Compare commits
28 Commits
version3.0
...
master
Author | SHA1 | Date | |
---|---|---|---|
4f7bb5a53f | |||
0f7077008c | |||
2f18463180 | |||
099e533a54 | |||
013d1aad51 | |||
d7c0eed703 | |||
b4d84bb28a | |||
86233b2a0a | |||
d1b70a75dd | |||
1510a0644c | |||
6b8d8cbb47 | |||
e273f3c676 | |||
22debc7ce7 | |||
1bdc5ccde0 | |||
742aa8fa1e | |||
951adc1305 | |||
7c95eb2920 | |||
5bcd9619f1 | |||
b266e8b498 | |||
743b11b991 | |||
8597f7edef | |||
3ece55523e | |||
541d2e3213 | |||
3bb3d2c5fa | |||
5ef3975468 | |||
ced8abb228 | |||
524c6e99a9 | |||
dddf240da8 |
29
README.md
29
README.md
@ -1,23 +1,28 @@
|
||||
# Printscan server
|
||||
## Version 3.0
|
||||
## Version 3.1
|
||||
|
||||
This repository contains files used to set up our printscan server on a freshly installed Armbian. Target is Bullseye.
|
||||
This repository contains files used to set up our printscan server.
|
||||
|
||||
### Introduction
|
||||
(see wiki for need and concept explanation)
|
||||
|
||||
Version 3.0 implementation works roughly as follows:
|
||||
Version 3.1 implementation works roughly as follows
|
||||
##### SBC
|
||||
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB;
|
||||
* SANE and CUPS services are installed and running on the device;
|
||||
* CUPS is configured to provide a remote printer to network;
|
||||
* SANE is configured to provide network scan to a specific host only.
|
||||
|
||||
##### Applicative container
|
||||
* this specific host is an applicative container running [scanservjs](https://github.com/sbs20/scanservjs);
|
||||
* it is configured to use the scanner provided by the SBC.
|
||||
* the Armbian-based device is connected to local network, and an all-in-one printer is connected to it via USB
|
||||
* SANE and CUPS services are installed and running on the device
|
||||
* CUPS is configured to provide a remote printer to network
|
||||
* SANE is configured to provide local scan
|
||||
* [scanservjs](https://github.com/sbs20/scanservjs) runs on the SBC, providing a web interface for scan
|
||||
* if you need adjustments (as in https://github.com/sbs20/scanservjs/blob/master/docs/10-configuration.md), first do:
|
||||
* `sudo ln -s /usr/share/webapps/scanservjs /usr/lib/scanservjs`
|
||||
|
||||
### Files
|
||||
Files in this repository only cover the SBC setup.
|
||||
Files in this repository cover only the server setup. SBC setup is now handled by `armbian-setup`
|
||||
#### Installation
|
||||
* `setup.sh` is a script automating the installation and configuration of required software
|
||||
* `cupsd.conf` is the config file for CUPS, set by setup script
|
||||
* `scanservjs.conf` is an Apache HTTP vhost file for scanservjs
|
||||
* `printers.conf.pi2last` is the last known working CUPS printers configuration which allowed to share HP printer
|
||||
|
||||
### TODO
|
||||
* Add a firewall rule to block access to port 8080
|
||||
|
13
apache-sites/scanservjs.conf
Normal file
13
apache-sites/scanservjs.conf
Normal file
@ -0,0 +1,13 @@
|
||||
<VirtualHost *:443>
|
||||
ServerName printscan
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile "/etc/ssl/cert.crt"
|
||||
SSLCertificateKeyFile "/etc/ssl/cert.key"
|
||||
|
||||
<Location />
|
||||
ProxyPass "http://127.0.0.1:8080/"
|
||||
ProxyPassReverse "http://127.0.0.1:8080/"
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
102
cupsd.conf
Normal file
102
cupsd.conf
Normal file
@ -0,0 +1,102 @@
|
||||
LogLevel debug
|
||||
PageLogFormat
|
||||
MaxLogSize 0
|
||||
# Allow remote access
|
||||
Port 631
|
||||
Listen /var/run/cups/cups.sock
|
||||
Browsing On
|
||||
BrowseLocalProtocols dnssd
|
||||
DefaultAuthType Basic
|
||||
WebInterface Yes
|
||||
<Location />
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
</Location>
|
||||
<Location /admin>
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
</Location>
|
||||
<Location /admin/conf>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
# Allow remote access to the configuration files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
</Location>
|
||||
<Location /admin/log>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order allow,deny
|
||||
# Allow remote access to the log files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
</Location>
|
||||
<Policy default>
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
</Policy>
|
||||
<Policy authenticated>
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
AuthType Default
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
</Policy>
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
24
printers.conf.pi2last
Normal file
24
printers.conf.pi2last
Normal file
@ -0,0 +1,24 @@
|
||||
# Printer configuration file for CUPS v2.4.1
|
||||
# Written by cupsd
|
||||
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
|
||||
NextPrinterId 2
|
||||
<Printer Deskjet>
|
||||
PrinterId 1
|
||||
UUID urn:uuid:e05e1e4c-fd3d-38e2-5d3b-596903a56af4
|
||||
Info HP Deskjet 2050 J510 series
|
||||
Location
|
||||
MakeModel HP Deskjet 2050 j510 Series, hpcups 3.21.12
|
||||
DeviceURI hp:/usb/Deskjet_2050_J510_series?serial=CN22T184ZP05QV
|
||||
State Idle
|
||||
StateTime 1723482301
|
||||
ConfigTime 1720358534
|
||||
Type 36876
|
||||
Accepting Yes
|
||||
Shared Yes
|
||||
JobSheets none none
|
||||
QuotaPeriod 0
|
||||
PageLimit 0
|
||||
KLimit 0
|
||||
OpPolicy default
|
||||
ErrorPolicy retry-job
|
||||
</Printer>
|
12
scanservjs-update.sh
Executable file
12
scanservjs-update.sh
Executable file
@ -0,0 +1,12 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
if [[ $user != 'root' ]]; then
|
||||
sudo="sudo"
|
||||
else
|
||||
sudo=""
|
||||
fi
|
||||
|
||||
echo "Installing scanservjs directly from GitHub..."
