From bdbd9ce19505d974a76c4f6a5597e6d6ed813f9a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 10 Feb 2025 23:40:39 +0100
Subject: [PATCH] eh22-wiki: setup EH22 wiki using Ansible by copying and mod. wiki config

Also introduce wiki_hosts group for applying dokuwiki role to multiple hosts.
---
 .../chaosknoten/host_vars/eh22-wiki.yaml | 11 ++++
 inventories/chaosknoten/hosts.yaml | 13 ++++
 playbooks/deploy.yaml | 2 +-
 .../eh22-wiki/nginx/eh22.easterhegg.eu.conf | 66 +++++++++++++++++++
 .../nginx/acme_challenge.conf | 2 +-
 .../public-reverse-proxy/nginx/nginx.conf | 2 +-
 6 files changed, 93 insertions(+), 3 deletions(-)
 create mode 100644 inventories/chaosknoten/host_vars/eh22-wiki.yaml
 create mode 100644 resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf

diff --git a/inventories/chaosknoten/host_vars/eh22-wiki.yaml b/inventories/chaosknoten/host_vars/eh22-wiki.yaml
new file mode 100644
index 0000000..a8814c0
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/eh22-wiki.yaml
@@ -0,0 +1,11 @@
+nginx__version_spec: ""
+nginx__configurations:
+ - name: eh22.easterhegg.eu
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
+certbot__certificate_domains:
+ - "eh22.easterhegg.eu"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 432f357..911a87d 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
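Review bot: `certbot__acme_account_email_address` points the ACME account of a shared event wiki at what appears to be a personal, plus-addressed mailbox, so Let's Encrypt expiry and renewal-failure notices reach one person; if the other certbot hosts in this inventory use the same address this is an existing convention, but a team alias is the safer choice for infrastructure more than one admin operates. Separately, `nginx__version_spec: ""` and `certbot__version_spec: ""` leave both package versions unconstrained; if the role passes an empty spec through as "any version", say so in a comment such as `# empty spec: the role installs whatever the distro repository currently offers` so the lack of pinning reads as a deliberate choice rather than an omission.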
@@ -10,6 +10,10 @@ all:
 ansible_host: cloud-intern.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ eh22-wiki:
+ ansible_host: eh22-wiki-intern.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 grafana:
 ansible_host: grafana-intern.hamburg.ccc.de
 ansible_user: chaos
@@ -55,6 +59,7 @@ all:
 hosts:
 ccchoir:
 cloud:
+ eh22-wiki:
 grafana:
 keycloak:
 lists:
@@ -83,6 +88,7 @@ all:
 nginx_hosts:
 hosts:
 ccchoir:
+ eh22-wiki:
 grafana:
 tickets:
 keycloak:
@@ -100,6 +106,7 @@ all:
 certbot_hosts:
 hosts:
 ccchoir:
+ eh22-wiki:
 grafana:
 tickets:
 keycloak:
@@ -113,6 +120,7 @@ all:
 prometheus_node_exporter_hosts:
 hosts:
 ccchoir:
+ eh22-wiki:
 tickets:
 keycloak:
 onlyoffice:
@@ -123,6 +131,7 @@ all:
 infrastructure_authorized_keys_hosts:
 hosts:
 ccchoir:
+ eh22-wiki:
 grafana:
 tickets:
 cloud:
@@ -133,3 +142,7 @@ all:
 public-reverse-proxy:
 wiki:
 zammad:
+ wiki_hosts:
+ hosts:
+ eh22-wiki:
+ wiki:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index 91cdf0f..6955b02 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -25,7 +25,7 @@
 - foobazdmx
 - name: Ensure Dokuwiki config
- hosts: wiki
+ hosts: wiki_hosts
 roles:
 - dokuwiki
diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
new file mode 100644
index 0000000..631ba7d
--- /dev/null
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
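Review bot: The new `wiki_hosts` group makes the `dokuwiki` role run against both `wiki` and `eh22-wiki`, yet the `host_vars/eh22-wiki.yaml` added in this commit defines only nginx and certbot variables; if the role takes any DokuWiki settings (site title, base URL, auth or ACL configuration) from host variables, the new host would silently get the role defaults or group-level values, which cannot be checked from this diff and should be confirmed before the playbook runs against it. Either way the group's contract is implicit, so a comment on it would help the next person who adds a wiki: `# every member gets the dokuwiki role; per-wiki settings belong in host_vars/<host>.yaml`. The enclosing `all:` inventory tree starts well outside these hunks.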
@@ -0,0 +1,66 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name eh22.easterhegg.eu;
+
+ ssl_certificate /etc/letsencrypt/live/eh22.easterhegg.eu/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/eh22.easterhegg.eu/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/eh22.easterhegg.eu/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Maximum file upload size is 20MB - change accordingly if needed
+ # See: https://www.dokuwiki.org/faq:uploadsize
+ client_max_body_size 20M;
+ client_body_buffer_size 128k;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+
+ root /var/www/dokuwiki;
+ index doku.php;
+
+ #Remember to comment the below out when you're installing, and uncomment it when done.
+ location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; }
+
+ #Support for X-Accel-Redirect
+ location ~ ^/data/ { internal ; }
+
+ location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ {
+ expires 365d;
+ }
+
+ location / { try_files $uri $uri/ @dokuwiki; }
+
+ location @dokuwiki {
+ # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+
+ location ~ \.php$ {
+ try_files $uri $uri/ /doku.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_pass unix:/var/run/php/php-fpm-dokuwiki.sock;
+ }
+}
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 30eebc7..d5ae146 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -35,7 +35,7 @@ map $host $upstream_acme_challenge_host {
 eh11.easterhegg.eu 172.31.17.151:31820;
 eh20.easterhegg.eu 172.31.17.151:31820;
 www.eh20.easterhegg.eu 172.31.17.151:31820;
- eh22.easterhegg.eu 172.31.17.159:31820;
+ eh22.easterhegg.eu 172.31.17.165:31820;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
 eh2003.hamburg.ccc.de 172.31.17.151:31820;
 www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index b5f1d98..0529f4c 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
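Review bot: The header comment promises a Mozilla intermediate TLS configuration, but this server block sets no `ssl_protocols`, `ssl_ciphers`, `ssl_session_*` or `ssl_stapling` directives, so unless the nginx role sets them at `http` level (not visible in this diff) the listener runs with nginx's built-in defaults and the `ssl_trusted_certificate` line, which here only matters for OCSP stapling, does nothing. If the http-level config does not cover it, add `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_stapling on;` and `ssl_stapling_verify on;` below the certificate lines together with the intermediate cipher list from the linked generator, or drop the header comment so it stops claiming a hardening that is not there. The four `proxy_set_header` lines are inert because requests are served through `fastcgi_pass`, not `proxy_pass`; PHP gets the client address as `REMOTE_ADDR` from the stock fastcgi_params, i.e. `$remote_addr` as rewritten by the realip module only for connections arriving from 172.31.17.140, and a comment saying exactly that would be more useful than the dead directives. Finally, the comment above the `deny all` rule invites disabling it during installation; since that rule is the only thing keeping `install.php` (and `conf/`, `inc/`, `bin/`, `vendor/`) off the public hostname, prefer deleting `install.php` once setup is done instead of relying on someone re-enabling the rule.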
@@ -53,7 +53,7 @@ stream {
 eh11.easterhegg.eu 172.31.17.151:8443;
 eh20.easterhegg.eu 172.31.17.151:8443;
 www.eh20.easterhegg.eu 172.31.17.151:8443;
- eh22.easterhegg.eu 172.31.17.159:8443;
+ eh22.easterhegg.eu 172.31.17.165:8443;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
 eh2003.hamburg.ccc.de 172.31.17.151:8443;
 www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
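Review bot: The backend for `eh22.easterhegg.eu` is a bare literal `172.31.17.165` here and again in the `acme_challenge.conf` map changed in the same commit, while the inventory addresses what is presumably the same machine as `eh22-wiki-intern.hamburg.ccc.de`; nothing ties the three together, so a later re-addressing of the host would silently route the wiki's TLS traffic and its ACME challenges to whichever machine holds .165 next. A comment on both map entries, e.g. `eh22.easterhegg.eu 172.31.17.165:8443; # eh22-wiki-intern.hamburg.ccc.de`, at least makes the pairing reviewable, and longer term the two maps could be rendered from the inventory so the address is declared once. It is also worth confirming that the previous target `172.31.17.159` no longer needs to serve this name, since after this change it is unreachable under it. The `map` block this hunk edits begins outside the hunk.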