From 4a625bf3eb5ddbd151aa9042e9e6cce6cef3f65d Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 13 Oct 2016 20:10:29 +0200 Subject: [PATCH] Add frontend playbook --- playbooks/playbook.yml | 1 + playbooks/roles/fic-frontend/files/ficpasswd | 1 + playbooks/roles/fic-frontend/files/frontend | 1 + .../roles/fic-frontend/files/frontend.service | 12 ++ .../files/nginx-frontend-htpasswd.conf | 179 ++++++++++++++++++ .../files/nginx-frontend-pam.conf | 179 ++++++++++++++++++ playbooks/roles/fic-frontend/files/static | 1 + .../roles/fic-frontend/handlers/main.yml | 3 + playbooks/roles/fic-frontend/tasks/main.yml | 70 +++++++ 9 files changed, 447 insertions(+) create mode 100644 playbooks/roles/fic-frontend/files/ficpasswd create mode 120000 playbooks/roles/fic-frontend/files/frontend create mode 100644 playbooks/roles/fic-frontend/files/frontend.service create mode 100644 playbooks/roles/fic-frontend/files/nginx-frontend-htpasswd.conf create mode 100644 playbooks/roles/fic-frontend/files/nginx-frontend-pam.conf create mode 120000 playbooks/roles/fic-frontend/files/static create mode 100644 playbooks/roles/fic-frontend/handlers/main.yml create mode 100644 playbooks/roles/fic-frontend/tasks/main.yml
diff --git a/playbooks/playbook.yml b/playbooks/playbook.yml
index 588559fc..e7d4018f 100644
--- a/playbooks/playbook.yml
+++ b/playbooks/playbook.yml
@@ -4,3 +4,4 @@ hosts: all roles: - nrpe + - fic-frontend
diff --git a/playbooks/roles/fic-frontend/files/ficpasswd b/playbooks/roles/fic-frontend/files/ficpasswd
new file mode 100644
index 00000000..b260bcdd
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/ficpasswd
@@ -0,0 +1 @@
+nemunaire:$apr1$GCAyuMBH$BGenYoXt1ZX7x7bt6bPa0.
diff --git a/playbooks/roles/fic-frontend/files/frontend b/playbooks/roles/fic-frontend/files/frontend
new file mode 120000
index 00000000..49817779
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/frontend
@@ -0,0 +1 @@
+../../../../frontend/frontend
\ No newline at end of file
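Review bot: The `ficpasswd` hunk commits a live credential hash (`nemunaire:$apr1$…`) to the repository, so anyone with read access to the repo can attack it offline, and the value stays in history even after a later removal. Keep the htpasswd content out of version control — generate it at deploy time or hold it in an encrypted Ansible vault and template it onto the host — and treat the committed entry as exposed by rotating it. `$apr1$` is the MD5-based htpasswd scheme; when regenerating, prefer a stronger crypt format if the host's libcrypt supports one.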
diff --git a/playbooks/roles/fic-frontend/files/frontend.service b/playbooks/roles/fic-frontend/files/frontend.service
new file mode 100644
index 00000000..abaa5bdd
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/frontend.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=FIC Frontend service
+After=nginx.service
+
+[Service]
+User=fic
+Group=nogroup
+WorkingDirectory=/home/fic
+ExecStart=/home/fic/frontend -teams ./TEAMS -submission ./submissions -start 1477954800 -duration 2065h
+
+[Install]
+WantedBy=multi-user.target
diff --git a/playbooks/roles/fic-frontend/files/nginx-frontend-htpasswd.conf b/playbooks/roles/fic-frontend/files/nginx-frontend-htpasswd.conf
new file mode 100644
index 00000000..5f59543c
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/nginx-frontend-htpasswd.conf
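Review bot: The `[Service]` section of `frontend.service` runs the daemon as an unprivileged user but carries none of the usual confinement or restart directives, and it bakes the event schedule (`-start 1477954800 -duration 2065h`) into the unit. Add `Restart=on-failure`, `NoNewPrivileges=yes` and `PrivateTmp=yes` under `[Service]` so a crash is recovered and the process cannot regain privileges; the schedule would be better supplied through an `EnvironmentFile=` or a templated unit so each event does not require a repository change. The relative `./TEAMS` and `./submissions` arguments only resolve because of `WorkingDirectory=/home/fic`; a one-line comment above `ExecStart=` saying so would spare the next editor a surprise.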
@@ -0,0 +1,179 @@
+server_tokens off;
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+proxy_connect_timeout 1s;
+
+server {
+ listen 80 default;
+ listen [::]:80 default;
+
+ root /home/fic/frontend-htdocs/;
+
+ error_page 401 /welcome.html;
+ error_page 403 404 /e404.html;
+ error_page 413 404 /e413.html;
+ error_page 500 502 504 /e500.html;
+
+ location = / {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+ }
+ location = /index.html {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+ }
+
+ location ~ ^/[0-9] {
+ rewrite ^/.*$ /index.html;
+ }
+ location /edit {
+ rewrite ^/.*$ /index.html;
+ }
+
+ location /rank {
+ rewrite ^/.*$ /index.html;
+ }
+
+ location /files/ {
+ alias /home/fic/FILES/;
+ tcp_nodelay on;
+ }
+
+ location /wait.json {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ include /etc/nginx/auth.conf;
+
+ root /home/fic/TEAMS/$team/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /public.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /stats.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /my.json {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ include /etc/nginx/auth.conf;
+
+ root /home/fic/TEAMS/$team/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+
+ if (!-f $document_root/../started) {
+ rewrite ^/ /wait.json;
+ }
+ }
+ location /teams.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /themes.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+
+ location /api/ {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ if ($remote_user !~ "^nemunaire|bombal_s$") {
+ return 403;
+ }
+
+ proxy_pass http://localhost:8081/admin/api/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /admin/ {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ if ($remote_user !~ "^nemunaire|bombal_s$") {
+ return 403;
+ }
+
+ proxy_pass http://localhost:8081;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /submit/ {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/submit/(.*)$ /submission/$team/$1 break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /submit/name {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/submit/.*$ /chname/$team break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /openhint/ {
+ auth_basic "Secure Zone";
+ auth_basic_user_file ficpasswd;
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/openhint/(.*)$ /openhint/$team/$1 break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location = /time.json {
+ proxy_pass http://localhost:8080/time.json;
+ proxy_method GET;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ proxy_cache STATIC;
+ proxy_cache_valid 1s;
+ }
+
+ location = /events.json {
+ proxy_pass http://localhost:8081/api/events;
+ proxy_method GET;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ proxy_cache STATIC;
+ proxy_cache_valid 3s;
+ }
+}
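Review bot: The admin gate `if ($remote_user !~ "^nemunaire|bombal_s$")` in the `/api/` and `/admin/` locations has an alternation-precedence bug: the pattern reads as `^nemunaire` OR `bombal_s$`, so any authenticated user whose name merely starts with `nemunaire` or ends with `bombal_s` reaches the admin backend. Group the alternatives, `if ($remote_user !~ "^(nemunaire|bombal_s)$") {`, in both locations; the identical lines in `nginx-frontend-pam.conf` need the same fix, and there it matters more because PAM authenticates whatever system accounts exist rather than the single entry in `ficpasswd`. Separately, the server listens only on port 80 and protects every sensitive location with `auth_basic`, so team and admin credentials cross the wire base64-encoded in the clear unless something terminates TLS in front of this host — a header comment stating that assumption would be worthwhile. The per-team paths (`root /home/fic/TEAMS/$team/;` and the `/submit/` and `/openhint/` rewrites) depend on `$team` being set by the included `/etc/nginx/auth.conf`, which is not part of this commit; a comment saying where `$team` comes from and that it must derive from `$remote_user` rather than anything client-supplied would make that contract visible to whoever edits either file.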
diff --git a/playbooks/roles/fic-frontend/files/nginx-frontend-pam.conf b/playbooks/roles/fic-frontend/files/nginx-frontend-pam.conf
new file mode 100644
index 00000000..8c716487
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/nginx-frontend-pam.conf
@@ -0,0 +1,179 @@
+server_tokens off;
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+proxy_connect_timeout 1s;
+
+server {
+ listen 80 default;
+ listen [::]:80 default;
+
+ root /home/fic/frontend-htdocs/;
+
+ error_page 401 /welcome.html;
+ error_page 403 404 /e404.html;
+ error_page 413 404 /e413.html;
+ error_page 500 502 504 /e500.html;
+
+ location = / {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+ }
+ location = /index.html {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+ }
+
+ location ~ ^/[0-9] {
+ rewrite ^/.*$ /index.html;
+ }
+ location /edit {
+ rewrite ^/.*$ /index.html;
+ }
+
+ location /rank {
+ rewrite ^/.*$ /index.html;
+ }
+
+ location /files/ {
+ alias /home/fic/FILES/;
+ tcp_nodelay on;
+ }
+
+ location /wait.json {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ include /etc/nginx/auth.conf;
+
+ root /home/fic/TEAMS/$team/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /public.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /stats.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /my.json {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ include /etc/nginx/auth.conf;
+
+ root /home/fic/TEAMS/$team/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+
+ if (!-f $document_root/../started) {
+ rewrite ^/ /wait.json;
+ }
+ }
+ location /teams.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+ location /themes.json {
+ root /home/fic/TEAMS/;
+ expires epoch;
+ add_header Cache-Control no-cache;
+ }
+
+ location /api/ {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ if ($remote_user !~ "^nemunaire|bombal_s$") {
+ return 403;
+ }
+
+ proxy_pass http://localhost:8081/admin/api/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /admin/ {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ if ($remote_user !~ "^nemunaire|bombal_s$") {
+ return 403;
+ }
+
+ proxy_pass http://localhost:8081;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /submit/ {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/submit/(.*)$ /submission/$team/$1 break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /submit/name {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/submit/.*$ /chname/$team break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location /openhint/ {
+ auth_pam "Secure Zone";
+ auth_pam_service_name "nginx-srs";
+
+ include /etc/nginx/auth.conf;
+
+ rewrite ^/openhint/(.*)$ /openhint/$team/$1 break;
+
+ proxy_pass http://localhost:8080/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ }
+
+ location = /time.json {
+ proxy_pass http://localhost:8080/time.json;
+ proxy_method GET;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ proxy_cache STATIC;
+ proxy_cache_valid 1s;
+ }
+
+ location = /events.json {
+ proxy_pass http://localhost:8081/api/events;
+ proxy_method GET;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host localhost;
+ proxy_redirect off;
+ proxy_cache STATIC;
+ proxy_cache_valid 3s;
+ }
+}
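Review bot: `nginx-frontend-pam.conf` is committed but never deployed — `tasks/main.yml` copies `nginx-frontend-htpasswd.conf` and leaves the PAM variant commented out — and it names a PAM service `nginx-srs` that nothing in this role provisions, so the file cannot work as checked in. A short header comment stating that it is the drop-in alternative to the htpasswd configuration, that the host must provide `/etc/pam.d/nginx-srs`, and that `auth_pam` needs the module from the `nginx-extras` package the tasks already install would tell the next maintainer what switching requires. The file also repeats every directive of the htpasswd configuration verbatim, including the `^nemunaire|bombal_s$` admin gate; keeping two 179-line copies in sync by hand is fragile, so consider moving the shared body into an included snippet and leaving only the `auth_*` lines to differ.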
diff --git a/playbooks/roles/fic-frontend/files/static b/playbooks/roles/fic-frontend/files/static
new file mode 120000
index 00000000..172902df
--- /dev/null
+++ b/playbooks/roles/fic-frontend/files/static
@@ -0,0 +1 @@
+../../../../frontend/static/
\ No newline at end of file
diff --git a/playbooks/roles/fic-frontend/handlers/main.yml b/playbooks/roles/fic-frontend/handlers/main.yml
new file mode 100644
index 00000000..92971d2c
--- /dev/null
+++ b/playbooks/roles/fic-frontend/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nginx
+ service: name=nginx state=restarted
diff --git a/playbooks/roles/fic-frontend/tasks/main.yml b/playbooks/roles/fic-frontend/tasks/main.yml
new file mode 100644
index 00000000..35b537cd
--- /dev/null
+++ b/playbooks/roles/fic-frontend/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+- name: install nginx
+ apt: name=nginx-extras
+
+- name: create fic user
+ user:
+ name=fic
+ home=/home/fic
+ group=nogroup
+
+- name: remove default configuration
+ file:
+ path=/etc/nginx/sites-enabled/default
+ state=absent
+ notify: restart nginx
+
+- name: copy htdocs
+ copy:
+ src=static/
+ dest=/home/fic/frontend-htdocs
+
+- name: copy frontend binary
+ copy:
+ src=frontend
+ mode=755
+ dest=/home/fic/frontend
+
+- name: copy htpasswd
+ copy:
+ src=ficpasswd
+ dest=/etc/nginx/ficpasswd
+ notify: restart nginx
+
+#- name: copy frontend configuration
+# copy:
+# src=nginx-frontend-pam.conf
+# dest=/etc/nginx/sites-available/frontend
+# notify: restart nginx
+- name: copy frontend configuration
+ copy:
+ src=nginx-frontend-htpasswd.conf
+ dest=/etc/nginx/sites-available/frontend
+ notify: restart nginx
+
+- name: activate frontend configuration
+ file:
+ src=/etc/nginx/sites-available/frontend
+ path=/etc/nginx/sites-enabled/frontend
+ state=link
+ notify: restart nginx
+
+- name: enable and start nginx
+ service:
+ name=nginx
+ enabled=yes
+ state=started
+
+- name: add frontend service
+ copy:
+ src=frontend.service
+ dest=/lib/systemd/system/fic-frontend.service
+
+- name: reload systemd
+ command: systemctl daemon-reload
+
+- name: enable and start fic-frontend
+ service:
+ name=fic-frontend
+ enabled=yes
+ state=started
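Review bot: The `copy frontend binary` task installs the executable at `/home/fic/frontend` with no `owner=`/`group=`, inside the home directory that `create fic user` hands to the very account `frontend.service` runs as, so the service user can replace the binary it executes (write permission on `/home/fic` allows unlinking whatever the file's owner is). Add `owner=root group=root` to that task, and preferably install the binary outside the service account's writable tree, updating `ExecStart=` in `frontend.service` to match. The `copy htpasswd` task likewise sets no mode, so `/etc/nginx/ficpasswd` is created under the default umask; give it `mode=0640 owner=root group=www-data` (the nginx worker group on the Debian-family hosts `apt: name=nginx-extras` implies) and drop its `notify: restart nginx`, since `auth_basic` reads the user file per request and no restart is needed. The `reload systemd` task runs `systemctl daemon-reload` unconditionally and reports changed on every run; making it a handler notified by `add frontend service` keeps the role idempotent.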