Add support for setting up oonipipeline workers

ansible/roles/miniconda/defaults/main.yml

@@ -1 +1,2 @@
 miniconda_install_dir: /opt/miniconda
+admin_group_name: admin

ansible/roles/miniconda/tasks/install.yml

@@ -4,7 +4,7 @@
     path: "{{ miniconda_install_dir }}"
     state: directory
     owner: miniconda
-    group: "{{ admin_group }}"
+    group: "{{ admin_group_name }}"
 
 - name: Download the miniconda installer
   ansible.builtin.get_url:

ansible/roles/miniconda/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: "install conda packages"
   ansible.builtin.shell:
-    cmd: "{{ miniconda_install_dir }}/bin/conda install {{ item }}"
+    cmd: "{{ miniconda_install_dir }}/bin/conda install -y {{ item }}"
   loop:
     - pandas
     - numpy

ansible/roles/nginx/templates/nginx.conf

@@ -13,11 +13,8 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    # $request_id is 1.11.0+, so `have_nginx` is adequate.
     geo $is_ooni {
-{% for h in groups['have_nginx'] %}
-        {{ lookup('dig', h + './A') }} 1;
-{% endfor %}
+        # TODO: this is not implemented ATM
         default 0;
     }
 

ansible/roles/oonidata/defaults/main.yml

@@ -1,4 +1,5 @@
 miniconda_install_dir: /opt/miniconda
 jupyterhub_config_dir: /etc/jupyterhub
 jupyterhub_runtime_dir: /srv/jupyterhub
-admin_group: adm
+oonipipeline_runtime_dir: /srv/oonipipeline
+admin_group_name: admin

ansible/roles/oonidata/handlers/main.yml

@@ -3,3 +3,8 @@
     name: jupyterhub
     state: restarted
     daemon_reload: true
+- name: Restart oonipipeline-worker
+  ansible.builtin.systemd_service:
+    name: oonipipeline-worker
+    state: restarted
+    daemon_reload: true

ansible/roles/oonidata/tasks/jupyterhub.yml

@@ -1,22 +1,17 @@
 ---
 - name: "install jupyterhub"
-  become: yes
-  become_user: miniconda
   ansible.builtin.shell:
-    cmd: "{{ miniconda_install_dir }}/bin/conda install -c conda-forge jupyterhub"
+    cmd: "{{ miniconda_install_dir }}/bin/conda install -c conda-forge -y jupyterhub"
 
 - name: "install jupyterlab and notebook"
-  become: yes
-  become_user: miniconda
   ansible.builtin.shell:
-    cmd: "{{ miniconda_install_dir }}/bin/conda install jupyterlab notebook"
+    cmd: "{{ miniconda_install_dir }}/bin/conda install -y jupyterlab notebook"
 
 - name: Write jupyterhub config
   ansible.builtin.template:
     src: jupyterhub_config.py.j2
     dest: "{{ jupyterhub_config_dir }}/config.py"
     owner: root
-    group: {{ admin_group }}
     mode: "0640"
   notify:
     - Restart jupyterhub

ansible/roles/oonidata/tasks/main.yml

@@ -10,3 +10,60 @@
     certbot_certs:
       - domains:
           - "{{ inventory_name }}"
+
+- name: create oonipipeline user
+  ansible.builtin.user:
+    name: oonipipeline
+    state: present
+    shell: /bin/false
+    createhome: no
+
+- name: create pipeline configuration
+  ansible.builtin.file:
+    path: "/etc/ooni/pipeline/"
+    state: directory
+    owner: oonipipeline
+
+- name: create pipeline configuration
+  ansible.builtin.file:
+    path: "{{ oonipipeline_runtime_dir }}"
+    state: directory
+    owner: oonipipeline
+
+- name: copy configuration files
+  ansible.builtin.copy:
+    content: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/{{ item }}', profile='oonidevops_user_prod') }}"
+    dest: /etc/ooni/pipeline/{{item}}
+    owner: oonipipeline
+    mode: "0600"
+  loop:
+    - ooni-pipeline.uuhzf.crt
+    - ooni-pipeline.uuhzf.key
+
+- name: write oonipipeline configuration
+  ansible.builtin.template:
+    src: oonipipeline-config.toml.j2
+    dest: /etc/ooni/pipeline/oonipipeline-config.toml
+    owner: oonipipeline
+    mode: "0600"
+
+- name: Install OONI pipeline from pip
+  ansible.builtin.shell:
+    cmd: "{{ miniconda_install_dir }}/bin/pip install -e 'git+https://github.com/ooni/data#egg=oonipipeline&subdirectory=oonipipeline'"
+
+- name: Write oonipipeline service
+  ansible.builtin.template:
+    src: oonipipeline-worker.service.j2
+    dest: "/etc/systemd/system/oonipipeline-worker.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Restart oonipipeline-worker
+
+- name: Ensure the OONI pipeline worker service is started with daemon-reload
+  ansible.builtin.systemd:
+    name: oonipipeline-worker
+    state: started
+    enabled: true
+    daemon_reload: true

ansible/roles/oonidata/templates/jupyterhub_config.py.j2

@@ -1,3 +1,2 @@
-c.Authenticator.allowed_users = { {{jupyterhub_allowed_users | join(",")}} }
 c.JupyterHub.bind_url = 'http://127.0.0.1:8888'
 c.Spawner.cmd = ['{{ miniconda_install_dir }}/bin/jupyterhub-singleuser']

ansible/roles/oonidata/templates/oonipipeline-config.toml.j2

@@ -0,0 +1,6 @@
+temporal_address = "ooni-pipeline.uuhzf.tmprl.cloud:7233"
+temporal_namespace = "ooni-pipeline.uuhzf"
+temporal_tls_client_cert_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.crt"
+temporal_tls_client_key_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.key"
+clickhouse_write_batch_size = 30000
+prometheus_bind_address = "127.0.0.1:9998"

ansible/roles/oonidata/templates/oonipipeline-worker.service.j2

@@ -0,0 +1,17 @@
+# OONI Pipeline worker service
+[Unit]
+
+[Service]
+User=oonipipeline
+Restart=always
+WorkingDirectory={{ oonipipeline_runtime_dir }}
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+Environment="CONFIG_FILE=/etc/ooni/pipeline/oonipipeline-config.toml"
+ExecStart={{ miniconda_install_dir }}/bin/python -m oonipipeline startworkers
+
+[Install]
+# Start service when system boots
+WantedBy=multi-user.target