HCoop / jackhill / guix / guix.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
services: 'references-file' depends on Guile-Gcrypt.
[jackhill/guix/guix.git] / gnu / services / cups.scm
CommitLineData
f2ec23d1
AW		 1;;; GNU Guix --- Functional package management for GNU
2;;; Copyright © 2016 Andy Wingo <wingo@pobox.com>
e57bd0be 3;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
86cd3f97 4;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
36273ebd 5;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
f9c1ebdb 6;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
f2ec23d1
AW		 7;;;
8;;; This file is part of GNU Guix.
9;;;
10;;; GNU Guix is free software; you can redistribute it and/or modify it
11;;; under the terms of the GNU General Public License as published by
12;;; the Free Software Foundation; either version 3 of the License, or (at
13;;; your option) any later version.
14;;;
15;;; GNU Guix is distributed in the hope that it will be useful, but
16;;; WITHOUT ANY WARRANTY; without even the implied warranty of
17;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18;;; GNU General Public License for more details.
19;;;
20;;; You should have received a copy of the GNU General Public License
21;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22
23(define-module (gnu services cups)
24 #:use-module (gnu services)
25 #:use-module (gnu services shepherd)
5305ed20 26 #:use-module (gnu services configuration)
f2ec23d1
AW		 27 #:use-module (gnu system shadow)
28 #:use-module (gnu packages admin)
29 #:use-module (gnu packages cups)
30 #:use-module (gnu packages tls)
31 #:use-module (guix packages)
32 #:use-module (guix records)
33 #:use-module (guix gexp)
f2ec23d1
AW		 34 #:use-module (ice-9 match)
35 #:use-module ((srfi srfi-1) #:select (append-map))
5305ed20 36 #:export (cups-service-type
f2ec23d1
AW		 37 cups-configuration
38 opaque-cups-configuration
39
40 files-configuration
41 policy-configuration
42 location-access-control
43 operation-access-control
44 method-access-control))
45
46;;; Commentary:
47;;;
48;;; Service defininition for the CUPS printing system.
49;;;
50;;; Code:
51
f2ec23d1
AW		 52(define %cups-accounts
53 (list (user-group (name "lp") (system? #t))
54 (user-group (name "lpadmin") (system? #t))
55 (user-account
56 (name "lp")
57 (group "lp")
58 (system? #t)
59 (comment "System user for invoking printing helper programs")
60 (home-directory "/var/empty")
61 (shell (file-append shadow "/sbin/nologin")))))
62
720cb10c
CL		 63(define (uglify-field-name field-name)
64 (let ((str (symbol->string field-name)))
65 (string-concatenate
66 (map string-titlecase
67 (string-split (if (string-suffix? "?" str)
68 (substring str 0 (1- (string-length str)))
69 str)
70 #\-)))))
71
72(define (serialize-field field-name val)
73 (format #t "~a ~a\n" (uglify-field-name field-name) val))
74
75(define (serialize-string field-name val)
76 (serialize-field field-name val))
77
f2ec23d1
AW		 78(define (multiline-string-list? val)
79 (and (list? val)
80 (and-map (lambda (x)
81 (and (string? x) (not (string-index x #\space))))
82 val)))
83(define (serialize-multiline-string-list field-name val)
84 (for-each (lambda (str) (serialize-field field-name str)) val))
85
ee0de994
TGR		 86(define (comma-separated-string-list? val)
87 (and (list? val)
88 (and-map (lambda (x)
89 (and (string? x) (not (string-index x #\,))))
90 val)))
91(define (serialize-comma-separated-string-list field-name val)
92 (serialize-field field-name (string-join val ",")))
93
720cb10c
CL		 94(define (space-separated-string-list? val)
95 (and (list? val)
96 (and-map (lambda (x)
97 (and (string? x) (not (string-index x #\space))))
98 val)))
99(define (serialize-space-separated-string-list field-name val)
100 (serialize-field field-name (string-join val " ")))
101
f2ec23d1
AW		 102(define (space-separated-symbol-list? val)
103 (and (list? val) (and-map symbol? val)))
104(define (serialize-space-separated-symbol-list field-name val)
105 (serialize-field field-name (string-join (map symbol->string val) " ")))
106
720cb10c
CL		 107(define (file-name? val)
108 (and (string? val)
109 (string-prefix? "/" val)))
110(define (serialize-file-name field-name val)
111 (serialize-string field-name val))
112
113(define (serialize-boolean field-name val)
114 (serialize-string field-name (if val "yes" "no")))
115
f2ec23d1
AW		 116(define (non-negative-integer? val)
117 (and (exact-integer? val) (not (negative? val))))
118(define (serialize-non-negative-integer field-name val)
119 (serialize-field field-name val))
120
121(define-syntax define-enumerated-field-type
122 (lambda (x)
123 (define (id-append ctx . parts)
124 (datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
125 (syntax-case x ()
126 ((_ name (option ...))
127 #`(begin
128 (define (#,(id-append #'name #'name #'?) x)
129 (memq x '(option ...)))
