fuuko/paperless: Add FTP server
parent
b55cc2deaf
commit
d678da8454
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -23,9 +23,14 @@
|
||||||
PAPERLESS_TASK_WORKERS = 4;
|
PAPERLESS_TASK_WORKERS = 4;
|
||||||
PAPERLESS_TIME_ZONE = "Europe/Berlin";
|
PAPERLESS_TIME_ZONE = "Europe/Berlin";
|
||||||
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
|
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
|
||||||
|
PAPERLESS_CONSUMER_RECURSIVE = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.paperless-task-queue.serviceConfig = {
|
||||||
|
ReadWritePaths = [ "/var/lib/scans/paperless" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -41,5 +46,62 @@
|
||||||
"/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
|
"/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtualHosts."fuuko.lan.shinonome-lab.de" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.scan = {
|
||||||
|
home = "/var/lib/scans";
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "scan";
|
||||||
|
hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
|
||||||
|
};
|
||||||
|
users.groups.scan = { };
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/lib/scans 0555 scan root -"
|
||||||
|
"d /var/lib/scans/paperless 0775 scan paperless -"
|
||||||
|
"L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
|
||||||
|
];
|
||||||
|
|
||||||
|
sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
|
||||||
|
|
||||||
|
services.vsftpd = {
|
||||||
|
enable = true;
|
||||||
|
writeEnable = true;
|
||||||
|
localUsers = true;
|
||||||
|
chrootlocalUser = true;
|
||||||
|
userlist = [ "scan" ];
|
||||||
|
|
||||||
|
rsaCertFile = "${config.security.acme.certs."fuuko.lan.shinonome-lab.de".directory}/full.pem";
|
||||||
|
forceLocalLoginsSSL = true;
|
||||||
|
forceLocalDataSSL = true;
|
||||||
|
ssl_tlsv1 = false; # only allow TLS 1.2+
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
listen_ipv6=YES
|
||||||
|
|
||||||
|
# user’s shell is nologin
|
||||||
|
check_shell=NO
|
||||||
|
|
||||||
|
# scans should be readable
|
||||||
|
local_umask=022
|
||||||
|
|
||||||
|
pasv_min_port=30000
|
||||||
|
pasv_max_port=30009
|
||||||
|
|
||||||
|
# generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
|
||||||
|
# https://ssl-config.mozilla.org
|
||||||
|
ssl_enable=YES
|
||||||
|
ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [ 21 ];
|
||||||
|
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
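Review bot: `userlist = [ "scan" ];` in the `services.vsftpd` block is probably not enforced, because as far as I know the NixOS vsftpd module only applies the list when `userlistEnable` is set. With `localUsers = true`, any local account that has a password could then log in over FTP; adding `userlistEnable = true;` next to it (leaving `userlistDeny` at its default of false) should restrict logins to `scan`. Separately, `hashedPassword` in `users.users.scan` puts the yescrypt hash into the repository and the world-readable Nix store, where it can be guessed offline; `hashedPasswordFile` pointing at a secret kept outside the store avoids that. The firewall block opens port 21 and 30000–30009 on every interface; if the scanner only reaches this host over the LAN, scoping the rule under `networking.firewall.interfaces.<name>` would narrow the exposure.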