Start fleshing out the playbook for data.ooni.org (#79)

Related to: #63 It only adds support for creating users and configures their keys. It has an initial jupyterhub setup, but it's not tested and probably needs more work.
ooni · Aug 1, 2024 · cbabb30 · cbabb30
1 parent 748e26f
commit cbabb30
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 6 deletions.
diff --git a/ansible/host_vars/data.ooni.org b/ansible/host_vars/data.ooni.org
@@ -0,0 +1,53 @@
+ssh_users:
+  agrabeli:
+    login: agrabeli
+    comment: Maria Xynou
+    keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"]
+  art:
+    login: art
+    comment: Arturo Filasto
+    keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 arturo@ooni.org"]
+  majakomel:
+    login: majakomel
+    comment: Maja Komel
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7gWQL4h/IyMbwDuMIXbTVmNEm8Yx19Ftt0P2e3OyWctSMH7WGaHc6b0dGoGh6Y4x0Kpw5h0iHWshP8Rg0pckNG9LeDjLY9nLR3Jv66ogFQtFi1DAlg4CXe369N70rBN9iurndgXjShW9OV+bY+MOlW8Fmmm67Vg0xFiYuYzjgUOpl4ofkbLGAQ7sJRBzpDV6TqHhGfOdYMDJyfFvurVz0oSyEZPFFRv4Css9iVk7BGsBukCCpUuax8akEeEjxWWCvjYXva7OA0jHKayfPAroZx/OJh01rhFe7wxlu5JwUKOcevvAZqeHh6200C82ijZOCN+Qq9yvxOH+OgzhnQwnoetIbGFgnb4CkDxo7dVLc/DFyObznC4f26f5D1OyPMUX8AEarEVdEPwsEfD2ePQr6qek0XWCWtYvGklb+GRLk9Yn0VL1qwvgrtstHdeXsKONTPKRxaCjWHu18dQaG2qOUnZ+St6SHeL49CN9aav2azNI/YKoQ9SGR4D23XeBRsW8="
+  mehul:
+    login: mehul
+    comment: Mehul Gulati
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEZSA9TKUaYWG8gfnMoyDZO2S6vsy87xma4R/EzNpveZiOZTYSNn+UDL8NpQRuH5YgdWuQV2E7sKw/PIYA0lC/QTiq8Btqf6sEK5YWXtQy+yn9q5kB/rmi8zjaz0FUNigRrjL+26ao+c7NKpgmR+TRqbRd5VeJ46PuFD5M3c+MBeUoF1PT0zfioQFJ1mQoXwVix0n260clEXQDp4t0GZuNpWGTS+YTuJZ2vl6TDZtt8jrnENd99QArr2KU+NMTq8T2KYcPeQOoYsm7v/1TBkbv9UStllhjdE7HZSivPT8oRkF2YZYgytDxtCZG8i5iCK+vbNn6QmZMjuXPoBUeW+Njm70tlsirrKpUX+QiogA2qljxPD9st2eUkA7cATyOBkK7WLh1HYv2xyKpPtkkaELG+EHjmaVjVdyVAgUYwqg+MbIw1OyDpNmMZcW3iOpGpflXPMmLjKNMhee0//G7NxcGfwmIMbIiBkeofOnWDrMo+0PRULFtn6C7aA7ddirck+k="
+  norbel:
+    login: norbel
+    comment: Norbel Ambanumben
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBXprrutdT6AhrV9hWBKjyzq6RqGmCBWpWxi3qwJyRcBJfkiEYKV9QWl3H0g/Sg9JzLd9lWG2yfAai7cyBAT4Ih0+OhwQ0V7wkhBn4YkNjs7d4BGPHjuLIywS9VtmiyH7VafikMjmqPLL/uPBIbRrx9RuSfLkAuN9XFZpVmqzWY8ePpcRCvnG6ucPxEY8o+4j5nfTrgxSaIT31kH16/PFJe07tn1SZjxZE4sZTz/p9xKt6s8HXmlP3RdnXSpXWmH8ZwYDrNhkcH8m6mC3giiqSKThFdwvQVflRRvn9pAlUOhy6KIBtAt1KobVJtOCPrrkcLhQ1C+2P9wKhfYspCGrScFGnrUqumLxPpwlqILxJvmgqGAtkm8Ela9f2D9sEv8CUv5x9XptZKlyRhtOLixvLYoJlwfXXnmXa8T1pg8+4063BhHUOu/bg0InpSp3hdscOfk0R8FtDlXnn6COwbPXynIt4PxzIxD/WQhP0ymgH3ky6ClB5wRBVhOqYvxQw32n2QFS9A5ocga+nATiOE7BTOufgmDCA/OIXfJ/GukXRaMCBsvlx7tObHS1LOMt0I+WdoOEjI0ARUrFzwoiTrs9QYmd922e7S35EnheT3JjnCTjebJrCNtwritUy8vjsN/M27wJs7MAXleT7drwXXnm+3xYrH+4KQ+ru0dxMe1zfBw== aanorbel@gmail.com"
+  ain:
+    login: ain
+    comment: Ain
+    keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6Js4xtJq7AoYA8mFraQg8vYgKz/glil9AaPq4lDwtg ain@intertubes"]
