Merge pull request #492 from SURFscz/add-demo-wordpress

Add demo wordpress
SURFscz · Feb 9, 2024 · 50ac9a3 · 50ac9a3
2 parents 48194a5 + cb94428
commit 50ac9a3
Show file tree

Hide file tree

Showing 30 changed files with 1,178 additions and 96 deletions.
diff --git a/docker/docker-compose.yml.py b/docker/docker-compose.yml.py
@@ -28,6 +28,7 @@
     'bhr': 29,
     'test': 30,
     'docker': 31,
+    'demo1': 32,
     'redis': 98,
     'mail': 99,
 }
@@ -37,16 +38,17 @@
 elif args.ci and not args.container:
     hosts = ['db', 'redis', 'sbs', 'test']
 elif not args.ci and args.container:
-    hosts = ['bhr', 'client', 'mail', 'lb', 'docker']
+    hosts = ['bhr', 'client', 'mail', 'lb', 'docker', 'demo1']
 else:  # classic, non-ci, non-containerized setup
-    hosts = ['bhr', 'client', 'lb', 'redis', 'mail', 'sandbox1', 'db', 'sbs', 'ldap1', 'ldap2', 'meta']
+    hosts = ['bhr', 'client', 'lb', 'redis', 'mail', 'sandbox1', 'db', 'sbs', 'ldap1', 'ldap2', 'meta', 'demo1']
 
 hosts_ip = {h: ip_lookup[h] for h in hosts}
 
 # these are the Docker containers that need to be spun up
 hosts = {
     'bhr': 29,
     'docker': 31,
+    'demo1': 32,
 }
 
 # the old non-containerized setup needs more hosts
@@ -72,7 +74,8 @@
 # these are the hostnames of virtual hosts on the load balancer
 logical_hosts = [
     'sbs', 'ldap', 'meta',
-    'oidc-op', 'sandbox1', 'pam'
+    'oidc-op', 'sandbox1', 'pam',
+    'demo1'
 ]
 
 subnet = '172.20.1'
@@ -169,9 +172,9 @@ def create_compose() -> Dict[str, Any]:
     }
     compose['services'] = dict()
     for h, ip in hosts_ip.items():
-        if h=='mail':
+        if h == 'mail':
             compose['services'][h] = mail_config(ip, h)
-        elif h=='redis':
+        elif h == 'redis':
             compose['services'][h] = redis_config(ip, h)
         else:
             compose['services'][h] = host_config(ip, h)

diff --git a/docker/hosts b/docker/hosts
@@ -12,5 +12,6 @@
 172.20.1.29 bhr.vm.scz-vm.net
 172.20.1.30 test.vm.scz-vm.net
 172.20.1.31 docker.vm.scz-vm.net
+172.20.1.32 demo1.vm.scz-vm.net
 172.20.1.40 websso.scz-vm.net
 172.20.1.41 webssod.scz-vm.net
diff --git a/environments/docker/group_vars/container.yml b/environments/docker/group_vars/container.yml
@@ -11,6 +11,8 @@ environment_string: "SCZ Container"
 base_domain: "scz-vm.net"
 internal_base_domain: "vm.scz-vm.net"
 
+sram_conf_dir: "/opt/sram"
+
 # externally visible!
 hostnames:
   sbs:      sbs.{{base_domain}}

