[CUPS] Rewrite based on @zajac-grzegorz work

MaxWinterstein · Nov 16, 2023 · 3656399 · 3656399
1 parent 932affd
commit 3656399
Show file tree

Hide file tree

Showing 29 changed files with 174 additions and 180 deletions.
diff --git a/cups/CHANGELOG.md b/cups/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 3.0.0 -- 16.11.2023
+
+- Rewrite based on the work of [zajac-grzegorz](https://github.com/zajac-grzegorz/homeassistant-addon-cups-airprint) - thanks for letting me steal it ❤️
+
 ## 2.2.0 -- 09.06.2023
 
 - Try to fix startup issues with OS 10* / \_Docker v23* - - see [#152](https://github.com/MaxWinterstein/homeassistant-addons/issues/152) for more

diff --git a/cups/Dockerfile b/cups/Dockerfile
@@ -1,37 +1,51 @@
 ARG BUILD_FROM
 FROM $BUILD_FROM
 
-LABEL io.hass.version="1" io.hass.type="addon" io.hass.arch="armhf|aarch64|i386|amd64"
+LABEL io.hass.version="1.0" io.hass.type="addon" io.hass.arch="aarch64|amd64"
+
+# Set shell
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
+        sudo \
+        locales \
         cups \
         avahi-daemon \
         libnss-mdns \
         dbus \
         colord \
-        printer-driver-all-enforce \
+        printer-driver-all \
+        printer-driver-gutenprint \
         openprinting-ppds \
         hpijs-ppds \
         hp-ppd  \
         hplip \
+        printer-driver-foo2zjs \
+        cups-pdf \
         gnupg2 \
         lsb-release \
         nano \
         samba \
         bash-completion \
-        nginx \
+        procps \
     && apt-get clean -y \
     && rm -rf /var/lib/apt/lists/*
 
 COPY rootfs /
 
-# Corrects permissions for s6 v3
-RUN if [ -d /etc/cont-init.d ]; then chmod -R 755 /etc/cont-init.d; fi && \
-    if [ -d /etc/services.d ]; then chmod -R 755 /etc/services.d; fi && \
-    if [ -f /entrypoint.sh ]; then chmod 755 /entrypoint.sh; fi
+# Add user and disable sudo password checking
+RUN useradd \
+  --groups=sudo,lp,lpadmin \
+  --create-home \
+  --home-dir=/home/print \
+  --shell=/bin/bash \
+  --password=$(mkpasswd print) \
+  print \
+&& sed -i '/%sudo[[:space:]]/ s/ALL[[:space:]]*$/NOPASSWD:ALL/' /etc/sudoers
 
-EXPOSE 631 445 137 139
+EXPOSE 631
 
 RUN chmod a+x /run.sh
+
 CMD ["/run.sh"]
diff --git a/cups/README.md b/cups/README.md
@@ -1,12 +1,16 @@
-# Home Assistant Add-on: CUPS Printer server
+**Based on the work of [zajac-grzegorz](https://github.com/zajac-grzegorz/homeassistant-addon-cups-airprint) - thanks for letting me steal it ❤️**
 
-<a href='https://ko-fi.com/MaxWinterstein' target='_blank'><img height='35' style='border:0px;height:46px;' src='https://az743702.vo.msecnd.net/cdn/kofi3.png?v=0' border='0' alt='Buy Me a Coffee at ko-fi.com'></a>
+---
 
-## Credits
+Original README.md
 
-This Add-On is based on the work of https://github.com/Luk164/addon-repository - and just slighty adjusted to make it work. Thanks <3
+# homeassistant addon cups airprint
+CUPS addon with working Avahi in reflector mode 
 
-## Known Issues 🚨
+Tested with Home Assistant version **2023.9**
 
-- mDNS is not working, therefore e.g. printeres are not announced via Avahi / Bonjour - see [#128](https://github.com/MaxWinterstein/homeassistant-addons/issues/128)
-- Ingress is not working, so I disabled it for now. Please access the Webinterface via port 631, e.g. https://192.168.1.2:631 - see [#129](https://github.com/MaxWinterstein/homeassistant-addons/issues/129)
+CUPS administrator login: **print**, password: **print** (can be changed in the Dockerfile)
+
+Configuration data is stored in **/data/cups** folder
+
+[![Open your Home Assistant instance and show the add add-on repository dialog with a specific repository URL pre-filled.](https://my.home-assistant.io/badges/supervisor_add_addon_repository.svg)](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Fzajac-grzegorz%2Fhomeassistant-addon-cups-airprint)
diff --git a/cups/build.json b/cups/build.json
@@ -1,6 +1,5 @@
 {
   "build_from": {
-    "armv7": "ghcr.io/home-assistant/armv7-base-debian:bullseye",
     "aarch64": "ghcr.io/home-assistant/aarch64-base-debian:bullseye",
     "amd64": "ghcr.io/home-assistant/amd64-base-debian:bullseye"
   }

