stuff

.github/workflows/wordpress.yml

@@ -0,0 +1,28 @@
+name: Build debug Docker image
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: github.repository == 'hacklabto/wordpress'
+    steps:
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v3
+      - run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+      - uses: docker/build-push-action@v2
+        with:
+          # https://github.com/docker/build-push-action/issues/378
+          context: wordpress/
+          file: Dockerfile
+          push: true
+          tags: |
+            ghcr.io/hacklabto/wordpress:${{ github.sha }}
+          cache-from: type=registry,ref=ghcr.io/hacklabto/wordpress:${{ env.BRANCH_NAME }}
+          cache-to: type=inline

hosts/www.hacklab.to/lighttpd.conf

@@ -0,0 +1,40 @@
+auth.backend                 = "ldap"
+auth.backend.ldap.hostname   = "localhost"
+auth.backend.ldap.base-dn    = "ou=people,dc=hacklab,dc=to"
+auth.backend.ldap.filter     = "(uid=$)"
+
+var.log_root    = "/var/log/lighttpd"
+var.server_root = "/var/www"
+var.state_dir   = "/run/lighttpd"
+var.home_dir    = "/var/lib/lighttpd"
+var.conf_dir    = "/etc/lighttpd"
+var.vhosts_dir  = server_root + "/vhosts"
+var.cache_dir   = "/var/cache/lighttpd"
+var.socket_dir  = home_dir + "/sockets"
+
+server.port = 8008
+server.use-ipv6 = "enable"
+server.bind = "[::1]"
+
+server.username  = "lighttpd"
+server.groupname = "lighttpd"
+
+server.pid-file = state_dir + "/lighttpd.pid"
+server.errorlog             = log_root + "/error.log"
+
+server.modules = (
+  "mod_access",
+  "mod_auth",
+  "mod_proxy",
+  "mod_openssl",
+  "mod_authn_ldap",
+  "mod_accesslog"
+)
+
+accesslog.filename          = log_root + "/access.log"
+
+$HTTP["host"] =~ "^wiki\.hacklab\.to$" {
+  server.modules += ( "mod_proxy" )
+  proxy.server = ( "" => (( "host" => "::1", "port" => 18881 )))
+  auth.require = ( "/" => ( "method" => "basic", "realm" => "Hacklab.to", "require" => "valid-user" ))
+}

hosts/www.hacklab.to/nginx-tls-deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+nginx-tls-deploy.sh_deploy() {
+	cp -r /root/.acme.sh/hacklab.to_ecc/ /etc/nginx/tls/hacklab.to/
+	chown -R nginx:nginx /etc/nginx/tls/
+	nginx -s reload
+}

hosts/www.hacklab.to/nginx.conf

@@ -0,0 +1,107 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    server {
+        listen 204.225.106.9:80;
+        # we don't have ipv6 on www right now
+        # listen [::]:80;
+        server_name  _;
+
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name _;
+        return 444;
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host hacklab.to;
+            proxy_pass http://[::1]:18883;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name www.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host hacklab.to;
+            proxy_pass http://[::1]:18883;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name wiki.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host wiki.hacklab.to;
+            proxy_pass http://[::1]:8008;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name knowledge.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host knowledge.hacklab.to;
+            proxy_pass http://[::1]:18882;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name members.hacklab.to;
+        return 503;
+    }
+}