130 (define (#,(id-append #'name #'serialize- #'name) field-name val)
131 (serialize-field field-name val)))))))
132
133(define-enumerated-field-type access-log-level
134 (config actions all))
135(define-enumerated-field-type browse-local-protocols
136 (all dnssd none))
137(define-enumerated-field-type default-auth-type
138 (Basic Negotiate))
139(define-enumerated-field-type default-encryption
140 (Never IfRequested Required))
141(define-enumerated-field-type error-policy
5a097cdd 142 (abort-job retry-job retry-current-job stop-printer))
f2ec23d1
AW		 143(define-enumerated-field-type log-level
144 (none emerg alert crit error warn notice info debug debug2))
145(define-enumerated-field-type log-time-format
146 (standard usecs))
147(define-enumerated-field-type server-tokens
148 (None ProductOnly Major Minor Minimal OS Full))
149(define-enumerated-field-type method
150 (DELETE GET HEAD OPTIONS POST PUT TRACE))
151(define-enumerated-field-type sandboxing
152 (relaxed strict))
153
154(define (method-list? val)
155 (and (list? val) (and-map method? val)))
156(define (serialize-method-list field-name val)
157 (serialize-field field-name (string-join (map symbol->string val) " ")))
158
159(define (host-name-lookups? val)
160 (memq val '(#f #t 'double)))
161(define (serialize-host-name-lookups field-name val)
162 (serialize-field field-name
163 (match val (#f "No") (#t "Yes") ('double "Double"))))
164
165(define (host-name-list-or-*? x)
166 (or (eq? x '*)
167 (and (list? x) (and-map string? x))))
168(define (serialize-host-name-list-or-* field-name val)
169 (serialize-field field-name (match val
170 ('* '*)
171 (names (string-join names " ")))))
172
173(define (boolean-or-non-negative-integer? x)
174 (or (boolean? x) (non-negative-integer? x)))
175(define (serialize-boolean-or-non-negative-integer field-name x)
176 (if (boolean? x)
177 (serialize-boolean field-name x)
178 (serialize-non-negative-integer field-name x)))
179
180(define (ssl-options? x)
181 (and (list? x)
f9c1ebdb
TGR		 182 (and-map (lambda (elt) (memq elt '(AllowRC4
183 AllowSSL3
184 DenyCBC
185 DenyTLS1.0))) x)))
f2ec23d1
AW		 186(define (serialize-ssl-options field-name val)
187 (serialize-field field-name
188 (match val
189 (() "None")
190 (opts (string-join (map symbol->string opts) " ")))))
191
192(define (serialize-access-control x)
193 (display x)
194 (newline))
195(define (serialize-access-control-list field-name val)
196 (for-each serialize-access-control val))
197(define (access-control-list? val)
198 (and (list? val) (and-map string? val)))
199
200(define-configuration operation-access-control
201 (operations
202 (space-separated-symbol-list '())
203 "IPP operations to which this access control applies.")
204 (access-controls
205 (access-control-list '())
206 "Access control directives, as a list of strings. Each string should be one directive, such as \"Order allow,deny\"."))
207
208(define-configuration method-access-control
209 (reverse?
210 (boolean #f)
211 "If @code{#t}, apply access controls to all methods except the listed
212methods. Otherwise apply to only the listed methods.")
213 (methods
214 (method-list '())
215 "Methods to which this access control applies.")
216 (access-controls
217 (access-control-list '())
218 "Access control directives, as a list of strings. Each string should be one directive, such as \"Order allow,deny\"."))
219
220(define (serialize-operation-access-control x)
221 (format #t "<Limit ~a>\n"
222 (string-join (map symbol->string
223 (operation-access-control-operations x)) " "))
224 (serialize-configuration
225 x
226 (filter (lambda (field)
227 (not (eq? (configuration-field-name field) 'operations)))
228 operation-access-control-fields))
229 (format #t "</Limit>\n"))
230
231(define (serialize-method-access-control x)
232 (let ((limit (if (method-access-control-reverse? x) "LimitExcept" "Limit")))
233 (format #t "<~a ~a>\n" limit
234 (string-join (map symbol->string
235 (method-access-control-methods x)) " "))
236 (serialize-configuration
237 x
238 (filter (lambda (field)
239 (case (configuration-field-name field)
240 ((reverse? methods) #f)
241 (else #t)))
242 method-access-control-fields))
243 (format #t "</~a>\n" limit)))
244
245(define (operation-access-control-list? val)
246 (and (list? val) (and-map operation-access-control? val)))
247(define (serialize-operation-access-control-list field-name val)
248 (for-each serialize-operation-access-control val))
249
250(define (method-access-control-list? val)
251 (and (list? val) (and-map method-access-control? val)))
252(define (serialize-method-access-control-list field-name val)
253 (for-each serialize-method-access-control val))
254
255(define-configuration location-access-control
256 (path
5305ed20 257 (file-name (configuration-missing-field 'location-access-control 'path))
f2ec23d1
AW		 258 "Specifies the URI path to which the access control applies.")
259 (access-controls
260 (access-control-list '())
261 "Access controls for all access to this path, in the same format as the
262@code{access-controls} of @code{operation-access-control}.")
263 (method-access-controls
264 (method-access-control-list '())
265 "Access controls for method-specific access to this path."))
266
267(define (serialize-location-access-control x)
268 (format #t "<Location ~a>\n" (location-access-control-path x))
269 (serialize-configuration
270 x
271 (filter (lambda (field)
272 (not (eq? (configuration-field-name field) 'path)))
273 location-access-control-fields))
274 (format #t "</Location>\n"))
275
276(define (location-access-control-list? val)
277 (and (list? val) (and-map location-access-control? val)))
278(define (serialize-location-access-control-list field-name val)
279 (for-each serialize-location-access-control val))
280
281(define-configuration policy-configuration
282 (name
5305ed20 283 (string (configuration-missing-field 'policy-configuration 'name))
f2ec23d1
AW		 284 "Name of the policy.")
