Add printers.conf.pi2last

README.md

@@ -1,27 +1,28 @@
 # Printscan server
-## Version 2 (OBSOLETE)
+## Version 3.1
 
-This repository contains files used to set up our printscan server on a freshly installed Armbian. Confirmed to work
+This repository contains files used to set up our printscan server.
-with Buster.
 
 ### Introduction
 (see wiki for need and concept explanation)
 
-Version 2 implementation works roughly as follows:
+Version 3.1 implementation works roughly as follows
-* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB;
+##### SBC
-* SANE and CUPS services are installed and running on the device;
+* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB
-* CUPS is configured to provide a remote printer to network;
+* SANE and CUPS services are installed and running on the device
-* SANE is configured for local use only (default behaviour);
+* CUPS is configured to provide a remote printer to network
-* An headless X server is activable via [noVNC](https://github.com/novnc/noVNC);
+* SANE is configured to provide local scan
-* This X session presents [Simple Scan](https://github.com/GNOME/simple-scan) tool, allowing users to perform scans;
+* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan
-* The resulted document is automatically uploaded to Kloud, in a temporary directory;
+  * if you need adjustments (as in https://github.com/sbs20/scanservjs/blob/master/docs/10-configuration.md), first do:
-* Every night, the directory from previous day is removed from Kloud.
+  * `sudo ln -s /usr/share/webapps/scanservjs /usr/lib/scanservjs`
 
 ### Files
+Files in this repository cover only the server setup. SBC setup is now handled by `armbian-setup`
 #### Installation
 * `setup.sh` is a script automating the installation and configuration of required software
-#### Run
+* `cupsd.conf` is the config file for CUPS, set by setup script
-* `novnc.service`, `vnc.socket` and `vnc@.service` manage the headless X session
+* `scanservjs.conf` is an Apache HTTP vhost file for scanservjs
-* `scan.mount` configures a tmpfs at boot where to store scanned documents before they're sent to Kloud
+* `printers.conf.pi2last` is the last known working CUPS printers configuration which allowed to share HP printer
-* `scan-to-cloud.{sh,service,path}` trigger and manage the upload to Kloud
+
-* `clean-cloud.{sh,service,timer}` trigger and manage the removal of previous directory from Kloud
+### TODO
+* Add a firewall rule to block access to port 8080

apache-sites/scanservjs.conf

@@ -0,0 +1,13 @@
+<VirtualHost *:443>
+  ServerName printscan
+
+  SSLEngine on
+  SSLCertificateFile "/etc/ssl/cert.crt"
+  SSLCertificateKeyFile "/etc/ssl/cert.key"
+
+  <Location />
+    ProxyPass "http://127.0.0.1:8080/"
+    ProxyPassReverse "http://127.0.0.1:8080/"
+  </Location>
+</VirtualHost>
+

clean-cloud.service

@@ -1,7 +0,0 @@
-[Unit]
-Description=Clean remote dropbox
-
-[Service]
-User=scan
-Type=oneshot
-ExecStart=/home/scan/.sync/clean-cloud.sh

clean-cloud.sh

@@ -1,25 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to automatically empty our remote sandbox.
-# This script is not to be run as root, rather as the user responsible for scanning.
-
-# Only run if the user is not root
-if [[ $USER = 'root' ]] ; then
-  echo "You must not run this script as root!"
-  exit 1
-fi
-
-# Set parameters
-remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
-remote_user='scan'
-remote_passwd='rB2TgFpNXk3BbZ44'
-subdirectories_prefix='scans'
-
-yesterday=$(date -d "-1 days" +"%Y%m%d")
-today=$(date +"%Y%m%d")
-
-curl -s -u $remote_user:$remote_passwd -X DELETE $remote_path/$subdirectories_prefix-$yesterday
-curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
-
-echo "Cleaning done."
-exit 0

clean-cloud.timer

@@ -1,9 +0,0 @@
-[Unit]
-Description=Run clean-cloud regularly
-
-[Timer]
-OnCalendar=*-*-* 02:00:00
-Persistent=true
-
-[Install]
-WantedBy=timers.target

