Merge pull request #90 from planetary-social/add_reportinator_server

Add reportinator_server files

inventories/reportinator_server/README.md

@@ -0,0 +1 @@
+# reportinator_server Inventory

inventories/reportinator_server/group_vars/all/vault.yml

@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+61383663353236366531616531663866383736633837373338316437346235396662666439326262
+3030623564636564383264333365666435386435383266340a333830373630313534623761396464
+39366164643032646233373065346663653862303262376231663662656135376637373231303832
+6566393664623730640a633261383932343539623730666166333138616132633330353335393737
+31613332323939393339616535343563353930663235666166303833643638393733383038333234
+38613038316530333361323837393562346365363666366466313536396438313662626366623664
+62653534373538343030373830386630316161613035643337383561336538343335653834343563
+61643965643035666163376530636335363331373661383430643962646466313636393739326465
+66613633623862313665643932623965373364376361343261663161356161643764653665656333
+63303238373636633730646639653561646634623331363339656130653263663832633839653833
+65353333633531353230656464386666363834643437376664613361646465363362663662656131
+65363862383437306565

inventories/reportinator_server/group_vars/all/vault_pubsub-credentials.json

@@ -0,0 +1,124 @@
+$ANSIBLE_VAULT;1.1;AES256
+64336164363633326136623065343532336461373736623965363531663534356463636261653235
+6334653663636434646332356166363132646533373134330a653934383132613064336236323063
+37343833353235363763386535646633643738376462633730613630353062366431393735396137
+6661333437636266300a353330656636663837626164643433336536323861343465306333666262
+65303434323164373238383932333834623963663465396635636130336636393361356365363836
+32376331333035386462653363343531656166383862316465646564616466626435383133373562
+61643263666238646164393638366233656337336435393239613639616132326132346662383330
+39303634623932376533336339323930336437623862343263646639333534303430653165373437
+66396531616638356230653837303230663237363332613036383166623431646336383736656633
+66363963633336333936613236393432666530626361326230393431656365656433383932636461
+63336237376465313332343763373834666539616230383861366363386132386465653832616438
+31393735613636306331313935303830626630316462343434636333626437306337393264633062
+64396638633335656430613264633235303833306539306137643134663731366461386335383262
+65323533616539306461346461636362306262386136356437336138626236633961313539366535
+30643038643362366565343031636462646531333833393739353831633163383236373338623063
+30656431613937353732313838326566326262653031333032393663303830303131313438303662
+65326465393432333636663839666263653233663961363932333532343131656236313431653131
+33613532323631626335386234323039363533343433353737656263306437616437653965646266
+65616132316433643364333931333436366139326637333234313961313639613839643334336462
+62343539626237663535623262636262393862353136656462353830653363336635326366653931
+34303232616363636563306564663833343462363430353434656663336131656130316130373338
+32636335643131666564316333363266336538376138656435336165313530336261653830643639
+61356434313839653262346136333338623661613965373233383231313165316433363931366435
+64323531303665356234653830636330613030363766653062333261616437323763336230326630
+61353164336137653433616435343132653038653363383739323637386438333162343533356133
+34303331383464326134333738303964313865346135383865316639313265663136636131326539
+62633034656165393333363834343630613931366130373233313966626161653963363933663733
+36623739373837393464333064633264666234336635393433636639656164613861396635613234
+31366130353862343330326633616361376130623466333162376433633433316461303536366634
+64356166626539656266353334623862646631653831376637656139366366373838326236616331
+34343434336336336337663338663864643038633637383036336432346237663364303131356538
+33356661303234343733396465616562353238393363373930323564393134383935316436366335
+36613865326562353734623633643862303763613630396439306236376164353564353633666330
+37383462336263346162633361333839313062383763386237636536376435303232313434363464
+33653535336432373139383762363334663439326663613562353063383464613031653835386165
+62363831396336313434303931653234326261646462393338323838393961636436373564323733
+31383932306435623338303931306663313361346563633538653737623336383363383063626364
+34336466376561303739343231633466616338616366363837653138383232323062333439643762
+36633461643531623361656564336331373237613563386566306163653138343531626134326266
+62396563363565613032383832363937656536333062633462663837326566373734336136363764
+31353233363731363561366564316361386464623430366265313738303466353333333266313262
+30663335363138356637333664333330343332303735343766376431353935613530643232343934
+32373832633764666165333163306166393863386265353030366433313262396561323564626235
+64356131616236393831626566313437643237343666313062306533656331666162383763613362
+33303737643763646261363462323030313838313730376139353230393763613038336163316232
+64393931366166313365303462663461616565393663333138613361326262363865363365643436
+63366365393632366361333936356266396162643036336464383937643632383863316132646438
+31373565633637663732366162343436656339643664656637623033376630386238353235386538
+63393162623066323863393338316164353834663966383832383438343036306133623830613439
+39306165623134366535393962306438343761386166376137316362336163323437366664643238
+63663537363631373532356637303462363065326266336331626537323564373138306363376461
+65303339646262393132363932316635376237393632656336356163393838363637376638653133
+64303537343965626465643932666432646235303230323034666365383334373131623361633239
