Merge pull request #2858 from holta/cups-nginx

CUPS Printing: Spring Cleaning + NGINX fix for URL's like http://box/print + hardening of URL's like http://box/print/admin
2025-02-12 11:12:06 +00:00 · 2021-07-14 00:30:36 -04:00 · 2021-07-14 00:30:36 -04:00 · 7fccd87fed
commit 7fccd87fed
parent 9955aeddd4 4fb858bcf2
20 changed files with 364 additions and 105 deletions
--- a/roles/cups/README.md
+++ b/roles/cups/README.md
@ -0,0 +1,44 @@
+# CUPS Printing README
+
+## Web Administration
+
+Please administer CUPS at http://box/print using:
+
+- Username: `Admin`
+- Password: `changeme`
+
+Or use any Linux user that is a member of the Linux group: `lpadmin`
+
+## Security
+
+The above uses 'SystemGroup lpadmin' in `/etc/cups/cups-files.conf` &mdash; in coordination with about 15 '@SYSTEM' lines and 'DefaultAuthType Basic' in `/etc/cups/cupsd.conf`
+
+CUPS creates a 10-year (unsigned) https certificate during installation, that will be very confusing to non-technical users when they log in, as a result of modern browser warnings.
+
+## How it Works
+
+http://localhost:631 can be useful if NGINX redirects or CUPS permissions are set wrong.
+
+Beware that http://box:631 and http://box.lan:631 will not work, due to a [known issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027) with CUPS since 2009.
+
+Understand how IIAB configures CUPS for all IP addresses and all hostnames (despite the above CUPS problem!) by reading these in-line explanations:
+
+- [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml)
+
+Modify these 2 files at your own risk:
+
+- [/etc/cups/cupsd.conf](https://www.cups.org/doc/man-cupsd.conf.html) (run `sudo cupsctl` and `sudo cupsd -t` to verify the file!)
+- [/etc/nginx/conf.d/cups.conf](templates/cups.conf.j2)
+
+If you make modifications to the above files, don't forget to restart systemd services:
+
+```
+systemctl restart cups cups-browsed nginx
+```
+
+## Docs and Updates
+
+- https://www.cups.org/documentation.html
+  - https://github.com/apple/cups/releases
+- https://openprinting.github.io/cups/
+  - https://github.com/OpenPrinting/cups/releases/
--- a/roles/cups/tasks/enable-or-disable.yml
+++ b/roles/cups/tasks/enable-or-disable.yml
@ -1,9 +1,6 @@
- name: systemd daemon-reload
-  systemd:
-    daemon_reload: yes
-
- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (OS's other than Fedora 18)
+- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (if cups_enabled)
  systemd:
+    #daemon_reload: yes
    name: "{{ item }}"
    enabled: yes
    state: restarted
@ -11,21 +8,10 @@
    - cups
    - cups-browsed
  when: cups_enabled
-  #when: cups_enabled and not is_F18

-# - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops)
-#   systemd:
-#     name: cups
-#     state: started
-#     enabled: yes
-#   when: cups_enabled and is_F18
-
- name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled)
-  shell: "cupsctl --remote-admin"
-  when: cups_enabled
-
- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18)
+- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (if not cups_enabled)
  systemd:
+    #daemon_reload: yes
    name: "{{ item }}"
    enabled: no
    state: stopped
@ -33,11 +19,7 @@
    - cups
    - cups-browsed
  when: not cups_enabled
-  #when: not cups_enabled and not is_F18

-# - name: Disable & Stop 'cups' systemd service (Fedora 18, for XO laptops)
-#   systemd:
-#     name: cups
-#     enabled: no
-#     state: stopped
-#   when: not cups_enabled and is_F18
+
+- name: Enable/Disable/Restart NGINX
+  include_tasks: nginx.yml
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@ -1,12 +1,125 @@
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW...
+
+
 - name: Install 'cups' package
  package:
    name: cups
    state: present

