Split for WF setups

Author: vmcj

provision-contest/ansible/domserver.yml

@@ -13,7 +13,7 @@
           - python3-netaddr
 
 - name: Setup domserver
-  hosts: domserver
+  hosts: domserver,online-domserver
   vars:
     host_type: domserver
   become: true

provision-contest/ansible/group_vars/all/.gitignore provision-contest/ansible/group_vars/online/.gitignore

@@ -0,0 +1,2 @@
+/secret.yml
+/all.yml

provision-contest/ansible/group_vars/all/all.yml.example provision-contest/ansible/group_vars/online/all.yml.example

@@ -0,0 +1,99 @@
+# Directory of the domjudge repository checkout.
+DJ_DIR: /opt/domjudge
+
+# Branch to checkout and use.
+DJ_BRANCH: main
+
+# Whether to force-pull changes to the checkout, overwriting any local changes.
+DJ_FORCE_UPDATE: true
+
+# Server VLAN IP prefix.
+SERVER_IP_PREFIX: 10.3.3
+
+# IP address of the git server.
+LOCAL_GIT_IP: "{{SERVER_IP_PREFIX}}.207"
+
+# URL and IP of domserver from judgehosts. A hostname 'domserver' with
+# DOMSERVER_IP will be added to the judgehost /etc/hosts file.
+DOMSERVER: https://domjudge
+DOMSERVER_IP: "{{SERVER_IP_PREFIX}}.215"
+DOMSERVER_URL: "{{DOMSERVER}}"
+DOMSERVER_SSL_CERT: /etc/ssl/certs/domserver.crt
+DOMSERVER_SSL_KEY: /etc/ssl/private/domserver.key
+
+# Set this to true when you are using the ICPC World Finals Contest Image
+ICPC_IMAGE: false
+
+# Set this to true when you are using a graphical desktop
+GRAPHICAL: false
+
+# Set this to true when you use an (ICPC) AWS machine
+AWS: true
+
+# Set this when on the blue network at the World Finals where no
+# internet access is available and "packages" must be used as APT repo
+# server.
+WF_RESTRICTED_NETWORK: false
+WF_GREEN: false
+
+# Static IP address configuration. Uses the ansible_host variable as the static
+# IP address. Only configured if STATIC_IP_ENABLED is true.
+STATIC_IP_ENABLED: false
+STATIC_IP_NETMASK: 255.255.252.0
+STATIC_IP_GATEWAY: 172.29.0.1
+STATIC_IP_INTERFACE: enp1s0
+
+# Additional entries for the /etc/hosts file.
+HOSTS:
+    cds:             10.3.3.207
+    packages:        10.3.3.209
+    ntp1:            10.3.3.208
+    ntp2:            10.3.3.209
+    nisprint:        10.3.3.211
+    nismaster:       10.3.3.211
+    printsrv:        10.3.3.211
+    domjudge-laptop: 10.3.3.200
+    pc2:             10.3.3.241
+
+TIMEZONE: "Europe/Amsterdam"
+
+PHP_FPM_MAX_CHILDREN: 400
+PHP_FPM_MAX_REQUESTS: 500
+PHP_MEMORY_LIMIT: 1024M
+PHP_UPLOAD_MAX_FILESIZE: 512M
+PHP_POST_MAX_SIZE: 512M
+PHP_MAX_FILE_UPLOADS: 101
+
+# Git repo URL
+DJ_GIT_HOST: "{{LOCAL_GIT_IP}}"
+DJ_GIT_REPO: "https://github.com/domjudge/domjudge.git"
+DJ_GIT_REPO_RESTRICTED: "domjudge@{{DJ_GIT_HOST}}:domjudge"
+DJ_GIT_REPO_SCRIPTS: "https://github.com/domjudge/domjudge-scripts.git"
+DJ_GIT_REPO_SCRIPTS_RESTRICTED: "domjudge@{{DJ_GIT_HOST}}:domjudge-scripts-bare"
+CONTEST_REPO: "wf2021"
+
+PHPSTORM_VERSION: 2022.2
+PHPSTORM_FULL_VERSION: 222.4345.15
+
+GRAFANA_MONITORING: false
+
+# Hostname of the CDS. If set, will add an nginx in front of the CDS
+# If not set, will only expose CDS directly
+CDS_HOSTNAME: cds
+CDS_PORT: 80
+CDS_PORT_SECURE: 443
+
+#  CDS SSL cert and key. Only needed when CDS_HOSTNAME is set
+CDS_SSL_CERT: /etc/ssl/certs/cds.crt
+CDS_SSL_KEY: /etc/ssl/private/cds.key
+
+# Hostname of the static scoreboard
+STATIC_SCOREBOARD_HOSTNAME: scoreboard
+
+STATIC_SCOREBOARD_SSL_CERT: /etc/ssl/certs/scoreboard.crt
+STATIC_SCOREBOARD_SSL_KEY: /etc/ssl/private/scoreboard.key
+
+# Block access to the CDS for IPs other than these
+#CDS_IP_FILTER:
+#  - 127.0.0.1-127.0.0.1
+#  - 192.168.0.0-192.168.255.255

