Compare commits

...

4 Commits

4 changed files with 171 additions and 31 deletions

View File

@ -1,23 +1,21 @@
# Printscan server # Printscan server
## Version 3 ## Version 3.1
This repository contains files used to set up our printscan server on a freshly installed Armbian. Target is Bullseye. This repository contains files used to set up our printscan server on a freshly installed Armbian. Target is Bullseye.
### Introduction ### Introduction
(see wiki for need and concept explanation) (see wiki for need and concept explanation)
Version 3 implementation works roughly as follows: Version 3.1 implementation works roughly as follows:
##### SBC ##### SBC
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB; * the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB;
* SANE and CUPS services are installed and running on the device; * SANE and CUPS services are installed and running on the device;
* CUPS is configured to provide a remote printer to network; * CUPS is configured to provide a remote printer to network;
* SANE is configured to provide network scan to a specific host only. * SANE is configured to provide local scan;
* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan.
##### Applicative container
* this specific host is an applicative container running [scanservjs](https://github.com/sbs20/scanservjs);
* it is configured to use the scanner provided by the SBC.
### Files ### Files
Files in this repository only cover the SBC setup. Files in this repository cover all the SBC setup.
#### Installation #### Installation
* `setup.sh` is a script automating the installation and configuration of required software * `setup.sh` is a script automating the installation and configuration of required software
* `cupsd.conf` is the config file for CUPS, set by setup script

102
cupsd.conf Normal file
View File

@ -0,0 +1,102 @@
LogLevel debug
PageLogFormat
MaxLogSize 0
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/log>
AuthType Default
Require user @SYSTEM
Order allow,deny
# Allow remote access to the log files...
Order allow,deny
Allow @LOCAL
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default

13
scanservjs.conf Normal file
View File

@ -0,0 +1,13 @@
<VirtualHost *:443>
ServerName printscan.hp3.kto.black
SSLEngine on
SSLCertificateFile "/etc/ssl/cert.crt"
SSLCertificateKeyFile "/etc/ssl/cert.key"
<Location />
ProxyPass "http://127.0.0.1:8080/"
ProxyPassReverse "http://127.0.0.1:8080/"
</Location>
</VirtualHost>

