migrate printhost to nix

hosts/servers/tule.nix

@@ -0,0 +1,55 @@
+{ config, ... }:
+
+{
+  imports = [ ../../hardware/virtualized.nix ];
+
+  networking.hostName = "tule";
+
+  ocf.network = {
+    enable = true;
+    lastOctet = 127;
+  };
+
+  ocf.acme.enable = true;
+
+  ocf.printhost = {
+    enable = true;
+    mysqlPasswordFile = config.age.secrets.printhost-mysql-password.path;
+    wayoutPasswordFile = config.age.secrets.printhost-wayout-password.path;
+    redisPasswordFile = config.age.secrets.printhost-redis-password.path;
+    # TODO: change to "printhost.ocf.berkeley.edu" once tule replaces whiteout
+    printhostUrl = "printhost-dev.ocf.berkeley.edu";
+  };
+
+  # Secrets — create with: agenix -e secrets/master-keyed/printhost/<name>.age
+  age.secrets.printhost-mysql-password = {
+    rekeyFile = ../../secrets/master-keyed/printhost/mysql-password.age;
+    mode = "0440";
+    group = "lp";
+  };
+  age.secrets.printhost-wayout-password = {
+    rekeyFile = ../../secrets/master-keyed/printhost/wayout-password.age;
+    mode = "0440";
+    group = "lp";
+  };
+  age.secrets.printhost-redis-password = {
+    rekeyFile = ../../secrets/master-keyed/printhost/redis-password.age;
+    mode = "0440";
+    group = "lp";
+  };
+
+  # Postfix relay so ocflib can send mail via sendmail.
+  services.postfix = {
+    enable = true;
+    settings.main = {
+      mydomain = "ocf.berkeley.edu";
+      myorigin = "ocf.berkeley.edu";
+      mydestination = "";
+      inet_interfaces = "loopback-only";
+      relayhost = [ "smtp.ocf.berkeley.edu" ];
+      sender_canonical_maps = "static:root@ocf.berkeley.edu";
+    };
+  };
+
+  system.stateVersion = "25.05";
+}

modules/graphical/apps/browsers.nix

@@ -94,6 +94,23 @@ in
         };
 
         Preferences = {
+          "print.printer_color-double.print_paper_height" = {
+            Value = "279.4";
+            Status = "default";
+          };
+          "print.printer_color-double.print_paper_id" = {
+            Value = "na_letter";
+            Status = "default";
+          };
+          "print.printer_color-double.print_paper_size_unit" = {
+            Value = 1;
+            Status = "default";
+            Type = "number";
+          };
+          "print.printer_color-double.print_paper_width" = {
+            Value = "215.9";
+            Status = "default";
+          };
           "print.printer_color-single.print_paper_height" = {
             Value = "279.4";
             Status = "default";

modules/printhost/conf/cups-files.conf

@@ -0,0 +1,4 @@
+SystemGroup ocfstaff opstaff
+
+ConfigFilePerm 0644
+LogFilePerm 0644

modules/printhost/conf/cupsd.conf

@@ -0,0 +1,104 @@
+ServerName @cups-url@
+ServerAlias *
+
+SSLPort 443
+
+# Temporary: enable debug logging
+LogLevel debug2
+
+LimitRequestBody 256m
+
+Browsing Off
+BrowseLocalProtocols dnssd
+HostNameLookups On
+DefaultAuthType Basic
+
+<Location />
+  Order allow,deny
+  Allow from 169.229.226.0/24
+  Allow from [2607:f140:8801::]/48
+  Allow from 127.0.0.0/8
+  Allow from [::1]
+</Location>
+<Location /jobs>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow from 169.229.226.0/24
+  Allow from [2607:f140:8801::]/48
+  Allow from 127.0.0.0/8
+  Allow from [::1]
+</Location>
+<Location /admin>
+  Encryption Required
+  Order allow,deny
+  Allow from 169.229.226.0/24
+  Allow from [2607:f140:8801::]/48
+  Allow from 127.0.0.0/8
+  Allow from [::1]
+</Location>
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow from 169.229.226.0/24
+  Allow from [2607:f140:8801::]/48
+  Allow from 127.0.0.0/8
+  Allow from [::1]
+</Location>
+
+<Policy default>
+  JobPrivateAccess all
+  JobPrivateValues none
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+<Policy authenticated>
+  <Limit Create-Job Print-Job Print-URI>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>