authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/cups_server/tasks
initial commit
Diffstat (limited to 'roles/cups_server/tasks')
-rw-r--r--roles/cups_server/tasks/freeipa.yml58
-rw-r--r--roles/cups_server/tasks/main.yml70
2 files changed, 128 insertions, 0 deletions
diff --git a/roles/cups_server/tasks/freeipa.yml b/roles/cups_server/tasks/freeipa.yml
new file mode 100644
index 0000000..0acb36d
--- /dev/null
+++ b/roles/cups_server/tasks/freeipa.yml
@@ -0,0 +1,58 @@
+- name: create admin group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_admin_group }}'
+ nonposix: no
+ state: present
+ run_once: yes
+
+- name: create HBAC service
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_hbac_service }}'
+ description: CUPS Print Server
+ state: present
+ run_once: yes
+
+- name: create cups-servers hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_hbac_hostgroup }}'
+ description: CUPS Servers
+ host: "{{ groups[cups_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ run_once: yes
+
+- name: create HBAC rule for cups-admin
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_cups_on_cups_servers
+ description: Allow CUPS admin on CUPS servers
+ hostgroup: '{{ cups_hbac_hostgroup }}'
+ group: '{{ cups_admin_group }}'
+ hbacsvc: '{{ cups_hbac_service }}'
+ run_once: yes
+
+- name: generate pam configuration
+ copy:
+ content: |
+ auth required pam_sss.so
+ account required pam_sss.so
+ dest: /etc/pam.d/cups
+
+- name: create HTTP service principal
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'HTTP/{{ ansible_fqdn }}'
+ state: present
+
+- name: retrieve HTTP keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: 'HTTP/{{ ansible_fqdn }}'
+ keytab_path: /etc/krb5.keytab
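Review bot: `keytab_path: /etc/krb5.keytab` in the last task writes the HTTP service keytab into the host's system keytab, which on an IPA-enrolled host already holds the `host/` principal used by SSSD; unless the `freeipa_keytab` role (not visible on this page) appends rather than replaces that file, the retrieval can drop the host principal and break Kerberos logins on the box, so either confirm the role's behaviour or store the HTTP keytab in its own file and point cupsd at it. The hostgroup task's `map('regex_replace', '$', '.' ~ ansible_domain)` assumes every entry of `groups[cups_hostgroup]` is a short inventory name; an entry that is already an FQDN would get the domain appended a second time, which is worth a comment or a guard. As a point of style, `nonposix: no` and the four `run_once: yes` are YAML 1.1 truthy forms that yamllint and ansible-lint flag; `false`/`true` are the canonical spellings.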
diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml
new file mode 100644
index 0000000..b03916e
--- /dev/null
+++ b/roles/cups_server/tasks/main.yml
@@ -0,0 +1,70 @@
+- name: install cups
+ dnf:
+ name: cups
+ state: present
+
+- name: create certificate directory
+ file:
+ path: /etc/pki/tls/cups
+ state: directory
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: cups
+ certificate_path: '{{ cups_certificate_path }}'
+ certificate_key_path: '{{ cups_certificate_key_path }}'
+ certificate_hook: systemctl restart cups
+
+- name: generate config files
+ template:
+ src: etc/cups/{{ item }}.j2
+ dest: /etc/cups/{{ item }}
+ owner: root
+ group: lp
+ mode: 0640
+ loop:
+ - cupsd.conf
+ - cups-files.conf
+ notify: restart cups
+
+- name: allow cups to listen on port 443
+ seport:
+ ports: 443
+ proto: tcp
+ setype: ipp_port_t
+ state: present
+ tags: selinux
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: enable cups
+ systemd:
+ name: cups
+ enabled: yes
+ state: started
+
+- name: forward port 80 to port 631
+ firewalld:
+ permanent: yes
+ immediate: yes
+ rich_rule: 'rule family={{ item }} forward-port port=80 protocol=tcp to-port=631'
+ state: enabled
+ loop:
+ - ipv4
+ - ipv6
+ tags: firewalld
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: '{{ item }}'
+ state: enabled
+ loop:
+ - ipp
+ - http
+ - https
+ tags: firewalld
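Review bot: The `forward port 80 to port 631` and `open firewall ports` tasks expose CUPS over plain HTTP (80 → 631 plus the `http` service) while the PAM/HBAC setup in freeipa.yml makes the admin pages authenticate with directory credentials; whether cupsd refuses cleartext authentication depends on the `cupsd.conf` template (not on this page, e.g. `DefaultEncryption Required`), so that setting should be checked or the `http` entries dropped so only `ipp`/`https` are reachable. `mode: 0640` in the template task is an unquoted octal literal; Ansible interprets the leading-zero form correctly but ansible-lint's risky-octal rule flags it, and `mode: "0640"` is unambiguous across parsers. `enabled: yes`, `permanent: yes` and `immediate: yes` are YAML 1.1 truthy forms; `true` is the canonical spelling. The `create certificate directory` task sets no `owner`/`group`/`mode`, so the directory that will hold the TLS key falls back to the umask — if the `getcert_request` role does not tighten it, `mode: "0750"` with `group: lp` would be the defensive default.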