HCoop / jackhill / guix / guix.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' into core-updates
[jackhill/guix/guix.git] / gnu / services / cups.scm
CommitLineData
f2ec23d1
AW		 1;;; GNU Guix --- Functional package management for GNU
2;;; Copyright © 2016 Andy Wingo <wingo@pobox.com>
e57bd0be 3;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
86cd3f97 4;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
f2ec23d1
AW		 5;;;
6;;; This file is part of GNU Guix.
7;;;
8;;; GNU Guix is free software; you can redistribute it and/or modify it
9;;; under the terms of the GNU General Public License as published by
10;;; the Free Software Foundation; either version 3 of the License, or (at
11;;; your option) any later version.
12;;;
13;;; GNU Guix is distributed in the hope that it will be useful, but
14;;; WITHOUT ANY WARRANTY; without even the implied warranty of
15;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16;;; GNU General Public License for more details.
17;;;
18;;; You should have received a copy of the GNU General Public License
19;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20
21(define-module (gnu services cups)
22 #:use-module (gnu services)
23 #:use-module (gnu services shepherd)
5305ed20 24 #:use-module (gnu services configuration)
f2ec23d1
AW		 25 #:use-module (gnu system shadow)
26 #:use-module (gnu packages admin)
27 #:use-module (gnu packages cups)
28 #:use-module (gnu packages tls)
29 #:use-module (guix packages)
30 #:use-module (guix records)
31 #:use-module (guix gexp)
f2ec23d1
AW		 32 #:use-module (ice-9 match)
33 #:use-module ((srfi srfi-1) #:select (append-map))
5305ed20 34 #:export (cups-service-type
f2ec23d1
AW		 35 cups-configuration
36 opaque-cups-configuration
37
38 files-configuration
39 policy-configuration
40 location-access-control
41 operation-access-control
42 method-access-control))
43
44;;; Commentary:
45;;;
46;;; Service defininition for the CUPS printing system.
47;;;
48;;; Code:
49
f2ec23d1
AW		 50(define %cups-accounts
51 (list (user-group (name "lp") (system? #t))
52 (user-group (name "lpadmin") (system? #t))
53 (user-account
54 (name "lp")
55 (group "lp")
56 (system? #t)
57 (comment "System user for invoking printing helper programs")
58 (home-directory "/var/empty")
59 (shell (file-append shadow "/sbin/nologin")))))
60
720cb10c
CL		 61(define (uglify-field-name field-name)
62 (let ((str (symbol->string field-name)))
63 (string-concatenate
64 (map string-titlecase
65 (string-split (if (string-suffix? "?" str)
66 (substring str 0 (1- (string-length str)))
67 str)
68 #\-)))))
69
70(define (serialize-field field-name val)
71 (format #t "~a ~a\n" (uglify-field-name field-name) val))
72
73(define (serialize-string field-name val)
74 (serialize-field field-name val))
75
f2ec23d1
AW		 76(define (multiline-string-list? val)
77 (and (list? val)
78 (and-map (lambda (x)
79 (and (string? x) (not (string-index x #\space))))
80 val)))
81(define (serialize-multiline-string-list field-name val)
82 (for-each (lambda (str) (serialize-field field-name str)) val))
83
720cb10c
CL		 84(define (space-separated-string-list? val)
85 (and (list? val)
86 (and-map (lambda (x)
87 (and (string? x) (not (string-index x #\space))))
88 val)))
89(define (serialize-space-separated-string-list field-name val)
90 (serialize-field field-name (string-join val " ")))
91
f2ec23d1
AW		 92(define (space-separated-symbol-list? val)
93 (and (list? val) (and-map symbol? val)))
94(define (serialize-space-separated-symbol-list field-name val)
95 (serialize-field field-name (string-join (map symbol->string val) " ")))
96
720cb10c
CL		 97(define (file-name? val)
98 (and (string? val)
99 (string-prefix? "/" val)))
100(define (serialize-file-name field-name val)
101 (serialize-string field-name val))
102
103(define (serialize-boolean field-name val)
104 (serialize-string field-name (if val "yes" "no")))
105
f2ec23d1
AW		 106(define (non-negative-integer? val)
107 (and (exact-integer? val) (not (negative? val))))
108(define (serialize-non-negative-integer field-name val)
109 (serialize-field field-name val))
110
111(define-syntax define-enumerated-field-type
112 (lambda (x)
113 (define (id-append ctx . parts)
114 (datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
115 (syntax-case x ()
116 ((_ name (option ...))
117 #`(begin
118 (define (#,(id-append #'name #'name #'?) x)
119 (memq x '(option ...)))
