kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Restructured server config

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-08-07 11:31:06 +02:00
parent 99c6c9ec92
commit 9228d51e86
69 changed files with 770 additions and 677 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/web-app-akaunting/config/main.yml
View File

@@ -7,10 +7,11 @@ features:
css: true
port-ui-desktop: true
central_database: true
logout: true
domains:
canonical:
- "accounting.{{ primary_domain }}"
logout: true
server:
domains:
canonical:
- "accounting.{{ primary_domain }}"
docker:
services:
database:

9
roles/web-app-attendize/config/main.yml
View File

@@ -6,13 +6,14 @@ features:
css: true
port-ui-desktop: true
central_database: true
logout: true
logout: true
docker:
services:
redis:
enabled: true
database:
enabled: true
domains:
canonical:
- "tickets.{{ primary_domain }}"
server:
domains:
canonical:
- "tickets.{{ primary_domain }}"

8
roles/web-app-baserow/config/main.yml
View File

@@ -18,7 +18,7 @@ docker:
name: "baserow"
volumes:
data: "baserow_data"
domains:
canonical:
- baserow.{{ primary_domain }}
server:
domains:
canonical:
- baserow.{{ primary_domain }}

19
roles/web-app-bigbluebutton/config/main.yml
View File

@@ -12,13 +12,14 @@ features:
oidc: true
central_database: false
logout: true
domains:
canonical:
- "meet.{{ primary_domain }}"
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
domains:
canonical:
- "meet.{{ primary_domain }}"
credentials: {}

11
roles/web-app-bluesky/config/main.yml
View File

@@ -7,11 +7,12 @@ features:
css: true
port-ui-desktop: true
central_database: true
logout: true
domains:
canonical:
web: "bskyweb.{{ primary_domain }}"
api: "bluesky.{{ primary_domain }}"
logout: true
server:
domains:
canonical:
web: "bskyweb.{{ primary_domain }}"
api: "bluesky.{{ primary_domain }}"
docker:
services:
database:

7
roles/web-app-collabora/config/main.yml
View File

@@ -1,6 +1,7 @@
domains:
canonical:
- "collabora.{{ primary_domain }}"
server:
domains:
canonical:
- "collabora.{{ primary_domain }}"
docker:
services:
redis:

25
roles/web-app-discourse/config/main.yml
View File

@@ -7,18 +7,19 @@ features:
central_database: true
ldap: false # @todo implement and activate
logout: true
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "http://*.{{primary_domain}}"
domains:
canonical:
- "forum.{{ primary_domain }}"
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "http://*.{{primary_domain}}"
domains:
canonical:
- "forum.{{ primary_domain }}"
docker:
services:
database:

8
roles/web-app-elk/config/main.yml
View File

@@ -1,6 +1,6 @@
features:
logout: false # Just deactivated to oppress warnings, elk is anyhow not running
domains:
canonical:
- elk.{{ primary_domain }}
server:
domains:
canonical:
- elk.{{ primary_domain }}

41
roles/web-app-espocrm/config/main.yml
View File

@@ -6,26 +6,27 @@ features:
oidc: true
central_database: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
whitelist:
connect-src:
- wss://espocrm.{{ primary_domain }}
- "data:"
frame-src:
- https://s.espocrm.com/
domains:
aliases:
- "crm.{{ primary_domain }}"
canonical:
- espocrm.{{ primary_domain }}
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
whitelist:
connect-src:
- wss://espocrm.{{ primary_domain }}
- "data:"
frame-src:
- https://s.espocrm.com/
domains:
aliases:
- "crm.{{ primary_domain }}"
canonical:
- espocrm.{{ primary_domain }}
email:
from_name: "Customer Relationship Management ({{ primary_domain }})"
docker:

25
roles/web-app-friendica/config/main.yml
View File

@@ -9,18 +9,19 @@ features:
ldap: true
oauth2: false # No special login side which could be protected, use 2FA of Friendica instead
logout: true
domains:
canonical:
- "social.{{ primary_domain }}"
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
server:
domains:
canonical:
- "social.{{ primary_domain }}"
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
oauth2_proxy:
application: "application"
port: "80"

