aubergine: nftables: fix DHCP renewal
[julm/julm-nix.git] / hosts / aubergine / printing.nix
# Host module for "aubergine": shares a locally attached printer/scanner with
# other machines through CUPS (IPP) and saned, and adds the matching nftables
# rules to the `input-lan` chain.
#
# NOTE(review): both daemons are configured below to accept any client
# address; the only network restriction visible in this file is that the
# accept rules are placed in `input-lan`. That chain and `prerouting` are
# presumably declared with their hooks in another module; confirm that
# `input-lan` is reached only by traffic from the trusted LAN.
{ pkgs, lib, config, ... }:
{
  imports = [
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/hardware/HP_Deskjet_1510.nix
  ];
  services.printing = {
    # Listen on TCP 631 on every address rather than only on loopback.
    listenAddresses = ["*:631"];
    # Printers are shared by default.
    defaultShared = true;
    # The CUPS web interface is served on the same listener, so it is reachable
    # from wherever port 631 is reachable.
    webInterface = true;
    # No restriction on client addresses at the CUPS level.
    allowFrom = ["all"];
    # Also used below as the switch for the nftables IPP rule.
    # NOTE(review): if the stock NixOS firewall module is enabled as well, this
    # option presumably opens 631 there on all interfaces; confirm that is not
    # a second path around `input-lan`.
    openFirewall = true;
    browsing = true;
    # NOTE(review): both directives below relax cupsd defaults.
    # - `DefaultEncryption IfRequested` uses TLS only when the client asks for
    #   it, so authenticated requests (including web-interface logins) can
    #   travel in clear text; `Required` is the stricter setting.
    # - `ServerAlias *` accepts any Host header, which cupsd.conf(5) documents
    #   as exposing the server to browser-based DNS rebinding. Listing the
    #   names actually used (e.g. aubergine.local) keeps that check in place.
    extraConf = ''
      DefaultEncryption IfRequested
      ServerAlias *
    '';
  };
  # DebugNote: SANE_DEBUG_NET=128 SANE_NET_HOSTS=aubergine.local scanimage -L
  services.saned = {
    enable = true;
    # saned.conf: data connections use ports 40000-40100, and the access list
    # `0.0.0.0/0` admits every IPv4 client.
    # NOTE(review): with this access list the firewall is the only thing
    # limiting who can reach the scanner; a LAN prefix here would add a second
    # layer. TODO confirm the LAN addressing before narrowing it.
    extraConfig = ''
      data_portrange = 40000 - 40100
      0.0.0.0/0
    '';
  };
  # Override for the saned@ template unit; currently empty. The commented
  # lines raise SANE backend/network debug verbosity when troubleshooting.
  systemd.services."saned@" = {
    #environment.SANE_DEBUG_HPAIO = "128";
    #environment.SANE_DEBUG_NET = "128";
  };
  # nftables fragments, each emitted only when the matching service option is
  # set. `ipp` and `sane-port` are service names that nft resolves to port
  # numbers. The data port range configured for saned is not opened
  # explicitly: the conntrack helper marks those connections as related to the
  # control connection, and per the author's note inside the ruleset an
  # earlier `ct related accept` rule (not in this file) accepts them.
  networking.nftables.ruleset =
    lib.optionalString config.services.printing.openFirewall ''
      table inet filter {
        chain input-lan {
          tcp dport ipp counter accept comment "cupsd: IPP"
        }
      }
    '' + lib.optionalString config.services.saned.enable ''
      table inet filter {
        ct helper conntrack-sane {
          type "sane" protocol tcp;
        }
        chain prerouting {
          # This will track saned's data port for `ct related`
          tcp dport sane-port counter ct helper set "conntrack-sane"
        }
        chain input-lan {
          tcp dport sane-port counter accept comment "saned: control port"
          # NoticeNote: not actually useful because there is a rule `ct related accept` before
          ct helper "sane" counter accept comment "saned: data ports"
        }
      }
    '';
}