From 2920d0cd348bb94b30ba3ac8415367ad90a5470a Mon Sep 17 00:00:00 2001
From: Agatha Lovelace
Date: Mon, 6 Mar 2023 20:44:41 +0100
Subject: [PATCH] Set up TLS for VSFTPD
---
 common/fragments/vsftpd.nix | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/common/fragments/vsftpd.nix b/common/fragments/vsftpd.nix
index fbe15b2..4eadae7 100644
--- a/common/fragments/vsftpd.nix
+++ b/common/fragments/vsftpd.nix
@@ -1,11 +1,25 @@
-{ ... }: {
+{ config, ... }: {
 services.vsftpd = {
 enable = true;
 anonymousUser = true;
 anonymousUserNoPassword = true;
+
+ rsaCertFile = "${
+ config.security.acme.certs."technogothic.net".directory
+ }/fullchain.pem";
+ rsaKeyFile =
+ "${config.security.acme.certs."technogothic.net".directory}/key.pem";
+
+ forceLocalLoginsSSL = true;
+ forceLocalDataSSL = true;
+
 extraConfig = ''
 pasv_min_port=40000
 pasv_max_port=40200
+
+ allow_anon_ssl=YES
+ require_ssl_reuse=NO
+ ssl_ciphers=HIGH
 '';
 };
 }
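Review bot: TLS is enforced only for local logins (`forceLocalLoginsSSL`, `forceLocalDataSSL`), while the only login type this fragment visibly enables is anonymous, and `allow_anon_ssl=YES` permits TLS for those sessions without requiring it. Anonymous control and data channels can therefore still run in cleartext. If they are meant to be encrypted, add `force_anon_logins_ssl=YES` and `force_anon_data_ssl=YES` to `extraConfig`; whether local users are enabled elsewhere is not visible here. Separately, `require_ssl_reuse=NO` turns off the check that ties each data connection to the TLS session of its control connection. If that is a deliberate client-compatibility choice, record it next to the setting, for example `# require_ssl_reuse=NO: some clients cannot reuse the TLS session; data connections are no longer bound to the control session`.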