Add CDS role to Ansible.

Co-authored-by: MCJ Vasseur <[email protected]>

Author: nickygerritsen

icpc-wf/ansible/Makefile

@@ -5,6 +5,7 @@ default:
 	@echo " - make judgehost"
 	@echo " - make admin"
 	@echo " - make grafana"
+	@echo " - make cds"
 
 LIBVENDORTGZ=roles/domjudge_checkout/files/lib-vendor.tgz
 SSHKEY=roles/ssh/files/id_rsa
@@ -21,7 +22,7 @@ $(LIBVENDOR): $(LIBVENDORTGZ)
 	-cd roles/domjudge_checkout/files && tar xzf $(notdir $<)
 endif
 
-domserver judgehost admin grafana: %: %.yml hosts group_vars/all/secret.yml $(LIBVENDOR) $(SSHKEY) $(SSHKEY).pub
+domserver judgehost admin grafana cds: %: %.yml hosts group_vars/all/secret.yml $(LIBVENDOR) $(SSHKEY) $(SSHKEY).pub
 	ansible-playbook -i hosts $<
 
 admin: $(SSL_LOCALHOST_FILES)
@@ -45,4 +46,4 @@ distclean: clean
 	rm -f $(SSL_LOCALHOST_FILES)
 	rm -f $(SSL_GRAFANA_FILES)
 
-.PHONY: default clean distclean domserver judgehost admin grafana
+.PHONY: default clean distclean domserver judgehost admin grafana cds

icpc-wf/ansible/cds.yml

@@ -0,0 +1,29 @@
+---
+# This playbook installs the CDS
+
+- name: setup CDS
+  hosts: cds
+  vars:
+    host_type: cds
+  become: yes
+  roles:
+    - role: base_packages
+      tags: base_packages
+    - role: icpc_fixes
+      tags: icpc_fixes
+      when: ICPC_IMAGE
+    - role: system_fixes
+      tags: system_fixes
+    - role: hosts
+      tags: hosts
+    - role: ssl
+      tags: ssl
+      when: CDS_HOSTNAME
+      vars:
+        INSTALL_SSL_PRIVATE_KEYS: true
+    - role: domjudge_user
+      tags: domjudge_user
+    - role: ssh
+      tags: ssh
+    - role: cds
+      tags: cds

icpc-wf/ansible/group_vars/all/all.yml

@@ -46,3 +46,11 @@ PHPSTORM_VERSION: 2021.2
 PHPSTORM_FULL_VERSION: 212.5284.49
 
 GRAFANA_MONITORING: false
+
+# Hostname of the CDS. If set, will add an nginx in front of the CDS
+# If not set, will only expose CDS directly
+CDS_HOSTNAME: cds
+
+#  CDS SSL cert and key. Only needed when CDS_HOSTNAME is set
+CDS_SSL_CERT: /etc/ssl/certs/cds.crt
+CDS_SSL_KEY: /etc/ssl/private/cds.key

icpc-wf/ansible/group_vars/all/secret.yml.example

@@ -17,3 +17,34 @@ ADMIN_PASSWORD: some-admin-password
 # Set this to enable a password on the 'domjudge' shell accounts
 # created on the domserver and judgehosts.
 #DJ_SHELL_USER_PW: some-hashed-password
+
+# Users to create when setting up the CDS
+CDS_USERS:
+    - username: admin
+      password: adm1n
+    - username: presAdmin
+      password: padm1n
+    - username: blue
+      password: blu3
+    - username: balloon
+      password: balloonPr1nter
+    - username: public
+      password: publ1c
+    - username: presentation
+      password: presentat1on
+    - username: myicpc
+      password: my1cpc
+    - username: live
+      password: l1ve
+    - username: team1
+      password: t3am
+
+# Contest(s) to configure in the CDS
+CDS_CONTESTS:
+  - path: nwerc18 # Path in the contest directory
+    ccs:
+      id: nwerc18 # ID of the contest if hosted at DOMJUDGE_URL
+      # Or provide a absolute URL
+      # url: https://www.domjudge.org/demoweb/api/contests/nwerc18
+      username: admin
+      password: admin

icpc-wf/ansible/hosts

@@ -35,3 +35,6 @@ domjudge-ccsadmin5 ansible_host=10.3.3.227
 
 [grafana]
 domjudge-prometheus ansible_host=10.3.3.223
+
+[cds]
+domjudge-cds  ansible_host=10.2.2.228

icpc-wf/ansible/roles/cds/files/cds.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=CDS
+[Service]
+User=domjudge
+Restart=always
+ExecStart=/home/domjudge/cds/wlp/bin/server run cds
+TimeoutStopSec=20s
+[Install]
+WantedBy=multi-user.target

icpc-wf/ansible/roles/cds/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# Define here handlers associated to this role.
+
+- name: restart systemctl
+  shell: systemctl daemon-reload
+
+- name: restart cds
+  service: name=cds enabled=yes state=restarted
+
+- name: restart nginx
+  service: name=nginx enabled=yes state=restarted

