aboutsummaryrefslogtreecommitdiff
path: root/files/usr/local
diff options
context:
space:
mode:
Diffstat (limited to 'files/usr/local')
-rw-r--r--files/usr/local/etc/cups/cups-files.conf.cups_server8
-rw-r--r--files/usr/local/etc/cups/cupsd.conf.cups_server102
-rw-r--r--files/usr/local/etc/nslcd.conf.common2
-rw-r--r--files/usr/local/etc/poudriere.d/make.conf.pkg_repository1
-rw-r--r--files/usr/local/etc/poudriere.d/pkglist.pkg_repository2
-rw-r--r--files/usr/local/etc/saslauthd.conf.znc_server7
6 files changed, 120 insertions, 2 deletions
diff --git a/files/usr/local/etc/cups/cups-files.conf.cups_server b/files/usr/local/etc/cups/cups-files.conf.cups_server
new file mode 100644
index 0000000..c8dc430
--- /dev/null
+++ b/files/usr/local/etc/cups/cups-files.conf.cups_server
@@ -0,0 +1,8 @@
+SystemGroup ${cups_admin_group}
+
+ServerKeychain ${cups_tls_dir}
+CreateSelfSignedCerts no
+
+AccessLog syslog
+ErrorLog syslog
+PageLog syslog
diff --git a/files/usr/local/etc/cups/cupsd.conf.cups_server b/files/usr/local/etc/cups/cupsd.conf.cups_server
new file mode 100644
index 0000000..25e2107
--- /dev/null
+++ b/files/usr/local/etc/cups/cupsd.conf.cups_server
@@ -0,0 +1,102 @@
+LogLevel info
+PageLogFormat %p %u %j %P %C %{job-originating-host-name} %{job-name} %{media} %{sides}
+
+ServerName ${fqdn}
+ServerAdmin ${cups_server_admin}
+$([ -n "${cnames:-}" ] && printf "ServerAlias %s.${domain}\n" $cnames)
+
+# Specifies the maximum size of the log files before they are rotated. The value "0" disables log rotation.
+MaxLogSize 1m
+
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
+Listen 80
+Listen 631
+Listen /var/run/cups/cups.sock
+SSLPort 443
+
+# Show shared printers on the local network.
+Browsing Off
+BrowseLocalProtocols none
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+DefaultShared yes
+DefaultEncryption Required
+
+# Web interface setting...
+WebInterface Yes
+
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 60
+
+# Restrict access to the server...
+<Location />
+ Order allow,deny
+ Allow from All
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+ AuthType Default
+ Allow from All
+ Require user @SYSTEM
+ Order allow,deny
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+ <Limit Create-Job Print-Job Print-URI Validate-Job>
+ Order deny,allow
+ </Limit>
+
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Get-Document>
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # All administration operations require an administrator to authenticate...
+ <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # All printer operations require a printer operator to authenticate...
+ <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+ <Limit Cancel-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Authenticate-Job>
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit All>
+ Order deny,allow
+ </Limit>
+</Policy>
diff --git a/files/usr/local/etc/nslcd.conf.common b/files/usr/local/etc/nslcd.conf.common
index 9798ba9..ca27337 100644
--- a/files/usr/local/etc/nslcd.conf.common
+++ b/files/usr/local/etc/nslcd.conf.common
@@ -12,5 +12,3 @@ sasl_mech GSSAPI
nss_min_uid ${nslcd_min_uid}
nss_initgroups_ignoreusers ALLLOCAL
nss_nested_groups yes
-
-pam_authz_search (&(uid=\$username)(memberOf=cn=\$service-access,${roles_basedn}))
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index fd35928..6ef6f4a 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -56,6 +56,7 @@ net_openldap26-server_UNSET=SMBPWD
print_cups-filters_UNSET=COLORD
print_freetype2_SET=LCD_FILTERING
print_freetype2_UNSET=LCD_RENDERING
+security_cyrus-sasl2-saslauthd_SET=OPENLDAP
security_cyrus-sasl2-saslauthd_UNSET=BDB1
security_heimdal-devel_SET=LDAP
security_heimdal-devel_UNSET=BDB
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 848e558..ec63f48 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -52,6 +52,8 @@ net/turnserver
net-im/prosody
net-im/prosody-modules
ports-mgmt/poudriere
+print/cups
+print/cups-filters
security/acme.sh
security/cyrus-sasl2-saslauthd
security/kstart
diff --git a/files/usr/local/etc/saslauthd.conf.znc_server b/files/usr/local/etc/saslauthd.conf.znc_server
new file mode 100644
index 0000000..f7a4708
--- /dev/null
+++ b/files/usr/local/etc/saslauthd.conf.znc_server
@@ -0,0 +1,7 @@
+ldap_servers: ${ldaps_uri}
+ldap_use_sasl: yes
+ldap_mech: PLAIN
+ldap_auth_method: fastbind
+ldap_group_search_base: ${users_basedn}
+ldap_group_match_method: filter
+ldap_group_filter: (&(uid=%u)(memberOf=cn=${znc_access_role},${roles_basedn}))