infra: move services docs from the infra-team repo

Author: pietroalbini

src/SUMMARY.md

@@ -13,6 +13,13 @@
     - [Service Infrastructure](./infra/service-infrastructure.md)
     - [Team Maintenance](./infra/team-maintenance.md)
     - [The Toolstate System](./infra/toolstate.md)
+    - [Documentation](./infra/docs/README.md)
+        - [Bastion server](./infra/docs/bastion.md)
+        - [Crater agents](./infra/docs/crater-agents.md)
+        - [Discord moderation bot](./infra/docs/discord-mods-bot.md)
+        - [docs.rs](./infra/docs/docs-rs.md)
+        - [Monitoring](./infra/docs/monitoring.md)
+        - [rust-bots server](./infra/docs/rust-bots.md)
 - [Language](./lang/README.md)
     - [RFC Merge Procedure](./lang/rfc-merge-procedure.md)
 - [Release](./release/README.md)

src/infra/docs/README.md

@@ -0,0 +1,5 @@
+# Infrastructure team documentation
+
+This section contains the documentation about the services hosted and managed
+by the Rust Infrastructure Team. Most of the linked resources and instructions
+are only available to infra team members though.

src/infra/docs/bastion.md

@@ -0,0 +1,78 @@
+# Bastion server
+
+* FQDN: `bastion.infra.rust-lang.org`
+* [Ansible playbook][ansible] to deploy this server.
+* [Terraform configuration][terraform] to create AWS resources.
+* [Instance metrics][grafana] (only available to infra team members).
+
+## Logging into servers through the bastion
+
+To improve the security of our infrastructure it's not possible to connect
+directly to a production server with SSH. Instead, all connections must come
+from a small server called the "bastion", which only allows connections from a
+few whitelisted networks and logs any connection attempt.
+
+To log into a server through the bastion you can use SSH's `-J` flag:
+
+```
+ssh -J bastion.infra.rust-lang.org servername.infra.rust-lang.org
+```
+
+It's also possible to configure SSH to always jump through the bastion when
+connecting to a host. Add this snippet to your SSH configuration file (usually
+located in `~/.ssh/config`):
+
+```
+Host servername.infra.rust-lang.org
+    ProxyJump bastion.infra.rust-lang.org
+```
+
+Please remember the bastion server only allows connections from a small list of
+IP addresses. Infra team members with AWS access can change the whitelist, but
+it's good practice to either have your own bastion server or a static IP
+address.
+
+The SSH keys authorized to log into each account are stored in the [simpleinfra
+repository][keys]. Additionally, people with sensitive 1password access can use
+the master key stored in the vault to log into every account, provided their
+connection comes from any whitelisted IP.
+
+## Common maintenance procedures
+
+### Adding a new user to the bastion server
+
+To add a new user to the bastion you need to add its key to a file named
+`<username>.pub` in [`ansible/roles/common/files/ssh-keys`][keys], and change
+the [Ansible playbook][ansible] adding the user to the list of unprivileged
+users. Please leave a comment clarifying which servers the user will have
+access to.
+
+Once that's done [apply the playbook][ansible-apply] and [add a new whitelisted
+IP address](#updating-the-whitelisted-ips).
+
+### Updating the whitelisted IPs
+
+Due to privacy reasons, all the static IP addresses of team members with access
+to the bastion are stored on [AWS SSM Parameter Store][ssm] instead of public
+git repositories. To add or update an IP address you can run this command
+(taking care of replacing `USERNAME` and `IP_ADDRESS` with the proper values):
+
+```
+aws ssm put-parameter --type String --name "/prod/bastion/allowed-ips/USERNAME" --value "IP_ADDRESS/32"
+```
+
+If you're adding an IP address instead of updating it, you'll also need to add
+the username to the list in [`terraform/services.tf`][allowed-ips] (key
+`allowed_users` in the `service_bastion` module).
+
+Once you made all the needed changes you wanted you need to [apply the
+Terraform configuration][terraform-apply].
+
+[ansible]: https://github.com/rust-lang/simpleinfra/blob/master/ansible/playbooks/bastion.yml
+[terraform]: https://github.com/rust-lang/simpleinfra/tree/master/terraform/services/bastion
+[grafana]: https://grafana.rust-lang.org/d/rpXrFfKWz/instance-metrics?orgId=1&var-instance=bastion.infra.rust-lang.org:9100
+[keys]: https://github.com/rust-lang/simpleinfra/tree/master/ansible/roles/common/files/ssh-keys
+[ansible-apply]: https://github.com/rust-lang/simpleinfra/blob/master/ansible/README.md#executing-a-playbook
+[ssm]: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
+[allowed-ips]: https://github.com/rust-lang/simpleinfra/blob/master/terraform/services.tf
+[terraform-apply]: https://github.com/rust-lang/simpleinfra/tree/master/terraform#applying-the-configuration