27
roles/web-app-funkwhale/config/main.yml
View File

@@ -20,19 +20,20 @@ features:
central_database: true
oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage
logout: true
domains:
canonical:
- "audio.{{ primary_domain }}"
aliases:
- "music.{{ primary_domain }}"
- "sound.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
server:
domains:
canonical:
- "audio.{{ primary_domain }}"
aliases:
- "music.{{ primary_domain }}"
- "sound.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
oauth2_proxy:
application: "front"
port: "80"

39
roles/web-app-gitea/config/main.yml
View File

@@ -19,25 +19,26 @@ oauth2_proxy:
acl:
blacklist:
- "/user/login"
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
- "blob:"
worker-src:
- "blob:"
manifest-src:
- "data:"
domains:
aliases:
- "git.{{ primary_domain }}"
canonical:
- gitea.{{ primary_domain }}
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
- "blob:"
worker-src:
- "blob:"
manifest-src:
- "data:"
domains:
aliases:
- "git.{{ primary_domain }}"
canonical:
- gitea.{{ primary_domain }}
docker:
services:
database:

8
roles/web-app-gitlab/config/main.yml
View File

@@ -15,7 +15,7 @@ docker:
version: "latest"
credentials:
initial_root_password: "{{ users.administrator.password }}"
domains:
canonical:
- gitlab.{{ primary_domain }}
server:
domains:
canonical:
- gitlab.{{ primary_domain }}

8
roles/web-app-jenkins/config/main.yml
View File

@@ -1,6 +1,6 @@
features:
logout: true # Same like with elk, anyhow not active atm
domains:
canonical:
- jenkins.{{ primary_domain }}
server:
domains:
canonical:
- jenkins.{{ primary_domain }}

7
roles/web-app-joomla/config/main.yml
View File

@@ -6,9 +6,10 @@ features:
port-ui-desktop: true
central_database: true
logout: true
domains:
canonical:
- "cms.{{ primary_domain }}"
server:
domains:
canonical:
- "cms.{{ primary_domain }}"
docker:
services:
database:

29
roles/web-app-keycloak/config/main.yml
View File

@@ -7,20 +7,21 @@ features:
central_database: true
recaptcha: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
frame-src:
- "*" # For frontend channel logout it's necessary that iframes can be loaded
domains:
canonical:
- "auth.{{ primary_domain }}"
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
frame-src:
- "*" # For frontend channel logout it's necessary that iframes can be loaded
domains:
canonical:
- "auth.{{ primary_domain }}"
scopes:
rbac_roles: rbac_roles
nextcloud: nextcloud

31
roles/web-app-lam/config/main.yml
View File

@@ -12,19 +12,20 @@ features:
ldap: true
central_database: false
oauth2: true
logout: true
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
script-src:
unsafe-inline: true
domains:
aliases:
- "ldap.{{primary_domain}}"
canonical:
- lam.{{ primary_domain }}
logout: true
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
script-src:
unsafe-inline: true
domains:
aliases:
- "ldap.{{primary_domain}}"
canonical:
- lam.{{ primary_domain }}

15
roles/web-app-libretranslate/config/main.yml
View File

@@ -18,13 +18,14 @@ features:
oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file
logout: false # With this app I assume that it's a service, so should be renamed and logging is unneccessary
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
domains:
canonical:
- "libretranslate.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
server:
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
domains:
canonical:
- "libretranslate.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
rbac:
roles: {}

9
roles/web-app-listmonk/config/main.yml
View File

@@ -5,10 +5,11 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
logout: true
domains:
canonical:
- "newsletter.{{ primary_domain }}"
logout: true
server:
domains:
canonical:
- "newsletter.{{ primary_domain }}"
docker:
services:
database:

35
roles/web-app-mailu/config/main.yml
View File

@@ -1,26 +1,27 @@
oidc:
email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used
enable_user_creation: true # Users will be created if not existing
domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used
enable_user_creation: true # Users will be created if not existing
domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
features:
matomo: true
css: false
port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it
port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it
oidc: true
central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
logout: true
domains:
canonical:
- "mail.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true
server:
domains:
canonical:
- "mail.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true
rbac:
roles:
mail-bot:

