dd3ec070f7
### Security-Fixes (K1–K6, W1–W4, W7, N1, N5–N6, V1, V5–V7)
- K1: CSRF-Schutz via Double-Submit-Cookie (httpapi/csrf.go + csrf_helpers.go)
- K2: requireScreenAccess() in allen manage-Handlern (Tenant-Isolation)
- K3: Tenant-Check bei DELETE /api/v1/media/{id}
- K4: requirePlaylistAccess() + GetByItemID() für JSON-API Playlist-Routen
- K5: Admin-Passwort nur noch als [gesetzt] geloggt
- K6: POST /api/v1/screens/register mit Pre-Shared-Secret (MORZ_INFOBOARD_REGISTER_SECRET)
- W1: Race Condition bei order_index behoben (atomare Subquery in AddItem)
- W2: Graceful Shutdown mit 15s Timeout auf SIGTERM/SIGINT
- W3: http.MaxBytesReader (512 MB) in allen Upload-Handlern
- W4: err.Error() nicht mehr an den Client
- W7: Template-Execution via bytes.Buffer (kein partial write bei Fehler)
- N1: Rate-Limiting auf /login (5 Versuche/Minute pro IP, httpapi/ratelimit.go)
- N5: Directory-Listing auf /uploads/ deaktiviert (neuteredFileSystem)
- N6: Uploads nach Tenant getrennt (uploads/{tenantSlug}/)
- V1: Upload-Logik konsolidiert in internal/fileutil/fileutil.go
- V5: Cookie-Name als Konstante reqcontext.SessionCookieName
- V6: Strukturiertes Logging mit log/slog + JSON-Handler
- V7: DB-Pool wird im Graceful-Shutdown geschlossen
### Phase 6: Screenshot-Erzeugung
- player/agent/internal/screenshot/screenshot.go erstellt
- Integration in app.go mit MORZ_INFOBOARD_SCREENSHOT_EVERY Config
### UX: PDF.js Integration
- pdf.min.js + pdf.worker.min.js als lokale Assets eingebettet
- Automatisches Seitendurchblättern im Player
### Ansible: Neue Rollen
- signage_base, signage_server, signage_provision erstellt
- inventory.yml und site.yml erweitert
### Konzept-Docs
- GRUPPEN-KONZEPT.md, KAMPAGNEN-AKTIVIERUNG.md, MONITORING-KONZEPT.md
- PROVISION-KONZEPT.md, TEMPLATE-EDITOR.md, WATCHDOG-KONZEPT.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
58 lines
1.6 KiB
Django/Jinja
58 lines
1.6 KiB
Django/Jinja
---
|
||
# Managed by Ansible – signage_server role
|
||
# Do not edit manually on the server.
|
||
|
||
services:
|
||
backend:
|
||
image: git.az-it.net/az/morz-infoboard/backend:latest
|
||
restart: unless-stopped
|
||
ports:
|
||
- "8080:8080"
|
||
environment:
|
||
MORZ_INFOBOARD_HTTP_ADDR: "${MORZ_HTTP_ADDR}"
|
||
MORZ_INFOBOARD_DATABASE_URL: "${MORZ_DATABASE_URL}"
|
||
MORZ_INFOBOARD_UPLOAD_DIR: /app/uploads
|
||
MORZ_INFOBOARD_STATUS_STORE_PATH: /app/data/status
|
||
MORZ_INFOBOARD_MQTT_BROKER: "${MORZ_MQTT_BROKER}"
|
||
MORZ_INFOBOARD_MQTT_USERNAME: "${MORZ_MQTT_USERNAME}"
|
||
MORZ_INFOBOARD_MQTT_PASSWORD: "${MORZ_MQTT_PASSWORD}"
|
||
MORZ_INFOBOARD_ADMIN_PASSWORD: "${MORZ_ADMIN_PASSWORD}"
|
||
MORZ_INFOBOARD_DEFAULT_TENANT: "${MORZ_DEFAULT_TENANT}"
|
||
MORZ_INFOBOARD_DEV_MODE: "${MORZ_DEV_MODE}"
|
||
volumes:
|
||
- ./uploads:/app/uploads
|
||
- ./data:/app/data
|
||
depends_on:
|
||
db:
|
||
condition: service_healthy
|
||
|
||
db:
|
||
image: postgres:17-alpine
|
||
restart: unless-stopped
|
||
environment:
|
||
POSTGRES_USER: morz_infoboard
|
||
POSTGRES_PASSWORD: "${MORZ_DB_PASSWORD}"
|
||
POSTGRES_DB: morz_infoboard
|
||
volumes:
|
||
- db_data:/var/lib/postgresql/data
|
||
healthcheck:
|
||
test: ["CMD-SHELL", "pg_isready -U morz_infoboard"]
|
||
interval: 10s
|
||
timeout: 5s
|
||
retries: 5
|
||
|
||
mqtt:
|
||
image: eclipse-mosquitto:2
|
||
restart: unless-stopped
|
||
ports:
|
||
- "1883:1883"
|
||
- "9001:9001"
|
||
volumes:
|
||
- ./mosquitto/config:/mosquitto/config:ro
|
||
- mosquitto_data:/mosquitto/data
|
||
- mosquitto_log:/mosquitto/log
|
||
|
||
volumes:
|
||
db_data:
|
||
mosquitto_data:
|
||
mosquitto_log:
|