From 20020cca9292d70d63b3f2f2d0c8054c60b878bc Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 15 May 2025 12:56:22 +0200 Subject: [PATCH] Added more CSP conditions --- filter_plugins/csp_filters.py | 1 + group_vars/all/03_domains.yml | 4 ++-- group_vars/all/08_ports.yml | 4 ++-- group_vars/all/15_about.yml | 2 +- roles/docker-gitea/vars/configuration.yml | 4 +++- roles/docker-matrix-ansible/tasks/main.yml | 8 ++++---- .../templates/vars.yml.j2 | 2 +- roles/docker-matrix-compose/tasks/main.yml | 20 +++++++++---------- .../templates/docker-compose.yml.j2 | 10 +++++----- .../templates/element.config.json.j2 | 4 ++-- .../templates/mautrix/facebook.config.yml.j2 | 2 +- .../templates/mautrix/instagram.config.yml.j2 | 2 +- .../templates/mautrix/signal.config.yml.j2 | 2 +- .../templates/mautrix/slack.config.yml.j2 | 2 +- .../templates/mautrix/telegram.config.yml.j2 | 2 +- .../templates/mautrix/whatsapp.config.yml.j2 | 2 +- .../templates/nginx.conf.j2 | 6 +++--- .../templates/synapse/homeserver.yaml.j2 | 12 +++++------ .../templates/synapse/log.config.j2 | 2 +- .../templates/well-known.j2 | 2 +- .../vars/configuration.yml | 9 ++++++++- roles/docker-moodle/vars/configuration.yml | 3 ++- roles/docker-wordpress/vars/configuration.yml | 10 +++++++--- 23 files changed, 65 insertions(+), 50 deletions(-) diff --git a/filter_plugins/csp_filters.py b/filter_plugins/csp_filters.py index 970b47df..a6fbeb54 100644 --- a/filter_plugins/csp_filters.py +++ b/filter_plugins/csp_filters.py @@ -93,6 +93,7 @@ class FilterModule(object): 'style-src', 'font-src', 'worker-src', + 'manifest-src', ] parts = [] diff --git a/group_vars/all/03_domains.yml b/group_vars/all/03_domains.yml index e68e4890..ef72d3a4 100644 --- a/group_vars/all/03_domains.yml +++ b/group_vars/all/03_domains.yml 
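Review bot: The consumer of this directive list is outside the hunk, so it cannot be seen whether the builder skips directives that have no configured sources or emits a default for each listed name; in the latter case every role would now get a `manifest-src` directive it never declared instead of inheriting `default-src`, which is a policy change for all applications, not just the Gitea role that sets it in this commit. Worth confirming against the loop that fills `parts` and recording the intent on the list, e.g. `# Directives emitted in this order; only names listed here can be populated from csp.whitelist / csp.flags` (hedged: that is what the surrounding role configs suggest, not something this hunk shows). The enclosing method starts before the hunk and continues past it.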
@@ -27,8 +27,8 @@ defaults_domains: mastodon_alternates: - "mastodon.{{primary_domain}}" matomo: "matomo.{{primary_domain}}" - matrix_synapse: "matrix.{{primary_domain}}" - matrix_element: "element.{{primary_domain}}" + synapse: "matrix.{{primary_domain}}" + element: "element.{{primary_domain}}" moodle: "academy.{{primary_domain}}" mediawiki: "wiki.{{primary_domain}}" nextcloud: "cloud.{{primary_domain}}" diff --git a/group_vars/all/08_ports.yml b/group_vars/all/08_ports.yml index 4c6b3376..4b059ae0 100644 --- a/group_vars/all/08_ports.yml +++ b/group_vars/all/08_ports.yml @@ -36,8 +36,8 @@ ports: matomo: 8018 listmonk: 8019 discourse: 8020 - matrix_synapse: 8021 - matrix_element: 8022 + synapse: 8021 + element: 8022 openproject: 8023 gitlab: 8024 akaunting: 8025 diff --git a/group_vars/all/15_about.yml b/group_vars/all/15_about.yml index e8342592..d8764748 100644 --- a/group_vars/all/15_about.yml +++ b/group_vars/all/15_about.yml @@ -19,7 +19,7 @@ defaults_service_provider: bluesky: "{{ '@' ~ users.administrator.username ~ '.' ~ domains.bluesky_api if 'bluesky' in group_names else '' }}" email: "contact@{{ primary_domain }}" mastodon: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.mastodon if 'mastodon' in group_names else '' }}" - matrix: "{{ '@' ~ users.administrator.username ~ ':' ~ domains.matrix_synapse if 'matrix' in group_names else '' }}" + matrix: "{{ '@' ~ users.administrator.username ~ ':' ~ domains.synapse if 'matrix' in group_names else '' }}" peertube: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.peertube if 'peertube' in group_names else '' }}" pixelfed: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.pixelfed if 'pixelfed' in group_names else '' }}" phone: "+0 000 000 404" diff --git a/roles/docker-gitea/vars/configuration.yml b/roles/docker-gitea/vars/configuration.yml index 479f66a2..c999f82b 100644 --- a/roles/docker-gitea/vars/configuration.yml +++ b/roles/docker-gitea/vars/configuration.yml 
@@ -20,4 +20,6 @@ csp: - "data:" - "blob:" worker-src: - - "blob:" \ No newline at end of file + - "blob:" + manifest-src: + - "data:" \ No newline at end of file diff --git a/roles/docker-matrix-ansible/tasks/main.yml b/roles/docker-matrix-ansible/tasks/main.yml index ec997068..c67782f4 100644 --- a/roles/docker-matrix-ansible/tasks/main.yml +++ b/roles/docker-matrix-ansible/tasks/main.yml @@ -3,8 +3,8 @@ include_role: name: nginx-domain-setup loop: - - "{{domains.matrix_element}}" - - "{{domains.matrix_synapse}}" + - "{{domains.element}}" + - "{{domains.synapse}}" loop_control: loop_var: domain @@ -129,13 +129,13 @@ #- name: add log.config # template: # src: "log.config.j2" -# dest: "{{docker_compose.directories.instance}}{{domains.matrix_synapse}}.log.config" +# dest: "{{docker_compose.directories.instance}}{{domains.synapse}}.log.config" # notify: recreate matrix # ## https://github.com/matrix-org/synapse/issues/6303 #- name: set correct folder permissions # command: -# cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.matrix_synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" +# cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" # #- name: add docker-compose.yml # template: diff --git a/roles/docker-matrix-ansible/templates/vars.yml.j2 b/roles/docker-matrix-ansible/templates/vars.yml.j2 index 259fa5f1..71d87bac 100644 --- a/roles/docker-matrix-ansible/templates/vars.yml.j2 +++ b/roles/docker-matrix-ansible/templates/vars.yml.j2 @@ -8,7 +8,7 @@ # because you can't change the Domain after deployment. # # Example value: example.com -matrix_domain: "{{domains.matrix_synapse}}" +matrix_domain: "{{domains.synapse}}" # The Matrix homeserver software to install. # See: 
diff --git a/roles/docker-matrix-compose/tasks/main.yml b/roles/docker-matrix-compose/tasks/main.yml index 0e42f3c1..729fe1a2 100644 --- a/roles/docker-matrix-compose/tasks/main.yml +++ b/roles/docker-matrix-compose/tasks/main.yml @@ -7,8 +7,8 @@ include_role: name: nginx-https-get-cert-modify-all vars: - domain: "{{domains.matrix_synapse}}" - http_port: "{{ports.localhost.http.matrix_synapse}}" + domain: "{{domains.synapse}}" + http_port: "{{ports.localhost.http.synapse}}" - name: create {{well_known_directory}} file: @@ -21,21 +21,21 @@ src: "well-known.j2" dest: "{{well_known_directory}}server" -- name: create {{domains.matrix_synapse}}.conf +- name: create {{domains.synapse}}.conf template: src: "templates/nginx.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf" + dest: "{{nginx.directories.http.servers}}{{domains.synapse}}.conf" vars: - domain: "{{domains.matrix_synapse}}" # Didn't work in the past. May it works now. This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates - http_port: "{{ports.localhost.http.matrix_synapse}}" + domain: "{{domains.synapse}}" # Didn't work in the past. May it works now. This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates + http_port: "{{ports.localhost.http.synapse}}" notify: restart nginx - name: "include role nginx-domain-setup for {{application_id}}" include_role: name: nginx-domain-setup vars: - domain: "{{domains.matrix_element}}" - http_port: "{{ports.localhost.http.matrix_element}}" + domain: "{{domains.element}}" + http_port: "{{ports.localhost.http.element}}" - name: include create-and-seed-database.yml for multiple bridges include_tasks: create-and-seed-database.yml 
@@ -85,13 +85,13 @@ - name: add synapse log configuration template: src: "synapse/log.config.j2" - dest: "{{docker_compose.directories.instance}}{{domains.matrix_synapse}}.log.config" + dest: "{{docker_compose.directories.instance}}{{domains.synapse}}.log.config" notify: docker compose project setup # https://github.com/matrix-org/synapse/issues/6303 - name: set correct folder permissions command: - cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.matrix_synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" + cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" - name: add docker-compose.yml template: diff --git a/roles/docker-matrix-compose/templates/docker-compose.yml.j2 b/roles/docker-matrix-compose/templates/docker-compose.yml.j2 index fe154d57..92080ba8 100644 --- a/roles/docker-matrix-compose/templates/docker-compose.yml.j2 +++ b/roles/docker-matrix-compose/templates/docker-compose.yml.j2 
@@ -11,15 +11,15 @@ services: volumes: - synapse_data:/data - ./homeserver.yaml:/data/homeserver.yaml:ro - - ./{{domains.matrix_synapse}}.log.config:/data/{{domains.matrix_synapse}}.log.config:ro + - ./{{domains.synapse}}.log.config:/data/{{domains.synapse}}.log.config:ro {% for item in bridges %} - {{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml:{{registration_file_folder}}{{item.bridge_name}}.registration.yaml:ro {% endfor %} environment: - - SYNAPSE_SERVER_NAME={{domains.matrix_synapse}} + - SYNAPSE_SERVER_NAME={{domains.synapse}} - SYNAPSE_REPORT_STATS=no ports: - - "127.0.0.1:{{ports.localhost.http.matrix_synapse}}:8008" + - "127.0.0.1:{{ports.localhost.http.synapse}}:8008" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8008/"] interval: 1m @@ -39,7 +39,7 @@ services: volumes: - ./element-config.json:/app/config.json ports: - - "127.0.0.1:{{ports.localhost.http.matrix_element}}:80" + - "127.0.0.1:{{ports.localhost.http.element}}:80" healthcheck: test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/"] interval: 1m @@ -89,7 +89,7 @@ services: # KEYV_URL: '' # KEYV_BOT_ENCRYPTION: 'false' # KEYV_BOT_STORAGE: 'true' -# MATRIX_HOMESERVER_URL: 'https://{{domains.matrix_synapse}}' +# MATRIX_HOMESERVER_URL: 'https://{{domains.synapse}}' # MATRIX_BOT_USERNAME: '@chatgptbot:{{applications.matrix.server_name}}' # MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}' # MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}' diff --git a/roles/docker-matrix-compose/templates/element.config.json.j2 b/roles/docker-matrix-compose/templates/element.config.json.j2 index 6960a15c..87674664 100644 --- a/roles/docker-matrix-compose/templates/element.config.json.j2 +++ b/roles/docker-matrix-compose/templates/element.config.json.j2 
@@ -1,8 +1,8 @@ { "default_server_config": { "m.homeserver": { - "base_url": "{{ web_protocol }}://{{domains.matrix_synapse}}", - "server_name": "{{domains.matrix_synapse}}" + "base_url": "{{ web_protocol }}://{{domains.synapse}}", + "server_name": "{{domains.synapse}}" }, "m.identity_server": { "base_url": "{{ web_protocol }}://{{primary_domain}}" diff --git a/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 index ea9abf4e..826370f4 100644 --- a/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 @@ -143,7 +143,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications.matrix.server_name}}: {{domains.matrix_synapse}} + {{applications.matrix.server_name}}: {{domains.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 index 43192e97..5065007b 100644 --- a/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 @@ -134,7 +134,7 @@ bridge: double_puppet_allow_discovery: false # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. double_puppet_server_map: - {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}} + {{applications.matrix.server_name}}: https://{{domains.synapse}} # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users 
diff --git a/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 index 369cafcc..5d468a25 100644 --- a/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 @@ -141,7 +141,7 @@ bridge: federate_rooms: true # Servers to always allow double puppeting from double_puppet_server_map: - {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}} + {{applications.matrix.server_name}}: https://{{domains.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 index d2ecf717..cc266787 100644 --- a/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 @@ -118,7 +118,7 @@ bridge: # Servers to always allow double puppeting from double_puppet_server_map: - {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}} + {{applications.matrix.server_name}}: https://{{domains.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 index 13f31b04..316f0345 100644 --- a/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 
@@ -198,7 +198,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}} + {{applications.matrix.server_name}}: https://{{domains.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 index cfb20402..eed9a95a 100644 --- a/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 @@ -236,7 +236,7 @@ bridge: force_active_delivery_receipts: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}} + {{applications.matrix.server_name}}: https://{{domains.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/docker-matrix-compose/templates/nginx.conf.j2 b/roles/docker-matrix-compose/templates/nginx.conf.j2 index 48010d36..7b526dee 100644 --- a/roles/docker-matrix-compose/templates/nginx.conf.j2 +++ b/roles/docker-matrix-compose/templates/nginx.conf.j2 
@@ -1,10 +1,10 @@ server { {# Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary #} {# Could be that this is related to the set_fact use #} - {% set domain = domains.matrix_synapse %} - {% set http_port = ports.localhost.http.matrix_synapse %} + {% set domain = domains.synapse %} + {% set http_port = ports.localhost.http.synapse %} - server_name {{domains.matrix_synapse}}; + server_name {{domains.synapse}}; {% include 'roles/letsencrypt/templates/ssl_header.j2' %} # For the federation port diff --git a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 index 2bf4a163..b77ed1fa 100644 --- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 +++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 @@ -17,15 +17,15 @@ database: host: "{{database_host}}" cp_min: 5 cp_max: 10 -log_config: "/data/{{domains.matrix_synapse}}.log.config" +log_config: "/data/{{domains.synapse}}.log.config" media_store_path: "/data/media_store" registration_shared_secret: "{{applications[application_id].credentials.registration_shared_secret}}" report_stats: true macaroon_secret_key: "{{applications[application_id].credentials.macaroon_secret_key}}" form_secret: "{{applications[application_id].credentials.form_secret}}" -signing_key_path: "/data/{{domains.matrix_synapse}}.signing.key" -web_client_location: "{{ web_protocol }}://{{domains.matrix_element}}" -public_baseurl: "{{ web_protocol }}://{{domains.matrix_synapse}}" +signing_key_path: "/data/{{domains.synapse}}.signing.key" +web_client_location: "{{ web_protocol }}://{{domains.element}}" +public_baseurl: "{{ web_protocol }}://{{domains.synapse}}" trusted_key_servers: - server_name: "matrix.org" admin_contact: 'mailto:{{users.administrator.email}}' 
@@ -39,10 +39,10 @@ email: #require_transport_security: true enable_tls: "{{ system_email.tls | upper }}" notif_from: "Your Friendly %(app)s homeserver <{{ users['no-reply'].email }}>" - app_name: "Matrix on {{domains.matrix_synapse}}" + app_name: "Matrix on {{domains.synapse}}" enable_notifs: true notif_for_new_users: false - client_base_url: "{{domains.matrix_synapse}}" + client_base_url: "{{domains.synapse}}" validation_token_lifetime: 15m {% if applications[application_id].features.oidc | bool %} diff --git a/roles/docker-matrix-compose/templates/synapse/log.config.j2 b/roles/docker-matrix-compose/templates/synapse/log.config.j2 index 7a9db843..8865f35a 100644 --- a/roles/docker-matrix-compose/templates/synapse/log.config.j2 +++ b/roles/docker-matrix-compose/templates/synapse/log.config.j2 @@ -8,7 +8,7 @@ handlers: file: class: logging.handlers.RotatingFileHandler formatter: precise - filename: /data/{{domains.matrix_synapse}}.homeserver.log + filename: /data/{{domains.synapse}}.homeserver.log maxBytes: 10485760 backupCount: 3 console: diff --git a/roles/docker-matrix-compose/templates/well-known.j2 b/roles/docker-matrix-compose/templates/well-known.j2 index 2deef963..c3da68b3 100644 --- a/roles/docker-matrix-compose/templates/well-known.j2 +++ b/roles/docker-matrix-compose/templates/well-known.j2 @@ -1,3 +1,3 @@ { - "m.server": "{{domains.matrix_synapse}}:443" + "m.server": "{{domains.synapse}}:443" } \ No newline at end of file diff --git a/roles/docker-matrix-compose/vars/configuration.yml b/roles/docker-matrix-compose/vars/configuration.yml index fa589784..789d5244 100644 --- a/roles/docker-matrix-compose/vars/configuration.yml +++ b/roles/docker-matrix-compose/vars/configuration.yml 
@@ -21,4 +21,11 @@ csp: script-src: unsafe-inline: true style-src: - unsafe-inline: true \ No newline at end of file + unsafe-inline: true + whitelist: + connect-src: + - "{{ domains.element }}" + - "{{ domains.synapse }}" + script-src: + - "{{ domains.element }}" + - "{{ domains.synapse }}" diff --git a/roles/docker-moodle/vars/configuration.yml b/roles/docker-moodle/vars/configuration.yml index a8230ecc..d9d1ba69 100644 --- a/roles/docker-moodle/vars/configuration.yml +++ b/roles/docker-moodle/vars/configuration.yml @@ -19,4 +19,5 @@ csp: whitelist: font-src: - "data:" - - "blob:" \ No newline at end of file + - "blob:" + - "https://cdn.jsdelivr.net" \ No newline at end of file diff --git a/roles/docker-wordpress/vars/configuration.yml b/roles/docker-wordpress/vars/configuration.yml index a4bf56e6..3a89206b 100644 --- a/roles/docker-wordpress/vars/configuration.yml +++ b/roles/docker-wordpress/vars/configuration.yml @@ -19,11 +19,15 @@ features: csp: flags: style-src: - unsafe-inline: true + unsafe-inline: true script-src: - unsafe-inline: true + unsafe-inline: true + unsafe-eval: true whitelist: worker-src: - "blob:" font-src: - - "data:" \ No newline at end of file + - "data:" + script-src: + - "https://cdn.gtranslate.net" + - "{{ domains[application_id] }}" \ No newline at end of file
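Review bot: `script-src` whitelists `{{ domains.synapse }}` alongside the Element domain, but a Matrix web client only needs the homeserver in `connect-src`; it fetches data from Synapse, not executable code. Synapse also serves user-uploaded content under `/_matrix/media` on that same host, so allowing scripts from it widens what an uploaded file could do if it were ever delivered with a script content type (Synapse's own download headers mitigate this, but least privilege here costs nothing). Unless something in the Element config outside this hunk actually loads scripts from the homeserver, keep `script-src: - "{{ domains.element }}"` and leave Synapse in `connect-src` only. Note the `unsafe-inline: true` flag kept in context above means the host list is now the only thing constraining external scripts.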
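Review bot: `https://cdn.jsdelivr.net` is whitelisted as a whole host; for `font-src` the exposure is small, but jsdelivr serves arbitrary npm and GitHub content, so if the filter passes source expressions through unchanged a path-scoped entry such as `https://cdn.jsdelivr.net/npm/` (or the exact font package path Moodle requests) keeps the policy as tight as the use case needs. A one-line comment naming which Moodle feature pulls fonts from jsdelivr would make the entry reviewable when it is revisited.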
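Review bot: Adding `unsafe-eval: true` on top of the existing `unsafe-inline: true` leaves `script-src` with only the host list as protection, since both inline and `eval()`-style execution are now allowed for every whitelisted origin, and the commit does not say which plugin or theme needs `eval`; the `cdn.gtranslate.net` entry added in the same hunk is the likely candidate but that is an inference. Record the reason next to the flag, e.g. `unsafe-eval: true # needed by the gtranslate widget; drop when the plugin is removed`, and confirm the need rather than keeping it by default. Whether `{{ domains[application_id] }}` is redundant depends on the filter emitting `'self'` on its own, which is not visible here; if it does, that entry can go.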