cupsd.conf

@@ -0,0 +1,102 @@
+LogLevel debug
+PageLogFormat
+MaxLogSize 0
+# Allow remote access
+Port 631
+Listen /var/run/cups/cups.sock
+Browsing On
+BrowseLocalProtocols dnssd
+DefaultAuthType Basic
+WebInterface Yes
+<Location />
+  # Allow remote administration...
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Location /admin>
+  # Allow remote administration...
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  # Allow remote access to the configuration files...
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  # Allow remote access to the log files...
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy authenticated>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+JobPrivateAccess default
+JobPrivateValues default
+SubscriptionPrivateAccess default
+SubscriptionPrivateValues default

novnc.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=noVNC proxy with Websockify
-
-[Service]
-User=scan
-Type=simple
-ExecStart=/usr/bin/websockify --ssl-only --cert /etc/ssl/cert.crt --key /etc/ssl/cert.key  --web /usr/share/novnc 8080 localhost:5900
-
-[Install]
-WantedBy=default.target

printers.conf.pi2last

@@ -0,0 +1,24 @@
+# Printer configuration file for CUPS v2.4.1
+# Written by cupsd
+# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
+NextPrinterId 2
+<Printer Deskjet>
+PrinterId 1
+UUID urn:uuid:e05e1e4c-fd3d-38e2-5d3b-596903a56af4
+Info HP Deskjet 2050 J510 series
+Location 
+MakeModel HP Deskjet 2050 j510 Series, hpcups 3.21.12
+DeviceURI hp:/usb/Deskjet_2050_J510_series?serial=CN22T184ZP05QV
+State Idle
+StateTime 1723482301
+ConfigTime 1720358534
+Type 36876
+Accepting Yes
+Shared Yes
+JobSheets none none
+QuotaPeriod 0
+PageLimit 0
+KLimit 0
+OpPolicy default
+ErrorPolicy retry-job
+</Printer>

scan-to-cloud.path

@@ -1,8 +0,0 @@
-[Unit]
-Description=Run scan-to-cloud when a new document is scanned
-
-[Path]
-DirectoryNotEmpty=/scan
-
-[Install]
-WantedBy=paths.target

scan-to-cloud.service

@@ -1,7 +0,0 @@
-[Unit]
-Description=Upload scanned document to dropbox
-
-[Service]
-User=scan
-Type=oneshot
-ExecStart=/home/scan/.sync/scan-to-cloud.sh

scan-to-cloud.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to automaticaly upload scanned documents to a remote dropbox.
-# This script is not to be run as root, rather as the user responsible for scanning.
-
-# Only run if the user is not root
-if [[ $USER = 'root' ]] ; then
-  echo "You must not run this script as root!"
-  exit 1
-fi
-
-# Set parameters
-scan_directory='/scan'
-remote_path='https://cloud.kto.black/remote.php/webdav/Scans'
-remote_user='scan'
-remote_passwd='rB2TgFpNXk3BbZ44'
-subdirectories_prefix='scans'
-
-today=$(date +"%Y%m%d")
-
-# The script is executed a bit too early, so we need to wait a few seconds.
-sleep 5s
-
-for filename in $scan_directory/*; do
-  #echo "Creating today's directory..." # I'd like to remove these 2 lines
-  #curl -s -u $remote_user:$remote_passwd -X MKCOL $remote_path/$subdirectories_prefix-$today
-  echo "Uploading $filename..."
-  curl -s -u $remote_user:$remote_passwd -T "$filename" $remote_path/$subdirectories_prefix-$today/
-  rm "$filename"
-done
-
-echo "Upload done."
-exit 0

scan.mount

@@ -1,11 +0,0 @@
-[Unit]
-Description=tmpfs for scanned documents
-
-[Mount]
-What=tmpfs
-Where=/scan
-Type=tmpfs
-Options=noatime,uid=1001,gid=1001
-
-[Install]
-WantedBy=default.target

scanservjs-update.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+if [[ $user != 'root' ]]; then
+  sudo="sudo"
+else
+  sudo=""
+fi
+
+echo "Installing scanservjs directly from GitHub..."
+curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
+
+exit 0

setup.sh

@@ -1,163 +1,69 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
-# The purpose of this script is to setup our print-scan server on a blank Armbian.
+run_directory=$(dirname $(readlink -f "$0"))
-# This script is to be run as root.
+user=$(whoami)
 
