Fix: aws

.gitignore

@@ -1 +1,2 @@
 group_vars/*/secret.yml
+private.pem

ansible.cfg

@@ -1,4 +1,9 @@
 [defaults]
 roles_path=./roles/
 inventory=./hosts
-remote_user=root
+remote_user=arch
+remote_tmp=/tmp/ansible-$USER
+
+[privilege_escalation]
+become=True
+become_method=sudo

hosts

@@ -2,7 +2,9 @@
 localhost ansible_connection=local
 
 [cms]
-test3.konchin.com
+aws.konchin.com
+#test7.konchin.com
+#test3.konchin.com
 
 [all:vars]
-ansible_python_interpreter=/usr/bin/python
+ansible_python_interpreter=/usr/bin/python3

playbooks/install.yml

@@ -7,4 +7,5 @@
     - role: cms_preparation
     - role: setup_database
     - role: configure_cms
+    - role: configure_haproxy
     - role: add_helper_scripts

playbooks/test.yml

@@ -0,0 +1,14 @@
+---
+- name: Test
+  hosts: cms
+  tasks:
+    - name: Test
+      ansible.builtin.file:
+        path: /poop
+      check_mode: true
+      ignore_errors: true
+      register: poop
+    - name: Debug
+      ansible.builtin.debug:
+        var: poop
+      when: ! poop.failed

roles/cms_preparation/tasks/main.yml

@@ -1,19 +1,24 @@
 ---
-- name: Clone repository
+- name: Clone CMS repository
   ansible.builtin.git:
     repo: 'https://github.com/cms-dev/cms.git'
     dest: /srv/cms
     version: b77c87b4d60fbe7df60dc5e03d2be632a25992fe
     single_branch: true
-    track_submodules: true
+    update: false
+- name: Clone isolate repository
+  ansible.builtin.git:
+    repo: 'https://github.com/ioi/isolate.git'
+    dest: /srv/cms/isolate
+    version: v1.8.1
+    single_branch: true
     update: false
 - name: Run prerequisites
   ansible.builtin.command: |
     python prerequisites.py -y --as-root install
   args:
     chdir: /srv/cms
-  register: ret
-  changed_when: ret.rc != 0
+    creates: /usr/local/etc/cms.conf
 - name: Modify cmsuser
   ansible.builtin.user:
     name: cmsuser

roles/configure_haproxy/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Copy haproxy.cfg
-  ansible.builtin.copy:
+  ansible.builtin.template:
     src: haproxy.cfg.jinja
     dest: /etc/haproxy/haproxy.cfg
     mode: '0600'

roles/configure_haproxy/templates/haproxy.cfg.jinja

@@ -15,7 +15,7 @@ global
 userlist creds
   user {{ username }} insecure-password {{ password }}
 
-frontend  secure
+frontend  auth
     bind :8080
     http-request auth unless { http_auth(creds) }
     mode                 http
@@ -26,12 +26,13 @@ frontend  secure
     maxconn              8000
     timeout              client  30s
 
+    use_backend contest  if { hdr(host) -i {{ dns_prefix }}.{{ dns_suffix }} }
     use_backend rank     if { hdr(host) -i {{ dns_prefix }}-ranking.{{ dns_suffix }} }
     use_backend admin    if { hdr(host) -i {{ dns_prefix }}-admin.{{ dns_suffix }} }
-    default_backend      contest
 
 frontend  main
-    bind :80
+#    bind :80
+    bind :443 ssl crt /etc/haproxy/cert.pem
     mode                 http
     log                  global
     option               httplog
@@ -40,9 +41,17 @@ frontend  main
     maxconn              8000
     timeout              client  30s
 
-    use_backend rank     if { hdr(host) -i {{ dns_prefix }}-ranking.{{ dns_suffix }} }
-    use_backend admin    if { hdr(host) -i {{ dns_prefix }}-admin.{{ dns_suffix }} }
-    default_backend      contest
+    use_backend secure   if { hdr(host) -i {{ dns_prefix }}.{{ dns_suffix }} }
+    use_backend secure   if { hdr(host) -i {{ dns_prefix }}-ranking.{{ dns_suffix }} }
+    use_backend secure   if { hdr(host) -i {{ dns_prefix }}-admin.{{ dns_suffix }} }
+
+backend secure
+    mode        http
+    balance     roundrobin
+    timeout     connect 5s
+    timeout     server  30s
+    timeout     queue   30s
+    server  secure1 127.0.0.1:8080 check
 
 backend contest
     mode        http

roles/install_packages/tasks/archlinux.yml

@@ -0,0 +1,36 @@
+---
+- name: Update package cache
+  community.general.pacman:
+    update_cache: true
+
+- name: Install cms dependencies
+  community.general.pacman:
+    pkg:
+      - base-devel
+      - jdk8-openjdk
+      - fpc
+      - postgresql
+      - python
+      - libcap
+      - git
+  notify: Upgrade packages
+
+- name: Install cms optional dependencies
+  community.general.pacman:
+    pkg:
+      - postgresql-libs
+      - libcups
+      - libyaml
+      - python-virtualenv
+      - python-pip
+      - rust
+  notify: Upgrade packages
+
+- name: Install additional packages
+  community.general.pacman:
+    pkg:
+      - pyenv
+      - haproxy
+      - python-psycopg2
+      - unzip
+  notify: Upgrade packages