17
roles/web-app-mastodon/config/main.yml
View File

@@ -6,14 +6,15 @@ features:
port-ui-desktop: true
oidc: true
central_database: true
logout: true
domains:
canonical:
- "microblog.{{ primary_domain }}"
csp:
whitelist:
frame-src:
- "*"
logout: true
server:
domains:
canonical:
- "microblog.{{ primary_domain }}"
csp:
whitelist:
frame-src:
- "*"
docker:
services:
redis:

43
roles/web-app-matomo/config/main.yml
View File

@@ -8,27 +8,28 @@ features:
port-ui-desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it
central_database: true
oauth2: false
logout: true
csp:
whitelist:
script-src-elem:
- https://cdn.matomo.cloud
style-src:
- https://fonts.googleapis.com
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
unsafe-eval: true
domains:
aliases:
- "analytics.{{ primary_domain }}"
canonical:
- "matomo.{{ primary_domain }}"
logout: true
server:
csp:
whitelist:
script-src-elem:
- https://cdn.matomo.cloud
style-src:
- https://fonts.googleapis.com
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
unsafe-eval: true
domains:
aliases:
- "analytics.{{ primary_domain }}"
canonical:
- "matomo.{{ primary_domain }}"
excluded_ips: "{{ networks.internet.values() | list }}"
docker:

45
roles/web-app-matrix/config/main.yml
View File

@@ -23,22 +23,28 @@ features:
port-ui-desktop: true
oidc: true # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
central_database: true
logout: true
csp:
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
whitelist:
connect-src:
- "*"
script-src-elem:
- "element.{{ primary_domain }}"
- "https://cdn.jsdelivr.net"
logout: true
server:
csp:
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
whitelist:
connect-src:
- "*"
script-src-elem:
- "element.{{ primary_domain }}"
- "https://cdn.jsdelivr.net"
domains:
canonical:
synapse: "matrix.{{ primary_domain }}"
element: "element.{{ primary_domain }}"
client_max_body_size: "15M"
plugins:
# You need to enable them in the inventory file
@@ -50,10 +56,3 @@ plugins:
slack: false
telegram: false
whatsapp: false
client_max_body_size: "15M"
domains:
canonical:
synapse: "matrix.{{ primary_domain }}"
element: "element.{{ primary_domain }}"

2
roles/web-app-matrix/vars/main.yml
View File

@@ -17,4 +17,4 @@ matrix_project: "{{ application_id | get_entity_name }}"
# Webserver
well_known_directory: "{{nginx.directories.data.well_known}}/matrix/"
location_upload: "~ ^/_matrix/media/v3/"
client_max_body_size: "{{ applications | get_app_conf(application_id, 'client_max_body_size') }}"
client_max_body_size: "{{ applications | get_app_conf(application_id, 'server.client_max_body_size') }}"

7
roles/web-app-mediawiki/config/main.yml
View File

@@ -1,6 +1,7 @@
domains:
canonical:
- "wiki.{{ primary_domain }}"
server:
domains:
canonical:
- "wiki.{{ primary_domain }}"
docker:
services:
mediawiki:

61
roles/web-app-mig/config/main.yml
View File

@@ -1,38 +1,39 @@
docker:
services:
redis:
enabled: false # No redis needed
enabled: false # No redis needed
database:
enabled: false # No database needed
enabled: false # No database needed
features:
matomo: true # activate tracking
css: true # use custom infinito stile
port-ui-desktop: true # Enable in port-ui
logout: false
csp:
whitelist:
script-src-elem:
- https://cdn.jsdelivr.net
- https://kit.fontawesome.com
- https://code.jquery.com/
- https://unpkg.com/
style-src:
- https://cdn.jsdelivr.net
- https://cdnjs.cloudflare.com
font-src:
- https://cdnjs.cloudflare.com
- https://ka-f.fontawesome.com
- https://cdn.jsdelivr.net
connect-src:
- https://ka-f.fontawesome.com
frame-ancestors:
- "*" # No damage if it's used somewhere on other websites, it anyhow looks like art
flags:
style-src:
unsafe-inline: true
domains:
canonical:
- "mig.{{ primary_domain }}"
aliases:
- "meta-infinite-graph.{{ primary_domain }}"
build_data: true # Enables the building of the meta data which the graph requiers
logout: false
server:
csp:
whitelist:
script-src-elem:
- https://cdn.jsdelivr.net
- https://kit.fontawesome.com
- https://code.jquery.com/
- https://unpkg.com/
style-src:
- https://cdn.jsdelivr.net
- https://cdnjs.cloudflare.com
font-src:
- https://cdnjs.cloudflare.com
- https://ka-f.fontawesome.com
- https://cdn.jsdelivr.net
connect-src:
- https://ka-f.fontawesome.com
frame-ancestors:
- "*" # No damage if it's used somewhere on other websites, it anyhow looks like art
flags:
style-src:
unsafe-inline: true
domains:
canonical:
- "mig.{{ primary_domain }}"
aliases:
- "meta-infinite-graph.{{ primary_domain }}"
build_data: true # Enables the building of the meta data which the graph requiers