src/infra/docs/crater-agents.md

@@ -0,0 +1,59 @@
+# Crater agents
+
+* Source code: [rust-lang/crater][repo]
+* Hosted on:
+  * `crater-aws-1.infra.rust-lang.org` (behind the bastion -- [how to connect][bastion-connect])
+  * `crater-azure-1.infra.rust-lang.org` (behind the bastion -- [how to connect][bastion-connect])
+* Maintainers: [pietroalbini]
+* [Application metrics][grafana-app] (only available to infra team members).
+* Instance metrics (only available to infra team members):
+  * [`crater-aws-1.infra.rust-lang.org`][grafana-instance-aws-1]
+  * [`crater-azure-1.infra.rust-lang.org`][grafana-instance-azure-1]
+
+## Service configuration
+
+Crater agents are servers with our standard configuration running a Docker
+container hosting the agent. A timer checks for updates every 5 minutes, and if
+a newer Docker image is present the container will automatically be updated and
+restarted. This service is [managed with Ansible][ansible].
+
+## Common maintenance procedures
+
+### Starting and stopping the agent
+
+The agent is managed by the `container-crater-agent.service` systemd unit. That
+means it's possible to start, stop and restart it with the usual systemctl
+commands:
+
+```
+systemctl stop container-crater-agent.service
+systemctl start container-crater-agent.service
+systemctl restart container-crater-agent.service
+```
+
+### Inspecting the logs of the agent
+
+Logs of the agents are forwarded and collected by journald. To see them you can
+use journalctl:
+
+```
+journalctl -u container-crater-agent.service
+```
+
+### Manually updating the container image
+
+The container is updated automatically every 5 minutes (provided a newer image
+is present). If you need to update them sooner you can manuallly start the
+updater service by running this command:
+
+```
+systemctl start docker-images-update.service
+```
+
+[repo]: https://github.com/rust-lang/docs.rs
+[bastion-connect]: https://github.com/rust-lang/infra-team/blob/master/docs/hosts/bastion.md#logging-into-servers-through-the-bastion
+[pietroalbini]: https://github.com/pietroalbini
+[grafana-instance-aws-1]: https://grafana.rust-lang.org/d/rpXrFfKWz/instance-metrics?orgId=1&var-instance=crater-aws-1.infra.rust-lang.org:9100
+[grafana-instance-azure-1]: https://grafana.rust-lang.org/d/rpXrFfKWz/instance-metrics?orgId=1&var-instance=crater-azure-1.infra.rust-lang.org:9100
+[grafana-app]: https://grafana.rust-lang.org/d/WLeJySTZz/crater?orgId=1
+[ansible]: https://github.com/rust-lang/simpleinfra/blob/master/ansible/playbooks/crater.yml

src/infra/docs/discord-mods-bot.md

@@ -0,0 +1,44 @@
+# Discord moderation bot
+
+* Source code: [rust-lang-nursery/discord-mods-bot][repo]
+* Hosted on: [`bots.infra.rust-lang.org`][rust-bots] (behind the bastion -- [how to connect][bastion-connect])
+* Maintainers: [technetos]
+
+## Service configuration
+
+The service uses a PostgreSQL database called `discord_mods_bot` hosted on the
+same server, and connects to it with the `discord_mods_bot` user. Backups are
+not yet setup for the database contents.
+
+The service is run with docker-compose on the home of the `ec2-user` user, and
+its docker image is hosted on ECR. The image is automatically rebuilt by the
+git repository's CI every time a new commit is pushed to master.
+
+The server doesn't expose anything to the outside, as it uses websockets to
+communicate with Discord.
+
+The bot is [`rustbot#4299`][devportal]. [pietroalbini], [Mark-Simulacrum],
+[alexcrichton] and [aidanhs] have access to the developer portal.
+
+## Common maintenance procedures
+
+### Deploying changes to the bot
+
+Once the CI build on the `master` branch of [the repo][repo] ends you can SSH
+into the server and run this command:
+
+```
+./redeploy
+```
+
+The command might also redeploy other services hosted on the same server.
+
+[repo]: https://github.com/rust-lang-nursery/discord-mods-bot
+[rust-bots]: https://github.com/rust-lang/infra-team/blob/master/docs/hosts/rust-bots.md
+[bastion-connect]: https://github.com/rust-lang/infra-team/blob/master/docs/hosts/bastion.md#logging-into-servers-through-the-bastion
+[devportal]: https://discordapp.com/developers/applications/615806512790503424
+[technetos]: https://github.com/technetos
+[pietroalbini]: https://github.com/pietroalbini
+[Mark-Simulacrum]: https://github.com/Mark-Simulacrum
+[alexcrichton]: https://github.com/alexcrichton
+[aidanhs]: https://github.com/aidanhs

