Added more CSP conditions

filter_plugins/csp_filters.py

@@ -93,6 +93,7 @@ class FilterModule(object):
                 'style-src',
                 'font-src',
                 'worker-src',
+                'manifest-src',
             ]
             parts = []
 

group_vars/all/03_domains.yml

@@ -27,8 +27,8 @@ defaults_domains:
   mastodon_alternates:     
     - "mastodon.{{primary_domain}}"
   matomo:                  "matomo.{{primary_domain}}"
-  matrix_synapse:          "matrix.{{primary_domain}}"
-  matrix_element:          "element.{{primary_domain}}"
+  synapse:                 "matrix.{{primary_domain}}"
+  element:                 "element.{{primary_domain}}"
   moodle:                  "academy.{{primary_domain}}"
   mediawiki:               "wiki.{{primary_domain}}"
   nextcloud:               "cloud.{{primary_domain}}"

group_vars/all/08_ports.yml

@@ -36,8 +36,8 @@ ports:
       matomo:           8018
       listmonk:         8019
       discourse:        8020
-      matrix_synapse:   8021
-      matrix_element:   8022
+      synapse:          8021
+      element:          8022
       openproject:      8023
       gitlab:           8024
       akaunting:        8025

group_vars/all/15_about.yml

@@ -19,7 +19,7 @@ defaults_service_provider:
     bluesky: "{{ '@' ~ users.administrator.username ~ '.' ~ domains.bluesky_api if 'bluesky' in group_names else '' }}"
     email: "contact@{{ primary_domain }}"
     mastodon: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.mastodon if 'mastodon' in group_names else '' }}"
-    matrix: "{{ '@' ~ users.administrator.username ~ ':' ~ domains.matrix_synapse if 'matrix' in group_names else '' }}"
+    matrix: "{{ '@' ~ users.administrator.username ~ ':' ~ domains.synapse if 'matrix' in group_names else '' }}"
     peertube: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.peertube if 'peertube' in group_names else '' }}"
     pixelfed: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.pixelfed if 'pixelfed' in group_names else '' }}"
     phone: "+0 000 000 404"

roles/docker-gitea/vars/configuration.yml

@@ -20,4 +20,6 @@ csp:
       - "data:"
       - "blob:"
     worker-src:
-      - "blob:"
+      - "blob:"
+    manifest-src:
+      - "data:"

roles/docker-matrix-ansible/tasks/main.yml

@@ -3,8 +3,8 @@
   include_role: 
     name: nginx-domain-setup
   loop:
-    - "{{domains.matrix_element}}"
-    - "{{domains.matrix_synapse}}"
+    - "{{domains.element}}"
+    - "{{domains.synapse}}"
   loop_control:
     loop_var: domain
 
@@ -129,13 +129,13 @@
 #- name: add log.config
 #  template: 
 #    src:  "log.config.j2" 
-#    dest: "{{docker_compose.directories.instance}}{{domains.matrix_synapse}}.log.config"
+#    dest: "{{docker_compose.directories.instance}}{{domains.synapse}}.log.config"
 #  notify: recreate matrix
 #
 ## https://github.com/matrix-org/synapse/issues/6303
 #- name: set correct folder permissions
 #  command:
-#    cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.matrix_synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'"
+#    cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'"
 #
 #- name: add docker-compose.yml
 #  template: 

roles/docker-matrix-ansible/templates/vars.yml.j2

@@ -8,7 +8,7 @@
 # because you can't change the Domain after deployment.
 #
 # Example value: example.com
-matrix_domain: "{{domains.matrix_synapse}}"
+matrix_domain: "{{domains.synapse}}"
 
 # The Matrix homeserver software to install.
 # See:

roles/docker-matrix-compose/tasks/main.yml

@@ -7,8 +7,8 @@
   include_role:
     name: nginx-https-get-cert-modify-all
   vars:
-    domain:     "{{domains.matrix_synapse}}"
-    http_port:  "{{ports.localhost.http.matrix_synapse}}"
+    domain:     "{{domains.synapse}}"
+    http_port:  "{{ports.localhost.http.synapse}}"
 
 - name: create {{well_known_directory}}
   file:
@@ -21,21 +21,21 @@
     src:  "well-known.j2" 
     dest: "{{well_known_directory}}server"
 
