
Commit 4698e39

committedAug 22, 2022
Make sure admin machines still work, add MySQL users only for needed hosts and use SSL for LB communication.
1 parent 9086519 commit 4698e39


5 files changed

+25
-17
lines changed


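--- a/provision-contest/ansible/roles/domserver/tasks/main.yml
+++ b/provision-contest/ansible/roles/domserver/tasks/main.yml
@@ -22,7 +22,7 @@
 - name: set the DBA credentials
 set_fact:
 dba_credentials: |
-{% if DBA_PASSWORD is defined %}
+{% if host_type == 'domserver' and DBA_PASSWORD is defined %}
 -u domjudge_dba -p {{ DBA_PASSWORD }}
 {% else %}
 -u root
@@ -34,11 +34,11 @@
 register: db_status
 ignore_errors: true
 changed_when: false
-when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname
+when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver'
 
 - name: make sure the database is configured
 command: "{{ DJ_DIR }}/bin/dj_setup_database {{ dba_credentials }} bare-install"
-when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname) and 'failed' in db_status.stdout"
+when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver') and 'failed' in db_status.stdout"
 
 - name: install required packages
 apt: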
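Review bot: The new guard `not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver'` is spelled out twice in the second hunk (the `db_status` task and the `dj_setup_database` task, where it is additionally quoted and parenthesised), so the two can drift; computing it once with `set_fact: configure_db_here: "{{ not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver' }}"` and using `when: configure_db_here` / `when: configure_db_here and 'failed' in db_status.stdout` keeps them in step. Nothing on the page shows `host_type` being defined for every host, and Ansible's undefined-variable handling turns `host_type == 'domserver'` into a task error rather than a skip, so `host_type | default('') != 'domserver'` here (and the `==` form used in the four template and task files of this commit) would degrade more gracefully if an inventory omits it. With the first hunk, a non-domserver host now falls through to the `{% else %}` branch and runs `dj_setup_database -u root` with no password; a comment on that branch such as `{# non-domserver hosts set up a local DB as root — presumably socket auth, confirm #}` would record the assumption. Because `{{ dba_credentials }}` expands to `-p {{ DBA_PASSWORD }}` on the `command:` line, adding `no_log: true` to that task keeps the DBA password out of playbook output on every host that now runs it. The `set the DBA credentials` task continues past the end of the first hunk.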

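--- a/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
+++ b/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
@@ -1,6 +1,6 @@
 # {{ansible_managed}}
 # Format: 'unused:<db_host>:<db_name>:<user>:<password>:<db_port>'
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 unused:{{DOMSERVER_IP}}:domjudge:domjudge:{{DB_PASSWORD}}:3306
 {% else %}
 unused:localhost:domjudge:domjudge:{{DB_PASSWORD}}:3306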

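--- a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
+++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
@@ -11,7 +11,7 @@ set $domjudgeRoot {{ DJ_DIR }}/webapp/public;
 set $prefix '';
 
 location / {
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 if ($access_allowed = false) {
 return 403;
 }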

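--- a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
+++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
@@ -7,19 +7,25 @@ upstream domjudge {
 server unix:/var/run/php-fpm-domjudge.sock; # if using with etc/domjudge-fpm.conf
 }
 
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 upstream domjudge-loadbalanced {
 least_conn;
+keepalive 100;
 {% for host in groups['domserver'] %}
-server {{ hostvars[host].ansible_host }}:81;
+server {{ hostvars[host].ansible_host }}:444;
 {% endfor %}
 }
 
 server {
-listen 81;
-listen [::]:81;
+listen 444 ssl http2;
+listen [::]:444 ssl http2;
 server_name _default_;
 
+ssl_certificate {{DOMSERVER_SSL_CERT}};
+ssl_certificate_key {{DOMSERVER_SSL_KEY}};
+ssl_session_timeout 5m;
+ssl_prefer_server_ciphers on;
+
 add_header Strict-Transport-Security max-age=31556952;
 include /etc/nginx/snippets/domjudge-inner;
 
@@ -30,6 +36,7 @@ server {
 
 map $realip_remote_addr $access_allowed {
 default false;
+{{ DOMSERVER_IP }} true;
 {% for host in groups['domserver'] %}
 {{ hostvars[host].ansible_host }} true;
 {% endfor %}
@@ -55,12 +62,11 @@ server {
 
 add_header Strict-Transport-Security max-age=31556952;
 
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 location / {
-proxy_pass http://domjudge-loadbalanced;
+proxy_pass https://domjudge-loadbalanced;
 proxy_http_version 1.1;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection "upgrade";
+proxy_set_header Connection "";
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;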
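Review bot: `proxy_pass https://domjudge-loadbalanced;` in the third hunk encrypts the hop to port 444 but does not authenticate the backend: nginx's `proxy_ssl_verify` defaults to off, so whatever answers on a listed `ansible_host`:444 is accepted with any certificate. Inside that `location /` block add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to the CA that issued DOMSERVER_SSL_CERT>;` and `proxy_ssl_name <hostname in DOMSERVER_SSL_CERT>;` — the last is needed because the upstream members are bare IPs and the default `$proxy_host` (`domjudge-loadbalanced`) would never match the certificate; add `proxy_ssl_server_name on;` as well if the backend selects its certificate by SNI. The backend listener added in the first hunk sets `ssl_prefer_server_ciphers on;` but no `ssl_protocols`/`ssl_ciphers`, so it inherits whatever the enclosing `http` context or the nginx build defaults provide; either an explicit setting or a comment stating that the inheritance is intended would make that visible. Dropping `proxy_set_header Upgrade $http_upgrade;` together with `Connection "upgrade"` (replaced by `Connection "";` for the new `keepalive 100;` pool) means WebSocket upgrades are no longer forwarded through the balancer — fine if DOMjudge uses none, but it is a behaviour change the commit message does not mention.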

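--- a/provision-contest/ansible/roles/mysql_server/tasks/main.yml
+++ b/provision-contest/ansible/roles/mysql_server/tasks/main.yml
@@ -71,19 +71,21 @@
 - name: create mysql user for for DOMjudge database administration
 mysql_user:
 name: domjudge_dba
-host: '{{ SERVER_IP_PREFIX }}.%'
+host: '{{ item }}'
 password: "{{ DBA_PASSWORD }}"
 append_privs: true
 priv: 'domjudge.*:ALL,GRANT/*.*:CREATE USER,RELOAD'
 state: present
-when: DBA_PASSWORD is defined
+when: host_type == 'domserver' and DBA_PASSWORD is defined
+loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"
 
 - name: create mysql user for for DOMjudge when we are doing loadbalancing
 mysql_user:
 name: domjudge
-host: '{{ SERVER_IP_PREFIX }}.%'
+host: '{{ item }}'
 password: "{{ DB_PASSWORD }}"
 append_privs: true
 priv: 'domjudge.*:SELECT,INSERT,UPDATE,DELETE'
 state: present
-when: DOMSERVER_LOADBALANCING
+when: host_type == 'domserver' and DOMSERVER_LOADBALANCING
+loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"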
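Review bot: Changing `host:` from `'{{ SERVER_IP_PREFIX }}.%'` to `'{{ item }}'` only adds per-host accounts; `mysql_user` with `state: present` does not drop the existing `domjudge_dba@'<prefix>.%'` and `domjudge@'<prefix>.%'` rows, so on an already-provisioned database server the wildcard grants keep working and the narrowing has no effect until a task with `host: '{{ SERVER_IP_PREFIX }}.%'` and `state: absent` removes them for both users. The loop expression `groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP]` is duplicated between the two tasks; a single `set_fact` or role var such as `domserver_db_hosts` keeps the two account lists identical. `map('extract', hostvars, 'ansible_host')` yields an undefined item for any `domserver` group member that is reached by inventory name rather than `ansible_host`, and `[DOMSERVER_IP]` is appended even when `DOMSERVER_LOADBALANCING` is false — confirm both are defined in every inventory that runs this role. The task names still read `for for`. The hunk ends on the second task's `loop:` line, so anything after it is outside this view.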
