Restructured server config

Kevin Veen-Birkenbach 2025-08-07 11:31:06 +02:00
parent 99c6c9ec92
commit 9228d51e86
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
69 changed files with 770 additions and 677 deletions


@ -39,7 +39,7 @@ class FilterModule(object):
# 1) Precompute canonical domains per app (fallback to default) # 1) Precompute canonical domains per app (fallback to default)
canonical_map = {} canonical_map = {}
for app_id, cfg in apps.items(): for app_id, cfg in apps.items():
domains_cfg = cfg.get('domains') or {} domains_cfg = cfg.get('server',{}).get('domains',{})
entry = domains_cfg.get('canonical') entry = domains_cfg.get('canonical')
if entry is None: if entry is None:
canonical_map[app_id] = [default_domain(app_id, primary_domain)] canonical_map[app_id] = [default_domain(app_id, primary_domain)]
@ -49,13 +49,13 @@ class FilterModule(object):
canonical_map[app_id] = list(entry) canonical_map[app_id] = list(entry)
else: else:
raise AnsibleFilterError( raise AnsibleFilterError(
f"Unexpected type for 'domains.canonical' in application '{app_id}': {type(entry).__name__}" f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}"
) )
# 2) Build alias list per app # 2) Build alias list per app
result = {} result = {}
for app_id, cfg in apps.items(): for app_id, cfg in apps.items():
domains_cfg = cfg.get('domains') domains_cfg = cfg.get('server',{}).get('domains')
# no domains key → no aliases # no domains key → no aliases
if domains_cfg is None: if domains_cfg is None:
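Review bot: The new lookup `cfg.get('server',{}).get('domains',{})` in step 1 no longer tolerates an explicit null. The old `cfg.get('domains') or {}` turned `domains: null` into an empty dict, whereas the new chain raises a bare AttributeError (not an AnsibleFilterError) when `server:` is present but empty, and again at `domains_cfg.get('canonical')` when `server.domains` is null. A null-safe form is `domains_cfg = (cfg.get('server') or {}).get('domains') or {}`; in step 2 use `(cfg.get('server') or {}).get('domains')` so the existing `is None` check keeps its meaning. The same chained `.get` appears in the two filter plugins that follow, and both loops continue outside the visible hunks.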


@ -28,7 +28,7 @@ class FilterModule(object):
f"expected a dict, got {cfg!r}" f"expected a dict, got {cfg!r}"
) )
domains_cfg = cfg.get('domains') domains_cfg = cfg.get('server',{}).get('domains',{})
if not domains_cfg or 'canonical' not in domains_cfg: if not domains_cfg or 'canonical' not in domains_cfg:
self._add_default_domain(app_id, primary_domain, seen_domains, result) self._add_default_domain(app_id, primary_domain, seen_domains, result)
continue continue
@ -64,7 +64,7 @@ class FilterModule(object):
self._process_canonical_domains_list(app_id, canonical_domains, seen_domains, result) self._process_canonical_domains_list(app_id, canonical_domains, seen_domains, result)
else: else:
raise AnsibleFilterError( raise AnsibleFilterError(
f"Unexpected type for 'domains.canonical' in application '{app_id}': " f"Unexpected type for 'server.domains.canonical' in application '{app_id}': "
f"{type(canonical_domains).__name__}" f"{type(canonical_domains).__name__}"
) )


@ -36,7 +36,7 @@ class FilterModule(object):
# 1) Compute canonical domains per app (always as a list) # 1) Compute canonical domains per app (always as a list)
canonical_map = {} canonical_map = {}
for app_id, cfg in apps.items(): for app_id, cfg in apps.items():
domains_cfg = cfg.get('domains') or {} domains_cfg = cfg.get('server',{}).get('domains',{})
entry = domains_cfg.get('canonical') entry = domains_cfg.get('canonical')
if entry is None: if entry is None:
canonical_map[app_id] = [default_domain(app_id, primary_domain)] canonical_map[app_id] = [default_domain(app_id, primary_domain)]
@ -46,13 +46,13 @@ class FilterModule(object):
canonical_map[app_id] = list(entry) canonical_map[app_id] = list(entry)
else: else:
raise AnsibleFilterError( raise AnsibleFilterError(
f"Unexpected type for 'domains.canonical' in application '{app_id}': {type(entry).__name__}" f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}"
) )
# 2) Compute alias domains per app # 2) Compute alias domains per app
alias_map = {} alias_map = {}
for app_id, cfg in apps.items(): for app_id, cfg in apps.items():
domains_cfg = cfg.get('domains') domains_cfg = cfg.get('server',{}).get('domains',{})
if domains_cfg is None: if domains_cfg is None:
alias_map[app_id] = [] alias_map[app_id] = []
continue continue
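Review bot: In step 2 the `if domains_cfg is None:` guard can no longer fire for an app without a `domains` key, because `.get('domains',{})` now substitutes an empty dict. Before this change such an app got `alias_map[app_id] = []` followed by `continue`. Whether the fall-through is harmless depends on code below the hunk, which is not visible here. Either drop the default, `domains_cfg = (cfg.get('server') or {}).get('domains')`, or change the guard to `if not domains_cfg:`.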


@ -7,10 +7,11 @@ features:
css: true css: true
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
logout: true logout: true
domains: server:
canonical: domains:
- "accounting.{{ primary_domain }}" canonical:
- "accounting.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -6,13 +6,14 @@ features:
css: true css: true
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
logout: true logout: true
docker: docker:
services: services:
redis: redis:
enabled: true enabled: true
database: database:
enabled: true enabled: true
domains: server:
canonical: domains:
- "tickets.{{ primary_domain }}" canonical:
- "tickets.{{ primary_domain }}"


@ -18,7 +18,7 @@ docker:
name: "baserow" name: "baserow"
volumes: volumes:
data: "baserow_data" data: "baserow_data"
server:
domains: domains:
canonical: canonical:
- baserow.{{ primary_domain }} - baserow.{{ primary_domain }}


@ -12,13 +12,14 @@ features:
oidc: true oidc: true
central_database: false central_database: false
logout: true logout: true
domains: server:
canonical: csp:
- "meet.{{ primary_domain }}" flags:
csp: script-src-elem:
flags: unsafe-inline: true
script-src-elem: style-src:
unsafe-inline: true unsafe-inline: true
style-src: domains:
unsafe-inline: true canonical:
- "meet.{{ primary_domain }}"
credentials: {} credentials: {}


@ -7,11 +7,12 @@ features:
css: true css: true
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
logout: true logout: true
domains: server:
canonical: domains:
web: "bskyweb.{{ primary_domain }}" canonical:
api: "bluesky.{{ primary_domain }}" web: "bskyweb.{{ primary_domain }}"
api: "bluesky.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -1,6 +1,7 @@
domains: server:
canonical: domains:
- "collabora.{{ primary_domain }}" canonical:
- "collabora.{{ primary_domain }}"
docker: docker:
services: services:
redis: redis:


@ -7,18 +7,19 @@ features:
central_database: true central_database: true
ldap: false # @todo implement and activate ldap: false # @todo implement and activate
logout: true logout: true
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
whitelist: unsafe-inline: true
font-src: whitelist:
- "http://*.{{primary_domain}}" font-src:
domains: - "http://*.{{primary_domain}}"
canonical: domains:
- "forum.{{ primary_domain }}" canonical:
- "forum.{{ primary_domain }}"
docker: docker:
services: services:
database: database:
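Review bot: The `font-src` whitelist entry `"http://*.{{primary_domain}}"`, carried over into `server.csp.whitelist`, hard-codes the plaintext scheme, so the policy permits font loads over unencrypted HTTP from any subdomain. Other roles in this commit build the same kind of entry from the `{{ web_protocol }}` variable; consider `- "{{ web_protocol }}://*.{{primary_domain}}"` here as well. The `docker:` block continues outside the hunk.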


@ -1,6 +1,6 @@
features: features:
logout: false # Just deactivated to oppress warnings, elk is anyhow not running logout: false # Just deactivated to oppress warnings, elk is anyhow not running
server:
domains: domains:
canonical: canonical:
- elk.{{ primary_domain }} - elk.{{ primary_domain }}


@ -6,26 +6,27 @@ features:
oidc: true oidc: true
central_database: true central_database: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
script-src: unsafe-inline: true
unsafe-eval: true script-src:
whitelist: unsafe-eval: true
connect-src: whitelist:
- wss://espocrm.{{ primary_domain }} connect-src:
- "data:" - wss://espocrm.{{ primary_domain }}
frame-src: - "data:"
- https://s.espocrm.com/ frame-src:
domains: - https://s.espocrm.com/
aliases: domains:
- "crm.{{ primary_domain }}" aliases:
canonical: - "crm.{{ primary_domain }}"
- espocrm.{{ primary_domain }} canonical:
- espocrm.{{ primary_domain }}
email: email:
from_name: "Customer Relationship Management ({{ primary_domain }})" from_name: "Customer Relationship Management ({{ primary_domain }})"
docker: docker:


@ -9,18 +9,19 @@ features:
ldap: true ldap: true
oauth2: false # No special login side which could be protected, use 2FA of Friendica instead oauth2: false # No special login side which could be protected, use 2FA of Friendica instead
logout: true logout: true
domains: server:
canonical: domains:
- "social.{{ primary_domain }}" canonical:
csp: - "social.{{ primary_domain }}"
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-inline: true script-src:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
unsafe-inline: true
oauth2_proxy: oauth2_proxy:
application: "application" application: "application"
port: "80" port: "80"


@ -20,19 +20,20 @@ features:
central_database: true central_database: true
oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage
logout: true logout: true
domains: server:
canonical: domains:
- "audio.{{ primary_domain }}" canonical:
aliases: - "audio.{{ primary_domain }}"
- "music.{{ primary_domain }}" aliases:
- "sound.{{ primary_domain }}" - "music.{{ primary_domain }}"
csp: - "sound.{{ primary_domain }}"
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
font-src: whitelist:
- "data:" font-src:
- "data:"
oauth2_proxy: oauth2_proxy:
application: "front" application: "front"
port: "80" port: "80"


@ -19,25 +19,26 @@ oauth2_proxy:
acl: acl:
blacklist: blacklist:
- "/user/login" - "/user/login"
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
style-src: unsafe-inline: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
font-src: whitelist:
- "data:" font-src:
- "blob:" - "data:"
worker-src: - "blob:"
- "blob:" worker-src:
manifest-src: - "blob:"
- "data:" manifest-src:
domains: - "data:"
aliases: domains:
- "git.{{ primary_domain }}" aliases:
canonical: - "git.{{ primary_domain }}"
- gitea.{{ primary_domain }} canonical:
- gitea.{{ primary_domain }}
docker: docker:
services: services:
database: database:


@ -15,7 +15,7 @@ docker:
version: "latest" version: "latest"
credentials: credentials:
initial_root_password: "{{ users.administrator.password }}" initial_root_password: "{{ users.administrator.password }}"
server:
domains: domains:
canonical: canonical:
- gitlab.{{ primary_domain }} - gitlab.{{ primary_domain }}


@ -1,6 +1,6 @@
features: features:
logout: true # Same like with elk, anyhow not active atm logout: true # Same like with elk, anyhow not active atm
server:
domains: domains:
canonical: canonical:
- jenkins.{{ primary_domain }} - jenkins.{{ primary_domain }}


@ -6,9 +6,10 @@ features:
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
logout: true logout: true
domains: server:
canonical: domains:
- "cms.{{ primary_domain }}" canonical:
- "cms.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -7,20 +7,21 @@ features:
central_database: true central_database: true
recaptcha: true recaptcha: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-inline: true script-src:
style-src: unsafe-inline: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
frame-src: whitelist:
- "*" # For frontend channel logout it's necessary that iframes can be loaded frame-src:
domains: - "*" # For frontend channel logout it's necessary that iframes can be loaded
canonical: domains:
- "auth.{{ primary_domain }}" canonical:
- "auth.{{ primary_domain }}"
scopes: scopes:
rbac_roles: rbac_roles rbac_roles: rbac_roles
nextcloud: nextcloud nextcloud: nextcloud


@ -12,19 +12,20 @@ features:
ldap: true ldap: true
central_database: false central_database: false
oauth2: true oauth2: true
logout: true logout: true
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
script-src: unsafe-eval: true
unsafe-inline: true script-src:
domains: unsafe-inline: true
aliases: domains:
- "ldap.{{primary_domain}}" aliases:
canonical: - "ldap.{{primary_domain}}"
- lam.{{ primary_domain }} canonical:
- lam.{{ primary_domain }}


@ -18,13 +18,14 @@ features:
oauth2: false # Enable the OAuth2-Proy oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file javascript: false # Enables the custom JS in the javascript.js.j2 file
logout: false # With this app I assume that it's a service, so should be renamed and logging is unneccessary logout: false # With this app I assume that it's a service, so should be renamed and logging is unneccessary
csp: server:
whitelist: {} # URL's which should be whitelisted csp:
flags: {} # Flags which should be set whitelist: {} # URL's which should be whitelisted
domains: flags: {} # Flags which should be set
canonical: domains:
- "libretranslate.{{ primary_domain }}" canonical:
aliases: [] # Alias redirections to the first element of the canonical domains - "libretranslate.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
rbac: rbac:
roles: {} roles: {}


@ -5,10 +5,11 @@ features:
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
oidc: true oidc: true
logout: true logout: true
domains: server:
canonical: domains:
- "newsletter.{{ primary_domain }}" canonical:
- "newsletter.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -1,26 +1,27 @@
oidc: oidc:
email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used
enable_user_creation: true # Users will be created if not existing enable_user_creation: true # Users will be created if not existing
domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
features: features:
matomo: true matomo: true
css: false css: false
port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it port-ui-desktop: true # Deactivated mailu iframe loading until keycloak supports it
oidc: true oidc: true
central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
logout: true logout: true
domains: server:
canonical: domains:
- "mail.{{ primary_domain }}" canonical:
csp: - "mail.{{ primary_domain }}"
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-inline: true script-src:
unsafe-eval: true unsafe-inline: true
unsafe-eval: true
rbac: rbac:
roles: roles:
mail-bot: mail-bot:


@ -6,14 +6,15 @@ features:
port-ui-desktop: true port-ui-desktop: true
oidc: true oidc: true
central_database: true central_database: true
logout: true logout: true
domains: server:
canonical: domains:
- "microblog.{{ primary_domain }}" canonical:
csp: - "microblog.{{ primary_domain }}"
whitelist: csp:
frame-src: whitelist:
- "*" frame-src:
- "*"
docker: docker:
services: services:
redis: redis:


@ -8,27 +8,28 @@ features:
port-ui-desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it port-ui-desktop: false # Didn't work in frame didn't have high priority @todo figure out pcause and solve it
central_database: true central_database: true
oauth2: false oauth2: false
logout: true logout: true
csp: server:
whitelist: csp:
script-src-elem: whitelist:
- https://cdn.matomo.cloud script-src-elem:
style-src: - https://cdn.matomo.cloud
- https://fonts.googleapis.com style-src:
flags: - https://fonts.googleapis.com
script-src: flags:
unsafe-eval: true script-src:
script-src-elem: unsafe-eval: true
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
unsafe-eval: true unsafe-inline: true
domains: unsafe-eval: true
aliases: domains:
- "analytics.{{ primary_domain }}" aliases:
canonical: - "analytics.{{ primary_domain }}"
- "matomo.{{ primary_domain }}" canonical:
- "matomo.{{ primary_domain }}"
excluded_ips: "{{ networks.internet.values() | list }}" excluded_ips: "{{ networks.internet.values() | list }}"
docker: docker:


@ -23,22 +23,28 @@ features:
port-ui-desktop: true port-ui-desktop: true
oidc: true # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 oidc: true # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
central_database: true central_database: true
logout: true logout: true
csp: server:
flags: csp:
script-src: flags:
unsafe-eval: true script-src:
script-src-elem: unsafe-eval: true
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
connect-src: whitelist:
- "*" connect-src:
script-src-elem: - "*"
- "element.{{ primary_domain }}" script-src-elem:
- "https://cdn.jsdelivr.net" - "element.{{ primary_domain }}"
- "https://cdn.jsdelivr.net"
domains:
canonical:
synapse: "matrix.{{ primary_domain }}"
element: "element.{{ primary_domain }}"
client_max_body_size: "15M"
plugins: plugins:
# You need to enable them in the inventory file # You need to enable them in the inventory file
@ -50,10 +56,3 @@ plugins:
slack: false slack: false
telegram: false telegram: false
whatsapp: false whatsapp: false
client_max_body_size: "15M"
domains:
canonical:
synapse: "matrix.{{ primary_domain }}"
element: "element.{{ primary_domain }}"


@ -17,4 +17,4 @@ matrix_project: "{{ application_id | get_entity_name }}"
# Webserver # Webserver
well_known_directory: "{{nginx.directories.data.well_known}}/matrix/" well_known_directory: "{{nginx.directories.data.well_known}}/matrix/"
location_upload: "~ ^/_matrix/media/v3/" location_upload: "~ ^/_matrix/media/v3/"
client_max_body_size: "{{ applications | get_app_conf(application_id, 'client_max_body_size') }}" client_max_body_size: "{{ applications | get_app_conf(application_id, 'server.client_max_body_size') }}"


@ -1,6 +1,7 @@
domains: server:
canonical: domains:
- "wiki.{{ primary_domain }}" canonical:
- "wiki.{{ primary_domain }}"
docker: docker:
services: services:
mediawiki: mediawiki:


@ -1,38 +1,39 @@
docker: docker:
services: services:
redis: redis:
enabled: false # No redis needed enabled: false # No redis needed
database: database:
enabled: false # No database needed enabled: false # No database needed
features: features:
matomo: true # activate tracking matomo: true # activate tracking
css: true # use custom infinito stile css: true # use custom infinito stile
port-ui-desktop: true # Enable in port-ui port-ui-desktop: true # Enable in port-ui
logout: false logout: false
csp: server:
whitelist: csp:
script-src-elem: whitelist:
- https://cdn.jsdelivr.net script-src-elem:
- https://kit.fontawesome.com - https://cdn.jsdelivr.net
- https://code.jquery.com/ - https://kit.fontawesome.com
- https://unpkg.com/ - https://code.jquery.com/
style-src: - https://unpkg.com/
- https://cdn.jsdelivr.net style-src:
- https://cdnjs.cloudflare.com - https://cdn.jsdelivr.net
font-src: - https://cdnjs.cloudflare.com
- https://cdnjs.cloudflare.com font-src:
- https://ka-f.fontawesome.com - https://cdnjs.cloudflare.com
- https://cdn.jsdelivr.net - https://ka-f.fontawesome.com
connect-src: - https://cdn.jsdelivr.net
- https://ka-f.fontawesome.com connect-src:
frame-ancestors: - https://ka-f.fontawesome.com
- "*" # No damage if it's used somewhere on other websites, it anyhow looks like art frame-ancestors:
flags: - "*" # No damage if it's used somewhere on other websites, it anyhow looks like art
style-src: flags:
unsafe-inline: true style-src:
domains: unsafe-inline: true
canonical: domains:
- "mig.{{ primary_domain }}" canonical:
aliases: - "mig.{{ primary_domain }}"
- "meta-infinite-graph.{{ primary_domain }}" aliases:
build_data: true # Enables the building of the meta data which the graph requiers - "meta-infinite-graph.{{ primary_domain }}"
build_data: true # Enables the building of the meta data which the graph requiers


@ -5,17 +5,18 @@ features:
matomo: true matomo: true
port-ui-desktop: true port-ui-desktop: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-eval: true script-src:
domains: unsafe-eval: true
canonical: domains:
- "event.{{ primary_domain }}" canonical:
aliases: - "event.{{ primary_domain }}"
- "events.{{ primary_domain }}" aliases:
- "events.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -5,26 +5,27 @@ features:
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
oidc: true oidc: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
script-src: unsafe-eval: true
unsafe-eval: true script-src:
style-src: unsafe-eval: true
unsafe-inline: true style-src:
unsafe-eval: true unsafe-inline: true
whitelist: unsafe-eval: true
font-src: whitelist:
- "data:" font-src:
- "blob:" - "data:"
script-src-elem: - "blob:"
- "https://cdn.jsdelivr.net" script-src-elem:
domains: - "https://cdn.jsdelivr.net"
canonical: domains:
- "academy.{{ primary_domain }}" canonical:
- "academy.{{ primary_domain }}"
docker: docker:
services: services:
database: database:


@ -15,7 +15,7 @@ docker:
name: "mybb" name: "mybb"
volumes: volumes:
data: "mybb_data" data: "mybb_data"
server:
domains: domains:
canonical: canonical:
- mybb.{{ primary_domain }} - mybb.{{ primary_domain }}


@ -1,28 +1,29 @@
features: features:
matomo: true matomo: true
css: true css: true
port-ui-desktop: true port-ui-desktop: true
logout: false logout: false
csp: server:
whitelist: csp:
script-src-elem: whitelist:
- https://cdnjs.cloudflare.com script-src-elem:
- https://code.jquery.com - https://cdnjs.cloudflare.com
- https://cdn.jsdelivr.net - https://code.jquery.com
style-src: - https://cdn.jsdelivr.net
- https://cdnjs.cloudflare.com style-src:
- https://cdn.jsdelivr.net - https://cdnjs.cloudflare.com
font-src: - https://cdn.jsdelivr.net
- https://cdnjs.cloudflare.com font-src:
frame-src: - https://cdnjs.cloudflare.com
- "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator frame-src:
flags: - "{{ web_protocol }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator
style-src: flags:
unsafe-inline: true style-src:
script-src: unsafe-inline: true
unsafe-eval: true script-src:
script-src-elem: unsafe-eval: true
unsafe-inline: true script-src-elem:
domains: unsafe-inline: true
canonical: domains:
- "slides.{{ primary_domain }}" canonical:
- "slides.{{ primary_domain }}"


@ -1,18 +1,19 @@
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
whitelist: unsafe-inline: true
font-src: whitelist:
- "data:" font-src:
domains: - "data:"
canonical: domains:
- "cloud.{{ primary_domain }}" canonical:
# nextcloud: "cloud.{{ primary_domain }}" - "cloud.{{ primary_domain }}"
# talk: "talk.{{ primary_domain }}" @todo needs to be activated # nextcloud: "cloud.{{ primary_domain }}"
# talk: "talk.{{ primary_domain }}" @todo needs to be activated
docker: docker:
volumes: volumes:
data: nextcloud_data data: nextcloud_data


@ -6,7 +6,7 @@ features:
css: true css: true
port-ui-desktop: false port-ui-desktop: false
logout: true logout: true
server:
domains: domains:
canonical: canonical:
- oauth2-proxy.{{ primary_domain }} - oauth2-proxy.{{ primary_domain }}


@ -17,16 +17,17 @@ features:
ldap: true ldap: true
central_database: true central_database: true
oauth2: true oauth2: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
style-src: unsafe-inline: true
unsafe-inline: true style-src:
domains: unsafe-inline: true
canonical: domains:
- "project.{{ primary_domain }}" canonical:
- "project.{{ primary_domain }}"
docker: docker:
services: services:


@ -4,27 +4,28 @@ features:
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
oidc: true oidc: true
logout: true logout: true
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-inline: true script-src:
style-src: unsafe-inline: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
frame-ancestors: whitelist:
- "*" frame-ancestors:
media-src: - "*"
- "blob:" media-src:
font-src: - "blob:"
- "data:" font-src:
domains: - "data:"
canonical: domains:
- "video.{{ primary_domain }}" canonical:
aliases: - "video.{{ primary_domain }}"
- "videos.{{ primary_domain }}" aliases:
- "videos.{{ primary_domain }}"
docker: docker:
services: services:
redis: redis:


@ -13,20 +13,20 @@ features:
central_database: true central_database: true
oauth2: true oauth2: true
logout: true logout: true
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
whitelist: unsafe-inline: true
font-src: whitelist:
- "data:" font-src:
- "data:"
domains:
canonical:
- pgadmin.{{ primary_domain }}
docker: docker:
services: services:
database: database:
enabled: true enabled: true
domains:
canonical:
- pgadmin.{{ primary_domain }}


@ -11,7 +11,7 @@ features:
ldap: true ldap: true
oauth2: true oauth2: true
logout: true logout: true
server:
domains: domains:
canonical: canonical:
- phpldapadmin.{{ primary_domain }} - phpldapadmin.{{ primary_domain }}


@ -11,19 +11,20 @@ features:
# it's anyhow not so enduser relevant, so it can be kept like this # it's anyhow not so enduser relevant, so it can be kept like this
central_database: true central_database: true
oauth2: true oauth2: true
logout: true logout: true
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
domains: unsafe-inline: true
aliases: domains:
- "mysql.{{ primary_domain }}" aliases:
- "mariadb.{{ primary_domain }}" - "mysql.{{ primary_domain }}"
canonical: - "mariadb.{{ primary_domain }}"
- phpmyadmin.{{ primary_domain }} canonical:
- phpmyadmin.{{ primary_domain }}
docker: docker:
services: services:
database: database:


@ -5,25 +5,26 @@ features:
port-ui-desktop: true port-ui-desktop: true
central_database: true central_database: true
oidc: true oidc: true
logout: true logout: true
csp: server:
flags: csp:
script-src: flags:
unsafe-eval: true script-src:
unsafe-inline: true unsafe-eval: true
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
frame-ancestors: whitelist:
- "*" frame-ancestors:
domains: - "*"
canonical: domains:
- "picture.{{ primary_domain }}" canonical:
aliases: - "picture.{{ primary_domain }}"
- "pictures.{{ primary_domain }}" aliases:
- "pictures.{{ primary_domain }}"
docker: docker:
services: services:
redis: redis:


@ -4,30 +4,31 @@ features:
port-ui-desktop: false port-ui-desktop: false
simpleicons: true # Activate Brand Icons for your groups simpleicons: true # Activate Brand Icons for your groups
javascript: true # Necessary for URL sync javascript: true # Necessary for URL sync
logout: false # Doesn't have own user data. Just a frame. logout: false # Doesn't have own user data. Just a frame.
csp: server:
whitelist: csp:
script-src-elem: whitelist:
- https://cdn.jsdelivr.net script-src-elem:
- https://kit.fontawesome.com - https://cdn.jsdelivr.net
- https://code.jquery.com/ - https://kit.fontawesome.com
style-src: - https://code.jquery.com/
- https://cdn.jsdelivr.net style-src:
font-src: - https://cdn.jsdelivr.net
- https://ka-f.fontawesome.com font-src:
- https://cdn.jsdelivr.net - https://ka-f.fontawesome.com
connect-src: - https://cdn.jsdelivr.net
- https://ka-f.fontawesome.com connect-src:
frame-src: - https://ka-f.fontawesome.com
- "{{ web_protocol }}://*.{{primary_domain}}" frame-src:
flags: - "{{ web_protocol }}://*.{{primary_domain}}"
style-src: flags:
unsafe-inline: true style-src:
script-src: unsafe-inline: true
unsafe-inline: true script-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
domains: unsafe-inline: true
canonical: domains:
- "{{ primary_domain }}" canonical:
- "{{ primary_domain }}"


@ -11,20 +11,21 @@ docker:
features: features:
matomo: true # Enable Matomo Tracking matomo: true # Enable Matomo Tracking
css: true # Enable Global CSS Styling css: true # Enable Global CSS Styling
port-ui-desktop: true # Enable loading of app in iframe port-ui-desktop: true # Enable loading of app in iframe
ldap: false # Enable LDAP Network ldap: false # Enable LDAP Network
central_database: false # Enable Central Database Network central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy oauth2: false # Enable the OAuth2-Proy
javascript: false # Enables the custom JS in the javascript.js.j2 file javascript: false # Enables the custom JS in the javascript.js.j2 file
logout: true logout: true
csp: server:
whitelist: {} # URL's which should be whitelisted csp:
flags: {} # Flags which should be set whitelist: {} # URL's which should be whitelisted
domains: flags: {} # Flags which should be set
canonical: domains:
- "pretix.{{ primary_domain }}" canonical:
aliases: [] # Alias redirections to the first element of the canonical domains - "pretix.{{ primary_domain }}"
aliases: [] # Alias redirections to the first element of the canonical domains
rbac: rbac:
roles: {} roles: {}


@ -1,5 +1,6 @@
features: features:
logout: false logout: false
domains: server:
canonical: domains:
- "wheel.{{ primary_domain }}" canonical:
- "wheel.{{ primary_domain }}"


@ -5,22 +5,23 @@ features:
central_database: true central_database: true
ldap: true ldap: true
oauth2: true oauth2: true
logout: true logout: true
domains: server:
canonical: domains:
- "inventory.{{ primary_domain }}" canonical:
csp: - "inventory.{{ primary_domain }}"
flags: csp:
script-src: flags:
unsafe-inline: true script-src:
unsafe-eval: true unsafe-inline: true
script-src-elem: unsafe-eval: true
unsafe-inline: true script-src-elem:
style-src: unsafe-inline: true
unsafe-inline: true style-src:
whitelist: unsafe-inline: true
font-src: whitelist:
- "data:" font-src:
- "data:"
oauth2_proxy: oauth2_proxy:
application: "application" application: "application"
port: "80" port: "80"


@ -1,17 +1,18 @@
features: features:
matomo: true matomo: true
css: true css: true
port-ui-desktop: true port-ui-desktop: true
logout: false logout: false
csp: server:
flags: csp:
script-src: flags:
unsafe-eval: true script-src:
script-src-elem: unsafe-eval: true
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
domains: unsafe-inline: true
canonical: domains:
- "docs.{{ primary_domain }}" canonical:
- "docs.{{ primary_domain }}"


@ -13,7 +13,7 @@ features:
# users: # users:
# administrator: # administrator:
# username: "{{ users.administrator.username }}" # username: "{{ users.administrator.username }}"
server:
domains: domains:
canonical: canonical:
- syncope.{{ primary_domain }} - syncope.{{ primary_domain }}


@ -11,22 +11,23 @@ features:
port-ui-desktop: true port-ui-desktop: true
oidc: false oidc: false
central_database: true central_database: true
logout: true logout: true
docker: docker:
services: services:
database: database:
enabled: true enabled: true
taiga: taiga:
version: "latest" version: "latest"
csp: server:
flags: csp:
script-src-elem: flags:
unsafe-inline: true script-src-elem:
unsafe-eval: true unsafe-inline: true
style-src: unsafe-eval: true
unsafe-inline: true style-src:
script-src: unsafe-inline: true
unsafe-eval: true script-src:
domains: unsafe-eval: true
canonical: domains:
- "kanban.{{ primary_domain }}" canonical:
- "kanban.{{ primary_domain }}"


@ -14,32 +14,33 @@ features:
oidc: true oidc: true
central_database: true central_database: true
logout: true logout: true
csp: server:
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
script-src: unsafe-inline: true
unsafe-eval: true script-src:
whitelist: unsafe-eval: true
worker-src: whitelist:
- "blob:" worker-src:
font-src: - "blob:"
- "data:" font-src:
- "https://fonts.bunny.net" - "data:"
script-src-elem: - "https://fonts.bunny.net"
- "https://cdn.gtranslate.net" # Necessary for translation plugins script-src-elem:
- "https://translate.google.com" # Necessary for translation plugins - "https://cdn.gtranslate.net" # Necessary for translation plugins
- "https://translate.google.com" # Necessary for translation plugins
- "blog.{{ primary_domain }}"
style-src:
- "https://fonts.bunny.net"
frame-src:
- "blob:"
- "*"
domains:
canonical:
- "blog.{{ primary_domain }}" - "blog.{{ primary_domain }}"
style-src:
- "https://fonts.bunny.net"
frame-src:
- "blob:"
- "*"
domains:
canonical:
- "blog.{{ primary_domain }}"
docker: docker:
services: services:
database: database:
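Review bot: The `frame-src` whitelist still contains `"*"` after the move to `server.csp.whitelist`, which leaves frames from any network origin allowed and makes the directive close to a no-op. If the wildcard is intentional (embedded content in posts, for instance), a comment such as `- "*" # embeds in posts; narrow once the origins are known` would keep it from being copied into other roles; otherwise list the origins that are actually needed. The `script-src-elem` list also appears to carry a bare `blog.{{ primary_domain }}` entry with no scheme, unlike its neighbours, which would read more clearly with the `{{ web_protocol }}://` prefix used in the logout config.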


@ -6,7 +6,7 @@
- name: "Include role srv-proxy-6-6-domain for {{ application_id }}" - name: "Include role srv-proxy-6-6-domain for {{ application_id }}"
include_role: include_role:
name: srv-proxy-6-6-domain name: srv-proxy-6-6-domain
loop: "{{ applications | get_app_conf(application_id, 'domains.canonical', True) }}" loop: "{{ applications | get_app_conf(application_id, 'server.domains.canonical', True) }}"
loop_control: loop_control:
loop_var: domain loop_var: domain
vars: vars:


@ -1,7 +1,7 @@
# xmpp is more a service then a app with ui interface. @todo Rename it # xmpp is more a service then a app with ui interface. @todo Rename it
features: features:
logout: false # Reactivated as soon as xmpp is fully implemented logout: false # Reactivated as soon as xmpp is fully implemented
server:
domains: domains:
canonical: canonical:
- xmpp.{{ primary_domain }} - xmpp.{{ primary_domain }}


@ -13,11 +13,20 @@ features:
central_database: true central_database: true
oauth2: true oauth2: true
logout: true logout: true
domains: server:
canonical: domains:
- "s.{{ primary_domain }}" canonical:
aliases: - "s.{{ primary_domain }}"
- "short.{{ primary_domain }}" aliases:
- "short.{{ primary_domain }}"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
docker: docker:
services: services:
database: database:
@ -26,11 +35,3 @@ docker:
version: "latest" version: "latest"
name: "yourls" name: "yourls"
image: "yourls" image: "yourls"
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true


@ -1,6 +1,6 @@
source_directory: "{{ playbook_dir }}/assets" source_directory: "{{ playbook_dir }}/assets"
url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']domains.canonical[0] >>/assets" url: "{{ web_protocol }}://<< defaults_applications['web-svc-file']server.domains.canonical[0] >>/assets"
server:
domains: domains:
canonical: canonical:
- asset.{{ primary_domain }} - asset.{{ primary_domain }}
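Review bot: The `url` placeholder reads `['web-svc-file']server.domains.canonical[0]` with no `.` between the bracket key and `server`, while the renderer test updated in this commit uses `['web-svc-file'].server.domains.canonical[0]`. Whether the renderer tolerates the missing separator cannot be told from this hunk, so I would write `<< defaults_applications['web-svc-file'].server.domains.canonical[0] >>` to match the tested form. The logout config's `frame-ancestors` entry has the opposite gap: `defaults_applications[web-app-keycloak]` leaves the hyphenated key unquoted. An unresolved placeholder there would presumably end up as a literal string in the CSP header, so both spellings are worth covering with a renderer test.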


@ -1,7 +1,8 @@
features: features:
matomo: true matomo: true
css: true css: true
port-ui-desktop: true port-ui-desktop: true
domains: server:
canonical: domains:
- "cdn.{{ primary_domain }}" canonical:
- "cdn.{{ primary_domain }}"


@ -1,9 +1,10 @@
features: features:
matomo: true matomo: true
css: true css: true
port-ui-desktop: true port-ui-desktop: true
domains: server:
canonical: domains:
- "file.{{ primary_domain }}" canonical:
alias: - "file.{{ primary_domain }}"
- "files.{{ primary_domain }}" alias:
- "files.{{ primary_domain }}"
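Review bot: The key under `server.domains` is `alias`, but the default config template and the filter tests in this commit all use `aliases` (for example `'domains': {'aliases': ['alias.com']}`), so `files.{{ primary_domain }}` is probably never picked up as an alias redirect. The old file had the same spelling, which makes this restructuring a good moment to fix it: rename the key to `aliases:` and keep `- "files.{{ primary_domain }}"` beneath it. A schema test that rejects unknown keys under `server.domains` would catch this kind of typo in future.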


@ -1,7 +1,8 @@
features: features:
matomo: true matomo: true
css: true css: true
port-ui-desktop: true port-ui-desktop: true
domains: server:
canonical: domains:
- "html.{{ primary_domain }}" canonical:
- "html.{{ primary_domain }}"


@ -4,23 +4,24 @@ features:
port-ui-desktop: true port-ui-desktop: true
javascript: false javascript: false
logout: false logout: false
domains: server:
canonical: domains:
- "logout.{{ primary_domain }}" canonical:
csp: - "logout.{{ primary_domain }}"
flags: csp:
style-src: flags:
unsafe-inline: true style-src:
script-src-elem: unsafe-inline: true
unsafe-inline: true script-src-elem:
whitelist: unsafe-inline: true
connect-src: whitelist:
- "{{ web_protocol }}://*.{{ primary_domain }}" connect-src:
- "{{ web_protocol }}://{{ primary_domain }}" - "{{ web_protocol }}://*.{{ primary_domain }}"
script-src-elem: - "{{ web_protocol }}://{{ primary_domain }}"
- https://cdn.jsdelivr.net script-src-elem:
style-src: - https://cdn.jsdelivr.net
- https://cdn.jsdelivr.net style-src:
frame-ancestors: - https://cdn.jsdelivr.net
- "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].domains.canonical[0] >>" frame-ancestors:
- "{{ web_protocol }}://<< defaults_applications[web-app-keycloak].server.domains.canonical[0] >>"


@ -31,7 +31,7 @@ class FilterModule(object):
continue continue
# use canonical domains list if present # use canonical domains list if present
domains_entry = config.get('domains', {}).get('canonical', []) domains_entry = config.get('server', {}).get('domains', {}).get('canonical', [])
# normalize to a list of strings # normalize to a list of strings
if isinstance(domains_entry, dict): if isinstance(domains_entry, dict):
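Review bot: `config.get('server', {})` only falls back to `{}` when the key is absent; a config that has `server:` with no children loads as `None`, and the chained `.get('domains', {})` then raises `AttributeError` instead of yielding an empty list. `domains_entry = ((config.get('server') or {}).get('domains') or {}).get('canonical', [])` keeps the filter tolerant of empty sections. The function body starts and continues outside the hunk, so I cannot tell whether an outer handler already turns that error into an `AnsibleFilterError`.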


@ -16,10 +16,11 @@ features:
central_database: false # Enable Central Database Network central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy oauth2: false # Enable the OAuth2-Proy
csp: {} server:
domains: csp: {}
canonical: domains:
- "icons.{{ primary_domain }}" canonical:
- "icons.{{ primary_domain }}"
rbac: rbac:
roles: roles:
mail-bot: mail-bot:


@ -24,24 +24,24 @@ features:
recaptcha: false # Enable ReCaptcha recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy oauth2: false # Enable the OAuth2-Proy
javascript: false # Enable the custom JS in the javascript.js.j2 file javascript: false # Enable the custom JS in the javascript.js.j2 file
logout: true # Enable the logout via the central logout mechanism (deleting all cookies) logout: true # Enable the logout via the central logout mechanism (deleting all cookies)
csp: server:
whitelist: # URL's which should be whitelisted csp:
script-src-elem: [] whitelist: # URL's which should be whitelisted
style-src: [] script-src-elem: []
font-src: [] style-src: []
connect-src: [] font-src: []
frame-src: [] connect-src: []
flags: # Flags which should be set frame-src: []
style-src: flags: # Flags which should be set
unsafe-inline: false style-src:
script-src: unsafe-inline: false
unsafe-inline: false script-src:
script-src-elem: unsafe-inline: false
unsafe-inline: false script-src-elem:
domains: unsafe-inline: false
domains: domains:
canonical: {} # Urls under which the domain should be directly accessible canonical: {} # Urls under which the domain should be directly accessible
aliases: [] # Alias redirections to the first element of the canonical domains aliases: [] # Alias redirections to the first element of the canonical domains
rbac: rbac:
roles: {} roles: {}


@ -25,7 +25,7 @@ class TestDomainUniqueness(unittest.TestCase):
domain_to_apps = defaultdict(set) domain_to_apps = defaultdict(set)
for app_name, app_cfg in apps.items(): for app_name, app_cfg in apps.items():
domains_cfg = app_cfg.get('domains', {}) domains_cfg = app_cfg.get('server',{}).get('domains',{})
# canonical entries may be a list or a mapping # canonical entries may be a list or a mapping
canonical = domains_cfg.get('canonical', []) canonical = domains_cfg.get('canonical', [])


@ -20,17 +20,17 @@ class TestWebRolesDomains(unittest.TestCase):
self.assertIsInstance(data, dict, f"YAML root is not a dict in {path}") self.assertIsInstance(data, dict, f"YAML root is not a dict in {path}")
domains = data.get("domains") domains = data.get('server',{}).get('domains',{})
self.assertIsNotNone(domains, f"'domains' section missing in {path}") self.assertIsNotNone(domains, f"'domains' section missing in {path}")
self.assertIsInstance(domains, dict, f"'domains' must be a dict in {path}") self.assertIsInstance(domains, dict, f"'domains' must be a dict in {path}")
canonical = domains.get("canonical") canonical = domains.get("canonical")
self.assertIsNotNone(canonical, f"'domains.canonical' missing in {path}") self.assertIsNotNone(canonical, f"'server.domains.canonical' missing in {path}")
# Check for emptiness # Check for emptiness
empty_values = [{}, [], ""] empty_values = [{}, [], ""]
self.assertNotIn(canonical, empty_values, self.assertNotIn(canonical, empty_values,
f"'domains.canonical' in {path} must not be empty dict, list, or empty string") f"'server.domains.canonical' in {path} must not be empty dict, list, or empty string")
if __name__ == "__main__": if __name__ == "__main__":
unittest.main() unittest.main()
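Review bot: With the `{}` default in `data.get('server',{}).get('domains',{})`, `domains` can never be `None`, so the `assertIsNotNone(domains, ...)` on the next line no longer detects a missing section; the failure only surfaces later as a missing `canonical`. Dropping the inner default restores the check: `domains = data.get('server', {}).get('domains')`. The two messages that still say `'domains'` could also say `'server.domains'` to match the updated `canonical` messages. The test method starts outside the hunk.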


@ -33,7 +33,7 @@ class TestDomainsStructure(unittest.TestCase):
if 'domains' not in data: if 'domains' not in data:
continue continue
domains = data['domains'] domains = data.get('server',{}).get('domains')
if not isinstance(domains, dict): if not isinstance(domains, dict):
failed_roles.append((role_path.name, vars_file.name, "'domains' should be a dict")) failed_roles.append((role_path.name, vars_file.name, "'domains' should be a dict"))
continue continue
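Review bot: The unchanged guard `if 'domains' not in data: continue` still looks for a top-level `domains` key, which the restructured configs no longer have, so every migrated file is skipped and the structure check below it never runs. The guard should follow the new path, e.g. `server = data.get('server') or {}`, then `if 'domains' not in server: continue` and `domains = server['domains']`. As written, a file that did keep a top-level `domains` would reach `data.get('server',{}).get('domains')`, get `None`, and be reported as "should be a dict" rather than as an unmigrated file. The loop body starts and ends outside the hunk.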


@ -33,7 +33,9 @@ class TestDomainFilters(unittest.TestCase):
def test_alias_with_explicit_aliases(self): def test_alias_with_explicit_aliases(self):
apps = { apps = {
'app1': { 'app1': {
'domains': {'aliases': ['alias.com']} 'server':{
'domains': {'aliases': ['alias.com']}
}
} }
} }
# canonical defaults to ['app1.example.com'], so alias should include alias.com and default # canonical defaults to ['app1.example.com'], so alias should include alias.com and default
@ -44,7 +46,7 @@ class TestDomainFilters(unittest.TestCase):
def test_alias_with_canonical_not_default(self): def test_alias_with_canonical_not_default(self):
apps = { apps = {
'app1': { 'app1': {
'domains': {'canonical': ['foo.com']} 'server':{'domains': {'canonical': ['foo.com']}}
} }
} }
# foo.com is canonical, default not in canonical so added as alias # foo.com is canonical, default not in canonical so added as alias
@ -55,9 +57,11 @@ class TestDomainFilters(unittest.TestCase):
def test_alias_with_existing_default(self): def test_alias_with_existing_default(self):
apps = { apps = {
'app1': { 'app1': {
'domains': { 'server':{
'canonical': ['foo.com'], 'domains': {
'aliases': ['app1.example.com'] 'canonical': ['foo.com'],
'aliases': ['app1.example.com']
}
} }
} }
} }
@ -68,7 +72,7 @@ class TestDomainFilters(unittest.TestCase):
def test_invalid_aliases_type(self): def test_invalid_aliases_type(self):
apps = { apps = {
'app1': {'domains': {'aliases': 123}} 'app1': {'server':{'domains': {'aliases': 123}}}
} }
with self.assertRaises(AnsibleFilterError): with self.assertRaises(AnsibleFilterError):
self.filter_module.alias_domains_map(apps, self.primary) self.filter_module.alias_domains_map(apps, self.primary)
@ -76,7 +80,9 @@ class TestDomainFilters(unittest.TestCase):
def test_alias_with_empty_domains_cfg(self): def test_alias_with_empty_domains_cfg(self):
apps = { apps = {
'app1': { 'app1': {
'domains': {} 'server':{
'domains': {}
}
} }
} }
expected = apps expected = apps
@ -86,10 +92,12 @@ class TestDomainFilters(unittest.TestCase):
def test_alias_with_canonical_dict_not_default(self): def test_alias_with_canonical_dict_not_default(self):
apps = { apps = {
'app1': { 'app1': {
'domains': { 'server':{
'canonical': { 'domains': {
'one': 'one.com', 'canonical': {
'two': 'two.com' 'one': 'one.com',
'two': 'two.com'
}
} }
} }
} }


@ -32,7 +32,9 @@ class TestDomainFilters(unittest.TestCase):
def test_canonical_with_list(self): def test_canonical_with_list(self):
apps = { apps = {
'web-app-app1': { 'web-app-app1': {
'domains': {'canonical': ['foo.com', 'bar.com']} 'server':{
'domains': {'canonical': ['foo.com', 'bar.com']}
}
} }
} }
result = self.filter_module.canonical_domains_map(apps, self.primary) result = self.filter_module.canonical_domains_map(apps, self.primary)
@ -44,7 +46,9 @@ class TestDomainFilters(unittest.TestCase):
def test_canonical_with_dict(self): def test_canonical_with_dict(self):
apps = { apps = {
'web-app-app1': { 'web-app-app1': {
'domains': {'canonical': {'one': 'one.com', 'two': 'two.com'}} 'server':{
'domains': {'canonical': {'one': 'one.com', 'two': 'two.com'}}
}
} }
} }
result = self.filter_module.canonical_domains_map(apps, self.primary) result = self.filter_module.canonical_domains_map(apps, self.primary)
@ -55,8 +59,14 @@ class TestDomainFilters(unittest.TestCase):
def test_canonical_duplicate_raises(self): def test_canonical_duplicate_raises(self):
apps = { apps = {
'web-app-app1': {'domains': {'canonical': ['dup.com']}}, 'web-app-app1':{
'web-app-app2': {'domains': {'canonical': ['dup.com']}}, 'server':{'domains': {'canonical': ['dup.com']}},
},
'web-app-app2':{
'server':{
'domains': {'canonical': ['dup.com']}
},
},
} }
with self.assertRaises(AnsibleFilterError) as cm: with self.assertRaises(AnsibleFilterError) as cm:
self.filter_module.canonical_domains_map(apps, self.primary) self.filter_module.canonical_domains_map(apps, self.primary)
@ -65,7 +75,7 @@ class TestDomainFilters(unittest.TestCase):
def test_invalid_canonical_type(self): def test_invalid_canonical_type(self):
apps = { apps = {
'web-app-app1': {'domains': {'canonical': 123}} 'web-app-app1': {'server':{'domains': {'canonical': 123}}}
} }
with self.assertRaises(AnsibleFilterError): with self.assertRaises(AnsibleFilterError):
self.filter_module.canonical_domains_map(apps, self.primary) self.filter_module.canonical_domains_map(apps, self.primary)
@ -76,7 +86,7 @@ class TestDomainFilters(unittest.TestCase):
resulting in an empty mapping when only non-web apps are provided. resulting in an empty mapping when only non-web apps are provided.
""" """
apps = { apps = {
'db-app-app1': {'domains': {'canonical': ['db.example.com']}}, 'db-app-app1': {'server':{'domains': {'canonical': ['db.example.com']}}},
'service-app-app2': {} 'service-app-app2': {}
} }
result = self.filter_module.canonical_domains_map(apps, self.primary) result = self.filter_module.canonical_domains_map(apps, self.primary)
@ -88,7 +98,7 @@ class TestDomainFilters(unittest.TestCase):
non-web apps should be ignored alongside valid web apps. non-web apps should be ignored alongside valid web apps.
""" """
apps = { apps = {
'db-app-app1': {'domains': {'canonical': ['db.example.com']}}, 'db-app-app1': {'server':{'domains': {'canonical': ['db.example.com']}}},
'web-app-app1': {} 'web-app-app1': {}
} }
expected = {'web-app-app1': ['app1.example.com']} expected = {'web-app-app1': ['app1.example.com']}


@ -37,7 +37,9 @@ class TestDomainMappings(unittest.TestCase):
def test_explicit_aliases(self): def test_explicit_aliases(self):
apps = { apps = {
'app1': { 'app1': {
'domains': {'aliases': ['alias.com']} 'server':{
'domains': {'aliases': ['alias.com']}
}
} }
} }
default = 'app1.example.com' default = 'app1.example.com'
@ -51,7 +53,9 @@ class TestDomainMappings(unittest.TestCase):
def test_canonical_not_default(self): def test_canonical_not_default(self):
apps = { apps = {
'app1': { 'app1': {
'domains': {'canonical': ['foo.com']} 'server':{
'domains': {'canonical': ['foo.com']}
}
} }
} }
expected = [ expected = [
@ -63,8 +67,10 @@ class TestDomainMappings(unittest.TestCase):
def test_canonical_dict(self): def test_canonical_dict(self):
apps = { apps = {
'app1': { 'app1': {
'domains': { 'server':{
'canonical': {'one': 'one.com', 'two': 'two.com'} 'domains': {
'canonical': {'one': 'one.com', 'two': 'two.com'}
}
} }
} }
} }
@ -77,8 +83,12 @@ class TestDomainMappings(unittest.TestCase):
def test_multiple_apps(self): def test_multiple_apps(self):
apps = { apps = {
'app1': {'domains': {'aliases': ['a1.com']}}, 'app1': {
'app2': {'domains': {'canonical': ['c2.com']}}, 'server':{'domains': {'aliases': ['a1.com']}}
},
'app2': {
'server':{'domains': {'canonical': ['c2.com']}}
},
} }
expected = [ expected = [
{'source': 'a1.com', 'target': 'app1.example.com'}, {'source': 'a1.com', 'target': 'app1.example.com'},
@ -89,7 +99,10 @@ class TestDomainMappings(unittest.TestCase):
def test_multiple_aliases(self): def test_multiple_aliases(self):
apps = { apps = {
'app1': {'domains': {'aliases': ['a1.com','a2.com']}} 'app1': {
'server':{'domains': {'aliases': ['a1.com','a2.com']}
}
}
} }
expected = [ expected = [
{'source': 'a1.com', 'target': 'app1.example.com'}, {'source': 'a1.com', 'target': 'app1.example.com'},
@ -100,7 +113,7 @@ class TestDomainMappings(unittest.TestCase):
def test_invalid_aliases_type(self): def test_invalid_aliases_type(self):
apps = { apps = {
'app1': {'domains': {'aliases': 123}} 'app1': {'server':{'domains': {'aliases': 123}}}
} }
with self.assertRaises(AnsibleFilterError): with self.assertRaises(AnsibleFilterError):
self.filter.domain_mappings(apps, self.primary) self.filter.domain_mappings(apps, self.primary)


@ -19,12 +19,14 @@ class TestLoadConfigurationFilter(unittest.TestCase):
self.nested_cfg = { self.nested_cfg = {
'html': { 'html': {
'features': {'matomo': True}, 'features': {'matomo': True},
'domains': {'canonical': ['html.example.com']} 'server': {
'domains':{'canonical': ['html.example.com']}
}
} }
} }
self.flat_cfg = { self.flat_cfg = {
'features': {'matomo': False}, 'features': {'matomo': False},
'domains': {'canonical': ['flat.example.com']} 'server': {'domains':{'canonical': ['flat.example.com']}}
} }
def test_invalid_key(self): def test_invalid_key(self):
@ -69,7 +71,7 @@ class TestLoadConfigurationFilter(unittest.TestCase):
self.assertIn(self.app, _cfg_cache) self.assertIn(self.app, _cfg_cache)
mock_yaml.reset_mock() mock_yaml.reset_mock()
# from cache # from cache
self.assertEqual(self.f(self.app, 'domains.canonical'), self.assertEqual(self.f(self.app, 'server.domains.canonical'),
['html.example.com']) ['html.example.com'])
mock_yaml.assert_not_called() mock_yaml.assert_not_called()
@ -92,7 +94,7 @@ class TestLoadConfigurationFilter(unittest.TestCase):
mock_yaml.return_value = self.nested_cfg mock_yaml.return_value = self.nested_cfg
# nested fallback must work # nested fallback must work
self.assertTrue(self.f(self.app, 'features.matomo')) self.assertTrue(self.f(self.app, 'features.matomo'))
self.assertEqual(self.f(self.app, 'domains.canonical'), self.assertEqual(self.f(self.app, 'server.domains.canonical'),
['html.example.com']) ['html.example.com'])
@patch('load_configuration.os.listdir', return_value=['r4']) @patch('load_configuration.os.listdir', return_value=['r4'])
@ -105,13 +107,15 @@ class TestLoadConfigurationFilter(unittest.TestCase):
mock_exists.side_effect = lambda p: p.endswith('config/main.yml') mock_exists.side_effect = lambda p: p.endswith('config/main.yml')
mock_yaml.return_value = { mock_yaml.return_value = {
'file': { 'file': {
'domains': { 'server': {
'canonical': ['files.example.com', 'extra.example.com'] 'domains':{
'canonical': ['files.example.com', 'extra.example.com']
}
} }
} }
} }
# should get the first element of the canonical domains list # should get the first element of the canonical domains list
self.assertEqual(self.f('file', 'domains.canonical[0]'), self.assertEqual(self.f('file', 'server.domains.canonical[0]'),
'files.example.com') 'files.example.com')
if __name__ == '__main__': if __name__ == '__main__':


@ -33,23 +33,33 @@ class TestLogoutDomainsFilter(unittest.TestCase):
def test_flatten_and_feature_flag(self): def test_flatten_and_feature_flag(self):
applications = { applications = {
"app1": { "app1": {
"domains": {"canonical": "single.domain.com"}, 'server':{
"domains": {"canonical": "single.domain.com"}
},
"features": {"logout": True}, "features": {"logout": True},
}, },
"app2": { "app2": {
"domains": {"canonical": ["list1.com", "list2.com"]}, 'server':{
"domains": {"canonical": ["list1.com", "list2.com"]}
},
"features": {"logout": True}, "features": {"logout": True},
}, },
"app3": { "app3": {
"domains": {"canonical": {"k1": "dictA.com", "k2": "dictB.com"}}, 'server':{
"domains": {"canonical": {"k1": "dictA.com", "k2": "dictB.com"}}
},
"features": {"logout": True}, "features": {"logout": True},
}, },
"app4": { "app4": {
"domains": {"canonical": "no-logout.com"}, 'server':{
"domains": {"canonical": "no-logout.com"}
},
"features": {"logout": False}, "features": {"logout": False},
}, },
"other": { "other": {
"domains": {"canonical": "ignored.com"}, 'server':{
"domains": {"canonical": "ignored.com"}
},
"features": {"logout": True}, "features": {"logout": True},
}, },
} }
@ -67,7 +77,9 @@ class TestLogoutDomainsFilter(unittest.TestCase):
def test_missing_canonical_defaults_empty(self): def test_missing_canonical_defaults_empty(self):
applications = { applications = {
"app1": { "app1": {
"domains": {}, # no 'canonical' key 'server':{
"domains": {}
}, # no 'canonical' key
"features": {"logout": True}, "features": {"logout": True},
} }
} }
@ -77,7 +89,9 @@ class TestLogoutDomainsFilter(unittest.TestCase):
def test_app_not_in_group(self): def test_app_not_in_group(self):
applications = { applications = {
"app1": { "app1": {
"domains": {"canonical": "domain.com"}, 'server':{
"domains": {"canonical": "domain.com"}
},
"features": {"logout": True}, "features": {"logout": True},
} }
} }
@ -87,7 +101,9 @@ class TestLogoutDomainsFilter(unittest.TestCase):
def test_invalid_domain_type(self): def test_invalid_domain_type(self):
applications = { applications = {
"app1": { "app1": {
"domains": {"canonical": 123}, 'server':{
"domains": {"canonical": 123}
},
"features": {"logout": True}, "features": {"logout": True},
} }
} }


@ -64,11 +64,13 @@ class TestDictRenderer(unittest.TestCase):
# Combine quoted key, dot access and numeric index # Combine quoted key, dot access and numeric index
data = { data = {
"web-svc-file": { "web-svc-file": {
"domains": { 'server':{
"canonical": ["file.example.com"] "domains": {
"canonical": ["file.example.com"]
}
} }
}, },
"url": '<<[\'web-svc-file\'].domains.canonical[0]>>' "url": '<<[\'web-svc-file\'].server.domains.canonical[0]>>'
} }
rendered = self.renderer.render(data) rendered = self.renderer.render(data)
self.assertEqual(rendered["url"], "file.example.com") self.assertEqual(rendered["url"], "file.example.com")