ooni · FedericoCeratto · Jun 26, 2020 · Jun 26, 2020 · Jun 29, 2020 · Jun 29, 2020
diff --git a/ansible/deploy-postgres-11.yml b/ansible/deploy-postgres-11.yml
@@ -0,0 +1,38 @@
+---
+
+# Deploy PostgreSQL 11.7
+
+- import_playbook: ansible-version.yml
+
+- hosts: ams-pg.ooni.nu
+  gather_facts: true # to gather `ansible_service_mgr`
+  tags: postgresql11
+  roles:
+    - role: postgresql11
+
+#- name: install prometheus-postgres-exporter
+#  apt:
+#    cache_valid_time: 86400
+#    install_recommends: no
+#    name: prometheus-postgres-exporter
+#
+#
+#- name: install prom process exporter
+#  apt:
+#    cache_valid_time: 86400
+#    install_recommends: no
+#    name: prometheus-process-exporter
+#
+#- name: install prom Nginx exporter
+#  apt:
+#    cache_valid_time: 86400
+#    install_recommends: no
+#    name: prometheus-nginx-exporter
+#
+#
+#- name: install prox Haproxy exporter
+#  apt:
+#    cache_valid_time: 86400
+#    install_recommends: no
+#    name: prometheus-haproxy-exporter
+#
diff --git a/ansible/inventory b/ansible/inventory
@@ -126,9 +126,11 @@ ams-orchestra.ooni.nu
 mia-run.ooni.nu
 ams-api.ooni.nu
 ams-jupyter.ooni.nu
-ams-pg.ooni.nu
 mia-explorer-test.ooni.nu
 
+[have_nftables]
+ams-pg.ooni.nu
+
 [have_nginx]
 prometheus.infra.ooni.io
 amsmatomo.ooni.nu

diff --git a/ansible/roles/adm/tasks/main.yml b/ansible/roles/adm/tasks/main.yml
@@ -37,9 +37,11 @@
 
 - name: root .ssh/authorized_keys2
   template: src=authorized_keys_root dest=/root/.ssh/authorized_keys2 owner=root group=root mode=0400
+  # TODO remove direct ssh as root
 
 - name: legacy root .ssh/authorized_keys
   template: src=authorized_keys_root_legacy dest=/root/.ssh/authorized_keys backup=yes owner=root group=root mode=0400
+  # TODO remove direct ssh as root
 
 - name: require gid=0 for su # to prevent any process doing `su` while knowing The Password
   lineinfile:

