refactor: add base files for backend-hel deployment

ansible/playbook-backend.yml

@@ -0,0 +1,16 @@
+---
+- hosts: backend-hel.ooni.org
+  roles:
+    - role: base-bookworm
+    - role: nftables
+    - role: nginx-buster
+      tags: nginx
+    - role: dehydrated
+      tags: dehydrated
+      expand: yes
+      ssl_domains:
+        # with dehydrated the first entry is the cert FQDN
+        # and the other ones are alternative names
+        - "backend-hel.ooni.org"
+    - role: ooni-backend
+      ssl_domain: backend-hel.ooni.org

ansible/roles/base-bookworm/README.adoc

@@ -0,0 +1 @@
+Configure base host based on Bookworm

ansible/roles/base-bookworm/meta/main.yml

@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: adm
+    become: false
+    remote_user: root
+    gather_facts: false

ansible/roles/base-bookworm/tasks/main.yml

@@ -0,0 +1,221 @@
+---
+- name: motd
+  shell: echo "" > /etc/motd
+
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+
+- name: Remove apt repo
+  tags: apt
+  file:
+    path: /etc/apt/sources.list.d/ftp_nl_debian_org_debian.list
+    state: absent
+
+- name: Remove apt repo
+  tags: apt
+  file:
+    path: /etc/apt/sources.list.d/security_debian_org.list
+    state: absent
+
+- name: Create internal-deb repo GPG pubkey
+  tags: apt
+  template:
+    src: templates/internal-deb.gpg
+    dest: /etc/ooni/internal-deb.gpg
+    mode: 0644
+    owner: root
+
+- name: Set apt repos
+  tags: apt
+  template:
+    src: templates/sources.list
+    dest: /etc/apt/sources.list
+    mode: 0644
+    owner: root
+
+- name: Install gpg
+  tags: base-packages
+  apt:
+    install_recommends: no
+    cache_valid_time: 86400
+    name:
+      - gpg
+      - gpg-agent
+
+- name: Update apt cache
+  tags: apt
+  apt:
+    update_cache: yes
+
+- name: Installs base packages
+  tags: base-packages
+  apt:
+    install_recommends: no
+    cache_valid_time: 86400
+    name:
+      - bash-completion
+      - byobu
+      - chrony
+      - etckeeper
+      - fail2ban
+      - git
+      - iotop
+      - jupyter-notebook
+      - manpages
+      - ncdu
+      - netdata-core
+      - netdata-plugins-bash
+      - netdata-plugins-python
+      - netdata-web
+      - nftables
+      - nullmailer
+      - prometheus-node-exporter
+      - pv
+      # needed by ansible
+      - python3-apt
+      - rsync
+      - ssl-cert
+      - strace
+      - tcpdump
+      - tmux
+      - vim
+
+- name: Configure journald
+  tags: journald
+  template:
+    src: templates/journald.conf
+    dest: /etc/systemd/journald.conf
+    mode: 0644
+    owner: root
+
+- name: enable and restart journald
+  tags: journald
+  systemd:
+    name: systemd-journald.service
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
+
+- name: Autoremove
+  tags: autoremove
+  apt:
+    autoremove: yes
+
+- name: Clean cache
+  tags: apt
+  apt:
+    autoclean: yes
+
+- name: allow netdata.service
+  tags: netdata
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/19999.nft
+    create: yes
+    block: |
+      add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.ooni.org/A') }} tcp dport 19999 counter accept comment "netdata.service"
+
+#- name: reload nftables service
+#  systemd:
+#    name: nftables.service
+#    state: reloaded
+#    enabled: yes
+#    daemon_reload: yes
+
+- name: reload nftables service
+  service: name=nftables state=restarted
+
+- name: configure netdata.service
+  tags: netdata
+  template:
+    src: netdata.conf
+    dest: /etc/netdata/netdata.conf
+
+- name: disable netdata emails
+  tags: netdata
+  blockinfile:
+    path: /etc/netdata/conf.d/health_alarm_notify.conf
+    create: yes
+    block: |
+      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
+      SEND_EMAIL="NO"
+
+- name: Set timezone
+  tags: timezone
+  timezone:
+    name: Etc/UTC
+
+- name: restart chrony service
+  tags: timezone
+  systemd:
+    name: chrony.service
+    state: restarted
+
+- name: configure netdata chrony
+  tags: netdata, timezone
+  blockinfile:
+    path: /etc/netdata/python.d/chrony.conf
+    create: yes
+    block: |
+      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
+      update_every: 5
+      local:
+        command: 'chronyc -n tracking'
+
+- name: configure netdata chrony
+  tags: netdata, timezone
+  lineinfile:
+    path: /usr/lib/netdata/conf.d/python.d.conf
+    regexp: '^chrony:'
+    line: 'chrony: yes'
+
+#- name: configure netdata nginx
+#  blockinfile:
+#    path: /etc/netdata/python.d/nginx.conf
+#    create: yes
+#    block: |
+#      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
+#      update_every: 5
+#      nginx_log:
+#        name  : 'nginx_log'
+#        path  : '/var/log/nginx/access.log'
+
+#- name: configure netdata haproxy
+#  blockinfile:
+#    path: /etc/netdata/python.d/haproxy.conf
+#    block: |
+#      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
+#      update_every: 5
+#      via_url:
+#        url: 'http://127.0.0.1:7000/haproxy_stats;csv;norefresh'
+
+- name: restart netdata service
+  tags: netdata, timezone
+  systemd:
+    name: netdata.service
+    state: restarted
+
+
+- name: install systemd-resolved
+  tags: resolved
+  apt:
+    install_recommends: no
+    cache_valid_time: 86400
+    name:
+      - systemd-resolved
+
+- name: configure systemd-resolved
+  tags: resolved
+  template:
+    src: resolved.conf
+    dest: /etc/systemd/resolved.conf
+
+- name: restart systemd-resolved
+  tags: resolved
+  systemd:
+    name: systemd-resolved.service
+    state: restarted
+
+- name: test systemd-resolved
+  tags: resolved
+  shell: resolvectl query go.dnscheck.tools --cache=no

