ooni · bassosimone · Sep 26, 2017 · Sep 26, 2017 · Sep 26, 2017 · Sep 26, 2017
diff --git a/ansible/roles/ooni-collector/handlers/main.yml b/ansible/roles/ooni-collector/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: reload nginx
+  service: name=nginx state=reloaded
diff --git a/ansible/roles/ooni-collector/tasks/main.yml b/ansible/roles/ooni-collector/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+
+# FIXME: do we _really_ need nginx in front of the collector?
+- template: src=ngx-ooni-backend-web dest=/etc/nginx/sites-enabled/ooni-backend-web
+  notify: reload nginx
+
+# FIXME what is this? Do we need this for the collector?!
+- name: docker network for backend
+  docker_network:
+    name: msm
+    driver_options:
+      com.docker.network.bridge.name: brmsm
+    ipam_options:
+      subnet: 172.25.232.0/24
+      gateway: 172.25.232.1
+
+# FIXME this is not the correct procedure to start it up
+# at the moment this is copied from ooni-measurements
+- name: ooni-backend webservice
+  docker_container:
+    image: openobservatory/ooni-measurements:{{ ooni_backend_tag }}
+    name: ooni_backend-web
+    hostname: ooni_backend-web
+    networks: [{name: msm, ipv4_address: '{{ ooni_backend_backend_ipv4 }}'}]
+    purge_networks: true
+    env:
+      APP_ENV: production
+      PRODUCTION: 'TRUE' # FIXME: is it ever used?
+      DATABASE_URL: 'postgresql://ooni_backend-beta:{{ ooni_backend_beta_postgres_password }}@hkgmetadb.infra.ooni.io/metadb' # FIXME: ?sslmode=require
+      AUTOCLAVED_BASE_URL: 'http://datacollector.infra.ooni.io/ooni-public/autoclaved/' # FIXME: use dataproxy when API moves to AMS
+    command: gunicorn --bind 0.0.0.0:{{ ooni_backend_backend_port }} --workers 4 --timeout 30 measurements.wsgi
+    user: "{{ passwd.ooni_backendweb.id }}:{{ passwd.ooni_backendweb.id }}"
+    restart_policy: unless-stopped
diff --git a/ansible/roles/ooni-collector/templates/ngx-ooni-backend-web b/ansible/roles/ooni-collector/templates/ngx-ooni-backend-web
@@ -0,0 +1,34 @@
+# ansible-managed in ooni-sysadmin.git
+# FIXME: copied from ooni-measurements... wondering whether we need it...
+
+server {
+    listen 80;
+    listen 443 ssl spdy;
+
+    keepalive_timeout 120 120; # http://kb.mozillazine.org/Network.http.keep-alive.timeout
+    ssl_certificate     /etc/letsencrypt/live/{{ ooni_backend_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ooni_backend_domain }}/privkey.pem;
+    # FIXME: add ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
+
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers kEECDH+AESGCM+AES128:kEECDH+AES128:kRSA+AESGCM+AES128:kRSA+AES128:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
+
+    ssl_session_cache    shared:SSL:8m;
+    ssl_session_timeout  28h;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ ooni_backend_domain }}/chain.pem;
+
+    # FIXME: nginx/1.4.6 knows nothing about ssl_session_tickets
+
+    server_name {{ ooni_backend_domain }};
+    access_log  /var/log/nginx/{{ ooni_backend_domain }}.access.log; # FIXME: log_format
+    error_log   /var/log/nginx/{{ ooni_backend_domain }}.error.log;
+
+    location / {
+        proxy_pass http://{{ ooni_backend_backend_ipv4 }}:{{ ooni_backend_backend_port }};
+        include proxy_params;
+    }
+}
diff --git a/ansible/roles/ooni-collector/vars/main.yml b/ansible/roles/ooni-collector/vars/main.yml
@@ -0,0 +1,2 @@
+---
+ooni_backend_tag: "v1.3.4"