cleanup: unrequired backend configs

ooni · Dec 7, 2024 · 137ede2 · 137ede2
1 parent c819886
commit 137ede2
Show file tree

Hide file tree

Showing 10 changed files with 26 additions and 966 deletions.
diff --git a/ansible/roles/ooni-backend/tasks/main.yml b/ansible/roles/ooni-backend/tasks/main.yml
@@ -26,7 +26,7 @@
     group: ooniapi
     mode: 0640
   vars:
-    collectors: []
+    collectors: ['backend-hel.ooni.org']
     # bucket_name and collector_id must match the uploader
     collector_id: 2
     bucket_name: ooni-data-eu-fra-test
@@ -252,17 +252,10 @@
     src: 444.nft
     dest: /etc/ooni/nftables/tcp/444.nft
 
-#- name: reload nftables service
-#  tags: api
-#  systemd:
-#    name: nftables.service
-#    state: reloaded
-
 - name: reload nftables service
   tags: api, webserv
   shell: systemctl reload nftables.service
 
-
 ## Fastpath ##
 
 - name: install fastpath if not present
@@ -298,25 +291,6 @@
   vars:
     clickhouse_url: clickhouse://fastpath:fastpath@localhost/default
 
-
-
-## Event detector ##
-
-#- name: install detector
-#  tags: detector
-#  apt:
-#    cache_valid_time: 86400
-#    name: detector
-#
-#- name: configure detector
-#  tags: detector
-#  blockinfile:
-#    path: /etc/ooni/detector.conf
-#    create: yes
-#    block: |
-#      # Managed by ansible, see roles/ooni-backend/tasks/main.yml
-
-
 ## Analysis daemon ##
 
 - name: install analysis
@@ -336,346 +310,6 @@
     dest: /etc/ooni/analysis.conf
       # Managed by ansible, see roles/ooni-backend/tasks/main.yml
 