120 (define (#,(id-append #'name #'serialize- #'name) field-name val)
121 (serialize-field field-name val)))))))
122
123(define-enumerated-field-type access-log-level
124 (config actions all))
125(define-enumerated-field-type browse-local-protocols
126 (all dnssd none))
127(define-enumerated-field-type default-auth-type
128 (Basic Negotiate))
129(define-enumerated-field-type default-encryption
130 (Never IfRequested Required))
131(define-enumerated-field-type error-policy
132 (abort-job retry-job retry-this-job stop-printer))
133(define-enumerated-field-type log-level
134 (none emerg alert crit error warn notice info debug debug2))
135(define-enumerated-field-type log-time-format
136 (standard usecs))
137(define-enumerated-field-type server-tokens
138 (None ProductOnly Major Minor Minimal OS Full))
139(define-enumerated-field-type method
140 (DELETE GET HEAD OPTIONS POST PUT TRACE))
141(define-enumerated-field-type sandboxing
142 (relaxed strict))
143
144(define (method-list? val)
145 (and (list? val) (and-map method? val)))
146(define (serialize-method-list field-name val)
147 (serialize-field field-name (string-join (map symbol->string val) " ")))
148
149(define (host-name-lookups? val)
150 (memq val '(#f #t 'double)))
151(define (serialize-host-name-lookups field-name val)
152 (serialize-field field-name
153 (match val (#f "No") (#t "Yes") ('double "Double"))))
154
155(define (host-name-list-or-*? x)
156 (or (eq? x '*)
157 (and (list? x) (and-map string? x))))
158(define (serialize-host-name-list-or-* field-name val)
159 (serialize-field field-name (match val
160 ('* '*)
161 (names (string-join names " ")))))
162
163(define (boolean-or-non-negative-integer? x)
164 (or (boolean? x) (non-negative-integer? x)))
165(define (serialize-boolean-or-non-negative-integer field-name x)
166 (if (boolean? x)
167 (serialize-boolean field-name x)
168 (serialize-non-negative-integer field-name x)))
169
170(define (ssl-options? x)
171 (and (list? x)
172 (and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x)))
173(define (serialize-ssl-options field-name val)
174 (serialize-field field-name
175 (match val
176 (() "None")
177 (opts (string-join (map symbol->string opts) " ")))))
178
179(define (serialize-access-control x)
180 (display x)
181 (newline))
182(define (serialize-access-control-list field-name val)
183 (for-each serialize-access-control val))
184(define (access-control-list? val)
185 (and (list? val) (and-map string? val)))
186
187(define-configuration operation-access-control
188 (operations
189 (space-separated-symbol-list '())
190 "IPP operations to which this access control applies.")
191 (access-controls
192 (access-control-list '())
193 "Access control directives, as a list of strings. Each string should be one directive, such as \"Order allow,deny\"."))
194
195(define-configuration method-access-control
196 (reverse?
197 (boolean #f)
198 "If @code{#t}, apply access controls to all methods except the listed
199methods. Otherwise apply to only the listed methods.")
200 (methods
201 (method-list '())
202 "Methods to which this access control applies.")
203 (access-controls
204 (access-control-list '())
205 "Access control directives, as a list of strings. Each string should be one directive, such as \"Order allow,deny\"."))
206
207(define (serialize-operation-access-control x)
208 (format #t "<Limit ~a>\n"
209 (string-join (map symbol->string
210 (operation-access-control-operations x)) " "))
211 (serialize-configuration
212 x
213 (filter (lambda (field)
214 (not (eq? (configuration-field-name field) 'operations)))
215 operation-access-control-fields))
216 (format #t "</Limit>\n"))
217
218(define (serialize-method-access-control x)
219 (let ((limit (if (method-access-control-reverse? x) "LimitExcept" "Limit")))
220 (format #t "<~a ~a>\n" limit
221 (string-join (map symbol->string
222 (method-access-control-methods x)) " "))
223 (serialize-configuration
224 x
225 (filter (lambda (field)
226 (case (configuration-field-name field)
227 ((reverse? methods) #f)
228 (else #t)))
229 method-access-control-fields))
230 (format #t "</~a>\n" limit)))
231
232(define (operation-access-control-list? val)
233 (and (list? val) (and-map operation-access-control? val)))
234(define (serialize-operation-access-control-list field-name val)
235 (for-each serialize-operation-access-control val))
236
237(define (method-access-control-list? val)
238 (and (list? val) (and-map method-access-control? val)))
239(define (serialize-method-access-control-list field-name val)
240 (for-each serialize-method-access-control val))
241
242(define-configuration location-access-control
243 (path
5305ed20 244 (file-name (configuration-missing-field 'location-access-control 'path))
f2ec23d1
AW		 245 "Specifies the URI path to which the access control applies.")
246 (access-controls
247 (access-control-list '())
248 "Access controls for all access to this path, in the same format as the
249@code{access-controls} of @code{operation-access-control}.")
250 (method-access-controls
251 (method-access-control-list '())
252 "Access controls for method-specific access to this path."))
253
254(define (serialize-location-access-control x)
255 (format #t "<Location ~a>\n" (location-access-control-path x))
256 (serialize-configuration
257 x
258 (filter (lambda (field)
259 (not (eq? (configuration-field-name field) 'path)))
260 location-access-control-fields))
261 (format #t "</Location>\n"))
262
263(define (location-access-control-list? val)
264 (and (list? val) (and-map location-access-control? val)))
265(define (serialize-location-access-control-list field-name val)
266 (for-each serialize-location-access-control val))
267
268(define-configuration policy-configuration
269 (name
5305ed20 270 (string (configuration-missing-field 'policy-configuration 'name))
f2ec23d1
AW		 271 "Name of the policy.")
272 (job-private-access
273 (string "@OWNER @SYSTEM")
274 "Specifies an access list for a job's private values. @code{@@ACL} maps to
275the printer's requesting-user-name-allowed or requesting-user-name-denied
276values. @code{@@OWNER} maps to the job's owner. @code{@@SYSTEM} maps to the
277groups listed for the @code{system-group} field of the @code{files-config}
278configuration, which is reified into the @code{cups-files.conf(5)} file.
