From 79e702a3ab7424f1e1c6e58e0f808a4d1addc35d Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 21 Aug 2025 16:48:37 +0200 Subject: [PATCH] web-svc-collabora: localize vars, adjust CSP, fix systemd perms; refactor role composition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - sys-service: - Set explicit ownership and permissions for generated unit files: owner=root, group=root, mode=0644. Prevents drift and makes idempotence predictable when handlers reload/refresh systemd. - web-svc-collabora: - Move cmp-docker-proxy include into tasks/01_core.yml and run it before Nginx config generation. Use public: true only to initialize the proxy/compose context and docker_compose_flush_handlers: true to ensure timely handler execution. - Define role-local variables domain and http_port in vars/main.yml and use {{ domain }} for the Nginx server file path. These values MUST be defined locally because they cannot be reliably imported via public: true — other roles may override them later in the play, leading to leakage and nondeterministic behavior. Localizing avoids precedence conflicts without resorting to host-wide set_fact. - CSP adjusted: add server.security.flags.style-src.unsafe-inline: true to accommodate Collabora’s inline styles (requested as “csr” in notes). - Minor variable alignment/cleanup and TODO note for future refactor. - Housekeeping: - Rename task title to reflect {{ domain }} usage. Refs: - Discussion and rationale in this chat https://chatgpt.com/share/68a731aa-d394-800f-9eb4-2499f45ed54b (2025-08-21, Europe/Berlin). --- roles/sys-service/tasks/05_service.yml | 3 +++ roles/web-svc-collabora/config/main.yml | 3 +++ roles/web-svc-collabora/tasks/01_core.yml | 11 +++++++++-- roles/web-svc-collabora/tasks/main.yml | 5 ----- roles/web-svc-collabora/vars/main.yml | 11 ++++++++--- 5 files changed, 23 insertions(+), 10 deletions(-) 
diff --git a/roles/sys-service/tasks/05_service.yml b/roles/sys-service/tasks/05_service.yml
index 9e5cd549..24814e7f 100644
--- a/roles/sys-service/tasks/05_service.yml
+++ b/roles/sys-service/tasks/05_service.yml
@@ -32,6 +32,9 @@
   template:
     src: "{{ system_service_template_src }}"
     dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, system_service_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
+    owner: root
+    group: root
+    mode: '0644'
   notify: "{{ 'reload system daemon' if system_service_uses_at else 'refresh systemctl service' }}"
 
 - name: refresh systemctl service when SYS_SERVICE_ALL_ENABLE
diff --git a/roles/web-svc-collabora/config/main.yml b/roles/web-svc-collabora/config/main.yml
index 84f8f2a0..08451964 100644
--- a/roles/web-svc-collabora/config/main.yml
+++ b/roles/web-svc-collabora/config/main.yml
@@ -6,6 +6,9 @@ server:
     whitelist:
       frame-ancestors:
         - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
+    flags:
+      style-src:
+        unsafe-inline: true
 docker:
   services:
     redis:
diff --git a/roles/web-svc-collabora/tasks/01_core.yml b/roles/web-svc-collabora/tasks/01_core.yml
index 99e998fe..cdd35672 100644
--- a/roles/web-svc-collabora/tasks/01_core.yml
+++ b/roles/web-svc-collabora/tasks/01_core.yml
@@ -1,7 +1,14 @@
-- name: "generate {{ domains | get_domain(application_id) }}.conf"
+- name: "load docker, proxy for '{{ application_id }}'"
+  include_role:
+    name: cmp-docker-proxy
+    public: true
+  vars:
+    docker_compose_flush_handlers: true
+
+- name: "generate {{ domain }}.conf"
   template:
     src: "nginx.conf.j2"
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
+    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf"
   notify: restart openresty
 
 - name: Update Collabora systemplate to include new fonts
diff --git a/roles/web-svc-collabora/tasks/main.yml b/roles/web-svc-collabora/tasks/main.yml
index 9c768869..25a9b9bf 100644
--- a/roles/web-svc-collabora/tasks/main.yml
+++ b/roles/web-svc-collabora/tasks/main.yml
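Review bot: `unsafe-inline: true` under `style-src` relaxes the CSP for everything served on the Collabora domain, and nothing in the file records why; add a comment above `flags:` such as `# Collabora's editor relies on inline styles; without this flag the UI does not render` so the relaxation is not reverted later as a hardening fix. The key under `server:` that encloses both `whitelist:` and `flags:` lies outside the hunk, and the commit message names the path `server.security.flags`, so confirm that the path written here is the one the CSP builder actually reads. Since inline styles are presumably only needed by the editor pages, a hash- or nonce-based allowlist (if the project's CSP filter supports one) would be the tighter follow-up; the boolean form is acceptable as long as the reason is documented next to it.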
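Review bot: `public: true` on the `cmp-docker-proxy` include exports that role's defaults and vars to every later task on the host, not only to the template task that needs them, and the hunk does not say which variables the `nginx.conf.j2` render depends on; a comment above `include_role:` such as `# public: true keeps the variables initialised by cmp-docker-proxy visible to the nginx template task below; domain/http_port stay role-local in vars/main.yml to avoid precedence leakage` would make the dependency explicit. The include is placed before the template task, which is the right order, but the purpose of `docker_compose_flush_handlers: true` passed via `vars:` is only hinted at by the commit message; state in the same comment that handlers are flushed inside the include so the proxy is already up before `restart openresty` is notified. The task list continues past the hunk's last line.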
@@ -1,9 +1,4 @@
 - block:
-  - name: "load docker, proxy for '{{ application_id }}'"
-    include_role:
-      name: cmp-docker-proxy
-    vars:
-      docker_compose_flush_handlers: true
   - name: "Load core functions for '{{ application_id }}'"
     include_tasks: 01_core.yml
   - include_tasks: utils/run_once.yml
diff --git a/roles/web-svc-collabora/vars/main.yml b/roles/web-svc-collabora/vars/main.yml
index a3f541d4..a7f62888 100644
--- a/roles/web-svc-collabora/vars/main.yml
+++ b/roles/web-svc-collabora/vars/main.yml
@@ -1,9 +1,14 @@
 ---
 # General
-application_id: web-svc-collabora
+application_id: web-svc-collabora
+
+# @todo in a later step it makes sense to refactor the use of them, but they are used atm in the role
+domain: "{{ domains | get_domain(application_id) }}"
+http_port: "{{ ports.localhost.http[application_id] }}"
+
 # Container
-container_port: 9980
-container_healthcheck: "/hosting/discovery"
+container_port: 9980
+container_healthcheck: "/hosting/discovery"
 
 # Collabora
 COLLABORA_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.collabora.name') }}"
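Review bot: The `# @todo` comment above `domain:` and `http_port:` says the variables should be refactored without saying what "them" refers to or why they are defined here; the commit message carries the actual rationale, so put it in the file: `# domain/http_port are resolved role-locally on purpose: role vars take precedence over values imported through include_role public: true, which later roles in the play may override`. `domain` and `http_port` are generic names at role-vars precedence, so any play- or host-level variable of the same name is shadowed for every task in this role; that is the intended effect here but worth stating in the same comment. The `application_id`, `container_port` and `container_healthcheck` lines are rewritten without a visible content change (presumably alignment whitespace), which makes the hunk noisier than needed.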