fixup! archwiki: simple challenge for CN

host_vars/wiki.archlinux.org/misc

@@ -3,4 +3,4 @@ memcached_socket: "/run/memcached/archwiki.sock"
 wireguard_address: 10.0.0.22
 wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
 nginx_extra_modules:
-  - geoip2
+  - name: geoip2

roles/archwiki/defaults/main.yml

 archwiki_dir: '/srv/http/archwiki'
 archwiki_domain: 'wiki.archlinux.org'
 archwiki_nginx_conf: '/etc/nginx/nginx.d/archwiki.conf'
+archwiki_nginx_challenge_value: '41ce6c6'
 archwiki_user: 'archwiki'
 archwiki_repository: 'https://gitlab.archlinux.org/archlinux/archwiki.git'
 archwiki_version: '1.42.1-2'

roles/archwiki/templates/nginx.d.conf.j2

@@ -13,18 +13,22 @@ upstream archwiki {
     server unix://{{ archwiki_socket }};
 }
 
-map $cookie_challenge $authenticated {
+# Challenge the client if the cookie "challenge" is not set to
+# the value of "archwiki_nginx_challenge_value".
+map $cookie_challenge $challenge_required {
     default 1;
-    41ce6c6 0;
+    {{ archwiki_nginx_challenge_value }} 0;
 }
 
 geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
     $geoip2_data_country_iso_code country iso_code;
 }
 
+# Challenge the client if it is from China and $challenge_required is
+# true. This is enough to "throw off" some bots/crawlers from China.
 map $geoip2_data_country_iso_code $challenge {
     default 0;
-    CN      $authenticated;
+    CN      $challenge_required;
 }
 
 server {
@@ -62,7 +66,7 @@ server {
     index index.php;
 
     location = /challenge {
-        add_header Set-Cookie "challenge=41ce6c6; SameSite=Strict";
+        add_header Set-Cookie "challenge={{ archwiki_nginx_challenge_value }}; SameSite=Strict";
         return 303 $scheme://$server_name/$arg_return;
     }