diff options
author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/cups_server/tasks | |
download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip |
initial commit
Diffstat (limited to 'roles/cups_server/tasks')
-rw-r--r-- | roles/cups_server/tasks/freeipa.yml | 58 | ||||
-rw-r--r-- | roles/cups_server/tasks/main.yml | 70 |
2 files changed, 128 insertions, 0 deletions
diff --git a/roles/cups_server/tasks/freeipa.yml b/roles/cups_server/tasks/freeipa.yml new file mode 100644 index 0000000..0acb36d --- /dev/null +++ b/roles/cups_server/tasks/freeipa.yml @@ -0,0 +1,58 @@ +- name: create admin group + ipagroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_admin_group }}' + nonposix: no + state: present + run_once: yes + +- name: create HBAC service + ipahbacsvc: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_hbac_service }}' + description: CUPS Print Server + state: present + run_once: yes + +- name: create cups-servers hostgroup + ipahostgroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_hbac_hostgroup }}' + description: CUPS Servers + host: "{{ groups[cups_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}" + run_once: yes + +- name: create HBAC rule for cups-admin + ipahbacrule: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: allow_cups_on_cups_servers + description: Allow CUPS admin on CUPS servers + hostgroup: '{{ cups_hbac_hostgroup }}' + group: '{{ cups_admin_group }}' + hbacsvc: '{{ cups_hbac_service }}' + run_once: yes + +- name: generate pam configuration + copy: + content: | + auth required pam_sss.so + account required pam_sss.so + dest: /etc/pam.d/cups + +- name: create HTTP service principal + ipaservice: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: 'HTTP/{{ ansible_fqdn }}' + state: present + +- name: retrieve HTTP keytab + include_role: + name: freeipa_keytab + vars: + keytab_principal: 'HTTP/{{ ansible_fqdn }}' + keytab_path: /etc/krb5.keytab diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml new file mode 100644 index 0000000..b03916e --- /dev/null +++ b/roles/cups_server/tasks/main.yml @@ -0,0 +1,70 @@ +- name: install cups + dnf: + name: cups + state: present + +- name: create certificate directory + file: + path: /etc/pki/tls/cups + state: directory + +- name: request TLS certificate + include_role: + name: getcert_request + vars: + certificate_service: cups + certificate_path: '{{ cups_certificate_path }}' + certificate_key_path: '{{ cups_certificate_key_path }}' + certificate_hook: systemctl restart cups + +- name: generate config files + template: + src: etc/cups/{{ item }}.j2 + dest: /etc/cups/{{ item }} + owner: root + group: lp + mode: 0640 + loop: + - cupsd.conf + - cups-files.conf + notify: restart cups + +- name: allow cups to listen on port 443 + seport: + ports: 443 + proto: tcp + setype: ipp_port_t + state: present + tags: selinux + +- import_tasks: freeipa.yml + tags: freeipa + +- name: enable cups + systemd: + name: cups + enabled: yes + state: started + +- name: forward port 80 to port 631 + firewalld: + permanent: yes + immediate: yes + rich_rule: 'rule family={{ item }} forward-port port=80 protocol=tcp to-port=631' + state: enabled + loop: + - ipv4 + - ipv6 + tags: firewalld + +- name: open firewall ports + firewalld: + permanent: yes + immediate: yes + service: '{{ item }}' + state: enabled + loop: + - ipp + - http + - https + tags: firewalld |