Compare commits
1 Commits
Author | SHA1 | Date | |
---|---|---|---|
bf3a51500b |
35
README.md
35
README.md
@ -1,28 +1,27 @@
|
|||||||
# Printscan server
|
# Printscan server
|
||||||
## Version 3.1
|
## Version 2 (OBSOLETE)
|
||||||
|
|
||||||
This repository contains files used to set up our printscan server.
|
This repository contains files used to set up our printscan server on a freshly installed Armbian. Confirmed to work
|
||||||
|
with Buster.
|
||||||
|
|
||||||
### Introduction
|
### Introduction
|
||||||
(see wiki for need and concept explanation)
|
(see wiki for need and concept explanation)
|
||||||
|
|
||||||
Version 3.1 implementation works roughly as follows
|
Version 2 implementation works roughly as follows:
|
||||||
##### SBC
|
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB;
|
||||||
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB
|
* SANE and CUPS services are installed and running on the device;
|
||||||
* SANE and CUPS services are installed and running on the device
|
* CUPS is configured to provide a remote printer to network;
|
||||||
* CUPS is configured to provide a remote printer to network
|
* SANE is configured for local use only (default behaviour);
|
||||||
* SANE is configured to provide local scan
|
* An headless X server is activable via [noVNC](https://github.com/novnc/noVNC);
|
||||||
* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan
|
* This X session presents [Simple Scan](https://github.com/GNOME/simple-scan) tool, allowing users to perform scans;
|
||||||
* if you need adjustments (as in https://github.com/sbs20/scanservjs/blob/master/docs/10-configuration.md), first do:
|
* The resulted document is automatically uploaded to Kloud, in a temporary directory;
|
||||||
* `sudo ln -s /usr/share/webapps/scanservjs /usr/lib/scanservjs`
|
* Every night, the directory from previous day is removed from Kloud.
|
||||||
|
|
||||||
### Files
|
### Files
|
||||||
Files in this repository cover only the server setup. SBC setup is now handled by `armbian-setup`
|
|
||||||
#### Installation
|
#### Installation
|
||||||
* `setup.sh` is a script automating the installation and configuration of required software
|
* `setup.sh` is a script automating the installation and configuration of required software
|
||||||
* `cupsd.conf` is the config file for CUPS, set by setup script
|
#### Run
|
||||||
* `scanservjs.conf` is an Apache HTTP vhost file for scanservjs
|
* `novnc.service`, `vnc.socket` and `vnc@.service` manage the headless X session
|
||||||
* `printers.conf.pi2last` is the last known working CUPS printers configuration which allowed to share HP printer
|
* `scan.mount` configures a tmpfs at boot where to store scanned documents before they're sent to Kloud
|
||||||
|
* `scan-to-cloud.{sh,service,path}` trigger and manage the upload to Kloud
|
||||||
### TODO
|
* `clean-cloud.{sh,service,timer}` trigger and manage the removal of previous directory from Kloud
|
||||||
* Add a firewall rule to block access to port 8080
|
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
<VirtualHost *:443>
|
|
||||||
ServerName printscan
|
|
||||||
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile "/etc/ssl/cert.crt"
|
|
||||||
SSLCertificateKeyFile "/etc/ssl/cert.key"
|
|
||||||
|
|
||||||
<Location />
|
|
||||||
ProxyPass "http://127.0.0.1:8080/"
|
|
||||||
ProxyPassReverse "http://127.0.0.1:8080/"
|
|
||||||
</Location>
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
7
clean-cloud.service
Normal file
7
clean-cloud.service
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Clean remote dropbox
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User=scan
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/home/scan/.sync/clean-cloud.sh
|
25
clean-cloud.sh
Normal file
25
clean-cloud.sh
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# The purpose of this script is to automatically empty our remote sandbox.
|
||||||
|
# This script is not to be run as root, rather as the user responsible for scanning.
|
||||||
|
|
||||||
|
# Only run if the user is not root
|
||||||
|
if [[ $USER = 'root' ]] ; then
|
||||||
|
echo "You must not run this script as root!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set parameters
|
||||||
|
remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
|
||||||
|
remote_user='scan'
|
||||||
|
remote_passwd='rB2TgFpNXk3BbZ44'
|
||||||
|
subdirectories_prefix='scans'
|
||||||
|
|
||||||
|
yesterday=$(date -d "-1 days" +"%Y%m%d")
|
||||||
|
today=$(date +"%Y%m%d")
|
||||||
|
|
||||||
|
curl -s -u $remote_user:$remote_passwd -X DELETE $remote_path/$subdirectories_prefix-$yesterday
|
||||||
|
curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
|
||||||
|
|
||||||
|
echo "Cleaning done."
|
||||||
|
exit 0
|
9
clean-cloud.timer
Normal file
9
clean-cloud.timer
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Run clean-cloud regularly
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
OnCalendar=*-*-* 02:00:00
|
||||||
|
Persistent=true
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
102
cupsd.conf
102
cupsd.conf
@ -1,102 +0,0 @@
|
|||||||
LogLevel debug
|
|
||||||
PageLogFormat
|
|
||||||
MaxLogSize 0
|
|
||||||
# Allow remote access
|
|
||||||
Port 631
|
|
||||||
Listen /var/run/cups/cups.sock
|
|
||||||
Browsing On
|
|
||||||
BrowseLocalProtocols dnssd
|
|
||||||
DefaultAuthType Basic
|
|
||||||
WebInterface Yes
|
|
||||||
<Location />
|
|
||||||
# Allow remote administration...
|
|
||||||
Order allow,deny
|
|
||||||
Allow @LOCAL
|
|
||||||
</Location>
|
|
||||||
<Location /admin>
|
|
||||||
# Allow remote administration...
|
|
||||||
Order allow,deny
|
|
||||||
Allow @LOCAL
|
|
||||||
</Location>
|
|
||||||
<Location /admin/conf>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
# Allow remote access to the configuration files...
|
|
||||||
Order allow,deny
|
|
||||||
Allow @LOCAL
|
|
||||||
</Location>
|
|
||||||
<Location /admin/log>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
Order allow,deny
|
|
||||||
# Allow remote access to the log files...
|
|
||||||
Order allow,deny
|
|
||||||
Allow @LOCAL
|
|
||||||
</Location>
|
|
||||||
<Policy default>
|
|
||||||
JobPrivateAccess default
|
|
||||||
JobPrivateValues default
|
|
||||||
SubscriptionPrivateAccess default
|
|
||||||
SubscriptionPrivateValues default
|
|
||||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
|
||||||
Require user @OWNER @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
|
||||||
Require user @OWNER @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit All>
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
</Policy>
|
|
||||||
<Policy authenticated>
|
|
||||||
JobPrivateAccess default
|
|
||||||
JobPrivateValues default
|
|
||||||
SubscriptionPrivateAccess default
|
|
||||||
SubscriptionPrivateValues default
|
|
||||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
|
||||||
AuthType Default
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
|
||||||
AuthType Default
|
|
||||||
Require user @OWNER @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
|
||||||
AuthType Default
|
|
||||||
Require user @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
|
||||||
AuthType Default
|
|
||||||
Require user @OWNER @SYSTEM
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
<Limit All>
|
|
||||||
Order deny,allow
|
|
||||||
</Limit>
|
|
||||||
</Policy>
|
|
||||||
JobPrivateAccess default
|
|
||||||
JobPrivateValues default
|
|
||||||
SubscriptionPrivateAccess default
|
|
||||||
SubscriptionPrivateValues default
|
|
10
novnc.service
Normal file
10
novnc.service