279Other possible elements of the access list include specific user names, and
280@code{@@@var{group}} to indicate members of a specific group. The access list
281may also be simply @code{all} or @code{default}.")
282 (job-private-values
283 (string (string-join '("job-name" "job-originating-host-name"
284 "job-originating-user-name" "phone")))
285 "Specifies the list of job values to make private, or @code{all},
286@code{default}, or @code{none}.")
287
288 (subscription-private-access
289 (string "@OWNER @SYSTEM")
290 "Specifies an access list for a subscription's private values.
291@code{@@ACL} maps to the printer's requesting-user-name-allowed or
292requesting-user-name-denied values. @code{@@OWNER} maps to the job's owner.
293@code{@@SYSTEM} maps to the groups listed for the @code{system-group} field of
294the @code{files-config} configuration, which is reified into the
295@code{cups-files.conf(5)} file. Other possible elements of the access list
296include specific user names, and @code{@@@var{group}} to indicate members of a
297specific group. The access list may also be simply @code{all} or
298@code{default}.")
299 (subscription-private-values
300 (string (string-join '("notify-events" "notify-pull-method"
301 "notify-recipient-uri" "notify-subscriber-user-name"
302 "notify-user-data")
303 " "))
304 "Specifies the list of job values to make private, or @code{all},
305@code{default}, or @code{none}.")
306
307 (access-controls
308 (operation-access-control-list '())
309 "Access control by IPP operation."))
310
311(define (serialize-policy-configuration x)
312 (format #t "<Policy ~a>\n" (policy-configuration-name x))
313 (serialize-configuration
314 x
315 (filter (lambda (field)
316 (not (eq? (configuration-field-name field) 'name)))
317 policy-configuration-fields))
318 (format #t "</Policy>\n"))
319
320(define (policy-configuration-list? x)
321 (and (list? x) (and-map policy-configuration? x)))
322(define (serialize-policy-configuration-list field-name x)
323 (for-each serialize-policy-configuration x))
324
325(define (log-location? x)
326 (or (file-name? x)
327 (eq? x 'stderr)
328 (eq? x 'syslog)))
329(define (serialize-log-location field-name x)
330 (if (string? x)
331 (serialize-file-name field-name x)
332 (serialize-field field-name x)))
333
334(define-configuration files-configuration
335 (access-log
336 (log-location "/var/log/cups/access_log")
337 "Defines the access log filename. Specifying a blank filename disables
338access log generation. The value @code{stderr} causes log entries to be sent
339to the standard error file when the scheduler is running in the foreground, or
340to the system log daemon when run in the background. The value @code{syslog}
341causes log entries to be sent to the system log daemon. The server name may
342be included in filenames using the string @code{%s}, as in
343@code{/var/log/cups/%s-access_log}.")
344 (cache-dir
345 (file-name "/var/cache/cups")
346 "Where CUPS should cache data.")
347 (config-file-perm
348 (string "0640")
349 "Specifies the permissions for all configuration files that the scheduler
350writes.
351
352Note that the permissions for the printers.conf file are currently masked to
353only allow access from the scheduler user (typically root). This is done
354because printer device URIs sometimes contain sensitive authentication
355information that should not be generally known on the system. There is no way
356to disable this security feature.")
357 ;; Not specifying data-dir and server-bin options as we handle these
358 ;; manually. For document-root, the CUPS package has that path
359 ;; preconfigured.
360 (error-log
361 (log-location "/var/log/cups/error_log")
362 "Defines the error log filename. Specifying a blank filename disables
363access log generation. The value @code{stderr} causes log entries to be sent
364to the standard error file when the scheduler is running in the foreground, or
365to the system log daemon when run in the background. The value @code{syslog}
366causes log entries to be sent to the system log daemon. The server name may
367be included in filenames using the string @code{%s}, as in
368@code{/var/log/cups/%s-error_log}.")
369 (fatal-errors
370 (string "all -browse")
371 "Specifies which errors are fatal, causing the scheduler to exit. The kind
372strings are:
373@table @code
374@item none
375No errors are fatal.
376@item all
377All of the errors below are fatal.
378@item browse
379Browsing initialization errors are fatal, for example failed connections to
380the DNS-SD daemon.
381@item config
382Configuration file syntax errors are fatal.
383@item listen
384Listen or Port errors are fatal, except for IPv6 failures on the loopback or
385@code{any} addresses.
386@item log
387Log file creation or write errors are fatal.
388@item permissions
389Bad startup file permissions are fatal, for example shared TLS certificate and
390key files with world-read permissions.
391@end table")
392 (file-device?
393 (boolean #f)
394 "Specifies whether the file pseudo-device can be used for new printer
395queues. The URI @url{file:///dev/null} is always allowed.")
396 (group
397 (string "lp")
398 "Specifies the group name or ID that will be used when executing external
399programs.")
400 (log-file-perm
401 (string "0644")
402 "Specifies the permissions for all log files that the scheduler writes.")
