Commit Graph

2805 Commits

Author SHA1 Message Date
b9fbf92461 proxy(cors): make ACAO opt-in; remove hardcoded default
Stop forcing Access-Control-Allow-Origin to $scheme://$host. This default broke Element (element.infinito.nexus) -> Synapse (matrix.infinito.nexus) CORS and blocked login. Now ACAO is only set when 'aca_origin' is provided; otherwise we defer to the upstream app (e.g., Synapse) to emit correct CORS headers. Also convert top comments to Jinja block comment.

Discussion & debugging details: https://chatgpt.com/share/68de2236-4aec-800f-adc5-d025922c8753
2025-10-02 08:57:14 +02:00
6824e444b0 Changed bitnami images to legacy. See https://github.com/bitnami/containers/issues/83267. 2025-10-02 07:31:20 +02:00
5cdcc18a99 Fix PeerTube OIDC plugin automation
- Store oidc_settings as proper YAML dict with correct keys
- Ensure plugin is installed only if missing
- Update DB settings as jsonb and enforce enabled/uninstalled state
- Add CLI enforcement for plugin activation
- Correct task conditions (enable/disable logic) with boolean filters

Ref: https://chatgpt.com/share/68dd1d16-9b34-800f-b2bf-a3fe058f25b1
2025-10-01 14:23:07 +02:00
e7702948b8 EspoCRM role: custom image + single data volume + runtime flag setter
• Build a custom image and replace upstream entrypoint with docker-entrypoint-custom.sh (strict fail on flag script).

• Introduce set_flags.php and wire via ESPOCRM_SET_FLAGS_SCRIPT; apply flags at container start; clear cache afterwards.

• Keep exactly one Docker volume (data:/var/www/html/); drop separate custom/extensions mounts.

• Compose: use custom image, add healthchecks & depends_on for daemon/websocket; keep service healthy gating.

• Ansible: deploy scripts, build & up via handlers; patch siteUrl as www-data; run upgrade non-fatal; always run flag setter.

• Vars/Env: add ESPO_INIT_* toggles and ESPOCRM_SET_FLAGS_SCRIPT; refactor variables for scripts & custom image paths.

Conversation context: https://chatgpt.com/share/68dd1992-020c-800f-bcf5-2db60cb4aab2
2025-10-01 14:08:09 +02:00
09a4c243d7 Add centralized include for Access-Control-Allow headers across proxy/service Nginx templates and align ACA vars for simpleicons task.
Ref: https://chatgpt.com/share/68dbf59c-f424-800f-aa27-787db52e260f
2025-09-30 17:22:28 +02:00
1d5a50abf2 Optimized path building 2025-09-30 16:36:28 +02:00
0d99c7f297 Nextcloud: refactor Talk → HPB, switch to bridge mode, and template cleanups
- Change Talk (HPB) network_mode from host → bridge and drop TURN relay range mapping
- Remove obsolete nginx restart handler; rely on 'docker compose up' notify
- Fix spreed task condition to use HPB standalone flag
- docker-compose.yml.j2: parameterize service names, use NEXTCLOUD_*_SERVICE vars, align host-gateway condition with HPB, tidy ports/expose/network blocks
- env.j2/nginx configs: rename TALK_* → HPB_* variables and locations; use templated NEXTCLOUD_SERVICE for php upstream
- vars: introduce entity_name; centralize *SERVICE keys; rename all Talk vars to HPB; adjust whiteboard keys; compute URLs/JSON configs accordingly
- spreed plugin vars: point to HPB signaling/STUN/TURN and internal secret

Ref: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-09-30 12:52:15 +02:00
0a17e54d8c Nextcloud: set conservative Docker resource limits and template cleanups
- Add CPU/memory/PID limits for redis, database, proxy, cron, talk, whiteboard
- Keep nextcloud service unchanged except existing settings
- Normalize service_name templating and indentation in docker-compose.yml.j2
- Mount Janus config for Talk via volume

Ref: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-09-30 11:54:14 +02:00
bf94338845 Nextcloud/Nginx: wire Talk signaling WS location via reusable snippet
Conditionally include the generic WebSocket proxy block for NEXTCLOUD_TALK_SIGNALING_ENABLED. Set location_ws to '^~ <location>' and ws_port to NEXTCLOUD_PORT, then include roles/sys-svc-proxy/templates/location/ws.conf.j2. This enables proper Upgrade/Connection headers and disables buffering for the signaling path.

Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-09-30 11:17:54 +02:00
5d42b78b3d Nextcloud: extend CSP for Talk & disable keeporsweep
CSP: add cloud.<PRIMARY_DOMAIN> to connect-src and frame-src (both HTTP and WS) and allow worker-src 'blob:' for web workers used by Talk/Collabora.

