169 lines
4.2 KiB
Nix
169 lines
4.2 KiB
Nix
# Module: roles/printserver
|
|
# Enables a CUPS print server for sharing connected printers on the network
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
pkgsUnstable,
|
|
inputs,
|
|
...
|
|
}:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.printserver;
|
|
in
|
|
{
|
|
options.printserver = {
|
|
enable = mkEnableOption "Enables printserver role";
|
|
|
|
ippAddresses = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "*:631" ];
|
|
description = "Refer to services.printing.listenAddresses";
|
|
example = [ "*:631" ];
|
|
};
|
|
|
|
allowFromAddresses = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "all" ];
|
|
description = "Refer to services.printing.allowFrom";
|
|
example = [ "all" ];
|
|
};
|
|
|
|
allowedHosts = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = "Hosts/subnets we want to give access to the print server to";
|
|
example = [
|
|
"192.168.0.1/24"
|
|
"10.0.0.5"
|
|
];
|
|
};
|
|
|
|
serverName = mkOption {
|
|
type = types.str;
|
|
default = "localhost";
|
|
description = "Name of server to indicate to CUPS";
|
|
example = "print.example.com";
|
|
};
|
|
|
|
serverAliases = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = "Hosts to add to ServerAlias directive";
|
|
example = [ "192.168.1.2" ];
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
allowedHostsText = lib.concatStringsSep "\n" (map (host: "Allow ${host}") cfg.allowedHosts);
|
|
serverAliasesText = lib.concatStringsSep "\n" (
|
|
map (client: "ServerAlias ${client}") cfg.serverAliases
|
|
);
|
|
in
|
|
mkIf cfg.enable {
|
|
environment.systemPackages = with pkgsUnstable; [
|
|
cups
|
|
gutenprint
|
|
];
|
|
|
|
services.avahi = {
|
|
enable = true;
|
|
nssmdns4 = true;
|
|
openFirewall = true;
|
|
publish = {
|
|
enable = true;
|
|
userServices = true;
|
|
addresses = true;
|
|
workstation = true;
|
|
hinfo = true;
|
|
domain = true;
|
|
};
|
|
};
|
|
|
|
services.printing = {
|
|
enable = true;
|
|
listenAddresses = cfg.ippAddresses;
|
|
allowFrom = cfg.allowFromAddresses;
|
|
browsing = true;
|
|
defaultShared = true;
|
|
openFirewall = true;
|
|
webInterface = true;
|
|
drivers = [ pkgs.gutenprint ];
|
|
|
|
extraConf = ''
|
|
BrowseLocalProtocols dnssd
|
|
|
|
ServerName ${cfg.serverName}
|
|
${lib.optionalString (cfg.serverAliases != [ ]) serverAliasesText}
|
|
|
|
DefaultAuthType Basic
|
|
|
|
# Allow general access to the CUPS web interface
|
|
<Location />
|
|
Order allow,deny
|
|
${lib.optionalString (cfg.allowedHosts != [ ]) allowedHostsText}
|
|
</Location>
|
|
|
|
# Admin access (requires login)
|
|
<Location /admin>
|
|
AuthType Default
|
|
Require valid-user
|
|
Order allow,deny
|
|
${lib.optionalString (cfg.allowedHosts != [ ]) allowedHostsText}
|
|
</Location>
|
|
|
|
# Access to admin config files (also requires login)
|
|
<Location /admin/conf>
|
|
AuthType Default
|
|
Require valid-user
|
|
Order allow,deny
|
|
</Location>
|
|
'';
|
|
};
|
|
|
|
services.traefik = {
|
|
enable = true;
|
|
|
|
staticConfigOptions = {
|
|
entryPoints = {
|
|
web = {
|
|
address = ":80";
|
|
asDefault = true;
|
|
http.redirections.entrypoint = {
|
|
to = "websecure";
|
|
scheme = "https";
|
|
};
|
|
};
|
|
|
|
websecure = {
|
|
address = ":443";
|
|
asDefault = true;
|
|
http.tls.certResolver = "tailscale";
|
|
};
|
|
};
|
|
|
|
certificatesResolvers.tailscale."tailscale" = { };
|
|
};
|
|
|
|
dynamicConfigOptions = {
|
|
http.routers.cups = {
|
|
entrypoints = [ "websecure" ];
|
|
rule = "Host(`${config.networking.hostName}.tail755c5.ts.net`)";
|
|
service = "cups-gui";
|
|
tls.certResolver = "tailscale";
|
|
};
|
|
|
|
http.services.cups-gui = {
|
|
loadBalancer.servers = [ { url = "http://localhost:631"; } ];
|
|
};
|
|
};
|
|
};
|
|
|
|
services.tailscale.permitCertUid = "traefik";
|
|
};
|
|
}
|