diff options
author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/cups_server/templates | |
download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip |
initial commit
Diffstat (limited to 'roles/cups_server/templates')
-rw-r--r-- | roles/cups_server/templates/etc/cups/cups-files.conf.j2 | 9 | ||||
-rw-r--r-- | roles/cups_server/templates/etc/cups/cupsd.conf.j2 | 93 |
2 files changed, 102 insertions, 0 deletions
diff --git a/roles/cups_server/templates/etc/cups/cups-files.conf.j2 b/roles/cups_server/templates/etc/cups/cups-files.conf.j2 new file mode 100644 index 0000000..4550bad --- /dev/null +++ b/roles/cups_server/templates/etc/cups/cups-files.conf.j2 @@ -0,0 +1,9 @@ +# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules... +SystemGroup {{ cups_admin_group }} + +ServerKeychain /etc/pki/tls/cups +CreateSelfSignedCerts no + +AccessLog syslog +ErrorLog syslog +PageLog syslog diff --git a/roles/cups_server/templates/etc/cups/cupsd.conf.j2 b/roles/cups_server/templates/etc/cups/cupsd.conf.j2 new file mode 100644 index 0000000..a2a1032 --- /dev/null +++ b/roles/cups_server/templates/etc/cups/cupsd.conf.j2 @@ -0,0 +1,93 @@ +LogLevel info + +ServerName {{ ansible_fqdn }} +ServerAdmin {{ cups_server_admin }} +{% if cups_server_aliases %} +ServerAlias {{ cups_server_aliases | join(' ') }} +{% endif %} + +# Specifies the maximum size of the log files before they are rotated. The value "0" disables log rotation. +MaxLogSize 1m + +# Default error policy for printers +ErrorPolicy retry-job + +# Only listen for connections from the local machine. +Listen 631 +Listen /run/cups/cups.sock +SSLPort 443 + +# Show shared printers on the local network. +Browsing Off +BrowseLocalProtocols none + +# Default authentication type, when authentication is required... +# Kerberos appears to be broken in cups >=2.2: +# https://github.com/apple/cups/issues/5596 +DefaultAuthType Basic +DefaultEncryption Required + +DefaultShared yes + +# Web interface setting... +WebInterface Yes + +# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l) +IdleExitTimeout 0 + +# Restrict access to the server... +<Location /> + Order allow,deny + Allow from All +</Location> + +# Restrict access to the admin pages... +<Location /admin> + AuthType Default + Allow from All + Require user @SYSTEM + Order allow,deny +</Location> + +# Set the default printer/job policies... +<Policy default> + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + <Limit Create-Job Print-Job Print-URI Validate-Job> + Order deny,allow + </Limit> + + <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> + + # All administration operations require an administrator to authenticate... + <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> + AuthType Default + Require user @SYSTEM + Order deny,allow + </Limit> + + # All printer operations require a printer operator to authenticate... + <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> + AuthType Default + Require user @SYSTEM + Order deny,allow + </Limit> + + # Only the owner or an administrator can cancel or authenticate a job... + <Limit Cancel-Job CUPS-Authenticate-Job> + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> + + <Limit All> + Order deny,allow + </Limit> +</Policy> |