-- name: create {{domains.matrix_synapse}}.conf
+- name: create {{domains.synapse}}.conf
   template: 
     src:  "templates/nginx.conf.j2" 
-    dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"
+    dest: "{{nginx.directories.http.servers}}{{domains.synapse}}.conf"
   vars:
-    domain:     "{{domains.matrix_synapse}}" # Didn't work in the past. May it works now. This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
-    http_port:  "{{ports.localhost.http.matrix_synapse}}"
+    domain:     "{{domains.synapse}}" # Didn't work in the past. May it works now. This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
+    http_port:  "{{ports.localhost.http.synapse}}"
   notify: restart nginx
         
 - name: "include role nginx-domain-setup for {{application_id}}"
   include_role: 
     name: nginx-domain-setup
   vars:        
-    domain:     "{{domains.matrix_element}}"
-    http_port:  "{{ports.localhost.http.matrix_element}}"
+    domain:     "{{domains.element}}"
+    http_port:  "{{ports.localhost.http.element}}"
 
 - name: include create-and-seed-database.yml for multiple bridges
   include_tasks: create-and-seed-database.yml
@@ -85,13 +85,13 @@
 - name: add synapse log configuration
   template: 
     src:  "synapse/log.config.j2" 
-    dest: "{{docker_compose.directories.instance}}{{domains.matrix_synapse}}.log.config"
+    dest: "{{docker_compose.directories.instance}}{{domains.synapse}}.log.config"
   notify: docker compose project setup
 
 # https://github.com/matrix-org/synapse/issues/6303
 - name: set correct folder permissions
   command:
-    cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.matrix_synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'"
+    cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains.synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'"
 
 - name: add docker-compose.yml
   template: 

roles/docker-matrix-compose/templates/docker-compose.yml.j2

@@ -11,15 +11,15 @@ services:
     volumes:
       - synapse_data:/data
       - ./homeserver.yaml:/data/homeserver.yaml:ro
-      - ./{{domains.matrix_synapse}}.log.config:/data/{{domains.matrix_synapse}}.log.config:ro
+      - ./{{domains.synapse}}.log.config:/data/{{domains.synapse}}.log.config:ro
 {% for item in bridges %}
       - {{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml:{{registration_file_folder}}{{item.bridge_name}}.registration.yaml:ro
 {% endfor %}
     environment:
-      - SYNAPSE_SERVER_NAME={{domains.matrix_synapse}}
+      - SYNAPSE_SERVER_NAME={{domains.synapse}}
       - SYNAPSE_REPORT_STATS=no
     ports:
-      - "127.0.0.1:{{ports.localhost.http.matrix_synapse}}:8008"
+      - "127.0.0.1:{{ports.localhost.http.synapse}}:8008"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/"]
       interval: 1m
@@ -39,7 +39,7 @@ services:
     volumes:
       - ./element-config.json:/app/config.json
     ports:
-      - "127.0.0.1:{{ports.localhost.http.matrix_element}}:80"
+      - "127.0.0.1:{{ports.localhost.http.element}}:80"
     healthcheck:
       test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/"]
       interval: 1m
@@ -89,7 +89,7 @@ services:
 #      KEYV_URL: ''
 #      KEYV_BOT_ENCRYPTION: 'false'
 #      KEYV_BOT_STORAGE: 'true'
-#      MATRIX_HOMESERVER_URL: 'https://{{domains.matrix_synapse}}'
+#      MATRIX_HOMESERVER_URL: 'https://{{domains.synapse}}'
 #      MATRIX_BOT_USERNAME: '@chatgptbot:{{applications.matrix.server_name}}'
 #      MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}'
 #      MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}'

roles/docker-matrix-compose/templates/element.config.json.j2

@@ -1,8 +1,8 @@
 {
     "default_server_config": {
         "m.homeserver": {
-            "base_url": "{{ web_protocol }}://{{domains.matrix_synapse}}",
-            "server_name": "{{domains.matrix_synapse}}"
+            "base_url": "{{ web_protocol }}://{{domains.synapse}}",
+            "server_name": "{{domains.synapse}}"
         },
         "m.identity_server": {
             "base_url": "{{ web_protocol }}://{{primary_domain}}"

roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2

@@ -143,7 +143,7 @@ bridge:
     sync_direct_chat_list: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: {{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: {{domains.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth

roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2

@@ -134,7 +134,7 @@ bridge:
     double_puppet_allow_discovery: false
     # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: https://{{domains.synapse}}
     # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
     #
     # If set, custom puppets will be enabled automatically for local users

roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2

@@ -141,7 +141,7 @@ bridge:
     federate_rooms: true
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: https://{{domains.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth

roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2

@@ -118,7 +118,7 @@ bridge:
 