285 (job-private-access
286 (string "@OWNER @SYSTEM")
287 "Specifies an access list for a job's private values. @code{@@ACL} maps to
288the printer's requesting-user-name-allowed or requesting-user-name-denied
289values. @code{@@OWNER} maps to the job's owner. @code{@@SYSTEM} maps to the
290groups listed for the @code{system-group} field of the @code{files-config}
291configuration, which is reified into the @code{cups-files.conf(5)} file.
292Other possible elements of the access list include specific user names, and
293@code{@@@var{group}} to indicate members of a specific group. The access list
294may also be simply @code{all} or @code{default}.")
295 (job-private-values
296 (string (string-join '("job-name" "job-originating-host-name"
297 "job-originating-user-name" "phone")))
298 "Specifies the list of job values to make private, or @code{all},
299@code{default}, or @code{none}.")
300
301 (subscription-private-access
302 (string "@OWNER @SYSTEM")
303 "Specifies an access list for a subscription's private values.
304@code{@@ACL} maps to the printer's requesting-user-name-allowed or
305requesting-user-name-denied values. @code{@@OWNER} maps to the job's owner.
306@code{@@SYSTEM} maps to the groups listed for the @code{system-group} field of
307the @code{files-config} configuration, which is reified into the
308@code{cups-files.conf(5)} file. Other possible elements of the access list
309include specific user names, and @code{@@@var{group}} to indicate members of a
310specific group. The access list may also be simply @code{all} or
311@code{default}.")
312 (subscription-private-values
313 (string (string-join '("notify-events" "notify-pull-method"
314 "notify-recipient-uri" "notify-subscriber-user-name"
315 "notify-user-data")
316 " "))
317 "Specifies the list of job values to make private, or @code{all},
318@code{default}, or @code{none}.")
319
320 (access-controls
321 (operation-access-control-list '())
322 "Access control by IPP operation."))
323
324(define (serialize-policy-configuration x)
325 (format #t "<Policy ~a>\n" (policy-configuration-name x))
326 (serialize-configuration
327 x
328 (filter (lambda (field)
329 (not (eq? (configuration-field-name field) 'name)))
330 policy-configuration-fields))
331 (format #t "</Policy>\n"))
332
333(define (policy-configuration-list? x)
334 (and (list? x) (and-map policy-configuration? x)))
335(define (serialize-policy-configuration-list field-name x)
336 (for-each serialize-policy-configuration x))
337
338(define (log-location? x)
339 (or (file-name? x)
340 (eq? x 'stderr)
341 (eq? x 'syslog)))
342(define (serialize-log-location field-name x)
343 (if (string? x)
344 (serialize-file-name field-name x)
345 (serialize-field field-name x)))
346
347(define-configuration files-configuration
348 (access-log
349 (log-location "/var/log/cups/access_log")
350 "Defines the access log filename. Specifying a blank filename disables
351access log generation. The value @code{stderr} causes log entries to be sent
352to the standard error file when the scheduler is running in the foreground, or
353to the system log daemon when run in the background. The value @code{syslog}
354causes log entries to be sent to the system log daemon. The server name may
355be included in filenames using the string @code{%s}, as in
356@code{/var/log/cups/%s-access_log}.")
357 (cache-dir
358 (file-name "/var/cache/cups")
359 "Where CUPS should cache data.")
360 (config-file-perm
361 (string "0640")
362 "Specifies the permissions for all configuration files that the scheduler
363writes.
364
365Note that the permissions for the printers.conf file are currently masked to
366only allow access from the scheduler user (typically root). This is done
367because printer device URIs sometimes contain sensitive authentication
368information that should not be generally known on the system. There is no way
369to disable this security feature.")
370 ;; Not specifying data-dir and server-bin options as we handle these
371 ;; manually. For document-root, the CUPS package has that path
372 ;; preconfigured.
373 (error-log
374 (log-location "/var/log/cups/error_log")
375 "Defines the error log filename. Specifying a blank filename disables
376access log generation. The value @code{stderr} causes log entries to be sent
377to the standard error file when the scheduler is running in the foreground, or
378to the system log daemon when run in the background. The value @code{syslog}
379causes log entries to be sent to the system log daemon. The server name may
380be included in filenames using the string @code{%s}, as in
381@code{/var/log/cups/%s-error_log}.")
382 (fatal-errors
383 (string "all -browse")
384 "Specifies which errors are fatal, causing the scheduler to exit. The kind
385strings are:
386@table @code
387@item none
388No errors are fatal.
389@item all
390All of the errors below are fatal.
391@item browse
392Browsing initialization errors are fatal, for example failed connections to
393the DNS-SD daemon.
394@item config
395Configuration file syntax errors are fatal.
396@item listen
397Listen or Port errors are fatal, except for IPv6 failures on the loopback or
398@code{any} addresses.
399@item log
400Log file creation or write errors are fatal.
401@item permissions
402Bad startup file permissions are fatal, for example shared TLS certificate and
403key files with world-read permissions.
404@end table")
405 (file-device?
406 (boolean #f)
407 "Specifies whether the file pseudo-device can be used for new printer
408queues. The URI @url{file:///dev/null} is always allowed.")
409 (group
410 (string "lp")
411 "Specifies the group name or ID that will be used when executing external
412programs.")
413 (log-file-perm
414 (string "0644")
415 "Specifies the permissions for all log files that the scheduler writes.")
416 (page-log
417 (log-location "/var/log/cups/page_log")
418 "Defines the page log filename. Specifying a blank filename disables
419access log generation. The value @code{stderr} causes log entries to be sent
420to the standard error file when the scheduler is running in the foreground, or
421to the system log daemon when run in the background. The value @code{syslog}
422causes log entries to be sent to the system log daemon. The server name may
423be included in filenames using the string @code{%s}, as in
424@code{/var/log/cups/%s-page_log}.")
425 (remote-root
426 (string "remroot")
427 "Specifies the username that is associated with unauthenticated accesses by
428clients claiming to be the root user. The default is @code{remroot}.")
429 (request-root
430 (file-name "/var/spool/cups")
431 "Specifies the directory that contains print jobs and other HTTP request
432data.")
433 (sandboxing
434 (sandboxing 'strict)
435 "Specifies the level of security sandboxing that is applied to print
436filters, backends, and other child processes of the scheduler; either
437@code{relaxed} or @code{strict}. This directive is currently only
438used/supported on macOS.")
439 (server-keychain
440 (file-name "/etc/cups/ssl")
441 "Specifies the location of TLS certificates and private keys. CUPS will
442look for public and private keys in this directory: a @code{.crt} files for
443PEM-encoded certificates and corresponding @code{.key} files for PEM-encoded
444private keys.")
445 (server-root
446 (file-name "/etc/cups")
447 "Specifies the directory containing the server configuration files.")
448 (sync-on-close?
449 (boolean #f)
450 "Specifies whether the scheduler calls fsync(2) after writing configuration
451or state files.")
452 (system-group
453 (space-separated-string-list '("lpadmin" "wheel" "root"))
454 "Specifies the group(s) to use for @code{@@SYSTEM} group authentication.")
455 (temp-dir
456 (file-name "/var/spool/cups/tmp")
457 "Specifies the directory where temporary files are stored.")
458 (user
459 (string "lp")
460 "Specifies the user name or ID that is used when running external
70186c24
TGR		 461programs.")
462 (set-env
463 (string "variable value")
464 "Set the specified environment variable to be passed to child processes."))
f2ec23d1
AW		 465
466(define (serialize-files-configuration field-name val)
467 #f)
468
469(define (environment-variables? vars)
470 (space-separated-string-list? vars))
471(define (serialize-environment-variables field-name vars)
472 (unless (null? vars)
473 (serialize-space-separated-string-list field-name vars)))
474
475(define (package-list? val)
476 (and (list? val) (and-map package? val)))
477(define (serialize-package-list field-name val)
478 #f)
479
480(define-configuration cups-configuration
481 (cups
482 (package cups)
483 "The CUPS package.")
484 (extensions
0b57c1b0 485 (package-list (list cups-filters epson-inkjet-printer-escpr
13180f6a 486 foomatic-filters hplip-minimal splix))
f2ec23d1
AW		 487 "Drivers and other extensions to the CUPS package.")
488 (files-configuration
489 (files-configuration (files-configuration))
490 "Configuration of where to write logs, what directories to use for print
491spools, and related privileged configuration parameters.")
492 (access-log-level
493 (access-log-level 'actions)
494 "Specifies the logging level for the AccessLog file. The @code{config}
495level logs when printers and classes are added, deleted, or modified and when
496configuration files are accessed or updated. The @code{actions} level logs
497when print jobs are submitted, held, released, modified, or canceled, and any
498of the conditions for @code{config}. The @code{all} level logs all
499requests.")
500 (auto-purge-jobs?
501 (boolean #f)
502 "Specifies whether to purge job history data automatically when it is no
503longer required for quotas.")
ee0de994
TGR		 504 (browse-dns-sd-sub-types
505 (comma-separated-string-list (list "_cups"))
506 "Specifies a list of DNS-SD sub-types to advertise for each shared printer.
507For example, @samp{\"_cups\" \"_print\"} will tell network clients that both
508CUPS sharing and IPP Everywhere are supported.")
f2ec23d1
AW		 509 (browse-local-protocols
510 (browse-local-protocols 'dnssd)
511 "Specifies which protocols to use for local printer sharing.")
512 (browse-web-if?
513 (boolean #f)
514 "Specifies whether the CUPS web interface is advertised.")
515 (browsing?
516 (boolean #f)
517 "Specifies whether shared printers are advertised.")
518 (classification
519 (string "")
520 "Specifies the security classification of the server.
521Any valid banner name can be used, including \"classified\", \"confidential\",
522\"secret\", \"topsecret\", and \"unclassified\", or the banner can be omitted
523to disable secure printing functions.")
524 (classify-override?
525 (boolean #f)
526 "Specifies whether users may override the classification (cover page) of
527individual print jobs using the @code{job-sheets} option.")
528 (default-auth-type
529 (default-auth-type 'Basic)
530 "Specifies the default type of authentication to use.")
531 (default-encryption
532 (default-encryption 'Required)
533 "Specifies whether encryption will be used for authenticated requests.")
534 (default-language
535 (string "en")
536 "Specifies the default language to use for text and web content.")
537 (default-paper-size
538 (string "Auto")
539 "Specifies the default paper size for new print queues. @samp{\"Auto\"}
540uses a locale-specific default, while @samp{\"None\"} specifies there is no
541default paper size. Specific size names are typically @samp{\"Letter\"} or
542@samp{\"A4\"}.")
543 (default-policy
544 (string "default")
545 "Specifies the default access policy to use.")
546 (default-shared?
547 (boolean #t)
548 "Specifies whether local printers are shared by default.")
549 (dirty-clean-interval
550 (non-negative-integer 30)
551 "Specifies the delay for updating of configuration and state files, in
552seconds. A value of 0 causes the update to happen as soon as possible,
553typically within a few milliseconds.")
