feat(frontend): rename inj roles to sys-front-*, add sys-svc-cdn, cache-busting lookup

Introduce sys-svc-cdn (cdn_paths/cdn_urls/cdn_dirs) and ensure CDN directories + latest symlink.

Rename sys-srv-web-inj-* → sys-front-inj-*; update includes/templates; serve shared/per-app CSS & JS via CDN.

Add lookup_plugins/local_mtime_qs.py for mtime-based cache busting; split CSS into default.css/bootstrap.css + optional per-app style.css.

CSP: use style-src-elem; drop unsafe-inline for styles. Services: fix SYS_SERVICE_ALL_ENABLED bool and controlled flush.

BREAKING CHANGE: role names changed; replace includes and references accordingly.

Conversation: https://chatgpt.com/share/68b55494-9ec4-800f-b559-44707029141d

roles/sys-front-inj-matomo/README.md

@@ -0,0 +1,21 @@
+# Nginx Matomo Tracking Role
+
+This Ansible role automates the integration of Matomo tracking code into Nginx-served websites. It simplifies the process of adding the Matomo analytics tracking script and image tracker to all your web pages served through Nginx.
+
+## Features
+- Automated insertion of Matomo tracking script into the `</head>` tag of HTML pages.
+- Integration of a noscript image tracker before the `</body>` tag for tracking users with JavaScript disabled.
+- Configuration to apply changes on every request, ensuring that dynamic content and single-page applications are also tracked.
+
+## Requirements
+- Nginx installed on the target server.
+- Matomo analytics platform set up and accessible.
+
+## Dependencies
+- None. This role is designed to be included in Nginx server block configurations.
+
+## Customization
+You can customize the tracking script and the noscript image tracker by editing the `matomo-tracking.js.j2` and `matomo.subfilter.conf.j2` templates.
+
+## Author Information
+This role was created in 2023 by [Kevin Veen Birkenbach](https://www.veen.world/), providing a seamless way to add Matomo analytics to any website served via Nginx.

roles/sys-front-inj-matomo/meta/main.yml

@@ -0,0 +1,20 @@
+galaxy_info:
+  author: "Kevin Veen-Birchenbach"
+  description: "Injects Matomo analytics tracking code and noscript image tracker into Nginx-served HTML pages."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birchenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+  - nginx
+  - matomo
+  - analytics
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/tree/main/roles/sys-front-inj-matomo"
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Any
+    versions: [all]

roles/sys-front-inj-matomo/tasks/main.yml

@@ -0,0 +1,69 @@
+- block:
+  - name: Include dependency 'srv-core'
+    include_role:
+      name: srv-core
+    when: run_once_srv_core is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_front_inj_matomo is not defined
+
+- name: "Relevant variables for role: {{ role_path | basename }}"
+  debug:
+    msg:
+      domain: "{{ domain }}"
+      base_domain: "{{ base_domain }}"
+      matomo_verification_url: "{{ matomo_verification_url }}"
+  when: MODE_DEBUG | bool
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "Check if site {{ domain }} is allready registered at Matomo"
+  uri:
+    url: "{{ matomo_verification_url }}"
+    method: GET
+    return_content: yes
+    status_code: 200
+    validate_certs: yes
+  register: site_check
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: Set matomo_site_id to Null
+  set_fact:
+    matomo_site_id:
+
+- name: Set fact for site ID if site already exists
+  set_fact:
+    matomo_site_id: "{{ site_check.json[0].idsite }}"
+  when: "(site_check.json | length) > 0"
+  changed_when: false
+
+- name: Add site to Matomo and get ID if not exists
+  uri:
+    url: "{{ matomo_index_php_url }}"
+    method: POST
+    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls={{ WEB_PROTOCOL }}://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
+    body_format: form-urlencoded
+    status_code: 200
+    return_content: yes
+    validate_certs: yes
+  register: add_site
+  when: "matomo_site_id is not defined or matomo_site_id is none"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: Set fact for site ID if site was added
+  set_fact:
+    matomo_site_id: "{{ add_site.json.value }}"
+  when: "matomo_site_id is not defined or matomo_site_id is none"
+  changed_when: false
+
+- name: Load Matomo tracking JS template
+  set_fact:
+    matomo_tracking_code: "{{ lookup('template','matomo-tracking.js.j2') }}"
+
+- name: Collapse Matomo code into one-liner
+  set_fact:
+    matomo_tracking_code_one_liner: "{{ matomo_tracking_code | to_one_liner }}"
+
+- name: Append Matomo CSP hash
+  set_fact:
+    applications: "{{ applications | append_csp_hash(application_id, matomo_tracking_code_one_liner) }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  changed_when: false

roles/sys-front-inj-matomo/templates/body_sub.j2

@@ -0,0 +1,5 @@
+<noscript>
+    <p>
+        <img src="//{{ domains | get_domain('web-app-matomo') }}/matomo.php?idsite={{matomo_site_id}}&rec=1" style="border:0;" alt="" />
+    </p>
+</noscript>

roles/sys-front-inj-matomo/templates/head_sub.j2

@@ -0,0 +1 @@
+<script>{{matomo_tracking_code_one_liner}}</script>

roles/sys-front-inj-matomo/templates/matomo-tracking.js.j2

@@ -0,0 +1,19 @@
+var _paq = window._paq = window._paq || [];
+_paq.push(["setDocumentTitle", document.domain + "/" + document.title]);
+_paq.push(["setCookieDomain", "*.{{base_domain}}"]);
+_paq.push(["setDomains", ["*.{{base_domain}}"]]);
+_paq.push(["enableCrossDomainLinking"]);
+_paq.push(["trackPageView"]);
+_paq.push(["trackAllContentImpressions"]);
+_paq.push(["enableLinkTracking"]);
+(function() {
+  var u="//{{ domains | get_domain('web-app-matomo') }}/";
+  _paq.push(["setTrackerUrl", u+"matomo.php"]);
+  _paq.push(["setSiteId", "{{matomo_site_id}}"]);
+  var d=document, g=d.createElement("script"), s=d.getElementsByTagName("script")[0];
+  g.async=true; g.src=u+"matomo.js"; s.parentNode.insertBefore(g,s);
+})();
+
+{% if MODE_DEBUG | bool %}
+console.log("Matomo is loaded.");
+{% endif %}

roles/sys-front-inj-matomo/vars/main.yml

@@ -0,0 +1,4 @@
+base_domain:              "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
+matomo_index_php_url:     "{{ domains | get_url('web-app-matomo', WEB_PROTOCOL) }}/index.php"
+matomo_auth_token:        "{{ applications['web-app-matomo'].credentials.auth_token }}"
+matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url={{ WEB_PROTOCOL }}://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"