collabora: misc

2024-05-19 16:30:50 +02:00 · 2024-05-19 16:30:50 +02:00 · 81f95aa14d
commit 81f95aa14d
parent 708781b722
4 changed files with 31 additions and 38 deletions
--- a/host_vars/collabora.ext.infra.auro.re.yml
+++ b/host_vars/collabora.ext.infra.auro.re.yml
@ -10,4 +10,13 @@ ifupdown2__interfaces:
    gateways: "{{ ifupdown2__gateways.adm }}"

 collabora__server_name: office.auro.re
+
+collabora__post_allow_addrs:
+  - 2a09:6840:215::1:1
+  - 45.66.111.206
+
+collabora__wopi_groups:
+  - host: https://cloud.auro.re:443
+    aliases:
+      - https://nextcloud.auro.re:443
 ...
--- a/playbooks/collabora.yml
+++ b/playbooks/collabora.yml
@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - collabora.pub.infra.auro.re
+    - collabora.ext.infra.auro.re
  roles:
    - collabora
 ...
--- a/roles/collabora/defaults/main.yml
+++ b/roles/collabora/defaults/main.yml
@ -0,0 +1,4 @@
+---
+collabora__post_allow_addrs: []
+collabora__wopi_groups: []
+...
--- a/roles/collabora/templates/coolwsd.xml.j2
+++ b/roles/collabora/templates/coolwsd.xml.j2
@ -147,35 +147,16 @@
           https://my.com/browser/a123... to https://my.com/my/sub/path/browser/a123... -->
      <service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root>
      <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
-        <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
-        <host desc="The IPv6 loopback (localhost) address.">::1</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 1.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 2.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 3.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 10.0.0.0/8 subnet (Podman).">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
+{% for addr in collabora__post_allow_addrs %}
+{% if addr is ansible.utils.ipv6 %}
+        <host>{{ addr | regex_escape }}</host>
+{% elif addr is ansible.utils.ipv4 %}
+        <host>{{ addr | regex_escape }}</host>
+        <host>{{ '::ffff:' + addr | regex_escape }}</host>
+{% endif %}
+{% endfor %}
      </post_allow>
      <lok_allow desc="Allowed hosts as an external data source inside edited files. All allowed post_allow.host and storage.wopi entries are also considered to be allowed as a data source. Used for example in: PostMessage Action_InsertGraphics, =WEBSERVICE() function, external reference in the cell.">
-        <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
-        <host desc="The IPv6 loopback (localhost) address.">::1</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 1.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 2.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 172.16.0.0/12 subnet part 3.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="The IPv4 private 10.0.0.0/8 subnet (Podman).">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
-        <host desc="Localhost access by name">localhost</host>
      </lok_allow>
      <content_security_policy desc="Customize the CSP header by specifying one or more policy-directive, separated by semicolons. See w3.org/TR/CSP2"></content_security_policy>
      <frame_ancestors desc="OBSOLETE: Use content_security_policy. Specify who is allowed to embed the Collabora Online iframe (coolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
@ -240,16 +221,15 @@
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>

-            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
-            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
-                    add the hosts below.  If one host is accessible under multiple ip addresses
-                    or names, add them as aliases. -->
-            <!--<group>
-                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
-                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
-                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
-            </group>-->
-            <!-- More "group"s possible here -->
+            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="group">
+{% for group in collabora__wopi_groups %}
+                <group>
+                    <host allow="true">{{ group.host }}</host>
+{% for alias in group.aliases | default([]) %}
+                    <alias>{{ alias }}</alias>
+{% endfor %}
+                </group>
+{% endfor %}
            </alias_groups>

        </wopi>