diff --git a/roles/cups-server/tasks/main.yml b/roles/cups-server/tasks/main.yml
index 221589c..7fa1bae 100644
--- a/roles/cups-server/tasks/main.yml
+++ b/roles/cups-server/tasks/main.yml
@@ -27,11 +27,25 @@
 line: "DefaultAuthType Negotiate"
 notify: restart cups
-- name: configure cups listen port
+- name: disable cups plain text port
 lineinfile:
 path: /etc/cups/cupsd.conf
- regexp: "^Listen (.*:)?631"
- line: "Listen 631"
+ regexp: "^#?Listen (.*:)?631"
+ line: "#Listen 631"
+ notify: restart cups
+
+- name: set ssl listen port
+ lineinfile:
+ path: /etc/cups/cupsd.conf
+ line: "SSLListen 631"
+ insertafter: "Listen /var/run/cups/cups.sock"
+ notify: restart cups
+
+- name: require tls 1.2
+ lineinfile:
+ path: /etc/cups/cupsd.conf
+ line: "SSLOptions MinTLS1.3"
+ insertafter: "SSLListen 631"
 notify: restart cups
 - name: write all requests to cups access log
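Review bot: The task named `require tls 1.2` writes `SSLOptions MinTLS1.3`, so the name and the enforced floor disagree; either rename it to `require tls 1.3` or write `MinTLS1.2`, depending on which floor is intended (a 1.3 floor rejects clients that only speak TLS 1.2). The same task has no `regexp`, so an `SSLOptions` line already present in cupsd.conf is left in place and a second one is added after `SSLListen 631`; adding `regexp: "^#?SSLOptions "` makes the task replace the existing line instead. In the first task, `lineinfile` rewrites only the last line matching `^#?Listen (.*:)?631`, so a file that carries several `Listen …:631` lines would presumably keep a cleartext listener, and a `replace` task would cover all of them. It is also worth confirming that the CUPS version on the target hosts accepts `MinTLS1.3` and `SSLListen`, since a directive cupsd does not recognise would leave the listener without the intended TLS setting.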