From 8b54908fa4e5cfaada6c8dc6f6ee91f61e7f1fa5 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 27 Sep 2020 03:03:03 +0200
Subject: [PATCH] Update..
---
 group_vars/all/main.yml | 14 +-
 host_vars/192.168.82.20.yml | 8 +-
 roles/common/handlers/main.yml | 18 +
 roles/common/tasks/basic.yml | 29 +
 roles/common/tasks/cups-install.yml | 120 +++
 roles/common/tasks/main.yml | 15 +
 roles/common/tasks/nfs.yml | 17 +
 roles/common/tasks/nis-install-client.yml | 2 +-
 roles/common/tasks/nis-install-server.yml | 25 +-
 roles/common/tasks/ntp.yml | 47 ++
 roles/common/tasks/root_files_scripts.yml | 51 ++
 roles/common/tasks/samba-install.yml | 2 +
 .../etc/cups/cups-browsed.conf.client.j2 | 746 +++++++++++++++++
 .../etc/cups/cups-browsed.conf.server.j2 | 747 ++++++++++++++++++
 .../templates/etc/cups/cups-files.conf.j2 | 95 +++
 .../templates/etc/cups/cupsd.conf.client.j2 | 307 +++++++
 .../templates/etc/cups/cupsd.conf.server.j2 | 307 +++++++
 roles/common/templates/etc/ntp.conf.j2 | 64 ++
 .../templates/root/bin/wakeup_lan.sh.j2 | 52 ++
 19 files changed, 2655 insertions(+), 11 deletions(-)
 create mode 100644 roles/common/tasks/ntp.yml
 create mode 100644 roles/common/tasks/root_files_scripts.yml
 create mode 100644 roles/common/templates/etc/cups/cups-browsed.conf.client.j2
 create mode 100644 roles/common/templates/etc/cups/cups-browsed.conf.server.j2
 create mode 100644 roles/common/templates/etc/cups/cups-files.conf.j2
 create mode 100644 roles/common/templates/etc/cups/cupsd.conf.client.j2
 create mode 100644 roles/common/templates/etc/cups/cupsd.conf.server.j2
 create mode 100644 roles/common/templates/etc/ntp.conf.j2
 create mode 100755 roles/common/templates/root/bin/wakeup_lan.sh.j2
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index abb3489..7b325e6 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -665,6 +665,15 @@ apt_install_client_cups: - printer-driver-hpcups +# ========== +# vars used by roles/common/tasks/ntp.yml +# ========== + +# name or ip-adress from the (local) ntp server, mostly the gateway +# +ntp_server: gw-akb.akb.netz + + # ========== # vars used by roles/common/tasks/nfs.yml # ========== @@ -674,6 +683,9 @@ nfs_server: 192.168.82.10 # Set 'fs_encrypted' to true if filesystem lives on an encrypted # partition. # +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# nfs_exports: - src: 192.168.82.10:/data/home path: /data/home @@ -689,7 +701,7 @@ nfs_exports: - src: 192.168.82.10:/data/samba path: /data/samba mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr - export_opt: rw,fsid=0,root_squash,sync,subtree_check + export_opt: rw,fsid=1,root_squash,sync,subtree_check export_networks: - 192.168.82.0/24 - 10.0.82.0/24 diff --git a/host_vars/192.168.82.20.yml b/host_vars/192.168.82.20.yml index 900ffd6..3944b23 100644 --- a/host_vars/192.168.82.20.yml +++ b/host_vars/192.168.82.20.yml @@ -31,6 +31,10 @@ nfs_server: 192.168.82.20 # Set 'fs_encrypted' to true if filesystem lives on an encrypted # partition. +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export # nfs_exports: - src: 192.168.82.20:/data/home @@ -47,7 +51,7 @@ nfs_exports: - src: 192.168.82.20:/data/samba path: /data/samba mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr - export_opt: rw,fsid=0,root_squash,sync,subtree_check + export_opt: rw,fsid=1,root_squash,sync,subtree_check export_networks: - 192.168.82.0/24 - 10.0.82.0/24 @@ -63,5 +67,5 @@ nfs_exports: # also used by template # - yp.conf.j2 -nis_server_address: 192.168.82.10 +nis_server_address: 192.168.82.20 diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index e33dc86..f9391f6 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml 
@@ -41,3 +41,21 @@ name: nmbd daemon_reload: yes state: restarted + +- name: Restart cups + service: + name: cups + daemon_reload: yes + state: restarted + +- name: Restart ntp + service: + name: ntp + daemon_reload: yes + state: restarted + +- name: Restart cups-browsed + service: + name: cups-browsed + daemon_reload: yes + state: restarted diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml index 3ece4ba..d58b47d 100644 --- a/roles/common/tasks/basic.yml +++ b/roles/common/tasks/basic.yml @@ -70,3 +70,32 @@ tags: - limits-conf +# - /etc/hosts + +- name: (basic.yml) Check file '/etc/hosts.ORIG' exists + stat: + path: /etc/hosts.ORIG + register: etc_hosts_ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + tags: + - etc_hosts + +- name: (basic.yml) Backup installation version of file '/etc/hosts' + command: cp -a /etc/hosts /etc/hosts.ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + - etc_hosts_ORIG.stat.exists == False + tags: + - etc_hosts + +- name: (basic.yml) addjust '/etc/hosts' add nis-server .. + lineinfile: + path: /etc/hosts + regexp: '^192\.168\.82\.' + line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}' + when: + - "groups['nis_server']|string is search(inventory_hostname)" + tags: + - etc_hosts + diff --git a/roles/common/tasks/cups-install.yml b/roles/common/tasks/cups-install.yml index 5e6a63f..2e82e8f 100644 --- a/roles/common/tasks/cups-install.yml +++ b/roles/common/tasks/cups-install.yml @@ -1,5 +1,6 @@ --- + # --- # Cups Server # --- @@ -14,6 +15,7 @@ tags: - cups-server + # --- # Cups clients # --- 
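Review bot: The `when:` tests added in the basic.yml hunk, `groups['file_server']|string is search(inventory_hostname)`, turn the group list into a string and search it with the hostname as a regular expression, so a host is selected whenever its name matches anywhere inside any member; a host named `192.168.82.2` would match a group that only contains `192.168.82.20`. List membership selects exactly the intended hosts: `- inventory_hostname in groups['file_server']`. The same expression is repeated in the cups-install.yml, nfs.yml, ntp.yml, root_files_scripts.yml and samba-install.yml hunks of this patch and should change the same way. Separately, the `/etc/hosts` backup is gated on `file_server` while the `lineinfile` edit is gated on `nis_server`, so a host that is only in `nis_server` is edited without a backup. The `regexp: '^192\.168\.82\.'` also makes `lineinfile` replace the last line with that prefix, whichever host it names; matching on `nis_server_name` instead would leave unrelated entries alone.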
@@ -30,3 +32,121 @@ +# -- file /etc/cups/cups-browsed.conf +- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIGi' exists + stat: + path: /etc/cups/cups-browsed.conf.ORIG + register: cups_browsed_conf_orig_exists + tags: + - cups-server + - cups-client + +- name: (cups.yml) Backup /etc/cups/cups-browsed.conf file + command: cp /etc/cups/cups-browsed.conf /etc/cups/cups-browsed.conf.ORIG + when: cups_browsed_conf_orig_exists.stat.exists == False + tags: + - cups-server + - cups-client + +- name: (cups.yml) update configuration file server - /etc/cups/cups-browsed.conf + template: + src: "etc/cups/cups-browsed.conf.server.j2" + dest: /etc/cups/cups-browsed.conf + owner: root + group: root + mode: 0644 + notify: + Restart cups-browsed + when: + - groups['file_server']|string is search(inventory_hostname) + tags: + - cups-server + +- name: (cups.yml) update configuration file client - /etc/cups/cups-browsed.conf + template: + src: "etc/cups/cups-browsed.conf.client.j2" + dest: /etc/cups/cups-browsed.conf + owner: root + group: root + mode: 0644 + notify: + Restart cups-browsed + when: + - groups['client_pc']|string is search(inventory_hostname) + tags: + - cups-client + + +# -- file /etc/cups/cupsd.conf +- name: (cups.yml) Check if file '/etc/cups/cupsd.conf.ORIGi' exists + stat: + path: /etc/cups/cupsd.conf.ORIG + register: cupsd_conf_orig_exists + tags: + - cups-server + - cups-client + +- name: (cups.yml) Backup /etc/cups/cupsd.conf file + command: cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.ORIG + when: cupsd_conf_orig_exists.stat.exists == False + tags: + - cups-server + - cups-client + +- name: (cups.yml) update configuration file server - /etc/cups/cupsd.conf + template: + src: "etc/cups/cupsd.conf.server.j2" + dest: /etc/cups/cupsd.conf + owner: root + group: root + mode: 0644 + notify: + Restart cups + when: + - groups['file_server']|string is search(inventory_hostname) + tags: + - cups-server + +- name: (cups.yml) update configuration file 
client - /etc/cups/cupsd.conf + template: + src: "etc/cups/cupsd.conf.client.j2" + dest: /etc/cups/cupsd.conf + owner: root + group: root + mode: 0644 + notify: + Restart cups + when: + - groups['client_pc']|string is search(inventory_hostname) + tags: + - cups-server + +# -- file /etc/cups/cups-files.conf +- name: (cups.yml) Check if file '/etc/cups/cups-files.conf.ORIGi' exists + stat: + path: /etc/cups/cups-files.conf.ORIG + register: cups_files_conf_orig_exists + tags: + - cups-server + - cups-client + +- name: (cups.yml) Backup /etc/cups/cups-files.conf file + command: cp /etc/cups/cups-files.conf /etc/cups/cups-files.conf.ORIG + when: cups_files_conf_orig_exists.stat.exists == False + tags: + - cups-server + - cups-client + +- name: (cups.yml) update configuration file server - /etc/cups/cups-files.conf + template: + src: "etc/cups/cups-files.conf.j2" + dest: /etc/cups/cups-files.conf + owner: root + group: root + mode: 0644 + notify: + Restart cups + tags: + - cups-server + - cups-client + diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c801259..cba68be 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -40,6 +40,13 @@ tags: git +# tags supported inside ntp.yml: +# +# ntp-server +- import_tasks: ntp.yml + tags: + - ntp + # tags supported inside cups-install.yml: # # cups-server @@ -142,6 +149,14 @@ - user-systemfiles +# tags supported root_files_scripts.yml: + +# wakeup_lan +- import_tasks: root_files_scripts.yml + tags: + - root-files-scripts + + # tags supported inside sudoers.yml: # # sudoers-remove diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml index 00bf1c0..0960de8 100644 --- a/roles/common/tasks/nfs.yml +++ b/roles/common/tasks/nfs.yml 
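Review bot: The client `cupsd.conf` task in the cups-install.yml hunk (`src: "etc/cups/cupsd.conf.client.j2"`, gated on `groups['client_pc']`) is tagged `cups-server`, whereas the parallel cups-browsed client task is tagged `cups-client`. A run limited to `--tags cups-client` therefore never templates the client's `cupsd.conf`, leaving whatever listener and access settings the host already had; the tag should read `- cups-client`. The three stat task names say `.ORIGi` while the path they check is `.ORIG`. The backups here use plain `cp`, unlike the `cp -a` used in basic.yml and ntp.yml, so the `.ORIG` copies do not keep the original owner, group and mode. Quoting the modes as `mode: '0644'`, as root_files_scripts.yml does for `/root/bin`, avoids depending on YAML octal parsing.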
@@ -44,6 +44,23 @@ tags: - nfs-server +- name: Enable service rpc-statd and ensure it is not masked + systemd: + name: rpc-statd + enabled: yes + masked: no + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + +- name: Make sure service rpc-statd is running + systemd: + state: started + name: rpc-statd + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nfs-server + # --- # NFS clients # --- diff --git a/roles/common/tasks/nis-install-client.yml b/roles/common/tasks/nis-install-client.yml index 9e627c3..9bb7f7f 100644 --- a/roles/common/tasks/nis-install-client.yml +++ b/roles/common/tasks/nis-install-client.yml @@ -145,7 +145,7 @@ - name: (nis-install-client.yml) Add nis-server to file /etc/hosts lineinfile: path: /etc/hosts - line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}' + line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}' insertafter: EOF state: present owner: root diff --git a/roles/common/tasks/nis-install-server.yml b/roles/common/tasks/nis-install-server.yml index 46c1f42..b86cf2a 100644 --- a/roles/common/tasks/nis-install-server.yml +++ b/roles/common/tasks/nis-install-server.yml @@ -4,6 +4,16 @@ # Install nis # --- +- name: (nis-install-server.yml) Install nis common packages + package: + name: "{{ item }}" + state: present + with_items: "{{ nis_common_packages }}" + register: nis_installed + tags: + - nis-install + - nis-install-server + - name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain) template: dest: /etc/defaultdomain 
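Review bot: The first added nfs.yml task, "Enable service rpc-statd and ensure it is not masked", has no `tags:` while the following start task is tagged `nfs-server`. With `--tags nfs-server` the unmask/enable step is skipped and the start task can fail on a host where the unit is still masked. Either add `tags:` with `- nfs-server` to the first task, or fold both into one `systemd` task with `enabled: yes`, `masked: no` and `state: started`.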
@@ -15,15 +25,16 @@ - nis-install - nis-install-server -- name: (nis-install-server.yml) Install nis common packages - package: - name: "{{ item }}" - state: present - with_items: "{{ nis_common_packages }}" - register: nis_installed +- name: (nis-install-server.yml) Create preconfigured /etc/yp.conf on nis clients + template: + dest: /etc/yp.conf + src: etc/yp.conf.j2 + owner: root + group: root + mode: 0644 tags: - nis-install - - nis-install-server + - nis-install-client # --- diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml new file mode 100644 index 0000000..cb28fd4 --- /dev/null +++ b/roles/common/tasks/ntp.yml @@ -0,0 +1,47 @@ +--- + +# --- +# NTP Server +# --- + +- name: (ntp.yml) Ensure ntp package is installed. + apt: + name: + - ntp + state: present + when: + - ansible_os_family == "Debian" + - "groups['file_server']|string is search(inventory_hostname)" + tags: + - ntp-server + +- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists + stat: + path: /etc/ntp.conf.ORIG + register: etc_ntp_conf_ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + tags: + - ntp-server + +- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf' + command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + - etc_ntp_conf_ORIG.stat.exists == False + tags: + - ntp-server + +- name: (ntp.yml) Update '/etc/ntp.conf' + template: + src: "etc/ntp.conf.j2" + dest: /etc/ntp.conf + owner: root + group: root + mode: 0644 + notify: Restart ntp + when: + - groups['file_server']|string is search(inventory_hostname) + tags: + - ntp-server + diff --git a/roles/common/tasks/root_files_scripts.yml b/roles/common/tasks/root_files_scripts.yml new file mode 100644 index 0000000..b4e654b --- /dev/null +++ b/roles/common/tasks/root_files_scripts.yml 
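Review bot: The task added in the second nis-install-server.yml hunk is named "Create preconfigured /etc/yp.conf on nis clients" and tagged `nis-install-client`, although it lives in the server task file and has no `when:`. It looks copied from nis-install-client.yml. As written, `--tags nis-install-server` skips it, and `--tags nis-install-client` runs it on every host that imports this file. If the server needs its own `/etc/yp.conf`, rename the task and use `- nis-install-server`; which hosts import this file is not visible in the hunk, so confirm the intended scope.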
@@ -0,0 +1,51 @@ +--- + +- name: (root_files_scripts.yml) Ensure directory /root/bin exists + file: + path: /root/bin + owner: root + group: root + mode: '0700' + state: directory + when: + - groups['file_server']|string is search(inventory_hostname) + +- name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present + template: + src: "root/bin/wakeup_lan.sh.j2" + dest: /root/bin/wakeup_lan.sh + owner: root + group: root + mode: 0755 + when: + - groups['file_server']|string is search(inventory_hostname) + tags: + - wakeup_lan + +- name: (root_files_scripts.yml) Check file '/etc/motd.ORIG' exists + stat: + path: /etc/motd.ORIG + register: etc_motd_ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + tags: + - etc_motd + +- name: (basic.yml) Backup installation version of file '/etc/motd' + command: cp -a /etc/motd /etc/motd.ORIG + when: + - "groups['file_server']|string is search(inventory_hostname)" + - etc_motd_ORIG.stat.exists == False + tags: + - etc_motd + + +- name: (root_files_scripts.yml) Write new '/etc/motd' file.. + shell: > + figlet '{{ nis_server_name.split(".")[0] }}' > /etc/motd + when: + - "groups['file_server']|string is search(inventory_hostname)" + - etc_motd_ORIG.stat.exists == False + tags: + - etc_motd + diff --git a/roles/common/tasks/samba-install.yml b/roles/common/tasks/samba-install.yml index 30659b4..524f379 100644 --- a/roles/common/tasks/samba-install.yml +++ b/roles/common/tasks/samba-install.yml @@ -58,6 +58,8 @@ owner: root group: root mode: 0644 + when: + - "groups['samba_server']|string is search(inventory_hostname)" notify: - Restart smbd - Restart nmbd diff --git a/roles/common/templates/etc/cups/cups-browsed.conf.client.j2 b/roles/common/templates/etc/cups/cups-browsed.conf.client.j2 new file mode 100644 index 0000000..76ba0dc --- /dev/null +++ b/roles/common/templates/etc/cups/cups-browsed.conf.client.j2 
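Review bot: The last task in root_files_scripts.yml pastes `nis_server_name` into a `shell:` line between hand-written single quotes, so a value containing a quote or shell metacharacter changes the command that runs as root. Let Ansible do the quoting: `figlet {{ nis_server_name.split(".")[0] | quote }} > /etc/motd`. The `/root/bin` directory task has no `wakeup_lan` tag, so a `--tags wakeup_lan` run on a fresh host templates into a directory that may not exist. The script is installed `mode: 0755` inside a `0700` directory, where `mode: '0700'` would match. The motd backup task name is also prefixed `(basic.yml)` rather than `(root_files_scripts.yml)`.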
@@ -0,0 +1,746 @@ +# {{ ansible_managed }} + +# All configuration options described here can also be supplied on the +# command line of cups-browsed via the "-o" option. In case of +# contradicting settings the setting defined in the configuration file +# will get used. + +# Unknown directives are ignored, also unknown values. + + +# Where should cups-browsed save information about the print queues it had +# generated when shutting down, like whether one of these queues was the +# default printer, or default option settings of the queues? + +# CacheDir /var/cache/cups + + +# Where should cups-browsed create its debug log file (if "DebugLogging file" +# is set)? + +# LogDir /var/log/cups + + +# How should debug logging be done? Into the file +# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or +# not at all ('none')? + +# Note that if cups-browsed is running as a system service (for +# example via systemd) logging to stderr makes the log output going to +# the journal or syslog. Only if you run cups-browsed from the command +# line (for development or debugging) it will actually appear on +# stderr. + +# DebugLogging file +# DebugLogging stderr +# DebugLogging file stderr +# DebugLogging none + + +# Which protocols will we use to discover printers on the network? +# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither. + +#BrowseRemoteProtocols dnssd cups +BrowseRemoteProtocols CUPS + + +# Which protocols will we use to broadcast shared local printers to the network? +# Can use DNSSD and/or CUPS, or 'none' for neither. +# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore +# DNSSD in this directive). + +# BrowseLocalProtocols none + + +# Settings of this directive apply to both BrowseRemoteProtocols and +# BrowseLocalProtocols. +# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither. 
+ +# BrowseProtocols none + + +# Only browse remote printers (via DNS-SD or CUPS browsing) from +# selected servers using the "BrowseAllow", "BrowseDeny", and +# "BrowseOrder" directives + +# This serves for restricting the choice of printers in print dialogs +# to trusted servers or to reduce the number of listed printers in the +# print dialogs to a more user-friendly amount in large networks with +# very many shared printers. + +# This only filters the selection of remote printers for which +# cups-browsed creates local queues. If the print dialog uses other +# mechanisms to list remote printers as for example direct DNS-SD +# access, cups-browsed has no influence. cups-browsed also does not +# prevent the user from manually accessing non-listed printers. + +# "BrowseAllow": Accept printers from these hosts or networks. If +# there are only "BrowseAllow" lines and no "BrowseOrder" and/or +# "BrowseDeny" lines, only servers matching at last one "BrowseAllow" +# line are accepted. + +# "BrowseDeny": Deny printers from these hosts or networks. If there +# are only "BrowseDeny" lines and no "BrowseOrder" and/or +# "BrowseAllow" lines, all servers NOT matching any of the +# "BrowseDeny" lines are accepted. + +# "BrowseOrder": Determine the order in which "BrowseAllow" and +# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the +# beginning all servers are accepted, then the "BrowseDeny" lines are +# applied to exclude unwished servers or networks and after that the +# "BrowseAllow" lines to re-include servers or networks. With +# "BrowseOrder Allow,Deny" we start with denying all servers, then +# applying the "BrowseAllow" lines and afterwards the "BrowseDeny" +# lines. + +# Default for "BrowseOrder" is "Deny.Allow" if there are both +# "BrowseAllow" and "BrowseDeny" lines. + +# If there are no "Browse..." lines at all, all servers are accepted. 
+ +# BrowseAllow All +# BrowseAllow cups.example.com +# BrowseAllow 192.168.1.12 +# BrowseAllow 192.168.1.0/24 +# BrowseAllow 192.168.1.0/255.255.255.0 + +# BrowseDeny All +# BrowseDeny printserver.example.com +# BrowseDeny 192.168.1.13 +# BrowseDeny 192.168.3.0/24 +# BrowseDeny 192.168.3.0/255.255.255.0 + +# BrowseOrder Deny,Allow +# BrowseOrder Allow,Deny + + +# The interval between browsing/broadcasting cycles, local and/or +# remote, can be adjusted with the BrowseInterval directive. + +# BrowseInterval 60 + + +# Browsing-related operations such as adding or removing printer queues +# and broadcasting are each allowed to take up to a given amount of time. +# It can be configured, in seconds, with the BrowseTimeout directive. +# Especially queues discovered by CUPS broadcasts will be removed after +# this timeout if no further broadcast from the server happens. + +# BrowseTimeout 300 + +# Filtering of remote printers by other properties than IP addresses +# of their servers + +# Often the desired selection of printers cannot be reached by only +# taking into account the IP addresses of the servers. For these cases +# there is the BrowseFilter directive to filter by most of the known +# properties of the printer. + +# By default there is no BrowseFilter line meaning that no filtering +# is applied. + +# To do filtering one can supply one or more BrowseFilter directives +# like this: + +# BrowseFilter [NOT] [EXACT] [] + +# The BrowseFilter directive always starts with the word +# "BrowseFilter" and it must at least contain the name of the data +# field () of the printer's properties to which it should +# apply. 
+ +# Available field names are: + +# name: Name of the local print queue to be created +# host: Host name of the remote print server +# port: Port through which the printer is accessed on the server +# service: DNS/SD service name of the remote printer +# domain: Domain of the remote print server + +# Also all field names in the TXT records of DNS-SD-advertised printers +# are valid, like "color", "duplex", "pdl", ... If the field name of +# the filter rule does not exist for the printer, the rule is skipped. + +# The optional field is either the exact value (when the +# option EXACT is supplied) or a regular expression (Run "man 7 regex" +# in a terminal window) to be matched with the data field. + +# If no filed is supplied, rules with field names of the TXT +# record are considered for boolean matching (true/false) of boolean +# field (like duplex, which can have the values "T" for true and "F" +# for false). + +# If the option NOT is supplied, the filter rule is fulfilled if the +# regular expression or the exact value DOES NOT match the content of +# the data field. In a boolean rule (without ) the rule matches +# false. + +# Regular expressions are always considered case-insensitive and +# extended POSIX regular expressions. Field names and options (NOT, +# EXACT) are all evaluated case-insensitive. If there is an error in a +# regular expression, the BrowseFilter line gets ignored. + +# Especially to note is that supplying any simple string consisting of +# only letters, numbers, spaces, and some basic special characters as +# a regular expression matches if it is contained somewhere in the +# data field. + +# If there is more than one BrowseFilter directive, ALL the directives +# need to be fulfilled for the remote printer to be accepted. If one +# is not fulfilled, the printer will get ignored. 
+ +# Examples: + +# Rules for standard data items which are supplied with any remote +# printer advertised via DNS-SD: + +# Print queue name must contain "hum_res_", this matches +# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono": + +# BrowseFilter name hum_res_ + +# This matches if the remote host name contains "printserver", like +# "printserver.local", "printserver2.example.com", "newprintserver": + +# BrowseFilter host printserver + +# This matches all ports with 631 int its number, for example 631, +# 8631, 10631,...: + +# BrowseFilter port 631 + +# This rule matches if the DNS-SD service name contains "@ printserver": + +# Browsefilter service @ printserver + +# Matches all domains with "local" in their names, not only "local" but +# also things like "printlocally.com": + +# BrowseFilter domain local + +# Examples for rules applying to items of the TXT record: + +# This rule selects PostScript printers, as the "PDL" field in the TXT +# record contains "postscript" then. This includes also remote CUPS +# queues which accept PostScript, independent of whether the physical +# printer behind the CUPS queue accepts PostScript or not. + +# BrowseFilter pdl postscript + +# Color printers usually contain a "Color" entry set to "T" (for true) +# in the TXT record. 
This rule selects them: + +# BrowseFilter color + +# This is a similar rule to select only duplex (automatic double-sided +# printing) printers: + +# BrowseFilter duplex + +# Rules with the NOT option: + +# This rule EXCLUDES printers from all hosts containing "financial" in +# their names, nice to get rid of the 100s of printers of the +# financial department: + +# BrowseFilter NOT host financial + +# Get only monochrome printers ("Color" set to "F", meaning false, in +# the TXT record): + +# BrowseFilter NOT color + +# Rules with more advanced use of regular expressions: + +# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we +# still get "hum_res_mono" or "hum_res_color" but not +# "old_hum_res_mono" any more: + +# BrowseFilter name ^hum_res_ + +# Server names is accepted if it contains "print_server" OR +# "graphics_dep_server": + +# BrowseFilter host print_server|graphics_dep_server + +# "printserver1", "printserver2", and "printserver3", nothing else: + +# BrowseFilter host ^printserver[1-3]$ + +# Printers understanding at least one of PostScript, PCL, or PDF: + +# BrowseFilter pdl postscript|pcl|pdf + +# Examples for the EXACT option: + +# Only printers from "printserver.local" are accepted: + +# BrowseFilter EXACT host printserver.local + +# Printers from all servers except "prinserver2.local" are accepted: + +# BrowseFilter NOT EXACT host prinserver2.local + + +# Use BrowsePoll to poll a particular CUPS server + +# BrowsePoll cups.example.com +# BrowsePoll cups.example.com:631 +# BrowsePoll cups.example.com:631/version=1.1 + + +# LDAP browsing configuration +# The default value for all options is an empty string. 
Example configuration: + +# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld +# BrowseLDAPCACertFile /path/to/server/certificate.pem +# BrowseLDAPDN ou=printers,dc=domain,dc=tld +# BrowseLDAPFilter (printerLocation=/Office 1/*) +# BrowseLDAPPassword s3cret +# BrowseLDAPServer ldaps://ldap.domain.tld + + +# Use DomainSocket to access the local CUPS daemon via another than the +# default domain socket. "None" or "Off" lets cups-browsed not use CUPS' +# domain socket. + +# DomainSocket /var/run/cups/cups.sock +# DomainSocket None +# DomainSocket Off + + +# Set HTTP timeout (in seconds) for requests sent to local/remote +# resources Note that too short timeouts can make services getting +# missed when they are present and operations be unneccessarily +# repeated and too long timeouts can make operations take too long +# when the server does not respond. + +# HttpLocalTimeout 5 +# HttpRemoteTimeout 10 + +# Set how many retries (N) should cups-browsed do for creating print +# queues for remote printers which receive timeouts during print queue +# creation. The printers which are not successfuly set up even after +# N retries, are skipped until the next restart of the service. Note +# that too many retries can cause high CPU load. + +# HttpMaxRetries 5 + +# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create +# local queues for remote printers for which CUPS creates queues by +# itself. These printers are printers advertised via DNS-SD and doing +# CUPS-supported (currently PWG Raster and Apple Raster) driverless +# printing, including remote CUPS queues. Queues for other printers +# (like for legacy PostScript/PCL printers) are always created +# (depending on the other configuration settings of cups-browsed). + +# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues +# for all printers which it supports, including printers for which +# CUPS would create queues by itself. Temporary queues created by CUPS +# will get overwritten. 
This way it is assured that any extra +# functionality of cups-browsed will apply to these queues. As queues +# created by cups-browsed are permanent CUPS queues this setting is +# also recommended if applications/print dialogs which do not support +# temporary CUPS queues are installed. This setting is the default. + +# OnlyUnsupportedByCUPS Yes + + +# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues +# for IPP printers with PPDs generated by the PPD generator of CUPS +# and not with the one of cups-browsed. So any new development in +# CUPS' PPD generator gets available. As CUPS' PPD generator is not +# directly accessible, we need to make CUPS generate a temporary print +# queue with the desired PPD. Therefore we can only use these PPDs +# when our queue replaces a temporary CUPS queue, meaning that the +# queue is for a printer on which CUPS supports driverless printing +# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its +# name is the same as CUPS uses for the temporary queue +# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive +# applies only to IPP printers, not to remote CUPS queues, to not +# break clustering. Setting this directive to "No" lets cups-browsed +# generate the PPD file. Default setting is "No". + +# UseCUPSGeneratedPPDs No + + +# With the directives LocalQueueNamingRemoteCUPS and +# LocalQueueNamingIPPPrinter you can determine how the names for local +# queues generated by cups-browsed are generated, separately for +# remote CUPS printers and IPP printers. + +# DNS-SD (the default in both cases) bases the naming on the service +# name of the printer's advertised DNS-SD record. This is exactly the +# same naming scheme as CUPS uses for its temporary queues, so the +# local queue from cups-browsed prevents CUPS from listing and +# creating an additional queue. 
As DNS-SD service names have to be +# unique, queue names of printers from different servers will also be +# unique and so there is no automatic clustering for load-balanced +# printing. + +# MakeModel bases the queue name on the printer's manufacturer and +# model names. This scheme cups-browsed used formerly for IPP +# printers. + +# RemoteName is only available for remote CUPS queues and uses the +# name of the queue on the remote CUPS server as the local queue's +# name. This makes printers on different CUPS servers with equal queue +# names automatically forming a load-balancing cluster as CUPS did +# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote +# printers. This scheme cups-browsed used formerly for remote CUPS +# printers. + +# LocalQueueNamingRemoteCUPS DNS-SD +# LocalQueueNamingRemoteCUPS MakeModel +# LocalQueueNamingRemoteCUPS RemoteName +# LocalQueueNamingIPPPrinter DNS-SD +# LocalQueueNamingIPPPrinter MakeModel + + +# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use +# DNS-SD-service-name-based device URIs for its local queues, as CUPS +# also does. These queues use the DNS-SD service name of the +# discovered printer. With this the URI is independent of network +# interfaces and ports, giving reliable connections to always the same +# physical device. This setting is the default. + +# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the +# conventional host-name/IP-based URIs. + +# Note that this option has only influence on URIs for printers +# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP. +# Those printers get always assigned the conventional URIs. + +# DNSSDBasedDeviceURIs Yes + + +# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its +# local queues with device URIs with the IP addresses instead of the +# host names of the remote servers. 
This mode is there for any +# problems with host name resolution in the network, especially also +# if avahi-daemon is only run for printer discovery and already +# stopped while still printing. By default this mode is turned off, +# meaning that we use URIs with host names. + +# Note that the IP addresses depend on the network interface through +# which the printer is accessed. So do not use IP-based URIs on systems +# with many network interfaces and where interfaces can appear and +# disappear frequently. + +# This mode could also be useful for development and debugging. + +# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set +# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or +# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses. + +# IPBasedDeviceURIs No +# IPBasedDeviceURIs Yes +# IPBasedDeviceURIs IPv4 +# IPBasedDeviceURIs IPv6 + +# The AllowResharingRemoteCUPSPrinters directive determines whether a +# print queue pointing to a remote CUPS queue will be re-shared to the +# local network or not. Since the queues generated using the BrowsePoll +# directive are also pointing to remote queues, they are also shared +# automatically if the following option is set. Default is not to share +# remote printers. + +# AllowResharingRemoteCUPSPrinters Yes + +# The NewBrowsePollQueuesShared directive determines whether a print +# queue for a newly discovered printer (discovered by the BrowsePoll directive) +# will be shared to the local network or not. This directive will only work +# if AllowResharingRemoteCUPSPrinters is set to yes. Default is +# not to share printers discovered using BrowsePoll. + +# NewBrowsePollQueuesShared Yes + +# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also +# create local queues pointing to remote raw CUPS queues. 
Normally,
+# only queues pointing to remote queues with PPD/driver are created
+# as we do not use drivers on the client side, but in some cases
+# accessing a remote raw queue can make sense, for example if the
+# queue forwards the jobs by a special backend like Tea4CUPS.
+
+# CreateRemoteRawPrinterQueues Yes
+
+
+# cups-browsed by default creates local print queues for each shared
+# CUPS print queue which it discovers on remote machines in the local
+# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
+# want cups-browsed to do this. For example you can set cups-browsed
+# to only create queues for IPP network printers setting
+# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
+# to "No".
+
+# CreateRemoteCUPSPrinterQueues No
+
+
+# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
+# network printers (native printers, not CUPS queues) with known page
+# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
+# 5c/e) in the local network and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
+# discover IPP Everywhere printers in the local network (native
+# printers, not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
+# discover Apple Raster printers in the local network (native
+# printers, not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
+# discover printers designed for driverless use (currently IPP
+# Everywhere and Apple Raster) in the local network (native printers,
+# not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
+# queues only for local printers made available as IPP printers. These
+# are for example IPP-over-USB printers, made available via
+# ippusbxd. This is the default.
+
+# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
+# for IPP network printers.
+
+# If queues with PPD file are created (see IPPPrinterQueueType
+# directive below) the PPDs are auto-generated by cups-browsed based
+# on properties of the printer polled via IPP. In case of missing
+# information, info from the Bonjour record is used asd as last mean
+# default values.
+
+# If queues without PPD (see IPPPrinterQueueType directive below) are
+# created clients have to IPP-poll the capabilities of the printer and
+# send option settings as standard IPP attributes. Then we do not poll
+# the capabilities by ourselves to not wake up the printer from
+# power-saving mode when creating the queues. Jobs have to be sent in
+# one of PDF, PWG Raster, or JPEG format. Other formats are not
+# accepted.
+
+# This functionality is primarily for mobile devices running
+# CUPS to not need a printer setup tool nor a collection of printer
+# drivers and PPDs.
+
+# CreateIPPPrinterQueues No
+# CreateIPPPrinterQueues LocalOnly
+# CreateIPPPrinterQueues Everywhere
+# CreateIPPPrinterQueues AppleRaster
+# CreateIPPPrinterQueues Everywhere AppleRaster
+# CreateIPPPrinterQueues Driverless
+# CreateIPPPrinterQueues All
+
+
+# If cups-browsed is automatically creating print queues for native
+# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
+# queue to be created can be selected by the "IPPPrinterQueueType"
+# directive. The "PPD" (default) setting makes queues with PPD file
+# being created. With "Interface" or "NoPPD" the queue is created with
+# a System V interface script (Not supported with CUPS 2.2.x or
+# later). "Auto" is for backward compatibility and also lets queues
+# with PPD get created.
+
+# IPPPrinterQueueType PPD
+# IPPPrinterQueueType NoPPD
+# IPPPrinterQueueType Interface
+# IPPPrinterQueueType Auto
+
+
+# The NewIPPPrinterQueuesShared directive determines whether a print
+# queue for a newly discovered IPP network printer (not remote CUPS
+# queue) will be shared to the local network or not. This is only
+# valid for newly discovered printers. For printers discovered in an
+# earlier cups-browsed session, cups-browsed will remember whether the
+# printer was shared, so changes by the user get conserved. Default is
+# not to share newly discovered IPP printers.
+
+# NewIPPPrinterQueuesShared Yes
+
+
+# If there is more than one remote CUPS printer whose local queue
+# would get the same name and AutoClustering is set to "Yes" (the
+# default) only one local queue is created which makes up a
+# load-balancing cluster of the remote printers which would get this
+# queue name (implicit class). This means that when several jobs are
+# sent to this queue they get distributed between the printers, using
+# the method chosen by the LoadBalancing directive.
+
+# Note that the forming of clusters depends on the naming scheme for
+# local queues created by cups-browsed. If you have set
+# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
+# clustering as the DNS-SD service names are always unique. With
+# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
+# named as the CUPS queues on the remote servers are named and so
+# equally named queues on different servers get clustered (this is how
+# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
+# set to "MakeModel" makes remote printers of the same model get
+# clustered. Note that then a cluster can contain more than one queue
+# of the same server.
+
+# With AutoClustering set to "No", for each remote CUPS printer an
+# individual local queue is created, and to avoid name clashes when
+# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
+# "MakeModel" "@" is added to the local queue name.
+
+# Only remote CUPS printers get clustered, not IPP network printers or
+# IPP-over-USB printers.
+
+# AutoClustering Yes
+# AutoClustering No
+
+
+# Load-balancing printer cluster formation can also be manually
+# controlled by defining explicitly which remote CUPS printers should
+# get clustered together.
+
+# This is done by the "Cluster" directive:
+
+# Cluster : ...
+# Cluster
+
+# If no expressions are given, is used as the first and
+# only expression for this cluster.
+
+# Discovered printers are matched against all the expressions of all
+# defined clusters. The first expression which matches the discovered
+# printer determines to which cluster it belongs. Note that this way a
+# printer can only belong to one cluster. Once matched, further
+# cluster definitions will not checked any more.
+
+# With the first printer matching a cluster's expression a local queue
+# with the name is created. If more printers are
+# discovered and match this cluster, they join the cluster. Printing
+# to this queue prints to all these printers in a load-balancing
+# manner, according to to the setting of the LoadBalancing directive.
+
+# Each expression must be a string of characters without spaces. If
+# spaces are needed, replace them by underscores ('_').
+
+# An expression can be matched in three ways:
+
+# 1. By the name of the CUPS queue on the remote server
+# 2. By make and model name of the remote printer
+# 3. By the DNS-SD service name of the remote printer
+
+# Note that the matching is done case-insensitively and any group of
+# non-alphanumerical characters is replaced by a single underscore.
+
+# So if an expression is "HP_DeskJet_2540" and the remote server
+# reports "hp Deskjet-2540" the printer gets matched to this cluster.
+
+# If "AutoClustering" is not set to "No" both your manual cluster
+# definitions will be followed and automatic clustering of
+# equally-named remote queues will be performed. If a printer matches
+# in both categories the match to the manually defined cluster has
+# priority. Automatic clustering of equally-named remote printers is
+# not performed if there is a manually defined cluster with this name
+# (at least as the printers do not match this cluster).
+
+# Examples:
+
+# To cluster all remote CUPS queues named "laserprinter" in your local
+# network but not cluster any other equally-named remote CUPS printers
+# use (Local queue will get named "laserprinter"):
+
+# AutoClustering No
+# Cluster laserprinter
+
+# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
+# local queue named "LJ4050":
+
+# Cluster LJ4050: HP_LaserJet_4050
+
+# As DNS-SD service names are unique in a network you can create a
+# cluster from exactly specified printers (spaces replaced by
+# underscors):
+
+# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
+
+
+# The LoadBalancing directive switches between two methods of handling
+# load balancing between equally-named remote queues which are
+# represented by one local print queue making up a cluster of them
+# (implicit class).
+
+# The two methods are:
+
+# Queuing of jobs on the client (LoadBalancing QueueOnClient):
+
+# Here we queue up the jobs on the client and regularly check the
+# clustered remote print queues. If we find an idle queue, we pass
+# on a job to it.
+
+# This is also the method which CUPS uses for classes. Advantage is a
+# more even distribution of the job workload on the servers
+# (especially if the printing speed of the servers is very different),
+# and if a server fails, there are not several jobs stuck or
+# lost.
Disadvantage is that if one takes the client (laptop, mobile
+# phone, ...) out of the local network, printing stops with the jobs
+# waiting in the local queue.
+
+# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
+
+# Here we check the number of jobs on each of the clustered remote
+# printers and send an incoming job immediately to the remote printer
+# with the lowest amount of jobs in its queue. This way no jobs queue
+# up locally, all jobs which are waiting are waiting on one of the
+# remote servers.
+
+# Not having jobs waiting locally has the advantage that we can take
+# the local machine from the network and all jobs get printed.
+# Disadvantage is that if a server with a full queue of jobs goes
+# away, the jobs go away, too.
+
+# Default is queuing the jobs on the client as this is what CUPS does
+# with classes.
+
+# LoadBalancing QueueOnClient
+# LoadBalancing QueueOnServers
+
+
+# With the DefaultOptions directive one or more option settings can be
+# defined to be applied to every print queue newly created by
+# cups-browsed. Each option is supplied as one supplies options with
+# the "-o" command line argument to the "lpadmin" command (Run "man
+# lpadmin" for more details). More than one option can be supplied
+# separating the options by spaces. By default no option settings are
+# pre-defined.
+
+# Note that print queues which cups-browsed already created before
+# remember their previous settings and so these settings do not get
+# applied.
+
+# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
+
+
+# The AutoShutdown directive specifies whether cups-browsed should
+# automatically terminate when it has no local raw queues set up
+# pointing to any discovered remote printers or no jobs on such queues
+# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
+# to "On" activates the auto-shutdown mode, setting it to "Off"
+# deactiivates it (the default).
The special mode "avahi" turns auto
+# shutdown off while avahi-daemon is running and on when avahi-daemon
+# stops. This allows running cups-browsed on-demand when avahi-daemon
+# is run on-demand.
+
+# AutoShutdown Off
+# AutoShutdown On
+# AutoShutdown avahi
+
+
+# The AutoShutdownOn directive determines what event cups-browsed
+# considers as inactivity in auto shutdown mode. "NoQueues" (the
+# default) means that auto shutdown is initiated when there are no
+# queues for discovered remote printers generated by cups-browsed any
+# more. "NoJobs" means that all queues generated by cups-browsed are
+# without jobs.
+
+# AutoShutdownOn NoQueues
+# AutoShutdownOn NoJobs
+
+
+# The AutoShutdownTimeout directive specifies after how many seconds
+# without local raw queues set up pointing to any discovered remote
+# printers or jobs on these queues cups-browsed should actually shut
+# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
+# shutdown.
+
+# AutoShutdownTimeout 30
diff --git a/roles/common/templates/etc/cups/cups-browsed.conf.server.j2 b/roles/common/templates/etc/cups/cups-browsed.conf.server.j2
new file mode 100644
index 0000000..de67dc9
--- /dev/null
+++ b/roles/common/templates/etc/cups/cups-browsed.conf.server.j2
@@ -0,0 +1,747 @@
+# {{ ansible_managed }}
+
+# All configuration options described here can also be supplied on the
+# command line of cups-browsed via the "-o" option. In case of
+# contradicting settings the setting defined in the configuration file
+# will get used.
+
+# Unknown directives are ignored, also unknown values.
+
+
+# Where should cups-browsed save information about the print queues it had
+# generated when shutting down, like whether one of these queues was the
+# default printer, or default option settings of the queues?
+
+# CacheDir /var/cache/cups
+
+
+# Where should cups-browsed create its debug log file (if "DebugLogging file"
+# is set)?
+
+# LogDir /var/log/cups
+
+
+# How should debug logging be done? Into the file
+# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
+# not at all ('none')?
+
+# Note that if cups-browsed is running as a system service (for
+# example via systemd) logging to stderr makes the log output going to
+# the journal or syslog. Only if you run cups-browsed from the command
+# line (for development or debugging) it will actually appear on
+# stderr.
+
+# DebugLogging file
+# DebugLogging stderr
+# DebugLogging file stderr
+# DebugLogging none
+
+
+# Which protocols will we use to discover printers on the network?
+# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
+
+#BrowseRemoteProtocols dnssd cups
+BrowseRemoteProtocols none
+
+
+# Which protocols will we use to broadcast shared local printers to the network?
+# Can use DNSSD and/or CUPS, or 'none' for neither.
+# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
+# DNSSD in this directive).
+
+# BrowseLocalProtocols none
+BrowseLocalProtocols CUPS
+
+
+# Settings of this directive apply to both BrowseRemoteProtocols and
+# BrowseLocalProtocols.
+# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
+
+# BrowseProtocols none
+
+
+# Only browse remote printers (via DNS-SD or CUPS browsing) from
+# selected servers using the "BrowseAllow", "BrowseDeny", and
+# "BrowseOrder" directives
+
+# This serves for restricting the choice of printers in print dialogs
+# to trusted servers or to reduce the number of listed printers in the
+# print dialogs to a more user-friendly amount in large networks with
+# very many shared printers.
+
+# This only filters the selection of remote printers for which
+# cups-browsed creates local queues. If the print dialog uses other
+# mechanisms to list remote printers as for example direct DNS-SD
+# access, cups-browsed has no influence. cups-browsed also does not
+# prevent the user from manually accessing non-listed printers.
+
+# "BrowseAllow": Accept printers from these hosts or networks. If
+# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
+# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
+# line are accepted.
+
+# "BrowseDeny": Deny printers from these hosts or networks. If there
+# are only "BrowseDeny" lines and no "BrowseOrder" and/or
+# "BrowseAllow" lines, all servers NOT matching any of the
+# "BrowseDeny" lines are accepted.
+
+# "BrowseOrder": Determine the order in which "BrowseAllow" and
+# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
+# beginning all servers are accepted, then the "BrowseDeny" lines are
+# applied to exclude unwished servers or networks and after that the
+# "BrowseAllow" lines to re-include servers or networks. With
+# "BrowseOrder Allow,Deny" we start with denying all servers, then
+# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
+# lines.
+
+# Default for "BrowseOrder" is "Deny.Allow" if there are both
+# "BrowseAllow" and "BrowseDeny" lines.
+
+# If there are no "Browse..." lines at all, all servers are accepted.
+
+# BrowseAllow All
+# BrowseAllow cups.example.com
+# BrowseAllow 192.168.1.12
+# BrowseAllow 192.168.1.0/24
+# BrowseAllow 192.168.1.0/255.255.255.0
+
+# BrowseDeny All
+# BrowseDeny printserver.example.com
+# BrowseDeny 192.168.1.13
+# BrowseDeny 192.168.3.0/24
+# BrowseDeny 192.168.3.0/255.255.255.0
+
+# BrowseOrder Deny,Allow
+# BrowseOrder Allow,Deny
+
+
+# The interval between browsing/broadcasting cycles, local and/or
+# remote, can be adjusted with the BrowseInterval directive.
+
+# BrowseInterval 60
+
+
+# Browsing-related operations such as adding or removing printer queues
+# and broadcasting are each allowed to take up to a given amount of time.
+# It can be configured, in seconds, with the BrowseTimeout directive.
+# Especially queues discovered by CUPS broadcasts will be removed after
+# this timeout if no further broadcast from the server happens.
+
+# BrowseTimeout 300
+
+# Filtering of remote printers by other properties than IP addresses
+# of their servers
+
+# Often the desired selection of printers cannot be reached by only
+# taking into account the IP addresses of the servers. For these cases
+# there is the BrowseFilter directive to filter by most of the known
+# properties of the printer.
+
+# By default there is no BrowseFilter line meaning that no filtering
+# is applied.
+
+# To do filtering one can supply one or more BrowseFilter directives
+# like this:
+
+# BrowseFilter [NOT] [EXACT] []
+
+# The BrowseFilter directive always starts with the word
+# "BrowseFilter" and it must at least contain the name of the data
+# field () of the printer's properties to which it should
+# apply.
+
+# Available field names are:
+
+# name: Name of the local print queue to be created
+# host: Host name of the remote print server
+# port: Port through which the printer is accessed on the server
+# service: DNS/SD service name of the remote printer
+# domain: Domain of the remote print server
+
+# Also all field names in the TXT records of DNS-SD-advertised printers
+# are valid, like "color", "duplex", "pdl", ... If the field name of
+# the filter rule does not exist for the printer, the rule is skipped.
+
+# The optional field is either the exact value (when the
+# option EXACT is supplied) or a regular expression (Run "man 7 regex"
+# in a terminal window) to be matched with the data field.
+
+# If no filed is supplied, rules with field names of the TXT
+# record are considered for boolean matching (true/false) of boolean
+# field (like duplex, which can have the values "T" for true and "F"
+# for false).
+
+# If the option NOT is supplied, the filter rule is fulfilled if the
+# regular expression or the exact value DOES NOT match the content of
+# the data field. In a boolean rule (without ) the rule matches
+# false.
+
+# Regular expressions are always considered case-insensitive and
+# extended POSIX regular expressions. Field names and options (NOT,
+# EXACT) are all evaluated case-insensitive. If there is an error in a
+# regular expression, the BrowseFilter line gets ignored.
+
+# Especially to note is that supplying any simple string consisting of
+# only letters, numbers, spaces, and some basic special characters as
+# a regular expression matches if it is contained somewhere in the
+# data field.
+
+# If there is more than one BrowseFilter directive, ALL the directives
+# need to be fulfilled for the remote printer to be accepted. If one
+# is not fulfilled, the printer will get ignored.
+
+# Examples:
+
+# Rules for standard data items which are supplied with any remote
+# printer advertised via DNS-SD:
+
+# Print queue name must contain "hum_res_", this matches
+# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
+
+# BrowseFilter name hum_res_
+
+# This matches if the remote host name contains "printserver", like
+# "printserver.local", "printserver2.example.com", "newprintserver":
+
+# BrowseFilter host printserver
+
+# This matches all ports with 631 int its number, for example 631,
+# 8631, 10631,...:
+
+# BrowseFilter port 631
+
+# This rule matches if the DNS-SD service name contains "@ printserver":
+
+# Browsefilter service @ printserver
+
+# Matches all domains with "local" in their names, not only "local" but
+# also things like "printlocally.com":
+
+# BrowseFilter domain local
+
+# Examples for rules applying to items of the TXT record:
+
+# This rule selects PostScript printers, as the "PDL" field in the TXT
+# record contains "postscript" then. This includes also remote CUPS
+# queues which accept PostScript, independent of whether the physical
+# printer behind the CUPS queue accepts PostScript or not.
+
+# BrowseFilter pdl postscript
+
+# Color printers usually contain a "Color" entry set to "T" (for true)
+# in the TXT record.
This rule selects them:
+
+# BrowseFilter color
+
+# This is a similar rule to select only duplex (automatic double-sided
+# printing) printers:
+
+# BrowseFilter duplex
+
+# Rules with the NOT option:
+
+# This rule EXCLUDES printers from all hosts containing "financial" in
+# their names, nice to get rid of the 100s of printers of the
+# financial department:
+
+# BrowseFilter NOT host financial
+
+# Get only monochrome printers ("Color" set to "F", meaning false, in
+# the TXT record):
+
+# BrowseFilter NOT color
+
+# Rules with more advanced use of regular expressions:
+
+# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
+# still get "hum_res_mono" or "hum_res_color" but not
+# "old_hum_res_mono" any more:
+
+# BrowseFilter name ^hum_res_
+
+# Server names is accepted if it contains "print_server" OR
+# "graphics_dep_server":
+
+# BrowseFilter host print_server|graphics_dep_server
+
+# "printserver1", "printserver2", and "printserver3", nothing else:
+
+# BrowseFilter host ^printserver[1-3]$
+
+# Printers understanding at least one of PostScript, PCL, or PDF:
+
+# BrowseFilter pdl postscript|pcl|pdf
+
+# Examples for the EXACT option:
+
+# Only printers from "printserver.local" are accepted:
+
+# BrowseFilter EXACT host printserver.local
+
+# Printers from all servers except "prinserver2.local" are accepted:
+
+# BrowseFilter NOT EXACT host prinserver2.local
+
+
+# Use BrowsePoll to poll a particular CUPS server
+
+# BrowsePoll cups.example.com
+# BrowsePoll cups.example.com:631
+# BrowsePoll cups.example.com:631/version=1.1
+
+
+# LDAP browsing configuration
+# The default value for all options is an empty string.
Example configuration:
+
+# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
+# BrowseLDAPCACertFile /path/to/server/certificate.pem
+# BrowseLDAPDN ou=printers,dc=domain,dc=tld
+# BrowseLDAPFilter (printerLocation=/Office 1/*)
+# BrowseLDAPPassword s3cret
+# BrowseLDAPServer ldaps://ldap.domain.tld
+
+
+# Use DomainSocket to access the local CUPS daemon via another than the
+# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
+# domain socket.
+
+# DomainSocket /var/run/cups/cups.sock
+# DomainSocket None
+# DomainSocket Off
+
+
+# Set HTTP timeout (in seconds) for requests sent to local/remote
+# resources Note that too short timeouts can make services getting
+# missed when they are present and operations be unneccessarily
+# repeated and too long timeouts can make operations take too long
+# when the server does not respond.
+
+# HttpLocalTimeout 5
+# HttpRemoteTimeout 10
+
+# Set how many retries (N) should cups-browsed do for creating print
+# queues for remote printers which receive timeouts during print queue
+# creation. The printers which are not successfuly set up even after
+# N retries, are skipped until the next restart of the service. Note
+# that too many retries can cause high CPU load.
+
+# HttpMaxRetries 5
+
+# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
+# local queues for remote printers for which CUPS creates queues by
+# itself. These printers are printers advertised via DNS-SD and doing
+# CUPS-supported (currently PWG Raster and Apple Raster) driverless
+# printing, including remote CUPS queues. Queues for other printers
+# (like for legacy PostScript/PCL printers) are always created
+# (depending on the other configuration settings of cups-browsed).
+
+# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
+# for all printers which it supports, including printers for which
+# CUPS would create queues by itself. Temporary queues created by CUPS
+# will get overwritten.
This way it is assured that any extra
+# functionality of cups-browsed will apply to these queues. As queues
+# created by cups-browsed are permanent CUPS queues this setting is
+# also recommended if applications/print dialogs which do not support
+# temporary CUPS queues are installed. This setting is the default.
+
+# OnlyUnsupportedByCUPS Yes
+
+
+# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
+# for IPP printers with PPDs generated by the PPD generator of CUPS
+# and not with the one of cups-browsed. So any new development in
+# CUPS' PPD generator gets available. As CUPS' PPD generator is not
+# directly accessible, we need to make CUPS generate a temporary print
+# queue with the desired PPD. Therefore we can only use these PPDs
+# when our queue replaces a temporary CUPS queue, meaning that the
+# queue is for a printer on which CUPS supports driverless printing
+# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
+# name is the same as CUPS uses for the temporary queue
+# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
+# applies only to IPP printers, not to remote CUPS queues, to not
+# break clustering. Setting this directive to "No" lets cups-browsed
+# generate the PPD file. Default setting is "No".
+
+# UseCUPSGeneratedPPDs No
+
+
+# With the directives LocalQueueNamingRemoteCUPS and
+# LocalQueueNamingIPPPrinter you can determine how the names for local
+# queues generated by cups-browsed are generated, separately for
+# remote CUPS printers and IPP printers.
+
+# DNS-SD (the default in both cases) bases the naming on the service
+# name of the printer's advertised DNS-SD record. This is exactly the
+# same naming scheme as CUPS uses for its temporary queues, so the
+# local queue from cups-browsed prevents CUPS from listing and
+# creating an additional queue.
As DNS-SD service names have to be
+# unique, queue names of printers from different servers will also be
+# unique and so there is no automatic clustering for load-balanced
+# printing.
+
+# MakeModel bases the queue name on the printer's manufacturer and
+# model names. This scheme cups-browsed used formerly for IPP
+# printers.
+
+# RemoteName is only available for remote CUPS queues and uses the
+# name of the queue on the remote CUPS server as the local queue's
+# name. This makes printers on different CUPS servers with equal queue
+# names automatically forming a load-balancing cluster as CUPS did
+# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
+# printers. This scheme cups-browsed used formerly for remote CUPS
+# printers.
+
+# LocalQueueNamingRemoteCUPS DNS-SD
+# LocalQueueNamingRemoteCUPS MakeModel
+# LocalQueueNamingRemoteCUPS RemoteName
+# LocalQueueNamingIPPPrinter DNS-SD
+# LocalQueueNamingIPPPrinter MakeModel
+
+
+# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
+# DNS-SD-service-name-based device URIs for its local queues, as CUPS
+# also does. These queues use the DNS-SD service name of the
+# discovered printer. With this the URI is independent of network
+# interfaces and ports, giving reliable connections to always the same
+# physical device. This setting is the default.
+
+# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
+# conventional host-name/IP-based URIs.
+
+# Note that this option has only influence on URIs for printers
+# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
+# Those printers get always assigned the conventional URIs.
+
+# DNSSDBasedDeviceURIs Yes
+
+
+# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
+# local queues with device URIs with the IP addresses instead of the
+# host names of the remote servers.
This mode is there for any
+# problems with host name resolution in the network, especially also
+# if avahi-daemon is only run for printer discovery and already
+# stopped while still printing. By default this mode is turned off,
+# meaning that we use URIs with host names.
+
+# Note that the IP addresses depend on the network interface through
+# which the printer is accessed. So do not use IP-based URIs on systems
+# with many network interfaces and where interfaces can appear and
+# disappear frequently.
+
+# This mode could also be useful for development and debugging.
+
+# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
+# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
+# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
+
+# IPBasedDeviceURIs No
+# IPBasedDeviceURIs Yes
+# IPBasedDeviceURIs IPv4
+# IPBasedDeviceURIs IPv6
+
+# The AllowResharingRemoteCUPSPrinters directive determines whether a
+# print queue pointing to a remote CUPS queue will be re-shared to the
+# local network or not. Since the queues generated using the BrowsePoll
+# directive are also pointing to remote queues, they are also shared
+# automatically if the following option is set. Default is not to share
+# remote printers.
+
+# AllowResharingRemoteCUPSPrinters Yes
+
+# The NewBrowsePollQueuesShared directive determines whether a print
+# queue for a newly discovered printer (discovered by the BrowsePoll directive)
+# will be shared to the local network or not. This directive will only work
+# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
+# not to share printers discovered using BrowsePoll.
+
+# NewBrowsePollQueuesShared Yes
+
+# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
+# create local queues pointing to remote raw CUPS queues.
Normally,
+# only queues pointing to remote queues with PPD/driver are created
+# as we do not use drivers on the client side, but in some cases
+# accessing a remote raw queue can make sense, for example if the
+# queue forwards the jobs by a special backend like Tea4CUPS.
+
+# CreateRemoteRawPrinterQueues Yes
+
+
+# cups-browsed by default creates local print queues for each shared
+# CUPS print queue which it discovers on remote machines in the local
+# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
+# want cups-browsed to do this. For example you can set cups-browsed
+# to only create queues for IPP network printers setting
+# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
+# to "No".
+
+# CreateRemoteCUPSPrinterQueues No
+
+
+# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
+# network printers (native printers, not CUPS queues) with known page
+# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
+# 5c/e) in the local network and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
+# discover IPP Everywhere printers in the local network (native
+# printers, not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
+# discover Apple Raster printers in the local network (native
+# printers, not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
+# discover printers designed for driverless use (currently IPP
+# Everywhere and Apple Raster) in the local network (native printers,
+# not CUPS queues) and auto-create print queues for them.
+
+# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
+# queues only for local printers made available as IPP printers. These
+# are for example IPP-over-USB printers, made available via
+# ippusbxd. This is the default.
+ +# Set CreateIPPPrinterQueues to "No" to not auto-create print queues +# for IPP network printers. + +# If queues with PPD file are created (see IPPPrinterQueueType +# directive below) the PPDs are auto-generated by cups-browsed based +# on properties of the printer polled via IPP. In case of missing +# information, info from the Bonjour record is used asd as last mean +# default values. + +# If queues without PPD (see IPPPrinterQueueType directive below) are +# created clients have to IPP-poll the capabilities of the printer and +# send option settings as standard IPP attributes. Then we do not poll +# the capabilities by ourselves to not wake up the printer from +# power-saving mode when creating the queues. Jobs have to be sent in +# one of PDF, PWG Raster, or JPEG format. Other formats are not +# accepted. + +# This functionality is primarily for mobile devices running +# CUPS to not need a printer setup tool nor a collection of printer +# drivers and PPDs. + +# CreateIPPPrinterQueues No +# CreateIPPPrinterQueues LocalOnly +# CreateIPPPrinterQueues Everywhere +# CreateIPPPrinterQueues AppleRaster +# CreateIPPPrinterQueues Everywhere AppleRaster +# CreateIPPPrinterQueues Driverless +# CreateIPPPrinterQueues All + + +# If cups-browsed is automatically creating print queues for native +# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of +# queue to be created can be selected by the "IPPPrinterQueueType" +# directive. The "PPD" (default) setting makes queues with PPD file +# being created. With "Interface" or "NoPPD" the queue is created with +# a System V interface script (Not supported with CUPS 2.2.x or +# later). "Auto" is for backward compatibility and also lets queues +# with PPD get created. 
+ +# IPPPrinterQueueType PPD +# IPPPrinterQueueType NoPPD +# IPPPrinterQueueType Interface +# IPPPrinterQueueType Auto + + +# The NewIPPPrinterQueuesShared directive determines whether a print +# queue for a newly discovered IPP network printer (not remote CUPS +# queue) will be shared to the local network or not. This is only +# valid for newly discovered printers. For printers discovered in an +# earlier cups-browsed session, cups-browsed will remember whether the +# printer was shared, so changes by the user get conserved. Default is +# not to share newly discovered IPP printers. + +# NewIPPPrinterQueuesShared Yes + + +# If there is more than one remote CUPS printer whose local queue +# would get the same name and AutoClustering is set to "Yes" (the +# default) only one local queue is created which makes up a +# load-balancing cluster of the remote printers which would get this +# queue name (implicit class). This means that when several jobs are +# sent to this queue they get distributed between the printers, using +# the method chosen by the LoadBalancing directive. + +# Note that the forming of clusters depends on the naming scheme for +# local queues created by cups-browsed. If you have set +# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic +# clustering as the DNS-SD service names are always unique. With +# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are +# named as the CUPS queues on the remote servers are named and so +# equally named queues on different servers get clustered (this is how +# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS +# set to "MakeModel" makes remote printers of the same model get +# clustered. Note that then a cluster can contain more than one queue +# of the same server. 
+ +# With AutoClustering set to "No", for each remote CUPS printer an +# individual local queue is created, and to avoid name clashes when +# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or +# "MakeModel" "@" is added to the local queue name. + +# Only remote CUPS printers get clustered, not IPP network printers or +# IPP-over-USB printers. + +# AutoClustering Yes +# AutoClustering No + + +# Load-balancing printer cluster formation can also be manually +# controlled by defining explicitly which remote CUPS printers should +# get clustered together. + +# This is done by the "Cluster" directive: + +# Cluster : ... +# Cluster + +# If no expressions are given, is used as the first and +# only expression for this cluster. + +# Discovered printers are matched against all the expressions of all +# defined clusters. The first expression which matches the discovered +# printer determines to which cluster it belongs. Note that this way a +# printer can only belong to one cluster. Once matched, further +# cluster definitions will not checked any more. + +# With the first printer matching a cluster's expression a local queue +# with the name is created. If more printers are +# discovered and match this cluster, they join the cluster. Printing +# to this queue prints to all these printers in a load-balancing +# manner, according to to the setting of the LoadBalancing directive. + +# Each expression must be a string of characters without spaces. If +# spaces are needed, replace them by underscores ('_'). + +# An expression can be matched in three ways: + +# 1. By the name of the CUPS queue on the remote server +# 2. By make and model name of the remote printer +# 3. By the DNS-SD service name of the remote printer + +# Note that the matching is done case-insensitively and any group of +# non-alphanumerical characters is replaced by a single underscore. 
+ +# So if an expression is "HP_DeskJet_2540" and the remote server +# reports "hp Deskjet-2540" the printer gets matched to this cluster. + +# If "AutoClustering" is not set to "No" both your manual cluster +# definitions will be followed and automatic clustering of +# equally-named remote queues will be performed. If a printer matches +# in both categories the match to the manually defined cluster has +# priority. Automatic clustering of equally-named remote printers is +# not performed if there is a manually defined cluster with this name +# (at least as the printers do not match this cluster). + +# Examples: + +# To cluster all remote CUPS queues named "laserprinter" in your local +# network but not cluster any other equally-named remote CUPS printers +# use (Local queue will get named "laserprinter"): + +# AutoClustering No +# Cluster laserprinter + +# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a +# local queue named "LJ4050": + +# Cluster LJ4050: HP_LaserJet_4050 + +# As DNS-SD service names are unique in a network you can create a +# cluster from exactly specified printers (spaces replaced by +# underscors): + +# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2 + + +# The LoadBalancing directive switches between two methods of handling +# load balancing between equally-named remote queues which are +# represented by one local print queue making up a cluster of them +# (implicit class). + +# The two methods are: + +# Queuing of jobs on the client (LoadBalancing QueueOnClient): + +# Here we queue up the jobs on the client and regularly check the +# clustered remote print queues. If we find an idle queue, we pass +# on a job to it. + +# This is also the method which CUPS uses for classes. Advantage is a +# more even distribution of the job workload on the servers +# (especially if the printing speed of the servers is very different), +# and if a server fails, there are not several jobs stuck or +# lost. 
Disadvantage is that if one takes the client (laptop, mobile +# phone, ...) out of the local network, printing stops with the jobs +# waiting in the local queue. + +# Queuing of jobs on the servers (LoadBalancing QueueOnServers): + +# Here we check the number of jobs on each of the clustered remote +# printers and send an incoming job immediately to the remote printer +# with the lowest amount of jobs in its queue. This way no jobs queue +# up locally, all jobs which are waiting are waiting on one of the +# remote servers. + +# Not having jobs waiting locally has the advantage that we can take +# the local machine from the network and all jobs get printed. +# Disadvantage is that if a server with a full queue of jobs goes +# away, the jobs go away, too. + +# Default is queuing the jobs on the client as this is what CUPS does +# with classes. + +# LoadBalancing QueueOnClient +# LoadBalancing QueueOnServers + + +# With the DefaultOptions directive one or more option settings can be +# defined to be applied to every print queue newly created by +# cups-browsed. Each option is supplied as one supplies options with +# the "-o" command line argument to the "lpadmin" command (Run "man +# lpadmin" for more details). More than one option can be supplied +# separating the options by spaces. By default no option settings are +# pre-defined. + +# Note that print queues which cups-browsed already created before +# remember their previous settings and so these settings do not get +# applied. + +# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4 + + +# The AutoShutdown directive specifies whether cups-browsed should +# automatically terminate when it has no local raw queues set up +# pointing to any discovered remote printers or no jobs on such queues +# depending on AutoShutdownOn setting (auto shutdown mode). Setting it +# to "On" activates the auto-shutdown mode, setting it to "Off" +# deactiivates it (the default). 
The special mode "avahi" turns auto +# shutdown off while avahi-daemon is running and on when avahi-daemon +# stops. This allows running cups-browsed on-demand when avahi-daemon +# is run on-demand. + +# AutoShutdown Off +# AutoShutdown On +# AutoShutdown avahi + + +# The AutoShutdownOn directive determines what event cups-browsed +# considers as inactivity in auto shutdown mode. "NoQueues" (the +# default) means that auto shutdown is initiated when there are no +# queues for discovered remote printers generated by cups-browsed any +# more. "NoJobs" means that all queues generated by cups-browsed are +# without jobs. + +# AutoShutdownOn NoQueues +# AutoShutdownOn NoJobs + + +# The AutoShutdownTimeout directive specifies after how many seconds +# without local raw queues set up pointing to any discovered remote +# printers or jobs on these queues cups-browsed should actually shut +# down in auto shutdown mode. Default is 30 seconds, 0 means immediate +# shutdown. + +# AutoShutdownTimeout 30 diff --git a/roles/common/templates/etc/cups/cups-files.conf.j2 b/roles/common/templates/etc/cups/cups-files.conf.j2 new file mode 100644 index 0000000..ec34696 --- /dev/null +++ b/roles/common/templates/etc/cups/cups-files.conf.j2 
@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+
+#
+# File/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors config
+
+# Do we call fsync() after writing configuration or status files?
+#SyncOnClose Yes
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User lp
+#Group lp
+
+# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
+# This cannot contain the Group value for security reasons...
+SystemGroup lpadmin
+
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm 0640
+#LogFilePerm 00640
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog /var/log/cups/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir /var/cache/cups
+
+# Location of data files used by the scheduler...
+#DataDir /usr/share/cups
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot /usr/share/cups/doc-root
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog /var/log/cups/error_log
+
+# Location of fonts used by older print filters...
+#FontPath /usr/share/cups/fonts
+
+# Location of LPD configuration
+#LPDConfigFile
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog /var/log/cups/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap /run/cups/printcap
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot /var/spool/cups
+
+# Location of helper programs...
+#ServerBin /usr/lib/cups
+
+# SSL/TLS keychain for the scheduler...
+#ServerKeychain ssl
+
+# Location of other configuration files...
+#ServerRoot /etc/cups
+
+# Location of Samba configuration file...
+#SMBConfigFile
+
+# Location of scheduler state files...
+#StateDir /run/cups
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir /var/spool/cups/tmp
diff --git a/roles/common/templates/etc/cups/cupsd.conf.client.j2 b/roles/common/templates/etc/cups/cupsd.conf.client.j2
new file mode 100644
index 0000000..62e6e9e
--- /dev/null
+++ b/roles/common/templates/etc/cups/cupsd.conf.client.j2
@@ -0,0 +1,307 @@ +# {{ ansible_managed }} + +# +# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a +# complete description of this file. +# + +# Log general information in error_log - change "warn" to "debug" +# for troubleshooting... +LogLevel warn +PageLogFormat + +# Deactivate CUPS' internal logrotating, as we provide a better one, especially +# LogLevel debug2 gets usable now +MaxLogSize 0 + +# Only listen for connections from the local machine. +#Listen localhost:631 +# Allow remote access +Port 631 +Listen /var/run/cups/cups.sock + +ServerAlias * +HostNameLookups Off + +## - Show shared printers on the local network. +Browsing Off + +# Default authentication type, when authentication is required... +DefaultAuthType Basic + +# Web interface setting... +WebInterface Yes + +# Restrict access to the server... + + # Allow remote administration... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to the admin pages... + + # Allow remote administration... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to configuration files... + + AuthType Default + Require user @SYSTEM + # Allow remote access to the configuration files... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to log files... + + AuthType Default + Require user @SYSTEM + # Allow remote access to the configuration files... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Set the default printer/job policies... + + + # Job/subscription privacy... 
+ JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + +# Set the authenticated printer/job policies... + + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... 
+ + AuthType Default + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + +# Set the kerberized printer/job policies... + + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + + AuthType Negotiate + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + AuthType Negotiate + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... 
+ + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + AuthType Negotiate + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + diff --git a/roles/common/templates/etc/cups/cupsd.conf.server.j2 b/roles/common/templates/etc/cups/cupsd.conf.server.j2 new file mode 100644 index 0000000..fe1f192 --- /dev/null +++ b/roles/common/templates/etc/cups/cupsd.conf.server.j2 
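Review bot: The client template exposes the scheduler to the network: `Port 631` binds every interface while `#Listen localhost:631` stays commented out, and `ServerAlias *` switches off cupsd's Host-header validation, which cupsd.conf(5) describes as the protection against browser-based DNS rebinding. For a machine that only submits jobs, `Listen localhost:631` next to the existing `Listen /var/run/cups/cups.sock`, with `ServerAlias *` removed, looks sufficient; with `WebInterface Yes` and the "Allow remote administration..." blocks, each client is otherwise a remotely reachable admin endpoint. The `Allow` lists also admit all of `192.168.0.0/16` and `10.0.0.0/8`, and `172.16.0.0/16` covers only part of the 172.16.0.0/12 private range if that was the intent; a template variable holding the site's actual networks would be tighter. cupsd.conf.server.j2 in this commit repeats `ServerAlias *` and the same `Allow` lists. The section tags of this file are not visible in this rendering, so blocks are named here by their comments.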
@@ -0,0 +1,307 @@ +# {{ ansible_managed }} + +# +# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a +# complete description of this file. +# + +# Log general information in error_log - change "warn" to "debug" +# for troubleshooting... +LogLevel warn +PageLogFormat + +# Deactivate CUPS' internal logrotating, as we provide a better one, especially +# LogLevel debug2 gets usable now +MaxLogSize 0 + +# Only listen for connections from the local machine. +#Listen localhost:631 +# Allow remote access +Port 631 +Listen /var/run/cups/cups.sock + +ServerAlias * +HostNameLookups Off + +# - Show shared printers on the local network. +Browsing On + +# Default authentication type, when authentication is required... +DefaultAuthType Basic + +# Web interface setting... +WebInterface Yes + +# Restrict access to the server... + + # Allow remote administration... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to the admin pages... + + # Allow remote administration... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to configuration files... + + AuthType Default + Require user @SYSTEM + # Allow remote access to the configuration files... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Restrict access to log files... + + AuthType Default + Require user @SYSTEM + # Allow remote access to the configuration files... + Order allow,deny + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + +# Set the default printer/job policies... + + + # Job/subscription privacy... 
+ JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + +# Set the authenticated printer/job policies... + + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... 
+ + AuthType Default + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + +# Set the kerberized printer/job policies... + + # Job/subscription privacy... + JobPrivateAccess default + JobPrivateValues default + SubscriptionPrivateAccess default + SubscriptionPrivateValues default + + # Job-related operations must be done by the owner or an administrator... + + AuthType Negotiate + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + AuthType Negotiate + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All administration operations require an administrator to authenticate... 
+ + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + # Only the owner or an administrator can cancel or authenticate a job... + + AuthType Negotiate + Require user @OWNER @SYSTEM + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + + + Order deny,allow + Allow @LOCAL + Allow 127.0.0.0/8 + Allow 192.168.0.0/16 + Allow 172.16.0.0/16 + Allow 10.0.0.0/8 + + diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2 new file mode 100644 index 0000000..87ff1b1 --- /dev/null +++ b/roles/common/templates/etc/ntp.conf.j2 
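Review bot: From "Set the default printer/job policies..." onward, every block uses `Order deny,allow` followed only by `Allow` lines, and per cupsd.conf(5) that order allows access by default, so the `Allow @LOCAL`, `Allow 192.168.0.0/16` and similar lines in those blocks do not restrict anything. If the operations are meant to be limited to the listed networks, add `Deny all` to each of these blocks or switch them to `Order allow,deny` as the "Restrict access to the server..." block does; if not, drop the `Allow` lines so the file does not imply a restriction that is not enforced. The same blocks appear in cupsd.conf.client.j2. The policy and limit tags are not visible in this rendering, so this should be confirmed against the real template.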
@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
diff --git a/roles/common/templates/root/bin/wakeup_lan.sh.j2 b/roles/common/templates/root/bin/wakeup_lan.sh.j2
new file mode 100755
index 0000000..29f3a33
--- /dev/null
+++ b/roles/common/templates/root/bin/wakeup_lan.sh.j2
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# {{ ansible_managed }}
+
+declare -i pc_nr=1
+pc_nr_max=10
+brcast_ip="192.168.82.255"
+
+ab1="38:60:77:39:9e:9f"
+#ab2="38:60:77:39:9a:a3"
+ab3="00:22:15:aa:88:b9"
+ab4="00:22:4d:b0:f3:d6"
+ab5="80:ee:73:b9:8b:d3 80:ee:73:b9:8b:d4"
+ab6="80:ee:73:c0:80:22"
+ab7="80:ee:73:c5:2e:fb 80:ee:73:c5:2e:fc"
+ab8="80:ee:73:d0:a5:71 80:ee:73:d0:a5:72"
+ab9="80:ee:73:e0:0e:8a 80:ee:73:e0:0e:8b"
+ab10="00:d8:61:c9:c8:3d"
+
+if [ $# = "1" ]; then
+ echo ""
+ echo -e " \033[32mWake up PC '$1'\033[m.."
+ _nic=`eval eval echo '$'$1`
+ if [[ -n "$_nic" ]]; then
+ for _mac in $_nic ; do
+ echo -n " "
+ wakeonlan -i $brcast_ip $_mac
+ sleep 1
+ done
+ else
+ echo -e " \033[1;31mPC '$1' NOT found!\033[m"
+ fi
+ echo ""
+else
+ while [[ $pc_nr -le $pc_nr_max ]]; do
+ [[ -z "$pc_nr" ]] && continue
+ _nic=$(eval eval echo '$ab'$pc_nr)
+ if [[ -n "$_nic" ]]; then
+ echo ""
+ echo -e " \033[32mWake up PC 'ab$pc_nr'\033[m.."
+ for _mac in $_nic ; do
+ echo -n " "
+ /usr/bin/wakeonlan -i $brcast_ip $_mac
+ sleep 1
+ done
+ fi
+ (( pc_nr++ ))
+ done
+ echo ""
+fi
+
+
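Review bot: `server {{ ntp_server }}` leaves ntpd with a single, unauthenticated upstream, so the daemon has no second source to compare against and every managed host follows whatever that one server reports. Clock error feeds into anything time-sensitive, including Kerberos if the `AuthType Negotiate` policy in the CUPS templates of this commit is actually used. Consider letting `ntp_server` be a list rendered as several `server NAME iburst` lines, or keeping one of the commented `pool` lines active as a fallback.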
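Review bot: In the single-argument branch, `eval eval echo '$'$1` sends the command-line argument through two rounds of `eval`, so the value of `$1` is interpreted as shell code instead of being looked up as a host name. The script is installed under /root/bin, so that code would run as root. Validate the name and use indirect expansion instead: `[[ $1 =~ ^ab[0-9]+$ ]] || { echo "unknown PC" >&2; exit 1; }` followed by `_nic=${!1}`; the loop's `eval eval echo '$ab'$pc_nr` can likewise become `_var="ab$pc_nr"; _nic=${!_var}`. The first branch also calls `wakeonlan` through PATH while the loop uses `/usr/bin/wakeonlan`; using the absolute path in both, and quoting `"$brcast_ip"` and `"$_mac"`, would make the two paths consistent.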