Compare commits

...

28 Commits

Author SHA1 Message Date
4f7bb5a53f Add printers.conf.pi2last 2024-10-06 19:16:53 +02:00
0f7077008c Update due to change to Arch 2024-09-24 20:24:28 +02:00
2f18463180 Fix error: missing command 2024-08-12 20:59:49 +02:00
099e533a54 Update setup.sh for scanservjs 2023-11-12 13:43:30 +01:00
013d1aad51 Fix previous commit 2023-11-11 16:33:55 +01:00
d7c0eed703 Update scanservjs install script location 2023-11-11 16:31:46 +01:00
b4d84bb28a Add x bit to setup.sh 2023-07-08 15:26:25 +02:00
86233b2a0a Adapt script to only cover server setup 2023-07-08 14:38:38 +02:00
d1b70a75dd Fix error in README 2023-07-08 14:14:09 +02:00
1510a0644c Update README 2023-07-02 11:57:13 +02:00
6b8d8cbb47 Remove and prepare to remove obsolete code, and correct get_sync call 2022-05-14 16:56:54 +02:00
e273f3c676 Few fixes, new password defintion at setup, and sshd conf 2022-04-27 20:17:21 +02:00
22debc7ce7 Remove old function for scanservjs install 2022-04-27 15:09:37 +02:00
1bdc5ccde0 Remove TODO item following last commits 2022-03-21 12:51:02 +01:00
742aa8fa1e Correct error in conf-sync deployment 2022-03-21 12:42:28 +01:00
951adc1305 Add new script to update scanservjs and alter setup accordingly 2022-03-21 12:36:26 +01:00
7c95eb2920 Adapt get_conf() with new conf-sync 2022-03-21 12:13:39 +01:00
5bcd9619f1 Move Apache site conf file to a dedicated directory 2022-03-21 12:02:33 +01:00
b266e8b498 Add a TODO item in README 2022-03-21 12:00:57 +01:00
743b11b991 Update shebang 2022-03-13 13:04:12 +01:00
8597f7edef Add Apache conf file in README 2022-03-12 12:43:44 +01:00
3ece55523e Add a point in TODO 2022-03-12 12:42:37 +01:00
541d2e3213 Remove rcs_links(), replaced by an install script in rcs-general 2022-03-12 12:41:10 +01:00
3bb3d2c5fa Add TODO in README 2022-03-12 11:29:46 +01:00
5ef3975468 Add scanservjs install to setup 2022-03-11 20:07:05 +01:00
ced8abb228 clean old code and prepare ground for future conf-sync 2022-03-11 16:09:06 +01:00
524c6e99a9 Add cupsd.conf and TODOs in setup.sh 2022-03-11 12:54:43 +01:00
dddf240da8 Set new README for 3.1 2022-03-11 10:45:26 +01:00
6 changed files with 229 additions and 139 deletions

View File

@ -1,23 +1,28 @@
# Printscan server # Printscan server
## Version 3 ## Version 3.1
This repository contains files used to set up our printscan server on a freshly installed Armbian. Target is Bullseye. This repository contains files used to set up our printscan server.
### Introduction ### Introduction
(see wiki for need and concept explanation) (see wiki for need and concept explanation)
Version 3 implementation works roughly as follows: Version 3.1 implementation works roughly as follows
##### SBC ##### SBC
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB; * the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB
* SANE and CUPS services are installed and running on the device; * SANE and CUPS services are installed and running on the device
* CUPS is configured to provide a remote printer to network; * CUPS is configured to provide a remote printer to network
* SANE is configured to provide network scan to a specific host only. * SANE is configured to provide local scan
* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan
##### Applicative container * if you need adjustments (as in https://github.com/sbs20/scanservjs/blob/master/docs/10-configuration.md), first do:
* this specific host is an applicative container running [scanservjs](https://github.com/sbs20/scanservjs); * `sudo ln -s /usr/share/webapps/scanservjs /usr/lib/scanservjs`
* it is configured to use the scanner provided by the SBC.
### Files ### Files
Files in this repository only cover the SBC setup. Files in this repository cover only the server setup. SBC setup is now handled by `armbian-setup`
#### Installation #### Installation
* `setup.sh` is a script automating the installation and configuration of required software * `setup.sh` is a script automating the installation and configuration of required software
* `cupsd.conf` is the config file for CUPS, set by setup script
* `scanservjs.conf` is an Apache HTTP vhost file for scanservjs
* `printers.conf.pi2last` is the last known working CUPS printers configuration which allowed to share HP printer
### TODO
* Add a firewall rule to block access to port 8080