403 (page-log
404 (log-location "/var/log/cups/page_log")
405 "Defines the page log filename. Specifying a blank filename disables
406access log generation. The value @code{stderr} causes log entries to be sent
407to the standard error file when the scheduler is running in the foreground, or
408to the system log daemon when run in the background. The value @code{syslog}
409causes log entries to be sent to the system log daemon. The server name may
410be included in filenames using the string @code{%s}, as in
411@code{/var/log/cups/%s-page_log}.")
412 (remote-root
413 (string "remroot")
414 "Specifies the username that is associated with unauthenticated accesses by
415clients claiming to be the root user. The default is @code{remroot}.")
416 (request-root
417 (file-name "/var/spool/cups")
418 "Specifies the directory that contains print jobs and other HTTP request
419data.")
420 (sandboxing
421 (sandboxing 'strict)
422 "Specifies the level of security sandboxing that is applied to print
423filters, backends, and other child processes of the scheduler; either
424@code{relaxed} or @code{strict}. This directive is currently only
425used/supported on macOS.")
426 (server-keychain
427 (file-name "/etc/cups/ssl")
428 "Specifies the location of TLS certificates and private keys. CUPS will
429look for public and private keys in this directory: a @code{.crt} files for
430PEM-encoded certificates and corresponding @code{.key} files for PEM-encoded
431private keys.")
432 (server-root
433 (file-name "/etc/cups")
434 "Specifies the directory containing the server configuration files.")
435 (sync-on-close?
436 (boolean #f)
437 "Specifies whether the scheduler calls fsync(2) after writing configuration
438or state files.")
439 (system-group
440 (space-separated-string-list '("lpadmin" "wheel" "root"))
441 "Specifies the group(s) to use for @code{@@SYSTEM} group authentication.")
442 (temp-dir
443 (file-name "/var/spool/cups/tmp")
444 "Specifies the directory where temporary files are stored.")
445 (user
446 (string "lp")
447 "Specifies the user name or ID that is used when running external
448programs."))
449
450(define (serialize-files-configuration field-name val)
451 #f)
452
453(define (environment-variables? vars)
454 (space-separated-string-list? vars))
455(define (serialize-environment-variables field-name vars)
456 (unless (null? vars)
457 (serialize-space-separated-string-list field-name vars)))
458
459(define (package-list? val)
460 (and (list? val) (and-map package? val)))
461(define (serialize-package-list field-name val)
462 #f)
463
464(define-configuration cups-configuration
465 (cups
466 (package cups)
467 "The CUPS package.")
468 (extensions
469 (package-list (list cups-filters))
470 "Drivers and other extensions to the CUPS package.")
471 (files-configuration
472 (files-configuration (files-configuration))
473 "Configuration of where to write logs, what directories to use for print
474spools, and related privileged configuration parameters.")
475 (access-log-level
476 (access-log-level 'actions)
477 "Specifies the logging level for the AccessLog file. The @code{config}
478level logs when printers and classes are added, deleted, or modified and when
479configuration files are accessed or updated. The @code{actions} level logs
480when print jobs are submitted, held, released, modified, or canceled, and any
481of the conditions for @code{config}. The @code{all} level logs all
482requests.")
483 (auto-purge-jobs?
484 (boolean #f)
485 "Specifies whether to purge job history data automatically when it is no
486longer required for quotas.")
487 (browse-local-protocols
488 (browse-local-protocols 'dnssd)
489 "Specifies which protocols to use for local printer sharing.")
490 (browse-web-if?
491 (boolean #f)
492 "Specifies whether the CUPS web interface is advertised.")
493 (browsing?
494 (boolean #f)
495 "Specifies whether shared printers are advertised.")
496 (classification
497 (string "")
498 "Specifies the security classification of the server.
499Any valid banner name can be used, including \"classified\", \"confidential\",
500\"secret\", \"topsecret\", and \"unclassified\", or the banner can be omitted
501to disable secure printing functions.")
502 (classify-override?
503 (boolean #f)
504 "Specifies whether users may override the classification (cover page) of
505individual print jobs using the @code{job-sheets} option.")
506 (default-auth-type
507 (default-auth-type 'Basic)
508 "Specifies the default type of authentication to use.")
509 (default-encryption
510 (default-encryption 'Required)
511 "Specifies whether encryption will be used for authenticated requests.")
512 (default-language
513 (string "en")
514 "Specifies the default language to use for text and web content.")
515 (default-paper-size
516 (string "Auto")
517 "Specifies the default paper size for new print queues. @samp{\"Auto\"}
518uses a locale-specific default, while @samp{\"None\"} specifies there is no
519default paper size. Specific size names are typically @samp{\"Letter\"} or
520@samp{\"A4\"}.")
521 (default-policy
522 (string "default")
523 "Specifies the default access policy to use.")
524 (default-shared?
525 (boolean #t)
526 "Specifies whether local printers are shared by default.")
527 (dirty-clean-interval
528 (non-negative-integer 30)
529 "Specifies the delay for updating of configuration and state files, in
530seconds. A value of 0 causes the update to happen as soon as possible,
531typically within a few milliseconds.")
532 (error-policy
533 (error-policy 'stop-printer)
534 "Specifies what to do when an error occurs. Possible values are
535@code{abort-job}, which will discard the failed print job; @code{retry-job},
536which will retry the job at a later time; @code{retry-this-job}, which retries
537the failed job immediately; and @code{stop-printer}, which stops the
538printer.")