diff --git a/cups/config.yaml b/cups/config.yaml
@@ -1,19 +1,16 @@
----
-name: CUPS Print Server
-version: "2.2.0"
-stage: experimental
-slug: cups
-image: ghcr.io/maxwinterstein/homeassistant-addon-cups-{arch}
-description: A CUPS print server with Avahi installed
+name: CUPS
+version: 3.0.0
 url: https://github.com/MaxWinterstein/homeassistant-addons/
+image: ghcr.io/maxwinterstein/homeassistant-addon-cups-{arch}
+slug: cups
+description: A CUPS print server with working AirPrint
 arch:
   - amd64
-  - armv7
   - aarch64
 usb: true
 init: false
 homeassistant_api: true
-# host_network: true
+host_network: true
 ports:
   631/tcp: 631
   631/udp: 631
@@ -22,15 +19,6 @@ ports_description:
   631/udp: For other devices on the local network to print to this server
 # ingress: false
 map:
-  - ssl
-options:
-  ssl: true
-  certfile: fullchain.pem
-  keyfile: privkey.pem
-  require_ssl: true
-schema:
-  ssl: bool
-  cafile: str?
-  certfile: str
-  keyfile: str
-  require_ssl: bool
+  - config:rw
+stage: experimental
+
diff --git a/...rootfs/usr/share/avahi-daemon.conf.tempio → cups/rootfs/etc/avahi/avahi-daemon.conf b/...rootfs/usr/share/avahi-daemon.conf.tempio → cups/rootfs/etc/avahi/avahi-daemon.conf
@@ -19,7 +19,7 @@
 # file!
 
 [server]
-host-name={{.hostname}}
+#host-name=foo
 #domain-name=local
 #browse-domains=0pointer.de, zeroconf.org
 use-ipv4=yes
@@ -45,18 +45,19 @@ enable-wide-area=yes
 #disable-publishing=no
 #disable-user-service-publishing=no
 #add-service-cookie=no
-publish-addresses=no
+#publish-addresses=yes
 publish-hinfo=no
 publish-workstation=no
-publish-domain=no
+#publish-domain=yes
 #publish-dns-servers=192.168.50.1, 192.168.50.2
 #publish-resolv-conf-dns-servers=yes
 #publish-aaaa-on-ipv4=yes
 #publish-a-on-ipv6=no
 
 [reflector]
-#enable-reflector=no
+enable-reflector=yes
 #reflect-ipv=no
+#reflect-filters=_airplay._tcp.local,_raop._tcp.local
 
 [rlimits]
 #rlimit-as=

diff --git a/cups/rootfs/etc/cont-init.d/dbus-setup b/cups/rootfs/etc/cont-init.d/dbus-setup
diff --git a/cups/rootfs/usr/share/cupsd.conf.tempio → cups/rootfs/etc/cups/cupsd.conf b/cups/rootfs/usr/share/cupsd.conf.tempio → cups/rootfs/etc/cups/cupsd.conf
@@ -1,58 +1,60 @@
 #
-#
-# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
 # complete description of this file.
 #
 
 # Log general information in error_log - change "warn" to "debug"
 # for troubleshooting...
 LogLevel warn
+PageLogFormat
 
-# Deactivate CUPS' internal logrotating, as we provide a better one, especially
-# LogLevel debug2 gets usable now
+# Specifies the maximum size of the log files before they are rotated.  The value "0" disables log rotation.
 MaxLogSize 0
 
-# Listen to all
+# Default error policy for printers
+ErrorPolicy retry-job
+
+# Only listen for connections from the local machine.
 Port 631
-Listen /var/run/cups/cups.sock
+Listen /run/cups/cups.sock
 
 # Show shared printers on the local network.
-Browsing On
+Browsing Yes
 BrowseLocalProtocols all
 
 # Default authentication type, when authentication is required...
 DefaultAuthType Basic
-DefaultEncryption Required
-
-# Host header validation
-
-ServerAlias {{.hostname}}.local {{.internal}} {{.external}}
-
-ServerName {{.hostname}}
 
 # Web interface setting...
 WebInterface Yes
 
+# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
+IdleExitTimeout 60
+
 # Restrict access to the server...
 <Location />
   Order allow,deny
-  Allow all
-  Encryption {{if .require_ssl}}Required{{else}}IfRequested{{end}}
+  Allow @LOCAL
 </Location>
 
 # Restrict access to the admin pages...
 <Location /admin>
   Order allow,deny
-  Allow all
+  Allow @LOCAL
 </Location>
 
 # Restrict access to configuration files...
 <Location /admin/conf>
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
-  Allow 172.0.0.1
-  Satisfy any
+</Location>
+
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
 </Location>
 
 # Set the default printer/job policies...
@@ -70,35 +72,27 @@ WebInterface Yes
 
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All printer operations require a printer operator to authenticate...
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # Only the owner or an administrator can cancel or authenticate a job...
   <Limit Cancel-Job CUPS-Authenticate-Job>
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   <Limit All>
@@ -123,42 +117,78 @@ WebInterface Yes
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     AuthType Default
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # All printer operations require a printer operator to authenticate...
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
   </Limit>
 
   # Only the owner or an administrator can cancel or authenticate a job...
   <Limit Cancel-Job CUPS-Authenticate-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
-    Order allow,deny
-    Allow 172.0.0.1
-    Satisfy any
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the kerberized printer/job policies...
+<Policy kerberos>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
   </Limit>
 
   <Limit All>
     Order deny,allow
   </Limit>
 </Policy>
 
-#
-#