provision-contest/ansible/group_vars/all/secret.yml.example provision-contest/ansible/group_vars/online/secret.yml.example

@@ -0,0 +1,71 @@
+# Templated passwords as `{some-strong-password}` are written to make sure our
+# script detects those, if you manually change those the `{}` are not required and
+# would become part of the password.
+# Adding `strong` in the template will create longer passwords and is used for the
+# passwords which almost never need to be manually typed.
+
+# Password for the MySQL replication user.
+# Set this to enable master-master replication between two domservers.
+#REPLICATION_PASSWORD: {some-strong-replication-password}
+
+# Database user password.
+DB_PASSWORD: {some-strong-database-password}
+
+# Credentials for the judgehost.
+JUDGEHOST_USER: judgehost
+JUDGEHOST_PASSWORD: {some-strong-judgehost-password}
+
+# Username and password to be used in .netrc files on admin machines
+ADMIN_USER: admin
+ADMIN_PASSWORD: {some-admin-password}
+
+# Password for domjudge shell user
+# Set this to enable a password on the 'domjudge' shell accounts
+# created on the domserver and judgehosts.
+#DJ_SHELL_USER_PW: {some-hashed-password}
+
+# Accounts to create when setting up the CDS
+CDS_ACCOUNTS:
+    - username: admin
+      password: {some-adm1n-password}
+      type: admin
+    - username: presAdmin
+      password: {some-presentation-adm1n-password}
+      type: admin
+    - username: presentation
+      password: {some-public-presentation-password}
+      type: public
+    #- username: blue
+    #  password: blu3
+    #  type: staff
+    #- username: balloon
+    #  password: balloonPr1nter
+    #  type: balloon
+    #- username: public
+    #  password: publ1c
+    #  type: public
+    #- username: myicpc
+    #  password: my1cpc
+    #  type: spectator
+    #- username: live
+    #  password: l1ve
+    #  type: analyst
+    #- username: team1
+    #  password: t3am
+    #  type: team
+    #  team_id: 1
+
+# Contest(s) to configure in the CDS
+CDS_CONTESTS:
+  - path: nwerc18 # Path in the contest directory
+    ccs:
+      id: nwerc18 # ID of the contest if hosted at DOMJUDGE_URL
+      # Or provide a absolute URL
+      # url: https://www.domjudge.org/demoweb/api/contests/nwerc18
+      username: admin
+      password: admin
+
+PRESCLIENT_CONTEST: nwerc18
+
+# Sentry DSN URL
+# SENTRY_DSN:

provision-contest/ansible/group_vars/onprem/.gitignore

@@ -5,6 +5,22 @@ ansible_python_interpreter=/usr/bin/python3
 # When moving clients for ad-hoc actions:
 # move them to their own group to keep hosts files on deployed machines in sync.
 