View File

@ -4,7 +4,7 @@
# This script is to be run as root. # This script is to be run as root.
# (Keep in mind that default root password is 1234) # (Keep in mind that default root password is 1234)
# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root # Flash SBC's SD with Armbian and clone this repository in /root
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP # YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
@ -23,7 +23,7 @@ install_packages() {
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
apt update apt update
apt upgrade -y apt upgrade -y
apt install -y vim tree tmux neofetch sane sane-utils hplip apt install -y vim tree tmux neofetch sane sane-utils hplip apache2
} }
add_users() { add_users() {
@ -33,43 +33,38 @@ add_users() {
usermod -a -G lp saned usermod -a -G lp saned
} }
get_conf() { get_conf() { # TODO when new conf-sync will be available
echo "Getting configuration" echo "Getting configuration"
sudo -H -u $user mkdir $sync_directory_path sudo -H -u $user mkdir $sync_directory_path
cp $run_directory_path/conf-sync.sh $sync_directory_path/
chown $user:$user $sync_directory_path/conf-sync.sh git clone https://gitea.kto.black/adminconf/rcs-general.git $sync_directory_path/rcs-general
sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh # git clone confsync-du-futur
sudo -H -u $user $sync_directory_path/conf-sync.sh
} }
set_conf() { set_conf() { # TODO when new conf-sync will be available
echo "Setting configuration" echo "Setting configuration"
ln -s $sync_directory_path/conf-sync-server.timer $systemd_units_path/conf-sync.timer # deploy confsync-du-futur
ln -s $sync_directory_path/*.service $systemd_units_path/
systemctl daemon-reload
systemctl enable conf-sync.timer
} }
set_cups_conf() { set_cups_conf() {
echo "Setting CUPS configuration" echo "Setting CUPS configuration"
mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf cp $run_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
} }
set_sane_conf() { set_sane_conf() {
echo $printscan_container_ip >> /etc/sane.d/saned.conf
systemctl enable saned.socket systemctl enable saned.socket
} }
rcs_links() { rcs_links() { # NOTE this should be handled by an install script in rcs-general
echo "Linking rcs" echo "Linking rcs"
rm /home/$user/.bashrc rm /home/$user/.bashrc
rm /root/.bashrc rm /root/.bashrc
sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc sudo -H -u $user ln -s $sync_directory_path/rcs-general/bashrc /home/$user/.bashrc
ln -s /home/$user/.bashrc /root/.bashrc ln -s /home/$user/.bashrc /root/.bashrc
sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc sudo -H -u $user ln -s $sync_directory_path/rcs-general/vimrc /home/$user/.vimrc
ln -s /home/$user/.vimrc /root/.vimrc ln -s /home/$user/.vimrc /root/.vimrc
sudo -H -u $user ln -s $sync_directory_path/tmux.conf /home/$user/.tmux.conf sudo -H -u $user ln -s $sync_directory_path/rcs-general/tmux.conf /home/$user/.tmux.conf
ln -s /home/$user/.tmux.conf /root/.tmux.conf ln -s /home/$user/.tmux.conf /root/.tmux.conf
} }
@ -80,6 +75,33 @@ ssh_pubkey() {
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
} }
# based on https://github.com/sbs20/scanservjs/blob/master/docs/install.md
install_scanservjs() {
wget -O $run_directory_path/scanservjs.tar.gz $(curl -s \
https://api.github.com/repos/sbs20/scanservjs/releases/latest | grep browser_download_url | cut -d '"' -f 4)
mkdir $run_directory_path/scanservjs
tar -xf scanservjs.tar.gz -C $run_directory_path/scanservjs/
sudo $run_directory_path/scanservjs/installer.sh -i
rm $run_directory_path/scanservjs.tar.gz
rm -r $run_directory_path/scanservjs
}
tls_cert() {
echo "Generating TLS certificate"
openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $tls_directory/$cert -keyout $tls_directory/$cert_key -subj "/C=/ST=/L=/O=/OU=/CN="
chmod o+r $tls_directory/$cert_key
}
set_apache() {
echo "Setting up Apache HTTP Server"
cp $run_directory_path/scanservjs.conf $apache_sites_directory_path/
a2dissite *
a2ensite scanservjs
a2enmod ssl proxy proxy_http proxy_http2
}
# TODO add a firewall rule to prevent access to http:8080 from other than local
# Only run if the user is root # Only run if the user is root
if [[ $USER != 'root' ]] ; then if [[ $USER != 'root' ]] ; then
echo "You must run this script as root!" echo "You must run this script as root!"
@ -91,20 +113,22 @@ run_directory_path=$(pwd)
# Set parameters # Set parameters
default_hostname='pine64' default_hostname='pine64'
hostname='pn1' hostname='pn1'
fqdn='pn1.kto.black' fqdn='pn1.hr.kto.black'
keymap='fr' keymap='fr'
timezone='Europe/Paris' timezone='Europe/Paris'
deb_apt_default_repo='deb.debian.org' deb_apt_default_repo='deb.debian.org'
deb_apt_repo='ftp.fr.debian.org' deb_apt_repo='ftp.fr.debian.org'
user='alex' user='alex'
scan_user='scan'
scan_user_home_directory="/home/$scan_user"
sync_directory_path="/home/$user/.sync" sync_directory_path="/home/$user/.sync"
systemd_units_path='/etc/systemd/system' systemd_units_path='/etc/systemd/system'
cups_conf_path='/etc/cups' cups_conf_path='/etc/cups'
printscan_container_ip='192.168.0.91'
remote_pubkey_location='https://keys.kto.black' remote_pubkey_location='https://keys.kto.black'
remote_pubkey='home.pub' remote_pubkey='home.pub'
scanservjs_dest='/srv/scanservjs'
tls_directory='/etc/ssl/'
cert='cert.crt'
cert_key='cert.key'
apache_sites_directory_path='/etc/apache2/sites-available'
# Main process # Main process
# You should comment below what you do not want to happen # You should comment below what you do not want to happen
@ -117,13 +141,15 @@ set_cups_conf
set_sane_conf set_sane_conf
rcs_links rcs_links
ssh_pubkey ssh_pubkey
install_scanservjs
tls_cert
set_apache
echo "" echo ""
echo "We're all good here!" echo "We're all good here!"
echo "You should now:" echo "You should now:"
echo "* set $user's password" echo "* set $user's password"
echo "* lock root account" echo "* lock root account"
echo "* remove setup.sh and conf-sync.sh"
echo "* reboot the SBC" echo "* reboot the SBC"
echo "And perhaps:" echo "And perhaps:"
echo "* connect to http://$hostname:631/ and add a printer" echo "* connect to http://$hostname:631/ and add a printer"
@ -132,4 +158,5 @@ echo "* remove password for sudo" # TODO we should automate that, with a flag
echo "* use below commands to edit SSH config:" echo "* use below commands to edit SSH config:"
echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config" echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config" echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
echo "* MIND THAT CONF-SYNC IS NOT SET"
exit 0 exit 0