fuuko: Add ftp server and scan converter
This commit is contained in:
parent
d1cf0f698f
commit
878bdd30d5
|
@ -7,6 +7,7 @@
|
|||
|
||||
./services/grafana.nix
|
||||
./services/prometheus.nix
|
||||
./services/scan.nix
|
||||
];
|
||||
|
||||
sbruder = {
|
||||
|
|
85
machines/fuuko/services/scan.nix
Normal file
85
machines/fuuko/services/scan.nix
Normal file
|
@ -0,0 +1,85 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
users.users.scan = {
|
||||
home = "/var/lib/scans";
|
||||
isSystemUser = true;
|
||||
# this is a low-risk account and since the only thing the account can do is
|
||||
# login to the ftp server from my home network, you can also sniff the
|
||||
# password since the connection is unencrypted
|
||||
password = "meeB3laodoo8na3z";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/scans 0755 scan root 7d"
|
||||
];
|
||||
|
||||
services.vsftpd = {
|
||||
enable = true;
|
||||
writeEnable = true;
|
||||
localUsers = true;
|
||||
userlist = [ "scan" ];
|
||||
extraConfig = ''
|
||||
# I only want this to be reachable from within my home network. Since
|
||||
# IPv6 has all ports forwarded, it is disabled here.
|
||||
listen=YES
|
||||
listen_ipv6=NO
|
||||
|
||||
# user’s shell is nologin
|
||||
check_shell=NO
|
||||
|
||||
# scans should be readable
|
||||
local_umask=022
|
||||
|
||||
pasv_min_port=30000
|
||||
pasv_max_port=30009
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."scan.sbruder.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
root = "/var/lib/scans";
|
||||
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
|
||||
allow 192.168.100.0/24;
|
||||
allow 2001:470:1f0b:abc::/64;
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 21 ];
|
||||
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
|
||||
};
|
||||
|
||||
systemd.services.scan-converter = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
|
||||
echo "Converting ''${file}…"
|
||||
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
|
||||
rm "/var/lib/scans/$file"
|
||||
done
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "scan";
|
||||
Restart = "always";
|
||||
|
||||
# systemd-analyze --no-pager security scan-converter.service
|
||||
CapabilityBoundingSet = null;
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHome = true;
|
||||
RestrictNamespaces = true;
|
||||
SystemCallFilter = "@system-service";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -3,7 +3,6 @@ let
|
|||
port = 8888;
|
||||
services = {
|
||||
"media" = config.krops.secrets.media-proxy-auth.path;
|
||||
"scan" = config.krops.secrets.media-proxy-auth.path;
|
||||
"torrent" = config.krops.secrets.torrent-proxy-auth.path;
|
||||
};
|
||||
in
|
||||
|
|
Loading…
Reference in a new issue