From f8ea493c308ff6edde2b826de107167ddc4fbd0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Thu, 26 Sep 2024 19:11:30 +0300 Subject: [PATCH] Add support for setting up oonipipeline workers --- ansible/roles/miniconda/defaults/main.yml | 1 + ansible/roles/miniconda/tasks/install.yml | 2 +- ansible/roles/miniconda/tasks/main.yml | 2 +- ansible/roles/nginx/templates/nginx.conf | 5 +- ansible/roles/oonidata/defaults/main.yml | 3 +- ansible/roles/oonidata/handlers/main.yml | 5 ++ ansible/roles/oonidata/tasks/jupyterhub.yml | 9 +-- ansible/roles/oonidata/tasks/main.yml | 57 +++++++++++++++++++ .../templates/jupyterhub_config.py.j2 | 1 - .../templates/oonipipeline-config.toml.j2 | 6 ++ .../templates/oonipipeline-worker.service.j2 | 17 ++++++ 11 files changed, 93 insertions(+), 15 deletions(-) create mode 100644 ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 create mode 100644 ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 diff --git a/ansible/roles/miniconda/defaults/main.yml b/ansible/roles/miniconda/defaults/main.yml index b9d7f78d..988c38eb 100644 --- a/ansible/roles/miniconda/defaults/main.yml +++ b/ansible/roles/miniconda/defaults/main.yml @@ -1 +1,2 @@ miniconda_install_dir: /opt/miniconda +admin_group_name: admin diff --git a/ansible/roles/miniconda/tasks/install.yml b/ansible/roles/miniconda/tasks/install.yml index 5da31271..7366e2ff 100644 --- a/ansible/roles/miniconda/tasks/install.yml +++ b/ansible/roles/miniconda/tasks/install.yml @@ -4,7 +4,7 @@ path: "{{ miniconda_install_dir }}" state: directory owner: miniconda - group: "{{ admin_group }}" + group: "{{ admin_group_name }}" - name: Download the miniconda installer ansible.builtin.get_url: diff --git a/ansible/roles/miniconda/tasks/main.yml b/ansible/roles/miniconda/tasks/main.yml index 958ecd6a..36925b11 100644 --- a/ansible/roles/miniconda/tasks/main.yml +++ b/ansible/roles/miniconda/tasks/main.yml 
@@ -9,7 +9,7 @@ - name: "install conda packages" ansible.builtin.shell: - cmd: "{{ miniconda_install_dir }}/bin/conda install {{ item }}" + cmd: "{{ miniconda_install_dir }}/bin/conda install -y {{ item }}" loop: - pandas - numpy diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf index 55329899..f43bf7c5 100644 --- a/ansible/roles/nginx/templates/nginx.conf +++ b/ansible/roles/nginx/templates/nginx.conf @@ -13,11 +13,8 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - # $request_id is 1.11.0+, so `have_nginx` is adequate. geo $is_ooni { -{% for h in groups['have_nginx'] %} - {{ lookup('dig', h + './A') }} 1; -{% endfor %} + # TODO: this is not implemented ATM default 0; } diff --git a/ansible/roles/oonidata/defaults/main.yml b/ansible/roles/oonidata/defaults/main.yml index d12c61eb..d3839391 100644 --- a/ansible/roles/oonidata/defaults/main.yml +++ b/ansible/roles/oonidata/defaults/main.yml @@ -1,4 +1,5 @@ miniconda_install_dir: /opt/miniconda jupyterhub_config_dir: /etc/jupyterhub jupyterhub_runtime_dir: /srv/jupyterhub -admin_group: adm +oonipipeline_runtime_dir: /srv/oonipipeline +admin_group_name: admin diff --git a/ansible/roles/oonidata/handlers/main.yml b/ansible/roles/oonidata/handlers/main.yml index 3278c395..a964677d 100644 --- a/ansible/roles/oonidata/handlers/main.yml +++ b/ansible/roles/oonidata/handlers/main.yml @@ -3,3 +3,8 @@ name: jupyterhub state: restarted daemon_reload: true +- name: Restart oonipipeline-worker + ansible.builtin.systemd_service: + name: oonipipeline-worker + state: restarted + daemon_reload: true diff --git a/ansible/roles/oonidata/tasks/jupyterhub.yml b/ansible/roles/oonidata/tasks/jupyterhub.yml index d59474e2..fa713bc6 100644 --- a/ansible/roles/oonidata/tasks/jupyterhub.yml +++ b/ansible/roles/oonidata/tasks/jupyterhub.yml 
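Review bot: The `conda install -y {{ item }}` shell task still has no `changed_when` or `creates` guard, so it re-executes and reports `changed` on every play even when the package is already present. Register the output and derive the change state from conda's own message, e.g. `register: conda_out` and `changed_when: "'All requested packages already installed' not in conda_out.stdout"`, if that string matches the conda version in use. The surrounding task list continues outside the hunk.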
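Review bot: With the dig-populated entries gone, `geo $is_ooni` now yields `default 0` for every client, so anything elsewhere in this config that keys on `$is_ooni` (access rules, rate limits, logging) now treats all traffic as external, and the new TODO does not say so. Suggest `# TODO: $is_ooni is always 0 until the have_nginx host list is populated again; every consumer of this variable currently sees all clients as non-OONI`. The enclosing `http {}` block continues outside the hunk.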
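Review bot: `admin_group_name: admin` changes the owning group from `adm` to `admin` in the same line as the rename, and the miniconda install task applies this group to `{{ miniconda_install_dir }}`; on Debian-derived hosts `adm` exists by default while `admin` typically does not, so that `file` task fails unless the group is created elsewhere in the play. If the new value is intended, document its origin with `# must already exist on the host; created by <role-or-task>`, otherwise keep `adm`. The same default is duplicated in the miniconda role's defaults, so the two files must be kept in sync.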
@@ -1,22 +1,17 @@ --- - name: "install jupyterhub" - become: yes - become_user: miniconda ansible.builtin.shell: - cmd: "{{ miniconda_install_dir }}/bin/conda install -c conda-forge jupyterhub" + cmd: "{{ miniconda_install_dir }}/bin/conda install -c conda-forge -y jupyterhub" - name: "install jupyterlab and notebook" - become: yes - become_user: miniconda ansible.builtin.shell: - cmd: "{{ miniconda_install_dir }}/bin/conda install jupyterlab notebook" + cmd: "{{ miniconda_install_dir }}/bin/conda install -y jupyterlab notebook" - name: Write jupyterhub config ansible.builtin.template: src: jupyterhub_config.py.j2 dest: "{{ jupyterhub_config_dir }}/config.py" owner: root - group: {{ admin_group }} mode: "0640" notify: - Restart jupyterhub diff --git a/ansible/roles/oonidata/tasks/main.yml b/ansible/roles/oonidata/tasks/main.yml index c413c9ef..a2927ed5 100644 --- a/ansible/roles/oonidata/tasks/main.yml +++ b/ansible/roles/oonidata/tasks/main.yml 
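Review bot: Dropping `become: yes` / `become_user: miniconda` from the two conda install tasks makes them run as the play's user (root, if the play escalates), while the miniconda role sets `owner: miniconda` on `{{ miniconda_install_dir }}`; packages written as root leave root-owned files inside that tree which the `miniconda` user can no longer update. If running conda as root is intended, say so with `# runs as the play user on purpose; /opt/miniconda is root-managed from here on` and align the directory ownership in the miniconda role; otherwise keep `become_user: miniconda`. Removing the unquoted `group: {{ admin_group }}` fixes a YAML parse error, but the config is now `owner: root`, group root, `mode: "0640"`, i.e. readable by root only, which is worth confirming against the account jupyterhub runs under.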
@@ -10,3 +10,60 @@ certbot_certs: - domains: - "{{ inventory_name }}" + +- name: create oonipipeline user + ansible.builtin.user: + name: oonipipeline + state: present + shell: /bin/false + createhome: no + +- name: create pipeline configuration + ansible.builtin.file: + path: "/etc/ooni/pipeline/" + state: directory + owner: oonipipeline + +- name: create pipeline configuration + ansible.builtin.file: + path: "{{ oonipipeline_runtime_dir }}" + state: directory + owner: oonipipeline + +- name: copy configuration files + ansible.builtin.copy: + content: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/{{ item }}', profile='oonidevops_user_prod') }}" + dest: /etc/ooni/pipeline/{{item}} + owner: oonipipeline + mode: "0600" + loop: + - ooni-pipeline.uuhzf.crt + - ooni-pipeline.uuhzf.key + +- name: write oonipipeline configuration + ansible.builtin.template: + src: oonipipeline-config.toml.j2 + dest: /etc/ooni/pipeline/oonipipeline-config.toml + owner: oonipipeline + mode: "0600" + +- name: Install OONI pipeline from pip + ansible.builtin.shell: + cmd: "{{ miniconda_install_dir }}/bin/pip install -e 'git+https://github.com/ooni/data#egg=oonipipeline&subdirectory=oonipipeline'" + +- name: Write oonipipeline service + ansible.builtin.template: + src: oonipipeline-worker.service.j2 + dest: "/etc/systemd/system/oonipipeline-worker.service" + owner: root + group: root + mode: "0644" + notify: + - Restart oonipipeline-worker + +- name: Ensure the OONI pipeline worker service is started with daemon-reload + ansible.builtin.systemd: + name: oonipipeline-worker + state: started + enabled: true + daemon_reload: true diff --git a/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 b/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 index 3a363197..45ff58aa 100644 --- a/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 +++ b/ansible/roles/oonidata/templates/jupyterhub_config.py.j2 
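Review bot: The `copy configuration files` task writes a TLS private key fetched via `amazon.aws.aws_secret` without `no_log: true`, so the `content` argument (the key material) is echoed in verbose output and in callback/log plugins; add `no_log: true` to that task. The `content` expression also nests moustaches (`'oonidevops/{{ item }}'` inside `{{ ... }}`); use concatenation instead, `lookup('amazon.aws.aws_secret', 'oonidevops/' ~ item, profile='oonidevops_user_prod')`. The `pip install -e 'git+https://github.com/ooni/data#egg=oonipipeline&subdirectory=oonipipeline'` task installs whatever the default branch head is on each run, so the deployed worker is neither pinned nor reproducible; pin it as `git+https://github.com/ooni/data@<commit-or-tag>#egg=oonipipeline&subdirectory=oonipipeline`. Two tasks share the name `create pipeline configuration`; rename the second to `create pipeline runtime directory`, and `createhome: no` is the older alias of `create_home: false`.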
@@ -1,3 +1,2 @@
-c.Authenticator.allowed_users = { {{jupyterhub_allowed_users | join(",")}} }
 c.JupyterHub.bind_url = 'http://127.0.0.1:8888'
 c.Spawner.cmd = ['{{ miniconda_install_dir }}/bin/jupyterhub-singleuser']
diff --git a/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2 b/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2
new file mode 100644
index 00000000..bdcf4db9
--- /dev/null
+++ b/ansible/roles/oonidata/templates/oonipipeline-config.toml.j2
@@ -0,0 +1,6 @@
+temporal_address = "ooni-pipeline.uuhzf.tmprl.cloud:7233"
+temporal_namespace = "ooni-pipeline.uuhzf"
+temporal_tls_client_cert_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.crt"
+temporal_tls_client_key_path = "/etc/ooni/pipeline/ooni-pipeline.uuhzf.key"
+clickhouse_write_batch_size = 30000
+prometheus_bind_address = "127.0.0.1:9998"
\ No newline at end of file
diff --git a/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2 b/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2
new file mode 100644
index 00000000..7941bcc8
--- /dev/null
+++ b/ansible/roles/oonidata/templates/oonipipeline-worker.service.j2
@@ -0,0 +1,17 @@
+# OONI Pipeline worker service
+[Unit]
+
+[Service]
+User=oonipipeline
+Restart=always
+WorkingDirectory={{ oonipipeline_runtime_dir }}
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+Environment="CONFIG_FILE=/etc/ooni/pipeline/oonipipeline-config.toml"
+ExecStart={{ miniconda_install_dir }}/bin/python -m oonipipeline startworkers
+
+[Install]
+# Start service when system boots
+WantedBy=multi-user.target
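Review bot: Removing `c.Authenticator.allowed_users` leaves the hub with no allow list in this file, and in JupyterHub releases before 5 an empty `allowed_users` set means no additional restriction, so with the default PAM authenticator any local account that can authenticate gets a notebook server; the only remaining limit visible here is `bind_url` on 127.0.0.1, which confines exposure to whatever nginx proxies to it. If access control has moved elsewhere (reverse proxy, a different authenticator, or JupyterHub 5's `allow_all` default), record that above `bind_url` with `# allowed_users intentionally unset: access is restricted by <mechanism>`; otherwise keep the allow list.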
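Review bot: The cert and key paths and the `ooni-pipeline.uuhzf` secret names are now spelled out both in the `copy` loop of tasks/main.yml and in this template with no shared variable, so a renamed secret has to be changed in lock-step in two files; consider role defaults such as `oonipipeline_config_dir` and `oonipipeline_temporal_namespace` and deriving the paths from them. The file also ends without a trailing newline (`\ No newline at end of file`), which diff tooling and some editors flag; add one. The quoted strings and the integer `clickhouse_write_batch_size = 30000` are otherwise valid TOML.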
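Review bot: The `[Unit]` section is empty, so the worker has no `Description=` and no ordering against the network, and the `[Service]` hardening stops at `ProtectKernel*`: the process can still gain privileges through setuid binaries and can write anywhere the `oonipipeline` user can, which includes `/etc/ooni/pipeline` since tasks/main.yml makes that user its owner. Adding `NoNewPrivileges=yes`, `ProtectSystem=strict` with `ReadWritePaths={{ oonipipeline_runtime_dir }}`, and `ProtectHome=yes` confines writes to the runtime directory and makes its own config and key read-only to the worker; this assumes the worker writes only under `WorkingDirectory`, which should be confirmed before merging. `Description=` and `After=network-online.target` belong in `[Unit]`, since the config points the worker at a remote Temporal address it needs at startup.
```ini
[Unit]
Description=OONI Pipeline worker
Wants=network-online.target
After=network-online.target

[Service]
# … unchanged: User, Restart, WorkingDirectory, PrivateTmp, PrivateDevices, ProtectKernelTunables, ProtectKernelModules …
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths={{ oonipipeline_runtime_dir }}
# … unchanged: Environment, ExecStart, [Install] …
```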