From 5d42b78b3da8a65a9d377e7634ebcc8f3adcd8c5 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 30 Sep 2025 11:15:32 +0200
Subject: [PATCH] Nextcloud: extend CSP for Talk & disable keeporsweep
CSP: add cloud. to connect-src and frame-src (both HTTP and WS) and allow worker-src 'blob:' for web workers used by Talk/Collabora. Apps: disable keeporsweep (installation no longer possible) and document reason. Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
---
 roles/web-app-nextcloud/config/main.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml
index d8b1d213..1b9f7bb2 100644
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -13,10 +13,14 @@ server:
 - "data:"
 connect-src:
 - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+ - "{{ WEBSOCKET_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
 - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+ - "{{ WEB_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"
 frame-src:
- - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
 - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+ - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
+ worker-src:
+ - "blob:"
 domains:
 canonical:
 - "cloud.{{ PRIMARY_DOMAIN }}"
@@ -209,7 +213,8 @@ plugins:
 # enabled: false
 keeporsweep:
 # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep)
- enabled: true
+ # Deactivated because installation isn't possible anymore
+ enabled: false
 mail:
 # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail)
 enabled: true
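Review bot: In the first hunk (`@@ -13,10 +13,14 @@`), the `frame-src` list only has its two existing collabora entries reordered, although the commit message says the cloud host is added to both `connect-src` and `frame-src`; either a `- "{{ WEB_PROTOCOL }}://cloud.{{ PRIMARY_DOMAIN }}"` entry is missing under `frame-src`, or the message should be corrected. The new `worker-src: - "blob:"` loosens the policy, because any script already running on the page can start a worker from a blob URL, so the reason belongs next to it, e.g. `# blob: is required for the web workers used by Talk/Collabora`. Whether `'self'` is still emitted for `worker-src` depends on how the role merges this whitelist with its defaults, which the hunk does not show; it is worth checking the rendered header, since an explicit `worker-src` ends the fallback to `child-src`/`script-src`. The `server:` mapping begins and continues outside the hunk.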