add nginx vhost and base cupsd config

defaults/main.yml

@@ -1,3 +1,26 @@
 ---
 # not working currently
 cups_version: 2.2.10
+
+cups_bind_url:
+ - localhost:631
+
+cups_listen_address: print.rknet.org
+
+cups_log_level: warn
+cups_server_admin: admin@example.com
+
+cups_tls_cert_path: "{{ cups_base_dir }}/tls/certs/mycert.pem"
+cups_tls_key_path: "{{ cups_base_dir }}/tls/private/mykey.pem"
+cups_tls_cert_source: mycert.pem
+cups_tls_key_source: mykey.pem
+
+cups_nginx_vhost_enabled: False
+cups_nginx_server: localhost
+cups_nginx_proxy_url: "{{ cups_bind_url[0] }}"
+cups_nginx_vhost_dir: /etc/nginx/sites-available
+cups_nginx_vhost_symlink: /etc/nginx/sites-enabled
+cups_nginx_iptables_enabled: False
+cups_nginx_tls_enabled: False
+cups_nginx_tls_cert_file: cups-cert.pem
+cups_nginx_tls_key_file: cups-key.pem

handlers/main.yml

@@ -1,10 +1,19 @@
 ---
 - name: Restart service
   systemd:
-    name: cupsd
+    name: org.cups.cupsd
     state: restarted
     daemon_reload: yes
     enabled: yes
   listen: __cupsd_restart
   become: True
   become_user: root
+
+- name: Reload nginx
+  systemd:
+    state: reloaded
+    name: nginx
+  listen: __nginx_reload
+  delegate_to: "{{ cups_nginx_server }}"
+  become: True
+  become_user: root

tasks/install.yml

@@ -13,5 +13,12 @@
       yum:
         name: "{{ __cups_rpm_files }}"
         state: present
+
+    - name: Deploy global config files
+      template:
+        src: "etc/cups/cupsd.conf.j2"
+        dest: "/etc/cups/cupsd.conf"
+        mode: 0640
+      notify: __cupsd_restart
   become: True
   become_user: root

tasks/main.yml

@@ -1,2 +1,5 @@
 ---
 - include_tasks: install.yml
+- import_tasks: nginx.yml
+  when: cups_nginx_vhost_enabled
+- include_tasks: post_tasks.yml

tasks/nginx.yml

@@ -0,0 +1,48 @@
+---
+- block:
+    - name: Copy certs and private key to nginx proxy
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      with_items:
+        - { src: "{{ cups_tls_key_source }}", dest: '/etc/pki/tls/private/{{ cups_nginx_tls_key_file }}', mode: '0600' }
+        - { src: "{{ cups_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ cups_nginx_tls_cert_file }}', mode: '0750' }
+      loop_control:
+        label: "{{ item.dest }}"
+      notify: __nginx_reload
+  delegate_to: "{{ cups_nginx_server }}"
+  when: cups_nginx_tls_enabled
+  become: True
+  become_user: root
+  tags: tls_renewal
+
+- block:
+    - name: Add vhost configuration file
+      template:
+        src: nginx/vhost.j2
+        dest: "{{ cups_nginx_vhost_dir }}/cups"
+        owner: root
+        group: root
+        mode: 0640
+      notify: __nginx_reload
+
+    - name: Enable cups vhost
+      file:
+        src: "{{ cups_nginx_vhost_dir }}/cups"
+        dest: "{{ cups_nginx_vhost_symlink }}/cups"
+        owner: root
+        group: root
+        state: link
+      notify: __nginx_reload
+      when: cups_nginx_vhost_symlink is defined
+
+    - name: Open ports in iptables
+      iptables_raw:
+        name: allow_cups_nginx_proxy
+        state: present
+        rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ cups_nginx_proxy_url | urlsplit("hostname") }} --dport {{ cups_nginx_proxy_url | urlsplit("port") }} -j ACCEPT'
+      when: cups_nginx_iptables_enabled
+  delegate_to: "{{ cups_nginx_server }}"
+  become: True
+  become_user: root

tasks/post_tasks.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure cups service is up and running
+  systemd:
+    name: org.cups.cupsd
+    state: started
+    daemon_reload: yes
+    enabled: yes
+  become: True
+  become_user: root

templates/etc/cups/cupsd.conf.j2

@@ -0,0 +1,188 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+#
+# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+ServerAdmin {{ cups_server_admin }}
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel {{ cups_log_level | lower }}
+PageLogFormat
+
+# Only listen for connections from the local machine.
+{% for item in cups_bind_url %}
+Listen {{ item }}
+{% endfor %}
+Listen /var/run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+
+# Web interface setting...
+WebInterface Yes
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  Order allow,deny
+</Location>
+
+# Restrict access to configuration files...
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+    # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the authenticated printer/job policies...
+<Policy authenticated>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+    # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the kerberized printer/job policies...
+<Policy kerberos>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>

templates/nginx/vhost.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_cups {
+    server {{ cups_nginx_proxy_url }};
+}
+
+server {
+    listen 80;
+    server_name {{ cups_listen_address }};
+
+    {% if cups_nginx_tls_enabled %}
+    return 301 https://$server_name$request_uri;
+    {% else %}
+    location / {
+        proxy_pass http://backend_cups;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    {% endif %}
+}
+
+{% if cups_nginx_tls_enabled %}
+server {
+    listen              443 ssl;
+    server_name         {{ cups_listen_address }};
+
+    location / {
+        proxy_pass http://backend_cups;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    ssl_certificate /etc/pki/tls/certs/{{ cups_nginx_tls_cert_file }};
+    ssl_certificate_key /etc/pki/tls/private/{{ cups_nginx_tls_key_file }};
+}
+{% endif %}