23
roles/web-app-mobilizon/config/main.yml
View File

@@ -5,17 +5,18 @@ features:
matomo: true
port-ui-desktop: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-eval: true
domains:
canonical:
- "event.{{ primary_domain }}"
aliases:
- "events.{{ primary_domain }}"
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-eval: true
domains:
canonical:
- "event.{{ primary_domain }}"
aliases:
- "events.{{ primary_domain }}"
docker:
services:
database:

41
roles/web-app-moodle/config/main.yml
View File

@@ -5,26 +5,27 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
script-src:
unsafe-eval: true
style-src:
unsafe-inline: true
unsafe-eval: true
whitelist:
font-src:
- "data:"
- "blob:"
script-src-elem:
- "https://cdn.jsdelivr.net"
domains:
canonical:
- "academy.{{ primary_domain }}"
logout: true
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
script-src:
unsafe-eval: true
style-src:
unsafe-inline: true
unsafe-eval: true
whitelist:
font-src:
- "data:"
- "blob:"
script-src-elem:
- "https://cdn.jsdelivr.net"
domains:
canonical:
- "academy.{{ primary_domain }}"
docker:
services:
database:

8
roles/web-app-mybb/config/main.yml
View File

@@ -15,7 +15,7 @@ docker:
name: "mybb"
volumes:
data: "mybb_data"
domains:
canonical:
- mybb.{{ primary_domain }}
server:
domains:
canonical:
- mybb.{{ primary_domain }}

55
roles/web-app-navigator/config/main.yml
View File

@@ -1,28 +1,29 @@
features:
matomo: true
css: true
port-ui-desktop: true
logout: false
csp:
whitelist:
script-src-elem:
- https://cdnjs.cloudflare.com
- https://code.jquery.com
- https://cdn.jsdelivr.net
style-src:
- https://cdnjs.cloudflare.com
- https://cdn.jsdelivr.net
font-src:
- https://cdnjs.cloudflare.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
domains:
canonical:
- "slides.{{ primary_domain }}"
matomo: true
css: true
port-ui-desktop: true
logout: false
server:
csp:
whitelist:
script-src-elem:
- https://cdnjs.cloudflare.com
- https://code.jquery.com
- https://cdn.jsdelivr.net
style-src:
- https://cdnjs.cloudflare.com
- https://cdn.jsdelivr.net
font-src:
- https://cdnjs.cloudflare.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
domains:
canonical:
- "slides.{{ primary_domain }}"

31
roles/web-app-nextcloud/config/main.yml
View File

@@ -1,18 +1,19 @@
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "data:"
domains:
canonical:
- "cloud.{{ primary_domain }}"
# nextcloud: "cloud.{{ primary_domain }}"
# talk: "talk.{{ primary_domain }}" @todo needs to be activated
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "data:"
domains:
canonical:
- "cloud.{{ primary_domain }}"
# nextcloud: "cloud.{{ primary_domain }}"
# talk: "talk.{{ primary_domain }}" @todo needs to be activated
docker:
volumes:
data: nextcloud_data

8
roles/web-app-oauth2-proxy/config/main.yml
View File

@@ -6,7 +6,7 @@ features:
css: true
port-ui-desktop: false
logout: true
domains:
canonical:
- oauth2-proxy.{{ primary_domain }}
server:
domains:
canonical:
- oauth2-proxy.{{ primary_domain }}

