diff options
Diffstat (limited to 'roles/cups_server')
| -rw-r--r-- | roles/cups_server/defaults/main.yml | 3 | ||||
| -rw-r--r-- | roles/cups_server/handlers/main.yml | 4 | ||||
| -rw-r--r-- | roles/cups_server/tasks/freeipa.yml | 58 | ||||
| -rw-r--r-- | roles/cups_server/tasks/main.yml | 70 | ||||
| -rw-r--r-- | roles/cups_server/templates/etc/cups/cups-files.conf.j2 | 9 | ||||
| -rw-r--r-- | roles/cups_server/templates/etc/cups/cupsd.conf.j2 | 93 | ||||
| -rw-r--r-- | roles/cups_server/vars/main.yml | 14 |
7 files changed, 251 insertions, 0 deletions
diff --git a/roles/cups_server/defaults/main.yml b/roles/cups_server/defaults/main.yml new file mode 100644 index 0000000..c032530 --- /dev/null +++ b/roles/cups_server/defaults/main.yml @@ -0,0 +1,3 @@ +cups_server_aliases: '{{ cnames }}' +cups_server_admin: root@{{ email_domain }} +cups_admin_group: role-cups-admin diff --git a/roles/cups_server/handlers/main.yml b/roles/cups_server/handlers/main.yml new file mode 100644 index 0000000..9c3bada --- /dev/null +++ b/roles/cups_server/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart cups + systemd: + name: cups + state: restarted diff --git a/roles/cups_server/tasks/freeipa.yml b/roles/cups_server/tasks/freeipa.yml new file mode 100644 index 0000000..0acb36d --- /dev/null +++ b/roles/cups_server/tasks/freeipa.yml @@ -0,0 +1,58 @@ +- name: create admin group + ipagroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_admin_group }}' + nonposix: no + state: present + run_once: yes + +- name: create HBAC service + ipahbacsvc: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_hbac_service }}' + description: CUPS Print Server + state: present + run_once: yes + +- name: create cups-servers hostgroup + ipahostgroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ cups_hbac_hostgroup }}' + description: CUPS Servers + host: "{{ groups[cups_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}" + run_once: yes + +- name: create HBAC rule for cups-admin + ipahbacrule: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: allow_cups_on_cups_servers + description: Allow CUPS admin on CUPS servers + hostgroup: '{{ cups_hbac_hostgroup }}' + group: '{{ cups_admin_group }}' + hbacsvc: '{{ cups_hbac_service }}' + run_once: yes + +- name: generate pam configuration + copy: + content: | + auth required pam_sss.so + account required pam_sss.so + dest: /etc/pam.d/cups + +- name: create HTTP service principal + ipaservice: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: 'HTTP/{{ ansible_fqdn }}' + state: present + +- name: retrieve HTTP keytab + include_role: + name: freeipa_keytab + vars: + keytab_principal: 'HTTP/{{ ansible_fqdn }}' + keytab_path: /etc/krb5.keytab diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml new file mode 100644 index 0000000..b03916e --- /dev/null +++ b/roles/cups_server/tasks/main.yml @@ -0,0 +1,70 @@ +- name: install cups + dnf: + name: cups + state: present + +- name: create certificate directory + file: + path: /etc/pki/tls/cups + state: directory + +- name: request TLS certificate + include_role: + name: getcert_request + vars: + certificate_service: cups + certificate_path: '{{ cups_certificate_path }}' + certificate_key_path: '{{ cups_certificate_key_path }}' + certificate_hook: systemctl restart cups + +- name: generate config files + template: + src: etc/cups/{{ item }}.j2 + dest: /etc/cups/{{ item }} + owner: root + group: lp + mode: 0640 + loop: + - cupsd.conf + - cups-files.conf + notify: restart cups + +- name: allow cups to listen on port 443 + seport: + ports: 443 + proto: tcp + setype: ipp_port_t + state: present + tags: selinux + +- import_tasks: freeipa.yml + tags: freeipa + +- name: enable cups + systemd: + name: cups + enabled: yes + state: started + +- name: forward port 