fuuko/paperless: Add FTP server

This commit is contained in:
Simon Bruder 2024-09-22 12:54:23 +02:00
parent b55cc2deaf
commit d678da8454
Signed by: simon
GPG key ID: 347FF8699CDA0776

View file

@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -23,9 +23,14 @@
PAPERLESS_TASK_WORKERS = 4; PAPERLESS_TASK_WORKERS = 4;
PAPERLESS_TIME_ZONE = "Europe/Berlin"; PAPERLESS_TIME_ZONE = "Europe/Berlin";
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}"; PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
PAPERLESS_CONSUMER_RECURSIVE = true;
}; };
}; };
systemd.services.paperless-task-queue.serviceConfig = {
ReadWritePaths = [ "/var/lib/scans/paperless" ];
};
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -41,5 +46,62 @@
"/static".root = "${config.services.paperless.package}/lib/paperless-ngx"; "/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
}; };
}; };
virtualHosts."fuuko.lan.shinonome-lab.de" = {
enableACME = true;
forceSSL = true;
};
};
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
group = "scan";
hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
};
users.groups.scan = { };
systemd.tmpfiles.rules = [
"d /var/lib/scans 0555 scan root -"
"d /var/lib/scans/paperless 0775 scan paperless -"
"L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
];
sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
chrootlocalUser = true;
userlist = [ "scan" ];
rsaCertFile = "${config.security.acme.certs."fuuko.lan.shinonome-lab.de".directory}/full.pem";
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
ssl_tlsv1 = false; # only allow TLS 1.2+
extraConfig = ''
listen_ipv6=YES
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
# generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
# https://ssl-config.mozilla.org
ssl_enable=YES
ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
'';
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
}; };
} }