Add cups back to the image and disable it by default. Include a just command to enable it if the user chooses.

config/common/common-packages.yml

@@ -21,14 +21,6 @@ remove:
   - toolbox
   - distrobox
   - podman
-  - hplip
-  - braille-printer-app
-  - libppd
-  - cups
-  - gutenprint-cups
-  - cups-browsed
-  - bluez-cups
-  - cups-filters
   - open-vm-tools
   - open-vm-tools-desktop
   - fedora-flathub-remote

config/common/common-scripts.yml

@@ -1,5 +1,6 @@
 type: script
 scripts:
   - authselect.sh
+  - disablecups.sh
   # this sets up the proper policy & signing files for signed images to work
   - signing.sh

config/files/usr/share/ublue-os/firstboot/yafti.yml

@@ -19,6 +19,15 @@ screens:
       actions:
         - run: just set-kargs-hardening
 
+  can-we-enable-printing:
+    source: yafti.screen.consent
+    values:
+      title: Printing
+      description: |
+        The cups printing service is disabled by default to reduce attack surface. If you need printing support, run "just enable-cups" manually.
+      actions:
+        - run: just enable-cups
+
   can-we-harden-your-flatpaks:
     source: yafti.screen.consent
     values:

config/files/usr/share/ublue-os/just/60-custom.just

@@ -6,3 +6,10 @@ set-kargs-hardening:
 
 harden-flatpak:
     flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
+
+enable-cups:
+    firewall-cmd --add-service=cups --permanent 
+    firewall-cmd --reload 
+    systemctl unmask cups
+    systemctl enable cups
+    systemctl start cups

config/scripts/disablecups.sh

@@ -0,0 +1,3 @@
+echo "Disabling the print service"
+systemctl disable cups
+systemctl mask cups