hosts/aubergine/printing.nix

   1 { pkgs, lib, config, ... }:
   2 {
   3   imports = [
   4     ../../nixos/profiles/printing.nix
   5     ../../nixos/profiles/hardware/HP_Deskjet_1510.nix
   6   ];
   7   services.printing = {
   8     listenAddresses = ["*:631"];
   9     defaultShared = true;
  10     webInterface = true;
  11     allowFrom = ["all"];
  12     openFirewall = true;
  13     browsing = true;
  14     extraConf = ''
  15       DefaultEncryption IfRequested
  16       ServerAlias *
  17     '';
  18   };
  19   # DebugNote: SANE_DEBUG_NET=128 SANE_NET_HOSTS=aubergine.local scanimage -L
  20   services.saned = {
  21     enable = true;
  22     extraConfig = ''
  23       data_portrange = 40000 - 40100
  24       0.0.0.0/0
  25     '';
  26   };
  27   systemd.services."saned@" = {
  28     #environment.SANE_DEBUG_HPAIO = "128";
  29     #environment.SANE_DEBUG_NET   = "128";
  30   };
  31   networking.nftables.ruleset =
  32     lib.optionalString config.services.printing.openFirewall ''
  33       table inet filter {
  34         chain input-lan {
  35           tcp dport ipp counter accept comment "cupsd: IPP"
  36         }
  37       }
  38     '' + lib.optionalString config.services.saned.enable ''
  39       table inet filter {
  40         ct helper conntrack-sane {
  41           type "sane" protocol tcp;
  42         }
  43         chain prerouting {
  44           # This will track saned's data port for `ct related`
  45           tcp dport sane-port counter ct helper set "conntrack-sane"
  46         }
  47         chain input-lan {
  48           tcp dport sane-port counter accept comment "saned: control port"
  49           # NoticeNote: not actually useful because there is a rule `ct related accept` before
  50           ct helper "sane" counter accept comment "saned: data ports"
  51         }
  52       }
  53     '';
  54 }