2021-02-18 14:59:17 +01:00
|
|
|
|
{ lib, pkgs, ... }:
|
|
|
|
|
|
{
|
|
|
|
|
|
users.users.scan = {
|
|
|
|
|
|
home = "/var/lib/scans";
|
|
|
|
|
|
isSystemUser = true;
|
2021-12-01 17:56:53 +01:00
|
|
|
|
group = "scan";
|
2021-02-18 14:59:17 +01:00
|
|
|
|
# this is a low-risk account and since the only thing the account can do is
|
|
|
|
|
|
# login to the ftp server from my home network, you can also sniff the
|
|
|
|
|
|
# password since the connection is unencrypted
|
|
|
|
|
|
password = "meeB3laodoo8na3z";
|
|
|
|
|
|
};
|
2021-12-01 17:56:53 +01:00
|
|
|
|
users.groups.scan = { };
|
2021-02-18 14:59:17 +01:00
|
|
|
|
|
|
|
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
|
|
"d /var/lib/scans 0755 scan root 7d"
|
|
|
|
|
|
];
|
|
|
|
|
|
|
2021-03-10 11:27:56 +01:00
|
|
|
|
sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
|
|
|
|
|
|
|
2021-02-18 14:59:17 +01:00
|
|
|
|
services.vsftpd = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
writeEnable = true;
|
|
|
|
|
|
localUsers = true;
|
|
|
|
|
|
userlist = [ "scan" ];
|
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
|
# I only want this to be reachable from within my home network. Since
|
|
|
|
|
|
# IPv6 has all ports forwarded, it is disabled here.
|
|
|
|
|
|
listen=YES
|
|
|
|
|
|
listen_ipv6=NO
|
|
|
|
|
|
|
|
|
|
|
|
# user’s shell is nologin
|
|
|
|
|
|
check_shell=NO
|
|
|
|
|
|
|
|
|
|
|
|
# scans should be readable
|
|
|
|
|
|
local_umask=022
|
|
|
|
|
|
|
|
|
|
|
|
pasv_min_port=30000
|
|
|
|
|
|
pasv_max_port=30009
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."scan.sbruder.de" = {
|
|
|
|
|
|
enableACME = true;
|
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
|
|
|
|
|
|
|
locations."/" = {
|
|
|
|
|
|
root = "/var/lib/scans";
|
|
|
|
|
|
|
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
|
autoindex on;
|
|
|
|
|
|
|
|
|
|
|
|
allow 192.168.100.0/24;
|
|
|
|
|
|
allow 2001:470:1f0b:abc::/64;
|
|
|
|
|
|
deny all;
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
networking.firewall = {
|
|
|
|
|
|
allowedTCPPorts = [ 21 ];
|
|
|
|
|
|
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
systemd.services.scan-converter = {
|
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
|
script = ''
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
|
|
|
|
|
|
echo "Converting ''${file}…"
|
|
|
|
|
|
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
|
|
|
|
|
|
rm "/var/lib/scans/$file"
|
|
|
|
|
|
done
|
|
|
|
|
|
'';
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
|
User = "scan";
|
|
|
|
|
|
Restart = "always";
|
|
|
|
|
|
|
|
|
|
|
|
# systemd-analyze --no-pager security scan-converter.service
|
|
|
|
|
|
CapabilityBoundingSet = null;
|
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
|
PrivateNetwork = true;
|
|
|
|
|
|
PrivateTmp = true;
|
|
|
|
|
|
PrivateUsers = true;
|
|
|
|
|
|
ProtectHome = true;
|
|
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
|
SystemCallFilter = "@system-service";
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
