redisign ..
This commit is contained in:
28
roles/common/templates/etc/apt/sources.list.Debian.j2
Normal file
28
roles/common/templates/etc/apt/sources.list.Debian.j2
Normal file
@ -0,0 +1,28 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
|
||||
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
|
||||
|
||||
deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
|
||||
{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
|
||||
|
||||
# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
|
||||
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
|
||||
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
|
||||
|
||||
# Contrib packages contain DFSG-compliant software,
|
||||
# but have dependencies not in main (possibly packaged for Debian in non-free).
|
||||
# Non-free contains software that does not comply with the DFSG.
|
||||
{% if apt_debian_contrib_nonfree_enable %}
|
||||
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
|
||||
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
|
||||
{% endif %}
|
||||
|
||||
# # N.B. software from this repository may not have been tested as
|
||||
# # extensively as that contained in the main release, although it includes
|
||||
# # newer versions of some applications which may provide useful features.
|
||||
{% if apt_backports_enable %}
|
||||
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
|
||||
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
|
||||
{% endif %}
|
||||
|
||||
746
roles/common/templates/etc/cups/cups-browsed.conf.client.j2
Normal file
746
roles/common/templates/etc/cups/cups-browsed.conf.client.j2
Normal file
@ -0,0 +1,746 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# All configuration options described here can also be supplied on the
|
||||
# command line of cups-browsed via the "-o" option. In case of
|
||||
# contradicting settings the setting defined in the configuration file
|
||||
# will get used.
|
||||
|
||||
# Unknown directives are ignored, also unknown values.
|
||||
|
||||
|
||||
# Where should cups-browsed save information about the print queues it had
|
||||
# generated when shutting down, like whether one of these queues was the
|
||||
# default printer, or default option settings of the queues?
|
||||
|
||||
# CacheDir /var/cache/cups
|
||||
|
||||
|
||||
# Where should cups-browsed create its debug log file (if "DebugLogging file"
|
||||
# is set)?
|
||||
|
||||
# LogDir /var/log/cups
|
||||
|
||||
|
||||
# How should debug logging be done? Into the file
|
||||
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
|
||||
# not at all ('none')?
|
||||
|
||||
# Note that if cups-browsed is running as a system service (for
|
||||
# example via systemd) logging to stderr makes the log output going to
|
||||
# the journal or syslog. Only if you run cups-browsed from the command
|
||||
# line (for development or debugging) it will actually appear on
|
||||
# stderr.
|
||||
|
||||
# DebugLogging file
|
||||
# DebugLogging stderr
|
||||
# DebugLogging file stderr
|
||||
# DebugLogging none
|
||||
|
||||
|
||||
# Which protocols will we use to discover printers on the network?
|
||||
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
|
||||
|
||||
#BrowseRemoteProtocols dnssd cups
|
||||
BrowseRemoteProtocols CUPS
|
||||
|
||||
|
||||
# Which protocols will we use to broadcast shared local printers to the network?
|
||||
# Can use DNSSD and/or CUPS, or 'none' for neither.
|
||||
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
|
||||
# DNSSD in this directive).
|
||||
|
||||
# BrowseLocalProtocols none
|
||||
|
||||
|
||||
# Settings of this directive apply to both BrowseRemoteProtocols and
|
||||
# BrowseLocalProtocols.
|
||||
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
|
||||
|
||||
# BrowseProtocols none
|
||||
|
||||
|
||||
# Only browse remote printers (via DNS-SD or CUPS browsing) from
|
||||
# selected servers using the "BrowseAllow", "BrowseDeny", and
|
||||
# "BrowseOrder" directives
|
||||
|
||||
# This serves for restricting the choice of printers in print dialogs
|
||||
# to trusted servers or to reduce the number of listed printers in the
|
||||
# print dialogs to a more user-friendly amount in large networks with
|
||||
# very many shared printers.
|
||||
|
||||
# This only filters the selection of remote printers for which
|
||||
# cups-browsed creates local queues. If the print dialog uses other
|
||||
# mechanisms to list remote printers as for example direct DNS-SD
|
||||
# access, cups-browsed has no influence. cups-browsed also does not
|
||||
# prevent the user from manually accessing non-listed printers.
|
||||
|
||||
# "BrowseAllow": Accept printers from these hosts or networks. If
|
||||
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
|
||||
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
|
||||
# line are accepted.
|
||||
|
||||
# "BrowseDeny": Deny printers from these hosts or networks. If there
|
||||
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
|
||||
# "BrowseAllow" lines, all servers NOT matching any of the
|
||||
# "BrowseDeny" lines are accepted.
|
||||
|
||||
# "BrowseOrder": Determine the order in which "BrowseAllow" and
|
||||
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
|
||||
# beginning all servers are accepted, then the "BrowseDeny" lines are
|
||||
# applied to exclude unwished servers or networks and after that the
|
||||
# "BrowseAllow" lines to re-include servers or networks. With
|
||||
# "BrowseOrder Allow,Deny" we start with denying all servers, then
|
||||
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
|
||||
# lines.
|
||||
|
||||
# Default for "BrowseOrder" is "Deny.Allow" if there are both
|
||||
# "BrowseAllow" and "BrowseDeny" lines.
|
||||
|
||||
# If there are no "Browse..." lines at all, all servers are accepted.
|
||||
|
||||
# BrowseAllow All
|
||||
# BrowseAllow cups.example.com
|
||||
# BrowseAllow 192.168.1.12
|
||||
# BrowseAllow 192.168.1.0/24
|
||||
# BrowseAllow 192.168.1.0/255.255.255.0
|
||||
|
||||
# BrowseDeny All
|
||||
# BrowseDeny printserver.example.com
|
||||
# BrowseDeny 192.168.1.13
|
||||
# BrowseDeny 192.168.3.0/24
|
||||
# BrowseDeny 192.168.3.0/255.255.255.0
|
||||
|
||||
# BrowseOrder Deny,Allow
|
||||
# BrowseOrder Allow,Deny
|
||||
|
||||
|
||||
# The interval between browsing/broadcasting cycles, local and/or
|
||||
# remote, can be adjusted with the BrowseInterval directive.
|
||||
|
||||
# BrowseInterval 60
|
||||
|
||||
|
||||
# Browsing-related operations such as adding or removing printer queues
|
||||
# and broadcasting are each allowed to take up to a given amount of time.
|
||||
# It can be configured, in seconds, with the BrowseTimeout directive.
|
||||
# Especially queues discovered by CUPS broadcasts will be removed after
|
||||
# this timeout if no further broadcast from the server happens.
|
||||
|
||||
# BrowseTimeout 300
|
||||
|
||||
# Filtering of remote printers by other properties than IP addresses
|
||||
# of their servers
|
||||
|
||||
# Often the desired selection of printers cannot be reached by only
|
||||
# taking into account the IP addresses of the servers. For these cases
|
||||
# there is the BrowseFilter directive to filter by most of the known
|
||||
# properties of the printer.
|
||||
|
||||
# By default there is no BrowseFilter line meaning that no filtering
|
||||
# is applied.
|
||||
|
||||
# To do filtering one can supply one or more BrowseFilter directives
|
||||
# like this:
|
||||
|
||||
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
|
||||
|
||||
# The BrowseFilter directive always starts with the word
|
||||
# "BrowseFilter" and it must at least contain the name of the data
|
||||
# field (<FIELD>) of the printer's properties to which it should
|
||||
# apply.
|
||||
|
||||
# Available field names are:
|
||||
|
||||
# name: Name of the local print queue to be created
|
||||
# host: Host name of the remote print server
|
||||
# port: Port through which the printer is accessed on the server
|
||||
# service: DNS/SD service name of the remote printer
|
||||
# domain: Domain of the remote print server
|
||||
|
||||
# Also all field names in the TXT records of DNS-SD-advertised printers
|
||||
# are valid, like "color", "duplex", "pdl", ... If the field name of
|
||||
# the filter rule does not exist for the printer, the rule is skipped.
|
||||
|
||||
# The optional <VALUE> field is either the exact value (when the
|
||||
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
|
||||
# in a terminal window) to be matched with the data field.
|
||||
|
||||
# If no <VALUE> filed is supplied, rules with field names of the TXT
|
||||
# record are considered for boolean matching (true/false) of boolean
|
||||
# field (like duplex, which can have the values "T" for true and "F"
|
||||
# for false).
|
||||
|
||||
# If the option NOT is supplied, the filter rule is fulfilled if the
|
||||
# regular expression or the exact value DOES NOT match the content of
|
||||
# the data field. In a boolean rule (without <VALUE>) the rule matches
|
||||
# false.
|
||||
|
||||
# Regular expressions are always considered case-insensitive and
|
||||
# extended POSIX regular expressions. Field names and options (NOT,
|
||||
# EXACT) are all evaluated case-insensitive. If there is an error in a
|
||||
# regular expression, the BrowseFilter line gets ignored.
|
||||
|
||||
# Especially to note is that supplying any simple string consisting of
|
||||
# only letters, numbers, spaces, and some basic special characters as
|
||||
# a regular expression matches if it is contained somewhere in the
|
||||
# data field.
|
||||
|
||||
# If there is more than one BrowseFilter directive, ALL the directives
|
||||
# need to be fulfilled for the remote printer to be accepted. If one
|
||||
# is not fulfilled, the printer will get ignored.
|
||||
|
||||
# Examples:
|
||||
|
||||
# Rules for standard data items which are supplied with any remote
|
||||
# printer advertised via DNS-SD:
|
||||
|
||||
# Print queue name must contain "hum_res_", this matches
|
||||
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
|
||||
|
||||
# BrowseFilter name hum_res_
|
||||
|
||||
# This matches if the remote host name contains "printserver", like
|
||||
# "printserver.local", "printserver2.example.com", "newprintserver":
|
||||
|
||||
# BrowseFilter host printserver
|
||||
|
||||
# This matches all ports with 631 int its number, for example 631,
|
||||
# 8631, 10631,...:
|
||||
|
||||
# BrowseFilter port 631
|
||||
|
||||
# This rule matches if the DNS-SD service name contains "@ printserver":
|
||||
|
||||
# Browsefilter service @ printserver
|
||||
|
||||
# Matches all domains with "local" in their names, not only "local" but
|
||||
# also things like "printlocally.com":
|
||||
|
||||
# BrowseFilter domain local
|
||||
|
||||
# Examples for rules applying to items of the TXT record:
|
||||
|
||||
# This rule selects PostScript printers, as the "PDL" field in the TXT
|
||||
# record contains "postscript" then. This includes also remote CUPS
|
||||
# queues which accept PostScript, independent of whether the physical
|
||||
# printer behind the CUPS queue accepts PostScript or not.
|
||||
|
||||
# BrowseFilter pdl postscript
|
||||
|
||||
# Color printers usually contain a "Color" entry set to "T" (for true)
|
||||
# in the TXT record. This rule selects them:
|
||||
|
||||
# BrowseFilter color
|
||||
|
||||
# This is a similar rule to select only duplex (automatic double-sided
|
||||
# printing) printers:
|
||||
|
||||
# BrowseFilter duplex
|
||||
|
||||
# Rules with the NOT option:
|
||||
|
||||
# This rule EXCLUDES printers from all hosts containing "financial" in
|
||||
# their names, nice to get rid of the 100s of printers of the
|
||||
# financial department:
|
||||
|
||||
# BrowseFilter NOT host financial
|
||||
|
||||
# Get only monochrome printers ("Color" set to "F", meaning false, in
|
||||
# the TXT record):
|
||||
|
||||
# BrowseFilter NOT color
|
||||
|
||||
# Rules with more advanced use of regular expressions:
|
||||
|
||||
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
|
||||
# still get "hum_res_mono" or "hum_res_color" but not
|
||||
# "old_hum_res_mono" any more:
|
||||
|
||||
# BrowseFilter name ^hum_res_
|
||||
|
||||
# Server names is accepted if it contains "print_server" OR
|
||||
# "graphics_dep_server":
|
||||
|
||||
# BrowseFilter host print_server|graphics_dep_server
|
||||
|
||||
# "printserver1", "printserver2", and "printserver3", nothing else:
|
||||
|
||||
# BrowseFilter host ^printserver[1-3]$
|
||||
|
||||
# Printers understanding at least one of PostScript, PCL, or PDF:
|
||||
|
||||
# BrowseFilter pdl postscript|pcl|pdf
|
||||
|
||||
# Examples for the EXACT option:
|
||||
|
||||
# Only printers from "printserver.local" are accepted:
|
||||
|
||||
# BrowseFilter EXACT host printserver.local
|
||||
|
||||
# Printers from all servers except "prinserver2.local" are accepted:
|
||||
|
||||
# BrowseFilter NOT EXACT host prinserver2.local
|
||||
|
||||
|
||||
# Use BrowsePoll to poll a particular CUPS server
|
||||
|
||||
# BrowsePoll cups.example.com
|
||||
# BrowsePoll cups.example.com:631
|
||||
# BrowsePoll cups.example.com:631/version=1.1
|
||||
|
||||
|
||||
# LDAP browsing configuration
|
||||
# The default value for all options is an empty string. Example configuration:
|
||||
|
||||
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
|
||||
# BrowseLDAPCACertFile /path/to/server/certificate.pem
|
||||
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
|
||||
# BrowseLDAPFilter (printerLocation=/Office 1/*)
|
||||
# BrowseLDAPPassword s3cret
|
||||
# BrowseLDAPServer ldaps://ldap.domain.tld
|
||||
|
||||
|
||||
# Use DomainSocket to access the local CUPS daemon via another than the
|
||||
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
|
||||
# domain socket.
|
||||
|
||||
# DomainSocket /var/run/cups/cups.sock
|
||||
# DomainSocket None
|
||||
# DomainSocket Off
|
||||
|
||||
|
||||
# Set HTTP timeout (in seconds) for requests sent to local/remote
|
||||
# resources Note that too short timeouts can make services getting
|
||||
# missed when they are present and operations be unneccessarily
|
||||
# repeated and too long timeouts can make operations take too long
|
||||
# when the server does not respond.
|
||||
|
||||
# HttpLocalTimeout 5
|
||||
# HttpRemoteTimeout 10
|
||||
|
||||
# Set how many retries (N) should cups-browsed do for creating print
|
||||
# queues for remote printers which receive timeouts during print queue
|
||||
# creation. The printers which are not successfuly set up even after
|
||||
# N retries, are skipped until the next restart of the service. Note
|
||||
# that too many retries can cause high CPU load.
|
||||
|
||||
# HttpMaxRetries 5
|
||||
|
||||
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
|
||||
# local queues for remote printers for which CUPS creates queues by
|
||||
# itself. These printers are printers advertised via DNS-SD and doing
|
||||
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
|
||||
# printing, including remote CUPS queues. Queues for other printers
|
||||
# (like for legacy PostScript/PCL printers) are always created
|
||||
# (depending on the other configuration settings of cups-browsed).
|
||||
|
||||
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
|
||||
# for all printers which it supports, including printers for which
|
||||
# CUPS would create queues by itself. Temporary queues created by CUPS
|
||||
# will get overwritten. This way it is assured that any extra
|
||||
# functionality of cups-browsed will apply to these queues. As queues
|
||||
# created by cups-browsed are permanent CUPS queues this setting is
|
||||
# also recommended if applications/print dialogs which do not support
|
||||
# temporary CUPS queues are installed. This setting is the default.
|
||||
|
||||
# OnlyUnsupportedByCUPS Yes
|
||||
|
||||
|
||||
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
|
||||
# for IPP printers with PPDs generated by the PPD generator of CUPS
|
||||
# and not with the one of cups-browsed. So any new development in
|
||||
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
|
||||
# directly accessible, we need to make CUPS generate a temporary print
|
||||
# queue with the desired PPD. Therefore we can only use these PPDs
|
||||
# when our queue replaces a temporary CUPS queue, meaning that the
|
||||
# queue is for a printer on which CUPS supports driverless printing
|
||||
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
|
||||
# name is the same as CUPS uses for the temporary queue
|
||||
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
|
||||
# applies only to IPP printers, not to remote CUPS queues, to not
|
||||
# break clustering. Setting this directive to "No" lets cups-browsed
|
||||
# generate the PPD file. Default setting is "No".
|
||||
|
||||
# UseCUPSGeneratedPPDs No
|
||||
|
||||
|
||||
# With the directives LocalQueueNamingRemoteCUPS and
|
||||
# LocalQueueNamingIPPPrinter you can determine how the names for local
|
||||
# queues generated by cups-browsed are generated, separately for
|
||||
# remote CUPS printers and IPP printers.
|
||||
|
||||
# DNS-SD (the default in both cases) bases the naming on the service
|
||||
# name of the printer's advertised DNS-SD record. This is exactly the
|
||||
# same naming scheme as CUPS uses for its temporary queues, so the
|
||||
# local queue from cups-browsed prevents CUPS from listing and
|
||||
# creating an additional queue. As DNS-SD service names have to be
|
||||
# unique, queue names of printers from different servers will also be
|
||||
# unique and so there is no automatic clustering for load-balanced
|
||||
# printing.
|
||||
|
||||
# MakeModel bases the queue name on the printer's manufacturer and
|
||||
# model names. This scheme cups-browsed used formerly for IPP
|
||||
# printers.
|
||||
|
||||
# RemoteName is only available for remote CUPS queues and uses the
|
||||
# name of the queue on the remote CUPS server as the local queue's
|
||||
# name. This makes printers on different CUPS servers with equal queue
|
||||
# names automatically forming a load-balancing cluster as CUPS did
|
||||
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
|
||||
# printers. This scheme cups-browsed used formerly for remote CUPS
|
||||
# printers.
|
||||
|
||||
# LocalQueueNamingRemoteCUPS DNS-SD
|
||||
# LocalQueueNamingRemoteCUPS MakeModel
|
||||
# LocalQueueNamingRemoteCUPS RemoteName
|
