fuuko/paperless: Add FTP server

2024-09-22 12:54:23 +02:00 · 2024-09-22 12:54:23 +02:00 · d678da8454
parent b55cc2deaf
commit d678da8454
1 changed files with 63 additions and 1 deletions
--- a/machines/fuuko/services/paperless.nix
+++ b/machines/fuuko/services/paperless.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -23,9 +23,14 @@
      PAPERLESS_TASK_WORKERS = 4;
      PAPERLESS_TIME_ZONE = "Europe/Berlin";
      PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
+      PAPERLESS_CONSUMER_RECURSIVE = true;
    };
  };

+  systemd.services.paperless-task-queue.serviceConfig = {
+    ReadWritePaths = [ "/var/lib/scans/paperless" ];
+  };
+
  services.nginx = {
    enable = true;

@ -41,5 +46,62 @@
        "/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
      };
    };
+
+    virtualHosts."fuuko.lan.shinonome-lab.de" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  users.users.scan = {
+    home = "/var/lib/scans";
+    isSystemUser = true;
+    group = "scan";
+    hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
+  };
+  users.groups.scan = { };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/scans 0555 scan root -"
+    "d /var/lib/scans/paperless 0775 scan paperless -"
+    "L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
+  ];
+
+  sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
+
+  services.vsftpd = {
+    enable = true;
+    writeEnable = true;
+    localUsers = true;
+    chrootlocalUser = true;
+    userlist = [ "scan" ];
+
+    rsaCertFile = "${config.security.acme.certs."fuuko.lan.shinonome-lab.de".directory}/full.pem";
+    forceLocalLoginsSSL = true;
+    forceLocalDataSSL = true;
+    ssl_tlsv1 = false; # only allow TLS 1.2+
+
+    extraConfig = ''
+      listen_ipv6=YES
+
+      # user’s shell is nologin
+      check_shell=NO
+
+      # scans should be readable
+      local_umask=022
+
+      pasv_min_port=30000
+      pasv_max_port=30009
+
+      # generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
+      # https://ssl-config.mozilla.org
+      ssl_enable=YES
+      ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    '';
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 21 ];
+    allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
  };
 }