+[onprem:children]
+domserver
+judgehost
+cds
+grafana
+admin
+presclient
+presadmin
+scoreboard
+mgmt
+autoanalyst
+
+[online:children]
+online-domserver
+online-judgehost
+
 [domserver]
 domjudge-primary     ansible_host=10.3.3.216 KEEPALIVED_PRIORITY=100 EFI_ORDER='0\,1\,3\,4'
 domjudge-backup      ansible_host=10.3.3.217 KEEPALIVED_PRIORITY=99 EFI_ORDER='0\,1\,3\,4'
@@ -63,3 +79,9 @@ domjudge-scoreboard ansible_host=10.2.2.229
 domjudge-mgmg ansible_host=10.3.3.223
 
 [autoanalyst]
+
+[online-domserver]
+online-domserver       ansible_host=192.168.255.255
+
+[online-judgehost]
+online-judgehost1      ansible_host=192.168.255.255

provision-contest/ansible/group_vars/onprem/all.yml.example

@@ -2,7 +2,7 @@
 # This playbook installs the DOMjudge judgehosts
 
 - name: Setup judgehost
-  hosts: judgehost
+  hosts: judgehost,online-judgehost
   strategy: free
   vars:
     host_type: judgehost

provision-contest/ansible/group_vars/onprem/secret.yml.example

@@ -154,3 +154,77 @@ scrape_configs:
 {% for host in groups["domserver"] %}
         - {{ hostvars[host].ansible_host }}:9253
 {% endfor %}
+  - job_name: 'online-db'
+    basic_auth:
+      username: "prometheus"
+      password: "{{ PROMETHEUS_PASS }}"
+    tls_config:
+      insecure_skip_verify: true
+    scheme: https
+    static_configs:
+      - targets:
+{% for host in groups["online-domserver"] %}
+        - {{ hostvars[host].ansible_host }}:9104
+{% endfor %}
+  - job_name: node_domserver_online
+    basic_auth:
+      username: "prometheus"
+      password: "{{ PROMETHEUS_PASS }}"
+    tls_config:
+      insecure_skip_verify: true
+    scheme: https
+    static_configs:
+      - targets:
+{% for host in groups["online-domserver"] %}
+        - {{ hostvars[host].ansible_host }}:9100
+{% endfor %}
+  - job_name: online-domjudge
+    basic_auth:
+      username: admin
+      password: {{ ADMIN_PASSWORD }}
+    metrics_path: /api/v4/metrics/prometheus
+    scheme: https
+    tls_config:
+      insecure_skip_verify: true
+    static_configs:
+      - targets:
+{% for host in groups["online-domserver"] %}
+        - {{ hostvars[host].ansible_host }}
+{% endfor %}
+  - job_name: 'web_nginx_domserver_online'
+    basic_auth:
+      username: "prometheus"
+      password: "{{ PROMETHEUS_PASS }}"
+    tls_config:
+      insecure_skip_verify: true
+    scheme: https
+    static_configs:
+      - targets:
+{% for host in groups["online-domserver"] %}
+        - {{ hostvars[host].ansible_host }}:9113
+{% endfor %}
+  - job_name: 'web_fpm_domserver_online'
+    basic_auth:
+      username: "prometheus"
+      password: "{{ PROMETHEUS_PASS }}"
+    tls_config:
+      insecure_skip_verify: true
+    scheme: https
+    static_configs:
+      - targets:
+{% for host in groups["online-domserver"] %}
+        - {{ hostvars[host].ansible_host }}:9253
+{% endfor %}
+  - job_name: node_judgehost_online
+    basic_auth:
+      username: "prometheus"
+      password: "{{ PROMETHEUS_PASS }}"
+    tls_config:
+      insecure_skip_verify: true
+    scheme: https
+    static_configs:
+      - targets:
+{% for host in groups["online-judgehost"] %}
+        - {{ hostvars[host].ansible_host }}:9100
+{% endfor %}
+