||||
# LocalQueueNamingIPPPrinter DNS-SD
|
||||
# LocalQueueNamingIPPPrinter MakeModel
|
||||
|
||||
|
||||
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
|
||||
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
|
||||
# also does. These queues use the DNS-SD service name of the
|
||||
# discovered printer. With this the URI is independent of network
|
||||
# interfaces and ports, giving reliable connections to always the same
|
||||
# physical device. This setting is the default.
|
||||
|
||||
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
|
||||
# conventional host-name/IP-based URIs.
|
||||
|
||||
# Note that this option has only influence on URIs for printers
|
||||
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
|
||||
# Those printers get always assigned the conventional URIs.
|
||||
|
||||
# DNSSDBasedDeviceURIs Yes
|
||||
|
||||
|
||||
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
|
||||
# local queues with device URIs with the IP addresses instead of the
|
||||
# host names of the remote servers. This mode is there for any
|
||||
# problems with host name resolution in the network, especially also
|
||||
# if avahi-daemon is only run for printer discovery and already
|
||||
# stopped while still printing. By default this mode is turned off,
|
||||
# meaning that we use URIs with host names.
|
||||
|
||||
# Note that the IP addresses depend on the network interface through
|
||||
# which the printer is accessed. So do not use IP-based URIs on systems
|
||||
# with many network interfaces and where interfaces can appear and
|
||||
# disappear frequently.
|
||||
|
||||
# This mode could also be useful for development and debugging.
|
||||
|
||||
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
|
||||
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
|
||||
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
|
||||
|
||||
# IPBasedDeviceURIs No
|
||||
# IPBasedDeviceURIs Yes
|
||||
# IPBasedDeviceURIs IPv4
|
||||
# IPBasedDeviceURIs IPv6
|
||||
|
||||
# The AllowResharingRemoteCUPSPrinters directive determines whether a
|
||||
# print queue pointing to a remote CUPS queue will be re-shared to the
|
||||
# local network or not. Since the queues generated using the BrowsePoll
|
||||
# directive are also pointing to remote queues, they are also shared
|
||||
# automatically if the following option is set. Default is not to share
|
||||
# remote printers.
|
||||
|
||||
# AllowResharingRemoteCUPSPrinters Yes
|
||||
|
||||
# The NewBrowsePollQueuesShared directive determines whether a print
|
||||
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
|
||||
# will be shared to the local network or not. This directive will only work
|
||||
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
|
||||
# not to share printers discovered using BrowsePoll.
|
||||
|
||||
# NewBrowsePollQueuesShared Yes
|
||||
|
||||
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
|
||||
# create local queues pointing to remote raw CUPS queues. Normally,
|
||||
# only queues pointing to remote queues with PPD/driver are created
|
||||
# as we do not use drivers on the client side, but in some cases
|
||||
# accessing a remote raw queue can make sense, for example if the
|
||||
# queue forwards the jobs by a special backend like Tea4CUPS.
|
||||
|
||||
# CreateRemoteRawPrinterQueues Yes
|
||||
|
||||
|
||||
# cups-browsed by default creates local print queues for each shared
|
||||
# CUPS print queue which it discovers on remote machines in the local
|
||||
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
|
||||
# want cups-browsed to do this. For example you can set cups-browsed
|
||||
# to only create queues for IPP network printers setting
|
||||
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
|
||||
# to "No".
|
||||
|
||||
# CreateRemoteCUPSPrinterQueues No
|
||||
|
||||
|
||||
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
|
||||
# network printers (native printers, not CUPS queues) with known page
|
||||
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
|
||||
# 5c/e) in the local network and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
|
||||
# discover IPP Everywhere printers in the local network (native
|
||||
# printers, not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
|
||||
# discover Apple Raster printers in the local network (native
|
||||
# printers, not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
|
||||
# discover printers designed for driverless use (currently IPP
|
||||
# Everywhere and Apple Raster) in the local network (native printers,
|
||||
# not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
|
||||
# queues only for local printers made available as IPP printers. These
|
||||
# are for example IPP-over-USB printers, made available via
|
||||
# ippusbxd. This is the default.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
|
||||
# for IPP network printers.
|
||||
|
||||
# If queues with PPD file are created (see IPPPrinterQueueType
|
||||
# directive below) the PPDs are auto-generated by cups-browsed based
|
||||
# on properties of the printer polled via IPP. In case of missing
|
||||
# information, info from the Bonjour record is used asd as last mean
|
||||
# default values.
|
||||
|
||||
# If queues without PPD (see IPPPrinterQueueType directive below) are
|
||||
# created clients have to IPP-poll the capabilities of the printer and
|
||||
# send option settings as standard IPP attributes. Then we do not poll
|
||||
# the capabilities by ourselves to not wake up the printer from
|
||||
# power-saving mode when creating the queues. Jobs have to be sent in
|
||||
# one of PDF, PWG Raster, or JPEG format. Other formats are not
|
||||
# accepted.
|
||||
|
||||
# This functionality is primarily for mobile devices running
|
||||
# CUPS to not need a printer setup tool nor a collection of printer
|
||||
# drivers and PPDs.
|
||||
|
||||
# CreateIPPPrinterQueues No
|
||||
# CreateIPPPrinterQueues LocalOnly
|
||||
# CreateIPPPrinterQueues Everywhere
|
||||
# CreateIPPPrinterQueues AppleRaster
|
||||
# CreateIPPPrinterQueues Everywhere AppleRaster
|
||||
# CreateIPPPrinterQueues Driverless
|
||||
# CreateIPPPrinterQueues All
|
||||
|
||||
|
||||
# If cups-browsed is automatically creating print queues for native
|
||||
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
|
||||
# queue to be created can be selected by the "IPPPrinterQueueType"
|
||||
# directive. The "PPD" (default) setting makes queues with PPD file
|
||||
# being created. With "Interface" or "NoPPD" the queue is created with
|
||||
# a System V interface script (Not supported with CUPS 2.2.x or
|
||||
# later). "Auto" is for backward compatibility and also lets queues
|
||||
# with PPD get created.
|
||||
|
||||
# IPPPrinterQueueType PPD
|
||||
# IPPPrinterQueueType NoPPD
|
||||
# IPPPrinterQueueType Interface
|
||||
# IPPPrinterQueueType Auto
|
||||
|
||||
|
||||
# The NewIPPPrinterQueuesShared directive determines whether a print
|
||||
# queue for a newly discovered IPP network printer (not remote CUPS
|
||||
# queue) will be shared to the local network or not. This is only
|
||||
# valid for newly discovered printers. For printers discovered in an
|
||||
# earlier cups-browsed session, cups-browsed will remember whether the
|
||||
# printer was shared, so changes by the user get conserved. Default is
|
||||
# not to share newly discovered IPP printers.
|
||||
|
||||
# NewIPPPrinterQueuesShared Yes
|
||||
|
||||
|
||||
# If there is more than one remote CUPS printer whose local queue
|
||||
# would get the same name and AutoClustering is set to "Yes" (the
|
||||
# default) only one local queue is created which makes up a
|
||||
# load-balancing cluster of the remote printers which would get this
|
||||
# queue name (implicit class). This means that when several jobs are
|
||||
# sent to this queue they get distributed between the printers, using
|
||||
# the method chosen by the LoadBalancing directive.
|
||||
|
||||
# Note that the forming of clusters depends on the naming scheme for
|
||||
# local queues created by cups-browsed. If you have set
|
||||
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
|
||||
# clustering as the DNS-SD service names are always unique. With
|
||||
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
|
||||
# named as the CUPS queues on the remote servers are named and so
|
||||
# equally named queues on different servers get clustered (this is how
|
||||
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
|
||||
# set to "MakeModel" makes remote printers of the same model get
|
||||
# clustered. Note that then a cluster can contain more than one queue
|
||||
# of the same server.
|
||||
|
||||
# With AutoClustering set to "No", for each remote CUPS printer an
|
||||
# individual local queue is created, and to avoid name clashes when
|
||||
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
|
||||
# "MakeModel" "@<server name>" is added to the local queue name.
|
||||
|
||||
# Only remote CUPS printers get clustered, not IPP network printers or
|
||||
# IPP-over-USB printers.
|
||||
|
||||
# AutoClustering Yes
|
||||
# AutoClustering No
|
||||
|
||||
|
||||
# Load-balancing printer cluster formation can also be manually
|
||||
# controlled by defining explicitly which remote CUPS printers should
|
||||
# get clustered together.
|
||||
|
||||
# This is done by the "Cluster" directive:
|
||||
|
||||
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
|
||||
# Cluster <QUEUENAME>
|
||||
|
||||
# If no expressions are given, <QUEUENAME> is used as the first and
|
||||
# only expression for this cluster.
|
||||
|
||||
# Discovered printers are matched against all the expressions of all
|
||||
# defined clusters. The first expression which matches the discovered
|
||||
# printer determines to which cluster it belongs. Note that this way a
|
||||
# printer can only belong to one cluster. Once matched, further
|
||||
# cluster definitions will not checked any more.
|
||||
|
||||
# With the first printer matching a cluster's expression a local queue
|
||||
# with the name <QUEUENAME> is created. If more printers are
|
||||
# discovered and match this cluster, they join the cluster. Printing
|
||||
# to this queue prints to all these printers in a load-balancing
|
||||
# manner, according to to the setting of the LoadBalancing directive.
|
||||
|
||||
# Each expression must be a string of characters without spaces. If
|
||||
# spaces are needed, replace them by underscores ('_').
|
||||
|
||||
# An expression can be matched in three ways:
|
||||
|
||||
# 1. By the name of the CUPS queue on the remote server
|
||||
# 2. By make and model name of the remote printer
|
||||
# 3. By the DNS-SD service name of the remote printer
|
||||
|
||||
# Note that the matching is done case-insensitively and any group of
|
||||
# non-alphanumerical characters is replaced by a single underscore.
|
||||
|
||||
# So if an expression is "HP_DeskJet_2540" and the remote server
|
||||
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
|
||||
|
||||
# If "AutoClustering" is not set to "No" both your manual cluster
|
||||
# definitions will be followed and automatic clustering of
|
||||
# equally-named remote queues will be performed. If a printer matches
|
||||
# in both categories the match to the manually defined cluster has
|
||||
# priority. Automatic clustering of equally-named remote printers is
|
||||
# not performed if there is a manually defined cluster with this name
|
||||
# (at least as the printers do not match this cluster).
|
||||
|
||||
# Examples:
|
||||
|
||||
# To cluster all remote CUPS queues named "laserprinter" in your local
|
||||
# network but not cluster any other equally-named remote CUPS printers
|
||||
# use (Local queue will get named "laserprinter"):
|
||||
|
||||
# AutoClustering No
|
||||
# Cluster laserprinter
|
||||
|
||||
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
|
||||
# local queue named "LJ4050":
|
||||
|
||||
# Cluster LJ4050: HP_LaserJet_4050
|
||||
|
||||
# As DNS-SD service names are unique in a network you can create a
|
||||
# cluster from exactly specified printers (spaces replaced by
|
||||
# underscors):
|
||||
|
||||
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
|
||||
|
||||
|
||||
# The LoadBalancing directive switches between two methods of handling
|
||||
# load balancing between equally-named remote queues which are
|
||||
# represented by one local print queue making up a cluster of them
|
||||
# (implicit class).
|
||||
|
||||
# The two methods are:
|
||||
|
||||
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
|
||||
|
||||
# Here we queue up the jobs on the client and regularly check the
|
||||
# clustered remote print queues. If we find an idle queue, we pass
|
||||
# on a job to it.
|
||||
|
||||
# This is also the method which CUPS uses for classes. Advantage is a
|
||||
# more even distribution of the job workload on the servers
|
||||
# (especially if the printing speed of the servers is very different),
|
||||
# and if a server fails, there are not several jobs stuck or
|
||||
# lost. Disadvantage is that if one takes the client (laptop, mobile
|
||||
# phone, ...) out of the local network, printing stops with the jobs
|
||||
# waiting in the local queue.
|
||||
|
||||
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
|
||||
|
||||
# Here we check the number of jobs on each of the clustered remote
|
||||
# printers and send an incoming job immediately to the remote printer
|
||||
# with the lowest amount of jobs in its queue. This way no jobs queue
|
||||
# up locally, all jobs which are waiting are waiting on one of the
|
||||
# remote servers.
|
||||
|
||||
# Not having jobs waiting locally has the advantage that we can take
|
||||
# the local machine from the network and all jobs get printed.
|
||||
# Disadvantage is that if a server with a full queue of jobs goes
|
||||
# away, the jobs go away, too.
|
||||
|
||||
# Default is queuing the jobs on the client as this is what CUPS does
|
||||
# with classes.
|
||||
|
||||
# LoadBalancing QueueOnClient
|
||||
# LoadBalancing QueueOnServers
|
||||
|
||||
|
||||
# With the DefaultOptions directive one or more option settings can be
|
||||
# defined to be applied to every print queue newly created by
|
||||
# cups-browsed. Each option is supplied as one supplies options with
|
||||
# the "-o" command line argument to the "lpadmin" command (Run "man
|
||||
# lpadmin" for more details). More than one option can be supplied
|
||||
# separating the options by spaces. By default no option settings are
|
||||
# pre-defined.
|
||||
|
||||
# Note that print queues which cups-browsed already created before
|
||||
# remember their previous settings and so these settings do not get
|
||||
# applied.
|
||||
|
||||
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
|
||||
|
||||
|
||||
# The AutoShutdown directive specifies whether cups-browsed should
|
||||
# automatically terminate when it has no local raw queues set up
|
||||
# pointing to any discovered remote printers or no jobs on such queues
|
||||
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
|
||||
# to "On" activates the auto-shutdown mode, setting it to "Off"
|
||||
# deactiivates it (the default). The special mode "avahi" turns auto
|
||||
# shutdown off while avahi-daemon is running and on when avahi-daemon
|
||||
# stops. This allows running cups-browsed on-demand when avahi-daemon
|
||||
# is run on-demand.
|
||||
|
||||
# AutoShutdown Off
|
||||
# AutoShutdown On
|
||||
# AutoShutdown avahi
|
||||
|
||||
|
||||
# The AutoShutdownOn directive determines what event cups-browsed
|
||||
# considers as inactivity in auto shutdown mode. "NoQueues" (the
|
||||
# default) means that auto shutdown is initiated when there are no
|
||||
# queues for discovered remote printers generated by cups-browsed any
|
||||
# more. "NoJobs" means that all queues generated by cups-browsed are
|
||||
# without jobs.
|
||||
|
||||
# AutoShutdownOn NoQueues
|
||||
# AutoShutdownOn NoJobs
|
||||
|
||||
|
||||
# The AutoShutdownTimeout directive specifies after how many seconds
|
||||
# without local raw queues set up pointing to any discovered remote
|
||||
# printers or jobs on these queues cups-browsed should actually shut
|
||||
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
|
||||
# shutdown.
|
||||
|
||||
# AutoShutdownTimeout 30
|
||||
747
roles/common/templates/etc/cups/cups-browsed.conf.server.j2
Normal file
747
roles/common/templates/etc/cups/cups-browsed.conf.server.j2
Normal file
@ -0,0 +1,747 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# All configuration options described here can also be supplied on the
