From d1af9ebbbcb76b387b46a639b554b7bd2f6ba931 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sun, 14 Feb 2021 14:40:32 +0000 Subject: [PATCH 1/6] Forward kasse.z1.ccchb.de and kasse.zweigstelle.space to wiki --- host_vars/emma.ccchb.de | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de index 34b9b9c..b5763b5 100644 --- a/host_vars/emma.ccchb.de +++ b/host_vars/emma.ccchb.de @@ -27,6 +27,10 @@ haproxy_http: addr: '2a01:4f8:150:926f::11' - host: 'embassy.ccchb.de' addr: '2a01:4f8:150:926f::11' + - host: 'kasse.z1.ccchb.de' + addr: '2a01:4f8:150:926f::11' + - host: 'kasse.zweigstelle.space' + addr: '2a01:4f8:150:926f::11' - host: 'jabber.ccchb.de' addr: '2a01:4f8:150:926f::13' @@ -47,6 +51,10 @@ haproxy_sni: addr: '2a01:4f8:150:926f::11' - host: 'embassy.ccchb.de' addr: '2a01:4f8:150:926f::11' + - host: 'kasse.z1.ccchb.de' + addr: '2a01:4f8:150:926f::11' + - host: 'kasse.zweigstelle.space' + addr: '2a01:4f8:150:926f::11' - host: 'jabber.ccchb.de' addr: '2a01:4f8:150:926f::13' From ff8ad027760ac6fcbf9ba4802f0dd8511cd31271 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 16 Feb 2021 23:38:59 +0000 Subject: [PATCH 2/6] Mete role --- roles/mete/defaults/main.yml | 23 +++++++++++++++++++++++ roles/mete/tasks/main.yml | 19 +++++++++++++++++++ roles/mete/templates/nginx.j2 | 17 +++++++++++++++++ roles/mete/templates/service.j2 | 12 ++++++++++++ 4 files changed, 71 insertions(+) create mode 100644 roles/mete/defaults/main.yml create mode 100644 roles/mete/tasks/main.yml create mode 100644 roles/mete/templates/nginx.j2 create mode 100644 roles/mete/templates/service.j2 diff --git a/roles/mete/defaults/main.yml b/roles/mete/defaults/main.yml new file mode 100644 index 0000000..45f1b4f --- /dev/null +++ b/roles/mete/defaults/main.yml 
@@ -0,0 +1,23 @@
+---
+
+mete_domain: kasse.z1.ccchb.de
+mete_nginx_domains:
+ - kasse.z1.ccchb.de
+ - kasse.zweigstelle.space
+mete_app_dir: /var/www/kiosk.z1.ccchb.de/mete
+mete_app_url: "http://127.0.0.1:3000/"
+mete_nginx_config: |
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ {% for domain in mete_nginx_domains %}
+ server_name {{ domain }};
+ {% endfor %}
+
+ ssl_certificate /etc/letsencrypt/live/{{ mete_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ mete_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ mete_domain }}/chain.pem;
+
+ include snippets/certbot.conf;
+
+...
diff --git a/roles/mete/tasks/main.yml b/roles/mete/tasks/main.yml
new file mode 100644
index 0000000..952d0ee
--- /dev/null
+++ b/roles/mete/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install mete systemd unit
+ template:
+ src: service.j2
+ dest: "/etc/systemd/system/mete@{{ mete_domain }}.service"
+
+- name: Install mete nginx site
+ notify: reload nginx
+ template:
+ src: nginx.j2
+ dest: /etc/nginx/sites-available/{{ mete_domain }}
+
+- name: Activate mete site
+ file:
+ src: /etc/nginx/sites-available/{{ mete_domain }}
+ dest: /etc/nginx/sites-enabled/{{ mete_domain }}
+ state: link
+
+...
diff --git a/roles/mete/templates/nginx.j2 b/roles/mete/templates/nginx.j2
new file mode 100644
index 0000000..9a7084b
--- /dev/null
+++ b/roles/mete/templates/nginx.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+server {
+ {{ mete_nginx_config }}
+
+ location / {
+ proxy_pass {{ mete_app_url }};
+
+ satisfy any;
+
+ allow 45.152.242.34;
+ allow 2001:67c:708::/48;
+
+ auth_basic "CCCHB internal";
+ auth_basic_user_file "htpasswd";
+ }
+}
diff --git a/roles/mete/templates/service.j2 b/roles/mete/templates/service.j2
new file mode 100644
index 0000000..9856cb9
--- /dev/null
+++ b/roles/mete/templates/service.j2
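Review bot: `mete_nginx_config` emits a `server_name` for every entry of `mete_nginx_domains` but loads one certificate from `/etc/letsencrypt/live/{{ mete_domain }}/`, so unless that certificate carries kasse.zweigstelle.space as a SAN the second name will be served with a mismatched certificate; nothing in the role shows how the certificate is obtained. A comment above `mete_nginx_config` such as `# the {{ mete_domain }} certificate must cover every name in mete_nginx_domains` makes the coupling explicit for whoever runs certbot. `mete_app_dir` lives under `kiosk.z1.ccchb.de` while every name here is `kasse.*`; if that is a legacy path, say so in a comment. The mediawiki block edited later in this series gets an HSTS header; this block does not, so the two roles end up with different transport policies for the same operator.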
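Review bot: The unit written by `Install mete systemd unit` is never daemon-reloaded, enabled or started, and the task carries no `notify`, so a later change to `service.j2` is written to disk without restarting the running instance; the nginx role's timer task in this same series does use `systemd:` with `state: started` and `enabled:`. If Ansible is meant to own the running service, a task like the one below after the template task closes that gap; if the service is deliberately started by hand, a comment on the task saying so would stop the next reader from assuming otherwise. `Activate mete site` creates the symlink without notifying `reload nginx`, so a site whose template is unchanged but whose link had been removed is re-enabled without a reload.
```yaml
# … unchanged: Install mete systemd unit task …
- name: Enable and start mete
  systemd:
    name: "mete@{{ mete_domain }}.service"
    state: started
    enabled: true
    daemon_reload: true
```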
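Review bot: The `allow` rules in `location /` are not closed by `deny all;`, and nginx's access module permits any request that matches no rule, so with `satisfy any` every client passes the address check and `auth_basic` is never consulted; add `deny all;` directly after `allow 2001:67c:708::/48;` so that only the two listed sources skip the password prompt. The proxied application receives no `proxy_set_header` lines, so it sees 127.0.0.1 as the client and the upstream name as the host; if it logs or throttles by address, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header Host $host;` are worth adding next to `proxy_pass`. `auth_basic_user_file "htpasswd"` resolves relative to the nginx prefix and this role does not create the file, so a comment naming the expected path and which role manages it would help.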
@@ -0,0 +1,12 @@ +[Unit] +Description=Mete application server on {{ mete_domain }} + +[Service] +ExecStart=/bin/bundler exec rails server +WorkingDirectory={{ mete_app_dir }} +User=www-data +Environment=RAILS_ENV=production + +[Install] +WantedBy=multi-user.target + From 036f12630c278aebe3bab1ae6f86cebd15b2f6d9 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sun, 28 Feb 2021 03:10:00 +0000 Subject: [PATCH 3/6] Enable APC cache in wiki --- roles/mediawiki/templates/LocalSettings.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mediawiki/templates/LocalSettings.php.j2 b/roles/mediawiki/templates/LocalSettings.php.j2 index f2b4824..0d8da4c 100644 --- a/roles/mediawiki/templates/LocalSettings.php.j2 +++ b/roles/mediawiki/templates/LocalSettings.php.j2 @@ -29,7 +29,7 @@ $wgEmailAuthentication = true; require 'LocalSettings_secrets.php'; ## Shared memory settings -$wgMainCacheType = CACHE_NONE; +$wgMainCacheType = CACHE_ACCEL; $wgMemCachedServers = array(); ## To enable image uploads, make sure the 'images' directory From aa2063743c89d07408ff0d7593a08fbace24a7ca Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sun, 28 Feb 2021 13:56:30 +0000 Subject: [PATCH 4/6] NSD configuration for patterns --- roles/nsd/templates/nsd.conf.j2 | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/roles/nsd/templates/nsd.conf.j2 b/roles/nsd/templates/nsd.conf.j2 index b987751..f600d7a 100644 --- a/roles/nsd/templates/nsd.conf.j2 +++ b/roles/nsd/templates/nsd.conf.j2 @@ -3,6 +3,8 @@ server: ip-address: 127.0.0.1@5353 ip-address: ::1@5353 + ip-address: 176.9.59.104@53 + ip-address: 2a01:4f8:150:926f::2@53 # policy statistics: 3600 @@ -19,6 +21,9 @@ server: log-time-ascii: no debug-mode: yes + # zones are state, not configuration + zonesdir: "/var/db/nsd/zones" + # Remote control config section. remote-control: control-enable: yes 
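Review bot: The unit has no `Restart=` line, so a crashed `rails server` stays down until someone notices; `Restart=on-failure` under `[Service]` is the usual minimum for an application server. The file is installed as `mete@{{ mete_domain }}.service` but uses no `%i`, so the `@` adds nothing over a plain instance-specific name — harmless, but a comment would stop a reader from expecting `systemctl start mete@other.example` to work. Running as `www-data` with `WorkingDirectory` under `/var/www` shares an identity with the web server on Debian-style hosts (not visible here); a dedicated user plus `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would limit what a compromised app process can reach.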
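Review bot: `CACHE_ACCEL` only does anything when a PHP accelerator data store such as APCu is loaded, and nothing in this hunk or the role's visible parts installs one; how MediaWiki behaves when it is missing varies with the version, from an error at start-up to running uncached. Either add the package (php-apcu on Debian-style hosts) to the role's tasks or document the dependency, e.g. `## CACHE_ACCEL needs php-apcu; behaviour without it depends on the MediaWiki version` above the line. The surrounding `$wgMemCachedServers = array();` is not consulted with `CACHE_ACCEL`; a short note saying it is kept for a possible memcached switch would avoid confusion.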
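Review bot: The two new `ip-address:` lines bake what look like one host's public IPv4 and IPv6 addresses into a role template that every nsd host renders, whereas patch 1 in this series keeps per-host addresses in `host_vars/`. A loop over a host variable, e.g. `{% for addr in nsd_listen_addresses %}ip-address: {{ addr }}@53{% endfor %}` (name constructed), keeps the template reusable; if this role only ever runs on one host, a comment saying so next to the addresses is enough. The `server:` section this hunk edits starts outside it.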
@@ -38,3 +43,24 @@ zone: request-xfr: 2001:7fd::1 NOKEY # k.root-servers.net request-xfr: 2620:0:2830:202::132 NOKEY # xfr.cjr.dns.icann.org request-xfr: 2620:0:2d0:202::132 NOKEY # xfr.lax.dns.icann.org + +# Patterns for dynamically managed zones +# The list of dynamic zones is in /var/db/nsd/zone.list and is managed +# by `nsd-control addzone` and `nsd-control delzone` +pattern: + name: "local" + zonefile: "%s" + # brunn.ccchb.de + provide-xfr: 159.69.196.38 NOKEY + provide-xfr: 2a01:4f8:1c1c:c197:: NOKEY + # ns1.grimpen.net + provide-xfr: 51.83.186.231 NOKEY + provide-xfr: 2001:41d0:601:1100::33b7 NOKEY + +pattern: + name: "replicate-brunn" + # brunn.ccchb.de + allow-notify: 159.69.196.38 NOKEY + allow-notify: 2a01:4f8:1c1c:c197:: NOKEY + request-xfr: AXFR 2a01:4f8:1c1c:c197:: NOKEY + From 3c1aed2eee2d0818d4ff4b67deec8dbbe7eb3ff2 Mon Sep 17 00:00:00 2001 From: Geno Date: Sat, 6 Mar 2021 18:50:38 +0100 Subject: [PATCH 5/6] role/nginx: add timer for dehydrated / lets encrypt fixed #21 --- roles/gitea | 2 +- roles/nginx/tasks/main.yml | 16 ++++++++++++++++ roles/nginx/templates/dehydrated.service | 6 ++++++ roles/nginx/templates/dehydrated.timer | 8 ++++++++ 4 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 roles/nginx/templates/dehydrated.service create mode 100644 roles/nginx/templates/dehydrated.timer diff --git a/roles/gitea b/roles/gitea index 0474dc8..1aa082a 160000 --- a/roles/gitea +++ b/roles/gitea @@ -1 +1 @@ -Subproject commit 0474dc8d0c7031f7fcb58484c9c6552b1b9869eb +Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5 diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index faa88f2..8022aea 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
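Review bot: Every `provide-xfr`, `allow-notify` and `request-xfr` in the two new patterns uses `NOKEY`, so transfers and notifies are authorised by source address alone; NOTIFY arrives over UDP where the source is forgeable, and without TSIG neither side can detect a tampered zone in transit. NSD supports TSIG through a `key:` section with `name`, `algorithm` and `secret`, the key name replacing `NOKEY` on each ACL line, and the secret belongs in a vaulted variable rather than in the template. `replicate-brunn` accepts notifies from both of brunn's addresses but only requests transfers over IPv6; if IPv4 is a deliberate omission a comment would help, otherwise add `request-xfr: AXFR 159.69.196.38 <key-name>` as well. The hunk also adds a trailing empty line at the end of the file.
```jinja
# constructed example: one TSIG key per peer, secret from an Ansible-vaulted variable
key:
  name: "brunn-xfr"
  algorithm: hmac-sha256
  secret: "{{ nsd_tsig_brunn_secret }}"

# … unchanged: "local" pattern header, zonefile and ns1.grimpen.net lines …
  provide-xfr: 159.69.196.38 brunn-xfr
  provide-xfr: 2a01:4f8:1c1c:c197:: brunn-xfr

# … unchanged: "replicate-brunn" pattern header …
  allow-notify: 159.69.196.38 brunn-xfr
  allow-notify: 2a01:4f8:1c1c:c197:: brunn-xfr
  request-xfr: AXFR 2a01:4f8:1c1c:c197:: brunn-xfr
```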
@@ -16,6 +16,20 @@ args: creates: /var/lib/dehydrated/accounts +- name: Install letsencrypt cronjob + template: + dest: "/etc/systemd/system/{{ item }}" + src: "{{ item }}" + with_items: + - dehydrated.service + - dehydrated.timer + +- name: Start lets encrypt cronjob + systemd: + name: dehydrated.timer + state: started + enabled: yes + - name: nginx default config notify: reload nginx template: @@ -27,3 +41,5 @@ template: src: snippets-tls.nginx dest: /etc/nginx/snippets/tls-acme.conf + + diff --git a/roles/nginx/templates/dehydrated.service b/roles/nginx/templates/dehydrated.service new file mode 100644 index 0000000..d952396 --- /dev/null +++ b/roles/nginx/templates/dehydrated.service @@ -0,0 +1,6 @@ +[Unit] +Description=Check and renew ACME TLS certificates + +[Service] +Type=oneshot +ExecStart=/usr/bin/dehydrated -c diff --git a/roles/nginx/templates/dehydrated.timer b/roles/nginx/templates/dehydrated.timer new file mode 100644 index 0000000..5275b6f --- /dev/null +++ b/roles/nginx/templates/dehydrated.timer @@ -0,0 +1,8 @@ +[Unit] +Description=Check and renew ACME TLS certificates + +[Timer] +OnCalendar=daily UTC + +[Install] +WantedBy=timers.target From c5ecf1df631457a6c2a0a5712026cddeda30f1e8 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Wed, 10 Mar 2021 11:30:18 +0000 Subject: [PATCH 6/6] Enable HSTS for mediawiki --- roles/mediawiki/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/mediawiki/defaults/main.yml b/roles/mediawiki/defaults/main.yml index 47b4883..a3f7c81 100644 --- a/roles/mediawiki/defaults/main.yml +++ b/roles/mediawiki/defaults/main.yml @@ -40,6 +40,8 @@ mediawiki_nginx_conf: | ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + client_max_body_size 100M; include snippets/certbot.conf;
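Review bot: `Start lets encrypt cronjob` starts `dehydrated.timer` right after the unit files are written, but nothing reloads systemd's unit list, so on a fresh host the `systemd:` call can fail with an unknown-unit error; add `daemon_reload: true` to that task, and write `enabled: true` rather than `yes`, which yamllint's truthy rule flags. The template task installs the files but notifies nothing, so a later edit to the timer's `OnCalendar` lands on disk without being re-read; the same `daemon_reload` covers that once the template task notifies a reload. Both task names say cronjob while the mechanism is a systemd timer; `Install dehydrated renewal timer` reads better. The task whose `args:`/`creates:` lines open this hunk starts outside it.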
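Review bot: `ExecStart=/usr/bin/dehydrated -c` renews certificates but nothing in this unit reloads nginx afterwards, so a renewed certificate sits on disk until the next unrelated reload; unless a dehydrated hook script handles that (not visible in this commit), `ExecStartPost=/bin/systemctl reload nginx` under `[Service]` closes the gap, and with `Type=oneshot` it only runs when the renewal succeeded. A comment such as `# scheduled by dehydrated.timer` at the top would tell someone reading the unit on the host where the schedule lives.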
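Review bot: `OnCalendar=daily UTC` fires at exactly midnight with no jitter and no catch-up, so a host that is down at that moment skips a day and every host sharing this role contacts the ACME endpoint at the same second; `Persistent=true` and `RandomizedDelaySec=1h` under `[Timer]` are the usual pair for renewal timers. The `[Install]` section is present, so `enabled: yes` in the tasks will work once systemd has reloaded its units.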
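Review bot: `add_header Strict-Transport-Security … always;` is set at this level of `mediawiki_nginx_conf`, and nginx drops inherited `add_header` directives in any `location` that declares its own `add_header`, so the header silently disappears for such locations; the rest of the block and the included `snippets/certbot.conf` are outside the hunk, so check them for per-location `add_header` lines or move HSTS into a snippet included everywhere. `includeSubDomains` with a 180-day `max-age` also commits every name under `{{ mediawiki_domain }}` to TLS for that long; a comment such as `# includeSubDomains: every host under mediawiki_domain must serve TLS` above the line records that decision. The mete role added earlier in this series serves its sites without HSTS; if the policy is meant to be uniform it belongs in a shared snippet rather than per-role defaults.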