From 0b9056bd2bfa63c034fb90c38ce1f9b1b06a6280 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Jan 2021 20:57:33 +0100 Subject: [PATCH] add pseudo-bundle to add configs to c3voc ansible managed hosts --- bundles/c3voc-addons/files/site_template | 57 ++++++++++++++++++ bundles/c3voc-addons/items.py | 77 ++++++++++++++++++++++++ data/c3voc-addons/files | 1 + nodes/voc/pretalx.py | 22 +++++++ 4 files changed, 157 insertions(+) create mode 100644 bundles/c3voc-addons/files/site_template create mode 100644 bundles/c3voc-addons/items.py create mode 120000 data/c3voc-addons/files create mode 100644 nodes/voc/pretalx.py diff --git a/bundles/c3voc-addons/files/site_template b/bundles/c3voc-addons/files/site_template new file mode 100644 index 0000000..8b66989 --- /dev/null +++ b/bundles/c3voc-addons/files/site_template 
@@ -0,0 +1,57 @@
+server {
+ server_name ${domain};
+ root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+ index index.html index.htm;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+ ssl_dhparam /etc/ssl/dhparam4096.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ add_header Referrer-Policy same-origin;
+ add_header X-Content-Type-Options nosniff;
+
+ location /.well-known/acme-challenge/ {
+ alias /var/www/dehydrated;
+ }
+
+% if proxy:
+% for location, options in proxy.items():
+ location ${location} {
+ proxy_pass ${options['target']};
+ proxy_http_version ${options.get('http_version', '1.1')};
+ proxy_set_header Host ${domain};
+% if options.get('websockets', False):
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+% endif
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto HTTPS;
+ proxy_set_header X-Forwarded-Host ${domain};
+% for option, value in options.get('proxy_set_header', {}).items():
+ proxy_set_header ${option} ${value};
+% endfor
+% if location != '/':
+ proxy_set_header X-Script-Name ${location};
+% endif
+ proxy_buffering off;
+ }
+% endfor
+% endif
+
+% if extras:
+<%include file="extras/${node.name}/${vhost}" />
+% endif
+}
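Review bot: The ACME location cannot serve challenge files as written: `location /.well-known/acme-challenge/` ends in a slash while `alias /var/www/dehydrated;` does not, and nginx substitutes the alias for the matched prefix verbatim, so a request for `/.well-known/acme-challenge/TOKEN` is looked up at `/var/www/dehydratedTOKEN`; it should read `alias /var/www/dehydrated/;`. The `add_header` lines are also only attached to 2xx/3xx responses by default, so a 4xx/5xx relayed from `proxy_pass` goes out without HSTS and `nosniff`; append `always` to each, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;`. `proxy_set_header X-Forwarded-Proto HTTPS;` sends an upper-case value, and backends that derive `is_secure()` from this header (Django's `SECURE_PROXY_SSL_HEADER` compares the string exactly) expect `https`, so the lower-case spelling is the safer choice. Hard-coding `resolver 8.8.8.8 8.8.4.4` additionally sends every upstream name lookup as plaintext DNS to Google; if the host has a local resolver, pointing at it is preferable, but that is a deployment decision.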
diff --git a/bundles/c3voc-addons/items.py b/bundles/c3voc-addons/items.py
new file mode 100644
index 0000000..e707f52
--- /dev/null
+++ b/bundles/c3voc-addons/items.py
@@ -0,0 +1,77 @@
+pkg_apt = {
+ 'apt-transport-https': {},
+
+ 'build-essential': {},
+ 'curl': {},
+ 'git': {},
+ 'grep': {},
+ 'gzip': {},
+ 'htop': {},
+ 'jq': {},
+ 'less': {},
+ 'mtr': {},
+ 'ncdu': {},
+ 'netcat': {},
+ 'python3': {},
+ 'python3-dev': {},
+ 'python3-pip': {},
+ 'python3-virtualenv': {},
+ 'rsync': {},
+ 'tar': {},
+ 'tmux': {},
+ 'tree': {},
+ 'wget': {},
+}
+
+if node.metadata.get('apt', {}).get('packages', {}):
+ for package, options in node.metadata['apt']['packages'].items():
+ pkg_apt[package] = options
+
+actions = {
+ 'systemd-reload': {
+ 'command': 'systemctl daemon-reload',
+ 'cascade_skip': False,
+ 'triggered': True,
+ 'needed_by': {
+ 'svc_systemd:',
+ },
+ },
+}
+
+directories = {
+ '/etc/nginx/sites-enabled': {
+ 'purge': True,
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ },
+}
+
+for vhost, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
+ if not 'domain' in config:
+ config['domain'] = vhost
+
+ files['/etc/nginx/sites-available/{}'.format(vhost)] = {
+ 'source': 'site_template',
+ 'content_type': 'mako',
+ 'context': {
+ 'vhost': vhost,
+ **config,
+ },
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ }
+ symlinks['/etc/nginx/sites-enabled/{}'.format(vhost)] = {
+ 'target': '/etc/nginx/sites-available/{}'.format(vhost),
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ }
+
+ if not 'webroot' in config:
+ directories['/var/www/{}'.format(vhost)] = config.get('webroot_config', {})
+
+svc_systemd = {
+ 'nginx': {},
+}
diff --git a/data/c3voc-addons/files b/data/c3voc-addons/files
new file mode 120000
index 0000000..e2f9229
--- /dev/null
+++ b/data/c3voc-addons/files
@@ -0,0 +1 @@
+../nginx/files
\ No newline at end of file
diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py
new file mode 100644
index 0000000..6b96803
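Review bot: `config['domain'] = vhost` in the vhost loop writes back into the dict obtained from `node.metadata`, so items.py mutates node metadata as a side effect of generating items (assuming that dict is mutable, which the assignment relies on); build a local copy instead, `config = {'domain': vhost, **config}`, which also makes the preceding `if` unnecessary because the spread keeps an explicit `domain`. Every vhost file, every `sites-enabled` symlink and the purged directory trigger `svc_systemd:nginx:restart`; nginx picks up new or changed vhosts on `reload` without dropping in-flight connections, so `svc_systemd:nginx:reload` is the gentler trigger unless a full restart is deliberate. As a matter of style, `if not 'domain' in config` and `if not 'webroot' in config` read better as `if 'domain' not in config`. The base package set also puts `build-essential`, `python3-pip` and `netcat` on a production host; if they exist for pretalx builds, a one-line comment above `pkg_apt` saying so would spare the next reader from guessing.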
--- /dev/null
+++ b/nodes/voc/pretalx.py
@@ -0,0 +1,22 @@
+# Add-On for pretalx vm hosted at c3voc.
+# c3voc ansible only takes care of the basic things, this node only
+# does the things ansible does *not* do.
+
+nodes['voc.pretalx'] = {
+ 'hostname': 'pretalx.c3voc.de',
+ 'bundles': {
+ 'c3voc-addons',
+# 'pretalx',
+ 'postgresql',
+ },
+ 'metadata': {
+ 'nginx': {
+ 'vhosts': {
+ 'pretalx': {
+ 'domain': 'pretalx.c3voc.de',
+# 'extras': True,
+ },
+ },
+ },
+ },
+}
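Review bot: The commented-out `# 'pretalx',` bundle entry and `# 'extras': True,` carry no explanation, so a later reader cannot tell whether they are planned, abandoned or temporarily disabled. Either drop them or replace each with a why-comment, e.g. `# TODO: 'pretalx' bundle stays off while ansible still deploys the app` (that reason is inferred from the header comment and should be confirmed). The header comment would also be more useful if it named what this node expects ansible to have provided — at least nginx and the `/etc/letsencrypt/live/<domain>` certificates the c3voc-addons template references, since the bundle's own package list installs neither and it only declares the `nginx` service.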