diff --git a/.github/linting.sh b/.github/linting.sh new file mode 100755 index 00000000..65ae7b8a --- /dev/null +++ b/.github/linting.sh @@ -0,0 +1,14 @@ +#!/usr/bin/bash + +set -euxo pipefail + +# shellcheck disable=SC2044 +for book in $(find ./ -maxdepth 1 -name "*.yml"); do + if [ "$book" != "./handlers.yml" ]; then + ansible-lint "$book" -x braces,line-length + fi +done +# shellcheck disable=SC2044 +for dir in $(find ./roles -maxdepth 1 -type d); do + ansible-lint "$dir" -x braces,line-length +done diff --git a/.github/workflows/ansible-linting.yml b/.github/workflows/ansible-linting.yml new file mode 100644 index 00000000..2bc0eeeb --- /dev/null +++ b/.github/workflows/ansible-linting.yml @@ -0,0 +1,22 @@ +name: Test contest deployment (ansible scripts) + +on: [push,pull_request] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Install ansible lint tools + run: sudo apt update; sudo pip install ansible-lint + - name: Lint the different scripts + run: | + set -eux + ansible-lint --version + ansible-lint . + working-directory: provision-contest/ansible + - name: Lint the different scripts (Via the script) + run: ../../.github/linting.sh + working-directory: provision-contest/ansible + diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index b917f770..91187d0a 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -11,4 +11,4 @@ jobs: - name: Run ShellCheck uses: ludeeus/action-shellcheck@master env: - SHELLCHECK_OPTS: -e SC1090 + SHELLCHECK_OPTS: -e SC1090 -e SC2086 -e SC2046 diff --git a/README.md b/README.md index bc6ac73a..993fff96 100644 --- a/README.md +++ b/README.md 
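Review bot: In the second loop, `find ./roles -maxdepth 1 -type d` also returns `./roles` itself, so ansible-lint is passed the whole roles tree once and then each role again; adding `-mindepth 1` limits it to the individual role directories. Both loops word-split the output of `find`, which is why SC2044 has to be suppressed twice; a glob such as `for book in ./*.yml; do` needs no suppression and copes with unusual file names. `set -x` is fine today, but it would echo any credential later added to this script into the CI log.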
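Review bot: The install step `sudo pip install ansible-lint` takes whatever release is current on PyPI and installs it as root, so the job is not reproducible and a bad upstream release runs with full privileges on the runner. Pinning the version (`pip install ansible-lint==<PINNED_VERSION>`) and installing without `sudo` (user or virtualenv install) would narrow that. The workflow also triggers on `pull_request` without a `permissions:` block, so the token gets the repository default; `permissions:` with `contents: read` is enough for a lint job. `actions/checkout@v2` is a moving tag rather than a commit SHA.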
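Review bot: Adding `-e SC2086 -e SC2046` to `SHELLCHECK_OPTS` switches off the unquoted-expansion and unquoted-command-substitution checks for every script in the repository, and those are the checks that catch word-splitting and globbing bugs in scripts handling paths or host names. If only some existing lines trip them, a per-line `# shellcheck disable=SC2086` with a short reason keeps the checks active for new code. The hunk's context also shows the action referenced as `ludeeus/action-shellcheck@master`, a moving branch, although that line is not part of this change.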
@@ -7,6 +7,6 @@ developers, but might be of use for others too. The following subdirectories contain: * `website` the HTML code for www.domjudge.org -* `icpc-wf` scripts used at the ICPC World Finals +* `provision-contest` scripts used at ICPC style contests, such as the World Finals * `contest-api` a script to validate an implementation of the [ICPC contest API](https://ccs-specs.icpc.io/contest_api) diff --git a/contest-api/check-api.sh b/contest-api/check-api.sh index eacfe95e..7e611d74 100755 --- a/contest-api/check-api.sh +++ b/contest-api/check-api.sh @@ -14,7 +14,9 @@ languages problems groups organizations +persons team-members +accounts teams state submissions @@ -30,6 +32,8 @@ scoreboard ENDPOINTS_OPTIONAL=' team-members +persons +accounts awards commentary ' diff --git a/contest-api/json-schema/account.json b/contest-api/json-schema/account.json new file mode 100644 index 00000000..af093e37 --- /dev/null +++ b/contest-api/json-schema/account.json @@ -0,0 +1,23 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "CLICS Contest API - account", + "description": "Definition of a single account object", + + "type": "object", + "properties": { + "id": { "$ref": "common.json#/identifier" }, + "username": { "type": "string" }, + "password": { "type": ["string", "null"] }, + "type": { + "oneOf": [ + { "enum": [ "team", "judge", "admin", "analyst", "staff" ] }, + { "type": "null" } + ] + }, + "ip": { "type": ["string", "null"] }, + "team_id": { "$ref": "common.json#/identifierornull" }, + "person_id": { "$ref": "common.json#/identifierornull" } + }, + "required": ["id", "username", "type"], + "$ref": "common.json#/strictproperties" +} diff --git a/contest-api/json-schema/accounts.json b/contest-api/json-schema/accounts.json new file mode 100644 index 00000000..29cb973a --- /dev/null +++ b/contest-api/json-schema/accounts.json 
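Review bot: In account.json the `password` property is accepted as any string and nothing in the schema marks it as sensitive, while the same commit adds `accounts` to the endpoints that check-api.sh queries. The script body is outside this diff, so it is worth confirming that the checker does not keep or print fetched responses where credentials could linger. A `description` on `password` stating that servers should return it only to privileged roles would document the expectation next to the field.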
@@ -0,0 +1,12 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "CLICS Contest API: accounts", + "description": "JSON response of this API call", + + "type": "array", + "uniqueItems": true, + "$ref": "common.json#/nonemptyarray", + "items": { + "$ref": "account.json#" + } +} diff --git a/contest-api/json-schema/common.json b/contest-api/json-schema/common.json index 9250b539..f7d0811e 100644 --- a/contest-api/json-schema/common.json +++ b/contest-api/json-schema/common.json @@ -11,7 +11,9 @@ "problems", "groups", "organizations", + "persons", "team-members", + "accounts", "teams", "state", "submissions", diff --git a/contest-api/json-schema/event-feed.json b/contest-api/json-schema/event-feed.json index 43c4abaa..656f5e05 100644 --- a/contest-api/json-schema/event-feed.json +++ b/contest-api/json-schema/event-feed.json @@ -22,7 +22,9 @@ { "$ref": "group.json#" }, { "$ref": "organization.json#" }, { "$ref": "team.json#" }, + { "$ref": "person.json#" }, { "$ref": "team-member.json#" }, + { "$ref": "account.json#" }, { "$ref": "state.json#" }, { "$ref": "submission.json#" }, { "$ref": "judgement.json#" }, diff --git a/contest-api/json-schema/person.json b/contest-api/json-schema/person.json new file mode 100644 index 00000000..5ea2cdc4 --- /dev/null +++ b/contest-api/json-schema/person.json 
@@ -0,0 +1,25 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "CLICS Contest API - person", + "description": "Definition of a single person object", + + "type": "object", + "properties": { + "id": { "$ref": "common.json#/identifier" }, + "team_id": { "$ref": "common.json#/identifier" }, + "icpc_id": { "type": [ "string", "null" ] }, + "name": { "type": "string" }, + "title": { "type": [ "string", "null" ] }, + "email": { "type": [ "string", "null" ] }, + "sex": { + "oneOf": [ + { "enum": [ "male", "female" ] }, + { "type": "null" } + ] + }, + "role": { "enum": [ "contestant", "coach", "staff" ] }, + "photo": { "$ref": "common.json#/imagerefsornull" } + }, + "required": ["id", "team_id", "name", "role"], + "$ref": "common.json#/strictproperties" +} diff --git a/contest-api/json-schema/persons.json b/contest-api/json-schema/persons.json new file mode 100644 index 00000000..0c24e937 --- /dev/null +++ b/contest-api/json-schema/persons.json @@ -0,0 +1,12 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "CLICS Contest API: persons", + "description": "JSON response of this API call", + + "type": "array", + "uniqueItems": true, + "$ref": "common.json#/nonemptyarray", + "items": { + "$ref": "person.json#" + } +} diff --git a/domlogo/domlogo.py b/domlogo/domlogo.py index ce60a337..f8bd7285 100755 --- a/domlogo/domlogo.py +++ b/domlogo/domlogo.py @@ -5,6 +5,7 @@ import os import requests import re +import time font = ('Roboto', 14) team_image = sg.Image(filename='domlogo-files/photos/idle.png') @@ -41,7 +42,7 @@ api_url = f'{api_url}/contests/{cid}' print(f'Contest is {cid}.') -latest_logfile = max(glob.glob('output/log/judge.*-0.log'), key=os.path.getctime) +latest_logfile = max(glob.glob('output/log/judge.*-2.log'), key=os.path.getctime) print(f'Checking logfile {latest_logfile}') with open(latest_logfile, 'r') as logfile: # Seeks to the end of the file. 
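Review bot: In domlogo.py the log glob now hard-codes judgedaemon index 2 (`judge.*-2.log`) where it previously hard-coded 0, so the script only works on hosts that run that particular daemon instance. When nothing matches, `max()` is called on an empty list and raises `ValueError` with no hint about the cause. Consider reading the index from an argument or environment variable and checking the list first, e.g. `logs = glob.glob(pattern)` followed by `if not logs: raise SystemExit(f'no logfile matches {pattern}')`.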
@@ -49,10 +50,13 @@ results = [] last_seen, needs_update = (None, None) while True: - event, values = window.read(timeout=10) + event, values = window.read(timeout=30) if event == sg.WIN_CLOSED: break line = logfile.readline() + # Sleep here for a tiny amount of time to avoid using too much CPU. + if len(line) == 0: + time.sleep(0.01) if 'Working directory:' in line: token = line.strip().split('/') judging_id = token[-1] @@ -65,10 +69,9 @@ team_id = submission_data['team_id'] last_seen = (submission_id, judging_id, team_id) new_filename = f'domlogo-files/photos/{team_id}.png' - if team_id>=120: - team_image.update(filename=new_filename) - f'domlogo-files/photos/{team_id}.png') - team_image.update(filename=f'domlogo-files/photos/{team_id}.png') + if (int)(team_id) >= 120: + new_filename = f'domlogo-files/photos/crew.png' + team_image.update(filename=new_filename) metadata_text.update(f's{submission_id} / {submission_data["problem_id"]} / {submission_data["language_id"]}') results_text.update('Busy compiling.') elif 'No submissions in queue' in line: @@ -96,6 +99,8 @@ color = 'DeepSkyBlue' for i in range(len(cache)-1): cache[i] = cache[i+1] + if (int)(tid) >= 120: + tid = 'DOMjudge' cache[-1] = (f'domlogo-files/logos/{tid}.png', f's{sid}/j{jid}\n{verdict}', color, jid) for i in range(len(cache)): previous_column[i][0].update(filename=cache[i][0]) diff --git a/icpc-wf/ansible/group_vars/all/secret.yml.example b/icpc-wf/ansible/group_vars/all/secret.yml.example deleted file mode 100644 index 74a24831..00000000 --- a/icpc-wf/ansible/group_vars/all/secret.yml.example +++ /dev/null 
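Review bot: `(int)(team_id) >= 120` converts an id taken straight from the API response, and contest API identifiers are strings that need not be numeric, so a non-numeric `team_id` raises `ValueError` inside the event loop and stops the display; the same expression is added for `tid` in the later `@@ -96,6 +99,8 @@` hunk. A guarded form such as `is_crew = str(team_id).isdigit() and int(team_id) >= 120` avoids that, and `int(team_id)` is the usual spelling of the C-style `(int)(team_id)`. `team_id` is also interpolated into `domlogo-files/photos/{team_id}.png` before any check, so restricting it to the expected character set keeps an unexpected id from selecting a file outside the photos directory. The threshold 120 would read better as a named constant; the enclosing loop starts outside this hunk.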
@@ -1,19 +0,0 @@
-# Password for the MySQL replication user.
-# Set this to enable master-master replication between two domservers.
-REPLICATION_PASSWORD: some-replication-password
-
-# Database user password.
-DB_PASSWORD: some-database-password
-
-# Credentials for the REST API.
-API_USER: judgehost
-API_PASSWORD: some-judgehost-password
-
-# Username and password to be used in .netrc files on admin machines
-ADMIN_USER: admin
-ADMIN_PASSWORD: some-admin-password
-
-# Password for domjudge shell user
-# Set this to enable a password on the 'domjudge' shell accounts
-# created on the domserver and judgehosts.
-#DJ_SHELL_USER_PW: some-hashed-password
diff --git a/icpc-wf/ansible/roles/base_packages/tasks/main.yml b/icpc-wf/ansible/roles/base_packages/tasks/main.yml
deleted file mode 100644
index caed77dc..00000000
--- a/icpc-wf/ansible/roles/base_packages/tasks/main.yml
+++ /dev/null
@@ -1,100 +0,0 @@ ---- -# This task configures packaging and installs various system utilities - -- name: replace pc2.ecs.baylor.edu by packages in apt sources - replace: - dest: "/etc/apt/{{ item }}" - regexp: 'pc2\.ecs\.baylor\.edu' - replace: 'packages' - with_items: - - sources.list - - sources.list.d/microsoft.list - - sources.list.d/mono.list - - sources.list.d/vscode.list - - sources.list.d/pypy-ubuntu-ppa-buster.list - notify: run apt update - when: WF_RESTRICTED_NETWORK - -- name: add packages to hosts file - lineinfile: - dest: /etc/hosts - regexp: '^10\.3\.3\.209' - line: "10.3.3.209 packages" - notify: run apt update - when: WF_RESTRICTED_NETWORK - -- name: check for dpkg architecture i386 - command: dpkg --print-foreign-architectures - register: dpkg_architectures - changed_when: false - -- name: remove unused dpkg architecture i386 - command: dpkg --remove-architecture i386 - notify: run apt update - when: dpkg_architectures.stdout.find('i386') != -1 - -- name: remove pycharm repo - replace: - dest: /etc/apt/sources.list - regexp: '^([^#].*pycharm.*)$' - replace: '# \1' - notify: run apt update - -- name: flush handlers - meta: flush_handlers - -- name: remove some packages - apt: - state: absent - pkg: - - apport - - ntp - -- name: install common required/useful packages - apt: - state: present - pkg: - - ack - - git - - htop - - httpie - - ncdu - - pv - - screen - - autoconf - - automake - - efibootmgr - - curl - - gcc - - g++ - - default-jdk-headless - - make - - zip - - unzip - - php-cli - - php-gd - - php-curl - - php-mysql - - php-json - - php-xml - - php-zip - - php-mbstring - - php-intl - - bsdmainutils - - libcgroup-dev - - libcurl4-gnutls-dev - - libjsoncpp-dev - - libmagic-dev - - composer - - debootstrap - - texlive-latex-recommended - - texlive-latex-extra - - apache2-utils - - tig - - bat - - jq - -- name: install local DEB packages - include: install-local-package.yml - with_fileglob: - - install-{{host_type}}/*.deb 
diff --git a/icpc-wf/ansible/roles/domjudge_checkout/tasks/main.yml b/icpc-wf/ansible/roles/domjudge_checkout/tasks/main.yml deleted file mode 100644 index 1cfdfe16..00000000 --- a/icpc-wf/ansible/roles/domjudge_checkout/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# These tasks create a checkout of the DOMjudge repo - -- name: create working copy directory - file: - path: "{{DJ_DIR}}" - state: directory - owner: domjudge - group: domjudge - -- name: create working copy of the domjudge repo - become: yes - become_user: domjudge - git: repo={{DJ_GIT_REPO}} dest={{DJ_DIR}} version={{DJ_BRANCH}} accept_hostkey=yes update=yes - register: git_working_copy - -- name: Check composer dependencies present - become: no - local_action: stat path=files/lib/vendor - register: libvendor - -- name: Copy in composer dependencies (if they exist locally) - synchronize: - src: files/lib/vendor/ - dest: "{{DJ_DIR}}/lib/vendor/" - owner: no - use_ssh_args: true - when: libvendor.stat.exists - -- name: fix ownership of lib/vendor - file: - path: "{{DJ_DIR}}/lib/vendor" - recurse: yes - owner: domjudge - group: domjudge diff --git a/icpc-wf/ansible/roles/domlogo/files/domlogo.py b/icpc-wf/ansible/roles/domlogo/files/domlogo.py deleted file mode 100755 index 11d07a23..00000000 --- a/icpc-wf/ansible/roles/domlogo/files/domlogo.py +++ /dev/null 
@@ -1,109 +0,0 @@ -#!/usr/bin/python3 - -import PySimpleGUI as sg -import glob -import os -import requests -import re -import time - -font = ('Roboto', 14) -team_image = sg.Image(filename='domlogo-files/photos/idle.png') -metadata_text = sg.Text('No submissions in queue.', font=font) -results_text = sg.Text('', font=font) -current_column = [ - [team_image], - [metadata_text], - [results_text], -] -cache = [('domlogo-files/logos/DOMjudge.png', ' \n ', None, None) for _ in range(10)] -previous_column = [ - [sg.Image(filename=c[0]), sg.Text(c[1], font=font), sg.Canvas(size=(10,50))] for c in cache -] -layout = [ - [sg.Column(current_column), sg.VerticalSeparator(), sg.Column(previous_column)], -] -window = sg.Window('DOMlogo', layout, location=(1000,0), keep_on_top=True) - -with open('etc/restapi.secret', 'r') as secrets: - while True: - line = secrets.readline() - if not line: - break - if line.startswith('#'): - continue - id, api_url, user, passwd = line.strip().split() - break -print(f'Using {api_url} as endpoint.') - -contests = requests.get(f'{api_url}/contests', auth=(user,passwd)).json() -latest_contest = sorted(contests, key=lambda c: c['end_time'])[-1] -cid = latest_contest['id'] -api_url = f'{api_url}/contests/{cid}' -print(f'Contest is {cid}.') - -latest_logfile = max(glob.glob('output/log/judge.*-0.log'), key=os.path.getctime) -print(f'Checking logfile {latest_logfile}') -with open(latest_logfile, 'r') as logfile: - # Seeks to the end of the file. 
- logfile.seek(0, 2) - results = [] - last_seen, needs_update = (None, None) - while True: - event, values = window.read(timeout=30) - if event == sg.WIN_CLOSED: - break - line = logfile.readline() - if len(line) == 0: - time.sleep(0.01) - if 'Working directory:' in line: - token = line.strip().split('/') - judging_id = token[-1] - submission_id = token[-2] - if not last_seen or last_seen[1] != judging_id: - print(f'new submission, line was {line}') - needs_update = last_seen - results = [] - submission_data = requests.get(f'{api_url}/submissions/{submission_id}', auth=(user,passwd)).json() - team_id = submission_data['team_id'] - last_seen = (submission_id, judging_id, team_id) - new_filename = f'domlogo-files/photos/{team_id}.png' - if (int)(team_id) >= 120: - new_filename = f'domlogo-files/photos/crew.png' - team_image.update(filename=new_filename) - metadata_text.update(f's{submission_id} / {submission_data["problem_id"]} / {submission_data["language_id"]}') - results_text.update('Busy compiling.') - elif 'No submissions in queue' in line: - needs_update = last_seen - last_seen = None - team_image.update(filename=f'domlogo-files/photos/idle.png') - metadata_text.update('No submissions in queue.') - results_text.update('') - elif ' Compilation: ' in line: - results_text.update(line.split('💻')[1:]) - elif ', result: ' in line: - result = line.split(', result: ')[-1].strip() - results.append('✔' if result == 'correct' else '✘') - results_text.update('\n'.join(re.findall( - '.{1,78}', ' '.join(results)))) - if needs_update: - sid, jid, tid = needs_update - needs_update = None - judging_data = requests.get(f'{api_url}/judgements/{jid}', auth=(user,passwd)).json() - verdict = judging_data['judgement_type_id'] or 'pending' - color = 'firebrick1' - if verdict == 'AC': - color = 'LightGreen' - elif verdict == 'pending': - color = 'DeepSkyBlue' - for i in range(len(cache)-1): - cache[i] = cache[i+1] - if (int)(tid) >= 120: - tid = 'DOMjudge' - cache[-1] = 
(f'domlogo-files/logos/{tid}.png', f's{sid}/j{jid}\n{verdict}', color, jid) - for i in range(len(cache)): - previous_column[i][0].update(filename=cache[i][0]) - previous_column[i][1].update(cache[i][1]) - previous_column[i][2].TKCanvas.config(bg=cache[i][2]) - -window.close() diff --git a/icpc-wf/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 b/icpc-wf/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 deleted file mode 100644 index b905e534..00000000 --- a/icpc-wf/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 +++ /dev/null @@ -1,4 +0,0 @@ -[Desktop Entry] -Name=domjudgelogo -Type=Application -Exec=bash -c "sleep 10 && cd {{DJ_DIR}} && python3 ./domlogo.py 1>/home/domjudge/logo.out 2>/home/domjudge/logo.err" diff --git a/icpc-wf/ansible/roles/domserver/handlers/main.yml b/icpc-wf/ansible/roles/domserver/handlers/main.yml deleted file mode 100644 index 6ebc67dd..00000000 --- a/icpc-wf/ansible/roles/domserver/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# Define here handlers associated to this role. - -- name: restart nginx - service: name=nginx enabled=yes state=restarted - -- name: restart PHP FPM - service: name=php7.4-fpm enabled=yes state=restarted diff --git a/icpc-wf/ansible/roles/grafana/files/datasources.yml b/icpc-wf/ansible/roles/grafana/files/datasources.yml deleted file mode 100644 index d6f596e4..00000000 --- a/icpc-wf/ansible/roles/grafana/files/datasources.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -# config file version -apiVersion: 1 - -# list of datasources that should be deleted from the database -deleteDatasources: - - name: Prometheus - orgId: 1 - -# list of datasources to insert/update depending -# what's available in the database -datasources: - # name of the datasource. Required -- name: Prometheus - # datasource type. Required - type: prometheus - # access mode. proxy or direct (Server or Browser in the UI). Required - access: proxy - # org id. will default to orgId 1 if not specified - orgId: 1 - # url - url: http://localhost:9090 - # database password, if used - # password: - # database user, if used - # user: - # database name, if used - # database: - # enable/disable basic auth - # basicAuth: - # basic auth username - # basicAuthUser: - # basic auth password - # basicAuthPassword: - # enable/disable with credentials headers - # withCredentials: - # mark as default datasource. Max one per org - isDefault: true - # fields that will be converted to json and stored in jsonData - # jsonData: - # graphiteVersion: "1.1" - # tlsAuth: true - # tlsAuthWithCACert: true - # json object of data that will be encrypted. - # secureJsonData: - # tlsCACert: "..." - # tlsClientCert: "..." - # tlsClientKey: "..." - version: 1 - # allow users to edit datasources from the UI. - editable: true diff --git a/icpc-wf/ansible/roles/grafana/handlers/main.yml b/icpc-wf/ansible/roles/grafana/handlers/main.yml deleted file mode 100644 index 46913eab..00000000 --- a/icpc-wf/ansible/roles/grafana/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# Define here handlers associated to this role. - -- name: restart nginx-exporter - service: name=prometheus-nginx-exporter enabled=yes state=restarted - -- name: restart php-exporter - service: name=php-fpm-exporter enabled=yes state=restarted diff --git a/icpc-wf/ansible/roles/grafana/tasks/main.yml b/icpc-wf/ansible/roles/grafana/tasks/main.yml deleted file mode 100644 index 8df58379..00000000 
--- a/icpc-wf/ansible/roles/grafana/tasks/main.yml +++ /dev/null @@ -1,63 +0,0 @@ ---- -# These tasks install and configure grafana - -- name: install dependencies - apt: - state: present - install_recommends: no - pkg: - - nginx - - prometheus - -# Setup Prometheus, which scrapes all metrics from the monitored machines -# The client exposes the metrics (on different ports/URIs) and we collect those -- name: set up prometheus scrapes - template: - src: prometheus.yml.j2 - dest: /etc/prometheus/prometheus.yml - -- name: restart prometheus - service: name=prometheus state=restarted - -## Setup grafana -- name: configure grafana - synchronize: - src: files/grafana/environment - dest: /etc/default/grafana-server - -- name: set up grafana datasources - synchronize: - src: files/grafana/datasources.yml - dest: /etc/grafana/provisioning/datasources/default.yml - -- name: set up grafana dashboards - synchronize: - src: files/grafana/dashboards.yml - dest: /etc/grafana/provisioning/dashboards/default.yml - -- name: copy grafana dashboards - synchronize: - src: dashboards/ - dest: /etc/grafana/dashboards/ - -- name: restart grafana - service: name=grafana-server state=restarted - -# Setup nginx with selfsigned certificate -- name: copy ssl cert - synchronize: - src=ssl.crt - dest=/etc/ssl/certs/grafana.crt - -- name: copy ssl key - synchronize: - src=ssl.key - dest=/etc/ssl/private/grafana.key - -- name: copy default nginx config - synchronize: - src=nginx.conf - dest=/etc/nginx/sites-enabled/grafana.conf - -- name: restart nginx - service: name=nginx enabled=yes state=restarted diff --git a/icpc-wf/ansible/roles/judgedaemon/handlers/main.yml b/icpc-wf/ansible/roles/judgedaemon/handlers/main.yml deleted file mode 100644 index 5629a7f0..00000000 --- a/icpc-wf/ansible/roles/judgedaemon/handlers/main.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -# Define here handlers associated to this role. - -- name: restart systemctl - shell: systemctl daemon-reload - -- name: enable and restart tune_cpu - service: name=tune_cpu enabled=yes state=restarted - -- name: enable and restart create-cgroups - service: name=create-cgroups enabled=yes state=restarted - -- name: enable and restart judgedaemon - service: - name="domjudge-judgedaemon@{{item}}" - enabled=yes - state=restarted - with_items: "{{CPUCORE}}" - -- name: update grub - shell: update-grub - -- name: reboot - reboot: diff --git a/icpc-wf/ansible/roles/mysql_server/tasks/main.yml b/icpc-wf/ansible/roles/mysql_server/tasks/main.yml deleted file mode 100644 index dd011512..00000000 --- a/icpc-wf/ansible/roles/mysql_server/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# These tasks install and configure a MySQL server - -- name: install mysql packages - apt: - state: present - pkg: - - mariadb-server - - python3-mysqldb - - mycli - -- name: copy in MySQL config - copy: src=my.cnf dest=/root/.my.cnf - -- name: create directory for systemd mysql settings - file: path=/etc/systemd/system/mysql.service.d/ state=directory - -- name: update systemd so mysql has bigger limits - copy: src=mysql.override.cnf dest=/etc/systemd/system/mysql.service.d/override.conf - notify: restart mysql - -- name: add mysql config snippet to increase limits - copy: src=mysql.domjudge.cnf dest=/etc/mysql/mariadb.conf.d/zz_domjudge.cnf - notify: restart mysql - -- name: make sure mysql is restarted - meta: flush_handlers diff --git a/icpc-wf/ansible/roles/prometheus_target_all/tasks/main.yml b/icpc-wf/ansible/roles/prometheus_target_all/tasks/main.yml deleted file mode 100644 index 438b3ca5..00000000 --- a/icpc-wf/ansible/roles/prometheus_target_all/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# This tasks gathers default system metrics. - -- name: install required packages - apt: - state: present - pkg: - - prometheus-node-exporter 
diff --git a/icpc-wf/ansible/roles/prometheus_target_web/handlers/main.yml b/icpc-wf/ansible/roles/prometheus_target_web/handlers/main.yml
deleted file mode 100644
index c52fe7a8..00000000
--- a/icpc-wf/ansible/roles/prometheus_target_web/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# Define here handlers associated to this role.
-
-- name: restart php-exporter
- service: name=php-fpm-exporter enabled=yes state=restarted
-
-- name: restart nginx
- service: name=nginx enabled=yes state=restarted
-
-- name: restart nginx-exporter
- service: name=prometheus-nginx-exporter enabled=yes state=restarted
-
-- name: restart mysqld-exporter
- service: name=prometheus-mysqld-exporter enabled=yes state=restarted
diff --git a/icpc-wf/ansible/roles/prometheus_target_web/meta/main.yml b/icpc-wf/ansible/roles/prometheus_target_web/meta/main.yml
deleted file mode 100644
index 389a3278..00000000
--- a/icpc-wf/ansible/roles/prometheus_target_web/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Role dependencies
----
-dependencies:
- - role: domserver
diff --git a/provision-contest/ansible/.ansible-lint b/provision-contest/ansible/.ansible-lint
new file mode 100644
index 00000000..4310b985
--- /dev/null
+++ b/provision-contest/ansible/.ansible-lint
@@ -0,0 +1,7 @@
+parseable: true
+skip_list:
+ - no-handler # TODO: this might break existing playbooks
+ - meta-no-info # We don't publish to galaxy (yet)
+ - fqcn-builtins # I see no benefit as we dont use custom roles
+use_default_rules: true
+verbosity: 1
diff --git a/icpc-wf/ansible/Makefile b/provision-contest/ansible/Makefile
similarity index 87%
rename from icpc-wf/ansible/Makefile
rename to provision-contest/ansible/Makefile
index bc23a055..85365fcf 100644
--- a/icpc-wf/ansible/Makefile
+++ b/provision-contest/ansible/Makefile
@@ -5,6 +5,8 @@ default: @echo " - make judgehost" @echo " - make admin" @echo " - make grafana" + @echo " - make cds" + @echo " - make scoreboard" LIBVENDORTGZ=roles/domjudge_checkout/files/lib-vendor.tgz SSHKEY=roles/ssh/files/id_rsa @@ -21,7 +23,7 @@ $(LIBVENDOR): $(LIBVENDORTGZ) -cd roles/domjudge_checkout/files && tar xzf $(notdir $<) endif -domserver judgehost admin grafana: %: %.yml hosts group_vars/all/secret.yml $(LIBVENDOR) $(SSHKEY) $(SSHKEY).pub +domserver judgehost admin grafana cds scoreboard mgmt: %: %.yml hosts group_vars/all/secret.yml $(LIBVENDOR) $(SSHKEY) $(SSHKEY).pub ansible-playbook -i hosts $< admin: $(SSL_LOCALHOST_FILES) @@ -45,4 +47,4 @@ distclean: clean rm -f $(SSL_LOCALHOST_FILES) rm -f $(SSL_GRAFANA_FILES) -.PHONY: default clean distclean domserver judgehost admin grafana +.PHONY: default clean distclean domserver judgehost admin grafana cds scoreboard diff --git a/icpc-wf/ansible/README.md b/provision-contest/ansible/README.md similarity index 100% rename from icpc-wf/ansible/README.md rename to provision-contest/ansible/README.md diff --git a/icpc-wf/ansible/admin.yml b/provision-contest/ansible/admin.yml similarity index 77% rename from icpc-wf/ansible/admin.yml rename to provision-contest/ansible/admin.yml index ba9a8ece..c7419c70 100644 --- a/icpc-wf/ansible/admin.yml +++ b/provision-contest/ansible/admin.yml @@ -5,7 +5,7 @@ hosts: admin vars: host_type: admin - become: yes + become: true roles: - role: base_packages tags: base_packages 
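Review bot: The pattern rule now lists `mgmt` as a target (`domserver judgehost admin grafana cds scoreboard mgmt: %: %.yml ...`), but `.PHONY` and the `default` help text only gained `cds` and `scoreboard`. Without `mgmt` in `.PHONY`, a file or directory of that name could be treated as up to date and the playbook run skipped; suggest `.PHONY: default clean distclean domserver judgehost admin grafana cds scoreboard mgmt` and an `@echo " - make mgmt"` line. No `mgmt.yml` is visible in this part of the diff, so confirm the playbook exists.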
@@ -49,56 +49,60 @@ apt: state: present pkg: - - gitk - - git-gui - - makepasswd - - mmv + - gitk + - git-gui + - makepasswd + - mmv - name: enable developer mode lineinfile: regexp: 'APP_ENV=' line: 'APP_ENV=dev' - dest: "{{DJ_DIR}}/webapp/.env.local" + dest: "{{ DJ_DIR }}/webapp/.env.local" - name: add cds to hosts file lineinfile: dest: /etc/hosts regexp: 'cds$' - line: "10.3.3.207 cds" + line: "10.3.3.207 cds" - name: add kattis to hosts file lineinfile: dest: /etc/hosts regexp: 'kattis$' - line: "10.3.3.212 kattis" + line: "10.3.3.212 kattis" - name: add domjudge-laptop to hosts file lineinfile: dest: /etc/hosts regexp: 'domjudge-laptop$' - line: "10.3.3.200 domjudge-laptop" + line: "10.3.3.200 domjudge-laptop" - name: add nisprint to hosts file lineinfile: dest: /etc/hosts regexp: 'printsrv$' - line: "10.3.3.211 nisprint nismaster printsrv" + line: "10.3.3.211 nisprint nismaster printsrv" + + - name: Update repo URL based on network + set_fact: + dj_git_repo_scripts: "{{ DJ_GIT_REPO_SCRIPTS_RESTRICTED if WF_RESTRICTED_NETWORK else DJ_GIT_REPO_SCRIPTS }}" - name: create working copy of the domjudge-scripts repo - become: yes + become: true become_user: domjudge # We use a different directory here to have one single 'upstream' and not have issues with it - git: repo={{DJ_GIT_REPO_SCRIPTS}} dest=/home/domjudge/domjudge-scripts-checkout version=main accept_hostkey=yes update=no + git: repo={{ dj_git_repo_scripts }} dest=/home/domjudge/domjudge-scripts-checkout version=main accept_hostkey=yes update=no - name: create working copy of the wf2020 repo - become: yes + become: true become_user: domjudge git: repo=git@cds:wf2020 dest=/home/domjudge/wf2020 version=master accept_hostkey=yes update=no - name: copy custom CSS file for admin machines copy: src: admin-machine.css - dest: "{{DJ_DIR}}/webapp/public/css/custom/admin-machine.css" + dest: "{{ DJ_DIR }}/webapp/public/css/custom/admin-machine.css" owner: domjudge group: domjudge mode: 0644 
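Review bot: The rewritten clone task keeps `accept_hostkey=yes` while its URL now switches between `DJ_GIT_REPO_SCRIPTS_RESTRICTED` and `DJ_GIT_REPO_SCRIPTS`, so if either is an SSH URL the host it points at has its key accepted on first contact without verification. Seeding the expected key beforehand with the `known_hosts` module and dropping `accept_hostkey` would make the clone fail rather than trust an unexpected server; the same applies to the unchanged `git@cds:wf2020` task below it. Neither variable is defined in the visible part of the diff, so a default or an early assertion would give a clearer error than an undefined-variable failure in `set_fact`.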
diff --git a/provision-contest/ansible/cds.yml b/provision-contest/ansible/cds.yml new file mode 100644 index 00000000..fa9b45cd --- /dev/null +++ b/provision-contest/ansible/cds.yml @@ -0,0 +1,38 @@ +--- +# This playbook installs the CDS + +- name: setup CDS + hosts: cds + vars: + host_type: cds + become: true + roles: + - role: base_packages + tags: base_packages + - role: icpc_fixes + tags: icpc_fixes + when: ICPC_IMAGE + - role: system_fixes + tags: system_fixes + - role: hosts + tags: hosts + - role: ssl + tags: ssl + when: CDS_HOSTNAME is defined + vars: + INSTALL_SSL_PRIVATE_KEYS: true + - role: domjudge_user + tags: domjudge_user + - role: ssh + tags: ssh + - role: cds + tags: cds + - role: prometheus_target_web + tags: prometheus_target_web + vars: + MARIADB: false + FPM: false + when: GRAFANA_MONITORING + - role: prometheus_target_all + tags: prometheus_target_all + when: GRAFANA_MONITORING diff --git a/icpc-wf/ansible/domserver.yml b/provision-contest/ansible/domserver.yml similarity index 76% rename from icpc-wf/ansible/domserver.yml rename to provision-contest/ansible/domserver.yml index e7cd1660..e1c5b75d 100644 --- a/icpc-wf/ansible/domserver.yml +++ b/provision-contest/ansible/domserver.yml @@ -5,7 +5,7 @@ hosts: domserver vars: host_type: domserver - become: yes + become: true roles: - role: base_packages tags: base_packages @@ -34,10 +34,15 @@ tags: domserver - role: mysql_replication tags: mysql_replication + when: REPLICATION_PASSWORD is defined - role: keepalived tags: keepalived + when: KEEPALIVED_PRIORITY is defined - role: prometheus_target_web tags: prometheus_target_web + vars: + MARIADB: true + FPM: true when: GRAFANA_MONITORING - role: prometheus_target_all tags: prometheus_target_all 
@@ -49,47 +54,50 @@ apt: state: present pkg: - - python3-mysqldb - - macchanger - - molly-guard + - python3-mysqldb + - macchanger + - molly-guard - name: disable developer mode lineinfile: regexp: '^APP_ENV=dev' state: absent - dest: "{{DJ_DIR}}/webapp/.env.local" + dest: "{{ DJ_DIR }}/webapp/.env.local" - name: install contest images synchronize: src: files/domjudge-public/ - dest: "{{DJ_DIR}}/webapp/public" - owner: no + dest: "{{ DJ_DIR }}/webapp/public" + owner: false use_ssh_args: true notify: clear application cache - name: Add documentation in DOMjudge team interface copy: src: files/docs.yaml - dest: "{{DJ_DIR}}/etc/" + dest: "{{ DJ_DIR }}/etc/" + mode: 0644 + group: root + owner: root notify: clear application cache - name: add autostart shortcuts copy: - src: files/{{item}}.desktop + src: files/{{ item }}.desktop dest: /home/domjudge/.config/autostart/ owner: domjudge group: domjudge mode: 0755 - with_items: + loop: - htop - taillog-domserver-nginx-error - name: add autostart shortcuts from template template: - src: files/{{item}}.desktop.j2 - dest: /home/domjudge/.config/autostart/{{item}}.desktop + src: files/{{ item }}.desktop.j2 + dest: /home/domjudge/.config/autostart/{{ item }}.desktop owner: domjudge group: domjudge mode: 0755 - with_items: + loop: - taillog-domserver-symfony-error diff --git a/icpc-wf/ansible/files/.gitignore b/provision-contest/ansible/files/.gitignore similarity index 100% rename from icpc-wf/ansible/files/.gitignore rename to provision-contest/ansible/files/.gitignore diff --git a/icpc-wf/ansible/files/admin-machine.css b/provision-contest/ansible/files/admin-machine.css similarity index 100% rename from icpc-wf/ansible/files/admin-machine.css rename to provision-contest/ansible/files/admin-machine.css 
diff --git a/icpc-wf/ansible/files/collectd-mysql.py b/provision-contest/ansible/files/collectd-mysql.py
similarity index 100%
rename from icpc-wf/ansible/files/collectd-mysql.py
rename to provision-contest/ansible/files/collectd-mysql.py
diff --git a/icpc-wf/ansible/files/collectd.conf.j2 b/provision-contest/ansible/files/collectd.conf.j2
similarity index 100%
rename from icpc-wf/ansible/files/collectd.conf.j2
rename to provision-contest/ansible/files/collectd.conf.j2
diff --git a/icpc-wf/ansible/files/docs.yaml b/provision-contest/ansible/files/docs.yaml
similarity index 100%
rename from icpc-wf/ansible/files/docs.yaml
rename to provision-contest/ansible/files/docs.yaml
diff --git a/icpc-wf/ansible/files/domjudge-public/.gitignore b/provision-contest/ansible/files/domjudge-public/.gitignore
similarity index 100%
rename from icpc-wf/ansible/files/domjudge-public/.gitignore
rename to provision-contest/ansible/files/domjudge-public/.gitignore
diff --git a/icpc-wf/ansible/files/grafana/.gitignore b/provision-contest/ansible/files/grafana/.gitignore
similarity index 100%
rename from icpc-wf/ansible/files/grafana/.gitignore
rename to provision-contest/ansible/files/grafana/.gitignore
diff --git a/icpc-wf/ansible/files/grafana/dashboards.yml b/provision-contest/ansible/files/grafana/dashboards.yml
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards.yml
rename to provision-contest/ansible/files/grafana/dashboards.yml
diff --git a/icpc-wf/ansible/files/grafana/dashboards/DOMjudge_Dashboard.json b/provision-contest/ansible/files/grafana/dashboards/DOMjudge_Dashboard.json
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards/DOMjudge_Dashboard.json
rename to provision-contest/ansible/files/grafana/dashboards/DOMjudge_Dashboard.json
diff --git a/icpc-wf/ansible/files/grafana/dashboards/mysql_14057.json b/provision-contest/ansible/files/grafana/dashboards/mysql_14057.json
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards/mysql_14057.json
rename to provision-contest/ansible/files/grafana/dashboards/mysql_14057.json
diff --git a/icpc-wf/ansible/files/grafana/dashboards/nginx.json b/provision-contest/ansible/files/grafana/dashboards/nginx.json
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards/nginx.json
rename to provision-contest/ansible/files/grafana/dashboards/nginx.json
diff --git a/icpc-wf/ansible/files/grafana/dashboards/node_exporter_grafana_1860.json b/provision-contest/ansible/files/grafana/dashboards/node_exporter_grafana_1860.json
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards/node_exporter_grafana_1860.json
rename to provision-contest/ansible/files/grafana/dashboards/node_exporter_grafana_1860.json
diff --git a/icpc-wf/ansible/files/grafana/dashboards/php_fpm.json b/provision-contest/ansible/files/grafana/dashboards/php_fpm.json
similarity index 100%
rename from icpc-wf/ansible/files/grafana/dashboards/php_fpm.json
rename to provision-contest/ansible/files/grafana/dashboards/php_fpm.json
diff --git a/icpc-wf/ansible/files/grafana/datasources.yml b/provision-contest/ansible/files/grafana/datasources.yml
similarity index 100%
rename from icpc-wf/ansible/files/grafana/datasources.yml
rename to provision-contest/ansible/files/grafana/datasources.yml
diff --git a/icpc-wf/ansible/files/grafana/environment b/provision-contest/ansible/files/grafana/environment
similarity index 100%
rename from icpc-wf/ansible/files/grafana/environment
rename to provision-contest/ansible/files/grafana/environment
diff --git a/icpc-wf/ansible/files/grafana/nginx-status.conf b/provision-contest/ansible/files/grafana/nginx-status.conf
similarity index 100%
rename from icpc-wf/ansible/files/grafana/nginx-status.conf
rename to provision-contest/ansible/files/grafana/nginx-status.conf
diff --git a/icpc-wf/ansible/files/grafana/nginx.conf b/provision-contest/ansible/files/grafana/nginx.conf
similarity index 100%
rename from icpc-wf/ansible/files/grafana/nginx.conf
rename to provision-contest/ansible/files/grafana/nginx.conf
diff --git a/icpc-wf/ansible/files/grafana/prometheus.yml.j2 b/provision-contest/ansible/files/grafana/prometheus.yml.j2
similarity index 100%
rename from icpc-wf/ansible/files/grafana/prometheus.yml.j2
rename to provision-contest/ansible/files/grafana/prometheus.yml.j2
diff --git a/icpc-wf/ansible/files/htop.desktop b/provision-contest/ansible/files/htop.desktop
similarity index 100%
rename from icpc-wf/ansible/files/htop.desktop
rename to provision-contest/ansible/files/htop.desktop
diff --git a/icpc-wf/ansible/files/netrc.j2 b/provision-contest/ansible/files/netrc.j2
similarity index 100%
rename from icpc-wf/ansible/files/netrc.j2
rename to provision-contest/ansible/files/netrc.j2
diff --git a/icpc-wf/ansible/files/rotate.desktop b/provision-contest/ansible/files/rotate.desktop
similarity index 100%
rename from icpc-wf/ansible/files/rotate.desktop
rename to provision-contest/ansible/files/rotate.desktop
diff --git a/icpc-wf/ansible/files/taillog-domserver-nginx-error.desktop b/provision-contest/ansible/files/taillog-domserver-nginx-error.desktop
similarity index 100%
rename from icpc-wf/ansible/files/taillog-domserver-nginx-error.desktop
rename to provision-contest/ansible/files/taillog-domserver-nginx-error.desktop
diff --git a/icpc-wf/ansible/files/taillog-domserver-symfony-error.desktop.j2 b/provision-contest/ansible/files/taillog-domserver-symfony-error.desktop.j2 similarity index 72% rename from icpc-wf/ansible/files/taillog-domserver-symfony-error.desktop.j2 rename to provision-contest/ansible/files/taillog-domserver-symfony-error.desktop.j2 index 922a9385..e1bb4ee2 100644 --- a/icpc-wf/ansible/files/taillog-domserver-symfony-error.desktop.j2 +++ b/provision-contest/ansible/files/taillog-domserver-symfony-error.desktop.j2 @@ -1,4 +1,4 @@ [Desktop Entry] Name=taillog-domserver-symfony-error Type=Application -Exec=gnome-terminal --window --geometry 74x17+1000+400 -e 'bash -c "tail -F {{DJ_DIR}}/webapp/var/log/prod.log"' +Exec=gnome-terminal --window --geometry 74x17+1000+400 -e 'bash -c "tail -F {{ DJ_DIR }}/webapp/var/log/prod.log"' diff --git a/icpc-wf/ansible/files/taillog.desktop.j2 b/provision-contest/ansible/files/taillog.desktop.j2 similarity index 76% rename from icpc-wf/ansible/files/taillog.desktop.j2 rename to provision-contest/ansible/files/taillog.desktop.j2 index 78a9ff7c..6b9b6f74 100644 --- a/icpc-wf/ansible/files/taillog.desktop.j2 +++ b/provision-contest/ansible/files/taillog.desktop.j2 @@ -1,4 +1,4 @@ [Desktop Entry] Name=taillog Type=Application -Exec=gnome-terminal --window --full-screen -e 'bash -c "tail -f {{DJ_DIR}}/output/log/*-0.log"' +Exec=gnome-terminal --window --full-screen -e 'bash -c "tail -f {{ DJ_DIR }}/output/log/*-0.log"' diff --git a/icpc-wf/ansible/grafana.yml b/provision-contest/ansible/grafana.yml similarity index 96% rename from icpc-wf/ansible/grafana.yml rename to provision-contest/ansible/grafana.yml index 32c91027..e7ab4b67 100644 --- a/icpc-wf/ansible/grafana.yml +++ b/provision-contest/ansible/grafana.yml @@ -3,7 +3,7 @@ - hosts: grafana vars: host_type: grafana - become: yes + become: true roles: - role: base_packages tags: base_packages 
diff --git a/icpc-wf/ansible/group_vars/admin.yml b/provision-contest/ansible/group_vars/admin.yml similarity index 100% rename from icpc-wf/ansible/group_vars/admin.yml rename to provision-contest/ansible/group_vars/admin.yml diff --git a/icpc-wf/ansible/group_vars/all/.gitignore b/provision-contest/ansible/group_vars/all/.gitignore similarity index 100% rename from icpc-wf/ansible/group_vars/all/.gitignore rename to provision-contest/ansible/group_vars/all/.gitignore diff --git a/icpc-wf/ansible/group_vars/all/all.yml b/provision-contest/ansible/group_vars/all/all.yml similarity index 61% rename from icpc-wf/ansible/group_vars/all/all.yml rename to provision-contest/ansible/group_vars/all/all.yml index aae584e1..47de5730 100644 --- a/icpc-wf/ansible/group_vars/all/all.yml +++ b/provision-contest/ansible/group_vars/all/all.yml @@ -2,7 +2,7 @@ DJ_DIR: /opt/domjudge # Branch to checkout and use. -DJ_BRANCH: wf2020 +DJ_BRANCH: main # Server VLAN IP prefix. SERVER_IP_PREFIX: 10.3.3 
@@ -37,10 +37,26 @@ PHP_MAX_FILE_UPLOADS: 101 # Git repo URL DJ_GIT_HOST: "{{MAIN_ADMIN_IP}}" -DJ_GIT_REPO: "domjudge@{{DJ_GIT_HOST}}:domjudge" -DJ_GIT_REPO_SCRIPTS: "domjudge@{{DJ_GIT_HOST}}:domjudge-scripts-bare" +DJ_GIT_REPO: "https://github.com/domjudge/domjudge.git" +DJ_GIT_REPO_RESTRICTED: "domjudge@{{DJ_GIT_HOST}}:domjudge" +DJ_GIT_REPO_SCRIPTS: "https://github.com/domjudge/domjudge-scripts.git" +DJ_GIT_REPO_SCRIPTS_RESTRICTED: "domjudge@{{DJ_GIT_HOST}}:domjudge-scripts-bare" PHPSTORM_VERSION: 2021.2 PHPSTORM_FULL_VERSION: 212.5284.49 GRAFANA_MONITORING: false + +# Hostname of the CDS. If set, will add an nginx in front of the CDS +# If not set, will only expose CDS directly +CDS_HOSTNAME: cds + +# CDS SSL cert and key. Only needed when CDS_HOSTNAME is set +CDS_SSL_CERT: /etc/ssl/certs/cds.crt +CDS_SSL_KEY: /etc/ssl/private/cds.key + +# Hostname of the static scoreboard +STATIC_SCOREBOARD_HOSTNAME: scoreboard + +STATIC_SCOREBOARD_SSL_CERT: /etc/ssl/certs/scoreboard.crt +STATIC_SCOREBOARD_SSL_KEY: /etc/ssl/private/scoreboard.key diff --git a/provision-contest/ansible/group_vars/all/secret.yml.example b/provision-contest/ansible/group_vars/all/secret.yml.example new file mode 100644 index 00000000..b166b42b --- /dev/null +++ b/provision-contest/ansible/group_vars/all/secret.yml.example 
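Review bot: With `DJ_GIT_REPO` and `DJ_GIT_REPO_SCRIPTS` now defaulting to the public GitHub repositories and `DJ_BRANCH` set to `main` in the earlier hunk of this file, an unrestricted-network run builds whatever the branch tip is at provisioning time. For contest machines I would pin the checkout to a release tag or commit, e.g. `DJ_BRANCH: <release-tag-or-commit>` (placeholder), so that every host builds the same reviewed revision. How the checkout role consumes `DJ_BRANCH` is outside this hunk. The new `*_RESTRICTED` values also keep the unspaced `{{DJ_GIT_HOST}}` form that the rest of this commit normalises to `{{ DJ_GIT_HOST }}`.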
@@ -0,0 +1,60 @@ +# Password for the MySQL replication user. +# Set this to enable master-master replication between two domservers. +#REPLICATION_PASSWORD: some-replication-password + +# Database user password. +DB_PASSWORD: some-database-password + +# Credentials for the REST API. +API_USER: judgehost +API_PASSWORD: some-judgehost-password + +# Username and password to be used in .netrc files on admin machines +ADMIN_USER: admin +ADMIN_PASSWORD: some-admin-password + +# Password for domjudge shell user +# Set this to enable a password on the 'domjudge' shell accounts +# created on the domserver and judgehosts. +#DJ_SHELL_USER_PW: some-hashed-password + +# Accounts to create when setting up the CDS +CDS_ACCOUNTS: + - username: admin + password: adm1n + type: admin + - username: presAdmin + password: padm1n + type: admin + - username: blue + password: blu3 + type: staff + - username: balloon + password: balloonPr1nter + type: balloon + - username: public + password: publ1c + type: public + - username: presentation + password: presentat1on + type: public + - username: myicpc + password: my1cpc + type: spectator + - username: live + password: l1ve + type: analyst + - username: team1 + password: t3am + type: team + team_id: 1 + +# Contest(s) to configure in the CDS +CDS_CONTESTS: + - path: nwerc18 # Path in the contest directory + ccs: + id: nwerc18 # ID of the contest if hosted at DOMJUDGE_URL + # Or provide a absolute URL + # url: https://www.domjudge.org/demoweb/api/contests/nwerc18 + username: admin + password: admin diff --git a/icpc-wf/ansible/handlers.yml b/provision-contest/ansible/handlers.yml similarity index 56% rename from icpc-wf/ansible/handlers.yml rename to provision-contest/ansible/handlers.yml index 41668c85..e1378e82 100644 --- a/icpc-wf/ansible/handlers.yml +++ b/provision-contest/ansible/handlers.yml 
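Review bot: `CDS_ACCOUNTS` and `CDS_CONTESTS` in this example ship concrete, guessable passwords (`adm1n`, `publ1c`, `admin`, ...) as active values, unlike `DB_PASSWORD` and `API_PASSWORD` above, which use `some-...-password` placeholders. Anyone who copies the example to the real secrets file unchanged deploys those credentials, because the cds role in this commit renders `CDS_ACCOUNTS` into `accounts.yaml`. I would use the same placeholder style, e.g. `password: some-cds-admin-password`, and add a header comment such as `# Copy to secret.yml, replace every password, and keep the result out of version control (or encrypt it with ansible-vault)`.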
@@ -1,6 +1,6 @@ # Common definition of handlers --- - name: clear application cache - command: "{{DJ_DIR}}/webapp/bin/console cache:clear" - become: yes + command: "{{ DJ_DIR }}/webapp/bin/console cache:clear" + become: true become_user: domjudge diff --git a/icpc-wf/ansible/hosts b/provision-contest/ansible/hosts similarity index 90% rename from icpc-wf/ansible/hosts rename to provision-contest/ansible/hosts index a09b27b5..d9e25401 100644 --- a/icpc-wf/ansible/hosts +++ b/provision-contest/ansible/hosts @@ -1,7 +1,6 @@ [all:vars] ansible_user=root ansible_python_interpreter=/usr/bin/python3 -EFI_ORDER='2,1' [domserver] domjudge-primary ansible_host=10.3.3.216 KEEPALIVED_PRIORITY=100 EFI_ORDER='0\,1\,3\,4' @@ -36,3 +35,12 @@ domjudge-ccsadmin5 ansible_host=10.3.3.227 [grafana] domjudge-prometheus ansible_host=10.3.3.223 + +[cds] +domjudge-cds ansible_host=10.2.2.228 + +[scoreboard] +domjudge-scoreboard ansible_host=10.2.2.229 + +[mgmt] +domjudge-mgmg ansible_host=10.3.3.223 diff --git a/icpc-wf/ansible/judgehost.yml b/provision-contest/ansible/judgehost.yml similarity index 77% rename from icpc-wf/ansible/judgehost.yml rename to provision-contest/ansible/judgehost.yml index e1189204..e2f51b07 100644 --- a/icpc-wf/ansible/judgehost.yml +++ b/provision-contest/ansible/judgehost.yml @@ -3,13 +3,14 @@ - name: setup judgehost hosts: judgehost + # We always leave 1/3 of the judges online serial: - - 33% # We always leave 1/3 of the judges online + - 33% - 33% - 34% vars: host_type: judgehost - become: yes + become: true roles: - role: base_packages tags: base_packages 
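Review bot: The new `[mgmt]` entry in the hosts hunk is named `domjudge-mgmg`, which looks like a typo for `domjudge-mgmt`, and it uses `ansible_host=10.3.3.223`, the same address as `domjudge-prometheus` in `[grafana]`. If the management machine really is the Prometheus host, a comment such as `# same machine as domjudge-prometheus` would make that clear; otherwise the address needs correcting so the mgmt play does not run against the wrong box. Suggested line: `domjudge-mgmt ansible_host=<mgmt-ip>` (placeholder address).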
@@ -41,28 +42,31 @@ tags: prometheus_target_all when: GRAFANA_MONITORING pre_tasks: + - name: Get current services + service_facts: - name: Disable all cores service: - name="domjudge-judgedaemon@{{item}}" + name="domjudge-judgedaemon@{{ item }}" state=stopped with_sequence: start=0 end={{ ansible_processor_vcpus }} format=domjudge-judgedaemon@%1x + when: '"domjudge-judgedaemon@0.service" in services' tasks: - name: add autostart shortcuts template: - src: files/{{item}}.desktop + src: files/{{ item }}.desktop dest: /home/domjudge/.config/autostart/ owner: domjudge group: domjudge mode: 0755 - with_items: + loop: - rotate - name: add autostart shortcuts from template template: - src: files/{{item}}.desktop.j2 - dest: /home/domjudge/.config/autostart/{{item}}.desktop + src: files/{{ item }}.desktop.j2 + dest: /home/domjudge/.config/autostart/{{ item }}.desktop owner: domjudge group: domjudge mode: 0755 - with_items: + loop: - taillog diff --git a/provision-contest/ansible/mgmt.yml b/provision-contest/ansible/mgmt.yml new file mode 100644 index 00000000..dba3333e --- /dev/null +++ b/provision-contest/ansible/mgmt.yml @@ -0,0 +1,12 @@ +--- +# This playbook installs the Management machine + +- name: setup management + hosts: mgmt + vars: + host_type: mgmt + become: true + roles: + - role: prometheus_target_all + tags: prometheus_target_all + when: GRAFANA_MONITORING diff --git a/icpc-wf/ansible/roles/base_packages/files/install-admin/.gitignore b/provision-contest/ansible/roles/base_packages/files/install-admin/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/base_packages/files/install-admin/.gitignore rename to provision-contest/ansible/roles/base_packages/files/install-admin/.gitignore 
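Review bot: In `Disable all cores`, `with_sequence` already formats each item as `domjudge-judgedaemon@N`, and `name=` prepends `domjudge-judgedaemon@` again, so the unit being stopped appears to be `domjudge-judgedaemon@domjudge-judgedaemon@0` rather than the running daemon. The commit only re-spaces that line, but the added `when:` guard makes the task look correct while the judgedaemons may stay up during reprovisioning. I would use `name="{{ item }}"` and keep the format, or keep the prefix in `name=` and change the format to `%d`. Note also that `%1x` renders core 10 and above in hexadecimal and that `end={{ ansible_processor_vcpus }}` is inclusive, so both are worth confirming against the real unit names.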
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-admin/README.md b/provision-contest/ansible/roles/base_packages/files/install-admin/README.md
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-admin/README.md
rename to provision-contest/ansible/roles/base_packages/files/install-admin/README.md
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-domserver/.gitignore b/provision-contest/ansible/roles/base_packages/files/install-domserver/.gitignore
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-domserver/.gitignore
rename to provision-contest/ansible/roles/base_packages/files/install-domserver/.gitignore
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-domserver/README.md b/provision-contest/ansible/roles/base_packages/files/install-domserver/README.md
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-domserver/README.md
rename to provision-contest/ansible/roles/base_packages/files/install-domserver/README.md
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-grafana/.gitignore b/provision-contest/ansible/roles/base_packages/files/install-grafana/.gitignore
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-grafana/.gitignore
rename to provision-contest/ansible/roles/base_packages/files/install-grafana/.gitignore
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-grafana/README.md b/provision-contest/ansible/roles/base_packages/files/install-grafana/README.md
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-grafana/README.md
rename to provision-contest/ansible/roles/base_packages/files/install-grafana/README.md
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-judgehost/.gitignore b/provision-contest/ansible/roles/base_packages/files/install-judgehost/.gitignore
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-judgehost/.gitignore
rename to provision-contest/ansible/roles/base_packages/files/install-judgehost/.gitignore
diff --git a/icpc-wf/ansible/roles/base_packages/files/install-judgehost/README.md b/provision-contest/ansible/roles/base_packages/files/install-judgehost/README.md
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/files/install-judgehost/README.md
rename to provision-contest/ansible/roles/base_packages/files/install-judgehost/README.md
diff --git a/icpc-wf/ansible/roles/base_packages/handlers/main.yml b/provision-contest/ansible/roles/base_packages/handlers/main.yml
similarity index 100%
rename from icpc-wf/ansible/roles/base_packages/handlers/main.yml
rename to provision-contest/ansible/roles/base_packages/handlers/main.yml
diff --git a/icpc-wf/ansible/roles/base_packages/tasks/install-local-package.yml b/provision-contest/ansible/roles/base_packages/tasks/install-local-package.yml
similarity index 51%
rename from icpc-wf/ansible/roles/base_packages/tasks/install-local-package.yml
rename to provision-contest/ansible/roles/base_packages/tasks/install-local-package.yml
index 736562f5..180b53a3 100644
--- a/icpc-wf/ansible/roles/base_packages/tasks/install-local-package.yml
+++ b/provision-contest/ansible/roles/base_packages/tasks/install-local-package.yml
@@ -9,9 +9,11 @@ mode: 0700 - name: copy DEB package to remote - copy: src={{item}} dest="/tmp/dj_ansible/{{item|basename}}" - register: deb_copied + synchronize: + src: "{{ item }}" + dest: "/tmp/dj_ansible/{{ item|basename }}" -- name: install DEB package {{item|basename}} - apt: deb="/tmp/dj_ansible/{{item|basename}}" - when: deb_copied.changed +- name: install DEB package {{ item|basename }} + apt: + deb: "/tmp/dj_ansible/{{ item|basename }}" + state: present diff --git a/provision-contest/ansible/roles/base_packages/tasks/main.yml b/provision-contest/ansible/roles/base_packages/tasks/main.yml new file mode 100644 index 00000000..2fede9ff --- /dev/null +++ b/provision-contest/ansible/roles/base_packages/tasks/main.yml 
@@ -0,0 +1,128 @@ +--- +# This task configures packaging and installs various system utilities + +- name: replace pc2.ecs.baylor.edu by packages in apt sources + replace: + dest: "/etc/apt/{{ item }}" + regexp: 'pc2\.ecs\.baylor\.edu' + replace: 'packages' + loop: + - sources.list + - sources.list.d/microsoft.list + - sources.list.d/mono.list + - sources.list.d/vscode.list + - sources.list.d/pypy-ubuntu-ppa-buster.list + notify: run apt update + when: WF_RESTRICTED_NETWORK + +- name: add packages to hosts file + lineinfile: + dest: /etc/hosts + regexp: '^10\.3\.3\.209' + line: "10.3.3.209 packages" + notify: run apt update + when: WF_RESTRICTED_NETWORK + +- name: check for dpkg architecture i386 + command: dpkg --print-foreign-architectures + register: dpkg_architectures + changed_when: false + +- name: remove unused dpkg architecture i386 + command: dpkg --remove-architecture i386 + notify: run apt update + when: dpkg_architectures.stdout.find('i386') != -1 + +- name: remove pycharm repo + replace: + dest: /etc/apt/sources.list + regexp: '^([^#].*pycharm.*)$' + replace: '# \1' + notify: run apt update + +- name: flush handlers + meta: flush_handlers + +- name: remove some packages + apt: + state: absent + pkg: + - apport + - ntp + +- name: install common required/useful packages + apt: + state: present + pkg: + - ack + - git + - htop + - httpie + - ncdu + - pv + - screen + - autoconf + - automake + - efibootmgr + - curl + - gcc + - g++ + - default-jdk-headless + - make + - zip + - unzip + - php-cli + - php-gd + - php-curl + - php-mysql + - php-json + - php-xml + - php-zip + - php-mbstring + - php-intl + - bsdmainutils + - libcgroup-dev + - libcurl4-gnutls-dev + - libjsoncpp-dev + - libmagic-dev + - debootstrap + - texlive-latex-recommended + - texlive-latex-extra + - apache2-utils + - tig + - bat + - jq + - python3-sphinx + - autoconf + - automake + - bats + - python3-sphinx + - python3-sphinx-rtd-theme + - rst2pdf + - fontconfig + - python3-yaml + - latexmk + - 
acl + +- name: Check if composer is installed + stat: + path: /usr/local/bin/composer + register: composer_file + +- name: Download Composer Installer + get_url: + url: https://getcomposer.org/installer + dest: /root/composer-setup.php + owner: root + group: root + mode: 0755 + when: not composer_file.stat.exists + +- name: Install composer + command: php /root/composer-setup.php --install-dir=/usr/local/bin --filename=composer + when: not composer_file.stat.exists + +- name: install local DEB packages + include: install-local-package.yml + with_fileglob: + - install-{{ host_type }}/*.deb diff --git a/provision-contest/ansible/roles/cds/files/cds.service b/provision-contest/ansible/roles/cds/files/cds.service new file mode 100644 index 00000000..a1e6e7b4 --- /dev/null +++ b/provision-contest/ansible/roles/cds/files/cds.service @@ -0,0 +1,9 @@ +[Unit] +Description=CDS +[Service] +User=domjudge +Restart=always +ExecStart=/home/domjudge/cds/wlp/bin/server run cds +TimeoutStopSec=20s +[Install] +WantedBy=multi-user.target diff --git a/provision-contest/ansible/roles/cds/handlers/main.yml b/provision-contest/ansible/roles/cds/handlers/main.yml new file mode 100644 index 00000000..71fde60f --- /dev/null +++ b/provision-contest/ansible/roles/cds/handlers/main.yml @@ -0,0 +1,16 @@ +--- +# Define here handlers associated to this role. + +- name: restart cds + systemd: + name: cds + enabled: true + state: restarted + daemon_reload: true + +- name: restart nginx + systemd: + name: nginx + enabled: true + state: restarted + daemon_reload: true diff --git a/provision-contest/ansible/roles/cds/tasks/main.yml b/provision-contest/ansible/roles/cds/tasks/main.yml new file mode 100644 index 00000000..e55f112f --- /dev/null +++ b/provision-contest/ansible/roles/cds/tasks/main.yml 
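Review bot: The `Download Composer Installer` task fetches `https://getcomposer.org/installer` and the next task executes it as root with `php`, with no integrity check on the downloaded file. `get_url` supports this directly: adding `checksum: "sha384:<expected-installer-hash>"` (placeholder, to be filled from the hash Composer publishes for the installer) makes the run fail instead of executing a modified script. `mode: 0755` can also drop to `0600`, since the file is only passed to `php` as an argument. The closing `include:` is deprecated in favour of `include_tasks:`.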
@@ -0,0 +1,134 @@ +--- +# These tasks configure the CDS + +- name: Get the CDS release + uri: + url: https://api.github.com/repos/icpctools/icpctools/releases?per_page=1 + method: GET + return_content: true + status_code: 200 + body_format: json + register: latest_cds_release_array + +- name: Set CDS latest version + set_fact: + cds_version: "{{ latest_cds_release_array.json[0].name | replace('v', '') }}" + +- name: Set CDS minor version + set_fact: + cds_version_minor: "{{ cds_version | regex_replace('\\.\\d+$', '') }}" + +- name: Check if CDS is installed + stat: + path: /home/domjudge/cds/wlp/usr/servers/cds/apps/CDS.war + register: cds_war + +- name: create CDS directory + file: + path: /home/domjudge/cds + state: directory + owner: domjudge + group: domjudge + mode: 0755 + +- name: Download and unpack full CDS + unarchive: + src: https://github.com/icpctools/icpctools/releases/download/v{{ cds_version }}/wlp.CDS-{{ cds_version }}.zip + dest: /home/domjudge/cds + remote_src: true + owner: domjudge + group: domjudge + when: not cds_war.stat.exists + notify: restart cds + +- name: Download and unpack CDS WAR + unarchive: + src: https://github.com/icpctools/icpctools/releases/download/v{{ cds_version }}/CDS-{{ cds_version }}.zip + dest: /root + remote_src: true + when: cds_war.stat.exists + +- name: Copy new CDS war + copy: + src: /root/CDS-{{ cds_version_minor }}/CDS.war + dest: /home/domjudge/cds/wlp/usr/servers/cds/apps/CDS.war + remote_src: true + owner: domjudge + group: domjudge + mode: 0644 + when: cds_war.stat.exists + notify: restart cds + +- name: Populate CDS accounts.yaml + template: + src: accounts.yaml.j2 + dest: /home/domjudge/cds/wlp/usr/servers/cds/config/accounts.yaml + owner: domjudge + group: domjudge + mode: 0600 + notify: restart cds + +- name: Populate CDS cdsConfig.xml + template: + src: cdsConfig.xml.j2 + dest: /home/domjudge/cds/wlp/usr/servers/cds/config/cdsConfig.xml + owner: domjudge + group: domjudge + mode: 0600 + notify: restart cds 
+ +- name: Create contests config directory + file: + path: /home/domjudge/cds/contests + state: directory + owner: domjudge + group: domjudge + mode: 0755 + +- name: Create contest specific directory + file: + path: /home/domjudge/cds/contests/{{ item.path }} + state: directory + owner: domjudge + group: domjudge + mode: 0755 + loop: "{{ CDS_CONTESTS }}" + +- name: copy cds systemd unit file + copy: + src: cds.service + dest: /etc/systemd/system/ + mode: 0644 + notify: + - restart cds + +- name: Setup nginx + block: + - name: install nginx + apt: + state: present + pkg: + - nginx + + - name: add CDS nginx conf + template: + src: cds.conf.j2 + dest: /etc/nginx/sites-available/cds.conf + mode: 0644 + group: root + owner: root + notify: restart nginx + + - name: enable nginx conf for CDS + file: + src: /etc/nginx/sites-available/cds.conf + dest: /etc/nginx/sites-enabled/cds.conf + state: link + notify: restart nginx + + - name: disable default nginx site + file: + path: /etc/nginx/sites-enabled/default + state: absent + notify: restart nginx + when: CDS_HOSTNAME is defined diff --git a/provision-contest/ansible/roles/cds/templates/accounts.yaml.j2 b/provision-contest/ansible/roles/cds/templates/accounts.yaml.j2 new file mode 100644 index 00000000..ac4c1833 --- /dev/null +++ b/provision-contest/ansible/roles/cds/templates/accounts.yaml.j2 @@ -0,0 +1,9 @@ +{% for account in CDS_ACCOUNTS %} +- id: {{ account.username }} + username: {{ account.username }} + password: {{ account.password }} + type: {{ account.type }} +{% if account.team_id is defined %} + team_id: "{{ account.team_id }}" +{% endif %} +{% endfor %} diff --git a/provision-contest/ansible/roles/cds/templates/cds.conf.j2 b/provision-contest/ansible/roles/cds/templates/cds.conf.j2 new file mode 100644 index 00000000..13dd26fb --- /dev/null +++ b/provision-contest/ansible/roles/cds/templates/cds.conf.j2 
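Review bot: `Get the CDS release` resolves whatever is newest on GitHub at run time, and both `unarchive` tasks then download and unpack that archive with no checksum, so the CDS build that ends up running as a service is neither reproducible nor verified. I would pin the version in group_vars and fetch through `get_url` with a `checksum:` before unpacking, as sketched below; the variable names and the hash are placeholders. Separately, `replace('v', '')` strips every `v` in the release name rather than only a leading one; `regex_replace('^v', '')` is tighter.

```yaml
# … unchanged: CDS directory creation …
- name: Download pinned CDS archive
  get_url:
    url: https://github.com/icpctools/icpctools/releases/download/v{{ CDS_VERSION }}/wlp.CDS-{{ CDS_VERSION }}.zip
    dest: /root/wlp.CDS-{{ CDS_VERSION }}.zip
    # placeholder variable: the reviewed archive hash, stored next to CDS_VERSION
    checksum: "sha256:{{ CDS_ARCHIVE_SHA256 }}"
    mode: 0600
  when: not cds_war.stat.exists

- name: Download and unpack full CDS
  unarchive:
    src: /root/wlp.CDS-{{ CDS_VERSION }}.zip
    # … unchanged: dest, remote_src, owner, group, when, notify …
# … unchanged: WAR update, config templates, nginx block …
```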
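Review bot: The accounts.yaml.j2 template writes `username`, `password` and `type` into YAML unquoted, so a password containing `: ` or ` #`, starting with `*`, `!` or `{`, or looking like a number or boolean is truncated, retyped or breaks the file. Since these are credentials, a silently shortened password is the worrying case. Serialising the scalars avoids it: `password: {{ account.password | to_json }}`, and the same for `id`, `username` and `type`.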
@@ -0,0 +1,37 @@ +# nginx configuration for the CDS +server { + listen 80; + listen [::]:80; + + server_name {{CDS_HOSTNAME}}; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{CDS_HOSTNAME}}; + + ssl_certificate {{CDS_SSL_CERT}}; + ssl_certificate_key {{CDS_SSL_KEY}}; + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security max-age=31556952; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $host; + + proxy_pass https://localhost:8443; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_request_buffering off; + proxy_buffering off; + } +} diff --git a/provision-contest/ansible/roles/cds/templates/cdsConfig.xml.j2 b/provision-contest/ansible/roles/cds/templates/cdsConfig.xml.j2 new file mode 100644 index 00000000..5e4d14dc --- /dev/null +++ b/provision-contest/ansible/roles/cds/templates/cdsConfig.xml.j2 @@ -0,0 +1,7 @@ + + {% for contest in CDS_CONTESTS %} + + + + {% endfor %} + diff --git a/icpc-wf/ansible/roles/clusterssh/tasks/main.yml b/provision-contest/ansible/roles/clusterssh/tasks/main.yml similarity index 76% rename from icpc-wf/ansible/roles/clusterssh/tasks/main.yml rename to provision-contest/ansible/roles/clusterssh/tasks/main.yml index 2aa11601..b9d7f783 100644 --- a/icpc-wf/ansible/roles/clusterssh/tasks/main.yml +++ b/provision-contest/ansible/roles/clusterssh/tasks/main.yml 
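Review bot: The TLS server block in cds.conf.j2 sets `ssl_prefer_server_ciphers on` but no `ssl_protocols` or `ssl_ciphers`, so the accepted protocol versions depend on the nginx package default, which on older releases still includes TLSv1 and TLSv1.1. I would state it explicitly with `ssl_protocols TLSv1.2 TLSv1.3;`. The HSTS header is also only attached to successful and redirect responses unless `always` is given: `add_header Strict-Transport-Security max-age=31556952 always;`.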
@@ -8,23 +8,25 @@ - clusterssh - name: create clusterssh 'all' config group - become: yes + become: true become_user: domjudge lineinfile: dest: /home/domjudge/.clusterssh/clusters regexp: '^all' line: "all {{ groups['all'] | join(' ') }}" - create: yes + create: true + mode: 0644 - name: create clusterssh config groups - become: yes + become: true become_user: domjudge lineinfile: dest: /home/domjudge/.clusterssh/clusters regexp: '^{{ item }}s' - line: "{{item}}s {{ groups[item] | join(' ') }}" - create: yes - with_items: + line: "{{ item }}s {{ groups[item] | join(' ') }}" + create: true + mode: 0644 + loop: - domserver - judgehost - admin diff --git a/icpc-wf/ansible/roles/domjudge_build/files/logrotate.domjudge b/provision-contest/ansible/roles/domjudge_build/files/logrotate.domjudge similarity index 100% rename from icpc-wf/ansible/roles/domjudge_build/files/logrotate.domjudge rename to provision-contest/ansible/roles/domjudge_build/files/logrotate.domjudge diff --git a/icpc-wf/ansible/roles/domjudge_build/files/rsyslog.domjudge.conf b/provision-contest/ansible/roles/domjudge_build/files/rsyslog.domjudge.conf similarity index 100% rename from icpc-wf/ansible/roles/domjudge_build/files/rsyslog.domjudge.conf rename to provision-contest/ansible/roles/domjudge_build/files/rsyslog.domjudge.conf diff --git a/icpc-wf/ansible/roles/domjudge_build/handlers/main.yml b/provision-contest/ansible/roles/domjudge_build/handlers/main.yml similarity index 52% rename from icpc-wf/ansible/roles/domjudge_build/handlers/main.yml rename to provision-contest/ansible/roles/domjudge_build/handlers/main.yml index 8083931e..8e0de116 100644 --- a/icpc-wf/ansible/roles/domjudge_build/handlers/main.yml +++ b/provision-contest/ansible/roles/domjudge_build/handlers/main.yml 
@@ -2,7 +2,7 @@ # Define here handlers associated to this role. - name: fix permissions on domjudge inplace-install - shell: make -C {{DJ_DIR}} inplace-postinstall-permissions + command: make -C {{ DJ_DIR }} inplace-postinstall-permissions - name: restart rsyslog - service: name=rsyslog enabled=yes state=restarted + service: name=rsyslog enabled=true state=restarted diff --git a/icpc-wf/ansible/roles/domjudge_build/meta/main.yml b/provision-contest/ansible/roles/domjudge_build/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/domjudge_build/meta/main.yml rename to provision-contest/ansible/roles/domjudge_build/meta/main.yml diff --git a/icpc-wf/ansible/roles/domjudge_build/tasks/main.yml b/provision-contest/ansible/roles/domjudge_build/tasks/main.yml similarity index 73% rename from icpc-wf/ansible/roles/domjudge_build/tasks/main.yml rename to provision-contest/ansible/roles/domjudge_build/tasks/main.yml index 1371da37..5737e455 100644 --- a/icpc-wf/ansible/roles/domjudge_build/tasks/main.yml +++ b/provision-contest/ansible/roles/domjudge_build/tasks/main.yml 
@@ -4,37 +4,37 @@ - name: add the restapi secret file template: src: restapi.secret.j2 - dest: "{{DJ_DIR}}/etc/restapi.secret" + dest: "{{ DJ_DIR }}/etc/restapi.secret" owner: domjudge group: domjudge mode: 0600 - name: run inplace-conf - become: yes + become: true become_user: domjudge - command: make inplace-conf CONFIGURE_FLAGS='--disable-doc-build --with-baseurl={{DOMSERVER}}/' + command: make inplace-conf CONFIGURE_FLAGS='--disable-doc-build --with-baseurl={{ DOMSERVER }}/' register: dj_configured args: - chdir: "{{DJ_DIR}}" - creates: "{{DJ_DIR}}/paths.mk" + chdir: "{{ DJ_DIR }}" + creates: "{{ DJ_DIR }}/paths.mk" - name: check if domjudge is built - stat: path="{{DJ_DIR}}/judge/judgedaemon" + stat: path="{{ DJ_DIR }}/judge/judgedaemon" register: judgedaemon_binary - name: build domjudge - become: yes + become: true become_user: domjudge command: make inplace-install args: - chdir: "{{DJ_DIR}}" + chdir: "{{ DJ_DIR }}" notify: fix permissions on domjudge inplace-install when: (git_working_copy is defined and git_working_copy.changed) or dj_configured.changed or not judgedaemon_binary.stat.exists - name: copy domjudge-sudoers file copy: remote_src: true - src: "{{DJ_DIR}}/etc/sudoers-domjudge" + src: "{{ DJ_DIR }}/etc/sudoers-domjudge" dest: /etc/sudoers.d/domjudge mode: 0440 owner: root @@ -44,9 +44,15 @@ copy: src: rsyslog.domjudge.conf dest: /etc/rsyslog.d/domjudge.conf + mode: 0644 + group: root + owner: root notify: restart rsyslog - name: configure domjudge logrotate copy: src: logrotate.domjudge dest: /etc/logrotate.d/domjudge + mode: 0644 + group: root + owner: root diff --git a/icpc-wf/ansible/roles/domjudge_build/templates/restapi.secret.j2 b/provision-contest/ansible/roles/domjudge_build/templates/restapi.secret.j2 similarity index 100% rename from icpc-wf/ansible/roles/domjudge_build/templates/restapi.secret.j2 rename to provision-contest/ansible/roles/domjudge_build/templates/restapi.secret.j2 
diff --git a/icpc-wf/ansible/roles/domjudge_checkout/files/.gitignore b/provision-contest/ansible/roles/domjudge_checkout/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/domjudge_checkout/files/.gitignore rename to provision-contest/ansible/roles/domjudge_checkout/files/.gitignore diff --git a/icpc-wf/ansible/roles/domjudge_checkout/files/lib-vendor.tgz b/provision-contest/ansible/roles/domjudge_checkout/files/lib-vendor.tgz similarity index 100% rename from icpc-wf/ansible/roles/domjudge_checkout/files/lib-vendor.tgz rename to provision-contest/ansible/roles/domjudge_checkout/files/lib-vendor.tgz diff --git a/icpc-wf/ansible/roles/domjudge_checkout/meta/main.yml b/provision-contest/ansible/roles/domjudge_checkout/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/domjudge_checkout/meta/main.yml rename to provision-contest/ansible/roles/domjudge_checkout/meta/main.yml diff --git a/provision-contest/ansible/roles/domjudge_checkout/tasks/main.yml b/provision-contest/ansible/roles/domjudge_checkout/tasks/main.yml new file mode 100644 index 00000000..3fdd9aa7 --- /dev/null +++ b/provision-contest/ansible/roles/domjudge_checkout/tasks/main.yml 
@@ -0,0 +1,42 @@ +--- +# These tasks create a checkout of the DOMjudge repo + +- name: create working copy directory + file: + path: "{{ DJ_DIR }}" + state: directory + owner: domjudge + group: domjudge + mode: 0755 + +- name: Update repo URL based on network + set_fact: + dj_git_repo: "{{ DJ_GIT_REPO_RESTRICTED if WF_RESTRICTED_NETWORK else DJ_GIT_REPO }}" + +- name: Create working copy of the domjudge repo + become: true + become_user: domjudge + git: repo={{ dj_git_repo }} dest={{ DJ_DIR }} version={{ DJ_BRANCH }} accept_hostkey=yes update=yes + register: git_working_copy + +- name: Check composer dependencies present + become: false + delegate_to: localhost + stat: + path: files/lib/vendor + register: libvendor + +- name: Copy in composer dependencies (if they exist locally) + synchronize: + src: files/lib/vendor/ + dest: "{{ DJ_DIR }}/lib/vendor/" + owner: false + use_ssh_args: true + when: libvendor.stat.exists + +- name: fix ownership of lib/vendor + file: + path: "{{ DJ_DIR }}/lib/vendor" + recurse: true + owner: domjudge + group: domjudge diff --git a/icpc-wf/ansible/roles/domjudge_user/handlers/main.yml b/provision-contest/ansible/roles/domjudge_user/handlers/main.yml similarity index 59% rename from icpc-wf/ansible/roles/domjudge_user/handlers/main.yml rename to provision-contest/ansible/roles/domjudge_user/handlers/main.yml index ecb35cbd..e905aa84 100644 --- a/icpc-wf/ansible/roles/domjudge_user/handlers/main.yml +++ b/provision-contest/ansible/roles/domjudge_user/handlers/main.yml @@ -2,4 +2,4 @@ # Define here handlers associated to this role. - name: restart gdm - service: name=gdm3 enabled=yes state=restarted + service: name=gdm3 enabled=true state=restarted 
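Review bot: The `git:` task in this new file passes `accept_hostkey=yes`, so the first connection to `{{ dj_git_repo }}` trusts whatever SSH host key is presented, and the checkout that is later built and run is not tied to a known server identity. Consider provisioning the repository host's key beforehand with the `known_hosts` module and dropping `accept_hostkey`. Writing the task in YAML form (`repo: "{{ dj_git_repo }}"`, `dest: "{{ DJ_DIR }}"`, `version: "{{ DJ_BRANCH }}"`) would also quote the templated values. Whether the repo URL is SSH or HTTPS is not visible here; for HTTPS the option has no effect and can simply go.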
diff --git a/icpc-wf/ansible/roles/domjudge_user/tasks/main.yml b/provision-contest/ansible/roles/domjudge_user/tasks/main.yml similarity index 78% rename from icpc-wf/ansible/roles/domjudge_user/tasks/main.yml rename to provision-contest/ansible/roles/domjudge_user/tasks/main.yml index f1561174..d9f7efc4 100644 --- a/icpc-wf/ansible/roles/domjudge_user/tasks/main.yml +++ b/provision-contest/ansible/roles/domjudge_user/tasks/main.yml @@ -6,7 +6,7 @@ name: domjudge shell: /bin/bash groups: sudo - password: "{{DJ_SHELL_USER_PW | default(omit)}}" + password: "{{ DJ_SHELL_USER_PW | default(omit) }}" - name: Allow 'sudo' group to have passwordless sudo lineinfile: @@ -19,11 +19,12 @@ ini_file: dest: /home/domjudge/.gitconfig section: user - option: "{{item.name}}" - value: "{{item.value}}" + option: "{{ item.name }}" + value: "{{ item.value }}" owner: domjudge group: domjudge - with_items: + mode: 0644 + loop: - { name: 'email', value: 'team@domjudge.org' } - { name: 'name', value: 'DOMjudge team' } @@ -35,13 +36,15 @@ value: "remote" owner: domjudge group: domjudge + mode: 0644 - name: enable GDM autologin lineinfile: path: /etc/gdm3/custom.conf regexp: 'AutomaticLoginEnable' line: 'AutomaticLoginEnable=true' - create: yes + create: true + mode: 0644 notify: restart gdm - name: Automatically login domjudge user @@ -52,4 +55,9 @@ notify: restart gdm - name: make sure autostart directory exists - file: dest=/home/domjudge/.config/autostart state=directory owner=domjudge group=domjudge + file: + dest: /home/domjudge/.config/autostart + state: directory + owner: domjudge + group: domjudge + mode: 0755 diff --git a/provision-contest/ansible/roles/domlogo/files/domlogo.py b/provision-contest/ansible/roles/domlogo/files/domlogo.py new file mode 120000 index 00000000..06a32d9f --- /dev/null +++ b/provision-contest/ansible/roles/domlogo/files/domlogo.py @@ -0,0 +1 @@ +../../../../../domlogo/domlogo.py \ No newline at end of file 
diff --git a/icpc-wf/ansible/roles/domlogo/files/images/logos/.gitignore b/provision-contest/ansible/roles/domlogo/files/images/logos/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/domlogo/files/images/logos/.gitignore rename to provision-contest/ansible/roles/domlogo/files/images/logos/.gitignore diff --git a/icpc-wf/ansible/roles/domlogo/files/images/photos/.gitignore b/provision-contest/ansible/roles/domlogo/files/images/photos/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/domlogo/files/images/photos/.gitignore rename to provision-contest/ansible/roles/domlogo/files/images/photos/.gitignore diff --git a/icpc-wf/ansible/roles/domlogo/files/lib/.gitignore b/provision-contest/ansible/roles/domlogo/files/lib/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/domlogo/files/lib/.gitignore rename to provision-contest/ansible/roles/domlogo/files/lib/.gitignore diff --git a/icpc-wf/ansible/roles/domlogo/tasks/main.yml b/provision-contest/ansible/roles/domlogo/tasks/main.yml similarity index 88% rename from icpc-wf/ansible/roles/domlogo/tasks/main.yml rename to provision-contest/ansible/roles/domlogo/tasks/main.yml index 824a275c..7bd14cf8 100644 --- a/icpc-wf/ansible/roles/domlogo/tasks/main.yml +++ b/provision-contest/ansible/roles/domlogo/tasks/main.yml @@ -10,7 +10,7 @@ - name: install domlogo copy: src: domlogo.py - dest: "{{DJ_DIR}}" + dest: "{{ DJ_DIR }}" owner: domjudge group: domjudge mode: 0755 @@ -19,14 +19,14 @@ synchronize: src: lib dest: /home/domjudge/.local/ - owner: no + owner: false use_ssh_args: true - name: install domlogo images synchronize: src: images - dest: "{{DJ_DIR}}" - owner: no + dest: "{{ DJ_DIR }}" + owner: false use_ssh_args: true - name: add autostart shortcuts diff --git a/provision-contest/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 b/provision-contest/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 new file mode 100644 index 00000000..7cb14e98 --- /dev/null 
+++ b/provision-contest/ansible/roles/domlogo/templates/domjudgelogo.desktop.j2 @@ -0,0 +1,4 @@ +[Desktop Entry] +Name=domjudgelogo +Type=Application +Exec=bash -c "sleep 10 && cd {{ DJ_DIR }} && python3 ./domlogo.py 1>/home/domjudge/logo.out 2>/home/domjudge/logo.err" diff --git a/provision-contest/ansible/roles/domserver/handlers/main.yml b/provision-contest/ansible/roles/domserver/handlers/main.yml new file mode 100644 index 00000000..6fe95874 --- /dev/null +++ b/provision-contest/ansible/roles/domserver/handlers/main.yml @@ -0,0 +1,8 @@ +--- +# Define here handlers associated to this role. + +- name: restart nginx + service: name=nginx enabled=true state=restarted + +- name: restart PHP FPM + service: name=php7.4-fpm enabled=true state=restarted diff --git a/icpc-wf/ansible/roles/domserver/meta/main.yml b/provision-contest/ansible/roles/domserver/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/domserver/meta/main.yml rename to provision-contest/ansible/roles/domserver/meta/main.yml diff --git a/icpc-wf/ansible/roles/domserver/tasks/main.yml b/provision-contest/ansible/roles/domserver/tasks/main.yml similarity index 67% rename from icpc-wf/ansible/roles/domserver/tasks/main.yml rename to provision-contest/ansible/roles/domserver/tasks/main.yml index b29fb0d5..db44a25e 100644 --- a/icpc-wf/ansible/roles/domserver/tasks/main.yml +++ b/provision-contest/ansible/roles/domserver/tasks/main.yml 
@@ -4,24 +4,30 @@ - name: install dbpasswords.secret file template: src: dbpasswords.secret.j2 - dest: "{{DJ_DIR}}/etc/dbpasswords.secret" + dest: "{{ DJ_DIR }}/etc/dbpasswords.secret" + mode: 0644 + group: root + owner: root notify: fix permissions on domjudge inplace-install - name: install initial_admin_password.secret file template: src: initial_admin_password.secret.j2 - dest: "{{DJ_DIR}}/etc/initial_admin_password.secret" + dest: "{{ DJ_DIR }}/etc/initial_admin_password.secret" + mode: 0644 + group: domjudge + owner: domjudge notify: fix permissions on domjudge inplace-install # When using replication, the DB will be dropped and recreated on the slave later. - name: check if the database is configured - command: "{{DJ_DIR}}/bin/dj_setup_database -u root status" + command: "{{ DJ_DIR }}/bin/dj_setup_database -u root status" register: db_status ignore_errors: true changed_when: false - name: make sure the database is configured - command: "{{DJ_DIR}}/bin/dj_setup_database -u root bare-install" + command: "{{ DJ_DIR }}/bin/dj_setup_database -u root bare-install" when: "'failed' in db_status.stdout" - name: install required packages @@ -37,13 +43,13 @@ dest: /etc/php/7.4/fpm/php.ini state: present regexp: 'date\.timezone\s*=' - line: 'date.timezone = {{TIMEZONE}}' + line: 'date.timezone = {{ TIMEZONE }}' - name: enable PHP modules - command: phpenmod {{item}} + command: phpenmod {{ item }} args: - creates: /etc/php/7.4/fpm/conf.d/20-{{item}}.ini - with_items: + creates: /etc/php/7.4/fpm/conf.d/20-{{ item }}.ini + loop: - zip - intl @@ -51,12 +57,18 @@ template: src: nginx-domjudge.conf.j2 dest: /etc/nginx/sites-available/domjudge.conf + mode: 0644 + group: root + owner: root notify: restart nginx - name: add domjudge inner nginx conf template: src: nginx-domjudge-inner.j2 dest: /etc/nginx/snippets/domjudge-inner + mode: 0644 + group: root + owner: root notify: restart nginx - name: enable nginx conf for domjudge 
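Review bot: The two secret templates at the top of this hunk are now created world-readable: `dbpasswords.secret` and `initial_admin_password.secret` both get `mode: 0644`, so any local account on the domserver can read the database and initial admin passwords. The `restapi.secret` task in domjudge_build uses `mode: 0600`; use that here, or `mode: 0640` with whichever group the web server needs, which this diff does not show. The notified `fix permissions on domjudge inplace-install` handler may tighten the files afterwards, but handlers run at the end of the play, so the files stay readable until then. Presumably the task and the handler will also keep resetting each other's mode on every run.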
@@ -75,21 +87,21 @@ - name: symlink domjudge FPM conf file: path: /etc/php/7.4/fpm/pool.d/domjudge.conf - src: "{{DJ_DIR}}/etc/domjudge-fpm.conf" + src: "{{ DJ_DIR }}/etc/domjudge-fpm.conf" state: link - force: yes + force: true notify: restart PHP FPM - name: set PHP settings lineinfile: dest: /etc/php/7.4/fpm/pool.d/domjudge.conf - regexp: "{{item.regexp}}" - line: "{{item.key}} = {{item.value}}" - with_items: - - { key: 'pm.max_children', regexp: '^pm\.max_children', value: '{{PHP_FPM_MAX_CHILDREN}}' } - - { key: 'pm.max_requests', regexp: '^pm\.max_requests', value: '{{PHP_FPM_MAX_REQUESTS}}' } - - { key: 'php_admin_value[memory_limit]', regexp: '^php_admin_value\[memory_limit\]', value: '{{PHP_MEMORY_LIMIT}}' } - - { key: 'php_admin_value[upload_max_filesize]', regexp: '^php_admin_value\[upload_max_filesize\]', value: '{{PHP_UPLOAD_MAX_FILESIZE}}' } - - { key: 'php_admin_value[post_max_size]', regexp: '^php_admin_value\[post_max_size\]', value: '{{PHP_POST_MAX_SIZE}}' } - - { key: 'php_admin_value[max_file_uploads]', regexp: '^php_admin_value\[max_file_uploads\]', value: '{{PHP_MAX_FILE_UPLOADS}}' } + regexp: "{{ item.regexp }}" + line: "{{ item.key }} = {{ item.value }}" + loop: + - { key: 'pm.max_children', regexp: '^pm\.max_children', value: '{{ PHP_FPM_MAX_CHILDREN }}' } + - { key: 'pm.max_requests', regexp: '^pm\.max_requests', value: '{{ PHP_FPM_MAX_REQUESTS }}' } + - { key: 'php_admin_value[memory_limit]', regexp: '^php_admin_value\[memory_limit\]', value: '{{ PHP_MEMORY_LIMIT }}' } + - { key: 'php_admin_value[upload_max_filesize]', regexp: '^php_admin_value\[upload_max_filesize\]', value: '{{ PHP_UPLOAD_MAX_FILESIZE }}' } + - { key: 'php_admin_value[post_max_size]', regexp: '^php_admin_value\[post_max_size\]', value: '{{ PHP_POST_MAX_SIZE }}' } + - { key: 'php_admin_value[max_file_uploads]', regexp: '^php_admin_value\[max_file_uploads\]', value: '{{ PHP_MAX_FILE_UPLOADS }}' } notify: restart PHP FPM 
diff --git a/icpc-wf/ansible/roles/domserver/templates/dbpasswords.secret.j2 b/provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2 similarity index 100% rename from icpc-wf/ansible/roles/domserver/templates/dbpasswords.secret.j2 rename to provision-contest/ansible/roles/domserver/templates/dbpasswords.secret.j2 diff --git a/icpc-wf/ansible/roles/domserver/templates/initial_admin_password.secret.j2 b/provision-contest/ansible/roles/domserver/templates/initial_admin_password.secret.j2 similarity index 100% rename from icpc-wf/ansible/roles/domserver/templates/initial_admin_password.secret.j2 rename to provision-contest/ansible/roles/domserver/templates/initial_admin_password.secret.j2 diff --git a/icpc-wf/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 similarity index 96% rename from icpc-wf/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 rename to provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 index 283828e1..2d19afe6 100644 --- a/icpc-wf/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 +++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 @@ -7,7 +7,7 @@ server_name _default_; client_max_body_size {{PHP_UPLOAD_MAX_FILESIZE}}; # Variables used in the nginx configuration -set $domjudgeRoot {{DJ_DIR}}/webapp/public; +set $domjudgeRoot {{ DJ_DIR }}/webapp/public; set $prefix ''; location / { diff --git a/icpc-wf/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 similarity index 100% rename from icpc-wf/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 rename to provision-contest/ansible/roles/domserver/templates/nginx-domjudge.conf.j2 
diff --git a/provision-contest/ansible/roles/grafana/defaults/main.yml b/provision-contest/ansible/roles/grafana/defaults/main.yml new file mode 100644 index 00000000..804c3e1b --- /dev/null +++ b/provision-contest/ansible/roles/grafana/defaults/main.yml @@ -0,0 +1,2 @@ +grafana_port: 8443 +loki: false diff --git a/icpc-wf/ansible/roles/grafana/files/.gitignore b/provision-contest/ansible/roles/grafana/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/.gitignore rename to provision-contest/ansible/roles/grafana/files/.gitignore diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards.yml b/provision-contest/ansible/roles/grafana/files/dashboards.yml similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards.yml rename to provision-contest/ansible/roles/grafana/files/dashboards.yml diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards/DOMjudge_Dashboard.json b/provision-contest/ansible/roles/grafana/files/dashboards/DOMjudge_Dashboard.json similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards/DOMjudge_Dashboard.json rename to provision-contest/ansible/roles/grafana/files/dashboards/DOMjudge_Dashboard.json diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards/mysql_14057.json b/provision-contest/ansible/roles/grafana/files/dashboards/mysql_14057.json similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards/mysql_14057.json rename to provision-contest/ansible/roles/grafana/files/dashboards/mysql_14057.json diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards/nginx.json b/provision-contest/ansible/roles/grafana/files/dashboards/nginx.json similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards/nginx.json rename to provision-contest/ansible/roles/grafana/files/dashboards/nginx.json 
diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards/node_exporter_grafana_1860.json b/provision-contest/ansible/roles/grafana/files/dashboards/node_exporter_grafana_1860.json similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards/node_exporter_grafana_1860.json rename to provision-contest/ansible/roles/grafana/files/dashboards/node_exporter_grafana_1860.json diff --git a/icpc-wf/ansible/roles/grafana/files/dashboards/php_fpm.json b/provision-contest/ansible/roles/grafana/files/dashboards/php_fpm.json similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/dashboards/php_fpm.json rename to provision-contest/ansible/roles/grafana/files/dashboards/php_fpm.json diff --git a/provision-contest/ansible/roles/grafana/files/datasources.yml b/provision-contest/ansible/roles/grafana/files/datasources.yml new file mode 100644 index 00000000..36088aff --- /dev/null +++ b/provision-contest/ansible/roles/grafana/files/datasources.yml 
@@ -0,0 +1,50 @@ +# config file version +apiVersion: 1 + +# list of datasources that should be deleted from the database +deleteDatasources: + - name: Prometheus + orgId: 1 + +# list of datasources to insert/update depending +# what's available in the database +datasources: + # name of the datasource. Required + - name: Prometheus + # datasource type. Required + type: prometheus + # access mode. proxy or direct (Server or Browser in the UI). Required + access: proxy + # org id. will default to orgId 1 if not specified + orgId: 1 + # url + url: http://localhost:9090 + # database password, if used + # password: + # database user, if used + # user: + # database name, if used + # database: + # enable/disable basic auth + # basicAuth: + # basic auth username + # basicAuthUser: + # basic auth password + # basicAuthPassword: + # enable/disable with credentials headers + # withCredentials: + # mark as default datasource. Max one per org + isDefault: true + # fields that will be converted to json and stored in jsonData + # jsonData: + # graphiteVersion: "1.1" + # tlsAuth: true + # tlsAuthWithCACert: true + # json object of data that will be encrypted. + # secureJsonData: + # tlsCACert: "..." + # tlsClientCert: "..." + # tlsClientKey: "..." + version: 1 + # allow users to edit datasources from the UI. + editable: true diff --git a/icpc-wf/ansible/roles/grafana/files/environment b/provision-contest/ansible/roles/grafana/files/environment similarity index 100% rename from icpc-wf/ansible/roles/grafana/files/environment rename to provision-contest/ansible/roles/grafana/files/environment diff --git a/provision-contest/ansible/roles/grafana/files/loki-local-config.yaml b/provision-contest/ansible/roles/grafana/files/loki-local-config.yaml new file mode 100644 index 00000000..b52f9864 --- /dev/null +++ b/provision-contest/ansible/roles/grafana/files/loki-local-config.yaml 
@@ -0,0 +1,46 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + grpc_listen_port: 9096 + +ingester: + lifecycler: + address: 127.0.0.1 + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 5m + chunk_retain_period: 30s + max_transfer_retries: 0 + +schema_config: + configs: + - from: 2018-04-15 + store: boltdb + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 168h + +storage_config: + boltdb: + directory: /data/loki/index + + filesystem: + directory: /data/loki/chunks + +limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h + +chunk_store_config: + max_look_back_period: 0s + +table_manager: + retention_deletes_enabled: false + retention_period: 0s diff --git a/provision-contest/ansible/roles/grafana/files/loki.service b/provision-contest/ansible/roles/grafana/files/loki.service new file mode 100644 index 00000000..dfa8f51e --- /dev/null +++ b/provision-contest/ansible/roles/grafana/files/loki.service @@ -0,0 +1,10 @@ +[Unit] +Description=Loki service +After=network.target + +[Service] +Type=simple +ExecStart=/usr/bin/loki-linux-amd64 --config.file /etc/grafana/loki/loki-local-config.yaml + +[Install] +WantedBy=multi-user.target diff --git a/provision-contest/ansible/roles/grafana/handlers/main.yml b/provision-contest/ansible/roles/grafana/handlers/main.yml new file mode 100644 index 00000000..d2a23bee --- /dev/null +++ b/provision-contest/ansible/roles/grafana/handlers/main.yml 
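Review bot: This config sets `auth_enabled: false` and gives the `server:` block ports only, so as far as I know Loki binds its HTTP (3100) and gRPC (9096) listeners on all interfaces and accepts unauthenticated pushes and queries from anything that can reach the host. If access is meant to go through the nginx `/loki/` location, add `http_listen_address: 127.0.0.1` and `grpc_listen_address: 127.0.0.1` under `server:`. If remote log shippers must push directly, restrict the port with a host firewall rule instead and say so in a comment next to `auth_enabled`.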
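Review bot: The `[Service]` section of loki.service has no `User=`, so systemd runs `/usr/bin/loki-linux-amd64` as root, while the `Install loki` task in roles/grafana/tasks/main.yml unpacks that binary with `owner: domjudge` and `group: domjudge`. A file that root executes at boot is therefore writable by a non-root account. Install the binary as `root:root` and run the service under a dedicated unprivileged account (for example `User=loki`, `Group=loki`, with `/data/loki` owned by it); `NoNewPrivileges=true` is a cheap addition. The same tasks file installs this unit with `mode: 0655`, where `0644` is the usual mode for a unit file.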
@@ -0,0 +1,32 @@ +--- +# Define here handlers associated to this role. + +- name: restart nginx-exporter + service: + name: prometheus-nginx-exporter + enabled: true + state: restarted + +- name: restart php-exporter + service: + name: php-fpm-exporter + enabled: true + state: restarted + +- name: restart nginx + service: + name: nginx + enabled: true + state: restarted + +- name: restart grafana + service: + name: grafana-server + enabled: true + state: restarted + +- name: restart loki + service: + name: loki + enabled: true + state: restarted diff --git a/provision-contest/ansible/roles/grafana/tasks/main.yml b/provision-contest/ansible/roles/grafana/tasks/main.yml new file mode 100644 index 00000000..ea84629a --- /dev/null +++ b/provision-contest/ansible/roles/grafana/tasks/main.yml 
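Review bot: No `restart prometheus` handler is defined in this file, yet the `set up prometheus scrapes` task in this role's tasks/main.yml notifies it. Unless that handler is defined elsewhere in the play (the lint script mentions a top-level handlers.yml that is not shown), Ansible stops with a missing-handler error the first time the template changes. Add one here in the same shape as the others: `- name: restart prometheus` with `service:` `name: prometheus`, `enabled: true`, `state: restarted`. The two exporter handlers are not notified by any task shown in this role, so check that they are still needed.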
@@ -0,0 +1,127 @@ +--- +- name: Add upstream prometheus apt key + apt_key: + url: https://packagecloud.io/the_asten/prometheus/gpgkey + state: present + +- name: Add upstream prometheus apt repo + apt_repository: + repo: deb https://packagecloud.io/the_asten/prometheus/ubuntu/ focal main + state: present + register: prometheus_repo + +- name: install dependencies + apt: + state: present + install_recommends: false + pkg: + - nginx + - prometheus + +# Setup Prometheus, which scrapes all metrics from the monitored machines +# The client exposes the metrics (on different ports/URIs) and we collect those +- name: set up prometheus scrapes + template: + src: prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + mode: 0644 + owner: root + group: root + notify: restart prometheus + +# Setup loki which gathers our logs +- name: Install loki + unarchive: + src: https://github.com/grafana/loki/releases/download/v2.5.0/loki-linux-amd64.zip + dest: /usr/bin/ + remote_src: true + owner: domjudge + group: domjudge + when: loki + +- name: Dir for loki settings + file: + state: directory + path: /etc/grafana/loki/ + owner: root + group: root + mode: 0755 + when: loki + +- name: Set loki settings + copy: + src: loki-local-config.yaml + dest: /etc/grafana/loki/ + owner: root + group: root + mode: 0644 + when: loki + notify: restart loki + +- name: Setup loki systemd + copy: + src: loki.service + dest: /etc/systemd/system/ + mode: 0655 + when: loki + notify: restart loki + +- name: Start loki service + service: + name: loki + state: started + enabled: true + when: loki + +## Setup grafana +- name: Install grafana + apt: + deb: https://dl.grafana.com/enterprise/release/grafana-enterprise_8.4.6_amd64.deb + state: present + notify: restart grafana + +- name: configure grafana + synchronize: + src: files/grafana/environment + dest: /etc/default/grafana-server + notify: restart grafana + +- name: set up grafana datasources + synchronize: + src: files/grafana/datasources.yml + dest: 
/etc/grafana/provisioning/datasources/default.yml + notify: restart grafana + +- name: set up grafana dashboards + synchronize: + src: files/grafana/dashboards.yml + dest: /etc/grafana/provisioning/dashboards/default.yml + notify: restart grafana + +- name: copy grafana dashboards + synchronize: + src: dashboards/ + dest: /etc/grafana/dashboards/ + notify: restart grafana + +# Setup nginx with selfsigned certificate +- name: copy ssl cert + synchronize: + src: ssl.crt + dest: /etc/ssl/certs/grafana.crt + notify: restart nginx + +- name: copy ssl key + synchronize: + src: ssl.key + dest: /etc/ssl/private/grafana.key + notify: restart nginx + +- name: copy default nginx config + template: + src: nginx.conf.j2 + dest: /etc/nginx/sites-enabled/grafana.conf + owner: root + group: root + mode: 0644 + notify: restart nginx diff --git a/icpc-wf/ansible/roles/grafana/files/nginx.conf b/provision-contest/ansible/roles/grafana/templates/nginx.conf.j2 similarity index 59% rename from icpc-wf/ansible/roles/grafana/files/nginx.conf rename to provision-contest/ansible/roles/grafana/templates/nginx.conf.j2 index 18b5d666..3be8301b 100644 --- a/icpc-wf/ansible/roles/grafana/files/nginx.conf +++ b/provision-contest/ansible/roles/grafana/templates/nginx.conf.j2 @@ -9,6 +9,20 @@ server { proxy_pass http://127.0.0.1:3000/; proxy_read_timeout 90; } + +{% if loki %} + location /loki/ { + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass http://localhost:3099/; + proxy_buffering off; + proxy_redirect off; + proxy_set_header Host $host; + } +{% endif $} + access_log /var/log/nginx/prometheus.log; error_log /var/log/nginx/prometheus.log; 
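Review bot: Three tasks in this file fetch code over the network and install it without pinning what they fetch: `apt_key` takes the repository key from a URL with no `id:` fingerprint, `unarchive` unpacks the Loki zip straight into `/usr/bin/`, and `apt: deb:` installs the Grafana package from a URL. For Loki, download with `get_url` and a `checksum:` first and unpack the verified file as `root:root`, as sketched below; for the key, add `id: <KEY_FINGERPRINT_PLACEHOLDER>` taken from a trusted source. Separately, `copy ssl key` uses `synchronize` with no permission control, so `/etc/ssl/private/grafana.key` ends up with whatever mode the local file has; a `copy` with `owner: root`, `group: root`, `mode: 0600` makes that explicit.

```yaml
# … unchanged: apt key, apt repo, dependencies, prometheus scrapes …
- name: Download loki release archive
  get_url:
    url: https://github.com/grafana/loki/releases/download/v2.5.0/loki-linux-amd64.zip
    dest: /usr/local/src/loki-linux-amd64.zip
    # placeholder: fill in the digest published with the release
    checksum: "sha256:<SHA256_OF_LOKI_ZIP_PLACEHOLDER>"
    owner: root
    group: root
    mode: 0644
  when: loki

- name: Install loki
  unarchive:
    src: /usr/local/src/loki-linux-amd64.zip
    dest: /usr/bin/
    remote_src: true
    owner: root
    group: root
    mode: 0755
  when: loki
# … unchanged: loki settings, systemd unit, grafana, nginx tasks …
```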
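Review bot: The added block in nginx.conf.j2 closes with `{% endif $}`, which is not a valid Jinja2 tag end, so rendering the template should fail whether or not `loki` is set; it needs to be `{% endif %}`. The location also proxies to `http://localhost:3099/` while loki-local-config.yaml sets `http_listen_port: 3100`, so unless something else listens on 3099 the line should read `proxy_pass http://localhost:3100/;`. Since Loki runs with `auth_enabled: false`, any access control for `/loki/` has to come from the enclosing `server` block, which starts and ends outside this hunk.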
diff --git a/icpc-wf/ansible/roles/grafana/templates/prometheus.yml.j2 b/provision-contest/ansible/roles/grafana/templates/prometheus.yml.j2 similarity index 62% rename from icpc-wf/ansible/roles/grafana/templates/prometheus.yml.j2 rename to provision-contest/ansible/roles/grafana/templates/prometheus.yml.j2 index 6723a31a..33e22df8 100644 --- a/icpc-wf/ansible/roles/grafana/templates/prometheus.yml.j2 +++ b/provision-contest/ansible/roles/grafana/templates/prometheus.yml.j2 @@ -3,6 +3,9 @@ global: evaluation_interval: 15s # By default, scrape targets every 15 seconds. # scrape_timeout is set to the global default (10s). scrape_configs: + - job_name: 'grafana' + static_configs: + - targets: ['localhost:443'] - job_name: 'prometheus' static_configs: - targets: ['localhost:9090'] @@ -29,6 +32,24 @@ scrape_configs: - targets: {% for host in groups["grafana"] %} - {{ hostvars[host].ansible_host }}:9100 +{% endfor %} + - job_name: node_mgmt + static_configs: + - targets: +{% for host in groups["mgmt"] %} + - {{ hostvars[host].ansible_host }}:9100 +{% endfor %} + - job_name: node_scoreboard + static_configs: + - targets: +{% for host in groups["scoreboard"] %} + - {{ hostvars[host].ansible_host }}:9100 +{% endfor %} + - job_name: node_cds + static_configs: + - targets: +{% for host in groups["cds"] %} + - {{ hostvars[host].ansible_host }}:9100 {% endfor %} - job_name: domjudge basic_auth: 
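Review bot: The new `grafana` job scrapes `localhost:443` with no `scheme:`, and Prometheus uses plain HTTP unless told otherwise, so this target will probably stay down if 443 is the TLS listener. The role defaults also set `grafana_port: 8443`, which suggests the port is wrong as well. Something like `scheme: https` with `targets: ['localhost:{{ grafana_port }}']` would match, provided nginx listens on that variable (the listen line is not in this diff). With the self-signed certificate, point `tls_config.ca_file` at `/etc/ssl/certs/grafana.crt` rather than switching verification off.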
@@ -43,13 +64,25 @@ scrape_configs: {% for host in groups["domserver"] %} - {{ hostvars[host].ansible_host }} {% endfor %} - - job_name: 'nginx_domjudge' + - job_name: 'web_nginx_cds' + static_configs: + - targets: +{% for host in groups["cds"] %} + - {{ hostvars[host].ansible_host }}:9113 +{% endfor %} + - job_name: 'web_nginx_scoreboard' + static_configs: + - targets: +{% for host in groups["scoreboard"] %} + - {{ hostvars[host].ansible_host }}:9113 +{% endfor %} + - job_name: 'web_nginx_domserver' static_configs: - targets: {% for host in groups["domserver"] %} - {{ hostvars[host].ansible_host }}:9113 {% endfor %} - - job_name: 'fpm_domjudge' + - job_name: 'web_fpm_domserver' static_configs: - targets: {% for host in groups["domserver"] %} diff --git a/provision-contest/ansible/roles/grafana/vars/.gitignore b/provision-contest/ansible/roles/grafana/vars/.gitignore new file mode 100644 index 00000000..1cda54be --- /dev/null +++ b/provision-contest/ansible/roles/grafana/vars/.gitignore @@ -0,0 +1 @@ +*.yml diff --git a/icpc-wf/ansible/roles/hosts/tasks/main.yml b/provision-contest/ansible/roles/hosts/tasks/main.yml similarity index 81% rename from icpc-wf/ansible/roles/hosts/tasks/main.yml rename to provision-contest/ansible/roles/hosts/tasks/main.yml index 7e4031d5..825265ed 100644 --- a/icpc-wf/ansible/roles/hosts/tasks/main.yml +++ b/provision-contest/ansible/roles/hosts/tasks/main.yml @@ -9,11 +9,11 @@ lineinfile: dest: /etc/hosts regexp: '{{ item }}$' - line: "{{ hostvars[item].ansible_host }} {{ item }}" + line: "{{ hostvars[item].ansible_host }} {{ item }}" loop: "{{ groups['all'] }}" - name: add domjudge in hosts file lineinfile: dest: /etc/hosts regexp: 'domserver' - line: "{{DOMSERVER_IP}} domjudge domserver" + line: "{{ DOMSERVER_IP }} domjudge domserver" 
diff --git a/icpc-wf/ansible/roles/icpc_fixes/handlers/main.yml b/provision-contest/ansible/roles/icpc_fixes/handlers/main.yml similarity index 59% rename from icpc-wf/ansible/roles/icpc_fixes/handlers/main.yml rename to provision-contest/ansible/roles/icpc_fixes/handlers/main.yml index d5338801..d3c5d9d3 100644 --- a/icpc-wf/ansible/roles/icpc_fixes/handlers/main.yml +++ b/provision-contest/ansible/roles/icpc_fixes/handlers/main.yml @@ -2,4 +2,6 @@ # Define here handlers associated to this role. - name: restart systemd timesyncd - command: systemctl restart systemd-timesyncd + systemd: + name: systemd-timesyncd + state: restarted diff --git a/icpc-wf/ansible/roles/icpc_fixes/tasks/main.yml b/provision-contest/ansible/roles/icpc_fixes/tasks/main.yml similarity index 89% rename from icpc-wf/ansible/roles/icpc_fixes/tasks/main.yml rename to provision-contest/ansible/roles/icpc_fixes/tasks/main.yml index 26cda45d..862eed55 100644 --- a/icpc-wf/ansible/roles/icpc_fixes/tasks/main.yml +++ b/provision-contest/ansible/roles/icpc_fixes/tasks/main.yml @@ -16,14 +16,14 @@ state: absent - name: Re-order PXEboot - shell: efibootmgr -o {{ EFI_ORDER }} + command: efibootmgr -o {{ EFI_ORDER }} when: EFI_ORDER is defined - name: disable mumble,selfie services service: name: "{{ item }}" state: stopped - enabled: no - with_items: + enabled: false + loop: - mumble-server - selfie diff --git a/icpc-wf/ansible/roles/judgedaemon/files/disable-turboboost_ht b/provision-contest/ansible/roles/judgedaemon/files/disable-turboboost_ht similarity index 100% rename from icpc-wf/ansible/roles/judgedaemon/files/disable-turboboost_ht rename to provision-contest/ansible/roles/judgedaemon/files/disable-turboboost_ht 
diff --git a/icpc-wf/ansible/roles/judgedaemon/files/install-chroot/.gitignore b/provision-contest/ansible/roles/judgedaemon/files/install-chroot/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/judgedaemon/files/install-chroot/.gitignore rename to provision-contest/ansible/roles/judgedaemon/files/install-chroot/.gitignore diff --git a/icpc-wf/ansible/roles/judgedaemon/files/install-chroot/README.md b/provision-contest/ansible/roles/judgedaemon/files/install-chroot/README.md similarity index 100% rename from icpc-wf/ansible/roles/judgedaemon/files/install-chroot/README.md rename to provision-contest/ansible/roles/judgedaemon/files/install-chroot/README.md diff --git a/icpc-wf/ansible/roles/judgedaemon/files/tune_cpu.service b/provision-contest/ansible/roles/judgedaemon/files/tune_cpu.service similarity index 100% rename from icpc-wf/ansible/roles/judgedaemon/files/tune_cpu.service rename to provision-contest/ansible/roles/judgedaemon/files/tune_cpu.service diff --git a/provision-contest/ansible/roles/judgedaemon/handlers/main.yml b/provision-contest/ansible/roles/judgedaemon/handlers/main.yml new file mode 100644 index 00000000..5676e7b2 --- /dev/null +++ b/provision-contest/ansible/roles/judgedaemon/handlers/main.yml @@ -0,0 +1,29 @@ +--- +# Define here handlers associated to this role. + +- name: enable and restart tune_cpu + systemd: + name: tune_cpu + enabled: true + state: restarted + daemon_reload: true + +- name: enable and restart create-cgroups + service: + name: create-cgroups + enabled: true + state: restarted + daemon_reload: true + +- name: enable and restart judgedaemon + service: + name: "domjudge-judgehost.target" + enabled: true + state: restarted + daemon_reload: true + +- name: update grub + command: update-grub + +- name: reboot + reboot: 
diff --git a/icpc-wf/ansible/roles/judgedaemon/meta/main.yml b/provision-contest/ansible/roles/judgedaemon/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/judgedaemon/meta/main.yml rename to provision-contest/ansible/roles/judgedaemon/meta/main.yml diff --git a/icpc-wf/ansible/roles/judgedaemon/tasks/main.yml b/provision-contest/ansible/roles/judgedaemon/tasks/main.yml similarity index 65% rename from icpc-wf/ansible/roles/judgedaemon/tasks/main.yml rename to provision-contest/ansible/roles/judgedaemon/tasks/main.yml index ef223e14..8906e2a2 100644 --- a/icpc-wf/ansible/roles/judgedaemon/tasks/main.yml +++ b/provision-contest/ansible/roles/judgedaemon/tasks/main.yml @@ -2,8 +2,8 @@ # These tasks configure the DOMjudge judgedaemon with chroot - name: create domjudge-run users - user: name=domjudge-run-{{item}} createhome=no home=/nonexistent group=nogroup shell=/bin/false - with_items: "{{CPUCORE}}" + user: name=domjudge-run-{{ item }} createhome=no home=/nonexistent group=nogroup shell=/bin/false + loop: "{{ cpucore }}" - name: create domjudge-run group group: name=domjudge-run state=present @@ -22,7 +22,7 @@ dest: /tmp/dj_ansible/ - name: create chroot - shell: "{{DJ_DIR}}/misc-tools/dj_make_chroot -y -i openjdk-11-jdk-headless -l \"$(ls /tmp/dj_ansible/install-chroot/*.deb 2>/dev/null | tr '\n' ',')\" 2>&1 | tee /tmp/dj_make_chroot.log; grep '^Done building chroot in' /tmp/dj_make_chroot.log" + shell: "set -o pipefail && {{ DJ_DIR }}/misc-tools/dj_make_chroot -y -i openjdk-11-jdk-headless -l \"$(ls /tmp/dj_ansible/install-chroot/*.deb 2>/dev/null | tr '\n' ',')\" 2>&1 | tee /tmp/dj_make_chroot.log; grep '^Done building chroot in' /tmp/dj_make_chroot.log" environment: DEBMIRROR: "{{ 'https://packages/ubuntu' if WF_RESTRICTED_NETWORK else '' }}" args: 
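Review bot: The `create chroot` command now starts with `set -o pipefail`, but Ansible's `shell` module runs `/bin/sh` unless `executable` is set, and as far as I know the dash that Ubuntu ships as `/bin/sh` rejects that option, so the task may abort before the chroot build starts. The `args:` block continues outside this hunk, so confirm it contains `executable: /bin/bash`. The task's result is still only that of the trailing `grep`, because it follows a `;`, so pipefail does not change what is reported. The build log is written as root to the fixed path `/tmp/dj_make_chroot.log`; a path under a root-only directory avoids other local users pre-creating it.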
@@ -30,7 +30,7 @@ - name: Pre-generate the kernel flags for ansible usage set_fact: - procline: "cgroup_enable=memory swapaccount=1 isolcpus={{ CPUCORE|join(',') }}" + procline: "cgroup_enable=memory swapaccount=1 isolcpus={{ cpucore|join(',') }}" - name: add cgroup kernel parameters lineinfile: @@ -59,28 +59,41 @@ copy: src: tune_cpu.service dest: /etc/systemd/system/ + mode: 0644 + group: root + owner: root notify: - - restart systemctl - enable and restart tune_cpu - name: copy judgedaemon related systemd unit files copy: remote_src: true - src: "{{DJ_DIR}}/lib/judge/{{item}}.service" + src: "{{ DJ_DIR }}/lib/judge/{{ item }}.service" dest: /etc/systemd/system/ - with_items: + mode: 0644 + group: root + owner: root + loop: - create-cgroups - domjudge-judgedaemon@ notify: - - restart systemctl - enable and restart create-cgroups + +- name: template judgedaemon template systemd unit file + template: + src: domjudge-judgehost.target.j2 + dest: /etc/systemd/system/domjudge-judgehost.target + mode: 0644 + group: root + owner: root + notify: - enable and restart judgedaemon - name: disable systemd timers - command: systemctl mask {{item}} - args: - creates: /etc/systemd/system/{{item}} - with_items: + systemd: + name: "{{ item }}" + masked: true + loop: - apt-daily-upgrade.timer - apt-daily.timer - systemd-tmpfiles-clean.timer diff --git a/provision-contest/ansible/roles/judgedaemon/templates/domjudge-judgehost.target.j2 b/provision-contest/ansible/roles/judgedaemon/templates/domjudge-judgehost.target.j2 new file mode 100644 index 00000000..d39dc784 --- /dev/null +++ b/provision-contest/ansible/roles/judgedaemon/templates/domjudge-judgehost.target.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=DOMjudge judgehost running one or more judgedaemons +Requires={% for core in CPUCORE %}domjudge-judgedaemon@{{ core }}.service {% endfor %} + +[Install] +WantedBy=multi-user.target 
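Review bot: The `Requires=` line in `domjudge-judgehost.target.j2` loops over `CPUCORE`, but this same commit renames the role variable to `cpucore` in `vars/main.yml` and in the `create domjudge-run users` and `procline` tasks. Ansible variable names are case-sensitive, so unless `CPUCORE` is still defined somewhere outside this diff the template will stop with an undefined-variable error and no judgedaemon target is installed. Use `{% for core in cpucore %}` here.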
diff --git a/icpc-wf/ansible/roles/judgedaemon/vars/main.yml b/provision-contest/ansible/roles/judgedaemon/vars/main.yml similarity index 88% rename from icpc-wf/ansible/roles/judgedaemon/vars/main.yml rename to provision-contest/ansible/roles/judgedaemon/vars/main.yml index e6cf0230..80d35c0b 100644 --- a/icpc-wf/ansible/roles/judgedaemon/vars/main.yml +++ b/provision-contest/ansible/roles/judgedaemon/vars/main.yml @@ -1,4 +1,4 @@ -CPUCORE: +cpucore: - 2 # Add additional CPU cores to pin judgedaemons on as: # - 3 diff --git a/icpc-wf/ansible/roles/keepalived/files/alerting/.config/autostart/alert_listener.desktop b/provision-contest/ansible/roles/keepalived/files/alerting/.config/autostart/alert_listener.desktop similarity index 100% rename from icpc-wf/ansible/roles/keepalived/files/alerting/.config/autostart/alert_listener.desktop rename to provision-contest/ansible/roles/keepalived/files/alerting/.config/autostart/alert_listener.desktop diff --git a/icpc-wf/ansible/roles/keepalived/files/alerting/bin/alert_listener.sh b/provision-contest/ansible/roles/keepalived/files/alerting/bin/alert_listener.sh similarity index 100% rename from icpc-wf/ansible/roles/keepalived/files/alerting/bin/alert_listener.sh rename to provision-contest/ansible/roles/keepalived/files/alerting/bin/alert_listener.sh diff --git a/icpc-wf/ansible/roles/keepalived/files/alerting/bin/alerting.sh.template b/provision-contest/ansible/roles/keepalived/files/alerting/bin/alerting.sh.template similarity index 100% rename from icpc-wf/ansible/roles/keepalived/files/alerting/bin/alerting.sh.template rename to provision-contest/ansible/roles/keepalived/files/alerting/bin/alerting.sh.template 
diff --git a/icpc-wf/ansible/roles/keepalived/files/alerting/bin/trigger_alert.sh b/provision-contest/ansible/roles/keepalived/files/alerting/bin/trigger_alert.sh similarity index 100% rename from icpc-wf/ansible/roles/keepalived/files/alerting/bin/trigger_alert.sh rename to provision-contest/ansible/roles/keepalived/files/alerting/bin/trigger_alert.sh diff --git a/icpc-wf/ansible/roles/keepalived/handlers/main.yml b/provision-contest/ansible/roles/keepalived/handlers/main.yml similarity index 100% rename from icpc-wf/ansible/roles/keepalived/handlers/main.yml rename to provision-contest/ansible/roles/keepalived/handlers/main.yml diff --git a/icpc-wf/ansible/roles/keepalived/meta/main.yml b/provision-contest/ansible/roles/keepalived/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/keepalived/meta/main.yml rename to provision-contest/ansible/roles/keepalived/meta/main.yml diff --git a/icpc-wf/ansible/roles/keepalived/tasks/main.yml b/provision-contest/ansible/roles/keepalived/tasks/main.yml similarity index 90% rename from icpc-wf/ansible/roles/keepalived/tasks/main.yml rename to provision-contest/ansible/roles/keepalived/tasks/main.yml index 74179980..8225b237 100644 --- a/icpc-wf/ansible/roles/keepalived/tasks/main.yml +++ b/provision-contest/ansible/roles/keepalived/tasks/main.yml @@ -11,6 +11,9 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf + mode: 0644 + group: root + owner: root notify: restart keepalived service - name: Start but disable keepalived (so it does not fail back to primary) @@ -25,3 +28,4 @@ dest: /home/domjudge/ owner: domjudge group: domjudge + mode: 0755 diff --git a/icpc-wf/ansible/roles/keepalived/templates/keepalived.conf.j2 b/provision-contest/ansible/roles/keepalived/templates/keepalived.conf.j2 similarity index 100% rename from icpc-wf/ansible/roles/keepalived/templates/keepalived.conf.j2 rename to provision-contest/ansible/roles/keepalived/templates/keepalived.conf.j2 
diff --git a/icpc-wf/ansible/roles/mysql_replication/meta/main.yml b/provision-contest/ansible/roles/mysql_replication/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/mysql_replication/meta/main.yml rename to provision-contest/ansible/roles/mysql_replication/meta/main.yml diff --git a/icpc-wf/ansible/roles/mysql_replication/tasks/main.yml b/provision-contest/ansible/roles/mysql_replication/tasks/main.yml similarity index 80% rename from icpc-wf/ansible/roles/mysql_replication/tasks/main.yml rename to provision-contest/ansible/roles/mysql_replication/tasks/main.yml index 716bd986..45f8b4a6 100644 --- a/icpc-wf/ansible/roles/mysql_replication/tasks/main.yml +++ b/provision-contest/ansible/roles/mysql_replication/tasks/main.yml @@ -14,7 +14,12 @@ replace: '#bind-address =' - name: add mysql config snippet for replication - template: src=mysql.replication.cnf.j2 dest=/etc/mysql/mariadb.conf.d/zzz_replication.cnf + template: + src: mysql.replication.cnf.j2 + dest: /etc/mysql/mariadb.conf.d/zzz_replication.cnf + mode: 0644 + group: root + owner: root notify: restart mysql - name: copy script to setup replication @@ -24,7 +29,7 @@ mysql_user: name: replication host: '%' - password: "{{REPLICATION_PASSWORD}}" + password: "{{ REPLICATION_PASSWORD }}" append_privs: true priv: '*.*:REPLICATION SLAVE' state: present diff --git a/icpc-wf/ansible/roles/mysql_replication/templates/mysql.replication.cnf.j2 b/provision-contest/ansible/roles/mysql_replication/templates/mysql.replication.cnf.j2 similarity index 100% rename from icpc-wf/ansible/roles/mysql_replication/templates/mysql.replication.cnf.j2 rename to provision-contest/ansible/roles/mysql_replication/templates/mysql.replication.cnf.j2 
diff --git a/icpc-wf/ansible/roles/mysql_replication/templates/setup-replication.sh.j2 b/provision-contest/ansible/roles/mysql_replication/templates/setup-replication.sh.j2
similarity index 100%
rename from icpc-wf/ansible/roles/mysql_replication/templates/setup-replication.sh.j2
rename to provision-contest/ansible/roles/mysql_replication/templates/setup-replication.sh.j2
diff --git a/provision-contest/ansible/roles/mysql_server/files/dump-db b/provision-contest/ansible/roles/mysql_server/files/dump-db
new file mode 100644
index 00000000..0a8adee3
--- /dev/null
+++ b/provision-contest/ansible/roles/mysql_server/files/dump-db
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ -z "$1" ]
+then
+ echo "Usage dump-db [name]"
+ echo ".sql.gz will be appended"
+ exit 1
+fi
+
+sudo mysqldump --opt --skip-lock-tables domjudge | pv | gzip > "/home/domjudge/db-dumps/${1}.sql.gz"
diff --git a/provision-contest/ansible/roles/mysql_server/files/load-db b/provision-contest/ansible/roles/mysql_server/files/load-db
new file mode 100644
index 00000000..e5351de5
--- /dev/null
+++ b/provision-contest/ansible/roles/mysql_server/files/load-db
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ -z "$1" ]
+then
+ echo "Usage load-db [name]"
+ echo ".sql.gz will be appended"
+ exit 1
+fi
+
+FILE="/home/domjudge/db-dumps/${1}.sql.gz"
+
+if [ ! -f "${FILE}" ]
+then
+ echo "Error. File ${FILE} not found"
+ exit 1
+fi
+
+pv "${FILE}" | gunzip | sudo mysql domjudge
diff --git a/icpc-wf/ansible/roles/mysql_server/files/my.cnf b/provision-contest/ansible/roles/mysql_server/files/my.cnf
similarity index 100%
rename from icpc-wf/ansible/roles/mysql_server/files/my.cnf
rename to provision-contest/ansible/roles/mysql_server/files/my.cnf
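Review bot: `dump-db` creates the dump through a shell redirect under the caller's default umask, so the resulting `.sql.gz`, a full copy of the `domjudge` database that presumably includes account password hashes, is normally world-readable; add `umask 077` before the pipeline. `$1` is also placed in the path unchecked in both `dump-db` and `load-db`, so a name containing `/` reaches outside `db-dumps`; a guard such as `case "$1" in */*) echo "name must not contain /" >&2; exit 1;; esac` closes that. The exit status of the dump pipeline is that of `gzip`, so a failed `mysqldump` still leaves a plausible-looking file behind and silently overwrites an earlier dump of the same name.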
diff --git a/icpc-wf/ansible/roles/mysql_server/files/mysql.domjudge.cnf b/provision-contest/ansible/roles/mysql_server/files/mysql.domjudge.cnf similarity index 100% rename from icpc-wf/ansible/roles/mysql_server/files/mysql.domjudge.cnf rename to provision-contest/ansible/roles/mysql_server/files/mysql.domjudge.cnf diff --git a/icpc-wf/ansible/roles/mysql_server/files/mysql.override.cnf b/provision-contest/ansible/roles/mysql_server/files/mysql.override.cnf similarity index 100% rename from icpc-wf/ansible/roles/mysql_server/files/mysql.override.cnf rename to provision-contest/ansible/roles/mysql_server/files/mysql.override.cnf diff --git a/icpc-wf/ansible/roles/mysql_server/handlers/main.yml b/provision-contest/ansible/roles/mysql_server/handlers/main.yml similarity index 59% rename from icpc-wf/ansible/roles/mysql_server/handlers/main.yml rename to provision-contest/ansible/roles/mysql_server/handlers/main.yml index 07246cb4..5ef1bb20 100644 --- a/icpc-wf/ansible/roles/mysql_server/handlers/main.yml +++ b/provision-contest/ansible/roles/mysql_server/handlers/main.yml @@ -2,4 +2,4 @@ # Define here handlers associated to this role. - name: restart mysql - service: name=mysql enabled=yes state=restarted + service: name=mysql enabled=true state=restarted diff --git a/provision-contest/ansible/roles/mysql_server/tasks/main.yml b/provision-contest/ansible/roles/mysql_server/tasks/main.yml new file mode 100644 index 00000000..26479b04 --- /dev/null +++ b/provision-contest/ansible/roles/mysql_server/tasks/main.yml 
@@ -0,0 +1,69 @@ +--- +# These tasks install and configure a MySQL server + +- name: install mysql packages + apt: + state: present + pkg: + - mariadb-server + - python3-mysqldb + - mycli + +- name: copy in MySQL config + copy: + src: my.cnf + dest: /root/.my.cnf + mode: 0644 + owner: root + group: root + +- name: create directory for systemd mysql settings + file: + path: /etc/systemd/system/mysql.service.d/ + state: directory + group: root + owner: root + mode: 0755 + +- name: update systemd so mysql has bigger limits + copy: + src: mysql.override.cnf + dest: /etc/systemd/system/mysql.service.d/override.conf + mode: 0644 + group: root + owner: root + notify: restart mysql + +- name: add mysql config snippet to increase limits + copy: + src: mysql.domjudge.cnf + dest: /etc/mysql/mariadb.conf.d/zz_domjudge.cnf + mode: 0644 + owner: root + group: root + notify: restart mysql + +- name: make sure mysql is restarted + meta: flush_handlers + +- name: create directory to store scripts & database dumps + file: + path: /home/domjudge/{{ item }} + owner: domjudge + group: domjudge + state: directory + mode: 0755 + loop: + - db-dumps + - bin + +- name: copy database dump/load scripts + copy: + src: "{{ item }}" + dest: /home/domjudge/bin/{{ item }} + owner: domjudge + group: domjudge + mode: 0755 + loop: + - load-db + - dump-db diff --git a/icpc-wf/ansible/roles/phpstorm/files/.gitignore b/provision-contest/ansible/roles/phpstorm/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/phpstorm/files/.gitignore rename to provision-contest/ansible/roles/phpstorm/files/.gitignore diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/.gitignore b/provision-contest/ansible/roles/phpstorm/files/.idea/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/phpstorm/files/.idea/.gitignore rename to provision-contest/ansible/roles/phpstorm/files/.idea/.gitignore 
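Review bot: `copy in MySQL config` installs `my.cnf` as `/root/.my.cnf` with `mode: 0644`; a client option file in root's home usually carries the database root password, so `mode: 0600` is the appropriate value (the file's contents are not part of this diff, so confirm). The loop in `create directory to store scripts & database dumps` also gives `db-dumps` mode `0755`, which lets every local account list and read the dumps written there. Splitting that loop so `db-dumps` gets `mode: 0700` while `bin` keeps `0755` would keep the dumps with `domjudge`.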
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/domjudge-checkout.iml b/provision-contest/ansible/roles/phpstorm/files/.idea/domjudge-checkout.iml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/domjudge-checkout.iml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/domjudge-checkout.iml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/inspectionProfiles/Project_Default.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/inspectionProfiles/Project_Default.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/inspectionProfiles/Project_Default.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/inspectionProfiles/Project_Default.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/jsLinters/jshint.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/jsLinters/jshint.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/jsLinters/jshint.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/jsLinters/jshint.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/modules.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/modules.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/modules.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/modules.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/php.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/php.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/php.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/php.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/symfony2.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/symfony2.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/symfony2.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/symfony2.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/.idea/vcs.xml b/provision-contest/ansible/roles/phpstorm/files/.idea/vcs.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/.idea/vcs.xml
rename to provision-contest/ansible/roles/phpstorm/files/.idea/vcs.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/files/README.md b/provision-contest/ansible/roles/phpstorm/files/README.md
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/README.md
rename to provision-contest/ansible/roles/phpstorm/files/README.md
diff --git a/icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mariadb-java-client-2.7.3.jar b/provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mariadb-java-client-2.7.3.jar
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mariadb-java-client-2.7.3.jar
rename to provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mariadb-java-client-2.7.3.jar
diff --git a/icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mysql-connector-license.txt b/provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mysql-connector-license.txt
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mysql-connector-license.txt
rename to provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/MariaDB Connector J/2.7.3/mysql-connector-license.txt
diff --git a/icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/jdbc-drivers.xml b/provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/jdbc-drivers.xml
similarity index 100%
rename from icpc-wf/ansible/roles/phpstorm/files/jdbc-drivers/jdbc-drivers.xml
rename to provision-contest/ansible/roles/phpstorm/files/jdbc-drivers/jdbc-drivers.xml
diff --git a/icpc-wf/ansible/roles/phpstorm/meta/main.yml b/provision-contest/ansible/roles/phpstorm/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/phpstorm/meta/main.yml rename to provision-contest/ansible/roles/phpstorm/meta/main.yml diff --git a/icpc-wf/ansible/roles/phpstorm/tasks/main.yml b/provision-contest/ansible/roles/phpstorm/tasks/main.yml similarity index 86% rename from icpc-wf/ansible/roles/phpstorm/tasks/main.yml rename to provision-contest/ansible/roles/phpstorm/tasks/main.yml index 70db3566..fb0b1f4e 100644 --- a/icpc-wf/ansible/roles/phpstorm/tasks/main.yml +++ b/provision-contest/ansible/roles/phpstorm/tasks/main.yml @@ -5,32 +5,32 @@ synchronize: src: PhpStorm-{{ PHPSTORM_FULL_VERSION }} dest: "/opt/phpstorm" - owner: no + owner: false use_ssh_args: true - name: Copy in PHPStorm config synchronize: src: PhpStorm{{ PHPSTORM_VERSION }} dest: "/home/domjudge/.config/JetBrains" - owner: no + owner: false use_ssh_args: true - name: Copy in PHPStorm jdbc drivers synchronize: src: jdbc-drivers dest: "/home/domjudge/.config/JetBrains/PhpStorm{{ PHPSTORM_VERSION }}/" - owner: no + owner: false use_ssh_args: true - name: fix ownership of PHPStorm config file: path: "/home/domjudge/.config/JetBrains/PhpStorm{{ PHPSTORM_VERSION }}" - recurse: yes + recurse: true owner: domjudge group: domjudge - name: Create local directory - become: yes + become: true become_user: domjudge file: path: "/home/domjudge/.local/share/JetBrains/" 
@@ -41,33 +41,33 @@ synchronize: src: PhpStorm{{ PHPSTORM_VERSION }}-local-share/ dest: "/home/domjudge/.local/share/JetBrains/PhpStorm{{ PHPSTORM_VERSION }}" - owner: no - recursive: yes + owner: false + recursive: true use_ssh_args: true - name: fix ownership of PHPStorm local share file: path: "/home/domjudge/.local/share/JetBrains/PhpStorm{{ PHPSTORM_VERSION }}" - recurse: yes + recurse: true owner: domjudge group: domjudge - name: Copy in PHPStorm settings for repo synchronize: src: .idea - dest: "{{DJ_DIR}}" - owner: no + dest: "{{ DJ_DIR }}" + owner: false use_ssh_args: true - name: fix ownership of PHPStorm config file: - path: "{{DJ_DIR}}/.idea" - recurse: yes + path: "{{ DJ_DIR }}/.idea" + recurse: true owner: domjudge group: domjudge - name: Create a directory if it does not exist - become: yes + become: true become_user: domjudge file: path: /home/domjudge/.local/share/applications @@ -75,8 +75,9 @@ mode: '0755' - name: Copy in PHPStorm Desktop icon - become: yes + become: true become_user: domjudge template: src: jetbrains-phpstorm.desktop.j2 dest: /home/domjudge/.local/share/applications/jetbrains-phpstorm.desktop + mode: 0644 diff --git a/icpc-wf/ansible/roles/phpstorm/templates/jetbrains-phpstorm.desktop.j2 b/provision-contest/ansible/roles/phpstorm/templates/jetbrains-phpstorm.desktop.j2 similarity index 100% rename from icpc-wf/ansible/roles/phpstorm/templates/jetbrains-phpstorm.desktop.j2 rename to provision-contest/ansible/roles/phpstorm/templates/jetbrains-phpstorm.desktop.j2 diff --git a/provision-contest/ansible/roles/prometheus_target_all/defaults/main.yml b/provision-contest/ansible/roles/prometheus_target_all/defaults/main.yml new file mode 100644 index 00000000..0686e6c9 --- /dev/null +++ b/provision-contest/ansible/roles/prometheus_target_all/defaults/main.yml @@ -0,0 +1 @@ +prom: true 
diff --git a/provision-contest/ansible/roles/prometheus_target_all/files/promtail.service b/provision-contest/ansible/roles/prometheus_target_all/files/promtail.service
new file mode 100644
index 00000000..10606214
--- /dev/null
+++ b/provision-contest/ansible/roles/prometheus_target_all/files/promtail.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Promtail service
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/promtail-linux-amd64 --config.file /etc/promtail/promtail-local-config.yaml
+
+[Install]
+WantedBy=multi-user.target
diff --git a/provision-contest/ansible/roles/prometheus_target_all/handlers/main.yml b/provision-contest/ansible/roles/prometheus_target_all/handlers/main.yml
new file mode 100644
index 00000000..4d60f810
--- /dev/null
+++ b/provision-contest/ansible/roles/prometheus_target_all/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart promtail
+ service:
+ name: promtail
+ enabled: true
+ state: restarted
+ daemon_reload: true
diff --git a/provision-contest/ansible/roles/prometheus_target_all/tasks/main.yml b/provision-contest/ansible/roles/prometheus_target_all/tasks/main.yml
new file mode 100644
index 00000000..6716f037
--- /dev/null
+++ b/provision-contest/ansible/roles/prometheus_target_all/tasks/main.yml
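Review bot: `promtail.service` has no `User=` line in `[Service]`, so promtail runs as root, while the `Install promtail` task in this role unpacks `/usr/bin/promtail-linux-amd64` with `owner: domjudge` and `group: domjudge`. That lets the unprivileged `domjudge` account replace a binary that systemd later starts as root. Keep the binary owned by root, and consider running the unit under a dedicated account that can read `/var/log`, with `NoNewPrivileges=yes` added to the `[Service]` section.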
@@ -0,0 +1,54 @@ +--- +# This tasks gathers default system metrics. + +- name: install required packages + apt: + state: present + pkg: + - prometheus-node-exporter + +# Setup promtail which sends our logs +- name: Install promtail + unarchive: + src: https://github.com/grafana/loki/releases/download/v2.5.0/promtail-linux-amd64.zip + dest: /usr/bin/ + remote_src: true + owner: domjudge + group: domjudge + when: prom + +- name: Dir for promtail settings + file: + state: directory + path: /etc/promtail + owner: root + group: root + mode: 0755 + when: prom + +- name: Set promtail settings + copy: + src: promtail-local-config.yaml + dest: /etc/promtail/ + owner: root + group: root + mode: 0644 + when: prom + notify: restart promtail + +- name: Setup promtail systemd + copy: + src: promtail.service + dest: /etc/systemd/system/ + mode: 0655 + owner: root + group: root + when: prom + notify: restart promtail + +- name: Start promtail service + service: + name: promtail + state: started + enabled: true + when: prom diff --git a/provision-contest/ansible/roles/prometheus_target_all/templates/promtail-local-config.yaml.j2 b/provision-contest/ansible/roles/prometheus_target_all/templates/promtail-local-config.yaml.j2 new file mode 100644 index 00000000..af053e76 --- /dev/null +++ b/provision-contest/ansible/roles/prometheus_target_all/templates/promtail-local-config.yaml.j2 @@ -0,0 +1,20 @@ +server: + http_listen_port: 9080 + #grpc_listen_port: 0 + +positions: + filename: /var/log/positions.yaml + +clients: +{% for host in groups["grafana"] %} + - url: https://{{ hostvars[host].ansible_host }} +{% endfor %} + +scrape_configs: +- job_name: system + static_configs: + - targets: + - localhost + labels: + job: varlogs + __path__: /var/log/*log 
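Review bot: `Install promtail` downloads a release zip and unpacks it straight into `/usr/bin/` with no integrity check, so whatever the URL serves at provisioning time ends up as a system binary. Fetch the archive first with `get_url` and `checksum: "sha256:<digest of the v2.5.0 asset>"`, then point `unarchive` at the downloaded file. `Setup promtail systemd` also sets `mode: 0655`, which looks like a typo for `0644`.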
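Review bot: Nothing in this commit renders `promtail-local-config.yaml.j2`: the `Set promtail settings` task uses `copy` with `src: promtail-local-config.yaml`, which is looked up under `files/`, and `copy` would not expand the loop over `groups["grafana"]` anyway. Switch that task to `template` with `src: promtail-local-config.yaml.j2` and `dest: /etc/promtail/promtail-local-config.yaml`. The client `url` here is only a scheme and host; Promtail usually needs the full push endpoint (`/loki/api/v1/push`), so confirm whether a proxy on the grafana hosts adds it.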
diff --git a/icpc-wf/ansible/roles/prometheus_target_web/files/.gitignore b/provision-contest/ansible/roles/prometheus_target_web/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/prometheus_target_web/files/.gitignore rename to provision-contest/ansible/roles/prometheus_target_web/files/.gitignore diff --git a/icpc-wf/ansible/roles/prometheus_target_web/files/README.md b/provision-contest/ansible/roles/prometheus_target_web/files/README.md similarity index 100% rename from icpc-wf/ansible/roles/prometheus_target_web/files/README.md rename to provision-contest/ansible/roles/prometheus_target_web/files/README.md diff --git a/icpc-wf/ansible/roles/prometheus_target_web/files/nginx-status.conf b/provision-contest/ansible/roles/prometheus_target_web/files/nginx-status.conf similarity index 69% rename from icpc-wf/ansible/roles/prometheus_target_web/files/nginx-status.conf rename to provision-contest/ansible/roles/prometheus_target_web/files/nginx-status.conf index 41638999..5617c246 100644 --- a/icpc-wf/ansible/roles/prometheus_target_web/files/nginx-status.conf +++ b/provision-contest/ansible/roles/prometheus_target_web/files/nginx-status.conf @@ -1,6 +1,6 @@ server { - listen 8080; - listen [::]:8080; + listen 8787; + listen [::]:8787; server_name _default_; location = /basic_status { diff --git a/icpc-wf/ansible/roles/prometheus_target_web/files/php-fpm-exporter.service b/provision-contest/ansible/roles/prometheus_target_web/files/php-fpm-exporter.service similarity index 100% rename from icpc-wf/ansible/roles/prometheus_target_web/files/php-fpm-exporter.service rename to provision-contest/ansible/roles/prometheus_target_web/files/php-fpm-exporter.service diff --git a/provision-contest/ansible/roles/prometheus_target_web/handlers/main.yml b/provision-contest/ansible/roles/prometheus_target_web/handlers/main.yml new file mode 100644 index 00000000..b5739a5f --- /dev/null 
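Review bot: `listen 8787;` and `listen [::]:8787;` bind the status server on every interface, although the only consumer visible in this commit is the exporter scraping `http://localhost:8787/basic_status`. Binding to loopback, `listen 127.0.0.1:8787;` and `listen [::1]:8787;`, keeps connection statistics off the contest network. The `location = /basic_status` block continues outside the hunk and may already restrict access with `allow`/`deny`.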
+++ b/provision-contest/ansible/roles/prometheus_target_web/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: restart php-exporter + service: name=php-fpm-exporter enabled=true state=restarted + +- name: restart nginx + service: name=nginx enabled=true state=restarted + +- name: restart nginx-exporter + service: name=prometheus-nginx-exporter enabled=true state=restarted + +- name: restart mysqld-exporter + service: name=prometheus-mysqld-exporter enabled=true state=restarted diff --git a/icpc-wf/ansible/roles/prometheus_target_web/tasks/main.yml b/provision-contest/ansible/roles/prometheus_target_web/tasks/main.yml similarity index 56% rename from icpc-wf/ansible/roles/prometheus_target_web/tasks/main.yml rename to provision-contest/ansible/roles/prometheus_target_web/tasks/main.yml index e2304e7d..77660578 100644 --- a/icpc-wf/ansible/roles/prometheus_target_web/tasks/main.yml +++ b/provision-contest/ansible/roles/prometheus_target_web/tasks/main.yml 
@@ -1,36 +1,48 @@ --- # These tasks configure metric collectors -- name: install required packages +- name: Every webserver runs nginx so expose metrics apt: state: present pkg: - prometheus-mysqld-exporter - - prometheus-nginx-exporter + notify: restart nginx-exporter + +- name: Expose MariaDB metrics + when: MARIADB + apt: + state: present + pkg: + - prometheus-mysqld-exporter + notify: restart mysqld-exporter # Gather PHP-FPM statistics # The exporter from this is currently not in deb sources # so we need to download this from GitHub see the README in files - name: Install PHP-fpm exporter binary + when: FPM ansible.builtin.unarchive: - src: php-fpm_exporter.tar.gz + src: https://github.com/hipages/php-fpm_exporter/releases/download/v2.0.4/php-fpm_exporter_2.0.4_linux_amd64.tar.gz dest: /usr/bin/ + remote_src: true exclude: - LICENSE - README.md + notify: restart php-exporter - name: Export PHP-FPM metrics + when: FPM synchronize: - src=php-fpm-exporter.service - dest=/etc/systemd/system/php-fpm-exporter.service + src: php-fpm-exporter.service + dest: /etc/systemd/system/php-fpm-exporter.service notify: restart php-exporter # Gather NGINX statistics, # Observe that we use the observed process itself in the monitoring - name: Get NGINX status synchronize: - src=nginx-status.conf - dest=/etc/nginx/sites-enabled/nginx-status.conf + src: nginx-status.conf + dest: /etc/nginx/sites-enabled/nginx-status.conf notify: restart nginx - name: Prometheus nginx exporter 
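Review bot: `Install PHP-fpm exporter binary` now unpacks a GitHub release tarball into `/usr/bin/` with no checksum, where the removed line shipped a local `php-fpm_exporter.tar.gz`; download it with `get_url` and `checksum: "sha256:<digest of the v2.0.4 asset>"` first, then unarchive the local copy. Separately, as the hunk reads, the first task keeps `- prometheus-mysqld-exporter` in its `pkg` list and drops `- prometheus-nginx-exporter`. The exporter restarted by `restart nginx-exporter` is then never installed, and the MariaDB exporter is installed even when `MARIADB` is false. The list item in `Every webserver runs nginx so expose metrics` should be `- prometheus-nginx-exporter`.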
@@ -38,14 +50,25 @@ dest: /etc/default/prometheus-nginx-exporter state: present regexp: '^ARGS=""' - line: 'ARGS="-nginx.scrape-uri=http://localhost:8080/basic_status"' + line: 'ARGS="-nginx.scrape-uri=http://localhost:8787/basic_status"' notify: restart nginx-exporter +- name: Create storage dir for exporter settings + when: MARIADB + file: + state: directory + owner: prometheus + group: prometheus + mode: 0700 + path: /var/lib/prometheus + # Because the scrape happens inside the same machine we reuse the DB password # which is also used for the normal installation - name: Create MySQL authentication file + when: MARIADB template: src: mysqld-exporter-authentication.cnf.j2 dest: /var/lib/prometheus/.my.cnf owner: prometheus + mode: 0644 notify: restart mysqld-exporter diff --git a/icpc-wf/ansible/roles/prometheus_target_web/templates/mysqld-exporter-authentication.cnf.j2 b/provision-contest/ansible/roles/prometheus_target_web/templates/mysqld-exporter-authentication.cnf.j2 similarity index 100% rename from icpc-wf/ansible/roles/prometheus_target_web/templates/mysqld-exporter-authentication.cnf.j2 rename to provision-contest/ansible/roles/prometheus_target_web/templates/mysqld-exporter-authentication.cnf.j2 diff --git a/provision-contest/ansible/roles/scoreboard/handlers/main.yml b/provision-contest/ansible/roles/scoreboard/handlers/main.yml new file mode 100644 index 00000000..1d442fdc --- /dev/null +++ b/provision-contest/ansible/roles/scoreboard/handlers/main.yml @@ -0,0 +1,5 @@ +--- +# Define here handlers associated to this role. + +- name: restart nginx + service: name=nginx enabled=true state=restarted diff --git a/provision-contest/ansible/roles/scoreboard/tasks/main.yml b/provision-contest/ansible/roles/scoreboard/tasks/main.yml new file mode 100644 index 00000000..f5726d64 --- /dev/null +++ b/provision-contest/ansible/roles/scoreboard/tasks/main.yml 
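Review bot: `Create MySQL authentication file` writes `/var/lib/prometheus/.my.cnf` with `mode: 0644`, and the comment above the task says it reuses the DB password of the normal installation. A credentials file should be `mode: 0600` with `group: prometheus` set explicitly. The `0700` parent directory added in this hunk helps, but the file's own mode should not depend on it.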
@@ -0,0 +1,114 @@ +--- +# These tasks configure a static scoreboard + +- name: create directories for styling, scripts, fonts and flags + file: + path: /home/domjudge/scoreboard/{{ item }} + state: directory + owner: domjudge + group: domjudge + mode: 0755 + loop: + - css + - js + - webfonts + - flags + +- name: download required assets + get_url: + url: "{{ DOMSERVER_URL }}/{{ item }}" + dest: /home/domjudge/scoreboard/{{ item }} + owner: domjudge + group: domjudge + mode: 0644 + loop: + - favicon.ico + - css/bootstrap.min.css + - css/fontawesome-all.min.css + - js/jquery.min.js + - js/bootstrap.bundle.min.js + - js/domjudge.js + - style_domjudge.css + - webfonts/fa-brands-400.ttf + - webfonts/fa-brands-400.woff2 + - webfonts/fa-regular-400.ttf + - webfonts/fa-regular-400.woff2 + - webfonts/fa-solid-900.ttf + - webfonts/fa-solid-900.woff2 + - webfonts/fa-v4compatibility.ttf + - webfonts/fa-v4compatibility.woff2 + +- name: install contest images + synchronize: + src: files/domjudge-public/ + dest: "/home/domjudge/scoreboard/" + owner: false + use_ssh_args: true + become: true + become_user: domjudge + +- name: download and unpack flag icons package + unarchive: + src: https://github.com/lipis/flag-icons/archive/refs/tags/3.5.0.zip + dest: /tmp + remote_src: true + owner: domjudge + group: domjudge + +- name: copy flag icon SVG's + copy: + src: /tmp/flag-icons-3.5.0/flags/ + dest: /home/domjudge/scoreboard/flags/ + remote_src: true + owner: domjudge + group: domjudge + mode: 0755 + +- name: create bin directory + file: + path: /home/domjudge/bin + state: directory + owner: domjudge + group: domjudge + mode: 0755 + +- name: install update scoreboard script + template: + src: update-scoreboard.sh.j2 + dest: "/home/domjudge/bin/update-scoreboard.sh" + owner: domjudge + group: domjudge + mode: 0755 + +# Ansible cron task defaults to * for all cron parts +- name: set up cron to update scoreboard + cron: + name: update public scoreboard + job: 
/home/domjudge/bin/update-scoreboard.sh + user: domjudge + +- name: install nginx + apt: + state: present + pkg: + - nginx + +- name: add scoreboard nginx conf + template: + src: scoreboard.conf.j2 + dest: /etc/nginx/sites-available/scoreboard.conf + mode: 0644 + notify: restart nginx + +- name: enable nginx conf for static scoreboard + file: + src: /etc/nginx/sites-available/scoreboard.conf + dest: /etc/nginx/sites-enabled/scoreboard.conf + state: link + notify: restart nginx + +- name: disable default nginx site + file: + path: /etc/nginx/sites-enabled/default + state: absent + notify: restart nginx diff --git a/provision-contest/ansible/roles/scoreboard/templates/scoreboard.conf.j2 b/provision-contest/ansible/roles/scoreboard/templates/scoreboard.conf.j2 new file mode 100644 index 00000000..3621e2af --- /dev/null +++ b/provision-contest/ansible/roles/scoreboard/templates/scoreboard.conf.j2 @@ -0,0 +1,25 @@ +# nginx configuration for the static scoreboard +server { + listen 80; + listen [::]:80; + + server_name {{STATIC_SCOREBOARD_HOSTNAME}}; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{STATIC_SCOREBOARD_HOSTNAME}}; + + ssl_certificate {{STATIC_SCOREBOARD_SSL_CERT}}; + ssl_certificate_key {{STATIC_SCOREBOARD_SSL_KEY}}; + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security max-age=31556952; + + root /home/domjudge/scoreboard; +} diff --git a/provision-contest/ansible/roles/scoreboard/templates/update-scoreboard.sh.j2 b/provision-contest/ansible/roles/scoreboard/templates/update-scoreboard.sh.j2 new file mode 100644 index 00000000..ceaf99a8 --- /dev/null +++ b/provision-contest/ansible/roles/scoreboard/templates/update-scoreboard.sh.j2 
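Review bot: `download and unpack flag icons package` fetches a zip from GitHub without a checksum and unpacks it into the shared `/tmp`, and the next task copies from the fixed path `/tmp/flag-icons-3.5.0/flags/`. Verify the archive with `get_url` and `checksum: "sha256:<digest of the 3.5.0 archive>"`, and unpack into a directory created for this purpose rather than a predictable name in `/tmp`. `copy flag icon SVG's` also sets `mode: 0755`, which marks every SVG executable; `mode: 0644` with `directory_mode: 0755` expresses the intent.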
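Review bot: The TLS server block sets `ssl_prefer_server_ciphers on;` but leaves `ssl_protocols` and `ssl_ciphers` to the distribution's `nginx.conf` or the build defaults, which on older packages can still include TLS 1.0 and 1.1. Pin them in this file, for example `ssl_protocols TLSv1.2 TLSv1.3;`. The HSTS header is not sent on error responses unless it is written as `add_header Strict-Transport-Security "max-age=31556952" always;`.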
@@ -0,0 +1,8 @@ +#!/bin/sh + +for _ in $(seq 1 6) +do + wget -O /tmp/scoreboard-tmp.html '{{DOMSERVER_URL}}/public?static=1' + mv /tmp/scoreboard-tmp.html /home/domjudge/scoreboard/index.html + sleep 10 +done diff --git a/icpc-wf/ansible/roles/ssh/files/.gitignore b/provision-contest/ansible/roles/ssh/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/ssh/files/.gitignore rename to provision-contest/ansible/roles/ssh/files/.gitignore diff --git a/icpc-wf/ansible/roles/ssh/files/README.md b/provision-contest/ansible/roles/ssh/files/README.md similarity index 100% rename from icpc-wf/ansible/roles/ssh/files/README.md rename to provision-contest/ansible/roles/ssh/files/README.md diff --git a/icpc-wf/ansible/roles/ssh/files/config b/provision-contest/ansible/roles/ssh/files/config similarity index 100% rename from icpc-wf/ansible/roles/ssh/files/config rename to provision-contest/ansible/roles/ssh/files/config diff --git a/icpc-wf/ansible/roles/ssh/meta/main.yml b/provision-contest/ansible/roles/ssh/meta/main.yml similarity index 100% rename from icpc-wf/ansible/roles/ssh/meta/main.yml rename to provision-contest/ansible/roles/ssh/meta/main.yml diff --git a/icpc-wf/ansible/roles/ssh/tasks/main.yml b/provision-contest/ansible/roles/ssh/tasks/main.yml similarity index 94% rename from icpc-wf/ansible/roles/ssh/tasks/main.yml rename to provision-contest/ansible/roles/ssh/tasks/main.yml index b76a9a26..45e6a52c 100644 --- a/icpc-wf/ansible/roles/ssh/tasks/main.yml +++ b/provision-contest/ansible/roles/ssh/tasks/main.yml @@ -16,7 +16,7 @@ owner: domjudge group: domjudge mode: 0600 - with_items: + loop: - config - id_rsa - id_rsa.pub @@ -26,7 +26,7 @@ src: "{{ item }}" dest: /root/.ssh/ mode: 0600 - with_items: + loop: - config - id_rsa - id_rsa.pub @@ -36,6 +36,6 @@ user: "{{ item }}" state: present key: "{{ lookup('file', 'id_rsa.pub') }}" - with_items: + loop: - domjudge - root 
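Review bot: The loop writes to the fixed name `/tmp/scoreboard-tmp.html` and runs `mv` whether or not `wget` succeeded, so a failed or partial download replaces the published `index.html`, and a file or symlink pre-created at that path in the shared `/tmp` can interfere with the cron job. I would download next to the destination and publish only on success: `wget -O /home/domjudge/scoreboard/.index.html.tmp '{{DOMSERVER_URL}}/public?static=1' && mv /home/domjudge/scoreboard/.index.html.tmp /home/domjudge/scoreboard/index.html`. Staying on one filesystem also keeps the `mv` an atomic rename, so nginx never serves a half-written page. A `--timeout` on `wget` would keep a hung request from running into the next cron invocation.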
diff --git a/icpc-wf/ansible/roles/ssl/files/.gitignore b/provision-contest/ansible/roles/ssl/files/.gitignore similarity index 100% rename from icpc-wf/ansible/roles/ssl/files/.gitignore rename to provision-contest/ansible/roles/ssl/files/.gitignore diff --git a/icpc-wf/ansible/roles/ssl/files/README.md b/provision-contest/ansible/roles/ssl/files/README.md similarity index 100% rename from icpc-wf/ansible/roles/ssl/files/README.md rename to provision-contest/ansible/roles/ssl/files/README.md diff --git a/icpc-wf/ansible/roles/ssl/handlers/main.yml b/provision-contest/ansible/roles/ssl/handlers/main.yml similarity index 100% rename from icpc-wf/ansible/roles/ssl/handlers/main.yml rename to provision-contest/ansible/roles/ssl/handlers/main.yml diff --git a/icpc-wf/ansible/roles/ssl/tasks/main.yml b/provision-contest/ansible/roles/ssl/tasks/main.yml similarity index 98% rename from icpc-wf/ansible/roles/ssl/tasks/main.yml rename to provision-contest/ansible/roles/ssl/tasks/main.yml index ef31743c..691c5210 100644 --- a/icpc-wf/ansible/roles/ssl/tasks/main.yml +++ b/provision-contest/ansible/roles/ssl/tasks/main.yml @@ -18,6 +18,7 @@ state: directory owner: root group: root + mode: 0755 - name: install SSL server certificates into CA certificates copy: diff --git a/icpc-wf/ansible/roles/system_fixes/files/dconf/db/local.d/01-alt-tab b/provision-contest/ansible/roles/system_fixes/files/dconf/db/local.d/01-alt-tab similarity index 100% rename from icpc-wf/ansible/roles/system_fixes/files/dconf/db/local.d/01-alt-tab rename to provision-contest/ansible/roles/system_fixes/files/dconf/db/local.d/01-alt-tab diff --git a/icpc-wf/ansible/roles/system_fixes/files/dconf/db/local.d/locks/locks b/provision-contest/ansible/roles/system_fixes/files/dconf/db/local.d/locks/locks similarity index 100% rename from icpc-wf/ansible/roles/system_fixes/files/dconf/db/local.d/locks/locks rename to provision-contest/ansible/roles/system_fixes/files/dconf/db/local.d/locks/locks 
diff --git a/icpc-wf/ansible/roles/system_fixes/files/dconf/profile/user b/provision-contest/ansible/roles/system_fixes/files/dconf/profile/user similarity index 100% rename from icpc-wf/ansible/roles/system_fixes/files/dconf/profile/user rename to provision-contest/ansible/roles/system_fixes/files/dconf/profile/user diff --git a/icpc-wf/ansible/roles/system_fixes/handlers/main.yml b/provision-contest/ansible/roles/system_fixes/handlers/main.yml similarity index 75% rename from icpc-wf/ansible/roles/system_fixes/handlers/main.yml rename to provision-contest/ansible/roles/system_fixes/handlers/main.yml index cf8e5b7f..572a8e29 100644 --- a/icpc-wf/ansible/roles/system_fixes/handlers/main.yml +++ b/provision-contest/ansible/roles/system_fixes/handlers/main.yml @@ -2,4 +2,4 @@ # Define here handlers associated to this role. - name: update dconf - shell: dconf update + command: dconf update diff --git a/icpc-wf/ansible/roles/system_fixes/tasks/main.yml b/provision-contest/ansible/roles/system_fixes/tasks/main.yml similarity index 81% rename from icpc-wf/ansible/roles/system_fixes/tasks/main.yml rename to provision-contest/ansible/roles/system_fixes/tasks/main.yml index 5743386e..115a45cf 100644 --- a/icpc-wf/ansible/roles/system_fixes/tasks/main.yml +++ b/provision-contest/ansible/roles/system_fixes/tasks/main.yml @@ -3,14 +3,14 @@ - name: set timezone timezone: - name: "{{TIMEZONE}}" + name: "{{ TIMEZONE }}" - name: set PHP timezone for CLI lineinfile: dest: /etc/php/7.4/cli/php.ini state: present regexp: 'date\.timezone\s*=' - line: 'date.timezone = {{TIMEZONE}}' + line: 'date.timezone = {{ TIMEZONE }}' - name: enable bash completion globally blockinfile: @@ -26,5 +26,10 @@ fi - name: Force enable alt-tab for switching windows - copy: src=dconf/ dest=/etc/dconf/ + copy: + src: dconf/ + dest: /etc/dconf/ + owner: root + group: root + mode: 0755 notify: update dconf 
diff --git a/provision-contest/ansible/scoreboard.yml b/provision-contest/ansible/scoreboard.yml new file mode 100644 index 00000000..221ceaf7 --- /dev/null +++ b/provision-contest/ansible/scoreboard.yml @@ -0,0 +1,37 @@ +--- +# This playbook installs the static scoreboard + +- name: setup static scoreboard + hosts: scoreboard + vars: + host_type: scoreboard + become: true + roles: + - role: base_packages + tags: base_packages + - role: icpc_fixes + tags: icpc_fixes + when: ICPC_IMAGE + - role: system_fixes + tags: system_fixes + - role: hosts + tags: hosts + - role: ssl + tags: ssl + vars: + INSTALL_SSL_PRIVATE_KEYS: true + - role: domjudge_user + tags: domjudge_user + - role: ssh + tags: ssh + - role: scoreboard + tags: scoreboard + - role: prometheus_target_web + tags: prometheus_target_web + vars: + MARIADB: false + FPM: false + when: GRAFANA_MONITORING + - role: prometheus_target_all + tags: prometheus_target_all + when: GRAFANA_MONITORING diff --git a/icpc-wf/check-turboboost b/provision-contest/check-turboboost similarity index 100% rename from icpc-wf/check-turboboost rename to provision-contest/check-turboboost diff --git a/icpc-wf/comp_config b/provision-contest/comp_config similarity index 100% rename from icpc-wf/comp_config rename to provision-contest/comp_config diff --git a/icpc-wf/comp_scores b/provision-contest/comp_scores similarity index 100% rename from icpc-wf/comp_scores rename to provision-contest/comp_scores diff --git a/icpc-wf/disable-screenlock b/provision-contest/disable-screenlock similarity index 100% rename from icpc-wf/disable-screenlock rename to provision-contest/disable-screenlock diff --git a/icpc-wf/disable-turboboost_ht b/provision-contest/disable-turboboost_ht similarity index 100% rename from icpc-wf/disable-turboboost_ht rename to provision-contest/disable-turboboost_ht 
diff --git a/icpc-wf/dump-api.sh b/provision-contest/dump-api.sh similarity index 100% rename from icpc-wf/dump-api.sh rename to provision-contest/dump-api.sh diff --git a/icpc-wf/fix-mounts.sh b/provision-contest/fix-mounts.sh similarity index 100% rename from icpc-wf/fix-mounts.sh rename to provision-contest/fix-mounts.sh diff --git a/icpc-wf/prepare-photos b/provision-contest/prepare-photos similarity index 100% rename from icpc-wf/prepare-photos rename to provision-contest/prepare-photos diff --git a/icpc-wf/replay.py b/provision-contest/replay.py similarity index 100% rename from icpc-wf/replay.py rename to provision-contest/replay.py diff --git a/icpc-wf/retrieve-judging.sh b/provision-contest/retrieve-judging.sh similarity index 100% rename from icpc-wf/retrieve-judging.sh rename to provision-contest/retrieve-judging.sh diff --git a/icpc-wf/teams2_organization_images_to_domlogo_naming.php b/provision-contest/teams2_organization_images_to_domlogo_naming.php similarity index 100% rename from icpc-wf/teams2_organization_images_to_domlogo_naming.php rename to provision-contest/teams2_organization_images_to_domlogo_naming.php diff --git a/update_docs.sh b/update_docs.sh index e89e63cf..19430d46 100755 --- a/update_docs.sh +++ b/update_docs.sh @@ -16,6 +16,7 @@ for version in $(jq -r -c '.[]' < "${JSON}") ; do git clean -df git checkout "$version" rm -rf doc/manual/build/html/ + rm -rf lib/vendor/ if [ "$version" = "main" ]; then sed -i -e "s/^version.*/version = 'main'/" doc/manual/version.py.in fi diff --git a/website/Makefile b/website/Makefile index c93b77b7..495a435b 100644 --- a/website/Makefile +++ b/website/Makefile @@ -3,7 +3,7 @@ SHELL = /bin/bash WWWDIR = /srv/http/domjudge install: - cp *.shtml *.css *.ico *.svg *.pdf $(WWWDIR)/ + cp *.shtml *.css *.ico *.svg *.pdf *.yml $(WWWDIR)/ # This takes the docs from the latest (by string sorting) release and copies # these to the directory serving files under www.domjudge.org/docs/. 
diff --git a/website/about.shtml b/website/about.shtml index 7c167959..c51c2793 100644 --- a/website/about.shtml +++ b/website/about.shtml @@ -67,8 +67,8 @@ administrator manual.

Authors and contact

The main developers are Jaap Eldering, Nicky Gerritsen, Keith -Johnson, Thijs Kinkhorst, and Tobias Werth, with contributions from -many other people. +Johnson, Thijs Kinkhorst, Mart Pluijmaekers, Michael Vasseur and Tobias Werth, +with contributions from many other people. Anyone interested is welcome to contribute to DOMjudge.

The project is licensed under the GNU General Public Licence. This gives @@ -76,7 +76,7 @@ you the freedom to use it for any purpose, without cost, make changes that you require and share those with the community.

You can reach us through the development mailinglist -DOMjudge-devel. +DOMjudge-devel. (You need to be subscribed to the list before you can post, to counter spam.) This is also the place to get help with your questions about installing or using DOMjudge.

diff --git a/website/demo.shtml b/website/demo.shtml index 4dd4cb67..27125619 100644 --- a/website/demo.shtml +++ b/website/demo.shtml @@ -45,4 +45,8 @@ contest, NWERC 2018, with some sensitive things removed.

If there's something not working, or you've got questions, please contact us at admin@domjudge.org.

+

Logging

+ +We send exceptions encountered on the demo instance to Sentry. This should not contain personal information but we prefer to inform you of this. These errors make it easier to detect and debug bugs in our current development version, so you already help us by encountering these bugs! + diff --git a/website/development.shtml b/website/development.shtml index 35213d2d..e15ae649 100644 --- a/website/development.shtml +++ b/website/development.shtml @@ -22,13 +22,13 @@ for how to run DOMjudge from git sources.
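Review bot: The new `website/docker-compose.yml` publishes MariaDB as `13306:3306` on every host interface while `MYSQL_ROOT_PASSWORD=domjudge` and `MYSQL_PASSWORD=djpw` are fixed values published on the website, so anyone who can reach the host gets database access with known credentials. Because the download page links this file as the example setup, I would bind the published ports to loopback, `- 127.0.0.1:13306:3306` and `- 127.0.0.1:8080:80`, or drop the MariaDB mapping altogether, since the domserver already reaches it as `mariadb` through `MYSQL_HOST`. A comment such as `# example credentials - change before exposing this host` above the environment blocks would make the intent clear. Both images are also untagged (`docker.io/mariadb`, `docker.io/domjudge/domserver`), so the example floats on whatever `latest` is at pull time; pinning a tag would make it reproducible.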

our Github project. You may report a new issue there. If you have a question or you are unsure whether what you're seeing is -a bug, please discuss it on the development mailinglist or +a bug, please discuss it on the development mailinglist or chat beforehand (see below).

Mailinglist and chat

You are welcome to subscribe to our -development mailinglist +development mailinglist for discussions on development, but also for asking general questions on using and installing DOMjudge (you need to subscribe to the list before you can post). diff --git a/website/docker-compose.yml b/website/docker-compose.yml new file mode 100644 index 00000000..dc3975da --- /dev/null +++ b/website/docker-compose.yml @@ -0,0 +1,27 @@ +version: '3' + +services: + mariadb: + image: docker.io/mariadb + hostname: mariadb + environment: + - MYSQL_ROOT_PASSWORD=domjudge + - MYSQL_USER=domjudge + - MYSQL_PASSWORD=djpw + - MYSQL_DATABASE=domjudge + ports: + - 13306:3306 + command: --max-connections=1000 --max-allowed-packet=512M + volumes: + - /var/lib/mysql + domjudge: + image: docker.io/domjudge/domserver + hostname: domserver + environment: + - MYSQL_ROOT_PASSWORD=domjudge + - MYSQL_USER=domjudge + - MYSQL_PASSWORD=djpw + - MYSQL_DATABASE=domjudge + - MYSQL_HOST=mariadb + ports: + - 8080:80 diff --git a/website/documentation.shtml b/website/documentation.shtml index 4cc75ec5..f37341eb 100644 --- a/website/documentation.shtml +++ b/website/documentation.shtml @@ -18,7 +18,7 @@ state as well as perform certain actions, such as submit solutions and control contest state (with admin role).

The DOMjudge API is an implementation of the ICPC -Contest API +Contest API (except that it does not (yet) implement the optional team-members endpoint). It also has some extensions, see the internal API documentation.

diff --git a/website/download.shtml b/website/download.shtml index 569e8dc1..d207a358 100644 --- a/website/download.shtml +++ b/website/download.shtml @@ -35,14 +35,13 @@ dated .

To get notifications of new releases, subscribe to the low volume -announcements +announcements mailing list.

DOMjudge docker images

Official Docker images for both the domserver and judgehost are also available. -See the Docker Hub -repository for the DOMserver to get started. +See the Docker Hub repository for the DOMserver to get started or use the example docker-compose setup.

Debian Packages

diff --git a/website/header.shtml b/website/header.shtml index 8ae61899..a77563e2 100644 --- a/website/header.shtml +++ b/website/header.shtml @@ -1,7 +1,7 @@ - diff --git a/website/tools.shtml b/website/tools.shtml index c94ed8bc..c81c97ea 100644 --- a/website/tools.shtml +++ b/website/tools.shtml @@ -62,4 +62,11 @@ can connect to.

+

Autologin for team machines

+ +

LightDM CCS autologin makes + it possible to automatically log in to team machines when the contest starts in DOMjudge. This + is useful to keep problem data secret and to make sharing credentials easier on the organizer. +

+