From adcf8d43e465d9d4905df8162e1b5edb288553a6 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 6 Dec 2017 13:26:21 +0100
Subject: Revert to FTP
---
 custom/ymir-nginx.nix | 35 ++---------------------------------
 users/gkleen.nix | 2 +-
 ymir.nix | 41 +++++++++++++++++++++++++++++++++++------
 3 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 00c83af8..a1de81c3 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -175,6 +175,8 @@ in {
 listen [::]:443 ssl;
 server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$;
+ include ${acme};
+
 location / {
 auth_basic "Reverse proxy to bragi";
 auth_basic_user_file /srv/www/bragi/htpasswd;
@@ -182,39 +184,6 @@ in {
 proxy_pass http://bragi.asgard.yggdrasil/;
 }
 }
-
- server {
- listen *:80;
- listen [::]:80;
- server_name ~^webdav\.(yggdrasil\.li|141\.li|praseodym\.org)$;
-
- include ${acme};
-
- location / {
- return 301 https://$host$request_uri;
- }
- }
-
- server {
- listen *:443 ssl;
- listen [::]:443 ssl;
-
- server_name ~^webdav\.(yggdrasil\.li|141\.li|praseodym\.org)$;
-
- client_body_temp_path /tmp/webdav;
-
- location ~ ^/(.+?)(/.*)?$ {
- alias /srv/www/webdav/$1$2;
- autoindex on;
-
- auth_basic "WebDAV directory ‘$1’";
- auth_basic_user_file /srv/www/webdav/$1.htpasswd;
-
- dav_methods PUT DELETE MKCOL COPY MOVE;
- create_full_put_path on;
- dav_access user:rw group:r all:r;
- }
- }
 '';
 };
 }
diff --git a/users/gkleen.nix b/users/gkleen.nix
index a71a2905..1beaf1c3 100644
--- a/users/gkleen.nix
+++ b/users/gkleen.nix
@@ -1,7 +1,7 @@
 {
 name = "gkleen";
 description = "Gregor Kleen";
- extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "webdav" "ssh" "vboxusers" ];
+ extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "ftp" "ssh" "vboxusers" ];
 group = "users";
 uid = 1000;
 createHome = true;
diff --git a/ymir.nix b/ymir.nix
index c38259b4..0d7de78d 100644
--- a/ymir.nix
+++ b/ymir.nix
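Review bot: The added `include ${acme};` in the bragi TLS server block sits directly above a `location /` that is protected by `auth_basic`, and nothing in the hunk says why the ACME snippet is needed on port 443 rather than only on a plain-HTTP listener, so a later cleanup could drop it and silently break renewals. Presumably the snippet defines the challenge location so that validation requests which end up on https are answered without the basic-auth prompt — that should be confirmed and stated, e.g. `# ACME challenge path must stay reachable without auth_basic on the TLS vhost too`. The enclosing `server { ... }` block starts before the hunk.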
@@ -14,10 +14,10 @@ let
 };
 };
 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
- "webdav.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "bragi.141.li"
+ "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "bragi.141.li"
 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"
- "webdav.yggdrasil.li" "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" "bragi.yggdrasil.li"
- "webdav.praseodym.org" "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"
+ "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" "bragi.yggdrasil.li"
+ "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"
 "git.rheperire.org" "api.rheperire.org" "www.rheperire.org" "rheperire.org"
 "ymir.kleen.li" "kleen.li" "www.kleen.li"
 "ymir.nights.email" "nights.email" "www.nights.email"
@@ -140,7 +140,8 @@ in rec {
 firewall = {
 enable = true;
 allowPing = true;
- allowedTCPPorts = [ 22 # ssh
+ allowedTCPPorts = [ 21 # ftp
+ 22 # ssh
 25 # smtp
 143 # imap
 993 # imaps
@@ -159,6 +160,8 @@ in rec {
 allowedUDPPorts = [ 64738 # murmur
 53 # DNS
 ];
+ allowedTCPPortRanges = [ { from = 20000; to = 21000; } # ftp
+ ];
 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
 ];
 };
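Review bot: TCP port 21 and the 20000–21000 range are opened with only `# ftp` as explanation, and the comments should record what is actually accepted there, because the vsftpd hunk later in this patch sets `forceLocalLoginsSSL`/`forceLocalDataSSL` and `port_enable=no` — i.e. explicit FTPS on 21 and passive-mode data connections only. Suggest `21 # ftp control (explicit TLS enforced by services.vsftpd)` and `{ from = 20000; to = 21000; } # vsftpd pasv_min_port..pasv_max_port`, so that whoever edits either side later keeps the firewall range and the `pasv_*` settings in step. The same applies to the `@@ -140` and `@@ -159` hunks on this line.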
@@ -961,7 +964,33 @@ in rec {
 onFailure = [ "nixos-upgrade" "postfix" "dovecot2" "prosody" "opendkim" "nsd" "unbound" "tinc.yggdrasil" "postsrsd" ];
 };
- users.extraGroups."webdav" = {
- members = [ "nginx" ];
+ services.vsftpd = {
+ enable = true;
+ forceLocalLoginsSSL = true;
+ forceLocalDataSSL = true;
+ localUsers = true;
+ writeEnable = true;
+ chrootlocalUser = true;
+ rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
+ rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+ extraConfig = ''
+ pam_service_name=vsftpd
+
+ port_enable=no
+
+ pasv_enable=yes
+ pasv_max_port=21000
+ pasv_min_port=20000
+
+ allow_writeable_chroot=yes
+ '';
 };
+
+ security.pam.services."vsftpd".text = ''
+ auth requisite pam_succeed_if.so user ingroup ftp
+
+ auth include ftp
+ account include ftp
+ session include ftp
+ '';
 }
-- cgit v1.2.3
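Review bot: `allow_writeable_chroot=yes` combined with `chrootlocalUser = true` and `writeEnable = true` switches off vsftpd's refusal to chroot a user into a directory that user can write, and the hunk does not record why that trade-off is accepted here. The usual way to keep the check is to chroot into a directory the user does not own and expose a writable subdirectory instead, e.g. `local_root=/srv/ftp/$USER` with `user_sub_token=$USER` (constructed example paths) and without the `allow_writeable_chroot` line; if a writable home is intended, a comment saying so belongs next to that line in extraConfig. The PAM stanza makes membership in the `ftp` group the only authorization gate for FTP logins via `pam_succeed_if.so user ingroup ftp`, which the users/gkleen.nix hunk relies on — worth a comment such as `# only members of "ftp" may log in over FTP; membership is granted in users/*.nix`. The key and certificate are taken solely from the `yggdrasil.li` ACME directory, so clients connecting under another hosted name would see a name mismatch unless that certificate also covers them; I cannot tell from the diff whether it does.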