Set version number to 3.0

README.md

@@ -1,28 +1,23 @@
 # Printscan server
-## Version 3.1
+## Version 3.0
 
-This repository contains files used to set up our printscan server.
+This repository contains files used to set up our printscan server on a freshly installed Armbian. Target is Bullseye.
 
 ### Introduction
 (see wiki for need and concept explanation)
 
-Version 3.1 implementation works roughly as follows
+Version 3.0 implementation works roughly as follows:
 ##### SBC
-* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB
-* SANE and CUPS services are installed and running on the device
-* CUPS is configured to provide a remote printer to network
-* SANE is configured to provide local scan
-* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan
-  * if you need adjustments (as in https://github.com/sbs20/scanservjs/blob/master/docs/10-configuration.md), first do:
-  * `sudo ln -s /usr/share/webapps/scanservjs /usr/lib/scanservjs`
+* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB;
+* SANE and CUPS services are installed and running on the device;
+* CUPS is configured to provide a remote printer to network;
+* SANE is configured to provide network scan to a specific host only.
+
+##### Applicative container
+* this specific host is an applicative container running [scanservjs](https://github.com/sbs20/scanservjs);
+* it is configured to use the scanner provided by the SBC.
 
 ### Files
-Files in this repository cover only the server setup. SBC setup is now handled by `armbian-setup`
+Files in this repository only cover the SBC setup.
 #### Installation
 * `setup.sh` is a script automating the installation and configuration of required software
-* `cupsd.conf` is the config file for CUPS, set by setup script
-* `scanservjs.conf` is an Apache HTTP vhost file for scanservjs
-* `printers.conf.pi2last` is the last known working CUPS printers configuration which allowed to share HP printer
-
-### TODO
-* Add a firewall rule to block access to port 8080

apache-sites/scanservjs.conf

@@ -1,13 +0,0 @@
-<VirtualHost *:443>
-  ServerName printscan
-
-  SSLEngine on
-  SSLCertificateFile "/etc/ssl/cert.crt"
-  SSLCertificateKeyFile "/etc/ssl/cert.key"
-
-  <Location />
-    ProxyPass "http://127.0.0.1:8080/"
-    ProxyPassReverse "http://127.0.0.1:8080/"
-  </Location>
-</VirtualHost>
-

cupsd.conf

@@ -1,102 +0,0 @@
-LogLevel debug
-PageLogFormat
-MaxLogSize 0
-# Allow remote access
-Port 631
-Listen /var/run/cups/cups.sock
-Browsing On
-BrowseLocalProtocols dnssd
-DefaultAuthType Basic
-WebInterface Yes
-<Location />
-  # Allow remote administration...
-  Order allow,deny
-  Allow @LOCAL
-</Location>
-<Location /admin>
-  # Allow remote administration...
-  Order allow,deny
-  Allow @LOCAL
-</Location>
-<Location /admin/conf>
-  AuthType Default
-  Require user @SYSTEM
-  # Allow remote access to the configuration files...
-  Order allow,deny
-  Allow @LOCAL
-</Location>
-<Location /admin/log>
-  AuthType Default
-  Require user @SYSTEM
-  Order allow,deny
-  # Allow remote access to the log files...
-  Order allow,deny
-  Allow @LOCAL
-</Location>
-<Policy default>
-  JobPrivateAccess default
-  JobPrivateValues default
-  SubscriptionPrivateAccess default
-  SubscriptionPrivateValues default
-  <Limit Create-Job Print-Job Print-URI Validate-Job>
-    Order deny,allow
-  </Limit>
-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit Cancel-Job CUPS-Authenticate-Job>
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit All>
-    Order deny,allow
-  </Limit>
-</Policy>
-<Policy authenticated>
-  JobPrivateAccess default
-  JobPrivateValues default
-  SubscriptionPrivateAccess default
-  SubscriptionPrivateValues default
-  <Limit Create-Job Print-Job Print-URI Validate-Job>
-    AuthType Default
-    Order deny,allow
-  </Limit>
-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
-    AuthType Default
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit Cancel-Job CUPS-Authenticate-Job>
-    AuthType Default
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-  <Limit All>
-    Order deny,allow
-  </Limit>
-</Policy>
-JobPrivateAccess default
-JobPrivateValues default
-SubscriptionPrivateAccess default
-SubscriptionPrivateValues default