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=noVNC proxy with Websockify
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User=scan
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/bin/websockify --ssl-only --cert /etc/ssl/cert.crt --key /etc/ssl/cert.key --web /usr/share/novnc 8080 localhost:5900
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
@ -1,24 +0,0 @@
|
|||||||
# Printer configuration file for CUPS v2.4.1
|
|
||||||
# Written by cupsd
|
|
||||||
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
|
|
||||||
NextPrinterId 2
|
|
||||||
<Printer Deskjet>
|
|
||||||
PrinterId 1
|
|
||||||
UUID urn:uuid:e05e1e4c-fd3d-38e2-5d3b-596903a56af4
|
|
||||||
Info HP Deskjet 2050 J510 series
|
|
||||||
Location
|
|
||||||
MakeModel HP Deskjet 2050 j510 Series, hpcups 3.21.12
|
|
||||||
DeviceURI hp:/usb/Deskjet_2050_J510_series?serial=CN22T184ZP05QV
|
|
||||||
State Idle
|
|
||||||
StateTime 1723482301
|
|
||||||
ConfigTime 1720358534
|
|
||||||
Type 36876
|
|
||||||
Accepting Yes
|
|
||||||
Shared Yes
|
|
||||||
JobSheets none none
|
|
||||||
QuotaPeriod 0
|
|
||||||
PageLimit 0
|
|
||||||
KLimit 0
|
|
||||||
OpPolicy default
|
|
||||||
ErrorPolicy retry-job
|
|
||||||
</Printer>
|
|
8
scan-to-cloud.path
Normal file
8
scan-to-cloud.path
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Run scan-to-cloud when a new document is scanned
|
||||||
|
|
||||||
|
[Path]
|
||||||
|
DirectoryNotEmpty=/scan
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=paths.target
|
7
scan-to-cloud.service
Normal file
7
scan-to-cloud.service
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Upload scanned document to dropbox
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User=scan
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/home/scan/.sync/scan-to-cloud.sh
|
33
scan-to-cloud.sh
Normal file
33
scan-to-cloud.sh
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# The purpose of this script is to automaticaly upload scanned documents to a remote dropbox.
|
||||||
|
# This script is not to be run as root, rather as the user responsible for scanning.
|
||||||
|
|
||||||
|
# Only run if the user is not root
|
||||||
|
if [[ $USER = 'root' ]] ; then
|
||||||
|
echo "You must not run this script as root!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set parameters
|
||||||
|
scan_directory='/scan'
|
||||||
|
remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
|
||||||
|
remote_user='scan'
|
||||||
|
remote_passwd='rB2TgFpNXk3BbZ44'
|
||||||
|
subdirectories_prefix='scans'
|
||||||
|
|
||||||
|
today=$(date +"%Y%m%d")
|
||||||
|
|
||||||
|
# The script is executed a bit too early, so we need to wait a few seconds.
|
||||||
|
sleep 5s
|
||||||
|
|
||||||
|
for filename in $scan_directory/*; do
|
||||||
|
#echo "Creating today's directory..." # I'd like to remove these 2 lines
|
||||||
|
#curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
|
||||||
|
echo "Uploading $filename..."
|
||||||
|
curl -s -u $remote_user:$remote_passwd -T "$filename" $remote_path/$subdirectories_prefix-$today/
|
||||||
|
rm "$filename"
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "Upload done."
|
||||||
|
exit 0
|
11
scan.mount
Normal file
11
scan.mount
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=tmpfs for scanned documents
|
||||||
|
|
||||||
|
[Mount]
|
||||||
|
What=tmpfs
|
||||||
|
Where=/scan
|
||||||
|
Type=tmpfs
|
||||||
|
Options=noatime,uid=1001,gid=1001
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
@ -1,12 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
if [[ $user != 'root' ]]; then
|
|
||||||
sudo="sudo"
|
|
||||||
else
|
|
||||||
sudo=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Installing scanservjs directly from GitHub..."