|
||||
# command line of cups-browsed via the "-o" option. In case of
|
||||
# contradicting settings the setting defined in the configuration file
|
||||
# will get used.
|
||||
|
||||
# Unknown directives are ignored, also unknown values.
|
||||
|
||||
|
||||
# Where should cups-browsed save information about the print queues it had
|
||||
# generated when shutting down, like whether one of these queues was the
|
||||
# default printer, or default option settings of the queues?
|
||||
|
||||
# CacheDir /var/cache/cups
|
||||
|
||||
|
||||
# Where should cups-browsed create its debug log file (if "DebugLogging file"
|
||||
# is set)?
|
||||
|
||||
# LogDir /var/log/cups
|
||||
|
||||
|
||||
# How should debug logging be done? Into the file
|
||||
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
|
||||
# not at all ('none')?
|
||||
|
||||
# Note that if cups-browsed is running as a system service (for
|
||||
# example via systemd) logging to stderr makes the log output going to
|
||||
# the journal or syslog. Only if you run cups-browsed from the command
|
||||
# line (for development or debugging) it will actually appear on
|
||||
# stderr.
|
||||
|
||||
# DebugLogging file
|
||||
# DebugLogging stderr
|
||||
# DebugLogging file stderr
|
||||
# DebugLogging none
|
||||
|
||||
|
||||
# Which protocols will we use to discover printers on the network?
|
||||
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
|
||||
|
||||
#BrowseRemoteProtocols dnssd cups
|
||||
BrowseRemoteProtocols none
|
||||
|
||||
|
||||
# Which protocols will we use to broadcast shared local printers to the network?
|
||||
# Can use DNSSD and/or CUPS, or 'none' for neither.
|
||||
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
|
||||
# DNSSD in this directive).
|
||||
|
||||
# BrowseLocalProtocols none
|
||||
BrowseLocalProtocols CUPS
|
||||
|
||||
|
||||
# Settings of this directive apply to both BrowseRemoteProtocols and
|
||||
# BrowseLocalProtocols.
|
||||
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
|
||||
|
||||
# BrowseProtocols none
|
||||
|
||||
|
||||
# Only browse remote printers (via DNS-SD or CUPS browsing) from
|
||||
# selected servers using the "BrowseAllow", "BrowseDeny", and
|
||||
# "BrowseOrder" directives
|
||||
|
||||
# This serves for restricting the choice of printers in print dialogs
|
||||
# to trusted servers or to reduce the number of listed printers in the
|
||||
# print dialogs to a more user-friendly amount in large networks with
|
||||
# very many shared printers.
|
||||
|
||||
# This only filters the selection of remote printers for which
|
||||
# cups-browsed creates local queues. If the print dialog uses other
|
||||
# mechanisms to list remote printers as for example direct DNS-SD
|
||||
# access, cups-browsed has no influence. cups-browsed also does not
|
||||
# prevent the user from manually accessing non-listed printers.
|
||||
|
||||
# "BrowseAllow": Accept printers from these hosts or networks. If
|
||||
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
|
||||
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
|
||||
# line are accepted.
|
||||
|
||||
# "BrowseDeny": Deny printers from these hosts or networks. If there
|
||||
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
|
||||
# "BrowseAllow" lines, all servers NOT matching any of the
|
||||
# "BrowseDeny" lines are accepted.
|
||||
|
||||
# "BrowseOrder": Determine the order in which "BrowseAllow" and
|
||||
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
|
||||
# beginning all servers are accepted, then the "BrowseDeny" lines are
|
||||
# applied to exclude unwished servers or networks and after that the
|
||||
# "BrowseAllow" lines to re-include servers or networks. With
|
||||
# "BrowseOrder Allow,Deny" we start with denying all servers, then
|
||||
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
|
||||
# lines.
|
||||
|
||||
# Default for "BrowseOrder" is "Deny.Allow" if there are both
|
||||
# "BrowseAllow" and "BrowseDeny" lines.
|
||||
|
||||
# If there are no "Browse..." lines at all, all servers are accepted.
|
||||
|
||||
# BrowseAllow All
|
||||
# BrowseAllow cups.example.com
|
||||
# BrowseAllow 192.168.1.12
|
||||
# BrowseAllow 192.168.1.0/24
|
||||
# BrowseAllow 192.168.1.0/255.255.255.0
|
||||
|
||||
# BrowseDeny All
|
||||
# BrowseDeny printserver.example.com
|
||||
# BrowseDeny 192.168.1.13
|
||||
# BrowseDeny 192.168.3.0/24
|
||||
# BrowseDeny 192.168.3.0/255.255.255.0
|
||||
|
||||
# BrowseOrder Deny,Allow
|
||||
# BrowseOrder Allow,Deny
|
||||
|
||||
|
||||
# The interval between browsing/broadcasting cycles, local and/or
|
||||
# remote, can be adjusted with the BrowseInterval directive.
|
||||
|
||||
# BrowseInterval 60
|
||||
|
||||
|
||||
# Browsing-related operations such as adding or removing printer queues
|
||||
# and broadcasting are each allowed to take up to a given amount of time.
|
||||
# It can be configured, in seconds, with the BrowseTimeout directive.
|
||||
# Especially queues discovered by CUPS broadcasts will be removed after
|
||||
# this timeout if no further broadcast from the server happens.
|
||||
|
||||
# BrowseTimeout 300
|
||||
|
||||
# Filtering of remote printers by other properties than IP addresses
|
||||
# of their servers
|
||||
|
||||
# Often the desired selection of printers cannot be reached by only
|
||||
# taking into account the IP addresses of the servers. For these cases
|
||||
# there is the BrowseFilter directive to filter by most of the known
|
||||
# properties of the printer.
|
||||
|
||||
# By default there is no BrowseFilter line meaning that no filtering
|
||||
# is applied.
|
||||
|
||||
# To do filtering one can supply one or more BrowseFilter directives
|
||||
# like this:
|
||||
|
||||
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
|
||||
|
||||
# The BrowseFilter directive always starts with the word
|
||||
# "BrowseFilter" and it must at least contain the name of the data
|
||||
# field (<FIELD>) of the printer's properties to which it should
|
||||
# apply.
|
||||
|
||||
# Available field names are:
|
||||
|
||||
# name: Name of the local print queue to be created
|
||||
# host: Host name of the remote print server
|
||||
# port: Port through which the printer is accessed on the server
|
||||
# service: DNS/SD service name of the remote printer
|
||||
# domain: Domain of the remote print server
|
||||
|
||||
# Also all field names in the TXT records of DNS-SD-advertised printers
|
||||
# are valid, like "color", "duplex", "pdl", ... If the field name of
|
||||
# the filter rule does not exist for the printer, the rule is skipped.
|
||||
|
||||
# The optional <VALUE> field is either the exact value (when the
|
||||
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
|
||||
# in a terminal window) to be matched with the data field.
|
||||
|
||||
# If no <VALUE> filed is supplied, rules with field names of the TXT
|
||||
# record are considered for boolean matching (true/false) of boolean
|
||||
# field (like duplex, which can have the values "T" for true and "F"
|
||||
# for false).
|
||||
|
||||
# If the option NOT is supplied, the filter rule is fulfilled if the
|
||||
# regular expression or the exact value DOES NOT match the content of
|
||||
# the data field. In a boolean rule (without <VALUE>) the rule matches
|
||||
# false.
|
||||
|
||||
# Regular expressions are always considered case-insensitive and
|
||||
# extended POSIX regular expressions. Field names and options (NOT,
|
||||
# EXACT) are all evaluated case-insensitive. If there is an error in a
|
||||
# regular expression, the BrowseFilter line gets ignored.
|
||||
|
||||
# Especially to note is that supplying any simple string consisting of
|
||||
# only letters, numbers, spaces, and some basic special characters as
|
||||
# a regular expression matches if it is contained somewhere in the
|
||||
# data field.
|
||||
|
||||
# If there is more than one BrowseFilter directive, ALL the directives
|
||||
# need to be fulfilled for the remote printer to be accepted. If one
|
||||
# is not fulfilled, the printer will get ignored.
|
||||
|
||||
# Examples:
|
||||
|
||||
# Rules for standard data items which are supplied with any remote
|
||||
# printer advertised via DNS-SD:
|
||||
|
||||
# Print queue name must contain "hum_res_", this matches
|
||||
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
|
||||
|
||||
# BrowseFilter name hum_res_
|
||||
|
||||
# This matches if the remote host name contains "printserver", like
|
||||
# "printserver.local", "printserver2.example.com", "newprintserver":
|
||||
|
||||
# BrowseFilter host printserver
|
||||
|
||||
# This matches all ports with 631 int its number, for example 631,
|
||||
# 8631, 10631,...:
|
||||
|
||||
# BrowseFilter port 631
|
||||
|
||||
# This rule matches if the DNS-SD service name contains "@ printserver":
|
||||
|
||||
# Browsefilter service @ printserver
|
||||
|
||||
# Matches all domains with "local" in their names, not only "local" but
|
||||
# also things like "printlocally.com":
|
||||
|
||||
# BrowseFilter domain local
|
||||
|
||||
# Examples for rules applying to items of the TXT record:
|
||||
|
||||
# This rule selects PostScript printers, as the "PDL" field in the TXT
|
||||
# record contains "postscript" then. This includes also remote CUPS
|
||||
# queues which accept PostScript, independent of whether the physical
|
||||
# printer behind the CUPS queue accepts PostScript or not.
|
||||
|
||||
# BrowseFilter pdl postscript
|
||||
|
||||
# Color printers usually contain a "Color" entry set to "T" (for true)
|
||||
# in the TXT record. This rule selects them:
|
||||
|
||||
# BrowseFilter color
|
||||
|
||||
# This is a similar rule to select only duplex (automatic double-sided
|
||||
# printing) printers:
|
||||
|
||||
# BrowseFilter duplex
|
||||
|
||||
# Rules with the NOT option:
|
||||
|
||||
# This rule EXCLUDES printers from all hosts containing "financial" in
|
||||
# their names, nice to get rid of the 100s of printers of the
|
||||
# financial department:
|
||||
|
||||
# BrowseFilter NOT host financial
|
||||
|
||||
# Get only monochrome printers ("Color" set to "F", meaning false, in
|
||||
# the TXT record):
|
||||
|
||||
# BrowseFilter NOT color
|
||||
|
||||
# Rules with more advanced use of regular expressions:
|
||||
|
||||
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
|
||||
# still get "hum_res_mono" or "hum_res_color" but not
|
||||
# "old_hum_res_mono" any more:
|
||||
|
||||
# BrowseFilter name ^hum_res_
|
||||
|
||||
# Server names is accepted if it contains "print_server" OR
|
||||
# "graphics_dep_server":
|
||||
|
||||
# BrowseFilter host print_server|graphics_dep_server
|
||||
|
||||
# "printserver1", "printserver2", and "printserver3", nothing else:
|
||||
|
||||
# BrowseFilter host ^printserver[1-3]$
|
||||
|
||||
# Printers understanding at least one of PostScript, PCL, or PDF:
|
||||
|
||||
# BrowseFilter pdl postscript|pcl|pdf
|
||||
|
||||
# Examples for the EXACT option:
|
||||
|
||||
# Only printers from "printserver.local" are accepted:
|
||||
|
||||
# BrowseFilter EXACT host printserver.local
|
||||
|
||||
# Printers from all servers except "prinserver2.local" are accepted:
|
||||
|
||||
# BrowseFilter NOT EXACT host prinserver2.local
|
||||
|
||||
|
||||
# Use BrowsePoll to poll a particular CUPS server
|
||||
|
||||
# BrowsePoll cups.example.com
|
||||
# BrowsePoll cups.example.com:631
|
||||
# BrowsePoll cups.example.com:631/version=1.1
|
||||
|
||||
|
||||
# LDAP browsing configuration
|
||||
# The default value for all options is an empty string. Example configuration:
|
||||
|
||||
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
|
||||
# BrowseLDAPCACertFile /path/to/server/certificate.pem
|
||||
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
|
||||
# BrowseLDAPFilter (printerLocation=/Office 1/*)
|
||||
# BrowseLDAPPassword s3cret
|
||||
# BrowseLDAPServer ldaps://ldap.domain.tld
|
||||
|
||||
|
||||
# Use DomainSocket to access the local CUPS daemon via another than the
|
||||
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
|
||||
# domain socket.
|
||||
|
||||
# DomainSocket /var/run/cups/cups.sock
|
||||
# DomainSocket None
|
||||
# DomainSocket Off
|
||||
|
||||
|
||||
# Set HTTP timeout (in seconds) for requests sent to local/remote
|
||||
# resources Note that too short timeouts can make services getting
|
||||
# missed when they are present and operations be unneccessarily
|
||||
# repeated and too long timeouts can make operations take too long
|
||||
# when the server does not respond.
|
||||
|
||||
# HttpLocalTimeout 5
|
||||
# HttpRemoteTimeout 10
|
||||
|
||||
# Set how many retries (N) should cups-browsed do for creating print
|
||||
# queues for remote printers which receive timeouts during print queue
|
||||
# creation. The printers which are not successfuly set up even after
|
||||
# N retries, are skipped until the next restart of the service. Note
|
||||
# that too many retries can cause high CPU load.
|
||||
|
||||
# HttpMaxRetries 5
|
||||
|
||||
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
|
||||
# local queues for remote printers for which CUPS creates queues by
|
||||
# itself. These printers are printers advertised via DNS-SD and doing
|
||||
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
|
||||
# printing, including remote CUPS queues. Queues for other printers
|
||||
# (like for legacy PostScript/PCL printers) are always created
|
||||
# (depending on the other configuration settings of cups-browsed).
|
||||
|
||||
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
|
||||
# for all printers which it supports, including printers for which
|
||||
# CUPS would create queues by itself. Temporary queues created by CUPS
|
||||
# will get overwritten. This way it is assured that any extra
|
||||
# functionality of cups-browsed will apply to these queues. As queues
|
||||
# created by cups-browsed are permanent CUPS queues this setting is
|
||||
# also recommended if applications/print dialogs which do not support
|
||||
# temporary CUPS queues are installed. This setting is the default.
|
||||
|
||||
# OnlyUnsupportedByCUPS Yes
|
||||
|
||||
|
||||
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
|
||||
# for IPP printers with PPDs generated by the PPD generator of CUPS
|
||||
# and not with the one of cups-browsed. So any new development in
|
||||
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
|
||||
# directly accessible, we need to make CUPS generate a temporary print
|
||||
# queue with the desired PPD. Therefore we can only use these PPDs
|
||||
# when our queue replaces a temporary CUPS queue, meaning that the
|
||||
# queue is for a printer on which CUPS supports driverless printing
|
||||
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
|
||||
# name is the same as CUPS uses for the temporary queue
|
||||
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
|
||||
# applies only to IPP printers, not to remote CUPS queues, to not
|
||||
# break clustering. Setting this directive to "No" lets cups-browsed
|
||||
# generate the PPD file. Default setting is "No".
|
||||
|
||||
# UseCUPSGeneratedPPDs No
|
||||
|
||||
|
||||
# With the directives LocalQueueNamingRemoteCUPS and
|
||||
# LocalQueueNamingIPPPrinter you can determine how the names for local
|
||||
# queues generated by cups-browsed are generated, separately for
|
||||
# remote CUPS printers and IPP printers.
|
||||
|
||||
# DNS-SD (the default in both cases) bases the naming on the service
|
||||
# name of the printer's advertised DNS-SD record. This is exactly the
|
||||
# same naming scheme as CUPS uses for its temporary queues, so the
|
||||
# local queue from cups-browsed prevents CUPS from listing and
|
||||
# creating an additional queue. As DNS-SD service names have to be
|
||||
# unique, queue names of printers from different servers will also be
|
||||
# unique and so there is no automatic clustering for load-balanced
|
||||
# printing.
|
||||
|
||||
# MakeModel bases the queue name on the printer's manufacturer and
|
||||
# model names. This scheme cups-browsed used formerly for IPP
|
||||
# printers.
|
||||
|
||||
# RemoteName is only available for remote CUPS queues and uses the
|
||||
# name of the queue on the remote CUPS server as the local queue's
|
||||
# name. This makes printers on different CUPS servers with equal queue
|
||||
# names automatically forming a load-balancing cluster as CUPS did
|
||||
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
|
||||
# printers. This scheme cups-browsed used formerly for remote CUPS
|
||||
# printers.
|
||||
|
||||
# LocalQueueNamingRemoteCUPS DNS-SD
|
||||
# LocalQueueNamingRemoteCUPS MakeModel
|
||||
# LocalQueueNamingRemoteCUPS RemoteName
|
||||
# LocalQueueNamingIPPPrinter DNS-SD
|
||||
# LocalQueueNamingIPPPrinter MakeModel
|
||||
|
||||
|
||||
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
|
||||
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
|
||||
# also does. These queues use the DNS-SD service name of the
|
||||
# discovered printer. With this the URI is independent of network
|
||||
# interfaces and ports, giving reliable connections to always the same
|
||||
# physical device. This setting is the default.
|
||||
|
||||
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
|
||||
# conventional host-name/IP-based URIs.
|
||||
|
||||
# Note that this option has only influence on URIs for printers
|
||||
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
|
||||
# Those printers get always assigned the conventional URIs.
|
||||
|
||||
# DNSSDBasedDeviceURIs Yes
|
||||
|
||||
|
||||
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
|
||||
# local queues with device URIs with the IP addresses instead of the
|
||||
# host names of the remote servers. This mode is there for any
|
||||
# problems with host name resolution in the network, especially also
|
||||
# if avahi-daemon is only run for printer discovery and already
|
||||
# stopped while still printing. By default this mode is turned off,
|
||||
# meaning that we use URIs with host names.
|
||||
|
||||
# Note that the IP addresses depend on the network interface through
|
||||
# which the printer is accessed. So do not use IP-based URIs on systems
|
||||
# with many network interfaces and where interfaces can appear and
|
||||
# disappear frequently.
|
||||
|
||||
# This mode could also be useful for development and debugging.
|
||||
|
||||
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
|
||||
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
|
||||
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
|
||||
|
||||
# IPBasedDeviceURIs No
|
||||
# IPBasedDeviceURIs Yes
|
||||
# IPBasedDeviceURIs IPv4
|
||||
# IPBasedDeviceURIs IPv6
|
||||
|
||||
# The AllowResharingRemoteCUPSPrinters directive determines whether a
|
||||
# print queue pointing to a remote CUPS queue will be re-shared to the
|
||||
# local network or not. Since the queues generated using the BrowsePoll
|
||||
# directive are also pointing to remote queues, they are also shared
|
||||
# automatically if the following option is set. Default is not to share
|
||||
# remote printers.
|
||||
|
||||
# AllowResharingRemoteCUPSPrinters Yes
|
||||
|
||||
# The NewBrowsePollQueuesShared directive determines whether a print
|
||||
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
|
||||
# will be shared to the local network or not. This directive will only work
|
||||
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
|
||||
# not to share printers discovered using BrowsePoll.
|
||||
|
||||
# NewBrowsePollQueuesShared Yes
|
||||
|
||||
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
|
||||
# create local queues pointing to remote raw CUPS queues. Normally,
|
||||
# only queues pointing to remote queues with PPD/driver are created
|
||||
# as we do not use drivers on the client side, but in some cases
|
||||
# accessing a remote raw queue can make sense, for example if the
|
||||
# queue forwards the jobs by a special backend like Tea4CUPS.
|
||||
|
||||
# CreateRemoteRawPrinterQueues Yes
|
||||
|
||||
|
||||
# cups-browsed by default creates local print queues for each shared
|
||||
# CUPS print queue which it discovers on remote machines in the local
|
||||
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
|
||||
# want cups-browsed to do this. For example you can set cups-browsed
|
||||
# to only create queues for IPP network printers setting
|
||||
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
|
||||
# to "No".
|
||||
|
||||
# CreateRemoteCUPSPrinterQueues No
|
||||
|
||||
|
||||
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
|
||||
# network printers (native printers, not CUPS queues) with known page
|
||||
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
|
||||
# 5c/e) in the local network and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
|
||||
# discover IPP Everywhere printers in the local network (native
|
||||
# printers, not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
|
||||
# discover Apple Raster printers in the local network (native
|
||||
# printers, not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
|
||||
# discover printers designed for driverless use (currently IPP
|
||||
# Everywhere and Apple Raster) in the local network (native printers,
|
||||
# not CUPS queues) and auto-create print queues for them.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
|
||||
# queues only for local printers made available as IPP printers. These
|
||||
# are for example IPP-over-USB printers, made available via
|
||||
# ippusbxd. This is the default.
|
||||
|
||||
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
|
||||
# for IPP network printers.
|
||||
|
||||
# If queues with PPD file are created (see IPPPrinterQueueType
|
||||
# directive below) the PPDs are auto-generated by cups-browsed based
|
||||
# on properties of the printer polled via IPP. In case of missing
|
||||
# information, info from the Bonjour record is used asd as last mean
|
||||
# default values.
|
||||
|
||||
# If queues without PPD (see IPPPrinterQueueType directive below) are
|
||||
# created clients have to IPP-poll the capabilities of the printer and
|
||||
# send option settings as standard IPP attributes. Then we do not poll
|
||||
# the capabilities by ourselves to not wake up the printer from
|
||||
# power-saving mode when creating the queues. Jobs have to be sent in
|
||||
# one of PDF, PWG Raster, or JPEG format. Other formats are not
|
||||
# accepted.
|
||||
|
||||
# This functionality is primarily for mobile devices running
|
||||
# CUPS to not need a printer setup tool nor a collection of printer
|
||||
# drivers and PPDs.
|
||||
|
||||
# CreateIPPPrinterQueues No
|
||||
# CreateIPPPrinterQueues LocalOnly
|
||||
# CreateIPPPrinterQueues Everywhere
|
||||
# CreateIPPPrinterQueues AppleRaster
|
||||
# CreateIPPPrinterQueues Everywhere AppleRaster
|
||||
# CreateIPPPrinterQueues Driverless
|
||||
# CreateIPPPrinterQueues All
|
||||
|
||||
|
||||
# If cups-browsed is automatically creating print queues for native
|
||||
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
|
||||
# queue to be created can be selected by the "IPPPrinterQueueType"
|
||||
# directive. The "PPD" (default) setting makes queues with PPD file
|
||||
# being created. With "Interface" or "NoPPD" the queue is created with
|
||||
# a System V interface script (Not supported with CUPS 2.2.x or
|
||||
# later). "Auto" is for backward compatibility and also lets queues
|
||||
# with PPD get created.
|
||||
|
||||
# IPPPrinterQueueType PPD
|
||||
# IPPPrinterQueueType NoPPD
|
||||
# IPPPrinterQueueType Interface
|
||||
# IPPPrinterQueueType Auto
|
||||
|
||||
|
||||
# The NewIPPPrinterQueuesShared directive determines whether a print
|
||||
# queue for a newly discovered IPP network printer (not remote CUPS
|
||||
# queue) will be shared to the local network or not. This is only
|
||||
# valid for newly discovered printers. For printers discovered in an
|
||||
# earlier cups-browsed session, cups-browsed will remember whether the
|
||||
# printer was shared, so changes by the user get conserved. Default is
|
||||
# not to share newly discovered IPP printers.
|
||||
|
||||
# NewIPPPrinterQueuesShared Yes
|
||||
|
||||
|
||||
# If there is more than one remote CUPS printer whose local queue
|
||||
# would get the same name and AutoClustering is set to "Yes" (the
|
||||
# default) only one local queue is created which makes up a
|
||||
# load-balancing cluster of the remote printers which would get this
|
||||
# queue name (implicit class). This means that when several jobs are
|
||||
# sent to this queue they get distributed between the printers, using
|
||||
# the method chosen by the LoadBalancing directive.
|
||||
|
||||
# Note that the forming of clusters depends on the naming scheme for
|
||||
# local queues created by cups-browsed. If you have set
|
||||
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
|
||||
# clustering as the DNS-SD service names are always unique. With
|
||||
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
|
||||
# named as the CUPS queues on the remote servers are named and so
|
||||
# equally named queues on different servers get clustered (this is how
|
||||
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
|
||||
# set to "MakeModel" makes remote printers of the same model get
|
||||
# clustered. Note that then a cluster can contain more than one queue
|
||||
# of the same server.
|
||||
|
||||
# With AutoClustering set to "No", for each remote CUPS printer an
|
||||
# individual local queue is created, and to avoid name clashes when
|
||||
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
|
||||
# "MakeModel" "@<server name>" is added to the local queue name.
|
||||
|
||||
# Only remote CUPS printers get clustered, not IPP network printers or
|
||||
# IPP-over-USB printers.
|
||||
|
||||
# AutoClustering Yes
|
||||
# AutoClustering No
|
||||
|
||||
|
||||
# Load-balancing printer cluster formation can also be manually
|
||||
# controlled by defining explicitly which remote CUPS printers should
|
||||
# get clustered together.
|
||||
|
||||
# This is done by the "Cluster" directive:
|
||||
|
||||
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
|
||||
# Cluster <QUEUENAME>
|
||||
|
||||
# If no expressions are given, <QUEUENAME> is used as the first and
|
||||
# only expression for this cluster.
|
||||
|
||||
# Discovered printers are matched against all the expressions of all
|
||||
# defined clusters. The first expression which matches the discovered
|
||||
# printer determines to which cluster it belongs. Note that this way a
|
||||
# printer can only belong to one cluster. Once matched, further
|
||||
# cluster definitions will not checked any more.
|
||||
|
||||
# With the first printer matching a cluster's expression a local queue
|
||||
# with the name <QUEUENAME> is created. If more printers are
|
||||
# discovered and match this cluster, they join the cluster. Printing
|
||||
# to this queue prints to all these printers in a load-balancing
|
||||
# manner, according to to the setting of the LoadBalancing directive.
|
||||
|
||||
# Each expression must be a string of characters without spaces. If
|
||||
# spaces are needed, replace them by underscores ('_').
|
||||
|
||||
# An expression can be matched in three ways:
|
||||
|
||||
# 1. By the name of the CUPS queue on the remote server
|
||||
# 2. By make and model name of the remote printer
|
||||
# 3. By the DNS-SD service name of the remote printer
|
||||
|
||||
# Note that the matching is done case-insensitively and any group of
|
||||
# non-alphanumerical characters is replaced by a single underscore.
|
||||
|
||||
# So if an expression is "HP_DeskJet_2540" and the remote server
|
||||
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
|
||||
|
||||
# If "AutoClustering" is not set to "No" both your manual cluster
|
||||
# definitions will be followed and automatic clustering of
|
||||
# equally-named remote queues will be performed. If a printer matches
|
||||
# in both categories the match to the manually defined cluster has
|
||||
# priority. Automatic clustering of equally-named remote printers is
|
||||
# not performed if there is a manually defined cluster with this name
|
||||
# (at least as the printers do not match this cluster).
|
||||
|
||||
# Examples:
|
||||
|
||||
# To cluster all remote CUPS queues named "laserprinter" in your local
|
||||
# network but not cluster any other equally-named remote CUPS printers
|
||||
# use (Local queue will get named "laserprinter"):
|
||||
|
||||
# AutoClustering No
|
||||
# Cluster laserprinter
|
||||
|
||||
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
|
||||
# local queue named "LJ4050":
|
||||
|
||||
# Cluster LJ4050: HP_LaserJet_4050
|
||||
|
||||
# As DNS-SD service names are unique in a network you can create a
|
||||
# cluster from exactly specified printers (spaces replaced by
|
||||
# underscors):
|
||||
|
||||
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
|
||||
|
||||
|
||||
# The LoadBalancing directive switches between two methods of handling
|
||||
# load balancing between equally-named remote queues which are
|
||||
# represented by one local print queue making up a cluster of them
|
||||
# (implicit class).
|
||||
|
||||
# The two methods are:
|
||||
|
||||
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
|
||||
|
||||
# Here we queue up the jobs on the client and regularly check the
|
||||
# clustered remote print queues. If we find an idle queue, we pass
|
||||
# on a job to it.
|
||||
|
||||
# This is also the method which CUPS uses for classes. Advantage is a
|
||||
# more even distribution of the job workload on the servers
|
||||
# (especially if the printing speed of the servers is very different),
|
||||
# and if a server fails, there are not several jobs stuck or
|
||||
# lost. Disadvantage is that if one takes the client (laptop, mobile
|
||||
# phone, ...) out of the local network, printing stops with the jobs
|
||||
# waiting in the local queue.
|
||||
|
||||
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
|
||||
|
||||
# Here we check the number of jobs on each of the clustered remote
|
||||
# printers and send an incoming job immediately to the remote printer
|
||||
# with the lowest amount of jobs in its queue. This way no jobs queue
|
||||
# up locally, all jobs which are waiting are waiting on one of the
|
||||
# remote servers.
|
||||
|
||||
# Not having jobs waiting locally has the advantage that we can take
|
||||
# the local machine from the network and all jobs get printed.
|
||||
# Disadvantage is that if a server with a full queue of jobs goes
|
||||
# away, the jobs go away, too.
|
||||
|
||||
# Default is queuing the jobs on the client as this is what CUPS does
|
||||
# with classes.
|
||||
|
||||
# LoadBalancing QueueOnClient
|
||||
# LoadBalancing QueueOnServers
|
||||
|
||||
|
||||
# With the DefaultOptions directive one or more option settings can be
|
||||
# defined to be applied to every print queue newly created by
|
||||
# cups-browsed. Each option is supplied as one supplies options with
|
||||
# the "-o" command line argument to the "lpadmin" command (Run "man
|
||||
# lpadmin" for more details). More than one option can be supplied
|
||||
# separating the options by spaces. By default no option settings are
|
||||
# pre-defined.
|
||||
|
||||
# Note that print queues which cups-browsed already created before
|
||||
# remember their previous settings and so these settings do not get
|
||||
# applied.
|
||||
|
||||
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
|
||||
|
||||
|
||||
# The AutoShutdown directive specifies whether cups-browsed should
|
||||
# automatically terminate when it has no local raw queues set up
|
||||
# pointing to any discovered remote printers or no jobs on such queues
|
||||
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
|
||||
# to "On" activates the auto-shutdown mode, setting it to "Off"
|
||||
# deactiivates it (the default). The special mode "avahi" turns auto
|
||||
# shutdown off while avahi-daemon is running and on when avahi-daemon
|
||||
# stops. This allows running cups-browsed on-demand when avahi-daemon
|
||||
# is run on-demand.
|
||||
|
||||
# AutoShutdown Off
|
||||
# AutoShutdown On
|
||||
# AutoShutdown avahi
|
||||
|
||||
|
||||
# The AutoShutdownOn directive determines what event cups-browsed
|
||||
# considers as inactivity in auto shutdown mode. "NoQueues" (the
|
||||
# default) means that auto shutdown is initiated when there are no
|
||||
# queues for discovered remote printers generated by cups-browsed any
|
||||
# more. "NoJobs" means that all queues generated by cups-browsed are
|
||||
# without jobs.
|
||||
|
||||
# AutoShutdownOn NoQueues
|
||||
# AutoShutdownOn NoJobs
|
||||
|
||||
|
||||
# The AutoShutdownTimeout directive specifies after how many seconds
|
||||
# without local raw queues set up pointing to any discovered remote
|
||||
# printers or jobs on these queues cups-browsed should actually shut
|
||||
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
|
||||
# shutdown.
|
||||
|
||||
# AutoShutdownTimeout 30
|
||||
95
roles/common/templates/etc/cups/cups-files.conf.j2
Normal file
95
roles/common/templates/etc/cups/cups-files.conf.j2
Normal file
@ -0,0 +1,95 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#
|
||||
# File/directory/user/group configuration file for the CUPS scheduler.
|
||||
# See "man cups-files.conf" for a complete description of this file.
|
||||
#
|
||||
|
||||
# List of events that are considered fatal errors for the scheduler...
|
||||
#FatalErrors config
|
||||
|
||||
# Do we call fsync() after writing configuration or status files?
|
||||
#SyncOnClose Yes
|
||||
|
||||
# Default user and group for filters/backends/helper programs; this cannot be
|
||||
# any user or group that resolves to ID 0 for security reasons...
|
||||
#User lp
|
||||
#Group lp
|
||||
|
||||
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
|
||||
# This cannot contain the Group value for security reasons...
|
||||
SystemGroup lpadmin
|
||||
|
||||
|
||||
# User that is substituted for unauthenticated (remote) root accesses...
|
||||
#RemoteRoot remroot
|
||||
|
||||
# Do we allow file: device URIs other than to /dev/null?
|
||||
#FileDevice No
|
||||
|
||||
# Permissions for configuration and log files...
|
||||
#ConfigFilePerm 0640
|
||||
#LogFilePerm 00640
|
||||
|
||||
# Location of the file logging all access to the scheduler; may be the name
|
||||
# "syslog". If not an absolute path, the value of ServerRoot is used as the
|
||||
# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
|
||||
AccessLog /var/log/cups/access_log
|
||||
|
||||
# Location of cache files used by the scheduler...
|
||||
#CacheDir /var/cache/cups
|
||||
|
||||
# Location of data files used by the scheduler...
|
||||
#DataDir /usr/share/cups
|
||||
|
||||
# Location of the static web content served by the scheduler...
|
||||
#DocumentRoot /usr/share/cups/doc-root
|
||||
|
||||
# Location of the file logging all messages produced by the scheduler and any
|
||||
# helper programs; may be the name "syslog". If not an absolute path, the value
|
||||
# of ServerRoot is used as the root directory. Also see the "LogLevel"
|
||||
# directive in cupsd.conf.
|
||||
ErrorLog /var/log/cups/error_log
|
||||
|
||||
# Location of fonts used by older print filters...
|
||||
#FontPath /usr/share/cups/fonts
|
||||
|
||||
# Location of LPD configuration
|
||||
#LPDConfigFile
|
||||
|
||||
# Location of the file logging all pages printed by the scheduler and any
|
||||
# helper programs; may be the name "syslog". If not an absolute path, the value
|
||||
# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
|
||||
# directive in cupsd.conf.
|
||||
PageLog /var/log/cups/page_log
|
||||
|
||||
# Location of the file listing all of the local printers...
|
||||
#Printcap /run/cups/printcap
|
||||
|
||||
# Format of the Printcap file...
|
||||
#PrintcapFormat bsd
|
||||
#PrintcapFormat plist
|
||||
#PrintcapFormat solaris
|
||||
|
||||
# Location of all spool files...
|
||||
#RequestRoot /var/spool/cups
|
||||
|
||||
# Location of helper programs...
|
||||
#ServerBin /usr/lib/cups
|
||||
|
||||
# SSL/TLS keychain for the scheduler...
|
||||
#ServerKeychain ssl
|
||||
|
||||
# Location of other configuration files...
|
||||
#ServerRoot /etc/cups
|
||||
|
||||
# Location of Samba configuration file...
|
||||
#SMBConfigFile
|
||||
|
||||
# Location of scheduler state files...
|
||||
#StateDir /run/cups
|
||||
|
||||
# Location of scheduler/helper temporary files. This directory is emptied on
|
||||
# scheduler startup and cannot be one of the standard (public) temporary
|
||||
# directory locations for security reasons...
|
||||
#TempDir /var/spool/cups/tmp
|
||||
307
roles/common/templates/etc/cups/cupsd.conf.client.j2
Normal file
307
roles/common/templates/etc/cups/cupsd.conf.client.j2
Normal file
@ -0,0 +1,307 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#
|
||||
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
|
||||
# complete description of this file.
|
||||
#
|
||||
|
||||
# Log general information in error_log - change "warn" to "debug"
|
||||
# for troubleshooting...
|
||||
LogLevel warn
|
||||
PageLogFormat
|
||||
|
||||
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
|
||||
# LogLevel debug2 gets usable now
|
||||
MaxLogSize 0
|
||||
|
||||
# Only listen for connections from the local machine.
|
||||
#Listen localhost:631
|
||||
# Allow remote access
|
||||
Port 631
|
||||
Listen /var/run/cups/cups.sock
|
||||
|
||||
ServerAlias *
|
||||
HostNameLookups Off
|
||||
|
||||
## - Show shared printers on the local network.
|
||||
Browsing Off
|
||||
|
||||
# Default authentication type, when authentication is required...
|
||||
DefaultAuthType Basic
|
||||
|
||||
# Web interface setting...
|
||||
WebInterface Yes
|
||||
|
||||
# Restrict access to the server...
|
||||
<Location />
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to the admin pages...
|
||||
<Location /admin>
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to configuration files...
|
||||
<Location /admin/conf>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
# Allow remote access to the configuration files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to log files...
|
||||
<Location /admin/log>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
# Allow remote access to the configuration files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Set the default printer/job policies...
|
||||
<Policy default>
|
||||
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
|
||||
# Set the authenticated printer/job policies...
|
||||
<Policy authenticated>
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
AuthType Default
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
|
||||
# Set the kerberized printer/job policies...
|
||||
<Policy kerberos>
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
AuthType Negotiate
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
AuthType Negotiate
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
AuthType Negotiate
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
307
roles/common/templates/etc/cups/cupsd.conf.server.j2
Normal file
307
roles/common/templates/etc/cups/cupsd.conf.server.j2
Normal file
@ -0,0 +1,307 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#
|
||||
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
|
||||
# complete description of this file.
|
||||
#
|
||||
|
||||
# Log general information in error_log - change "warn" to "debug"
|
||||
# for troubleshooting...
|
||||
LogLevel warn
|
||||
PageLogFormat
|
||||
|
||||
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
|
||||
# LogLevel debug2 gets usable now
|
||||
MaxLogSize 0
|
||||
|
||||
# Only listen for connections from the local machine.
|
||||
#Listen localhost:631
|
||||
# Allow remote access
|
||||
Port 631
|
||||
Listen /var/run/cups/cups.sock
|
||||
|
||||
ServerAlias *
|
||||
HostNameLookups Off
|
||||
|
||||
# - Show shared printers on the local network.
|
||||
Browsing On
|
||||
|
||||
# Default authentication type, when authentication is required...
|
||||
DefaultAuthType Basic
|
||||
|
||||
# Web interface setting...
|
||||
WebInterface Yes
|
||||
|
||||
# Restrict access to the server...
|
||||
<Location />
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to the admin pages...
|
||||
<Location /admin>
|
||||
# Allow remote administration...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to configuration files...
|
||||
<Location /admin/conf>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
# Allow remote access to the configuration files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Restrict access to log files...
|
||||
<Location /admin/log>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
# Allow remote access to the configuration files...
|
||||
Order allow,deny
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Location>
|
||||
|
||||
# Set the default printer/job policies...
|
||||
<Policy default>
|
||||
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
|
||||
# Set the authenticated printer/job policies...
|
||||
<Policy authenticated>
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
AuthType Default
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
|
||||
# Set the kerberized printer/job policies...
|
||||
<Policy kerberos>
|
||||
# Job/subscription privacy...
|
||||
JobPrivateAccess default
|
||||
JobPrivateValues default
|
||||
SubscriptionPrivateAccess default
|
||||
SubscriptionPrivateValues default
|
||||
|
||||
# Job-related operations must be done by the owner or an administrator...
|
||||
<Limit Create-Job Print-Job Print-URI Validate-Job>
|
||||
AuthType Negotiate
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
AuthType Negotiate
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All administration operations require an administrator to authenticate...
|
||||
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# All printer operations require a printer operator to authenticate...
|
||||
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
|
||||
AuthType Default
|
||||
Require user @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
# Only the owner or an administrator can cancel or authenticate a job...
|
||||
<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
AuthType Negotiate
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
|
||||
<Limit All>
|
||||
Order deny,allow
|
||||
Allow @LOCAL
|
||||
Allow 127.0.0.0/8
|
||||
Allow 192.168.0.0/16
|
||||
Allow 172.16.0.0/16
|
||||
Allow 10.0.0.0/8
|
||||
</Limit>
|
||||
</Policy>
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
{% set count.nfs_exports = count.nfs_exports + 10 %}
|
||||
{% for network in export.export_networks %}
|
||||
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
|
||||
{% if export.use_fsid_option is defined and export.use_fsid_option is sameas true %}
|
||||
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
|
||||
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
|
||||
{% else %}
|
||||
|
||||
64
roles/common/templates/etc/ntp.conf.j2
Normal file
64
roles/common/templates/etc/ntp.conf.j2
Normal file
@ -0,0 +1,64 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
|
||||
# Leap seconds definition provided by tzdata
|
||||
leapfile /usr/share/zoneinfo/leap-seconds.list
|
||||
|
||||
# Enable this if you want statistics to be logged.
|
||||
#statsdir /var/log/ntpstats/
|
||||
|
||||
statistics loopstats peerstats clockstats
|
||||
filegen loopstats file loopstats type day enable
|
||||
filegen peerstats file peerstats type day enable
|
||||
filegen clockstats file clockstats type day enable
|
||||
|
||||
|
||||
# You do need to talk to an NTP server or two (or three).
|
||||
#server ntp.your-provider.example
|
||||
|
||||
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
||||
# pick a different set every time it starts up. Please consider joining the
|
||||
# pool: <http://www.pool.ntp.org/join.html>
|
||||
#pool 0.debian.pool.ntp.org iburst
|
||||
#pool 1.debian.pool.ntp.org iburst
|
||||
#pool 2.debian.pool.ntp.org iburst
|
||||
#pool 3.debian.pool.ntp.org iburst
|
||||
server {{ ntp_server }}
|
||||
|
||||
|
||||
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
|
||||
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
|
||||
# might also be helpful.
|
||||
#
|
||||
# Note that "restrict" applies to both servers and clients, so a configuration
|
||||
# that might be intended to block requests from certain clients could also end
|
||||
# up blocking replies from your own upstream servers.
|
||||
|
||||
# By default, exchange time with everybody, but don't allow configuration.
|
||||
restrict -4 default kod notrap nomodify nopeer noquery limited
|
||||
restrict -6 default kod notrap nomodify nopeer noquery limited
|
||||
|
||||
# Local users may interrogate the ntp server more closely.
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
||||
|
||||
# Needed for adding pool entries
|
||||
restrict source notrap nomodify noquery
|
||||
|
||||
# Clients from this (example!) subnet have unlimited access, but only if
|
||||
# cryptographically authenticated.
|
||||
#restrict 192.168.123.0 mask 255.255.255.0 notrust
|
||||
|
||||
|
||||
# If you want to provide time to your local subnet, change the next line.
|
||||
# (Again, the address is an example only.)
|
||||
#broadcast 192.168.123.255
|
||||
|
||||
# If you want to listen to time broadcasts on your local subnet, de-comment the
|
||||
# next lines. Please do this only if you trust everybody on the network!
|
||||
#disable auth
|
||||
#broadcastclient
|
||||
|
||||
384
roles/common/templates/etc/samba/smb.conf.j2
Normal file
384
roles/common/templates/etc/samba/smb.conf.j2
Normal file
@ -0,0 +1,384 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#
|
||||
# Sample configuration file for the Samba suite for Debian GNU/Linux.
|
||||
#
|
||||
#
|
||||
# This is the main Samba configuration file. You should read the
|
||||
# smb.conf(5) manual page in order to understand the options listed
|
||||
# here. Samba has a huge number of configurable options most of which
|
||||
# are not shown in this example
|
||||
#
|
||||
# Some options that are often worth tuning have been included as
|
||||
# commented-out examples in this file.
|
||||
# - When such options are commented with ";", the proposed setting
|
||||
# differs from the default Samba behaviour
|
||||
# - When commented with "#", the proposed setting is the default
|
||||
# behaviour of Samba but the option is considered important
|
||||
# enough to be mentioned here
|
||||
#
|
||||
# NOTE: Whenever you modify this file you should run the command
|
||||
# "testparm" to check that you have not made any basic syntactic
|
||||
# errors.
|
||||
|
||||
#======================= Global Settings =======================
|
||||
|
||||
[global]
|
||||
|
||||
## Browsing/Identification ###
|
||||
|
||||
# Change this to the workgroup/NT-domain name your Samba server will part of
|
||||
; workgroup = WORKGROUP
|
||||
workgroup = {{ samba_workgroup|default('WORKGROUP') }}
|
||||
|
||||
# Option 'netbios name' added to debian's default smb.conf
|
||||
#
|
||||
# This sets the NetBIOS name by which a Samba server is known. By default it
|
||||
# is the same as the first component of the host's DNS name. If a machine is
|
||||
# a browse server or logon server this name (or the first component of the
|
||||
# hosts DNS name) will be the name that these services are advertised under.
|
||||
#
|
||||
# Note that the maximum length for a NetBIOS name is 15 characters.
|
||||
#
|
||||
# Default: netbios name = # machine DNS name
|
||||
; netbios name = FILE
|
||||
netbios name = {{ samba_netbios_name|default('FILE') }}
|
||||
|
||||
|
||||
#### Networking ####
|
||||
|
||||
# The specific set of interfaces / networks to bind to
|
||||
# This can be either the interface name or an IP address/netmask;
|
||||
# interface names are normally preferred
|
||||
; interfaces = 127.0.0.0/8 eth0
|
||||
interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8
|
||||
|
||||
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
|
||||
hosts deny = 0.0.0.0/0
|
||||
hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8
|
||||
|
||||
# Only bind to the named interfaces and/or networks; you must use the
|
||||
# 'interfaces' option above to use this.
|
||||
# It is recommended that you enable this feature if your Samba machine is
|
||||
# not protected by a firewall or is a firewall itself. However, this
|
||||
# option cannot handle dynamic or non-broadcast interfaces correctly.
|
||||
#
|
||||
# Notice:
|
||||
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the
|
||||
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
|
||||
# covered below.
|
||||
#
|
||||
# Default: bind interfaces only = no
|
||||
bind interfaces only = yes
|
||||
|
||||
|
||||
#### Debugging/Accounting ####
|
||||
|
||||
# This tells Samba to use a separate log file for each machine
|
||||
# that connects
|
||||
; log file = /var/log/samba/log.%m
|
||||
log file = /var/log/samba/%I.log
|
||||
|
||||
# Cap the size of the individual log files (in KiB).
|
||||
; max log size = 1000
|
||||
max log size = 10000
|
||||
|
||||
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
|
||||
# Append syslog@1 if you want important messages to be sent to syslog too.
|
||||
logging = file
|
||||
|
||||
# Option 'log level' added to debian's default smb.conf
|
||||
#
|
||||
# The value of the parameter (a astring) allows the debug level (logging level) to be
|
||||
# specified in the smb.conf file.
|
||||
#
|
||||
# This parameter has been extended since the 2.2.x series, now it allows one to specify
|
||||
# the debug level for multiple debug classes. This is to give greater flexibility in
|
||||
# the configuration of the system.
|
||||
#
|
||||
# See manpage for implemented debug classes
|
||||
#
|
||||
# Default: log level = 0
|
||||
#
|
||||
# Example: log level = 3 passdb:5 auth:10 winbind:2
|
||||
log level = 0
|
||||
|
||||
# Do something sensible when Samba crashes: mail the admin a backtrace
|
||||
panic action = /usr/share/samba/panic-action %d
|
||||
|
||||
|
||||
####### Authentication #######
|
||||
|
||||
# Option 'ntlm auth' added to debian's default smb.conf
|
||||
#
|
||||
# This parameter determines whether or not smbd(8) will attempt to authenticate
|
||||
# users using the NTLM encrypted password response for this local passdb (SAM
|
||||
# or account database).
|
||||
#
|
||||
# If disabled, both NTLM and LanMan authencication against the local passdb is
|
||||
# disabled.
|
||||
#
|
||||
# Note that these settings apply only to local users, authentication will still
|
||||
# be forwarded to and NTLM authentication accepted against any domain we are
|
||||
# joined to, and any trusted domain, even if disabled or if NTLMv2-only is
|
||||
# enforced here. To control NTLM authentiation for domain users, this must option
|
||||
# must be configured on each DC.
|
||||
#
|
||||
# By default with lanman auth set to no and ntlm auth set to ntlmv2-only only
|
||||
# NTLMv2 logins will be permited. Most clients support NTLMv2 by default, but some
|
||||
# older clients will require special configuration to use it.
|
||||
#
|
||||
# The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
|
||||
#
|
||||
# The available settings are:
|
||||
#
|
||||
# ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
|
||||
#
|
||||
# ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
|
||||
#
|
||||
# mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that
|
||||
# it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
|
||||
#
|
||||
# disabled - Do not accept NTLM (or LanMan) authentication of any level, nor
|
||||
# permit NTLM password changes.
|
||||
#
|
||||
# The default changed from yes to no with Samba 4.5. The default chagned again to
|
||||
# ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
|
||||
#
|
||||
# Default: ntlm auth = ntlmv2-only
|
||||
ntlm auth = ntlmv1-permitted
|
||||
|
||||
# Server role. Defines in which mode Samba will operate. Possible
|
||||
# values are "standalone server", "member server", "classic primary
|
||||
# domain controller", "classic backup domain controller", "active
|
||||
# directory domain controller".
|
||||
#
|
||||
# Most people will want "standalone server" or "member server".
|
||||
# Running as "active directory domain controller" will require first
|
||||
# running "samba-tool domain provision" to wipe databases and create a
|
||||
# new domain.
|
||||
server role = standalone server
|
||||
|
||||
obey pam restrictions = yes
|
||||
|
||||
# This boolean parameter controls whether Samba attempts to sync the Unix
|
||||
# password with the SMB password when the encrypted SMB password in the
|
||||
# passdb is changed.
|
||||
unix password sync = yes
|
||||
|
||||
# For Unix password sync to work on a Debian GNU/Linux system, the following
|
||||
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
|
||||
# sending the correct chat script for the passwd program in Debian Sarge).
|
||||
passwd program = /usr/bin/passwd %u
|
||||
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
|
||||
|
||||
# This boolean controls whether PAM will be used for password changes
|
||||
# when requested by an SMB client instead of the program listed in
|
||||
# 'passwd program'. The default is 'no'.
|
||||
pam password change = yes
|
||||
|
||||
# This option controls how unsuccessful authentication attempts are mapped
|
||||
# to anonymous connections
|
||||
map to guest = bad user
|
||||
|
||||
# Option 'username map' added to debian's default smb.conf
|
||||
#
|
||||
username map = /etc/samba/users.map
|
||||
|
||||
########## Domains ###########
|
||||
|
||||
#
|
||||
# The following settings only takes effect if 'server role = primary
|
||||
# classic domain controller', 'server role = backup domain controller'
|
||||
# or 'domain logons' is set
|
||||
#
|
||||
|
||||
# It specifies the location of the user's
|
||||
# profile directory from the client point of view) The following
|
||||
# required a [profiles] share to be setup on the samba server (see
|
||||
# below)
|
||||
; logon path = \\%N\profiles\%U
|
||||
# Another common choice is storing the profile in the user's home directory
|
||||
# (this is Samba's default)
|
||||
# logon path = \\%N\%U\profile
|
||||
|
||||
# The following setting only takes effect if 'domain logons' is set
|
||||
# It specifies the location of a user's home directory (from the client
|
||||
# point of view)
|
||||
; logon drive = H:
|
||||
# logon home = \\%N\%U
|
||||
|
||||
# The following setting only takes effect if 'domain logons' is set
|
||||
# It specifies the script to run during logon. The script must be stored
|
||||
# in the [netlogon] share
|
||||
# NOTE: Must be store in 'DOS' file format convention
|
||||
; logon script = logon.cmd
|
||||
|
||||
# This allows Unix users to be created on the domain controller via the SAMR
|
||||
# RPC pipe. The example command creates a user account with a disabled Unix
|
||||
# password; please adapt to your needs
|
||||
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
|
||||
|
||||
# This allows machine accounts to be created on the domain controller via the
|
||||
# SAMR RPC pipe.
|
||||
# The following assumes a "machines" group exists on the system
|
||||
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
|
||||
|
||||
# This allows Unix groups to be created on the domain controller via the SAMR
|
||||
# RPC pipe.
|
||||
; add group script = /usr/sbin/addgroup --force-badname %g
|
||||
|
||||
############ Misc ############
|
||||
|
||||
# Using the following line enables you to customise your configuration
|
||||
# on a per machine basis. The %m gets replaced with the netbios name
|
||||
# of the machine that is connecting
|
||||
; include = /home/samba/etc/smb.conf.%m
|
||||
|
||||
# Some defaults for winbind (make sure you're not using the ranges
|
||||
# for something else.)
|
||||
; idmap config * : backend = tdb
|
||||
; idmap config * : range = 3000-7999
|
||||
; idmap config YOURDOMAINHERE : backend = tdb
|
||||
; idmap config YOURDOMAINHERE : range = 100000-999999
|
||||
; template shell = /bin/bash
|
||||
|
||||
# Setup usershare options to enable non-root users to share folders
|
||||
# with the net usershare command.
|
||||
|
||||
# Maximum number of usershare. 0 means that usershare is disabled.
|
||||
# usershare max shares = 100
|
||||
|
||||
# Allow users who've been granted usershare privileges to create
|
||||
# public shares, not just authenticated ones
|
||||
usershare allow guests = yes
|
||||
|
||||
#======================= Share Definitions =======================
|
||||
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[homes]
|
||||
comment = Home Directories
|
||||
browseable = no
|
||||
|
||||
# By default, the home directories are exported read-only. Change the
|
||||
# next parameter to 'no' if you want to be able to write to them.
|
||||
read only = yes
|
||||
|
||||
# File creation mask is set to 0700 for security reasons. If you want to
|
||||
# create files with group=rw permissions, set next parameter to 0775.
|
||||
create mask = 0700
|
||||
|
||||
# Directory creation mask is set to 0700 for security reasons. If you want to
|
||||
# create dirs. with group=rw permissions, set next parameter to 0775.
|
||||
directory mask = 0700
|
||||
|
||||
# By default, \\server\username shares can be connected to by anyone
|
||||
# with access to the samba server.
|
||||
# The following parameter makes sure that only "username" can connect
|
||||
# to \\server\username
|
||||
# This might need tweaking when using external authentication schemes
|
||||
valid users = %S
|
||||
|
||||
# Un-comment the following and create the netlogon directory for Domain Logons
|
||||
# (you need to configure Samba to act as a domain controller too.)
|
||||
;[netlogon]
|
||||
; comment = Network Logon Service
|
||||
; path = /home/samba/netlogon
|
||||
; guest ok = yes
|
||||
; read only = yes
|
||||
|
||||
# Un-comment the following and create the profiles directory to store
|
||||
# users profiles (see the "logon path" option above)
|
||||
# (you need to configure Samba to act as a domain controller too.)
|
||||
# The path below should be writable by all users so that their
|
||||
# profile directory may be created the first time they log on
|
||||
;[profiles]
|
||||
; comment = Users profiles
|
||||
; path = /home/samba/profiles
|
||||
; guest ok = no
|
||||
; browseable = no
|
||||
; create mask = 0600
|
||||
; directory mask = 0700
|
||||
|
||||
{% for item in samba_shares | default([]) %}
|
||||
|
||||
[{{ item.name }}]
|
||||
comment = {{ item.name }}
|
||||
path = {{ item.path }}
|
||||
|
||||
browseable = yes
|
||||
read only = no
|
||||
writeable = Yes
|
||||
|
||||
create mask = {{ item.file_create_mask | default('0660') }}
|
||||
force create mode = {{ item.file_create_mask | default('0660') }}
|
||||
directory mask = {{ item.dir_create_mask | default('2770') }}
|
||||
force directory mode = {{ item.dir_create_mask | default('2770') }}
|
||||
|
||||
# can login into that share
|
||||
valid users = @{{ item.group_valid_users }}
|
||||
# allow to write
|
||||
write list = @{{ item.group_write_list }}
|
||||
|
||||
force group = +{{ item.group_write_list }}
|
||||
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
|
||||
|
||||
vfs objects = recycle
|
||||
recycle:keeptree = yes
|
||||
# touch access time from this file
|
||||
# note: this is not the modified time, which is
|
||||
# outdatet by ls-command
|
||||
# so yo can delete files older then n day with the following command:
|
||||
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
|
||||
#
|
||||
recycle:touch = yes
|
||||
recycle:touch_mtime = no
|
||||
recycle:versions = yes
|
||||
recycle:directory_mode = 2770
|
||||
|
||||
# - Dateien gößer als 10MB werden nicht
|
||||
#recycle:maxsize = 10485760 # around 10MB
|
||||
|
||||
# - Keine Begrenzung der Dateigröße.
|
||||
recycle:maxsize = 0
|
||||
|
||||
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
|
||||
recycle:excludedir = /tmp,/temp,/cache,.Trash
|
||||
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
|
||||
|
||||
# - This is a list of files and directories that are neither visible nor accessible.
|
||||
# - Each entry in the list must be separated by a '/', which allows spaces to be
|
||||
# - included in the entry. '*' and '?' can be used to specify multiple files or
|
||||
# - directories as in DOS wildcards.
|
||||
# -
|
||||
veto files = /.Trash/
|
||||
delete veto files = yes
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
;[printers]
|
||||
; comment = All Printers
|
||||
; browseable = no
|
||||
; path = /var/spool/samba
|
||||
; printable = yes
|
||||
; guest ok = no
|
||||
; read only = yes
|
||||
; create mask = 0700
|
||||
|
||||
# Windows clients look for this share name as a source of downloadable
|
||||
# printer drivers
|
||||
;[print$]
|
||||
; comment = Printer Drivers
|
||||
; path = /var/lib/samba/printers
|
||||
; browseable = yes
|
||||
; read only = yes
|
||||
; guest ok = no
|
||||
# Uncomment to allow remote administration of Windows print drivers.
|
||||
# You may need to replace 'lpadmin' with the name of the group your
|
||||
# admin users are members of.
|
||||
# Please note that you also need to set appropriate Unix permissions
|
||||
# to the drivers directory for these users to have write rights in it
|
||||
; write list = root, @lpadmin
|
||||
|
||||
62
roles/common/templates/etc/security/limits.conf.j2
Normal file
62
roles/common/templates/etc/security/limits.conf.j2
Normal file
@ -0,0 +1,62 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# /etc/security/limits.conf
|
||||
#
|
||||
#Each line describes a limit for a user in the form:
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
||||
#
|
||||
#Where:
|
||||
#<domain> can be:
|
||||
# - a user name
|
||||
# - a group name, with @group syntax
|
||||
# - the wildcard *, for default entry
|
||||
# - the wildcard %, can be also used with %group syntax,
|
||||
# for maxlogin limit
|
||||
# - NOTE: group and wildcard limits are not applied to root.
|
||||
# To apply a limit to the root user, <domain> must be
|
||||
# the literal username root.
|
||||
#
|
||||
#<type> can have the two values:
|
||||
# - "soft" for enforcing the soft limits
|
||||
# - "hard" for enforcing hard limits
|
||||
#
|
||||
#<item> can be one of the following:
|
||||
# - core - limits the core file size (KB)
|
||||
# - data - max data size (KB)
|
||||
# - fsize - maximum filesize (KB)
|
||||
# - memlock - max locked-in-memory address space (KB)
|
||||
# - nofile - max number of open file descriptors
|
||||
# - rss - max resident set size (KB)
|
||||
# - stack - max stack size (KB)
|
||||
# - cpu - max CPU time (MIN)
|
||||
# - nproc - max number of processes
|
||||
# - as - address space limit (KB)
|
||||
# - maxlogins - max number of logins for this user
|
||||
# - maxsyslogins - max number of logins on the system
|
||||
# - priority - the priority to run user process with
|
||||
# - locks - max number of file locks the user can hold
|
||||
# - sigpending - max number of pending signals
|
||||
# - msgqueue - max memory used by POSIX message queues (bytes)
|
||||
# - nice - max nice priority allowed to raise to values: [-20, 19]
|
||||
# - rtprio - max realtime priority
|
||||
# - chroot - change root to directory (Debian-specific)
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
||||
#
|
||||
|
||||
#* soft core 0
|
||||
#root hard core 100000
|
||||
#* hard rss 10000
|
||||
#@student hard nproc 20
|
||||
#@faculty soft nproc 20
|
||||
#@faculty hard nproc 50
|
||||
#ftp hard nproc 0
|
||||
#ftp - chroot /ftp
|
||||
#@student - maxlogins 4
|
||||
|
||||
* - nofile 1048576
|
||||
root - nofile 1048576
|
||||
|
||||
|
||||
# End of file
|
||||
349
roles/common/templates/etc/ssh/sshd_config.j2
Normal file
349
roles/common/templates/etc/ssh/sshd_config.j2
Normal file
@ -0,0 +1,349 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#-----------------------------
|
||||
# Daemon
|
||||
#-----------------------------
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
{% for item in sshd_ports %}
|
||||
Port {{ item }}
|
||||
{% endfor %}
|
||||
|
||||
# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
|
||||
#
|
||||
# ListenAddress host|IPv4_addr|IPv6_addr
|
||||
# ListenAddress host|IPv4_addr:port
|
||||
# ListenAddress [host|IPv6_addr]:port
|
||||
#
|
||||
# If port is not specified, sshd will listen on the address and all Port options specified. The default
|
||||
# is to listen on all local addresses. Multiple ListenAddress options are permitted.
|
||||
#
|
||||
# ListenAddress ::
|
||||
# ListenAddress 0.0.0.0
|
||||
# ListenAddress 159.69.72.24
|
||||
# ListenAddress 2a01:4f8:231:171f::2
|
||||
#
|
||||
{% if (sshd_listen_address is defined) and sshd_listen_address %}
|
||||
{% for item in sshd_listen_address %}
|
||||
ListenAddress {{ item }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Specifies the protocol versions sshd(8) supports.
|
||||
# The possible values are ‘1’ , `2' and ‘1,2’.
|
||||
# The default is ‘2’.
|
||||
Protocol 2
|
||||
|
||||
# HostKeys for protocol version 2
|
||||
{% for item in sshd_host_keys %}
|
||||
HostKey {{ item }}
|
||||
{% endfor %}
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#
|
||||
# Note:
|
||||
# Deprecated option KeyRegenerationInterval
|
||||
# Deprecated option ServerKeyBits
|
||||
#
|
||||
#KeyRegenerationInterval 3600
|
||||
#ServerKeyBits 768
|
||||
|
||||
# Specifies the maximum number of concurrent unauthenticated connections
|
||||
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
|
||||
# separated values.
|
||||
# The default is 10.
|
||||
#MaxStartups 10:30:100
|
||||
#MaxStartups 3
|
||||
MaxStartups {{ sshd_max_startups }}
|
||||
|
||||
# Specifies the maximum number of authentication attempts permitted per
|
||||
# connection.
|
||||
# The default is 6.
|
||||
MaxAuthTries {{ sshd_max_auth_tries }}
|
||||
|
||||
# Specifies the maximum number of open sessions permitted per network
|
||||
# connection.
|
||||
# The default is 10.
|
||||
MaxSessions {{ sshd_max_sessions }}
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# Authentication
|
||||
#-----------------------------
|
||||
|
||||
# Specifies whether sshd(8) separates privileges by creating an unprivileged
|
||||
# child process to deal with incoming network traffic.
|
||||
# The default is "yes" (for security).
|
||||
{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
|
||||
#
|
||||
# Note: (Release 7.5)
|
||||
# Deprecated option UsePrivilegeSeparation
|
||||
# Privilege separation has been on by default for almost 15 years
|
||||
# sandboxing has been on by default for almost the last five
|
||||
#
|
||||
#UsePrivilegeSeparation sandbox
|
||||
{% else %}
|
||||
UsePrivilegeSeparation sandbox
|
||||
{% endif %}
|
||||
|
||||
# The server disconnects after this time if the user has not
|
||||
# successfully logged in.
|
||||
# The default is 120 seconds.
|
||||
LoginGraceTime 120
|
||||
|
||||
# Specifies whether root can log in using ssh(1).
|
||||
# The default is "yes".
|
||||
# Possible values: yes, no, prohibit-password (or teh older one: without-password)
|
||||
#PermitRootLogin yes
|
||||
PermitRootLogin {{ sshd_permit_root_login }}
|
||||
|
||||
# Specifies whether sshd(8) should check file modes and ownership of the
|
||||
# user's files and home directory before accepting login. This is normally
|
||||
# desirable because novices sometimes accidentally leave their directory or
|
||||
# files world-writable. Note that this does not apply to ChrootDirectory,
|
||||
# whose permissions and ownership are checked unconditionally.
|
||||
# The default is “yes”.
|
||||
StrictModes yes
|
||||
|
||||
# Specifies whether pure RSA authentication is allowed. This option
|
||||
# applies to protocol version 1 only.
|
||||
# The default is “yes”.
|
||||
#
|
||||
# Note:
|
||||
# Deprecated option RSAAuthentication
|
||||
#
|
||||
#RSAAuthentication yes
|
||||
|
||||
# Specifies whether public key authentication is allowed. Note that this
|
||||
# option applies to protocol version 2 only.
|
||||
# The default is “yes”.
|
||||
PubkeyAuthentication {{ sshd_pubkey_authentication }}
|
||||
|
||||
# Specifies the file that contains the public keys that can be used for
|
||||
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
|
||||
# FORMAT section of sshd(8).
|
||||
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
|
||||
# during connection setup. The following tokens are defined: %% is replaced
|
||||
# by a literal '%', %h is replaced by the home directory of the user being
|
||||
# authenticated, and %u is replaced by the username of that user. After
|
||||
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
|
||||
# to the user's home directory. Multiple files may be listed, separated by
|
||||
# whitespace.
|
||||
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
|
||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
AuthorizedKeysFile {{ sshd_authorized_keys_file }}
|
||||
|
||||
# Specifies whether password authentication is allowed.
|
||||
# Change to no to disable tunnelled clear text passwords
|
||||
# The default is "yes".
|
||||
#PasswordAuthentication yes
|
||||
PasswordAuthentication {{ sshd_password_authentication }}
|
||||
|
||||
# When password authentication is allowed, it specifies whether the
|
||||
# server allows login to accounts with empty password strings.
|
||||
# The default is “no”.
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
|
||||
# The default is “yes”.
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
#
|
||||
# Note:
|
||||
# Deprecated option RhostsRSAAuthentication
|
||||
#
|
||||
#RhostsRSAAuthentication no
|
||||
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication no
|
||||
|
||||
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
|
||||
# during RhostsRSAAuthentication or HostbasedAuthentication.
|
||||
# The default is “no”.
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# If specified, login is allowed only for user names that match one of
|
||||
# the patterns.
|
||||
# The allow/deny directives are processed in the following order: DenyUsers,
|
||||
# AllowUsers, DenyGroups, and finally AllowGroups.
|
||||
# By default, login is allowed for all users.
|
||||
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
|
||||
AllowUsers {{ fact_sshd_allowed_users }}
|
||||
{% else %}
|
||||
#AllowUsers back chris sysadm cityslang christoph
|
||||
{% endif %}
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM {{ sshd_use_pam }}
|
||||
|
||||
# Specifies whether login(1) is used for interactive login sessions.
|
||||
# Note that login(1) is never used for remote command execution.
|
||||
# Note also, that if this is enabled, X11Forwarding will be disabled
|
||||
# because login(1) does not know how to handle xauth(1) cookies. If
|
||||
# UsePrivilegeSeparation is specified, it will be disabled after
|
||||
# authentication.
|
||||
# The default is “no”.
|
||||
#UseLogin no
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# Cryptography
|
||||
#-----------------------------
|
||||
|
||||
# Specifies the available KEX (Key Exchange) algorithms.
|
||||
# The default is:
|
||||
## curve25519-sha256@libssh.org,
|
||||
## ecdh-sha2-nistp256,
|
||||
## ecdh-sha2-nistp384,
|
||||
## ecdh-sha2-nistp521,
|
||||
## diffie-hellman-group-exchange-sha256,
|
||||
## diffie-hellman-group14-sha1.
|
||||
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
|
||||
KexAlgorithms {{ fact_sshd_kexalgorithms }}
|
||||
{% else %}
|
||||
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
{% endif %}
|
||||
|
||||
# Specifies the ciphers allowed for protocol version 2.
|
||||
# The default is:
|
||||
## aes128-ctr,
|
||||
## aes192-ctr,
|
||||
## aes256-ctr,
|
||||
## aes128-gcm@openssh.com,
|
||||
## aes256-gcm@openssh.com,
|
||||
## chacha20-poly1305@openssh.com.
|
||||
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
|
||||
Ciphers {{ fact_sshd_ciphers }}
|
||||
{% else %}
|
||||
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
{% endif %}
|
||||
|
||||
# Specifies the available MAC (message authentication code) algorithms.
|
||||
# The default is:
|
||||
## umac-64-etm@openssh.com,
|
||||
## umac-128-etm@openssh.com,
|
||||
## hmac-sha2-256-etm@openssh.com,
|
||||
## hmac-sha2-512-etm@openssh.com,
|
||||
## umac-64@openssh.com,
|
||||
## umac-128@openssh.com,
|
||||
## hmac-sha2-256,
|
||||
## hmac-sha2-512.
|
||||
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
|
||||
MACs {{ fact_sshd_macs }}
|
||||
{% else %}
|
||||
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||
{% endif %}
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# Logging
|
||||
#-----------------------------
|
||||
|
||||
# Gives the facility code that is used when logging messages from sshd(8).
|
||||
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
# The default is AUTH.
|
||||
SyslogFacility AUTH
|
||||
|
||||
# Gives the verbosity level that is used when logging messages from
|
||||
# sshd(8).
|
||||
# The default is INFO.
|
||||
LogLevel INFO
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# Behavior
|
||||
#-----------------------------
|
||||
|
||||
# Specifies whether the distribution-specified extra version suffix is included
|
||||
# during initial protocol handshake.
|
||||
# The default is "yes".
|
||||
DebianBanner no
|
||||
|
||||
# The contents of the specified file are sent to the remote user before
|
||||
# authentication is allowed.
|
||||
# By default, no banner is displayed.
|
||||
#Banner /etc/issue.net
|
||||
|
||||
# Specifies whether sshd(8) should print /etc/motd when a user logs in
|
||||
# interactively. (On some systems it is also printed by the shell,
|
||||
# /etc/profile, or equivalent.)
|
||||
# The default is “yes”.
|
||||
PrintMotd {{ sshd_print_motd }}
|
||||
|
||||
# Specifies what environment variables sent by the client will be copied
|
||||
# into the session's environ(7).
|
||||
# The default is not to accept any environment variables.
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# Configures an external subsystem (e.g. file transfer daemon).
