From c87c860ae554bfaf2f9449aba7af12540b1ababc Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 21 Mar 2022 00:25:59 +0100 Subject: [PATCH] Update settings Signed-off-by: Yohann D'ANELLO --- group_vars/printer.yml | 19 +++++-- roles/printer/tasks/main.yml | 4 +- .../django-printer/settings_local.py.j2 | 52 +++++++++++++++++++ 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/group_vars/printer.yml b/group_vars/printer.yml index 1c0ae57f..24caf111 100644 --- a/group_vars/printer.yml +++ b/group_vars/printer.yml @@ -27,12 +27,22 @@ glob_printer: note_id: 2088 note_alias: 'Crans' printer_name: 'Lexmark_X950_Series' + domain: "{{ query('ldap', 'ip', 'printer', 'lp') | ipv4 | first }}" + scan_server: + address: "{{ query('ldap', 'ip', ansible_hostname, 'lp') | ipv4 | first }}" + port: 9751 debug: false owner: root group: _nounou version: main settings_local_owner: www-data settings_local_group: _nounou + ldap: + uri: "ldaps://{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}/" + dn_template: uid=%(user)s,ou=passwd,dc=crans,dc=org + group_search: ou=group,dc=crans,dc=org + read_group: cn=_user,ou=group,dc=crans,dc=org + write_group: cn=_nounou,ou=group,dc=crans,dc=org loc_nginx: service_name: printer @@ -43,14 +53,17 @@ loc_nginx: server_name: - "helloworld.crans.org" - "imprimante.crans.org" + additional_params: + - "client_max_body_size 100M" locations: - filter: "/static" params: - - "alias {% if printer.version == 'main' %}/var/lib/django-printer/static/{% else %}/var/local/django-printer/static/{% endif %}" + - "alias /var/lib/django-printer/static/" - - filter: "/media" + - filter: "/protected/files" params: - - "alias {% if printer.version == 'main' %}/var/lib/django-printer/media/{% else %}/var/local/django-printer/media/{% endif %}" + - "internal" + - "alias /var/lib/django-printer/files/" - filter: "/doc" params: diff --git a/roles/printer/tasks/main.yml b/roles/printer/tasks/main.yml index 2f61ae2a..9412bcd6 100644 
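Review bot: `ldap.uri` in the first `group_vars/printer.yml` hunk is built as `ldaps://<IPv4>/` from `query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first`, so the client connects by address and a certificate issued for the server's hostname cannot pass name checking. This may be why the settings template in this patch relaxes `OPT_X_TLS_REQUIRE_CERT`, though that is inferred. Putting the directory server's DNS name in the URI would let verification stay on. The same `| first` pattern on `domain` and `scan_server.address` leaves the value undefined when the lookup returns no IPv4 address; a comment such as `# requires an IPv4 record for this host in the ldap inventory` would document that dependency.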
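Review bot: `client_max_body_size 100M` is added under `additional_params` in the `loc_nginx` hunk, which by its name appears to apply to the whole server block rather than to the upload path, so every endpoint would accept 100 MB request bodies. If the nginx role accepts the directive in a location's `params`, as the `locations` entries suggest, scoping it to the upload location keeps the default limit elsewhere. The new `/protected/files` location is marked `internal`; a comment such as `# served only through X-Accel-Redirect after the application's access check` would record why, assuming that is how the application hands files out. The `locations` list continues outside the hunk.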
--- a/roles/printer/tasks/main.yml +++ b/roles/printer/tasks/main.yml @@ -12,12 +12,14 @@ - cups - gettext - python3-authlib + - python3-cups - python3-django + - python3-django-auth-ldap + - python3-django-crispy-forms - python3-django-extensions - python3-docutils - python3-ipython - python3-pip - - python3-cups - python3-psycopg2 - python3-pypdf2 - python3-requests diff --git a/roles/printer/templates/django-printer/settings_local.py.j2 b/roles/printer/templates/django-printer/settings_local.py.j2 index f206cf28..bba2029a 100644 --- a/roles/printer/templates/django-printer/settings_local.py.j2 +++ b/roles/printer/templates/django-printer/settings_local.py.j2 @@ -1,5 +1,9 @@ {{ ansible_header | comment }} +# Uncomment if you use LDAP login +import ldap +from django_auth_ldap.config import LDAPSearch, PosixGroupType + # A secret key used by the server. SECRET_KEY = "{{ printer.django_secret_key }}" @@ -13,6 +17,10 @@ ADMINS = [{% for admin in printer.admins %}{{ admin }}, {% endfor %}] # The list of hostname the server will respond to. ALLOWED_HOSTS = [{% for host in printer.allowed_hosts %}'{{ host }}', {% endfor %}] +OPTIONAL_APPS = [ + 'django_extensions', +] + # The storage systems parameters to use DATABASES = { 'default': { # The DB 
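Review bot: The comment `# Uncomment if you use LDAP login` added at the top of `settings_local.py.j2` no longer matches the code, because `import ldap` and the `django_auth_ldap.config` import below it are active rather than commented out. Every host rendered from this template therefore needs both modules importable or the settings module fails to load (the `tasks/main.yml` hunk installs `python3-django-auth-ldap`). I would reword it to `# LDAP login is enabled: python-ldap and django-auth-ldap are required`, and do the same for `# Uncomment and adapt to use a LDAP server for authentication` in the last hunk.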
@@ -44,3 +52,47 @@ DEFAULT_FROM_EMAIL = '{{ printer.email.from_full }}'
 NOTE_KFET_URL = "{{ printer.note.url }}"
 NOTE_KFET_CLIENT_ID = "{{ printer.note.client_id }}"
 NOTE_KFET_CLIENT_SECRET = "{{ printer.note.client_secret }}"
+
+# This is the common name of the printer that is installed in the CUPS server
+PRINTER_NAME = 'Lexmark_X950_Series'
+
+# Is contacted for scanning. May be HTTP or HTTPS.
+PRINTER_HTTP_SERVER = 'https://{{ printer.domain }}'
+# Certificates may be not verified because they are unverifiable
+# due to obsolete machines.
+CHECK_HTTPS_CERTIFICATE = False
+
+# To avoid spam, you can define the maximum scanning jobs a user can request.
+# If set to 0, no limit is applied.
+MAX_SIMULTANEOUS_SCANNING_JOBS = 5
+
+# This address is the address of the server that will receive the scanned file.
+# This may be allowed in your firewall and contactable by the printer.
+SCANNER_SERVER_ADDRESS = {{ printer.scan_server.address|tojson }}
+SCANNER_SERVER_PORT = {{ printer.scan_server.port }}
+
+# Uncomment and adapt to use a LDAP server for authentication
+AUTHENTICATION_BACKENDS = ["django_auth_ldap.backend.LDAPBackend"]
+AUTH_LDAP_SERVER_URI = {{ printer.ldap.uri|tojson }}
+AUTH_LDAP_CONNECTION_OPTIONS = {
+ ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW,
+ ldap.OPT_X_TLS_NEWCTX: 0,
+ ldap.OPT_REFERRALS: 0,
+}
+AUTH_LDAP_USER_DN_TEMPLATE = {{ printer.ldap.dn_template|tojson }}
+
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ {{ printer.ldap.group_search|tojson }},
+ ldap.SCOPE_SUBTREE,
+ "(objectClass=posixGroup)",
+# )
+
+AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+
+AUTH_LDAP_MIRROR_GROUPS = True
+
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ "is_active": {{ printer.ldap.read_group|tojson }},
+ "is_staff": {{ printer.ldap.read_group|tojson }},
+ "is_superuser": {{ printer.ldap.write_group|tojson }},
+}
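Review bot: The `LDAPSearch(` call assigned to `AUTH_LDAP_GROUP_SEARCH` is never closed, because its closing parenthesis is still commented out as `# )`; the rendered settings file will not parse, so that line should read `)`. In the same hunk `ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW` lets the LDAPS session continue with a certificate that fails validation, and user passwords travel over that session in the bind; adding `ldap.OPT_X_TLS_CACERTFILE: "<path to CA bundle>"` before `ldap.OPT_X_TLS_NEWCTX` and switching to `ldap.OPT_X_TLS_DEMAND` would keep the check. `CHECK_HTTPS_CERTIFICATE = False` does the same for the printer connection, and its comment gives the reason; if the printer's certificate is stable, trusting that one certificate would be preferable to skipping verification. `is_staff` is also mapped to `read_group`, so every member of that group receives the staff flag, which is worth confirming as intended.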