From 7089f389997032072da02188146557ceb2c2ea5b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:24:28 +0000 Subject: [PATCH] cups_server: Fix authentication and authorization --- roles/cups_server/tasks/main.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 5b98c24..9b4bcc3 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml @@ -15,7 +15,9 @@ - name: Configure cups keytab location ansible.builtin.copy: dest: /etc/systemd/system/cups.service.d/keytab.conf - content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n" + content: | + [Service] + Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -38,7 +40,7 @@ ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf line: "SSLListen 631" - insertafter: "Listen /var/run/cups/cups.sock" + insertafter: "^Listen .*.sock" notify: Restart cups - name: Require tls 1.3 @@ -94,10 +96,18 @@ - name: Disable unauthenticated access from cups ansible.builtin.blockinfile: path: /etc/cups/cupsd.conf - insertafter: "^" - block: | - AuthType Default - Require user @foosh + marker: "{mark}" + marker_begin: "" + marker_end: "" + block: |2 + AuthType Default + Require group foosh + Order deny,allow + + + AuthType Default + Require group sysadm + Order deny,allow notify: Restart cups - name: Configure cups admin group
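Review bot: The new pattern in the second hunk, `insertafter: "^Listen .*.sock"`, leaves the dot before `sock` unescaped, so it matches any character there rather than a literal socket suffix. Writing it as `insertafter: '^Listen .*\.sock'` (single-quoted so the backslash stays literal) says what is meant. When the pattern matches nothing, lineinfile silently appends the line at end of file, so a short comment such as `# falls back to EOF if no socket Listen line exists` would help the next reader. The task's `- name:` line is above the hunk, so the rest of the task is not visible here.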
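Review bot: Both access blocks written by the `Disable unauthenticated access from cups` task use `Order deny,allow` with no `Deny` or `Allow` line visible. In cupsd.conf that order allows every client address by default, so the `Require group` check is the only gate on a listener this role exposes on port 631. For what appears to be the administrative block (the one requiring `sysadm`), I would use `Order allow,deny` plus an `Allow` line for the management networks, so that group membership alone is not sufficient from an arbitrary host. The group names `foosh` and `sysadm` are hard-coded although the same file already uses `{{ ansible_wheel }}`; role variables would keep the policy reviewable in one place. As rendered on this page `marker_begin` and `marker_end` are empty strings, which looks like lost tag text, so the marker matching is not assessed here.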