80 to port 631 + firewalld: + permanent: yes + immediate: yes + rich_rule: 'rule family={{ item }} forward-port port=80 protocol=tcp to-port=631' + state: enabled + loop: + - ipv4 + - ipv6 + tags: firewalld + +- name: open firewall ports + firewalld: + permanent: yes + immediate: yes + service: '{{ item }}' + state: enabled + loop: + - ipp + - http + - https + tags: firewalld diff --git a/roles/cups_server/templates/etc/cups/cups-files.conf.j2 b/roles/cups_server/templates/etc/cups/cups-files.conf.j2 new file mode 100644 index 0000000..4550bad --- /dev/null +++ b/roles/cups_server/templates/etc/cups/cups-files.conf.j2 @@ -0,0 +1,9 @@ +# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules... +SystemGroup {{ cups_admin_group }} + +ServerKeychain /etc/pki/tls/cups +CreateSelfSignedCerts no + +AccessLog syslog +ErrorLog syslog +PageLog syslog diff --git a/roles/cups_server/templates/etc/cups/cupsd.conf.j2 b/roles/cups_server/templates/etc/cups/cupsd.conf.j2 new file mode 100644 index 0000000..a2a1032 --- /dev/null +++ b/roles/cups_server/templates/etc/cups/cupsd.conf.j2 @@ -0,0 +1,93 @@ +LogLevel info + +ServerName {{ ansible_fqdn }} +ServerAdmin {{ cups_server_admin }} +{% if cups_server_aliases %} +ServerAlias {{ cups_server_aliases | join(' ') }} +{% endif %} + +# Specifies the maximum size of the log files before they are rotated. The value "0" disables log rotation. +MaxLogSize 1m + +# Default error policy for printers +ErrorPolicy retry-job + +# Only listen for connections from the local machine. +Listen 631 +Listen /run/cups/cups.sock +SSLPort 443 + +# Show shared printers on the local network. +Browsing Off +BrowseLocalProtocols none + +# Default authentication type, when authentication is required... +# Kerberos appears to be broken in cups >=2.2: +# https://github.com/apple/cups/issues/5596 +DefaultAuthType Basic +DefaultEncryption Required + +DefaultShared yes + +# Web interface setting... +WebInterface Yes + +# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l) +IdleExitTimeout 0 + +# Restrict access to the server... +<Location /> + Order allow,deny + Allow from All +</Location> + +# Restrict access to the admin pages... +<Location /admin> + AuthType Default + Allow from All + Require user @SYSTEM + Order allow,deny +</Location> + +# Set the default printer/job policies... +<Policy default> + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + <Limit Create-Job Print-Job Print-URI Validate-Job> + Order deny,allow + </Limit> + + <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> + + # All administration operations require an administrator to authenticate... + <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> + AuthType Default + Require user @SYSTEM + Order deny,allow + </Limit> + + # All printer operations require a printer operator to authenticate... + <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> + AuthType Default + Require user @SYSTEM + Order deny,allow + </Limit> + + # Only the owner or an administrator can cancel or authenticate a job... + <Limit Cancel-Job CUPS-Authenticate-Job> + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> + + <Limit All> + Order deny,allow + </Limit> +</Policy> diff --git a/roles/cups_server/vars/main.yml b/roles/cups_server/vars/main.yml new file mode 100644 index 0000000..98525bf --- /dev/null +++ b/roles/cups_server/vars/main.yml @@ -0,0 +1,14 @@ +cups_hostgroup: cups_servers +cups_certificate_path: /etc/pki/tls/cups/{{ ansible_fqdn }}.crt +cups_certificate_key_path: /etc/pki/tls/cups/{{ ansible_fqdn }}.key + +cups_hbac_hostgroup: cups-servers +cups_hbac_service: cups + +cups_archive_shell: >- + TIMESTAMP=$(date +%Y%m%d%H%M%S); + tar czf "cups-${TIMESTAMP}.tar.gz" + --transform "s|^\.|cups-${TIMESTAMP}|" + -C /etc/cups + ./ppd + ./printers.conf |