From 4c936fc52131215646b434034e9a8bff07070d01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
Date: Wed, 14 Apr 2021 12:52:18 +0200
Subject: [PATCH] Opt out of FLoC globally

In nginx-proxy, add a permissions-policy header that opts out of
Google's Federated Learning of Cohorts (FLoC).
---
 roles/docker/files/configs/nginx-proxy/conf.d/anti-floc.conf | 2 ++
 roles/docker/tasks/services/nginx-proxy.yml                  | 4 ++++
 2 files changed, 6 insertions(+)
 create mode 100644 roles/docker/files/configs/nginx-proxy/conf.d/anti-floc.conf

diff --git a/roles/docker/files/configs/nginx-proxy/conf.d/anti-floc.conf b/roles/docker/files/configs/nginx-proxy/conf.d/anti-floc.conf
new file mode 100644
index 0000000..6a4d305
--- /dev/null
+++ b/roles/docker/files/configs/nginx-proxy/conf.d/anti-floc.conf
@@ -0,0 +1,2 @@
+# See https://developer.chrome.com/blog/floc/#how-can-websites-opt-out-of-the-floc-computation
+add_header Permissions-Policy "interest-cohort=()";
diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml
index 7e8ff41..d8da63f 100644
--- a/roles/docker/tasks/services/nginx-proxy.yml
+++ b/roles/docker/tasks/services/nginx-proxy.yml
@@ -45,3 +45,7 @@
     env:
       NGINX_PROXY_CONTAINER: nginx-proxy
 
+- name: upload nginx anti floc
+  copy:
+    src: files/configs/nginx-proxy/conf.d/anti-floc.conf
+    dst: "{{ nginx.volume_folder }}/conf/anti-floc.conf"