diff options
| author | Guillaume Girol <symphorien+git@xlumurb.eu> | 2022-11-25 12:00:00 +0000 |
|---|---|---|
| committer | Guillaume Girol <symphorien+git@xlumurb.eu> | 2022-12-06 21:06:54 +0100 |
| commit | 8e7a32d061e46dad083548a0d4e5cec443439000 (patch) | |
| tree | fd378e60d3339ff1d5e74db751979ac1a6cc0538 /nixos/modules/services/printing | |
| parent | c3c187bfd680e89b5fa5e4d7814fea149609d03a (diff) | |
| download | nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar.gz nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar.bz2 nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar.lz nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar.xz nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.tar.zst nixlib-8e7a32d061e46dad083548a0d4e5cec443439000.zip | |
nixos/ipp-usb: add module
Diffstat (limited to 'nixos/modules/services/printing')
| -rw-r--r-- | nixos/modules/services/printing/ipp-usb.nix | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/nixos/modules/services/printing/ipp-usb.nix b/nixos/modules/services/printing/ipp-usb.nix new file mode 100644 index 000000000000..0425eb913731 --- /dev/null +++ b/nixos/modules/services/printing/ipp-usb.nix @@ -0,0 +1,63 @@ +{ config, lib, pkgs, ... }: { + options = { + services.ipp-usb = { + enable = lib.mkEnableOption (lib.mdDoc "ipp-usb, a daemon to turn an USB printer/scanner supporting IPP everywhere (aka AirPrint, WSD, AirScan) into a locally accessible network printer/scanner"); + }; + }; + config = lib.mkIf config.services.ipp-usb.enable { + systemd.services.ipp-usb = { + description = "Daemon for IPP over USB printer support"; + after = [ "cups.service" "avahi-deamon.service" ]; + wants = [ "avahi-daemon.service" ]; + serviceConfig = { + ExecStart = [ "${pkgs.ipp-usb}/bin/ipp-usb" ]; + Type = "simple"; + Restart = "on-failure"; + StateDirectory = "ipp-usb"; + LogsDirectory = "ipp-usb"; + + # hardening. + ProtectHome = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + MemoryDenyWriteExecute = true; + # breaks the daemon, presumably because it messes with DeviceAllow + ProtectClock = false; + ProtectKernelTunables = true; + ProtectKernelLogs = true; + ProtectSystem = "strict"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + PrivateMounts = true; + ProtectHostname = true; + ProtectKernelModules = true; + RemoveIPC = true; + RestrictNamespaces = true; + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" ]; + ProtectProc = "noaccess"; + }; + }; + + # starts the systemd service + services.udev.packages = [ pkgs.ipp-usb ]; + services.avahi = { + enable = true; + publish = { + enable = true; + userServices = true; + }; + }; + # enable printing and scanning by default, but not required. + services.printing.enable = lib.mkDefault true; + hardware.sane.enable = lib.mkDefault true; + # so that sane discovers scanners + hardware.sane.extraBackends = [ pkgs.sane-airscan ]; + }; +} + + |