|
||||
curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
|
||||
|
||||
exit 0
|
188
setup.sh
Normal file → Executable file
188
setup.sh
Normal file → Executable file
@ -1,135 +1,69 @@
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# The purpose of this script is to setup our print-scan server on a blank Armbian.
|
||||
# This script is to be run as root.
|
||||
run_directory=$(dirname $(readlink -f "$0"))
|
||||
user=$(whoami)
|
||||
|
||||
# (Keep in mind that default root password is 1234)
|
||||
# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
|
||||
|
||||
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
|
||||
|
||||
# Functions
|
||||
init() {
|
||||
echo "Starting initialization"
|
||||
echo $fqdn > /etc/hostname
|
||||
sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
|
||||
localectl set-keymap $keymap
|
||||
timedatectl set-timezone $timezone
|
||||
systemctl disable apt-daily-upgrade.timer
|
||||
}
|
||||
|
||||
install_packages() {
|
||||
echo "Starting packages installation"
|
||||
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
|
||||
apt update
|
||||
apt upgrade -y
|
||||
apt install -y vim tree tmux neofetch sane sane-utils hplip
|
||||
}
|
||||
|
||||
add_users() {
|
||||
echo "Adding users"
|
||||
useradd -U -G sudo,lpadmin -m -s /bin/bash $user
|
||||
chmod 700 /home/$user
|
||||
usermod -a -G lp saned
|
||||
}
|
||||
|
||||
get_conf() {
|
||||
echo "Getting configuration"
|
||||
sudo -H -u $user mkdir $sync_directory_path
|
||||
cp $run_directory_path/conf-sync.sh $sync_directory_path/
|
||||
chown $user:$user $sync_directory_path/conf-sync.sh
|
||||
sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
|
||||
sudo -H -u $user $sync_directory_path/conf-sync.sh
|
||||
}
|
||||
|
||||
set_conf() {
|
||||
echo "Setting configuration"
|
||||
ln -s $sync_directory_path/conf-sync-server.timer $systemd_units_path/conf-sync.timer
|
||||
ln -s $sync_directory_path/*.service $systemd_units_path/
|
||||
systemctl daemon-reload
|
||||
systemctl enable conf-sync.timer
|
||||
}
|
||||
|
||||
set_cups_conf() {
|
||||
echo "Setting CUPS configuration"
|
||||
mv $cups_conf_path/cupsd.conf $cups_conf_path/cupsd.conf.orig
|
||||
ln -s $sync_directory_path/cupsd.conf $cups_conf_path/cupsd.conf
|
||||
}
|
||||
|
||||
set_sane_conf() {
|
||||
echo $printscan_container_ip >> /etc/sane.d/saned.conf
|
||||
systemctl enable saned.socket
|
||||
}
|
||||
|
||||
rcs_links() {
|
||||
echo "Linking rcs"
|
||||
rm /home/$user/.bashrc
|
||||
rm /root/.bashrc
|
||||
sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
|
||||
ln -s /home/$user/.bashrc /root/.bashrc
|
||||
sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
|
||||
ln -s /home/$user/.vimrc /root/.vimrc
|
||||
sudo -H -u $user ln -s $sync_directory_path/tmux.conf /home/$user/.tmux.conf
|
||||
ln -s /home/$user/.tmux.conf /root/.tmux.conf
|
||||
}
|
||||
|
||||
ssh_pubkey() {
|
||||
echo "Getting SSH public key"
|
||||
sudo -H -u $user mkdir /home/$user/.ssh
|
||||
sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
|
||||
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
|
||||
}
|
||||
|
||||
# Only run if the user is root
|
||||
if [[ $USER != 'root' ]] ; then
|
||||
echo "You must run this script as root!"