src/infra/docs/docs-rs.md

@@ -0,0 +1,77 @@
+# docs.rs
+
+* Source code: [rust-lang/docs.rs][repo]
+* Hosted on: `docsrs.infra.rust-lang.org` (behind the bastion -- [how to connect][bastion-connect])
+* Maintainers: [onur][onur], [QuietMisdreavus][QuietMisdreavus]
+* [Instance metrics][grafana-instance] (only available to infra team members).
+* [Application metrics][grafana-app] (only available to infra team members).
+
+## Common maintenance procedures
+
+### Temporarily remove a crate from the queue
+
+It might happen that a crate fails to build repeatedly due to a docs.rs bug,
+clogging up the queue and preventing other crates to build. In this case it's
+possible to temporarily remove the crate from the queue until the docs.rs's bug
+is fixed. To do that, log into the machine and open a PostgreSQL shell with:
+
+```
+$ psql
+```
+
+Then you can run this SQL query to remove the crate:
+
+```
+UPDATE queue SET attempt = 100 WHERE name = '<CRATE_NAME>';
+```
+
+To add the crate back in the queue you can run in the PostgreSQL shell this
+query:
+
+```
+UPDATE queue SET attempt = 0 WHERE name = '<CRATE_NAME>';
+```
+
+### Pinning a version of nightly
+
+Sometimes the latest nightly might be broken, causing doc builds to fail. In
+those cases it's possible to tell docs.rs to stop updating to the latest
+nightly and instead pin a specific release. To do that you need to edit the
+`/home/cratesfyi/.docs-rs-env` file, adding or changing this environment
+variable:
+
+```
+CRATESFYI_TOOLCHAIN=nightly-YYYY-MM-DD
+```
+
+Once the file changed docs.rs needs to be restarted:
+
+```
+systemctl restart docs.rs
+```
+
+To return to the latest nightly simply remove the environment variable and
+restart docs.rs again.
+
+### Adding all the crates failed after a date back in the queue
+
+After an outage you might want to add all the failed builds back to the queue.
+To do that, log into the machine and open a PostgreSQL shell with:
+
+```
+psql
+```
+
+Then you can run this SQL query to add all the crates failed after `YYYY-MM-DD
+HH:MM:SS` back in the queue:
+
+```
+UPDATE queue SET attempt = 0 WHERE attempt >= 5 AND build_time > 'YYYY-MM-DD HH:MM:SS';
+```
+
+[repo]: https://github.com/rust-lang/docs.rs
+[grafana-instance]: https://grafana.rust-lang.org/d/rpXrFfKWz/instance-metrics?orgId=1&var-instance=docsrs.infra.rust-lang.org:9100
+[grafana-app]: https://grafana.rust-lang.org/d/-wWFg2cZz/docs-rs?orgId=1
+[bastion-connect]: https://github.com/rust-lang/infra-team/blob/master/docs/hosts/bastion.md#logging-into-servers-through-the-bastion
+[onur]: https://github.com/onur
+[QuietMisdreavus]: https://github.com/QuietMisdreavus

