Optimized nginx CSP (prop. leads to problems due to too high restrictions for some roles) and implemented health check for mailer

roles/backup-remote-to-local/templates/backups-remote-to-local.sh.j2

@@ -1,8 +1,8 @@
 #!/bin/bash
 # Pulls the remote backups from multiple hosts
-hosts="{{pull_remote_backups}}";
+hosts="{{ pull_remote_backups | join(' ') }}";
 errors=0
 for host in $hosts; do
-  bash {{docker_backup_remote_to_local_folder}}backup-remote-to-local.sh $host || ((errors+=1));
+  bash {{ docker_backup_remote_to_local_folder }}backup-remote-to-local.sh $host || ((errors+=1));
 done;
 exit $errors;

roles/docker-compose/templates/services/msmtp_curl_test.yml.j2

@@ -16,7 +16,7 @@
         - CMD-SHELL
         - >
           if [ ! -f /tmp/email_sent ]; then
-            echo 'Subject: testmessage from {{domains[application_id]}}\n\nSUCCESSFULL' | msmtp -t {{test_email}} && touch /tmp/email_sent;
+            echo 'Subject: testmessage from {{domains[application_id]}}\n\nSUCCESSFULL' | msmtp -t {{users.blackhole.email}} && touch /tmp/email_sent;
           fi &&
           curl -f http://localhost:80/ || exit 1
       interval: 1m

roles/docker-keycloak/templates/import/realm.json.j2

@@ -835,7 +835,7 @@
       "secret": "{{oidc.client.secret}}",
       {%- set redirect_uris = [] %}
       {%- for application, domain in domains.items() %}
-        {%- if applications[application] is defined and (applications | get_oauth2_enabled(application) or applications | get_oidc_enabled(application)) %}
+        {%- if applications[application] is defined and (applications | is_feature_enabled('oauth2',application) or applications | is_feature_enabled('oidc',application)) %}
           {%- if domain is string %}
             {%- set _ = redirect_uris.append(web_protocol ~ '://' ~ domain ~ '/*') %}
           {%- else %}

roles/docker-nextcloud/templates/nginx/docker.conf.j2

@@ -75,7 +75,6 @@ http {
         add_header X-Robots-Tag                         "noindex, nofollow"     always;
         add_header X-XSS-Protection                     "1; mode=block"         always;
         add_header X-Frame-Options "SAMEORIGIN" always;
-        {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}
 
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;

roles/docker-oauth2-proxy/templates/container.yml.j2

@@ -1,4 +1,4 @@
-{% if applications | get_oauth2_enabled(application_id) %}
+{% if applications | is_feature_enabled('oauth2',application_id) %}
   oauth2-proxy:
     image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
     restart: {{docker_restart_policy}}

roles/docker-peertube/templates/peertube.conf.j2

@@ -5,7 +5,7 @@ server {
 
   {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
   
-  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2' %}
   
   ##
   # Application

roles/docker-portfolio/templates/config.yaml.j2

@@ -28,7 +28,7 @@ accounts:
           class: fa-brands fa-mastodon
         url: "{{ web_protocol }}://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}"
         identifier: "{{service_provider.contact.mastodon}}"
-        iframe: {{ applications | get_features_iframe('mastodon') }}
+        iframe: {{ applications | is_feature_enabled('iframe','mastodon') }}
 
 {% endif %}
 {% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %}
@@ -52,7 +52,7 @@ accounts:
           class: fa-solid fa-camera
       identifier: "{{service_provider.contact.pixelfed}}"
       url: "{{ web_protocol }}://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}"
-      iframe: {{ applications | get_features_iframe('pixelfed') }}
+      iframe: {{ applications | is_feature_enabled('iframe','pixelfed') }}
 
 {% endif %}
 {% if service_provider.contact.peertube  is defined and service_provider.contact.peertube  != "" %}
@@ -64,7 +64,7 @@ accounts:
         class: fa-solid fa-video
       identifier: "{{service_provider.contact.peertube}}"
       url: "{{ web_protocol }}://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}"
-      iframe: {{ applications | get_features_iframe('peertube') }}
+      iframe: {{ applications | is_feature_enabled('iframe','peertube') }}
 
 {% endif %}
 {% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %}
@@ -76,7 +76,7 @@ accounts:
         class: fa-solid fa-blog
       identifier: "{{service_provider.contact.wordpress}}"
       url: "{{ web_protocol }}://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}"
-      iframe: {{ applications | get_features_iframe('wordpress') }}
+      iframe: {{ applications | is_feature_enabled('iframe','wordpress') }}
 
 {% endif %}
 {% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %}
@@ -98,7 +98,7 @@ accounts:
       class: fas fa-network-wired
     identifier: "{{service_provider.contact.friendica}}"
     url: "{{ web_protocol }}://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}"
-    iframe: {{ applications | get_features_iframe('friendica') }}
+    iframe: {{ applications | is_feature_enabled('iframe','friendica') }}
 
 {% endif %}
 

roles/docker-portfolio/templates/footer_menu.yaml.j2

@@ -37,13 +37,13 @@
                 icon:
                   class: fa-solid fa-shield-halved
                 url: https://{{domains.keycloak}}/admin
-                iframe: {{ applications | get_features_iframe('keycloak') }}
+                iframe: {{ applications | is_feature_enabled('iframe','keycloak') }}
               - name: Profile
                 description: Update your personal admin settings
                 icon:
                   class: fa-solid fa-user-gear
                 url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
-                iframe: {{ applications | get_features_iframe('keycloak') }}
+                iframe: {{ applications | is_feature_enabled('iframe','keycloak') }}
               - name: Logout
                 description: End your admin session securely
                 icon:
@@ -113,7 +113,7 @@
       icon:
         class: fas fa-book
       url: https://{{domains.sphinx}}
-      iframe: {{ applications | get_features_iframe('sphinx') }}
+      iframe: {{ applications | is_feature_enabled('iframe','sphinx') }}
 
 {% endif %}
 
@@ -124,7 +124,7 @@
       icon:
         class: "fas fa-chalkboard-teacher"
       url: https://{{domains.presentation}}
-      iframe: {{ applications | get_features_iframe('presentation') }}
+      iframe: {{ applications | is_feature_enabled('iframe','presentation') }}
 
 {% endif %}
 

roles/docker-syncope/templates/proxy.conf

@@ -2,7 +2,7 @@ server
 {
   server_name {{domain}};
 
-  {% if applications | get_oauth2_enabled(application_id) %}
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
     {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
   {% endif %}
 

roles/health-journalctl/handlers/main.yml

@@ -1,5 +1,5 @@
-- name: "reload health-journalctl.cymais.service"
+- name: reload health-msmtp.cymais.service
   systemd:
-    name: health-journalctl.cymais.service
+    name: health-msmtp.cymais.service
     enabled: yes
-    daemon_reload: yes
+    daemon_reload: yes

roles/health-msmtp/README.md

@@ -0,0 +1,21 @@
+# health-msmtp
+
+## Description
+
+This Ansible role sends periodic health check emails using **msmtp** to verify that your mail transport agent is operational. It deploys a simple script and hooks it into a systemd service and timer, with failure notifications sent via Telegram.
+
+## Overview
+
+Optimized for Archlinux, this role creates the required directory structure, installs and configures the health-check script, and integrates with the **systemd-notifier-telegram** role. It uses the **systemd-timer** role to schedule regular checks based on your customizable `OnCalendar` setting.
+
+## Purpose
+
+The **health-msmtp** role ensures that your mail transport system stays available by sending a test email at defined intervals. If the email fails, a Telegram alert is triggered, allowing you to detect and address issues before they impact users.
+
+## Features
+
+- **Directory & Script Deployment:** Sets up `health-msmtp/` and deploys a templated Bash script to send test emails via msmtp.  
+- **Systemd Service & Timer:** Provides `.service` and `.timer` units to run the check and schedule it automatically.  
+- **Failure Notifications:** Leverages **systemd-notifier-telegram** to push alerts when the script exits with an error.  
+- **Configurable Schedule:** Define your desired check frequency using the `on_calendar_health_msmtp` variable.  
+- **Email Destination:** Specify the recipient via the `users.administrator.email` variable.

roles/health-msmtp/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload health-journalctl.cymais.service"
+  systemd:
+    name: health-journalctl.cymais.service
+    enabled: yes
+    daemon_reload: yes

roles/health-msmtp/meta/main.yml

@@ -0,0 +1,25 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Sends periodic health check emails via msmtp"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - health
+    - msmtp
+    - email
+    - systemd
+    - monitoring
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - systemd-notifier-telegram

roles/health-msmtp/tasks/main.yml

@@ -0,0 +1,27 @@
+- name: "create {{ health_msmtp_folder }}"
+  file:
+    path: "{{ health_msmtp_folder }}"
+    state: directory
+    mode: 0755
+
+- name: create health-msmtp.sh
+  template:
+    src:  health-msmtp.sh.j2
+    dest: "{{ health_msmtp_folder }}health-msmtp.sh"
+    mode: '0755'
+
+- name: create health-msmtp.cymais.service
+  template:
+    src: health-msmtp.service.j2
+    dest: /etc/systemd/system/health-msmtp.cymais.service
+  notify: reload health-msmtp.cymais.service
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: include role for systemd-timer for {{ service_name }}
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar: "{{ on_calendar_health_msmtp }}"

roles/health-msmtp/templates/health-msmtp.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Check msmtp liveliness
+OnFailure=systemd-notifier-telegram.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash {{ health_msmtp_folder }}health-msmtp.sh

roles/health-msmtp/templates/health-msmtp.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "Subject: $HOST is alive
+
+Host $HOSTNAME reports at $(date): I'm alive." | msmtp -t {{ users.administrator.email }}

roles/health-msmtp/vars/main.yml

@@ -0,0 +1 @@
+health_msmtp_folder: "{{ path_administrator_scripts }}health-msmtp/"

roles/msmtp/meta/main.yml

@@ -21,4 +21,5 @@ galaxy_info:
   repository: "https://s.veen.world/cymais"
   issue_tracker_url: "https://s.veen.world/cymaisissues"
   documentation: "https://s.veen.world/cymais"
-dependencies: []
+dependencies:
+  - health-msmtp

roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2

@@ -0,0 +1,39 @@
+{%- set csp_parts = [] %}
+
+{# default-src: Fallback for all other directives if not explicitly defined #}
+{%- set csp_parts = csp_parts + ["default-src 'self';"] %}
+
+{# frame-ancestors: Restricts which origins can embed this site in a frame or iframe #}
+{%- set frame_ancestors = "frame-ancestors 'self'" %}
+{%- if applications | is_feature_enabled('iframe', application_id) | bool %}
+  {%- set frame_ancestors = frame_ancestors + " " + web_protocol + "://" + primary_domain %}
+{%- endif %}
+{%- set csp_parts = csp_parts + [frame_ancestors + ";"] %}
+
+{# frame-src: Controls which URLs can be embedded as iframes #}
+{%- set frame_src = "frame-src 'self'" %}
+{%- if applications | is_feature_enabled('recaptcha', application_id) | bool %}
+  {%- set frame_src = frame_src + " https://www.google.com https://www.recaptcha.net" %}
+{%- endif %}
+{%- set csp_parts = csp_parts + [frame_src + ";"] %}
+
+{# img-src: Allow images from own domain and files deliverer. Also from Matomo if enabled. #}
+{%- set img_src = "img-src 'self' " + web_protocol + "://" + domains.file_server %}
+{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
+  {%- set img_src = img_src + " " + web_protocol + "://" + domains.matomo %}
+{%- endif %}
+{%- set csp_parts = csp_parts + [img_src + ";"] %}
+
+{# script-src: Allow JavaScript from self, FontAwesome, jsDelivr, and Matomo if enabled #}
+{%- set script_src = "script-src 'self' 'unsafe-inline'" %}
+{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
+  {%- set script_src = script_src + " " + domains.matomo %}
+{%- endif %}
+{%- set script_src = script_src + " https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
+{%- set csp_parts = csp_parts + [script_src + ";"] %}
+
+{# style-src: Allow CSS from self, FontAwesome, jsDelivr and inline styles #}
+{%- set style_src = "style-src 'self' 'unsafe-inline' https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
+{%- set csp_parts = csp_parts + [style_src + ";"] %}
+
+add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always;

roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2

@@ -1,4 +0,0 @@
-{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) %}
-add_header X-Frame-Options "SAMEORIGIN" always;
-add_header Content-Security-Policy "frame-ancestors 'self' {{primary_domain}};" always;
-{% endif %}

roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2

@@ -14,7 +14,7 @@ location {{location | default("/")}}
   proxy_set_header X-Forwarded-Port 443;
   proxy_set_header Accept-Encoding "";
 
-  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2' %}
 
   # WebSocket specific header
   proxy_http_version 1.1;

roles/nginx-docker-reverse-proxy/templates/vhost/basic.conf.j2

@@ -2,7 +2,7 @@ server
 {
   server_name {{domain}};
 
-  {% if applications | get_oauth2_enabled(application_id) %}
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
     {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
   {% endif %}
 
@@ -15,7 +15,7 @@ server
 
   {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
 
-  {% if applications | get_oauth2_enabled(application_id) %}
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
     {% if applications[application_id].oauth2_proxy.location is defined %}
       {# Exposed and Unprotected Location #}
       {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}

roles/nginx-https-get-cert/tasks/flavors/san.yml

@@ -21,6 +21,9 @@
     {{ '--mode-test' if mode_test | bool else '' }}
   register: certbundle_result
   changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
+  failed_when: >
+    certbundle_result.rc != 0
+    and 'too many certificates' not in certbundle_result.stderr
   when: run_once_san_certs is not defined
 
 - name: run the san tasks once

roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2

@@ -1,5 +1,2 @@
-# Deactivate CSP header
-add_header Content-Security-Policy: "";
-
 # sub filters to integrate matomo tracking code in nginx websites
 sub_filter '</body>' '<noscript><p><img src="//matomo.{{primary_domain}}/matomo.php?idsite={{matomo_site_id}}&rec=1" style="border:0;" alt="" /></p></noscript></body>';

roles/nginx-serve-files/templates/nginx.conf.j2

@@ -6,7 +6,7 @@ server
 
   {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
 
-  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2' %}
   charset utf-8;
   
   location /

roles/nginx-serve-html/templates/nginx.conf.j2

@@ -6,7 +6,7 @@ server
 
   {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
 
-  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/iframe.conf.j2' %}
+  {% include 'roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2' %}
   charset utf-8;
   
   location /