|
|
||||||
curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
|
|
||||||
|
|
||||||
exit 0
|
|
206
setup.sh
Executable file → Normal file
206
setup.sh
Executable file → Normal file
@ -1,69 +1,163 @@
|
|||||||
#!/usr/bin/env bash
|
#!/bin/bash
|
||||||
|
|
||||||
run_directory=$(dirname $(readlink -f "$0"))
|
# The purpose of this script is to setup our print-scan server on a blank Armbian.
|
||||||
user=$(whoami)
|
# This script is to be run as root.
|
||||||
|
|
||||||
if [[ $user != 'root' ]]; then
|
# (Keep in mind that default root password is 1234)
|
||||||
sudo="sudo"
|
# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
|
||||||
else
|
|
||||||
sudo=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
distro=$(lsb_release -si)
|
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
|
||||||
|
|
||||||
# TODO if Arch
|
# Functions
|
||||||
if [[ $distro == "Debian" ]]; then
|
init() {
|
||||||
|
echo "Starting initialization"
|
||||||
|
echo $fqdn > /etc/hostname
|
||||||
|
sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
|
||||||
|
localectl set-keymap $keymap
|
||||||
|
timedatectl set-timezone $timezone
|
||||||
|
systemctl disable apt-daily-upgrade.timer
|
||||||
|
}
|
||||||
|
|
||||||
|
install_packages() {
|
||||||
|
echo "Starting packages installation"
|
||||||
|
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
|
||||||
|
apt update
|
||||||
|
apt upgrade -y
|
||||||
|
apt install -y vim tree tmux neofetch simple-scan sane hplip novnc x11vnc xvfb xinit libglib2.0-bin dbus-x11
|
||||||
|
}
|
||||||
|
|
||||||
|
add_users() {
|
||||||
|
echo "Adding users"
|
||||||
|
useradd -U -G sudo,lpadmin -m -s /bin/bash $user
|
||||||
|
chmod 700 /home/$user
|
||||||
|
useradd -U -G scanner,lp -m -s /sbin/nologin $scan_user
|
||||||
|
chmod 700 /home/$scan_user
|
||||||
|
}
|
||||||
|
|
||||||
|
get_conf() {
|
||||||
|
echo "Getting configuration"
|
||||||
|
sudo -H -u $user mkdir $sync_directory_path
|
||||||
|
cp $run_directory_path/conf-sync.sh $sync_directory_path/
|
||||||
|
chown $user:$user $sync_directory_path/conf-sync.sh
|
||||||
|
sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
|
||||||
|
sudo -H -u $user $sync_directory_path/conf-sync.sh
|
||||||
|
}
|
||||||
|
|
||||||
|
set_conf() {
|
||||||
|
echo "Setting configuration"
|
||||||
|
sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
|
||||||
|
ln -s $sync_directory_path/*.service $systemd_units_path/
|
||||||
|
ln -s $sync_directory_path/*.timer $systemd_units_path/
|
||||||
|
ln -s $sync_directory_path/*.socket $systemd_units_path/
|
||||||
|
ln -s $sync_directory_path/*.mount $systemd_units_path/
|
||||||
|
ln -s $sync_directory_path/*.path $systemd_units_path/
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable novnc.service vnc.socket conf-sync.timer clean-cloud.timer scan.mount #scan-to-cloud.path
|
||||||
|
}
|
||||||
|
|
||||||
|
set_scan_conf() {
|
||||||
|
echo "Setting scan configuration"
|
||||||
|
sudo -H -u $scan_user sh -c "echo 'simple-scan' > $scan_user_home_directory/.xinitrc" # TODO this should be done another way
|
||||||
|
touch $passwd_file
|
||||||
|
chown $scan_user:$scan_user $passwd_file
|
||||||
|
sudo -H -u $scan_user x11vnc -storepasswd $vnc_passwd $passwd_file
|
||||||
|
touch $x11vnc_logfile
|
||||||
|
chown $scan_user:$scan_user $x11vnc_logfile
|
||||||
|
mkdir $scan_tmpfs
|
||||||
|
chown $scan_user:$scan_user $scan_tmpfs
|
||||||
|
sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-height 2970 # those don't work
|
||||||
|
sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-width 2100
|
||||||
|
sudo -H -u $scan_user gsettings set org.gnome.SimpleScan save-directory $scan_tmpfs
|
||||||
|
cp $novnc_webroot/vnc.html $novnc_webroot/index.html
|
||||||
|
}
|
||||||
|
|
||||||
|
set_cups_conf() {
|
||||||
echo "Setting CUPS configuration"
|
echo "Setting CUPS configuration"
|
||||||
$sudo mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.orig
|
mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
|
||||||
$sudo cp $run_directory/cupsd.conf /etc/cups/cupsd.conf
|
ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
|
||||||
else
|
}
|
||||||
echo "TODO: Edit cupsd.conf so as to allow remote access (see Arch wiki)."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $distro == "Debian" ]]; then
|
rcs_links() {
|
||||||
echo "Installing scanservjs directly from GitHub..."
