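# @summary Installs SANE, sets up the saned account and service, and opens
#   the saned network ports in Shorewall.
#
# @param access_list
#   Looked up from Hiera key 'nodo::subsystem::scanner::access_list',
#   defaulting to an empty string. It is not referenced in this class body;
#   presumably the nodo/sane.d/saned.conf.erb template reads it to build the
#   list of hosts allowed to use saned -- TODO confirm against the template.
class nodo::subsystem::scanner(
  $access_list = lookup('nodo::subsystem::scanner::access_list', undef, undef, '')
) {
  package { [ 'sane', 'sane-utils' ]:
    ensure => present,
  }

  # Declare the 'scanner' group only if nothing else has declared it yet.
  # NOTE(review): defined() depends on evaluation order, so this guard is
  # only reliable if any other declaration of Group['scanner'] is evaluated
  # before this class.
  if !defined(Group['scanner']) {
    group { 'scanner':
      ensure    => present,
      allowdupe => false,
    }
  }

  group { [ 'lp', 'saned' ]:
    ensure    => present,
    allowdupe => false,
  }

  # Service account for the daemon, with no login shell.
  # NOTE(review): Group['scanner'] is required here, but the account is only
  # added to 'lp'. Confirm whether 'scanner' membership was intended.
  user { 'saned':
    ensure    => present,
    comment   => 'saned',
    gid       => 'saned',
    groups    => 'lp',
    home      => '/var/lib/saned',
    shell     => '/bin/false',
    allowdupe => false,
    require   => Group['lp', 'saned', 'scanner'],
  }

  file { '/etc/default/saned':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/nodo/etc/default/saned',
    require => Package['sane'],
  }

  # Daemon configuration rendered from the ERB template.
  file { '/etc/sane.d/saned.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('nodo/sane.d/saned.conf.erb'),
    require => Package['sane'],
  }

  # Restart saned whenever its configuration files or its account change.
  # The File references use the exact titles declared above. The original
  # wrote '/etc/default/saned/' with a trailing slash, which only resolves
  # if Puppet normalises file titles.
  service { 'saned':
    ensure    => running,
    enable    => true,
    require   => Package['sane'],
    subscribe => [
      File['/etc/default/saned', '/etc/sane.d/saned.conf'],
      User['saned'],
    ],
  }

  # Firewall
  #
  # NOTE(review): both rules accept TCP from the whole 'net' zone with no
  # rate limit ('-'). Nothing in this class restricts who can reach saned, so
  # access control rests entirely on the rendered saned.conf. If the service
  # is only meant for known clients, narrow 'source' to those hosts or
  # subnets so the firewall and the daemon's access list agree.
  shorewall::rule { 'saned':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '6566',
    ratelimit       => '-',
    order           => 200,
  }

  # Presumably the data-connection port range saned is configured to use.
  # Verify that saned.conf.erb sets a matching range, otherwise these ports
  # are opened for nothing.
  shorewall::rule { 'saned-range':
    action          => 'ACCEPT',
    source          => 'net',
    destination     => '$FW',
    proto           => 'tcp',
    destinationport => '10000:10100',
    ratelimit       => '-',
    order           => 200,
  }
}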