From 24cd75ac261cc9d5f41b1bf44791b9e9d723d330 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 4 Jun 2025 19:50:11 +0200
Subject: [PATCH] Solved different bugs e.g. csp and optimized deploy help
---
 cli/deploy.py | 68 +++++++++++++++----
 roles/docker-mailu/vars/configuration.yml | 4 +-
 roles/docker-mariadb/tasks/main.yml | 7 +-
 roles/docker-nextcloud/vars/configuration.yml | 2 +-
 roles/docker-wordpress/tasks/main.yml | 2 +-
 roles/docker-wordpress/vars/configuration.yml | 15 ++++
 6 files changed, 78 insertions(+), 20 deletions(-)
diff --git a/cli/deploy.py b/cli/deploy.py
index 3769093b..23188602 100644
--- a/cli/deploy.py
+++ b/cli/deploy.py
@@ -5,7 +5,7 @@ import subprocess import os import datetime -def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=None, verbose=0, skip_tests=False): +def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=None, verbose=0, skip_tests:bool=False): start_time = datetime.datetime.now() print(f"\n▶️ Script started at: {start_time.isoformat()}\n")
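Review bot: The new annotation `skip_tests:bool=False` does not follow PEP 8 spacing for an annotated default and is the only annotated parameter in the signature, so it reads as an accident rather than a convention. Write it as `skip_tests: bool = False`, and if the intent is to start typing this function, annotate the remaining parameters in the same change rather than one at a time. The body of `run_ansible_playbook` continues past the end of this hunk.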
@@ -44,20 +44,60 @@ def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=N def main(): script_dir = os.path.dirname(os.path.realpath(__file__)) - parser = argparse.ArgumentParser(description="Run Ansible Playbooks") + parser = argparse.ArgumentParser( + description="Run the central Ansible deployment script to manage infrastructure, updates, and tests." + ) - parser.add_argument("inventory", help="Path to the inventory file") - parser.add_argument("--limit", help="Limit execution to a specific server") - parser.add_argument("--host-type", choices=["server", "personal-computer"], default="server") - parser.add_argument("--reset", action="store_true") - parser.add_argument("--test", action="store_true") - parser.add_argument("--update", action="store_true") - parser.add_argument("--backup", action="store_true") - parser.add_argument("--cleanup", action="store_true") - parser.add_argument("--debug", action="store_true") - parser.add_argument("--password-file") - parser.add_argument("--skip-tests", action="store_true") - parser.add_argument("-v", "--verbose", action="count", default=0) + parser.add_argument( + "inventory", + help="Path to the inventory file (INI or YAML) containing hosts and variables." + ) + parser.add_argument( + "--limit", + help="Restrict execution to a specific host or host group from the inventory." + ) + parser.add_argument( + "--host-type", + choices=["server", "personal-computer"], + default="server", + help="Specify whether the target is a server or a personal computer. Affects role selection and variables." + ) + parser.add_argument( + "--reset", action="store_true", + help="Reset all CyMaIS files and configurations, and run the entire playbook (not just individual roles)." + ) + parser.add_argument( + "--test", action="store_true", + help="Run test routines instead of production tasks. Useful for local testing and CI pipelines." 
+ ) + parser.add_argument( + "--update", action="store_true", + help="Enable the update procedure to bring software and roles up to date." + ) + parser.add_argument( + "--backup", action="store_true", + help="Perform a full backup of critical data and configurations before the update process." + ) + parser.add_argument( + "--cleanup", action="store_true", + help="Clean up unused files and outdated configurations after all tasks are complete." + ) + parser.add_argument( + "--debug", action="store_true", + help="Enable detailed debug output for Ansible and this script." + ) + parser.add_argument( + "--password-file", + help="Path to the file containing the Vault password. If not provided, prompts for the password interactively." + ) + parser.add_argument( + "--skip-tests", action="store_true", + help="Skip running 'make test' even if tests are normally enabled." + ) + parser.add_argument( + "-v", "--verbose", action="count", default=0, + help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output)." + ) args = parser.parse_args()
diff --git a/roles/docker-mailu/vars/configuration.yml b/roles/docker-mailu/vars/configuration.yml
index 5145fe8b..3eb94226 100644
--- a/roles/docker-mailu/vars/configuration.yml
+++ b/roles/docker-mailu/vars/configuration.yml
@@ -9,7 +9,7 @@ domain: "{{primary_domain}}" # The main domain fr credentials: features: matomo: true - css: true + css: false portfolio_iframe: false # Deactivated mailu iframe loading until keycloak supports it oidc: true central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
@@ -20,5 +20,5 @@ csp: flags: style-src: unsafe-inline: true - script-src-elem: + script-src: unsafe-inline: true
\ No newline at end of file
diff --git a/roles/docker-mariadb/tasks/main.yml b/roles/docker-mariadb/tasks/main.yml
index 83fba139..27aafa70 100644
--- a/roles/docker-mariadb/tasks/main.yml
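Review bot: The `--host-type` help text omits that `server` is the default even though the parser sets one; argparse can render it without repeating the value, e.g. `help="Specify whether the target is a server or a personal computer. Affects role selection and variables. (default: %(default)s)"`. The `--password-file` help promises an interactive prompt when the flag is absent, but nothing in this hunk shows such a prompt — the flag is presumably just passed through as `password_file=None` — so that claim should be confirmed against the call site before it becomes user-facing documentation; the same applies to the `'make test'` reference in `--skip-tests`. `main()` continues past the end of the hunk (`args = parser.parse_args()` is its last visible line).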
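Review bot: Replacing `script-src-elem` with `script-src` under the `unsafe-inline` flags broadens the allowance from `<script>` elements only to everything the `script-src` directive governs, including inline event-handler attributes, and the hunk leaves no record of why the narrower directive was insufficient. A one-line comment next to the new key would keep the relaxation reviewable, e.g. `script-src: # unsafe-inline needed beyond script-src-elem for <Mailu page/feature that broke> — TODO: narrow with nonce/hash`, with the placeholder filled in from the bug this commit fixes. The first hunk of this file flips `css: true` to `css: false` with the same missing rationale, and the docker-nextcloud hunk makes the identical flip. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the line is being touched.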
+++ b/roles/docker-mariadb/tasks/main.yml
@@ -38,9 +38,12 @@ - name: Wait until the MariaDB container is healthy community.docker.docker_container_info: - name: "{{applications.mariadb.hostname }}" + name: "{{ applications.mariadb.hostname }}" register: db_info - until: db_info.containers[0].State.Health.Status == "healthy" + until: + - db_info.containers is defined + - db_info.containers | length > 0 + - db_info.containers[0].State.Health.Status == "healthy" retries: 30 delay: 5 when:
diff --git a/roles/docker-nextcloud/vars/configuration.yml b/roles/docker-nextcloud/vars/configuration.yml
index 90ad5606..3831897e 100644
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@@ -22,7 +22,7 @@ oidc: credentials: features: matomo: true - css: true + css: false portfolio_iframe: false ldap: true oidc: true
diff --git a/roles/docker-wordpress/tasks/main.yml b/roles/docker-wordpress/tasks/main.yml
index 80fcde94..15e7f803 100644
--- a/roles/docker-wordpress/tasks/main.yml
+++ b/roles/docker-wordpress/tasks/main.yml
@@ -6,7 +6,7 @@ - name: "Include role nginx-domain-setup for {{ application_id }}" include_role: name: nginx-domain-setup - loop: "{{ domains.wordpress }}" + loop: "{{ applications[application_id].domains.canonical }}" loop_control: loop_var: domain vars:
diff --git a/roles/docker-wordpress/vars/configuration.yml b/roles/docker-wordpress/vars/configuration.yml
index edf8eabe..8d66b328 100644
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
@@ -22,6 +22,7 @@ csp: unsafe-inline: true script-src-elem: unsafe-inline: true + script-src: unsafe-eval: true whitelist: worker-src:
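Review bot: The third `until` condition still dereferences `db_info.containers[0].State.Health.Status`, and `State.Health` is only present in the inspect output when the container has a healthcheck configured; if it is absent, an undefined-attribute error in the conditional typically fails the task outright instead of retrying, so the two new guards do not cover the whole failure mode they were added for. Adding `- db_info.containers[0].State.Health is defined` before the status comparison keeps the task polling through its `retries: 30` / `delay: 5` window rather than failing on the first evaluation. Whether the MariaDB image actually defines a HEALTHCHECK is not visible in this hunk, so treat this as a robustness guard rather than a known failure. The task's `when:` clause continues past the end of the hunk.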
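Review bot: The new `script-src: unsafe-eval: true` flag permits `eval()`-style code execution for every script on the WordPress site, which removes one of the CSP mitigations against injected script, and the hunk gives no hint which plugin or editor component needs it. Please record the rationale next to the flag, e.g. `script-src: # unsafe-eval required by <component> — TODO: drop once it is replaced`, so the relaxation can be revisited rather than inherited forever. Note also that the new `script-src` block carries only `unsafe-eval` while `unsafe-inline` lives under `script-src-elem`; in user agents that do not implement `script-src-elem`, `script-src` is the fallback, so inline scripts would presumably be blocked there — if that is intended, a comment saying so would prevent the next reader from "fixing" it. The second hunk of this file (the `frame-src` addition) relaxes the policy further and is noted separately.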
@@ -34,6 +35,20 @@ csp: - "blog.{{ primary_domain }}" style-src: - "https://fonts.bunny.net" + frame-src: + - "blob:" + - "*.{{ primary_domain }}" + #frame-src: >- + # {{ + # ['*.{}'.format(primary_domain)] + # + + # ( + # applications.wordpress.domains.canonical + # | default([]) + # | map('regex_replace', '^(.*)$', 'blob:\g<1>') + # | list + # ) + # }} domains: canonical: - "blog.{{ primary_domain }}"
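Review bot: The new `frame-src` entry is followed by a commented-out Jinja expression (roughly a dozen lines) that would derive `blob:` variants from `applications.wordpress.domains.canonical`; commented-out code in a vars file drifts from the live value directly above it and should either be deleted or collapsed into a one-line note of intent, e.g. `# TODO: derive frame-src blob: entries from applications.wordpress.domains.canonical instead of the static list`. The live entries also deserve a word of justification: `*.{{ primary_domain }}` admits every subdomain as a frame source, so if WordPress only needs its own canonical hosts, listing those (as `domains.canonical` below already does) is the tighter choice. The `unsafe-eval` relaxation in this file's first hunk is noted there.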