feat(bluesky): fix CORS by serving /config same-origin and pinning BAPP_CONFIG_URL

- Add `server.config_upstream_url` default in `roles/web-app-bluesky/config/main.yml`
  to define upstream for /config (defaults to https://ip.bsky.app/config).
- Introduce front-proxy injection `extra_locations.conf.j2` that:
  - proxies `/config` to the upstream,
  - sets SNI and correct Host header,
  - normalizes CORS headers for same-origin consumption.
- Wire the proxy injection only for the Web domain in
  `roles/web-app-bluesky/tasks/main.yml` via `proxy_extra_configuration`.
- Force fresh social-app checkout and patch
  `src/state/geolocation.tsx` to `const BAPP_CONFIG_URL = '/config'`
  in `roles/web-app-bluesky/tasks/02_social_app.yml`; notify `docker compose build` and `up`.
- Tidy and re-group PDS env in `roles/web-app-bluesky/templates/env.j2` (no functional change).
- Add vars in `roles/web-app-bluesky/vars/main.yml`:
  - `BLUESKY_FRONT_PROXY_CONTENT` (renders the extra locations),
  - `BLUESKY_CONFIG_UPSTREAM_URL` (reads `server.config_upstream_url`).

Security/Scope:
- Only affects the Bluesky web frontend (same-origin `/config`); PDS/API and AppView remain unchanged.

Refs:
- Conversation: https://chatgpt.com/share/68b8dd3a-2100-800f-959e-1495f6320aab

roles/web-app-bluesky/config/main.yml

@@ -5,6 +5,7 @@ features:
   central_database: false
   logout:           true
 server:
+  config_upstream_url: "https://ip.bsky.app/config"
   domains:
     canonical:
       web:  "bskyweb.{{ PRIMARY_DOMAIN }}"
@@ -33,7 +34,7 @@ docker:
     database:
       enabled: false
     web:
-      enabled: true # @see https://github.com/bluesky-social/social-app
+      enabled: true  # @see https://github.com/bluesky-social/social-app
     view:
       enabled: false
     pds:

roles/web-app-bluesky/tasks/02_social_app.yml

@@ -3,6 +3,16 @@
     repo: "https://github.com/bluesky-social/social-app.git"
     dest: "{{ BLUESKY_SOCIAL_APP_DIR }}"
     version: "main"
+    force: true
   notify:
     - docker compose up
     - docker compose build
+
+- name: Force BAPP_CONFIG_URL to same-origin /config
+  ansible.builtin.replace:
+    path: "{{ BLUESKY_SOCIAL_APP_DIR }}/src/state/geolocation.tsx"
+    regexp: '^\s*const\s+BAPP_CONFIG_URL\s*=\s*.*$'
+    replace: "const BAPP_CONFIG_URL = '/config'"
+  notify:
+    - docker compose build
+    - docker compose up

roles/web-app-bluesky/tasks/main.yml

@@ -15,8 +15,9 @@
   include_role:
     name: sys-stk-front-proxy
   vars:
-    domain: "{{ BLUESKY_WEB_DOMAIN }}"
+    domain:                     "{{ BLUESKY_WEB_DOMAIN }}"
-    http_port: "{{ BLUESKY_WEB_PORT }}"
+    http_port:                  "{{ BLUESKY_WEB_PORT }}"
+    proxy_extra_configuration:  "{{ BLUESKY_FRONT_PROXY_CONTENT }}"
   when: BLUESKY_WEB_ENABLED | bool
 
