cleanup extra roles

ooni · Dec 5, 2024 · 04dbf7b · 04dbf7b
1 parent 427b248
commit 04dbf7b
Show file tree

Hide file tree

Showing 22 changed files with 42 additions and 334 deletions.
diff --git a/ansible/deploy-ooni-backend.yml b/ansible/deploy-ooni-backend.yml
@@ -1,16 +1,20 @@
 ---
 - hosts: backend-hel.ooni.org
   roles:
-    - role: base-bookworm
+    - role: bootstrap
     - role: nftables
-    - role: nginx-buster
+    - role: nginx
       tags: nginx
+      vars:
+        nginx_user: "www-data"
     - role: dehydrated
       tags: dehydrated
       expand: yes
-      ssl_domains:
-        # with dehydrated the first entry is the cert FQDN
-        # and the other ones are alternative names
-        - "backend-hel.ooni.org"
+      vars: 
+        ssl_domains:
+          # with dehydrated the first entry is the cert FQDN
+          # and the other ones are alternative names
+          - "backend-hel.ooni.org"
     - role: ooni-backend
-      ssl_domain: backend-hel.ooni.org
+      vars: 
+        ssl_domain: backend-hel.ooni.org
diff --git a/ansible/roles/base-backend/README.adoc b/ansible/roles/base-backend/README.adoc
@@ -0,0 +1 @@
+Configure base host based on backend hosts
diff --git a/ansible/roles/base-backend/handlers/main.yml b/ansible/roles/base-backend/handlers/main.yml
@@ -0,0 +1,15 @@
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded
+
+- name: restart chrony
+  ansible.builtin.systemd:
+    name: chrony.service
+    state: restarted
+
+- name: restart netdata
+  ansible.builtin.systemd:
+    name: netdata.service
+    state: restarted
diff --git a/ansible/roles/base-bookworm/meta/main.yml → ansible/roles/base-backend/meta/main.yml b/ansible/roles/base-bookworm/meta/main.yml → ansible/roles/base-backend/meta/main.yml
diff --git a/ansible/roles/base-bookworm/tasks/main.yml → ansible/roles/base-backend/tasks/main.yml b/ansible/roles/base-bookworm/tasks/main.yml → ansible/roles/base-backend/tasks/main.yml
@@ -2,10 +2,6 @@
 - name: motd
   shell: echo "" > /etc/motd
 
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ inventory_hostname }}"
-
 - name: Remove apt repo
   tags: apt
   file:
@@ -81,22 +77,6 @@
       - tmux
       - vim
 
-- name: Configure journald
-  tags: journald
-  template:
-    src: templates/journald.conf
-    dest: /etc/systemd/journald.conf
-    mode: 0644
-    owner: root
-
-- name: enable and restart journald
-  tags: journald
-  systemd:
-    name: systemd-journald.service
-    state: restarted
-    enabled: yes
-    daemon_reload: yes
-
 - name: Autoremove
   tags: autoremove
   apt:
@@ -114,16 +94,8 @@
     create: yes
     block: |
       add rule inet filter input ip saddr {{ lookup('dig', 'prometheus.ooni.org/A') }} tcp dport 19999 counter accept comment "netdata.service"
-
-#- name: reload nftables service
-#  systemd:
-#    name: nftables.service
-#    state: reloaded
-#    enabled: yes
-#    daemon_reload: yes
-
-- name: reload nftables service
-  service: name=nftables state=restarted
+    notify:
+      - reload nftables
 
 - name: configure netdata.service
   tags: netdata
@@ -144,12 +116,8 @@
   tags: timezone
   timezone:
     name: Etc/UTC
-
-- name: restart chrony service
-  tags: timezone
-  systemd:
-    name: chrony.service
-    state: restarted
+  notify: 
+    - restart chrony
 
