diff --git a/apps/mukke/apps/web/src/hooks.server.ts b/apps/mukke/apps/web/src/hooks.server.ts index 034d07032..102c1e8a6 100644 --- a/apps/mukke/apps/web/src/hooks.server.ts +++ b/apps/mukke/apps/web/src/hooks.server.ts @@ -14,6 +14,7 @@ const PUBLIC_MANA_CORE_AUTH_URL_CLIENT = const PUBLIC_BACKEND_URL_CLIENT = process.env.PUBLIC_BACKEND_URL_CLIENT || process.env.PUBLIC_BACKEND_URL || ''; const PUBLIC_GLITCHTIP_DSN = process.env.PUBLIC_GLITCHTIP_DSN || ''; +const S3_PUBLIC_ENDPOINT = process.env.S3_PUBLIC_ENDPOINT || 'https://minio.mana.how'; export const handle: Handle = async ({ event, resolve }) => { const response = await resolve(event, { @@ -30,7 +31,9 @@ window.__PUBLIC_GLITCHTIP_DSN__ = "${PUBLIC_GLITCHTIP_DSN}"; }); setSecurityHeaders(response, { - connectSrc: [PUBLIC_MANA_CORE_AUTH_URL_CLIENT, PUBLIC_BACKEND_URL_CLIENT], + connectSrc: [PUBLIC_MANA_CORE_AUTH_URL_CLIENT, PUBLIC_BACKEND_URL_CLIENT, S3_PUBLIC_ENDPOINT], + mediaSrc: [S3_PUBLIC_ENDPOINT, 'blob:'], + imgSrc: [S3_PUBLIC_ENDPOINT], }); return response; diff --git a/docs/MAC_MINI_SERVER.md b/docs/MAC_MINI_SERVER.md index 56df73445..f14a57c57 100644 --- a/docs/MAC_MINI_SERVER.md +++ b/docs/MAC_MINI_SERVER.md 
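Review bot: The value read from `S3_PUBLIC_ENDPOINT` goes into the Content-Security-Policy header unvalidated; a deployment value with a trailing slash or path narrows the source expression, and one containing `;` or whitespace would split the directive, since the shared helper joins sources with a bare `join(' ')` (visible in the security-headers.ts hunk below). Parsing it once at module load and keeping only the origin fails fast on a malformed value and strips any path: `const S3_PUBLIC_ENDPOINT = new URL(process.env.S3_PUBLIC_ENDPOINT || 'https://minio.mana.how').origin;`. The hard-coded production fallback also means an environment that forgot to set the variable silently allows media, image and XHR traffic to minio.mana.how; consider whether an unset value should instead leave the S3 entries out of the policy.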
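Review bot: `imgSrc: [S3_PUBLIC_ENDPOINT]` has no effect as written, because the helper already emits `img-src 'self' data: https:` (see the `@@ -56,11` hunk of security-headers.ts), which permits every https origin; either drop the entry or tighten the helper's default so the per-app allow-list actually restricts something. `'blob:'` in `mediaSrc` widens the policy to same-document object URLs, which is low risk, but a short comment naming the player feature that needs it would keep a later cleanup from removing it, e.g. `mediaSrc: [S3_PUBLIC_ENDPOINT, 'blob:'], // blob: needed for object-URL playback — confirm against the player`. The enclosing `handle` function starts before this hunk.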
@@ -389,6 +389,39 @@ curl -s http://localhost:3002/api/v1/health curl -s http://localhost:3000/ ``` +The health check monitors: +- All backend APIs and web frontends +- Infrastructure (PostgreSQL, Redis) +- Matrix services (Synapse, Element, all bots) +- Monitoring stack (Grafana, Umami, GlitchTip, VictoriaMetrics) +- Alerting stack (vmalert, Alertmanager, Alert Notifier) +- Disk space for `/` and `/Volumes/ManaData` (warning at 80%, critical at 90%) +- Cloudflare Tunnel (cloudflared process) + +### Docker PATH auf dem Server + +Bei SSH-Zugriff ist Docker nicht im Standard-PATH. Für Remote-Befehle: + +```bash +# Docker liegt unter Docker Desktop +PATH=/Applications/Docker.app/Contents/Resources/bin:$PATH + +# Beispiel: Remote docker compose +ssh mana-server "PATH=/Applications/Docker.app/Contents/Resources/bin:\$PATH && docker compose -f ~/projects/manacore-monorepo/docker-compose.macmini.yml restart grafana" +``` + +### Container existiert nicht (wurde nie erstellt) + +Wenn ein Service im Health-Check als `HTTP 000` erscheint und `docker ps -a` den Container nicht zeigt, wurde er vermutlich beim letzten Deploy übersprungen: + +```bash +# Container erstellen und starten (Beispiel: Project Doc Bot) +docker compose -f docker-compose.macmini.yml up -d matrix-project-doc-bot + +# Nach Restart prüfen +docker ps --filter name=mana-matrix-bot-projectdoc --format '{{.Names}} {{.Status}}' +``` + ## Wartung ### Updates einspielen diff --git a/packages/shared-utils/src/security-headers.ts b/packages/shared-utils/src/security-headers.ts index 3f9237edc..898a663c4 100644 --- a/packages/shared-utils/src/security-headers.ts +++ b/packages/shared-utils/src/security-headers.ts @@ -25,6 +25,8 @@ interface SecurityHeadersOptions { imgSrc?: string[]; /** Additional font-src origins */ fontSrc?: string[]; + /** Additional media-src origins (audio/video sources) */ + mediaSrc?: string[]; /** Override frame-ancestors (default: 'none') */ frameAncestors?: string; } 
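Review bot: The new `mediaSrc` doc comment should state the contract callers depend on: entries are CSP source expressions (origins or schemes such as `'blob:'`), not URLs with paths, and when the list is empty no `media-src` directive is emitted at all, so media falls back to `default-src` (this conditional is in the `@@ -56,11` hunk below). Something like `/** Additional media-src sources (origins or schemes, e.g. 'blob:'); when empty no media-src directive is emitted and media falls back to default-src */`. The other options in this interface are always emitted with `'self'`, so the asymmetry is worth calling out here.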
@@ -39,6 +41,7 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO scriptSrc = [], imgSrc = [], fontSrc = [], + mediaSrc = [], frameAncestors = "'none'", } = options; @@ -56,11 +59,12 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO `img-src 'self' data: https: ${imgSrc.join(' ')}`.trim(), `connect-src 'self' https://stats.mana.how https://glitchtip.mana.how ${connectSrc.join(' ')}`.trim(), `font-src 'self' ${fontSrc.join(' ')}`.trim(), + mediaSrc.length > 0 ? `media-src 'self' ${mediaSrc.join(' ')}`.trim() : '', "object-src 'none'", "base-uri 'self'", "form-action 'self'", `frame-ancestors ${frameAncestors}`, ]; - response.headers.set('Content-Security-Policy', cspDirectives.join('; ')); + response.headers.set('Content-Security-Policy', cspDirectives.filter(Boolean).join('; ')); }
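Review bot: The new `media-src` line, like the existing directives, interpolates caller-supplied sources with a bare `mediaSrc.join(' ')`, so any entry containing whitespace, `;` or `,` splits the directive or starts a second policy, and the caller in hooks.server.ts feeds this from an environment variable. Routing every list through a small validator that rejects those characters and throws at startup closes that off without changing the emitted header for well-formed values. Note also that an empty `mediaSrc` omits the directive entirely, so media then falls back to `default-src` (set above this hunk), whereas `font-src` and the others are always emitted with `'self'`; if `default-src` is `'self'` the two are equivalent and always emitting `media-src 'self'` would be the simpler, uniform form — worth confirming. `setSecurityHeaders` begins before this hunk.
```typescript
// Reject anything that can split a directive (whitespace), end it (';') or start a second policy (',').
function joinSources(directive: string, sources: readonly string[]): string {
  for (const source of sources) {
    if (!/^[^\s;,]+$/.test(source)) {
      throw new Error(`setSecurityHeaders: invalid ${directive} source ${JSON.stringify(source)}`);
    }
  }
  return sources.join(' ');
}
// … unchanged: other directives, each switched to joinSources(...) …
    mediaSrc.length > 0 ? `media-src 'self' ${joinSources('media-src', mediaSrc)}` : '',
```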