View File

@ -0,0 +1,13 @@
<VirtualHost *:443>
ServerName printscan
SSLEngine on
SSLCertificateFile "/etc/ssl/cert.crt"
SSLCertificateKeyFile "/etc/ssl/cert.key"
<Location />
ProxyPass "http://127.0.0.1:8080/"
ProxyPassReverse "http://127.0.0.1:8080/"
</Location>
</VirtualHost>

102
cupsd.conf Normal file
View File

@ -0,0 +1,102 @@
LogLevel debug
PageLogFormat
MaxLogSize 0
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/log>
AuthType Default
Require user @SYSTEM
Order allow,deny
# Allow remote access to the log files...
Order allow,deny
Allow @LOCAL
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default

24
printers.conf.pi2last Normal file
View File

@ -0,0 +1,24 @@
# Printer configuration file for CUPS v2.4.1
# Written by cupsd
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
NextPrinterId 2
<Printer Deskjet>
PrinterId 1
UUID urn:uuid:e05e1e4c-fd3d-38e2-5d3b-596903a56af4
Info HP Deskjet 2050 J510 series
Location
MakeModel HP Deskjet 2050 j510 Series, hpcups 3.21.12
DeviceURI hp:/usb/Deskjet_2050_J510_series?serial=CN22T184ZP05QV
State Idle
StateTime 1723482301
ConfigTime 1720358534
Type 36876
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>

12
scanservjs-update.sh Executable file
View File

@ -0,0 +1,12 @@
#!/usr/bin/env bash
if [[ $user != 'root' ]]; then
sudo="sudo"
else
sudo=""
fi
echo "Installing scanservjs directly from GitHub..."
curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
exit 0