+  joss:
+    login: joss
+    comment: Joss Wright
+    keys:
+      [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC40MVrMUuP93UvmyTc6cGGKbdurK+CbuoQW0b4i20EPf8pjXjrTS3b/plh7y4egUfx7/2e5l321Ui8E4tuzDWjtJsSFY9l31msEnw6PTHMzOj8kVBWqHWidVZHYPpd9eVa+3ALL9HmLDQuwyhIXXaU2ExS3XZH0GJPUxgf8tubH7qteyANWTIh1XhV0fnoeBo3fvdGVkNiMLc1PSDp/iprMurdsvwCJC42+Z5R35ORpK7FJhr38Js2Ag1NwUpo3Li+PhErfoQ5A+x64p1NRm1Bnw1Z8eFHuDI6WXuzUHhuy+11M92CtaAVEoblfx75SaCftoiO0Khn6kZ9XDed+JM1 joss@pseudonymity.net"
+      ]
+  ingrid:
+    login: ingrid
+    comment: Ingrid Epure
+    keys:
+      [
+        "ssh-rsa AAAB3NzaC1yc2EAAAADAQABAAACAQCTJQDb/Ucq5CRGqSJbNz33pB6fYtk7Pi+6LlIaV9QLhByp/G2/g6ae6Eb/TimZtxpdeIwpAmACmUn2p+mCLMHjpollUK2f3dUjmXiUSNGMPRPRxQoIvzf56patUCQRS+S7zDUKTDW/5e18CrIj0sFCC27y/pS6mmmeedHA6gmpW7L6kM57BlsxFu79rr/o/nrNH+qceJBEd8fM93yoIdEwxPHZyKJ5kj9+lh+4TtDLxxkwFfc6Kce1d0qxfpX1NzIbK5Vp8JlXrGEWbOFFT8S7Ru+j1/g/ptUjsXJ7DpH1wwlF6wYsU0DJuhkLv6XFZQuoHYwpZ4jmnJRWrXSgdylPk67M5Dr9aB2j0WGJNZysiXVZQZmoMUhfrNxaGVv6gB48krE6ysUoLrenR68aLOYqF8Yqvu1lCIyds1ORtjnpxWxFB7NS89us4KFofAMW+qeg/g3nEYvln9/S0b58goToNIw/p7wP9WOeh7JuM/FBT5ahJbeYpXapJh1WW6Rt48RGVwxFLXbcnH8wpCfhUw7fIVpXMhbfhtWTlWVJEAyk3eLWdNEJ7AH6jaqTdfTa4qBgrof0MgoZrb64qFDAsG9Z80Uj9oC2Zdy+gwDu76WJQfSKaD7hmq0w8khoFSVju7fvcfd5HWgLZbptCIw51mJSMQIQWs8Y/iGijTSckXXCXQ==",
+      ]
+  siti:
+    login: siti
+    comment: "Siti Nurliza"
+    keys:
+      [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqG1VepfzDdSp3zG27jZq3S9/62CKPLh93F///ht9rf",
+      ]
+admin_usernames: [ art, majakomel, mehul, norbel ]
+non_admin_usernames: [ ain, siti, ingrid, joss ]
+jupyterhub_allowed_users: "{{ ssh_users }}"
+admin_group_name: adm
diff --git a/ansible/inventory b/ansible/inventory
@@ -1,6 +1,6 @@
 [all]
 monitoring.ooni.org
 openvpn-server1.ooni.io
-
 # This requires manual setup of ~/.ssh/config
 #codesign-box
+data.ooni.org
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -2,25 +2,33 @@
 - name: ClickHouse servers
   hosts: clickhouse_servers
   user: admin
-  become: yes
+  become: true
   vars:
     clickhouse_reader_password: "{{ lookup('env', 'CLICKHOUSE_READER_PASSWORD') }}"
   roles:
     - clickhouse
   handlers:
-    - name: restart clickhouse-server
-      service:
+    - name: Restart clickhouse-server
+      ansible.builtin.service:
         name: clickhouse-server
         state: restarted
 
 - name: Update monitoring config
   hosts: monitoring.ooni.org
-  become: yes
+  become: true
   roles:
     - prometheus
     - prometheus_blackbox_exporter
     - prometheus_alertmanager
 
+- name: Deploy data.ooni.org host
+  hosts: data.ooni.org
+  become: true
+  roles:
+    #- clickhouse
+    - ssh_users
+    #- jupyterhub
+
 - name: Setup OpenVPN server
   hosts: openvpn-server1.ooni.io
   become: true

diff --git a/ansible/roles/clickhouse/tasks/main.yml b/ansible/roles/clickhouse/tasks/main.yml
@@ -71,4 +71,3 @@
     mode: '0640'
   notify:
     - restart clickhouse-server
-
