From b2af400a1098ebf445575d169e11a6717867045f Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Sun, 13 Oct 2024 22:43:31 -0400
Subject: add cups

---
 .../usr/local/etc/cups/cups-files.conf.cups_server |   8 ++
 files/usr/local/etc/cups/cupsd.conf.cups_server    | 102 +++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 files/usr/local/etc/cups/cups-files.conf.cups_server
 create mode 100644 files/usr/local/etc/cups/cupsd.conf.cups_server

(limited to 'files/usr/local/etc/cups')

diff --git a/files/usr/local/etc/cups/cups-files.conf.cups_server b/files/usr/local/etc/cups/cups-files.conf.cups_server
new file mode 100644
index 0000000..c8dc430
--- /dev/null
+++ b/files/usr/local/etc/cups/cups-files.conf.cups_server
@@ -0,0 +1,8 @@
+SystemGroup ${cups_admin_group}
+
+ServerKeychain ${cups_tls_dir}
+CreateSelfSignedCerts no
+
+AccessLog syslog
+ErrorLog syslog
+PageLog syslog
diff --git a/files/usr/local/etc/cups/cupsd.conf.cups_server b/files/usr/local/etc/cups/cupsd.conf.cups_server
new file mode 100644
index 0000000..25e2107
--- /dev/null
+++ b/files/usr/local/etc/cups/cupsd.conf.cups_server
@@ -0,0 +1,102 @@
+LogLevel info
+PageLogFormat %p %u %j %P %C %{job-originating-host-name} %{job-name} %{media} %{sides}
+
+ServerName ${fqdn}
+ServerAdmin ${cups_server_admin}
+$([ -n "${cnames:-}" ] && printf "ServerAlias %s.${domain}\n" $cnames)
+
+# Specifies the maximum size of the log files before they are rotated.  The value "0" disables log rotation.
+MaxLogSize 1m
+
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
+Listen 80
+Listen 631
+Listen /var/run/cups/cups.sock
+SSLPort 443
+
+# Show shared printers on the local network.
+Browsing Off
+BrowseLocalProtocols  none
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+DefaultShared yes
+DefaultEncryption Required
+
+# Web interface setting...
+WebInterface Yes
+
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 60
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+  Allow from All
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  AuthType Default
+  Allow from All
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
-- 
cgit v1.2.3