init

.env

@@ -0,0 +1,2 @@
+ADMIN_USER=print
+ADMIN_PWD=print

.gitignore

@@ -0,0 +1,3 @@
+/data
+/cups/drivers
+.idea

README.md

@@ -0,0 +1,15 @@
+Installation
+============
+
+Replace/set the following in `.env`:
+- `ADMIN_USER`: The admin username
+- `ADMIN_PWD`: The password for the `${ADMIN_USER}` admin user
+
+Copy the default cups config and run compose.
+
+WARNING: Cups will fail and exit immediately if there is no valid `cupsd.conf` in `data/cups/config`.
+
+```shell
+cp -ar data_example data
+docker-compose up --build -d
+```

cups/Dockerfile

@@ -0,0 +1,43 @@
+FROM debian:buster
+
+RUN apt-get update && \
+      DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -yq \
+      locales \
+      sudo \
+      whois \
+      cups \
+      printer-driver-all \
+      foomatic-db-compressed-ppds \
+      openprinting-ppds \
+      gutenprint-locales \
+      && \
+      apt-get clean && \
+      rm -rf /var/lib/apt/lists/*
+
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+ARG ADMIN_USER=print
+ARG ADMIN_PWD=print
+
+RUN useradd \
+  --groups=sudo,lp,lpadmin \
+  --create-home \
+  --home-dir=/home/${ADMIN_USER} \
+  --shell=/bin/bash \
+  --password=$(mkpasswd ${ADMIN_PWD}) \
+  ${ADMIN_USER} \
+  && sed -i '/%sudo[[:space:]]/ s/ALL[[:space:]]*$/NOPASSWD:ALL/' /etc/sudoers
+
+COPY ./drivers /tmp/drivers
+
+COPY ./bin /usr/local/bin
+
+RUN install_drivers -d /tmp/drivers && \
+    rm -rf /tmp/drivers
+
+EXPOSE 631
+
+ENTRYPOINT ["/usr/sbin/cupsd", "-f"]

cups/bin/install_drivers

@@ -0,0 +1,54 @@
+#! /bin/bash
+
+main() {
+
+  drivers_dir=""
+
+  while getopts "hd:" arg; do
+    case "${arg}" in
+    h)
+      echo '--help'
+      ;;
+    d)
+      drivers_dir="${OPTARG}"
+      ;;
+    *)
+      echo '??'
+      ;;
+    esac
+  done
+
+  shopt -s nullglob
+  set -e
+
+  echo "==== Driver dir: ${drivers_dir}"
+
+  for file in "${drivers_dir}"/*; do
+    echo "==== Processing ${file}..."
+    case "${file}" in
+    *.deb)
+      dpkg -i "${file}" || :
+      ;;
+    *.sh)
+      "${file}"
+      ;;
+    *.ppd)
+      cp "${file}" /usr/share/ppd/
+      ;;
+    *)
+      echo "==== Ignoring ${file}"
+      ;;
+    esac
+  done
+
+  if ! apt-get install; then
+    echo "==== Apt seems broken. Fixing..."
+    apt-get update &&
+      DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -yqf &&
+      apt-get clean &&
+      rm -rf /var/lib/apt/lists/*
+  fi
+
+}
+
+main "${@}"

data_example/cups/config/cupsd.conf

@@ -0,0 +1,142 @@
+#
+#
+# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+ServerAlias *
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel warn
+
+# Deactivate CUPS' internal logrotating, as we provide a better one, especially
+# LogLevel debug2 gets usable now
+MaxLogSize 0
+
+# Listen to all
+Port 631
+Listen /var/run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+DefaultEncryption IfRequested
+
+# Web interface setting...
+WebInterface Yes
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+  Allow all
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  Order allow,deny
+  Allow all
+</Location>
+
+# Restrict access to configuration files...
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow all
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the authenticated printer/job policies...
+<Policy authenticated>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+#
+#

docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+  cups:
+    build:
+      context: ./cups
+      args:
+        ADMIN_USER: ${ADMIN_USER}
+        ADMIN_PWD: ${ADMIN_PWD}
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:35631:631"
+    volumes:
+      - /var/run/dbus:/var/run/dbus
+      - /dev/bus/usb:/dev/bus/usb
+      - ./data/cups/config:/etc/cups
+      - ./data/cups/cache:/var/cache/cups
+      - ./data/cups/log:/var/log/cups
+    privileged: true