554 (error-policy
555 (error-policy 'stop-printer)
556 "Specifies what to do when an error occurs. Possible values are
557@code{abort-job}, which will discard the failed print job; @code{retry-job},
5a097cdd 558which will retry the job at a later time; @code{retry-current-job}, which retries
f2ec23d1
AW		 559the failed job immediately; and @code{stop-printer}, which stops the
560printer.")
561 (filter-limit
562 (non-negative-integer 0)
563 "Specifies the maximum cost of filters that are run concurrently, which can
564be used to minimize disk, memory, and CPU resource problems. A limit of 0
565disables filter limiting. An average print to a non-PostScript printer needs
566a filter limit of about 200. A PostScript printer needs about half
567that (100). Setting the limit below these thresholds will effectively limit
568the scheduler to printing a single job at any time.")
569 (filter-nice
570 (non-negative-integer 0)
571 "Specifies the scheduling priority of filters that are run to print a job.
572The nice value ranges from 0, the highest priority, to 19, the lowest
573priority.")
574 ;; Add this option if the package is built with Kerberos support.
575 ;; (gss-service-name
576 ;; (string "http")
577 ;; "Specifies the service name when using Kerberos authentication.")
578 (host-name-lookups
579 (host-name-lookups #f)
580 "Specifies whether to do reverse lookups on connecting clients.
581The @code{double} setting causes @code{cupsd} to verify that the hostname
582resolved from the address matches one of the addresses returned for that
583hostname. Double lookups also prevent clients with unregistered addresses
584from connecting to your server. Only set this option to @code{#t} or
585@code{double} if absolutely required.")
586 ;; Add this option if the package is built with launchd/systemd support.
587 ;; (idle-exit-timeout
588 ;; (non-negative-integer 60)
589 ;; "Specifies the length of time to wait before shutting down due to
590 ;; inactivity. Note: Only applicable when @code{cupsd} is run on-demand
591 ;; (e.g., with @code{-l}).")
592 (job-kill-delay
593 (non-negative-integer 30)
594 "Specifies the number of seconds to wait before killing the filters and
595backend associated with a canceled or held job.")
596 (job-retry-interval
597 (non-negative-integer 30)
598 "Specifies the interval between retries of jobs in seconds. This is
599typically used for fax queues but can also be used with normal print queues
600whose error policy is @code{retry-job} or @code{retry-current-job}.")
601 (job-retry-limit
602 (non-negative-integer 5)
603 "Specifies the number of retries that are done for jobs. This is typically
604used for fax queues but can also be used with normal print queues whose error
605policy is @code{retry-job} or @code{retry-current-job}.")
606 (keep-alive?
607 (boolean #t)
608 "Specifies whether to support HTTP keep-alive connections.")
609 (keep-alive-timeout
610 (non-negative-integer 30)
611 "Specifies how long an idle client connection remains open, in seconds.")
612 (limit-request-body
613 (non-negative-integer 0)
614 "Specifies the maximum size of print files, IPP requests, and HTML form
615data. A limit of 0 disables the limit check.")
616 (listen
617 (multiline-string-list '("localhost:631" "/var/run/cups/cups.sock"))
618 "Listens on the specified interfaces for connections. Valid values are of
619the form @var{address}:@var{port}, where @var{address} is either an IPv6
620address enclosed in brackets, an IPv4 address, or @code{*} to indicate all
621addresses. Values can also be file names of local UNIX domain sockets. The
622Listen directive is similar to the Port directive but allows you to restrict
623access to specific interfaces or networks.")
624 (listen-back-log
625 (non-negative-integer 128)
626 "Specifies the number of pending connections that will be allowed. This
627normally only affects very busy servers that have reached the MaxClients
628limit, but can also be triggered by large numbers of simultaneous connections.
629When the limit is reached, the operating system will refuse additional
630connections until the scheduler can accept the pending ones.")
631 (location-access-controls
632 (location-access-control-list
633 (list (location-access-control
634 (path "/")
635 (access-controls '("Order allow,deny"
636 "Allow localhost")))
637 (location-access-control
638 (path "/admin")
639 (access-controls '("Order allow,deny"
640 "Allow localhost")))
641 (location-access-control
642 (path "/admin/conf")
643 (access-controls '("Order allow,deny"
644 "AuthType Basic"
645 "Require user @SYSTEM"
646 "Allow localhost")))))
647 "Specifies a set of additional access controls.")
648 (log-debug-history
649 (non-negative-integer 100)
650 "Specifies the number of debugging messages that are retained for logging
651if an error occurs in a print job. Debug messages are logged regardless of
652the LogLevel setting.")
653 (log-level
654 (log-level 'info)
655 "Specifies the level of logging for the ErrorLog file. The value
656@code{none} stops all logging while @code{debug2} logs everything.")
657 (log-time-format
658 (log-time-format 'standard)
659 "Specifies the format of the date and time in the log files. The value
660@code{standard} logs whole seconds while @code{usecs} logs microseconds.")
661 (max-clients
662 (non-negative-integer 100)
663 "Specifies the maximum number of simultaneous clients that are allowed by
664the scheduler.")
665 (max-clients-per-host
666 (non-negative-integer 100)
667 "Specifies the maximum number of simultaneous clients that are allowed from
668a single address.")
669 (max-copies
670 (non-negative-integer 9999)
671 "Specifies the maximum number of copies that a user can print of each
672job.")
