feat(frontend): rename inj roles to sys-front-*, add sys-svc-cdn, cache-busting lookup

Introduce sys-svc-cdn (cdn_paths/cdn_urls/cdn_dirs) and ensure CDN directories + latest symlink. Rename sys-srv-web-inj-* → sys-front-inj-*; update includes/templates; serve shared/per-app CSS & JS via CDN. Add lookup_plugins/local_mtime_qs.py for mtime-based cache busting; split CSS into default.css/bootstrap.css + optional per-app style.css. CSP: use style-src-elem; drop unsafe-inline for styles. Services: fix SYS_SERVICE_ALL_ENABLED bool and controlled flush. BREAKING CHANGE: role names changed; replace includes and references accordingly. Conversation: https://chatgpt.com/share/68b55494-9ec4-800f-b559-44707029141d
2025-09-09 11:47:14 +02:00 · 2025-09-01 10:10:23 +02:00
parent 3f8e7c1733
commit 231fd567b3
123 changed files with 1789 additions and 1393 deletions
--- a/roles/sys-stk-front-proxy/README.md
+++ b/roles/sys-stk-front-proxy/README.md
@@ -8,7 +8,7 @@ This role bootstraps **per-domain Nginx configuration**: it requests TLS certifi

 A higher-level orchestration wrapper, *sys-stk-front-proxy* ties together several lower-level roles:

-1. **`sys-srv-web-inj-compose`** – applies global tweaks and includes.  
+1. **`sys-front-inj-all`** – applies global tweaks and includes.  
 2. **`sys-svc-certs`** – obtains Let’s Encrypt certificates.  
 3. **Domain template deployment** – copies a Jinja2 vHost from *srv-proxy-core*.  
 4. **`web-app-oauth2-proxy`** *(optional)* – protects the site with OAuth2.