printers.conf.pi2last

@@ -1,24 +0,0 @@
-# Printer configuration file for CUPS v2.4.1
-# Written by cupsd
-# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
-NextPrinterId 2
-<Printer Deskjet>
-PrinterId 1
-UUID urn:uuid:e05e1e4c-fd3d-38e2-5d3b-596903a56af4
-Info HP Deskjet 2050 J510 series
-Location 
-MakeModel HP Deskjet 2050 j510 Series, hpcups 3.21.12
-DeviceURI hp:/usb/Deskjet_2050_J510_series?serial=CN22T184ZP05QV
-State Idle
-StateTime 1723482301
-ConfigTime 1720358534
-Type 36876
-Accepting Yes
-Shared Yes
-JobSheets none none
-QuotaPeriod 0
-PageLimit 0
-KLimit 0
-OpPolicy default
-ErrorPolicy retry-job
-</Printer>

scanservjs-update.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-if [[ $user != 'root' ]]; then
-  sudo="sudo"
-else
-  sudo=""
-fi
-
-echo "Installing scanservjs directly from GitHub..."
-curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
-
-exit 0

setup.sh

@@ -1,69 +1,135 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
-run_directory=$(dirname $(readlink -f "$0"))
-user=$(whoami)
+# The purpose of this script is to setup our print-scan server on a blank Armbian.
+# This script is to be run as root.
 
-if [[ $user != 'root' ]]; then
-  sudo="sudo"
-else
-  sudo=""
-fi
+# (Keep in mind that default root password is 1234)
+# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
 
-distro=$(lsb_release -si)
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
 
-# TODO if Arch
-if [[ $distro == "Debian" ]]; then
+# Functions
+init() {
+  echo "Starting initialization"
+  echo $fqdn > /etc/hostname
+  sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
+  localectl set-keymap $keymap
+  timedatectl set-timezone $timezone
+  systemctl disable apt-daily-upgrade.timer
+}
+
+install_packages() {
+  echo "Starting packages installation"
+  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
+  apt update
+  apt upgrade -y
+  apt install -y vim tree tmux neofetch sane sane-utils hplip
+}
+
+add_users() {
+  echo "Adding users"
+  useradd -U -G sudo,lpadmin -m -s /bin/bash $user
+  chmod 700 /home/$user
+  usermod -a -G lp saned
+}
+
+get_conf() {
+  echo "Getting configuration"
+  sudo -H -u $user mkdir $sync_directory_path
+  cp $run_directory_path/conf-sync.sh $sync_directory_path/
+  chown $user:$user $sync_directory_path/conf-sync.sh
+  sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
+  sudo -H -u $user $sync_directory_path/conf-sync.sh
+}
+
+set_conf() {
+  echo "Setting configuration"
+  ln -s $sync_directory_path/conf-sync-server.timer $systemd_units_path/conf-sync.timer
+  ln -s $sync_directory_path/*.service $systemd_units_path/
+  systemctl daemon-reload
+  systemctl enable conf-sync.timer
+}
+
+set_cups_conf() {
   echo "Setting CUPS configuration"
-  $sudo mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.orig
-  $sudo cp $run_directory/cupsd.conf /etc/cups/cupsd.conf
-else
-  echo "TODO: Edit cupsd.conf so as to allow remote access (see Arch wiki)."
+  mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
+  ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
+}
+
+set_sane_conf() {
+  echo $printscan_container_ip >> /etc/sane.d/saned.conf
+  systemctl enable saned.socket
+}
+
+rcs_links() {
+  echo "Linking rcs"
+  rm /home/$user/.bashrc
+  rm /root/.bashrc
+  sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
+  ln -s /home/$user/.bashrc /root/.bashrc
+  sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
+  ln -s /home/$user/.vimrc /root/.vimrc
+  sudo -H -u $user ln -s $sync_directory_path/tmux.conf /home/$user/.tmux.conf
+  ln -s /home/$user/.tmux.conf /root/.tmux.conf
+}
+
+ssh_pubkey() {
+  echo "Getting SSH public key"
+  sudo -H -u $user mkdir /home/$user/.ssh
+  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
+  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
+}
+
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+  echo "You must run this script as root!"
+  exit 1
 fi
 