673 (max-hold-time
674 (non-negative-integer 0)
675 "Specifies the maximum time a job may remain in the @code{indefinite} hold
676state before it is canceled. A value of 0 disables cancellation of held
677jobs.")
678 (max-jobs
679 (non-negative-integer 500)
680 "Specifies the maximum number of simultaneous jobs that are allowed. Set
681to 0 to allow an unlimited number of jobs.")
682 (max-jobs-per-printer
683 (non-negative-integer 0)
684 "Specifies the maximum number of simultaneous jobs that are allowed per
685printer. A value of 0 allows up to MaxJobs jobs per printer.")
686 (max-jobs-per-user
687 (non-negative-integer 0)
688 "Specifies the maximum number of simultaneous jobs that are allowed per
689user. A value of 0 allows up to MaxJobs jobs per user.")
690 (max-job-time
691 (non-negative-integer 10800)
692 "Specifies the maximum time a job may take to print before it is canceled,
693in seconds. Set to 0 to disable cancellation of \"stuck\" jobs.")
694 (max-log-size
695 (non-negative-integer 1048576)
696 "Specifies the maximum size of the log files before they are rotated, in
697bytes. The value 0 disables log rotation.")
698 (multiple-operation-timeout
699 (non-negative-integer 300)
700 "Specifies the maximum amount of time to allow between files in a multiple
701file print job, in seconds.")
702 (page-log-format
703 (string "")
704 "Specifies the format of PageLog lines. Sequences beginning with
705percent (@samp{%}) characters are replaced with the corresponding information,
706while all other characters are copied literally. The following percent
707sequences are recognized:
708
709@table @samp
710@item %%
711insert a single percent character
712@item %@{name@}
713insert the value of the specified IPP attribute
714@item %C
715insert the number of copies for the current page
716@item %P
717insert the current page number
718@item %T
719insert the current date and time in common log format
720@item %j
721insert the job ID
722@item %p
723insert the printer name
724@item %u
725insert the username
726@end table
727
728A value of the empty string disables page logging. The string @code{%p %u %j
729%T %P %C %@{job-billing@} %@{job-originating-host-name@} %@{job-name@}
730%@{media@} %@{sides@}} creates a page log with the standard items.")
731 (environment-variables
732 (environment-variables '())
733 "Passes the specified environment variable(s) to child processes; a list of
734strings.")
735 (policies
736 (policy-configuration-list
737 (list (policy-configuration
738 (name "default")
739 (access-controls
740 (list
741 (operation-access-control
742 (operations
743 '(Send-Document
744 Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
745 Cancel-Job Close-Job Cancel-My-Jobs Set-Job-Attributes
746 Create-Job-Subscription Renew-Subscription
747 Cancel-Subscription Get-Notifications
748 Reprocess-Job Cancel-Current-Job Suspend-Current-Job
749 Resume-Job CUPS-Move-Job Validate-Job
750 CUPS-Get-Document))
751 (access-controls '("Require user @OWNER @SYSTEM"
752 "Order deny,allow")))
753 (operation-access-control
754 (operations
755 '(Pause-Printer
756 Cancel-Jobs
757 Resume-Printer Set-Printer-Attributes Enable-Printer
758 Disable-Printer Pause-Printer-After-Current-Job
759 Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer
760 Activate-Printer Restart-Printer Shutdown-Printer
761 Startup-Printer Promote-Job Schedule-Job-After
762 CUPS-Authenticate-Job CUPS-Add-Printer
763 CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
764 CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default))
765 (access-controls '("AuthType Basic"
766 "Require user @SYSTEM"
767 "Order deny,allow")))
768 (operation-access-control
769 (operations '(All))
770 (access-controls '("Order deny,allow"))))))))
771 "Specifies named access control policies.")
772 #;
773 (port
774 (non-negative-integer 631)
775 "Listens to the specified port number for connections.")
776 (preserve-job-files
777 (boolean-or-non-negative-integer 86400)
778 "Specifies whether job files (documents) are preserved after a job is
779printed. If a numeric value is specified, job files are preserved for the
780indicated number of seconds after printing. Otherwise a boolean value applies
781indefinitely.")
782 (preserve-job-history
783 (boolean-or-non-negative-integer #t)
784 "Specifies whether the job history is preserved after a job is printed.
785If a numeric value is specified, the job history is preserved for the
786indicated number of seconds after printing. If @code{#t}, the job history is
787preserved until the MaxJobs limit is reached.")
788 (reload-timeout
789 (non-negative-integer 30)
790 "Specifies the amount of time to wait for job completion before restarting
791the scheduler.")
792 (rip-cache
793 (string "128m")
794 "Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.")
795 (server-admin
796 (string "root@localhost.localdomain")
797 "Specifies the email address of the server administrator.")
798 (server-alias
799 (host-name-list-or-* '*)
800 "The ServerAlias directive is used for HTTP Host header validation when
801clients connect to the scheduler from external interfaces. Using the special
802name @code{*} can expose your system to known browser-based DNS rebinding
803attacks, even when accessing sites through a firewall. If the auto-discovery
804of alternate names does not work, we recommend listing each alternate name
805with a ServerAlias directive instead of using @code{*}.")
806 (server-name
807 (string "localhost")
808 "Specifies the fully-qualified host name of the server.")
