From 301667e66aa403e4699fa9c895b994e6213e55f6 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Wed, 31 Dec 2014 14:45:02 -0200
Subject: Scanning over network support
---
files/etc/default/saned | 7 ++++
files/etc/sane.d/saned.conf | 33 ++++++++++++++++++
manifests/subsystem/scanner.pp | 66 +++++++++++++++++++++++++++++++++++
manifests/subsystem/scanner/client.pp | 14 ++++++++
templates/sane.d/saned.erb | 15 ++++++++
5 files changed, 135 insertions(+)
create mode 100644 files/etc/default/saned
create mode 100644 files/etc/sane.d/saned.conf
create mode 100644 manifests/subsystem/scanner.pp
create mode 100644 manifests/subsystem/scanner/client.pp
create mode 100644 templates/sane.d/saned.erb
diff --git a/files/etc/default/saned b/files/etc/default/saned
new file mode 100644
index 0000000..444096e
--- /dev/null
+++ b/files/etc/default/saned
@@ -0,0 +1,7 @@
+# Defaults for the saned initscript, from sane-utils
+
+# Set to yes to start saned
+RUN=yes
+
+# Set to the user saned should run as
+RUN_AS_USER=saned
diff --git a/files/etc/sane.d/saned.conf b/files/etc/sane.d/saned.conf
new file mode 100644
index 0000000..f61de7a
--- /dev/null
+++ b/files/etc/sane.d/saned.conf
@@ -0,0 +1,33 @@
+# saned.conf
+# Configuration for the saned daemon
+
+## Daemon options
+# Port range for the data connection. Choose a range inside [1024 - 65535].
+# Avoid specifying too large a range, for performance reasons.
+#
+# ONLY use this if your saned server is sitting behind a firewall. If your
+# firewall is a Linux machine, we strongly recommend using the
+# Netfilter nf_conntrack_sane connection tracking module instead.
+#
+# data_portrange = 10000 - 10100
+data_portrange = 10000 - 10100
+
+
+## Access list
+# A list of host names, IP addresses or IP subnets (CIDR notation) that
+# are permitted to use local SANE devices. IPv6 addresses must be enclosed
+# in brackets, and should always be specified in their compressed form.
+#
+# The hostname matching is not case-sensitive.
+
+#scan-client.somedomain.firm
+#192.168.0.1
+#192.168.0.1/29
+#[2001:7a8:185e::42:12]
+#[2001:7a8:185e::42:12]/64
+192.168.1.0/24
+
+# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
+# /etc/services must also be properly configured to start
+# the saned daemon as documented in saned(8), services(4)
+# and inetd.conf(4) (or xinetd.conf(5)).
diff --git a/manifests/subsystem/scanner.pp b/manifests/subsystem/scanner.pp
new file mode 100644
index 0000000..26622e9
--- /dev/null
+++ b/manifests/subsystem/scanner.pp
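Review bot: The access list in files/etc/sane.d/saned.conf is a hard-coded `192.168.1.0/24` shipped as a static file, so every node that includes the server class offers its scanners to that whole subnet whether or not it matches the node's own LAN. The client side already takes its server from hiera, so the server side would be more consistent as a template fed by a class parameter holding the permitted hosts, rendered one entry per line. The same file fixes `data_portrange = 10000 - 10100`, which has to stay in step with the `10000:10100` firewall rule in manifests/subsystem/scanner.pp; a comment such as `# keep in sync with shorewall::rule 'saned-range'` would make that coupling visible.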
@@ -0,0 +1,66 @@
+class nodo::subsystem::scanner {
+ package { 'sane':
+ ensure => present,
+ }
+
+ group { [ 'lp', 'saned', 'scanner' ]:
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'saned':
+ ensure => present,
+ comment => 'saned',
+ gid => 'saned',
+ home => '/home/saned',
+ shell => '/bin/false',
+ allowdupe => false,
+ require => Group['lp', 'saned', 'scanner'],
+ }
+
+ file { '/etc/default/saned' :
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/nodo/etc/default/saned',
+ require => Package['saned'],
+ }
+
+ file { '/etc/sane.d/saned.conf' :
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/nodo/etc/sane.d/saned.conf',
+ require => Package['sane'],
+ }
+
+ service { 'saned' :
+ ensure => running,
+ enable => true,
+ require => Package['saned'],
+ subscribe => [ File['/etc/default/saned/', '/etc/sane.d/saned.conf'], User['saned'] ],
+ }
+
+ # Firewall
+ shorewall::rule { "saned":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "6566",
+ ratelimit => '-',
+ order => 200,
+ }
+
+ shorewall::rule { "saned-range":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "10000:10100",
+ ratelimit => '-',
+ order => 200,
+ }
+}
diff --git a/manifests/subsystem/scanner/client.pp b/manifests/subsystem/scanner/client.pp
new file mode 100644
index 0000000..873f8b9
--- /dev/null
+++ b/manifests/subsystem/scanner/client.pp
@@ -0,0 +1,14 @@
+class nodo::subsystem::scanner::client($server = hiera('nodo::subsystem::scanner::client::hostname', 'localhost')) {
+ package { 'sane':
+ ensure => present,
+ }
+
+ file { '/etc/sane.d/net.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('nodo/sane.d/net.conf.erb'),
+ require => Package['sane'],
+ }
+}
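Review bot: Both `shorewall::rule` resources in manifests/subsystem/scanner.pp accept from the whole `net` zone (`source => 'net'`), so ports 6566 and 10000:10100 are reachable from every host in that zone and the only remaining restriction is the access list in saned.conf. If `net` is the untrusted zone here, as it is in the usual shorewall layout, the rules should be narrowed to the scanning clients, e.g. `source => 'net:192.168.1.0/24',` or a zone that holds only the LAN. Separately, the class declares `package { 'sane': }` but the `/etc/default/saned` file and the `saned` service use `require => Package['saned']`, a resource this manifest never declares; unless it is defined elsewhere the catalog will presumably fail to compile, and `require => Package['sane'],` matches the declaration.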
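Review bot: manifests/subsystem/scanner/client.pp renders `template('nodo/sane.d/net.conf.erb')`, but the template this commit adds is `templates/sane.d/saned.erb`, whose content is the net backend config; unless a `net.conf.erb` already exists outside this patch, the client class will fail when the catalog is compiled. Renaming the new file to `templates/sane.d/net.conf.erb` lines the two up. The class also declares `package { 'sane': }` exactly as `nodo::subsystem::scanner` does, which gives a duplicate resource declaration on a node that includes both classes; moving the package into one shared class avoids that.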
diff --git a/templates/sane.d/saned.erb b/templates/sane.d/saned.erb
new file mode 100644
index 0000000..6d9f10c
--- /dev/null
+++ b/templates/sane.d/saned.erb
@@ -0,0 +1,15 @@
+# This is the net backend config file.
+
+## net backend options
+# Timeout for the initial connection to saned. This will prevent the backend
+# from blocking for several minutes trying to connect to an unresponsive
+# saned host (network outage, host down, ...). Value in seconds.
+# connect_timeout = 60
+
+## saned hosts
+# Each line names a host to attach to.
+# If you list "localhost" then your backends can be accessed either
+# directly or through the net backend. Going through the net backend
+# may be necessary to access devices that need special privileges.
+# localhost
+<%= server %>
-- cgit v1.2.3
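Review bot: `<%= server %>` on the last line of templates/sane.d/saned.erb reads the class parameter through the bare-name lookup, which Puppet 3 deprecates and later versions drop; `<%= @server %>` is the supported form. The value comes from hiera and is written into the net backend config unchecked, so validating `$server` in the client class (a single hostname or address, no whitespace or newlines) would keep a malformed hiera entry from adding unintended saned hosts to the file.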