ooni · LDiazN · May 5, 2025 · May 5, 2025 · May 5, 2025 · May 5, 2025
diff --git a/ansible/deploy-fastpath.yml b/ansible/deploy-fastpath.yml
@@ -0,0 +1,26 @@
+---
+- name: Deploy fastpath
+  hosts:
+    - fastpath.dev.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: dehydrated
+      vars: 
+        ssl_domains: 
+          - "{{ inventory_hostname }}"
+        tls_cert_dir: /var/lib/dehydrated/certs
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config: 
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics
+    - role: geerlingguy.docker
+      docker_install_compose: true
+      docker_users:
+        - fastpath
+        - ubuntu
+      docker_package_state: latest
+    - role: fastpath
diff --git a/ansible/inventory b/ansible/inventory
@@ -42,3 +42,7 @@ monitoringproxy.prod.ooni.io
 [openvpn]
 openvpn1.htz-fsn.prod.ooni.nu
 openvpn2.htz-fsn.prod.ooni.nu
+
+[aws-backend]
+fastpath.dev.ooni.io
+# fastpath.prod.ooni.io
diff --git a/ansible/requirements/ansible-galaxy.yml b/ansible/requirements/ansible-galaxy.yml
@@ -12,4 +12,6 @@
   name: idealista.clickhouse_role
 - src: https://github.com/ooni/airflow-role.git
   scm: git
-  name: ooni.airflow_role
+  name: ooni.airflow_role
+- src: geerlingguy.docker
+  version: 7.4.7
diff --git a/ansible/roles/fastpath/defaults/main.yml b/ansible/roles/fastpath/defaults/main.yml
@@ -0,0 +1,9 @@
+tls_cert_dir: /var/lib/dehydrated/certs
+
+# Fastpath user
+fastpath_user: fastpath
+fastpath_home: "/opt/{{ fastpath_user }}"
+
+# Fastpath settings
+# TODO Update this to the actual clickhouse host when we have migrated it 
+clickhouse_url: "clickhouse://default:default@clickhouse-server:9000"
diff --git a/ansible/roles/fastpath/handlers/main.yml b/ansible/roles/fastpath/handlers/main.yml
@@ -0,0 +1,27 @@
+- name: test nginx config
+  command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
+  listen:
+    - restart nginx
+    - reload nginx
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded
+
+- name: restart docker
+  tags: docker
+  ansible.builtin.systemd_service:
+    name: docker
+    state: restarted
diff --git a/ansible/roles/fastpath/tasks/main.yml b/ansible/roles/fastpath/tasks/main.yml
@@ -0,0 +1,106 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers 
+  meta: flush_handlers
+
+- name: Allow traffic on port 9100
+  become: true
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables  
+
+# For incoming fastpath traffic
+- name: Allow traffic on port 8472
+  become: true
+  tags: fastpath
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/8472.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
+  notify:
+   - reload nftables  
+
+# Docker seems to have problems with nftables, so this command will translate all iptables
+# commands to nftables commands
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+  notify: 
+   - restart docker
+
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+  notify: 
+   - restart docker
+
+- name: Flush all handlers # Required to apply iptables settings before docker runs
+  meta: flush_handlers
+
+### Install make to build fastpath
+- name: Install make
+  ansible.builtin.apt:
+    name: make
+    state: present
+    update_cache: yes  
+  become: yes
+
+### Create fastpath user 
+- name: Ensure the fastpath group exists
+  ansible.builtin.group:
+    name: "{{ fastpath_user }}"
+    state: present
+  become: yes
+- name: Create the fastpath user
+  ansible.builtin.user:
+    name: "{{ fastpath_user }}"
+    home: "{{ fastpath_home }}"
+    shell: "/bin/bash"
+    group: "{{ fastpath_user }}"
+    create_home: yes
+    system: yes
+  become: yes
+- name: Set ownership of the fastpath directory
+  ansible.builtin.file:
+    path: "{{ fastpath_home }}"
+    owner: "{{ fastpath_user }}"
+    group: "{{ fastpath_user }}"
+    state: directory
+    mode: '0755'
+  become: yes
+
+
+  # We could also create an ECR docker image and use that, but this is a bit simpler 
+  # Install fastpath
+- name: Clone backend repo
+  become: yes
+  ansible.builtin.git:
+    repo: 'https://github.com/ooni/backend'
+    dest: "/opt/{{fastpath_user}}/backend"
+    # TODO Change to `master` when https://github.com/ooni/backend/pull/935 is merged
+    version: support-deploying-fastpath-as-docker-container  
+    force: yes     
+
+- name: Create configuration file
+  tags: fastpath
+  template:
+    src: templates/fastpath.conf
+    dest: "/opt/{{fastpath_user}}/backend/fastpath/fastpath.conf"
+    mode: 0444
+    owner: "{{fastpath_user}}"
+  become: yes
+
+- name: Run docker container
+  tags: fastpath
+  ansible.builtin.command: "make docker-all" # TODO Change to `make docker` when clickhouse is migrated
+  args:
+    chdir: "/opt/{{fastpath_user}}/backend/fastpath"
+
diff --git a/ansible/roles/fastpath/templates/fastpath.conf b/ansible/roles/fastpath/templates/fastpath.conf
@@ -0,0 +1,19 @@
+[DEFAULT]
+# Collector hostnames, comma separated
+collectors = localhost
+
+
+{% if psql_uri is defined %}
+# The password is already made public
+db_uri = {{ psql_uri }}
+{% else %}
+db_uri =
+{% endif %}
+
+# S3 access credentials
+# Currently unused
+s3_access_key =
+s3_secret_key =
+
+
+clickhouse_url = {{clickhouse_url}}
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -559,6 +559,71 @@ resource "aws_route53_record" "monitoring_proxy_alias" {
   ]
 }
 
+
+### Fastpath 
+module "ooni_fastpath" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3a.small"
+
+  name = "oonifastpath"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80,
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 9100,
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"],
+  }]
+
+  sg_prefix = "oonifastpath"
+  tg_prefix = "fstp"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-fastpath" }
+  )
+}
+
+resource "aws_route53_record" "fastpath_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "fastpath.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_fastpath.aws_instance_public_dns
+  ]
+}
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {