Merge branch 'main' into refactor/ec2-tf

ooni · Jan 16, 2025 · e790e66 · e790e66
2 parents 919d05d + 6dd39bd
commit e790e66
Show file tree

Hide file tree

Showing 17 changed files with 320 additions and 162 deletions.
diff --git a/.github/workflows/add_issues_to_project.yml b/.github/workflows/add_issues_to_project.yml
@@ -1,14 +1,91 @@
+# automatically syched from: ooni/pm-tools
 on:
   issues:
     types:
       - opened
+      - labeled
+  pull_request:
+    types:
+      - opened
+      - labeled
 
 jobs:
   add-to-project:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@RELEASE_VERSION
+      - uses: actions/[email protected]
+        if: github.event.action == 'opened'
         with:
           project-url: https://github.com/orgs/ooni/projects/31
           github-token: ${{ secrets.ADD_TO_PROJECT_GH_TOKEN }}
+
+      - uses: actions/[email protected]
+        if: github.event.action == 'labeled' && startsWith(github.event.label.name, 'funder/')
+        with:
+          project-url: https://github.com/orgs/ooni/projects/33
+          github-token: ${{ secrets.ADD_TO_PROJECT_GH_TOKEN }}
+
+      # See: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions
+      - name: Get planning project metadata
+        env:
+          GH_TOKEN: ${{ secrets.ADD_TO_PROJECT_GH_TOKEN }}
+        run: |
+          gh api graphql -f query='
+            query($org: String!, $number: Int!) {
+              organization(login: $org){
+                projectV2(number: $number) {
+                  id
+                  fields(first:20) {
+                    nodes {
+                      ... on ProjectV2Field {
+                        id
+                        name
+                      }
+                      ... on ProjectV2SingleSelectField {
+                        id
+                        name
+                        options {
+                          id
+                          name
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }' -f org=ooni -F number=31 > planning_project_data.json
+          echo 'PLANNING_STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' planning_project_data.json) >> $GITHUB_ENV
+          echo 'PLANNING_PRIORITY_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Priority") | .id' planning_project_data.json) >> $GITHUB_ENV
+
+      - name: Get reporting project metadata
+        env:
+          GH_TOKEN: ${{ secrets.ADD_TO_PROJECT_GH_TOKEN }}
+        run: |
+          gh api graphql -f query='
+            query($org: String!, $number: Int!) {
+              organization(login: $org){
+                projectV2(number: $number) {
+                  id
+                  fields(first:20) {
+                    nodes {
+                      ... on ProjectV2Field {
+                        id
+                        name
+                      }
+                      ... on ProjectV2SingleSelectField {
+                        id
+                        name
+                        options {
+                          id
+                          name
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }' -f org=ooni -F number=33 > reporting_project_data.json
+          echo 'PLANNING_STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' planning_project_data.json) >> $GITHUB_ENV
+          echo 'PLANNING_FUNDER_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Funder") | .id' planning_project_data.json) >> $GITHUB_ENV
+          echo 'PLANNING_REPORT_MONTH_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Report Month") | .id' planning_project_data.json) >> $GITHUB_ENV
diff --git a/.github/workflows/check_terraform.yml b/.github/workflows/check_terraform.yml
@@ -41,7 +41,7 @@ jobs:
 
           [oonidevops_user_dev]
           aws_access_key_id = ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }}
-          aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }}
+          aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }} 
           EOF
           chmod 700 ~/.aws/
           chmod 600 ~/.aws/credentials
@@ -94,6 +94,7 @@ jobs:
           script: |
             const terraformPlanOutput = `${{ steps.plan.outputs.terraform_plan }}`;
             const terraformApplyOutput = `${{ steps.apply.outputs.terraform_apply }}`;
+            const terraformValidateOutput = `${{ steps.validate.outputs.terraform_validate }}`;
 
             const terraformPlanPlanLine = terraformPlanOutput.split('\n').find(line => line.startsWith('Plan:'));
             const terraformApplyPlanLine = terraformApplyOutput.split('\n').find(line => line.startsWith('Plan:'));
@@ -107,7 +108,7 @@ jobs:
             <details><summary>Validation Output</summary>
 
             \`\`\`\n
-            ${{ steps.validate.outputs.terraform_validate }}
+            ${terraformValidateOutput}
             \`\`\`
 
             </details>

diff --git a/ansible/README.md b/ansible/README.md
@@ -32,6 +32,14 @@ It's recommended you generate an `ed25519` key using the following command:
 ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ooni
 ```
 
+**Attention** Be sure to set a strong password on your ssh key and to never store it on disk in plaintext.
+
+You can check to see if your ssh key is being stored encrypted by running:
+```
+ssh-keygen -yf ~/.ssh/id_ed25519_ooni
+```
+and checking you get back an `Enter passphrase` prompt
+
 ### AWS configuration
 
 Refer to the [terraform docs](devops/terraform/) for setting up your AWS configuration.

diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
@@ -26,7 +26,7 @@ clickhouse_config:
   max_connections: 4096
   keep_alive_timeout: 3
   max_concurrent_queries: 100
-  max_server_memory_usage: 21001001000
+  max_server_memory_usage: 0
   max_thread_pool_size: 10000
   max_server_memory_usage_to_ram_ratio: 0.9
   total_memory_profiler_step: 4194304
@@ -164,6 +164,7 @@ clickhouse_default_profiles:
     readonly: 1
   write:
     readonly: 0
+    max_memory_usage: 61001001000
 
 clickhouse_listen_hosts:
   - "::"

diff --git a/ansible/roles/ooni-backend/templates/api.conf b/ansible/roles/ooni-backend/templates/api.conf
@@ -36,8 +36,8 @@ TOR_TARGETS_CONFFILE = "/etc/ooni/tor_targets.json"
 JWT_ENCRYPTION_KEY = "{{ jwt_encryption_key }}"
 ACCOUNT_ID_HASHING_KEY = "{{ account_id_hashing_key }}"
 
-SESSION_EXPIRY_DAYS = 180
-LOGIN_EXPIRY_DAYS = 365
+SESSION_EXPIRY_DAYS = 2
+LOGIN_EXPIRY_DAYS = 7
 
 # Registration email delivery
 MAIL_SERVER = "mail.riseup.net"