From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
 roles/cups_server/defaults/main.yml | 3 +
 roles/cups_server/handlers/main.yml | 4 +
 roles/cups_server/tasks/freeipa.yml | 58 ++++++++++++++
 roles/cups_server/tasks/main.yml | 70 ++++++++++++++++
 .../templates/etc/cups/cups-files.conf.j2 | 9 +++
 roles/cups_server/templates/etc/cups/cupsd.conf.j2 | 93 ++++++++++++++++++++++
 roles/cups_server/vars/main.yml | 14 ++++
 7 files changed, 251 insertions(+)
 create mode 100644 roles/cups_server/defaults/main.yml
 create mode 100644 roles/cups_server/handlers/main.yml
 create mode 100644 roles/cups_server/tasks/freeipa.yml
 create mode 100644 roles/cups_server/tasks/main.yml
 create mode 100644 roles/cups_server/templates/etc/cups/cups-files.conf.j2
 create mode 100644 roles/cups_server/templates/etc/cups/cupsd.conf.j2
 create mode 100644 roles/cups_server/vars/main.yml
(limited to 'roles/cups_server')

diff --git a/roles/cups_server/defaults/main.yml b/roles/cups_server/defaults/main.yml
new file mode 100644
index 0000000..c032530
--- /dev/null
+++ b/roles/cups_server/defaults/main.yml
@@ -0,0 +1,3 @@
+cups_server_aliases: '{{ cnames }}'
+cups_server_admin: root@{{ email_domain }}
+cups_admin_group: role-cups-admin
diff --git a/roles/cups_server/handlers/main.yml b/roles/cups_server/handlers/main.yml
new file mode 100644
index 0000000..9c3bada
--- /dev/null
+++ b/roles/cups_server/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart cups
+ systemd:
+ name: cups
+ state: restarted
diff --git a/roles/cups_server/tasks/freeipa.yml b/roles/cups_server/tasks/freeipa.yml
new file mode 100644
index 0000000..0acb36d
--- /dev/null
+++ b/roles/cups_server/tasks/freeipa.yml
@@ -0,0 +1,58 @@
+- name: create admin group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_admin_group }}'
+ nonposix: no
+ state: present
+ run_once: yes
+
+- name: create HBAC service
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_hbac_service }}'
+ description: CUPS Print Server
+ state: present
+ run_once: yes
+
+- name: create cups-servers hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ cups_hbac_hostgroup }}'
+ description: CUPS Servers
+ host: "{{ groups[cups_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ run_once: yes
+
+- name: create HBAC rule for cups-admin
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_cups_on_cups_servers
+ description: Allow CUPS admin on CUPS servers
+ hostgroup: '{{ cups_hbac_hostgroup }}'
+ group: '{{ cups_admin_group }}'
+ hbacsvc: '{{ cups_hbac_service }}'
+ run_once: yes
+
+- name: generate pam configuration
+ copy:
+ content: |
+ auth required pam_sss.so
+ account required pam_sss.so
+ dest: /etc/pam.d/cups
+
+- name: create HTTP service principal
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'HTTP/{{ ansible_fqdn }}'
+ state: present
+
+- name: retrieve HTTP keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: 'HTTP/{{ ansible_fqdn }}'
+ keytab_path: /etc/krb5.keytab
diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml
new file mode 100644
index 0000000..b03916e
--- /dev/null
+++ b/roles/cups_server/tasks/main.yml
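Review bot: The `copy` task that writes /etc/pam.d/cups sets no `owner`, `group` or `mode`, so the PAM service file's permissions are whatever the remote umask yields; pin them explicitly, e.g. `owner: root`, `group: root`, `mode: '0644'`. The boolean-looking values in this file (`nonposix: no` and the `run_once: yes` lines) parse as booleans under YAML 1.1 but are flagged by yamllint's truthy rule; `false`/`true` is the portable spelling. `ipaadmin_password` is passed to every ipa* task; the ansible-freeipa modules mark it `no_log` as far as I know, but a task-level `no_log: true` is a cheap safeguard against verbose or custom callback output — confirm against the module versions in use. The hostgroup membership list appends the `ansible_domain` fact of whichever host the run_once task lands on to every member of `groups[cups_hostgroup]`, which assumes all CUPS servers share one DNS domain; worth a comment stating that assumption.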
@@ -0,0 +1,70 @@
+- name: install cups
+ dnf:
+ name: cups
+ state: present
+
+- name: create certificate directory
+ file:
+ path: /etc/pki/tls/cups
+ state: directory
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: cups
+ certificate_path: '{{ cups_certificate_path }}'
+ certificate_key_path: '{{ cups_certificate_key_path }}'
+ certificate_hook: systemctl restart cups
+
+- name: generate config files
+ template:
+ src: etc/cups/{{ item }}.j2
+ dest: /etc/cups/{{ item }}
+ owner: root
+ group: lp
+ mode: 0640
+ loop:
+ - cupsd.conf
+ - cups-files.conf
+ notify: restart cups
+
+- name: allow cups to listen on port 443
+ seport:
+ ports: 443
+ proto: tcp
+ setype: ipp_port_t
+ state: present
+ tags: selinux
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: enable cups
+ systemd:
+ name: cups
+ enabled: yes
+ state: started
+
+- name: forward port 80 to port 631
+ firewalld:
+ permanent: yes
+ immediate: yes
+ rich_rule: 'rule family={{ item }} forward-port port=80 protocol=tcp to-port=631'
+ state: enabled
+ loop:
+ - ipv4
+ - ipv6
+ tags: firewalld
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: '{{ item }}'
+ state: enabled
+ loop:
+ - ipp
+ - http
+ - https
+ tags: firewalld
diff --git a/roles/cups_server/templates/etc/cups/cups-files.conf.j2 b/roles/cups_server/templates/etc/cups/cups-files.conf.j2
new file mode 100644
index 0000000..4550bad
--- /dev/null
+++ b/roles/cups_server/templates/etc/cups/cups-files.conf.j2
@@ -0,0 +1,9 @@
+# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
+SystemGroup {{ cups_admin_group }}
+
+ServerKeychain /etc/pki/tls/cups
+CreateSelfSignedCerts no
+
+AccessLog syslog
+ErrorLog syslog
+PageLog syslog
diff --git a/roles/cups_server/templates/etc/cups/cupsd.conf.j2 b/roles/cups_server/templates/etc/cups/cupsd.conf.j2
new file mode 100644
index 0000000..a2a1032
--- /dev/null
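Review bot: The `create certificate directory` task makes /etc/pki/tls/cups with no `owner`, `group` or `mode`, yet `cups_certificate_key_path` puts the TLS private key in that directory and cups-files.conf points `ServerKeychain` at it; pin it, e.g. `owner: root`, `group: root`, `mode: '0700'` (the cupsd scheduler itself runs as root and reads the keychain, so root-only should suffice — confirm for this build). `mode: 0640` on the template task is an unquoted octal literal; Ansible accepts the leading-zero form, but `mode: '0640'` is the documented, parser-independent spelling. The `yes` values on `enabled`, `permanent` and `immediate` should be `true` for the same YAML 1.1/1.2 portability reason. The firewall tasks open `ipp`, `http` and `https` and forward 80 to 631; a one-line comment above the forward task stating that plaintext 631 is intentional because cupsd.conf sets `DefaultEncryption Required` would save the next reader from re-deriving that.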
+++ b/roles/cups_server/templates/etc/cups/cupsd.conf.j2 
@@ -0,0 +1,93 @@
+LogLevel info
+
+ServerName {{ ansible_fqdn }}
+ServerAdmin {{ cups_server_admin }}
+{% if cups_server_aliases %}
+ServerAlias {{ cups_server_aliases | join(' ') }}
+{% endif %}
+
+# Specifies the maximum size of the log files before they are rotated. The value "0" disables log rotation.
+MaxLogSize 1m
+
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
+Listen 631
+Listen /run/cups/cups.sock
+SSLPort 443
+
+# Show shared printers on the local network.
+Browsing Off
+BrowseLocalProtocols none
+
+# Default authentication type, when authentication is required...
+# Kerberos appears to be broken in cups >=2.2:
+# https://github.com/apple/cups/issues/5596
+DefaultAuthType Basic
+DefaultEncryption Required
+
+DefaultShared yes
+
+# Web interface setting...
+WebInterface Yes
+
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 0
+
+# Restrict access to the server...
+
+ Order allow,deny
+ Allow from All
+
+
+# Restrict access to the admin pages...
+
+ AuthType Default
+ Allow from All
+ Require user @SYSTEM
+ Order allow,deny
+
+
+# Set the default printer/job policies...
+
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+
+ Order deny,allow
+
+
+
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+ # All administration operations require an administrator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # All printer operations require a printer operator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+
+ Order deny,allow
+
+
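Review bot: The comment `# Only listen for connections from the local machine.` above `Listen 631` is carried over from the stock cupsd.conf and now contradicts the directive, which binds all interfaces (and tasks/main.yml opens `ipp` and forwards port 80 to 631 in the firewall); the same holds for `# Show shared printers on the local network.` above `Browsing Off`. Replace them with what the configuration actually does, e.g. `# Listen on all interfaces; TLS is on 443 and the firewall forwards 80 to 631.` and `# Do not advertise shared printers via DNS-SD; clients are configured explicitly.`. The `<Location>`, `<Policy>` and `<Limit>` container lines appear to have been stripped in this rendering (the bare `+` lines around `Order allow,deny` and `Allow from All`), so the nesting of the access rules cannot be verified from the page; check the committed file that the root location's `Allow from All` is the one paired with `DefaultEncryption Required` and that the admin location still carries `Require user @SYSTEM`. The Kerberos note already cites the upstream issue, which is good; adding the CUPS version this was tested against would make it easier to revisit when `DefaultAuthType Negotiate` becomes viable again.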
diff --git a/roles/cups_server/vars/main.yml b/roles/cups_server/vars/main.yml
new file mode 100644
index 0000000..98525bf
--- /dev/null
+++ b/roles/cups_server/vars/main.yml
@@ -0,0 +1,14 @@
+cups_hostgroup: cups_servers
+cups_certificate_path: /etc/pki/tls/cups/{{ ansible_fqdn }}.crt
+cups_certificate_key_path: /etc/pki/tls/cups/{{ ansible_fqdn }}.key
+
+cups_hbac_hostgroup: cups-servers
+cups_hbac_service: cups
+
+cups_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "cups-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|cups-${TIMESTAMP}|"
+ -C /etc/cups
+ ./ppd
+ ./printers.conf
-- cgit
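Review bot: `cups_archive_shell` is not referenced by any task in this commit, so its consumer (presumably a backup playbook elsewhere) cannot be checked from here; a one-line comment above it naming that consumer would help, e.g. `# Shell snippet run by the backup job: archives ppd/ and printers.conf from /etc/cups.`. Wherever it runs, the tarball lands in the caller's current directory with umask-derived permissions, and printers.conf can carry device URIs with embedded credentials, so the consumer should write the archive under a directory with a restrictive mode or set the umask first — worth confirming. The `>-` folded scalar joins the lines with single spaces, which is what a one-line shell command needs; the `;` after the TIMESTAMP assignment is what keeps it separate from the `tar` invocation, so a comment or a `|-` literal block would make that less fragile.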