 - name: "Include front proxy for {{ BLUESKY_VIEW_DOMAIN }}:{{ BLUESKY_VIEW_PORT }}"

roles/web-app-bluesky/templates/env.j2

@@ -1,21 +1,30 @@
+# General
 PDS_HOSTNAME="{{ BLUESKY_API_DOMAIN }}"
-PDS_ADMIN_EMAIL="{{ BLUESKY_ADMIN_EMAIL }}"
-PDS_SERVICE_DID="did:web:{{ BLUESKY_API_DOMAIN }}"
-
-# See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
-PDS_SERVICE_HANDLE_DOMAINS=".{{ PRIMARY_DOMAIN }}"
-PDS_JWT_SECRET="{{ BLUESKY_JWT_SECRET }}"
-PDS_ADMIN_PASSWORD="{{ BLUESKY_ADMIN_PASSWORD }}"
-PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{ BLUESKY_ROTATION_KEY }}"
 PDS_CRAWLERS=https://bsky.network
-PDS_EMAIL_SMTP_URL=smtps://{{ users['no-reply'].email }}:{{ users['no-reply'].mailu_token }}@{{ SYSTEM_EMAIL.HOST }}:{{ SYSTEM_EMAIL.PORT }}/
-PDS_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }}
 LOG_ENABLED={{ MODE_DEBUG | string | lower }}
 PDS_BLOBSTORE_DISK_LOCATION={{ BLUESKY_PDS_BLOBSTORE_LOCATION }}
 PDS_DATA_DIRECTORY={{ BLUESKY_PDS_DATA_DIR }}
 PDS_BLOB_UPLOAD_LIMIT=52428800
 PDS_DID_PLC_URL=https://plc.directory
+
+# See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
+PDS_SERVICE_HANDLE_DOMAINS=".{{ PRIMARY_DOMAIN }}"
+PDS_SERVICE_DID="did:web:{{ BLUESKY_API_DOMAIN }}"
+
+# Email
+PDS_ADMIN_EMAIL="{{ BLUESKY_ADMIN_EMAIL }}"
+PDS_EMAIL_SMTP_URL=smtps://{{ users['no-reply'].email }}:{{ users['no-reply'].mailu_token }}@{{ SYSTEM_EMAIL.HOST }}:{{ SYSTEM_EMAIL.PORT }}/
+PDS_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }}
+
+# Credentials
+PDS_JWT_SECRET="{{ BLUESKY_JWT_SECRET }}"
+PDS_ADMIN_PASSWORD="{{ BLUESKY_ADMIN_PASSWORD }}"
+PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{ BLUESKY_ROTATION_KEY }}"
+
+# View
 PDS_BSKY_APP_VIEW_URL={{ BLUESKY_VIEW_URL }}
 PDS_BSKY_APP_VIEW_DID={{ BLUESKY_VIEW_DID }}
+
+# Report
 PDS_REPORT_SERVICE_URL=https://mod.bsky.app
 PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac

roles/web-app-bluesky/templates/extra_locations.conf.j2

@@ -0,0 +1,16 @@
+# Injected by web-app-bluesky (same pattern as web-app-yourls)
+# Exposes a same-origin /config to avoid CORS when the social-app fetches config.
+location = /config {
+    proxy_pass {{ BLUESKY_CONFIG_UPSTREAM_URL }};
+    # Nur Hostname extrahieren:
+    set $up_host "{{ BLUESKY_CONFIG_UPSTREAM_URL | regex_replace('^https?://', '') | regex_replace('/.*$', '') }}";
+    proxy_set_header Host $up_host;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_ssl_server_name on;
+
+    # Make response clearly same-origin for browsers
+    proxy_hide_header Access-Control-Allow-Origin;
+    add_header Access-Control-Allow-Origin $scheme://$host always;
+    add_header Vary Origin always;
+}

roles/web-app-bluesky/vars/main.yml

@@ -43,3 +43,6 @@ BLUESKY_ROTATION_KEY:           "{{ applications | get_app_conf(application_id,
 BLUESKY_ADMIN_EMAIL:            "{{ users.administrator.email }}"
 BLUESKY_ADMIN_PASSWORD:         "{{ users.administrator.password }}"
 
+# Front proxy
+BLUESKY_FRONT_PROXY_CONTENT:    "{{ lookup('template', 'extra_locations.conf.j2') }}"
+BLUESKY_CONFIG_UPSTREAM_URL:    "{{ applications | get_app_conf(application_id, 'server.config_upstream_url') }}"