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: https://{{domains.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth

roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2

@@ -198,7 +198,7 @@ bridge:
     sync_direct_chat_list: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: https://{{domains.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth

roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2

@@ -236,7 +236,7 @@ bridge:
     force_active_delivery_receipts: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications.matrix.server_name}}: https://{{domains.matrix_synapse}}
+        {{applications.matrix.server_name}}: https://{{domains.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth

roles/docker-matrix-compose/templates/nginx.conf.j2

@@ -1,10 +1,10 @@
 server {
     {# Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary #}
     {# Could be that this is related to the set_fact use #}
-    {% set domain = domains.matrix_synapse %}
-    {% set http_port = ports.localhost.http.matrix_synapse %}
+    {% set domain = domains.synapse %}
+    {% set http_port = ports.localhost.http.synapse %}
 
-    server_name {{domains.matrix_synapse}};
+    server_name {{domains.synapse}};
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
     
     # For the federation port

roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2

@@ -17,15 +17,15 @@ database:
     host: "{{database_host}}"
     cp_min: 5
     cp_max: 10
-log_config:                     "/data/{{domains.matrix_synapse}}.log.config"
+log_config:                     "/data/{{domains.synapse}}.log.config"
 media_store_path:               "/data/media_store"
 registration_shared_secret:     "{{applications[application_id].credentials.registration_shared_secret}}"
 report_stats:                   true
 macaroon_secret_key:            "{{applications[application_id].credentials.macaroon_secret_key}}"
 form_secret:                    "{{applications[application_id].credentials.form_secret}}"
-signing_key_path:               "/data/{{domains.matrix_synapse}}.signing.key"
-web_client_location:            "{{ web_protocol }}://{{domains.matrix_element}}"
-public_baseurl:                 "{{ web_protocol }}://{{domains.matrix_synapse}}"
+signing_key_path:               "/data/{{domains.synapse}}.signing.key"
+web_client_location:            "{{ web_protocol }}://{{domains.element}}"
+public_baseurl:                 "{{ web_protocol }}://{{domains.synapse}}"
 trusted_key_servers:
   - server_name: "matrix.org"
 admin_contact: 'mailto:{{users.administrator.email}}'
@@ -39,10 +39,10 @@ email:
   #require_transport_security:   true
   enable_tls:                   "{{ system_email.tls | upper }}"
   notif_from:                   "Your Friendly %(app)s homeserver <{{ users['no-reply'].email }}>"
-  app_name:                     "Matrix on {{domains.matrix_synapse}}"
+  app_name:                     "Matrix on {{domains.synapse}}"
   enable_notifs:                true
   notif_for_new_users:          false
-  client_base_url:              "{{domains.matrix_synapse}}"
+  client_base_url:              "{{domains.synapse}}"
   validation_token_lifetime:    15m
 
 {% if applications[application_id].features.oidc | bool %}

roles/docker-matrix-compose/templates/synapse/log.config.j2

@@ -8,7 +8,7 @@ handlers:
   file:
     class: logging.handlers.RotatingFileHandler
     formatter: precise
-    filename: /data/{{domains.matrix_synapse}}.homeserver.log
+    filename: /data/{{domains.synapse}}.homeserver.log
     maxBytes: 10485760
     backupCount: 3
   console:

roles/docker-matrix-compose/templates/well-known.j2

@@ -1,3 +1,3 @@
 {
-    "m.server": "{{domains.matrix_synapse}}:443"
+    "m.server": "{{domains.synapse}}:443"
 }

roles/docker-matrix-compose/vars/configuration.yml

@@ -21,4 +21,11 @@ csp:
     script-src:
       unsafe-inline: true
     style-src:
-      unsafe-inline: true
+      unsafe-inline: true
+  whitelist:
+    connect-src:
+      - "{{ domains.element }}"
+      - "{{ domains.synapse }}"
+    script-src:
+      - "{{ domains.element }}"
+      - "{{ domains.synapse }}"  

roles/docker-moodle/vars/configuration.yml

@@ -19,4 +19,5 @@ csp:
   whitelist:
     font-src:
       - "data:"
-      - "blob:"
+      - "blob:"
+      - "https://cdn.jsdelivr.net"

roles/docker-wordpress/vars/configuration.yml

@@ -19,11 +19,15 @@ features:
 csp:
   flags:
     style-src:
-      unsafe-inline: true
+      unsafe-inline:  true
     script-src:
-      unsafe-inline: true
+      unsafe-inline:  true
+      unsafe-eval:    true
   whitelist:
     worker-src:
       - "blob:"
     font-src:
-      - "data:"
+      - "data:"
+    script-src:
+      - "https://cdn.gtranslate.net"
+      - "{{ domains[application_id] }}"