aa19a97ed6
CORS/CSP hardening & centralization
...
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
(dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys
Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00
5e616d3962
web: general domain cleanup (canonical/aliases normalization)
...
- Normalize domain blocks across apps:
- Add explicit 'aliases: []' everywhere (no implicit aliases)
- Standardize canonical subdomains for consistency:
* Bluesky: web/api under *.bluesky.<PRIMARY_DOMAIN>
* EspoCRM: espo.crm.<PRIMARY_DOMAIN>
* Gitea: tea.git.<PRIMARY_DOMAIN>
* GitLab: lab.git.<PRIMARY_DOMAIN>
* Joomla: joomla.cms.<PRIMARY_DOMAIN>
* Magento: magento.shop.<PRIMARY_DOMAIN>
* OpenProject: open.project.<PRIMARY_DOMAIN>
* Pretix: ticket.shop.<PRIMARY_DOMAIN>
* Taiga: kanban.project.<PRIMARY_DOMAIN>
- Remove legacy/duplicate aliases and use empty list instead
- Fix 'alias' -> 'aliases' where applicable
Context: preparing for AUTO_BUILD_ALIASES=False and deterministic redirect mapping.
Ref: conversation https://chatgpt.com/share/68cd512c-c878-800f-bdf2-81737adf7e0e
2025-09-19 14:51:56 +02:00
4ae3cee36c
web-svc-logout: merge logout domains into CSP connect-src and refactor task flow
...
• Add tasks/01_core.yml to set applications[application_id].server.csp.whitelist['connect-src'] = LOGOUT_CONNECT_SRC_NEW.
• Switch tasks/main.yml to include 01_core.yml (run-once guard preserved).
• Update templates/env.j2 to emit LOGOUT_DOMAINS as a comma-separated list.
• Rework vars/main.yml: compute LOGOUT_DOMAINS, derive LOGOUT_ORIGINS with WEB_PROTOCOL, read connect-src via the get_app_conf filter, and merge/dedupe (unique).
Rationale: ensure CSP allows cross-domain logout requests for all configured services.
Conversation: https://chatgpt.com/share/68b5b07d-b208-800f-b6b2-f26934607c8a
2025-09-01 16:41:33 +02:00
9feb766e6f
replaced style-src-elem by style-src
2025-09-01 10:14:03 +02:00
2fccebbd1f
Enforce uppercase README.md and TODO.md filenames
...
- Renamed all Readme.md → README.md
- Renamed all Todo.md → TODO.md
- Added integration test (tests/integration/test_filename_conventions.py) to automatically check naming convention.
Background:
Consistency in file naming (uppercase README.md and TODO.md) avoids issues with case-sensitive filesystems and ensures desktop cards (e.g. Pretix) are properly included.
Ref: https://chatgpt.com/share/68b1d135-c688-800f-9441-46a3cbfee175
2025-08-29 18:11:53 +02:00
6ea8301364
Refactor: migrate cmp/* and srv/* roles into sys-stk/* and sys-svc/* namespaces
...
- Removed obsolete 'cmp' category, introduced 'stk' category (fa-bars-staggered icon).
- Renamed roles:
* cmp-db-docker → sys-stk-back-stateful
* cmp-docker-oauth2 → sys-stk-back-stateless
* srv-domain-provision → sys-stk-front
* cmp-db-docker-proxy → sys-stk-full-stateful
* cmp-docker-proxy → sys-stk-full-stateless
* cmp-rdbms → sys-svc-rdbms
- Updated all include_role references, vars, templates and README.md files.
- Adjusted run_once comments and variable paths accordingly.
- Updated all web-app roles to use new sys-stk/* and sys-svc/* roles.
Conversation: https://chatgpt.com/share/68b0ba66-09f8-800f-86fc-76c47009d431
2025-08-28 22:23:09 +02:00
dece6228a4
Refactor docker-compose build logic and pull policy
...
- Added conditional '--pull' flag on retry in docker-compose build handler, tied to MODE_UPDATE
- Added 'pull_policy: never' to multiple docker-compose service templates to prevent unwanted image pulls
- Fixed minor formatting issues (e.g. Nextcloud volume spacing, WordPress desktop alignment)
Reference: https://chatgpt.com/share/68b0207a-4d9c-800f-b76f-9515885e5183
2025-08-28 11:25:35 +02:00
3794aa87b0
Optimized spacing
2025-08-20 01:02:29 +02:00
022800425d
THE HUGE REFACTORING CALENDER WEEK 33; Optimized Matrix and during this updated variables, and implemented better reset and cleanup mode handling, also solved some initial setup bugs
2025-08-15 15:15:48 +02:00
0228014d34
Replaced .infinito.service and .infinito.timer by SOFTWARE_NAME suffix, optimized LICENSE link and update OIDC Realm and ID conf
2025-08-14 14:39:18 +02:00
4a65a254ae
replaced port-ui-desktop with desktop to make it more speakable
2025-08-14 11:45:08 +02:00
db0e030900
Renamed general and mode constants and implemented a check to verify that constants are just defined ones over the whole repository
2025-08-13 19:11:14 +02:00
f31565e4c5
Optimized URLS
2025-08-13 00:33:47 +02:00
c7b25ed093
Normalized run_once_, made openresty handlers without when aviable and forced flush in run_once when blocks to avoid handlers with when conditions
2025-08-08 15:32:26 +02:00
dba12b89d8
Normalized cmp-docker-proxy include
2025-08-08 12:02:14 +02:00
7f53cc3a12
Replaced web_protocol by WEB_PROTOCOL
2025-08-07 12:31:20 +02:00
9228d51e86
Restructured server config
2025-08-07 11:31:06 +02:00
99c6c9ec92
Optimized CSP check
2025-08-07 09:33:19 +02:00
44e0fea0b2
Renamed cymais to infinito and did some other optimations and logout implementations
2025-07-29 16:35:42 +02:00
f9f76892af
Solved peertube bugs
2025-07-26 08:08:51 +02:00
f62355e490
Replaced nginx native with openresty for logout injection. Right now still buggy on nextcloud and espocrm
2025-07-24 03:19:16 +02:00
5dc8ec2344
Deactivated caching
2025-07-22 13:53:20 +02:00
4b9e7dd3b7
Implemented universal logout
2025-07-22 13:14:06 +02:00
