diff --git a/filter_plugins/configuration_filters.py b/filter_plugins/configuration_filters.py index b42707ef..9c94a55c 100644 --- a/filter_plugins/configuration_filters.py +++ b/filter_plugins/configuration_filters.py @@ -1,35 +1,23 @@ -import yaml - -def get_oauth2_enabled(applications:yaml, application_id:string): +def get_oauth22_enabled(applications, application_id): # Retrieve the application dictionary based on the ID app = applications.get(application_id, {}) # Retrieve the value for oauth2_proxy.enabled, default is False enabled = app.get('oauth2_proxy', {}).get('enabled', False) return bool(enabled) -def get_oidc_enabled(applications:yaml, application_id:string): +def get_oidc_enabled(applications, application_id): # Retrieve the application dictionary based on the ID app = applications.get(application_id, {}) # Retrieve the value for oidc.enabled, default is False enabled = app.get('oidc', {}).get('enabled', False) return bool(enabled) -def get_css_enabled(applications:yaml, application_id:string): - app = applications.get(application_id) - enabled = app.get('css_enabled') - return bool(enabled) - -def get_landingpage_iframe_enabled(applications:yaml, application_id:string): +def get_landingpage_iframe_enabled(applications, application_id): app = applications.get(application_id) enabled = app.get('landingpage_iframe_enabled') return bool(enabled) -def get_matomo_tracking_enabled(applications:yaml, application_id:string): - app = applications.get(application_id) - enabled = app.get('matomo_tracking_enabled') - return bool(enabled) - -def get_database_central_storage(applications:yaml, application_id:string): +def get_database_central_storage(applications, application_id): """ Retrieve the type of the database from the application dictionary. The expected key structure is: applications[application_id]['database']['central_storage']. 
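Review bot: The renamed function `get_oauth22_enabled` (doubled "2") looks like a typo: the second hunk of this file still registers it under the filter name `'get_oauth2_enabled'`, and no other change in this commit calls it by the new name, so `def get_oauth2_enabled(applications, application_id):` keeps the definition and the registered name in step. Separately, `get_landingpage_iframe_enabled` (unchanged, but kept on the new side) calls `applications.get(application_id)` with no default, so an unknown `application_id` fails with an AttributeError on `None` instead of returning False like its two siblings above; `app = applications.get(application_id, {})` makes the three consistent. The hunk ends inside the docstring of `get_database_central_storage`, whose body continues outside it.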
@@ -42,10 +30,8 @@ def get_database_central_storage(applications:yaml, application_id:string): class FilterModule(object): def filters(self): return { - 'get_css_enabled': get_css_enabled, 'get_oidc_enabled': get_oidc_enabled, - 'get_oauth2_enabled': get_oauth2_enabled, + 'get_oauth2_enabled': get_oauth22_enabled, 'get_database_central_storage': get_database_central_storage, 'get_landingpage_iframe_enabled': get_landingpage_iframe_enabled, - 'get_matomo_tracking_enabled': get_matomo_tracking_enabled, } \ No newline at end of file diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index c7b9a19a..866ac6ee 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -68,4 +68,6 @@ matomo_tracking_enabled_default: true # Enables\Disables Matomo track css_enabled_default: true # Enables\Disables Global CSS on all html pages by default. ## iframe for primary domain -landingpage_iframe_enabled_default: false # Enables\Disables the possibility to be embedded via iframe by default. \ No newline at end of file +# Enables\Disables the possibility to be embedded via iframe by default. +# Enable conciously on every app in which it makes sense, due to that this a potential security risk +landingpage_iframe_enabled_default: false \ No newline at end of file diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index cda3b64f..eaff70a6 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml 
@@ -98,6 +98,12 @@ defaults_applications: css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + ## File Server + file_server: + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio + ## Friendica friendica: version: "latest" 
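Review bot: `landingpage_iframe_enabled: "true"` under the new `file_server` entry is a quoted string where the rest of the file uses YAML booleans (`True`, and bare `true` in this file's `@@ -230,7 +248,7 @@` hunk); the same quoted form is added for `html_server` and `imprint` in the `@@ -145,11 +151,23 @@` hunk and for the entry changed in the `@@ -331,7 +349,9 @@` hunk. The consuming template applies `| bool`, so the string works there, but the filter `get_landingpage_iframe_enabled` that this commit keeps returns `bool(enabled)`, which is True for any non-empty string, including `"false"`. Writing the value as a boolean, `landingpage_iframe_enabled: true`, removes that ambiguity for both consumers. The accompanying comment `# Landingpage should be embeded in portfolio` should read "embedded".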
@@ -122,21 +128,21 @@ defaults_applications: ## Gitea gitea: - version: "latest" # Use latest docker image + version: "latest" # Use latest docker image database: - central_storage: True # Activate Central Database Storage + central_storage: True # Activate Central Database Storage configuration: repository: - enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. - default_private: last # Default private when creating a new repository: last, private, public - default_push_create_private: True # Default private when creating a new repository with push-to-create. - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. + default_private: last # Default private when creating a new repository: last, private, public + default_push_create_private: True # Default private when creating a new repository with push-to-create. + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe ## Gitlab gitlab: - version: "latest" + version: "latest" database: central_storage: True # Activate Central Database Storage matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking 
@@ -145,11 +151,23 @@ defaults_applications: ## Joomla joomla: - version: "latest" + version: "latest" matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + ## HTML Server + html_server: + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio + + ## Imprint + imprint: + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio + ## Keycloak keycloak: version: "latest" @@ -186,7 +204,6 @@ defaults_applications: username: "{{users.administrator.username}}" ldap: enabled: True # Should have the same value as applications.ldap.openldap.network.local. - force_import: false # Forces the import of the LDIF files when set to true oauth2_proxy: enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface application: lam # Needs to be the same as webinterface 
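Review bot: Dropping `force_import: false` from the nested `ldap:` block in the `@@ -186,7 +204,6 @@` hunk and re-adding `force_import: False` one level up in the `@@ -196,6 +213,7 @@` hunk changes the key's path (from roughly `applications.ldap.ldap.force_import` to `applications.ldap.force_import`, as far as the collapsed indentation allows to tell), but no task in this diff updates a lookup of the old path. Worth confirming that the consuming role reads the new location, otherwise the import toggle silently becomes undefined. The `@@ -331,7 +349,9 @@` hunk also removes a `force_import: False` from a different application where it appears to have been a leftover, which looks intentional.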
@@ -196,6 +213,7 @@ defaults_applications: central_storage: false # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. # administrator_password: # CHANGE for security reasons in inventory file # administrator_database_password: # CHANGE for security reasons in inventory file + force_import: False # Forces the import of the LDIF files matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe @@ -230,7 +248,7 @@ defaults_applications: # initial_administrator_password: # Initial administrator password for setup matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + landingpage_iframe_enabled: true # Default enabled because working well in iframe ## MariaDB mariadb: @@ -331,7 +349,9 @@ defaults_applications: # @see https://apps.nextcloud.com/apps/oidc_login # @see https://apps.nextcloud.com/apps/sociallogin flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet - force_import: False # Forces the import of the LDIF files + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "true" # Enables\Disables the possibility to embed this on landing page via iframe database: central_storage: True # Activate Central Database Storage credentials: 
@@ -540,9 +560,6 @@ defaults_applications: whiteboard: # Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard) enabled: true - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe ## OAuth2 Proxy oauth2_proxy: diff --git a/images/favicon.ico b/images/favicon.ico new file mode 100644 index 00000000..f1e74fcf Binary files /dev/null and b/images/favicon.ico differ diff --git a/sphinx/_static/img/logo_cymais.png b/images/logo.png similarity index 100% rename from sphinx/_static/img/logo_cymais.png rename to images/logo.png diff --git a/roles/corporate-identity/vars/main.yml b/roles/corporate-identity/vars/main.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/docker-nextcloud/templates/nginx/docker.conf.j2 b/roles/docker-nextcloud/templates/nginx/docker.conf.j2 index 06329d83..bec1e7b6 100644 --- a/roles/docker-nextcloud/templates/nginx/docker.conf.j2 +++ b/roles/docker-nextcloud/templates/nginx/docker.conf.j2 @@ -71,10 +71,10 @@ http { add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "noindex, nofollow" always; add_header X-XSS-Protection "1; mode=block" always; + {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %} # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; diff --git a/roles/docker-nextcloud/vars/system.yml b/roles/docker-nextcloud/vars/system.yml index 3b066e6e..7299a246 100644 
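Review bot: Replacing the fixed `add_header X-Frame-Options "SAMEORIGIN" always;` with the include of `iframe.conf.j2` means this server block can now also emit `Content-Security-Policy "frame-ancestors {{primary_domain}};"`; browsers that support `frame-ancestors` give that directive precedence over X-Frame-Options, so embedding from the primary domain works, while clients without CSP support fall back to SAMEORIGIN and refuse it — a safe direction, but worth stating in the template. Nextcloud is also known to send its own Content-Security-Policy header; if that policy carries a `frame-ancestors` directive, browsers enforce both policies and the stricter one wins, so the toggle may have no visible effect for Nextcloud until checked in a browser. I would record that next to the include: `# iframe.conf.j2 sets X-Frame-Options and, when enabled, frame-ancestors; Nextcloud's own CSP must also allow the embedding origin`. The enclosing server block starts and ends outside the hunk.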
--- a/roles/docker-nextcloud/vars/system.yml +++ b/roles/docker-nextcloud/vars/system.yml @@ -12,4 +12,10 @@ nextcloud_system_config: value: "{{ on_calendar_nextcloud }}" - parameter: "default_phone_region" - value: "{{ locale | upper }}" \ No newline at end of file + value: "{{ locale | upper }}" + + - parameter: "trusted_domains 0" + value: "{{domains[application_id]}}" + + - parameter: "overwrite.cli.url" + value: "https://{{domains[application_id]}}" \ No newline at end of file diff --git a/roles/docker-portfolio/tasks/main.yml b/roles/docker-portfolio/tasks/main.yml index 90229482..550a0a95 100644 --- a/roles/docker-portfolio/tasks/main.yml +++ b/roles/docker-portfolio/tasks/main.yml @@ -36,5 +36,7 @@ when: not config_file.stat.exists - name: add docker-compose.yml - template: src=docker-compose.yml.j2 dest={{docker_compose.directories.instance}}docker-compose.yml + template: + src: docker-compose.yml.j2 + dest: "{docker_compose.directories.instance}}docker-compose.yml" notify: docker compose project setup diff --git a/roles/docker-portfolio/templates/config.yaml.j2 b/roles/docker-portfolio/templates/config.yaml.j2 index 3bcd0473..8636992c 100644 --- a/roles/docker-portfolio/templates/config.yaml.j2 +++ b/roles/docker-portfolio/templates/config.yaml.j2 @@ -10,6 +10,9 @@ accounts: description: Platforms where I share content. icon: class: fas fa-newspaper + +{% if ["mastodon", "bluesky"] | any_in(group_names) %} + children: - name: Microblogs description: Stay updated with {{ 'our' if service_provider.type == 'legal' else 'my' }} microblogs. @@ -39,6 +42,7 @@ accounts: - link: accounts.publishingchannels.microblogs.mastodon identifier: "{{service_provider.contact.bluesky}}" +{% endif %} {% endif %} {% if service_provider.contact.pixelfed is defined and service_provider.contact.pixelfed != "" %} diff --git a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 index 392cb05d..8d309775 100644 
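Review bot: `dest: "{docker_compose.directories.instance}}docker-compose.yml"` in the docker-portfolio tasks hunk is missing the opening brace of the Jinja expression, so the value is never templated and the compose file is written to a literal path named `{docker_compose.directories.instance}}docker-compose.yml` relative to the working directory; the removed one-line form had `{{docker_compose.directories.instance}}`. The fix is `dest: "{{ docker_compose.directories.instance }}docker-compose.yml"`. Since the notified handler presumably runs `docker compose` in the instance directory, the typo would likely surface as a missing compose file there rather than as a templating error.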
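Review bot: The new guard `{% if ["mastodon", "bluesky"] | any_in(group_names) %}` in config.yaml.j2 relies on an `any_in` filter that is not part of Jinja2 or ansible-core as far as I know, and this diff does not add one to `filter_plugins/`; presumably it exists elsewhere in the repository, otherwise the template fails to render. A template-native equivalent needs no plugin: `{% if 'mastodon' in group_names or 'bluesky' in group_names %}`. The new `{% if %}` is closed by the `{% endif %}` added in the `@@ -39,6 +42,7 @@` hunk, so the pair is balanced.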
--- a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 @@ -1,4 +1,4 @@ -{% if landingpage_iframe_enabled | bool %} - add_header X-Frame-Options "SAMEORIGIN" always; # Allow iframe embedding only from the same origin +add_header X-Frame-Options "SAMEORIGIN" always; # Allow iframe embedding only from the same origin +{% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %} add_header Content-Security-Policy "frame-ancestors {{primary_domain}};" always; # Restrict embedding to the specified primary domain {% endif %} diff --git a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 index 09b2019d..233239da 100644 --- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 @@ -14,7 +14,7 @@ location {{location | default("/")}} proxy_set_header X-Forwarded-Port 443; proxy_set_header Accept-Encoding ""; - {% include 'iframe.conf.j2' %} + {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %} # WebSocket specific header proxy_http_version 1.1; diff --git a/roles/nginx-domain-setup/tasks/main.yml b/roles/nginx-domain-setup/tasks/main.yml index f2156236..8ae1b912 100644 --- a/roles/nginx-domain-setup/tasks/main.yml +++ b/roles/nginx-domain-setup/tasks/main.yml @@ -11,4 +11,4 @@ - name: "include the docker-oauth2-proxy role {{domain}}" include_role: name: docker-oauth2-proxy - when: applications | get_oauth2_enabled(application_id) \ No newline at end of file + when: final_oauth2_enabled | bool \ No newline at end of file diff --git a/roles/nginx-domain-setup/vars/main.yml b/roles/nginx-domain-setup/vars/main.yml index 6a6c2417..4b56ce9d 100644 --- a/roles/nginx-domain-setup/vars/main.yml +++ b/roles/nginx-domain-setup/vars/main.yml 
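Review bot: `applications.get(application_id).get('landingpage_iframe_enabled')` in the new condition has no default on the outer lookup, so a domain whose `application_id` is not a key of `applications` aborts template rendering with an AttributeError on `None` instead of falling back to "disabled"; `applications.get(application_id, {}).get('landingpage_iframe_enabled', False)` fails closed. The same pattern appears in the nginx-modifier-all tasks hunk (`@@ -1,9 +1,9 @@`) and in the global.includes.conf.j2 hunk (`@@ -2,16 +2,20 @@`). With `nginx-modifier-all/vars/main.yml` deleted in this commit, `landingpage_iframe_enabled` is now only defined when a caller sets it explicitly, so the `default(...)` branch is the normal path. Keeping `X-Frame-Options "SAMEORIGIN"` unconditional alongside the conditional `frame-ancestors` is a sensible fail-safe for clients without CSP support and deserves a comment saying so: `# frame-ancestors takes precedence where supported; SAMEORIGIN is the fallback`.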
@@ -1 +1,2 @@ -configuration_destination: "{{nginx.directories.http.servers}}{{domain}}.conf" \ No newline at end of file +configuration_destination: "{{nginx.directories.http.servers}}{{domain}}.conf" +final_oauth2_enabled: "{{applications[application_id].get('oauth2_proxy', {}).get('enabled', False)}}" \ No newline at end of file diff --git a/roles/nginx-modifier-all/tasks/main.yml b/roles/nginx-modifier-all/tasks/main.yml index 2efbd5b9..77ba9f1d 100644 --- a/roles/nginx-modifier-all/tasks/main.yml +++ b/roles/nginx-modifier-all/tasks/main.yml @@ -1,9 +1,9 @@ - name: "Activate Global CSS for {{domain}}" include_role: name: nginx-modifier-css - when: applications | get_css_enabled(application_id) + when: applications.get(application_id).get('css_enabled') | bool - name: "Activate Global Matomo Tracking for {{domain}}" include_role: name: nginx-modifier-matomo - when: matomo_tracking_enabled | bool \ No newline at end of file + when: applications.get(application_id).get('matomo_tracking_enabled') | bool \ No newline at end of file diff --git a/roles/nginx-modifier-all/templates/global.includes.conf.j2 b/roles/nginx-modifier-all/templates/global.includes.conf.j2 index c34cac42..85cd62bd 100644 --- a/roles/nginx-modifier-all/templates/global.includes.conf.j2 +++ b/roles/nginx-modifier-all/templates/global.includes.conf.j2 
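Review bot: `final_oauth2_enabled` re-implements the `oauth2_proxy.enabled` lookup inline, and the same expression is repeated in the tasks/update-repository-with-files.yml hunk (`@@ -4,7 +4,7 @@`), while the commit keeps the `get_oauth2_enabled` filter registered; two inline copies plus a filter are three places for the logic to drift. The inline form also indexes `applications[application_id]`, which raises on an unknown id where the filter returns False via `.get(application_id, {})`. Either keep using the filter, `final_oauth2_enabled: "{{ applications | get_oauth2_enabled(application_id) }}"`, or at least default the lookup with `applications.get(application_id, {})`. In the nginx-modifier-all tasks hunk on this line, `.get('css_enabled') | bool` and `.get('matomo_tracking_enabled') | bool` pass `None` to `bool` when the key is absent; how the filter treats `None` depends on the ansible-core version, so `.get('css_enabled', False)` is the safer form.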
@@ -2,16 +2,20 @@ sub_filter_once off; sub_filter_types text/html; -{% if matomo_tracking_enabled | bool %} +{% set css_enabled_final = applications.get(application_id).get('css_enabled') | bool %} +{% set matomo_tracking_enabled_final = applications.get(application_id).get('matomo_tracking_enabled') | bool %} + + +{% if matomo_tracking_enabled_final | bool %} {# Include Global Matomo Tracking #} {% include 'roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2' %} {% endif %} -{% if css_enabled | bool or matomo_tracking_enabled | bool %} - sub_filter '' '{% if matomo_tracking_enabled | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}'; +{% if css_enabled_final | bool or matomo_tracking_enabled_final | bool %} + sub_filter '' '{% if matomo_tracking_enabled_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}'; {% endif %} -{% if css_enabled | bool %} +{% if css_enabled_final | bool %} {# Include Global CSS Location #} {% include 'roles/nginx-modifier-css/templates/location.conf.j2' %} {% endif %} diff --git a/roles/nginx-modifier-all/vars/main.yml b/roles/nginx-modifier-all/vars/main.yml deleted file mode 100644 index c47120cb..00000000 --- a/roles/nginx-modifier-all/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -matomo_tracking_enabled: "{{ matomo_tracking_enabled | default(applications | get_matomo_tracking_enabled(application_id)) }}" -css_enabled: "{{ css_enabled | default (applications | get_css_enabled(application_id)) }}" -landingpage_iframe_enabled: "{{ landingpage_iframe_enabled | default (applications | get_landingpage_iframe_enabled(application_id)) }}" 
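Review bot: `css_enabled_final` and `matomo_tracking_enabled_final` are already cast with `| bool` in the `{% set %}` lines, so the `| bool` repeated on every later use of them is redundant and can be dropped: `{% if matomo_tracking_enabled_final %}`, `{% if css_enabled_final or matomo_tracking_enabled_final %}`, `{% if css_enabled_final %}`. The two blank lines added after the `set` statements also end up in the rendered nginx include. Both are style only; the generated configuration is otherwise unchanged.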
diff --git a/roles/nginx-serve-html-legal/vars/main.yml b/roles/nginx-serve-html-legal/vars/main.yml new file mode 100644 index 00000000..d68c2ec5 --- /dev/null +++ b/roles/nginx-serve-html-legal/vars/main.yml @@ -0,0 +1 @@ +application_id: "imprint" # Application identifier \ No newline at end of file diff --git a/sphinx/.gitignore b/sphinx/.gitignore new file mode 100644 index 00000000..413092d1 --- /dev/null +++ b/sphinx/.gitignore @@ -0,0 +1 @@ +_static/img/* \ No newline at end of file diff --git a/sphinx/Makefile b/sphinx/Makefile index 917b3268..af87d93d 100644 --- a/sphinx/Makefile +++ b/sphinx/Makefile @@ -1,20 +1,24 @@ -# Minimal makefile for Sphinx documentation +# Minimal Makefile for Sphinx documentation # - # You can set these variables from the command line, and also # from the environment -SPHINXOPTS ?= -c . -SPHINXBUILD ?= sphinx-build -SPHINX_SOURCE_DIR ?= ../ -SPHINX_BUILD_DIR ?= ../docs +SPHINXOPTS ?= -c . +SPHINXBUILD ?= sphinx-build +SPHINX_SOURCE_DIR ?= ../ +SPHINX_BUILD_DIR ?= ../docs -# Put it first so that "make" without argument is like "make help". +.PHONY: help install copy-images Makefile + +# Copy images before running any Sphinx command (except for help) +copy-images: + @echo "Copying images from ../images/ to ./_static/img/..." + cp -r ../images/* ./_static/img/ + +# "help" target does not copy images help: @$(SPHINXBUILD) -M help "$(SPHINX_SOURCE_DIR)" "$(SPHINX_BUILD_DIR)" $(SPHINXOPTS) $(O) -.PHONY: help install Makefile - # Catch-all target: route all unknown targets to Sphinx using the new -# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). +# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). %: Makefile @$(SPHINXBUILD) -M $@ "$(SPHINX_SOURCE_DIR)" "$(SPHINX_BUILD_DIR)" $(SPHINXOPTS) $(O) diff --git a/sphinx/conf.py b/sphinx/conf.py index ffebb15c..69381b6c 100644 --- a/sphinx/conf.py +++ b/sphinx/conf.py 
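Review bot: The `copy-images` target in the sphinx/Makefile hunk is never run automatically: the comment says images are copied before any Sphinx command except `help`, but the catch-all `%: Makefile` rule does not list it as a prerequisite, so `make html` still builds against a `_static/img/` that the `sphinx/.gitignore` added in this commit keeps out of the repository. Making it a prerequisite, `%: Makefile copy-images`, gives the documented behaviour. `cp -r ../images/* ./_static/img/` also fails when `_static/img/` does not yet exist on a fresh clone, so the recipe should create it first: `mkdir -p ./_static/img && cp -r ../images/* ./_static/img/`. Listing `copy-images` in `.PHONY` is correct since it produces no file of that name.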
@@ -31,8 +31,8 @@ html_sidebars = { ] } -cymais_logo = "_static/img/logo_cymais.png" -html_favicon = cymais_logo +cymais_logo = "_static/img/logo.png" +html_favicon = "_static/img/favicon.ico" html_theme_options = { "show_prev_next": False, diff --git a/tasks/update-repository-with-files.yml b/tasks/update-repository-with-files.yml index abe75b6c..ad2c8c25 100644 --- a/tasks/update-repository-with-files.yml +++ b/tasks/update-repository-with-files.yml @@ -4,7 +4,7 @@ - name: "Merge detached_files with applications.oauth2_proxy.configuration_file" ansible.builtin.set_fact: merged_detached_files: "{{ detached_files + [applications.oauth2_proxy.configuration_file] }}" - when: applications | get_oauth2_enabled(application_id) + when: applications[application_id].get('oauth2_proxy', {}).get('enabled', False) | bool - name: "backup detached files" command: >