1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
|
{ config, lib, pkgs, ... }:
with lib;
let
/* minimal secure setup:
enable = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
userlistDeny = false;
localUsers = true;
userlist = ["non-root-user" "other-non-root-user"];
rsaCertFile = "/var/vsftpd/vsftpd.pem";
*/
cfg = config.services.vsftpd;
inherit (pkgs) vsftpd;
yesNoOption = nixosName: vsftpdName: default: description: {
cfgText = "${vsftpdName}=${if getAttr nixosName cfg then "YES" else "NO"}";
nixosOption = {
type = types.bool;
name = nixosName;
value = mkOption {
inherit description default;
type = types.bool;
};
};
};
optionDescription = [
(yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false ''
Allow the use of writeable root inside chroot().
'')
(yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false ''
If enabled, virtual users will use the same privileges as local
users. By default, virtual users will use the same privileges as
anonymous users, which tends to be more restrictive (especially
in terms of write access).
'')
(yesNoOption "anonymousUser" "anonymous_enable" false ''
Whether to enable the anonymous FTP user.
'')
(yesNoOption "anonymousUserNoPassword" "no_anon_password" false ''
Whether to disable the password for the anonymous FTP user.
'')
(yesNoOption "localUsers" "local_enable" false ''
Whether to enable FTP for local users.
'')
(yesNoOption "writeEnable" "write_enable" false ''
Whether any write activity is permitted to users.
'')
(yesNoOption "anonymousUploadEnable" "anon_upload_enable" false ''
Whether any uploads are permitted to anonymous users.
'')
(yesNoOption "anonymousMkdirEnable" "anon_mkdir_write_enable" false ''
Whether any uploads are permitted to anonymous users.
'')
(yesNoOption "chrootlocalUser" "chroot_local_user" false ''
Whether local users are confined to their home directory.
'')
(yesNoOption "userlistEnable" "userlist_enable" false ''
Whether users are included.
'')
(yesNoOption "userlistDeny" "userlist_deny" false ''
Specifies whether <option>userlistFile</option> is a list of user
names to allow or deny access.
The default <literal>false</literal> means whitelist/allow.
'')
(yesNoOption "forceLocalLoginsSSL" "force_local_logins_ssl" false ''
Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
must use a secure SSL connection to send a password.
'')
(yesNoOption "forceLocalDataSSL" "force_local_data_ssl" false ''
Only applies if <option>sslEnable</option> is true. Non anonymous (local) users
must use a secure SSL connection for sending/receiving data on data connection.
'')
(yesNoOption "portPromiscuous" "port_promiscuous" false ''
Set to YES if you want to disable the PORT security check that ensures that
outgoing data connections can only connect to the client. Only enable if you
know what you are doing!
'')
(yesNoOption "ssl_tlsv1" "ssl_tlsv1" true ''
Only applies if <option>ssl_enable</option> is activated. If
enabled, this option will permit TLS v1 protocol connections.
TLS v1 connections are preferred.
'')
(yesNoOption "ssl_sslv2" "ssl_sslv2" false ''
Only applies if <option>ssl_enable</option> is activated. If
enabled, this option will permit SSL v2 protocol connections.
TLS v1 connections are preferred.
'')
(yesNoOption "ssl_sslv3" "ssl_sslv3" false ''
Only applies if <option>ssl_enable</option> is activated. If
enabled, this option will permit SSL v3 protocol connections.
TLS v1 connections are preferred.
