pumpkin: steam-run: install

[julm/julm-nix.git] / nixos / profiles / printing.nix

diff --git a/nixos/profiles/printing.nix b/nixos/profiles/printing.nix
index ece0a8ac043c39c6c9edead1129872cff7f91ef9..2c014c1a31ec13a8db707f0df2732cd9061c16cb 100644 (file)
--- a/nixos/profiles/printing.nix
+++ b/nixos/profiles/printing.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 {
   imports = [
     ./avahi.nix
@@ -17,19 +22,27 @@
     pkgs.hplipWithPlugin
     pkgs.sane-airscan
   ];
+  services.colord.enable = true;
   # ExplanationNote: cups-browsed only supports avahi, not systemd-resolved
   services.avahi.enable = lib.mkDefault true;
   services.resolved.extraConfig = ''
     MulticastDNS=false
   '';
-  networking.nftables.ruleset = ''
-    table inet filter {
-      chain output-lan {
-        meta l4proto { udp, tcp } th dport { ipp, ipps } counter accept comment "IPP"
+  networking.nftables.ruleset =
+    ''
+      table inet filter {
+        chain output-lan {
+          tcp dport { ipp, ipps } counter accept comment "printing: IPP"
+          tcp dport sane-port counter accept comment "sane-net: control port"
+          tcp dport {40000 - 40100} counter accept comment "saned: data ports"
+        }
       }
-      chain output-net {
-        meta l4proto { udp, tcp } th dport { ipp, ipps } counter accept comment "IPP"
+    ''
+    + lib.optionalString config.hardware.sane.openFirewall ''
+      table inet filter {
+        chain input-lan {
+          udp canon-bjnp2 counter accept comment "sane: discovery of scanners on the local network"
+        }
       }
-    }
-  '';
+    '';
 }