diff --git a/README.md b/README.md
index aab45f4..d2facfb 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,10 @@
 # Ansible / domjudge
+
+## Usage
+
+1. Fill in the vars in `group_vars`.
+2. Fill in `domserver` and `judgehost` machine ips in `hosts` file.
+3. Run `ansible-playbook playbooks/domserver`.
+4. Run `ansible-playbook playbooks/judgehost`.
+5. Put web cert and key to `/etc/haproxy/cert.pem` on domserver.
+6. Check if judgehost been registered.
diff --git a/playbooks/domserver.yml b/playbooks/domserver.yml
index 3a1ce04..84a162d 100644
--- a/playbooks/domserver.yml
+++ b/playbooks/domserver.yml
@@ -4,3 +4,4 @@
 roles:
 - role: install_packages
 - role: configure_domserver
+ - role: configure_haproxy
diff --git a/roles/configure_haproxy/files/haproxy.cfg b/roles/configure_haproxy/files/haproxy.cfg
new file mode 100644
index 0000000..3925411
--- /dev/null
+++ b/roles/configure_haproxy/files/haproxy.cfg
@@ -0,0 +1,52 @@
+global
+ default-path config
+ #zero-warning
+ maxconn 20000
+ log 127.0.0.1 local0
+ user haproxy
+ #pidfile /run/haproxy.pid
+ hard-stop-after 5m
+ daemon
+ user haproxy
+ group haproxy
+
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# default settings common to all HTTP proxies below
+defaults
+ mode http
+ log global
+ timeout client 1m
+ timeout server 1m
+ timeout connect 10s
+ timeout http-keep-alive 2m
+ timeout queue 15s
+ timeout tunnel 4h # for websocket
+
+frontend external
+ bind :443 name secure ssl crt /etc/haproxy/cert.pem
+
+.if feature(QUIC)
+ bind quic4@:443 name quic ssl crt /etc/haproxy/cert.pem
+ http-response add-header alt-svc 'h3=":443"; ma=90000'
+.endif
+
+ http-request redirect scheme https code 308 unless { ssl_fc }
+ http-request del-header x-forwarded-for
+ option forwardfor
+ option httplog
+
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+
+ # enable HTTP compression of text contents
+ compression algo deflate gzip
+ compression type text/ application/javascript application/xhtml+xml image/x-icon
+
+ default_backend domserver
+
+backend domserver
+ balance leastconn
+ option abortonclose
+ server gitea1 127.0.0.1:8080 maxconn 100 check inter 1s
diff --git a/roles/configure_haproxy/handlers/main.yml b/roles/configure_haproxy/handlers/main.yml
new file mode 100644
index 0000000..bb957cc
--- /dev/null
+++ b/roles/configure_haproxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart haproxy
+ ansible.builtin.systemd_service:
+ name: haproxy.service
+ state: restarted
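Review bot: The `global` section sets `user haproxy` twice (once before `hard-stop-after`, again right after `daemon`); the second copy is redundant and should be dropped so the privilege drop is stated once. The backend server is named `gitea1` although it fronts the DOMjudge web server on 127.0.0.1:8080, which reads as a leftover from another deployment; `server domserver1 127.0.0.1:8080 maxconn 100 check inter 1s` would make stats output and logs self-explanatory. Since the frontend already redirects plain HTTP to HTTPS, consider also emitting HSTS on TLS responses, `http-response set-header Strict-Transport-Security "max-age=63072000" if { ssl_fc }`. The `log 127.0.0.1 local0` target presumes a syslog listener on the loopback UDP port, which nothing in this role configures — presumably the base host provides it, but if not, access logs are silently dropped.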
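Review bot: `Restart haproxy` performs a full restart, which drops every in-flight connection on the domserver (judgehost API traffic included) each time the config changes; `state: reloaded` lets HAProxy do its seamless reload, and the `hard-stop-after 5m` already set in haproxy.cfg bounds the old worker's lifetime. This presumes the distribution's `haproxy.service` unit defines an ExecReload, as the upstream unit does — worth confirming on the target host before switching.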
diff --git a/roles/configure_haproxy/tasks/main.yml b/roles/configure_haproxy/tasks/main.yml
new file mode 100644
index 0000000..0121bcf
--- /dev/null
+++ b/roles/configure_haproxy/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Update package cache
+ community.general.pacman:
+ update_cache: true
+- name: Install haproxy
+ community.general.pacman:
+ pkg:
+ - haproxy
+ notify: Upgrade packages
+
+- name: Install haproxy.cfg
+ ansible.builtin.copy:
+ src: haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ mode: '0644'
+ owner: haproxy
+ group: haproxy
+ notify: Restart haproxy
+- name: Prompt for manually install cert
+ ansible.builtin.pause:
+ prompt: "Make sure the cert and key pair are store in /etc/haproxy/cert.pem"
+
+- name: Enable and start haproxy
+ ansible.builtin.systemd_service:
+ name: haproxy.service
+ state: started
+ enabled: true
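Review bot: The `Install haproxy` task notifies `Upgrade packages`, but this role's handlers file defines only `Restart haproxy`; unless another role in the play defines a handler of that name, the first run (when pacman reports changed) aborts at handler flush with a missing-handler error, and the name suggests it should be `notify: Restart haproxy` or be dropped. The `ansible.builtin.pause` prompt verifies nothing: in an unattended run it either blocks or is passed straight through, and if `/etc/haproxy/cert.pem` is absent the following `Enable and start haproxy` task fails because the `bind :443 ... ssl crt` line cannot load the bundle. Replacing the prompt with a stat plus assert fails fast with a clear message, as below. The `Update package cache` task may also report changed on every run, so the play never converges to a clean summary; `changed_when: false` on it, or folding `update_cache` into the install task, keeps the report meaningful.
```yaml
- name: Check that the TLS cert/key bundle is present
  ansible.builtin.stat:
    path: /etc/haproxy/cert.pem
  register: haproxy_cert

- name: Fail early when the cert bundle is missing
  ansible.builtin.assert:
    that: haproxy_cert.stat.exists
    fail_msg: "Put the cert and key pair in /etc/haproxy/cert.pem before running this role"

# … unchanged: Enable and start haproxy …
```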