'')
];
configFile = pkgs.writeText "vsftpd.conf"
''
${concatMapStrings (x: "${x.cfgText}\n") optionDescription}
${optionalString (cfg.rsaCertFile != null) ''
ssl_enable=YES
rsa_cert_file=${cfg.rsaCertFile}
''}
${optionalString (cfg.rsaKeyFile != null) ''
rsa_private_key_file=${cfg.rsaKeyFile}
''}
${optionalString (cfg.userlistFile != null) ''
userlist_file=${cfg.userlistFile}
''}
background=YES
listen=NO
listen_ipv6=YES
nopriv_user=vsftpd
secure_chroot_dir=/var/empty
${optionalString (cfg.localRoot != null) ''
local_root=${cfg.localRoot}
''}
syslog_enable=YES
${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") ''
seccomp_sandbox=NO
''}
anon_umask=${cfg.anonymousUmask}
${optionalString cfg.anonymousUser ''
anon_root=${cfg.anonymousUserHome}
''}
${optionalString cfg.enableVirtualUsers ''
guest_enable=YES
guest_username=vsftpd
''}
pam_service_name=vsftpd
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.vsftpd = {
enable = mkEnableOption "vsftpd";
userlist = mkOption {
default = [];
type = types.listOf types.str;
description = "See <option>userlistFile</option>.";
};
userlistFile = mkOption {
type = types.path;
default = pkgs.writeText "userlist" (concatMapStrings (x: "${x}\n") cfg.userlist);
defaultText = literalExpression ''pkgs.writeText "userlist" (concatMapStrings (x: "''${x}\n") cfg.userlist)'';
description = ''
Newline separated list of names to be allowed/denied if <option>userlistEnable</option>
is <literal>true</literal>. Meaning see <option>userlistDeny</option>.
The default is a file containing the users from <option>userlist</option>.
If explicitely set to null userlist_file will not be set in vsftpd's config file.
'';
};
enableVirtualUsers = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the <literal>pam_userdb</literal>-based
virtual user system
'';
};
userDbPath = mkOption {
type = types.nullOr types.str;
example = "/etc/vsftpd/userDb";
default = null;
description = ''
Only applies if <option>enableVirtualUsers</option> is true.
Path pointing to the <literal>pam_userdb</literal> user
database used by vsftpd to authenticate the virtual users.
This user list should be stored in the Berkeley DB database
format.
To generate a new user database, create a text file, add
your users using the following format:
<programlisting>
user1
password1
user2
password2
</programlisting>
You can then install <literal>pkgs.db</literal> to generate
the Berkeley DB using
<programlisting>
db_load -T -t hash -f logins.txt userDb.db
</programlisting>
Caution: <literal>pam_userdb</literal> will automatically
append a <literal>.db</literal> suffix to the filename you
provide though this option. This option shouldn't include
this filetype suffix.
'';
};
localRoot = mkOption {
type = types.nullOr types.str;
default = null;
example = "/var/www/$USER";
description = ''
This option represents a directory which vsftpd will try to
change into after a local (i.e. non- anonymous) login.
Failure is silently ignored.
'';
};
anonymousUserHome = mkOption {
type = types.path;
default = "/home/ftp/";
description = ''
Directory to consider the HOME of the anonymous user.
'';
};
rsaCertFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "RSA certificate file.";
};
rsaKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "RSA private key file.";
};
anonymousUmask = mkOption {
type = types.str;
default = "077";
example = "002";
description = "Anonymous write umask.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = "ftpd_banner=Hello";
description = "Extra configuration to add at the bottom of the generated configuration file.";
};
} // (listToAttrs (catAttrs "nixosOption" optionDescription));
};
###### implementation
config = mkIf cfg.enable {
assertions = [
{ assertion =
(cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null)
&& (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null);
message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!";
}
{
assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null)
&& (cfg.enableVirtualUsers -> cfg.localUsers != null);
message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options.";
}];
users.users = {
"vsftpd" = {
group = "vsftpd";
isSystemUser = true;
description = "VSFTPD user";
home = if cfg.localRoot != null
then cfg.localRoot # <= Necessary for virtual users.
else "/homeless-shelter";
};
} // optionalAttrs cfg.anonymousUser {
"ftp" = { name = "ftp";
uid = config.ids.uids.ftp;
group = "ftp";
description = "Anonymous FTP user";
home = cfg.anonymousUserHome;
};
};
users.groups.vsftpd = {};
users.groups.ftp.gid = config.ids.gids.ftp;
# If you really have to access root via FTP use mkOverride or userlistDeny
# = false and whitelist root
services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else [];
systemd = {
tmpfiles.rules = optional cfg.anonymousUser
#Type Path Mode User Gr Age Arg
"d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -";
services.vsftpd = {
description = "Vsftpd Server";
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}";
serviceConfig.Restart = "always";
serviceConfig.Type = "forking";
};
};
security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null)''
auth required pam_userdb.so db=${cfg.userDbPath}
account required pam_userdb.so db=${cfg.userDbPath}
'';
};
}
|