Add ansible role for test-lists-ui

ansible/deploy-backend.yml

@@ -51,5 +51,8 @@
       expand: yes
       ssl_domains:
         - "backend-fsn.ooni.org"
+        - "test-lists-ui.ooni.org"
     - role: ooni-backend
       ssl_domain: backend-fsn.ooni.org
+    - role: test-lists-ui
+      tags: test-lists-ui

ansible/roles/nodejs/defaults/main.yml

@@ -1,2 +1,2 @@
 install_yarn: no
-
+node_version: 16.x

ansible/roles/nodejs/tasks/main.yml

@@ -6,14 +6,20 @@
 - name: Add NodeSource apt package signing key
   apt_key:
     url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+    id: "9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280"
 
 - name: Add NodeSource apt repository
   apt_repository:
-    repo: 'deb https://deb.nodesource.com/node_7.x {{ ansible_distribution_release }} main'
+    repo: 'deb https://deb.nodesource.com/node_{{ node_version }} {{ ansible_distribution_release }} main'
+    update_cache: yes
 
 - name: Install required nodejs via apt
   apt:
     name: nodejs
+    state: present
 
-- import_tasks: install-yarn.yml
+- name: Install yarn via apt
+  apt:
+    name: yarnpkg
+    state: present
   when: install_yarn | bool == true

ansible/roles/test-lists-ui/defaults/main.yml

@@ -0,0 +1 @@
+test_lists_ui_branch: "main"

ansible/roles/test-lists-ui/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: reload nginx
+  service: name=nginx state=reloaded

ansible/roles/test-lists-ui/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies:
+  - role: nodejs
+    vars:
+      node_version: 16.x

ansible/roles/test-lists-ui/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Git checkout
+  git:
+    repo: 'https://github.com/ooni/test-lists-ui.git'
+    dest: /srv/test-lists-ui
+    version: '{{ test_lists_ui_branch }}'
+    update: yes
+
+- name: Yarn install deps
+  shell: yarn install --frozen-lockfile
+  args:
+    chdir: /srv/test-lists-ui
+
+- name: Build app
+  become: true
+  become_user: nodetlu
+  shell: yarn run build
+  args:
+    chdir: /srv/test-lists-ui
+
+- name: Install test-lists-ui.service
+  template:
+    src: templates/test-lists-ui.service
+    dest: /etc/systemd/system/test-lists-ui.service
+    mode: 0755
+    owner: root
+
+- name: Run test-lists-ui service
+  systemd:
+    name: test-lists-ui.service
+    state: restarted
+    enabled: yes
+
+- name: Write nginx config
+  template:
+    src: templates/nginx.conf
+    dest: /etc/nginx/sites-available/test-lists-ui.conf
+    mode: 0755
+    owner: root
+  notify: reload nginx

ansible/roles/test-lists-ui/templates/nginx.conf

@@ -0,0 +1,66 @@
+# Managed by ansible
+# roles/test-lists-ui/templates/nginx.conf
+
+# Use 2-level cache, 20MB of RAM + 5GB on disk,
+proxy_cache_path /var/cache/nginx/ooni-test-lists-ui levels=1:2 keys_zone=apicache:100M
+                max_size=5g inactive=24h use_temp_path=off;
+
+# anonymize ipaddr
+map $remote_addr $remote_addr_anon {
+  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
+  ~(?P<ip>[^:]+:[^:]+):       $ip::;
+  default                     0.0.0.0;
+}
+
+# log anonymized ipaddr and caching status
+log_format ooni_api_fmt '$remote_addr_anon $upstream_cache_status [$time_local] '
+    '"$request" $status snt:$body_bytes_sent rt:$request_time uprt:$upstream_response_time "$http_referer" "$http_user_agent"';
+
+server {
+  server_name test-lists-ui.ooni.org;
+
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  access_log syslog:server=unix:/dev/log,tag=oonitestlistsui,severity=info ooni_api_fmt;
+  error_log syslog:server=unix:/dev/log,tag=oonitestlistsui,severity=info;
+  gzip on;
+
+  client_max_body_size 200M;
+
+  ssl_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certs/{{ inventory_hostname }}/privkey.pem;
+  ssl_trusted_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/chain.pem; # for ssl_stapling_verify
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
+  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  # OCSP stapling
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  location / {
+    proxy_pass http://127.0.0.1:3000;
+    proxy_set_header Host $host;
+
+    proxy_set_header X-Real-IP $external_remote_addr;
+
+    proxy_cache testlistsui;
+    proxy_cache_min_uses 1;
+    proxy_cache_lock on;
+    proxy_cache_lock_timeout 30;
+    proxy_cache_lock_age 30;
+    proxy_cache_use_stale error timeout invalid_header updating;
+    proxy_cache_methods HEAD GET;
+    # Cache only 200, 301, and 302 by default and for very short.
+    # Overridden by the API using the Expires header
+    proxy_cache_valid 200 301 302 10s;
+    proxy_cache_valid any 0;
+    add_header x-cache-status $upstream_cache_status;
+    add_header X-Cache-Status $upstream_cache_status;
+  }
+
+}

ansible/roles/test-lists-ui/templates/test-lists-ui.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=OONI tests-lists-ui node.js frontend
+After=network.target
+
+[Service]
+Type=simple
+
+DynamicUser=yes
+
+PrivateTmp=yes
+PrivateUsers=yes
+RestrictSUIDSGID=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+WorkingDirectory=/srv/test-lists-ui
+ExecStart=/usr/bin/yarn run start
+
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target