diff --git a/defaults/main.yml b/defaults/main.yml
index 7f37292..c2d0191 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,26 @@
---
# not working currently
cups_version: 2.2.10
+
+cups_bind_url:
+ - localhost:631
+
+cups_listen_address: print.rknet.org
+
+cups_log_level: warn
+cups_server_admin: admin@example.com
+
+cups_tls_cert_path: "{{ cups_base_dir }}/tls/certs/mycert.pem"
+cups_tls_key_path: "{{ cups_base_dir }}/tls/private/mykey.pem"
+cups_tls_cert_source: mycert.pem
+cups_tls_key_source: mykey.pem
+
+cups_nginx_vhost_enabled: False
+cups_nginx_server: localhost
+cups_nginx_proxy_url: "{{ cups_bind_url[0] }}"
+cups_nginx_vhost_dir: /etc/nginx/sites-available
+cups_nginx_vhost_symlink: /etc/nginx/sites-enabled
+cups_nginx_iptables_enabled: False
+cups_nginx_tls_enabled: False
+cups_nginx_tls_cert_file: cups-cert.pem
+cups_nginx_tls_key_file: cups-key.pem
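Review bot: The four new flags (`cups_nginx_vhost_enabled: False` through `cups_nginx_tls_enabled: False`) should be written `false`; Ansible accepts both spellings, but `False` trips yamllint's `truthy` rule and mixes Python and YAML forms in one file. More importantly, these defaults proxy the CUPS web UI over plain HTTP (TLS off, vhost on port 80) while the bundled cupsd.conf sets `DefaultAuthType Basic`, so admin credentials cross the network in clear unless a consumer flips `cups_nginx_tls_enabled` — consider defaulting it to `true`, or at least a comment beside it naming that consequence. `cups_listen_address: print.rknet.org` is an environment-specific hostname leaking into role defaults; a placeholder like `cups.example.com`, matching `admin@example.com` above, is the convention. Finally, `cups_nginx_proxy_url` inherits `localhost:631`, which is only meaningful when `cups_nginx_server` is the CUPS host itself — a comment stating that same-host assumption would save a confused deployment.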
diff --git a/handlers/main.yml b/handlers/main.yml
index 7808a2a..43fba61 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,10 +1,19 @@
---
- name: Restart service
systemd:
- name: cupsd
+ name: org.cups.cupsd
state: restarted
daemon_reload: yes
enabled: yes
listen: __cupsd_restart
become: True
become_user: root
+
+- name: Reload nginx
+ systemd:
+ state: reloaded
+ name: nginx
+ listen: __nginx_reload
+ delegate_to: "{{ cups_nginx_server }}"
+ become: True
+ become_user: root
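Review bot: Both handlers use the YAML 1.1 spellings `daemon_reload: yes` / `enabled: yes` next to `become: True`; pick the canonical `true` throughout (`daemon_reload: true`, `enabled: true`, `become: true`) so yamllint's `truthy` check passes and the file reads consistently. `become_user: root` is already the default for `become: true` and can be dropped from both handlers. The rename to `org.cups.cupsd` assumes the Fedora/RHEL unit name; since the role also targets a custom `cups_version` build, a variable for the unit name would let the same handler work where the unit is still `cups.service`.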
diff --git a/tasks/install.yml b/tasks/install.yml
index 63a641a..8729c4a 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -13,5 +13,12 @@
yum:
name: "{{ __cups_rpm_files }}"
state: present
+
+ - name: Deploy global config files
+ template:
+ src: "etc/cups/cupsd.conf.j2"
+ dest: "/etc/cups/cupsd.conf"
+ mode: 0640
+ notify: __cupsd_restart
become: True
become_user: root
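Review bot: The new "Deploy global config files" task writes `mode: 0640` as an unquoted octal and sets no `owner`/`group`; quote the mode (`mode: '0640'`) as Ansible's docs recommend, and set ownership explicitly (`owner: root` plus the group the distribution uses for cupsd.conf — `lp` on Fedora/RHEL) so a file that was previously group-readable by the CUPS group does not silently change permissions. Because the notified handler restarts cupsd unconditionally, a template that renders to an invalid file takes the print service down; adding `validate: 'cupsd -t -c %s'` lets cupsd reject the rendered file before it replaces the live one (confirm that invocation is supported by the packaged cups_version). The enclosing block with `become` begins before this hunk.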
diff --git a/tasks/main.yml b/tasks/main.yml
index a48ceb8..2e8e76c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,5 @@
---
- include_tasks: install.yml
+- import_tasks: nginx.yml
+ when: cups_nginx_vhost_enabled
+- include_tasks: post_tasks.yml
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..ab5c641
--- /dev/null
+++ b/tasks/nginx.yml
@@ -0,0 +1,48 @@
+---
+- block:
+ - name: Copy certs and private key to nginx proxy
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ cups_tls_key_source }}", dest: '/etc/pki/tls/private/{{ cups_nginx_tls_key_file }}', mode: '0600' }
+ - { src: "{{ cups_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ cups_nginx_tls_cert_file }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ notify: __nginx_reload
+ delegate_to: "{{ cups_nginx_server }}"
+ when: cups_nginx_tls_enabled
+ become: True
+ become_user: root
+ tags: tls_renewal
+
+- block:
+ - name: Add vhost configuration file
+ template:
+ src: nginx/vhost.j2
+ dest: "{{ cups_nginx_vhost_dir }}/cups"
+ owner: root
+ group: root
+ mode: 0640
+ notify: __nginx_reload
+
+ - name: Enable cups vhost
+ file:
+ src: "{{ cups_nginx_vhost_dir }}/cups"
+ dest: "{{ cups_nginx_vhost_symlink }}/cups"
+ owner: root
+ group: root
+ state: link
+ notify: __nginx_reload
+ when: cups_nginx_vhost_symlink is defined
+
+ - name: Open ports in iptables
+ iptables_raw:
+ name: allow_cups_nginx_proxy
+ state: present
+ rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ cups_nginx_proxy_url | urlsplit("hostname") }} --dport {{ cups_nginx_proxy_url | urlsplit("port") }} -j ACCEPT'
+ when: cups_nginx_iptables_enabled
+ delegate_to: "{{ cups_nginx_server }}"
+ become: True
+ become_user: root
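Review bot: The iptables rule in the last task does not render with the default `cups_nginx_proxy_url` (`localhost:631`): Ansible's `urlsplit` wraps Python's `urllib.parse.urlsplit`, and a scheme-less `host:port` yields no `hostname`/`port` (they come back as `None`), so the rule becomes `-d None --dport None` and the module errors out. Either give the variable a scheme (`http://localhost:631`) and strip it in the vhost template, or split on the colon here: `-d {{ cups_nginx_proxy_url.split(':')[0] }} --dport {{ cups_nginx_proxy_url.split(':')[1] }}`. Separately, the certificate is copied with `mode: '0750'` — a certificate is public data and needs no execute bit, so `'0644'` matches what `/etc/pki/tls/certs` normally holds, while the key's `'0600'` is right. The copy task also leaves `owner`/`group` unset; under `become` they default to root, which is what nginx needs to read the key at startup, but stating `owner: root` / `group: root` explicitly guards against a future non-root run.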
diff --git a/tasks/post_tasks.yml b/tasks/post_tasks.yml
new file mode 100644
index 0000000..266720b
--- /dev/null
+++ b/tasks/post_tasks.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure cups service is up and running
+ systemd:
+ name: org.cups.cupsd
+ state: started
+ daemon_reload: yes
+ enabled: yes
+ become: True
+ become_user: root
diff --git a/templates/etc/cups/cupsd.conf.j2 b/templates/etc/cups/cupsd.conf.j2
new file mode 100644
index 0000000..bd35603
--- /dev/null
+++ b/templates/etc/cups/cupsd.conf.j2
@@ -0,0 +1,188 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+#
+# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+ServerAdmin {{ cups_server_admin }}
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel {{ cups_log_level | lower }}
+PageLogFormat
+
+# Only listen for connections from the local machine.
+{% for item in cups_bind_url %}
+Listen {{ item }}
+{% endfor %}
+Listen /var/run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+
+# Web interface setting...
+WebInterface Yes
+
+# Restrict access to the server...
+
+ Order allow,deny
+
+
+# Restrict access to the admin pages...
+
+ Order allow,deny
+
+
+# Restrict access to configuration files...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order allow,deny
+
+
+# Restrict access to log files...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order allow,deny
+
+
+# Set the default printer/job policies...
+
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+
+ Order deny,allow
+
+
+
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+ # All administration operations require an administrator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # All printer operations require a printer operator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+
+ Order deny,allow
+
+
+
+# Set the authenticated printer/job policies...
+
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+
+ AuthType Default
+ Order deny,allow
+
+
+
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+ # All administration operations require an administrator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # All printer operations require a printer operator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+
+ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+
+ Order deny,allow
+
+
+
+# Set the kerberized printer/job policies...
+
+ # Job/subscription privacy...
+ JobPrivateAccess default
+ JobPrivateValues default
+ SubscriptionPrivateAccess default
+ SubscriptionPrivateValues default
+
+ # Job-related operations must be done by the owner or an administrator...
+
+ AuthType Negotiate
+ Order deny,allow
+
+
+
+ AuthType Negotiate
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+ # All administration operations require an administrator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # All printer operations require a printer operator to authenticate...
+
+ AuthType Default
+ Require user @SYSTEM
+ Order deny,allow
+
+
+ # Only the owner or an administrator can cancel or authenticate a job...
+
+ AuthType Negotiate
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+
+
+
+ Order deny,allow
+
+
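Review bot: The `Location /` and `Location /admin` stanzas (the two bare `Order allow,deny` blocks near the top) carry no `Allow` line, and `Order allow,deny` denies by default, so the only client cupsd accepts is localhost, which CUPS always permits; that works while nginx runs on the CUPS host but yields 403 the moment `cups_nginx_server` is a different machine (which would also need a non-loopback `Listen`). Either document the same-host assumption in the template header or template it: `Allow from {{ cups_nginx_server }}` inside those two blocks when the proxy is remote. The `<Location>`, `<Limit>` and `<Policy>` container lines are not visible in this rendering of the hunk — presumably stripped as markup — so I am assuming they exist in the template; if they do not, cupsd rejects the file. `Browsing On` with `BrowseLocalProtocols dnssd` and `WebInterface Yes` are hard-coded here; for a server reached only through a reverse proxy, exposing them as variables (e.g. `cups_browsing: false`) lets consumers turn off the mDNS advertisement they do not need.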
diff --git a/templates/nginx/vhost.j2 b/templates/nginx/vhost.j2
new file mode 100644
index 0000000..1c9d8df
--- /dev/null
+++ b/templates/nginx/vhost.j2
@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_cups {
+ server {{ cups_nginx_proxy_url }};
+}
+
+server {
+ listen 80;
+ server_name {{ cups_listen_address }};
+
+ {% if cups_nginx_tls_enabled %}
+ return 301 https://$server_name$request_uri;
+ {% else %}
+ location / {
+ proxy_pass http://backend_cups;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ {% endif %}
+}
+
+{% if cups_nginx_tls_enabled %}
+server {
+ listen 443 ssl;
+ server_name {{ cups_listen_address }};
+
+ location / {
+ proxy_pass http://backend_cups;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ ssl_certificate /etc/pki/tls/certs/{{ cups_nginx_tls_cert_file }};
+ ssl_certificate_key /etc/pki/tls/private/{{ cups_nginx_tls_key_file }};
+}
+{% endif %}
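Review bot: `proxy_set_header Host $host` forwards the public name to cupsd, and CUPS 2.x rejects requests whose `Host:` header matches neither `ServerName`/`ServerAlias` nor localhost (400 plus an "invalid Host: header" log line); the cupsd.conf template in this commit sets neither, so either add `ServerAlias {{ cups_listen_address }}` there or send `proxy_set_header Host localhost;` here — confirm against the packaged version. The TLS server block relies entirely on nginx's built-in defaults — no `ssl_protocols`, `ssl_ciphers` or HSTS — so an older nginx will still offer TLSv1.0/1.1; at minimum add `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` inside the `listen 443 ssl` server. When TLS is off, the port-80 server proxies the CUPS web UI — including its Basic-auth logins — in clear text, so the non-TLS path deserves a comment marking it lab-only rather than the default.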