Fix merge conflict

Author: LDiazN

ansible/deploy-monitoring-proxy.yml

@@ -0,0 +1,25 @@
+---
+- name: Deploy monitoring proxy
+  hosts:
+    - monitoringproxy.dev.ooni.io
+    - monitoringproxy.prod.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: dehydrated
+      vars: 
+        ssl_domains: 
+          - "{{ inventory_hostname }}"
+        tls_cert_dir: /var/lib/dehydrated/certs
+    - role: nginx
+      tags: nginx
+    - role: monitoring_proxy
+      vars: 
+        monitoring_proxy_public_fqdn: "{{ inventory_hostname }}"
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config: 
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics

ansible/inventory

@@ -36,6 +36,8 @@ ams-ps.ooni.nu
 [aws-proxy]
 clickhouseproxy.dev.ooni.io
 clickhouseproxy.prod.ooni.io
+monitoringproxy.dev.ooni.io
+monitoringproxy.prod.ooni.io
 
 [openvpn]
 openvpn1.htz-fsn.prod.ooni.nu

ansible/roles/clickhouse_proxy/tasks/main.yml

@@ -20,14 +20,13 @@
   notify:
     - reload nftables  
 
-# For prometheus scrape requests
-- name: Allow traffic on port 9200
+- name: Allow traffic on port 9100
   tags: prometheus-proxy
   blockinfile:
-    path: /etc/ooni/nftables/tcp/9200.nft
+    path: /etc/ooni/nftables/tcp/9100.nft
     create: yes
     block: |
-      add rule inet filter input tcp dport 9200 counter accept comment "prometheus"
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
   notify:
     - reload nftables  
 
@@ -50,14 +49,3 @@
   notify:
     - reload nginx
     - restart nginx
-
-- name: Add prometheus proxy nginx config
-  tags: webserv
-  template:
-    src: templates/prometheus-proxy.conf
-    dest: /etc/nginx/conf.d/prometheus-proxy.conf
-    mode: 0755
-    owner: root
-  notify:
-    - reload nginx
-    - restart nginx

ansible/roles/monitoring_proxy/defaults/main.yml

@@ -0,0 +1 @@
+tls_cert_dir: /var/lib/dehydrated/certs

ansible/roles/monitoring_proxy/handlers/main.yml

@@ -0,0 +1,21 @@
+- name: test nginx config
+  command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
+  listen:
+    - restart nginx
+    - reload nginx
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded

ansible/roles/monitoring_proxy/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers 
+  meta: flush_handlers
+- name: Allow traffic on port 9200
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9200.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9200 counter accept comment "prometheus"
+  notify:
+    - reload nftables  
+
+# TODO remove this task when the monitoring proxy is deployed
+- name: Allow traffic on port 9100
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+    - reload nftables  
+
+- name: Create the modules-enabled directory if not exists
+  tags: webserv
+  ansible.builtin.file:
+    path: /etc/nginx/modules-enabled
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Add prometheus proxy nginx config
+  tags: webserv
+  template:
+    src: templates/prometheus-proxy.conf
+    dest: /etc/nginx/conf.d/prometheus-proxy.conf
+    mode: 0755
+    owner: root
+  notify:
+    - reload nginx
+    - restart nginx

…se_proxy/templates/prometheus-proxy.conf …ng_proxy/templates/prometheus-proxy.confansible/roles/clickhouse_proxy/templates/prometheus-proxy.conf renamed to ansible/roles/monitoring_proxy/templates/prometheus-proxy.conf ansible/roles/clickhouse_proxy/templates/prometheus-proxy.conf renamed to ansible/roles/monitoring_proxy/templates/prometheus-proxy.conf

@@ -1,7 +1,7 @@
 server {
     listen 9200 ssl;
 
-    server_name {{ clickhouse_proxy_public_fqdn }};
+    server_name {{ monitoring_proxy_public_fqdn }};
 
     include /etc/nginx/ssl_intermediate.conf;
 

ansible/roles/prometheus/vars/main.yml

@@ -157,4 +157,4 @@ prometheus_aws_access_key_prod: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/se
 prometheus_aws_secret_key_prod: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/ooni_monitoring/secret_key', profile='oonidevops_user_prod') }}"
 
 # We replace the env from relabeling configs
-clickhouse_proxy_host: "clickhouseproxy.ENV.ooni.io"
+clickhouse_proxy_host: "monitoringproxy.ENV.ooni.io"

tf/environments/dev/main.tf

@@ -299,7 +299,8 @@ module "ooniapi_cluster" {
     # The clickhouse proxy has an nginx configuration
     # to proxy requests from the monitoring server
     # to the cluster instances
-    module.ooni_clickhouse_proxy.ec2_sg_id
+    module.ooni_clickhouse_proxy.ec2_sg_id,
+    module.ooni_monitoring_proxy.ec2_sg_id
   ]
 
   tags = merge(
@@ -454,6 +455,11 @@ module "ooni_clickhouse_proxy" {
     to_port     = 9200,
     protocol    = "tcp"
     cidr_blocks = [for ip in flatten(data.dns_a_record_set.monitoring_host.*.addrs) : "${tostring(ip)}/32"]
+  }, {
+    from_port   = 9100,
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]
   }]
 
   egress_rules = [{
@@ -488,6 +494,71 @@ resource "aws_route53_record" "clickhouse_proxy_alias" {
   ]
 }
 
+#### Monitoring Proxy
+module "ooni_monitoring_proxy" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3a.nano"
+
+  name = "oonimnprx"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80,
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    // For the prometheus proxy:
+    from_port   = 9200,
+    to_port     = 9200,
+    protocol    = "tcp"
+    cidr_blocks = [for ip in flatten(data.dns_a_record_set.monitoring_host.*.addrs) : "${tostring(ip)}/32"]
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"]
+  }]
+
+  sg_prefix = "oomnprx"
+  tg_prefix = "mnpr"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier1-monitoringproxy" }
+  )
+}
+
+resource "aws_route53_record" "monitoring_proxy_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "monitoringproxy.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_monitoring_proxy.aws_instance_public_dns
+  ]
+}
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {

tf/environments/prod/main.tf

@@ -385,7 +385,12 @@ module "ooni_clickhouse_proxy" {
     to_port     = 9200,
     protocol    = "tcp"
     cidr_blocks = [for ip in flatten(data.dns_a_record_set.monitoring_host.*.addrs) : "${tostring(ip)}/32"]
-  }]
+    }, {
+    from_port   = 9100,
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]
+    }]
 
   egress_rules = [{
     from_port   = 0,
@@ -419,6 +424,70 @@ resource "aws_route53_record" "clickhouse_proxy_alias" {
   ]
 }
 
+#### Monitoring Proxy
+module "ooni_monitoring_proxy" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3a.nano"
+
+  name = "oonimnprx"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80,
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    // For the prometheus proxy:
+    from_port   = 9200,
+    to_port     = 9200,
+    protocol    = "tcp"
+    cidr_blocks = [for ip in flatten(data.dns_a_record_set.monitoring_host.*.addrs) : "${tostring(ip)}/32"]
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"]
+  }]
+
+  sg_prefix = "oomnprx"
+  tg_prefix = "mnpr"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier1-monitoringproxy" }
+  )
+}
+
+resource "aws_route53_record" "monitoring_proxy_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "monitoringproxy.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_monitoring_proxy.aws_instance_public_dns
+  ]
+}
 
 ### OONI Services Clusters
 
@@ -441,7 +510,8 @@ module "ooniapi_cluster" {
     # The clickhouse proxy has an nginx configuration
     # to proxy requests from the monitoring server
     # to the cluster instances
-    module.ooni_clickhouse_proxy.ec2_sg_id
+    module.ooni_clickhouse_proxy.ec2_sg_id,  
+    module.ooni_monitoring_proxy.ec2_sg_id
   ]
 
   tags = merge(
@@ -823,7 +893,10 @@ module "ansible_controller" {
 
   dns_zone_ooni_io = local.dns_zone_ooni_io
 
-  monitoring_sg_ids = [module.ooni_clickhouse_proxy.ec2_sg_id]
+  monitoring_sg_ids = [
+    module.ooni_clickhouse_proxy.ec2_sg_id,  
+    module.ooni_monitoring_proxy.ec2_sg_id
+  ]
 
   tags = {
     Environment = local.environment