From 561046779758d2db6af5609b0a66aed134d86275 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 5 Mar 2023 13:11:57 +0100
Subject: ...
---
 hosts/vidhar/network/ruleset.nft | 4 ++--
 hosts/vidhar/printing/default.nix | 50 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 50 insertions(+), 4 deletions(-)
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index deeadeef..2080cf64 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -146,8 +146,8 @@ table inet filter {
 iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
 iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
- iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
- iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept
+ # iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
+ # iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept
 iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
 iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
index d844823b..55c55b37 100644
--- a/hosts/vidhar/printing/default.nix
+++ b/hosts/vidhar/printing/default.nix
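Review bot: The two `dsl` rules for `ve-printing` are disabled by turning them into comments, and nothing in the ruleset says why the printing container lost its outbound HTTP/HTTPS path. A one-line comment above them, for example `# ve-printing: no WAN egress (reason: ...)`, would keep a later reader from re-enabling them by reflex; alternatively delete the lines, since history keeps them. The commented return rule is also narrower than the removed one (`oifname ve-printing` instead of `{ lan, ve-printing }`), which is only safe because the separate `iifname dsl oifname lan` rule below already covers lan. Whether refused `ve-printing` to `dsl` traffic is counted or logged depends on the chain's default policy, which lies outside this hunk; a counter on that drop would make unexpected outbound attempts from the print server visible.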
@@ -78,10 +78,56 @@ in {
 listenAddresses = [ "*:631" ];
- allowFrom = [ "all" ];
- extraConf = ''
+ logLevel = "all";
+ extraConf = mkForce ''
 ServerName printing
 ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
+
+ DefaultEncryption Never
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
+
+ Order allow,deny
+ Allow from 10.0.0.0/8
+ Satisfy any
+
+
 '';
 };
-- 
cgit v1.2.3
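Review bot: `DefaultEncryption Never` combined with `Satisfy any` in all seven added blocks means a 10.0.0.0/8 source address alone is enough to pass each block, with no authentication and over cleartext. The block openers are not visible on this page, so if any of them covers `/admin` or an administrative policy limit, that block should keep authentication by dropping its `Satisfy any`, and encryption is better left at `DefaultEncryption IfRequested`. The ACL is also IPv4-only, while the ruleset in the first hunk forwards port 631 to 2a03:4000:52:ada:5::1 as well, so IPv6 clients would presumably be refused by `Order allow,deny` unless a matching `Allow from` is added. `logLevel = "all"` is worth checking too: cupsd's `LogLevel` documents levels such as `debug2`, whereas `all` is a value of `AccessLogLevel`. The enclosing attribute set starts and ends outside the hunk.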