Merge branch 'plpsql-improve'

* plpsql-improve:
  fix some issues with the playbook
  Reset iptables rules back to how they were
  Remote empty space
  invert order of commands
  Remove etckeeper commands
  allow openvpn connections
  Get rid of another ugly hack for user_group_id
  Get rid of ugly hack for getting user id
  Remove unneeded mia-ps line
  Replace variables
  Use default interpreter
  Improve OpenVPN setup
  Flesh out basic openvpn based proxy
  use role based tag to indicate active or standby hosts
  Use native user module to get user and group IDs

Author: hellais

ansible/inventory

@@ -48,12 +48,6 @@ ams-jupyter.ooni.nu
 ams-wcth2.ooni.nu
 ams-wcth3.ooni.nu
 
-[probe_services]
-mia-ps2.ooni.nu
-hkg-ps.ooni.nu
-ams-ps.ooni.nu
-ams-ps2.ooni.nu
-
 ########################################################################
 # PSK (pre-shared key) tags
 
@@ -173,9 +167,21 @@ mia-ps2.ooni.nu
 ams-ps2.ooni.nu
 mia-ps2.ooni.nu
 
+[db_active]
+hkgmetadb.infra.ooni.io
+
+[db_standby]
+amsmetadb.ooni.nu
+
 [have_netdata]
 fastpath.ooni.nu
 
+[probe_services]
+mia-ps2.ooni.nu
+hkg-ps.ooni.nu
+ams-ps.ooni.nu
+ams-ps2.ooni.nu
+
 ########################################################################
 # TO DELETE.
 # Stopped VMs that should be deleted from GH and DNS after some grace period:

ansible/roles/airflow/tasks/af-psql.yml

@@ -11,11 +11,8 @@
     group: "afpsql"
     comment: "afpsql for Pipeline"
     state: present
-- name: get the user ids
-  shell: >
-    egrep "^afpsql:" /etc/passwd | awk -F: '{ print $3":"$4 }'
-  changed_when: false
-  register: user_group_id
+  register: afpsql_user
+
 - name: airflow postgres tmp directory
   file: dest=/srv/tmp/af-psql state=directory owner=afpsql group=afpsql mode=0750
 - name: airflow postgres /data directory
@@ -34,7 +31,7 @@
       PGDATA: /srv/af-psql
       POSTGRES_USER: airflow
       POSTGRES_PASSWORD: "{{ airflow_postgres_password }}"
-    user: "{{ user_group_id.stdout }}"
+    user: "{{ afpsql_user.uid }}:{{ afpsql_user.group }}"
     stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate.
     stop_timeout: 60 # default is 10
     restart_policy: unless-stopped

ansible/roles/airflow/tasks/af-redis.yml

@@ -7,12 +7,7 @@
     group: "afredis"
     comment: "afredis for Pipeline"
     state: present
-
-- name: get the user ids
-  shell: >
-    egrep "^afredis:" /etc/passwd | awk -F: '{ print $3":"$4 }'
-  changed_when: false
-  register: user_group_id
+  register: afredis_user
 
 - name: redis .../etc directory
   file: dest=/srv/etc/af-redis state=directory owner=root group=root mode=0755
@@ -31,5 +26,5 @@
       - /srv/etc/af-redis:/usr/local/etc:ro
       - /srv/af-redis:/data:rw
     command: /usr/local/etc/redis.conf
-    user: "{{ user_group_id.stdout }}"
+    user: "{{ afredis_user.uid }}:{{ afredis_user.group }}"
     restart_policy: unless-stopped

ansible/roles/plpsql/handlers/main.yml

@@ -3,4 +3,8 @@
   command: docker restart pl-psql # XXX: is `stop_timeout` respected?
 - name: reload pl-psql
   command: docker exec -it pl-psql pg_ctl reload -D /srv/pl-psql
+- name: restart openvpn
+  service:
+    name: openvpn
+    state: restarted
 ...

ansible/roles/plpsql/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - libhandlers
+...

ansible/roles/plpsql/tasks/main.yml

@@ -8,12 +8,7 @@
     group: "plpsql"
     comment: "plpsql for Postgres"
     state: present
-
-- name: get the user ids
-  shell: >
-    egrep "^plpsql:" /etc/passwd | awk -F: '{ print $3":"$4 }'
-  changed_when: false
-  register: user_group_id
+  register: plpsql_user
 
 - name: pipeline postgres PGDATA directory
   file: dest=/srv/pl-psql state=directory owner=plpsql group=plpsql mode=0700
@@ -22,32 +17,69 @@
   template: src=pg_hba.conf dest=/srv/pl-psql/pg_hba.conf owner=plpsql group=plpsql mode=0444
   notify: reload pl-psql
 
-# Warning: hkgmetadb.infra.ooni.io is hardcoded here to identify the active and standby DBs
-# TODO: use a flag in inventory instead
-
-# active host
-
 - name: place config in PGDATA for active DB
   template: src=postgresql.active.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444
   notify: reload pl-psql
-  when: inventory_hostname == 'hkgmetadb.infra.ooni.io'
+  when: "'db_active' in group_names"
 
 - name: drop recovery.conf from PGDATA on active DB
   file: name=/srv/pl-psql/recovery.conf state=absent
   notify: reload pl-psql
-  when: inventory_hostname == 'hkgmetadb.infra.ooni.io'
-
-# standby hosts
+  when: "'db_active' in group_names"
 
