frumar: move paperless stuff to separate file, fix scanner firewall

2023-07-05 14:50:43 +02:00 · 2023-07-05 14:50:43 +02:00 · 98959934ff
parent 4adf2f5ab3
commit 98959934ff
2 changed files with 58 additions and 6 deletions
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@ -3,6 +3,7 @@
    ./fractal.nix
    ../../roles/server.nix
    ../../roles/homeserver.nix
+    ./paperless.nix
  ];

  system.stateVersion = "15.09";
@ -137,12 +138,19 @@
    #   unifiPassword = "ReadOnlyPassword";
    # };
  };
+  services.yorick.paperless = {
+    enable = true;
+    openFirewall = true;
+    scanner_ip = "192.168.2.49";
+  };
  boot.zfs.requestEncryptionCredentials = false;
-  networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
-  # mqtt, wsdd, ??, minecraft
-  networking.firewall.allowedTCPPorts = [ 1883 5357 443 25565 ];
-  # mqtt, wsdd, minecraft
-  networking.firewall.allowedUDPPorts = [ 1883 3702 25565 ];
+  networking.firewall = {
+    interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
+    # mqtt, wsdd, ??, minecraft
+    allowedTCPPorts = [ 1883 5357 443 25565 ];
+    # mqtt, wsdd, minecraft
+    allowedUDPPorts = [ 1883 3702 25565 ];
+  };
  services.rabbitmq = {
    enable = true;
    plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
@ -315,5 +323,4 @@
    TRANSIP_Username = "yorickvp";
    TRANSIP_Key_File = config.age.secrets.transip-key.path;
  };
-
 }
--- a/nixos/machines/frumar/paperless.nix
+++ b/nixos/machines/frumar/paperless.nix
@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.services.yorick.paperless;
+in {
+  options.services.yorick.paperless = with lib; {
+    enable = mkEnableOption "yorick paperless";
+    openFirewall = mkEnableOption "open firewall for scanner";
+    scanner_ip = mkOption {
+      type = types.str;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      connectionTrackingModules = [ "ftp" ];
+      extraCommands = ''
+        iptables -t raw -A PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+        iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+      '';
+      extraStopCommands = ''
+        iptables -t raw -D PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+        iptables -D nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+      '';
+    };
+
+    users.users.ads1600w = {
+      home = "/var/ads1600w";
+      group = "ads1600w";
+      initialHashedPassword =
+        "$6$q7E6hnTHHt9v.$OHZjuWISanANGwfhznWwfDlHAqbXBjqcr/q0lGe9ff2r.X9xCSoLP4giME5J9WoEUNuWssMLGBPMfXowBjXg70";
+      isSystemUser = true;
+      shell = "${pkgs.shadow}/bin/nologin";
+      createHome = true;
+    };
+    users.groups.ads1600w = { };
+
+    services.vsftpd = {
+      enable = true;
+      localUsers = true;
+      writeEnable = true;
+      chrootlocalUser = true;
+      allowWriteableChroot = true;
+      userlist = [ "ads1600w" ];
+    };
+    # todo: back up this dir
+  };
+}