From 798b98ec9dbc78a1ae0ef2c087b63c59f6467ba4 Mon Sep 17 00:00:00 2001
From: muppeth
Date: Mon, 21 Mar 2022 20:13:46 +0000
Subject: [PATCH 1/4] simple php template to test things (#21)

just simple php template.

Co-authored-by: muppeth
Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/21
Reviewed-by: meaz
---
 .../etc/nginx/sites-available/basephp.j2 | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 templates/etc/nginx/sites-available/basephp.j2

diff --git a/templates/etc/nginx/sites-available/basephp.j2 b/templates/etc/nginx/sites-available/basephp.j2
new file mode 100644
index 0000000..1506017
--- /dev/null
+++ b/templates/etc/nginx/sites-available/basephp.j2
@@ -0,0 +1,54 @@
+{% extends "core.j2" %}
+
+{% block root %}
+ root {{ nginx_www_dir }}{{ item.root }};
+ index {{ item.index }};
+{% endblock %}
+
+{% block location %}
+ location / {
+ try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
+ }
+{% endblock %}
+{% block app_root_location %}
+{% endblock %}
+
+{% block extra_locations %}
+{% endblock %}
+
+{% block custom_locations %}
+{% endblock %}
+
+{% block local_content %}
+{% if item.manage_local_content is not defined %}
+ # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+ # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+ location ~ /\. {
+ deny all;
+ }
+
+{% if item.favicon is defined %}
+ location /favicon.ico {
+ alias {{ item.favicon }};
+ expires 30d;
+ access_log off;
+ log_not_found off;
+ }
+{% endif %}
+
+ location ~* \.(txt|js|css|png|jpe?g|gif|ico|svg)$ {
+ expires 30d;
+ log_not_found off;
+ }
+{% endif %}
+{% endblock %}
+{% block app_specific %}
+ location ~ \.php$ {
+{% if item.upstream_params is defined and item.upstream_params is iterable %}
+{% for param in item.upstream_params %}
+ {{ param }}
+{% endfor %}
+{% endif %}
+ }
+{% endblock %}
+
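Review bot: The `location ~ \.php$` block at the end of the hunk hands every URI ending in `.php` to whatever `item.upstream_params` renders, with no `try_files $uri =404;` guard, so a request such as `/uploads/x.jpg/y.php` still reaches the FastCGI backend although no such script exists; with PHP's `cgi.fix_pathinfo=1` and no `security.limit_extensions` on the php-fpm side that is the well-known path-info code-execution misconfiguration. Add `try_files $uri =404;` as the first line inside that location (before the `{% for %}` loop) so nginx rejects non-existent scripts itself, unless the rendered `upstream_params` already carry an equivalent guard — they are not visible here. Note also that `location ~ /\.` covers `/.well-known/`, which matters if ACME HTTP-01 challenges are expected to be served by this vhost rather than handled in `core.j2`.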
From e02433bb25ee4245beb87c9b758379da7013bf7d Mon Sep 17 00:00:00 2001
From: muppeth
Date: Tue, 29 Mar 2022 21:45:07 +0000
Subject: [PATCH 2/4] changes to cryptpad template; small fix for core template (#20)

Co-authored-by: muppeth
Co-authored-by: meaz
Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/20
Reviewed-by: meaz
Co-authored-by: muppeth
Co-committed-by: muppeth
---
 templates/etc/nginx/sites-available/core.j2 | 2 +-
 .../etc/nginx/sites-available/cryptpad.j2 | 24 +++++++++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/templates/etc/nginx/sites-available/core.j2 b/templates/etc/nginx/sites-available/core.j2
index 3fc1314..6f20165 100644
--- a/templates/etc/nginx/sites-available/core.j2
+++ b/templates/etc/nginx/sites-available/core.j2
@@ -57,10 +57,10 @@ server {
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
+{% endif %}
 {% if item.header_sameorigin is defined %}
 add_header X-Frame-Options "SAMEORIGIN";
 {% endif %}
-{% endif %}
 {% if item.nginx_HSTS_policy is defined %}
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 {% endif %}
diff --git a/templates/etc/nginx/sites-available/cryptpad.j2 b/templates/etc/nginx/sites-available/cryptpad.j2
index aae927f..50c1773 100644
--- a/templates/etc/nginx/sites-available/cryptpad.j2
+++ b/templates/etc/nginx/sites-available/cryptpad.j2
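Review bot: Moving the `{% endif %}` makes `X-Frame-Options "SAMEORIGIN"` depend only on `item.header_sameorigin`, independently of the outer `{% if %}` whose opening line lies above this hunk; that is a behaviour change for hosts that disable the header group and is worth a line in the role's defaults or README, since the nesting no longer documents it. Separately, none of the `add_header` lines here, including the one that moved, pass the `always` parameter, so these headers are absent on 4xx/5xx responses; `add_header X-Frame-Options "SAMEORIGIN" always;` (and the same for HSTS) closes that gap. Keep in mind nginx's inheritance rule that any `add_header` inside a `location` discards every server-level `add_header`, which the app templates extending `core.j2` need to respect.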
@@ -24,13 +24,16 @@
 add_header Access-Control-Allow-Origin "*";
- set $coop '';
+ #set $coop '';
 #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+ # Opt out of Google's FLoC Network
+ add_header Permissions-Policy interest-cohort=();
+
 # Enable SharedArrayBuffer in Firefox (for .xlsx export)
 add_header Cross-Origin-Resource-Policy cross-origin;
- add_header Cross-Origin-Opener-Policy $coop;
 add_header Cross-Origin-Embedder-Policy require-corp;
+
 # any static assets loaded with "ver=" in their URL will be cached for a year
 if ($args ~ ver=) {
 set $cacheControl max-age=31536000;
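Review bot: Dropping `add_header Cross-Origin-Opener-Policy $coop;` while keeping `Cross-Origin-Embedder-Policy require-corp` leaves the retained comment `# Enable SharedArrayBuffer in Firefox (for .xlsx export)` inaccurate: browsers only grant SharedArrayBuffer (cross-origin isolation) when COOP `same-origin` and COEP `require-corp` are both present, so COEP alone will not enable the export, and the page also loses COOP's protection against other origins holding a reference to its window. If the header was removed because `$coop` (now commented out) was empty on most paths, consider sending it unconditionally on the document routes, `add_header Cross-Origin-Opener-Policy same-origin;`, or rewrite the comment to state that SharedArrayBuffer is deliberately not enabled. The enclosing server block opens and closes outside this hunk.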
@@ -42,23 +45,24 @@
 add_header Cache-Control $cacheControl;
 # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
- set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
+ set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
 # connect-src restricts URLs which can be loaded using script interfaces
- set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
+ set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
 # fonts can be loaded from data-URLs or the main domain
- set $fontSrc "'self' data: ${main_domain}";
+ set $fontSrc "'self' data: https://${main_domain}";
 # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
- set $imgSrc "'self' data: * blob: ${main_domain}";
+ set $imgSrc "'self' data: blob: https://${main_domain}";
 # frame-src specifies valid sources for nested browsing contexts.
 # this prevents loading any iframes from anywhere other than the sandbox domain
- set $frameSrc "'self' ${sandbox_domain} blob:";
+ set $frameSrc "'self' https://${sandbox_domain} blob:";
 # specifies valid sources for loading media using video or audio
- set $mediaSrc "'self' data: * blob: ${main_domain}";
+ #set $mediaSrc "'self' data: * blob: ${main_domain}";
+ set $mediaSrc "blob:";
 # defines valid sources for webworkers and nested browser contexts
 # deprecated in favour of worker-src and frame-src
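Review bot: The new `$connectSrc` no longer lists `${files_domain}`, which the removed line did; if that variable is still set for a separate upload/file origin (its definition is outside this hunk), `fetch`/XHR of stored files from that origin will now be blocked by `connect-src` and show up only as CSP violation reports rather than a clear error. Either append it in the same scheme-qualified form the rest of the line now uses — `set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain} https://${files_domain}";` — or delete the unused variable so the intent is explicit. The scheme-qualified sources and the removal of `*` from `img-src` are a real tightening, but the comment above `$imgSrc` still says images "can be loaded from anywhere" and should be reworded to match the new value; likewise `$mediaSrc "blob:"` drops `'self'`, which should be intentional given media served from the main origin would now be blocked.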
@@ -66,10 +70,10 @@
 # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
 # supercedes child-src but is unfortunately not yet universally supported.
- set $workerSrc "https://${main_domain}";
+ set $workerSrc "'self'";
 # script-src specifies valid sources for javascript, including inline handlers
- set $scriptSrc "'self' resource: ${main_domain}";
+ set $scriptSrc "'self' resource: https://${main_domain}";
 set $unsafe 0;
 # the following assets are loaded via the sandbox domain
From 541f4cdfefcdbe8e8abb836d22a7c9c51de66242 Mon Sep 17 00:00:00 2001
From: muppeth
Date: Sun, 8 May 2022 07:03:15 +0000
Subject: [PATCH 3/4] Privatebin Var Update (#23)

small changes to the template reflecting upstream docs.

Co-authored-by: muppeth
Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/23
Reviewed-by: meaz
---
 .../etc/nginx/sites-available/privatebin.j2 | 25 +++++++------------
 1 file changed, 9 insertions(+), 16 deletions(-)

diff --git a/templates/etc/nginx/sites-available/privatebin.j2 b/templates/etc/nginx/sites-available/privatebin.j2
index 3a32da5..363f2b8 100644
--- a/templates/etc/nginx/sites-available/privatebin.j2
+++ b/templates/etc/nginx/sites-available/privatebin.j2
@@ -2,7 +2,7 @@
 {% block root %}
 root {{ nginx_www_dir }}{{ item.root }};
 index {{ item.index }};
- try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
+ try_files {{ item.override_try_files | default('try_files $uri $uri/ /index.php$is_args$args') }};
 {% endblock %}
 {% block location %}
@@ -28,22 +28,7 @@
 {% endblock %}
-{% block extra_upstreams %}
-map $http_user_agent $pastebin_badagent {
- ~*bot 1;
- ~*spider 1;
- ~*crawl 1;
- ~https?:// 1;
- WhatsApp 1;
- SkypeUriPreview 1;
- facebookexternalhit 1;
-}
-{% endblock %}
-
 {% block app_specific %}
- if ($pastebin_badagent) {
- return 403;
- }
 location /cfg {
 return 403;
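Review bot: The new default in the `try_files` line of `block root` repeats the directive name inside the value, so the rendered config reads `try_files try_files $uri $uri/ /index.php$is_args$args;`; nginx will most likely accept that and probe `$root/try_files` as a first candidate file, which silently masks the typo instead of failing `nginx -t`. The default should hold only the arguments: `try_files {{ item.override_try_files | default('$uri $uri/ /index.php$is_args$args') }};`. Since the line also starts forwarding the query string to `index.php` through `$is_args$args`, hosts that set `override_try_files` themselves should be told to include it as well, or the override will quietly regress that behaviour.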
@@ -52,4 +37,12 @@ map $http_user_agent $pastebin_badagent {
 location /data {
 deny all;
 }
+{% if item.file_cache is defined and item.file_cache is iterable %}
+{% for param in item.file_cache %}
+ open_file_cache {{ param.cache }};
+ open_file_cache_valid {{ param.valid }};
+ open_file_cache_min_uses {{ param.min_users }};
+ open_file_cache_errors {{ param.cache_errors }};
+{% endfor %}
+{% endif %}
 {% endblock %}
From 18283258c9fde5ceacb2b22ab29d28aa9f093789 Mon Sep 17 00:00:00 2001
From: muppeth
Date: Tue, 10 May 2022 19:27:56 +0000
Subject: [PATCH 4/4] cryptpad - fixed unsafe csp header directives for sandbox (#24)

Co-authored-by: muppeth
Reviewed-on: https://git.disroot.org/Disroot-Ansible/nginx/pulls/24
Reviewed-by: meaz
---
 templates/etc/nginx/sites-available/cryptpad.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/etc/nginx/sites-available/cryptpad.j2 b/templates/etc/nginx/sites-available/cryptpad.j2
index 50c1773..e55eeb7 100644
--- a/templates/etc/nginx/sites-available/cryptpad.j2
+++ b/templates/etc/nginx/sites-available/cryptpad.j2
@@ -91,7 +91,7 @@
 # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
 if ($unsafe) {
- set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
 }
 # Finally, set all the rules you composed above.
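Review bot: The four `open_file_cache*` directives are emitted once per element of `item.file_cache`, but nginx allows each of them only once per context, so an inventory list with two entries yields a duplicate-directive error at `nginx -t` time; if a single mapping is intended, read it directly (`{{ item.file_cache.cache }}` and so on) or document that the list must contain exactly one element. The key `param.min_users` feeding `open_file_cache_min_uses` reads like a typo for `min_uses`; naming it after the directive, `open_file_cache_min_uses {{ param.min_uses }};`, avoids a confusing inventory variable. The `is iterable` test also passes for a plain string or a dict, so it does not actually guard the shape of the value — a short comment stating the expected structure next to the `{% if %}` would help. The enclosing `app_specific` block starts above this hunk.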