diff --git a/tf/environments/production/ansible/playbook.yml b/tf/environments/production/ansible/playbook.yml index c927b344..f7617370 100644 --- a/tf/environments/production/ansible/playbook.yml +++ b/tf/environments/production/ansible/playbook.yml @@ -1,88 +1,12 @@ --- -- name: Configure ClickHouse servers using a template +- name: ClickHouse servers hosts: clickhouse_servers user: admin become: yes vars: clickhouse_reader_password: "{{ lookup('env', 'CLICKHOUSE_READER_PASSWORD') }}" - tasks: - - name: install clickhouse requirements - tags: clickhouse - apt: - cache_valid_time: 86400 - state: present - name: - - apt-transport-https - - ca-certificates - - dirmngr - - - name: Check if ClickHouse GPG keyring exists - ansible.builtin.stat: - path: /usr/share/keyrings/clickhouse-keyring.gpg - register: keyring_check - - - name: Create a temporary directory for GPG - ansible.builtin.tempfile: - state: directory - register: gnupg_temp_dir - when: not keyring_check.stat.exists - - - name: Import ClickHouse GPG key - ansible.builtin.command: - cmd: "gpg --no-default-keyring --keyring /usr/share/keyrings/clickhouse-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8919F6BD2B48D754" - chdir: "{{ gnupg_temp_dir.path }}" - creates: "/usr/share/keyrings/clickhouse-keyring.gpg" - environment: - GNUPGHOME: "{{ gnupg_temp_dir.path }}" - when: not keyring_check.stat.exists - - - name: Remove temporary directory - ansible.builtin.file: - path: "{{ gnupg_temp_dir.path }}" - state: absent - when: not keyring_check.stat.exists - - - name: Ensure the keyring is readable - ansible.builtin.file: - path: /usr/share/keyrings/clickhouse-keyring.gpg - mode: a+r - - - name: Add ClickHouse repository - ansible.builtin.apt_repository: - repo: "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https://packages.clickhouse.com/deb stable main" - state: present - filename: clickhouse - - - name: Update the package cache - ansible.builtin.apt: - update_cache: yes - - - name: Install ClickHouse server and client - ansible.builtin.apt: - name: - - clickhouse-server={{ clickhouse_pkg_ver }} - - clickhouse-client={{ clickhouse_pkg_ver }} - - clickhouse-common-static={{ clickhouse_pkg_ver }} - state: present - vars: - clickhouse_pkg_ver: 24.1.* - - - name: Ensure ClickHouse service is started and enabled - ansible.builtin.systemd: - name: clickhouse-server - state: started - enabled: yes - - - name: Configure ClickHouse users from template - template: - src: templates/ooni_users.xml - dest: /etc/clickhouse-server/users.d/ooni_users.xml - owner: clickhouse - group: clickhouse - mode: '0640' - notify: - - restart clickhouse-server - + roles: + - clickhouse handlers: - name: restart clickhouse-server service: diff --git a/tf/environments/production/ansible/roles/clickhouse/tasks/main.yml b/tf/environments/production/ansible/roles/clickhouse/tasks/main.yml new file mode 100644 index 00000000..38a2fd0a --- /dev/null +++ b/tf/environments/production/ansible/roles/clickhouse/tasks/main.yml @@ -0,0 +1,76 @@ +- name: install clickhouse requirements + tags: clickhouse + apt: + cache_valid_time: 86400 + state: present + name: + - apt-transport-https + - ca-certificates + - dirmngr + +- name: Check if ClickHouse GPG keyring exists + ansible.builtin.stat: + path: /usr/share/keyrings/clickhouse-keyring.gpg + register: keyring_check + +- name: Create a temporary directory for GPG + ansible.builtin.tempfile: + state: directory + register: gnupg_temp_dir + when: not keyring_check.stat.exists + +- name: Import ClickHouse GPG key + ansible.builtin.command: + cmd: "gpg --no-default-keyring --keyring /usr/share/keyrings/clickhouse-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8919F6BD2B48D754" + chdir: "{{ gnupg_temp_dir.path }}" + creates: "/usr/share/keyrings/clickhouse-keyring.gpg" + environment: + GNUPGHOME: "{{ gnupg_temp_dir.path }}" + when: not keyring_check.stat.exists + +- name: Remove temporary directory + ansible.builtin.file: + path: "{{ gnupg_temp_dir.path }}" + state: absent + when: not keyring_check.stat.exists + +- name: Ensure the keyring is readable + ansible.builtin.file: + path: /usr/share/keyrings/clickhouse-keyring.gpg + mode: a+r + +- name: Add ClickHouse repository + ansible.builtin.apt_repository: + repo: "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https://packages.clickhouse.com/deb stable main" + state: present + filename: clickhouse + +- name: Update the package cache + ansible.builtin.apt: + update_cache: yes + +- name: Install ClickHouse server and client + ansible.builtin.apt: + name: + - clickhouse-server={{ clickhouse_pkg_ver }} + - clickhouse-client={{ clickhouse_pkg_ver }} + - clickhouse-common-static={{ clickhouse_pkg_ver }} + state: present + vars: + clickhouse_pkg_ver: 24.1.* + +- name: Ensure ClickHouse service is started and enabled + ansible.builtin.systemd: + name: clickhouse-server + state: started + enabled: yes + +- name: Configure ClickHouse users from template + template: + src: templates/ooni_users.xml + dest: /etc/clickhouse-server/users.d/ooni_users.xml + owner: clickhouse + group: clickhouse + mode: '0640' + notify: + - restart clickhouse-server \ No newline at end of file diff --git a/tf/environments/production/ansible/templates/ooni_users.xml b/tf/environments/production/ansible/roles/clickhouse/templates/ooni_users.xml similarity index 100% rename from tf/environments/production/ansible/templates/ooni_users.xml rename to tf/environments/production/ansible/roles/clickhouse/templates/ooni_users.xml