diff --git a/provision-contest/ansible/roles/domserver/tasks/main.yml b/provision-contest/ansible/roles/domserver/tasks/main.yml
index 3b8ba36d..14b5fdce 100644
--- a/provision-contest/ansible/roles/domserver/tasks/main.yml
+++ b/provision-contest/ansible/roles/domserver/tasks/main.yml
@@ -22,7 +22,7 @@ - name: set the DBA credentials set_fact: dba_credentials: | - {% if DBA_PASSWORD is defined %} + {% if host_type == 'domserver' and DBA_PASSWORD is defined %} -u domjudge_dba -p {{ DBA_PASSWORD }} {% else %} -u root
@@ -34,11 +34,11 @@ register: db_status ignore_errors: true changed_when: false - when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname + when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver' - name: make sure the database is configured command: "{{ DJ_DIR }}/bin/dj_setup_database {{ dba_credentials }} bare-install" - when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname) and 'failed' in db_status.stdout" + when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver') and 'failed' in db_status.stdout" - name: install required packages apt:
diff --git a/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2 b/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
index 711b48a1..0b8b5865 100644
--- a/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
+++ b/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
@@ -1,6 +1,6 @@ # {{ansible_managed}} # Format: 'unused:::::' -{% if DOMSERVER_LOADBALANCING %} +{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %} unused:{{DOMSERVER_IP}}:domjudge:domjudge:{{DB_PASSWORD}}:3306 {% else %} unused:localhost:domjudge:domjudge:{{DB_PASSWORD}}:3306
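Review bot: The `make sure the database is configured` task in the second hunk passes `{{ dba_credentials }}` — which, per the first hunk, expands to `-u domjudge_dba -p {{ DBA_PASSWORD }}` — as a command-line argument and has no `no_log`, so the DBA password is printed in the task output and Ansible logs and is visible in the process argument list on the host while `dj_setup_database` runs. Adding `no_log: true` to that task keeps it out of the logs; keeping it off argv would require dj_setup_database to take credentials from a file or the environment, which this commit does not touch. The new `host_type` comparison is unguarded while `DBA_PASSWORD` is checked with `is defined`; if any host in the play lacks `host_type`, the `set_fact` template and both `when` conditions fail with an undefined variable instead of skipping, so either give it a default in group_vars or write `host_type is defined and host_type == 'domserver'` (the same unguarded comparison appears in the dbpasswords.secret.j2, nginx template and mysql_server/tasks/main.yml hunks). The added `or host_type != 'domserver'` branch also makes the database setup run on every non-domserver host the play targets, with the `-u root` fallback credentials; if that is meant only for a combined single-host layout, naming that host type is safer than negating `domserver`.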
diff --git a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
index 21ca9b2e..d1ec5a05 100644
--- a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
+++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
@@ -11,7 +11,7 @@ set $domjudgeRoot {{ DJ_DIR }}/webapp/public; set $prefix ''; location / { -{% if DOMSERVER_LOADBALANCING %} +{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %} if ($access_allowed = false) { return 403; }
diff --git a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
index 13b9b95d..71b815d5 100644
--- a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
+++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
@@ -7,19 +7,25 @@ upstream domjudge { server unix:/var/run/php-fpm-domjudge.sock; # if using with etc/domjudge-fpm.conf } -{% if DOMSERVER_LOADBALANCING %} +{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %} upstream domjudge-loadbalanced { least_conn; + keepalive 100; {% for host in groups['domserver'] %} - server {{ hostvars[host].ansible_host }}:81; + server {{ hostvars[host].ansible_host }}:444; {% endfor %} } server { - listen 81; - listen [::]:81; + listen 444 ssl http2; + listen [::]:444 ssl http2; server_name _default_; + ssl_certificate {{DOMSERVER_SSL_CERT}}; + ssl_certificate_key {{DOMSERVER_SSL_KEY}}; + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=31556952; include /etc/nginx/snippets/domjudge-inner;
@@ -30,6 +36,7 @@ server { map $realip_remote_addr $access_allowed { default false; + {{ DOMSERVER_IP }} true; {% for host in groups['domserver'] %} {{ hostvars[host].ansible_host }} true; {% endfor %}
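Review bot: The new backend `server` block on port 444 turns on TLS with `ssl_prefer_server_ciphers on` but sets neither `ssl_protocols` nor `ssl_ciphers`, so unless nginx.conf sets them at the `http` level the accepted protocol versions and cipher suites are whatever the installed nginx defaults to (older packages still accept TLSv1 and TLSv1.1). Adding `ssl_protocols TLSv1.2 TLSv1.3;` next to the other `ssl_*` lines — or reusing the values the public-facing block uses, which is outside this hunk — pins that explicitly. The `server` block continues past the end of the hunk after the `include /etc/nginx/snippets/domjudge-inner;` line.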
@@ -55,12 +62,11 @@ server { add_header Strict-Transport-Security max-age=31556952; -{% if DOMSERVER_LOADBALANCING %} +{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %} location / { - proxy_pass http://domjudge-loadbalanced; + proxy_pass https://domjudge-loadbalanced; proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Connection ""; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr;
diff --git a/provision-contest/ansible/roles/mysql_server/tasks/main.yml b/provision-contest/ansible/roles/mysql_server/tasks/main.yml
index 21d8249c..1600171a 100644
--- a/provision-contest/ansible/roles/mysql_server/tasks/main.yml
+++ b/provision-contest/ansible/roles/mysql_server/tasks/main.yml
@@ -71,19 +71,21 @@ - name: create mysql user for for DOMjudge database administration mysql_user: name: domjudge_dba - host: '{{ SERVER_IP_PREFIX }}.%' + host: '{{ item }}' password: "{{ DBA_PASSWORD }}" append_privs: true priv: 'domjudge.*:ALL,GRANT/*.*:CREATE USER,RELOAD' state: present - when: DBA_PASSWORD is defined + when: host_type == 'domserver' and DBA_PASSWORD is defined + loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}" - name: create mysql user for for DOMjudge when we are doing loadbalancing mysql_user: name: domjudge - host: '{{ SERVER_IP_PREFIX }}.%' + host: '{{ item }}' password: "{{ DB_PASSWORD }}" append_privs: true priv: 'domjudge.*:SELECT,INSERT,UPDATE,DELETE' state: present - when: DOMSERVER_LOADBALANCING + when: host_type == 'domserver' and DOMSERVER_LOADBALANCING + loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"
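Review bot: `proxy_pass https://domjudge-loadbalanced;` moves the balancer-to-backend hop onto TLS, but nginx does not verify upstream certificates unless told to (`proxy_ssl_verify` defaults to off), so the hop is encrypted without the backend being authenticated, and anything answering on a backend address at port 444 would be accepted. If the certificate in `DOMSERVER_SSL_CERT` chains to a CA, or is self-signed and shared by all domservers, add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to that CA or certificate>;` and `proxy_ssl_name <name the certificate is issued for>;` alongside the other proxy directives; `proxy_ssl_name` is needed because the default name checked is the upstream group name `domjudge-loadbalanced`, which will not match. Replacing the `Upgrade`/`Connection "upgrade"` headers with `Connection ""` is what the `keepalive 100` upstream in the earlier hunk requires, so that part is consistent; the `location /` block continues past the end of this hunk.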
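Review bot: Replacing the `{{ SERVER_IP_PREFIX }}.%` wildcard host with the explicit domserver addresses is a genuine tightening, but with `state: present` these tasks only add the new `name`@`host` rows; on a database server provisioned before this change the old `domjudge_dba`@`PREFIX.%` and `domjudge`@`PREFIX.%` accounts, carrying the same passwords and privileges, stay in `mysql.user`, so the wildcard access is not actually withdrawn. A follow-up task with `state: absent` for the old host pattern (run before the two tasks here, while `SERVER_IP_PREFIX` is still defined) drops those accounts; `mysql_user` with an explicit `host` removes just that one `name`@`host` pair. The `DOMSERVER_IP` entry appended in both `loop:` expressions presumably covers the load balancer connecting with the backend's own DB credentials; a one-line comment above the loop saying so would save the next reader from wondering why a non-domserver address is granted.
```yaml
- name: remove the pre-existing wildcard-host DOMjudge accounts
  mysql_user:
    name: "{{ item }}"
    host: "{{ SERVER_IP_PREFIX }}.%"
    state: absent
  loop:
    - domjudge_dba
    - domjudge
```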