Merge pull request #270 from ooni/anonc-test-instance

Anonc test instance

Author: LDiazN

ansible/deploy-anonc.yml

@@ -0,0 +1,16 @@
+---
+- name: Deploy anoncenv
+  hosts:
+    - anonc.dev.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: nginx
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config: 
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics
+    - role: anonc

ansible/inventory

@@ -45,4 +45,5 @@ openvpn2.htz-fsn.prod.ooni.nu
 
 [aws-backend]
 fastpath.dev.ooni.io
-fastpath.prod.ooni.io
+fastpath.prod.ooni.io
+anonc.dev.ooni.io

ansible/roles/anonc/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers
+  meta: flush_handlers
+
+- name: Allow traffic on port 9200
+  become: true
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables
+
+# Add Michele's user
+- name: Ensure user exists
+  ansible.builtin.user:
+    name: morru
+    comment: "Michele Orru"
+    shell: /bin/bash
+    groups: sudo
+    append: yes
+    create_home: yes
+  tags:
+    - morru
+
+- name: Add SSH key for Michele
+  ansible.builtin.authorized_key:
+    user: morru
+    state: present
+    key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLQroCtPsBHX3AqI+0w3sF+0GP8TnFSfekp1JU5jqkk m@orru.net"
+  tags:
+    - morru
+
+- name: Ensure passwordless sudo for deploy user
+  ansible.builtin.copy:
+    dest: "/etc/sudoers.d/morru"
+    content: "morru ALL=(ALL) NOPASSWD:ALL\n"
+    owner: root
+    group: root
+    mode: '0440'
+  tags:
+    - morru

tf/environments/dev/main.tf

@@ -1021,3 +1021,74 @@ module "ooni_monitoring" {
 
   tags = local.tags
 }
+
+### Anonymous credentials testing instance
+module "ooni_anonc" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3a.small"
+
+  name = "oonifastpath"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80, # for dehydrated challenge
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 443, # for the POC hosting
+    to_port     = 443,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 9100, # for node exporter metrics
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"],
+    }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"],
+  }]
+
+  sg_prefix = "oonianonc"
+  tg_prefix = "anon"
+
+  disk_size = 20
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-anonc" }
+  )
+}
+
+resource "aws_route53_record" "anonc_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "anonc.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_anonc.aws_instance_public_dns
+  ]
+}