diff --git a/environments/docker/group_vars/demo1.yml b/environments/docker/group_vars/demo1.yml
@@ -0,0 +1,36 @@
+---
+# Ugly docker deploy hack
+environment_name: vm
+letsencrypt_enabled: false
+# letsencrypt_staging: false
+
+sram_conf_dir: "/opt/sram"
+
+internal_network: sram
+
+containers:
+  etherpad: sram-etherpad
+  wordpress: sram-wordpress
+  wordpress_cli: sram-wordpress-cli
+  database: sram-db
+
+images:
+  etherpad: ghcr.io/surfscz/sram-etherpad:main
+  wordpress: wordpress:6
+  wordpress_cli: wordpress:cli
+  database: mariadb:11
+
+demo_hosts:
+  demo1: demo1.vm.scz-vm.net
+
+ports:
+  etherpad: 9001
+  wordpress: 9002
+
+# oidc:
+#   demo1:
+#     client_id: client
+#     client_secret: secret
+
+# letsencrypt_hosts:
+#   - "{{ hostsnames.demo1 }}"
diff --git a/environments/docker/group_vars/docker.yml b/environments/docker/group_vars/docker.yml
@@ -27,8 +27,6 @@ images:
 
 ldap_uri: "ldap://localhost/"
 
-sram_conf_dir: "/opt/sram"
-
 traefik_network: traefik
 internal_network: sram
 

diff --git a/environments/docker/inventory b/environments/docker/inventory
@@ -20,11 +20,15 @@ bhr.vm.scz-vm.net ansible_host=172.20.1.29
 [container_docker]
 docker.vm.scz-vm.net ansible_host=172.20.1.31
 
+[container_demo1]
+demo1.vm.scz-vm.net ansible_host=172.20.1.32
+
 [container:children]
 container_lb
 container_docker
 container_client
 container_bhr
+container_demo1
 
 ##########################################
 # role-based groups
@@ -62,6 +66,9 @@ container_bhr
 [docker:children]
 container_docker
 
+[demo1:children]
+container_demo1
+
 ##########################################
 # all
 [sram:children]

diff --git a/provision.yml b/provision.yml
@@ -53,24 +53,26 @@
   tasks:
     - { import_tasks: "tasks/versions.yml", tags: "always"     }
   roles:
-    - { role: basic,          tags: ['common','basic']                               }
-    - { role: certificates,   tags: ['common','cert']                                }
-    - { role: apt,            tags: ['common','apt']                                 }
-    - { role: users,          tags: ['common','users']                               }
-    - { role: logging,        tags: ['common','logging']                             }
-    - { role: firewall,       tags: ['common','firewall'],     when: "not is_docker" }
-    - { role: ntp,            tags: ['common','ntp']                                 }
-    - { role: aws-cleanup,    tags: ['common','clean']                               }
-    - { role: mail,           tags: ['common','mail']                                }
-    - { role: backups,        tags: ['common','backups']                             }
-    - { role: zabbix-agent,   tags: ['common','zabbix-agent'],                       }
+    - { role: basic,          tags: ['common','basic']         }
+    - { role: certificates,   tags: ['common','cert']          }
+    - { role: apt,            tags: ['common','apt']           }
+    - { role: users,          tags: ['common','users']         }
+    - { role: logging,        tags: ['common','logging']       }
+    - { role: firewall,       tags: ['common','firewall'],
+        when: "not is_docker" }
+    - { role: ntp,            tags: ['common','ntp']           }
+    - { role: aws-cleanup,    tags: ['common','clean']         }
+    - { role: mail,           tags: ['common','mail']          }
+    - { role: backups,        tags: ['common','backups']       }
+    - { role: zabbix-agent,   tags: ['common','zabbix-agent']  }
 
 - name: "bhr2"
   hosts: "bhr2"
   roles:
-    - { role: backup_collector,  tags: ['bhr2','backup_collector']                        }
-    - { role: logging_collector, tags: ['bhr2','logging_collector']                       }
-    - { role: zabbix-server,     tags: ['bhr2','zabbix-server'],    when: "not is_docker" }
+    - { role: backup_collector,  tags: ['bhr2','backup_collector']  }
+    - { role: logging_collector, tags: ['bhr2','logging_collector'] }
+    - { role: zabbix-server,     tags: ['bhr2','zabbix-server'],
+        when: "not is_docker" }
 