|
echo "Linking rcs"
|
||||||
curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
|
rm /home/$user/.bashrc
|
||||||
fi
|
rm /root/.bashrc
|
||||||
if [[ $distro == "Arch" ]]; then
|
sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
|
||||||
echo "Starting and enabling scanservjs..."
|
ln -s /home/$user/.bashrc /root/.bashrc
|
||||||
$sudo systemctl enable --now scanservjs.service
|
sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
|
||||||
fi
|
ln -s /home/$user/.vimrc /root/.vimrc
|
||||||
|
}
|
||||||
|
|
||||||
|
ssh_pubkey() {
|
||||||
|
echo "Getting SSH public key"
|
||||||
|
sudo -H -u $user mkdir /home/$user/.ssh
|
||||||
|
sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
|
||||||
|
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
|
||||||
|
}
|
||||||
|
|
||||||
|
tls_cert() {
|
||||||
echo "Generating TLS certificate"
|
echo "Generating TLS certificate"
|
||||||
$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out /etc/ssl/cert.crt -keyout /etc/ssl/cert.key \
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $tls_directory/$cert -keyout $tls_directory/$cert_key -subj "/C=/ST=/L=/O=/OU=/CN="
|
||||||
-subj "/C=/ST=/L=/O=/OU=/CN="
|
chmod o+r $tls_directory/$cert_key
|
||||||
$sudo chmod o+r /etc/ssl/cert.key
|
}
|
||||||
|
|
||||||
echo "Setting up Apache HTTP Server"
|
# Only run if the user is root
|
||||||
if [[ $distro == "Arch" ]]; then
|
if [[ $USER != 'root' ]] ; then
|
||||||
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/apache2/sites-available/scanservjs.conf
|
echo "You must run this script as root!"