diff --git a/ansible/roles/adm/templates/authorized_keys b/ansible/roles/adm/templates/authorized_keys
@@ -1,4 +1,5 @@
-# ansible-managed in ooni-sysadmin.git
+# managed by ansible
+# see roles/adm/templates/authorized_keys
 {% for k in passwd[item]['keys'] %}
 {{ k }}
 {% endfor %}
diff --git a/ansible/roles/adm/templates/sudoers b/ansible/roles/adm/templates/sudoers
@@ -1,4 +1,4 @@
-# ansible-managed in ooni-sysadmin.git
+# ansible-managed in roles/adm/templates/sudoers
 {% for login in adm_logins %}
 {{ passwd[login].login }} ALL=(ALL:ALL) NOPASSWD: ALL
 {% endfor %}
diff --git a/ansible/roles/base-buster/README.adoc b/ansible/roles/base-buster/README.adoc
@@ -0,0 +1,2 @@
+
+Configure base host based on Buster
diff --git a/ansible/roles/base-buster/meta/main.yml b/ansible/roles/base-buster/meta/main.yml
@@ -0,0 +1,12 @@
+---
+dependencies:
+  - role: track_etc_directory
+  - role: adm
+    become: false
+    remote_user: root
+    gather_facts: false
+
+  #- role: ooca-cert
+  #  ooca_ssl_dir: '{{ ngxprom_ssl_dir }}'
+  #  ooca_ssl_subj: '/O=OONI/OU=Prometheus Exporter/CN={{ inventory_hostname }}'
+  #  ooca_ca: exporter_ca
diff --git a/ansible/roles/base-buster/tasks/main.yml b/ansible/roles/base-buster/tasks/main.yml
@@ -0,0 +1,126 @@
+---
+- name: Remove apt repo
+  file:
+    path: /etc/apt/sources.list.d/ftp_nl_debian_org_debian.list
+    state: absent
+
+- name: Remove apt repo
+  file:
+    path: /etc/apt/sources.list.d/security_debian_org.list
+    state: absent
+
+- name: Set apt repos
+  template:
+    src: templates/sources.list
+    dest: /etc/apt/sources.list
+    mode: 0644
+    owner: root
+
+- name: Update apt cache and upgrade packages
+  apt:
+    update_cache: yes
+    upgrade: dist
+
+- name: Installs base packages
+  tags: base-packages
+  apt:
+    install_recommends: no
+    cache_valid_time: 86400
+    name:
+      # - prometheus-node-exporter-collectors
+      - bash-completion
+      - byobu
+      - chrony
+      - fail2ban
+      - iotop
+      - manpages
+      - ncdu
+      - netdata-core
+      - netdata-plugins-bash
+      - netdata-plugins-python
+      - netdata-web
+      - nullmailer
+      - prometheus-node-exporter
+      - rsync
+      - strace
+      - tcpdump
+      - tmux
+
+- name: Remove smartmontools
+  apt:
+    name: smartmontools
+    state: absent
+
+- name: Reset failed smartd
+  command: systemctl reset-failed
+
+- name: Autoremove
+  apt:
+    autoremove: yes
+
+- name: Clean cache
+  apt:
+    autoclean: yes
+
+- name: allow netdata.service
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/19999.nft
+    create: yes
+    block: |
+      add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.infra.ooni.io/A') }} tcp dport 19999 counter accept comment "netdata.service"
+
+- name: reload nftables service
+  systemd:
+    name: nftables.service
+    state: reloaded
+
+- name: configure netdata.service
+  blockinfile:
+    path: /etc/netdata/netdata.conf
+    block: |
+      # Managed by ansible, see roles/base-buster/tasks/main.yml
+      [global]
+        run as user = netdata
+        web files owner = root
+        web files group = root
+        bind socket to IP = 0.0.0.0
+
+      [plugins]
+        python.d = yes
+
+- name: configure netdata chrony
+  blockinfile:
+    path: /etc/netdata/python.d/chrony.conf
+    create: yes
+    block: |
+      # Managed by ansible, see roles/base-buster/tasks/main.yml
+      update_every: 5
+      local:
+        command: 'chronyc -n tracking'
+
+#- name: configure netdata nginx
+#  blockinfile:
+#    path: /etc/netdata/python.d/nginx.conf
+#    create: yes
+#    block: |
+#      # Managed by ansible, see roles/base-buster/tasks/main.yml
+#      update_every: 5
+#      nginx_log:
+#        name  : 'nginx_log'
+#        path  : '/var/log/nginx/access.log'
+
+#- name: configure netdata haproxy
+#  blockinfile:
+#    path: /etc/netdata/python.d/haproxy.conf
+#    block: |
+#      # Managed by ansible, see roles/base-buster/tasks/main.yml
+#      update_every: 5
+#      via_url:
+#        url: 'http://127.0.0.1:7000/haproxy_stats;csv;norefresh'
+
+- name: restart netdata service
+  systemd:
+    name: netdata.service
+    state: restarted
+
+
diff --git a/ansible/roles/base-buster/templates/sources.list b/ansible/roles/base-buster/templates/sources.list
@@ -0,0 +1,7 @@
+# Managed by ansible
+# roles/base-buster/templates/sources.list
+
+deb http://deb.debian.org/debian buster main contrib non-free
+deb http://security.debian.org/debian-security buster/updates main contrib non-free
+deb http://deb.debian.org/debian buster-backports main
+deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main
diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc
@@ -0,0 +1,25 @@
+Install nftables based firewall
+
+Set up /etc/ooni/nftables/
+
+Rules for specific services are *not* configured by this role
+
+When creating rules to accept TCP traffic from any IPv4/6 address,
+files are named with the port number to detect collisions.
+
+Example (also see roles/nftables/tasks/main.yml):
+
+/etc/ooni/nftables/tcp/8080.nft
+
+```
+add rule inet filter input tcp dport 8080 counter accept comment "MyService"
+```
+
+
+Otherwise:
+
+/etc/ooni/nftables/tcp/5432_postgres_internal.nft
+
+```
+add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL"
+```
diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Install nftables
+  apt:
+    cache_valid_time: 86400
+    name: nftables
+
+- name: create config dir
+  file:
+    path: /etc/ooni/nftables/tcp
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: allow SSH
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/22.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH"
+
+- name: Overwrite nftables.conf
+  template:
+    src: templates/nftables.conf
+    dest: /etc/nftables.conf
+    mode: 0755
+    owner: root
+
+- name: Enable and start nftables service
+  systemd:
+    name: nftables.service
+    state: reloaded
+    enabled: yes
+
diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf
@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+#
+# Nftables configuration script
+#
+# Managed by ansible
+# roles/nftables/templates/nftables.conf
+#
+# The ruleset is applied atomically
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+    policy drop;
+    iif lo accept comment "Accept incoming traffic from localhost"
+    ct state invalid drop
+    ct state established,related accept comment "Accept traffic related to outgoing connections"
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    policy accept;
+  }
+
+  chain output {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}
+
+# Configure TCP traffic rules
+include "/etc/ooni/nftables/tcp/*.nft"
+
+# Configure any other rule
+include "/etc/ooni/nftables/*.nft"
+
diff --git a/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/ansible/roles/nginx-buster/files/ssl_intermediate.conf b/ansible/roles/nginx-buster/files/ssl_intermediate.conf
@@ -0,0 +1,3 @@
+# Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
diff --git a/ansible/roles/nginx-buster/files/ssl_modern.conf b/ansible/roles/nginx-buster/files/ssl_modern.conf
@@ -0,0 +1,4 @@
+# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# NB: technically, it does not require ssl_dhparam as it has no DHE, only ECDHE.
diff --git a/ansible/roles/nginx-buster/tasks/main.yml b/ansible/roles/nginx-buster/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: install stable nginx
+  apt:
+    name: nginx
+    cache_valid_time: 86400
+
+# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
+#
+# Guide https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups
+# suggests ffdhe2048 instead of `openssl dhparam` to avoid https://weakdh.org/
+- name: copy nginx configuration snippets
+  copy: src={{item}}  dest=/etc/nginx/{{ item }} mode=0444 owner=root group=root
+  with_items:
+    - ffdhe2048_dhparam.pem # ffdhe2048 Diffie-Hellman parameters
+    - ssl_intermediate.conf
+    - ssl_modern.conf
+
+- name: remove `default` vhost
+  file: path={{item}} state=absent
+  notify: reload nginx
+  with_items:
+    - /etc/nginx/conf.d/default.conf
+    - /etc/nginx/sites-available/default
+    - /etc/nginx/sites-enabled/default
+
+- name: set nginx.conf
+  template:
+    src=nginx.conf
+    dest=/etc/nginx/nginx.conf
+    mode=0444
+  notify: reload nginx
+...