nixos/modules/services/printing/ipp-usb.nix

   1 { config, lib, pkgs, ... }: {
   2   options = {
   3     services.ipp-usb = {
   4       enable = lib.mkEnableOption "ipp-usb, a daemon to turn an USB printer/scanner supporting IPP everywhere (aka AirPrint, WSD, AirScan) into a locally accessible network printer/scanner";
   5     };
   6   };
   7   config = lib.mkIf config.services.ipp-usb.enable {
   8     systemd.services.ipp-usb = {
   9       description = "Daemon for IPP over USB printer support";
  10       after = [ "cups.service" "avahi-daemon.service" ];
  11       wants = [ "avahi-daemon.service" ];
  12       serviceConfig = {
  13         ExecStart = [ "${pkgs.ipp-usb}/bin/ipp-usb" ];
  14         Type = "simple";
  15         Restart = "on-failure";
  16         StateDirectory = "ipp-usb";
  17         LogsDirectory = "ipp-usb";
  18
  19         # hardening.
  20         ProtectHome = true;
  21         PrivateTmp = true;
  22         PrivateUsers = true;
  23         ProtectControlGroups = true;
  24         MemoryDenyWriteExecute = true;
  25         # breaks the daemon, presumably because it messes with DeviceAllow
  26         ProtectClock = false;
  27         ProtectKernelTunables = true;
  28         ProtectKernelLogs = true;
  29         ProtectSystem = "strict";
  30         RestrictRealtime = true;
  31         RestrictSUIDSGID = true;
  32         SystemCallArchitectures = "native";
  33         PrivateMounts = true;
  34         ProtectHostname = true;
  35         ProtectKernelModules = true;
  36         RemoveIPC = true;
  37         RestrictNamespaces = true;
  38         AmbientCapabilities = "";
  39         CapabilityBoundingSet = "";
  40         NoNewPrivileges = true;
  41         RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" ];
  42         ProtectProc = "noaccess";
  43       };
  44     };
  45
  46     # starts the systemd service
  47     services.udev.packages = [ pkgs.ipp-usb ];
  48     services.avahi = {
  49       enable = true;
  50       publish = {
  51         enable = true;
  52         userServices = true;
  53       };
  54     };
  55     # enable printing and scanning by default, but not required.
  56     services.printing.enable = lib.mkDefault true;
  57     hardware.sane.enable = lib.mkDefault true;
  58     # so that sane discovers scanners
  59     hardware.sane.extraBackends = [ pkgs.sane-airscan ];
  60   };
  61 }
  62
  63