From 25211d342e8ff85bff1dc8c39ffdf567e0885a4a Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Fri, 30 Apr 2021 12:36:28 -0400 Subject: [PATCH 01/25] Update cups.conf Reverse-proxy cups with nginx
---
roles/cups/templates/cups.conf | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf
index 8cf2b199f..af5fef5e3 100644
--- a/roles/cups/templates/cups.conf
+++ b/roles/cups/templates/cups.conf
@@ -1,2 +1,18 @@
-ProxyPass /cups http://localhost:631
-ProxyPassReverse /cups http://localhost:631
+location ~ /cups/(.*) {
+ proxy_pass https://127.0.0.1:631/$1;
+
+ proxy_http_version 1.1;
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host '127.0.0.1';
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ sub_filter ' href="/' ' href="/cups/';
+ sub_filter ' action="/' ' action="/cups/';
+ sub_filter ' src="/' ' src="/cups/';
+ sub_filter_types *;
+ sub_filter_once off;
+}
From 4d88529770c677ce61ddf561d878b546da6c8784 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Fri, 30 Apr 2021 13:32:42 -0400 Subject: [PATCH 02/25] Create nginx.yml
---
roles/cups/tasks/nginx.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 roles/cups/tasks/nginx.yml
diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml
new file mode 100644
index 000000000..f1fb802b1
--- /dev/null
+++ b/roles/cups/tasks/nginx.yml
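Review bot: The regex `location ~ /cups/(.*)` is unanchored, so it matches any URI that merely contains `/cups/` (for example `/foo/cups/bar`) and hands the captured tail to cupsd; anchor it as `location ~ ^/cups/(.*)$ {`. Because the `proxy_pass` URI is built from a variable, nginx does not append the client's query string, so `proxy_pass https://127.0.0.1:631/$1;` drops the `?OP=...`-style parameters the CUPS web pages use — write `proxy_pass http://127.0.0.1:631/$1$is_args$args;` (the `https` scheme also does not match cupsd's plain-HTTP listener on 631, which is presumably why patch 03 changes it to `http`). Note for the record that this location makes the whole CUPS web interface, including `/cups/admin`, reachable by every LAN client with only the authentication cupsd itself enforces for those paths.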
@@ -0,0 +1,16 @@
+- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template
+ template:
+ src: cups.conf
+ dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d
+ when: cups_enabled
+
+- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf
+ file:
+ path: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d
+ state: absent
+ when: not cups_enabled
+
+- name: Restart 'nginx' systemd service
+ systemd:
+ name: nginx
+ state: restarted
From 6e4984cdba15795542bff64d23ea626fe5479214 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Sat, 1 May 2021 18:38:18 -0400 Subject: [PATCH 03/25] Update cups.conf
---
roles/cups/templates/cups.conf | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf
index af5fef5e3..30cb7de11 100644
--- a/roles/cups/templates/cups.conf
+++ b/roles/cups/templates/cups.conf
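Review bot: The `Restart 'nginx' systemd service` task is unconditional, so every run of this role bounces nginx for every other service it fronts, even when `cups.conf` did not change and even when `cups_enabled` is false (patch 16 later wires this same file in via `include_tasks: nginx.yml`, so the restart then runs on every cups role invocation). `state: reloaded` is the smaller blast radius: existing connections survive, and if the freshly templated `cups.conf` fails to parse nginx keeps serving its old configuration instead of staying down. Better still, `register` the template and file tasks and run the reload only `when:` one of them reports changed, or move it to a handler. As written, a single syntax error in the template takes every IIAB web service offline.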
@@ -1,18 +1,21 @@ -location ~ /cups/(.*) { - proxy_pass https://127.0.0.1:631/$1; +server { + listen 631; + location ~ /cups/(.*) { + proxy_pass http://127.0.0.1:631/$1; - proxy_http_version 1.1; - proxy_set_header Accept-Encoding ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; + proxy_http_version 1.1; + proxy_set_header Accept-Encoding ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host '127.0.0.1'; + proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Real-IP $remote_addr; - sub_filter ' href="/' ' href="/cups/'; - sub_filter ' action="/' ' action="/cups/'; - sub_filter ' src="/' ' src="/cups/'; - sub_filter_types *; - sub_filter_once off; + sub_filter ' href="/' ' href="/cups/'; + sub_filter ' action="/' ' action="/cups/'; + sub_filter ' src="/' ' src="/cups/'; + sub_filter_types *; + sub_filter_once off; + } } From 73cea8a15c2a6fc26e7b7c0ca11d768fd985e69c Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Sat, 1 May 2021 18:39:20 -0400 Subject: [PATCH 04/25] Update cups.conf --- roles/cups/templates/cups.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index 30cb7de11..e72556e47 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf @@ -1,6 +1,6 @@ server { listen 631; - location ~ /cups/(.*) { + location /cups/(.*) { proxy_pass http://127.0.0.1:631/$1; proxy_http_version 1.1; From f343834206ee9d668d9cb0a111e33e14af9322db Mon Sep 17 00:00:00 2001 
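Review bot: The new `server { listen 631; ... }` block tells nginx to bind TCP port 631, the same port cupsd already listens on (`Listen localhost:631` in cupsd.conf, visible later in this series), so nginx will very likely fail to start or reload with an address-in-use error; even if it did bind, LAN clients on `:631` would then reach nginx rather than cupsd. The location belongs inside the existing IIAB `server` block on port 80, as the first revision of this file had it, not in a new server on cupsd's port.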
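Review bot: Dropping the `~` turns `location /cups/(.*) {` into a prefix match on the literal string `/cups/(.*)`, which no real request path contains, and without a regex there is no capture group, so `$1` in the `proxy_pass` line below is empty (or rejected at config load). Keep the regex, anchored: `location ~ ^/cups/(.*)$ {`.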
From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Sat, 1 May 2021 22:16:00 -0400 Subject: [PATCH 05/25] Update cups.conf --- roles/cups/templates/cups.conf | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index e72556e47..2e76e1e2b 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf @@ -1,21 +1,18 @@ -server { - listen 631; - location /cups/(.*) { - proxy_pass http://127.0.0.1:631/$1; +location ~ /cups/(.*) { + proxy_pass http://127.0.0.1:631/$1; - proxy_http_version 1.1; - proxy_set_header Accept-Encoding ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; + proxy_http_version 1.1; + proxy_set_header Accept-Encoding ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host '127.0.0.1'; + proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Real-IP $remote_addr; - sub_filter ' href="/' ' href="/cups/'; - sub_filter ' action="/' ' action="/cups/'; - sub_filter ' src="/' ' src="/cups/'; - sub_filter_types *; - sub_filter_once off; - } -} + sub_filter ' href="/' ' href="/cups/'; + sub_filter ' action="/' ' action="/cups/'; + sub_filter ' src="/' ' src="/cups/'; + sub_filter_types *; + sub_filter_once off; +} From 5f8514af7752e7333c750a9f96a3a44706276ac6 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 10:55:27 -0400 Subject: [PATCH 06/25] Update cups.conf --- roles/cups/templates/cups.conf | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index 2e76e1e2b..07e754ac7 100644 --- a/roles/cups/templates/cups.conf 
+++ b/roles/cups/templates/cups.conf @@ -1,18 +1,10 @@ -location ~ /cups/(.*) { +location ~ /print/(.*) { proxy_pass http://127.0.0.1:631/$1; - - proxy_http_version 1.1; - proxy_set_header Accept-Encoding ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; - - proxy_set_header X-Real-IP $remote_addr; - - sub_filter ' href="/' ' href="/cups/'; - sub_filter ' action="/' ' action="/cups/'; - sub_filter ' src="/' ' src="/cups/'; + + sub_filter ' href="/' ' href="/print/'; + sub_filter ' action="/' ' action="/print/'; + sub_filter ' src="/' ' src="/print/'; sub_filter_types *; sub_filter_once off; } From 374e0ad3ee611ea90ba497526e6f7ccb18f1f0f9 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:09:32 -0400 Subject: [PATCH 07/25] Update nginx.yml --- roles/cups/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index f1fb802b1..3c10ada76 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -1,6 +1,6 @@ - name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: - src: cups.conf + src: cups.conf.j2 dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled From ba874673f67facf6997ce174f7d9e1c05f4bc410 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:13:30 -0400 Subject: [PATCH 08/25] Rename cups.conf to cups.conf.j2 --- roles/cups/templates/{cups.conf => cups.conf.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/cups/templates/{cups.conf => cups.conf.j2} (100%) 
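Review bot: Removing `proxy_set_header Accept-Encoding "";` lets the browser's `Accept-Encoding` reach cupsd, and `sub_filter` cannot rewrite a response that arrives compressed, so the `/print/` link rewriting silently stops working for anything cupsd chooses to gzip — keep that line. Separately, with a variable in `proxy_pass` nginx's default `proxy_redirect` rewriting does not apply, so a `Location:` header cupsd emits (for example after a form POST back to `/admin/`) escapes the `/print/` prefix and lands the client on a URL nginx does not serve; add `proxy_redirect http://127.0.0.1:631/ /print/;` and `proxy_redirect / /print/;`. `sub_filter_types *;` also applies the textual substitution to every content type, including PPD downloads and images, where it can only do harm; restricting it to `text/html` is safer.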
diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf.j2 similarity index 100% rename from roles/cups/templates/cups.conf rename to roles/cups/templates/cups.conf.j2 From ae34a2009a67b61b70f9da6a67ad3baf89bd7d6a Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:19:54 -0400 Subject: [PATCH 09/25] Update nginx.yml --- roles/cups/tasks/nginx.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 3c10ada76..0e93f08ff 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -1,7 +1,7 @@ - name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: - src: cups.conf.j2 - dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d + src: cups.conf + dest: /etc/nginx/conf.d/cups.conf when: cups_enabled - name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf From 974b221a87eed014c4bcca5368b56a21d7a3c4d3 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:21:01 -0400 Subject: [PATCH 10/25] Update nginx.yml --- roles/cups/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 0e93f08ff..25ee45b8c 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -6,7 +6,7 @@ - name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf file: - path: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d + path: /etc/nginx/conf.d/cups.conf state: absent when: not cups_enabled From 26d8c620fd04233e5f6e73c93d33933520ecbad1 Mon Sep 17 00:00:00 2001 
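Review bot: `dest: /etc/nginx/conf.d/cups.conf` hard-codes the path while the task's own `name:` still advertises `{{ nginx_conf_dir }}/cups.conf`, so on a host where the variable points elsewhere the play output and the action disagree and the file is written where nginx may not read it; use the variable in both places, `dest: "{{ nginx_conf_dir }}/cups.conf"`. The same hard-coding is introduced for `path:` in the Disable task in the next hunk (patch 10), and the two would then need to stay in sync by hand.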
From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:23:22 -0400 Subject: [PATCH 11/25] Rename cups.conf.j2 to cups.conf --- roles/cups/templates/{cups.conf.j2 => cups.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/cups/templates/{cups.conf.j2 => cups.conf} (100%) diff --git a/roles/cups/templates/cups.conf.j2 b/roles/cups/templates/cups.conf similarity index 100% rename from roles/cups/templates/cups.conf.j2 rename to roles/cups/templates/cups.conf From da1d147fc9cf4eec4cbdd10aa470f160705936d8 Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 11:51:20 -0400 Subject: [PATCH 12/25] Update to work with http://box/cups/ --- roles/cups/templates/cups.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index 07e754ac7..bd8d04c7f 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf @@ -7,4 +7,15 @@ location ~ /print/(.*) { sub_filter ' src="/' ' src="/print/'; sub_filter_types *; sub_filter_once off; +} + +location ~ /cups/(.*) { + proxy_pass http://127.0.0.1:631/$1; + proxy_set_header Host '127.0.0.1'; + + sub_filter ' href="/' ' href="/cups/'; + sub_filter ' action="/' ' action="/cups/'; + sub_filter ' src="/' ' src="/cups/'; + sub_filter_types *; + sub_filter_once off; } From 4141991a0b77394d558fbc1c5a6984895b8a28ee Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Tue, 4 May 2021 16:32:26 -0400 Subject: [PATCH 13/25] Update cups.conf --- roles/cups/templates/cups.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index bd8d04c7f..1f286da4c 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf 
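Review bot: The new `location ~ /cups/(.*)` block is a copy of the `/print/` block with only the rewrite prefix changed, which doubles the surface that has to be kept in sync and hardened whenever the proxy settings change. Serving the alias as a redirect keeps a single proxied path: `location ~ ^/cups/(.*)$ { return 301 /print/$1$is_args$args; }`. As in the `/print/` block, the regex is unanchored, so any URI containing `/cups/` would be captured; anchor both with `^` and `$`.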
@@ -1,6 +1,8 @@ location ~ /print/(.*) { proxy_pass http://127.0.0.1:631/$1; proxy_set_header Host '127.0.0.1'; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; sub_filter ' href="/' ' href="/print/'; sub_filter ' action="/' ' action="/print/'; @@ -12,6 +14,8 @@ location ~ /print/(.*) { location ~ /cups/(.*) { proxy_pass http://127.0.0.1:631/$1; proxy_set_header Host '127.0.0.1'; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; sub_filter ' href="/' ' href="/cups/'; sub_filter ' action="/' ' action="/cups/'; From f45856eb3124f982cb44e5b5a9c6fcba03917efe Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Mon, 10 May 2021 15:31:36 -0400 Subject: [PATCH 14/25] Update cupsd.conf --- roles/cups/templates/cupsd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cups/templates/cupsd.conf b/roles/cups/templates/cupsd.conf index 92a395cb8..b7f84ab42 100644 --- a/roles/cups/templates/cupsd.conf +++ b/roles/cups/templates/cupsd.conf @@ -1,7 +1,7 @@ ServerAlias * LogLevel warn MaxLogSize 1m -Listen {{ lan_ip }}:631 +#Listen {{ lan_ip }}:631 Listen localhost:631 Listen /var/run/cups/cups.sock Browsing On From 7c9f72fd1a34309bd7c603802c76cd7d5de3260a Mon Sep 17 00:00:00 2001 From: Blondel MONDESIR <16546989+deldesir@users.noreply.github.com> Date: Mon, 10 May 2021 15:47:23 -0400 Subject: [PATCH 15/25] Update cupsd.conf --- roles/cups/templates/cupsd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cups/templates/cupsd.conf b/roles/cups/templates/cupsd.conf index b7f84ab42..254f7d4a8 100644 --- a/roles/cups/templates/cupsd.conf +++ b/roles/cups/templates/cupsd.conf @@ -2,7 +2,7 @@ ServerAlias * LogLevel warn MaxLogSize 1m #Listen {{ lan_ip }}:631 -Listen localhost:631 +Listen 127.0.0.1:631 Listen /var/run/cups/cups.sock Browsing On BrowseLocalProtocols dnssd 
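Review bot: `proxy_cache_bypass $http_upgrade;` has no effect here because no `proxy_cache` zone is configured in this file, and the `Upgrade`/`Connection` headers it was paired with were removed in patch 06, so the line is dead configuration in both locations; drop it or add a comment saying why it stays. Forwarding `X-Real-IP` is harmless, but as far as I know cupsd does not honour it, so the client address in `/var/log/cups/` will still be 127.0.0.1 for every proxied request — anyone relying on CUPS logs to attribute admin actions should be aware of that.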
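Review bot: Commenting out `Listen {{ lan_ip }}:631` is a genuine exposure reduction — cupsd is then reachable from the LAN only through the nginx proxy. With that in place the `ServerAlias *` context line at the top of this template no longer has a job: it tells cupsd to accept any `Host:` header, which switches off CUPS's own Host validation (the cupsd.conf documentation warns that `*` exposes the server to DNS-rebinding attacks), while the proxy in cups.conf already sends `Host: 127.0.0.1`. Consider removing `ServerAlias *` in the same commit.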
From 573fdb10566248d3c6358e1232ec1acbdc4324f9 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 12 Jul 2021 02:01:54 -0400 Subject: [PATCH 16/25] CUPS Modernization + Spring Cleaning (WIP) --- roles/cups/tasks/enable-or-disable.yml | 32 ++----- roles/cups/tasks/install.yml | 87 ++++++++++++++++++- roles/cups/tasks/nginx.yml | 8 +- .../{cupsd.conf => cupsd.conf.j2.unused} | 0 4 files changed, 95 insertions(+), 32 deletions(-) rename roles/cups/templates/{cupsd.conf => cupsd.conf.j2.unused} (100%) diff --git a/roles/cups/tasks/enable-or-disable.yml b/roles/cups/tasks/enable-or-disable.yml index 74a9ee702..2fb18c59d 100644 --- a/roles/cups/tasks/enable-or-disable.yml +++ b/roles/cups/tasks/enable-or-disable.yml @@ -1,9 +1,6 @@ -- name: systemd daemon-reload - systemd: - daemon_reload: yes - -- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (OS's other than Fedora 18) +- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (if cups_enabled) systemd: + #daemon_reload: yes name: "{{ item }}" enabled: yes state: restarted @@ -11,21 +8,10 @@ - cups - cups-browsed when: cups_enabled - #when: cups_enabled and not is_F18 -# - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops) -# systemd: -# name: cups -# state: started -# enabled: yes -# when: cups_enabled and is_F18 - -- name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled) - shell: "cupsctl --remote-admin" - when: cups_enabled - -- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18) +- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (if not cups_enabled) systemd: + #daemon_reload: yes name: "{{ item }}" enabled: no state: stopped 
@@ -33,11 +19,7 @@ - cups - cups-browsed when: not cups_enabled - #when: not cups_enabled and not is_F18 -# - name: Disable & Stop 'cups' systemd service (Fedora 18, for XO laptops) -# systemd: -# name: cups -# enabled: no -# state: stopped -# when: not cups_enabled and is_F18 + +- name: Enable/Disable/Restart NGINX + include_tasks: nginx.yml diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index 91655f789..8dd2304ed 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml 
@@ -1,12 +1,93 @@ +# 2021-07-11: (1) WE NEED TO GET http://box:631 AND http://box.lan:631 WORKING. +# /var/log/cups/error_log* shows "400 Bad Request" errors as follows: +# +# Request from "localhost" using invalid Host: field "box:631". +# Request from "localhost" using invalid Host: field "box.lan:631". +# +# (2) WE NEED NGINX PROXY TO GET http://box/print WORKING RELIABLY ON ALL OS's. + - name: Install 'cups' package package: name: cups state: present -- name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin - template: - src: cupsd.conf +- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for remote administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 '@SYSTEM' lines in /etc/cups/cupsd.conf) + command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin + #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" + + +# WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: + +# OPTION #1: OLD WAY (BRITTLE) +# +# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# template: +# src: cupsd.conf.j2 +# dest: /etc/cups/cupsd.conf + +# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) 
+ +- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' is saved in /etc/cups + copy: + src: /usr/share/cups/cupsd.conf.default dest: /etc/cups/cupsd.conf + owner: root + group: lp + mode: 0640 + backup: yes + +- name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW + systemd: + daemon_reload: yes + name: "{{ item }}" + state: restarted + with_items: + - cups + - cups-browsed + +- name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf + command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. + +# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) + +# - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. + +# 2021-07-11: In theory 'cupsctl' stanzas could be put to enable-or-disable.yml +# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' CAN *DAMAGE* +# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
+# +# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. +# when: not cups_enabled + +- name: "2021-07-11: UNFORTUNATELY http://box:631 AND http://box/print DO NOT YET WORK RELIABLY -- CUPS NEEDS TO WORK FROM MANY MORE URL'S THAN JUST http://localhost:631 AND http://192.168.0.x:631 AND http://172.18.96.1:631 -- please help us find the correct directive(s) for /etc/cups/cupsd.conf and /etc/nginx/conf.d/cups.conf followed by 'systemctl restart cups' and 'systemctl restart nginx'" + lineinfile: + path: /etc/cups/cupsd.conf + line: "{{ item }}" + insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' + with_items: + - "#ServerAlias *" + - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan + - "#Listen {{ lan_ip }}:631" # 172.18.96.1 + - "Listen 127.0.0.1:631" + - "#Listen 0.0.0.0:631" + - "#Listen *:631" + +- name: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!) + lineinfile: + path: /etc/cups/cupsd.conf + regexp: '^MaxLogSize ' + insertbefore: 'Listen ' + firstmatch: yes + line: "MaxLogSize 1m" # Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default + +# REMINDER: 3 systemd services should be restarted (cups, cups-browsed, nginx) +# within enable-or-disable.yml, so /etc/cups/cupsd.conf (ETC) take effect! # RECORD CUPS AS INSTALLED 
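Review bot: `copy:` with an absolute `src: /usr/share/cups/cupsd.conf.default` and no `remote_src: yes` reads the file from the Ansible controller, not the managed host, so this works only because IIAB runs the play on localhost — add `remote_src: yes` to make that explicit. The `cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging` task widens the default policy in three directions at once (remote administration, network printer sharing, any user cancelling any other user's jobs), and to my recollection `cupsctl` also rewrites the `Listen` directive to all interfaces when remote access or sharing is enabled, which would undo the `Listen 127.0.0.1:631` the `lineinfile` loop adds afterwards and reopen port 631 on the LAN that patch 14 closed — please confirm with `sudo cupsctl` and `ss -ltn` after a run. That `lineinfile` loop also leaves the default `Listen localhost:631` in place next to the new `Listen 127.0.0.1:631`, so cupsd ends up with two listeners for the same address; check `cupsd -t` and the error_log for an address-in-use complaint. Finally, `command: gpasswd -a ...` reports changed on every play; `user: name: "{{ iiab_admin_user }}" groups: lpadmin append: yes` is the idempotent form.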
diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 25ee45b8c..9a80ded0f 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -1,12 +1,12 @@ -- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template +- name: Enable http://box/print and http://box/cups via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: src: cups.conf - dest: /etc/nginx/conf.d/cups.conf + dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled -- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf +- name: Disable http://box/print and http://box/cups via NGINX, by removing {{ nginx_conf_dir }}/cups.conf file: - path: /etc/nginx/conf.d/cups.conf + path: "{{ nginx_conf_dir }}/cups.conf" state: absent when: not cups_enabled diff --git a/roles/cups/templates/cupsd.conf b/roles/cups/templates/cupsd.conf.j2.unused similarity index 100% rename from roles/cups/templates/cupsd.conf rename to roles/cups/templates/cupsd.conf.j2.unused From bb116d48ccf4440968c62ecb6e1df3aace021b17 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 12 Jul 2021 02:47:28 -0400 Subject: [PATCH 17/25] cups/tasks/install.yml Ansible output explanations --- roles/cups/tasks/install.yml | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index 8dd2304ed..06f47575f 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml 
@@ -29,6 +29,11 @@ # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) +- name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... + meta: noop +# - debug: +# msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... + - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' is saved in /etc/cups copy: src: /usr/share/cups/cupsd.conf.default 
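Review bot: `meta: noop` is used here purely as a banner in the play output. To my recollection Ansible's meta module documents `noop` as internal and not recommended for general use, so its acceptance is not guaranteed across versions; the commented-out `debug: msg:` just below does the same job with a supported module, or make the banner a plain `#` comment since it carries no action.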
@@ -47,22 +52,24 @@ - cups - cups-browsed -- name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf - command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. +- name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf + command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) -# - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. +# - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging -# 2021-07-11: In theory 'cupsctl' stanzas could be put to enable-or-disable.yml -# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' CAN *DAMAGE* +# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) # -# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging # RISKY: REPEATED USE OF 'cupsctl' CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES. FYI IT ALSO MANGLES COMMENTS AND SPACING. +# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# +# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging # when: not cups_enabled - name: "2021-07-11: UNFORTUNATELY http://box:631 AND http://box/print DO NOT YET WORK RELIABLY -- CUPS NEEDS TO WORK FROM MANY MORE URL'S THAN JUST http://localhost:631 AND http://192.168.0.x:631 AND http://172.18.96.1:631 -- please help us find the correct directive(s) for /etc/cups/cupsd.conf and /etc/nginx/conf.d/cups.conf followed by 'systemctl restart cups' and 'systemctl restart nginx'" @@ -78,13 +85,13 @@ - "#Listen 0.0.0.0:631" - "#Listen *:631" -- name: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!) +- name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" lineinfile: path: /etc/cups/cupsd.conf regexp: '^MaxLogSize ' insertbefore: 'Listen ' firstmatch: yes - line: "MaxLogSize 1m" # Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default + line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default # REMINDER: 3 systemd services should be restarted (cups, cups-browsed, nginx) # within enable-or-disable.yml, so /etc/cups/cupsd.conf (ETC) take effect! From 0cd7ccc81693e8e2aceb233679e8a77f48673255 Mon Sep 17 00:00:00 2001 
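Review bot: The task renamed to `"OPTIONAL: Change 'MaxLogSize 0' ..."` is still unconditional, so the label misleads anyone reading the play output or deciding whether to skip it. Either gate it on a variable (`when:`) or drop the word from the name; the `lineinfile` body is unchanged and fine as is.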
From: root Date: Mon, 12 Jul 2021 15:52:15 -0400 Subject: [PATCH 18/25] CUPS: Fix box/print URLs, Secure box/print/admin URLs, Lint NGINX .conf's --- roles/cups/tasks/install.yml | 164 ++++++++++-------- roles/cups/tasks/main.yml | 8 +- roles/cups/tasks/nginx.yml | 4 +- roles/cups/templates/cups.conf | 33 ++-- roles/gitea/templates/gitea-nginx.conf.j2 | 2 +- roles/kiwix/templates/kiwix-nginx.conf.j2 | 18 +- roles/kolibri/templates/kolibri-nginx.conf.j2 | 8 +- roles/lokole/templates/lokole-nginx.conf.j2 | 12 +- .../templates/mediawiki-nginx.conf.j2 | 22 +-- roles/munin/templates/munin24-nginx.conf.j2 | 6 +- roles/nginx/templates/iiab.conf.j2 | 8 +- .../templates/osm-vector-maps-nginx.conf.j2 | 12 +- .../templates/sugarizer-nginx.conf.j2 | 10 +- .../templates/wordpress-nginx.conf.j2 | 29 ++-- 14 files changed, 179 insertions(+), 157 deletions(-) diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index 06f47575f..14b3aaba2 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml 
@@ -1,38 +1,29 @@ -# 2021-07-11: (1) WE NEED TO GET http://box:631 AND http://box.lan:631 WORKING. -# /var/log/cups/error_log* shows "400 Bad Request" errors as follows: -# -# Request from "localhost" using invalid Host: field "box:631". -# Request from "localhost" using invalid Host: field "box.lan:631". -# -# (2) WE NEED NGINX PROXY TO GET http://box/print WORKING RELIABLY ON ALL OS's. - - name: Install 'cups' package package: name: cups state: present -- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for remote administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 '@SYSTEM' lines in /etc/cups/cupsd.conf) - command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin - #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" +# 2021-07-12: LET'S STICK CLOSE TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN +# SKIP MOST OF THE NEXT ~100 LINES, THX TO NEW NGINX (cups/templates/cups.conf) +# # WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# # UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# # INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: -# WARNING: 'apt install cups' AND 'apt install --reinstall cups' -# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR -# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: +# # OPTION #1: OLD WAY (BRITTLE) +# # +# # - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# # template: +# # src: cupsd.conf.j2 +# # dest: /etc/cups/cupsd.conf -# OPTION #1: OLD WAY (BRITTLE) -# -# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin -# template: -# src: cupsd.conf.j2 -# dest: /etc/cups/cupsd.conf +# # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) -# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) +# # - name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~2 STANZAS BELOW... 
+# # meta: noop -- name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - meta: noop -# - debug: -# msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... +# # - debug: +# # msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' is saved in /etc/cups copy: 
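Review bot: This hunk prefixes the already-commented OPTION #1/#2 block with a second `# #` level rather than deleting it, so install.yml now carries roughly twenty lines of dead, double-commented Ansible whose content git history already preserves. Since the new 2021-07-12 comment says the defaults plus the nginx proxy are now sufficient, removing the block outright and keeping only that one-paragraph rationale would make the file far easier to audit. The `- name: Copy /usr/share/cups/cupsd.conf.default ...` stanza continues past the end of this hunk.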
@@ -43,58 +34,87 @@ mode: 0640 backup: yes -- name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW - systemd: - daemon_reload: yes - name: "{{ item }}" - state: restarted - with_items: - - cups - - cups-browsed - -- name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf - command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging - -# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: -# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. -# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) - -# - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging - -# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml -# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* -# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) +# 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines +# already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below. # -# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. 
+# - name: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) +# lineinfile: +# path: /etc/cups/cupsd.conf +# #regexp: +# line: "{{ item }}" +# insertafter: '^$' +# with_items: +# - " Require user @SYSTEM" # Will appear BELOW, in /etc/cups/cupsd.conf +# - " AuthType Default" # Will appear ABOVE, in /etc/cups/cupsd.conf + +- name: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) + blockinfile: + path: /etc/cups/cupsd.conf + insertafter: '^$' + block: |2 # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK" + AuthType Default + Require user @SYSTEM + +- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf) + command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin + #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" + +# - name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW +# systemd: +# daemon_reload: yes +# name: "{{ item }}" +# state: restarted +# with_items: +# - cups +# - cups-browsed + +# 2021-07-12: 'cupsctl --remote-admin && systemctl restart cups' enables +# http://10.8.0.x:631 -- but this is even less useful than ever, now that +# http://10.8.0.x/print works -- thx to the new /etc/nginx/conf.d/cups.conf # -# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 
'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging -# when: not cups_enabled +# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging -- name: "2021-07-11: UNFORTUNATELY http://box:631 AND http://box/print DO NOT YET WORK RELIABLY -- CUPS NEEDS TO WORK FROM MANY MORE URL'S THAN JUST http://localhost:631 AND http://192.168.0.x:631 AND http://172.18.96.1:631 -- please help us find the correct directive(s) for /etc/cups/cupsd.conf and /etc/nginx/conf.d/cups.conf followed by 'systemctl restart cups' and 'systemctl restart nginx'" - lineinfile: - path: /etc/cups/cupsd.conf - line: "{{ item }}" - insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' - with_items: - - "#ServerAlias *" - - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan - - "#Listen {{ lan_ip }}:631" # 172.18.96.1 - - "Listen 127.0.0.1:631" - - "#Listen 0.0.0.0:631" - - "#Listen *:631" +# # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) 
-- name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" - lineinfile: - path: /etc/cups/cupsd.conf - regexp: '^MaxLogSize ' - insertbefore: 'Listen ' - firstmatch: yes - line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default +# # - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# # command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging -# REMINDER: 3 systemd services should be restarted (cups, cups-browsed, nginx) -# within enable-or-disable.yml, so /etc/cups/cupsd.conf (ETC) take effect! +# # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# # BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* +# # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) +# # +# # FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# # +# # - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# # command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging +# # when: not cups_enabled + +# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. 
As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request') -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# line: "{{ item }}" +# insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' +# with_items: +# - "#ServerAlias *" +# - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan +# - "#Listen {{ lan_ip }}:631" # 172.18.96.1 +# - "Listen 127.0.0.1:631" +# - "#Listen 0.0.0.0:631" +# - "#Listen *:631" + +# - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# regexp: '^MaxLogSize ' +# insertbefore: 'Listen ' +# firstmatch: yes +# line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default + +# REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx) +# LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT! # RECORD CUPS AS INSTALLED diff --git a/roles/cups/tasks/main.yml b/roles/cups/tasks/main.yml index 32e65e4e6..b9bbe9866 100644 --- a/roles/cups/tasks/main.yml 
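Review bot: The new blockinfile task anchors `AuthType Default` / `Require user @SYSTEM` with `insertafter: '^$'`, which for blockinfile means "after the last match", i.e. after the last blank line of /etc/cups/cupsd.conf -- so the two directives land wherever that blank line happens to fall in the copied cupsd.conf.default rather than inside the `<Location>` block the task name (http://box/print/admin) is about. Anchoring on the block itself, e.g. `insertafter: '^<Location /admin>'`, pins the lock-down to the intended scope; either way the `sudo cupsd -t` check the comments already recommend is the only thing that will catch misplaced auth directives, which may otherwise protect nothing. Separately, the copy task above (its `backup: yes` is in this hunk's context) appears to re-copy the pristine default on every run and blockinfile then modifies it again, so each play leaves another timestamped backup in /etc/cups -- worth a comment on the task if that is intended.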
+++ b/roles/cups/tasks/main.yml @@ -1,10 +1,4 @@ -# Administer CUPS at http://box:631 -# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?) - -# TO DO: -# -# - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090. -# SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md +# ADMINISTER CUPS AT http://box/print/admin WITH iiab-admin + ITS LINUX PASSWORD # "How do i fail a task in Ansible if the variable contains a boolean value? diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 9a80ded0f..80921e99f 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -1,10 +1,10 @@ -- name: Enable http://box/print and http://box/cups via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template +- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: src: cups.conf dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled -- name: Disable http://box/print and http://box/cups via NGINX, by removing {{ nginx_conf_dir }}/cups.conf +- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf file: path: "{{ nginx_conf_dir }}/cups.conf" state: absent diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index 1f286da4c..e61d87f34 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf 
@@ -1,25 +1,30 @@ +location = /print { + return 301 /print/; # "Moved Permanently" redirect + #rewrite /print /print/; # Faster, if links are fixed! +} + location ~ /print/(.*) { proxy_pass http://127.0.0.1:631/$1; proxy_set_header Host '127.0.0.1'; proxy_cache_bypass $http_upgrade; proxy_set_header X-Real-IP $remote_addr; - + sub_filter ' href="/' ' href="/print/'; sub_filter ' action="/' ' action="/print/'; sub_filter ' src="/' ' src="/print/'; sub_filter_types *; sub_filter_once off; -} +} -location ~ /cups/(.*) { - proxy_pass http://127.0.0.1:631/$1; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - - sub_filter ' href="/' ' href="/cups/'; - sub_filter ' action="/' ' action="/cups/'; - sub_filter ' src="/' ' src="/cups/'; - sub_filter_types *; - sub_filter_once off; -} +# location ~ /cups/(.*) { +# proxy_pass http://127.0.0.1:631/$1; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# proxy_set_header X-Real-IP $remote_addr; +# +# sub_filter ' href="/' ' href="/cups/'; +# sub_filter ' action="/' ' action="/cups/'; +# sub_filter ' src="/' ' src="/cups/'; +# sub_filter_types *; +# sub_filter_once off; +# } diff --git a/roles/gitea/templates/gitea-nginx.conf.j2 b/roles/gitea/templates/gitea-nginx.conf.j2 index 7276bd543..18c3185bd 100644 --- a/roles/gitea/templates/gitea-nginx.conf.j2 +++ b/roles/gitea/templates/gitea-nginx.conf.j2 @@ -1,3 +1,3 @@ location {{ gitea_url }}/ { - proxy_pass http://127.0.0.1:{{ gitea_port }}/; + proxy_pass http://127.0.0.1:{{ gitea_port }}/; } diff --git a/roles/kiwix/templates/kiwix-nginx.conf.j2 b/roles/kiwix/templates/kiwix-nginx.conf.j2 index 000a3dcc2..0b830daf2 100644 --- a/roles/kiwix/templates/kiwix-nginx.conf.j2 +++ b/roles/kiwix/templates/kiwix-nginx.conf.j2 
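Review bot: The `/print/` location hands every LAN request to cupsd from 127.0.0.1 with `proxy_set_header Host '127.0.0.1'`, so the localhost-only defaults for `/admin` and `/admin/conf` in the stock cupsd.conf (`Order allow,deny` with no Allow lines, which the install.yml comments confirm by noting only http://localhost:631 still works) no longer distinguish a remote browser from a local one, and the only remaining gate is the Basic-auth block install.yml inserts; cupsd does not, as far as I know, consult the `X-Real-IP` header set here. That trade-off deserves a comment at the top of the template, and nginx-side `allow`/`deny` rules for the intended LAN ranges would restore a network-level check that does not depend on cupsd.conf. Two smaller points: the regex `location ~ /print/(.*)` is unanchored (any URI containing `/print/` matches and `$1` is taken from the first occurrence), so `location ~ ^/print/(.*)$ {` is safer; and because the proxy is plain http, the CUPS admin credentials cross the LAN in cleartext with every authenticated request.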
@@ -1,11 +1,11 @@ location {{ kiwix_url }} { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_connect_timeout {{ kiwix_nginx_timeout }}; - proxy_send_timeout {{ kiwix_nginx_timeout }}; - proxy_read_timeout {{ kiwix_nginx_timeout }}; - send_timeout {{ kiwix_nginx_timeout }}; - proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout {{ kiwix_nginx_timeout }}; + proxy_send_timeout {{ kiwix_nginx_timeout }}; + proxy_read_timeout {{ kiwix_nginx_timeout }}; + send_timeout {{ kiwix_nginx_timeout }}; + proxy_pass http://127.0.0.1:3000; } diff --git a/roles/kolibri/templates/kolibri-nginx.conf.j2 b/roles/kolibri/templates/kolibri-nginx.conf.j2 index c3326aeaf..e82f23478 100644 --- a/roles/kolibri/templates/kolibri-nginx.conf.j2 +++ b/roles/kolibri/templates/kolibri-nginx.conf.j2 @@ -1,8 +1,8 @@ location {{ kolibri_url }} { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; proxy_pass http://127.0.0.1:8009; } diff --git a/roles/lokole/templates/lokole-nginx.conf.j2 b/roles/lokole/templates/lokole-nginx.conf.j2 index 1cd58eb80..a2084a160 100644 --- a/roles/lokole/templates/lokole-nginx.conf.j2 +++ b/roles/lokole/templates/lokole-nginx.conf.j2 
@@ -1,14 +1,14 @@ location = {{ lokole_url }}/favicon.ico { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; } location ~ ^{{ lokole_url }}/static/(.*)$ { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; } location {{ lokole_url }}/ { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://unix:/{{ lokole_domain_socket }}; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://unix:/{{ lokole_domain_socket }}; } diff --git a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 index fdb19dba2..877982c49 100644 --- a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 +++ b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 
@@ -5,25 +5,28 @@ # $wgUsePathInfo = true; location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass php; # or whatever port your PHP-FPM listens on + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass php; # or whatever port your PHP-FPM listens on } # Images location /{{ mediawiki_symlink }}/images { # Separate location for images/ so .php execution won't apply } + location /{{ mediawiki_symlink }}/images/deleted { # Deny access to deleted images folder deny all; } + # MediaWiki assets (usually images) location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) { try_files $uri 404; add_header Cache-Control "public"; expires 7d; } + # Assets, scripts and styles from skins and extensions location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ { try_files $uri 404; @@ -31,16 +34,15 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg expires 7d; } - ## Uncomment the following code if you wish to use the installer/updater ## installer/updater #location /{{ mediawiki_symlink }}/mw-config/ { -# # Do this inside of a location so it can be negated -# location ~ \.php$ { -# include /etc/nginx/fastcgi_params; -# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; -# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on -# } +# # Do this inside of a location so it can be negated +# location ~ \.php$ { +# include /etc/nginx/fastcgi_params; +# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; +# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on +# } #} # Handling for the article path (pretty URLs) 
diff --git a/roles/munin/templates/munin24-nginx.conf.j2 b/roles/munin/templates/munin24-nginx.conf.j2 index dbbcc2795..28a930f8f 100644 --- a/roles/munin/templates/munin24-nginx.conf.j2 +++ b/roles/munin/templates/munin24-nginx.conf.j2 @@ -1,4 +1,4 @@ -location /munin { - alias /var/cache/munin/www/ ; - try_files $uri $uri/ /index.html; +location /munin { + alias /var/cache/munin/www/ ; + try_files $uri $uri/ /index.html; } diff --git a/roles/nginx/templates/iiab.conf.j2 b/roles/nginx/templates/iiab.conf.j2 index 954d0f805..b66f69cfa 100644 --- a/roles/nginx/templates/iiab.conf.j2 +++ b/roles/nginx/templates/iiab.conf.j2 @@ -30,11 +30,11 @@ location /js-menu/ { location /software/ { fancyindex on; # Enable fancy indexes. fancyindex_exact_size off; # Output human-readable file sizes. - location ~* \.(apk)$ { + location ~* \.(apk)$ { add_header Content-Type application/vnd.android.package-archive; - } + } - location ~* \.(zim)$ { + location ~* \.(zim)$ { add_header Content-Type application/zip; - } + } } diff --git a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 index b9c3b634e..c130e75d5 100644 --- a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 +++ b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 @@ -1,7 +1,8 @@ # For downloadable regional vector tilesets location ~ ^/maps { - rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; + rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; } + location ~ ^/osm-vector-maps(.*)\.php(.*)$ { alias /library/www/osm-vector-maps$1.php$2; # /library/www/osm-vector-maps proxy_set_header X-Real-IP $remote_addr; 
@@ -11,10 +12,11 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ { fastcgi_index index.html; include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(.*)$; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param PATH_INFO $2; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $2; } + location ~ ^/osm-vector-maps/ { - root /library/www; + root /library/www; } diff --git a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 index 29fb7a212..a4f936119 100644 --- a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 +++ b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 @@ -2,9 +2,9 @@ # If you need to change this, edit /etc/iiab/local_vars.yml prior to installing location /sugarizer { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name /sugarizer; - proxy_pass http://127.0.0.1:{{ sugarizer_port }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name /sugarizer; + proxy_pass http://127.0.0.1:{{ sugarizer_port }}; } diff --git a/roles/wordpress/templates/wordpress-nginx.conf.j2 b/roles/wordpress/templates/wordpress-nginx.conf.j2 index 2c023dc2e..d3dd4e789 100644 --- a/roles/wordpress/templates/wordpress-nginx.conf.j2 +++ b/roles/wordpress/templates/wordpress-nginx.conf.j2 
@@ -1,20 +1,19 @@ -location {{ wp_url }} { +location {{ wp_url }} { #rewrite_log on; root {{ content_base }}; try_files $uri $uri/ /wordpress/index.php$is_args$args; - + location ~ .*\.php$ { - - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - } - - location ~ ^({{ wp_url }})(/.*)/$ { - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; - } + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + location ~ ^({{ wp_url }})(/.*)/$ { + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; + } } From b0c8124f5100dea680fed0ff901fb92f53556433 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 13 Jul 2021 01:41:21 -0400 Subject: [PATCH 19/25] Restrict box/print/admin CUPS URLs to Linux user Admin/changeme (Linux group lpadmin) --- roles/cups/tasks/install.yml | 37 ++++++++++++++++++++++++++---------- roles/cups/tasks/main.yml | 3 ++- 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index 14b3aaba2..a0bec1f86 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml 
@@ -1,10 +1,14 @@ +# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD +# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW... + + - name: Install 'cups' package package: name: cups state: present -# 2021-07-12: LET'S STICK CLOSE TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN -# SKIP MOST OF THE NEXT ~100 LINES, THX TO NEW NGINX (cups/templates/cups.conf) +# 2021-07-12: LET'S STICK CLOSER TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN +# SKIP MOST OF THE NEXT ~120 LINES, THX TO NEW NGINX (cups/templates/cups.conf) # # WARNING: 'apt install cups' AND 'apt install --reinstall cups' # # UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR @@ -19,13 +23,13 @@ # # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) -# # - name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~2 STANZAS BELOW... -# # meta: noop - # # - debug: # # msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... -- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' is saved in /etc/cups +- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by the ~2 stanzas below. + meta: noop + +- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups copy: src: /usr/share/cups/cupsd.conf.default dest: /etc/cups/cupsd.conf 
@@ -47,7 +51,7 @@ # - " Require user @SYSTEM" # Will appear BELOW, in /etc/cups/cupsd.conf # - " AuthType Default" # Will appear ABOVE, in /etc/cups/cupsd.conf -- name: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) +- name: "CUPS web administration: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings. This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf" blockinfile: path: /etc/cups/cupsd.conf insertafter: '^$' 
@@ -55,9 +59,22 @@ AuthType Default Require user @SYSTEM -- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf) - command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin - #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" +- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)" + user: + name: Admin + append: yes # Don't clobber other groups, that other IIAB Apps might need. + groups: lpadmin + password: "{{ 'changeme' | password_hash('sha512') }}" # Random salt. Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords + create_home: no + shell: /usr/sbin/nologin # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false + +# - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf) +# #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" +# #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" +# user: +# name: "{{ iiab_admin_user }}" # iiab-admin +# append: yes +# groups: lpadmin # - name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW # systemd: diff --git a/roles/cups/tasks/main.yml b/roles/cups/tasks/main.yml index b9bbe9866..301da4133 100644 --- a/roles/cups/tasks/main.yml +++ b/roles/cups/tasks/main.yml 
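Review bot: The new `user` task sets `password: "{{ 'changeme' | password_hash('sha512') }}"` with the module's default `update_password: always`, so every play re-applies the published default password -- an operator who changes Admin's password loses that change on the next run, and because password_hash draws a fresh random salt each time the task also reports `changed` on every run. Adding `update_password: on_create` under `user:` fixes both. The comment on the `password:` line already notes the random salt; it would be worth adding `# TODO: take the password from a variable in /etc/iiab/local_vars.yml instead of a fixed default` so deployments are not all left on the same well-known credential that the file header and main.yml now document.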
@@ -1,4 +1,5 @@ -# ADMINISTER CUPS AT http://box/print/admin WITH iiab-admin + ITS LINUX PASSWORD +# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD +# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml # "How do i fail a task in Ansible if the variable contains a boolean value? From 77f93e2fa3b42bb576ac69a5a729327839242111 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 13 Jul 2021 01:42:49 -0400 Subject: [PATCH 20/25] /opt/iiab/iiab/test.yml for rapid testing of Ansible commands/modules/syntax --- test.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 test.yml diff --git a/test.yml b/test.yml new file mode 100644 index 000000000..70a40e74d --- /dev/null +++ b/test.yml @@ -0,0 +1,30 @@ +# TEST ANSIBLE COMMANDS/MODULES IN SECONDS -- BY RUNNING: +# ansible-playbook -i ansible_hosts test.yml --connection=local + +- hosts: all + become: yes # Optional privilege escalation + + #vars_files: + #- roles/0-init/defaults/main.yml + #- vars/default_vars.yml + #- vars/{{ ansible_local.local_facts.os_ver }}.yml + #- /etc/iiab/local_vars.yml + #- /etc/iiab/iiab_state.yml + + #roles: + # - { role: 0-init } + + tasks: + + #- include_role: + # name: 0-init + + - debug: + msg: YO! + + #- pause: + + - debug: + msg: "{{ 'changeme' | password_hash('sha512') }}" + + # TEST ANSIBLE COMMANDS/MODULES HERE! From 13f01d059047273b4ae17b30d041b65fb93f0145 Mon Sep 17 00:00:00 2001 
From: root Date: Tue, 13 Jul 2021 17:56:02 -0400 Subject: [PATCH 21/25] http://box/print finally works despite CUPS bug, via sneaky redirect --- roles/cups/tasks/install.yml | 88 +++++++++++++------------------ roles/cups/tasks/nginx.yml | 2 +- roles/cups/templates/cups.conf | 30 ----------- roles/cups/templates/cups.conf.j2 | 73 +++++++++++++++++++++++++ test.yml | 11 ++-- 5 files changed, 120 insertions(+), 84 deletions(-) delete mode 100644 roles/cups/templates/cups.conf create mode 100644 roles/cups/templates/cups.conf.j2 diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index a0bec1f86..a4166bb08 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml 
@@ -7,26 +7,20 @@ name: cups state: present -# 2021-07-12: LET'S STICK CLOSER TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN -# SKIP MOST OF THE NEXT ~120 LINES, THX TO NEW NGINX (cups/templates/cups.conf) +# WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: -# # WARNING: 'apt install cups' AND 'apt install --reinstall cups' -# # UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR -# # INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: +# OPTION #1: OLD WAY (BRITTLE) +# +# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# template: +# src: cupsd.conf.j2 +# dest: /etc/cups/cupsd.conf -# # OPTION #1: OLD WAY (BRITTLE) -# # -# # - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin -# # template: -# # src: cupsd.conf.j2 -# # dest: /etc/cups/cupsd.conf +# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) -# # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) - -# # - debug: -# # msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - -- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by the ~2 stanzas below. +- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by ~4 stanzas below. Also keep an eye on /var/log/cups/error_log meta: noop - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups 
@@ -76,49 +70,43 @@ # append: yes # groups: lpadmin -# - name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW -# systemd: -# daemon_reload: yes -# name: "{{ item }}" -# state: restarted -# with_items: -# - cups -# - cups-browsed +- name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW + systemd: + #daemon_reload: yes + name: cups + state: started -# 2021-07-12: 'cupsctl --remote-admin && systemctl restart cups' enables -# http://10.8.0.x:631 -- but this is even less useful than ever, now that -# http://10.8.0.x/print works -- thx to the new /etc/nginx/conf.d/cups.conf +# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-admin --share-printers --user-cancel-any + +# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) + +- name: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf + command: cupsctl --remote-any --share-printers --user-cancel-any + +# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* +# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) # -# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging +# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# +# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging +# when: not cups_enabled -# # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: -# # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. -# # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) - -# # - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# # command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging - -# # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml -# # BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* -# # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -# # -# # FYI repeated use of 'cupsctl' commands also removes comments and blank lines. -# # -# # - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# # command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging -# # when: not cups_enabled - -# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. 
'400 Bad Request') -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" +# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" # lineinfile: # path: /etc/cups/cupsd.conf # line: "{{ item }}" # insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' # with_items: -# - "#ServerAlias *" +# - "HostNameLookups On" # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 +# - "ServerAlias *" # - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan # - "#Listen {{ lan_ip }}:631" # 172.18.96.1 -# - "Listen 127.0.0.1:631" +# - "#Listen 127.0.0.1:631" # - "#Listen 0.0.0.0:631" # - "#Listen *:631" diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 80921e99f..886a15c14 100644 --- a/roles/cups/tasks/nginx.yml 
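Review bot: The new `command: cupsctl --remote-any --share-printers --user-cancel-any` task runs on every play with no guard, although its name says "(if cups_enabled)" and the surrounding comments warn that repeated `cupsctl` runs can add duplicate lines to /etc/cups/cupsd.conf. Unless install.yml is already gated on `cups_enabled` by its caller (not visible here), add `when: cups_enabled`, and consider `creates:` on a marker file or a `changed_when` so the play is idempotent and does not rewrite cupsd.conf each run. `--remote-any` is the broadest of the access settings (it admits clients from any address, not just @LOCAL) and `--user-cancel-any` lets any user cancel other users' jobs, so a comment such as `# --remote-any exposes port 631 on every interface incl. the 10.8.0.y VPN; WAN exposure relies on the firewall` would document the tradeoff that led to choosing it over `--remote-admin`.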
+++ b/roles/cups/tasks/nginx.yml @@ -1,6 +1,6 @@ - name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: - src: cups.conf + src: cups.conf.j2 dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf deleted file mode 100644 index e61d87f34..000000000 --- a/roles/cups/templates/cups.conf +++ /dev/null @@ -1,30 +0,0 @@ -location = /print { - return 301 /print/; # "Moved Permanently" redirect - #rewrite /print /print/; # Faster, if links are fixed! -} - -location ~ /print/(.*) { - proxy_pass http://127.0.0.1:631/$1; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - - sub_filter ' href="/' ' href="/print/'; - sub_filter ' action="/' ' action="/print/'; - sub_filter ' src="/' ' src="/print/'; - sub_filter_types *; - sub_filter_once off; -} - -# location ~ /cups/(.*) { -# proxy_pass http://127.0.0.1:631/$1; -# proxy_set_header Host '127.0.0.1'; -# proxy_cache_bypass $http_upgrade; -# proxy_set_header X-Real-IP $remote_addr; -# -# sub_filter ' href="/' ' href="/cups/'; -# sub_filter ' action="/' ' action="/cups/'; -# sub_filter ' src="/' ' src="/cups/'; -# sub_filter_types *; -# sub_filter_once off; -# } diff --git a/roles/cups/templates/cups.conf.j2 b/roles/cups/templates/cups.conf.j2 new file mode 100644 index 000000000..7efd33266 --- /dev/null +++ b/roles/cups/templates/cups.conf.j2 
@@ -0,0 +1,73 @@ +# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD +# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml + + +# 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying +# (commented out below) has many glitches, e.g. CUPS' https connections etc. + +location ~ ^/print(|/.*)$ { # '~' -> '~*' for case-insensitive regex + + # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since + # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using + # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE + # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 + + if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') { + return 301 http://localhost:631; # Or http://127.0.0.1:631 + } + + if ($host ~ 'box(|.lan)') { # /etc/hosts may have BOTH above AND box.lan + return 301 http://localhost:631; + } + + return 301 http://$host:631; # Can work with 192.168.0.x & 10.8.0.y ETC +} + + +# https://anthe.studio/blog/en/cups-nginx-reverse-proxy +# https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/ +# https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/ + +# location = /print { +# return 301 /print/; # "Moved Permanently" redirect +# #rewrite /print /print/; # Faster, if links are fixed! 
+# } + +## location ~ ^/print(|/.*)$ { +## proxy_pass https://127.0.0.1:631$1; # Fails: trailing slash nec here +# location ~ ^/print/(.*) { +# proxy_pass https://127.0.0.1:631/$1; +# +# #proxy_http_version 1.1; +# #proxy_set_header Accept-Encoding ""; +# #proxy_set_header Upgrade $http_upgrade; +# #proxy_set_header Connection 'upgrade'; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# +# proxy_set_header X-Real-IP $remote_addr; +# #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; +# #proxy_set_header X-Forwarded-Host $server_name; +# +# sub_filter ' href="/' ' href="/print/'; +# sub_filter ' action="/' ' action="/print/'; +# sub_filter ' src="/' ' src="/print/'; +# #sub_filter 'ACTION="/' 'ACTION="/print/'; +# #sub_filter 'URL=/' 'URL=/print/'; +# sub_filter_types *; +# sub_filter_once off; +# } + +# location ~ /cups/(.*) { +# proxy_pass http://127.0.0.1:631/$1; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# proxy_set_header X-Real-IP $remote_addr; +# +# sub_filter ' href="/' ' href="/cups/'; +# sub_filter ' action="/' ' action="/cups/'; +# sub_filter ' src="/' ' src="/cups/'; +# sub_filter_types *; +# sub_filter_once off; +# } diff --git a/test.yml b/test.yml index 70a40e74d..be808dc92 100644 --- a/test.yml +++ b/test.yml @@ -20,11 +20,16 @@ # name: 0-init - debug: - msg: YO! + msg: "{{ 'changeme' | password_hash('sha512') }}" #- pause: - - debug: - msg: "{{ 'changeme' | password_hash('sha512') }}" + - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description + debug: + msg: '"''"' # FAILS: '"\'"' + + - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml + debug: + msg: "'\"'" # FAILS: "'""'" # TEST ANSIBLE COMMANDS/MODULES HERE! From 2b06b17e7404aca94f3e6b79072b7f0a943116fa Mon Sep 17 00:00:00 2001 
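Review bot: The fallback `return 301 http://$host:631;` reflects the unvalidated client-supplied Host header into the redirect target, so any request for /print that reaches this server block with an arbitrary Host value (a non-browser client, DNS rebinding, or this being nginx's default server — inferred, not visible here) is bounced to that host on port 631. Prefer an allow-list: extend the existing `if` blocks to match the expected LAN/VPN address patterns and end with a fixed `return 404;` (or redirect to `$server_name`) instead of echoing `$host`. The two `if` regexes are also unanchored with an unescaped `.`, so `'box(|.lan)'` matches `xbox.lan` or `boxy.lan`; write them as `'^{{ iiab_hostname }}(\.{{ iiab_domain }})?$'` and `'^box(\.lan)?$'`. Separately, redirecting box/box.lan to `http://localhost:631` only reaches CUPS when the browser runs on the server itself — a LAN client is sent to its own port 631 — which is worth stating in the comment if that scope is intended.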
From: root Date: Tue, 13 Jul 2021 18:29:03 -0400 Subject: [PATCH 22/25] http://box/print CUPS administration (redirects to https) --- roles/cups/tasks/install.yml | 4 ++-- roles/cups/tasks/main.yml | 4 ++-- roles/cups/templates/cups.conf.j2 | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index a4166bb08..46856c37f 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml @@ -1,5 +1,5 @@ -# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD -# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW... +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW... - name: Install 'cups' package diff --git a/roles/cups/tasks/main.yml b/roles/cups/tasks/main.yml index 301da4133..2c9531814 100644 --- a/roles/cups/tasks/main.yml +++ b/roles/cups/tasks/main.yml @@ -1,5 +1,5 @@ -# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD -# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml # "How do i fail a task in Ansible if the variable contains a boolean value? diff --git a/roles/cups/templates/cups.conf.j2 b/roles/cups/templates/cups.conf.j2 index 7efd33266..abec5152d 100644 --- a/roles/cups/templates/cups.conf.j2 +++ b/roles/cups/templates/cups.conf.j2 @@ -1,5 +1,5 @@ -# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD -# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml # 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying 
@@ -21,7 +21,7 @@ location ~ ^/print(|/.*)$ { # '~' -> '~*' for case-insensitive regex return 301 http://localhost:631; } - return 301 http://$host:631; # Can work with 192.168.0.x & 10.8.0.y ETC + return 301 http://$host:631; # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC } From 79f2ef8b7396da64c13653e72fa8bbaf3ffbc07e Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 13 Jul 2021 18:46:21 -0400 Subject: [PATCH 23/25] Create roles/cups/README.md --- roles/cups/README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 roles/cups/README.md diff --git a/roles/cups/README.md b/roles/cups/README.md new file mode 100644 index 000000000..15c8eec74 --- /dev/null +++ b/roles/cups/README.md @@ -0,0 +1,21 @@ +# CUPS Printing README + +## Web Administration + +Please administer CUPS at http://box/print using: + +- Username: Admin +- Password: changeme + +Or use any Linux user that is a member of the Linux group: `lpadmin` + +## Troubleshooting + +Please read the in-line comments at: [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml) + +## Links + +- https://www.cups.org/documentation.html + - https://github.com/apple/cups/releases +- https://openprinting.github.io/cups/ + - https://github.com/OpenPrinting/cups/releases/ From 7f52da4d99fd84a3a4f9f0535cbfcb1fbde13509 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 13 Jul 2021 19:29:36 -0400 Subject: [PATCH 24/25] Update roles/cups/README.md --- roles/cups/README.md | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/roles/cups/README.md b/roles/cups/README.md index 15c8eec74..ce0a736b0 100644 --- a/roles/cups/README.md +++ b/roles/cups/README.md 
@@ -4,16 +4,39 @@ Please administer CUPS at http://box/print using: -- Username: Admin -- Password: changeme +- Username: `Admin` +- Password: `changeme` Or use any Linux user that is a member of the Linux group: `lpadmin` -## Troubleshooting +## Security -Please read the in-line comments at: [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml) +The above uses 'SystemGroup lpadmin' in `/etc/cups/cups-files.conf` — in coordination with about 15 '@SYSTEM' lines and 'DefaultAuthType Basic' in `/etc/cups/cupsd.conf` -## Links +CUPS creates a 10-year (unsigned) https certificate during installation, that will be very confusing to non-technical users when they log in, as a result of modern browser warnings. + +## How it Works + +http://localhost:631 can be useful if NGINX redirects or CUPS permissions are set wrong. + +Beware that http://box:631 and http://box.lan:631 will not work, due to a [known issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027) with CUPS since 2009. + +Understand how IIAB configures CUPS for all IP addresses and all hostnames (despite the above CUPS problem!) by reading these in-line explanations: + +- [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml) + +Modify these 2 files at your own risk: + +- [/etc/cups/cupsd.conf](https://www.cups.org/doc/man-cupsd.conf.html) (run `sudo cupsctl` and `sudo cupsd -t` to verify the file!) +- [/etc/nginx/conf.d/cups.conf](templates/cups.conf.j2) + +If you make modifications to the above files, don't forget to restart systemd services: + +``` +systemctl restart cups cups-browsed nginx +``` + +## Docs and Updates - https://www.cups.org/documentation.html - https://github.com/apple/cups/releases From 4fb858bcf28cc1564bbb10a34bccf1f7dc1dd62b Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 13 Jul 2021 22:24:59 -0400 Subject: [PATCH 25/25] Update roles/nginx/README.md --- roles/nginx/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 235a2ffda..d00bf4cd7 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -10,7 +10,7 @@ 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX. -3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* +3. Current state of IIAB App/Service migrations as of 2021-07-13: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* 1. These support "Native" NGINX but ***NOT*** Apache @@ -41,13 +41,13 @@ 3. These support Apache but ***NOT*** "Native" NGINX. They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090. See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache. - * elgg + * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?] 4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite) * bluetooth * calibre (menu goes directly to port 8080) - * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)] + * cups (NGINX redirects http://box/print to port 631, changing hostname as appropriate, per [PR #2858](https://github.com/iiab/iiab/pull/2858)) * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)] * kalite (menu goes directly to ports 8006-8008) * minetest 
@@ -60,4 +60,4 @@ * transmission * vnstat -[*] The 4 above starred roles could use improvement, as of 2021-07-06. +[*] The 4 above starred roles could use improvement, as of 2021-07-13.