icpc-wf/ansible/roles/cds/tasks/main.yml

@@ -0,0 +1,126 @@
+---
+# These tasks configure the CDS
+
+- name: Get the latest CDS release
+  uri:
+    url: https://api.github.com/repos/icpctools/icpctools/releases/latest
+    method: GET
+    return_content: yes
+    status_code: 200
+    body_format: json
+  register: latest_cds_release
+
+- name: Set CDS latest version
+  set_fact:
+    cds_version: "{{ latest_cds_release.json.name | replace('v', '') }}"
+
+- name: Check if CDS is installed
+  stat:
+    path: /home/domjudge/cds/wlp/usr/servers/cds/apps/CDS.war
+  register: cds_war
+
+- name: create CDS directory
+  file:
+    path: /home/domjudge/cds
+    state: directory
+    owner: domjudge
+    group: domjudge
+    mode: 0755
+
+- name: Download and unpack full CDS
+  unarchive:
+    src: https://github.com/icpctools/icpctools/releases/download/v{{ cds_version }}/wlp.CDS-{{ cds_version }}.zip
+    dest: /home/domjudge/cds
+    remote_src: true
+    owner: domjudge
+    group: domjudge
+  when: not cds_war.stat.exists
+  notify: restart cds
+
+- name: Download and unpack CDS WAR
+  unarchive:
+    src: https://github.com/icpctools/icpctools/releases/download/v{{ cds_version }}/CDS-{{ cds_version }}.zip
+    dest: /root
+    remote_src: true
+  when: cds_war.stat.exists
+
+- name: Copy new CDS war
+  copy:
+    src: /root/CDS-2.3/CDS.war
+    dest: /home/domjudge/cds/wlp/usr/servers/cds/apps/CDS.war
+    remote_src: yes
+    owner: domjudge
+    group: domjudge
+  when: cds_war.stat.exists
+  notify: restart cds
+
+- name: Populate CDS users.xml
+  template:
+    src: users.xml.j2
+    dest: /home/domjudge/cds/wlp/usr/servers/cds/users.xml
+    owner: domjudge
+    group: domjudge
+    mode: 0600
+  notify: restart cds
+
+- name: Populate CDS cdsConfig.xml
+  template:
+    src: cdsConfig.xml.j2
+    dest: /home/domjudge/cds/wlp/usr/servers/cds/config/cdsConfig.xml
+    owner: domjudge
+    group: domjudge
+    mode: 0600
+  notify: restart cds
+
+- name: Create contests config directory
+  file:
+    path: /home/domjudge/cds/contests
+    state: directory
+    owner: domjudge
+    group: domjudge
+    mode: 0755
+
+- name: Create contest specific directory
+  file:
+    path: /home/domjudge/cds/contests/{{ item.path }}
+    state: directory
+    owner: domjudge
+    group: domjudge
+    mode: 0755
+  loop: "{{ CDS_CONTESTS }}"
+
+- name: copy cds systemd unit file
+  copy:
+    src: cds.service
+    dest: /etc/systemd/system/
+  notify:
+    - restart systemctl
+    - restart cds
+
+- name: Setup nginx
+  block:
+  - name: install nginx
+    apt:
+      state: present
+      pkg:
+        - nginx
+
+  - name: add CDS nginx conf
+    template:
+      src: cds.conf.j2
+      dest: /etc/nginx/sites-available/cds.conf
+    notify: restart nginx
+
+  - name: enable nginx conf for CDS
+    file:
+      src: /etc/nginx/sites-available/cds.conf
+      dest: /etc/nginx/sites-enabled/cds.conf
+      state: link
+    notify: restart nginx
+
+  - name: disable default nginx site
+    file:
+      path: /etc/nginx/sites-enabled/default
+      state: absent
+    notify: restart nginx
+  when: CDS_HOSTNAME

icpc-wf/ansible/roles/cds/templates/cds.conf.j2

@@ -0,0 +1,37 @@
+# nginx configuration for the CDS
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{CDS_HOSTNAME}};
+
+	return 301 https://$host$request_uri;
+}
+
+server {
+	listen   443 ssl http2;
+	listen   [::]:443 ssl http2;
+
+	server_name {{CDS_HOSTNAME}};
+
+	ssl_certificate {{CDS_SSL_CERT}};
+	ssl_certificate_key {{CDS_SSL_KEY}};
+	ssl_session_timeout 5m;
+	ssl_prefer_server_ciphers on;
+
+	add_header Strict-Transport-Security max-age=31556952;
+
+	location / {
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_set_header Host $host;
+
+		proxy_pass https://localhost:8443;
+
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_request_buffering off;
+		proxy_buffering off;
+	}
+}

icpc-wf/ansible/roles/cds/templates/cdsConfig.xml.j2

@@ -0,0 +1,7 @@
+<cds>
+    {% for contest in CDS_CONTESTS %}
+    <contest location="/home/domjudge/cds/contests/{{ contest.path }}" recordReactions="false">
+        <ccs url="{% if contest.ccs.id is defined %}{{ DOMSERVER_URL }}/api/contests/{{ contest.ccs.id }}{% else %}{{ contest.ccs.url }}{% endif %}" user="{{ contest.ccs.username }}" password="{{ contest.ccs.password }}" />
+    </contest>
+    {% endfor %}
+</cds>