fuuko: Add ftp server and scan converter

This commit is contained in:
Simon Bruder 2021-02-18 14:59:17 +01:00
parent d1cf0f698f
commit 878bdd30d5
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
3 changed files with 86 additions and 1 deletions

View file

@ -7,6 +7,7 @@
./services/grafana.nix
./services/prometheus.nix
./services/scan.nix
];
sbruder = {

View file

@ -0,0 +1,85 @@
{ lib, pkgs, ... }:
{
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
# this is a low-risk account and since the only thing the account can do is
# login to the ftp server from my home network, you can also sniff the
# password since the connection is unencrypted
password = "meeB3laodoo8na3z";
};
systemd.tmpfiles.rules = [
"d /var/lib/scans 0755 scan root 7d"
];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
userlist = [ "scan" ];
extraConfig = ''
# I only want this to be reachable from within my home network. Since
# IPv6 has all ports forwarded, it is disabled here.
listen=YES
listen_ipv6=NO
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
'';
};
services.nginx.virtualHosts."scan.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/lib/scans";
extraConfig = ''
autoindex on;
allow 192.168.100.0/24;
allow 2001:470:1f0b:abc::/64;
deny all;
'';
};
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
};
systemd.services.scan-converter = {
wantedBy = [ "multi-user.target" ];
script = ''
set -euo pipefail
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
echo "Converting ''${file}"
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
rm "/var/lib/scans/$file"
done
'';
serviceConfig = {
User = "scan";
Restart = "always";
# systemd-analyze --no-pager security scan-converter.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
}

View file

@ -3,7 +3,6 @@ let
port = 8888;
services = {
"media" = config.krops.secrets.media-proxy-auth.path;
"scan" = config.krops.secrets.media-proxy-auth.path;
"torrent" = config.krops.secrets.torrent-proxy-auth.path;
};
in