feat(ansible): optionally set basic auth on admin (#643)

ia-toki · Aug 13, 2024 · eb48a8f · eb48a8f
1 parent 68fa199
commit eb48a8f
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 5 deletions.
diff --git a/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2 b/deployment/ansible/conf/nginx-judgels-server-admin.conf.j2
@@ -22,6 +22,12 @@ server {
         proxy_http_version 1.1;
         proxy_buffering off;
         client_max_body_size 512M;
+
+        {% if domain.auth_basic_user != '' %}
+        # HTTP basic authentication
+        auth_basic "Authorized users only";
+        auth_basic_user_file /etc/nginx/passwords/{{ domain.name }};
+        {% endif %}
     }
 
     location ^~ /.well-known/acme-challenge/ {

diff --git a/deployment/ansible/env-example/vars.yml b/deployment/ansible/env-example/vars.yml
@@ -8,19 +8,21 @@ app_footer: © Ikatan Alumni TOKI
 nginx_domain_judgels_client: judgels.com
 nginx_domain_judgels_server_api: api.judgels.com
 nginx_domain_judgels_server_admin: admin.judgels.com
+# nginx_domain_judgels_server_admin_auth_basic_user: user # <-- CHANGE THIS !!!
+# nginx_domain_judgels_server_admin_auth_basic_pass: pass # <-- CHANGE THIS !!!
 nginx_certbot_email: admin@judgels.com
 
 # java_opts_judgels_server: -Xmx1g
 # java_opts_judgels_grader: -Xmx1g
 
-db_root_password: pass # <-------------------------- CHANGE THIS !!!
+db_root_password: pass # <------------------------------------- CHANGE THIS !!!
 db_username: judgels
-db_password: pass # <------------------------------- CHANGE THIS !!!
+db_password: pass # <------------------------------------------ CHANGE THIS !!!
 
 rabbitmq_username: judgels
-rabbitmq_password: pass # <------------------------- CHANGE THIS !!!
+rabbitmq_password: pass # <------------------------------------ CHANGE THIS !!!
 
-jophiel_superadmin_initialPassword: superadmin # <-- CHANGE THIS !!!
+jophiel_superadmin_initialPassword: superadmin # <------------- CHANGE THIS !!!
 jophiel_session_maxConcurrentSessionsPerUser: -1
 jophiel_session_disableLogout: false
 

diff --git a/deployment/ansible/playbooks/deploy.yml b/deployment/ansible/playbooks/deploy.yml
@@ -16,6 +16,8 @@
           - name: judgels-server-admin
             fqdn: "{{ nginx_domain_judgels_server_admin }}"
             config_template: "{{ playbook_dir }}/../conf/nginx-judgels-server-admin.conf.j2"
+            auth_basic_user: "{{ nginx_domain_judgels_server_admin_auth_basic_user | default('') }}"
+            auth_basic_pass: "{{ nginx_domain_judgels_server_admin_auth_basic_pass | default('') }}"
           - name: judgels-client
             fqdn: "{{ nginx_domain_judgels_client }}"
             config_template: "{{ playbook_dir }}/../conf/nginx-judgels-client.conf.j2"

diff --git a/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml b/deployment/ansible/roles/nginx-certbot-deploy/tasks/configure_domain.yml
@@ -12,7 +12,7 @@
     mode: 0644
   when: not letsencrypt_certificate.stat.exists
   notify: Reload nginx
-  
+
 - name: Enable nginx letsencrypt domain config
   file:
     src: /etc/nginx/sites-available/{{ domain.name | mandatory }}
@@ -41,6 +41,21 @@
   when: not letsencrypt_certificate.stat.exists
   notify: Reload nginx
 
+- name: Set up basic auth
+  when: domain.auth_basic_user is defined and domain.auth_basic_user != ""
+  block:
+    - name: Install passlib
+      package:
+        name: python3-passlib
+        state: present
+
+    - name: Generate basic auth
+      htpasswd:
+        path: /etc/nginx/passwords/{{ domain.name | mandatory }}
+        name: "{{ domain.auth_basic_user }}"
+        password: "{{ domain.auth_basic_pass }}"
+      notify: Reload nginx
+
 - name: Add nginx domain config
   template:
     src: "{{ domain.config_template | mandatory }}"