CUPS service (#79)

Co-authored-by: Lucas Vazquez <lucas.vazquez@enviame.io>
agritheory · Jan 24, 2024 · ac2c3ad · ac2c3ad
1 parent d6d1b5f
commit ac2c3ad
Show file tree

Hide file tree

Showing 11 changed files with 507 additions and 0 deletions.
diff --git a/cups/.env.example b/cups/.env.example
@@ -0,0 +1,14 @@
+# Prefix for services and networks.
+CONTAINER_NAME_PREFIX=printers
+
+CONTAINER_CADDY_SERVICE_HTTP_PORT=80
+CONTAINER_CADDY_SERVICE_HTTPS_PORT=443
+
+# The CONTAINER_TARGET could be `localhost` or `production`.
+# Production mode requires a DOMAIN and EMAIL for certbot.
+CONTAINER_TARGET=localhost
+CERTBOT_EMAIL=
+CERTBOT_DOMAIN=
+
+CUPS_ADMIN_USER=admin
+CUPS_ADMIN_PASSWORD=root
diff --git a/cups/README.md b/cups/README.md
@@ -0,0 +1,109 @@
+# Printers
+
+Printers service containerized.
+Caddy (with TLS) + CUPS.
+
+<details><summary>Podman</summary>
+
+## Initial Setup
+
+```sh
+echo 'unqualified-search-registries = ["docker.io"]' | sudo tee -a /etc/containers/registries.conf
+cp .env.example .env
+podman-compose build
+```
+
+## Run the container containers
+
+### Develop
+
+1) Ensure the `CONTAINER_TARGET` env variable is `localhost`.
+2) Run the container:
+```sh
+podman-compose up --remove-orphans --abort-on-container-exit
+```
+
+### Production
+
+1) Ensure the `CONTAINER_TARGET` env variable is `production`.
+2) Complete the `CERTBOT_EMAIL` and `CERTBOT_DOMAIN` env variables.
+3) Run the container in background:
+```sh
+podman-compose up --remove-orphans -d
+```
+
+## Handle containers
+
+Stop the containers:
+```sh
+prefix="$(grep -E '^CONTAINER_NAME_PREFIX=' .env | cut -d '=' -f2)" \
+   podman ps --format="{{.Names}}" | grep "$prefix" | xargs -r podman kill
+```
+
+Delete everything related to containers (requires them to be stopped):
+```sh
+prefix="$(grep -E '^CONTAINER_NAME_PREFIX=' .env | cut -d '=' -f2)" \
+  && # Delete containers:
+     podman ps -a --format="{{.Names}}" | grep "$prefix" | xargs -r podman rm \
+  && # Delete volumes:
+     podman volume ls --format="{{.Name}}" | grep "$prefix" | xargs -r podman volume rm \
+  && # Delete bind mounts:
+     awk '/volumes:/ { while (getline > 0) { if ($1 ~ /^-/) { split($2, parts, ":"); if (parts[1] ~ /^\.\//) { print parts[1] } } else { break } } }' podman-compose.yml \
+     | xargs -I {} sudo rm -rf {} \
+  && # Delete networks:
+     podman network ls --format="{{.Name}}" | grep "$prefix" | xargs -r podman network rm
+```
+
+</details>
+
+<details><summary>Docker</summary>
+
+## Initial Setup
+
+```sh
+cp .env.example .env
+docker compose build
+```
+
+## Run the container containers
+
+### Develop
+
+1) Ensure the `CONTAINER_TARGET` env variable is `localhost`.
+2) Run the container:
+```sh
+docker compose up --remove-orphans --abort-on-container-exit
+```
+
+### Production
+
+1) Ensure the `CONTAINER_TARGET` env variable is `production`.
+2) Complete the `CERTBOT_EMAIL` and `CERTBOT_DOMAIN` env variables.
+3) Run the container in background:
+```sh
+docker compose up --remove-orphans -d
+```
+
+## Handle containers
+
+Stop the containers:
+```sh
+prefix="$(grep -E '^CONTAINER_NAME_PREFIX=' .env | cut -d '=' -f2)" \
+   docker ps --format="{{.Names}}" | grep "$prefix" | xargs -r docker kill
+```
+
+Delete everything related to containers (requires them to be stopped):
+```sh
+prefix="$(grep -E '^CONTAINER_NAME_PREFIX=' .env | cut -d '=' -f2)" \
+  && # Delete containers:
+     docker ps -a --format="{{.Names}}" | grep "$prefix" | xargs -r docker rm \
+  && # Delete volumes:
+     docker volume ls --format="{{.Name}}" | grep "$prefix" | xargs -r docker volume rm \
+  && # Delete bind mounts:
+     awk '/volumes:/ { while (getline > 0) { if ($1 ~ /^-/) { split($2, parts, ":"); if (parts[1] ~ /^\.\//) { print parts[1] } } else { break } } }' docker-compose.yml \