Apps: disable keeporsweep (installation no longer possible) and document reason.

Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-09-30 11:15:32 +02:00
26a1992d84 Nextcloud/Talk: add Janus config & fix WebSocket proxying
Nginx: define 'map $http_upgrade $connection_upgrade' once in http{} and reuse; drop duplicate map from ws_generic vhost; tidy ws location headers/spacing. Nextcloud: add WS location for standalone signaling; render & mount Janus config (NAT 1:1, ICE enforce/ignore lists, libnice hardening); extend CSP (connect-src/frame-src for cloud & collabora, worker-src blob:); disable keeporsweep app; replace nginx reload handler with compose up; add NEXTCLOUD_HOST_JANUS_CONF_PATH and related vars.

Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-09-30 11:14:15 +02:00
2439beb95a Added correct minio http statuscodes 2025-09-29 17:29:29 +02:00
251f7b227d Add healthchecks for all Taiga services, fix RabbitMQ env var names, and define TAIGA_HOSTNAME
Details:
- Implemented healthchecks for taiga, async, rabbitmq, front, events, protected, and gateway
- Corrected RabbitMQ env variables (RABBITMQ_DEFAULT_USER/PASS/VHOST/ERLANG_COOKIE)
- Added TAIGA_HOSTNAME for backend service

See: https://chatgpt.com/share/68da9d6b-b164-800f-bcb7-410b40219a1e
2025-09-29 17:09:42 +02:00
3fbb9c38a8 Solved coturn volume bug 2025-09-29 15:33:50 +02:00
29e8b3a590 Deactivated recording for Big Blue Button 2025-09-29 15:23:48 +02:00
27b89d8fb6 Taiga: refactor service naming & resource limits
Add CPU/memory/pids limits for taiga, async, front, gateway, events, async-rabbitmq, events-rabbitmq, manager, and protected. Align manager service usage (was taiga-manage) in admin tasks and inits compose. Switch to variable-driven service names (TAIGA_* vars), add container_name patterns, normalize volume mappings via TAIGA_VOLUME_STATIC/MEDIA, fix depends_on to use TAIGA_* vars, and set RabbitMQ hostnames from vars. Remove obsolete Development.md.

Conversation reference: https://chatgpt.com/share/68da83b7-0cb4-800f-9702-d8a2d4ebea71  (replace with this chat’s share link)
2025-09-29 15:04:12 +02:00
55f2d15e93 Fix coturn container/volume separation: use COTURN_CONTAINER for container_name and map COTURN_VOLUME to /var/lib/coturn
Details:
- Removed anonoumys volume
- Renamed container_name variable to COTURN_CONTAINER
- Added dedicated COTURN_VOLUME with _data suffix for persistence
- Mount COTURN_VOLUME into /var/lib/coturn

Reference: https://chatgpt.com/share/68da6f12-b238-800f-932b-e37c8a50dddd
2025-09-29 13:36:30 +02:00
aa19a97ed6 CORS/CSP hardening & centralization
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
  (dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys

Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00
c06d1c4d17 Refactor yay update handling:
- Move AUR update task into dev-yay role
- Centralize defaults (AUR_HELPER, AUR_BUILDER_USER, etc.)
- Remove separate update-yay role (redundant)

See conversation with ChatGPT https://chatgpt.com/share/68da3219-6d78-800f-92ad-0a5061bac8be and related work item:
https://open.project.infinito.nexus/projects/cymais/work_packages/341/activity
2025-09-29 09:16:02 +02:00
66f294537d Replaced fixed 'web' service call for exec with 'ESPOCRM_SERVICE' variable for exec call 2025-09-28 15:52:44 +02:00
a9097a3ec3 web-app-espocrm: add resource limits, init/stop settings and cleanups
- Added CPU, memory and PID limits for espocrm, daemon and websocket services
- Enabled init process and graceful stop (SIGTERM, 30s) in docker-compose
- Adjusted env template (removed forced True/default flags)
- Introduced entity_name/ESPOCRM_SERVICE in vars for service naming
- Minor cleanup of get_app_conf defaults

Ref: https://chatgpt.com/share/68d937ce-9c34-800f-9136-54baed9c91c7
2025-09-28 15:50:28 +02:00
fc59c64273 Nextcloud Talk: fix virtual-background web check by
- adding explicit MIME types for .wasm and .tflite in internal Nginx
- relaxing CSP (script-src: allow 'unsafe-eval') for WebAssembly
- removing obsolete turnserver draft.
Details: https://chatgpt.com/share/68d7dd39-50b8-800f-ab59-cfb1d3cf07cb
2025-09-27 14:49:42 +02:00
dbbb3510f3 Refactor TURN/STUN config:
- Removed ?transport=udp from Nextcloud Talk TURN server definitions
- Dropped --no-tcp-relay to allow TCP fallback
- Removed invalid UDP mapping on TLS port
- Introduced switch between REST secret auth and lt-cred-mech via COTURN_USER_AUTH_ENABLED
- Added user_auth_enabled flag in coturn config for flexibility

