[CUPS] Rewrite based on @zajac-grzegorz work (#218)

* [CUPS] Rewrite based on @zajac-grzegorz work

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

cups/rootfs/etc/avahi/avahi-daemon.conf

@@ -19,7 +19,7 @@
 # file!
 
 [server]
-host-name={{.hostname}}
+#host-name=foo
 #domain-name=local
 #browse-domains=0pointer.de, zeroconf.org
 use-ipv4=yes
@@ -45,18 +45,19 @@ enable-wide-area=yes
 #disable-publishing=no
 #disable-user-service-publishing=no
 #add-service-cookie=no
-publish-addresses=no
+#publish-addresses=yes
 publish-hinfo=no
 publish-workstation=no
-publish-domain=no
+#publish-domain=yes
 #publish-dns-servers=192.168.50.1, 192.168.50.2
 #publish-resolv-conf-dns-servers=yes
 #publish-aaaa-on-ipv4=yes
 #publish-a-on-ipv6=no
 
 [reflector]
-#enable-reflector=no
+enable-reflector=yes
 #reflect-ipv=no
+#reflect-filters=_airplay._tcp.local,_raop._tcp.local
 
 [rlimits]
 #rlimit-as=

cups/rootfs/etc/cont-init.d/dbus-setup

@@ -1,2 +0,0 @@
-#!/bin/sh
-mkdir -p /var/run/dbus

cups/rootfs/etc/cups/cupsd.conf

@@ -1,49 +1,46 @@
 #
-#
-# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
 # complete description of this file.
 #
 
 # Log general information in error_log - change "warn" to "debug"
 # for troubleshooting...
 LogLevel warn
+PageLogFormat
 
-# Deactivate CUPS' internal logrotating, as we provide a better one, especially
-# LogLevel debug2 gets usable now
+# Specifies the maximum size of the log files before they are rotated.  The value "0" disables log rotation.
 MaxLogSize 0
 
-# Listen to all
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
 Port 631
-Listen /var/run/cups/cups.sock
+Listen /run/cups/cups.sock
 
 # Show shared printers on the local network.
-Browsing On
+Browsing Yes
 BrowseLocalProtocols all
 
 # Default authentication type, when authentication is required...
 DefaultAuthType Basic
-DefaultEncryption Required
-
-# Host header validation
-
-ServerAlias {{.hostname}}.local {{.internal}} {{.external}}
-
-ServerName {{.hostname}}
 
 # Web interface setting...
 WebInterface Yes
 
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 60
+
 # Restrict access to the server...
 <Location />
   Order allow,deny
-  Allow all
-  Encryption {{if .require_ssl}}Required{{else}}IfRequested{{end}}
+  Allow @LOCAL
 </Location>
 
 # Restrict access to the admin pages...
 <Location /admin>
   Order allow,deny
-  Allow all
+  Allow @LOCAL
 </Location>
 
 # Restrict access to configuration files...
@@ -51,8 +48,13 @@ WebInterface Yes
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
-  Allow 172.0.0.1
-  Satisfy any
+</Location>
+
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
 </Location>
 
 # Set the default printer/job policies...
@@ -70,35 +72,27 @@ WebInterface Yes
 
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All printer operations require a printer operator to authenticate...
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # Only the owner or an administrator can cancel or authenticate a job...
   <Limit Cancel-Job CUPS-Authenticate-Job>
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   <Limit All>
@@ -123,36 +117,74 @@ WebInterface Yes
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     AuthType Default
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All printer operations require a printer operator to authenticate...
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # Only the owner or an administrator can cancel or authenticate a job...
   <Limit Cancel-Job CUPS-Authenticate-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the kerberized printer/job policies...
+<Policy kerberos>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
   </Limit>
 
   <Limit All>
@@ -160,5 +192,3 @@ WebInterface Yes
   </Limit>
 </Policy>
 
-#
-#

cups/rootfs/etc/nginx/nginx.conf

@@ -1,19 +0,0 @@
-events {
-}
-
-http {
-
-    server {
-        listen 8099;
-
-        location / {
-            proxy_pass https://localhost:631;
-            proxy_hide_header X-Frame-Options;
-            proxy_hide_header Content-Security-Policy;
-            add_header Content-Security-Policy "sandbox allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-scripts";
-            sub_filter '"/' '"$http_x_ingress_path/';
-            sub_filter "'/" "'$http_x_ingress_path/";
-            sub_filter_once off;
-        }
-    }
-}

cups/rootfs/etc/s6-overlay/s6-rc.d/avahi-daemon/run

@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bashio
+
+ulimit -n 1048576
+
+bashio::log.info "Starting Avahi daemon from S6"
+
+until [ -e /run/dbus/system_bus_socket ]; do
+  sleep 1s
+done
+
+avahi-daemon

cups/rootfs/etc/s6-overlay/s6-rc.d/avahi-daemon/type

@@ -0,0 +1 @@
+longrun

cups/rootfs/etc/s6-overlay/s6-rc.d/cups-server/run

@@ -0,0 +1,12 @@
+#!/usr/bin/with-contenv bashio
+
+ulimit -n 1048576
+
+bashio::log.info "Starting CUPS server from S6"
+
+until [ -e /var/run/avahi-daemon/socket ]; do
+  sleep 1s
+done
+
+cupsd -f
+