|
||||||
$sudo a2dissite 000-default
|
exit 1
|
||||||
$sudo a2ensite scanservjs
|
|
||||||
$sudo a2enmod ssl proxy proxy_http proxy_http2
|
|
||||||
fi
|
|
||||||
if [[ $distro == "Arch" ]]; then
|
|
||||||
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/httpd/conf/scanservjs.conf
|
|
||||||
$sudo sed -i -e "s/#ServerName www.example.com:80/#ServerName www.example.com:80\nServerName mn2.hr.kto.black/g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule ssl_module modules/mod_ssl.so:LoadModule ssl_module modules/mod_ssl.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s/Listen 80/Listen 443/g" /etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule proxy_module modules/mod_proxy.so:LoadModule proxy_module modules/mod_proxy.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule proxy_http_module modules/mod_proxy_http.so:LoadModule proxy_http_module modules/mod_proxy_http.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo sed -i -e "s:#LoadModule watchdog_module modules/mod_watchdog.so:LoadModule watchdog_module modules/mod_watchdog.so:g" \
|
|
||||||
/etc/httpd/conf/httpd.conf
|
|
||||||
$sudo bash -c 'echo "Include conf/scanservjs.conf" >> /etc/httpd/conf/httpd.conf'
|
|
||||||
$sudo systemctl enable --now httpd.service
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# TODO add a firewall rule to prevent access to http:8080 from other than local
|
run_directory_path=$(pwd)
|
||||||
|
|
||||||
|
# Set parameters
|
||||||
|
default_hostname='pine64'
|
||||||
|
hostname='pn1'
|
||||||
|
fqdn='pn1.kto.black'
|
||||||
|
keymap='fr'
|
||||||
|
timezone='Europe/Paris'
|
||||||
|
deb_apt_default_repo='httpredir.debian.org'
|
||||||
|
deb_apt_repo='ftp.fr.debian.org'
|
||||||
|
user='alex'
|
||||||
|
scan_user='scan'
|
||||||
|
scan_user_home_directory="/home/$scan_user"
|
||||||
|
sync_directory_path="/home/$user/.sync"
|
||||||
|
systemd_units_path='/etc/systemd/system'
|
||||||
|
cups_conf_path='/etc/cups'
|
||||||
|
vnc_passwd='windows'
|
||||||
|
passwd_file='/etc/passwdd'
|
||||||
|
x11vnc_logfile='/var/log/x11vnc.log'
|
||||||
|
scan_tmpfs='/scan'
|
||||||
|
novnc_webroot='/usr/share/novnc'
|
||||||
|
remote_pubkey_location='https://keys.kto.black'
|
||||||
|
remote_pubkey='home.pub'
|
||||||
|
tls_directory='/etc/ssl/'
|
||||||
|
cert='cert.crt'
|
||||||
|
cert_key='cert.key'
|
||||||
|
|
||||||
|
# Main process
|
||||||
|
# You should comment below what you do not want to happen
|
||||||
|
init
|
||||||
|
install_packages
|
||||||
|
add_users
|
||||||
|
get_conf
|
||||||
|
set_conf
|
||||||
|
set_scan_conf
|
||||||
|
set_cups_conf
|
||||||
|
rcs_links
|
||||||
|
ssh_pubkey
|
||||||
|
tls_cert
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "We're all good here!"
|
||||||
|
echo "You should now:"
|
||||||
|
echo "* set $user's password"
|
||||||
|
echo "* lock root account"
|
||||||
|
echo "* remove setup.sh"
|
||||||
|
echo "* reboot the SBC"
|
||||||
|
echo "And perhaps:"
|
||||||
|
echo "* connect to http://$hostname:631/ and add a printer"
|
||||||
|
echo "* set htop at your convenience"
|
||||||
|
echo "* remove password for sudo" # TODO we should automate that, with a flag
|
||||||
|
echo "* use below commands to edit SSH config:"
|
||||||
|
echo "sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||||
|
echo "sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||||
exit 0
|
exit 0
|
||||||
|
10
vnc.socket
Normal file
10
vnc.socket
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=VNC incoming socket
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
ListenStream=127.0.0.1:5900
|
||||||
|
Accept=yes
|
||||||
|
MaxConnections=5
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
14
vnc@.service
Normal file
14
vnc@.service
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
# VNC password should be set in /etc/passwdd
|
||||||
|
# TODO we still need to handle session termination
|
||||||
|
|
||||||
|
[Unit]
|
||||||
|
Description=Specific x11vnc session
|
||||||
|
OnFailure=scan-to-cloud.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User=scan
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/bin/x11vnc -once -create -localhost -inetd -bg -o /var/log/x11vnc.log -rfbauth /etc/passwdd
|
||||||
|
#ExecStop=/usr/bin/x11vnc -R stop # TODO test that, unless it prevents OnFailure from working
|
||||||
|
StandardInput=socket
|
||||||
|
StandardError=syslog
|
Loading…
Reference in New Issue
Block a user