- name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
-  template:
-    src: cupsd.conf
+# WARNING: 'apt install cups' AND 'apt install --reinstall cups'
+# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR
+# INSTALL OF CUPS EXISTED!  SO OPTION #1 OR #2 ARE NEEDED BELOW:
+
+# OPTION #1: OLD WAY (BRITTLE)
+#
+# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
+#   template:
+#     src: cupsd.conf.j2
+#     dest: /etc/cups/cupsd.conf
+
+# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!)
+
+- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT!  The file will now be created -- by ~4 stanzas below.  Also keep an eye on /var/log/cups/error_log
+  meta: noop
+
+- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups
+  copy:
+    src: /usr/share/cups/cupsd.conf.default
    dest: /etc/cups/cupsd.conf
+    owner: root
+    group: lp
+    mode: 0640
+    backup: yes
+
+# 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines
+# already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below.
+#
+# - name: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings)
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     #regexp:
+#     line: "{{ item }}"
+#     insertafter: '^<Location /admin>$'
+#   with_items:
+#     - "  Require user @SYSTEM"    # Will appear BELOW, in /etc/cups/cupsd.conf
+#     - "  AuthType Default"        # Will appear ABOVE, in /etc/cups/cupsd.conf
+
+- name: "CUPS web administration: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings.  This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf"
+  blockinfile:
+    path: /etc/cups/cupsd.conf
+    insertafter: '^<Location /admin>$'
+    block: |2    # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK"
+        AuthType Default
+        Require user @SYSTEM
+
+- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
+  user:
+    name: Admin
+    append: yes    # Don't clobber other groups, that other IIAB Apps might need.
+    groups: lpadmin
+    password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords
+    create_home: no
+    shell: /usr/sbin/nologin    # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false
+
+# - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf)
+#   #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin"
+#   #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin"
+#   user:
+#     name: "{{ iiab_admin_user }}"    # iiab-admin
+#     append: yes
+#     groups: lpadmin
+
+- name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW
+  systemd:
+    #daemon_reload: yes
+    name: cups
+    state: started
+
+# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
+#   command: cupsctl --remote-admin --share-printers --user-cancel-any
+
+# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER:
+# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW.
+# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!)
+
+- name: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
+  command: cupsctl --remote-any --share-printers --user-cancel-any
+
+# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml
+# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE*
+# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!)
+#
+# FYI repeated use of 'cupsctl' commands also removes comments and blank lines.
+#
+# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
+#   command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging
+#   when: not cups_enabled
+
+# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)"
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     line: "{{ item }}"
+#     insertbefore: '^Listen .*/run/cups/cups.sock$'    # Also matches old form: '^Listen /var/run/cups/cups.sock$'
+#   with_items:
+#     - "HostNameLookups On"    # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
+#     - "ServerAlias *"
+#     - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}"    # box.lan
+#     - "#Listen {{ lan_ip }}:631"    # 172.18.96.1
+#     - "#Listen 127.0.0.1:631"
+#     - "#Listen 0.0.0.0:631"
+#     - "#Listen *:631"
+
+# - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)"
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     regexp: '^MaxLogSize '
+#     insertbefore: 'Listen '
+#     firstmatch: yes
+#     line: "MaxLogSize 1m"    # CUPS Documentation (claims!) log rotation at "1m" is the default.  But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default
+
+# REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx)
+# LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT!


 # RECORD CUPS AS INSTALLED
--- a/roles/cups/tasks/main.yml
+++ b/roles/cups/tasks/main.yml
@ -1,10 +1,5 @@
-# Administer CUPS at http://box:631
-# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?)
-
-# TO DO:
-#
-# - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090.
-#   SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml


 # "How do i fail a task in Ansible if the variable contains a boolean value?
--- a/roles/cups/tasks/nginx.yml
+++ b/roles/cups/tasks/nginx.yml
@ -0,0 +1,16 @@
+- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template
+  template:
+    src: cups.conf.j2
+    dest: "{{ nginx_conf_dir }}/cups.conf"    # /etc/nginx/conf.d
+  when: cups_enabled
+
+- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf
+  file:
+    path: "{{ nginx_conf_dir }}/cups.conf"
+    state: absent
+  when: not cups_enabled
+
+- name: Restart 'nginx' systemd service
+  systemd:
+    name: nginx
+    state: restarted
--- a/roles/cups/templates/cups.conf
+++ b/roles/cups/templates/cups.conf
@ -1,2 +0,0 @@
-ProxyPass /cups http://localhost:631
-ProxyPassReverse /cups http://localhost:631
--- a/roles/cups/templates/cups.conf.j2
+++ b/roles/cups/templates/cups.conf.j2
@ -0,0 +1,73 @@
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml
+
+
+# 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying
+# (commented out below) has many glitches, e.g. CUPS' https connections etc.
+
+location ~ ^/print(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
+
+    # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since
+    # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using
+    # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE
+    # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
+
+    if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') {
+        return 301 http://localhost:631;    # Or http://127.0.0.1:631
+    }
+
+    if ($host ~ 'box(|.lan)') {    # /etc/hosts may have BOTH above AND box.lan
+        return 301 http://localhost:631;
+    }
+
+    return 301 http://$host:631;   # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC
+}
+
+
+# https://anthe.studio/blog/en/cups-nginx-reverse-proxy
+# https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/
+# https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/
+
+# location = /print {
+#     return 301 /print/;    # "Moved Permanently" redirect
+#     #rewrite /print /print/;    # Faster, if links are fixed!
+# }
+
+## location ~ ^/print(|/.*)$ {
+##     proxy_pass https://127.0.0.1:631$1;    # Fails: trailing slash nec here
+# location ~ ^/print/(.*) {
+#     proxy_pass https://127.0.0.1:631/$1;
+#
+#     #proxy_http_version 1.1;
+#     #proxy_set_header Accept-Encoding "";
+#     #proxy_set_header Upgrade $http_upgrade;
+#     #proxy_set_header Connection 'upgrade';
+#     proxy_set_header Host '127.0.0.1';
+#     proxy_cache_bypass $http_upgrade;
+#
+#     proxy_set_header X-Real-IP $remote_addr;
+#     #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+#     #proxy_set_header X-Forwarded-Host $server_name;
+#
+#     sub_filter ' href="/' ' href="/print/';
+#     sub_filter ' action="/' ' action="/print/';
+#     sub_filter ' src="/' ' src="/print/';
+#     #sub_filter 'ACTION="/' 'ACTION="/print/';
+#     #sub_filter 'URL=/' 'URL=/print/';
+#     sub_filter_types *;
+#     sub_filter_once off;
+# }
+
+# location ~ /cups/(.*) {
+#     proxy_pass http://127.0.0.1:631/$1;
+#     proxy_set_header Host '127.0.0.1';
+#     proxy_cache_bypass $http_upgrade;
+#     proxy_set_header X-Real-IP $remote_addr;
+#
+#     sub_filter ' href="/' ' href="/cups/';
+#     sub_filter ' action="/' ' action="/cups/';
+#     sub_filter ' src="/' ' src="/cups/';
+#     sub_filter_types *;
+#     sub_filter_once off;
+# }
--- a/roles/cups/templates/cupsd.conf.j2.unused
+++ b/roles/cups/templates/cupsd.conf.j2.unused
@ -1,8 +1,8 @@
 ServerAlias *
 LogLevel warn
 MaxLogSize 1m
-Listen {{ lan_ip }}:631
-Listen localhost:631
+#Listen {{ lan_ip }}:631
+Listen 127.0.0.1:631
 Listen /var/run/cups/cups.sock
 Browsing On
 BrowseLocalProtocols dnssd
--- a/roles/gitea/templates/gitea-nginx.conf.j2
+++ b/roles/gitea/templates/gitea-nginx.conf.j2
@ -1,3 +1,3 @@
 location {{ gitea_url }}/ {
-  proxy_pass http://127.0.0.1:{{ gitea_port }}/;
+    proxy_pass http://127.0.0.1:{{ gitea_port }}/;
 }
--- a/roles/kiwix/templates/kiwix-nginx.conf.j2
+++ b/roles/kiwix/templates/kiwix-nginx.conf.j2
@ -1,11 +1,11 @@
 location {{ kiwix_url }} {
-  proxy_set_header   X-Real-IP $remote_addr;
-  proxy_set_header   Host      $http_host;
-  proxy_http_version 1.1;
-  proxy_set_header Connection "";
-  proxy_connect_timeout {{ kiwix_nginx_timeout }};
-  proxy_send_timeout {{ kiwix_nginx_timeout }};
-  proxy_read_timeout {{ kiwix_nginx_timeout }};
-  send_timeout {{ kiwix_nginx_timeout }};
-  proxy_pass http://127.0.0.1:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host      $http_host;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_connect_timeout {{ kiwix_nginx_timeout }};
+    proxy_send_timeout {{ kiwix_nginx_timeout }};
+    proxy_read_timeout {{ kiwix_nginx_timeout }};
+    send_timeout {{ kiwix_nginx_timeout }};
+    proxy_pass http://127.0.0.1:3000;
 }
--- a/roles/kolibri/templates/kolibri-nginx.conf.j2
+++ b/roles/kolibri/templates/kolibri-nginx.conf.j2
@ -1,8 +1,8 @@
 location {{ kolibri_url }} {
-    proxy_set_header        Host            $http_host;
-    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   {{ kolibri_url_without_slash }};
+    proxy_set_header Host            $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme        $scheme;
+    proxy_set_header X-Script-Name   {{ kolibri_url_without_slash }};
    proxy_pass http://127.0.0.1:8009;
 }

