stuff

Author: lillian

.github/workflows/wordpress.yml

@@ -0,0 +1,28 @@
+name: Build debug Docker image
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: github.repository == 'hacklabto/web-infra'
+    steps:
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v3
+      - run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+      - uses: docker/build-push-action@v2
+        with:
+          # https://github.com/docker/build-push-action/issues/378
+          context: wordpress/
+          file: Dockerfile
+          push: true
+          tags: |
+            ghcr.io/hacklabto/wordpress:${{ github.sha }}
+          cache-from: type=registry,ref=ghcr.io/hacklabto/wordpress:${{ env.BRANCH_NAME }}
+          cache-to: type=inline

hosts/www.hacklab.to/lighttpd.conf

@@ -0,0 +1,40 @@
+auth.backend                 = "ldap"
+auth.backend.ldap.hostname   = "localhost"
+auth.backend.ldap.base-dn    = "ou=people,dc=hacklab,dc=to"
+auth.backend.ldap.filter     = "(uid=$)"
+
+var.log_root    = "/var/log/lighttpd"
+var.server_root = "/var/www"
+var.state_dir   = "/run/lighttpd"
+var.home_dir    = "/var/lib/lighttpd"
+var.conf_dir    = "/etc/lighttpd"
+var.vhosts_dir  = server_root + "/vhosts"
+var.cache_dir   = "/var/cache/lighttpd"
+var.socket_dir  = home_dir + "/sockets"
+
+server.port = 8008
+server.use-ipv6 = "enable"
+server.bind = "[::1]"
+
+server.username  = "lighttpd"
+server.groupname = "lighttpd"
+
+server.pid-file = state_dir + "/lighttpd.pid"
+server.errorlog             = log_root + "/error.log"
+
+server.modules = (
+  "mod_access",
+  "mod_auth",
+  "mod_proxy",
+  "mod_openssl",
+  "mod_authn_ldap",
+  "mod_accesslog"
+)
+
+accesslog.filename          = log_root + "/access.log"
+
+$HTTP["host"] =~ "^wiki\.hacklab\.to$" {
+  server.modules += ( "mod_proxy" )
+  proxy.server = ( "" => (( "host" => "::1", "port" => 18881 )))
+  auth.require = ( "/" => ( "method" => "basic", "realm" => "Hacklab.to", "require" => "valid-user" ))
+}

hosts/www.hacklab.to/nginx-tls-deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+nginx-tls-deploy.sh_deploy() {
+	cp -r /root/.acme.sh/hacklab.to_ecc/ /etc/nginx/tls/hacklab.to/
+	chown -R nginx:nginx /etc/nginx/tls/
+	nginx -s reload
+}

hosts/www.hacklab.to/nginx.conf

@@ -0,0 +1,107 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    server {
+        listen 204.225.106.9:80;
+        # we don't have ipv6 on www right now
+        # listen [::]:80;
+        server_name  _;
+
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name _;
+        return 444;
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host hacklab.to;
+            proxy_pass http://[::1]:18883;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name www.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host hacklab.to;
+            proxy_pass http://[::1]:18883;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name wiki.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host wiki.hacklab.to;
+            proxy_pass http://[::1]:8008;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name knowledge.hacklab.to;
+        location / {
+            proxy_set_header X-Forwarded-Proto $scheme; 
+            proxy_set_header Host knowledge.hacklab.to;
+            proxy_pass http://[::1]:18882;
+        }
+    }
+
+    server {
+        listen 204.225.106.9:443 ssl;
+        ssl_certificate /etc/nginx/tls/hacklab.to/fullchain.cer;
+        ssl_certificate_key /etc/nginx/tls/hacklab.to/hacklab.to.key;
+
+        server_name members.hacklab.to;
+        return 503;
+    }
+}

wordpress/Dockerfile

@@ -0,0 +1,28 @@
+FROM alpine:latest
+
+RUN apk add unit-php82 php82-ldap php82-mysqli zip curl
+
+WORKDIR /app
+
+# Unit entrypoint, but config is in /app/config instead of /docker-entrypoint.d
+RUN wget https://raw.githubusercontent.com/nginx/unit/d48180190752201865f41b2cf1e0a6740fa2ea59/pkg/docker/docker-entrypoint.sh
+RUN sed -i 's/docker-entrypoint\.d/app\/config/g' docker-entrypoint.sh
+RUN chmod +x docker-entrypoint.sh
+
+RUN wget -O - https://wordpress.org/wordpress-6.4.2.tar.gz | tar xz
+
+# akismet is preinstalled, although maybe we will want to download a specific version of it at some point
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/contact-form-7.5.8.5.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/flamingo.2.4.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/wp-security-audit-log.zip | zip -r)
+RUN (cd wordpress/wp-content/plugins && wget -O - https://downloads.wordpress.org/plugin/wpdirauth.1.10.7.zip | zip -r)
+
+# add 
+
+WORKDIR /app/config
+COPY config.json .
+
+# mount /app/wordpress/wp-config.php:ro
+# mount /app/wordpress/wp-content/uploads/:rw
+
+CMD [ "/app/docker-entrypoint.sh", "unitd", "--no-daemon", "--user", "nobody", "--group", "nobody" ]

wordpress/config.json

@@ -0,0 +1,50 @@
+{
+	"listeners": {
+		"0.0.0.0:8080": {
+			"pass": "routes/wordpress"
+		}
+	},
+
+	"routes": {
+		"wordpress": [
+			{
+				"match": {
+					"uri": [
+						"*.php",
+						"*.php/*",
+						"/wp-admin/",
+						"/wp-content/"
+					]
+				},
+
+				"action": {
+					"pass": "applications/wordpress/direct"
+				}
+			},
+			{
+				"action": {
+					"share": "/app/wordpress$uri",
+					"fallback": {
+						"pass": "applications/wordpress/index"
+					}
+				}
+			}
+		]
+	},
+
+	"applications": {
+		"wordpress": {
+			"type": "php",
+			"targets": {
+				"direct": {
+					"root": "/app/wordpress/"
+				},
+
+				"index": {
+					"root": "/app/wordpress/",
+					"script": "index.php"
+				}
+			}
+		}
+	}
+}