539 (filter-limit
540 (non-negative-integer 0)
541 "Specifies the maximum cost of filters that are run concurrently, which can
542be used to minimize disk, memory, and CPU resource problems. A limit of 0
543disables filter limiting. An average print to a non-PostScript printer needs
544a filter limit of about 200. A PostScript printer needs about half
545that (100). Setting the limit below these thresholds will effectively limit
546the scheduler to printing a single job at any time.")
547 (filter-nice
548 (non-negative-integer 0)
549 "Specifies the scheduling priority of filters that are run to print a job.
550The nice value ranges from 0, the highest priority, to 19, the lowest
551priority.")
552 ;; Add this option if the package is built with Kerberos support.
553 ;; (gss-service-name
554 ;; (string "http")
555 ;; "Specifies the service name when using Kerberos authentication.")
556 (host-name-lookups
557 (host-name-lookups #f)
558 "Specifies whether to do reverse lookups on connecting clients.
559The @code{double} setting causes @code{cupsd} to verify that the hostname
560resolved from the address matches one of the addresses returned for that
561hostname. Double lookups also prevent clients with unregistered addresses
562from connecting to your server. Only set this option to @code{#t} or
563@code{double} if absolutely required.")
564 ;; Add this option if the package is built with launchd/systemd support.
565 ;; (idle-exit-timeout
566 ;; (non-negative-integer 60)
567 ;; "Specifies the length of time to wait before shutting down due to
568 ;; inactivity. Note: Only applicable when @code{cupsd} is run on-demand
569 ;; (e.g., with @code{-l}).")
570 (job-kill-delay
571 (non-negative-integer 30)
572 "Specifies the number of seconds to wait before killing the filters and
573backend associated with a canceled or held job.")
574 (job-retry-interval
575 (non-negative-integer 30)
576 "Specifies the interval between retries of jobs in seconds. This is
577typically used for fax queues but can also be used with normal print queues
578whose error policy is @code{retry-job} or @code{retry-current-job}.")
579 (job-retry-limit
580 (non-negative-integer 5)
581 "Specifies the number of retries that are done for jobs. This is typically
582used for fax queues but can also be used with normal print queues whose error
583policy is @code{retry-job} or @code{retry-current-job}.")
584 (keep-alive?
585 (boolean #t)
586 "Specifies whether to support HTTP keep-alive connections.")
587 (keep-alive-timeout
588 (non-negative-integer 30)
589 "Specifies how long an idle client connection remains open, in seconds.")
590 (limit-request-body
591 (non-negative-integer 0)
592 "Specifies the maximum size of print files, IPP requests, and HTML form
593data. A limit of 0 disables the limit check.")
594 (listen
595 (multiline-string-list '("localhost:631" "/var/run/cups/cups.sock"))
596 "Listens on the specified interfaces for connections. Valid values are of
597the form @var{address}:@var{port}, where @var{address} is either an IPv6
598address enclosed in brackets, an IPv4 address, or @code{*} to indicate all
599addresses. Values can also be file names of local UNIX domain sockets. The
600Listen directive is similar to the Port directive but allows you to restrict
601access to specific interfaces or networks.")
602 (listen-back-log
603 (non-negative-integer 128)
604 "Specifies the number of pending connections that will be allowed. This
605normally only affects very busy servers that have reached the MaxClients
606limit, but can also be triggered by large numbers of simultaneous connections.
607When the limit is reached, the operating system will refuse additional
608connections until the scheduler can accept the pending ones.")
609 (location-access-controls
610 (location-access-control-list
611 (list (location-access-control
612 (path "/")
613 (access-controls '("Order allow,deny"
614 "Allow localhost")))
615 (location-access-control
616 (path "/admin")
617 (access-controls '("Order allow,deny"
618 "Allow localhost")))
619 (location-access-control
620 (path "/admin/conf")
621 (access-controls '("Order allow,deny"
622 "AuthType Basic"
623 "Require user @SYSTEM"
624 "Allow localhost")))))
625 "Specifies a set of additional access controls.")
626 (log-debug-history
627 (non-negative-integer 100)
628 "Specifies the number of debugging messages that are retained for logging
629if an error occurs in a print job. Debug messages are logged regardless of
630the LogLevel setting.")
631 (log-level
632 (log-level 'info)
633 "Specifies the level of logging for the ErrorLog file. The value
634@code{none} stops all logging while @code{debug2} logs everything.")
635 (log-time-format
636 (log-time-format 'standard)
637 "Specifies the format of the date and time in the log files. The value
638@code{standard} logs whole seconds while @code{usecs} logs microseconds.")
639 (max-clients
640 (non-negative-integer 100)
641 "Specifies the maximum number of simultaneous clients that are allowed by
642the scheduler.")
643 (max-clients-per-host
644 (non-negative-integer 100)
645 "Specifies the maximum number of simultaneous clients that are allowed from
646a single address.")
647 (max-copies
648 (non-negative-integer 9999)
649 "Specifies the maximum number of copies that a user can print of each
650job.")
651 (max-hold-time
652 (non-negative-integer 0)
653 "Specifies the maximum time a job may remain in the @code{indefinite} hold
654state before it is canceled. A value of 0 disables cancellation of held
655jobs.")
656 (max-jobs
657 (non-negative-integer 500)
658 "Specifies the maximum number of simultaneous jobs that are allowed. Set
659to 0 to allow an unlimited number of jobs.")