--- a/roles/lokole/templates/lokole-nginx.conf.j2
+++ b/roles/lokole/templates/lokole-nginx.conf.j2
@ -1,14 +1,14 @@
 location = {{ lokole_url }}/favicon.ico {
-  alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico;
+    alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico;
 }

 location ~ ^{{ lokole_url }}/static/(.*)$ {
-  alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1;
+    alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1;
 }

 location {{ lokole_url }}/ {
-  proxy_set_header Host $http_host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_pass http://unix:/{{ lokole_domain_socket }};
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://unix:/{{ lokole_domain_socket }};
 }
--- a/roles/mediawiki/templates/mediawiki-nginx.conf.j2
+++ b/roles/mediawiki/templates/mediawiki-nginx.conf.j2
@ -5,25 +5,28 @@
 # $wgUsePathInfo = true;

 location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php$ {
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		fastcgi_pass php; # or whatever port your PHP-FPM listens on
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_pass php; # or whatever port your PHP-FPM listens on
 }

 # Images
 location /{{ mediawiki_symlink }}/images {
    # Separate location for images/ so .php execution won't apply
 }
+
 location /{{ mediawiki_symlink }}/images/deleted {
    # Deny access to deleted images folder
    deny all;
 }
+
 # MediaWiki assets (usually images)
 location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) {
    try_files $uri 404;
    add_header Cache-Control "public";
    expires 7d;
 }
+
 # Assets, scripts and styles from skins and extensions
 location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ {
    try_files $uri 404;
@ -31,16 +34,15 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg
    expires 7d;
 }

-
 ## Uncomment the following code if you wish to use the installer/updater
 ## installer/updater
 #location /{{ mediawiki_symlink }}/mw-config/ {
-#	# Do this inside of a location so it can be negated
-#	location ~ \.php$ {
-#		include /etc/nginx/fastcgi_params;
-#		fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name;
-#		fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
-#	}
+#    # Do this inside of a location so it can be negated
+#    location ~ \.php$ {
+#        include /etc/nginx/fastcgi_params;
+#        fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name;
+#        fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
+#    }
 #}

 # Handling for the article path (pretty URLs)
--- a/roles/munin/templates/munin24-nginx.conf.j2
+++ b/roles/munin/templates/munin24-nginx.conf.j2
@ -1,4 +1,4 @@
-location  /munin {
-  alias /var/cache/munin/www/ ;
-  try_files $uri $uri/ /index.html;
+location /munin {
+    alias /var/cache/munin/www/ ;
+    try_files $uri $uri/ /index.html;
 }
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -10,7 +10,7 @@

 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.

-3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
+3. Current state of IIAB App/Service migrations as of 2021-07-13: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*

   1. These support "Native" NGINX but ***NOT*** Apache

@ -41,13 +41,13 @@

   3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.

-      * elgg
+      * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?]

