added header flags back in.

2025-01-15 04:37:17 +01:00 · 2024-10-01 17:04:11 +10:00 · 2024-10-01 17:04:11 +10:00 · 2b4fdea70f
commit 2b4fdea70f
parent 6c8923ae28
6 changed files with 78 additions and 78 deletions
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@ -38,18 +38,18 @@ matrix_element_call_container_labels_traefik_tls_certResolver: default  # noqa v
 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom`
-#matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}"
-#matrix_element_call_container_labels_traefik_additional_response_headers_auto: |
+matrix_element_call_container_labels_traefik_additional_response_headers_auto: |
-#  {{
+  {{
-#    {}
+    {}
-#    | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {})
+    | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {})
-#    | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {})
+    | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {})
-#    | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {})
+    | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {})
-#    | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {})
+    | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {})
-#    | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {})
+    | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {})
-#    | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {})
+    | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {})
-#  }}
+  }}
-#matrix_element_call_container_labels_traefik_additional_response_headers_custom: {}
+matrix_element_call_container_labels_traefik_additional_response_headers_custom: {}
 # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
@ -75,27 +75,27 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
-#matrix_element_call_http_header_xss_protection: "1; mode=block"
+matrix_element_call_http_header_xss_protection: ''
 # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-#matrix_element_call_http_header_frame_options: SAMEORIGIN
+matrix_element_call_http_header_frame_options: ''
 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-#matrix_element_call_http_header_content_type_options: nosniff
+matrix_element_call_http_header_content_type_options: ''
 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-#matrix_element_call_http_header_content_security_policy: frame-ancestors 'self'
+matrix_element_call_http_header_content_security_policy: ''
 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
-#matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}"
+matrix_element_call_http_header_content_permission_policy: ''
 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-#matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}"
+matrix_element_call_http_header_strict_transport_security: ''
 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
@ -106,7 +106,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `matrix_element_call_content_permission_policy`
-#matrix_element_call_floc_optout_enabled: true
+matrix_element_call_floc_optout_enabled: false
 # Controls if HSTS preloading is enabled
 #
@ -118,7 +118,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `matrix_element_call_http_header_strict_transport_security`
-#matrix_element_call_hsts_preload_enabled: true
+matrix_element_call_hsts_preload_enabled: false
 # Enable or disable metrics collection
 matrix_element_call_metrics_enabled: false
--- a/roles/custom/matrix-element-call/templates/element-call-labels.j2
+++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2
@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={
 {% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %}
 {% endif %}
-#{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
-#{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %}
+{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %}
-#traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
-#{% endfor %}
+{% endfor %}
-#{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %}
+{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %}
-#{% endif %}
+ {% endif %}
 traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }}
 {% if matrix_element_call_container_labels_traefik_priority | int > 0 %}
--- a/roles/custom/matrix-jwt-service/defaults/main.yml
+++ b/roles/custom/matrix-jwt-service/defaults/main.yml
@ -34,18 +34,18 @@ matrix_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa va
 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom`
-#matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
-#matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: |
+matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: |
-#  {{
+  {{
-#    {}
+    {}
-#    | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {})
+    | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {})
-#    | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {})
+    | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {})
-#    | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {})
+    | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {})
-#    | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {})
+    | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {})
-##    | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {})
+    | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {})
-#    | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {})
+    | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {})
-#  }}
+  }}
-#matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
+matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
 # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
@ -71,27 +71,27 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
-#matrix_jwt_service_http_header_xss_protection: "1; mode=block"
+matrix_jwt_service_http_header_xss_protection: ''
 # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-#matrix_jwt_service_http_header_frame_options: SAMEORIGIN
+matrix_jwt_service_http_header_frame_options: ''
 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-#matrix_jwt_service_http_header_content_type_options: nosniff
+matrix_jwt_service_http_header_content_type_options: ''
 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-#matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self'
+matrix_jwt_service_http_header_content_security_policy: ''
 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
-#matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}"
+matrix_jwt_service_http_header_content_permission_policy: ''
 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-#matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}"
+matrix_jwt_service_http_header_strict_transport_security: ''
 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
@ -102,7 +102,7 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `matrix_jwt_service_content_permission_policy`
-#matrix_jwt_service_floc_optout_enabled: true
+matrix_jwt_service_floc_optout_enabled: false
 # Controls if HSTS preloading is enabled
 #
@ -114,4 +114,4 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `matrix_jwt_service_http_header_strict_transport_security`
-#matrix_jwt_service_hsts_preload_enabled: true
+matrix_jwt_service_hsts_preload_enabled: true
--- a/roles/custom/matrix-jwt-service/templates/labels.j2
+++ b/roles/custom/matrix-jwt-service/templates/labels.j2
@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{
 {% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %}
 {% endif %}
-#{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
-#{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %}
+{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %}
-#traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
-#{% endfor %}
+{% endfor %}
-#{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %}
+{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %}
-#{% endif %}
+{% endif %}
 traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }}
 {% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %}
--- a/roles/custom/matrix-livekit-server/defaults/main.yml
+++ b/roles/custom/matrix-livekit-server/defaults/main.yml
@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default  # noqa
 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom`
-#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
-#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: |
+matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: |
-#  {{
+  {{
-#    {}
+    {}
-#    | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {})
+    | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {})
-#    | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {})
+    | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {})
-#    | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {})
+    | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {})
-#    | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {})
+    | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {})
-#    | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {})
+    | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {})
-#    | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {})
+    | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {})
-#  }}
+  }}
-#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {}
+matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {}
 # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
-#matrix_livekit_server_http_header_xss_protection: "1; mode=block"
+matrix_livekit_server_http_header_xss_protection: ''
 # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-#matrix_livekit_server_http_header_frame_options: SAMEORIGIN
+matrix_livekit_server_http_header_frame_options: ''
 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-#matrix_livekit_server_http_header_content_type_options: nosniff
+matrix_livekit_server_http_header_content_type_options: ''
 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self'
+matrix_livekit_server_http_header_content_security_policy: ''
 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
-#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}"
+matrix_livekit_server_http_header_content_permission_policy: ''
 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}"
+matrix_livekit_server_http_header_strict_transport_security: ''
 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
@ -100,7 +100,7 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `matrix_livekit_server_content_permission_policy`
-#matrix_livekit_server_floc_optout_enabled: true
+matrix_livekit_server_floc_optout_enabled: false
 # Controls if HSTS preloading is enabled
 #
@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `matrix_livekit_server_http_header_strict_transport_security`
-#matrix_livekit_server_hsts_preload_enabled: true
+matrix_livekit_server_hsts_preload_enabled: true
--- a/roles/custom/matrix-livekit-server/templates/labels.j2
+++ b/roles/custom/matrix-livekit-server/templates/labels.j2
@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes
 {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %}
 {% endif %}
-#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
-#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %}
+{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %}
-#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
-#{% endfor %}
+{% endfor %}
-#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %}
+{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %}
-#{% endif %}
+{% endif %}
 traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }}
 {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %}