From 9437f78c9e419c42cd0973ed4b1fc78598494b42 Mon Sep 17 00:00:00 2001
From: Aaron Raimist
Date: Fri, 21 May 2021 03:45:21 -0500
Subject: [PATCH] Build using custom config.json, add CSP, update to 0.1.53

---
group_vars/matrix_servers | 1 +
.../matrix-client-hydrogen/defaults/main.yml | 5 +-
roles/matrix-client-hydrogen/tasks/init.yml | 14 ++--
roles/matrix-client-hydrogen/tasks/setup.yml | 29 +++----
.../tasks/validate_config.yml | 9 +++
.../templates/nginx.conf.j2 | 66 ------------------
.../conf.d/matrix-client-hydrogen.conf.j2 | 2 +
7 files changed, 31 insertions(+), 95 deletions(-)
create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml
delete mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index f5ed72c7..d43fbb66 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1172,6 +1172,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
+matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml
index cf6e9a0c..f7a3059e 100644
--- a/roles/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/matrix-client-hydrogen/defaults/main.yml
@@ -1,10 +1,11 @@
 matrix_client_hydrogen_enabled: true
-# as of 2021-05-15 the pre-built images were not working so self building is enabled by default
+# Self building is used by default because the `config.json` file is only read at build time.
+# The pre-built images also were not functional as of 2021-05-15.
 matrix_client_hydrogen_container_image_self_build: true
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
-matrix_client_hydrogen_version: v0.1.51
+matrix_client_hydrogen_version: v0.1.53
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml
index be72a983..1115f63d 100644
--- a/roles/matrix-client-hydrogen/tasks/init.yml
+++ b/roles/matrix-client-hydrogen/tasks/init.yml
@@ -1,10 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+ fail:
+ msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
+
 - set_fact:
 matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
 when: matrix_client_hydrogen_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
- fail:
- msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml
index 3d9eea44..cb1a6f2e 100644
--- a/roles/matrix-client-hydrogen/tasks/setup.yml
+++ b/roles/matrix-client-hydrogen/tasks/setup.yml
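Review bot: The new `when:` on the fail task still fires when Hydrogen itself is disabled, because it checks only `matrix_client_hydrogen_container_image_self_build`, which defaults to `true` in defaults/main.yml; assuming init.yml is imported unconditionally (the `set_fact` below guards on `matrix_client_hydrogen_enabled|bool` for that reason), a host on Ansible < 2.8 with `matrix_client_hydrogen_enabled: false` aborts for a role it does not use. The old task carried the same condition, so this is not a regression, but the rewrite is the moment to fix it. Suggested: `when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool and ansible_version.major == 2 and ansible_version.minor < 8"`, which also adds the `|bool` cast the neighbouring task uses.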
@@ -33,6 +33,15 @@
 register: matrix_client_hydrogen_git_pull_results
 when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
 
+- name: Ensure Hydrogen configuration installed
+ copy:
+ content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
+ dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ when: matrix_client_hydrogen_enabled|bool
+
 - name: Ensure Hydrogen Docker image is built
 docker_image:
 name: "{{ matrix_client_hydrogen_docker_image }}"
@@ -44,26 +53,6 @@
 pull: yes
 when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
 
-- name: Ensure Hydrogen configuration installed
- copy:
- content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
- dest: "{{ matrix_client_hydrogen_data_path }}/config.json"
- mode: 0644
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_groupname }}"
- when: matrix_client_hydrogen_enabled|bool
-
-- name: Ensure Hydrogen config files installed
- template:
- src: "{{ item.src }}"
- dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
- mode: 0644
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_groupname }}"
- with_items:
- - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
-
 - name: Ensure matrix-client-hydrogen.service installed
 template:
 src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml
new file mode 100644
index 00000000..6d4b7d21
--- /dev/null
+++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml
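Review bot: The `Ensure Hydrogen configuration installed` copy is gated only on `matrix_client_hydrogen_enabled|bool`, but its new destination `{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json` lives inside the checkout that the preceding git task creates only under `matrix_client_hydrogen_container_image_self_build|bool`, so with self-build disabled the copy would presumably fail on a missing parent directory, and the file serves no purpose for a pre-built image anyway. Suggested: `when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"`, matching the git and build tasks. Also quote the mode, `mode: "0644"`, so the YAML parser does not turn it into the integer 420 (which Ansible happens to apply as 0644, but only by accident). Since config.json is now baked into the image, a change to `matrix_client_hydrogen_configuration` alone will not cause a rebuild unless the build task forces the source when this copy reports changed; the build task's options beyond `name` and `pull` are outside the hunk, so that is worth confirming.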
@@ -0,0 +1,9 @@
+---
+
+- name: Fail if required Hydrogen settings not defined
+ fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
+ when: "vars[item] == '' or vars[item] is none"
+ with_items:
+ - "matrix_client_hydrogen_default_hs_url"
diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2
deleted file mode 100644
index fba16bbd..00000000
--- a/roles/matrix-client-hydrogen/templates/nginx.conf.j2
+++ /dev/null
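Review bot: `msg: >` is a folded block scalar that keeps one trailing newline, so the failure text ends in `\n`; `msg: >-` strips it and is the usual form for a one-line message. The `when:` also only catches an empty or `none` value — if `matrix_client_hydrogen_default_hs_url` is not defined at all, the `vars[item]` lookup itself would presumably raise instead of producing this message; `when: "vars[item] is not defined or vars[item] == '' or vars[item] is none"` should keep the friendly message for that case too. Whether this file is only included when Hydrogen is enabled is decided outside the hunk.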
@@ -1,66 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-# This is a custom nginx configuration file that we use in the container (instead of the default one),
-# because it allows us to run nginx with a non-root user.
-#
-# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
-# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
-#
-# The following changes have been done compared to a default nginx configuration file:
-# - default server port is changed (80 -> 8080), so that a non-root user can bind it
-# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
-# - the `user` directive was removed, as we don't want nginx to switch users
-
-worker_processes 1;
-
-error_log /var/log/nginx/error.log warn;
-pid /tmp/nginx.pid;
-
-
-events {
- worker_connections 1024;
-}
-
-
-http {
- proxy_temp_path /tmp/proxy_temp;
- client_body_temp_path /tmp/client_temp;
- fastcgi_temp_path /tmp/fastcgi_temp;
- uwsgi_temp_path /tmp/uwsgi_temp;
- scgi_temp_path /tmp/scgi_temp;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- server {
- listen 8080;
- server_name localhost;
-
- root /usr/share/nginx/html;
-
- location / {
- index index.html index.htm;
- }
-
- location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
- expires -1;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-}
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
index 9224dd86..782d9a28 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
@@ -7,6 +7,8 @@
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'none'";
 {% if matrix_nginx_proxy_floc_optout_enabled %}
 add_header Permissions-Policy interest-cohort=() always;
 {% endif %}
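Review bot: The two added `add_header` lines lack the `always` flag that the Strict-Transport-Security line above them uses, so nginx emits them only on success and redirect responses and the framing restriction is missing on error pages; `add_header Content-Security-Policy "frame-ancestors 'none'" always;`. The new CSP also contradicts the `X-Frame-Options SAMEORIGIN` line directly above it: CSP-aware browsers will refuse even same-origin framing while older ones allow it, so either change that line to `add_header X-Frame-Options DENY always;` or use `frame-ancestors 'self'`, whichever is intended. `X-XSS-Protection` is a legacy header that current browsers ignore or have removed and the CSP line is its replacement, so it can be dropped, or set to `"0"` if the intent is to disable the old filter explicitly.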