21
roles/web-app-openproject/config/main.yml
View File

@@ -17,16 +17,17 @@ features:
ldap: true
central_database: true
oauth2: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
domains:
canonical:
- "project.{{ primary_domain }}"
logout: true
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
domains:
canonical:
- "project.{{ primary_domain }}"
docker:
services:

43
roles/web-app-peertube/config/main.yml
View File

@@ -4,27 +4,28 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
logout: true
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
frame-ancestors:
- "*"
media-src:
- "blob:"
font-src:
- "data:"
domains:
canonical:
- "video.{{ primary_domain }}"
aliases:
- "videos.{{ primary_domain }}"
logout: true
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
frame-ancestors:
- "*"
media-src:
- "blob:"
font-src:
- "data:"
domains:
canonical:
- "video.{{ primary_domain }}"
aliases:
- "videos.{{ primary_domain }}"
docker:
services:
redis:

26
roles/web-app-pgadmin/config/main.yml
View File

@@ -13,20 +13,20 @@ features:
central_database: true
oauth2: true
logout: true
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "data:"
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "data:"
domains:
canonical:
- pgadmin.{{ primary_domain }}
docker:
services:
database:
enabled: true
domains:
canonical:
- pgadmin.{{ primary_domain }}

8
roles/web-app-phpldapadmin/config/main.yml
View File

@@ -11,7 +11,7 @@ features:
ldap: true
oauth2: true
logout: true
domains:
canonical:
- phpldapadmin.{{ primary_domain }}
server:
domains:
canonical:
- phpldapadmin.{{ primary_domain }}

27
roles/web-app-phpmyadmin/config/main.yml
View File

@@ -11,19 +11,20 @@ features:
# it's anyhow not so enduser relevant, so it can be kept like this
central_database: true
oauth2: true
logout: true
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
domains:
aliases:
- "mysql.{{ primary_domain }}"
- "mariadb.{{ primary_domain }}"
canonical:
- phpmyadmin.{{ primary_domain }}
logout: true
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
domains:
aliases:
- "mysql.{{ primary_domain }}"
- "mariadb.{{ primary_domain }}"
canonical:
- phpmyadmin.{{ primary_domain }}
docker:
services:
database:

39
roles/web-app-pixelfed/config/main.yml
View File

@@ -5,25 +5,26 @@ features:
port-ui-desktop: true
central_database: true
oidc: true
logout: true
csp:
flags:
script-src:
unsafe-eval: true
unsafe-inline: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
whitelist:
frame-ancestors:
- "*"
domains:
canonical:
- "picture.{{ primary_domain }}"
aliases:
- "pictures.{{ primary_domain }}"
logout: true
server:
csp:
flags:
script-src:
unsafe-eval: true
unsafe-inline: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
whitelist:
frame-ancestors:
- "*"
domains:
canonical:
- "picture.{{ primary_domain }}"
aliases:
- "pictures.{{ primary_domain }}"
docker:
services:
redis:

53
roles/web-app-port-ui/config/main.yml
View File

@@ -4,30 +4,31 @@ features:
port-ui-desktop: false
simpleicons: true # Activate Brand Icons for your groups
javascript: true # Necessary for URL sync
logout: false # Doesn't have own user data. Just a frame.
csp:
whitelist:
script-src-elem:
- https://cdn.jsdelivr.net
- https://kit.fontawesome.com
- https://code.jquery.com/
style-src:
- https://cdn.jsdelivr.net
font-src:
- https://ka-f.fontawesome.com
- https://cdn.jsdelivr.net
connect-src:
- https://ka-f.fontawesome.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}"
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
domains:
canonical:
- "{{ primary_domain }}"
logout: false # Doesn't have own user data. Just a frame.
server:
csp:
whitelist:
script-src-elem:
- https://cdn.jsdelivr.net
- https://kit.fontawesome.com
- https://code.jquery.com/
style-src:
- https://cdn.jsdelivr.net
font-src:
- https://ka-f.fontawesome.com
- https://cdn.jsdelivr.net
connect-src:
- https://ka-f.fontawesome.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}"
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
domains:
canonical:
- "{{ primary_domain }}"

