diff --git a/filter_plugins/alias_domains_map.py b/filter_plugins/alias_domains_map.py index d2b51972..a315a528 100644 --- a/filter_plugins/alias_domains_map.py +++ b/filter_plugins/alias_domains_map.py @@ -39,7 +39,7 @@ class FilterModule(object): # 1) Precompute canonical domains per app (fallback to default) canonical_map = {} for app_id, cfg in apps.items(): - domains_cfg = cfg.get('domains') or {} + domains_cfg = cfg.get('server',{}).get('domains',{}) entry = domains_cfg.get('canonical') if entry is None: canonical_map[app_id] = [default_domain(app_id, primary_domain)] @@ -49,13 +49,13 @@ class FilterModule(object): canonical_map[app_id] = list(entry) else: raise AnsibleFilterError( - f"Unexpected type for 'domains.canonical' in application '{app_id}': {type(entry).__name__}" + f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}" ) # 2) Build alias list per app result = {} for app_id, cfg in apps.items(): - domains_cfg = cfg.get('domains') + domains_cfg = cfg.get('server',{}).get('domains') # no domains key → no aliases if domains_cfg is None: diff --git a/filter_plugins/canonical_domains_map.py b/filter_plugins/canonical_domains_map.py index 779bfb20..1b704c97 100644 --- a/filter_plugins/canonical_domains_map.py +++ b/filter_plugins/canonical_domains_map.py @@ -28,7 +28,7 @@ class FilterModule(object): f"expected a dict, got {cfg!r}" ) - domains_cfg = cfg.get('domains') + domains_cfg = cfg.get('server',{}).get('domains',{}) if not domains_cfg or 'canonical' not in domains_cfg: self._add_default_domain(app_id, primary_domain, seen_domains, result) continue @@ -64,7 +64,7 @@ class FilterModule(object): self._process_canonical_domains_list(app_id, canonical_domains, seen_domains, result) else: raise AnsibleFilterError( - f"Unexpected type for 'domains.canonical' in application '{app_id}': " + f"Unexpected type for 'server.domains.canonical' in application '{app_id}': " f"{type(canonical_domains).__name__}" ) 
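Review bot: The new lookup `cfg.get('server',{}).get('domains',{})` raises AttributeError as soon as a role's `server:` key is present but empty (YAML null, which is what an edited-down config file easily produces), whereas the line it replaces tolerated a null value with `or {}`; one such role would abort the whole filter for every app. Use `(cfg.get('server') or {}).get('domains') or {}` here. The second hunk of this file, the first hunk of canonical_domains_map.py and both hunks of domain_redirect_mappings.py start from the same `cfg.get('server',{})` prefix and need the same guard for an empty `server:`. The enclosing method begins before the hunk.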
diff --git a/filter_plugins/domain_redirect_mappings.py b/filter_plugins/domain_redirect_mappings.py index 4b9fd305..6ef524e6 100644 --- a/filter_plugins/domain_redirect_mappings.py +++ b/filter_plugins/domain_redirect_mappings.py @@ -36,7 +36,7 @@ class FilterModule(object): # 1) Compute canonical domains per app (always as a list) canonical_map = {} for app_id, cfg in apps.items(): - domains_cfg = cfg.get('domains') or {} + domains_cfg = cfg.get('server',{}).get('domains',{}) entry = domains_cfg.get('canonical') if entry is None: canonical_map[app_id] = [default_domain(app_id, primary_domain)] @@ -46,13 +46,13 @@ class FilterModule(object): canonical_map[app_id] = list(entry) else: raise AnsibleFilterError( - f"Unexpected type for 'domains.canonical' in application '{app_id}': {type(entry).__name__}" + f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}" ) # 2) Compute alias domains per app alias_map = {} for app_id, cfg in apps.items(): - domains_cfg = cfg.get('domains') + domains_cfg = cfg.get('server',{}).get('domains',{}) if domains_cfg is None: alias_map[app_id] = [] continue diff --git a/roles/web-app-akaunting/config/main.yml b/roles/web-app-akaunting/config/main.yml index af103ccf..1482456a 100644 --- a/roles/web-app-akaunting/config/main.yml +++ b/roles/web-app-akaunting/config/main.yml @@ -7,10 +7,11 @@ features: css: true port-ui-desktop: true central_database: true - logout: true -domains: - canonical: - - "accounting.{{ primary_domain }}" + logout: true +server: + domains: + canonical: + - "accounting.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-attendize/config/main.yml b/roles/web-app-attendize/config/main.yml index 3871af93..c371557f 100644 --- a/roles/web-app-attendize/config/main.yml +++ b/roles/web-app-attendize/config/main.yml 
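Review bot: Giving `.get('domains',{})` a default in the second hunk makes the `if domains_cfg is None:` guard two lines below unreachable for the missing-key case, so an app without `server.domains` now falls through to the alias-extraction code beneath the hunk instead of getting `alias_map[app_id] = []`; whether that code copes with an empty dict cannot be seen from here. The sibling change in alias_domains_map.py keeps `.get('domains')` without a default, so the two filters now treat the same input differently. Either drop the `{}` default here to keep the early exit, or change the guard to `if not domains_cfg:` so both the missing and the empty case take it. The enclosing method continues past the hunk.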
@@ -6,13 +6,14 @@ features: css: true port-ui-desktop: true central_database: true - logout: true + logout: true docker: services: redis: enabled: true database: enabled: true -domains: - canonical: - - "tickets.{{ primary_domain }}" +server: + domains: + canonical: + - "tickets.{{ primary_domain }}" diff --git a/roles/web-app-baserow/config/main.yml b/roles/web-app-baserow/config/main.yml index 749ab100..dd3fc0c3 100644 --- a/roles/web-app-baserow/config/main.yml +++ b/roles/web-app-baserow/config/main.yml @@ -18,7 +18,7 @@ docker: name: "baserow" volumes: data: "baserow_data" - -domains: - canonical: - - baserow.{{ primary_domain }} +server: + domains: + canonical: + - baserow.{{ primary_domain }} diff --git a/roles/web-app-bigbluebutton/config/main.yml b/roles/web-app-bigbluebutton/config/main.yml index 8e173670..9820eb9c 100644 --- a/roles/web-app-bigbluebutton/config/main.yml +++ b/roles/web-app-bigbluebutton/config/main.yml @@ -12,13 +12,14 @@ features: oidc: true central_database: false logout: true -domains: - canonical: - - "meet.{{ primary_domain }}" -csp: - flags: - script-src-elem: - unsafe-inline: true - style-src: - unsafe-inline: true +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + style-src: + unsafe-inline: true + domains: + canonical: + - "meet.{{ primary_domain }}" credentials: {} diff --git a/roles/web-app-bluesky/config/main.yml b/roles/web-app-bluesky/config/main.yml index 3dc93aae..6b7550ab 100644 --- a/roles/web-app-bluesky/config/main.yml +++ b/roles/web-app-bluesky/config/main.yml @@ -7,11 +7,12 @@ features: css: true port-ui-desktop: true central_database: true - logout: true -domains: - canonical: - web: "bskyweb.{{ primary_domain }}" - api: "bluesky.{{ primary_domain }}" + logout: true +server: + domains: + canonical: + web: "bskyweb.{{ primary_domain }}" + api: "bluesky.{{ primary_domain }}" docker: services: database: 
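Review bot: Moving the `csp:` block under `server:` in the bigbluebutton config changes the path at which the CSP whitelist and flags are stored, but this diff only retargets the three domain filter plugins and the matrix `client_max_body_size` lookup; I do not see the consumer of `csp` being pointed at `server.csp`. If that reader still uses the top-level key, the `unsafe-inline` flags this hunk carries, and every other role's whitelist, would silently go missing and the generated policy would change for all apps, which is the kind of regression that only shows up in the browser. The same relocation is repeated in every later config hunk of this diff that contains a `csp:` block, so it is worth confirming the consumer is updated in the same commit.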
diff --git a/roles/web-app-collabora/config/main.yml b/roles/web-app-collabora/config/main.yml index 8dbee19b..a39a6edf 100644 --- a/roles/web-app-collabora/config/main.yml +++ b/roles/web-app-collabora/config/main.yml @@ -1,6 +1,7 @@ -domains: - canonical: - - "collabora.{{ primary_domain }}" +server: + domains: + canonical: + - "collabora.{{ primary_domain }}" docker: services: redis: diff --git a/roles/web-app-discourse/config/main.yml b/roles/web-app-discourse/config/main.yml index 39606047..50ec2993 100644 --- a/roles/web-app-discourse/config/main.yml +++ b/roles/web-app-discourse/config/main.yml @@ -7,18 +7,19 @@ features: central_database: true ldap: false # @todo implement and activate logout: true -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - whitelist: - font-src: - - "http://*.{{primary_domain}}" -domains: - canonical: - - "forum.{{ primary_domain }}" +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + whitelist: + font-src: + - "http://*.{{primary_domain}}" + domains: + canonical: + - "forum.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-elk/config/main.yml b/roles/web-app-elk/config/main.yml index c3916685..9f6bb7c7 100644 --- a/roles/web-app-elk/config/main.yml +++ b/roles/web-app-elk/config/main.yml @@ -1,6 +1,6 @@ features: logout: false # Just deactivated to oppress warnings, elk is anyhow not running - -domains: - canonical: - - elk.{{ primary_domain }} +server: + domains: + canonical: + - elk.{{ primary_domain }} diff --git a/roles/web-app-espocrm/config/main.yml b/roles/web-app-espocrm/config/main.yml index a638289d..eb598017 100644 --- a/roles/web-app-espocrm/config/main.yml +++ b/roles/web-app-espocrm/config/main.yml 
@@ -6,26 +6,27 @@ features: oidc: true central_database: true logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true - script-src: - unsafe-eval: true - whitelist: - connect-src: - - wss://espocrm.{{ primary_domain }} - - "data:" - frame-src: - - https://s.espocrm.com/ -domains: - aliases: - - "crm.{{ primary_domain }}" - canonical: - - espocrm.{{ primary_domain }} +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + script-src: + unsafe-eval: true + whitelist: + connect-src: + - wss://espocrm.{{ primary_domain }} + - "data:" + frame-src: + - https://s.espocrm.com/ + domains: + aliases: + - "crm.{{ primary_domain }}" + canonical: + - espocrm.{{ primary_domain }} email: from_name: "Customer Relationship Management ({{ primary_domain }})" docker: diff --git a/roles/web-app-friendica/config/main.yml b/roles/web-app-friendica/config/main.yml index 26474db2..225fb921 100644 --- a/roles/web-app-friendica/config/main.yml +++ b/roles/web-app-friendica/config/main.yml @@ -9,18 +9,19 @@ features: ldap: true oauth2: false # No special login side which could be protected, use 2FA of Friendica instead logout: true -domains: - canonical: - - "social.{{ primary_domain }}" -csp: - flags: - script-src-elem: - unsafe-inline: true - script-src: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true +server: + domains: + canonical: + - "social.{{ primary_domain }}" + csp: + flags: + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true oauth2_proxy: application: "application" port: "80" diff --git a/roles/web-app-funkwhale/config/main.yml b/roles/web-app-funkwhale/config/main.yml index fa0e8ee3..6b382545 100644 --- a/roles/web-app-funkwhale/config/main.yml +++ b/roles/web-app-funkwhale/config/main.yml 
@@ -20,19 +20,20 @@ features: central_database: true oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage logout: true -domains: - canonical: - - "audio.{{ primary_domain }}" - aliases: - - "music.{{ primary_domain }}" - - "sound.{{ primary_domain }}" -csp: - flags: - style-src: - unsafe-inline: true - whitelist: - font-src: - - "data:" +server: + domains: + canonical: + - "audio.{{ primary_domain }}" + aliases: + - "music.{{ primary_domain }}" + - "sound.{{ primary_domain }}" + csp: + flags: + style-src: + unsafe-inline: true + whitelist: + font-src: + - "data:" oauth2_proxy: application: "front" port: "80" diff --git a/roles/web-app-gitea/config/main.yml b/roles/web-app-gitea/config/main.yml index 4290cd56..087ad60b 100644 --- a/roles/web-app-gitea/config/main.yml +++ b/roles/web-app-gitea/config/main.yml @@ -19,25 +19,26 @@ oauth2_proxy: acl: blacklist: - "/user/login" -csp: - flags: - script-src-elem: - unsafe-inline: true - style-src: - unsafe-inline: true - whitelist: - font-src: - - "data:" - - "blob:" - worker-src: - - "blob:" - manifest-src: - - "data:" -domains: - aliases: - - "git.{{ primary_domain }}" - canonical: - - gitea.{{ primary_domain }} +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + style-src: + unsafe-inline: true + whitelist: + font-src: + - "data:" + - "blob:" + worker-src: + - "blob:" + manifest-src: + - "data:" + domains: + aliases: + - "git.{{ primary_domain }}" + canonical: + - gitea.{{ primary_domain }} docker: services: database: diff --git a/roles/web-app-gitlab/config/main.yml b/roles/web-app-gitlab/config/main.yml index 9b5e21cb..f1b4e304 100644 --- a/roles/web-app-gitlab/config/main.yml +++ b/roles/web-app-gitlab/config/main.yml @@ -15,7 +15,7 @@ docker: version: "latest" credentials: initial_root_password: "{{ users.administrator.password }}" - -domains: - canonical: - - gitlab.{{ primary_domain }} +server: + domains: + canonical: + - gitlab.{{ primary_domain }} 
diff --git a/roles/web-app-jenkins/config/main.yml b/roles/web-app-jenkins/config/main.yml index d929a9b7..0939cf04 100644 --- a/roles/web-app-jenkins/config/main.yml +++ b/roles/web-app-jenkins/config/main.yml @@ -1,6 +1,6 @@ features: logout: true # Same like with elk, anyhow not active atm - -domains: - canonical: - - jenkins.{{ primary_domain }} +server: + domains: + canonical: + - jenkins.{{ primary_domain }} diff --git a/roles/web-app-joomla/config/main.yml b/roles/web-app-joomla/config/main.yml index a4deddd6..c4925b9f 100644 --- a/roles/web-app-joomla/config/main.yml +++ b/roles/web-app-joomla/config/main.yml @@ -6,9 +6,10 @@ features: port-ui-desktop: true central_database: true logout: true -domains: - canonical: - - "cms.{{ primary_domain }}" +server: + domains: + canonical: + - "cms.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-keycloak/config/main.yml b/roles/web-app-keycloak/config/main.yml index dd34a32c..74abe509 100644 --- a/roles/web-app-keycloak/config/main.yml +++ b/roles/web-app-keycloak/config/main.yml @@ -7,20 +7,21 @@ features: central_database: true recaptcha: true logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - script-src: - unsafe-inline: true - style-src: - unsafe-inline: true - whitelist: - frame-src: - - "*" # For frontend channel logout it's necessary that iframes can be loaded -domains: - canonical: - - "auth.{{ primary_domain }}" +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true + style-src: + unsafe-inline: true + whitelist: + frame-src: + - "*" # For frontend channel logout it's necessary that iframes can be loaded + domains: + canonical: + - "auth.{{ primary_domain }}" scopes: rbac_roles: rbac_roles nextcloud: nextcloud diff --git a/roles/web-app-lam/config/main.yml b/roles/web-app-lam/config/main.yml index 354aafc3..b858bc91 100644 --- a/roles/web-app-lam/config/main.yml +++ b/roles/web-app-lam/config/main.yml 
@@ -12,19 +12,20 @@ features: ldap: true central_database: false oauth2: true - logout: true -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - unsafe-eval: true - script-src: - unsafe-inline: true -domains: - aliases: - - "ldap.{{primary_domain}}" - canonical: - - lam.{{ primary_domain }} + logout: true +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + unsafe-eval: true + script-src: + unsafe-inline: true + domains: + aliases: + - "ldap.{{primary_domain}}" + canonical: + - lam.{{ primary_domain }} diff --git a/roles/web-app-libretranslate/config/main.yml b/roles/web-app-libretranslate/config/main.yml index cb7dc2e6..3d138371 100644 --- a/roles/web-app-libretranslate/config/main.yml +++ b/roles/web-app-libretranslate/config/main.yml @@ -18,13 +18,14 @@ features: oauth2: false # Enable the OAuth2-Proy javascript: false # Enables the custom JS in the javascript.js.j2 file logout: false # With this app I assume that it's a service, so should be renamed and logging is unneccessary -csp: - whitelist: {} # URL's which should be whitelisted - flags: {} # Flags which should be set -domains: - canonical: - - "libretranslate.{{ primary_domain }}" - aliases: [] # Alias redirections to the first element of the canonical domains +server: + csp: + whitelist: {} # URL's which should be whitelisted + flags: {} # Flags which should be set + domains: + canonical: + - "libretranslate.{{ primary_domain }}" + aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} diff --git a/roles/web-app-listmonk/config/main.yml b/roles/web-app-listmonk/config/main.yml index ba0946ba..193351df 100644 --- a/roles/web-app-listmonk/config/main.yml +++ b/roles/web-app-listmonk/config/main.yml 
@@ -5,10 +5,11 @@ features: port-ui-desktop: true central_database: true oidc: true - logout: true -domains: - canonical: - - "newsletter.{{ primary_domain }}" + logout: true +server: + domains: + canonical: + - "newsletter.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-mailu/config/main.yml b/roles/web-app-mailu/config/main.yml index d375bfa5..20c26b5d 100644 --- a/roles/web-app-mailu/config/main.yml +++ b/roles/web-app-mailu/config/main.yml @@ -1,26 +1,27 @@ oidc: - email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used - enable_user_creation: true # Users will be created if not existing -domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ + email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used + enable_user_creation: true # Users will be created if not existing +domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ features: matomo: true css: false - port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it + port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it oidc: true - central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary + central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary logout: true -domains: - canonical: - - "mail.{{ primary_domain }}" -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - script-src: - unsafe-inline: true - unsafe-eval: true +server: + domains: + canonical: + - "mail.{{ primary_domain }}" + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true + unsafe-eval: true rbac: roles: mail-bot: 
diff --git a/roles/web-app-mastodon/config/main.yml b/roles/web-app-mastodon/config/main.yml index ebf91e97..799745dd 100644 --- a/roles/web-app-mastodon/config/main.yml +++ b/roles/web-app-mastodon/config/main.yml @@ -6,14 +6,15 @@ features: port-ui-desktop: true oidc: true central_database: true - logout: true -domains: - canonical: - - "microblog.{{ primary_domain }}" -csp: - whitelist: - frame-src: - - "*" + logout: true +server: + domains: + canonical: + - "microblog.{{ primary_domain }}" + csp: + whitelist: + frame-src: + - "*" docker: services: redis: diff --git a/roles/web-app-matomo/config/main.yml b/roles/web-app-matomo/config/main.yml index e300160e..739abdea 100644 --- a/roles/web-app-matomo/config/main.yml +++ b/roles/web-app-matomo/config/main.yml @@ -8,27 +8,28 @@ features: port-ui-desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it central_database: true oauth2: false - logout: true -csp: - whitelist: - script-src-elem: - - https://cdn.matomo.cloud - style-src: - - https://fonts.googleapis.com - flags: - script-src: - unsafe-eval: true - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true - unsafe-eval: true -domains: - aliases: - - "analytics.{{ primary_domain }}" - canonical: - - "matomo.{{ primary_domain }}" + logout: true +server: + csp: + whitelist: + script-src-elem: + - https://cdn.matomo.cloud + style-src: + - https://fonts.googleapis.com + flags: + script-src: + unsafe-eval: true + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + unsafe-eval: true + domains: + aliases: + - "analytics.{{ primary_domain }}" + canonical: + - "matomo.{{ primary_domain }}" excluded_ips: "{{ networks.internet.values() | list }}" docker: diff --git a/roles/web-app-matrix/config/main.yml b/roles/web-app-matrix/config/main.yml index 6432f73a..780cf1eb 100644 --- a/roles/web-app-matrix/config/main.yml 
+++ b/roles/web-app-matrix/config/main.yml @@ -23,22 +23,28 @@ features: port-ui-desktop: true oidc: true # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 central_database: true - logout: true -csp: - flags: - script-src: - unsafe-eval: true - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true - whitelist: - connect-src: - - "*" - script-src-elem: - - "element.{{ primary_domain }}" - - "https://cdn.jsdelivr.net" + logout: true +server: + csp: + flags: + script-src: + unsafe-eval: true + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + whitelist: + connect-src: + - "*" + script-src-elem: + - "element.{{ primary_domain }}" + - "https://cdn.jsdelivr.net" + domains: + canonical: + synapse: "matrix.{{ primary_domain }}" + element: "element.{{ primary_domain }}" + client_max_body_size: "15M" plugins: # You need to enable them in the inventory file @@ -50,10 +56,3 @@ plugins: slack: false telegram: false whatsapp: false - -client_max_body_size: "15M" - -domains: - canonical: - synapse: "matrix.{{ primary_domain }}" - element: "element.{{ primary_domain }}" diff --git a/roles/web-app-matrix/vars/main.yml b/roles/web-app-matrix/vars/main.yml index 484e6f5e..87f6e76a 100644 --- a/roles/web-app-matrix/vars/main.yml +++ b/roles/web-app-matrix/vars/main.yml @@ -17,4 +17,4 @@ matrix_project: "{{ application_id | get_entity_name }}" # Webserver well_known_directory: "{{nginx.directories.data.well_known}}/matrix/" location_upload: "~ ^/_matrix/media/v3/" -client_max_body_size: "{{ applications | get_app_conf(application_id, 'client_max_body_size') }}" \ No newline at end of file +client_max_body_size: "{{ applications | get_app_conf(application_id, 'server.client_max_body_size') }}" \ No newline at end of file diff --git a/roles/web-app-mediawiki/config/main.yml b/roles/web-app-mediawiki/config/main.yml index 8309b338..5b431795 100644 
--- a/roles/web-app-mediawiki/config/main.yml +++ b/roles/web-app-mediawiki/config/main.yml @@ -1,6 +1,7 @@ -domains: - canonical: - - "wiki.{{ primary_domain }}" +server: + domains: + canonical: + - "wiki.{{ primary_domain }}" docker: services: mediawiki: diff --git a/roles/web-app-mig/config/main.yml b/roles/web-app-mig/config/main.yml index 8de723fe..b0dba996 100644 --- a/roles/web-app-mig/config/main.yml +++ b/roles/web-app-mig/config/main.yml 
@@ -1,38 +1,39 @@ docker: services: redis: - enabled: false # No redis needed + enabled: false # No redis needed database: - enabled: false # No database needed + enabled: false # No database needed features: matomo: true # activate tracking css: true # use custom infinito stile port-ui-desktop: true # Enable in port-ui - logout: false -csp: - whitelist: - script-src-elem: - - https://cdn.jsdelivr.net - - https://kit.fontawesome.com - - https://code.jquery.com/ - - https://unpkg.com/ - style-src: - - https://cdn.jsdelivr.net - - https://cdnjs.cloudflare.com - font-src: - - https://cdnjs.cloudflare.com - - https://ka-f.fontawesome.com - - https://cdn.jsdelivr.net - connect-src: - - https://ka-f.fontawesome.com - frame-ancestors: - - "*" # No damage if it's used somewhere on other websites, it anyhow looks like art - flags: - style-src: - unsafe-inline: true -domains: - canonical: - - "mig.{{ primary_domain }}" - aliases: - - "meta-infinite-graph.{{ primary_domain }}" -build_data: true # Enables the building of the meta data which the graph requiers + logout: false +server: + csp: + whitelist: + script-src-elem: + - https://cdn.jsdelivr.net + - https://kit.fontawesome.com + - https://code.jquery.com/ + - https://unpkg.com/ + style-src: + - https://cdn.jsdelivr.net + - https://cdnjs.cloudflare.com + font-src: + - https://cdnjs.cloudflare.com + - https://ka-f.fontawesome.com + - https://cdn.jsdelivr.net + connect-src: + - https://ka-f.fontawesome.com + frame-ancestors: + - "*" # No damage if it's used somewhere on other websites, it anyhow looks like art + flags: + style-src: + unsafe-inline: true + domains: + canonical: + - "mig.{{ primary_domain }}" + aliases: + - "meta-infinite-graph.{{ primary_domain }}" +build_data: true # Enables the building of the meta data which the graph requiers diff --git a/roles/web-app-mobilizon/config/main.yml b/roles/web-app-mobilizon/config/main.yml index 9daf9bbe..8142d874 100644 --- a/roles/web-app-mobilizon/config/main.yml 
+++ b/roles/web-app-mobilizon/config/main.yml @@ -5,17 +5,18 @@ features: matomo: true port-ui-desktop: true logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - script-src: - unsafe-eval: true -domains: - canonical: - - "event.{{ primary_domain }}" - aliases: - - "events.{{ primary_domain }}" +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + script-src: + unsafe-eval: true + domains: + canonical: + - "event.{{ primary_domain }}" + aliases: + - "events.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-moodle/config/main.yml b/roles/web-app-moodle/config/main.yml index 6dd797c0..d2531fca 100644 --- a/roles/web-app-moodle/config/main.yml +++ b/roles/web-app-moodle/config/main.yml @@ -5,26 +5,27 @@ features: port-ui-desktop: true central_database: true oidc: true - logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - unsafe-eval: true - script-src: - unsafe-eval: true - style-src: - unsafe-inline: true - unsafe-eval: true - whitelist: - font-src: - - "data:" - - "blob:" - script-src-elem: - - "https://cdn.jsdelivr.net" -domains: - canonical: - - "academy.{{ primary_domain }}" + logout: true +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + unsafe-eval: true + script-src: + unsafe-eval: true + style-src: + unsafe-inline: true + unsafe-eval: true + whitelist: + font-src: + - "data:" + - "blob:" + script-src-elem: + - "https://cdn.jsdelivr.net" + domains: + canonical: + - "academy.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-mybb/config/main.yml b/roles/web-app-mybb/config/main.yml index 49b1aca1..30424346 100644 --- a/roles/web-app-mybb/config/main.yml +++ b/roles/web-app-mybb/config/main.yml @@ -15,7 +15,7 @@ docker: name: "mybb" volumes: data: "mybb_data" - -domains: - canonical: - - mybb.{{ primary_domain }} +server: + domains: + canonical: + - mybb.{{ primary_domain }} 
diff --git a/roles/web-app-navigator/config/main.yml b/roles/web-app-navigator/config/main.yml index 09b866da..dc4b5fe5 100644 --- a/roles/web-app-navigator/config/main.yml +++ b/roles/web-app-navigator/config/main.yml @@ -1,28 +1,29 @@ features: - matomo: true - css: true - port-ui-desktop: true - logout: false -csp: - whitelist: - script-src-elem: - - https://cdnjs.cloudflare.com - - https://code.jquery.com - - https://cdn.jsdelivr.net - style-src: - - https://cdnjs.cloudflare.com - - https://cdn.jsdelivr.net - font-src: - - https://cdnjs.cloudflare.com - frame-src: - - "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator - flags: - style-src: - unsafe-inline: true - script-src: - unsafe-eval: true - script-src-elem: - unsafe-inline: true -domains: - canonical: - - "slides.{{ primary_domain }}" + matomo: true + css: true + port-ui-desktop: true + logout: false +server: + csp: + whitelist: + script-src-elem: + - https://cdnjs.cloudflare.com + - https://code.jquery.com + - https://cdn.jsdelivr.net + style-src: + - https://cdnjs.cloudflare.com + - https://cdn.jsdelivr.net + font-src: + - https://cdnjs.cloudflare.com + frame-src: + - "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator + flags: + style-src: + unsafe-inline: true + script-src: + unsafe-eval: true + script-src-elem: + unsafe-inline: true + domains: + canonical: + - "slides.{{ primary_domain }}" diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml index 4f9b0c24..48083764 100644 --- a/roles/web-app-nextcloud/config/main.yml +++ b/roles/web-app-nextcloud/config/main.yml 
@@ -1,18 +1,19 @@ -version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - whitelist: - font-src: - - "data:" -domains: - canonical: - - "cloud.{{ primary_domain }}" - # nextcloud: "cloud.{{ primary_domain }}" - # talk: "talk.{{ primary_domain }}" @todo needs to be activated +version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + whitelist: + font-src: + - "data:" + domains: + canonical: + - "cloud.{{ primary_domain }}" + # nextcloud: "cloud.{{ primary_domain }}" + # talk: "talk.{{ primary_domain }}" @todo needs to be activated docker: volumes: data: nextcloud_data diff --git a/roles/web-app-oauth2-proxy/config/main.yml b/roles/web-app-oauth2-proxy/config/main.yml index 222fc19c..7e35e11b 100644 --- a/roles/web-app-oauth2-proxy/config/main.yml +++ b/roles/web-app-oauth2-proxy/config/main.yml @@ -6,7 +6,7 @@ features: css: true port-ui-desktop: false logout: true - -domains: - canonical: - - oauth2-proxy.{{ primary_domain }} +server: + domains: + canonical: + - oauth2-proxy.{{ primary_domain }} diff --git a/roles/web-app-openproject/config/main.yml b/roles/web-app-openproject/config/main.yml index ae0df1e2..6271f53c 100644 --- a/roles/web-app-openproject/config/main.yml +++ b/roles/web-app-openproject/config/main.yml @@ -17,16 +17,17 @@ features: ldap: true central_database: true oauth2: true - logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - style-src: - unsafe-inline: true -domains: - canonical: - - "project.{{ primary_domain }}" + logout: true +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + style-src: + unsafe-inline: true + domains: + canonical: + - "project.{{ primary_domain }}" docker: services: 
diff --git a/roles/web-app-peertube/config/main.yml b/roles/web-app-peertube/config/main.yml index 90338882..527cd32e 100644 --- a/roles/web-app-peertube/config/main.yml +++ b/roles/web-app-peertube/config/main.yml @@ -4,27 +4,28 @@ features: port-ui-desktop: true central_database: true oidc: true - logout: true -csp: - flags: - script-src-elem: - unsafe-inline: true - script-src: - unsafe-inline: true - style-src: - unsafe-inline: true - whitelist: - frame-ancestors: - - "*" - media-src: - - "blob:" - font-src: - - "data:" -domains: - canonical: - - "video.{{ primary_domain }}" - aliases: - - "videos.{{ primary_domain }}" + logout: true +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true + style-src: + unsafe-inline: true + whitelist: + frame-ancestors: + - "*" + media-src: + - "blob:" + font-src: + - "data:" + domains: + canonical: + - "video.{{ primary_domain }}" + aliases: + - "videos.{{ primary_domain }}" docker: services: redis: diff --git a/roles/web-app-pgadmin/config/main.yml b/roles/web-app-pgadmin/config/main.yml index 4c7ec42a..cb8a3289 100644 --- a/roles/web-app-pgadmin/config/main.yml +++ b/roles/web-app-pgadmin/config/main.yml @@ -13,20 +13,20 @@ features: central_database: true oauth2: true logout: true -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - whitelist: - font-src: - - "data:" +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + whitelist: + font-src: + - "data:" + domains: + canonical: + - pgadmin.{{ primary_domain }} docker: services: database: enabled: true - -domains: - canonical: - - pgadmin.{{ primary_domain }} diff --git a/roles/web-app-phpldapadmin/config/main.yml b/roles/web-app-phpldapadmin/config/main.yml index bc61834e..4c9ae46c 100644 --- a/roles/web-app-phpldapadmin/config/main.yml +++ b/roles/web-app-phpldapadmin/config/main.yml 
@@ -11,7 +11,7 @@ features: ldap: true oauth2: true logout: true - -domains: - canonical: - - phpldapadmin.{{ primary_domain }} +server: + domains: + canonical: + - phpldapadmin.{{ primary_domain }} diff --git a/roles/web-app-phpmyadmin/config/main.yml b/roles/web-app-phpmyadmin/config/main.yml index 9b47680a..1c2b9526 100644 --- a/roles/web-app-phpmyadmin/config/main.yml +++ b/roles/web-app-phpmyadmin/config/main.yml @@ -11,19 +11,20 @@ features: # it's anyhow not so enduser relevant, so it can be kept like this central_database: true oauth2: true - logout: true -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true -domains: - aliases: - - "mysql.{{ primary_domain }}" - - "mariadb.{{ primary_domain }}" - canonical: - - phpmyadmin.{{ primary_domain }} + logout: true +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + domains: + aliases: + - "mysql.{{ primary_domain }}" + - "mariadb.{{ primary_domain }}" + canonical: + - phpmyadmin.{{ primary_domain }} docker: services: database: diff --git a/roles/web-app-pixelfed/config/main.yml b/roles/web-app-pixelfed/config/main.yml index 666ff25d..84186301 100644 --- a/roles/web-app-pixelfed/config/main.yml +++ b/roles/web-app-pixelfed/config/main.yml 
@@ -5,25 +5,26 @@ features: port-ui-desktop: true central_database: true oidc: true - logout: true -csp: - flags: - script-src: - unsafe-eval: true - unsafe-inline: true - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true - whitelist: - frame-ancestors: - - "*" -domains: - canonical: - - "picture.{{ primary_domain }}" - aliases: - - "pictures.{{ primary_domain }}" + logout: true +server: + csp: + flags: + script-src: + unsafe-eval: true + unsafe-inline: true + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + whitelist: + frame-ancestors: + - "*" + domains: + canonical: + - "picture.{{ primary_domain }}" + aliases: + - "pictures.{{ primary_domain }}" docker: services: redis: diff --git a/roles/web-app-port-ui/config/main.yml b/roles/web-app-port-ui/config/main.yml index 2f45684c..a67e53cf 100644 --- a/roles/web-app-port-ui/config/main.yml +++ b/roles/web-app-port-ui/config/main.yml 
@@ -4,30 +4,31 @@ features: port-ui-desktop: false simpleicons: true # Activate Brand Icons for your groups javascript: true # Necessary for URL sync - logout: false # Doesn't have own user data. Just a frame. -csp: - whitelist: - script-src-elem: - - https://cdn.jsdelivr.net - - https://kit.fontawesome.com - - https://code.jquery.com/ - style-src: - - https://cdn.jsdelivr.net - font-src: - - https://ka-f.fontawesome.com - - https://cdn.jsdelivr.net - connect-src: - - https://ka-f.fontawesome.com - frame-src: - - "{{ web_protocol }}://*.{{primary_domain}}" - flags: - style-src: - unsafe-inline: true - script-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true -domains: - canonical: - - "{{ primary_domain }}" + logout: false # Doesn't have own user data. Just a frame. +server: + csp: + whitelist: + script-src-elem: + - https://cdn.jsdelivr.net + - https://kit.fontawesome.com + - https://code.jquery.com/ + style-src: + - https://cdn.jsdelivr.net + font-src: + - https://ka-f.fontawesome.com + - https://cdn.jsdelivr.net + connect-src: + - https://ka-f.fontawesome.com + frame-src: + - "{{ web_protocol }}://*.{{primary_domain}}" + flags: + style-src: + unsafe-inline: true + script-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + domains: + canonical: + - "{{ primary_domain }}" diff --git a/roles/web-app-pretix/config/main.yml b/roles/web-app-pretix/config/main.yml index 4efbc043..b18a530f 100644 --- a/roles/web-app-pretix/config/main.yml +++ b/roles/web-app-pretix/config/main.yml 
@@ -11,20 +11,21 @@ docker: features: matomo: true # Enable Matomo Tracking css: true # Enable Global CSS Styling - port-ui-desktop: true # Enable loading of app in iframe + port-ui-desktop: true # Enable loading of app in iframe ldap: false # Enable LDAP Network central_database: false # Enable Central Database Network recaptcha: false # Enable ReCaptcha oauth2: false # Enable the OAuth2-Proy javascript: false # Enables the custom JS in the javascript.js.j2 file - logout: true -csp: - whitelist: {} # URL's which should be whitelisted - flags: {} # Flags which should be set -domains: - canonical: - - "pretix.{{ primary_domain }}" - aliases: [] # Alias redirections to the first element of the canonical domains + logout: true +server: + csp: + whitelist: {} # URL's which should be whitelisted + flags: {} # Flags which should be set + domains: + canonical: + - "pretix.{{ primary_domain }}" + aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} diff --git a/roles/web-app-roulette-wheel/config/main.yml b/roles/web-app-roulette-wheel/config/main.yml index 820fda83..d7153879 100644 --- a/roles/web-app-roulette-wheel/config/main.yml +++ b/roles/web-app-roulette-wheel/config/main.yml @@ -1,5 +1,6 @@ features: logout: false -domains: - canonical: - - "wheel.{{ primary_domain }}" +server: + domains: + canonical: + - "wheel.{{ primary_domain }}" diff --git a/roles/web-app-snipe-it/config/main.yml b/roles/web-app-snipe-it/config/main.yml index 8354b782..5bac7fa3 100644 --- a/roles/web-app-snipe-it/config/main.yml +++ b/roles/web-app-snipe-it/config/main.yml 
@@ -5,22 +5,23 @@ features: central_database: true ldap: true oauth2: true - logout: true -domains: - canonical: - - "inventory.{{ primary_domain }}" -csp: - flags: - script-src: - unsafe-inline: true - unsafe-eval: true - script-src-elem: - unsafe-inline: true - style-src: - unsafe-inline: true - whitelist: - font-src: - - "data:" + logout: true +server: + domains: + canonical: + - "inventory.{{ primary_domain }}" + csp: + flags: + script-src: + unsafe-inline: true + unsafe-eval: true + script-src-elem: + unsafe-inline: true + style-src: + unsafe-inline: true + whitelist: + font-src: + - "data:" oauth2_proxy: application: "application" port: "80" diff --git a/roles/web-app-sphinx/config/main.yml b/roles/web-app-sphinx/config/main.yml index fa1e95a2..571533c4 100644 --- a/roles/web-app-sphinx/config/main.yml +++ b/roles/web-app-sphinx/config/main.yml @@ -1,17 +1,18 @@ features: - matomo: true - css: true - port-ui-desktop: true - logout: false -csp: - flags: - script-src: - unsafe-eval: true - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true -domains: - canonical: - - "docs.{{ primary_domain }}" + matomo: true + css: true + port-ui-desktop: true + logout: false +server: + csp: + flags: + script-src: + unsafe-eval: true + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + domains: + canonical: + - "docs.{{ primary_domain }}" diff --git a/roles/web-app-syncope/config/main.yml b/roles/web-app-syncope/config/main.yml index 307be51f..95bf3059 100644 --- a/roles/web-app-syncope/config/main.yml +++ b/roles/web-app-syncope/config/main.yml @@ -13,7 +13,7 @@ features: # users: # administrator: # username: "{{ users.administrator.username }}" - -domains: - canonical: - - syncope.{{ primary_domain }} +server: + domains: + canonical: + - syncope.{{ primary_domain }} diff --git a/roles/web-app-taiga/config/main.yml b/roles/web-app-taiga/config/main.yml index a170e170..26adc867 100644 
--- a/roles/web-app-taiga/config/main.yml +++ b/roles/web-app-taiga/config/main.yml @@ -11,22 +11,23 @@ features: port-ui-desktop: true oidc: false central_database: true - logout: true + logout: true docker: services: database: enabled: true taiga: version: "latest" -csp: - flags: - script-src-elem: - unsafe-inline: true - unsafe-eval: true - style-src: - unsafe-inline: true - script-src: - unsafe-eval: true -domains: - canonical: - - "kanban.{{ primary_domain }}" +server: + csp: + flags: + script-src-elem: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true + script-src: + unsafe-eval: true + domains: + canonical: + - "kanban.{{ primary_domain }}" diff --git a/roles/web-app-wordpress/config/main.yml b/roles/web-app-wordpress/config/main.yml index 379a808e..232ca4ba 100644 --- a/roles/web-app-wordpress/config/main.yml +++ b/roles/web-app-wordpress/config/main.yml 
@@ -14,32 +14,33 @@ features: oidc: true central_database: true logout: true -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - script-src: - unsafe-eval: true - whitelist: - worker-src: - - "blob:" - font-src: - - "data:" - - "https://fonts.bunny.net" - script-src-elem: - - "https://cdn.gtranslate.net" # Necessary for translation plugins - - "https://translate.google.com" # Necessary for translation plugins +server: + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + script-src: + unsafe-eval: true + whitelist: + worker-src: + - "blob:" + font-src: + - "data:" + - "https://fonts.bunny.net" + script-src-elem: + - "https://cdn.gtranslate.net" # Necessary for translation plugins + - "https://translate.google.com" # Necessary for translation plugins + - "blog.{{ primary_domain }}" + style-src: + - "https://fonts.bunny.net" + frame-src: + - "blob:" + - "*" + domains: + canonical: - "blog.{{ primary_domain }}" - style-src: - - "https://fonts.bunny.net" - frame-src: - - "blob:" - - "*" -domains: - canonical: - - "blog.{{ primary_domain }}" docker: services: database: diff --git a/roles/web-app-wordpress/tasks/main.yml b/roles/web-app-wordpress/tasks/main.yml index e89988fc..394c63b0 100644 --- a/roles/web-app-wordpress/tasks/main.yml +++ b/roles/web-app-wordpress/tasks/main.yml @@ -6,7 +6,7 @@ - name: "Include role srv-proxy-6-6-domain for {{ application_id }}" include_role: name: srv-proxy-6-6-domain - loop: "{{ applications | get_app_conf(application_id, 'domains.canonical', True) }}" + loop: "{{ applications | get_app_conf(application_id, 'server.domains.canonical', True) }}" loop_control: loop_var: domain vars: diff --git a/roles/web-app-xmpp/config/main.yml b/roles/web-app-xmpp/config/main.yml index cb4f0d8a..b7b49bc5 100644 --- a/roles/web-app-xmpp/config/main.yml +++ b/roles/web-app-xmpp/config/main.yml 
@@ -1,7 +1,7 @@ # xmpp is more a service then a app with ui interface. @todo Rename it features: logout: false # Reactivated as soon as xmpp is fully implemented - -domains: - canonical: - - xmpp.{{ primary_domain }} +server: + domains: + canonical: + - xmpp.{{ primary_domain }} diff --git a/roles/web-app-yourls/config/main.yml b/roles/web-app-yourls/config/main.yml index 345aa879..bae353cb 100644 --- a/roles/web-app-yourls/config/main.yml +++ b/roles/web-app-yourls/config/main.yml @@ -13,11 +13,20 @@ features: central_database: true oauth2: true logout: true -domains: - canonical: - - "s.{{ primary_domain }}" - aliases: - - "short.{{ primary_domain }}" +server: + domains: + canonical: + - "s.{{ primary_domain }}" + aliases: + - "short.{{ primary_domain }}" + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true docker: services: database: @@ -26,11 +35,3 @@ docker: version: "latest" name: "yourls" image: "yourls" -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - script-src: - unsafe-inline: true \ No newline at end of file diff --git a/roles/web-svc-asset/config/main.yml b/roles/web-svc-asset/config/main.yml index 43f6e184..9702e5f9 100644 --- a/roles/web-svc-asset/config/main.yml +++ b/roles/web-svc-asset/config/main.yml @@ -1,6 +1,6 @@ source_directory: "{{ playbook_dir }}/assets" -url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']domains.canonical[0] >>/assets" - -domains: - canonical: - - asset.{{ primary_domain }} +url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']server.domains.canonical[0] >>/assets" +server: + domains: + canonical: + - asset.{{ primary_domain }} diff --git a/roles/web-svc-cdn/config/main.yml b/roles/web-svc-cdn/config/main.yml index 3373d367..fac88b15 100644 --- a/roles/web-svc-cdn/config/main.yml +++ b/roles/web-svc-cdn/config/main.yml 
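Review bot: The rewritten `url:` in web-svc-asset references `defaults_applications['web-svc-file']server.domains.canonical[0]` with no `.` between the closing bracket and `server`, whereas the test_dict_renderer hunk exercises `['web-svc-file'].server.domains.canonical[0]` with the dot. If the renderer requires the dot after a bracketed key, the asset URL will not resolve; `url: "{{ web_protocol }}://<< defaults_applications['web-svc-file'].server.domains.canonical[0] >>/assets"` matches the tested form. The old line had the same omission, so the renderer may already tolerate it — worth confirming before merging.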
@@ -1,7 +1,8 @@ features: - matomo: true - css: true - port-ui-desktop: true -domains: - canonical: - - "cdn.{{ primary_domain }}" + matomo: true + css: true + port-ui-desktop: true +server: + domains: + canonical: + - "cdn.{{ primary_domain }}" diff --git a/roles/web-svc-file/config/main.yml b/roles/web-svc-file/config/main.yml index 6114c29b..0487dc27 100644 --- a/roles/web-svc-file/config/main.yml +++ b/roles/web-svc-file/config/main.yml @@ -1,9 +1,10 @@ features: - matomo: true - css: true - port-ui-desktop: true -domains: - canonical: - - "file.{{ primary_domain }}" - alias: - - "files.{{ primary_domain }}" + matomo: true + css: true + port-ui-desktop: true +server: + domains: + canonical: + - "file.{{ primary_domain }}" + alias: + - "files.{{ primary_domain }}" diff --git a/roles/web-svc-html/config/main.yml b/roles/web-svc-html/config/main.yml index 972fbbe8..43c60b9f 100644 --- a/roles/web-svc-html/config/main.yml +++ b/roles/web-svc-html/config/main.yml @@ -1,7 +1,8 @@ features: matomo: true css: true - port-ui-desktop: true -domains: - canonical: - - "html.{{ primary_domain }}" + port-ui-desktop: true +server: + domains: + canonical: + - "html.{{ primary_domain }}" diff --git a/roles/web-svc-logout/config/main.yml b/roles/web-svc-logout/config/main.yml index 1035846a..c0bfb90e 100644 --- a/roles/web-svc-logout/config/main.yml +++ b/roles/web-svc-logout/config/main.yml 
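Review bot: The new side of the web-svc-file hunk keeps `alias:` (singular) under `server.domains`, while the template in templates/roles/web-app/config/main.yml.j2 and every other role in this diff (peertube, phpmyadmin, yourls) use `aliases:`; the alias filters presumably read `aliases`, so `files.{{ primary_domain }}` is likely never registered as a redirect. Since the commit rewrites this block anyway, renaming the key to `aliases:` here is the natural place to fix it.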
@@ -4,23 +4,24 @@ features: port-ui-desktop: true javascript: false logout: false -domains: - canonical: - - "logout.{{ primary_domain }}" -csp: - flags: - style-src: - unsafe-inline: true - script-src-elem: - unsafe-inline: true - whitelist: - connect-src: - - "{{ web_protocol }}://*.{{ primary_domain }}" - - "{{ web_protocol }}://{{ primary_domain }}" - script-src-elem: - - https://cdn.jsdelivr.net - style-src: - - https://cdn.jsdelivr.net - frame-ancestors: - - "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].domains.canonical[0] >>" +server: + domains: + canonical: + - "logout.{{ primary_domain }}" + csp: + flags: + style-src: + unsafe-inline: true + script-src-elem: + unsafe-inline: true + whitelist: + connect-src: + - "{{ web_protocol }}://*.{{ primary_domain }}" + - "{{ web_protocol }}://{{ primary_domain }}" + script-src-elem: + - https://cdn.jsdelivr.net + style-src: + - https://cdn.jsdelivr.net + frame-ancestors: + - "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].server.domains.canonical[0] >>" diff --git a/roles/web-svc-logout/filter_plugins/domain_filters.py b/roles/web-svc-logout/filter_plugins/domain_filters.py index f2e81763..cb6e2fda 100644 --- a/roles/web-svc-logout/filter_plugins/domain_filters.py +++ b/roles/web-svc-logout/filter_plugins/domain_filters.py @@ -31,7 +31,7 @@ class FilterModule(object): continue # use canonical domains list if present - domains_entry = config.get('domains', {}).get('canonical', []) + domains_entry = config.get('server', {}).get('domains', {}).get('canonical', []) # normalize to a list of strings if isinstance(domains_entry, dict): diff --git a/roles/web-svc-simpleicons/config/main.yml b/roles/web-svc-simpleicons/config/main.yml index 54b3c839..73aedc81 100644 --- a/roles/web-svc-simpleicons/config/main.yml +++ b/roles/web-svc-simpleicons/config/main.yml 
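Review bot: The chained lookup `config.get('server', {}).get('domains', {})` in domain_filters.py only falls back to the empty default when the `server` key is absent; a role config that declares `server:` with no children parses as `None` in YAML, and the lookup then raises AttributeError instead of yielding an empty canonical list. `domains_entry = ((config.get('server') or {}).get('domains') or {}).get('canonical', [])` keeps the fall-through for both absent and null sections. The enclosing loop and function start outside the hunk; the same chained lookup appears in the test_domain_uniqueness and test_domains_canonical hunks.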
@@ -16,10 +16,11 @@ features: central_database: false # Enable Central Database Network recaptcha: false # Enable ReCaptcha oauth2: false # Enable the OAuth2-Proy -csp: {} -domains: - canonical: - - "icons.{{ primary_domain }}" +server: + csp: {} + domains: + canonical: + - "icons.{{ primary_domain }}" rbac: roles: mail-bot: diff --git a/templates/roles/web-app/config/main.yml.j2 b/templates/roles/web-app/config/main.yml.j2 index 5846f7c1..34aa2315 100644 --- a/templates/roles/web-app/config/main.yml.j2 +++ b/templates/roles/web-app/config/main.yml.j2 @@ -24,24 +24,24 @@ features: recaptcha: false # Enable ReCaptcha oauth2: false # Enable the OAuth2-Proy javascript: false # Enable the custom JS in the javascript.js.j2 file - logout: true # Enable the logout via the central logout mechanism (deleting all cookies) -csp: - whitelist: # URL's which should be whitelisted - script-src-elem: [] - style-src: [] - font-src: [] - connect-src: [] - frame-src: [] - flags: # Flags which should be set - style-src: - unsafe-inline: false - script-src: - unsafe-inline: false - script-src-elem: - unsafe-inline: false -domains: -domains: - canonical: {} # Urls under which the domain should be directly accessible - aliases: [] # Alias redirections to the first element of the canonical domains + logout: true # Enable the logout via the central logout mechanism (deleting all cookies) +server: + csp: + whitelist: # URL's which should be whitelisted + script-src-elem: [] + style-src: [] + font-src: [] + connect-src: [] + frame-src: [] + flags: # Flags which should be set + style-src: + unsafe-inline: false + script-src: + unsafe-inline: false + script-src-elem: + unsafe-inline: false + domains: + canonical: {} # Urls under which the domain should be directly accessible + aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} 
diff --git a/tests/integration/test_domain_uniqueness.py b/tests/integration/test_domain_uniqueness.py index 46929090..39d7f173 100644 --- a/tests/integration/test_domain_uniqueness.py +++ b/tests/integration/test_domain_uniqueness.py @@ -25,7 +25,7 @@ class TestDomainUniqueness(unittest.TestCase): domain_to_apps = defaultdict(set) for app_name, app_cfg in apps.items(): - domains_cfg = app_cfg.get('domains', {}) + domains_cfg = app_cfg.get('server',{}).get('domains',{}) # canonical entries may be a list or a mapping canonical = domains_cfg.get('canonical', []) diff --git a/tests/integration/test_domains_canonical.py b/tests/integration/test_domains_canonical.py index cac15278..69ac02aa 100644 --- a/tests/integration/test_domains_canonical.py +++ b/tests/integration/test_domains_canonical.py @@ -20,17 +20,17 @@ class TestWebRolesDomains(unittest.TestCase): self.assertIsInstance(data, dict, f"YAML root is not a dict in {path}") - domains = data.get("domains") + domains = data.get('server',{}).get('domains',{}) self.assertIsNotNone(domains, f"'domains' section missing in {path}") self.assertIsInstance(domains, dict, f"'domains' must be a dict in {path}") canonical = domains.get("canonical") - self.assertIsNotNone(canonical, f"'domains.canonical' missing in {path}") + self.assertIsNotNone(canonical, f"'server.domains.canonical' missing in {path}") # Check for emptiness empty_values = [{}, [], ""] self.assertNotIn(canonical, empty_values, - f"'domains.canonical' in {path} must not be empty dict, list, or empty string") + f"'server.domains.canonical' in {path} must not be empty dict, list, or empty string") if __name__ == "__main__": unittest.main() diff --git a/tests/integration/test_domains_structure.py b/tests/integration/test_domains_structure.py index ae358b94..43a248b5 100644 --- a/tests/integration/test_domains_structure.py +++ b/tests/integration/test_domains_structure.py 
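Review bot: In the test_domains_canonical hunk, the new `domains = data.get('server',{}).get('domains',{})` defaults to `{}`, so the `assertIsNotNone(domains, ...)` on the following context line can no longer fail, and a role with no `server.domains` section is only caught later by the `canonical` check with a message that does not name the missing section. Dropping the inner default restores the check: `domains = data.get('server', {}).get('domains')`, and the two context messages that still say `'domains'` should name `'server.domains'` like the updated ones. The test_domain_uniqueness hunk on the same line uses the same lookup, but there the `{}` default is the intended behaviour.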
@@ -33,7 +33,7 @@ class TestDomainsStructure(unittest.TestCase): if 'domains' not in data: continue - domains = data['domains'] + domains = data.get('server',{}).get('domains') if not isinstance(domains, dict): failed_roles.append((role_path.name, vars_file.name, "'domains' should be a dict")) continue diff --git a/tests/unit/filter_plugins/test_domain_filters_alias.py b/tests/unit/filter_plugins/test_domain_filters_alias.py index d4948c50..c8b575ec 100644 --- a/tests/unit/filter_plugins/test_domain_filters_alias.py +++ b/tests/unit/filter_plugins/test_domain_filters_alias.py @@ -33,7 +33,9 @@ class TestDomainFilters(unittest.TestCase): def test_alias_with_explicit_aliases(self): apps = { 'app1': { - 'domains': {'aliases': ['alias.com']} + 'server':{ + 'domains': {'aliases': ['alias.com']} + } } } # canonical defaults to ['app1.example.com'], so alias should include alias.com and default @@ -44,7 +46,7 @@ class TestDomainFilters(unittest.TestCase): def test_alias_with_canonical_not_default(self): apps = { 'app1': { - 'domains': {'canonical': ['foo.com']} + 'server':{'domains': {'canonical': ['foo.com']}} } } # foo.com is canonical, default not in canonical so added as alias @@ -55,9 +57,11 @@ class TestDomainFilters(unittest.TestCase): def test_alias_with_existing_default(self): apps = { 'app1': { - 'domains': { - 'canonical': ['foo.com'], - 'aliases': ['app1.example.com'] + 'server':{ + 'domains': { + 'canonical': ['foo.com'], + 'aliases': ['app1.example.com'] + } } } } @@ -68,7 +72,7 @@ class TestDomainFilters(unittest.TestCase): def test_invalid_aliases_type(self): apps = { - 'app1': {'domains': {'aliases': 123}} + 'app1': {'server':{'domains': {'aliases': 123}}} } with self.assertRaises(AnsibleFilterError): self.filter_module.alias_domains_map(apps, self.primary) @@ -76,7 +80,9 @@ class TestDomainFilters(unittest.TestCase): def test_alias_with_empty_domains_cfg(self): apps = { 'app1': { - 'domains': {} + 'server':{ + 'domains': {} + } } } expected = apps 
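Review bot: The context line `if 'domains' not in data:` still tests the top-level key, while the changed line now reads `data.get('server',{}).get('domains')`; since this commit moves every role's `domains` under `server`, the guard skips every role and the structural test silently checks nothing. Move the guard to the new location, e.g. `if 'domains' not in (data.get('server') or {}): continue` followed by `domains = data['server']['domains']`. The enclosing loop and test method start outside the hunk, and the `'domains' should be a dict` message could name `server.domains` while here.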
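Review bot: The new fixture literals in test_domain_filters_alias write `'server':{` with no space after the colon and single-quoted keys next to the existing `'domains': {...}` entries, so one dict mixes two spacing styles, and in other files two quoting styles; `'server': {'domains': {'aliases': ['alias.com']}}` matches the surrounding style. The same pattern recurs in the test_domain_filters_canonical, test_domain_mappings, test_load_configuration, web-svc-logout test_domain_filters and test_dict_renderer hunks.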
@@ -86,10 +92,12 @@ class TestDomainFilters(unittest.TestCase): def test_alias_with_canonical_dict_not_default(self): apps = { 'app1': { - 'domains': { - 'canonical': { - 'one': 'one.com', - 'two': 'two.com' + 'server':{ + 'domains': { + 'canonical': { + 'one': 'one.com', + 'two': 'two.com' + } } } } diff --git a/tests/unit/filter_plugins/test_domain_filters_canonical.py b/tests/unit/filter_plugins/test_domain_filters_canonical.py index c2965075..54904c8f 100644 --- a/tests/unit/filter_plugins/test_domain_filters_canonical.py +++ b/tests/unit/filter_plugins/test_domain_filters_canonical.py @@ -32,7 +32,9 @@ class TestDomainFilters(unittest.TestCase): def test_canonical_with_list(self): apps = { 'web-app-app1': { - 'domains': {'canonical': ['foo.com', 'bar.com']} + 'server':{ + 'domains': {'canonical': ['foo.com', 'bar.com']} + } } } result = self.filter_module.canonical_domains_map(apps, self.primary) @@ -44,7 +46,9 @@ class TestDomainFilters(unittest.TestCase): def test_canonical_with_dict(self): apps = { 'web-app-app1': { - 'domains': {'canonical': {'one': 'one.com', 'two': 'two.com'}} + 'server':{ + 'domains': {'canonical': {'one': 'one.com', 'two': 'two.com'}} + } } } result = self.filter_module.canonical_domains_map(apps, self.primary) @@ -55,8 +59,14 @@ class TestDomainFilters(unittest.TestCase): def test_canonical_duplicate_raises(self): apps = { - 'web-app-app1': {'domains': {'canonical': ['dup.com']}}, - 'web-app-app2': {'domains': {'canonical': ['dup.com']}}, + 'web-app-app1':{ + 'server':{'domains': {'canonical': ['dup.com']}}, + }, + 'web-app-app2':{ + 'server':{ + 'domains': {'canonical': ['dup.com']} + }, + }, } with self.assertRaises(AnsibleFilterError) as cm: self.filter_module.canonical_domains_map(apps, self.primary) 
@@ -65,7 +75,7 @@ class TestDomainFilters(unittest.TestCase): def test_invalid_canonical_type(self): apps = { - 'web-app-app1': {'domains': {'canonical': 123}} + 'web-app-app1': {'server':{'domains': {'canonical': 123}}} } with self.assertRaises(AnsibleFilterError): self.filter_module.canonical_domains_map(apps, self.primary) @@ -76,7 +86,7 @@ class TestDomainFilters(unittest.TestCase): resulting in an empty mapping when only non-web apps are provided. """ apps = { - 'db-app-app1': {'domains': {'canonical': ['db.example.com']}}, + 'db-app-app1': {'server':{'domains': {'canonical': ['db.example.com']}}}, 'service-app-app2': {} } result = self.filter_module.canonical_domains_map(apps, self.primary) @@ -88,7 +98,7 @@ class TestDomainFilters(unittest.TestCase): non-web apps should be ignored alongside valid web apps. """ apps = { - 'db-app-app1': {'domains': {'canonical': ['db.example.com']}}, + 'db-app-app1': {'server':{'domains': {'canonical': ['db.example.com']}}}, 'web-app-app1': {} } expected = {'web-app-app1': ['app1.example.com']} diff --git a/tests/unit/filter_plugins/test_domain_mappings.py b/tests/unit/filter_plugins/test_domain_mappings.py index 61e18d85..c3b80e1f 100644 --- a/tests/unit/filter_plugins/test_domain_mappings.py +++ b/tests/unit/filter_plugins/test_domain_mappings.py @@ -37,7 +37,9 @@ class TestDomainMappings(unittest.TestCase): def test_explicit_aliases(self): apps = { 'app1': { - 'domains': {'aliases': ['alias.com']} + 'server':{ + 'domains': {'aliases': ['alias.com']} + } } } default = 'app1.example.com' @@ -51,7 +53,9 @@ class TestDomainMappings(unittest.TestCase): def test_canonical_not_default(self): apps = { 'app1': { - 'domains': {'canonical': ['foo.com']} + 'server':{ + 'domains': {'canonical': ['foo.com']} + } } } expected = [ 
@@ -63,8 +67,10 @@ class TestDomainMappings(unittest.TestCase): def test_canonical_dict(self): apps = { 'app1': { - 'domains': { - 'canonical': {'one': 'one.com', 'two': 'two.com'} + 'server':{ + 'domains': { + 'canonical': {'one': 'one.com', 'two': 'two.com'} + } } } } @@ -77,8 +83,12 @@ class TestDomainMappings(unittest.TestCase): def test_multiple_apps(self): apps = { - 'app1': {'domains': {'aliases': ['a1.com']}}, - 'app2': {'domains': {'canonical': ['c2.com']}}, + 'app1': { + 'server':{'domains': {'aliases': ['a1.com']}} + }, + 'app2': { + 'server':{'domains': {'canonical': ['c2.com']}} + }, } expected = [ {'source': 'a1.com', 'target': 'app1.example.com'}, @@ -89,7 +99,10 @@ class TestDomainMappings(unittest.TestCase): def test_multiple_aliases(self): apps = { - 'app1': {'domains': {'aliases': ['a1.com','a2.com']}} + 'app1': { + 'server':{'domains': {'aliases': ['a1.com','a2.com']} + } + } } expected = [ {'source': 'a1.com', 'target': 'app1.example.com'}, @@ -100,7 +113,7 @@ class TestDomainMappings(unittest.TestCase): def test_invalid_aliases_type(self): apps = { - 'app1': {'domains': {'aliases': 123}} + 'app1': {'server':{'domains': {'aliases': 123}}} } with self.assertRaises(AnsibleFilterError): self.filter.domain_mappings(apps, self.primary) diff --git a/tests/unit/filter_plugins/test_load_configuration.py b/tests/unit/filter_plugins/test_load_configuration.py index 81d097a4..0a6718f5 100644 --- a/tests/unit/filter_plugins/test_load_configuration.py +++ b/tests/unit/filter_plugins/test_load_configuration.py @@ -19,12 +19,14 @@ class TestLoadConfigurationFilter(unittest.TestCase): self.nested_cfg = { 'html': { 'features': {'matomo': True}, - 'domains': {'canonical': ['html.example.com']} + 'server': { + 'domains':{'canonical': ['html.example.com']} + } } } self.flat_cfg = { 'features': {'matomo': False}, - 'domains': {'canonical': ['flat.example.com']} + 'server': {'domains':{'canonical': ['flat.example.com']}} } def test_invalid_key(self): 
@@ -69,7 +71,7 @@ class TestLoadConfigurationFilter(unittest.TestCase): self.assertIn(self.app, _cfg_cache) mock_yaml.reset_mock() # from cache - self.assertEqual(self.f(self.app, 'domains.canonical'), + self.assertEqual(self.f(self.app, 'server.domains.canonical'), ['html.example.com']) mock_yaml.assert_not_called() @@ -92,7 +94,7 @@ class TestLoadConfigurationFilter(unittest.TestCase): mock_yaml.return_value = self.nested_cfg # nested fallback must work self.assertTrue(self.f(self.app, 'features.matomo')) - self.assertEqual(self.f(self.app, 'domains.canonical'), + self.assertEqual(self.f(self.app, 'server.domains.canonical'), ['html.example.com']) @patch('load_configuration.os.listdir', return_value=['r4']) @@ -105,13 +107,15 @@ class TestLoadConfigurationFilter(unittest.TestCase): mock_exists.side_effect = lambda p: p.endswith('config/main.yml') mock_yaml.return_value = { 'file': { - 'domains': { - 'canonical': ['files.example.com', 'extra.example.com'] + 'server': { + 'domains':{ + 'canonical': ['files.example.com', 'extra.example.com'] + } } } } # should get the first element of the canonical domains list - self.assertEqual(self.f('file', 'domains.canonical[0]'), + self.assertEqual(self.f('file', 'server.domains.canonical[0]'), 'files.example.com') if __name__ == '__main__': diff --git a/tests/unit/roles/web-svc-logout/filter_plugins/test_domain_filters.py b/tests/unit/roles/web-svc-logout/filter_plugins/test_domain_filters.py index 595d387a..17162046 100644 --- a/tests/unit/roles/web-svc-logout/filter_plugins/test_domain_filters.py +++ b/tests/unit/roles/web-svc-logout/filter_plugins/test_domain_filters.py 
@@ -33,23 +33,33 @@ class TestLogoutDomainsFilter(unittest.TestCase): def test_flatten_and_feature_flag(self): applications = { "app1": { - "domains": {"canonical": "single.domain.com"}, + 'server':{ + "domains": {"canonical": "single.domain.com"} + }, "features": {"logout": True}, }, "app2": { - "domains": {"canonical": ["list1.com", "list2.com"]}, + 'server':{ + "domains": {"canonical": ["list1.com", "list2.com"]} + }, "features": {"logout": True}, }, "app3": { - "domains": {"canonical": {"k1": "dictA.com", "k2": "dictB.com"}}, + 'server':{ + "domains": {"canonical": {"k1": "dictA.com", "k2": "dictB.com"}} + }, "features": {"logout": True}, }, "app4": { - "domains": {"canonical": "no-logout.com"}, + 'server':{ + "domains": {"canonical": "no-logout.com"} + }, "features": {"logout": False}, }, "other": { - "domains": {"canonical": "ignored.com"}, + 'server':{ + "domains": {"canonical": "ignored.com"} + }, "features": {"logout": True}, }, } @@ -67,7 +77,9 @@ class TestLogoutDomainsFilter(unittest.TestCase): def test_missing_canonical_defaults_empty(self): applications = { "app1": { - "domains": {}, # no 'canonical' key + 'server':{ + "domains": {} + }, # no 'canonical' key "features": {"logout": True}, } } @@ -77,7 +89,9 @@ class TestLogoutDomainsFilter(unittest.TestCase): def test_app_not_in_group(self): applications = { "app1": { - "domains": {"canonical": "domain.com"}, + 'server':{ + "domains": {"canonical": "domain.com"} + }, "features": {"logout": True}, } } @@ -87,7 +101,9 @@ class TestLogoutDomainsFilter(unittest.TestCase): def test_invalid_domain_type(self): applications = { "app1": { - "domains": {"canonical": 123}, + 'server':{ + "domains": {"canonical": 123} + }, "features": {"logout": True}, } } diff --git a/tests/unit/utils/test_dict_renderer.py b/tests/unit/utils/test_dict_renderer.py index c74c24b0..8c2f79ac 100644 --- a/tests/unit/utils/test_dict_renderer.py +++ b/tests/unit/utils/test_dict_renderer.py 
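Review bot: In test_missing_canonical_defaults_empty the `# no 'canonical' key` comment now trails the `},` that closes the `server` mapping instead of the `"domains": {}` line it describes. Keep the comment with the line it explains, `"domains": {}  # no 'canonical' key`, and leave the closing brace bare. The test class and its setup start outside the hunk.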
@@ -64,11 +64,13 @@ class TestDictRenderer(unittest.TestCase): # Combine quoted key, dot access and numeric index data = { "web-svc-file": { - "domains": { - "canonical": ["file.example.com"] + 'server':{ + "domains": { + "canonical": ["file.example.com"] + } } }, - "url": '<<[\'web-svc-file\'].domains.canonical[0]>>' + "url": '<<[\'web-svc-file\'].server.domains.canonical[0]>>' } rendered = self.renderer.render(data) self.assertEqual(rendered["url"], "file.example.com")