+31303264653138343361306266373033393964323532663537656666313761656636356563333430
+35626236386131303465333738313831393332396634613731663061376266396133376530303365
+30666561613330323836623939323563636233626532663664663461323861343262366237363135
+63353537363266633231363933376463666234386666633438653464623930336266396263363034
+62366232643761656530323663356534663164656565666137313166353464366339613033376365
+39666564346164366266306264396537356265333864666362343165633134346661306132356237
+39313665363661323938323130656563303263383237326230323565613730643734653064613034
+33326232303136313435616439643461386466336135666363303334373930363832393335393138
+65633332336533653565386435333233343961663736656663396237356134306430353239373235
+66336339333530303730656236613861376337626361343235353938303731373763633363373832
+65303833316530616636663361636137643864373236366639613536653161316232306566626234
+38393039653336313935363463373735353232623037343064666433313231336263323338353734
+30326535303231333437653632333465646661386335653764366539636334666338326530386261
+32356465376466366530666435376632663262636439346561363962356230393338363733353832
+65653233373165626534313666343061393865383730313466656564316133316633333931633265
+35636466636661323365653664386466346432336335393335386263633064656236303838633462
+34613064663862636133333730646664633439373666393531353765373563396461343737376132
+37363565656534326139336664336564373937363262336630613438623764353132346137643166
+31323664333236353337653262393937346162323463373736613462383934633832336430343861
+37616366663537623335353036383038643866633931303030383663656538346231396337346662
+34373635306335323138333462303031313363393866386164393062323037303937393761633765
+32653032343934643963626663313963343838666362383766333939343231393738396262663238
+38383764343534663635633362323637373030333964306563316161303034323161383530623331
+39313636656266386364653063373865623533376164663031393338656366613165323563623032
+62636164653237616139366232636330656238663739346235363836633938343930363431636137
+62306134633632303833653830666238393432626438646132373661643066383064383239363632
+61303864383962616138313766303138303234333965353464306461666366313639383638633036
+39323361313962396232376162656535373838326138353861363562616166333339613932353632
+36323665383466663565306463656235633931383630633032643735613531343633666331393164
+61303362383131353036336333356538636362336663643437643762656162663835646333623736
+35326463623765303761656666613336336131663134613033386338663965366461393832343938
+66333632633336343536313161326364353639353938356239626666353939633338346535333539
+32396236366231326430363637633130653566356239316338383737363930373161643736643561
+31393064373337653935663063323237643836343438306433353765376361313365373434336662
+30343938373263636138393432353033386439653336623562386131386632316632613365653565
+65376634323831653237326665323564326261313038636462343137343862626163386431393862
+37353261633263613365323862353965613732333630643564666138326131646465346530613464
+36656366386337326338656439373936326139643339633532633938633037623130633865366532
+32323931353763383361316362363264353862633435393939616465356264633435633537306665
+36303237366464396130396435363533396639316162313034363163636262303933663136663539
+32343134383064336534393433386430653362623566393663623863636434336235666630626230
+63386539373233646533656266623437343462393930363339656231383038643839393061653364
+61313039643031623433323639383864313233336638653433386539346637393135323939653162
+66333561633562353732366336623035333365343331396438616330393862306439653762303535
+32616339636266323531343664323430663230633534363463313363333830303761353539643465
+36656233343233613536396138393537346430363135376533306236633164346366366638326631
+37336435346138643332366236333530353861336633636332616238616661626334393964363639
+33613330313832653561646538643662666538643036326662393265653964313533373865323632
+31356330343633663762393330383865323138316165653637303062366165666134393161303838
+63343635366337356439623563666130336331363366663463623966396633396436623265356130
+63396138346131313435383339613837363530356531393337396364636339343236393064306133
+30663833363939376138343964326637306363346330396435643163323466363664366633633534
+38323664653137323062316261653032623833373032386235643730613333393932336336336433
+35396638313432306163373234363438636264313333666630633562316234663963346464303433
+65303562626335653765623561666333303139306465656537343062366135336266383232326666
+30396563326636353834313139663563353230326131646238383334333538316535303831316433
+37333337333639663232663332346462323464633163373665303135643032303462613833613839
+32366531336631623165303561636233336535306666393063323735393136623634656461353239
+32626232623331373962333336356234376232656634396338636538336632326338323035653638
+61643161313831613732613934393766303765656638303339343231643238326562366364653132
+31383764633061343562623330646232613963643732653135656165326633656566636666333734
+30623663373064353737633035626330323630343366396566316165326238353632613433323432
+65376562653263646137346631613231303932376537643336393530303361613238333631303033
+63366161336139623834386433313461656532366333343530343430333164343237363339643062
+65383361663730323934386564383730383062643536663462353838343861303630353064666665
+63623033396634313931343061356632623133633536656437383266353830346135613037316265
+63643562613739303637393836646439336130663062623339343333623062643037616437633433
+32613537663232313061653730376161326433343131633535386338363436366465623137626536
+62376661383036646230333736613466656633623830396431616266306262613535653933366566
+356338623636373761373135343034306366

