From dd490121b60782d0570ff60e4c49e11043c6c37f Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Tue, 15 Oct 2019 19:20:32 +0800
Subject: [PATCH] nixbld: filter CUPS access using firewall

CUPS listenAddresses is problematic.
---
 nixbld-etc-nixos/configuration.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 7be59ae..7e93eac 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -38,8 +38,9 @@ in
 networking = {
 hostName = "nixbld";
 firewall = {
- allowedTCPPorts = [ 80 443 631 ];
- allowedUDPPorts = [ 53 67 631 ];
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 53 67 ];
+ trustedInterfaces = [ netifLan ];
 };
 networkmanager.unmanaged = [ "interface-name:${netifLan}" "interface-name:${netifWifi}" ];
 interfaces."${netifLan}".ipv4.addresses = [{
@@ -133,7 +134,7 @@ in
 services.printing.enable = true;
 services.printing.drivers = [ pkgs.hplipWithPlugin ];
 services.printing.browsing = true;
- services.printing.listenAddresses = [ "192.168.1.1:631" ];
+ services.printing.listenAddresses = [ "*:631" ];
 services.printing.defaultShared = true;
 hardware.sane.enable = true;
 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
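Review bot: `trustedInterfaces = [ netifLan ];` in the first hunk accepts all traffic arriving on the LAN interface, not only port 631, so every service on this host that binds a wildcard address becomes reachable from the LAN. That is wider than the "filter CUPS access" the commit title describes. If only printing is meant to be opened, the per-interface form keeps the previous scope: `interfaces."${netifLan}" = { allowedTCPPorts = [ 631 ]; allowedUDPPorts = [ 631 ]; };` inside `firewall`. If trusting the whole LAN segment is intended, a short comment on the line saying so would make the decision visible; the `networking` block continues outside the hunk.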
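Review bot: With `listenAddresses = [ "*:631" ]` in the second hunk, cupsd binds on every interface, so the firewall becomes the only control keeping the print service (shared by default via `defaultShared = true`) off the non-LAN interfaces; a disabled or failed firewall would expose it there. The line deserves a comment recording that dependency, for example `# binds all interfaces; reachability is limited to netifLan by networking.firewall`, since the commit message says only that `listenAddresses` is "problematic". For a second layer, `services.printing.allowFrom` can restrict clients at the CUPS level; whether it is set elsewhere in this file is not visible from the hunk, so check that it names the LAN rather than `all`.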