From c3d87fcfba2a7f59c27c75e92b2ca8926439b124 Mon Sep 17 00:00:00 2001
From: Florian Zirker <florian.zirker@kapsweyer.de>
Date: Sat, 1 Oct 2022 23:25:04 +0200
Subject: [PATCH] Print server via cups

---
 print/Dockerfile          |  40 +++++++++++
 print/cupsd.conf          | 135 ++++++++++++++++++++++++++++++++++++++
 print/docker-compose.yaml |  29 ++++++++
 start-all.sh              |   2 +-
 4 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 print/Dockerfile
 create mode 100644 print/cupsd.conf
 create mode 100644 print/docker-compose.yaml

diff --git a/print/Dockerfile b/print/Dockerfile
new file mode 100644
index 0000000..1ea1351
--- /dev/null
+++ b/print/Dockerfile
@@ -0,0 +1,40 @@
+ARG MAINTAINER
+FROM debian:bullseye
+MAINTAINER $MAINTAINER
+
+# Install Packages (basic tools, cups, basic drivers, HP drivers)
+RUN apt-get update \
+&& apt-get install -y \
+  sudo \
+  whois \
+  usbutils \
+  cups \
+  cups-client \
+  cups-bsd \
+  cups-filters \
+  foomatic-db-compressed-ppds \
+  printer-driver-all \
+  openprinting-ppds \
+  hpijs-ppds \
+  hp-ppd \
+  hplip \
+  smbclient \
+  printer-driver-cups-pdf \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/*
+
+# Add user and disable sudo password checking
+RUN useradd \
+  --groups=sudo,lp,lpadmin \
+  --create-home \
+  --home-dir=/home/print \
+  --shell=/bin/bash \
+  --password=$(mkpasswd print) \
+  print \
+&& sed -i '/%sudo[[:space:]]/ s/ALL[[:space:]]*$/NOPASSWD:ALL/' /etc/sudoers
+
+# Copy the default configuration file
+COPY --chown=root:lp cupsd.conf /etc/cups/cupsd.conf
+
+# Default shell
+CMD ["/usr/sbin/cupsd", "-f"]
diff --git a/print/cupsd.conf b/print/cupsd.conf
new file mode 100644
index 0000000..a482ccb
--- /dev/null
+++ b/print/cupsd.conf
@@ -0,0 +1,135 @@
+LogLevel warn
+PageLogFormat
+MaxLogSize 0
+ErrorPolicy retry-job
+# Allow remote access
+Port 631
+Listen /run/cups/cups.sock
+# Share local printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+DefaultAuthType Basic
+WebInterface Yes
+DefaultEncryption IfRequested
+<Location />
+  # Allow shared printing and remote administration...
+  Order allow,deny
+  Allow all
+</Location>
+<Location /admin>
+  # Allow remote administration...
+  Order allow,deny
+  Allow all
+</Location>
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  # Allow remote access to the configuration files...
+  Order allow,deny
+  Allow all
+</Location>
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  # Allow remote access to the log files...
+  Order allow,deny
+  Allow all
+</Location>
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy authenticated>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy kerberos>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+ServerAlias *
diff --git a/print/docker-compose.yaml b/print/docker-compose.yaml
new file mode 100644
index 0000000..bd1f2e0
--- /dev/null
+++ b/print/docker-compose.yaml
@@ -0,0 +1,29 @@
+version: "3.3"
+
+services:
+
+  cups:
+    image: olbat/cupsd
+    volumes:
+      - /var/run/dbus:/var/run/dbus
+      - ${VOLUMES_PATH}/cups:/etc/cups
+    devices:
+      - /dev/usblp0
+    privileged: true
+    network_mode: host
+#    networks:
+#      - web
+#    ports:
+#      - 631:631
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.cups.rule=Host(`print.${DOMAIN}`)"
+      - "traefik.http.routers.cups.entrypoints=web"
+      - "traefik.http.services.cups.loadbalancer.server.port=631"
+      - "docker.group=print"
+    restart: unless-stopped
+
+networks:
+  web:
+    external: true
+
diff --git a/start-all.sh b/start-all.sh
index e43afa9..9a8cd65 100755
--- a/start-all.sh
+++ b/start-all.sh
@@ -13,4 +13,4 @@ up dashboard;
 up download;
 up portainer;
 up torrent;
-
+up print;