cups/rootfs/etc/s6-overlay/s6-rc.d/cups-server/type

@@ -0,0 +1 @@
+longrun

cups/rootfs/etc/s6-overlay/s6-rc.d/dbus-daemon/run

@@ -0,0 +1,7 @@
+#!/usr/bin/with-contenv bashio
+
+ulimit -n 1048576
+
+bashio::log.info "Starting DBUS daemon from S6"
+
+dbus-daemon --system --nofork

cups/rootfs/etc/s6-overlay/s6-rc.d/dbus-daemon/type

@@ -0,0 +1 @@
+longrun

cups/rootfs/etc/s6-overlay/s6-rc.d/initialization/type

@@ -0,0 +1 @@
+oneshot

cups/rootfs/etc/s6-overlay/s6-rc.d/initialization/up

@@ -0,0 +1,4 @@
+#!/usr/bin/env bashio
+
+mkdir -p /var/run/dbus
+

cups/rootfs/etc/services.d/avahi/run

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-ulimit -n 1048576
-
-# Wait until D-Bus is up and the init script has mapped in the external hostname
-until [ -e /var/run/dbus/system_bus_socket ] && [ -e /var/run/avahi_configured ]; do
-  sleep 1s
-done
-
-avahi-daemon 2>&1 | mawk -W interactive '{printf "%c[34m[avahi]%c[0m %s\n", 27, 27, $0}'

cups/rootfs/etc/services.d/dbus/run

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-ulimit -n 1048576
-
-dbus-daemon --system --nofork 2>&1 | mawk -W interactive '{printf "%c[31m[dbus]%c[0m %s\n", 27, 27, $0}'

cups/rootfs/etc/services.d/nginx/run

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-ulimit -n 1048576
-
-nginx -g "daemon off;" 2>&1 | mawk -W interactive '{printf "%c[35m[nginx]%c[0m %s\n", 27, 27, $0}'

cups/rootfs/run.sh

@@ -1,57 +1,17 @@
 #!/usr/bin/with-contenv bashio
 
-# Create links for certificates with CUPS' expected filenames
-bashio::config.require.ssl
+ulimit -n 1048576
 
-keyfile=$(bashio::config keyfile)
-certfile=$(bashio::config certfile)
-cafile=$(bashio::config cafile)
-hostname=$(bashio::info.hostname)
-fqdn=$(hostname --fqdn)
-
-mkdir -p /data/ssl
-
-if [ $cafile != null ] && [ -e "/ssl/$cafile" ]; then
-    rm -f /data/ssl/site.crt
-    ln -s "/ssl/$cafile" /data/ssl/site.crt
-fi
-
-if bashio::config.true ssl; then
-    rm -f "/data/ssl/$fqdn.key"
-    rm -f "/data/ssl/$fqdn.crt"
-    ln -s "/ssl/$keyfile" "/data/ssl/$fqdn.key"
-    ln -s "/ssl/$certfile" "/data/ssl/$fqdn.crt"
-fi
-
-# Get all possible hostnames from configuration
-result=$(bashio::api.supervisor GET /core/api/config true || true)
-internal=$(bashio::jq "$result" '.internal_url' | cut -d'/' -f3 | cut -d':' -f1)
-external=$(bashio::jq "$result" '.external_url' | cut -d'/' -f3 | cut -d':' -f1)
-
-# Fill config file templates with runtime data
-config=$(jq --arg internal "$internal" --arg external "$external" --arg hostname "$hostname" \
-    '{ssl: .ssl, require_ssl: .require_ssl, internal: $internal, external: $external, hostname: $hostname}' \
-    /data/options.json)
-
-echo "$config" | tempio \
-    -template /usr/share/cupsd.conf.tempio \
-    -out /etc/cups/cupsd.conf
-
-echo "$config" | tempio \
-    -template /usr/share/cups-files.conf.tempio \
-    -out /etc/cups/cups-files.conf
-
-echo "$config" | tempio \
-    -template /usr/share/avahi-daemon.conf.tempio \
-    -out /etc/avahi/avahi-daemon.conf
-
-mkdir -p /data/cups
-
-# Start Avahi, wait for it to start up
-touch /var/run/avahi_configured
 until [ -e /var/run/avahi-daemon/socket ]; do
   sleep 1s
 done
 
-# Start CUPS
-/usr/sbin/cupsd -f
+bashio::log.info "Preparing directories"
+cp -v -R /etc/cups /data
+rm -v -fR /etc/cups
+
+ln -v -s /data/cups /etc/cups
+
+bashio::log.info "Starting CUPS server as CMD from S6"
+
+cupsd -f

cups/rootfs/usr/share/cups-files.conf.tempio

@@ -1,3 +0,0 @@
-ServerRoot /data/cups
-ServerKeychain /data/ssl
-CreateSelfSignedCerts {{if .ssl}}no{{else}}yes{{end}}