-
-## Test helper rotation ##
-
-- name: configure test helper rotation
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  blockinfile:
-    path: /etc/ooni/rotation.conf
-    create: yes
-    mode: 0400
-    block: |
-      # Managed by ansible, see roles/ooni-backend/tasks/main.yml
-      [DEFAULT]
-      # Digital Ocean token
-      token = {{ digital_ocean_token }}
-      active_droplets_count = 4
-      size_slug = s-1vcpu-1gb
-      image_name = debian-11-x64
-      draining_time_minutes = 1440
-      dns_zone = th.ooni.org
-
-- name: configure test helper rotation certbot
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  blockinfile:
-    path: /etc/ooni/certbot-digitalocean
-    create: yes
-    mode: 0400
-    block: |
-      # Managed by ansible, see roles/ooni-backend/tasks/main.yml
-      dns_digitalocean_token = {{ digital_ocean_token }}
-
-- name: configure test helper rotation setup script
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  template:
-    src: rotation_setup.sh
-    dest: /etc/ooni/rotation_setup.sh
-
-- name: create test helper rotation nginx template
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  template:
-    src: rotation_nginx_conf
-    dest: /etc/ooni/rotation_nginx_conf
-
-- name: generate test helper rotation SSH keypair
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  openssh_keypair:
-    path: /etc/ooni/testhelper_ssh_key
-    owner: root
-    group: root
-    mode: 0400
-    type: ed25519
-  register: pubkey
-
-- name: print SSH pubkey
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  debug: msg={{ pubkey.public_key }}
-
-- name: Enable and start rotation service
-  tags: rotation
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  systemd:
-    daemon_reload: yes
-    enabled: yes
-    name: ooni-rotation.timer
-    state: started
-
-
-## Tor daemon and onion service ##
-
-## TODO(decfox): get rid of this?
-- name: configure tor onion service hostname
-  when: inventory_hostname == 'ams-pg.ooni.org'
-  tags: tor
-  blockinfile:
-    path: /var/lib/tor/ooni_onion_service/hostname
-    create: yes
-    owner: debian-tor
-    group: debian-tor
-    mode: 0644
-    block: guegdifjy7bjpequ.onion
-
-- name: configure tor onion service private_key
-  when: inventory_hostname == 'ams-pg.ooni.org'
-  tags: tor
-  blockinfile:
-    path: /var/lib/tor/ooni_onion_service/private_key
-    create: yes
-    owner: debian-tor
-    group: debian-tor
-    mode: 0600
-    block: "{{ amspg_ooni_org_onion_key }}"
-
-- name: set tor onion service directory
-  when: inventory_hostname == 'ams-pg.ooni.org'
-  tags: tor
-  shell: |
-    chown debian-tor:debian-tor /var/lib/tor/ooni_onion_service
-    chmod 0700 /var/lib/tor/ooni_onion_service
-
-
-# # Clickhouse # #
-
-- name: install APT HTTPS support
-  # do not update package if present
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  apt:
-    cache_valid_time: 86400
-    state: present
-    name:
-      - apt-transport-https
-      - ca-certificates
-      - dirmngr
-
-- name: install clickhouse keys
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  command: apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 8919F6BD2B48D754
-
-- name: set clickhouse repos
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  blockinfile:
-    path: /etc/apt/sources.list.d/clickhouse.list
-    create: yes
-    block: |
-      deb https://packages.clickhouse.com/deb lts main
-
-- name: pin clickhouse release train
-  when: inventory_hostname in ('backend-fsn.ooni.org', )
-  tags: clickhouse
-  blockinfile:
-    path: /etc/apt/preferences.d/clickhouse-server
-    create: yes
-    block: |
-      Package: clickhouse-server
-      Pin: version 21.8.12.*
-      Pin-Priority: 999
-
-- name: pin clickhouse release train
-  when: inventory_hostname in ('backend-hel.ooni.org')
-  tags: clickhouse
-  blockinfile:
-    path: /etc/apt/preferences.d/clickhouse-server
-    create: yes
-    block: |
-      Package: clickhouse-server
-      Pin: version 23.8.2.*
-      Pin-Priority: 999
-
-- name: install clickhouse on backend-fsn
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  tags: clickhouse
-  apt:
-    # refresh cache
-    cache_valid_time: 0
-    name:
-      - clickhouse-server={{ clickhouse_pkg_ver }}
-      - clickhouse-client={{ clickhouse_pkg_ver }}
-      - clickhouse-common-static={{ clickhouse_pkg_ver }}
-  vars:
-    clickhouse_pkg_ver: 21.8.12.*
-
-- name: install clickhouse on backend-hel.ooni.org
-  when: inventory_hostname == 'backend-hel.ooni.org'
-  tags: clickhouse
-  apt:
-    # refresh cache
-    cache_valid_time: 0
-    name:
-      - clickhouse-server={{ clickhouse_pkg_ver }}
-      - clickhouse-client={{ clickhouse_pkg_ver }}
-      - clickhouse-common-static={{ clickhouse_pkg_ver }}
-  vars:
-    clickhouse_pkg_ver: 23.8.2.*
-
-- name: install clickhouse conf override