roles/install_packages/tasks/debian.yml

@@ -0,0 +1,38 @@
+---
+- name: Install cms dependencies
+  ansible.builtin.apt:
+    pkg:
+      - build-essential
+      - openjdk-8-headless
+      - fp-compiler
+      - postgresql
+      - postgresql-client
+      - python3
+      - cppreference-doc-en-html
+      - cgroup-lite
+      - libcap-dev
+      - zip
+
+
+      - jdk8-openjdk
+      - fpc
+      - postgresql
+      - python
+      - libcap
+      - git
+
+- name: Install cms optional dependencies
+  ansible.builtin.apt:
+    pkg:
+      - postgresql-libs
+      - libcups
+      - libyaml
+      - python-virtualenv
+      - rust
+
+- name: Install additional packages
+  ansible.builtin.apt:
+    pkg:
+      - pyenv
+      - haproxy
+      - python-psycopg2

roles/install_packages/tasks/main.yml

@@ -1,34 +1,7 @@
 ---
-- name: Update package cache
-  community.general.pacman:
-    update_cache: true
-
-- name: Install cms dependencies
-  community.general.pacman:
-    pkg:
-      - base-devel
-      - jdk8-openjdk
-      - fpc
-      - postgresql
-      - python
-      - libcap
-      - git
-  notify: Upgrade packages
-
-- name: Install cms optional dependencies
-  community.general.pacman:
-    pkg:
-      - postgresql-libs
-      - libcups
-      - libyaml
-      - python-virtualenv
-      - rust
-  notify: Upgrade packages
-
-- name: Install additional packages
-  community.general.pacman:
-    pkg:
-      - pyenv
-      - haproxy
-      - python-psycopg2
-  notify: Upgrade packages
+- name: Install packages on ArchLinux
+  ansible.builtin.import_tasks: archlinux.yml
+  when: ansible_distribution == 'Archlinux'
+- name: Install packages on Debian
+  ansible.builtin.import_tasks: debian.yml
+  when: ansible_distribution == 'Debian'

roles/setup_cgroupsv1/handlers/main.yml

@@ -1,3 +1,8 @@
 ---
+- name: GRUB mkconfig
+  ansible.builtin.command: |
+    grub-mkconfig -o /boot/grub/grub.cfg
+  register: ret
+  changed_when: ret.rc != 0
 - name: Reboot
   ansible.builtin.reboot:

roles/setup_cgroupsv1/tasks/grub.yml

@@ -0,0 +1,12 @@
+---
+- name: Append cgroupsv1 boot option
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT)="(.*)"$'
+    line: '\1="\2 SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.unified_cgroup_hierarchy=0"'
+    backrefs: true
+  notify:
+    - GRUB mkconfig
+    - Reboot
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/setup_cgroupsv1/tasks/main.yml

@@ -1,13 +1,20 @@
 ---
-- name: Setup boot entry facts
-  ansible.builtin.set_fact:
-    bootconf: "{{ setup_cgroupsv1_bootconf | default('/boot/loader/entries/arch.conf') }}"
-- name: Append cgroupsv1 boot option
-  ansible.builtin.lineinfile:
-    path: "{{ bootconf }}"
-    regexp: '^(options.*rw)'
-    line: '\1 SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.unified_cgroup_hierarchy=0'
-    backrefs: true
-  notify: Reboot
-- name: Flush handlers
-  ansible.builtin.meta: flush_handlers
+- name: Check systemd-boot
+  ansible.builtin.file:
+    path: /boot/loader
+  check_mode: true
+  ignore_errors: true
+  register: ret
+- name: Import systemd-boot
+  ansible.builtin.import_tasks: systemd-boot.yml
+  when: not ret.failed
+
+- name: Check grub
+  ansible.builtin.file:
+    path: /boot/grub
+  check_mode: true
+  ignore_errors: true
+  register: ret
+- name: Import grub
+  ansible.builtin.import_tasks: grub.yml
+  when: not ret.failed

roles/setup_cgroupsv1/tasks/systemd-boot.yml

@@ -0,0 +1,13 @@
+---
+- name: Setup boot entry facts
+  ansible.builtin.set_fact:
+    bootconf: "{{ setup_cgroupsv1_bootconf | default('/boot/loader/entries/arch.conf') }}"
+- name: Append cgroupsv1 boot option
+  ansible.builtin.lineinfile:
+    path: "{{ bootconf }}"
+    regexp: '^(options.*rw)'
+    line: '\1 SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.unified_cgroup_hierarchy=0'
+    backrefs: true
+  notify: Reboot
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/setup_database/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: CMS init DB
+  ansible.builtin.shell: |
+    sudo -iu cmsuser <<EOF
+      cmsInitDB
+    EOF
+  become: true
+  become_user: cmsuser
+  register: ret
+  changed_when: ret.rc != 0

roles/setup_database/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Init PostgreSQL
   ansible.builtin.command: |
-    initdb --locale=C.UTF-8 --encoding=UTF8 -D /var/lib/postgres/data
+    initdb -D /var/lib/postgres/data
   args:
     creates: /var/lib/postgres/data/PG_VERSION
   become: true
@@ -31,12 +31,13 @@
         role: cmsuser
         privs: ALL
         objs: ALL_IN_SCHEMA
-- name: CMS init DB
-  ansible.builtin.shell: |
-    sudo -iu cmsuser <<EOF
-      cmsInitDB
-    EOF
+- name: Check is CMS DB initialized
+  community.postgresql.postgresql_table:
+    db: cmsdb
+    table: admins
   become: true
-  become_user: cmsuser
-  register: ret
-  changed_when: ret.rc != 0
+  become_user: postgres
+  check_mode: true
+  notify: CMS init DB
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers