diff --git a/machines/fuuko/services/paperless.nix b/machines/fuuko/services/paperless.nix
index 2d2f106..f0e7182 100644
--- a/machines/fuuko/services/paperless.nix
+++ b/machines/fuuko/services/paperless.nix
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -23,9 +23,14 @@
 PAPERLESS_TASK_WORKERS = 4;
 PAPERLESS_TIME_ZONE = "Europe/Berlin";
 PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
+ PAPERLESS_CONSUMER_RECURSIVE = true;
 };
 };
+ systemd.services.paperless-task-queue.serviceConfig = {
+ ReadWritePaths = [ "/var/lib/scans/paperless" ];
+ };
+
 services.nginx = {
 enable = true;
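Review bot: The new `ReadWritePaths = [ "/var/lib/scans/paperless" ];` override carries no comment on why the task-queue unit needs write access to a path outside paperless' own state directory, and the reason is only discoverable from the `L /var/lib/paperless/consume/ftp` symlink added later in this commit. Presumably the module's service sandbox leaves the symlink target read-only so consumed scans could not be deleted afterwards — confirm that is the failure this fixes and say so above the line: `# consume/ftp is a symlink into /var/lib/scans; the sandbox only covers the consume dir itself, so the link target must be opened for writing explicitly`. If the `paperless-consumer` unit also touches files in that tree rather than only watching it, it would need the same override; worth checking rather than assuming only the task queue writes there. The enclosing module attribute set starts before this hunk.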
@@ -41,5 +46,62 @@
 "/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
 };
 };
+
+ virtualHosts."fuuko.lan.shinonome-lab.de" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ users.users.scan = {
+ home = "/var/lib/scans";
+ isSystemUser = true;
+ group = "scan";
+ hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
+ };
+ users.groups.scan = { };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/scans 0555 scan root -"
+ "d /var/lib/scans/paperless 0775 scan paperless -"
+ "L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
+ ];
+
+ sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
+
+ services.vsftpd = {
+ enable = true;
+ writeEnable = true;
+ localUsers = true;
+ chrootlocalUser = true;
+ userlist = [ "scan" ];
+
+ rsaCertFile = "${config.security.acme.certs."fuuko.lan.shinonome-lab.de".directory}/full.pem";
+ forceLocalLoginsSSL = true;
+ forceLocalDataSSL = true;
+ ssl_tlsv1 = false; # only allow TLS 1.2+
+ extraConfig = ''
+ listen_ipv6=YES
+
+ # user’s shell is nologin
+ check_shell=NO
+
+ # scans should be readable
+ local_umask=022
+
+ pasv_min_port=30000
+ pasv_max_port=30009
+
+ # generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
+ # https://ssl-config.mozilla.org
+ ssl_enable=YES
+ ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ '';
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 21 ];
+ allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
 };
 }
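Review bot: The `hashedPassword = "$y$..."` line for `users.users.scan` commits the password hash to the repository and, after evaluation, to the world-readable Nix store, so any local account or anyone with the repo can run an offline guessing attack on the one credential that gates a directory paperless will parse and import from. Replace it with `hashedPasswordFile = "/run/secrets/scan-password";` provisioned by whatever secret mechanism this configuration uses (none is visible in the hunk), and rotate the current password, since this hash is now in history regardless. The `0555 scan root` root and `0775 scan paperless` consume directory look deliberate for `chrootlocalUser` (vsftpd rejects a writable chroot root), so a one-line comment on the tmpfiles rules, `# chroot root must not be writable by scan; only the paperless subdir is`, would keep a future edit from relaxing it. Port 21 and the passive range are opened on every interface with `listen_ipv6=YES` and no `listen_address`; if this host only serves the LAN, consider scoping the rules with `networking.firewall.interfaces.<lan-if>.allowedTCPPorts` instead.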