Initial add of cups add-on

cups/rootfs/etc/cont-init.d/dbus-setup

@@ -0,0 +1,2 @@
+#!/bin/sh
+mkdir -p /var/run/dbus

cups/rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,19 @@
+events {
+}
+
+http {
+
+    server {
+        listen 8099;
+
+        location / {
+            proxy_pass https://localhost:631;
+            proxy_hide_header X-Frame-Options;
+            proxy_hide_header Content-Security-Policy;
+            add_header Content-Security-Policy "sandbox allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-scripts";
+            sub_filter '"/' '"$http_x_ingress_path/';
+            sub_filter "'/" "'$http_x_ingress_path/";
+            sub_filter_once off;
+        }
+    }
+}

cups/rootfs/etc/services.d/avahi/run

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Wait until D-Bus is up and the init script has mapped in the external hostname
+until [ -e /var/run/dbus/system_bus_socket ] && [ -e /var/run/avahi_configured ]; do
+  sleep 1s
+done
+
+exec avahi-daemon

cups/rootfs/etc/services.d/dbus/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec dbus-daemon --system --nofork

cups/rootfs/etc/services.d/nginx/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nginx -g "daemon off;"

cups/rootfs/run.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/with-contenv bashio
+
+# Create links for certificates with CUPS' expected filenames
+bashio::config.require.ssl
+
+keyfile=$(bashio::config keyfile)
+certfile=$(bashio::config certfile)
+cafile=$(bashio::config cafile)
+hostname=$(bashio::info.hostname)
+fqdn=$(hostname --fqdn)
+
+mkdir -p /data/ssl
+
+if [ $cafile != null ] && [ -e "/ssl/$cafile" ]; then
+    rm -f /data/ssl/site.crt
+    ln -s "/ssl/$cafile" /data/ssl/site.crt
+fi
+
+if bashio::config.true ssl; then
+    rm -f "/data/ssl/$fqdn.key"
+    rm -f "/data/ssl/$fqdn.crt"
+    ln -s "/ssl/$keyfile" "/data/ssl/$fqdn.key"
+    ln -s "/ssl/$certfile" "/data/ssl/$fqdn.crt"
+fi
+
+# Get all possible hostnames from configuration
+result=$(bashio::api.supervisor GET /core/api/config true || true)
+internal=$(bashio::jq "$result" '.internal_url' | cut -d'/' -f3 | cut -d':' -f1)
+external=$(bashio::jq "$result" '.external_url' | cut -d'/' -f3 | cut -d':' -f1)
+
+# Fill config file templates with runtime data
+config=$(jq --arg internal "$internal" --arg external "$external" --arg hostname "$hostname" \
+    '{ssl: .ssl, require_ssl: .require_ssl, internal: $internal, external: $external, hostname: $hostname}' \
+    /data/options.json)
+
+echo "$config" | tempio \
+    -template /usr/share/cupsd.conf.tempio \
+    -out /etc/cups/cupsd.conf
+
+echo "$config" | tempio \
+    -template /usr/share/cups-files.conf.tempio \
+    -out /etc/cups/cups-files.conf
+
+echo "$config" | tempio \
+    -template /usr/share/avahi-daemon.conf.tempio \
+    -out /etc/avahi/avahi-daemon.conf
+
+mkdir -p /data/cups
+
+# Start Avahi, wait for it to start up
+touch /var/run/avahi_configured
+until [ -e /var/run/avahi-daemon/socket ]; do
+  sleep 1s
+done
+
+# Start CUPS
+/usr/sbin/cupsd -f

cups/rootfs/usr/share/avahi-daemon.conf.tempio

@@ -0,0 +1,68 @@
+# This file is part of avahi.
+#
+# avahi is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#
+# avahi is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with avahi; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA.
+
+# See avahi-daemon.conf(5) for more information on this configuration
+# file!
+
+[server]
+host-name={{.hostname}}
+#domain-name=local
+#browse-domains=0pointer.de, zeroconf.org
+use-ipv4=yes
+use-ipv6=yes
+#allow-interfaces=eth0
+#deny-interfaces=eth1
+#check-response-ttl=no
+#use-iff-running=no
+#enable-dbus=yes
+#disallow-other-stacks=no
+#allow-point-to-point=no
+#cache-entries-max=4096
+#clients-max=4096
+#objects-per-client-max=1024
+#entries-per-entry-group-max=32
+ratelimit-interval-usec=1000000
+ratelimit-burst=1000
+
+[wide-area]
+enable-wide-area=yes
+
+[publish]
+#disable-publishing=no
+#disable-user-service-publishing=no
+#add-service-cookie=no
+publish-addresses=no
+publish-hinfo=no
+publish-workstation=no
+publish-domain=no
+#publish-dns-servers=192.168.50.1, 192.168.50.2
+#publish-resolv-conf-dns-servers=yes
+#publish-aaaa-on-ipv4=yes
+#publish-a-on-ipv6=no
+
+[reflector]
+#enable-reflector=no
+#reflect-ipv=no
+
+[rlimits]
+#rlimit-as=
+#rlimit-core=0
+#rlimit-data=8388608
+#rlimit-fsize=0
+#rlimit-nofile=768
+#rlimit-stack=8388608
+#rlimit-nproc=3

cups/rootfs/usr/share/cups-files.conf.tempio

@@ -0,0 +1,3 @@
+ServerRoot /data/cups
+ServerKeychain /data/ssl
+CreateSelfSignedCerts {{if .ssl}}no{{else}}yes{{end}}

cups/rootfs/usr/share/cupsd.conf.tempio

@@ -0,0 +1,164 @@
+#
+#
+# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel warn
+
+# Deactivate CUPS' internal logrotating, as we provide a better one, especially
+# LogLevel debug2 gets usable now
+MaxLogSize 0
+
+# Listen to all
+Port 631
+Listen /var/run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseLocalProtocols all
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+DefaultEncryption Required
+
+# Host header validation
+
+ServerAlias {{.hostname}}.local {{.internal}} {{.external}}
+
+ServerName {{.hostname}}
+
+# Web interface setting...
+WebInterface Yes
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+  Allow all
+  Encryption {{if .require_ssl}}Required{{else}}IfRequested{{end}}
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  Order allow,deny
+  Allow all
+</Location>
+
+# Restrict access to configuration files...
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow 172.0.0.1
+  Satisfy any
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the authenticated printer/job policies...
+<Policy authenticated>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order allow,deny
+    Allow 172.0.0.1
+    Satisfy any
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+#
+#