Merge branch 'roles/printserver'

2025-08-08 00:31:38 -07:00
2 changed files with 125 additions and 27 deletions


@@ -11,10 +11,18 @@
qemu.enable = true;
spice.enable = true;
printserver.enable = true;
printserver = {
enable = true;
allowedWebClients = [
"100.64.5.1"
"100.64.5.2"
"100.64.5.3"
];
};
base.userSSHKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZizFOCecyfHqJDDinCl9XTXvCd8RBEM6VN76nGZfSj etorres@xenon"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9iQLPBN3aK88aGN3EL4kSP6rMOfiN84KjIdt7jdVn etorres@radon"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICk6WQFO39tY3CZnXr6jF0wwkHH3isWWLFityvObui0L etorres@erics-macbook-pro"
];
}
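Review bot: The three addresses added under `allowedWebClients` look like client IPs, but the printserver module consumes this option as `ServerAlias` lines, i.e. the set of Host header values the CUPS web interface will accept, not a client allowlist; reachability from those hosts is decided by the module's hard-coded `Allow 100.64.5.0/24` in its `<Location>` blocks, which already covers them. Unless these addresses are also what users type into the address bar, the entries are likely no-ops, and if the hosts browse through the Traefik route the value that needs aliasing is the tailnet hostname the router matches on. Consider dropping the list or making it hold the names actually used to reach the UI, and make the option text say what it controls, e.g. `description = "Host header values (ServerAlias) accepted by the CUPS web interface; not an access-control list";`.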


@@ -29,37 +29,127 @@ in
description = "Refer to services.printing.allowFrom";
example = [ "all" ];
};
allowedWebClients = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Hosts to add to ServerAlias directive";
example = [ "192.168.1.2" ];
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
cups
gutenprint
];
config =
let
serverAliasesText = lib.concatStringsSep "\n" (
map (client: "ServerAlias ${client}") cfg.allowedWebClients
);
in
mkIf cfg.enable {
environment.systemPackages = with pkgs; [
cups
gutenprint
];
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
publish = {
services.avahi = {
enable = true;
userServices = true;
addresses = true;
workstation = true;
hinfo = true;
domain = true;
nssmdns4 = true;
openFirewall = true;
publish = {
enable = true;
userServices = true;
addresses = true;
workstation = true;
hinfo = true;
domain = true;
};
};
};
services.printing = {
enable = true;
listenAddresses = cfg.ippAddresses;
allowFrom = cfg.allowFromAddresses;
browsing = true;
defaultShared = true;
openFirewall = true;
webInterface = true;
drivers = [ pkgs.gutenprint ];
services.printing = {
enable = true;
listenAddresses = cfg.ippAddresses;
allowFrom = cfg.allowFromAddresses;
browsing = true;
defaultShared = true;
openFirewall = true;
webInterface = true;
drivers = [ pkgs.gutenprint ];
extraConf = ''
Listen 0.0.0.0:631
BrowseLocalProtocols dnssd
${lib.optionalString (cfg.allowedWebClients != [ ]) serverAliasesText}
DefaultAuthType Basic
# Allow general access to the CUPS web interface
<Location />
Order allow,deny
Allow 127.0.0.1
Allow 192.168.1.*
Allow 100.64.5.0/24
</Location>
# Admin access (requires login)
<Location /admin>
AuthType Default
Require valid-user
Order allow,deny
Allow 127.0.0.1
Allow 192.168.1.*
Allow 100.64.5.0/24
</Location>
# Access to admin config files (also requires login)
<Location /admin/conf>
AuthType Default
Require valid-user
Order allow,deny
Allow 127.0.0.1
Allow 192.168.1.*
Allow 100.64.5.0/24
</Location>
'';
};
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
web = {
address = ":80";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "tailscale";
};
};
certificatesResolvers.tailscale."tailscale" = { };
};
dynamicConfigOptions = {
http.routers.cups = {
entrypoints = [ "websecure" ];
rule = "Host(`${config.networking.hostName}.tail755c5.ts.net`)";
service = "cups-gui";
tls.certResolver = "tailscale";
};
http.services.cups-gui = {
loadBalancer.servers = [ { url = "http://localhost:631"; } ];
};
};
};
services.tailscale.permitCertUid = "traefik";
};
};
}
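Review bot: The per-`<Location>` `Allow` lists in `extraConf` do not constrain the new Traefik route: `services.traefik` proxies to `http://localhost:631`, so every request arriving on :443 reaches CUPS from 127.0.0.1 and matches `Allow 127.0.0.1` regardless of the client's origin, leaving `/` and `/admin` gated only by who can reach Traefik plus Basic auth on the admin paths. At the same time `Listen 0.0.0.0:631` (which widens whatever `listenAddresses = cfg.ippAddresses` was meant to limit) together with `openFirewall = true` and `DefaultAuthType Basic` serves the same admin login over plain HTTP to `192.168.1.*`, so admin credentials cross the LAN unencrypted; if TLS termination at Traefik is the intended web path, narrow the extra listener to `Listen localhost:631` or add `Encryption Required` to the `/admin` and `/admin/conf` locations. The hard-coded `192.168.1.*` and `100.64.5.0/24` also duplicate what `cfg.allowFromAddresses` already models, and generating the `Allow` lines from that option the way `serverAliasesText` is derived from `allowedWebClients` would keep the two from drifting. The `options` attribute set this hunk edits begins before the hunk.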