Merge branch 'main' of github.com:romkey/pdxhackerspace-hackstack

Author: romkey

.gitignore

@@ -11,141 +11,10 @@
 
 *~
 
-lib/**
-log/**
-run/**
-
 avahi-dns/services
 
 home-assistant/config/
 
 redis/conf/
 
 upsd/config/
-
-# Patterns from dnsmasq/.gitignore
-dnsmasq/config/dnsmasq.conf
-dnsmasq/config/hosts.d/
-
-# Patterns from rtlamr2mqtt/.gitignore
-rtlamr2mqtt/config.yaml
-
-# Patterns from autogenerate-hosts/.gitignore
-autogenerate-hosts/.env
-autogenerate-hosts/app/npm-hosts
-
-# Patterns from influxdb/.gitignore
-influxdb/config/influx-configs
-
-# Patterns from zigbee2mqtt/.gitignore
-zigbee2mqtt/data/configuration.yaml
-zigbee2mqtt/data/state.json
-zigbee2mqtt/data/database.db
-zigbee2mqtt/data/log/
-
-# Patterns from telegraf/.gitignore
-telegraf/config/telegraf.conf
-
-# Patterns from wiki/.gitignore
-wiki/config.yml
-
-# Patterns from jellyfin/.gitignore
-jellyfin/config/
-
-# Patterns from mopidy/.gitignore
-mopidy/config/mopidy.conf
-
-# Patterns from auto_planka/.gitignore
-auto_planka/*.gem
-auto_planka/*.rbc
-auto_planka//.config
-auto_planka//coverage/
-auto_planka//InstalledFiles
-auto_planka//pkg/
-auto_planka//spec/reports/
-auto_planka//spec/examples.txt
-auto_planka//test/tmp/
-auto_planka//test/version_tmp/
-auto_planka//tmp/
-auto_planka/
-auto_planka/# Used by dotenv library to load environment variables.
-auto_planka/.env*
-auto_planka/
-auto_planka/## Specific to RubyMotion:
-auto_planka/.dat*
-auto_planka/.repl_history
-auto_planka/build/
-auto_planka/*.bridgesupport
-auto_planka/build-iPhoneOS/
-auto_planka/build-iPhoneSimulator/
-auto_planka/
-auto_planka/## Specific to RubyMotion (use of CocoaPods):
-auto_planka/#
-auto_planka/# We recommend against adding the Pods directory to your .gitignore. However
-auto_planka/# you should judge for yourself, the pros and cons are mentioned at:
-auto_planka/# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
-auto_planka/#
-auto_planka/# vendor/Pods/
-auto_planka/
-auto_planka/## Documentation cache and generated files:
-auto_planka//.yardoc/
-auto_planka//_yardoc/
-auto_planka//doc/
-auto_planka//rdoc/
-auto_planka/
-auto_planka/## Environment normalization:
-auto_planka//.bundle/
-auto_planka//vendor/bundle
-auto_planka//lib/bundler/man/
-auto_planka/
-auto_planka/# for a library or gem, you might want to ignore these files since the code is
-auto_planka/# intended to run in multiple environments; otherwise, check them in:
-auto_planka/# Gemfile.lock
-auto_planka/# .ruby-version
-auto_planka/# .ruby-gemset
-auto_planka/
-auto_planka/# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
-auto_planka/.rvmrc
-auto_planka/
-auto_planka/*.json
-auto_planka/
-auto_planka/app/.env
-
-# Patterns from backrest/.gitignore
-backrest/config/config.json*
-
-# Patterns from access-control-webhook/.gitignore
-access-control-webhook/config/.ssh/
-access-control-webhook/config/hooks.json
-access-control-webhook/config/run/automation_rsa
-
-# Patterns from glances/.gitignore
-glances/glances.conf
-glances/glances.pwd
-
-# Patterns from shairport-sync/.gitignore
-shairport-sync/config/shairport-sync.conf
-
-# Patterns from invidious/.gitignore
-invidious/config/config.yml
-invidious/config/sql/
-
-# Patterns from snapserver/.gitignore
-snapserver/config/snapcast.conf
-
-# Patterns from airconnect/.gitignore
-airconnect/config/*.xml
-
-# Patterns from grafana/.gitignore
-grafana/config/grafana.ini
-
-# Patterns from mqtt-explorer/.gitignore
-mqtt-explorer/config/settings.json
-
-# Patterns from mosquitto/.gitignore
-mosquitto/config/mosquitto.conf
-mosquitto/config/mos_passwd
-
-# Patterns from nginx-proxy-manager/.gitignore
-nginx-proxy-manager/config/
-nginx-proxy-manager/letsencrypt/

apps/cups/.env.example

@@ -0,0 +1,8 @@
+# UID/GID the CUPS process runs as inside the container.
+# Match the host user that owns ../../lib/cups if you care about file permissions.
+PUID=1000
+PGID=1000
+
+TZ=America/Los_Angeles
+
+#IMAGE_VERSION=latest

