fuuko: Add ftp server and scan converter

2021-02-18 14:59:17 +01:00 · 2021-02-18 14:59:17 +01:00 · 878bdd30d5
parent d1cf0f698f
commit 878bdd30d5
3 changed files with 86 additions and 1 deletions
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@ -7,6 +7,7 @@

    ./services/grafana.nix
    ./services/prometheus.nix
+    ./services/scan.nix
  ];

  sbruder = {
--- a/machines/fuuko/services/scan.nix
+++ b/machines/fuuko/services/scan.nix
@ -0,0 +1,85 @@
+{ lib, pkgs, ... }:
+{
+  users.users.scan = {
+    home = "/var/lib/scans";
+    isSystemUser = true;
+    # this is a low-risk account and since the only thing the account can do is
+    # login to the ftp server from my home network, you can also sniff the
+    # password since the connection is unencrypted
+    password = "meeB3laodoo8na3z";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/scans 0755 scan root 7d"
+  ];
+
+  services.vsftpd = {
+    enable = true;
+    writeEnable = true;
+    localUsers = true;
+    userlist = [ "scan" ];
+    extraConfig = ''
+      # I only want this to be reachable from within my home network. Since
+      # IPv6 has all ports forwarded, it is disabled here.
+      listen=YES
+      listen_ipv6=NO
+
+      # user’s shell is nologin
+      check_shell=NO
+
+      # scans should be readable
+      local_umask=022
+
+      pasv_min_port=30000
+      pasv_max_port=30009
+    '';
+  };
+
+  services.nginx.virtualHosts."scan.sbruder.de" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      root = "/var/lib/scans";
+
+      extraConfig = ''
+        autoindex on;
+
+        allow 192.168.100.0/24;
+        allow 2001:470:1f0b:abc::/64;
+        deny all;
+      '';
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 21 ];
+    allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
+  };
+
+  systemd.services.scan-converter = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      set -euo pipefail
+      ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
+          echo "Converting ''${file}…"
+          ${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
+          rm "/var/lib/scans/$file"
+      done
+    '';
+    serviceConfig = {
+      User = "scan";
+      Restart = "always";
+
+      # systemd-analyze --no-pager security scan-converter.service
+      CapabilityBoundingSet = null;
+      PrivateDevices = true;
+      PrivateNetwork = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectHome = true;
+      RestrictNamespaces = true;
+      SystemCallFilter = "@system-service";
+    };
+  };
+}
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@ -3,7 +3,6 @@ let
  port = 8888;
  services = {
    "media" = config.krops.secrets.media-proxy-auth.path;
-    "scan" = config.krops.secrets.media-proxy-auth.path;
    "torrent" = config.krops.secrets.torrent-proxy-auth.path;
  };
 in