# hosts/aubergine/printing.nix
#
# CUPS (printing) and saned (scanning) served over the network, plus the
# nftables rules that admit their traffic on the `input-lan` chain.
#
# NOTE(review): both daemons are told to accept any client address
# (`allowFrom = [ "all" ]` for CUPS, `0.0.0.0/0` for saned), so the packet
# filter is the only access control left. `input-lan` is defined outside this
# file; confirm it only matches trusted interfaces.
{ pkgs, lib, config, ... }:
let
  # Accept IPP on the LAN input chain.
  cupsRules = ''
    table inet filter {
      chain input-lan {
        tcp dport ipp counter accept comment "cupsd: IPP"
      }
    }
  '';

  # Attach the "sane" conntrack helper to the control connection and accept
  # the control port on the LAN input chain.
  sanedRules = ''
    table inet filter {
      ct helper conntrack-sane {
        type "sane" protocol tcp;
      }
      chain prerouting {
        # This will track saned's data port for `ct related`
        tcp dport sane-port counter ct helper set "conntrack-sane"
      }
      chain input-lan {
        tcp dport sane-port counter accept comment "saned: control port"
        # NoticeNote: not actually useful because there is a rule `ct related accept` before
        ct helper "sane" counter accept comment "saned: data ports"
      }
    }
  '';
in
{
  imports = [
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/hardware/HP_Deskjet_1510.nix
  ];

  services.printing = {
    # Listen on every interface, share queues by default and advertise them.
    listenAddresses = [ "*:631" ];
    allowFrom = [ "all" ];
    defaultShared = true;
    browsing = true;
    webInterface = true;
    # NOTE(review): this also asks the NixOS firewall module to open the
    # listen port, separately from the `input-lan` rule further down. Check
    # that the two together do not expose 631 beyond the LAN.
    openFirewall = true;
    # NOTE(review): `DefaultEncryption IfRequested` means TLS is used only
    # when the client asks for it, so web-interface traffic may cross the
    # network in clear. `ServerAlias *` turns off Host header validation; the
    # cupsd.conf documentation warns that this exposes the scheduler to
    # browser-based DNS rebinding. Listing the names clients really use would
    # keep that validation in place.
    extraConf = ''
      DefaultEncryption IfRequested
      ServerAlias *
    '';
  };

  # DebugNote: SANE_DEBUG_NET=128 SANE_NET_HOSTS=aubergine.local scanimage -L
  services.saned = {
    enable = true;
    # Pins the data connection to 40000-40100. The second line is saned's
    # access list; `0.0.0.0/0` admits every IPv4 client, so narrowing it to
    # the LAN prefix would add a second layer behind the firewall.
    extraConfig = ''
      data_portrange = 40000 - 40100
      0.0.0.0/0
    '';
  };

  # Debug switches for the saned socket-activated unit, left disabled.
  systemd.services."saned@" = {
    #environment.SANE_DEBUG_HPAIO = "128";
    #environment.SANE_DEBUG_NET = "128";
  };

  # Each rule set is emitted only when the matching service option is on.
  networking.nftables.ruleset =
    lib.optionalString config.services.printing.openFirewall cupsRules
    + lib.optionalString config.services.saned.enable sanedRules;
}