fix(csp): resolve all CSP-related issues and extend webserver health checks

- Added _normalize_codes to support lists of valid HTTP status codes - Updated web_health_expectations to handle multiple codes, deduplication, and fallback logic - Extended unit tests with coverage for list/default combinations, invalid values, and alias behavior - Fixed Flowise CSP flags and whitelist entries - Adjusted Flowise, MinIO, and Pretix docker service resource limits - Updated docker-compose templates with explicit service_name - Corrected MinIO status_codes to 301 redirects ✅ All CSP errors fixed See details: https://chatgpt.com/share/68d557ad-fc10-800f-b68b-0411d20ea6eb
2025-10-10 10:48:10 +02:00 · 2025-09-25 18:05:41 +02:00
parent 5186eb5714
commit 6f3522dc28
6 changed files with 200 additions and 35 deletions
--- a/roles/web-app-flowise/config/main.yml
+++ b/roles/web-app-flowise/config/main.yml
@@ -12,38 +12,51 @@ server:
      - "flow.ai.{{ PRIMARY_DOMAIN }}"
    aliases: []
  csp:
-    flags: {}
-      #script-src-elem:
-      #  unsafe-inline:  true
-      #script-src:
-      #  unsafe-inline:  true
-      #  unsafe-eval:    true
-      #style-src:
-      #  unsafe-inline:  true
+    flags:
+      script-src-elem:
+        unsafe-inline:  true
    whitelist:
      font-src:
+        - https://fonts.gstatic.com
+      style-src-elem:
        - https://fonts.googleapis.com
-      connect-src: [] 
+      script-src-elem:
+        - https://fonts.googleapis.com
+        - https://fonts.gstatic.com
+        - https://r.wdfl.co
+      connect-src: []
 docker:
  services:
    litellm:
      backup:
        no_stop_required: true
-      image:   ghcr.io/berriai/litellm
-      version: main-v1.77.3.dynamic_rates
-      name:    litellm
+      image:              ghcr.io/berriai/litellm
+      version:            main-v1.77.3.dynamic_rates
+      name:               litellm
+      cpus:               "1.0"
+      mem_reservation:    "0.5g"
+      mem_limit:          "1g"
+      pids_limit:         1024
    qdrant:
      backup:
        no_stop_required: true
-      image:   qdrant/qdrant
-      version: latest
-      name:    qdrant
+      image:              qdrant/qdrant
+      version:            latest
+      name:               qdrant
+      cpus:               "2.0"
+      mem_reservation:    "2g"
+      mem_limit:          "4g"
+      pids_limit:         2048
    flowise:
      backup:
-        no_stop_required: true
-      image:   flowiseai/flowise
-      version: latest
-      name:    flowise
+        no_stop_required: false # As long as SQLite is used
+      image:              flowiseai/flowise
+      version:            latest
+      name:               flowise
+      cpus:               "1.0"
+      mem_reservation:    "1g"
+      mem_limit:          "2g"
+      pids_limit:         1024
    redis:
      enabled: false
    database:
--- a/roles/web-app-flowise/templates/docker-compose.yml.j2
+++ b/roles/web-app-flowise/templates/docker-compose.yml.j2
@@ -1,5 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
  litellm:
+{% set service_name = 'litellm' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    image: {{ FLOWISE_LITELLM_IMAGE }}:{{ FLOWISE_LITELLM_VERSION }}
    container_name: {{ FLOWISE_LITELLM_CONTAINER }}
@@ -14,6 +15,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

  qdrant:
+{% set service_name = 'qdrant' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    image: {{ FLOWISE_QDRANT_IMAGE }}:{{ FLOWISE_QDRANT_VERSION }}
    container_name: {{ FLOWISE_QDRANT_CONTAINER }}
@@ -25,6 +27,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

  flowise:
+{% set service_name = 'flowise' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    image: {{ FLOWISE_IMAGE }}:{{ FLOWISE_VERSION }}
    container_name: {{ FLOWISE_CONTAINER }}