Make sure admin machines still work, add MySQL users only for needed hosts and use SSL for LB communication.

nickygerritsen · nickygerritsen · commit 22cb208c15ea · 2022-08-22T09:48:50.000+02:00
diff --git a/provision-contest/ansible/roles/domserver/tasks/main.yml b/provision-contest/ansible/roles/domserver/tasks/main.yml
@@ -22,7 +22,7 @@
 - name: set the DBA credentials
   set_fact:
     dba_credentials: |
-      {% if DBA_PASSWORD is defined %}
+      {% if host_type == 'domserver' and DBA_PASSWORD is defined %}
         -u domjudge_dba -p {{ DBA_PASSWORD }}
       {% else %}
         -u root
@@ -34,11 +34,11 @@
   register: db_status
   ignore_errors: true
   changed_when: false
-  when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname
+  when: not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver'
 
 - name: make sure the database is configured
   command: "{{ DJ_DIR }}/bin/dj_setup_database {{ dba_credentials }} bare-install"
-  when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname) and 'failed' in db_status.stdout"
+  when: "(not DOMSERVER_LOADBALANCING or groups['domserver'][0] == inventory_hostname or host_type != 'domserver') and 'failed' in db_status.stdout"
 
 - name: install required packages
   apt:
diff --git a/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2 b/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2
@@ -1,6 +1,6 @@
 # {{ansible_managed}}
 # Format: 'unused:<db_host>:<db_name>:<user>:<password>:<db_port>'
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 unused:{{DOMSERVER_IP}}:domjudge:domjudge:{{DB_PASSWORD}}:3306
 {% else %}
 unused:localhost:domjudge:domjudge:{{DB_PASSWORD}}:3306
diff --git a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
@@ -11,7 +11,7 @@ set $domjudgeRoot {{ DJ_DIR }}/webapp/public;
 set $prefix '';
 
 location / {
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 	if ($access_allowed = false) {
 		return 403;
 	}
diff --git a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2
@@ -7,19 +7,25 @@ upstream domjudge {
 	server unix:/var/run/php-fpm-domjudge.sock; # if using with etc/domjudge-fpm.conf
 }
 
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 upstream domjudge-loadbalanced {
 	least_conn;
+	keepalive 100;
 {% for host in groups['domserver'] %}
-	server {{ hostvars[host].ansible_host }}:81;
+	server {{ hostvars[host].ansible_host }}:444;
 {% endfor %}
 }
 
 server {
-	listen   81;
-	listen   [::]:81;
+	listen   444 ssl http2;
+	listen   [::]:444 ssl http2;
 	server_name _default_;
 
+	ssl_certificate {{DOMSERVER_SSL_CERT}};
+	ssl_certificate_key {{DOMSERVER_SSL_KEY}};
+	ssl_session_timeout 5m;
+	ssl_prefer_server_ciphers on;
+
 	add_header Strict-Transport-Security max-age=31556952;
 	include /etc/nginx/snippets/domjudge-inner;
 
@@ -30,6 +36,7 @@ server {
 
 map $realip_remote_addr $access_allowed {
 	default false;
+	{{ DOMSERVER_IP }} true;
 {% for host in groups['domserver'] %}
 	{{ hostvars[host].ansible_host }} true;
 {% endfor %}
@@ -55,12 +62,11 @@ server {
 
 	add_header Strict-Transport-Security max-age=31556952;
 
-{% if DOMSERVER_LOADBALANCING %}
+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}
 	location / {
-		proxy_pass http://domjudge-loadbalanced;
+		proxy_pass https://domjudge-loadbalanced;
 		proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "upgrade";
+		 proxy_set_header Connection "";
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Host $http_host;
 		proxy_set_header X-Real-IP $remote_addr;
diff --git a/provision-contest/ansible/roles/mysql_server/tasks/main.yml b/provision-contest/ansible/roles/mysql_server/tasks/main.yml
@@ -71,19 +71,21 @@
 - name: create mysql user for for DOMjudge database administration
   mysql_user:
     name: domjudge_dba
-    host: '{{ SERVER_IP_PREFIX }}.%'
+    host: '{{ item }}'
     password: "{{ DBA_PASSWORD }}"
     append_privs: true
     priv: 'domjudge.*:ALL,GRANT/*.*:CREATE USER,RELOAD'
     state: present
-  when: DBA_PASSWORD is defined
+  when: host_type == 'domserver' and DBA_PASSWORD is defined
+  loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"
 
 - name: create mysql user for for DOMjudge when we are doing loadbalancing
   mysql_user:
     name: domjudge
-    host: '{{ SERVER_IP_PREFIX }}.%'
+    host: '{{ item }}'
     password: "{{ DB_PASSWORD }}"
     append_privs: true
     priv: 'domjudge.*:SELECT,INSERT,UPDATE,DELETE'
     state: present
-  when: DOMSERVER_LOADBALANCING
+  when: host_type == 'domserver' and DOMSERVER_LOADBALANCING
+  loop: "{{ groups['domserver'] | map('extract', hostvars, 'ansible_host') + [DOMSERVER_IP] }}"

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ set $domjudgeRoot {{ DJ_DIR }}/webapp/public;`
`11`	`11`	`set $prefix '';`
`12`	`12`
`13`	`13`	`location / {`
`14`		`-{% if DOMSERVER_LOADBALANCING %}`
	`14`	`+{% if host_type == 'domserver' and DOMSERVER_LOADBALANCING %}`
`15`	`15`	`if ($access_allowed = false) {`
`16`	`16`	`return 403;`
`17`	`17`	`}`