809 (server-tokens
810 (server-tokens 'Minimal)
811 "Specifies what information is included in the Server header of HTTP
812responses. @code{None} disables the Server header. @code{ProductOnly}
813reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor}
814reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}. @code{OS}
815reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is the output of the
816@code{uname} command. @code{Full} reports @code{CUPS 2.0.0 (@var{uname})
817IPP/2.0}.")
f2ec23d1
AW		 818 (ssl-listen
819 (multiline-string-list '())
820 "Listens on the specified interfaces for encrypted connections. Valid
821values are of the form @var{address}:@var{port}, where @var{address} is either
822an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate
823all addresses.")
824 (ssl-options
825 (ssl-options '())
9e3ef6f3
TGR		 826 "Sets encryption options. By default, CUPS only supports encryption
827using TLS v1.0 or higher using known secure cipher suites. Security is
828reduced when @code{Allow} options are used, and enhanced when @code{Deny}
829options are used. The @code{AllowRC4} option enables the 128-bit RC4 cipher
830suites, which are required for some older clients. The @code{AllowSSL3} option
831enables SSL v3.0, which is required for some older clients that do not support
832TLS v1.0. The @code{DenyCBC} option disables all CBC cipher suites. The
833@code{DenyTLS1.0} option disables TLS v1.0 support - this sets the minimum
834protocol version to TLS v1.1.")
f2ec23d1
AW		 835 #;
836 (ssl-port
837 (non-negative-integer 631)
838 "Listens on the specified port for encrypted connections.")
839 (strict-conformance?
840 (boolean #f)
841 "Specifies whether the scheduler requires clients to strictly adhere to the
842IPP specifications.")
843 (timeout
844 (non-negative-integer 300)
845 "Specifies the HTTP request timeout, in seconds.")
846 (web-interface?
847 (boolean #f)
848 "Specifies whether the web interface is enabled."))
849
850(define-configuration opaque-cups-configuration
851 (cups
852 (package cups)
853 "The CUPS package.")
854 (extensions
855 (package-list '())
856 "Drivers and other extensions to the CUPS package.")
857 (cupsd.conf
5305ed20
JL		 858 (string (configuration-missing-field 'opaque-cups-configuration
859 'cupsd.conf))
f2ec23d1
AW		 860 "The contents of the @code{cupsd.conf} to use.")
861 (cups-files.conf
5305ed20
JL		 862 (string (configuration-missing-field 'opaque-cups-configuration
863 'cups-files.conf))
f2ec23d1
AW		 864 "The contents of the @code{cups-files.conf} to use."))
865
866(define %cups-activation
867 ;; Activation gexp.
868 (with-imported-modules '((guix build utils))
869 #~(begin
e57bd0be 870 (use-modules (guix build utils))
f2ec23d1
AW		 871 (define (mkdir-p/perms directory owner perms)
872 (mkdir-p directory)
6ac7526e 873 (chown directory (passwd:uid owner) (passwd:gid owner))
f2ec23d1
AW		 874 (chmod directory perms))
875 (define (build-subject parameters)
876 (string-concatenate
877 (map (lambda (pair)
878 (let ((k (car pair)) (v (cdr pair)))
879 (define (escape-char str chr)
880 (string-join (string-split str chr) (string #\\ chr)))
881 (string-append "/" k "="
882 (escape-char (escape-char v #\=) #\/))))
883 (filter (lambda (pair) (cdr pair)) parameters))))
884 (define* (create-self-signed-certificate-if-absent
885 #:key private-key public-key (owner (getpwnam "root"))
886 (common-name (gethostname))
59e80445 887 (organization-name "Guix")
f2ec23d1
AW		 888 (organization-unit-name "Default Self-Signed Certificate")
889 (subject-parameters `(("CN" . ,common-name)
890 ("O" . ,organization-name)
891 ("OU" . ,organization-unit-name)))
892 (subject (build-subject subject-parameters)))
893 ;; Note that by default, OpenSSL outputs keys in PEM format. This
894 ;; is what we want.
895 (unless (file-exists? private-key)
896 (cond
897 ((zero? (system* (string-append #$openssl "/bin/openssl")
898 "genrsa" "-out" private-key "2048"))
899 (chown private-key (passwd:uid owner) (passwd:gid owner))
900 (chmod private-key #o400))
901 (else
902 (format (current-error-port)
903 "Failed to create private key at ~a.\n" private-key))))
904 (unless (file-exists? public-key)
905 (cond
906 ((zero? (system* (string-append #$openssl "/bin/openssl")
907 "req" "-new" "-x509" "-key" private-key
908 "-out" public-key "-days" "3650"
909 "-batch" "-subj" subject))
910 (chown public-key (passwd:uid owner) (passwd:gid owner))
911 (chmod public-key #o444))
912 (else
913 (format (current-error-port)
914 "Failed to create public key at ~a.\n" public-key)))))
915 (let ((user (getpwnam "lp")))
916 (mkdir-p/perms "/var/run/cups" user #o755)
917 (mkdir-p/perms "/var/spool/cups" user #o755)
918 (mkdir-p/perms "/var/spool/cups/tmp" user #o755)
919 (mkdir-p/perms "/var/log/cups" user #o755)
36273ebd 920 (mkdir-p/perms "/var/cache/cups" user #o770)
f2ec23d1
AW		 921 (mkdir-p/perms "/etc/cups" user #o755)
922 (mkdir-p/perms "/etc/cups/ssl" user #o700)
923 ;; This certificate is used for HTTPS connections to the CUPS web
924 ;; interface.
