From 48857b32652757e0784b9f31622336021360680a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Wed, 2 Oct 2024 10:31:55 +0200 Subject: [PATCH] Data.ooni.org (#105) Add support for production OONI data pipeline v5 deployment in ansible. It also moves some of the ooni/sysadmin roles to devops and updates them to new patterns. There is also a new node_exporter role that's part of the bootstrap role for performing host monitoring. Eventually this should be deployed on every new host which we manually bootstrap outside of AWS. Implements: https://github.com/ooni/devops/issues/82 --- ansible/README.md | 7 +- ansible/group_vars/all/vars.yml | 2 +- ansible/group_vars/dev/vars.yml | 1 + ansible/group_vars/prod/vars.yml | 1 + ansible/host_vars/data.ooni.org | 4 +- ansible/host_vars/oonidata.ooni.org | 2 + ansible/inventory | 11 +- ansible/playbook-bootstrap.yml | 8 ++ ansible/playbook.yml | 12 ++ ansible/requirements.yml | 3 + ansible/roles/bootstrap/tasks/main.yml | 45 +++++++ ansible/roles/jupyterhub/tasks/main.yml | 76 ----------- .../templates/jupyterhub_config.py.j2 | 2 - ansible/roles/jupyterhub/vars/main.yml | 8 -- ansible/roles/miniconda/defaults/main.yml | 2 + ansible/roles/miniconda/tasks/install.yml | 23 ++++ ansible/roles/miniconda/tasks/main.yml | 21 +++ ansible/roles/nftables/README.adoc | 25 ++++ ansible/roles/nftables/handlers/main.yml | 5 + ansible/roles/nftables/tasks/main.yml | 45 +++++++ .../roles/nftables/templates/nftables.conf | 41 ++++++ .../roles/nginx/files/ffdhe2048_dhparam.pem | 8 ++ .../roles/nginx/files/ssl_intermediate.conf | 3 + ansible/roles/nginx/files/ssl_modern.conf | 4 + ansible/roles/nginx/handlers/main.yml | 15 +++ ansible/roles/nginx/tasks/main.yml | 39 ++++++ ansible/roles/nginx/templates/nginx.conf | 122 ++++++++++++++++++ ansible/roles/oonidata/defaults/main.yml | 8 ++ ansible/roles/oonidata/handlers/main.yml | 16 +++ ansible/roles/oonidata/tasks/jupyterhub.yml | 82 ++++++++++++ ansible/roles/oonidata/tasks/main.yml | 59 +++++++++ .../oonidata/tasks/oonipipeline-worker.yml | 57 ++++++++ .../oonidata/templates/jupyterhub.service.j2 | 17 +++ .../templates/jupyterhub_config.py.j2 | 3 + .../oonidata/templates/nginx-jupyterhub.j2 | 40 ++++++ .../templates/oonipipeline-config.toml.j2 | 7 + .../templates/oonipipeline-worker.service.j2 | 17 +++ .../handlers/main.yml | 21 +++ .../prometheus_node_exporter/tasks/main.yml | 56 ++++++++ .../templates/nginx-prometheus.j2 | 20 +++ ansible/roles/ssh_users/tasks/main.yml | 2 +- tf/environments/prod/dns_records.tf | 8 ++ 42 files changed, 855 insertions(+), 93 deletions(-) create mode 100644 ansible/group_vars/dev/vars.yml create mode 100644 ansible/group_vars/prod/vars.yml create mode 100644 ansible/host_vars/oonidata.ooni.org create mode 100644 ansible/playbook-bootstrap.yml create mode 100644 ansible/roles/bootstrap/tasks/main.yml delete mode 100644 ansible/roles/jupyterhub/tasks/main.yml delete mode 100644 ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2 delete mode 100644 ansible/roles/jupyterhub/vars/main.yml create mode 100644 ansible/roles/miniconda/defaults/main.yml create mode 100644 ansible/roles/miniconda/tasks/install.yml create mode 100644 ansible/roles/miniconda/tasks/main.yml create mode 100644 ansible/roles/nftables/README.adoc create mode 100644 ansible/roles/nftables/handlers/main.yml create mode 100644 ansible/roles/nftables/tasks/main.yml create mode 100755 ansible/roles/nftables/templates/nftables.conf create mode 100644 ansible/roles/nginx/files/ffdhe2048_dhparam.pem create mode 100644 ansible/roles/nginx/files/ssl_intermediate.conf create mode 100644 ansible/roles/nginx/files/ssl_modern.conf create mode 100644 ansible/roles/nginx/handlers/main.yml create mode 100644 ansible/roles/nginx/tasks/main.yml create mode 100644 ansible/roles/nginx/templates/nginx.conf create mode 100644 ansible/roles/oonidata/defaults/main.yml create mode 100644 ansible/roles/oonidata/handlers/main.yml create mode 100644 ansible/roles/oonidata/tasks/jupyterhub.yml create mode 100644 ansible/roles/oonidata/tasks/main.yml create mode 100644 ansible/roles/oonidata/tasks/oonipipeline-worker.yml create mode 100644 ansible/roles/oonidata/templates/jupyterhub.service.j2 create mode 100644 ansible/roles/oonidata/templates/jupyterhub_config.py.j2 create mode 100644 ansible/roles/oonidata/templates/nginx-jupyterhub.j2 create mode 100644 ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 create mode 100644 ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 create mode 100644 ansible/roles/prometheus_node_exporter/handlers/main.yml create mode 100644 ansible/roles/prometheus_node_exporter/tasks/main.yml create mode 100644 ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 diff --git a/ansible/README.md b/ansible/README.md index 59b04f95..60da1de5 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -8,7 +8,12 @@ pyenv activate ooni-devops Install deps: ``` -pip