From 36bf705b23628f27a91979cbc6fe635fdfb7307b Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 5 Dec 2017 21:48:16 +0100
Subject: vsftpd on ymir
---
 users/gkleen.nix | 2 +-
 ymir.nix | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/users/gkleen.nix b/users/gkleen.nix
index 648f4ab1..1beaf1c3 100644
--- a/users/gkleen.nix
+++ b/users/gkleen.nix
@@ -1,7 +1,7 @@
 {
 name = "gkleen";
 description = "Gregor Kleen";
- extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "ssh" "vboxusers" ];
+ extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "ftp" "ssh" "vboxusers" ];
 group = "users";
 uid = 1000;
 createHome = true;
diff --git a/ymir.nix b/ymir.nix
index fbe45e03..dd2c35c7 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -959,4 +959,23 @@ in rec {
 systemd.status-mail = {
 onFailure = [ "nixos-upgrade" "postfix" "dovecot2" "prosody" "opendkim" "nsd" "unbound" "tinc.yggdrasil" "postsrsd" ];
 };
+
+ services.vsftpd = {
+ enable = true;
+ forceLocalLoginSSL = true;
+ forceLocalDataSSL = true;
+ localUsers = true;
+ writeEnable = true;
+ chrootLocalUser = true;
+ rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
+ rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+ extraConfig = ''
+ pam_service_name=vsftpd
+ '';
+ };
+
+ security.pam.services."vsftpd".text = ''
+ auth requisite pam_succeed_if.so user ingroup ftp
+ auth required pam_unix.so audit
+ '';
 }
--
cgit v1.2.3
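Review bot: Adding `"ftp"` to `extraGroups` makes an account that is also in `wheel` eligible for FTP password login, because the PAM stack added in ymir.nix admits any member of group `ftp` that passes `pam_unix`. The Unix password of a (typically sudo-capable) account thereby becomes guessable online through the FTP port, with no throttling visible in this commit. A dedicated unprivileged FTP account, or failed-login limiting on the `vsftpd` PAM service, would narrow that exposure. A comment such as `# "ftp": permits FTPS login via security.pam.services.vsftpd` would record why the group is there. The attribute set continues past the end of the hunk.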
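Review bot: The `security.pam.services."vsftpd".text` stack defines only `auth` rules, so account-phase checks (expired or disabled accounts) are not handled by this service file and fall back to the `other` PAM service, whose outcome depends on how `other` is configured on this host. Adding `account required pam_unix.so` below the two `auth` lines would make that behaviour explicit. Separately, `chrootLocalUser = true` combined with `writeEnable = true` jails each user in a home directory they can write to, which current vsftpd releases refuse by default. A non-writable chroot root with a writable subdirectory is preferable to enabling `allow_writeable_chroot`. The enclosing `rec { … }` set begins outside the hunk.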