src/infra/docs/monitoring.md

@@ -0,0 +1,94 @@
+# Monitoring
+
+* Hosted on: `monitoring.infra.rust-lang.org` (behind the bastion -- [how to connect][bastion-connect])
+* Maintainers: [pietroalbini], infra team
+* Public URL: [grafana.rust-lang.org](https://grafana.rust-lang.org)
+* [Ansible playbook][ansible-playbook] to deploy this server.
+* [Instance metrics][grafana-instance] (only available to infra team members).
+
+## Service configuration
+
+Our monitoring service is composed of three parts: [Prometheus] to scrape,
+collect and monitor metrics, [Alertmanager] to dispatch the alerts generated by
+Prometheus, and [Grafana] to display the metrics. All the parts are configured
+through [Ansible].
+
+The metrics are not backed up, as Prometheus purges them after 7 days anyway,
+but the Grafana dashboards are stored in a PostgreSQL database, which is backed
+up with [restic] in the `rust-backups` bucket (`monitoring` subdirectory). The
+password to decrypt the backups is in 1password.
+
+## Common maintenance procedures
+
+### Scrape a new metrics source
+
+Prometheus works by periodically scraping a list of HTTP endpoints for metrics,
+written [in its custom format][metrics-format]. In our configuration the list
+is located in the `prometheus_scrape` section of the
+`ansible/playbooks/monitoring.yml` file in the [simpleinfra] repository.
+
+To add a new metrics source, add your endpoint to an existing job or, if the
+metrics you're scraping are not related to any other job, a new one. The
+endpoint must be reachable from the monitoring instance. You can read the
+[Prometheus documentation][prometheus-scrape] to find all the available
+options.
+
+### Create a new alert
+
+Alerts are generated by Prometheus every time a custom rule defined in its
+configuration evaluates to true. In our configuration the list of rules is
+located in the `prometheus_rule_groups` section of the
+`ansible/playbooks/monitoring.yml` file in the [simpleinfra] repository.
+
+To add a new alert you need to create an alerting rule either in an existing
+group or a new one. The full list of options is available in the [Prometheus
+documentation][prometheus-alert].
+
+### Add permissions to a user
+
+There are two steps needed to grant access to [our Grafana
+instance][grafana-ours] to an user.
+
+First of all, to enable the user to log into the instance with their GitHub
+account they need to be a member of a team authorized to log in. The list of
+teams is defined in the `grafana_github_teams` section of the
+`ansible/playbooks/monitoring.yml` file in the [simpleinfra] repository, and it
+contains a list of GitHub team IDs. To fetch an ID you can run this command:
+
+```
+curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/orgs/<ORG>/teams/<NAME> | jq .id
+```
+
+Once the user is a member of a team authorized to log in they will
+automatically be added to the main Grafana organization with "viewer"
+permissions. For infrastructure team members that needs to be changed to
+"admin" (in the "Configuration" -> "Users"), otherwise leave it as viewer.
+
+By default a viewer only has access to the unrestricted dashboards. To grant
+access to other dashboards you'll need to add them to a team (in the
+"Configuration" -> "Teams" page). It's also possible to grant admin privileges
+to the whole Grafana instance in the "Server Admin" -> "Users" ->
+"`<username>`" page. Do not grant those permissions except to trusted infra
+team members.
+
+## Additional resources
+
+* [Prometheus documentation][prometheus-docs]
+* [Grafana documentation][grafana-docs]
+
+[bastion-connect]: https://github.com/rust-lang/infra-team/blob/master/docs/hosts/bastion.md#logging-into-servers-through-the-bastion
+[pietroalbini]: https://github.com/pietroalbini
+[ansible-playbook]: https://github.com/rust-lang/simpleinfra/blob/master/ansible/playbooks/monitoring.yml
+[grafana-instance]: https://grafana.rust-lang.org/d/rpXrFfKWz/instance-metrics?orgId=1&var-instance=monitoring.infra.rust-lang.org:9100
+[Prometheus]: https://prometheus.io
+[Alertmanager]: https://prometheus.io/docs/alerting/alertmanager/
+[Grafana]: https://grafana.com
+[Ansible]: https://github.com/rust-lang/simpleinfra/tree/master/ansible
+[restic]: https://restic.net
+[metrics-format]: https://prometheus.io/docs/instrumenting/exposition_formats/
+[simpleinfra]: https://github.com/rust-lang/simpleinfra
+[prometheus-scrape]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
+[prometheus-alert]: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+[grafana-ours]: https://grafana.rust-lang.org
+[prometheus-docs]: https://prometheus.io/docs/introduction/overview/
+[grafana-docs]: https://grafana.com/docs/