kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-09 18:28:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
computer-playbook/roles/sys-stk-front-proxy
History
Kevin Veen-Birkenbach aa19a97ed6 CORS/CSP hardening & centralization 
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
  (dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys

Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-09-29 12:23:58 +02:00
..
defaults
Restructured Front Proxy variables
2025-09-26 18:43:09 +02:00
meta
Refactor role naming for TLS and proxy stack
2025-08-29 14:38:20 +02:00
tasks
CORS/CSP hardening & centralization
2025-09-29 12:23:58 +02:00
vars
CORS/CSP hardening & centralization
2025-09-29 12:23:58 +02:00
README.md
Refactored server roles for better readability
2025-09-01 18:08:35 +02:00

README.md

Nginx Domain Setup 🚀

Description

This role bootstraps per-domain Nginx configuration: it requests TLS certificates, applies global modifiers, deploys a ready-made vHost file, and can optionally lock down access via OAuth2.

Overview

A higher-level orchestration wrapper, sys-stk-front-proxy ties together several lower-level roles:

  1. sys-front-inj-all applies global tweaks and includes.
  2. sys-svc-certs obtains Lets Encrypt certificates.
  3. Domain template deployment copies a Jinja2 vHost from sys-svc-proxy.
  4. web-app-oauth2-proxy (optional) protects the site with OAuth2.

The result is a complete, reproducible domain rollout in a single playbook task.

Purpose

Provide one-stop, idempotent domain provisioning for Nginx-based homelabs or small production environments.

Features

  • End-to-end TLS — certificate retrieval and secure headers included.
  • Template-driven vHosts — choose basic or ws_generic flavours (or your own).
  • Conditional OAuth2 — easily toggle authentication per application.
  • Handler-safe — automatically triggers an Nginx reload when templates change.
  • Composable — designed to be called repeatedly for many domains.

Credits 📝

Developed and maintained by Kevin Veen-Birkenbach.
Learn more at https://www.veen.world

Part of the Infinito.Nexus Project — licensed under the Infinito.Nexus NonCommercial License