See: https://chatgpt.com/share/68d7d601-3558-800f-bc84-00d7e8fc3243
2025-09-27 14:18:29 +02:00
eb3bf543a4 Removed turn and stun protocol prefix 2025-09-27 13:58:46 +02:00
4f5602c791 Nextcloud Talk: fix TURN/STUN config
- Removed duplicate Admin Manual link in README
- Fixed turnserver.config.php draft return syntax
- Unified onboard port handling in docker-compose and env
- Updated vars to define STUN/TURN configs with correct schemas
- Ensured spreed plugin config serializes clean JSON arrays

Ref: https://chatgpt.com/share/68d7cfa2-7378-800f-9ecf-09b6bb768f13
2025-09-27 13:51:17 +02:00
75d476267e Optimized Nextcloud variables 2025-09-27 12:14:57 +02:00
c3e5db7f2e Cleaned up LDAP entries to keep it more clean 2025-09-27 11:30:39 +02:00
dfd2d243b7 Enabled recordings for BBB because https://github.com/bigbluebutton/bigbluebutton/issues/9202 was solved 2025-09-27 11:28:07 +02:00
78ad2ea4b6 nextcloud(spreed): output valid JSON via to_json for signaling/stun/turn; keep internal_secret plain https://chatgpt.com/share/68d75f71-6de8-800f-854c-207771c8d883 2025-09-27 05:52:32 +02:00
c362e160fc Nextcloud: switch Talk to host networking; update proxy routing and compose; centralize Talk secrets & spreed config; remove Greenlight block
Conversation: https://chatgpt.com/share/68d74e25-c068-800f-ae20-d0e34ac8ee12
2025-09-27 05:03:48 +02:00
a044028e03 Nextcloud Talk integration cleanup: unify secrets and signaling config
- Replace inline get_app_conf secrets in env.j2 with dedicated vars (TURN, signaling, internal)
- Correctly model signaling_servers as object {servers, secret} in spreed.yml
- Use UDP stun_turn port instead of TLS for transport=udp
- Add fallback logic for standalone Coturn role in main.yml
- Remove obsolete Greenlight section from BBB override

Ref: https://chatgpt.com/share/68d74e25-c068-800f-ae20-d0e34ac8ee12
2025-09-27 04:39:11 +02:00
7405883b48 BigBlueButton & Nextcloud:
- Switch to custom BBB Docker repository
- Externalize Coturn and Collabora by default
- Add dedicated 03_dependencies.yml for dependency handling
- Improve env templating with lowercased feature flags
- Add conditional healthcheck for Greenlight
- Refactor TURN/STUN/relay handling with role variable _BBB_COTURN_ROLE
- Extend Collabora/Greenlight dependency wiring in override file
- Nextcloud Talk: refine vars and enable/disable logic with separate plugin/service flags, add network_mode support and conditional nginx proxy block

Ref: https://chatgpt.com/share/68d741ff-a544-800f-9e81-a565e0bab0eb
2025-09-27 03:46:57 +02:00
85db0a40db Refactor Coturn port configuration: unify STUN and TURN into stun_turn and stun_turn_tls, update vars, docker-compose template, and add robust healthcheck [https://chatgpt.com/share/68d73a2d-ef34-800f-90d2-1628822ca541] 2025-09-27 03:14:53 +02:00
8af39c32ec Override docker conf variables from parents 2025-09-27 02:41:13 +02:00
31e86ac0fc Optimized networks 2025-09-27 02:21:19 +02:00
4d223f1784 feat(web-svc-coturn): add configurable network_mode (default host) and adjust credential generation
- Introduced `COTURN_NETWORK_MODE` to support both host and bridge modes
- Updated docker-compose template to skip port publishing in host mode
- Changed user_password credential algorithm to random_hex for stronger randomness
- Set default network_mode: host in config

Ref: https://chatgpt.com/share/68d72a50-c36c-800f-9367-32c4ae520000
2025-09-27 02:05:48 +02:00
926def3d01 web-svc-coturn: Add resource limits and fix docker-compose template
- Set CPU, memory reservation/limit, and PID limit for coturn
- Ensure docker_compose_file_creation_enabled and disable git repo pulling
- Move certificate mounts to volumes and fix env var interpolation in command
- Correct realm and user formatting

