Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

upload-logger.json

@@ -0,0 +1,56 @@
+{
+  "modules": {
+    "flood": true,
+    "filename": true,
+    "mime_sniff": true,
+    "hashing": true,
+    "base64_detection": true,
+    "raw_peek": false,
+    "archive_inspect": true,
+    "quarantine": true
+  },
+  "paths": {
+    "log_file": "logs/uploads.log",
+    "quarantine_dir": "quarantine",
+    "state_dir": "state",
+    "allowlist_file": "allowlist.json"
+  },
+  "limits": {
+    "max_size": 52428800,
+    "raw_body_min": 512000,
+    "sniff_max_bytes": 8192,
+    "sniff_max_filesize": 2097152,
+    "hash_max_filesize": 10485760,
+    "archive_max_inspect_size": 52428800,
+    "archive_max_entries": 200
+  },
+  "ops": {
+    "quarantine_owner": "root",
+    "quarantine_group": "www-data",
+    "quarantine_dir_perms": "0700",
+    "block_suspicious": false,
+    "log_rotate": {
+      "enabled": true,
+      "size": 10485760,
+      "keep": 7
+    }
+  },
+  "allowlists": {
+    "base64_uris": [
+      "/api/uploads/avatars",
+      "/api/v1/avatars",
+      "/user/avatar",
+      "/media/upload",
+      "/api/media",
+      "/api/uploads",
+      "/api/v1/uploads",
+      "/attachments/upload",
+      "/upload",
+      "#^/internal/webhook#",
+      "#/hooks/(github|gitlab|stripe|slack)#",
+      "/services/avatars",
+      "/api/profile/photo"
+    ],
+    "ctypes": ["image/svg+xml","application/xml","text/xml"]
+  }
+}