660 (max-jobs-per-printer
661 (non-negative-integer 0)
662 "Specifies the maximum number of simultaneous jobs that are allowed per
663printer. A value of 0 allows up to MaxJobs jobs per printer.")
664 (max-jobs-per-user
665 (non-negative-integer 0)
666 "Specifies the maximum number of simultaneous jobs that are allowed per
667user. A value of 0 allows up to MaxJobs jobs per user.")
668 (max-job-time
669 (non-negative-integer 10800)
670 "Specifies the maximum time a job may take to print before it is canceled,
671in seconds. Set to 0 to disable cancellation of \"stuck\" jobs.")
672 (max-log-size
673 (non-negative-integer 1048576)
674 "Specifies the maximum size of the log files before they are rotated, in
675bytes. The value 0 disables log rotation.")
676 (multiple-operation-timeout
677 (non-negative-integer 300)
678 "Specifies the maximum amount of time to allow between files in a multiple
679file print job, in seconds.")
680 (page-log-format
681 (string "")
682 "Specifies the format of PageLog lines. Sequences beginning with
683percent (@samp{%}) characters are replaced with the corresponding information,
684while all other characters are copied literally. The following percent
685sequences are recognized:
686
687@table @samp
688@item %%
689insert a single percent character
690@item %@{name@}
691insert the value of the specified IPP attribute
692@item %C
693insert the number of copies for the current page
694@item %P
695insert the current page number
696@item %T
697insert the current date and time in common log format
698@item %j
699insert the job ID
700@item %p
701insert the printer name
702@item %u
703insert the username
704@end table
705
706A value of the empty string disables page logging. The string @code{%p %u %j
707%T %P %C %@{job-billing@} %@{job-originating-host-name@} %@{job-name@}
708%@{media@} %@{sides@}} creates a page log with the standard items.")
709 (environment-variables
710 (environment-variables '())
711 "Passes the specified environment variable(s) to child processes; a list of
712strings.")
713 (policies
714 (policy-configuration-list
715 (list (policy-configuration
716 (name "default")
717 (access-controls
718 (list
719 (operation-access-control
720 (operations
721 '(Send-Document
722 Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
723 Cancel-Job Close-Job Cancel-My-Jobs Set-Job-Attributes
724 Create-Job-Subscription Renew-Subscription
725 Cancel-Subscription Get-Notifications
726 Reprocess-Job Cancel-Current-Job Suspend-Current-Job
727 Resume-Job CUPS-Move-Job Validate-Job
728 CUPS-Get-Document))
729 (access-controls '("Require user @OWNER @SYSTEM"
730 "Order deny,allow")))
731 (operation-access-control
732 (operations
733 '(Pause-Printer
734 Cancel-Jobs
735 Resume-Printer Set-Printer-Attributes Enable-Printer
736 Disable-Printer Pause-Printer-After-Current-Job
737 Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer
738 Activate-Printer Restart-Printer Shutdown-Printer
739 Startup-Printer Promote-Job Schedule-Job-After
740 CUPS-Authenticate-Job CUPS-Add-Printer
741 CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
742 CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default))
743 (access-controls '("AuthType Basic"
744 "Require user @SYSTEM"
745 "Order deny,allow")))
746 (operation-access-control
747 (operations '(All))
748 (access-controls '("Order deny,allow"))))))))
749 "Specifies named access control policies.")
750 #;
751 (port
752 (non-negative-integer 631)
753 "Listens to the specified port number for connections.")
754 (preserve-job-files
755 (boolean-or-non-negative-integer 86400)
756 "Specifies whether job files (documents) are preserved after a job is
757printed. If a numeric value is specified, job files are preserved for the
758indicated number of seconds after printing. Otherwise a boolean value applies
759indefinitely.")
760 (preserve-job-history
761 (boolean-or-non-negative-integer #t)
762 "Specifies whether the job history is preserved after a job is printed.
763If a numeric value is specified, the job history is preserved for the
764indicated number of seconds after printing. If @code{#t}, the job history is
765preserved until the MaxJobs limit is reached.")
766 (reload-timeout
767 (non-negative-integer 30)
768 "Specifies the amount of time to wait for job completion before restarting
769the scheduler.")
770 (rip-cache
771 (string "128m")
772 "Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.")
773 (server-admin
774 (string "root@localhost.localdomain")
775 "Specifies the email address of the server administrator.")
776 (server-alias
777 (host-name-list-or-* '*)
778 "The ServerAlias directive is used for HTTP Host header validation when
779clients connect to the scheduler from external interfaces. Using the special
780name @code{*} can expose your system to known browser-based DNS rebinding
781attacks, even when accessing sites through a firewall. If the auto-discovery
782of alternate names does not work, we recommend listing each alternate name
783with a ServerAlias directive instead of using @code{*}.")
784 (server-name
785 (string "localhost")
786 "Specifies the fully-qualified host name of the server.")
787 (server-tokens
788 (server-tokens 'Minimal)
789 "Specifies what information is included in the Server header of HTTP
790responses. @code{None} disables the Server header. @code{ProductOnly}
791reports @code{CUPS}. @code{Major} reports @code{CUPS 2}. @code{Minor}
792reports @code{CUPS 2.0}. @code{Minimal} reports @code{CUPS 2.0.0}. @code{OS}
793reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is the output of the
794@code{uname} command. @code{Full} reports @code{CUPS 2.0.0 (@var{uname})
795IPP/2.0}.")
796 (set-env
797 (string "variable value")
798 "Set the specified environment variable to be passed to child processes.")
799 (ssl-listen
800 (multiline-string-list '())
801 "Listens on the specified interfaces for encrypted connections. Valid
802values are of the form @var{address}:@var{port}, where @var{address} is either
803an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate
804all addresses.")
805 (ssl-options
806 (ssl-options '())
807 "Sets encryption options.
808By default, CUPS only supports encryption using TLS v1.0 or higher using known
809secure cipher suites. The @code{AllowRC4} option enables the 128-bit RC4
810cipher suites, which are required for some older clients that do not implement
811newer ones. The @code{AllowSSL3} option enables SSL v3.0, which is required
812for some older clients that do not support TLS v1.0.")
813 #;
814 (ssl-port
815 (non-negative-integer 631)
816 "Listens on the specified port for encrypted connections.")
817 (strict-conformance?
818 (boolean #f)
819 "Specifies whether the scheduler requires clients to strictly adhere to the
820IPP specifications.")
821 (timeout
822 (non-negative-integer 300)
823 "Specifies the HTTP request timeout, in seconds.")
824 (web-interface?
825 (boolean #f)
826 "Specifies whether the web interface is enabled."))
827
828(define-configuration opaque-cups-configuration
829 (cups
830 (package cups)
831 "The CUPS package.")
832 (extensions
833 (package-list '())
834 "Drivers and other extensions to the CUPS package.")
835 (cupsd.conf
5305ed20
JL		 836 (string (configuration-missing-field 'opaque-cups-configuration
837 'cupsd.conf))
f2ec23d1
AW		 838 "The contents of the @code{cupsd.conf} to use.")
839 (cups-files.conf
5305ed20
JL		 840 (string (configuration-missing-field 'opaque-cups-configuration
841 'cups-files.conf))
f2ec23d1
AW		 842 "The contents of the @code{cups-files.conf} to use."))
843
844(define %cups-activation
845 ;; Activation gexp.
846 (with-imported-modules '((guix build utils))
847 #~(begin
e57bd0be 848 (use-modules (guix build utils))
f2ec23d1
AW		 849 (define (mkdir-p/perms directory owner perms)
850 (mkdir-p directory)
851 (chown "/var/run/cups" (passwd:uid owner) (passwd:gid owner))
852 (chmod directory perms))
853 (define (build-subject parameters)
854 (string-concatenate
855 (map (lambda (pair)
856 (let ((k (car pair)) (v (cdr pair)))
857 (define (escape-char str chr)
858 (string-join (string-split str chr) (string #\\ chr)))
859 (string-append "/" k "="
860 (escape-char (escape-char v #\=) #\/))))
861 (filter (lambda (pair) (cdr pair)) parameters))))
862 (define* (create-self-signed-certificate-if-absent
863 #:key private-key public-key (owner (getpwnam "root"))
864 (common-name (gethostname))
865 (organization-name "GuixSD")
866 (organization-unit-name "Default Self-Signed Certificate")
867 (subject-parameters `(("CN" . ,common-name)
868 ("O" . ,organization-name)
869 ("OU" . ,organization-unit-name)))
870 (subject (build-subject subject-parameters)))
871 ;; Note that by default, OpenSSL outputs keys in PEM format. This
872 ;; is what we want.
873 (unless (file-exists? private-key)
874 (cond
875 ((zero? (system* (string-append #$openssl "/bin/openssl")
876 "genrsa" "-out" private-key "2048"))
877 (chown private-key (passwd:uid owner) (passwd:gid owner))
878 (chmod private-key #o400))
879 (else
880 (format (current-error-port)
881 "Failed to create private key at ~a.\n" private-key))))
882 (unless (file-exists? public-key)
883 (cond
884 ((zero? (system* (string-append #$openssl "/bin/openssl")
885 "req" "-new" "-x509" "-key" private-key
886 "-out" public-key "-days" "3650"
887 "-batch" "-subj" subject))
888 (chown public-key (passwd:uid owner) (passwd:gid owner))
889 (chmod public-key #o444))
890 (else
891 (format (current-error-port)
892 "Failed to create public key at ~a.\n" public-key)))))
893 (let ((user (getpwnam "lp")))
894 (mkdir-p/perms "/var/run/cups" user #o755)
895 (mkdir-p/perms "/var/spool/cups" user #o755)
896 (mkdir-p/perms "/var/spool/cups/tmp" user #o755)
897 (mkdir-p/perms "/var/log/cups" user #o755)
898 (mkdir-p/perms "/etc/cups" user #o755)
899 (mkdir-p/perms "/etc/cups/ssl" user #o700)
900 ;; This certificate is used for HTTPS connections to the CUPS web
901 ;; interface.
