# Scanner drop box: the scanner uploads TIFFs over plain FTP, a watcher
# service converts them to PNG, and nginx serves the results to the LAN.
{ lib, pkgs, ... }:

let
  scansDir = "/var/lib/scans";
in
{
  users = {
    users.scan = {
      isSystemUser = true;
      group = "scan";
      home = scansDir;
      # Low-risk account: the only thing it can do is log in to the FTP
      # server from the home network, and since that connection is
      # unencrypted the password could be sniffed there anyway.
      # NOTE(review): a plaintext `password` ends up in the world-readable Nix
      # store; `hashedPassword` / `hashedPasswordFile` would keep it out.
      password = "meeB3laodoo8na3z";
    };
    groups.scan = { };
  };

  # Presumably a custom option of this configuration (not a NixOS one):
  # scans are disposable, so they are left out of the system backup.
  sbruder.restic.system.extraExcludes = [ scansDir ];

  systemd = {
    # Create the drop directory and expire anything older than seven days.
    tmpfiles.rules = [ "d ${scansDir} 0755 scan root 7d" ];

    services.scan-converter = {
      wantedBy = [ "multi-user.target" ];
      # Wait for finished uploads (close_write) of .tif files, convert each
      # one to a metadata-stripped PNG and remove the original.
      script = ''
        set -euo pipefail
        ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write ${scansDir} | while read path action file; do
          echo "Converting ''${file}…"
          ${pkgs.imagemagick}/bin/convert -strip "${scansDir}/$file" "${scansDir}/''${file%.*}.png"
          rm "${scansDir}/$file"
        done
      '';
      serviceConfig = {
        User = "scan";
        Restart = "always";
        # Sandboxing; check with: systemd-analyze --no-pager security scan-converter.service
        CapabilityBoundingSet = null;
        PrivateDevices = true;
        PrivateNetwork = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectHome = true;
        RestrictNamespaces = true;
        SystemCallFilter = "@system-service";
      };
    };
  };

  services = {
    vsftpd = {
      enable = true;
      localUsers = true;
      writeEnable = true;
      userlist = [ "scan" ];
      # NOTE(review): confirm the list is actually enforced — in the NixOS
      # module `userlist` is only consulted when `userlistEnable` is set, and
      # `userlistDeny` decides whether it allows or denies; check that the
      # generated vsftpd.conf contains userlist_enable=YES.
      extraConfig = ''
        # I only want this to be reachable from within my home network. Since
        # IPv6 has all ports forwarded, it is disabled here.
        listen=YES
        listen_ipv6=NO
        # user’s shell is nologin
        check_shell=NO
        # scans should be readable
        local_umask=022
        pasv_min_port=30000
        pasv_max_port=30009
      '';
    };

    nginx.virtualHosts."scan.sbruder.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        root = scansDir;
        # Directory listing, restricted to the home network (v4 and v6);
        # every other client is denied.
        extraConfig = ''
          autoindex on;
          allow 192.168.100.0/24;
          allow 2001:470:1f0b:abc::/64;
          deny all;
        '';
      };
    };
  };

  networking.firewall = {
    # FTP control port plus the passive-mode data range configured above.
    allowedTCPPorts = [ 21 ];
    allowedTCPPortRanges = [ { from = 30000; to = 30009; } ];
  };
}