19
roles/web-app-pretix/config/main.yml
View File

@@ -11,20 +11,21 @@ docker:
features:
matomo: true # Enable Matomo Tracking
css: true # Enable Global CSS Styling
port-ui-desktop: true # Enable loading of app in iframe
port-ui-desktop: true # Enable loading of app in iframe
ldap: false # Enable LDAP Network
central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file
logout: true
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
domains:
canonical:
- "pretix.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
logout: true
server:
csp:
whitelist: {} # URL's which should be whitelisted
flags: {} # Flags which should be set
domains:
canonical:
- "pretix.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
rbac:
roles: {}

7
roles/web-app-roulette-wheel/config/main.yml
View File

@@ -1,5 +1,6 @@
features:
logout: false
domains:
canonical:
- "wheel.{{ primary_domain }}"
server:
domains:
canonical:
- "wheel.{{ primary_domain }}"

33
roles/web-app-snipe-it/config/main.yml
View File

@@ -5,22 +5,23 @@ features:
central_database: true
ldap: true
oauth2: true
logout: true
domains:
canonical:
- "inventory.{{ primary_domain }}"
csp:
flags:
script-src:
unsafe-inline: true
unsafe-eval: true
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
logout: true
server:
domains:
canonical:
- "inventory.{{ primary_domain }}"
csp:
flags:
script-src:
unsafe-inline: true
unsafe-eval: true
script-src-elem:
unsafe-inline: true
style-src:
unsafe-inline: true
whitelist:
font-src:
- "data:"
oauth2_proxy:
application: "application"
port: "80"

33
roles/web-app-sphinx/config/main.yml
View File

@@ -1,17 +1,18 @@
features:
matomo: true
css: true
port-ui-desktop: true
logout: false
csp:
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
domains:
canonical:
- "docs.{{ primary_domain }}"
matomo: true
css: true
port-ui-desktop: true
logout: false
server:
csp:
flags:
script-src:
unsafe-eval: true
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
domains:
canonical:
- "docs.{{ primary_domain }}"

8
roles/web-app-syncope/config/main.yml
View File

@@ -13,7 +13,7 @@ features:
# users:
# administrator:
# username: "{{ users.administrator.username }}"
domains:
canonical:
- syncope.{{ primary_domain }}
server:
domains:
canonical:
- syncope.{{ primary_domain }}

27
roles/web-app-taiga/config/main.yml
View File

@@ -11,22 +11,23 @@ features:
port-ui-desktop: true
oidc: false
central_database: true
logout: true
logout: true
docker:
services:
database:
enabled: true
taiga:
version: "latest"
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
domains:
canonical:
- "kanban.{{ primary_domain }}"
server:
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
domains:
canonical:
- "kanban.{{ primary_domain }}"

51
roles/web-app-wordpress/config/main.yml
View File

@@ -14,32 +14,33 @@ features:
oidc: true
central_database: true
logout: true
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-eval: true
whitelist:
worker-src:
- "blob:"
font-src:
- "data:"
- "https://fonts.bunny.net"
script-src-elem:
- "https://cdn.gtranslate.net" # Necessary for translation plugins
- "https://translate.google.com" # Necessary for translation plugins
server:
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-eval: true
whitelist:
worker-src:
- "blob:"
font-src:
- "data:"
- "https://fonts.bunny.net"
script-src-elem:
- "https://cdn.gtranslate.net" # Necessary for translation plugins
- "https://translate.google.com" # Necessary for translation plugins
- "blog.{{ primary_domain }}"
style-src:
- "https://fonts.bunny.net"
frame-src:
- "blob:"
- "*"
domains:
canonical:
- "blog.{{ primary_domain }}"
style-src:
- "https://fonts.bunny.net"
frame-src:
- "blob:"
- "*"
domains:
canonical:
- "blog.{{ primary_domain }}"
docker:
services:
database:

2
roles/web-app-wordpress/tasks/main.yml
View File

@@ -6,7 +6,7 @@
- name: "Include role srv-proxy-6-6-domain for {{ application_id }}"
include_role:
name: srv-proxy-6-6-domain
loop: "{{ applications | get_app_conf(application_id, 'domains.canonical', True) }}"
loop: "{{ applications | get_app_conf(application_id, 'server.domains.canonical', True) }}"
loop_control:
loop_var: domain
vars:

