From bee997577b828bda45b9d84e7717346048a7af31 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Sat, 9 Dec 2023 23:41:20 -0800
Subject: [PATCH] Add cups back to the image and disable it by default. Include a just command to enable it if the user chooses.
---
 config/common/common-packages.yml | 8 --------
 config/common/common-scripts.yml | 1 +
 config/files/usr/share/ublue-os/firstboot/yafti.yml | 9 +++++++++
 config/files/usr/share/ublue-os/just/60-custom.just | 7 +++++++
 config/scripts/disablecups.sh | 3 +++
 5 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 config/scripts/disablecups.sh
diff --git a/config/common/common-packages.yml b/config/common/common-packages.yml
index e820ce7..0d0bd35 100644
--- a/config/common/common-packages.yml
+++ b/config/common/common-packages.yml
@@ -21,14 +21,6 @@ remove:
 - toolbox
 - distrobox
 - podman
- - hplip
- - braille-printer-app
- - libppd
- - cups
- - gutenprint-cups
- - cups-browsed
- - bluez-cups
- - cups-filters
 - open-vm-tools
 - open-vm-tools-desktop
 - fedora-flathub-remote
diff --git a/config/common/common-scripts.yml b/config/common/common-scripts.yml
index ad1b152..407b31b 100644
--- a/config/common/common-scripts.yml
+++ b/config/common/common-scripts.yml
@@ -1,5 +1,6 @@
 type: script
 scripts:
 - authselect.sh
+ - disablecups.sh
 # this sets up the proper policy & signing files for signed images to work
 - signing.sh
\ No newline at end of file
diff --git a/config/files/usr/share/ublue-os/firstboot/yafti.yml b/config/files/usr/share/ublue-os/firstboot/yafti.yml
index ebf3968..5724ab1 100644
--- a/config/files/usr/share/ublue-os/firstboot/yafti.yml
+++ b/config/files/usr/share/ublue-os/firstboot/yafti.yml
@@ -19,6 +19,15 @@ screens:
 actions:
 - run: just set-kargs-hardening
+ can-we-enable-printing:
+ source: yafti.screen.consent
+ values:
+ title: Printing
+ description: |
+ The cups printing service is disabled by default to reduce attack surface. If you need printing support, run "just enable-cups" manually.
+ actions:
+ - run: just enable-cups
+
 can-we-harden-your-flatpaks:
 source: yafti.screen.consent
 values:
diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just
index 989534f..6c9164d 100644
--- a/config/files/usr/share/ublue-os/just/60-custom.just
+++ b/config/files/usr/share/ublue-os/just/60-custom.just
@@ -6,3 +6,10 @@ set-kargs-hardening:
 harden-flatpak:
 flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
+
+enable-cups:
+ firewall-cmd --add-service=cups --permanent
+ firewall-cmd --reload
+ systemctl unmask cups
+ systemctl enable cups
+ systemctl start cups
diff --git a/config/scripts/disablecups.sh b/config/scripts/disablecups.sh
new file mode 100644
index 0000000..68d8206
--- /dev/null
+++ b/config/scripts/disablecups.sh
@@ -0,0 +1,3 @@
+echo "Disabling the print service"
+systemctl disable cups
+systemctl mask cups
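Review bot: The description on the can-we-enable-printing screen tells the user to run "just enable-cups" manually, but the screen's action runs `just enable-cups` itself, so the text does not describe what giving consent does. It also leaves out that the recipe added in 60-custom.just permanently adds the cups service to firewalld, which is the detail a user weighing attack surface needs to see before accepting. I would reword it along the lines of `Printing (cups) is disabled by default to reduce attack surface. Accepting starts cups and opens the cups firewall service; you can also run "just enable-cups" later.`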
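Review bot: `firewall-cmd --add-service=cups --permanent` in enable-cups opens inbound IPP on the host, which is what sharing this machine's printers with others requires; printing to a USB or network printer is outbound and should not need it, so the recipe exposes more than "printing support" implies. I would drop the two firewall-cmd lines, or move them to a separate recipe such as `enable-cups-sharing` that a user opts into deliberately. There is also no inverse recipe; a `disable-cups` that stops, disables and masks cups again and removes the firewall service would give users a way back. The recipe calls firewall-cmd and systemctl without any privilege escalation, and whether yafti or just runs it as root is not visible in this hunk.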
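Review bot: disablecups.sh disables and masks only `cups`, while the package-list change in this same commit also brings cups-browsed back into the image, and that package ships its own service unit. If the base image's presets enable it (not visible here), it would keep running and listening with cups masked; `systemctl disable cups cups-browsed` and `systemctl mask cups cups-browsed` would cover it, and cups.socket and cups.path could be disabled too so that nothing is left trying to activate the masked service. The script also has no shebang or `set -euo pipefail`, so a failing `systemctl disable` would go unnoticed as long as the final command succeeds.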