See: https://chatgpt.com/share/66f65f18-799c-800a-95f4-b6b26511e9cb
2025-09-27 01:40:37 +02:00
083b7d2914 Refactor relay port ranges: set coturn to 20000–39999, BigBlueButton to 40000–49999, and Nextcloud to 50000–59999
See: https://chatgpt.com/share/68d6f6c2-f7c0-800f-bc2e-10876afff4a8
2025-09-26 22:26:44 +02:00
73a38e0b2b Refactor TURN/STUN handling:
- Split internal/external Coturn for BBB and Nextcloud
- Added dedicated relay port ranges per app
- Updated env and compose overrides for coturn
- Ensure coturn role is loaded conditionally
- Standardize credential/env passing for coturn
@See https://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea
2025-09-26 22:11:55 +02:00
e3c0880e98 Fix semi-stateless run_once label and load both docker-compose & openresty handlers
See: https://chatgpt.com/share/68d6f2f3-59a4-800f-b20e-ed1c7df9e2ff
2025-09-26 22:09:39 +02:00
a817d964e4 refactor(front-stack): introduce sys-stk-front-base and semi-stateless stack; improve coturn role docs
- Extract common HTTPS + Cloudflare + handler bootstrap into new role sys-stk-front-base
- Update sys-stk-front-proxy, web-svc-cdn, web-svc-file, web-svc-html to depend on sys-stk-front-base
- Add new sys-stk-semi-stateless role combining front-base + back-stateless
- Update web-svc-coturn to use sys-stk-semi-stateless and rewrite README/meta with detailed Coturn description
- Unify sys-util-csp-cert README heading

Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b
2025-09-26 20:25:53 +02:00
7572134e9d Removed leftover 2025-09-26 19:39:38 +02:00
97af4990aa refactor(webserver): rename roles and update references
- Rename sys-svc-webserver -> sys-svc-webserver-core
- Rename sys-stk-front-pure -> sys-svc-webserver-https
- Update includes, run_once flags, and docs across:
  * sys-ctl-mtn-cert-renew
  * sys-front-inj-*
  * sys-stk-front-proxy
  * sys-svc-certs
  * sys-svc-cln-domains
  * web-opt-rdr-*
  * web-svc-*
- Remove redundant webserver include in web-opt-rdr-www
- Fix documentation links

Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b
2025-09-26 19:34:42 +02:00
b6d0535173 Cleaned up comment 2025-09-26 18:53:46 +02:00
27d33435f8 fix(bbb): align TURN/STUN configuration with shared coturn service
- added entity_name to vars for consistent docker.service lookup
- switched docker_repository_* vars to use entity_name dynamically
- introduced BBB_TURN_DOMAIN, BBB_TURN_PORT, and BBB_STUN_PORT
  → fallback to web-svc-coturn when BBB_COTURN_ENABLED is false
- updated env.j2 to use new BBB_TURN_* vars instead of hardcoded domain/ports
- cleaned up obsolete comments and spacing

Conversation: https://chatgpt.com/share/68d6c4a8-d524-800f-9592-e8a3407cd721
2025-09-26 18:53:21 +02:00
3cc4014edf feat(coturn): add dedicated web-svc-coturn role with schema, ports, network, and docker-compose template
- registered subnet 192.168.104.48/28 for coturn in group_vars/all/09_networks.yml
- defined public ports for stun/turn and relay port range in group_vars/all/10_ports.yml
- removed obsolete TODO.md and env.j2 from role
- added schema/main.yml with credentials validation (user_password, auth_secret)
- refactored tasks to load sys-stk-back-stateless instead of sys-stk-full-stateful
- implemented docker-compose.yml.j2 with auth-secret + lt-cred-mech and TLS config
- restructured vars/main.yml with docker, ports, credentials, and certificates
- updated config/main.yml.j2 with canonical domain and service definitions

Conversation: https://chatgpt.com/share/68d6c4a8-d524-800f-9592-e8a3407cd721
2025-09-26 18:52:13 +02:00
63da669c33 Removed unnecessary 'sys-svc-proxy' wrapper tasks 2025-09-26 18:50:12 +02:00
fb04a4c7a0 Restructured Front Proxy variables 2025-09-26 18:43:09 +02:00
2968ac7f0a Removed unnecessary sys-svc-webserver import 2025-09-26 18:22:46 +02:00
1daa53017e Refactor BigBlueButton role:
- Aligned schema/main.yml credential definitions with consistent spacing
- Changed PostgreSQL secret to use random_hex_32 instead of bcrypt
- Improved administrator creation logic in tasks/02_administrator.yml:
  * First try with primary password
  * Retry with starred password if OIDC is enabled
  * Fallback to user:set_admin_role if both fail
See: https://chatgpt.com/share/68d6aa34-19cc-800f-828a-a5121fda589f
2025-09-26 16:59:28 +02:00