From bba8c8e446fd6fc883be9feeec7b5d5ded98d861 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 2 Sep 2021 22:19:12 +0000
Subject: [PATCH] cups-server: Require SSL when connecting to CUPS
---
 roles/cups-server/tasks/main.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/roles/cups-server/tasks/main.yml b/roles/cups-server/tasks/main.yml
index 221589c..7fa1bae 100644
--- a/roles/cups-server/tasks/main.yml
+++ b/roles/cups-server/tasks/main.yml
@@ -27,11 +27,25 @@
 line: "DefaultAuthType Negotiate"
 notify: restart cups
 
-- name: configure cups listen port
+- name: disable cups plain text port
 lineinfile:
 path: /etc/cups/cupsd.conf
- regexp: "^Listen (.*:)?631"
- line: "Listen 631"
+ regexp: "^#?Listen (.*:)?631"
+ line: "#Listen 631"
+ notify: restart cups
+
+- name: set ssl listen port
+ lineinfile:
+ path: /etc/cups/cupsd.conf
+ line: "SSLListen 631"
+ insertafter: "Listen /var/run/cups/cups.sock"
+ notify: restart cups
+
+- name: require tls 1.2
+ lineinfile:
+ path: /etc/cups/cupsd.conf
+ line: "SSLOptions MinTLS1.3"
+ insertafter: "SSLListen 631"
 notify: restart cups
 
 - name: write all requests to cups access log
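Review bot: The last added task is named `require tls 1.2` but writes `SSLOptions MinTLS1.3`, so either the name or the protocol floor is wrong; if 1.3 is intended the task should be renamed, and if clients limited to TLS 1.2 must still be able to print it should be `line: "SSLOptions MinTLS1.2"`. That task and `set ssl listen port` also carry no `regexp`, so an `SSLOptions` line already present in cupsd.conf with different values is left in place and a second directive is added next to it; adding `regexp: "^#?SSLOptions "` would make the task own the setting. In `disable cups plain text port`, lineinfile rewrites only the last line matching `^#?Listen (.*:)?631`, so a file with several such lines, or one that uses a `Port 631` directive, may keep a cleartext listener after the run. The contents of cupsd.conf are not visible in this patch, so the rendered file is worth checking for remaining `Listen` and `Port` lines on a target host.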