|
||||
exit 1
|
||||
if [[ $user != 'root' ]]; then
|
||||
sudo="sudo"
|
||||
else
|
||||
sudo=""
|
||||
fi
|
||||
|
||||
run_directory_path=$(pwd)
|
||||
distro=$(lsb_release -si)
|
||||
|
||||
# Set parameters
|
||||
default_hostname='pine64'
|
||||
hostname='pn1'
|
||||
fqdn='pn1.kto.black'
|
||||
keymap='fr'
|
||||
timezone='Europe/Paris'
|
||||
deb_apt_default_repo='deb.debian.org'
|
||||
deb_apt_repo='ftp.fr.debian.org'
|
||||
user='alex'
|
||||
scan_user='scan'
|
||||
scan_user_home_directory="/home/$scan_user"
|
||||
sync_directory_path="/home/$user/.sync"
|
||||
systemd_units_path='/etc/systemd/system'
|
||||
cups_conf_path='/etc/cups'
|
||||
printscan_container_ip='192.168.0.91'
|
||||
remote_pubkey_location='https://keys.kto.black'
|
||||
remote_pubkey='home.pub'
|
||||
# TODO if Arch
|
||||
if [[ $distro == "Debian" ]]; then
|
||||
echo "Setting CUPS configuration"
|
||||
$sudo mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.orig
|
||||
$sudo cp $run_directory/cupsd.conf /etc/cups/cupsd.conf
|
||||
else
|
||||
echo "TODO: Edit cupsd.conf so as to allow remote access (see Arch wiki)."
|
||||
fi
|
||||
|
||||
# Main process
|
||||
# You should comment below what you do not want to happen
|
||||
init
|
||||
install_packages
|
||||
add_users
|
||||
get_conf
|
||||
set_conf
|
||||
set_cups_conf
|
||||
set_sane_conf
|
||||
rcs_links
|
||||
ssh_pubkey
|
||||
if [[ $distro == "Debian" ]]; then
|
||||
echo "Installing scanservjs directly from GitHub..."
|
||||
curl -s https://raw.githubusercontent.com/sbs20/scanservjs/master/bootstrap.sh | sudo bash -s -- -v latest
|
||||
fi
|
||||
if [[ $distro == "Arch" ]]; then
|
||||
echo "Starting and enabling scanservjs..."
|
||||
$sudo systemctl enable --now scanservjs.service
|
||||
fi
|
||||
|
||||
echo "Generating TLS certificate"
|
||||
$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out /etc/ssl/cert.crt -keyout /etc/ssl/cert.key \
|
||||
-subj "/C=/ST=/L=/O=/OU=/CN="
|
||||
$sudo chmod o+r /etc/ssl/cert.key
|
||||
|
||||
echo "Setting up Apache HTTP Server"
|
||||
if [[ $distro == "Arch" ]]; then
|
||||
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/apache2/sites-available/scanservjs.conf
|
||||
$sudo a2dissite 000-default
|
||||
$sudo a2ensite scanservjs
|
||||
$sudo a2enmod ssl proxy proxy_http proxy_http2
|
||||
fi
|
||||
if [[ $distro == "Arch" ]]; then
|
||||
$sudo cp $run_directory/apache-sites/scanservjs.conf /etc/httpd/conf/scanservjs.conf
|
||||
$sudo sed -i -e "s/#ServerName www.example.com:80/#ServerName www.example.com:80\nServerName mn2.hr.kto.black/g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule ssl_module modules/mod_ssl.so:LoadModule ssl_module modules/mod_ssl.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:LoadModule socache_shmcb_module modules/mod_socache_shmcb.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s/Listen 80/Listen 443/g" /etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule proxy_module modules/mod_proxy.so:LoadModule proxy_module modules/mod_proxy.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule proxy_http_module modules/mod_proxy_http.so:LoadModule proxy_http_module modules/mod_proxy_http.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:LoadModule proxy_balancer_module modules/mod_proxy_balancer.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo sed -i -e "s:#LoadModule watchdog_module modules/mod_watchdog.so:LoadModule watchdog_module modules/mod_watchdog.so:g" \
|
||||
/etc/httpd/conf/httpd.conf
|
||||
$sudo bash -c 'echo "Include conf/scanservjs.conf" >> /etc/httpd/conf/httpd.conf'
|
||||
$sudo systemctl enable --now httpd.service
|
||||
fi
|
||||
|
||||
# TODO add a firewall rule to prevent access to http:8080 from other than local
|
||||
|
||||
echo ""
|
||||
echo "We're all good here!"
|
||||
echo "You should now:"
|
||||
echo "* set $user's password"
|
||||
echo "* lock root account"
|
||||
echo "* remove setup.sh and conf-sync.sh"
|
||||
echo "* reboot the SBC"
|
||||
echo "And perhaps:"
|
||||
echo "* connect to http://$hostname:631/ and add a printer"
|
||||
echo "* set htop at your convenience"
|
||||
echo "* remove password for sudo" # TODO we should automate that, with a flag
|
||||
echo "* use below commands to edit SSH config:"
|
||||
echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||
echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user