-# (Keep in mind that default root password is 1234)
+if [[ $user != 'root' ]]; then
-# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
+  sudo="sudo"
-
+else
-# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+  sudo=""
-
-# Functions
-init() {
-  echo "Starting initialization"
-  echo $fqdn > /etc/hostname
-  sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
-  localectl set-keymap $keymap
-  timedatectl set-timezone $timezone
-  systemctl disable apt-daily-upgrade.timer
-}
-
-install_packages() {
-  echo "Starting packages installation"
-  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
-  apt update
-  apt upgrade -y
-  apt install -y vim tree tmux neofetch simple-scan sane hplip novnc x11vnc xvfb xinit libglib2.0-bin dbus-x11
-}
-
-add_users() {
-  echo "Adding users"
-  useradd -U -G sudo,lpadmin -m -s /bin/bash $user
-  chmod 700 /home/$user
-  useradd -U -G scanner,lp -m -s /sbin/nologin $scan_user
-  chmod 700 /home/$scan_user
-}
-
-get_conf() {
-  echo "Getting configuration"
-  sudo -H -u $user mkdir $sync_directory_path
-  cp $run_directory_path/conf-sync.sh $sync_directory_path/
-  chown $user:$user $sync_directory_path/conf-sync.sh
-  sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
-  sudo -H -u $user $sync_directory_path/conf-sync.sh
-}
-
-set_conf() {
-  echo "Setting configuration"
-  sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
-  ln -s $sync_directory_path/*.service $systemd_units_path/
-  ln -s $sync_directory_path/*.timer $systemd_units_path/
-  ln -s $sync_directory_path/*.socket $systemd_units_path/
-  ln -s $sync_directory_path/*.mount $systemd_units_path/
-  ln -s $sync_directory_path/*.path $systemd_units_path/
-  systemctl daemon-reload
-  systemctl enable novnc.service vnc.socket conf-sync.timer clean-cloud.timer scan.mount #scan-to-cloud.path
-}
-
-set_scan_conf() {
-  echo "Setting scan configuration"
-  sudo -H -u $scan_user sh -c "echo 'simple-scan' > $scan_user_home_directory/.xinitrc" # TODO this should be done another way
-  touch $passwd_file
-  chown $scan_user:$scan_user $passwd_file
-  sudo -H -u $scan_user x11vnc -storepasswd $vnc_passwd $passwd_file
-  touch $x11vnc_logfile
-  chown $scan_user:$scan_user $x11vnc_logfile
-  mkdir $scan_tmpfs
-  chown $scan_user:$scan_user $scan_tmpfs
-  sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-height 2970 # those don't work
-  sudo -H -u $scan_user gsettings set org.gnome.SimpleScan paper-width 2100
-  sudo -H -u $scan_user gsettings set org.gnome.SimpleScan save-directory $scan_tmpfs
-  cp $novnc_webroot/vnc.html $novnc_webroot/index.html
-}
-
-set_cups_conf() {
-  echo "Setting CUPS configuration"
-  mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
-  ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
-}
-
-rcs_links() {
-  echo "Linking rcs"
-  rm /home/$user/.bashrc
-  rm /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
-  ln -s /home/$user/.bashrc /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
-  ln -s /home/$user/.vimrc /root/.vimrc
-}
-
-ssh_pubkey() {
-  echo "Getting SSH public key"
-  sudo -H -u $user mkdir /home/$user/.ssh
-  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
-  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
-}
-
-tls_cert() {
-  echo "Generating TLS certificate"
-  openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $tls_directory/$cert -keyout $tls_directory/$cert_key -subj "/C=/ST=/L=/O=/OU=/CN="
-  chmod o+r $tls_directory/$cert_key
-}
-
-# Only run if the user is root
-if [[ $USER != 'root' ]] ; then
-  echo "You must run this script as root!"
-  exit 1
 fi
 
-run_directory_path=$(pwd)
+distro=$(lsb_release -si)
 
-# Set parameters
+# TODO if Arch
-default_hostname='pine64'
+if [[ $distro == "Debian" ]]; then
-hostname='pn1'
+  echo "Setting CUPS configuration"
-fqdn='pn1.kto.black'
+  $sudo mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.orig
-keymap='fr'
+  $sudo cp $run_directory/cupsd.conf /etc/cups/cupsd.conf
-timezone='Europe/Paris'
+else
-deb_apt_default_repo='httpredir.debian.org'
+  echo "TODO: Edit cupsd.conf so as to allow remote access (see Arch wiki)."
-deb_apt_repo='ftp.fr.debian.org'
+fi
-user='alex'
-scan_user='scan'
-scan_user_home_directory="/home/$scan_user"
-sync_directory_path="/home/$user/.sync"
-systemd_units_path='/etc/systemd/system'
-cups_conf_path='/etc/cups'
-vnc_passwd='windows'
-passwd_file='/etc/passwdd'
-x11vnc_logfile='/var/log/x11vnc.log'
-scan_tmpfs='/scan'
-novnc_webroot='/usr/share/novnc'
-remote_pubkey_location='https://keys.kto.black'
-remote_pubkey='home.pub'
-tls_directory='/etc/ssl/'
-cert='cert.crt'
-cert_key='cert.key'
 
