Start fleshing out the playbook for data.ooni.org (#79)
Related to: #63. It only adds support for creating users and configuring their keys. It has an initial JupyterHub setup, but it's not tested and probably needs more work.
Showing
7 changed files
with
152 additions
and
6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
ssh_users: | ||
agrabeli: | ||
login: agrabeli | ||
comment: Maria Xynou | ||
keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"] | ||
art: | ||
login: art | ||
comment: Arturo Filasto | ||
keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 arturo@ooni.org"] | ||
majakomel: | ||
login: majakomel | ||
comment: Maja Komel | ||
keys: | ||
- "ssh-rsa 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" | ||
mehul: | ||
login: mehul | ||
comment: Mehul Gulati | ||
keys: | ||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEZSA9TKUaYWG8gfnMoyDZO2S6vsy87xma4R/EzNpveZiOZTYSNn+UDL8NpQRuH5YgdWuQV2E7sKw/PIYA0lC/QTiq8Btqf6sEK5YWXtQy+yn9q5kB/rmi8zjaz0FUNigRrjL+26ao+c7NKpgmR+TRqbRd5VeJ46PuFD5M3c+MBeUoF1PT0zfioQFJ1mQoXwVix0n260clEXQDp4t0GZuNpWGTS+YTuJZ2vl6TDZtt8jrnENd99QArr2KU+NMTq8T2KYcPeQOoYsm7v/1TBkbv9UStllhjdE7HZSivPT8oRkF2YZYgytDxtCZG8i5iCK+vbNn6QmZMjuXPoBUeW+Njm70tlsirrKpUX+QiogA2qljxPD9st2eUkA7cATyOBkK7WLh1HYv2xyKpPtkkaELG+EHjmaVjVdyVAgUYwqg+MbIw1OyDpNmMZcW3iOpGpflXPMmLjKNMhee0//G7NxcGfwmIMbIiBkeofOnWDrMo+0PRULFtn6C7aA7ddirck+k=" | ||
norbel: | ||
login: norbel | ||
comment: Norbel Ambanumben | ||
keys: | ||
- "ssh-rsa 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 aanorbel@gmail.com" | ||
ain: | ||
login: ain | ||
comment: Ain | ||
keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6Js4xtJq7AoYA8mFraQg8vYgKz/glil9AaPq4lDwtg ain@intertubes"] | ||
joss: | ||
login: joss | ||
comment: Joss Wright | ||
keys: | ||
[ | ||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC40MVrMUuP93UvmyTc6cGGKbdurK+CbuoQW0b4i20EPf8pjXjrTS3b/plh7y4egUfx7/2e5l321Ui8E4tuzDWjtJsSFY9l31msEnw6PTHMzOj8kVBWqHWidVZHYPpd9eVa+3ALL9HmLDQuwyhIXXaU2ExS3XZH0GJPUxgf8tubH7qteyANWTIh1XhV0fnoeBo3fvdGVkNiMLc1PSDp/iprMurdsvwCJC42+Z5R35ORpK7FJhr38Js2Ag1NwUpo3Li+PhErfoQ5A+x64p1NRm1Bnw1Z8eFHuDI6WXuzUHhuy+11M92CtaAVEoblfx75SaCftoiO0Khn6kZ9XDed+JM1 joss@pseudonymity.net" | ||
] | ||
ingrid: | ||
login: ingrid | ||
comment: Ingrid Epure | ||
keys: | ||
[ | ||
"ssh-rsa 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", | ||
] | ||
siti: | ||
login: siti | ||
comment: "Siti Nurliza" | ||
keys: | ||
[ | ||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqG1VepfzDdSp3zG27jZq3S9/62CKPLh93F///ht9rf", | ||
] | ||
admin_usernames: [ art, majakomel, mehul, norbel ] | ||
non_admin_usernames: [ ain, siti, ingrid, joss ] | ||
jupyterhub_allowed_users: "{{ ssh_users }}" | ||
admin_group_name: adm |
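Review bot: `jupyterhub_allowed_users: "{{ ssh_users }}"` ties hub access to every entry that has a key rather than to the two username lists, so `agrabeli`, who appears in neither `admin_usernames` nor `non_admin_usernames`, would still be allowed into JupyterHub. If hub access is meant to follow the accounts this playbook actually manages, derive it from those lists, e.g. `jupyterhub_allowed_users: "{{ admin_usernames + non_admin_usernames }}"`. The value is also a mapping, not a list of logins; iterating it yields the dict keys, which match each `login` only because the two happen to be identical today. A short comment above the variable saying which set of people it is meant to cover would make later additions safer.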
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
[all] | ||
monitoring.ooni.org | ||
openvpn-server1.ooni.io | ||
|
||
# This requires manual setup of ~/.ssh/config | ||
#codesign-box | ||
data.ooni.org |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -71,4 +71,3 @@ | |
mode: '0640' | ||
notify: | ||
- restart clickhouse-server | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
--- | ||
- name: Check if TLJH is installed | ||
ansible.builtin.stat: | ||
path: "{{ jupyterhub_tljh_prefix }}" | ||
register: tljh_directory | ||
|
||
- name: Install required packages for TLJH | ||
become: true | ||
ansible.builtin.apt: | ||
name: | ||
- curl | ||
- python3 | ||
- python3-pip | ||
- python3-dev | ||
- python3-venv | ||
- build-essential | ||
- cifs-utils | ||
state: present | ||
update_cache: true | ||
|
||
- name: Download the TLJH installer | ||
become: true | ||
ansible.builtin.get_url: | ||
url: "https://tljh.jupyter.org/bootstrap.py" | ||
dest: "/tmp/tljh-bootstrap.py" | ||
checksum: "sha256:2e20bf204c94e1b6eef31499c93f6a14324117deec2eb398a142cb14acbeedd1" | ||
mode: "0700" | ||
when: not tljh_directory.stat.exists | ||
|
||
- name: Run the TLJH installer | ||
become: true | ||
ansible.builtin.shell: | | ||
python3 /tmp/tljh-bootstrap.py --admin {{ jupyterhub_tljh_admin_user }}:{{ jupyterhub_tljh_admin_password }} | ||
creates: "{{ jupyterhub_tljh_prefix }}" | ||
when: not tljh_directory.stat.exists | ||
|
||
- name: Restart the JupyterHub service with daemon-reload | ||
become: true | ||
tags: | ||
- config | ||
ansible.builtin.systemd: | ||
name: jupyterhub | ||
state: restarted | ||
enabled: true | ||
daemon_reload: true | ||
when: not tljh_directory.stat.exists | ||
|
||
- name: Configure Let's Encrypt email and domain | ||
become: true | ||
ansible.builtin.shell: | | ||
tljh-config set https.enabled true | ||
tljh-config set https.letsencrypt.email {{ jupyterhub_letsencrypt_email }} | ||
tljh-config add-item https.letsencrypt.domains {{ jupyterhub_letsencrypt_domain }} | ||
tljh-config reload proxy | ||
vars: | ||
jupyterhub_letsencrypt_domain: "{{ inventory_hostname }}" | ||
register: tljh_letsencrypt | ||
changes_when: tljh_letsencrypt.rc != 0 | ||
when: not tljh_directory.stat.exists | ||
|
||
- name: Copy the JupyterHub config | ||
become: true | ||
ansible.builtin.template: | ||
src: jupyterhub_config.py.j2 | ||
dest: "{{ jupyterhub_config_dest }}" | ||
mode: preserve | ||
|
||
- name: Restart the JupyterHub service with daemon-reload | ||
become: true | ||
tags: | ||
- config | ||
ansible.builtin.systemd: | ||
name: jupyterhub | ||
state: restarted | ||
enabled: true | ||
daemon_reload: true |
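Review bot: The "Run the TLJH installer" task reads `{{ jupyterhub_tljh_admin_password }}`, but the role defaults shown further down this page define `jupyterhub_tljh_admin_pass`, so unless the variable is set somewhere not visible here the task stops on an undefined variable. Once the names agree, the password is passed as a command-line argument, which exposes it in the host's process list while the installer runs and in the task result Ansible records. Add `no_log: true` to that task and quote the interpolated values, e.g. `--admin {{ jupyterhub_tljh_admin_user | quote }}:{{ jupyterhub_tljh_admin_password | quote }}`; the `tljh-config set` lines need the same `| quote`. In the Let's Encrypt task, `changes_when` is not a task keyword (it should be `changed_when`), and `rc != 0` cannot mark a successful run as changed because a non-zero rc fails the task first.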
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
# c.Spawner.cmd = ['/srv/jupyterhub/conda/bin/jupyterhub-singleuser'] | ||
c.Authenticator.allowed_users = { {{jupyterhub_allowed_users | join(",")}} } |
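Review bot: The `allowed_users` line renders the logins as bare Python identifiers rather than string literals: `join(",")` yields something like `{ art,majakomel }`, which raises NameError when JupyterHub loads the file. With the role default `[]` it renders an empty brace pair, which Python reads as a dict, not a set. Because these values are pasted into Python source that the hub executes, emit them as data instead, e.g. `c.Authenticator.allowed_users = set({{ jupyterhub_allowed_users | list | to_json }})`. That form gives quoted strings, handles the empty case, and prevents an unusual login value from being interpreted as code.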
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
jupyterhub_letsencrypt_email: admin@openobservatory.org | ||
|
||
jupyterhub_tljh_admin_user: admin | ||
jupyterhub_tljh_admin_pass: oonity! | ||
jupyterhub_tljh_prefix: /opt/tljh | ||
jupyterhub_config_dest: /opt/tljh/config/jupyterhub_config.d/tljh.py | ||
|
||
jupyterhub_allowed_users: [] |
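Review bot: `jupyterhub_tljh_admin_pass: oonity!` commits the hub admin password in plain text as a role default, so any host that does not override it gets a credential readable by anyone with access to the repository. Drop the default and supply the value from an Ansible Vault–encrypted vars file, with an `ansible.builtin.assert` at the top of the role that the variable is defined and non-empty so a missing secret fails the run instead of falling back to a known value. Since the string is now in the commit history, it should be treated as exposed and not reused for the real deployment.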