 - name: configure netdata chrony
   tags: netdata, timezone
@@ -168,54 +136,5 @@
     path: /usr/lib/netdata/conf.d/python.d.conf
     regexp: '^chrony:'
     line: 'chrony: yes'
-
-#- name: configure netdata nginx
-#  blockinfile:
-#    path: /etc/netdata/python.d/nginx.conf
-#    create: yes
-#    block: |
-#      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
-#      update_every: 5
-#      nginx_log:
-#        name  : 'nginx_log'
-#        path  : '/var/log/nginx/access.log'
-
-#- name: configure netdata haproxy
-#  blockinfile:
-#    path: /etc/netdata/python.d/haproxy.conf
-#    block: |
-#      # Managed by ansible, see roles/base-bookworm/tasks/main.yml
-#      update_every: 5
-#      via_url:
-#        url: 'http://127.0.0.1:7000/haproxy_stats;csv;norefresh'
-
-- name: restart netdata service
-  tags: netdata, timezone
-  systemd:
-    name: netdata.service
-    state: restarted
-
-
-- name: install systemd-resolved
-  tags: resolved
-  apt:
-    install_recommends: no
-    cache_valid_time: 86400
-    name:
-      - systemd-resolved
-
-- name: configure systemd-resolved
-  tags: resolved
-  template:
-    src: resolved.conf
-    dest: /etc/systemd/resolved.conf
-
-- name: restart systemd-resolved
-  tags: resolved
-  systemd:
-    name: systemd-resolved.service
-    state: restarted
-
-- name: test systemd-resolved
-  tags: resolved
-  shell: resolvectl query go.dnscheck.tools --cache=no
+  notify: 
+    - restart netdata
diff --git a/.../base-bookworm/templates/internal-deb.gpg → ...s/base-backend/templates/internal-deb.gpg b/.../base-bookworm/templates/internal-deb.gpg → ...s/base-backend/templates/internal-deb.gpg
diff --git a/...les/base-bookworm/templates/journald.conf → ...oles/base-backend/templates/journald.conf b/...les/base-bookworm/templates/journald.conf → ...oles/base-backend/templates/journald.conf
diff --git a/...oles/base-bookworm/templates/netdata.conf → ...roles/base-backend/templates/netdata.conf b/...oles/base-bookworm/templates/netdata.conf → ...roles/base-backend/templates/netdata.conf
diff --git a/...-bookworm/templates/ooni_internal.sources → ...e-backend/templates/ooni_internal.sources b/...-bookworm/templates/ooni_internal.sources → ...e-backend/templates/ooni_internal.sources
diff --git a/...les/base-bookworm/templates/resolved.conf → ...oles/base-backend/templates/resolved.conf b/...les/base-bookworm/templates/resolved.conf → ...oles/base-backend/templates/resolved.conf
@@ -2,8 +2,8 @@
 # See roles/base-bookworm/templates/resolved.conf
 
 [Resolve]
-## https://meta.wikimedia.org/wiki/Wikimedia_DNS
-DNS=185.71.138.138
+DNS=9.9.9.9
+FallbackDNS=1.1.1.1 8.8.8.8
 DNSOverTLS=opportunistic
 DNSSEC=allow-downgrade
 Cache=yes
diff --git a/...oles/base-bookworm/templates/sources.list → ...roles/base-backend/templates/sources.list b/...oles/base-bookworm/templates/sources.list → ...roles/base-backend/templates/sources.list
diff --git a/ansible/roles/base-bookworm/README.adoc b/ansible/roles/base-bookworm/README.adoc
diff --git a/ansible/roles/bootstrap/tasks/main.yml b/ansible/roles/bootstrap/tasks/main.yml
@@ -55,6 +55,13 @@
   tags:
     - nftables
 
+- name: Set the backend host configuration if valid
+  when: inventory_hostname == 'backend-hel.ooni.org'
+  ansible.builtin.include_role:
+    name: base-backend
+    tags: 
+     - base-backend
+
 - name: Configure journald
   tags:
     - journald

diff --git a/ansible/roles/nftables-sysadmin/README.adoc b/ansible/roles/nftables-sysadmin/README.adoc
diff --git a/ansible/roles/nftables-sysadmin/tasks/main.yml b/ansible/roles/nftables-sysadmin/tasks/main.yml
diff --git a/ansible/roles/nftables-sysadmin/templates/nftables.conf b/ansible/roles/nftables-sysadmin/templates/nftables.conf
diff --git a/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem b/ansible/roles/nginx-buster/files/ffdhe2048_dhparam.pem
diff --git a/ansible/roles/nginx-buster/files/ssl_intermediate.conf b/ansible/roles/nginx-buster/files/ssl_intermediate.conf
diff --git a/ansible/roles/nginx-buster/files/ssl_modern.conf b/ansible/roles/nginx-buster/files/ssl_modern.conf
diff --git a/ansible/roles/nginx-buster/handlers/main.yml b/ansible/roles/nginx-buster/handlers/main.yml
diff --git a/ansible/roles/nginx-buster/tasks/main.yml b/ansible/roles/nginx-buster/tasks/main.yml