unit.json

@@ -0,0 +1,171 @@
+{
+	"listeners": {
+		"[::1]:18881": {
+			"pass": "routes/wiki"
+		},
+		"[::1]:18882": {
+			"pass": "routes/knowledge"
+		}
+	},
+
+	"routes": {
+		"wiki": [
+			{
+				"match": {
+					"uri": [
+						"!/tests/qunit/*",
+						"/cache/*",
+						"/includes/*",
+						"/languages/*",
+						"/maintenance/*",
+						"/tests/*",
+						"/vendor/*"
+					]
+				},
+
+				"action": {
+					"return": 404
+				}
+			},
+			{
+				"match": {
+					"uri": [
+						"/api.php*",
+						"/img_auth.php*",
+						"/index.php*",
+						"/load.php*",
+						"/mw-config/*.php",
+						"/opensearch_desc.php*",
+						"/profileinfo.php*",
+						"/rest.php*",
+						"/tests/qunit/*.php",
+						"/thumb.php*",
+						"/thumb_handler.php*"
+					]
+				},
+
+				"action": {
+					"pass": "applications/wiki/direct"
+				}
+			},
+			{
+				"match": {
+					"uri": [
+						"!*.php",
+						"!*.json",
+						"!*.htaccess",
+						"/extensions/*",
+						"/images/*",
+						"/resources/assets/*",
+						"/resources/lib/*",
+						"/resources/src/*",
+						"/skins/*"
+					]
+				},
+
+				"action": {
+					"share": "/var/www/wiki$uri"
+				}
+			},
+			{
+				"action": {
+					"pass": "applications/wiki/index"
+				}
+			}
+		],
+
+		"knowledge": [
+			{
+				"match": {
+					"uri": [
+						"!/tests/qunit/*",
+						"/cache/*",
+						"/includes/*",
+						"/languages/*",
+						"/maintenance/*",
+						"/tests/*",
+						"/vendor/*"
+					]
+				},
+
+				"action": {
+					"return": 404
+				}
+			},
+			{
+				"match": {
+					"uri": [
+						"/api.php*",
+						"/img_auth.php*",
+						"/index.php*",
+						"/load.php*",
+						"/mw-config/*.php",
+						"/opensearch_desc.php*",
+						"/profileinfo.php*",
+						"/rest.php*",
+						"/tests/qunit/*.php",
+						"/thumb.php*",
+						"/thumb_handler.php*"
+					]
+				},
+
+				"action": {
+					"pass": "applications/knowledge/direct"
+				}
+			},
+			{
+				"match": {
+					"uri": [
+						"!*.php",
+						"!*.json",
+						"!*.htaccess",
+						"/extensions/*",
+						"/images/*",
+						"/resources/assets/*",
+						"/resources/lib/*",
+						"/resources/src/*",
+						"/skins/*"
+					]
+				},
+
+				"action": {
+					"share": "/var/www/knowledge$uri"
+				}
+			},
+			{
+				"action": {
+					"pass": "applications/knowledge/index"
+				}
+			}
+		]
+	},
+
+	"applications": {
+		"wiki": {
+			"type": "php",
+			"targets": {
+				"direct": {
+					"root": "/var/www/wiki"
+				},
+
+				"index": {
+					"root": "/var/www/wiki",
+					"script": "index.php"
+				}
+			}
+		},
+		"knowledge": {
+			"type": "php",
+			"targets": {
+				"direct": {
+					"root": "/var/www/knowledge/"
+				},
+
+				"index": {
+					"root": "/var/www/knowledge/",
+					"script": "index.php"
+				}
+			}
+		}
+	}
+}

wordpress/Dockerfile

@@ -0,0 +1,28 @@
+FROM alpine:latest
+
+RUN apk add unit-php82 php82-ldap php82-mysqli zip curl
+
+WORKDIR /app
+
+# Unit entrypoint, but config is in /app/config instead of /docker-entrypoint.d
+RUN wget https://raw.githubusercontent.com/nginx/unit/d48180190752201865f41b2cf1e0a6740fa2ea59/pkg/docker/docker-entrypoint.sh
+RUN sed -i 's/docker-entrypoint\.d/app\/config/g' docker-entrypoint.sh
+RUN chmod +x docker-entrypoint.sh
+
+RUN wget -O - https://wordpress.org/wordpress-6.4.2.tar.gz | tar xz
+
+# akismet is preinstalled, although maybe we will want to download a specific version of it at some point
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/contact-form-7.5.8.5.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/flamingo.2.4.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/wp-security-audit-log.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/wpdirauth.1.10.7.zip | zip -r)
+
+# add 
+
+WORKDIR /app/config
+COPY config.json .
+
+# mount /app/wordpress/wp-config.php:ro
+# mount /app/wordpress/wp-content/uploads/:rw
+
+CMD [ "/app/docker-entrypoint.sh", "unitd", "--no-daemon", "--user", "nobody", "--group", "nobody" ]