servo: sftpgo: allow read-only media access via password auth

2024-08-27 13:52:40 +00:00
parent 861014bca3
commit 29886d7f10
2 changed files with 23 additions and 5 deletions
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@@ -37,15 +37,15 @@
    wantedBy = [ "nfs.service" "sftpgo.service" ];
    file.text = ''
      - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server, inaccessible from the www
-      - pub/           read-only:  content made to be shared with the www
+      - playground/    read-write*: use it to share files with other users of this server, inaccessible from the www
+                                    *if you can't write to it, make sure you're connected to the WiFi and not mobile.
    '';
  };

  sane.fs."/var/export/playground/README.md" = {
    wantedBy = [ "nfs.service" "sftpgo.service" ];
    file.text = ''
-      this directory is intentionally read+write by anyone with access (i.e. on the LAN).
+      this directory is intentionally read+write by anyone with access.
      - share files
      - write poetry
      - be a friendly troll
--- a/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
@@ -71,6 +71,9 @@ TRUSTED_CREDS = [
  # $<method>$<salt>$<hash>
  "$6$Zq3c2u4ghUH4S6EP$pOuRt13sEKfX31OqPbbd1LuhS21C9MICMc94iRdTAgdAcJ9h95gQH/6Jf6Ie4Obb0oxQtojRJ1Pd/9QHOlFMW."  #< m. rocket boy
 ]
+TRUSTED_VIEWING_OR_PLAYGROUND_CREDS = [
+  "$6$iikDajz5b.YH1.on$tfSzzBEtX8IeDiJJXCasOTxRTd7cFDKXU6dhlWYVhK6xDeJhV2fh6bmm1WIHItjIth9Eh9zNgUB8xibMIWCm/."
+];

 def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
  return dict(
@@ -112,8 +115,8 @@ def isLan(ip: str) -> bool:
 def isWireguard(ip: str) -> bool:
  return ip.startswith("10.0.10.")

-def isTrustedCred(password: str) -> bool:
-  for cred in TRUSTED_CREDS:
+def isTrustedCred(password: str, credlist: list[str] = TRUSTED_CREDS) -> bool:
+  for cred in credlist:
    if passlib.hosts.linux_context.verify(password, cred):
      return True

@@ -131,6 +134,21 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
      "/playground": PERM_RW,
      "/.public_for_test": PERM_RO,
    })
+  if isTrustedCred(password, TRUSTED_VIEWING_OR_PLAYGROUND_CREDS) and username != "colin":
+    return mkAuthOk(username, permissions = {
+      # error prone, but... not the worst if i miss something
+      "/": PERM_LIST,
+      "/media/archive": PERM_DENY,
+      "/media/Books": PERM_RO,
+      "/media/collections": PERM_DENY,
+      "/media/games": PERM_RO,
+      "/media/Music": PERM_RO,
+      "/media/Pictures": PERM_RO,
+      "/media/torrents": PERM_DENY,
+      "/media/Videos": PERM_RO,
+      "/playground": PERM_RW,
+      "/.public_for_test": PERM_RO,
+    })
  if isWireguard(ip):
    # allow any user from wireguard
    return mkAuthOk(username, permissions = {