925 (create-self-signed-certificate-if-absent
926 #:private-key "/etc/cups/ssl/localhost.key"
927 #:public-key "/etc/cups/ssl/localhost.crt"
928 #:owner (getpwnam "root")
929 #:common-name (format #f "CUPS service on ~a" (gethostname)))))))
930
931(define (union-directory name packages paths)
932 (computed-file
933 name
934 (with-imported-modules '((guix build utils))
935 #~(begin
936 (use-modules (guix build utils)
937 (srfi srfi-1))
938 (mkdir #$output)
939 (for-each
940 (lambda (package)
941 (for-each
942 (lambda (path)
943 (for-each
944 (lambda (src)
945 (let* ((tail (substring src (string-length package)))
946 (dst (string-append #$output tail)))
947 (mkdir-p (dirname dst))
948 ;; CUPS currently symlinks in some data from cups-filters
949 ;; to its output dir. Probably we should stop doing this
950 ;; and instead rely only on the CUPS service to union the
951 ;; relevant set of CUPS packages.
952 (if (file-exists? dst)
953 (format (current-error-port) "warning: ~a exists\n" dst)
954 (symlink src dst))))
4ce8860d 955 (find-files (string-append package path) #:stat stat)))
f2ec23d1
AW		 956 (list #$@paths)))
957 (list #$@packages))
958 #t))))
959
960(define (cups-server-bin-directory extensions)
961 "Return the CUPS ServerBin directory, containing binaries for CUPS and all
962extensions that it uses."
963 (union-directory "cups-server-bin" extensions
964 ;; /bin
965 '("/lib/cups" "/share/ppd" "/share/cups")))
966
967(define (cups-shepherd-service config)
968 "Return a list of <shepherd-service> for CONFIG."
969 (let* ((cupsd.conf-str
970 (cond
971 ((opaque-cups-configuration? config)
972 (opaque-cups-configuration-cupsd.conf config))
973 (else
974 (with-output-to-string
975 (lambda ()
976 (serialize-configuration config
977 cups-configuration-fields))))))
978 (cups-files.conf-str
979 (cond
980 ((opaque-cups-configuration? config)
981 (opaque-cups-configuration-cups-files.conf config))
982 (else
983 (with-output-to-string
984 (lambda ()
985 (serialize-configuration
986 (cups-configuration-files-configuration config)
987 files-configuration-fields))))))
988 (cups (if (opaque-cups-configuration? config)
989 (opaque-cups-configuration-cups config)
990 (cups-configuration-cups config)))
991 (server-bin
992 (cups-server-bin-directory
993 (cons cups
994 (cond
995 ((opaque-cups-configuration? config)
996 (opaque-cups-configuration-extensions config))
997 (else
998 (cups-configuration-extensions config))))))
999 ;;"SetEnv PATH " server-bin "/bin" "\n"
1000 (cupsd.conf
1001 (plain-file "cupsd.conf" cupsd.conf-str))
1002 (cups-files.conf
1003 (mixed-text-file
1004 "cups-files.conf"
1005 cups-files.conf-str
1006 "CacheDir /var/cache/cups\n"
1007 "StateDir /var/run/cups\n"
1008 "DataDir " server-bin "/share/cups" "\n"
1009 "ServerBin " server-bin "/lib/cups" "\n")))
1010 (list (shepherd-service
1011 (documentation "Run the CUPS print server.")
1012 (provision '(cups))
1013 (requirement '(networking))
1014 (start #~(make-forkexec-constructor
1015 (list (string-append #$cups "/sbin/cupsd")
1016 "-f" "-c" #$cupsd.conf "-s" #$cups-files.conf)))
1017 (stop #~(make-kill-destructor))))))
1018
1019(define cups-service-type
1020 (service-type (name 'cups)
1021 (extensions
1022 (list (service-extension shepherd-root-service-type
1023 cups-shepherd-service)
1024 (service-extension activation-service-type
1025 (const %cups-activation))
1026 (service-extension account-service-type
1027 (const %cups-accounts))))
1028
1029 ;; Extensions consist of lists of packages (representing CUPS
1030 ;; drivers, etc) that we just concatenate.
1031 (compose append)
1032
1033 ;; Add extension packages by augmenting the cups-configuration
1034 ;; 'extensions' field.
1035 (extend
1036 (lambda (config extensions)
1037 (cond
1038 ((cups-configuration? config)
1039 (cups-configuration
1040 (inherit config)
1041 (extensions
1042 (append (cups-configuration-extensions config)
1043 extensions))))
1044 (else
1045 (opaque-cups-configuration
1046 (inherit config)
1047 (extensions
1048 (append (opaque-cups-configuration-extensions config)
3d3c5650
LC		 1049 extensions)))))))
1050
86cd3f97
RW		 1051 (default-value (cups-configuration))
1052 (description
1053 "Run the CUPS print server.")))
f2ec23d1
AW		 1054
1055;; A little helper to make it easier to document all those fields.
5305ed20
JL		 1056(define (generate-cups-documentation)
1057 (generate-documentation
f2ec23d1
AW		 1058 `((cups-configuration
1059 ,cups-configuration-fields
1060 (files-configuration files-configuration)
1061 (policies policy-configuration)
1062 (location-access-controls location-access-controls))
1063 (files-configuration ,files-configuration-fields)
1064 (policy-configuration
1065 ,policy-configuration-fields
1066 (operation-access-controls operation-access-controls))
1067 (location-access-controls
1068 ,location-access-control-fields
1069 (method-access-controls method-access-controls))
1070 (operation-access-controls ,operation-access-control-fields)
5305ed20
JL		 1071 (method-access-controls ,method-access-control-fields))
1072 'cups-configuration))
jackhill's copy of GNU Guix: https://guix.gnu.org/