install ansible dnspython boto3 +pip install ansible dnspython boto3 passlib +``` + +Install ansible galaxy modules: +``` +ansible-galaxy install -r requirements.yml ``` Setup AWS credentials, you should add 2 profiles called `oonidevops_user_dev` and `oonidevops_user_prod` which have access to the development and production environment respectively diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml index de9d63b7..936fd374 100644 --- a/ansible/group_vars/all/vars.yml +++ b/ansible/group_vars/all/vars.yml @@ -26,4 +26,4 @@ ssh_users: admin_usernames: [ art, majakomel, mehul, norbel ] root_usernames: [ art, mehul ] non_admin_usernames: [ agrabeli ] -deactivated_usernames: [ sbs, federico, sarath ] +deactivated_usernames: [ sbs, federico, sarath ] \ No newline at end of file diff --git a/ansible/group_vars/dev/vars.yml b/ansible/group_vars/dev/vars.yml new file mode 100644 index 00000000..a952a5d4 --- /dev/null +++ b/ansible/group_vars/dev/vars.yml @@ -0,0 +1 @@ +prometheus_metrics_password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/prometheus_metrics_password', profile='oonidevops_user_dev') }}" \ No newline at end of file diff --git a/ansible/group_vars/prod/vars.yml b/ansible/group_vars/prod/vars.yml new file mode 100644 index 00000000..0248a20a --- /dev/null +++ b/ansible/group_vars/prod/vars.yml @@ -0,0 +1 @@ +prometheus_metrics_password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/prometheus_metrics_password', profile='oonidevops_user_prod') }}" \ No newline at end of file diff --git a/ansible/host_vars/data.ooni.org b/ansible/host_vars/data.ooni.org index c3d9417f..7763cdf7 100644 --- a/ansible/host_vars/data.ooni.org +++ b/ansible/host_vars/data.ooni.org @@ -55,6 +55,6 @@ ssh_users: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJYsbeTjdma5cKyZISOFQfHbwwlZbWugPx9haeOx1UR" ] admin_usernames: [ art, majakomel, mehul, norbel ] -non_admin_usernames: [ ain, siti, ingrid, joss ] +non_admin_usernames: [ ain, siti, ingrid, joss, vasilis ] jupyterhub_allowed_users: "{{ ssh_users }}" -admin_group_name: adm +admin_group_name: adm \ No newline at end of file diff --git a/ansible/host_vars/oonidata.ooni.org b/ansible/host_vars/oonidata.ooni.org new file mode 100644 index 00000000..4dd0e917 --- /dev/null +++ b/ansible/host_vars/oonidata.ooni.org @@ -0,0 +1,2 @@ +admin_group_name: adm +tls_cert_dir: /var/lib/dehydrated/certs diff --git a/ansible/inventory b/ansible/inventory index 77e90223..1e13c160 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -1,6 +1,13 @@ [all] -monitoring.ooni.org -openvpn-server1.ooni.io # This requires manual setup of ~/.ssh/config #codesign-box + +[prod] data.ooni.org +oonidata.ooni.org +monitoring.ooni.org +openvpn-server1.ooni.io +notebook.ooni.org + +[dev] +oonidatatest.ooni.nu diff --git a/ansible/playbook-bootstrap.yml b/ansible/playbook-bootstrap.yml new file mode 100644 index 00000000..ab0d34d3 --- /dev/null +++ b/ansible/playbook-bootstrap.yml @@ -0,0 +1,8 @@ +# This playbook is to be run on hosts that don't support bootstrapping the base +# OS setup with something other than ansible (eg. cloud-init) +- name: Bootstrap the ssh_users on target host + hosts: all + remote_user: root + roles: + - ssh_users + - bootstrap diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 5f4ee32a..dece3fbe 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -1,4 +1,10 @@ --- +- name: Ensure all hosts are bootstrapped correctly + hosts: all + become: yes + roles: + - bootstrap + - name: ClickHouse servers hosts: clickhouse_servers user: admin @@ -36,6 +42,12 @@ roles: - ssh_users +- name: Deploy oonidata hosts + hosts: oonidata.ooni.org + become: true + roles: + - oonidata + # commented out due to the fact it requires manual config of ~/.ssh/config #- name: Setup codesign box # hosts: codesign-box diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 04ff726b..3b4d5ae0 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1 +1,4 @@ - src: willshersystems.sshd +- src: nginxinc.nginx +- src: geerlingguy.certbot +- src: geerlingguy.node_exporter \ No newline at end of file diff --git a/ansible/roles/bootstrap/tasks/main.yml b/ansible/roles/bootstrap/tasks/main.yml new file mode 100644 index 00000000..88cd3a78 --- /dev/null +++ b/ansible/roles/bootstrap/tasks/main.yml @@ -0,0 +1,45 @@ +- ansible.builtin.include_role: + name: ssh_users + tags: + - ssh_users + +- name: Set the hostname to inventory_hostname + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + +- name: Install common packages + ansible.builtin.apt: + name: + - bash-completion + - ca-certificates + - curl + - file + - git + - htop + - iotop + - lsof + - lvm2 + - man-db + - mtr + - net-tools + - openssl + - python3-passlib + - rsync + - screen + - strace + - tcpdump + - tmux + - vim + state: latest + update_cache: yes + install_recommends: no + +- ansible.builtin.include_role: + name: nftables + tags: + - nftables + +- ansible.builtin.include_role: + name: prometheus_node_exporter + tags: + - node_exporter diff --git a/ansible/roles/jupyterhub/tasks/main.yml b/ansible/roles/jupyterhub/tasks/main.yml deleted file mode 100644 index 96ea8900..00000000 --- a/ansible/roles/jupyterhub/tasks/main.yml +++ /dev/null @@ -1,76 +0,0 @@ ---- -- name: Check if TLJH is installed - ansible.builtin.stat: - path: "{{ jupyterhub_tljh_prefix }}" - register: tljh_directory - -- name: Install required packages for TLJH - become: true - ansible.builtin.apt: - name: - - curl - - python3 - - python3-pip - - python3-dev - - python3-venv - - build-essential - - cifs-utils - state: present - update_cache: true - -- name: Download the TLJH installer - become: true - ansible.builtin.get_url: - url: "https://tljh.jupyter.org/bootstrap.py" - dest: "/tmp/tljh-bootstrap.py" - checksum: "sha256:2e20bf204c94e1b6eef31499c93f6a14324117deec2eb398a142cb14acbeedd1" - mode: "0700" - when: not tljh_directory.stat.exists - -- name: Run the TLJH installer - become: true - ansible.builtin.shell: | - python3 /tmp/tljh-bootstrap.py --admin {{ jupyterhub_tljh_admin_user }}:{{ jupyterhub_tljh_admin_password }} - creates: "{{ jupyterhub_tljh_prefix }}" - when: not tljh_directory.stat.exists - -- name: Restart the JupyterHub service with daemon-reload - become: true - tags: - - config - ansible.builtin.systemd: - name: jupyterhub - state: restarted - enabled: true - daemon_reload: true - when: not tljh_directory.stat.exists - -- name: Configure Let's Encrypt email and domain - become: true - ansible.builtin.shell: | - tljh-config set https.enabled true - tljh-config set https.letsencrypt.email {{ jupyterhub_letsencrypt_email }} - tljh-config add-item https.letsencrypt.domains {{ jupyterhub_letsencrypt_domain }} - tljh-config reload proxy - vars: - jupyterhub_letsencrypt_domain: "{{ inventory_hostname }}" - register: tljh_letsencrypt - changes_when: tljh_letsencrypt.rc != 0 - when: not tljh_directory.stat.exists - -- name: Copy the JupyterHub config - become: true - ansible.builtin.template: - src: jupyterhub_config.py.j2 - dest: "{{ jupyterhub_config_dest }}" - mode: preserve - -- name: Restart the JupyterHub service with daemon-reload - become: true - tags: - - config - ansible.builtin.systemd: - name: jupyterhub - state: restarted - enabled: true - daemon_reload: true diff --git a/ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2 b/ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2 deleted file mode 100644 index 0f5d7d36..00000000 --- a/ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2 +++ /dev/null @@ -1,2 +0,0 @@ -# c.Spawner.cmd = ['/srv/jupyterhub/conda/bin/jupyterhub-singleuser'] -c.Authenticator.allowed_users = { {{jupyterhub_allowed_users | join(",")}} } diff --git a/ansible/roles/jupyterhub/vars/main.yml b/ansible/roles/jupyterhub/vars/main.yml deleted file mode 100644 index 015989bf..00000000 --- a/ansible/roles/jupyterhub/vars/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -jupyterhub_letsencrypt_email: admin@openobservatory.org - -jupyterhub_tljh_admin_user: admin -jupyterhub_tljh_admin_pass: oonity! -jupyterhub_tljh_prefix: /opt/tljh -jupyterhub_config_dest: /opt/tljh/config/jupyterhub_config.d/tljh.py - -jupyterhub_allowed_users: [] diff --git a/ansible/roles/miniconda/defaults/main.yml b/ansible/roles/miniconda/defaults/main.yml new file mode 100644 index 00000000..988c38eb --- /dev/null +++ b/ansible/roles/miniconda/defaults/main.yml @@ -0,0 +1,2 @@ +miniconda_install_dir: /opt/miniconda +admin_group_name: admin diff --git a/ansible/roles/miniconda/tasks/install.yml b/ansible/roles/miniconda/tasks/install.yml new file mode 100644 index 00000000..7366e2ff --- /dev/null +++ b/ansible/roles/miniconda/tasks/install.yml @@ -0,0 +1,23 @@ +--- +- name: Ensure miniconda directory exists + ansible.builtin.file: + path: "{{ miniconda_install_dir }}" + state: directory + owner: miniconda + group: "{{ admin_group_name }}" + +- name: Download the miniconda installer + ansible.builtin.get_url: + url: "https://repo.anaconda.com/miniconda/Miniconda3-py312_24.7.1-0-Linux-x86_64.sh" + dest: "{{ miniconda_install_dir }}/miniconda.sh" + checksum: "sha256:33442cd3813df33dcbb4a932b938ee95398be98344dff4c30f7e757cd2110e4f" + mode: "0700" + +- name: Run the miniconda installer + ansible.builtin.shell: | + bash {{ miniconda_install_dir }}/miniconda.sh -b -u -p {{ miniconda_install_dir }} + +- name: Delete installer + ansible.builtin.file: + path: "{{ miniconda_install_dir }}/miniconda.sh" + state: absent diff --git a/ansible/roles/miniconda/tasks/main.yml b/ansible/roles/miniconda/tasks/main.yml new file mode 100644 index 00000000..0ea358b3 --- /dev/null +++ b/ansible/roles/miniconda/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Ensure miniconda user exists + ansible.builtin.user: + name: miniconda + shell: /bin/false + +- name: Check if Miniconda is installed + ansible.builtin.stat: + path: "{{ miniconda_install_dir }}/bin/conda" + register: miniconda_bin + +- include_tasks: install.yml + when: not miniconda_bin.stat.exists + +- name: "install conda packages" + ansible.builtin.shell: + cmd: "{{ miniconda_install_dir }}/bin/conda install -y {{ item }}" + loop: + - pandas + - numpy + - altair diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc new file mode 100644 index 00000000..e3bef58f --- /dev/null +++ b/ansible/roles/nftables/README.adoc @@ -0,0 +1,25 @@ +Install nftables based firewall + +Set up /etc/ooni/nftables/ + +Rules for specific services are *not* configured by this role + +When creating rules to accept TCP traffic from any IPv4/6 address, +files are named with the port number to detect collisions. + +Example (also see roles/nftables/tasks/main.yml): + +/etc/ooni/nftables/tcp/8080.nft + +``` +add rule inet filter input tcp dport 8080 counter accept comment "MyService" +``` + + +Otherwise: + +/etc/ooni/nftables/tcp/5432_postgres_internal.nft + +``` +add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL" +``` diff --git a/ansible/roles/nftables/handlers/main.yml b/ansible/roles/nftables/handlers/main.yml new file mode 100644 index 00000000..a5b0e4bf --- /dev/null +++ b/ansible/roles/nftables/handlers/main.yml @@ -0,0 +1,5 @@ +- name: Reload nftables + tags: nftables + ansible.builtin.systemd_service: + name: nftables + state: reloaded diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml new file mode 100644 index 00000000..2789b150 --- /dev/null +++ b/ansible/roles/nftables/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- name: Install nftables + ansible.builtin.apt: + cache_valid_time: 86400 + name: nftables + tags: + - nftables + +- name: create config dir + ansible.builtin.file: + path: /etc/ooni/nftables/tcp + state: directory + owner: root + group: root + mode: 0755 + tags: + - nftables + +- name: allow SSH + ansible.builtin.blockinfile: + path: /etc/ooni/nftables/tcp/22.nft + create: yes + block: | + add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH" + tags: + - nftables + +- name: Overwrite nftables.conf + ansible.builtin.template: + src: templates/nftables.conf + dest: /etc/nftables.conf + mode: 0755 + owner: root + notify: + - Reload nftables + tags: + - nftables + +- name: enable nftables service + ansible.builtin.systemd_service: + name: nftables + enabled: yes + state: started + tags: + - nftables diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf new file mode 100755 index 00000000..5f7b50cc --- /dev/null +++ b/ansible/roles/nftables/templates/nftables.conf @@ -0,0 +1,41 @@ +#!/usr/sbin/nft -f +# +# Nftables configuration script +# +# Managed by ansible +# roles/nftables/templates/nftables.conf +# +# The ruleset is applied atomically + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; + policy drop; + iif lo accept comment "Accept incoming traffic from localhost" + ct state invalid drop + ct state established,related accept comment "Accept traffic related to outgoing connections" + icmp type echo-request accept + icmpv6 type echo-request counter packets 0 bytes 0 accept + icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 1 accept + icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 counter packets 1 bytes 72 accept + } + + chain forward { + type filter hook forward priority 0; + policy accept; + } + + chain output { + type filter hook output priority 0; + policy accept; + } +} + +# Configure TCP traffic rules +include "/etc/ooni/nftables/tcp/*.nft" + +# Configure any other rule +include "/etc/ooni/nftables/*.nft" + diff --git a/ansible/roles/nginx/files/ffdhe2048_dhparam.pem b/ansible/roles/nginx/files/ffdhe2048_dhparam.pem new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/ansible/roles/nginx/files/ffdhe2048_dhparam.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/ansible/roles/nginx/files/ssl_intermediate.conf b/ansible/roles/nginx/files/ssl_intermediate.conf new file mode 100644 index 00000000..96d2e6e2 --- /dev/null +++ b/ansible/roles/nginx/files/ssl_intermediate.conf @@ -0,0 +1,3 @@ +# Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; diff --git a/ansible/roles/nginx/files/ssl_modern.conf b/ansible/roles/nginx/files/ssl_modern.conf new file mode 100644 index 00000000..9ad7c11d --- /dev/null +++ b/ansible/roles/nginx/files/ssl_modern.conf @@ -0,0 +1,4 @@ +# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +# NB: technically, it does not require ssl_dhparam as it has no DHE, only ECDHE. diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml new file mode 100644 index 00000000..eb1d1671 --- /dev/null +++ b/ansible/roles/nginx/handlers/main.yml @@ -0,0 +1,15 @@ +- name: test nginx config + command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf + listen: + - restart nginx + - reload nginx + +- name: restart nginx + service: + name: nginx + state: restarted + +- name: reload nginx + service: + name: nginx + state: reloaded diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml new file mode 100644 index 00000000..b93304c1 --- /dev/null +++ b/ansible/roles/nginx/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: install nginx + include_role: + name: nginxinc.nginx + +# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 +# Guide https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups +# suggests ffdhe2048 instead of `openssl dhparam` to avoid https://weakdh.org/ +- name: copy nginx configuration snippets + copy: src={{item}} dest=/etc/nginx/{{ item }} mode=0444 owner=root group=root + with_items: + - ffdhe2048_dhparam.pem # ffdhe2048 Diffie-Hellman parameters + - ssl_intermediate.conf + - ssl_modern.conf + tags: + - nginx + +- name: remove `default` vhost + file: path={{item}} state=absent + notify: reload nginx + with_items: + - /etc/nginx/conf.d/default.conf + - /etc/nginx/sites-available/default + - /etc/nginx/sites-enabled/default + tags: + - nginx + +- name: Create nginx sites directory + ansible.builtin.file: + path: "/etc/nginx/sites-enabled/" + state: directory + tags: + - nginx + +- name: set nginx.conf + template: src=nginx.conf dest=/etc/nginx/nginx.conf mode=0444 + notify: reload nginx + tags: + - nginx diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf new file mode 100644 index 00000000..f43bf7c5 --- /dev/null +++ b/ansible/roles/nginx/templates/nginx.conf @@ -0,0 +1,122 @@ +# NB: system nginx uses `www-data` user! +user nginx; +worker_processes 2; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + geo $is_ooni { + # TODO: this is not implemented ATM + default 0; + } + + map $http_x_request_id $has_request_id { # check for `X-Request-ID` + "" 0; + default 1; + } + + map "$is_ooni:$has_request_id" $ooni_request_id { + "1:1" $http_x_request_id; # use `X-Request-ID` if it's okay + default $request_id; + } + + # IPv4 is anonymized to /24, IPv6 to /48 - according to OONI Data Policy. + # https://ooni.torproject.org/about/data-policy/ + # IP is recorded to track possible abusers, not to distinguish users, so the + # address is truncated down to ISP (min routable prefix) instead of hashing. + map $remote_addr $ooni_remote_addr { + default "0.0.0.0"; + # variables in map value require nginx/1.11.0+ + "~(?P\d+\.\d+\.\d+)\.\d+" "$ip.0"; + # :: means at least TWO zero 16bit fields, https://tools.ietf.org/html/rfc5952#section-4.2.2 + "~(?P[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):[0-9a-f:]+" "$ip::"; + "~(?P[0-9a-f]+:[0-9a-f]+)::[0-9a-f:]+" "$ip::"; + "~(?P[0-9a-f]+)::[0-9a-f:]+" "$ip::"; + } + + # $server_name is important as mtail does not distinguish log lines from + # different files, $host is required to log actual `Host` header. + # $request is split into separate fields to ease awk and mtail parsing. + # $scheme is used instead of $https to ease eye-reading. + # TCP_INFO is logged for random fun. + log_format mtail_pub + '$time_iso8601\t$msec\t$server_name\t' + '$ooni_remote_addr\t' # pub/int diff + '$request_completion\t$request_time\t$status\t$bytes_sent\t$body_bytes_sent\t' + '$upstream_cache_status\t$upstream_addr\t$upstream_status\t$upstream_connect_time\t$upstream_header_time\t$upstream_response_time\t' + '$scheme\t$server_protocol\t$request_length\t$request_method\t$host\t$request_uri\t' + '$tcpinfo_rtt\t$tcpinfo_rttvar\t' + '$http_referer\t$http_user_agent\t$ooni_request_id'; + + log_format mtail_int + '$time_iso8601\t$msec\t$server_name\t' + '$remote_addr\t' # pub/int diff + '$request_completion\t$request_time\t$status\t$bytes_sent\t$body_bytes_sent\t' + '$upstream_cache_status\t$upstream_addr\t$upstream_status\t$upstream_connect_time\t$upstream_header_time\t$upstream_response_time\t' + '$scheme\t$server_protocol\t$request_length\t$request_method\t$host\t$request_uri\t' + '$tcpinfo_rtt\t$tcpinfo_rttvar\t' + '$http_referer\t$http_user_agent\t$ooni_request_id'; + + log_format oolog '$ooni_remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$host"'; + + log_format oolog_mtail '$time_iso8601\t$msec\t$server_name\t' + '$ooni_remote_addr\t' # pub/int diff + '$request_completion\t$request_time\t$status\t$bytes_sent\t$body_bytes_sent\t' + '$upstream_cache_status\t$upstream_addr\t$upstream_status\t$upstream_connect_time\t$upstream_header_time\t$upstream_response_time\t' + '$scheme\t$server_protocol\t$request_length\t$request_method\t$host\t$request_uri\t' + '$tcpinfo_rtt\t$tcpinfo_rttvar\t' + '$http_referer\t$http_user_agent\t$ooni_request_id'; + + access_log /var/log/nginx/access.log mtail_int; + + sendfile on; + tcp_nopush on; # TCP_CORK HTTP headers with sendfile() body into single packet + + keepalive_timeout 120 120; # Firefox has 115s, http://kb.mozillazine.org/Network.http.keep-alive.timeout + + server_tokens off; + + # SSL based on https://wiki.mozilla.org/Security/Server_Side_TLS (doc v4.1) + ssl_session_timeout 1d; + ssl_session_cache shared:GLOBAL:1m; # 1m of cache is ~4000 sessions + ssl_session_tickets off; # needs accurate key rotation + ssl_dhparam /etc/nginx/ffdhe2048_dhparam.pem; # https://tools.ietf.org/html/rfc7919 + ssl_prefer_server_ciphers on; + #TODO: ssl_stapling on; # needs `resolver` or `ssl_stapling_file` + #TODO: ssl_stapling_verify on; # needs `ssl_trusted_certificate` + #TODO: resolver ; + # Define in server{} + # - include /etc/nginx/ssl_modern.conf | /etc/nginx/ssl_intermediate.conf + # - ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; + # - ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem + # - ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem; # for ssl_stapling_verify + # - add_header Strict-Transport-Security max-age=15768000; # HSTS (15768000 seconds = 6 months) + ### + + gzip on; + gzip_types text/html text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml; # default is only `text/html` + gzip_disable "msie6"; + #gzip_proxied any; + + # Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto are from + # file /etc/nginx/proxy_params from nginx-common package + # NB: adding `proxy_set_header` in another location overwrites whole set! + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Request-ID $ooni_request_id; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/ansible/roles/oonidata/defaults/main.yml b/ansible/roles/oonidata/defaults/main.yml new file mode 100644 index 00000000..c2b0d9d8 --- /dev/null +++ b/ansible/roles/oonidata/defaults/main.yml @@ -0,0 +1,8 @@ +miniconda_install_dir: /opt/miniconda +jupyterhub_config_dir: /etc/jupyterhub +jupyterhub_runtime_dir: /srv/jupyterhub +oonipipeline_runtime_dir: /srv/oonipipeline +tls_cert_dir: /etc/letsencrypt/live +admin_group_name: admin +enable_oonipipeline_worker: true +enable_jupyterhub: true diff --git a/ansible/roles/oonidata/handlers/main.yml b/ansible/roles/oonidata/handlers/main.yml new file mode 100644 index 00000000..f12d0aa6 --- /dev/null +++ b/ansible/roles/oonidata/handlers/main.yml @@ -0,0 +1,16 @@ +- name: Restart jupyterhub + ansible.builtin.systemd_service: + name: jupyterhub + state: restarted + daemon_reload: true + +- name: Restart oonipipeline-worker + ansible.builtin.systemd_service: + name: oonipipeline-worker + state: restarted + daemon_reload: true + +- name: Reload nginx + ansible.builtin.systemd_service: + name: nginx + state: reloaded diff --git a/ansible/roles/oonidata/tasks/jupyterhub.yml b/ansible/roles/oonidata/tasks/jupyterhub.yml new file mode 100644 index 00000000..b6fa2f07 --- /dev/null +++ b/ansible/roles/oonidata/tasks/jupyterhub.yml @@ -0,0 +1,82 @@ +--- +- name: Install jupyterhub + ansible.builtin.shell: + cmd: "{{ miniconda_install_dir }}/bin/conda install -c conda-forge -y jupyterhub" + tags: + - jupyterhub + +- name: Install jupyterlab and notebook + ansible.builtin.shell: + cmd: "{{ miniconda_install_dir }}/bin/conda install -y jupyterlab notebook" + tags: + - jupyterhub + +- name: Install jupyterhub packages + ansible.builtin.apt: + name: + - npm + tags: + - jupyterhub + +- name: Install configurable-http-proxy + ansible.builtin.shell: + cmd: "npm install -g configurable-http-proxy" + tags: + - jupyterhub + +- name: Create jupyterhub directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + loop: + - "{{ jupyterhub_config_dir }}" + - "{{ jupyterhub_runtime_dir }}" + - "{{ jupyterhub_runtime_dir }}/state" + tags: + - jupyterhub + +- name: Write jupyterhub config + ansible.builtin.template: + src: jupyterhub_config.py.j2 + dest: "{{ jupyterhub_config_dir }}/config.py" + owner: root + mode: "0640" + notify: + - Restart jupyterhub + tags: + - jupyterhub + - config + +- name: Write jupyterhub service + ansible.builtin.template: + src: jupyterhub.service.j2 + dest: "/etc/systemd/system/jupyterhub.service" + owner: root + group: root + mode: "0644" + notify: + - Restart jupyterhub + tags: + - jupyterhub + +- name: Ensure the JupyterHub service is started with daemon-reload + ansible.builtin.systemd: + name: jupyterhub + state: started + enabled: true + daemon_reload: true + tags: + - jupyterhub + - config + +- name: Setup oonidata nginx config + ansible.builtin.template: + src: nginx-jupyterhub.j2 + dest: /etc/nginx/sites-enabled/01-jupyterhub + owner: oonipipeline + mode: "0655" + notify: + - Reload nginx + tags: + - jupyterhub + - config \ No newline at end of file diff --git a/ansible/roles/oonidata/tasks/main.yml b/ansible/roles/oonidata/tasks/main.yml new file mode 100644 index 00000000..fa19b49b --- /dev/null +++ b/ansible/roles/oonidata/tasks/main.yml @@ -0,0 +1,59 @@ +--- +- name: create oonipipeline user + ansible.builtin.user: + name: oonipipeline + state: present + shell: /bin/false + createhome: no + tags: + - oonipipeline + - jupyterhub + +- ansible.builtin.include_role: + name: miniconda + tags: + - conda + +- ansible.builtin.import_tasks: jupyterhub.yml + when: enable_jupyterhub + tags: + - jupyterhub + +- ansible.builtin.include_role: + name: nginx + tags: + - nginx + +- ansible.builtin.include_role: + name: geerlingguy.certbot + tags: + - certbot + vars: + certbot_admin_email: admin@ooni.org + certbot_create_extra_args: "" + certbot_create_if_missing: true + certbot_create_standalone_stop_services: + - nginx + certbot_certs: + - domains: + - "{{ inventory_hostname }}" + +- name: Install oonipipeline requirements + ansible.builtin.apt: + name: + - net-tools + - curl + - git + tags: + - oonipipeline + +- name: Install OONI pipeline from pip + ansible.builtin.shell: + cmd: "{{ miniconda_install_dir }}/bin/pip install -e 'git+https://github.com/ooni/data#egg=oonipipeline&subdirectory=oonipipeline'" + tags: + - oonipipeline + +- ansible.builtin.import_tasks: oonipipeline-worker.yml + when: enable_oonipipeline_worker + tags: + - oonipipeline diff --git a/ansible/roles/oonidata/tasks/oonipipeline-worker.yml b/ansible/roles/oonidata/tasks/oonipipeline-worker.yml new file mode 100644 index 00000000..cbb5ef70 --- /dev/null +++ b/ansible/roles/oonidata/tasks/oonipipeline-worker.yml @@ -0,0 +1,57 @@ +- name: create pipeline configuration + ansible.builtin.file: + path: "/etc/ooni/pipeline/" + state: directory + owner: oonipipeline + tags: + - oonipipeline + +- name: create pipeline configuration + ansible.builtin.file: + path: "{{ oonipipeline_runtime_dir }}" + state: directory + owner: oonipipeline + tags: + - oonipipeline + +- name: copy configuration files + ansible.builtin.copy: + content: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/{{ item }}', profile='oonidevops_user_prod') }}" + dest: /etc/ooni/pipeline/{{item}} + owner: oonipipeline + mode: "0600" + loop: + - ooni-pipeline.uuhzf.crt + - ooni-pipeline.uuhzf.key + tags: + - oonipipeline + +- name: write oonipipeline configuration + ansible.builtin.template: + src: oonipipeline-config.toml.j2 + dest: /etc/ooni/pipeline/oonipipeline-config.toml + owner: oonipipeline + mode: "0600" + tags: + - oonipipeline + +- name: Write oonipipeline service + ansible.builtin.template: + src: oonipipeline-worker.service.j2 + dest: "/etc/systemd/system/oonipipeline-worker.service" + owner: root + group: root + mode: "0644" + notify: + - Restart oonipipeline-worker + tags: + - oonipipeline + +- name: Ensure the OONI pipeline worker service is started with daemon-reload + ansible.builtin.systemd: + name: oonipipeline-worker + state: started + enabled: true + daemon_reload: true + tags: + - oonipipeline diff --git a/ansible/roles/oonidata/templates/jupyterhub.service.j2 b/ansible/roles/oonidata/templates/jupyterhub.service.j2 new file mode 100644 index 00000000..479a48f9 --- /dev/null +++ b/ansible/roles/oonidata/templates/jupyterhub.service.j2 @@ -0,0 +1,17 @@ +# JupyterHub systemd service +[Unit] + +[Service] +User=root +Restart=always +WorkingDirectory={{ jupyterhub_runtime_dir}}/state +PrivateTmp=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +# Run upgrade-db before starting, in case Hub version has changed +# This is a no-op when no db exists or no upgrades are needed +ExecStart={{ miniconda_install_dir }}/bin/python -m jupyterhub.app -f {{ jupyterhub_config_dir }}/config.py --upgrade-db + +[Install] +# Start service when system boots +WantedBy=multi-user.target diff --git a/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 b/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 new file mode 100644 index 00000000..ec6bd238 --- /dev/null +++ b/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 @@ -0,0 +1,3 @@ +c.JupyterHub.bind_url = 'http://127.0.0.1:8888' +c.Spawner.cmd = ['{{ miniconda_install_dir }}/bin/jupyterhub-singleuser'] +c.Authenticator.allow_all = True diff --git a/ansible/roles/oonidata/templates/nginx-jupyterhub.j2 b/ansible/roles/oonidata/templates/nginx-jupyterhub.j2 new file mode 100644 index 00000000..1d6ae57a --- /dev/null +++ b/ansible/roles/oonidata/templates/nginx-jupyterhub.j2 @@ -0,0 +1,40 @@ +# ansible-managed in ooni/devops.git + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 443 ssl http2; + + include /etc/nginx/ssl_intermediate.conf; + + ssl_certificate {{ tls_cert_dir }}/{{ inventory_hostname }}/fullchain.pem; + ssl_certificate_key {{ tls_cert_dir }}/{{ inventory_hostname }}/privkey.pem; + ssl_trusted_certificate {{ tls_cert_dir }}/{{ inventory_hostname }}/chain.pem; + + server_name _; + access_log /var/log/nginx/{{ inventory_hostname }}.access.log; + error_log /var/log/nginx/{{ inventory_hostname }}.log warn; + + add_header Access-Control-Allow-Origin *; + + ## JupyterHub configuration + location / { + proxy_pass http://127.0.0.1:8888; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + client_max_body_size 100M; + + # WebSocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header X-Scheme $scheme; + proxy_buffering off; + } +} diff --git a/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 b/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 new file mode 100644 index 