+     | xargs -I {} sudo rm -rf {} \
+  && # Delete networks:
+     docker network ls --format="{{.Name}}" | grep "$prefix" | xargs -r docker network rm
+```
+
+</details>
diff --git a/cups/caddy/Caddyfile.localhost b/cups/caddy/Caddyfile.localhost
@@ -0,0 +1,8 @@
+http://localhost:80 {
+        reverse_proxy * cups:631
+}
+
+https://localhost:443 {
+        redir http://{host}{uri}
+        tls internal
+}
diff --git a/cups/caddy/Caddyfile.not_ssl b/cups/caddy/Caddyfile.not_ssl
@@ -0,0 +1,7 @@
+http://<DOMAIN>:80 {
+        route /.well-known/acme-challenge/* {
+                root * /var/www/html
+                file_server
+        }
+        reverse_proxy * cups:631
+}
diff --git a/cups/caddy/Caddyfile.ssl b/cups/caddy/Caddyfile.ssl
@@ -0,0 +1,8 @@
+https://<DOMAIN>:443 {
+        route /.well-known/acme-challenge/* {
+                root * /var/www/html
+                file_server
+        }
+        reverse_proxy * cups:631
+        tls /var/www/certs/fullchain.pem /var/www/certs/privkey.pem
+}
diff --git a/cups/caddy/Containerfile b/cups/caddy/Containerfile
@@ -0,0 +1,28 @@
+FROM caddy:2.7.5-alpine AS base
+
+RUN apk update \
+    && apk add --no-cache \
+        certbot
+
+COPY \
+        Caddyfile.ssl \
+        Caddyfile.not_ssl \
+        Caddyfile.localhost \
+    /etc/caddy/
+
+RUN cd /etc/caddy \
+    && sed -i "s/<DOMAIN>/${DOMAIN}/g" Caddyfile.*
+
+FROM base AS localhost
+
+CMD [\
+    "caddy", \
+    "run", \
+    "--config=/etc/caddy/Caddyfile.localhost" \
+]
+
+FROM base AS production
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/cups/caddy/entrypoint.sh b/cups/caddy/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+# Generate and validate the certificate for the first time.
+if [ ! -d /var/www/certs ] || [ -z "$(ls -A /var/www/certs)" ]; then
+    mkdir /var/www/certs
+    mkdir -p /var/www/html/.well-known/acme-challenge
+
+    caddy run --config /etc/caddy/Caddyfile.not_ssl > caddy.log 2>&1 &
+    echo $! > caddy.pid
+
+    certbot certonly --webroot -w /var/www/html -d "$CERTBOT_DOMAIN" --email "$CERTBOT_EMAIL" --agree-tos
+    cp /etc/letsencrypt/live/"$CERTBOT_DOMAIN"/fullchain.pem /var/www/certs/fullchain.pem
+    cp /etc/letsencrypt/live/"$CERTBOT_DOMAIN"/privkey.pem /var/www/certs/privkey.pem
+
+    kill -SIGINT "$(cat caddy.pid)"
+    rm caddy.pid
+fi
+
+# Try to renew the certificate every day.
+echo "0 0 * * * certbot renew --quiet" | crontab -
+
+caddy run --config /etc/caddy/Caddyfile.ssl
diff --git a/cups/cups/Containerfile b/cups/cups/Containerfile
@@ -0,0 +1,47 @@
+FROM debian:testing-slim
+
+# Install Packages (basic tools, cups, basic drivers, HP drivers)
+RUN apt-get update \
+    && apt-get install -y \
+        sudo \
+        whois \
+        usbutils \
+        cups \
+        cups-client \
+        cups-bsd \
+        cups-filters \
+        foomatic-db-compressed-ppds \
+        printer-driver-all \
+        openprinting-ppds \
+        hpijs-ppds \
+        hp-ppd \
+        hplip \
+        smbclient \
+        printer-driver-cups-pdf \
+        hplip \
+        printer-driver-gutenprint \
+        avahi-daemon \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG CUPS_ADMIN_USER
+ARG CUPS_ADMIN_PASSWORD
+RUN useradd \
+        --create-home \
+        --groups sudo,lp,lpadmin \
+        --shell=/bin/bash \
+        --password=$(mkpasswd $CUPS_ADMIN_PASSWORD) \
+        $CUPS_ADMIN_USER \
+    && echo "$CUPS_ADMIN_USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+USER $CUPS_ADMIN_USER
+
+COPY cupsd.conf /etc/cups/cupsd.conf
+RUN sudo chmod -R a+rwx /var/spool \
+    && sudo chmod -R a+rwx /etc/cups
+
+COPY avahi-daemon.conf /etc/avahi/avahi-daemon.conf
+
+CMD [\
+    "/usr/sbin/cupsd", \
+    "-f" \
+]