Jason B.

Remote

CUPS Server-Side Release Setup

Project-Based

Description

  1. Base Environment

Create an isolated environment for printing (dedicated VM preferred, otherwise constrained container or host service). Confirm AlmaLinux 9.x, hostname, internal DNS, and time sync.

Outcome: print stack is isolated from web, mail, and Nextcloud workloads.

  2. Install Core Packages

Install CUPS, cups-filters, IPP support packages, and PDF utilities (e.g. poppler-utils, qpdf). Disable unused print backends.

Outcome: cupsd is running and reachable locally.

  3. Secure Transport (IPPS)

Enable IPP over TLS (IPPS on port 631). Generate or import TLS certificates. Disable non-TLS IPP access. Restrict firewall access to trusted networks.

Outcome: all printing occurs over IPPS.

  4. CUPS Core Configuration

Configure cupsd.conf to restrict admin access, disable unnecessary sharing, and set sensible logging levels. Define job limits (MaxJobs, MaxJobsPerUser) to avoid runaway queues.

Outcome: CUPS accepts jobs securely and predictably.

  5. Printer Setup

Add physical printers as device queues (IPP preferred). Verify printing and media support for each printer. Apply a consistent naming convention.

Outcome: all printers are reachable and functional.

  6. Logical / Hold Queues

Create logical hold queues (per tenant or site). Ensure jobs are held on submission and do not print automatically.

Outcome: jobs reliably enter a held state awaiting release.

  7. Default Printer Routing Logic

Define default printer mappings per user, group, or site. Implement printer health checks. Attempt automatic release only when the default printer is healthy; otherwise leave the job held.

Outcome: jobs print automatically when safe, and never fail silently.

  8. Manual Fallback Release

Provide a mechanism to manually release jobs to an alternative printer. Ensure jobs are either re-routed cleanly or duplicated and cleaned up correctly.

Outcome: users can recover from printer failures without reprinting.

  9. Release Portal

Deploy a lightweight web portal. Implement authentication (OIDC, LDAP, or local as appropriate). Allow users to view, release, re-route, or delete their own jobs. Provide basic admin views for printer status and default mappings.

Outcome: users self-manage held jobs securely.

  10. Job Retention & Cleanup

Automatically purge unreleased jobs after a short expiry window. Delete job files immediately after successful printing. Disable long-term job and file preservation.

Outcome: no print data is retained beyond operational need.

  11. Resource Protection

Apply CPU, memory, and I/O limits to print services. Ensure print workloads cannot starve web hosting, SMTP, or Nextcloud.

Outcome: other services remain responsive under print load.

  12. Security Hardening

Restrict access to spool directories. Enforce per-user job visibility in the portal. Prevent direct access to job content. Disallow silent automatic rerouting to other printers.

Outcome: print data remains private and controlled.

  13. Routing Rules (Optional)

Implement routing by page size (A4 vs A3) or page count if required. Ensure routing behaviour is visible and predictable.

Outcome: advanced routing works without surprises.

  14. Monitoring & Health Checks

Monitor queue depth, failed jobs, and printer availability. Alert on sustained queue growth or repeated errors.

Outcome: issues are detected before users are impacted.

  15. Validation

Test normal printing, printer failure handling, manual fallback, and job expiry. Confirm no performance degradation to web hosting, mail, or Nextcloud.

Outcome: behaviour matches requirements under load.
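A sketch of the release decision described under Default Printer Routing Logic, Manual Fallback Release, and Security Hardening, added here as an illustration and not part of the original brief. The `Printer` and `Job` records, the `plan_release` function, the printer names, and the choice of `lpmove` followed by `lp -H resume` to move a job from a hold queue to a device queue are all assumptions.

```python
from dataclasses import dataclass

# IPP printer-state values (RFC 8011): 3 = idle, 4 = processing, 5 = stopped.
HEALTHY_STATES = {3, 4}

@dataclass(frozen=True)
class Printer:
    state: int        # IPP printer-state
    accepting: bool   # IPP printer-is-accepting-jobs

@dataclass(frozen=True)
class Job:
    job_id: int
    owner: str

def is_healthy(printer):
    return printer is not None and printer.accepting and printer.state in HEALTHY_STATES

def plan_release(job, requester, printers, defaults, target=None):
    """Return (decision, commands); commands are argv lists, never shell strings.

    target=None is the automatic path: release to the owner's default printer.
    A named target is a manual fallback the user picked explicitly, so the
    code never chooses an alternative printer on its own.
    """
    if requester != job.owner:
        return ("denied", [])          # users act only on their own jobs
    dest = target if target is not None else defaults.get(job.owner)
    # Looking dest up in the known-printer map also rejects arbitrary strings,
    # so nothing user-supplied reaches the command line unchecked.
    if not is_healthy(printers.get(dest)):
        return ("held", [])            # unhealthy or unknown: job stays held
    return ("release", [
        ["lpmove", str(job.job_id), dest],              # hold queue -> device queue
        ["lp", "-i", str(job.job_id), "-H", "resume"],  # lift the hold
    ])

# Constructed sample data (hypothetical printer and user names).
PRINTERS = {"site1-colour-01": Printer(5, True), "site1-mono-02": Printer(3, True)}
DEFAULTS = {"alice": "site1-colour-01", "bob": "site1-mono-02"}

if __name__ == "__main__":
    job = Job(41, "alice")
    print(plan_release(job, "alice", PRINTERS, DEFAULTS))                   # default is stopped
    print(plan_release(job, "alice", PRINTERS, DEFAULTS, "site1-mono-02"))  # manual fallback
```

The caller would pass each returned argv list to `subprocess.run` without a shell and log the decision, so a held job is always visible to the user.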

Final Acceptance Statement

Print jobs are securely held, released to a default printer when available, manually re-released when not, automatically cleaned up, and isolated so they do not impact other server services.

Budget: GBP 30 (Fixed Price)

Proposals: 3 freelancers have applied

Skills

TLS, Security