902 (create-self-signed-certificate-if-absent
903 #:private-key "/etc/cups/ssl/localhost.key"
904 #:public-key "/etc/cups/ssl/localhost.crt"
905 #:owner (getpwnam "root")
906 #:common-name (format #f "CUPS service on ~a" (gethostname)))))))
907
908(define (union-directory name packages paths)
909 (computed-file
910 name
911 (with-imported-modules '((guix build utils))
912 #~(begin
913 (use-modules (guix build utils)
914 (srfi srfi-1))
915 (mkdir #$output)
916 (for-each
917 (lambda (package)
918 (for-each
919 (lambda (path)
920 (for-each
921 (lambda (src)
922 (let* ((tail (substring src (string-length package)))
923 (dst (string-append #$output tail)))
924 (mkdir-p (dirname dst))
925 ;; CUPS currently symlinks in some data from cups-filters
926 ;; to its output dir. Probably we should stop doing this
927 ;; and instead rely only on the CUPS service to union the
928 ;; relevant set of CUPS packages.
929 (if (file-exists? dst)
930 (format (current-error-port) "warning: ~a exists\n" dst)
931 (symlink src dst))))
4ce8860d 932 (find-files (string-append package path) #:stat stat)))
f2ec23d1
AW		 933 (list #$@paths)))
934 (list #$@packages))
935 #t))))
936
937(define (cups-server-bin-directory extensions)
938 "Return the CUPS ServerBin directory, containing binaries for CUPS and all
939extensions that it uses."
940 (union-directory "cups-server-bin" extensions
941 ;; /bin
942 '("/lib/cups" "/share/ppd" "/share/cups")))
943
944(define (cups-shepherd-service config)
945 "Return a list of <shepherd-service> for CONFIG."
946 (let* ((cupsd.conf-str
947 (cond
948 ((opaque-cups-configuration? config)
949 (opaque-cups-configuration-cupsd.conf config))
950 (else
951 (with-output-to-string
952 (lambda ()
953 (serialize-configuration config
954 cups-configuration-fields))))))
955 (cups-files.conf-str
956 (cond
957 ((opaque-cups-configuration? config)
958 (opaque-cups-configuration-cups-files.conf config))
959 (else
960 (with-output-to-string
961 (lambda ()
962 (serialize-configuration
963 (cups-configuration-files-configuration config)
964 files-configuration-fields))))))
965 (cups (if (opaque-cups-configuration? config)
966 (opaque-cups-configuration-cups config)
967 (cups-configuration-cups config)))
968 (server-bin
969 (cups-server-bin-directory
970 (cons cups
971 (cond
972 ((opaque-cups-configuration? config)
973 (opaque-cups-configuration-extensions config))
974 (else
975 (cups-configuration-extensions config))))))
976 ;;"SetEnv PATH " server-bin "/bin" "\n"
977 (cupsd.conf
978 (plain-file "cupsd.conf" cupsd.conf-str))
979 (cups-files.conf
980 (mixed-text-file
981 "cups-files.conf"
982 cups-files.conf-str
983 "CacheDir /var/cache/cups\n"
984 "StateDir /var/run/cups\n"
985 "DataDir " server-bin "/share/cups" "\n"
986 "ServerBin " server-bin "/lib/cups" "\n")))
987 (list (shepherd-service
988 (documentation "Run the CUPS print server.")
989 (provision '(cups))
990 (requirement '(networking))
991 (start #~(make-forkexec-constructor
992 (list (string-append #$cups "/sbin/cupsd")
993 "-f" "-c" #$cupsd.conf "-s" #$cups-files.conf)))
994 (stop #~(make-kill-destructor))))))
995
996(define cups-service-type
997 (service-type (name 'cups)
998 (extensions
999 (list (service-extension shepherd-root-service-type
1000 cups-shepherd-service)
1001 (service-extension activation-service-type
1002 (const %cups-activation))
1003 (service-extension account-service-type
1004 (const %cups-accounts))))
1005
1006 ;; Extensions consist of lists of packages (representing CUPS
1007 ;; drivers, etc) that we just concatenate.
1008 (compose append)
1009
1010 ;; Add extension packages by augmenting the cups-configuration
1011 ;; 'extensions' field.
1012 (extend
1013 (lambda (config extensions)
1014 (cond
1015 ((cups-configuration? config)
1016 (cups-configuration
1017 (inherit config)
1018 (extensions
1019 (append (cups-configuration-extensions config)
1020 extensions))))
1021 (else
1022 (opaque-cups-configuration
1023 (inherit config)
1024 (extensions
1025 (append (opaque-cups-configuration-extensions config)
3d3c5650
LC		 1026 extensions)))))))
1027
86cd3f97
RW		 1028 (default-value (cups-configuration))
1029 (description
1030 "Run the CUPS print server.")))
f2ec23d1
AW		 1031
1032;; A little helper to make it easier to document all those fields.
5305ed20
JL		 1033(define (generate-cups-documentation)
1034 (generate-documentation
f2ec23d1
AW		 1035 `((cups-configuration
1036 ,cups-configuration-fields
1037 (files-configuration files-configuration)
1038 (policies policy-configuration)
1039 (location-access-controls location-access-controls))
1040 (files-configuration ,files-configuration-fields)
1041 (policy-configuration
1042 ,policy-configuration-fields
1043 (operation-access-controls operation-access-controls))
1044 (location-access-controls
1045 ,location-access-control-fields
1046 (method-access-controls method-access-controls))
1047 (operation-access-controls ,operation-access-control-fields)
5305ed20
JL		 1048 (method-access-controls ,method-access-control-fields))
1049 'cups-configuration))
jackhill's copy of GNU Guix: https://guix.gnu.org/