_mode = true;
|
disable_active_mode = true;
|
||||||
hash_support = true;
|
hash_support = true;
|
||||||
passive_port_range = {
|
passive_port_range = {
|
||||||
start = 50050;
|
start = passiveStart;
|
||||||
end = 50100;
|
end = passiveEnd;
|
||||||
};
|
};
|
||||||
|
|
||||||
certificate_file = "/var/lib/acme/ftp.uninsane.org/full.pem";
|
certificate_file = "/var/lib/acme/ftp.uninsane.org/full.pem";
|
||||||
|
@ -135,7 +137,7 @@ in
|
||||||
};
|
};
|
||||||
data_provider = {
|
data_provider = {
|
||||||
driver = "memory";
|
driver = "memory";
|
||||||
external_auth_hook = "${sftpgo_external_auth_hook}/bin/sftpgo_external_auth_hook";
|
external_auth_hook = "${external_auth_hook}/bin/external_auth_hook";
|
||||||
# track_quota:
|
# track_quota:
|
||||||
# - 0: disable quota tracking
|
# - 0: disable quota tracking
|
||||||
# - 1: quota is updated on every upload/delete, even if user has no quota restriction
|
# - 1: quota is updated on every upload/delete, even if user has no quota restriction
|
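Review bot: The new `passiveEnd = 50070` shrinks the passive data range from the old literal end of 50100 to 21 ports, but the comment above the bindings still only mentions 50000-50100 as the common range, so the reason for the smaller range is not recorded. The same two bindings now feed both `lib.range passiveStart passiveEnd` in the `sane.ports.ports` entries (presumably what opens these ports) and `passive_port_range` in the sftpgo settings, and that coupling deserves a comment so nobody reintroduces a literal in one place only. I would add above the bindings: `# passive data ports: shared by sane.ports.ports and passive_port_range so the opened range always equals the range the server hands out; kept small to limit exposure, which also caps concurrent data connections`. The old/new assignment is inferred from the hunk counts and from which side references the new bindings, since the rendered page has lost its +/- markers.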