diff --git a/ansible/roles/jupyterhub/tasks/main.yml b/ansible/roles/jupyterhub/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+- name: Check if TLJH is installed
+  ansible.builtin.stat:
+    path: "{{ jupyterhub_tljh_prefix }}"
+  register: tljh_directory
+
+- name: Install required packages for TLJH
+  become: true
+  ansible.builtin.apt:
+    name:
+      - curl
+      - python3
+      - python3-pip
+      - python3-dev
+      - python3-venv
+      - build-essential
+      - cifs-utils
+    state: present
+    update_cache: true
+
+- name: Download the TLJH installer
+  become: true
+  ansible.builtin.get_url:
+    url: "https://tljh.jupyter.org/bootstrap.py"
+    dest: "/tmp/tljh-bootstrap.py"
+    checksum: "sha256:2e20bf204c94e1b6eef31499c93f6a14324117deec2eb398a142cb14acbeedd1"
+    mode: "0700"
+  when: not tljh_directory.stat.exists
+
+- name: Run the TLJH installer
+  become: true
+  ansible.builtin.shell: |
+    python3 /tmp/tljh-bootstrap.py --admin {{ jupyterhub_tljh_admin_user }}:{{ jupyterhub_tljh_admin_password }}
+  creates: "{{ jupyterhub_tljh_prefix }}"
+  when: not tljh_directory.stat.exists
+
+- name: Restart the JupyterHub service with daemon-reload
+  become: true
+  tags:
+    - config
+  ansible.builtin.systemd:
+    name: jupyterhub
+    state: restarted
+    enabled: true
+    daemon_reload: true
+  when: not tljh_directory.stat.exists
+
+- name: Configure Let's Encrypt email and domain
+  become: true
+  ansible.builtin.shell: |
+    tljh-config set https.enabled true
+    tljh-config set https.letsencrypt.email {{ jupyterhub_letsencrypt_email }}
+    tljh-config add-item https.letsencrypt.domains {{ jupyterhub_letsencrypt_domain }}
+    tljh-config reload proxy
+  vars:
+    jupyterhub_letsencrypt_domain: "{{ inventory_hostname }}"
+  register: tljh_letsencrypt
+  changes_when: tljh_letsencrypt.rc != 0
+  when: not tljh_directory.stat.exists
+
+- name: Copy the JupyterHub config
+  become: true
+  ansible.builtin.template:
+    src: jupyterhub_config.py.j2
+    dest: "{{ jupyterhub_config_dest }}"
+    mode: preserve
+
+- name: Restart the JupyterHub service with daemon-reload
+  become: true
+  tags:
+    - config
+  ansible.builtin.systemd:
+    name: jupyterhub
+    state: restarted
+    enabled: true
+    daemon_reload: true
diff --git a/ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2 b/ansible/roles/jupyterhub/templates/jupyterhub_config.py.j2
@@ -0,0 +1,2 @@
+# c.Spawner.cmd = ['/srv/jupyterhub/conda/bin/jupyterhub-singleuser']
+c.Authenticator.allowed_users = { {{jupyterhub_allowed_users | join(",")}} }
diff --git a/ansible/roles/jupyterhub/vars/main.yml b/ansible/roles/jupyterhub/vars/main.yml
@@ -0,0 +1,8 @@
+jupyterhub_letsencrypt_email: admin@openobservatory.org
+
+jupyterhub_tljh_admin_user: admin
+jupyterhub_tljh_admin_pass: oonity!
+jupyterhub_tljh_prefix: /opt/tljh
+jupyterhub_config_dest: /opt/tljh/config/jupyterhub_config.d/tljh.py
+
+jupyterhub_allowed_users: []