apps/cups/.rsync-exclude

@@ -0,0 +1,87 @@
+# cups
+
+Containerised CUPS print server using the
+[LinuxServer CUPS image](https://docs.linuxserver.io/images/docker-cups/),
+which ships with a comprehensive set of print filters and supporting programs:
+
+| Package | Purpose |
+|---|---|
+| `cups` | Core print server and IPP listener |
+| `cups-filters` | PDF, PostScript, raster, and text filter chain |
+| `ghostscript` | PS/PDF rendering |
+| `poppler-utils` | PDF inspection and conversion |
+| `qpdf` | PDF linearisation and repair |
+| `imagemagick` | Image format conversion (PNG, JPEG, TIFF, …) |
+| `foomatic-db` + `foomatic-db-engine` | Generic printer driver database |
+| `printer-driver-gutenprint` | High-quality open-source raster drivers |
+| `hplip` | HP printer drivers |
+| `libcupsimage2t64` | CUPS raster image library |
+
+## Networks
+
+| Network alias | Actual network | Purpose |
+|---|---|---|
+| `cups` | `cups-net` | Other containers join this to submit print jobs |
+| `proxy` | `nginx-proxy-net` | Reverse proxy access to the CUPS web UI |
+
+## Volumes
+
+| Mount | Purpose |
+|---|---|
+| `../../lib/cups` → `/config` | All CUPS state: spool, logs, per-queue PPDs |
+| `./config/cupsd.conf` → `/etc/cups/cupsd.conf` (read-only) | Scheduler config; pre-configured to accept connections from `@LOCAL` (all Docker networks and LAN hosts) |
+| `./ppds` → `/usr/share/cups/model/custom` (read-only) | Custom PPD files; any PPD placed here appears as an available driver in the CUPS add-printer wizard |
+
+## Adding custom PPDs
+
+Drop `.ppd` files into the `ppds/` directory next to this file.  They are
+mounted read-only into CUPS's model directory and appear automatically under
+**Administration → Add Printer → Choose Driver** the next time you open the
+wizard (no restart required).
+
+Example — adding the Rongta RP326 driver:
+
+```sh
+cp /path/to/Printer80.ppd apps/cups/ppds/
+```
+
+## First-time setup
+
+```sh
+cp .env.example .env
+# Edit .env if you need non-default PUID/PGID or TZ
+
+cp config/cupsd.conf.default config/cupsd.conf
+# Edit config/cupsd.conf if you need to restrict or expand access
+
+docker compose up -d
+```
+
+The CUPS web UI is available at `http://cups:631` from other containers on
+`cups-net`, or via nginx-proxy-manager if you set up a proxy host pointing
+to `cups:631`.
+
+To allow other containers to print without credentials, open the CUPS web UI
+and under **Administration → Server** enable:
+
+- Allow printing from the Internet
+- Allow remote administration
+
+## Adding a printer from another container
+
+Any container that needs to print should join `cups-net`:
+
+```yaml
+networks:
+  cups:
+    external: true
+    name: cups-net
+```
+
+Then configure the app's printer URL as `ipp://cups:631/printers/<queue-name>`.
+
+## Stopping safely
+
+```sh
+docker compose down
+```

apps/cups/README.md

@@ -0,0 +1,96 @@
+# CUPS scheduler configuration
+# Configured for network access from Docker containers and the local subnet.
+# See https://www.cups.org/doc/man-cupsd.conf.html for full reference.
+
+# Listen on all interfaces so other containers and LAN hosts can connect.
+# The default "Listen localhost:631" would block all external access.
+Port 631
+Listen /run/cups/cups.sock
+
+# Allow mDNS/DNS-SD printer discovery on the LAN.
+Browsing Yes
+BrowseLocalProtocols dnssd
+
+# Default log destinations.
+AccessLog syslog
+ErrorLog syslog
+LogLevel warn
+
+# Paths
+ServerRoot /etc/cups
+StateDir /var/lib/cups
+RequestRoot /var/spool/cups
+TempDir /var/spool/cups/tmp
+
+MaxLogSize 0
+
+# Restrict access to the local subnet and Docker networks.
+# @LOCAL matches any interface that is not the loopback and any
+# address on those interfaces — covers both the host LAN and
+# all attached Docker bridge networks.
+<Location />
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin>
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+</Policy>

apps/cups/config/cupsd.conf.default

@@ -0,0 +1,32 @@
+services:
+  cups:
+    image: lscr.io/linuxserver/cups:${IMAGE_VERSION:-latest}
+    container_name: cups
+    hostname: cups
+    restart: unless-stopped
+    environment:
+      PUID: ${PUID:-1000}
+      PGID: ${PGID:-1000}
+      TZ: ${TZ:-America/Los_Angeles}
+    volumes:
+      - ../../lib/cups:/config
+      - ./config/cupsd.conf:/etc/cups/cupsd.conf:ro
+      - ./ppds:/usr/share/cups/model/custom:ro
+#   ports:
+#     - 631:631
+    networks:
+      - cups
+      - proxy
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fSs http://localhost:631/ || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+
+networks:
+  cups:
+    name: cups-net
+  proxy:
+    external: true
+    name: nginx-proxy-net