|
||||
# By default no subsystems are defined.
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Specifies whether sshd(8) should look up the remote host name and check
|
||||
# that the resolved host name for the remote IP address maps back to the
|
||||
# very same IP address.
|
||||
# The default is “yes”.
|
||||
UseDNS {{ sshd_use_dns }}
|
||||
|
||||
# Specifies whether X11 forwarding is permitted. The argument must be
|
||||
# “yes” or “no”. See sshd_config(5) for further expalnation
|
||||
# The default is “no”.
|
||||
#X11Forwarding yes
|
||||
|
||||
# Specifies the first display number available for sshd(8)'s X11
|
||||
# forwarding. This prevents sshd from interfering with real X11 servers.
|
||||
# The default is 10.
|
||||
X11DisplayOffset 10
|
||||
|
||||
# Specifies whether the system should send TCP keepalive messages to the
|
||||
# other side. If they are sent, death of the connection or crash of one
|
||||
# of the machines will be properly noticed. However, this means
|
||||
# that connections will die if the route is down temporarily, and some
|
||||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||||
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
|
||||
# and consuming server resources.
|
||||
#
|
||||
# The default is “yes” (to send TCP keepalive messages), and the server
|
||||
# will notice if the network goes down or the client host crashes. This
|
||||
# avoids infinitely hanging sessions.
|
||||
TCPKeepAlive yes
|
||||
|
||||
#Specifies whether sshd(8) should print the date and time of the last
|
||||
# user login when a user logs in interactively.
|
||||
# The default is “yes”.
|
||||
PrintLastLog yes
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# Kerberos options
|
||||
#-----------------------------
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
|
||||
#-----------------------------
|
||||
# GSSAPI options
|
||||
#-----------------------------
|
||||
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
34
roles/common/templates/etc/sudoers.d/50-user.pc.j2
Normal file
34
roles/common/templates/etc/sudoers.d/50-user.pc.j2
Normal file
@ -0,0 +1,34 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% for item in sudoers_pc_file_defaults | default([]) %}
|
||||
Defaults {{ item }}
|
||||
{% endfor %}
|
||||
|
||||
# Host alias specification
|
||||
{% for item in sudoers_pc_file_host_aliases | default([]) %}
|
||||
Host_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User alias specification
|
||||
{% for item in sudoers_pc_file_user_aliases | default([]) %}
|
||||
User_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Cmnd alias specification
|
||||
{% for item in sudoers_pc_file_cmnd_aliases | default([]) %}
|
||||
Cmnd_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Runas alias specification
|
||||
{% for item in sudoers_pc_file_runas_aliases | default([]) %}
|
||||
Runas_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User privilege specification
|
||||
|
||||
{# rules for nis users #}
|
||||
{% for item in nis_user | default([]) %}
|
||||
{{ item.name }} ALL=(root)NOPASSWD: MOUNT
|
||||
{% endfor %}
|
||||
|
||||
# Group privilege specification
|
||||
53
roles/common/templates/etc/sudoers.d/50-user.server.j2
Normal file
53
roles/common/templates/etc/sudoers.d/50-user.server.j2
Normal file
@ -0,0 +1,53 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% for item in sudoers_server_file_defaults | default([]) %}
|
||||
Defaults {{ item }}
|
||||
{% endfor %}
|
||||
|
||||
# Host alias specification
|
||||
{% for item in sudoers_server_file_host_aliases | default([]) %}
|
||||
Host_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User alias specification
|
||||
{% for item in sudoers_server_file_user_aliases | default([]) %}
|
||||
User_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Cmnd alias specification
|
||||
{% for item in sudoers_server_file_cmnd_aliases | default([]) %}
|
||||
Cmnd_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Runas alias specification
|
||||
{% for item in sudoers_server_file_runas_aliases | default([]) %}
|
||||
Runas_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User privilege specification
|
||||
|
||||
{# rule for user 'back' #}
|
||||
{% for item in sudoers_server_file_user_back_privileges | default([]) %}
|
||||
back {{ item }}
|
||||
{% endfor -%}
|
||||
|
||||
|
||||
{%- if ansible_virtualization_role == 'host' %}
|
||||
|
||||
{% for item in sudoers_server_file_user_back_disk_privileges | default([]) %}
|
||||
back {{ item }}
|
||||
{% endfor %}
|
||||
{% endif -%}
|
||||
|
||||
{# other (host specific) rules #}
|
||||
{%- if (sudoers_server_file_user_privileges is defined and sudoers_server_file_user_privileges) %}
|
||||
|
||||
{% for item in sudoers_server_file_user_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Group privilege specification
|
||||
{% for item in sudoers_server_file_group_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor -%}
|
||||
@ -7,34 +7,34 @@
|
||||
#
|
||||
# See the man page for details on how to write a sudoers file.
|
||||
#
|
||||
{% for item in sudoers_defaults %}
|
||||
{% for item in sudoers_pc_defaults %}
|
||||
{% if item != '' %}
|
||||
Defaults {{ item }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# Host alias specification
|
||||
{% for item in sudoers_host_aliases | default([]) %}
|
||||
{% for item in sudoers_pc_host_aliases | default([]) %}
|
||||
Host_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User alias specification
|
||||
{% for item in sudoers_user_aliases | default([]) %}
|
||||
{% for item in sudoers_pc_user_aliases | default([]) %}
|
||||
User_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Cmnd alias specification
|
||||
{% for item in sudoers_cmnd_aliases | default([]) %}
|
||||
{% for item in sudoers_pc_cmnd_aliases | default([]) %}
|
||||
Cmnd_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Runas alias specification
|
||||
{% for item in sudoers_runas_aliases | default([]) %}
|
||||
{% for item in sudoers_pc_runas_aliases | default([]) %}
|
||||
Runas_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User privilege specification
|
||||
{% for item in sudoers_user_privileges | default([]) %}
|
||||
{% for item in sudoers_pc_user_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
@ -46,7 +46,7 @@ Runas_Alias {{ item.name }} = {{ item.entry }}
|
||||
|
||||
# Group privilege specification
|
||||
|
||||
{% for item in sudoers_group_privileges | default([]) %}
|
||||
{% for item in sudoers_pc_group_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
53
roles/common/templates/etc/sudoers.server.j2
Normal file
53
roles/common/templates/etc/sudoers.server.j2
Normal file
@ -0,0 +1,53 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# This file MUST be edited with the 'visudo' command as root.
|
||||
#
|
||||
# Please consider adding local content in /etc/sudoers.d/ instead of
|
||||
# directly modifying this file.
|
||||
#
|
||||
# See the man page for details on how to write a sudoers file.
|
||||
#
|
||||
{% for item in sudoers_server_defaults %}
|
||||
{% if item != '' %}
|
||||
Defaults {{ item }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# Host alias specification
|
||||
{% for item in sudoers_server_host_aliases | default([]) %}
|
||||
Host_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User alias specification
|
||||
{% for item in sudoers_server_user_aliases | default([]) %}
|
||||
User_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Cmnd alias specification
|
||||
{% for item in sudoers_server_cmnd_aliases | default([]) %}
|
||||
Cmnd_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Runas alias specification
|
||||
{% for item in sudoers_server_runas_aliases | default([]) %}
|
||||
Runas_Alias {{ item.name }} = {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# User privilege specification
|
||||
{% for item in sudoers_server_user_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# Allow members of group sudo to execute any command
|
||||
%sudo ALL=(ALL:ALL) ALL
|
||||
|
||||
# Group privilege specification
|
||||
|
||||
{% for item in sudoers_server_group_privileges | default([]) %}
|
||||
{{ item.name }} {{ item.entry }}
|
||||
{% endfor %}
|
||||
|
||||
# See sudoers(5) for more information on "#include" directives:
|
||||
|
||||
#includedir /etc/sudoers.d
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# ------------------------------------
|
||||
# - Settings for script clean_trash.sh
|
||||
# ------------------------------------
|
||||
|
||||
# - days
|
||||
# -
|
||||
# - Files older then 'days' will be deleted.
|
||||
# -
|
||||
# - Defaults to: days=31
|
||||
# -
|
||||
#days=31
|
||||
|
||||
# - trash_dirs
|
||||
# -
|
||||
# - Directories where files older than given days will be deleted.
|
||||
# -
|
||||
# - Example:
|
||||
# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
|
||||
# -
|
||||
#trash_dirs=""
|
||||
|
||||
{%- set count = namespace(trash_dirs=0) %}
|
||||
|
||||
{%- for item in samba_shares | default([]) %}
|
||||
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
|
||||
{% set count.trash_dirs = count.trash_dirs + 1 %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% if count.trash_dirs > 0 %}
|
||||
trash_dirs="
|
||||
{% for item in samba_shares %}
|
||||
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
|
||||
{{ item.path }}/{{ item.recycle_path }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
"
|
||||
{% endif %}
|
||||
@ -0,0 +1,33 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# -----------------------------------------------------
|
||||
# - Settings for script set_permissions_samba_shares.sh
|
||||
# -----------------------------------------------------
|
||||
|
||||
# - dir_permissions
|
||||
# -
|
||||
# - Recursive set Permissions (group and file- and directory-mode)
|
||||
# -
|
||||
# - Multiple options are possible. Use semicolon separated list.
|
||||
# -
|
||||
# - Usage:
|
||||
# - dir_permissions="<directory>:<group>:<file-mod>:<dir-mod>;[<directory>:<group>:<file-mod>:<dir-mod>];[.."
|
||||
# -
|
||||
# - Example:
|
||||
# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
|
||||
# -
|
||||
#dir_permissions=""
|
||||
|
||||
{%- set count = namespace(samba_shares=0) %}
|
||||
|
||||
{%- for item in samba_shares | default([]) %}
|
||||
{% set count.samba_shares = count.samba_shares + 1 %}
|
||||
{% endfor %}
|
||||
|
||||
{% if count.samba_shares > 0 %}
|
||||
dir_permissions="
|
||||
{% for item in samba_shares | default([]) %}
|
||||
{{ item.path }}:{{ item.group_write_list }}:{{ item.file_create_mask | default('0660') }}:{{ item.dir_create_mask | default('2770') }};
|
||||
{% endfor %}
|
||||
"
|
||||
{% endif %}
|
||||
62
roles/common/templates/root/bin/wakeup_lan.sh.j2
Executable file
62
roles/common/templates/root/bin/wakeup_lan.sh.j2
Executable file
@ -0,0 +1,62 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# {{ ansible_managed }}
|
||||
|
||||
cl101="80:ee:73:c5:e9:b9"
|
||||
cl101_alt="70:71:bc:72:25:98"
|
||||
cl102="80:ee:73:c5:d3:87"
|
||||
cl103="80:ee:73:bb:da:93"
|
||||
cl103_alt="70:71:bc:72:24:cc"
|
||||
cl104="74:d4:35:ac:78:19"
|
||||
cl105_alt="70:71:bc:72:25:93"
|
||||
cl105="80:ee:73:c5:2c:97"
|
||||
cl106_alt="70:71:bc:72:26:e4"
|
||||
cl106="80:ee:73:c5:2d:8d"
|
||||
cl107_alt="e0:69:95:45:71:4b"
|
||||
cl107="80:ee:73:c5:2e:83"
|
||||
cl108_alt="70:71:bc:72:25:85"
|
||||
cl108="80:ee:73:d0:a3:30"
|
||||
cl109="38:60:77:39:f2:49"
|
||||
cl110="38:60:77:4e:34:fe"
|
||||
|
||||
if [ $# = "1" ]; then
|
||||
_nic=`eval eval echo '$'$1`
|
||||
wakeonlan $_nic
|
||||
else
|
||||
wakeonlan $cl101
|
||||
sleep 2
|
||||
wakeonlan $cl101_alt
|
||||
sleep 2
|
||||
wakeonlan $cl102
|
||||
sleep 2
|
||||
wakeonlan $cl103
|
||||
sleep 2
|
||||
wakeonlan $cl103_alt
|
||||
sleep 2
|
||||
wakeonlan $cl104
|
||||
sleep 2
|
||||
wakeonlan $cl105
|
||||
sleep 2
|
||||
wakeonlan $cl105_alt
|
||||
sleep 2
|
||||
wakeonlan $cl106
|
||||
sleep 2
|
||||
wakeonlan $cl106_alt
|
||||
sleep 2
|
||||
wakeonlan $cl107
|
||||
sleep 2
|
||||
wakeonlan $cl107_alt
|
||||
sleep 2
|
||||
wakeonlan $cl108
|
||||
sleep 2
|
||||
wakeonlan $cl108_alt
|
||||
sleep 2
|
||||
wakeonlan $cl109
|
||||
sleep 2
|
||||
wakeonlan $cl110
|
||||
sleep 2
|
||||
fi
|
||||
|
||||
|
||||
exit 0
|
||||
|
||||
Reference in New Issue
Block a user