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  template:
-    src: clickhouse_config.xml
-    dest: /etc/clickhouse-server/config.d/ooni_conf.xml
-    owner: clickhouse
-    group: clickhouse
-    mode: 0400
-  notify: restart clickhouse
-
-- name: allow incoming TCP connections from monitoring to Clickhouse prometheus interface
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  blockinfile:
-    path: /etc/ooni/nftables/tcp/9363.nft
-    create: yes
-    block: |
-      add rule inet filter input ip saddr 5.9.112.244 tcp dport 9363 counter accept comment "clickhouse prometheus from monitoring.ooni.org"
-  notify: reload nftables
-
-- name: allow incoming TCP connections from jupiter on monitoring.ooni.org to Clickhouse
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  blockinfile:
-    path: /etc/ooni/nftables/tcp/9000.nft
-    create: yes
-    block: |
-      add rule inet filter input ip saddr 5.9.112.244 tcp dport 9000 counter accept comment "clickhouse from monitoring.ooni.org"
-  notify: reload nftables
-
-- name: Run clickhouse
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  systemd:
-    name: clickhouse-server.service
-    state: started
-    enabled: yes
-
-## Clickhouse access control ##
-# https://clickhouse.com/docs/en/operations/access-rights/#enabling-access-control
-
-- name: Clickhouse - test admin user - failure is ok to ignore
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse-users
-  command: clickhouse-client -u admin --password admin -q 'select 1'
-  ignore_errors: true
-  register: admin_check
-
-- name: install tor python3-lxml
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  apt:
-    cache_valid_time: 86400
-    name: python3-lxml
-
-- name: Clickhouse - set flag
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  # The users.xml file itself needs to be edited for this to work
-  xml:
-    path: /etc/clickhouse-server/users.xml
-    backup: yes
-    xpath: /clickhouse/users/default/{{ item }}
-    value: "1"
-  loop:
-    - access_management
-    - named_collection_control
-    - show_named_collections
-    - show_named_collections_secrets
-  register: users_xml
-
-- name: Clickhouse - restart immediately if needed
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  systemd:
-    name: clickhouse-server
-    state: restarted
-
-- name: Clickhouse - create admin
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  command: clickhouse-client -q "CREATE USER OR REPLACE admin IDENTIFIED WITH sha256_password BY 'admin' HOST LOCAL GRANTEES ANY"
-  # The server might be still starting: retry as needed
-  retries: 10
-  delay: 5
-  register: result
-  until: result.rc == 0
-
-- name: Clickhouse - grant admin rights
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  command: clickhouse-client -q 'GRANT ALL ON *.* TO admin WITH GRANT OPTION'
-
-- name: Clickhouse - create readonly profile
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  template:
-    src: clickhouse_readonly.xml
-    dest: /etc/clickhouse-server/users.d/make_default_readonly.xml
-    owner: clickhouse
-    group: clickhouse
-    mode: 0640
-
-      #- name: Clickhouse - restore users.xml
-      #  when: admin_check is defined and admin_check is failed
-      #  tags: clickhouse-users
-      #  command: mv {{ users_xml.backup_file }} /etc/clickhouse-server/users.xml
-
-- name: Clickhouse - restart immediately if needed
-  when: admin_check is defined and admin_check is failed
-  tags: clickhouse-users
-  systemd:
-    name: clickhouse-server
-    state: restarted
-
-- name: Clickhouse - setup users and permissions
-  tags: clickhouse-users
-  command: clickhouse-client -u admin --password admin -q "{{ item }}"
-  loop:
-    - "CREATE USER OR REPLACE api IDENTIFIED WITH sha256_password BY 'api' HOST LOCAL"
-    - "GRANT ALL ON *.* TO api"
-    - "CREATE USER OR REPLACE fastpath IDENTIFIED WITH sha256_password BY 'fastpath' HOST LOCAL"
-    - "GRANT ALL ON *.* TO fastpath"
-
-## end of Clickhouse access control ##
-
-
-
-- name: Run feeder on backend-hel
-  when: inventory_hostname == 'backend-hel.ooni.org'
-  tags: clickhouse
-  blockinfile:
-    path: /etc/ooni/clickhouse_feeder.conf
-    create: yes
-    block: |
-      [DEFAULT]
-      pg_dbuser = readonly
-      pg_dbhost = localhost
-
-- name: run feeder on backend-fsn
-  when: inventory_hostname == 'backend-fsn.ooni.org'
-  tags: clickhouse
-  blockinfile:
-    path: /etc/ooni/clickhouse_feeder.conf
-    create: yes
-    block: |
-      [DEFAULT]
-      pg_dbuser = readonly
-      pg_dbhost = backend-hel.ooni.org
-
-- name: Run feeder
-  when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org')
-  tags: clickhouse
-  systemd:
-    name: ooni-clickhouse-feeder.service
-    state: started
-    enabled: yes
-
 - name: Run DB backup on backend-hel
   when: inventory_hostname == 'backend-hel.ooni.org'
   tags: dbbackup