inventories/reportinator_server/inventory.yml

@@ -0,0 +1,23 @@
+---
+reportinator_server:
+  hosts:
+    reportinator2.ansible.fun:
+  vars:
+    admin_username: admin
+    homedir: /home/{{ admin_username }}
+    cert_email: [email protected]
+    domain: '{{ inventory_hostname }}'
+    reportinator_server_image: ghcr.io/planetary-social/reportinator_server
+    reportinator_server_image_tag: latest
+    relay_addresses_csv: wss://relay.nos.social
+    google_application_credentials: application_default_credentials.json
+    google_pubsub_credentials_secret_json_path: '{{inventory_dir}}/group_vars/all/vault_pubsub-credentials.json'
+    reportinator_server_health_endpoint: https://{{ inventory_hostname }}/
+    reportinator_secret: '{{ vault_reportinator_secret }}'
+    slack_signing_secret: '{{ vault_slack_signing_secret }}'
+prod:
+  hosts:
+    reportinator2.ansible.fun: 
+dev:
+  hosts:
+    reportinator2.ansible.fun:

new-server-vars.yml

@@ -180,3 +180,23 @@
 #   - prod
 # additional_roles:
 #   - posthog
+
+#-----------------------------
+# Reportinator Service example
+#-----------------------------
+domain: reportinator2.ansible.fun
+do_droplet_size: s-1vcpu-1gb
+do_droplet_image: ubuntu-22-04-x64
+do_droplet_region: NYC3
+do_droplet_project: Nos
+do_droplet_tags:
+ - dev
+gh_user_keys_to_add:
+ - mplorentz
+ - dcadenas
+inv:  reportinator_server
+inv_groups:
+ - reportinator_server
+ - dev
+additional_roles:
+ - reportinator_server

playbooks/reportinator_server.yml

@@ -0,0 +1,7 @@
+- name: Install new server for reportinator_server
+  hosts: reportinator_server:&prod
+  vars:
+    ansible_user: admin
+    domain: "{{ inventory_hostname }}"
+  roles:
+    - reportinator_server

roles/harden/defaults/main.yaml

@@ -1,4 +1,4 @@
 admin_username: admin
 admin_password: "use bcrypt to set this as an encrypted password"
 homedir: "/home/{{ admin_username }}"
-admin_ssh_pubkey: /Home/coolperson/.ssh/id_ed25519.pub
+admin_ssh_pubkey: /Users/daniel/.ssh/id_ed25519.pub

