diff --git a/defaults/main.yml b/defaults/main.yml
index 609c142..448b196 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,6 +12,9 @@ cups_listen_address: print.example.org cups_log_level: warn cups_server_admin: admin@example.com cups_remote_admin_enabled: False +cups_system_groups: + - sys + - root cups_iptables_enabled: False cups_open_ports:
diff --git a/tasks/install.yml b/tasks/install.yml
index 7603eb5..0e77048 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -23,9 +23,12 @@ - name: Deploy global config files template: - src: "etc/cups/cupsd.conf.j2" - dest: "/etc/cups/cupsd.conf" + src: "{{ item }}.j2" + dest: "/{{ item }}" mode: 0640 + loop: + - etc/cups/cupsd.conf + - etc/cups/cups-files.conf notify: __cupsd_restart - name: Update pamd rule's control in /etc/pam.d/cups
diff --git a/templates/etc/cups/cups-files.conf.j2 b/templates/etc/cups/cups-files.conf.j2
new file mode 100644
index 0000000..ae66ccc
--- /dev/null
+++ b/templates/etc/cups/cups-files.conf.j2
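Review bot: The new `cups_system_groups` default in defaults/main.yml carries no comment saying what membership in these groups grants. The template added in this commit feeds the value into `SystemGroup`, which is what `@SYSTEM` matches in cupsd.conf policy rules, so on hosts using the default every member of `sys` and `root` is treated as a CUPS administrator. I would add above the key `# Groups whose members are CUPS administrators (@SYSTEM in cupsd.conf); keep this list minimal`. Whether `sys` exists and is appropriate on every target distribution is not visible from this hunk and is worth confirming.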
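Review bot: The looped `template` task in tasks/install.yml sets `mode` but neither `owner` nor `group`, so ownership of /etc/cups/cups-files.conf is inherited from a pre-existing file or from whichever user the play runs as. That file now decides who counts as a CUPS administrator, so I would pin ownership explicitly, for example `owner: root` plus `group: "{{ cups_config_group }}"` (a variable name proposed here, not present in the role; the template's commented default group is `lp`). The same applies to cupsd.conf, which goes through the same loop.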
@@ -0,0 +1,95 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+#
+# File/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors config
+
+# Do we call fsync() after writing configuration or status files?
+#SyncOnClose No
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User lp
+#Group lp
+
+# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
+# This cannot contain the Group value for security reasons...
+SystemGroup {{ cups_system_groups }}
+
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm 0640
+#LogFilePerm 0644
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog /var/log/cups/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir /var/cache/cups
+
+# Location of data files used by the scheduler...
+#DataDir /usr/share/cups
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot /usr/share/doc/cups
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog /var/log/cups/error_log
+
+# Location of fonts used by older print filters...
+#FontPath /usr/share/cups/fonts
+
+# Location of LPD configuration
+#LPDConfigFile xinetd:///etc/xinetd.d/cups-lpd
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog /var/log/cups/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap /etc/printcap
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot /var/spool/cups
+
+# Location of helper programs...
+#ServerBin /usr/lib/cups
+
+# SSL/TLS keychain for the scheduler...
+#ServerKeychain ssl
+
+# Location of other configuration files...
+#ServerRoot /etc/cups
+
+# Location of Samba configuration file...
+#SMBConfigFile
+
+# Location of scheduler state files...
+#StateDir /var/run/cups
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir /var/spool/cups/tmp
diff --git a/templates/etc/cups/cupsd.conf.j2 b/templates/etc/cups/cupsd.conf.j2
index 84f022f..e0fe7ef 100644
--- a/templates/etc/cups/cupsd.conf.j2
+++ b/templates/etc/cups/cupsd.conf.j2
@@ -7,6 +7,7 @@ ServerAdmin {{ cups_server_admin }} ServerAlias {{ cups_listen_address }} +DefaultEncryption Never # Log general information in error_log - change "warn" to "debug" # for troubleshooting...
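Review bot: `SystemGroup {{ cups_system_groups }}` in cups-files.conf.j2 interpolates a YAML list directly, and Jinja2 renders a list as its Python representation. With the defaults added in defaults/main.yml the deployed line would read `SystemGroup ['sys', 'root']` instead of `SystemGroup sys root`. The directive takes space-separated group names, so the set of administrators that `@SYSTEM` resolves to would not be the one the operator configured; how cupsd reacts to the malformed names is not visible here and should be tested. I would change the line to `SystemGroup {{ cups_system_groups | join(' ') }}`.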
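Review bot: `DefaultEncryption Never` is hard-coded in cupsd.conf.j2, so every host managed by the role stops using TLS for authenticated requests with no way to opt out. Where `cups_remote_admin_enabled` is switched on and the policy uses Basic authentication, administrator credentials would then cross the network in clear text. I would make this a role variable with a safe default, e.g. `DefaultEncryption {{ cups_default_encryption | default('Required') }}` (variable name proposed here, not present in the role), and document the reason wherever `Never` is really needed. The rest of cupsd.conf.j2 lies outside this hunk, so any per-location `Encryption` overrides cannot be checked from here.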