-if [[ $distro == "Debian" ]]; then
-  echo "Installing scanservjs directly from GitHub..."
-  curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
-fi
-if [[ $distro == "Arch" ]]; then
-  echo "Starting and enabling scanservjs..."
-  $sudo systemctl enable --now scanservjs.service
-fi
+run_directory_path=$(pwd)
 
-echo "Generating TLS certificate"
-$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out /etc/ssl/cert.crt -keyout /etc/ssl/cert.key \
-  -subj "/C=/ST=/L=/O=/OU=/CN="
-$sudo chmod o+r /etc/ssl/cert.key
+# Set parameters
+default_hostname='pine64'
+hostname='pn1'
+fqdn='pn1.kto.black'
+keymap='fr'
+timezone='Europe/Paris'
+deb_apt_default_repo='deb.debian.org'
+deb_apt_repo='ftp.fr.debian.org'
+user='alex'
+scan_user='scan'
+scan_user_home_directory="/home/$scan_user"
+sync_directory_path="/home/$user/.sync"
+systemd_units_path='/etc/systemd/system'
+cups_conf_path='/etc/cups'
+printscan_container_ip='192.168.0.91'
+remote_pubkey_location='https://keys.kto.black'
+remote_pubkey='home.pub'
 
-echo "Setting up Apache HTTP Server"
-if [[ $distro == "Arch" ]]; then
-  $sudo cp $run_directory/apache-sites/scanservjs.conf /etc/apache2/sites-available/scanservjs.conf
-  $sudo a2dissite 000-default
-  $sudo a2ensite scanservjs
-  $sudo a2enmod ssl proxy proxy_http proxy_http2
-fi
-if [[ $distro == "Arch" ]]; then
-  $sudo cp $run_directory/apache-sites/scanservjs.conf /etc/httpd/conf/scanservjs.conf
-  $sudo sed -i -e "s/#ServerName www.example.com:80/#ServerName www.example.com:80\nServerName mn2.hr.kto.black/g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule ssl_module modules/mod_ssl.so:LoadModule ssl_module modules/mod_ssl.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s/Listen 80/Listen 443/g" /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule proxy_module modules/mod_proxy.so:LoadModule proxy_module modules/mod_proxy.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule proxy_http_module modules/mod_proxy_http.so:LoadModule proxy_http_module modules/mod_proxy_http.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo sed -i -e "s:#LoadModule watchdog_module modules/mod_watchdog.so:LoadModule watchdog_module modules/mod_watchdog.so:g" \
-    /etc/httpd/conf/httpd.conf
-  $sudo bash -c 'echo "Include conf/scanservjs.conf" >> /etc/httpd/conf/httpd.conf'
-  $sudo systemctl enable --now httpd.service
-fi
-
-# TODO add a firewall rule to prevent access to http:8080 from other than local
+# Main process
+# You should comment below what you do not want to happen
+init
+install_packages
+add_users
+get_conf
+set_conf
+set_cups_conf
+set_sane_conf
+rcs_links
+ssh_pubkey
 
+echo ""
+echo "We're all good here!"
+echo "You should now:"
+echo "* set $user's password"
+echo "* lock root account"
+echo "* remove setup.sh and conf-sync.sh"
+echo "* reboot the SBC"
+echo "And perhaps:"
+echo "* connect to http://$hostname:631/ and add a printer"
+echo "* set htop at your convenience"
+echo "* remove password for sudo" # TODO we should automate that, with a flag
+echo "* use below commands to edit SSH config:"
+echo "    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
+echo "    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
 exit 0