Decommissioned 2026-05-02. VM-SW-03 ran Windows Server 2016 Datacenter and hosted the Windows Print Spooler that served the two HOME-VLAN printers (PI-IO-01 Brother Color, PI-IO-03 Brother Generic). It is replaced by a CUPS container on VM-HM-SVC-PROD-01 (cups.blackreset.com). Spooler service is stopped and disabled; the VM is shut down. Final destruction (Proxmox qm destroy) is deferred until the new CUPS path has been observed stable for ~14 days.
VM-SW-03 was a Windows Server 2016 Datacenter member of the xio.bio AD domain, role: print server. It ran the standard Windows Print Spooler with two queues:
| Queue | Driver | Target device | Network |
|---|---|---|---|
| PI-IO-01 | Brother Color (vendor PCL) | 10.110.100.40:9100 (JetDirect / RAW) | IO VLAN (10.110.100.0/24) |
| PI-IO-03 | Brother Generic | 10.110.100.43:9100 (JetDirect / RAW) | IO VLAN |

Clients reached the queues via Windows shares (\\VM-SW-03\PI-IO-01, \\VM-SW-03\PI-IO-03) advertised over WSD on the LAN. Access control was based on the share-level Windows ACL plus the Print permission on each queue.
Reasons for decommission:
- VM-HM-SVC-PROD-01, VM-HM-SVC-PROD-02) where possible, and Linux is preferred over Windows when there is no hard Windows-only dependency.
- GS-Print-Home, GS-Print-Lager, GS-Print-Admin) work just as well via `libnss-ldapd` + `libpam-ldapd` against the same DC, so user identity continues to live in AD without any change for the end-user side. See Printer Access Policy.

Nothing on the Windows side. The spooler queues, drivers, and share ACLs are discarded. The printers themselves are unchanged (DHCP reservations on the IO VLAN, RAW/9100 listener) and are now driven by CUPS over IPP.

- VM-HM-SVC-PROD-01 (`/opt/cups/`, `compose.yml` + bind-mounted `data/etc`, `data/spool`, etc.). Initial image: `harbor.blackreset.com/dockerhub/olbat/cupsd:stable-2026-04-27-amd64`.
- https://cups.blackreset.com/admin:
  - PI-IO-01 -> `socket://10.110.100.40:9100`, Brother Color driver
  - PI-IO-03 -> `socket://10.110.100.43:9100`, Brother Generic driver
- VM-HM-EDGE-01: cups.blackreset.com -> 10.100.100.102:631, LE cert via HTTP-01 (per policy). Authentik proxy outpost wraps the host for SSO at the perimeter.
- cups.blackreset.com A record -> HM-WAN.
- Infrastructure -> CUPS (`tools/stacks/homepage/data/config/services.yaml`).
- xio.bio -> `CN=Users,DC=xio,DC=bio`:
  - GS-Print-Home (Family / Home printer): A.Korff, F.Korff, H.Korff, L.Korff, M.Korff, R.Korff
  - GS-Print-Lager (Lager printer): A.Korff, J.Placzek, K.Ekelt
  - GS-Print-Admin (CUPS admin): A.Korff
- `harbor.blackreset.com/blackreset/cups:2026-05-02-ldap`. It extends the `olbat/cupsd` base with `libnss-ldapd` + `libpam-ldapd` + `nslcd`, an entrypoint that templates `/etc/nslcd.conf` from env vars, and a PAM `cups` service stack (`pam_ldap.so` -> `pam_unix.so`).
- `compose.yml` updated to use the custom image, with env vars `LDAP_URI=ldaps://10.100.0.10:636`, `LDAP_BASE=DC=xio,DC=bio`, `LDAP_BIND_DN=CN=LDAP,OU=Service,OU=People,DC=xio,DC=bio`, `LDAP_DOMAIN_SID=S-1-5-21-1772646891-3344536544-2798815798`. Bind password is mounted as a Docker secret from `/opt/cups/data/secrets/ldap_bind_pw` (mode 0400, owner root).
- `cupsd.conf` patched (idempotent script `tools/patch-cups-acl.py`):
  - `<Location /admin>` now `Require user @GS-Print-Admin`.
  - `<Policy default>` `<Limit Create-Job Print-Job ...>` block now sets `AuthType Default` + `Require valid-user` so the per-printer Location ACL is consulted at print time instead of being bypassed.
  - `<Location /printers/PI-IO-01>` `Require user @GS-Print-Home`.
  - `<Location /printers/PI-IO-03>` `Require user @GS-Print-Lager`.
- `docker compose up -d` with the new image. Container log shows [entrypoint] nss/ldap OK -- GS-Print-Admin resolves. `getent group GS-Print-Home` returns the AD member list. `cupsd -t` reports cupsd.conf is OK.
- `/printers/PI-IO-01` -> HTTP 403 (was 200).
- `pam_authenticate() returned 7 (Authentication failure)` -> proves PAM/LDAP path is active.
- https://cups.blackreset.com/admin -> HTTP 302 -> Authentik forward-auth challenge (perimeter SSO) -> CUPS Basic-auth challenge against GS-Print-Admin (in-app ACL).
- VM-SW-03 decom:
  - `Stop-Service Spooler ; Set-Service Spooler -StartupType Disabled`
  - `Set-Printer ... -Shared $false` on both queues (defensive in case anyone wakes the VM)

- VM-SW-03: powered off, Spooler stopped + disabled. Still defined in Proxmox-Home (PBS will keep the latest image for one retention cycle).
- VM-HM-SVC-PROD-01: cups container running `harbor.blackreset.com/blackreset/cups:2026-05-02-ldap`, healthy, both queues idle/accepting.
- cups.blackreset.com: live, LE cert, behind Authentik perimeter SSO + in-app `Require user @GS-Print-*` ACL.
- GS-Print-Home, GS-Print-Lager, GS-Print-Admin) populated per the membership policy.

- VM-SW-03 from Proxmox (`qm destroy <vmid>`). Until then, the VM is left defined but powered off so a roll-back is one `qm start` away.
- VM-SW-03$ from xio.bio once the VM is destroyed (`Remove-ADComputer -Identity VM-SW-03`).
- `inventory/vm-sw-03/` to the GitLab `archive/` group and drop the local copy.

- `inventory/vm-sw-03/` -- pre-decom audit (printer drivers, share permissions, services).
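
The cupsd.conf patch step above depends on two things staying true after any later edit: each Location carries its `Require user @group` line, and the default policy's job-submission `<Limit>` requires authentication. The following check is an added example, not the repository's `tools/patch-cups-acl.py`; the function names and both sample configs are constructed for illustration, and the `<Limit>` operation list is shortened to the two operations the page names.

```python
import re

def blocks(text, tag):
    """Return (argument, body) for every <tag argument> ... </tag> block."""
    pat = rf"<{tag}\s+([^>]+?)\s*>(.*?)</{tag}>"
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, text, re.S | re.I)]

def directives(body):
    """Directive lines, whitespace-normalised and lower-cased, comments dropped."""
    stripped = (line.split("#", 1)[0].split() for line in body.splitlines())
    return [" ".join(words).lower() for words in stripped if words]

def audit(conf, expected):
    """expected maps a Location path to the group that must gate it."""
    findings = []
    locations = dict(blocks(conf, "Location"))
    for path, group in expected.items():
        ds = directives(locations.get(path, ""))
        if not any(d.startswith("require user ") and f"@{group.lower()}" in d.split()
                   for d in ds):
            findings.append(f"{path}: no 'Require user @{group}'")
    policy = dict(blocks(conf, "Policy")).get("default", "")
    submit = [(ops, directives(body)) for ops, body in blocks(policy, "Limit")
              if {"create-job", "print-job"} & set(ops.lower().split())]
    if not submit:
        findings.append("policy default: no <Limit> covers Create-Job/Print-Job")
    for ops, ds in submit:
        authed = any(d.startswith("authtype ") and d != "authtype none" for d in ds)
        if not (authed and "require valid-user" in ds):
            findings.append(f"policy default <Limit {ops}>: job submission not authenticated")
    return findings

# Constructed samples: "before" has the per-printer ACLs but an open job-submission Limit.
EXPECTED = {"/admin": "GS-Print-Admin", "/printers/PI-IO-01": "GS-Print-Home",
            "/printers/PI-IO-03": "GS-Print-Lager"}
ACLS = "".join(f"<Location {p}>\n  AuthType Default\n  Require user @{g}\n</Location>\n"
               for p, g in EXPECTED.items())
LIMIT = "<Policy default>\n  <Limit Create-Job Print-Job>\n{body}  </Limit>\n</Policy>\n"
BEFORE = ACLS + LIMIT.format(body="    Order deny,allow\n")
AFTER = ACLS + LIMIT.format(body="    AuthType Default\n    Require valid-user\n")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf, EXPECTED) or "OK")
```

Run against the live file, `audit(open(path).read(), EXPECTED)` should return an empty list; any finding means the ACL state described on this page has drifted.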