roles/reportinator_server/README.md

@@ -0,0 +1,17 @@
+# reportinator_server role
+
+This role sets up the reportinator.nos.social server to handle encrypted DMs for moderation requests.
+
+## Variables
+
+| Variable                            | Example                                                      | Purpose                                                      |
+|-----------------------------------  |--------------------------------------------------------------|--------------------------------------------------------------|
+| domain                              | reportinator.nos.social                                      | The fqdn of the service                                      |
+| cert_email                          | [email protected]                                              | The email used for the LetsEncrypt certificate               |
+| reportinator_server_image           | ghcr.io/planetary-social/reportinator_server                 | The Docker image name                                        |
+| reportinator_server_image_tag       | latest                                                       | The Docker image tag                                         |
+| google_application_credentials      | /app/data/gcloud/application_default_credentials.json        | Google Cloud credentials location                            |
+| relay_addresses_csv                 | wss://relay.nos.social                                       | Relay to listen to DMs                                       |
+| reportinator_server_health_endpoint | https://{{ inventory_hostname }}/                            | Health check endpoint                                        |
+| reportinator_secret                 | some nostr hex secret                                        | The secret for the Reportinator account, held in vault       |
+| slack_signing_secret                | some long string                                             | The secret to interact with Slack, held in vault             |

roles/reportinator_server/meta/main.yml

@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: common
+  - role: digital-ocean
+  - role: docker
+  - role: traefik

roles/reportinator_server/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+- name: Set reportinator_server dir
+  ansible.builtin.set_fact:
+    reportinator_server_dir: "{{ homedir }}/services/reportinator_server"
+
+- name: Ensure services/reportinator_server exists
+  ansible.builtin.file:
+    path: "{{ reportinator_server_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Copy necessary template files to reportinator_server dir
+  ansible.builtin.template:
+    src: "docker-compose.yml.tpl"
+    dest: "{{ reportinator_server_dir }}/docker-compose.yml"
+    mode: 0644
+
+- name: UFW - Allow http/https connections
+  become: true
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"
+
+- name: Ensure cert directory exist
+  ansible.builtin.file:
+    path: "{{ reportinator_server_dir }}/certs"
+    state: directory
+    mode: '0755'
+
+- name: Copy pubsub cert to notifications dir
+  ansible.builtin.copy:
+    src: "{{ google_pubsub_credentials_secret_json_path }}"
+    dest: "{{ reportinator_server_dir }}/certs/{{ google_application_credentials }}"
+    mode: 0644
+
+- name: ensure docker is running
+  ansible.builtin.service:
+    name: docker
+    state: started
+
+
+- name: Start up docker services
+  ansible.builtin.shell: "docker compose down && docker compose up -d"
+  args:
+    chdir: "{{ reportinator_server_dir }}"
+  register: service_started
+  retries: 5
+  until: service_started is success
+
+
+- name: Setup the image updater
+  ansible.builtin.include_role:
+    name: image-update-service
+  vars:
+    service_name: reportinator_server
+    service_image: "{{ reportinator_server_image }}"
+    service_image_tag: "{{ reportinator_server_image_tag }}"
+    frequency: 3m
+    working_dir: "{{ reportinator_server_dir }}"
+
+
+- name: Setup the health check
+  ansible.builtin.include_role:
+    name: health-check
+  vars:
+    health_endpoint: "{{ reportinator_server_health_endpoint }}"

roles/reportinator_server/templates/docker-compose.yml.tpl

@@ -0,0 +1,26 @@
+---
+version: "3.3"
+
+services:
+  reportinator_server:
+    image: "{{ reportinator_server_image }}:{{ reportinator_server_image_tag }}"
+    container_name: "reportinator_server"
+    restart: always
+    volumes:
+      - {{ reportinator_server_dir }}/certs/{{ google_application_credentials }}:/certs/{{ google_application_credentials }}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.reportinator_server.rule=Host(`{{ domain }}`)"
+      - "traefik.http.routers.reportinator_server.entrypoints=websecure"
+    environment:
+      - RELAY_ADDRESSES_CSV={{ relay_addresses_csv }}
+      - REPORTINATOR_SECRET={{ reportinator_secret }}
+      - GOOGLE_APPLICATION_CREDENTIALS=/certs/{{ google_application_credentials }}
+      - SLACK_SIGNING_SECRET={{ slack_signing_secret }}
+      - RUST_LOG=reportinator_server=info
+    networks:
+      - proxy
+
+networks:
+  proxy:
+    external: true