Add snowflake proxy role, fix ci (#98)

* Add molecule ci config of snowflake proxy role
* Fix ci tests

.github/workflows/test.yml

@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 jobs:
   ansible-molecule:
-    runs-on: macos-10.15
+    runs-on: macos-12
     defaults:
       run:
         working-directory: ci
@@ -18,6 +18,7 @@ jobs:
           - matterbridge
           - update
           - tor-relay
+          - snowflake
 
     # https://github.com/jonashackt/molecule-ansible-docker-aws#use-vagrant-on-github-actions-to-execute-molecule
     steps:

README.md

@@ -14,6 +14,10 @@ It is assumed that you have a GNU/Linux environment
 
 **Note**: You will be prompted for Ansible's vault password
 
+### Snowflake proxy
+
+`cd ansible ; ansible-playbook -i inventory/production deploy-snowflake.yml`
+
 ### Discourse
 
 `cd ansible ; ansible-playbook -i inventory/production deploy-discourse.yml`

ansible/deploy-snowflake.yml

@@ -0,0 +1,12 @@
+---
+
+- import_playbook: ansible-version.yml
+
+- name: "Deploy snowflake proxy"
+  hosts: "{{ target if target is defined else 'snowflake' }}"
+  become: true
+  gather_facts: true
+  roles:
+    - admin
+    - update
+    - snowflake

ansible/inventory/molecule/group_vars/all/vars.yml

@@ -12,3 +12,6 @@ dis_plugins:
 # DockerHub credentials set in Travis CI
 dhub_usr: "{{ lookup('env', 'DOCKERHUB_USER') }}"
 dhub_pwd: "{{ lookup('env', 'DOCKERHUB_PWD') }}"
+
+# Ansible galaxy roles path
+galaxy_path: "{{ playbook_dir }}/roles.galaxy"

ansible/inventory/production/group_vars/all/vars.yml

@@ -29,3 +29,6 @@ sysupdate_email_pwd: !vault |
 
 # msmtp host
 msmtp_host: mail.privacylx.org
+
+# Ansible galaxy roles path
+galaxy_path: "{{ playbook_dir }}/roles.galaxy"

ansible/inventory/testing/group_vars/all/vars.yml

@@ -27,3 +27,6 @@ sysupdate_email_pwd: !vault |
 
 # msmtp host
 msmtp_host: mail.privacylx.org
+
+# Ansible galaxy roles path
+galaxy_path: "{{ playbook_dir }}/roles.galaxy"

ansible/inventory/testing/hosts

@@ -6,3 +6,6 @@ testing.privacylx.org
 
 [matterbridge]
 testing.privacylx.org
+
+[snowflake]
+testing.privacylx.org

ansible/roles/snowflake/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+sf_iptables_manage: true
+sf_galaxy_role: nvjacobo.snowflake

ansible/roles/snowflake/molecule/default/molecule.yml

@@ -0,0 +1,30 @@
+---
+
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+
+lint: |
+  set -e
+  yamllint .
+
+platforms:
+  - name: debian11-instance
+    box: generic/debian11
+    memory: 2000
+    cpus: 1
+    groups:
+      - snowflake
+
+provisioner:
+  name: ansible
+  options:
+    verbose: true
+  lint:
+    name: ansible-lint
+  inventory:
+    links:
+      group_vars: ../../../../inventory/molecule/group_vars/
+  playbooks:
+    converge: ../../../../deploy-snowflake.yml

ansible/roles/snowflake/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+
+- name: Gather the package facts
+  package_facts:
+
+- name: Setup iptables
+  block:
+    - name: Set the iptables policy for the INPUT chain to ACCEPT
+      iptables:
+        ip_version: "ip{{ item }}"
+        chain: INPUT
+        policy: ACCEPT
+      with_items:
+        - v4
+        - v6
+
+    - name: Save current state of the firewall (iptables) in the system file
+      community.general.iptables_state:
+        ip_version: "ip{{ item }}"
+        state: saved
+        path: "/etc/iptables/rules.{{ item }}"
+      with_items:
+        - v4
+        - v6
+  when:
+    - "'iptables' in ansible_facts.packages"
+    - sf_iptables_manage
+
+# TODO add versioning once the git repo provides releases
+- name: Install snowflake ansible role
+  community.general.ansible_galaxy_install:
+    type: role
+    name: "{{ sf_galaxy_role }}"
+    dest: "{{ galaxy_path }}"
+  become: false
+  delegate_to: localhost
+
+# TODO: fix idempotency of service start
+- name: Import snowflake ansible galaxy role
+  include_role:
+    name: "{{ galaxy_path }}/{{ sf_galaxy_role }}"
+    public: true
+  tags: molecule-idempotence-notest
+
+- name: Query systemd journal to get the proxy NAT type of snowflake
+  retries: 5
+  delay: 10
+  command: 'journalctl -r -n 1 -o cat -u snowflake-proxy --grep="NAT type:"'
+  register: sf_nat_type
+  until: sf_nat_type.rc == 0
+  tags: molecule-idempotence-notest
+
+- name: Show snowflake proxy NAT type
+  debug:
+    msg: "{{ sf_nat_type.stdout }}"
+  tags: molecule-idempotence-notest
+
+- name: Assert snowflake proxy NAT is unrestricted
+  assert:
+    that: "'unrestricted' in sf_nat_type.stdout"
+    fail_msg: "[ERR] snowflake proxy NAT type is not unrestricted"
+  tags: molecule-notest

ansible/roles/tor-relay/molecule/default/prepare.yml

@@ -4,9 +4,9 @@
   hosts: all
   become: true
   tasks:
-  # https://github.com/nusenu/ansible-relayor/blob/master/tasks/main.yml#L55
-  - name: Switch to a non centralized/common DNS resolver
-    replace:
-      path: /etc/resolv.conf
-      regexp: '^nameserver'
-      replace: "nameserver {{ dns_ns }}"
+    # https://github.com/nusenu/ansible-relayor/blob/master/tasks/main.yml#L55
+    - name: Switch to a non centralized/common DNS resolver
+      replace:
+        path: /etc/resolv.conf
+        regexp: '^nameserver'
+        replace: "nameserver {{ dns_ns }}"

ansible/roles/update/tasks/main.yml

@@ -16,6 +16,8 @@
 
 - shell: /usr/bin/uptime
   register: uptime
+  tags: molecule-idempotence-notest
 
 - debug:
     msg: "{{ uptime.stdout }}"
+  tags: molecule-idempotence-notest