Diffstat (limited to 'files/usr/local')
-rw-r--r-- | files/usr/local/etc/cups/cups-files.conf.cups_server | 8 | ||||
-rw-r--r-- | files/usr/local/etc/cups/cupsd.conf.cups_server | 102 | ||||
-rw-r--r-- | files/usr/local/etc/nslcd.conf.common | 2 | ||||
-rw-r--r-- | files/usr/local/etc/poudriere.d/make.conf.pkg_repository | 1 | ||||
-rw-r--r-- | files/usr/local/etc/poudriere.d/pkglist.pkg_repository | 2 | ||||
-rw-r--r-- | files/usr/local/etc/saslauthd.conf.znc_server | 7 |
6 files changed, 120 insertions, 2 deletions
diff --git a/files/usr/local/etc/cups/cups-files.conf.cups_server b/files/usr/local/etc/cups/cups-files.conf.cups_server
new file mode 100644
index 0000000..c8dc430
--- /dev/null
+++ b/files/usr/local/etc/cups/cups-files.conf.cups_server
@@ -0,0 +1,8 @@
+SystemGroup ${cups_admin_group}
+
+ServerKeychain ${cups_tls_dir}
+CreateSelfSignedCerts no
+
+AccessLog syslog
+ErrorLog syslog
+PageLog syslog
diff --git a/files/usr/local/etc/cups/cupsd.conf.cups_server b/files/usr/local/etc/cups/cupsd.conf.cups_server
new file mode 100644
index 0000000..25e2107
--- /dev/null
+++ b/files/usr/local/etc/cups/cupsd.conf.cups_server
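Review bot: `CreateSelfSignedCerts no` turns off cupsd's fallback certificate generation, so `ServerKeychain ${cups_tls_dir}` has to already hold a key/certificate pair for the `ServerName ${fqdn}` set in cupsd.conf before the first TLS request on `SSLPort 443`, and nothing in this file says which component provisions it. A one-line comment such as `# TLS key/cert for ${fqdn} are provisioned externally into ${cups_tls_dir}; cupsd will not self-sign.` would spare the next reader the search. Sending `AccessLog`/`ErrorLog`/`PageLog` to syslog is reasonable, but note that the `PageLogFormat` in cupsd.conf includes `%{job-name}`, which typically carries document titles into the central log — worth confirming that is acceptable for the syslog destination.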
@@ -0,0 +1,102 @@
+LogLevel info
+PageLogFormat %p %u %j %P %C %{job-originating-host-name} %{job-name} %{media} %{sides}
+
+ServerName ${fqdn}
+ServerAdmin ${cups_server_admin}
+$([ -n "${cnames:-}" ] && printf "ServerAlias %s.${domain}\n" $cnames)
+
+# Specifies the maximum size of the log files before they are rotated. The value "0" disables log rotation.
+MaxLogSize 1m
+
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
+Listen 80
+Listen 631
+Listen /var/run/cups/cups.sock
+SSLPort 443
+
+# Show shared printers on the local network.
+Browsing Off
+BrowseLocalProtocols none
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+DefaultShared yes
+DefaultEncryption Required
+
+# Web interface setting...
+WebInterface Yes
+
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 60
+
+# Restrict access to the server...
+<Location />
+ Order allow,deny
+ Allow from All
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+ AuthType Default
+ Allow from All
+ Require user @SYSTEM
+ Order allow,deny
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+ <Limit Create-Job Print-Job Print-URI Validate-Job>
+ Order deny,allow
+ </Limit>
+
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Get-Document>
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # All administration operations require an administrator to authenticate...
+ <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # All printer operations require a printer operator to authenticate...
+ <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+ <Limit Cancel-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Authenticate-Job>
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit All>
+ Order deny,allow
+ </Limit>
+</Policy>
diff --git a/files/usr/local/etc/nslcd.conf.common b/files/usr/local/etc/nslcd.conf.common
index 9798ba9..ca27337 100644
--- a/files/usr/local/etc/nslcd.conf.common
+++ b/files/usr/local/etc/nslcd.conf.common
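Review bot: `<Location />` admits every client (`Allow from All`) and the `<Limit Create-Job Print-Job Print-URI Validate-Job>` block carries no `Require`, so with `Listen 80` and `Listen 631` bound to all addresses any host that can reach the server can submit jobs to any shared printer without authenticating; if that is intended for a LAN print server it deserves saying, because the retained upstream comment `# Only listen for connections from the local machine.` now states the opposite of the directives under it. Suggested replacement for that comment: `# Listen on all interfaces (HTTP, IPP, HTTPS) plus the local socket; access is gated per Location/Policy below.` If unauthenticated submission is not wanted, add `Require valid-user` to the Create-Job limit or narrow `<Location />` with `Allow from @LOCAL`. `DefaultEncryption Required` does keep the Basic credentials used for `/admin` and the `@SYSTEM`/`@OWNER` operations off plaintext, which is the right default for a server exposed on port 80.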
@@ -12,5 +12,3 @@ sasl_mech GSSAPI
 nss_min_uid ${nslcd_min_uid}
 nss_initgroups_ignoreusers ALLLOCAL
 nss_nested_groups yes
-
-pam_authz_search (&(uid=\$username)(memberOf=cn=\$service-access,${roles_basedn}))
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index fd35928..6ef6f4a 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -56,6 +56,7 @@ net_openldap26-server_UNSET=SMBPWD
 print_cups-filters_UNSET=COLORD
 print_freetype2_SET=LCD_FILTERING
 print_freetype2_UNSET=LCD_RENDERING
+security_cyrus-sasl2-saslauthd_SET=OPENLDAP
 security_cyrus-sasl2-saslauthd_UNSET=BDB1
 security_heimdal-devel_SET=LDAP
 security_heimdal-devel_UNSET=BDB
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 848e558..ec63f48 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -52,6 +52,8 @@ net/turnserver
 net-im/prosody
 net-im/prosody-modules
 ports-mgmt/poudriere
+print/cups
+print/cups-filters
 security/acme.sh
 security/cyrus-sasl2-saslauthd
 security/kstart
diff --git a/files/usr/local/etc/saslauthd.conf.znc_server b/files/usr/local/etc/saslauthd.conf.znc_server
new file mode 100644
index 0000000..f7a4708
--- /dev/null
+++ b/files/usr/local/etc/saslauthd.conf.znc_server
@@ -0,0 +1,7 @@
+ldap_servers: ${ldaps_uri}
+ldap_use_sasl: yes
+ldap_mech: PLAIN
+ldap_auth_method: fastbind
+ldap_group_search_base: ${users_basedn}
+ldap_group_match_method: filter
+ldap_group_filter: (&(uid=%u)(memberOf=cn=${znc_access_role},${roles_basedn})) |
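Review bot: `ldap_use_sasl: yes` with `ldap_mech: PLAIN` hands the user's password to the directory as a SASL PLAIN bind, so the only thing protecting that credential is the TLS of `${ldaps_uri}`, yet the new saslauthd.conf sets neither `ldap_tls_check_peer` nor `ldap_tls_cacert_file`, leaving server-certificate verification to whatever the system ldap.conf happens to default to. Unless that is already enforced elsewhere, add `ldap_tls_check_peer: yes` and `ldap_tls_cacert_file: <path-to-CA-bundle>` (placeholder) so a spoofed directory endpoint cannot collect znc passwords. Separately, `%u` in `ldap_group_filter` is expanded from the authenticating username; saslauthd's LDAP module is, as far as I recall, escaping it for filter syntax, but that is worth confirming against the installed version rather than assumed, and a short comment recording that `ldap_auth_method: fastbind` was verified to honour the `ldap_group_*` checks would help the next reader.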