diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index e90f52a..5ce4f3f 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -7,6 +7,7 @@
 ./services/grafana.nix
 ./services/prometheus.nix
+ ./services/scan.nix
 ];
 sbruder = {
diff --git a/machines/fuuko/services/scan.nix b/machines/fuuko/services/scan.nix
new file mode 100644
index 0000000..38e7cdf
--- /dev/null
+++ b/machines/fuuko/services/scan.nix
@@ -0,0 +1,85 @@
+{ lib, pkgs, ... }:
+{
+ users.users.scan = {
+ home = "/var/lib/scans";
+ isSystemUser = true;
+ # this is a low-risk account and since the only thing the account can do is
+ # login to the ftp server from my home network, you can also sniff the
+ # password since the connection is unencrypted
+ password = "meeB3laodoo8na3z";
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/scans 0755 scan root 7d"
+ ];
+
+ services.vsftpd = {
+ enable = true;
+ writeEnable = true;
+ localUsers = true;
+ userlist = [ "scan" ];
+ extraConfig = ''
+ # I only want this to be reachable from within my home network. Since
+ # IPv6 has all ports forwarded, it is disabled here.
+ listen=YES
+ listen_ipv6=NO
+
+ # user’s shell is nologin
+ check_shell=NO
+
+ # scans should be readable
+ local_umask=022
+
+ pasv_min_port=30000
+ pasv_max_port=30009
+ '';
+ };
+
+ services.nginx.virtualHosts."scan.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ root = "/var/lib/scans";
+
+ extraConfig = ''
+ autoindex on;
+
+ allow 192.168.100.0/24;
+ allow 2001:470:1f0b:abc::/64;
+ deny all;
+ '';
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 21 ];
+ allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
+ };
+
+ systemd.services.scan-converter = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ set -euo pipefail
+ ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
+ echo "Converting ''${file}…"
+ ${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
+ rm "/var/lib/scans/$file"
+ done
+ '';
+ serviceConfig = {
+ User = "scan";
+ Restart = "always";
+
+ # systemd-analyze --no-pager security scan-converter.service
+ CapabilityBoundingSet = null;
+ PrivateDevices = true;
+ PrivateNetwork = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectHome = true;
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+}
diff --git a/modules/media-proxy.nix b/modules/media-proxy.nix
index 6abdabb..c6e0699 100644
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@@ -3,7 +3,6 @@ let
 port = 8888;
 services = {
 "media" = config.krops.secrets.media-proxy-auth.path;
- "scan" = config.krops.secrets.media-proxy-auth.path;
 "torrent" = config.krops.secrets.torrent-proxy-auth.path;
 };
 in
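Review bot: `password = "meeB3laodoo8na3z"` commits the FTP credential to the repository and, because `users.users.<name>.password` is rendered into the world-readable Nix store, exposes it to every local user as well, so the comment above it about sniffing covers only part of the risk; the deletion in modules/media-proxy.nix in this same commit shows a `config.krops.secrets.*.path` mechanism already exists for this. Consider `passwordFile = config.krops.secrets.<scan-ftp-password>.path;` (placeholder secret name, the file holding the hashed password) and adding `config` to the `{ lib, pkgs, ... }:` argument set, which also lets the unused `lib` be dropped. Further down, `allowedTCPPorts = [ 21 ]` and the 30000–30009 passive range are opened on every interface, while the vsftpd comment says the service is meant to be home-network-only and only the nginx block actually enforces that with `allow 192.168.100.0/24`; scoping the firewall entries under `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts` (placeholder interface) would match the stated intent. In the scan-converter script, `while read path action file` splits on whitespace and strips backslashes, so a scan name containing a space leaves `$file` pointing at a non-existent path and `set -e` then stops the loop; `while IFS= read -r path action file` fixes the backslash handling, and `inotifywait --format '%f'` with `while IFS= read -r file` handles spaces too.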