From 97e829e24e9fdb68d8e989c2703cee9803a2e82f Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Thu, 15 Aug 2024 14:50:15 -0600
Subject: sys/hardware/printing: limit interfaces on which port 5353 is open
---
 sys/hardware/printing.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'sys/hardware/printing.nix')
diff --git a/sys/hardware/printing.nix b/sys/hardware/printing.nix
index 8280da9..30c6962 100644
--- a/sys/hardware/printing.nix
+++ b/sys/hardware/printing.nix
@@ -1,6 +1,7 @@
 { config, lib, ... }:
 with lib; let
 cfg = config.local.hardware.printing;
+ inherit (config.local.net) dhcpInterface;
 in
 {
 options.local.hardware.printing = {
@@ -13,13 +14,27 @@ in
 };
 config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.local.net.enable;
+ message = "Printing requires net";
+ }
+ ];
+
 services.avahi = {
 enable = true;
 nssmdns4 = true;
- openFirewall = true;
+
+ # Abre 5353 en todas las interfaces (!!!)
+ openFirewall = false;
 };
 hardware.sane.enable = true;
+
+ networking.firewall.interfaces = mkIf (dhcpInterface != null) {
+ ${dhcpInterface}.allowedUDPPorts = [ 5353 ];
+ };
+
 services.printing.enable = true;
 users.users = listToAttrs (map
-- 
cgit v1.2.3
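Review bot: The new `networking.firewall.interfaces` rule in the second hunk only filters inbound UDP 5353, while `services.avahi` itself is still left to use every interface, so the restriction depends entirely on the NixOS firewall being enabled. Pinning the daemon as well, with `allowInterfaces = mkIf (dhcpInterface != null) [ dhcpInterface ];` inside the `services.avahi` block, would keep the limit in place independently of the packet filter. When `dhcpInterface` is null nothing opens the port and mDNS discovery fails silently, because the added assertion checks only `config.local.net.enable`; whether that state is reachable depends on `local.net`, which is defined outside this patch. The comment above `openFirewall = false;` describes what `true` would do, so wording such as `# openFirewall = true would open UDP 5353 on every interface; it is opened per interface below` would read less ambiguously. The `config` block continues past the end of the hunk.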