From 875968bf14798a0c6f9281926e44183a3f27de58 Mon Sep 17 00:00:00 2001
From: Alexandre CATTEAU
Date: Fri, 22 Oct 2021 16:04:48 +0200
Subject: [PATCH] Initial commit, existing project
---
 clean-cloud.service | 7 ++
 clean-cloud.sh | 25 +++++++
 clean-cloud.timer | 9 +++
 novnc.service | 10 +++
 scan-to-cloud.path | 8 +++
 scan-to-cloud.service | 7 ++
 scan-to-cloud.sh | 33 +++++++++
 scan.mount | 11 +++
 setup.sh | 163 ++++++++++++++++++++++++++++++++++++++++++
 vnc.socket | 10 +++
 vnc@.service | 14 ++++
 11 files changed, 297 insertions(+)
 create mode 100644 clean-cloud.service
 create mode 100644 clean-cloud.sh
 create mode 100644 clean-cloud.timer
 create mode 100644 novnc.service
 create mode 100644 scan-to-cloud.path
 create mode 100644 scan-to-cloud.service
 create mode 100644 scan-to-cloud.sh
 create mode 100644 scan.mount
 create mode 100644 setup.sh
 create mode 100644 vnc.socket
 create mode 100644 vnc@.service
diff --git a/clean-cloud.service b/clean-cloud.service
new file mode 100644
index 0000000..908adce
--- /dev/null
+++ b/clean-cloud.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Clean remote dropbox
+
+[Service]
+User=scan
+Type=oneshot
+ExecStart=/home/scan/.sync/clean-cloud.sh
diff --git a/clean-cloud.sh b/clean-cloud.sh
new file mode 100644
index 0000000..a01dd7c
--- /dev/null
+++ b/clean-cloud.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# The purpose of this script is to automatically empty our remote sandbox.
+# This script is not to be run as root, rather as the user responsible for scanning.
+
+# Only run if the user is not root
+if [[ $USER = 'root' ]] ; then
+ echo "You must not run this script as root!"
+ exit 1
+fi
+
+# Set parameters
+remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
+remote_user='scan'
+remote_passwd='rB2TgFpNXk3BbZ44'
+subdirectories_prefix='scans'
+
+yesterday=$(date -d "-1 days" +"%Y%m%d")
+today=$(date +"%Y%m%d")
+
+curl -s -u $remote_user:$remote_passwd -X DELETE $remote_path/$subdirectories_prefix-$yesterday
+curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
+
+echo "Cleaning done."
+exit 0
diff --git a/clean-cloud.timer b/clean-cloud.timer
new file mode 100644
index 0000000..8a8e428
--- /dev/null
+++ b/clean-cloud.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run clean-cloud regularly
+
+[Timer]
+OnCalendar=*-*-* 02:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/novnc.service b/novnc.service
new file mode 100644
index 0000000..cff13cd
--- /dev/null
+++ b/novnc.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=noVNC proxy with Websockify
+
+[Service]
+User=scan
+Type=simple
+ExecStart=/usr/bin/websockify --ssl-only --cert /etc/ssl/cert.crt --key /etc/ssl/cert.key --web /usr/share/novnc 8080 localhost:5900
+
+[Install]
+WantedBy=default.target
diff --git a/scan-to-cloud.path b/scan-to-cloud.path
new file mode 100644
index 0000000..0a182b4
--- /dev/null
+++ b/scan-to-cloud.path
@@ -0,0 +1,8 @@
+[Unit]
+Description=Run scan-to-cloud when a new document is scanned
+
+[Path]
+DirectoryNotEmpty=/scan
+
+[Install]
+WantedBy=paths.target
diff --git a/scan-to-cloud.service b/scan-to-cloud.service
new file mode 100644
index 0000000..a9b7500
--- /dev/null
+++ b/scan-to-cloud.service
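Review bot: The WebDAV password is a string literal in `remote_passwd` of clean-cloud.sh and is then expanded into `curl -u $remote_user:$remote_passwd`, so it sits in the repository history and is visible in the process list while curl runs; scan-to-cloud.sh carries the same literal and the same `-u` usage. Move the credential to a file readable only by the `scan` user and let curl read it, for example `curl -sS --fail --netrc-file "$cred_file" -X DELETE "$remote_path/$subdirectories_prefix-$yesterday"`, where `cred_file` is a placeholder for a path you choose. Since the value is already committed, it should be rotated on the server rather than only removed from the file. The added `--fail` matters too, because `-s` alone lets the script print "Cleaning done." and exit 0 after an HTTP error.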
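Review bot: In novnc.service websockify is given only the port `8080` as its listen argument, so it accepts connections on every interface, while vnc.socket deliberately binds `127.0.0.1:5900`; the proxy therefore becomes the network-facing entry to the scan user's X session. With that exposure the VNC password is the only gate, and setup.sh sets it from the literal `vnc_passwd='windows'`. Consider giving websockify an explicit listen address (`<LAN_ADDRESS>:8080`, placeholder) or firewalling the port, and having setup.sh call `x11vnc -storepasswd "$passwd_file"` so the password is prompted for at install time instead of being stored in the script.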
@@ -0,0 +1,7 @@
+[Unit]
+Description=Upload scanned document to dropbox
+
+[Service]
+User=scan
+Type=oneshot
+ExecStart=/home/scan/.sync/scan-to-cloud.sh
diff --git a/scan-to-cloud.sh b/scan-to-cloud.sh
new file mode 100644
index 0000000..69fd292
--- /dev/null
+++ b/scan-to-cloud.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# The purpose of this script is to automaticaly upload scanned documents to a remote dropbox.
+# This script is not to be run as root, rather as the user responsible for scanning.
+
+# Only run if the user is not root
+if [[ $USER = 'root' ]] ; then
+ echo "You must not run this script as root!"
+ exit 1
+fi
+
+# Set parameters
+scan_directory='/scan'
+remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
+remote_user='scan'
+remote_passwd='rB2TgFpNXk3BbZ44'
+subdirectories_prefix='scans'
+
+today=$(date +"%Y%m%d")
+
+# The script is executed a bit too early, so we need to wait a few seconds.
+sleep 5s
+
+for filename in $scan_directory/*; do
+ #echo "Creating today's directory..." # I'd like to remove these 2 lines
+ #curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
+ echo "Uploading $filename..."
+ curl -s -u $remote_user:$remote_passwd -T "$filename" $remote_path/$subdirectories_prefix-$today/
+ rm "$filename"
+done
+
+echo "Upload done."
+exit 0
diff --git a/scan.mount b/scan.mount
new file mode 100644
index 0000000..dd32fd2
--- /dev/null
+++ b/scan.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=tmpfs for scanned documents
+
+[Mount]
+What=tmpfs
+Where=/scan
+Type=tmpfs
+Options=noatime,uid=1001,gid=1001
+
+[Install]
+WantedBy=default.target
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..3b58c13
--- /dev/null
+++ b/setup.sh
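Review bot: In the upload loop of scan-to-cloud.sh, `rm "$filename"` runs unconditionally, and the `curl -s -T` before it neither reports nor fails on an HTTP error, so a rejected or interrupted upload still deletes the only copy of the scan from the tmpfs. Make the delete depend on the transfer, e.g. `curl -sS --fail -u ... -T "$filename" "$remote_path/$subdirectories_prefix-$today/" && rm -- "$filename"`. The loop also iterates the unquoted glob `$scan_directory/*`, which stays the literal `/scan/*` when the directory is empty; a `[[ -e "$filename" ]] || continue` guard at the top of the loop body avoids acting on that string.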
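Review bot: The `Options=` line in scan.mount sets an owner but no `mode=`, and tmpfs then falls back to a world-writable, sticky root directory (1777), so any local account could place files in `/scan` that scan-to-cloud.sh picks up and uploads with the scan user's credentials. Restrict the directory to its owner, e.g. `Options=noatime,nosuid,nodev,noexec,uid=1001,gid=1001,mode=0700`. The numeric `uid=1001,gid=1001` also appears to assume that `scan` is the second account created by setup.sh; a comment stating that assumption would help, since a different creation order hands the directory to another user.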
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+# The purpose of this script is to setup our print-scan server on a blank Armbian.
+# This script is to be run as root.
+
+# (Keep in mind that default root password is 1234)
+# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
+
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+
+# Functions
+init() {
+ echo "Starting initialization"
+ echo $fqdn > /etc/hostname
+ sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
+ localectl set-keymap $keymap
+ timedatectl set-timezone $timezone
+ systemctl disable apt-daily-upgrade.timer
+}
+
+install_packages() {
+ echo "Starting packages installation"
+ sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
+ apt update
+ apt upgrade -y
+ apt install -y vim tree tmux neofetch simple-scan sane hplip novnc x11vnc xvfb xinit libglib2.0-bin dbus-x11
+}
+
+add_users() {
+ echo "Adding users"
+ useradd -U -G sudo,lpadmin -m -s /bin/bash $user
+ chmod 700 /home/$user
+ useradd -U -G scanner,lp -m -s /sbin/nologin $scan_user
+ chmod 700 /home/$scan_user
+}
+
+get_conf() {
+ echo "Getting configuration"
+ sudo -H -u $user mkdir $sync_directory_path
+ cp $run_directory_path/conf-sync.sh $sync_directory_path/
+ chown $user:$user $sync_directory_path/conf-sync.sh
+ sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
+ sudo -H -u $user $sync_directory_path/conf-sync.sh
+}
+
+set_conf() {
+ echo "Setting configuration"
+ sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
+ ln -s $sync_directory_path/*.service $systemd_units_path/
+ ln -s $sync_directory_path/*.timer $systemd_units_path/
+ ln -s $sync_directory_path/*.socket $systemd_units_path/
+ ln -s $sync_directory_path/*.mount $systemd_units_path/
+ ln -s $sync_directory_path/*.path $systemd_units_path/
+ systemctl daemon-reload
+ systemctl enable novnc.service vnc.socket conf-sync.timer clean-cloud.timer scan.mount #scan-to-cloud.path
+}
+
+set_scan_conf() {
+ echo "Setting scan configuration"
+ sudo -H -u $scan_user sh -c "echo 'simple-scan' > $scan_user_home_directory/.xinitrc" # TODO this should be done another way
+ touch $passwd_file
+ chown $scan_user:$scan_user $passwd_file
+ sudo -H -u $scan_user x11vnc -storepasswd $vnc_passwd $passwd_file
+ touch $x11vnc_logfile
+ chown $scan_user:$scan_user $x11vnc_logfile
+ mkdir $scan_tmpfs
+ chown $scan_user:$scan_user $scan_tmpfs
+ sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-height 2970 # those don't work
+ sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-width 2100
+ sudo -H -u $scan_user gsettings set org.gnome.SimpleScan save-directory $scan_tmpfs
+ cp $novnc_webroot/vnc.html $novnc_webroot/index.html
+}
+
+set_cups_conf() {
+ echo "Setting CUPS configuration"
+ mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
+ ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
+}
+
+rcs_links() {
+ echo "Linking rcs"
+ rm /home/$user/.bashrc
+ rm /root/.bashrc
+ sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
+ ln -s /home/$user/.bashrc /root/.bashrc
+ sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
+ ln -s /home/$user/.vimrc /root/.vimrc
+}
+
+ssh_pubkey() {
+ echo "Getting SSH public key"
+ sudo -H -u $user mkdir /home/$user/.ssh
+ sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
+ sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
+}
+
+tls_cert() {
+ echo "Generating TLS certificate"
+ openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $tls_directory/$cert -keyout $tls_directory/$cert_key -subj "/C=/ST=/L=/O=/OU=/CN="
+ chmod o+r $tls_directory/$cert_key
+}
+
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+ echo "You must run this script as root!"
+ exit 1
+fi
+
+run_directory_path=$(pwd)
+
+# Set parameters
+default_hostname='pine64'
+hostname='pn1'
+fqdn='pn1.kto.black'
+keymap='fr'
+timezone='Europe/Paris'
+deb_apt_default_repo='httpredir.debian.org'
+deb_apt_repo='ftp.fr.debian.org'
+user='alex'
+scan_user='scan'
+scan_user_home_directory="/home/$scan_user"
+sync_directory_path="/home/$user/.sync"
+systemd_units_path='/etc/systemd/system'
+cups_conf_path='/etc/cups'
+vnc_passwd='windows'
+passwd_file='/etc/passwdd'
+x11vnc_logfile='/var/log/x11vnc.log'
+scan_tmpfs='/scan'
+novnc_webroot='/usr/share/novnc'
+remote_pubkey_location='https://keys.kto.black'
+remote_pubkey='home.pub'
+tls_directory='/etc/ssl/'
+cert='cert.crt'
+cert_key='cert.key'
+
+# Main process
+# You should comment below what you do not want to happen
+init
+install_packages
+add_users
+get_conf
+set_conf
+set_scan_conf
+set_cups_conf
+rcs_links
+ssh_pubkey
+tls_cert
+
+echo ""
+echo "We're all good here!"
+echo "You should now:"
+echo "* set $user's password"
+echo "* lock root account"
+echo "* remove setup.sh"
+echo "* reboot the SBC"
+echo "And perhaps:"
+echo "* connect to http://$hostname:631/ and add a printer"
+echo "* set htop at your convenience"
+echo "* remove password for sudo" # TODO we should automate that, with a flag
+echo "* use below commands to edit SSH config:"
+echo "sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
+echo "sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
+exit 0
diff --git a/vnc.socket b/vnc.socket
new file mode 100644
index 0000000..a4b577e
--- /dev/null
+++ b/vnc.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=VNC incoming socket
+
+[Socket]
+ListenStream=127.0.0.1:5900
+Accept=yes
+MaxConnections=5
+
+[Install]
+WantedBy=sockets.target
diff --git a/vnc@.service b/vnc@.service
new file mode 100644
index 0000000..35ff490
--- /dev/null
+++ b/vnc@.service
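Review bot: `chmod o+r $tls_directory/$cert_key` in tls_cert() of setup.sh makes the TLS private key readable by every local account, apparently only so that websockify (run as `scan` in novnc.service) can open it. Grant that one account access instead: `chgrp "$scan_user" "$tls_directory/$cert_key"` followed by `chmod 640 "$tls_directory/$cert_key"`. In the same function `-subj "/C=/ST=/L=/O=/OU=/CN="` gives the certificate an empty subject; `-subj "/CN=$fqdn"` would at least let clients match the host name. The script also has no `set -euo pipefail` and its expansions are unquoted, so a failed step (for example the `wget` that populates `authorized_keys`) does not stop the ones after it.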
@@ -0,0 +1,14 @@
+# VNC password should be set in /etc/passwdd
+# TODO we still need to handle session termination
+
+[Unit]
+Description=Specific x11vnc session
+OnFailure=scan-to-cloud.service
+
+[Service]
+User=scan
+Type=simple
+ExecStart=/usr/bin/x11vnc -once -create -localhost -inetd -bg -o /var/log/x11vnc.log -rfbauth /etc/passwdd
+#ExecStop=/usr/bin/x11vnc -R stop # TODO test that, unless it prevents OnFailure from working
+StandardInput=socket
+StandardError=syslog
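Review bot: The rfbauth file in vnc@.service is named `/etc/passwdd`, one keystroke away from `/etc/passwd`, and setup.sh runs `touch` and `chown $scan_user:$scan_user` on that path as root, so a slip in either file would hand the system account database to the scan user. A distinct name removes that risk, for instance `-rfbauth /etc/x11vnc.pass` here with the matching `passwd_file` value in setup.sh (the name is only a suggestion). The header comment could also state that the file must be owned by `scan` with mode 0600, since the VNC password file format is only obfuscated and can be reversed by anyone who can read it.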