188
setup.sh Normal file → Executable file
View File

@ -1,135 +1,69 @@
#!/bin/bash #!/usr/bin/env bash
# The purpose of this script is to setup our print-scan server on a blank Armbian. run_directory=$(dirname $(readlink -f "$0"))
# This script is to be run as root. user=$(whoami)
# (Keep in mind that default root password is 1234) if [[ $user != 'root' ]]; then
# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root sudo="sudo"
else
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP sudo=""
# Functions
init() {
echo "Starting initialization"
echo $fqdn > /etc/hostname
sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
localectl set-keymap $keymap
timedatectl set-timezone $timezone
systemctl disable apt-daily-upgrade.timer
}
install_packages() {
echo "Starting packages installation"
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
apt update
apt upgrade -y
apt install -y vim tree tmux neofetch sane sane-utils hplip
}
add_users() {
echo "Adding users"
useradd -U -G sudo,lpadmin -m -s /bin/bash $user
chmod 700 /home/$user
usermod -a -G lp saned
}
get_conf() {
echo "Getting configuration"
sudo -H -u $user mkdir $sync_directory_path
cp $run_directory_path/conf-sync.sh $sync_directory_path/
chown $user:$user $sync_directory_path/conf-sync.sh
sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
sudo -H -u $user $sync_directory_path/conf-sync.sh
}
set_conf() {
echo "Setting configuration"
ln -s $sync_directory_path/conf-sync-server.timer $systemd_units_path/conf-sync.timer
ln -s $sync_directory_path/*.service $systemd_units_path/
systemctl daemon-reload
systemctl enable conf-sync.timer
}
set_cups_conf() {
echo "Setting CUPS configuration"
mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
}
set_sane_conf() {
echo $printscan_container_ip >> /etc/sane.d/saned.conf
systemctl enable saned.socket
}
rcs_links() {
echo "Linking rcs"
rm /home/$user/.bashrc
rm /root/.bashrc
sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
ln -s /home/$user/.bashrc /root/.bashrc
sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
ln -s /home/$user/.vimrc /root/.vimrc
sudo -H -u $user ln -s $sync_directory_path/tmux.conf /home/$user/.tmux.conf
ln -s /home/$user/.tmux.conf /root/.tmux.conf
}
ssh_pubkey() {
echo "Getting SSH public key"
sudo -H -u $user mkdir /home/$user/.ssh
sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
}
# Only run if the user is root
if [[ $USER != 'root' ]] ; then
echo "You must run this script as root!"
exit 1
fi fi
run_directory_path=$(pwd) distro=$(lsb_release -si)
# Set parameters # TODO if Arch
default_hostname='pine64' if [[ $distro == "Debian" ]]; then
hostname='pn1' echo "Setting CUPS configuration"
fqdn='pn1.kto.black' $sudo mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.orig
keymap='fr' $sudo cp $run_directory/cupsd.conf /etc/cups/cupsd.conf
timezone='Europe/Paris' else
deb_apt_default_repo='deb.debian.org' echo "TODO: Edit cupsd.conf so as to allow remote access (see Arch wiki)."
deb_apt_repo='ftp.fr.debian.org' fi
user='alex'
scan_user='scan'
scan_user_home_directory="/home/$scan_user"
sync_directory_path="/home/$user/.sync"
systemd_units_path='/etc/systemd/system'
cups_conf_path='/etc/cups'
printscan_container_ip='192.168.0.91'
remote_pubkey_location='https://keys.kto.black'
remote_pubkey='home.pub'
# Main process if [[ $distro == "Debian" ]]; then
# You should comment below what you do not want to happen echo "Installing scanservjs directly from GitHub..."
init curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
install_packages fi
add_users if [[ $distro == "Arch" ]]; then
get_conf echo "Starting and enabling scanservjs..."
set_conf $sudo systemctl enable --now scanservjs.service
set_cups_conf fi
set_sane_conf
rcs_links echo "Generating TLS certificate"
ssh_pubkey $sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out /etc/ssl/cert.crt -keyout /etc/ssl/cert.key \
-subj "/C=/ST=/L=/O=/OU=/CN="
$sudo chmod o+r /etc/ssl/cert.key
echo "Setting up Apache HTTP Server"
if [[ $distro == "Arch" ]]; then
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/apache2/sites-available/scanservjs.conf
$sudo a2dissite 000-default
$sudo a2ensite scanservjs
$sudo a2enmod ssl proxy proxy_http proxy_http2
fi
if [[ $distro == "Arch" ]]; then
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/httpd/conf/scanservjs.conf
$sudo sed -i -e "s/#ServerName www.example.com:80/#ServerName www.example.com:80\nServerName mn2.hr.kto.black/g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule ssl_module modules/mod_ssl.so:LoadModule ssl_module modules/mod_ssl.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s/Listen 80/Listen 443/g" /etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule proxy_module modules/mod_proxy.so:LoadModule proxy_module modules/mod_proxy.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule proxy_http_module modules/mod_proxy_http.so:LoadModule proxy_http_module modules/mod_proxy_http.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:g" \
/etc/httpd/conf/httpd.conf
$sudo sed -i -e "s:#LoadModule watchdog_module modules/mod_watchdog.so:LoadModule watchdog_module modules/mod_watchdog.so:g" \
/etc/httpd/conf/httpd.conf
$sudo bash -c 'echo "Include conf/scanservjs.conf" >> /etc/httpd/conf/httpd.conf'
$sudo systemctl enable --now httpd.service
fi
# TODO add a firewall rule to prevent access to http:8080 from other than local
echo ""
echo "We're all good here!"
echo "You should now:"
echo "* set $user's password"
echo "* lock root account"
echo "* remove setup.sh and conf-sync.sh"
echo "* reboot the SBC"
echo "And perhaps:"
echo "* connect to http://$hostname:631/ and add a printer"
echo "* set htop at your convenience"
echo "* remove password for sudo" # TODO we should automate that, with a flag
echo "* use below commands to edit SSH config:"
echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
exit 0 exit 0