ansible/roles/base-bookworm/templates/internal-deb.gpg

@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYGISFRYJKwYBBAHaRw8BAQdA4VxoR0gSsH56BbVqYdK9HNQ0Dj2YFVbvKIIZ
+JKlaW920Mk9PTkkgcGFja2FnZSBzaWduaW5nIDxjb250YWN0QG9wZW5vYnNlcnZh
+dG9yeS5vcmc+iJYEExYIAD4WIQS1oI8BeW5/UhhhtEk3LR/ycfLdUAUCYGISFQIb
+AwUJJZgGAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA3LR/ycfLdUFk+AQCb
+gsUQsAQGxUFvxk1XQ4RgEoh7wy2yTuK8ZCkSHJ0HWwD/f2OAjDigGq07uJPYw7Uo
+Ih9+mJ/ubwiPMzUWF6RSdgu4OARgYhIVEgorBgEEAZdVAQUBAQdAx4p1KerwcIhX
+HfM9LbN6Gi7z9j4/12JKYOvr0d0yC30DAQgHiH4EGBYIACYWIQS1oI8BeW5/Uhhh
+tEk3LR/ycfLdUAUCYGISFQIbDAUJJZgGAAAKCRA3LR/ycfLdUL4cAQCs53fLphhy
+6JMwVhRs02LXi1lntUtw1c+EMn6t7XNM6gD+PXpbgSZwoV3ZViLqr58o9fZQtV3s
+oN7jfdbznrWVigE=
+=PtYb
+-----END PGP PUBLIC KEY BLOCK-----

ansible/roles/base-bookworm/templates/journald.conf

@@ -0,0 +1,8 @@
+[Journal]
+Storage=persistent
+Compress=yes
+#RateLimitIntervalSec=30s
+#RateLimitBurst=10000
+SystemMaxFileSize=200M
+RuntimeMaxFileSize=1G
+ForwardToSyslog=no

ansible/roles/base-bookworm/templates/netdata.conf

@@ -0,0 +1,32 @@
+# Managed by ansible, see roles/base-bookworm/tasks/main.yml
+[global]
+  run as user = netdata
+  web files owner = root
+  web files group = root
+  bind socket to IP = 0.0.0.0
+
+[plugins]
+  python.d = yes
+
+
+[statsd]
+    enabled = yes
+    # decimal detail = 1000
+    update every (flushInterval) = 1
+    # udp messages to process at once = 10
+    # create private charts for metrics matching = *
+    max private charts allowed = 10000
+    max private charts hard limit = 10000
+    private charts memory mode = ram
+    private charts history = 300
+    # histograms and timers percentile (percentThreshold) = 95.00000
+    # add dimension for number of events received = no
+    # gaps on gauges (deleteGauges) = no
+    # gaps on counters (deleteCounters) = no
+    # gaps on meters (deleteMeters) = no
+    # gaps on sets (deleteSets) = no
+    # gaps on histograms (deleteHistograms) = no
+    # gaps on timers (deleteTimers) = no
+    # listen backlog = 4096
+    # default port = 8125
+    # bind to = udp:localhost:8125 tcp:localhost:8125

ansible/roles/base-bookworm/templates/ooni_internal.sources

@@ -0,0 +1,7 @@
+Architectures: amd64
+Suites: unstable
+Uris: https://ooni-internal-deb.s3.eu-central-1.amazonaws.com
+Types: deb
+Components: main
+Enabled: yes
+Signed-By: /etc/ooni/internal-deb.gpg

ansible/roles/base-bookworm/templates/resolved.conf

@@ -0,0 +1,9 @@
+# Deployed by ansible
+# See roles/base-bookworm/templates/resolved.conf
+
+[Resolve]
+## https://meta.wikimedia.org/wiki/Wikimedia_DNS
+DNS=185.71.138.138
+DNSOverTLS=opportunistic
+DNSSEC=allow-downgrade
+Cache=yes

ansible/roles/base-bookworm/templates/sources.list

@@ -0,0 +1,6 @@
+# Managed by ansible
+# roles/base-bookworm/templates/sources.list
+
+deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
+deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free-firmware
+deb http://deb.debian.org/debian bookworm-backports main

ansible/roles/dehydrated/README.adoc

@@ -0,0 +1,10 @@
+
+Configure dehydrated to generate certificates (locally to each server)
+
+- listen on port 443 for ACME challenge
+
+- ansible --diff is supported
+
+- generate certificate expirations metrics for node exporter
+
+- changes to /etc are also tracked locally by etckeeper

ansible/roles/dehydrated/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies:
+  - nginx-buster
+...
+