Optimized Wordpress conf and solved snipe-it CSP bug

cli/deploy.py

@@ -5,7 +5,7 @@ import subprocess
 import os
 import datetime
 
-def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=None, verbose=0, skip_tests=False):
+def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=None, verbose=0, skip_tests:bool=False):
     start_time = datetime.datetime.now()
     print(f"\n▶️ Script started at: {start_time.isoformat()}\n")
     
@@ -44,20 +44,60 @@ def run_ansible_playbook(inventory, playbook, modes, limit=None, password_file=N
 
 def main():
     script_dir = os.path.dirname(os.path.realpath(__file__))
-    parser = argparse.ArgumentParser(description="Run Ansible Playbooks")
+    parser = argparse.ArgumentParser(
+        description="Run the central Ansible deployment script to manage infrastructure, updates, and tests."
+    )
 
-    parser.add_argument("inventory", help="Path to the inventory file")
-    parser.add_argument("--limit", help="Limit execution to a specific server")
-    parser.add_argument("--host-type", choices=["server", "personal-computer"], default="server")
-    parser.add_argument("--reset", action="store_true")
-    parser.add_argument("--test", action="store_true")
-    parser.add_argument("--update", action="store_true")
-    parser.add_argument("--backup", action="store_true")
-    parser.add_argument("--cleanup", action="store_true")
-    parser.add_argument("--debug", action="store_true")
-    parser.add_argument("--password-file")
-    parser.add_argument("--skip-tests", action="store_true")
-    parser.add_argument("-v", "--verbose", action="count", default=0)
+    parser.add_argument(
+        "inventory",
+        help="Path to the inventory file (INI or YAML) containing hosts and variables."
+    )
+    parser.add_argument(
+        "--limit",
+        help="Restrict execution to a specific host or host group from the inventory."
+    )
+    parser.add_argument(
+        "--host-type",
+        choices=["server", "personal-computer"],
+        default="server",
+        help="Specify whether the target is a server or a personal computer. Affects role selection and variables."
+    )
+    parser.add_argument(
+        "--reset", action="store_true",
+        help="Reset all CyMaIS files and configurations, and run the entire playbook (not just individual roles)."
+    )
+    parser.add_argument(
+        "--test", action="store_true",
+        help="Run test routines instead of production tasks. Useful for local testing and CI pipelines."
+    )
+    parser.add_argument(
+        "--update", action="store_true",
+        help="Enable the update procedure to bring software and roles up to date."
+    )
+    parser.add_argument(
+        "--backup", action="store_true",
+        help="Perform a full backup of critical data and configurations before the update process."
+    )
+    parser.add_argument(
+        "--cleanup", action="store_true",
+        help="Clean up unused files and outdated configurations after all tasks are complete."
+    )
+    parser.add_argument(
+        "--debug", action="store_true",
+        help="Enable detailed debug output for Ansible and this script."
+    )
+    parser.add_argument(
+        "--password-file",
+        help="Path to the file containing the Vault password. If not provided, prompts for the password interactively."
+    )
+    parser.add_argument(
+        "--skip-tests", action="store_true",
+        help="Skip running 'make test' even if tests are normally enabled."
+    )
+    parser.add_argument(
+        "-v", "--verbose", action="count", default=0,
+        help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output)."
+    )
 
     args = parser.parse_args()
 

filter_plugins/csp_filters.py

@@ -117,7 +117,7 @@ class FilterModule(object):
 
                 # ReCaptcha integration: allow loading scripts from Google if feature enabled
                 if self.is_feature_enabled(applications, 'recaptcha', application_id):
-                    if directive == 'script-src-elem':
+                    if directive in ['script-src-elem',"frame-src"]:
                         tokens.append('https://www.gstatic.com')
                         tokens.append('https://www.google.com')
 

roles/docker-mailu/vars/configuration.yml

@@ -9,7 +9,7 @@ domain:                   "{{primary_domain}}"              # The main domain fr
 credentials:                                     
 features:
   matomo:                 true
-  css:                    true
+  css:                    false
   portfolio_iframe:       false                             # Deactivated mailu iframe loading until keycloak supports it
   oidc:                   true
   central_database:       false                             # Deactivate central database for mailu, I don't know why the database deactivation is necessary
@@ -20,5 +20,5 @@ csp:
   flags:
     style-src:
       unsafe-inline:        true
-    script-src-elem:
+    script-src:
       unsafe-inline:        true

roles/docker-mariadb/tasks/main.yml

@@ -38,9 +38,12 @@
 
 - name: Wait until the MariaDB container is healthy
   community.docker.docker_container_info:
-    name: "{{applications.mariadb.hostname }}"
+    name: "{{ applications.mariadb.hostname }}"
   register: db_info
-  until: db_info.containers[0].State.Health.Status == "healthy"
+  until:
+  - db_info.containers is defined
+  - db_info.containers | length > 0
+  - db_info.containers[0].State.Health.Status == "healthy"
   retries: 30
   delay: 5
   when:

