Renamed injection services

roles/sys-srv-web-inj-compose/README.md

@@ -0,0 +1,29 @@
+# Nginx Global Matomo & Theming Modifier Role 🚀
+
+This role enhances your Nginx configuration by conditionally injecting global Matomo tracking and theming elements into your HTML responses. It uses Nginx sub-filters to seamlessly add tracking scripts and CSS links to your web pages.
+
+---
+
+## Features
+
+- **Global Matomo Tracking**  
+  The role includes Matomo tracking configuration and injects the corresponding tracking script into your HTML.
+
+- **Global Theming**  
+  The role injects a global CSS link for consistent theming across your site.
+
+- **Smart Injection**  
+  Uses Nginx's `sub_filter` to insert the tracking and theming snippets right before the closing `</head>` tag of your HTML documents.
+
+
+This will automatically activate Matomo tracking and/or global theming based on your configuration.
+
+---
+
+## Author
+
+Developed by [Kevin Veen-Birkenbach](https://www.veen.world) 😎
+
+---
+
+Happy automating! 🎉

roles/sys-srv-web-inj-compose/filter_plugins/inj_enabled.py

@@ -0,0 +1,35 @@
+# roles/sys-srv-web-inj-compose/filter_plugins/inj_enabled.py
+#
+# Usage in tasks:
+#   - set_fact:
+#       inj_enabled: "{{ applications | inj_enabled(application_id, ['javascript','logout','css','matomo','desktop']) }}"
+
+import sys
+import os
+
+# allow imports from module_utils (same trick as your get_app_conf filter)
+base = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
+mu = os.path.join(base, 'module_utils')
+for p in (base, mu):
+    if p not in sys.path:
+        sys.path.insert(0, p)
+
+from module_utils.config_utils import get_app_conf
+
+def inj_enabled_filter(applications, application_id, features, prefix="features", default=False):
+    """
+    Build a dict {feature: value} by reading the feature flags under the given prefix for the selected application.
+    Uses get_app_conf with strict=False so missing keys just return the default.
+    """
+    result = {}
+    for f in features:
+        path = f"{prefix}.{f}" if prefix else f
+        result[f] = get_app_conf(applications, application_id, path, strict=False, default=default)
+    return result
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "inj_enabled": inj_enabled_filter,
+        }

roles/sys-srv-web-inj-compose/meta/main.yml

@@ -0,0 +1,22 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Core role for Nginx HTML injection of Matomo, theming, iFrame and JS snippets based on application feature flags."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+  - nginx
+  - injector
+  - matomo
+  - theming
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/tree/main/roles/sys-srv-web-inj-compose"
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Any
+    versions:
+    - all

roles/sys-srv-web-inj-compose/tasks/main.yml

@@ -0,0 +1,64 @@
+- name: Build inj_enabled
+  set_fact:
+    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"
+
+- block:
+  - name: Include dependency 'srv-web-7-4-core'
+    include_role:
+      name: srv-web-7-4-core
+    when: run_once_srv_web_7_4_core is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_srv_web_inj_compose is not defined
+
+- name: "Activate Portfolio iFrame notifier for '{{ domain }}'"
+  include_role:
+    name:   sys-srv-web-inj-desktop
+    public: true # Vars used in templates
+  when: inj_enabled.desktop
+
+- name: "Load CDN for '{{ domain }}'"
+  include_role:
+    name: web-svc-cdn
+    public: false
+  when:
+  - inj_enabled.logout
+  - inj_enabled.desktop
+  - application_id != 'web-svc-cdn'
+  - run_once_web_svc_cdn is not defined
+
+- name: Overwritte CDN handlers with neutral handlers
+  ansible.builtin.include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
+  loop:
+  - svc-prx-openresty
+  - docker-compose
+  loop_control:
+    label: "{{ item }}"
+  vars:
+    handler_role_name: "{{ item }}"
+
+- name: Reinitialize 'inj_enabled' for '{{ domain }}', after modification by CDN
+  set_fact:
+    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"
+
+- name: "Activate Corporate CSS for '{{ domain }}'"
+  include_role:
+    name: sys-srv-web-inj-css
+  when:
+  - inj_enabled.css
+  - run_once_sys_srv_web_inj_css is not defined
+
+- name: "Activate Matomo Tracking for '{{ domain }}'"
+  include_role:
+    name: sys-srv-web-inj-matomo
+  when: inj_enabled.matomo
+
+- name: "Activate Javascript for '{{ domain }}'"
+  include_role:
+    name: sys-srv-web-inj-javascript
+  when: inj_enabled.javascript
+
+- name: "Activate logout proxy for '{{ domain }}'"
+  include_role:
+    name: sys-srv-web-inj-logout
+    public: true # Vars used in templates
+  when: inj_enabled.logout

roles/sys-srv-web-inj-compose/templates/location.lua.j2

@@ -0,0 +1,77 @@
+{% macro push_snippets(list_name, features) -%}
+{% for f in features -%}
+{% if inj_enabled.get(f) -%}
+{{ list_name }}[#{{ list_name }} + 1] = [=[
+  {%- include
+     'roles/sys-srv-web-inj-' ~ f ~
+     '/templates/' ~
+     ('head' if list_name == 'head_snippets' else 'body') ~
+     '_sub.j2'
+  -%}
+]=]
+{% endif -%}
+{% endfor -%}
+{%- endmacro %}
+
+lua_need_request_body on;
+
+header_filter_by_lua_block {
+    local ct = ngx.header.content_type or ""
+    if ct:lower():find("^text/html") then
+        ngx.ctx.is_html = true
+    else
+        ngx.ctx.is_html = false
+    end
+}
+
+body_filter_by_lua_block {
+    -- only apply further processing if this is an HTML response
+    if not ngx.ctx.is_html then
+        return
+    end
+
+    -- initialize or reuse the buffer
+    ngx.ctx.buf = ngx.ctx.buf or {}
+    local chunk, eof = ngx.arg[1], ngx.arg[2]
+
+    if chunk ~= "" then
+        table.insert(ngx.ctx.buf, chunk)
+    end
+
+    if not eof then
+        -- drop intermediate chunks; we’ll emit only on eof
+        ngx.arg[1] = nil
+        return
+    end
+
+    -- on eof: concatenate all buffered chunks
+    local whole = table.concat(ngx.ctx.buf)
+    ngx.ctx.buf = nil  -- clear buffer
+
+    -- remove html CSP, due to management via infinito nexus policies
+    whole = whole:gsub(
+        '<meta[^>]-http%-equiv=["\']Content%-Security%-Policy["\'][^>]->%s*',
+        ''
+    )
+
+    -- build a list of head-injection snippets
+    local head_snippets = {}
+
+    {{ push_snippets('head_snippets', ['css','matomo','desktop','javascript','logout']) }}
+
+    -- inject all collected snippets right before </head>
+    local head_payload = table.concat(head_snippets, "\n") .. "</head>"
+    whole = string.gsub(whole, "</head>", head_payload)
+
+    -- build a list of body-injection snippets
+    local body_snippets = {}
+
+    {{ push_snippets('body_snippets', ['matomo','logout','desktop']) }}
+
+    -- inject all collected snippets right before </body>
+    local body_payload = table.concat(body_snippets, "\n") .. "</body>"
+    whole = string.gsub(whole, "</body>", body_payload)
+
+    -- finally send the modified HTML out
+    ngx.arg[1] = whole
+}

roles/sys-srv-web-inj-compose/templates/server.conf.j2

@@ -0,0 +1,7 @@
+{% if inj_enabled.css %}
+{% include 'roles/sys-srv-web-inj-css/templates/location.conf.j2' %}
+{% endif %}
+
+{% if inj_enabled.logout %}
+{% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
+{% endif %}

roles/sys-srv-web-inj-compose/vars/main.yml

@@ -0,0 +1,9 @@
+# Docker
+docker_pull_git_repository: false # Deactivated here to don't inhire this
+
+SRV_WEB_INJ_COMP_FEATURES_ALL:
+  - 'javascript'
+  - 'logout'
+  - 'css'
+  - 'matomo'
+  - 'desktop'