 - name: place config in PGDATA for standby DB
   template: src=postgresql.standby.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444
   notify: reload pl-psql
-  when: inventory_hostname != 'hkgmetadb.infra.ooni.io'
+  when: "'db_standby' in group_names"
 
 - name: place recovery.conf to PGDATA on standby DB
   template: src=recovery.conf dest=/srv/pl-psql/recovery.conf owner=plpsql group=plpsql mode=0444
   notify: reload pl-psql
-  when: inventory_hostname != 'hkgmetadb.infra.ooni.io'
+  when: "'db_standby' in group_names"
+
+# TODO fix this with the apt module once we update to the latest debian
+#  apt:
+#    name: openvpn
+#    install_recommends: no
+
+- name: install openvpn
+  command: apt-get install --no-install-recommends -y openvpn
+  tags: dbvpn
+
+- name: openvpn create conf on standby node
+  template: src=openvpn.standby.conf dest=/etc/openvpn/oonidbvpn.conf
+  notify: systemctl daemon-reload
+  when: "'db_standby' in group_names"
+  tags: dbvpn
+
+- name: openvpn create conf on active node
+  template: src=openvpn.active.conf dest=/etc/openvpn/oonidbvpn.conf
+  notify: systemctl daemon-reload
+  when: "'db_active' in group_names"
+  tags: dbvpn
+
+- name: openvpn create shared secret on active node
+  command: openvpn --genkey --secret /etc/openvpn/oonipgvpn.key
+  args:
+    creates: /etc/openvpn/oonipgvpn.key
+  notify: restart openvpn
+  when: "'db_active' in group_names"
+  tags: dbvpn
+
+- name: openvpn copy shared secret from active node
+  slurp:
+    src: /etc/openvpn/oonipgvpn.key
+  register: pgvpn_secret
+  when: "'db_active' in group_names"
+  tags: dbvpn
+
+- name: openvpn copy shared secret to standby node
+  copy:
+    content: "{{ pgvpn_secret }}"
+    dest: /etc/openvpn/oonipgvpn.key
+  notify: restart openvpn
+  when: "'db_standby' in group_names"
+  tags: dbvpn
 
 # if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/
 - name: docker run pipeline postgres
@@ -86,7 +118,7 @@
       PUSHGATEWAY_CERT: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.cert"
       PUSHGATEWAY_KEY: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.key"
     stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate.
-    user: "{{ user_group_id.stdout }}"
+    user: "{{ plpsql_user.uid }}:{{ plpsql_user.group }}"
     stop_timeout: 60 # default is 10
     restart_policy: unless-stopped
 ...

ansible/roles/plpsql/templates/openvpn.active.conf

@@ -0,0 +1,17 @@
+# OONI DB VPN - managed by ansible
+# /etc/openvpn/oonidbvpn.conf
+# HKG -> mia-ps-test.ooni.nu -> AMS
+
+dev tun
+remote {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }}
+# fallback to direct connection HKG -> AMS
+remote {{ lookup('dig', 'amsmetadb.ooni.nu/A') }}
+ifconfig 10.1.0.2 10.1.0.1
+secret oonipgvpn.key
+cipher AES-256-CBC
+comp-lzo
+verb 3
+keepalive 10 60
+ping-timer-rem
+persist-tun
+persist-key

ansible/roles/plpsql/templates/openvpn.standby.conf

@@ -0,0 +1,13 @@
+# OONI DB VPN - managed by ansible
+# /etc/openvpn/oonidbvpn.conf
+# HKG -> mia-ps-test.ooni.nu -> AMS
+# Configuration for AMS db
+dev tun
+ifconfig 10.1.0.1 10.1.0.2
+secret oonipgvpn.key
+comp-lzo
+cipher AES-256-CBC
+keepalive 10 60
+ping-timer-rem
+persist-tun
+persist-key

ansible/roles/plpsql/templates/pg_hba.conf

@@ -93,7 +93,7 @@ host    all             all             ::1/128                 trust
 #host    replication     postgres        ::1/128                 trust
 
 # NB: `ssl` is neither supported nor enforced.
-{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %}
+{% if 'db_active' in group_names %}
 host replication amsrepl {{ lookup('dig', 'amsmetadb.ooni.nu/A') }}/32 md5
 {% endif %}
 

ansible/roles/plpsql/templates/postgresql.active.conf

@@ -208,13 +208,10 @@ wal_level = replica # minimal, replica, or logical. (change requires restart)
 #checkpoint_warning = 30s		# 0 disables
 
 # - Archiving -
-
-{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %}
 archive_mode = on
 archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"'
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
-{% endif %}
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 

ansible/roles/plpsql/templates/postgresql.standby.conf

@@ -208,13 +208,11 @@ wal_level = replica # minimal, replica, or logical. (change requires restart)
 #checkpoint_warning = 30s		# 0 disables
 
 # - Archiving -
-
-{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %}
-archive_mode = on
-archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"'
+# Disable archiving because standby
+#archive_mode = on
+#archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"'
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
-{% endif %}
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 

ansible/templates/iptables.filter.part/amsmetadb.ooni.nu

@@ -4,4 +4,8 @@
 -A INPUT -s {{ lookup('dig', 'ams-api.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
 -A INPUT -s {{ lookup('dig', 'fastpath.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
 -A INPUT -s {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
+
+# allow openvpn connections
+-A INPUT -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }}/32 -p udp --dport 1194 -j ACCEPT
+-A INPUT -s {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }}/32 -p udp --dport 1194 -j ACCEPT
 {% endblock %}