roles/docker-nextcloud/Update.md

@@ -1,13 +0,0 @@
-# Update Nextcloud (manuel)
-
-To perform a manuel Nexcloud update execute:
-
-```bash
-docker-compose exec -T -u www-data application /var/www/html/occ upgrade
-docker-compose exec -T -u www-data application /var/www/html/occ maintenance:repair --include-expensive
-docker-compose exec -T -u www-data application /var/www/html/occ app:update --all
-docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-columns
-docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-indices
-docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-primary-keys
-docker-compose exec -T -u www-data application /var/www/html/occ maintenance:mode --off
-```

roles/docker-nextcloud/docs/OCC.md

@@ -9,49 +9,6 @@ To use OCC, run:
 ```bash
 docker-compose exec -it -u www-data application /var/www/html/occ
 ```
-## User Administration 
-
-### List Users
-```bash
-docker compose exec -it -u www-data application php occ user:list
-```
-
-### Get User Info
-```bash
-docker compose exec -u www-data application php occ user:info {{username}}
-```
-
-### Sync Users
-```bash
-docker compose exec -it -u www-data application php occ user:sync
-```
-
-### Create user via CLI
-```bash
-docker compose exec -it -u www-data application php occ user:add {{username}}
-```
-
-### Make user admin via cli
-```bash
-docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
-```
-
-### Delete user via CLI
-```bash
-docker compose exec -it -u www-data application php occ user:delete {{username}}
-```
-
-### Delete all User (if no ldap is used)
-```bash 
-for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
-    docker compose exec -u www-data application php occ user:delete "$user"
-done
-```
-
-### Identify users which exist still in nextcloud but not in LDAP anymore
-```bash 
-occ ldap:show-remnants
-```
 
 ## App Administration
 ```bash

roles/docker-nextcloud/docs/Users.md

@@ -0,0 +1,43 @@
+# User Administration 
+
+### List Users
+```bash
+docker compose exec -it -u www-data application php occ user:list
+```
+
+### Get User Info
+```bash
+docker compose exec -u www-data application php occ user:info {{username}}
+```
+
+### Sync Users
+```bash
+docker compose exec -it -u www-data application php occ user:sync
+```
+
+### Create user via CLI
+```bash
+docker compose exec -it -u www-data application php occ user:add {{username}}
+```
+
+### Make user admin via cli
+```bash
+docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
+```
+
+### Delete user via CLI
+```bash
+docker compose exec -it -u www-data application php occ user:delete {{username}}
+```
+
+### Delete all User (if no ldap is used)
+```bash 
+for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
+    docker compose exec -u www-data application php occ user:delete "$user"
+done
+```
+
+### Identify users which exist still in nextcloud but not in LDAP anymore
+```bash 
+occ ldap:show-remnants
+```

roles/docker-nextcloud/tasks/main.yml

@@ -64,3 +64,11 @@
     'Removing' in db_indices_result.stdout or 
     'updated successfully' in db_indices_result.stdout
   failed_when: db_indices_result.rc != 0
+
+- name: Ensure Nextcloud administrator is in the 'admin' group
+  command: >
+    docker exec -u {{ nextcloud_docker_user }} {{ applications.nextcloud.container.application }}
+    php occ group:adduser admin {{ applications.nextcloud.users.administrator.username }}
+  register: add_admin_to_group
+  changed_when: "'Added user' in add_admin_to_group.stdout"
+  failed_when: add_admin_to_group.rc != 0 and "'is already a member of' not in add_admin_to_group.stderr"

roles/docker-nextcloud/vars/configuration.yml

@@ -22,7 +22,7 @@ oidc:
 credentials:
 features:
   matomo:                       true
-  css:                          true
+  css:                          false
   portfolio_iframe:             false
   ldap:                         true
   oidc:                         true

roles/docker-presentation/vars/configuration.yml

@@ -17,8 +17,10 @@ csp:
   flags:
     style-src:
       unsafe-inline: true
+    script-src:
+      unsafe-eval:  true
     script-src-elem:
-      unsafe-eval:   true
+      unsafe-inline: true
 domains:
   canonical:
     - "slides.{{ primary_domain }}"

roles/docker-snipe-it/vars/configuration.yml

@@ -9,10 +9,13 @@ domains:
     - "inventory.{{ primary_domain }}"
 csp:
   flags:
+    script-src:
+      unsafe-inline:  true
+      unsafe-eval:    true
     script-src-elem:
-      unsafe-inline: true
+      unsafe-inline:  true
     style-src:
-      unsafe-inline: true
+      unsafe-inline:  true
   whitelist:
     font-src:
       - "data:"

roles/docker-wordpress/tasks/main.yml

@@ -6,7 +6,7 @@
 - name: "Include role nginx-domain-setup for {{ application_id }}"
   include_role:
     name: nginx-domain-setup
-  loop: "{{ domains.wordpress }}"
+  loop: "{{ applications[application_id].domains.canonical }}"
   loop_control:
     loop_var: domain
   vars:

roles/docker-wordpress/vars/configuration.yml

@@ -22,6 +22,7 @@ csp:
       unsafe-inline:  true
     script-src-elem:
       unsafe-inline:  true
+    script-src:
       unsafe-eval:    true
   whitelist:
     worker-src:
@@ -34,6 +35,9 @@ csp:
       - "blog.{{ primary_domain }}"
     style-src:
       - "https://fonts.bunny.net"
+    frame-src:
+      - "blob:"
+      - "*.{{ primary_domain }}"
 domains:
   canonical:
     - "blog.{{ primary_domain }}"