diff --git a/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2 b/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2 index a3c3a5509..fcf27ebf0 100644 --- a/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2 +++ b/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2 @@ -22,6 +22,12 @@ server { proxy_http_version 1.1; proxy_buffering off; client_max_body_size 512M; + + {% if domain.auth_basic_user != '' %} + # HTTP basic authentication + auth_basic "Authorized users only"; + auth_basic_user_file /etc/nginx/passwords/{{ domain.name }}; + {% endif %} } location ^~ /.well-known/acme-challenge/ { diff --git a/deployment/ansible/env-example/vars.yml b/deployment/ansible/env-example/vars.yml index 7e84f118f..72a8f71c5 100644 --- a/deployment/ansible/env-example/vars.yml +++ b/deployment/ansible/env-example/vars.yml 
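Review bot: The `auth_basic` and `auth_basic_user_file` directives sit inside the block that closes on the line right after `{% endif %}`, so they protect only that block. The block opens outside the hunk, so this is inferred, but any other `location` in the server would be served without credentials. If the intent is to gate the whole admin vhost, declare both directives at `server` level and add `auth_basic off;` to the `/.well-known/acme-challenge/` location so certificate issuance keeps working. The template tests `domain.auth_basic_user != ''` while the task in configure_domain.yml tests `is defined and ... != ""`; using one expression in both places keeps them from disagreeing about whether a password file exists.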
@@ -8,19 +8,21 @@ app_footer: © Ikatan Alumni TOKI nginx_domain_judgels_client: judgels.com nginx_domain_judgels_server_api: api.judgels.com nginx_domain_judgels_server_admin: admin.judgels.com +# nginx_domain_judgels_server_admin_auth_basic_user: user # <-- CHANGE THIS !!! +# nginx_domain_judgels_server_admin_auth_basic_pass: pass # <-- CHANGE THIS !!! nginx_certbot_email: admin@judgels.com # java_opts_judgels_server: -Xmx1g # java_opts_judgels_grader: -Xmx1g -db_root_password: pass # <-------------------------- CHANGE THIS !!! +db_root_password: pass # <------------------------------------- CHANGE THIS !!! db_username: judgels -db_password: pass # <------------------------------- CHANGE THIS !!! +db_password: pass # <------------------------------------------ CHANGE THIS !!! rabbitmq_username: judgels -rabbitmq_password: pass # <------------------------- CHANGE THIS !!! +rabbitmq_password: pass # <------------------------------------ CHANGE THIS !!! -jophiel_superadmin_initialPassword: superadmin # <-- CHANGE THIS !!! +jophiel_superadmin_initialPassword: superadmin # <------------- CHANGE THIS !!! jophiel_session_maxConcurrentSessionsPerUser: -1 jophiel_session_disableLogout: false diff --git a/deployment/ansible/playbooks/deploy.yml b/deployment/ansible/playbooks/deploy.yml index ab2ab0a87..c7fb5c064 100644 --- a/deployment/ansible/playbooks/deploy.yml +++ b/deployment/ansible/playbooks/deploy.yml @@ -16,6 +16,8 @@ - name: judgels-server-admin fqdn: "{{ nginx_domain_judgels_server_admin }}" config_template: "{{ playbook_dir }}/../conf/nginx-judgels-server-admin.conf.j2" + auth_basic_user: "{{ nginx_domain_judgels_server_admin_auth_basic_user | default('') }}" + auth_basic_pass: "{{ nginx_domain_judgels_server_admin_auth_basic_pass | default('') }}" - name: judgels-client fqdn: "{{ nginx_domain_judgels_client }}" config_template: "{{ playbook_dir }}/../conf/nginx-judgels-client.conf.j2" 
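Review bot: The two new `nginx_domain_judgels_server_admin_auth_basic_*` keys are commented out with no explanation that this leaves the admin domain without basic auth, or that both must be set together. A comment above them would cover it, for example `# Optional: uncomment BOTH lines to require HTTP basic auth on the admin domain`. Since this file is the template for a real vars file that holds several passwords in plain text, a second comment recommending `ansible-vault` for the real copy would also help.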
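Review bot: `auth_basic_pass` becomes a field of the per-domain mapping, and the list it belongs to starts outside this hunk. If that list is iterated with `loop` or `with_items`, Ansible prints each item in normal task output, and the password would be printed with it. Setting `loop_control: label: "{{ domain.name }}"` on that loop keeps the value out of console and CI logs. `default('')` on the password also lets a configuration with a user but no password pass through silently, so that case should be rejected where the credentials are consumed.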
diff --git a/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml b/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml index 65c475302..5a53391f8 100644 --- a/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml +++ b/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml @@ -12,7 +12,7 @@ mode: 0644 when: not letsencrypt_certificate.stat.exists notify: Reload nginx - + - name: Enable nginx letsencrypt domain config file: src: /etc/nginx/sites-available/{{ domain.name | mandatory }} @@ -41,6 +41,21 @@ when: not letsencrypt_certificate.stat.exists notify: Reload nginx +- name: Set up basic auth + when: domain.auth_basic_user is defined and domain.auth_basic_user != "" + block: + - name: Install passlib + package: + name: python3-passlib + state: present + + - name: Generate basic auth + htpasswd: + path: /etc/nginx/passwords/{{ domain.name | mandatory }} + name: "{{ domain.auth_basic_user }}" + password: "{{ domain.auth_basic_pass }}" + notify: Reload nginx + - name: Add nginx domain config template: src: "{{ domain.config_template | mandatory }}"
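Review bot: The `when:` guard on "Set up basic auth" checks only `domain.auth_basic_user`, so a deployment that sets the user but not the password reaches `htpasswd` with the empty string that deploy.yml supplies via `default('')`. The block should fail early when the password is empty. The `htpasswd` task also sets no `owner`, `group` or `mode`, so the permissions on the hash file depend on module defaults rather than being restricted to root and the nginx worker. Separately, `htpasswd` only adds or updates the named entry, so changing `auth_basic_user` later leaves the previous user's entry valid in `/etc/nginx/passwords/<domain>`. A cleanup step or a comment noting this would help.

```yaml
- name: Set up basic auth
  when: domain.auth_basic_user is defined and domain.auth_basic_user != ""
  block:
    - name: Require a basic auth password
      assert:
        that:
          - domain.auth_basic_pass | default('') | length > 0
        fail_msg: "auth_basic_pass must be set when auth_basic_user is set"

    # … unchanged: Install passlib …

    - name: Generate basic auth
      htpasswd:
        # … unchanged: path, name, password …
        owner: root
        group: www-data  # assumed nginx worker group; adjust for the target distro
        mode: "0640"
```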