Make sure admin machines still work, add MySQL users only for needed …
…hosts and use SSL for LB communication.
nickygerritsen committed Aug 22, 2022
1 parent 9086519 commit 4698e39
Showing 5 changed files with 25 additions and 17 deletions.
6 changes: 3 additions & 3 deletions provision-contest/ansible/roles/domserver/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
- name: set the DBA credentials
set_fact:
dba_credentials: |
{% if DBA_PASSWORD is defined %}
{% if host_type == 'domserver' and DBA_PASSWORD is defined %}
-u domjudge_dba -p {{ DBA_PASSWORD }}
{% else %}
-u root
Expand All @@ -34,11 +34,11 @@
register: db_status
ignore_errors: true
changed_when: false
when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname
when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver'

- name: make sure the database is configured
command: "{{ DJ_DIR }}/bin/dj_setup_database {{ dba_credentials }} bare-install"
when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname) and 'failed' in db_status.stdout"
when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver') and 'failed' in db_status.stdout"

- name: install required packages
apt:
Expand Down
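Review bot: The new predicate `not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver'` is pasted verbatim into both `when:` clauses (the task registering `db_status` and the `dj_setup_database` command), so the two will drift the next time one is edited; a single `set_fact` above them, e.g. `domserver_runs_db_setup: "{{ not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver' }}"` (constructed name), reused as `when: domserver_runs_db_setup` and `when: domserver_runs_db_setup and 'failed' in db_status.stdout`, keeps them in step. Every condition this commit adds — here, in the three templates and in the mysql_server tasks — compares `host_type` directly, and if any inventory host lacks that variable (not visible here) Ansible's strict undefined handling fails the play instead of treating the host as a non-domserver, so `host_type | default('') == 'domserver'` or an early `assert` that `host_type is defined` is worth considering. Separately, the `dj_setup_database` command interpolates `dba_credentials`, which carries `DBA_PASSWORD` as `-p ...`, so the password can surface in Ansible output or logs (for instance on failure) unless that task carries `no_log: true`. The task list continues above and below this hunk.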
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# {{ansible_managed}}
# Format: 'unused:<db_host>:<db_name>:<user>:<password>:<db_port>'
{% if DOMSERVER_LOADBALANCING %}
{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
unused:{{DOMSERVER_IP}}:domjudge:domjudge:{{DB_PASSWORD}}:3306
{% else %}
unused:localhost:domjudge:domjudge:{{DB_PASSWORD}}:3306
Expand Down
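Review bot: The new `{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}` encodes a policy — a host that is not a domserver keeps `localhost` as its database host even when load balancing is enabled — but nothing in the template says why, and the `# Format:` comment above only documents the field layout. A Jinja comment (so it is not rendered into the secrets file) such as `{# Only domservers behind the load balancer use the shared database at DOMSERVER_IP; every other host keeps its local MySQL #}` above the `{% if %}` would record the intent; that the `{% else %}` branch is the right one for admin machines is implied by the commit message rather than by anything visible in the hunk.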
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ set $domjudgeRoot {{ DJ_DIR }}/webapp/public;
set $prefix '';

location / {
{% if DOMSERVER_LOADBALANCING %}
{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
if ($access_allowed = false) {
return 403;
}
Expand Down
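Review bot: The `if ($access_allowed = false)` guard at the top of `location /` depends on `$access_allowed` being declared by the `map $realip_remote_addr $access_allowed` block in the sites template of this same commit, which sits behind an identical `host_type == 'domserver' and DOMSERVER_LOADBALANCING` condition; if the two conditions ever diverge, nginx fails its config check with an unknown-variable error on the host that renders the guard without the map. A comment above the guard, `# $access_allowed is defined by the map in the sites template; keep both behind the same condition`, records that coupling for the next editor. The `location /` block continues past the end of this hunk.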
Original file line number Diff line number Diff line change
Expand Up @@ -7,19 +7,25 @@ upstream domjudge {
server unix:/var/run/php-fpm-domjudge.sock; # if using with etc/domjudge-fpm.conf
}

{% if DOMSERVER_LOADBALANCING %}
{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
upstream domjudge-loadbalanced {
least_conn;
keepalive 100;
{% for host in groups['domserver'] %}
server {{ hostvars[host].ansible_host }}:81;
server {{ hostvars[host].ansible_host }}:444;
{% endfor %}
}

server {
listen 81;
listen [::]:81;
listen 444 ssl http2;
listen [::]:444 ssl http2;
server_name _default_;

ssl_certificate {{DOMSERVER_SSL_CERT}};
ssl_certificate_key {{DOMSERVER_SSL_KEY}};
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security max-age=31556952;
include /etc/nginx/snippets/domjudge-inner;

Expand All @@ -30,6 +36,7 @@ server {

map $realip_remote_addr $access_allowed {
default false;
{{ DOMSERVER_IP }} true;
{% for host in groups['domserver'] %}
{{ hostvars[host].ansible_host }} true;
{% endfor %}
Expand All @@ -55,12 +62,11 @@ server {

add_header Strict-Transport-Security max-age=31556952;

{% if DOMSERVER_LOADBALANCING %}
{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
location / {
proxy_pass http://domjudge-loadbalanced;
proxy_pass https://domjudge-loadbalanced;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Connection "";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
Expand Down
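Review bot: `proxy_pass https://domjudge-loadbalanced;` in the last hunk moves the balancer-to-backend hop onto TLS, but nothing enables certificate verification, so nginx accepts whatever certificate the port-444 backends present — this protects against passive observation only, not against an active interposer on the balancer-to-backend path. Because the backends serve `{{DOMSERVER_SSL_CERT}}` (first hunk of this file), the balancer can pin that chain and check the name it was issued for; the lines below sketch it, with the trust file and expected name left as placeholders to fill from the deployment (when the backend certificate is self-signed the certificate file itself can serve as the trust anchor, otherwise point at the issuing CA bundle). The new `listen 444 ssl http2` server also sets `ssl_prefer_server_ciphers on` without `ssl_protocols` or `ssl_ciphers`, so the accepted protocol versions and suites are whatever this nginx build defaults to; stating them explicitly (matching the public server block, which is outside the hunk) makes the inner hop auditable. The `server` block opened in the first hunk and the `location /` block in the last one both close outside the hunks shown.
```nginx
    location / {
        proxy_pass https://domjudge-loadbalanced;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate <PATH_TO_BACKEND_CA_OR_CERT>;
        proxy_ssl_server_name on;
        proxy_ssl_name <HOSTNAME_IN_DOMSERVER_SSL_CERT>;
        # … unchanged: proxy_http_version and proxy_set_header lines …
```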
10 changes: 6 additions & 4 deletions provision-contest/ansible/roles/mysql_server/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,19 +71,21 @@
- name: create mysql user for for DOMjudge database administration
mysql_user:
name: domjudge_dba
host: '{{ SERVER_IP_PREFIX }}.%'
host: '{{ item }}'
password: "{{ DBA_PASSWORD }}"
append_privs: true
priv: 'domjudge.*:ALL,GRANT/*.*:CREATE USER,RELOAD'
state: present
when: DBA_PASSWORD is defined
when: host_type == 'domserver' and DBA_PASSWORD is defined
loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"

- name: create mysql user for for DOMjudge when we are doing loadbalancing
mysql_user:
name: domjudge
host: '{{ SERVER_IP_PREFIX }}.%'
host: '{{ item }}'
password: "{{ DB_PASSWORD }}"
append_privs: true
priv: 'domjudge.*:SELECT,INSERT,UPDATE,DELETE'
state: present
when: DOMSERVER_LOADBALANCING
when: host_type == 'domserver' and DOMSERVER_LOADBALANCING
loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"
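Review bot: Narrowing `host:` from `'{{ SERVER_IP_PREFIX }}.%'` to one entry per domserver address is a real reduction in reach, but on hosts provisioned by the previous version of this role the old `domjudge_dba@'<prefix>.%'` and `domjudge@'<prefix>.%'` accounts stay in place — `mysql_user` with `state: present` only creates or updates the host pattern it is handed — so the broad grants outlive this change until something removes them. A cleanup task per user with the old host pattern and `state: absent`, sketched below, makes the tightening effective on existing installations; on hosts where that pattern was never created the removal is a no-op. For the same reason an address later dropped from `groups['domserver']` keeps its account, which is worth a comment above the loop. The loop expression `groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP]` is duplicated in both tasks; a role variable such as `domjudge_db_client_hosts` (constructed name) reused by both `loop:` lines keeps the two allow-lists identical.
```yaml
- name: remove the old network-wide domjudge_dba user
  mysql_user:
    name: domjudge_dba
    host: '{{ SERVER_IP_PREFIX }}.%'
    state: absent

- name: remove the old network-wide domjudge user
  mysql_user:
    name: domjudge
    host: '{{ SERVER_IP_PREFIX }}.%'
    state: absent

# … unchanged: the two per-host create tasks …
```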