8
roles/web-app-xmpp/config/main.yml
View File

@@ -1,7 +1,7 @@
# xmpp is more a service then a app with ui interface. @todo Rename it
features:
logout: false # Reactivated as soon as xmpp is fully implemented
domains:
canonical:
- xmpp.{{ primary_domain }}
server:
domains:
canonical:
- xmpp.{{ primary_domain }}

27
roles/web-app-yourls/config/main.yml
View File

@@ -13,11 +13,20 @@ features:
central_database: true
oauth2: true
logout: true
domains:
canonical:
- "s.{{ primary_domain }}"
aliases:
- "short.{{ primary_domain }}"
server:
domains:
canonical:
- "s.{{ primary_domain }}"
aliases:
- "short.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
docker:
services:
database:
@@ -26,11 +35,3 @@ docker:
version: "latest"
name: "yourls"
image: "yourls"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true

10
roles/web-svc-asset/config/main.yml
View File

@@ -1,6 +1,6 @@
source_directory: "{{ playbook_dir }}/assets"
url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']domains.canonical[0] >>/assets"
domains:
canonical:
- asset.{{ primary_domain }}
url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']server.domains.canonical[0] >>/assets"
server:
domains:
canonical:
- asset.{{ primary_domain }}

13
roles/web-svc-cdn/config/main.yml
View File

@@ -1,7 +1,8 @@
features:
matomo: true
css: true
port-ui-desktop: true
domains:
canonical:
- "cdn.{{ primary_domain }}"
matomo: true
css: true
port-ui-desktop: true
server:
domains:
canonical:
- "cdn.{{ primary_domain }}"

17
roles/web-svc-file/config/main.yml
View File

@@ -1,9 +1,10 @@
features:
matomo: true
css: true
port-ui-desktop: true
domains:
canonical:
- "file.{{ primary_domain }}"
alias:
- "files.{{ primary_domain }}"
matomo: true
css: true
port-ui-desktop: true
server:
domains:
canonical:
- "file.{{ primary_domain }}"
alias:
- "files.{{ primary_domain }}"

9
roles/web-svc-html/config/main.yml
View File

@@ -1,7 +1,8 @@
features:
matomo: true
css: true
port-ui-desktop: true
domains:
canonical:
- "html.{{ primary_domain }}"
port-ui-desktop: true
server:
domains:
canonical:
- "html.{{ primary_domain }}"

39
roles/web-svc-logout/config/main.yml
View File

@@ -4,23 +4,24 @@ features:
port-ui-desktop: true
javascript: false
logout: false
domains:
canonical:
- "logout.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
connect-src:
- "{{ web_protocol }}://*.{{ primary_domain }}"
- "{{ web_protocol }}://{{ primary_domain }}"
script-src-elem:
- https://cdn.jsdelivr.net
style-src:
- https://cdn.jsdelivr.net
frame-ancestors:
- "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].domains.canonical[0] >>"
server:
domains:
canonical:
- "logout.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
connect-src:
- "{{ web_protocol }}://*.{{ primary_domain }}"
- "{{ web_protocol }}://{{ primary_domain }}"
script-src-elem:
- https://cdn.jsdelivr.net
style-src:
- https://cdn.jsdelivr.net
frame-ancestors:
- "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].server.domains.canonical[0] >>"

2
roles/web-svc-logout/filter_plugins/domain_filters.py
View File

@@ -31,7 +31,7 @@ class FilterModule(object):
continue
# use canonical domains list if present
domains_entry = config.get('domains', {}).get('canonical', [])
domains_entry = config.get('server', {}).get('domains', {}).get('canonical', [])
# normalize to a list of strings
if isinstance(domains_entry, dict):

9
roles/web-svc-simpleicons/config/main.yml
View File

@@ -16,10 +16,11 @@ features:
central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy
csp: {}
domains:
canonical:
- "icons.{{ primary_domain }}"
server:
csp: {}
domains:
canonical:
- "icons.{{ primary_domain }}"
rbac:
roles:
mail-bot: