# {{ ansible_managed }}

#
# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Only listen for connections from the local machine.
#Listen localhost:631
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock

ServerAlias *
HostNameLookups Off

# - Show shared printers on the local network.
Browsing On

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
<Location />
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
  Allow 127.0.0.0/8
  Allow 192.168.0.0/16
  Allow 172.16.0.0/16
  Allow 10.0.0.0/8
</Location>

# Restrict access to the admin pages...
<Location /admin>
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
  Allow 127.0.0.0/8
  Allow 192.168.0.0/16
  Allow 172.16.0.0/16
  Allow 10.0.0.0/8
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
  Allow 127.0.0.0/8
  Allow 192.168.0.0/16
  Allow 172.16.0.0/16
  Allow 10.0.0.0/8
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
  Allow 127.0.0.0/8
  Allow 192.168.0.0/16
  Allow 172.16.0.0/16
  Allow 10.0.0.0/8
</Location>

# Set the default printer/job policies...
<Policy default>

  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit All>
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit All>
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>
</Policy>

# Set the kerberized printer/job policies...
<Policy kerberos>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Negotiate
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>

  <Limit All>
    Order deny,allow
    Allow @LOCAL
    Allow 127.0.0.0/8
    Allow 192.168.0.0/16
    Allow 172.16.0.0/16
    Allow 10.0.0.0/8
  </Limit>
</Policy>