From eeb8f2545384b5bc1f8b3c5fb8c36be8515309b1 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Mon, 12 Sep 2022 20:34:52 +0200
Subject: [PATCH] fuuko/scan: Drop
---
 machines/fuuko/configuration.nix | 1 -
 machines/fuuko/services/scan.nix | 89 --------------------------------
 2 files changed, 90 deletions(-)
 delete mode 100644 machines/fuuko/services/scan.nix
diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index 5baea96..db87ac4 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -9,7 +9,6 @@
 ./services/fritzbox-exporter.nix
 ./services/media-backup.nix
 ./services/media.nix
- ./services/scan.nix
 ./services/torrent.nix
 ./services/wordclock-dimmer.nix
 ];
diff --git a/machines/fuuko/services/scan.nix b/machines/fuuko/services/scan.nix
deleted file mode 100644
index 6380b97..0000000
--- a/machines/fuuko/services/scan.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ lib, pkgs, ... }:
-{
- users.users.scan = {
- home = "/var/lib/scans";
- isSystemUser = true;
- group = "scan";
- # this is a low-risk account and since the only thing the account can do is
- # login to the ftp server from my home network, you can also sniff the
- # password since the connection is unencrypted
- password = "meeB3laodoo8na3z";
- };
- users.groups.scan = { };
-
- systemd.tmpfiles.rules = [
- "d /var/lib/scans 0755 scan root 7d"
- ];
-
- sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
-
- services.vsftpd = {
- enable = true;
- writeEnable = true;
- localUsers = true;
- userlist = [ "scan" ];
- extraConfig = ''
- # I only want this to be reachable from within my home network. Since
- # IPv6 has all ports forwarded, it is disabled here.
- listen=YES
- listen_ipv6=NO
-
- # user’s shell is nologin
- check_shell=NO
-
- # scans should be readable
- local_umask=022
-
- pasv_min_port=30000
- pasv_max_port=30009
- '';
- };
-
- services.nginx.virtualHosts."scan.sbruder.de" = {
- enableACME = true;
- forceSSL = true;
-
- locations."/" = {
- root = "/var/lib/scans";
-
- extraConfig = ''
- autoindex on;
-
- allow 192.168.100.0/24;
- allow 2001:470:1f0b:abc::/64;
- deny all;
- '';
- };
- };
-
- networking.firewall = {
- allowedTCPPorts = [ 21 ];
- allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
- };
-
- systemd.services.scan-converter = {
- wantedBy = [ "multi-user.target" ];
- script = ''
- set -euo pipefail
- ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
- echo "Converting ''${file}…"
- ${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
- rm "/var/lib/scans/$file"
- done
- '';
- serviceConfig = {
- User = "scan";
- Restart = "always";
-
- # systemd-analyze --no-pager security scan-converter.service
- CapabilityBoundingSet = null;
- PrivateDevices = true;
- PrivateNetwork = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHome = true;
- RestrictNamespaces = true;
- SystemCallFilter = "@system-service";
- };
- };
-}