 - name: "bhr11"
   hosts: "bhr11"
@@ -96,6 +98,7 @@
     - { import_tasks: "tasks/versions.yml", tags: ['common']  }
   roles:
     - { role: docker,                       tags: ['docker'] }
+    - { role: docker_traefik,               tags: ['docker'] }
     - { role: docker_images,                tags: ['images', 'docker_images'] }
     - { role: docker_db,                    tags: ['db', 'docker_db'],
         when: environment_name!='tst2' }
@@ -110,10 +113,12 @@
   tasks:
     - { import_tasks: "tasks/versions.yml", tags: ['common'] }
   roles:
-    - { role: http_redirect,   tags: ['lb','http_redirect']                             }
-    - { role: tls_letsencrypt, tags: ['lb','tls_letsencrypt'], when: not use_fixed_cert }
-    - { role: tls_fixed_cert,  tags: ['lb','tls_fixedcert'],   when: use_fixed_cert     }
-    - { role: lb_haproxy,      tags: ['lb','haproxy']                                   }
+    - { role: http_redirect,   tags: ['lb','http_redirect']    }
+    - { role: tls_letsencrypt, tags: ['lb','tls_letsencrypt'],
+        when: not use_fixed_cert }
+    - { role: tls_fixed_cert,  tags: ['lb','tls_fixedcert'],
+        when: use_fixed_cert     }
+    - { role: lb_haproxy,      tags: ['lb','haproxy']          }
 
 - name: "database"
   hosts: db
@@ -159,7 +164,7 @@
   roles:
     - { role: oidc-op,              tags: ['client','oidc-op'      ] }
 
-- name: "demo clients"
+- name: "demo clients bhr13"
   hosts: bhr13
   tasks:
     - { import_tasks: "tasks/versions.yml", tags: ['common'] }
@@ -171,6 +176,18 @@
     - { role: sram_monitor,         tags: ['bhr13','sram-monitor']   }
     - { role: scim_monitor,         tags: ['bhr13','scim-monitor']   }
 
+- name: "demo clients demo1"
+  hosts: demo1
+  tasks:
+    - { import_tasks: "tasks/versions.yml", tags: ['common'] }
+  roles:
+    - { role: docker,               tags: ['demo1','demo-docker'] }
+    - { role: demo-apache,          tags: ['demo1','demo-apache']  }
+    - { role: letsencrypt,          tags: ['demo1','demo-letsencrypt'],
+        when: letsencrypt_enabled }
+    - { role: demo-etherpad,        tags: ['demo1','demo-etherpad']  }
+    # - { role: demo-wordpress,       tags: ['demo1','demo-wordpress'] }
+
 # CI test docker
 - name: "test"
   hosts: test

diff --git a/roles/demo-apache/files/index.html b/roles/demo-apache/files/index.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+</head>
+  <body>
+    <p>
+      <a href="/ep/">Etherpad Demo</a>
+    </p>
+    <p>
+      <a href="/wp/">Wordpress Demo</a>
+    </p>
+  </body>
+<html>
diff --git a/roles/demo-apache/handlers/main.yml b/roles/demo-apache/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart apache
+  systemd:
+    name: apache2
+    state: restarted
diff --git a/roles/demo-apache/tasks/main.yml b/roles/demo-apache/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install apache
+  apt:
+    state: present
+    name:
+      - apache2
+      - libapache2-mod-auth-openidc
+
+- name: Enable apache modules
+  apache2_module:
+    state: present
+    name: "{{ item }}"
+    ignore_configcheck: true
+  with_items:
+    - rewrite
+    - proxy_http
+    - headers
+  notify: "restart apache"
+
+- name: Remove default apache config
+  file:
+    path: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify: "restart apache"
+
+- name: copy apache proxy config
+  template:
+    src: apache.conf.j2
+    dest: /etc/apache2/sites-enabled/10-demo1.conf
+    mode: 0644
+  notify: "restart apache"
+
+- name: copy index.html
+  copy:
+    src: index.html
+    dest: /var/www/html
+    mode: 0644
+  notify: "restart apache"
diff --git a/roles/demo-apache/templates/apache.conf.j2 b/roles/demo-apache/templates/apache.conf.j2
@@ -0,0 +1,78 @@
+{% if letsencrypt_enabled %}
+<VirtualHost *:443>
+{% else %}
+<VirtualHost *:80>
+{% endif %}
+        ServerName {{ demo_hosts.demo1 }}
+
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+
+        Alias /.well-known/acme-challenge/ /var/www/certbot/.well-known/acme-challenge/
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+{% if letsencrypt_enabled %}
+        SSLEngine on
+        SSLCertificateFile    /etc/letsencrypt/live/{{demo_hosts.demo1}}/fullchain.pem
+        SSLCertificateKeyFile /etc/letsencrypt/live/{{demo_hosts.demo1}}/privkey.pem
+{% endif %}
+
+        # Authentication Header
+{% if letsencrypt_enabled %}
+        # Remove OIDC option when using Basic Auth
+        OIDCProviderMetadataURL https://proxy.sram.surf.nl/.well-known/openid-configuration
+        OIDCClientID {{ oidc.demo1.client_id }}
+        OIDCClientSecret {{ oidc.demo1.client_secret }}
+        OIDCResponseType "code"
+        OIDCResponseMode "query"
+        OIDCScope "openid profile uid"
+
+        OIDCRedirectURI /redirect_uri
+        OIDCCryptoPassphrase randompassword
+
+        RequestHeader unset X-Authenticated-User
+        RequestHeader unset X-Authenticated-Name
+        RequestHeader set X-Authenticated-User expr=%{ENV:OIDC_CLAIM_uid}
+        RequestHeader set X-Authenticated-Name expr=%{ENV:OIDC_CLAIM_uid}
+
+        <LocationMatch ^/(redirect_uri|ep/|wp/wp-admin|wp/wp-login.php)>
+            Require valid-user
+            AuthType openid-connect
+        </LocationMatch>
+{% else %}
+        RequestHeader set X-Authenticated-User "demo1"
+        RequestHeader set X-Authenticated-Name "Demo1"
+{% endif %}
+
+        ProxyPreserveHost on
+        #RequestHeader set X-Forwarded-Host expr=%{HTTP_HOST}
+        #RequestHeader set X-Forwarded-Proto expr=%{HTTPS}
+        #RequestHeader set X-Forwarded-Port "443"
+
+        RewriteEngine on
+
+        # Etherpad Reverse Proxy
+        RedirectMatch 301 /ep$ /ep/
+        <LocationMatch "^/ep/(.*)">
+            RewriteCond %{HTTP:Connection} =Upgrade       [NC]
+            RewriteCond %{HTTP:Upgrade} =websocket        [NC]
+            RewriteRule /ep/(.*) ws://localhost:9001/$1   [P,L]
+            RewriteCond %{HTTP:Connection} !=Upgrade      [NC]
+            RewriteCond %{HTTP:Upgrade} !=websocket       [NC]
+            RewriteRule /ep/(.*) http://localhost:9001/$1 [P,L]
+        </LocationMatch>
+
+        # Wordpress Reverse Proxy
+        RedirectMatch 301 /wp$ /wp/
+        <LocationMatch "^/wp/(.*)">
+            ProxyPassMatch http://localhost:{{ports.wordpress}}/$1
+            ProxyPassReverse http://localhost:{{ports.wordpress}}/$1
+        </LocationMatch>
+</VirtualHost>
+
+# Letsencrypt fallback
+<VirtualHost *:80>
+        DocumentRoot /var/www/certbot
+</VirtualHost>
diff --git a/roles/demo-etherpad/defaults/main.yml b/roles/demo-etherpad/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+etherpad_basedir: "{{ sram_conf_dir }}/etherpad"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		---
		etherpad_basedir: "{{ sram_conf_dir }}/etherpad"