-# Main process
+if [[ $distro == "Debian" ]]; then
-# You should comment below what you do not want to happen
+  echo "Installing scanservjs directly from GitHub..."
-init
+  curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
-install_packages
+fi
-add_users
+if [[ $distro == "Arch" ]]; then
-get_conf
+  echo "Starting and enabling scanservjs..."
-set_conf
+  $sudo systemctl enable --now scanservjs.service
-set_scan_conf
+fi
-set_cups_conf
+
-rcs_links
+echo "Generating TLS certificate"
-ssh_pubkey
+$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out /etc/ssl/cert.crt -keyout /etc/ssl/cert.key \
-tls_cert
+  -subj "/C=/ST=/L=/O=/OU=/CN="
+$sudo chmod o+r /etc/ssl/cert.key
+
+echo "Setting up Apache HTTP Server"
+if [[ $distro == "Arch" ]]; then
+  $sudo cp $run_directory/apache-sites/scanservjs.conf /etc/apache2/sites-available/scanservjs.conf
+  $sudo a2dissite 000-default
+  $sudo a2ensite scanservjs
+  $sudo a2enmod ssl proxy proxy_http proxy_http2
+fi
+if [[ $distro == "Arch" ]]; then
+  $sudo cp $run_directory/apache-sites/scanservjs.conf /etc/httpd/conf/scanservjs.conf
+  $sudo sed -i -e "s/#ServerName www.example.com:80/#ServerName www.example.com:80\nServerName mn2.hr.kto.black/g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule ssl_module modules/mod_ssl.so:LoadModule ssl_module modules/mod_ssl.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s/Listen 80/Listen 443/g" /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule proxy_module modules/mod_proxy.so:LoadModule proxy_module modules/mod_proxy.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule proxy_http_module modules/mod_proxy_http.so:LoadModule proxy_http_module modules/mod_proxy_http.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo sed -i -e "s:#LoadModule watchdog_module modules/mod_watchdog.so:LoadModule watchdog_module modules/mod_watchdog.so:g" \
+    /etc/httpd/conf/httpd.conf
+  $sudo bash -c 'echo "Include conf/scanservjs.conf" >> /etc/httpd/conf/httpd.conf'
+  $sudo systemctl enable --now httpd.service
+fi
+
+# TODO add a firewall rule to prevent access to http:8080 from other than local
 
-echo ""
-echo "We're all good here!"
-echo "You should now:"
-echo "* set $user's password"
-echo "* lock root account"
-echo "* remove setup.sh"
-echo "* reboot the SBC"
-echo "And perhaps:"
-echo "* connect to http://$hostname:631/ and add a printer"
-echo "* set htop at your convenience"
-echo "* remove password for sudo" # TODO we should automate that, with a flag
-echo "* use below commands to edit SSH config:"
-echo "sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
-echo "sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
 exit 0

vnc.socket

@@ -1,10 +0,0 @@
-[Unit]
-Description=VNC incoming socket
-
-[Socket]
-ListenStream=127.0.0.1:5900
-Accept=yes
-MaxConnections=5
-
-[Install]
-WantedBy=sockets.target

vnc@.service

@@ -1,14 +0,0 @@
-# VNC password should be set in /etc/passwdd
-# TODO we still need to handle session termination
-
-[Unit]
-Description=Specific x11vnc session
-OnFailure=scan-to-cloud.service
-
-[Service]
-User=scan
-Type=simple
-ExecStart=/usr/bin/x11vnc -once -create -localhost -inetd -bg -o /var/log/x11vnc.log -rfbauth /etc/passwdd
-#ExecStop=/usr/bin/x11vnc -R stop # TODO test that, unless it prevents OnFailure from working
-StandardInput=socket
-StandardError=syslog