Configure CUPS for network access via cupsd.conf

Default cupsd.conf listens on Port 631 (not localhost only) and grants
Allow @Local to all Location and Policy blocks, so containers on cups-net
and LAN hosts can browse, submit, and manage print jobs.

Made-with: Cursor

Author: romkey

apps/cups/README.md

@@ -28,7 +28,8 @@ which ships with a comprehensive set of print filters and supporting programs:
 
 | Mount | Purpose |
 |---|---|
-| `../../lib/cups` → `/config` | All CUPS state: config, spool, logs, per-queue PPDs |
+| `../../lib/cups` → `/config` | All CUPS state: spool, logs, per-queue PPDs |
+| `./config/cupsd.conf` → `/etc/cups/cupsd.conf` (read-only) | Scheduler config; pre-configured to accept connections from `@LOCAL` (all Docker networks and LAN hosts) |
 | `./ppds` → `/usr/share/cups/model/custom` (read-only) | Custom PPD files; any PPD placed here appears as an available driver in the CUPS add-printer wizard |
 
 ## Adding custom PPDs
@@ -49,6 +50,10 @@ cp /path/to/Printer80.ppd apps/cups/ppds/
 ```sh
 cp .env.example .env
 # Edit .env if you need non-default PUID/PGID or TZ
+
+cp config/cupsd.conf.default config/cupsd.conf
+# Edit config/cupsd.conf if you need to restrict or expand access
+
 docker compose up -d
 ```
 

apps/cups/config/cupsd.conf.default

@@ -0,0 +1,96 @@
+# CUPS scheduler configuration
+# Configured for network access from Docker containers and the local subnet.
+# See https://www.cups.org/doc/man-cupsd.conf.html for full reference.
+
+# Listen on all interfaces so other containers and LAN hosts can connect.
+# The default "Listen localhost:631" would block all external access.
+Port 631
+Listen /run/cups/cups.sock
+
+# Allow mDNS/DNS-SD printer discovery on the LAN.
+Browsing Yes
+BrowseLocalProtocols dnssd
+
+# Default log destinations.
+AccessLog syslog
+ErrorLog syslog
+LogLevel warn
+
+# Paths
+ServerRoot /etc/cups
+StateDir /var/lib/cups
+RequestRoot /var/spool/cups
+TempDir /var/spool/cups/tmp
+
+MaxLogSize 0
+
+# Restrict access to the local subnet and Docker networks.
+# @LOCAL matches any interface that is not the loopback and any
+# address on those interfaces — covers both the host LAN and
+# all attached Docker bridge networks.
+<Location />
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin>
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+    Allow @LOCAL
+  </Limit>
+</Policy>

apps/cups/docker-compose.yml

@@ -10,6 +10,7 @@ services:
       TZ: ${TZ:-America/Los_Angeles}
     volumes:
       - ../../lib/cups:/config
+      - ./config/cupsd.conf:/etc/cups/cupsd.conf:ro
       - ./ppds:/usr/share/cups/model/custom:ro
 #   ports:
 #     - 631:631