00000000..a41dcb43 --- /dev/null +++ b/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 @@ -0,0 +1,7 @@ +temporal_address = "ooni-pipeline.uuhzf.tmprl.cloud:7233" +temporal_namespace = "ooni-pipeline.uuhzf" +temporal_tls_client_cert_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.crt" +temporal_tls_client_key_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.key" +clickhouse_write_batch_size = 30000 +prometheus_bind_address = "127.0.0.1:9998" +data_dir = "/srv/oonipipeline/data_dir" \ No newline at end of file diff --git a/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 b/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 new file mode 100644 index 00000000..fcde42dc --- /dev/null +++ b/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 @@ -0,0 +1,17 @@ +# OONI Pipeline worker service +[Unit] + +[Service] +User=oonipipeline +Restart=always +WorkingDirectory={{ oonipipeline_runtime_dir }} +PrivateTmp=yes +PrivateDevices=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +Environment="CONFIG_FILE=/etc/ooni/pipeline/oonipipeline-config.toml" +ExecStart={{ miniconda_install_dir }}/bin/python -m oonipipeline.main startworkers + +[Install] +# Start service when system boots +WantedBy=multi-user.target diff --git a/ansible/roles/prometheus_node_exporter/handlers/main.yml b/ansible/roles/prometheus_node_exporter/handlers/main.yml new file mode 100644 index 00000000..8face3a3 --- /dev/null +++ b/ansible/roles/prometheus_node_exporter/handlers/main.yml @@ -0,0 +1,21 @@ +- name: Test nginx config + command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf + listen: + - Restart nginx-prometheus + - Reload nginx-prometheus + +- name: Reload nginx + ansible.builtin.systemd_service: + name: nginx + state: reloaded + +- name: Restart nginx + ansible.builtin.systemd_service: + name: nginx + state: restarted + +- name: Reload nftables + tags: nftables + ansible.builtin.systemd_service: + name: nftables + state: reloaded diff --git a/ansible/roles/prometheus_node_exporter/tasks/main.yml b/ansible/roles/prometheus_node_exporter/tasks/main.yml new file mode 100644 index 00000000..d33fe013 --- /dev/null +++ b/ansible/roles/prometheus_node_exporter/tasks/main.yml @@ -0,0 +1,56 @@ +- ansible.builtin.include_role: + name: nginx + tags: + - nginx + - node_exporter + +- ansible.builtin.include_role: + name: geerlingguy.node_exporter + vars: + node_exporter_host: "localhost" + node_exporter_port: 8100 + tags: + - node_exporter + +- name: create ooni configuration directory + ansible.builtin.file: + path: "/etc/ooni/" + state: directory + owner: root + tags: + - node_exporter + +- name: Add a user to a password file and ensure permissions are set + community.general.htpasswd: + path: /etc/ooni/prometheus_passwd + name: prom + password: "{{ prometheus_metrics_password }}" + owner: root + group: www-data + mode: 0640 + tags: + - node_exporter + +- name: Setup oonidata nginx config + ansible.builtin.template: + src: nginx-prometheus.j2 + dest: /etc/nginx/sites-enabled/01-prometheus + mode: "0655" + notify: + - Restart nginx + tags: + - node_exporter + - config + +- name: Allow prometheus monitoring + ansible.builtin.blockinfile: + path: /etc/ooni/nftables/tcp/9100.nft + create: yes + block: | + add rule inet filter input tcp dport 9100 counter accept comment "Incoming prometheus monitoring" + notify: + - Reload nftables + tags: + - nftables + - node_exporter + - config diff --git a/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 new file mode 100644 index 00000000..7d9fbab1 --- /dev/null +++ b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 @@ -0,0 +1,20 @@ +# ansible-managed in ooni/devops.git + +server { + listen 9100; + + server_name _; + access_log /var/log/nginx/{{ inventory_hostname }}.access.log; + error_log /var/log/nginx/{{ inventory_hostname }}.log warn; + + location /metrics { + auth_basic "Administrator’s Area"; + auth_basic_user_file /etc/ooni/prometheus_passwd; + + proxy_pass http://127.0.0.1:8100; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} \ No newline at end of file diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml index a4a701a2..0d994377 100644 --- a/ansible/roles/ssh_users/tasks/main.yml +++ b/ansible/roles/ssh_users/tasks/main.yml @@ -81,7 +81,7 @@ state: absent - name: configure sshd - include_role: + include_role: name: willshersystems.sshd vars: sshd_skip_defaults: false diff --git a/tf/environments/prod/dns_records.tf b/tf/environments/prod/dns_records.tf index 06f68e81..c2d680a7 100644 --- a/tf/environments/prod/dns_records.tf +++ b/tf/environments/prod/dns_records.tf @@ -997,3 +997,11 @@ resource "aws_route53_record" "openvpn-server1-ooni-io-_A_" { type = "A" zone_id = local.dns_root_zone_ooni_io } + +resource "aws_route53_record" "notebook-ooni-org-_A_" { + name = "notebook.ooni.org" + records = ["138.201.19.39"] + ttl = "60" + type = "A" + zone_id = local.dns_root_zone_ooni_org +}