Big cleanup

2025-08-29 15:06:26 +02:00 · 2025-03-20 02:20:00 +01:00
parent 6520350731
commit 836a3e0238
22 changed files with 91 additions and 66 deletions
--- a/roles/corporate-identity/vars/main.yml
+++ b/roles/corporate-identity/vars/main.yml
--- a/roles/docker-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/docker-nextcloud/templates/nginx/docker.conf.j2
@@ -71,10 +71,10 @@ http {
        add_header Referrer-Policy                      "no-referrer"           always;
        add_header X-Content-Type-Options               "nosniff"               always;
        add_header X-Download-Options                   "noopen"                always;
-        add_header X-Frame-Options                      "SAMEORIGIN"            always;
        add_header X-Permitted-Cross-Domain-Policies    "none"                  always;
        add_header X-Robots-Tag                         "noindex, nofollow"     always;
        add_header X-XSS-Protection                     "1; mode=block"         always;
+        {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
--- a/roles/docker-nextcloud/vars/system.yml
+++ b/roles/docker-nextcloud/vars/system.yml
@@ -12,4 +12,10 @@ nextcloud_system_config:
    value: "{{ on_calendar_nextcloud }}"

  - parameter: "default_phone_region"
-    value: "{{ locale | upper }}"
+    value: "{{ locale | upper }}"
+
+  - parameter: "trusted_domains 0"
+    value: "{{domains[application_id]}}"
+
+  - parameter: "overwrite.cli.url"
+    value: "https://{{domains[application_id]}}"
--- a/roles/docker-portfolio/tasks/main.yml
+++ b/roles/docker-portfolio/tasks/main.yml
@@ -36,5 +36,7 @@
  when: not config_file.stat.exists

 - name: add docker-compose.yml
-  template: src=docker-compose.yml.j2 dest={{docker_compose.directories.instance}}docker-compose.yml
+  template:
+    src:  docker-compose.yml.j2 
+    dest: "{docker_compose.directories.instance}}docker-compose.yml"
  notify: docker compose project setup
--- a/roles/docker-portfolio/templates/config.yaml.j2
+++ b/roles/docker-portfolio/templates/config.yaml.j2
@@ -10,6 +10,9 @@ accounts:
    description: Platforms where I share content.
    icon:
      class: fas fa-newspaper
+
+{% if ["mastodon", "bluesky"] | any_in(group_names) %}  
+
    children:
    - name: Microblogs
      description: Stay updated with {{ 'our' if service_provider.type == 'legal' else 'my' }} microblogs.
@@ -39,6 +42,7 @@ accounts:
        - link: accounts.publishingchannels.microblogs.mastodon
        identifier: "{{service_provider.contact.bluesky}}"

+{% endif %}
 {% endif %}
 {% if service_provider.contact.pixelfed  is defined and service_provider.contact.pixelfed  != "" %}

--- a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2
@@ -1,4 +1,4 @@
-{% if landingpage_iframe_enabled | bool %}
-  add_header X-Frame-Options "SAMEORIGIN" always;                                   # Allow iframe embedding only from the same origin
+add_header X-Frame-Options "SAMEORIGIN" always;                                     # Allow iframe embedding only from the same origin
+{% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %}
  add_header Content-Security-Policy "frame-ancestors {{primary_domain}};" always;  # Restrict embedding to the specified primary domain
 {% endif %}
--- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2
@@ -14,7 +14,7 @@ location {{location | default("/")}}
  proxy_set_header X-Forwarded-Port 443;
  proxy_set_header Accept-Encoding "";

-  {% include 'iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2' %}

  # WebSocket specific header
  proxy_http_version 1.1;
--- a/roles/nginx-domain-setup/tasks/main.yml
+++ b/roles/nginx-domain-setup/tasks/main.yml
@@ -11,4 +11,4 @@
 - name: "include the docker-oauth2-proxy role {{domain}}"
  include_role:
    name: docker-oauth2-proxy
-  when: applications | get_oauth2_enabled(application_id)
+  when: final_oauth2_enabled | bool
--- a/roles/nginx-domain-setup/vars/main.yml
+++ b/roles/nginx-domain-setup/vars/main.yml
@@ -1 +1,2 @@
-configuration_destination:  "{{nginx.directories.http.servers}}{{domain}}.conf"
+configuration_destination:        "{{nginx.directories.http.servers}}{{domain}}.conf"
+final_oauth2_enabled:             "{{applications[application_id].get('oauth2_proxy', {}).get('enabled', False)}}"
--- a/roles/nginx-modifier-all/tasks/main.yml
+++ b/roles/nginx-modifier-all/tasks/main.yml
@@ -1,9 +1,9 @@
 - name: "Activate Global CSS for {{domain}}"
  include_role:
    name: nginx-modifier-css
-  when: applications | get_css_enabled(application_id) 
+  when: applications.get(application_id).get('css_enabled') | bool

 - name: "Activate Global Matomo Tracking for {{domain}}"
  include_role:
    name: nginx-modifier-matomo
-  when: matomo_tracking_enabled | bool
+  when: applications.get(application_id).get('matomo_tracking_enabled') | bool
--- a/roles/nginx-modifier-all/templates/global.includes.conf.j2
+++ b/roles/nginx-modifier-all/templates/global.includes.conf.j2
@@ -2,16 +2,20 @@
 sub_filter_once off;
 sub_filter_types text/html;

-{% if matomo_tracking_enabled | bool %}
+{% set css_enabled_final                = applications.get(application_id).get('css_enabled') | bool %}
+{% set matomo_tracking_enabled_final    = applications.get(application_id).get('matomo_tracking_enabled') | bool %}
+
+
+{% if matomo_tracking_enabled_final | bool %}
  {# Include Global Matomo Tracking #}
  {% include 'roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2' %}
 {% endif %}

-{% if css_enabled | bool or matomo_tracking_enabled | bool %}
-  sub_filter '</head>' '{% if matomo_tracking_enabled | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}</head>';
+{% if css_enabled_final | bool or matomo_tracking_enabled_final | bool %}
+  sub_filter '</head>' '{% if matomo_tracking_enabled_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}</head>';
 {% endif %}

-{% if css_enabled | bool %}
+{% if css_enabled_final | bool %}
  {# Include Global CSS Location #}
  {% include 'roles/nginx-modifier-css/templates/location.conf.j2' %}
 {% endif %}
--- a/roles/nginx-modifier-all/vars/main.yml
+++ b/roles/nginx-modifier-all/vars/main.yml
@@ -1,3 +0,0 @@
-matomo_tracking_enabled:    "{{ matomo_tracking_enabled | default(applications | get_matomo_tracking_enabled(application_id)) }}"
-css_enabled:                "{{ css_enabled | default (applications | get_css_enabled(application_id)) }}"
-landingpage_iframe_enabled: "{{ landingpage_iframe_enabled | default (applications | get_landingpage_iframe_enabled(application_id)) }}"
--- a/roles/nginx-serve-html-legal/vars/main.yml
+++ b/roles/nginx-serve-html-legal/vars/main.yml
@@ -0,0 +1 @@
+application_id: "imprint"  # Application identifier
				`@@ -0,0 +1 @@`
				`application_id: "imprint" # Application identifier`