From 878bdd30d515fd5984670e67f4a7452940761020 Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Thu, 18 Feb 2021 14:59:17 +0100
Subject: [PATCH] fuuko: Add ftp server and scan converter

---
 machines/fuuko/configuration.nix |  1 +
 machines/fuuko/services/scan.nix | 85 ++++++++++++++++++++++++++++++++
 modules/media-proxy.nix          |  1 -
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 machines/fuuko/services/scan.nix

diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index e90f52a..5ce4f3f 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -7,6 +7,7 @@
 
     ./services/grafana.nix
     ./services/prometheus.nix
+    ./services/scan.nix
   ];
 
   sbruder = {
diff --git a/machines/fuuko/services/scan.nix b/machines/fuuko/services/scan.nix
new file mode 100644
index 0000000..38e7cdf
--- /dev/null
+++ b/machines/fuuko/services/scan.nix
@@ -0,0 +1,85 @@
+{ lib, pkgs, ... }:
+{
+  users.users.scan = {
+    home = "/var/lib/scans";
+    isSystemUser = true;
+    # this is a low-risk account and since the only thing the account can do is
+    # login to the ftp server from my home network, you can also sniff the
+    # password since the connection is unencrypted
+    password = "meeB3laodoo8na3z";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/scans 0755 scan root 7d"
+  ];
+
+  services.vsftpd = {
+    enable = true;
+    writeEnable = true;
+    localUsers = true;
+    userlist = [ "scan" ];
+    extraConfig = ''
+      # I only want this to be reachable from within my home network. Since
+      # IPv6 has all ports forwarded, it is disabled here.
+      listen=YES
+      listen_ipv6=NO
+
+      # user’s shell is nologin
+      check_shell=NO
+
+      # scans should be readable
+      local_umask=022
+
+      pasv_min_port=30000
+      pasv_max_port=30009
+    '';
+  };
+
+  services.nginx.virtualHosts."scan.sbruder.de" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      root = "/var/lib/scans";
+
+      extraConfig = ''
+        autoindex on;
+
+        allow 192.168.100.0/24;
+        allow 2001:470:1f0b:abc::/64;
+        deny all;
+      '';
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 21 ];
+    allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
+  };
+
+  systemd.services.scan-converter = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      set -euo pipefail
+      ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
+          echo "Converting ''${file}…"
+          ${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
+          rm "/var/lib/scans/$file"
+      done
+    '';
+    serviceConfig = {
+      User = "scan";
+      Restart = "always";
+
+      # systemd-analyze --no-pager security scan-converter.service
+      CapabilityBoundingSet = null;
+      PrivateDevices = true;
+      PrivateNetwork = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectHome = true;
+      RestrictNamespaces = true;
+      SystemCallFilter = "@system-service";
+    };
+  };
+}
diff --git a/modules/media-proxy.nix b/modules/media-proxy.nix
index 6abdabb..c6e0699 100644
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@@ -3,7 +3,6 @@ let
   port = 8888;
   services = {
     "media" = config.krops.secrets.media-proxy-auth.path;
-    "scan" = config.krops.secrets.media-proxy-auth.path;
     "torrent" = config.krops.secrets.torrent-proxy-auth.path;
   };
 in