   4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations).  In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)

      * bluetooth
      * calibre (menu goes directly to port 8080)
-      * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)]
+      * cups (NGINX redirects http://box/print to port 631, changing hostname as appropriate, per [PR #2858](https://github.com/iiab/iiab/pull/2858))
      * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)]
      * kalite (menu goes directly to ports 8006-8008)
      * minetest
@ -60,4 +60,4 @@
      * transmission
      * vnstat

-[*] The 4 above starred roles could use improvement, as of 2021-07-06.
+[*] The 4 above starred roles could use improvement, as of 2021-07-13.
--- a/roles/nginx/templates/iiab.conf.j2
+++ b/roles/nginx/templates/iiab.conf.j2
@ -30,11 +30,11 @@ location /js-menu/ {
 location /software/ {
    fancyindex on;              # Enable fancy indexes.
    fancyindex_exact_size off;  # Output human-readable file sizes.
-     location ~* \.(apk)$ {
+    location ~* \.(apk)$ {
        add_header Content-Type application/vnd.android.package-archive;
-        }
+    }

-      location ~* \.(zim)$ {
+    location ~* \.(zim)$ {
        add_header Content-Type application/zip;
-        }
+    }
 }
--- a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2
+++ b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2
@ -1,7 +1,8 @@
 # For downloadable regional vector tilesets
 location ~ ^/maps {
-   rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1;
+    rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1;
 }
+
 location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
    alias /library/www/osm-vector-maps$1.php$2;    # /library/www/osm-vector-maps
    proxy_set_header X-Real-IP  $remote_addr;
@ -11,10 +12,11 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
    fastcgi_index index.html;
    include fastcgi_params;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
-    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
-    fastcgi_param   PATH_INFO          $2;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
+    fastcgi_param PATH_INFO       $2;
 }
+
 location ~ ^/osm-vector-maps/ {
-   root /library/www;
+    root /library/www;
 }
--- a/roles/sugarizer/templates/sugarizer-nginx.conf.j2
+++ b/roles/sugarizer/templates/sugarizer-nginx.conf.j2
@ -2,9 +2,9 @@
 # If you need to change this, edit /etc/iiab/local_vars.yml prior to installing

 location /sugarizer {
-   proxy_set_header Host            $http_host;
-   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-   proxy_set_header X-Scheme        $scheme;
-   proxy_set_header X-Script-Name   /sugarizer;
-   proxy_pass http://127.0.0.1:{{ sugarizer_port }};
+    proxy_set_header Host            $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme        $scheme;
+    proxy_set_header X-Script-Name   /sugarizer;
+    proxy_pass http://127.0.0.1:{{ sugarizer_port }};
 }
--- a/roles/wordpress/templates/wordpress-nginx.conf.j2
+++ b/roles/wordpress/templates/wordpress-nginx.conf.j2
@ -1,20 +1,19 @@
-location {{ wp_url }} { 
+location {{ wp_url }} {
    #rewrite_log on;
    root {{ content_base }};
    try_files $uri $uri/ /wordpress/index.php$is_args$args;
-    
+
    location ~ .*\.php$ {
-          
-          include fastcgi_params;
-          fastcgi_pass php;
-          fastcgi_index index.php;         
-          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;          
-       }
-    
-    location ~ ^({{ wp_url }})(/.*)/$ {           
-          include fastcgi_params;
-          fastcgi_pass php;
-          fastcgi_index index.php;          
-          fastcgi_param   SCRIPT_FILENAME    {{ wp_abs_path }}/index.php;          
-       }         
+        include fastcgi_params;
+        fastcgi_pass php;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    location ~ ^({{ wp_url }})(/.*)/$ {
+        include fastcgi_params;
+        fastcgi_pass php;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php;
+    }
 }
--- a/test.yml
+++ b/test.yml
@ -0,0 +1,35 @@
+# TEST ANSIBLE COMMANDS/MODULES IN SECONDS -- BY RUNNING:
+# ansible-playbook -i ansible_hosts test.yml --connection=local
+
+- hosts: all
+  become: yes    # Optional privilege escalation
+
+  #vars_files:
+  #- roles/0-init/defaults/main.yml
+  #- vars/default_vars.yml
+  #- vars/{{ ansible_local.local_facts.os_ver }}.yml
+  #- /etc/iiab/local_vars.yml
+  #- /etc/iiab/iiab_state.yml
+
+  #roles:
+  #  - { role: 0-init }
+
+  tasks:
+
+  #- include_role:
+  #    name: 0-init
+
+  - debug:
+      msg: "{{ 'changeme' | password_hash('sha512') }}"
+
+  #- pause:
+
+  - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description
+    debug:
+      msg: '"''"'    # FAILS: '"\'"'
+
+  - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml
+    debug:
+      msg: "'\"'"    # FAILS: "'""'"
+
+  # TEST ANSIBLE COMMANDS/MODULES HERE!