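---
# Installs and configures a CUPS print server:
#   * Kerberos (GSSAPI / Negotiate) authentication, with a dedicated keytab
#     handed to cupsd through a systemd drop-in
#   * a TLS listener on 631 requiring at least TLS 1.3, using the host's
#     certificate and key linked from tls_certs / tls_private
#   * group-based access control in cupsd.conf and cups-files.conf
#   * printer queues synchronised from LDAP device entries (cn=*.print.foo.sh)
# Variables expected from the inventory: ansible_wheel, tls_private,
# tls_certs, ansible_server, ldap_basedn, ldap_server.  The "Restart cups"
# handler is defined outside this file.

- name: Install cups packages
  ansible.builtin.package:
    name: cups
    # "present" is the state documented for ansible.builtin.package;
    # "installed" is only an alias understood by the yum/dnf backends and is
    # not accepted by every package module (e.g. apt).
    state: present

- name: Create cups systemd override directory
  ansible.builtin.file:
    path: /etc/systemd/system/cups.service.d
    state: directory
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Configure cups keytab location
  ansible.builtin.copy:
    dest: /etc/systemd/system/cups.service.d/keytab.conf
    # KRB5_KTNAME points the Kerberos library used by cupsd at a dedicated
    # keytab instead of the system default.
    content: |
      [Service]
      Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  # A changed drop-in only takes effect after a daemon-reload and a restart
  # of cups.  NOTE(review): confirm the "Restart cups" handler reloads
  # systemd units; otherwise add a daemon_reload step to it.
  notify: Restart cups

- name: Enable gssapi authentication from cups
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^DefaultAuthType .*"
    line: "DefaultAuthType Negotiate"
  notify: Restart cups

- name: Disable cups plain text port
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    # Matches "Listen localhost:631", "Listen *:631" and the already
    # commented form, so the task stays idempotent.
    regexp: "^#?Listen (.*:)?631"
    line: "#Listen 631"
  notify: Restart cups

# NOTE(review): the task above comments out "Listen ...:631", yet "Port 631"
# is presumably equivalent to "Listen *:631" and "SSLListen 631" below binds
# the same port.  Confirm the intended listener set against a rendered
# cupsd.conf before relying on the plain-text port being closed.
- name: Share printers
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "Port 631"
    insertbefore: "^Listen .*.sock"
  notify: Restart cups

- name: Set ssl listen port
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "SSLListen 631"
    insertafter: "^Listen .*.sock"
  notify: Restart cups

- name: Require tls 1.3
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "SSLOptions MinTLS1.3"
    insertafter: "SSLListen 631"
  notify: Restart cups

- name: Write all requests to cups access log
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "AccessLogLevel all"
    insertafter: "LogLevel warn"
  notify: Restart cups

- name: Disable printer advertisements
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^BrowseLocalProtocols .*"
    line: "BrowseLocalProtocols none"
  notify: Restart cups

# The key and certificate are symlinked, not copied, so renewals in
# tls_private / tls_certs are picked up on the next restart.  force: true
# replaces any pre-existing regular file at the destination.
- name: Link private key
  ansible.builtin.file:
    dest: "/etc/cups/ssl/{{ inventory_hostname }}.key"
    src: "{{ tls_private }}/{{ inventory_hostname }}.key"
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    force: true
  notify: Restart cups

- name: Link certificate
  ansible.builtin.file:
    dest: "/etc/cups/ssl/{{ inventory_hostname }}.crt"
    src: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    force: true
  notify: Restart cups

- name: Enable printer sharing
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^Browsing .*"
    line: "Browsing Yes"
  notify: Restart cups

- name: Disable unauthenticated access from cups
  ansible.builtin.blockinfile:
    path: /etc/cups/cupsd.conf
    # Empty markers keep blockinfile's marker comments out of cupsd.conf.
    # NOTE(review): with empty begin/end markers blockinfile cannot find its
    # own block on later runs, so re-runs may duplicate it; a real "# ..."
    # marker (cupsd.conf treats "#" lines as comments) would be safer.
    marker: "{mark}"
    marker_begin: ""
    marker_end: ""
    # NOTE(review): AuthType / Require / Order are only valid inside a
    # <Location>, <Limit> or <Policy> container in cupsd.conf; the enclosing
    # container lines appear to be missing from this copy — confirm against
    # the repository before applying.
    block: |2
        AuthType Default
        Require group foosh
        Order deny,allow
        AuthType Default
        Require group sysadm
        Order deny,allow
  notify: Restart cups

- name: Configure cups admin group
  ansible.builtin.lineinfile:
    path: /etc/cups/cups-files.conf
    regexp: "^SystemGroup .*"
    line: "SystemGroup root sysadm"
  notify: Restart cups

- name: Add static files to cups web interface
  ansible.builtin.copy:
    dest: "/usr/share/cups/www/{{ item }}"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  with_items:
    - logo.png
    - local.css

- name: Create custom header for cups web interface
  ansible.builtin.copy:
    dest: /usr/share/cups/templates/header.tmpl
    src: header.tmpl
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# cupsd is run as a plain service rather than socket-activated.
- name: Disable cups socket service
  ansible.builtin.systemd:
    name: cups.socket
    enabled: false
    state: stopped

- name: Enable cups service
  ansible.builtin.service:
    name: cups
    enabled: true
    state: started

- name: Copy ppd files
  ansible.builtin.copy:
    dest: /usr/local/share/cups-ppd/
    src: cups-ppd/
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Get printers from LDAP
  community.general.ldap_search:
    attrs:
      - cn
      - description
      - l
    # The search runs on the Ansible host (delegate_to below) and
    # authenticates with that host's own client certificate and key.
    client_cert: >-
      {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt
    client_key: >-
      {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key
    dn: "{{ ldap_basedn }}"
    filter: "(&(objectClass=device)(cn=*.print.foo.sh))"
    scope: subordinate
    server_uri: "ldaps://{{ ldap_server[0] }}"
  delegate_to: localhost
  register: printers

# Read-only inventory of the queues cupsd currently knows about.
- name: Get printers list
  ansible.builtin.command:
    argv:
      - lpstat
      - -e
  changed_when: false
  register: result

- name: Add printers
  ansible.builtin.command:
    argv:
      - lpadmin
      - -D
      - "{{ item.description }}"
      - -i
      # PPD path derived from the LDAP description, spaces replaced by "_".
      - >-
        {{ '/usr/local/share/cups-ppd/' + item.description | regex_replace(' ', '_') + '.ppd' }}
      - -L
      - "{{ item.l }}"
      - -o
      - media=a4
      - -o
      - cupsSNMPSupplies=true
      - -o
      - printer-error-policy=abort-job
      - -o
      - printer-is-shared=true
      - -v
      # NOTE(review): the device URI is plain http (IPP without TLS) to the
      # printer; confirm whether the devices offer ipps.
      - "http://{{ item.cn }}:631"
      - -p
      - "{{ item.cn | split('.') | first }}"
      # Per lpadmin(8), -E placed after -p enables the queue and accepts
      # jobs (before -p it would instead force TLS to the scheduler).
      - -E
  # Only LDAP entries whose cn is not already a known queue
  # (lpstat prints short names, so the domain suffix is re-added).
  with_items: >-
    {{ printers.results
       | rejectattr('cn', 'in', result.stdout_lines | map('regex_replace', '$', '.print.foo.sh') | list)
       | list }}

- name: Remove printers
  ansible.builtin.command:
    argv:
      - lpadmin
      - -x
      - "{{ item }}"
  # Queues known to lpstat that no longer have an LDAP entry
  # (cn compared with the ".print.foo.sh" suffix stripped).
  with_items: >-
    {{ result.stdout_lines
       | reject('in', printers.results | map(attribute='cn') | map('regex_replace', '.print.foo.sh$', '') | list)
       | list }}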