ooni · LDiazN · Dec 19, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/ansible/deploy-jumphost.yml b/ansible/deploy-jumphost.yml
@@ -0,0 +1,17 @@
+---
+- name: Deploy jumphost
+  hosts:
+    - jumphost.dev.ooni.io
+    - jumphost.prod.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: nginx
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config:
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics
+    - role: jumphost
diff --git a/ansible/inventory b/ansible/inventory
@@ -46,4 +46,6 @@ openvpn2.htz-fsn.prod.ooni.nu
 [aws-backend]
 fastpath.dev.ooni.io
 fastpath.prod.ooni.io
-anonc.dev.ooni.io
+anonc.dev.ooni.io
+jumphost.dev.ooni.io
+jumphost.prod.ooni.io
diff --git a/ansible/roles/jumphost/handlers/main.yml b/ansible/roles/jumphost/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded
diff --git a/ansible/roles/jumphost/tasks/main.yml b/ansible/roles/jumphost/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers
+  meta: flush_handlers
+
+- name: Allow traffic on port 9100
+  become: true
+  tags:
+    - prometheus-proxy
+    - jumphost
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables
+
+- name: Install psql
+  become: true
+  tags:
+    - jumphost
+  apt:
+    name: postgresql-client
+    state: present
+    update_cache: yes
+
+- name: Install utilities
+  become: true
+  tags:
+    - jumphost
+  apt:
+    name: jq
+    state: present
+    update_cache: yes
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -159,7 +159,7 @@ module "oonipg" {
   db_max_allocated_storage = null
 
   allow_cidr_blocks     = module.network.vpc_subnet_private[*].cidr_block
-  allow_security_groups = []
+  allow_security_groups = [module.ooni_jumphost.ec2_sg_id]
 
   tags = merge(
     local.tags,
@@ -1087,7 +1087,7 @@ module "ooni_anonc" {
   key_name      = module.adm_iam_roles.oonidevops_key_name
   instance_type = "t3a.small"
 
-  name = "oonifastpath"
+  name = "anonc"
   ingress_rules = [{
     from_port   = 22,
     to_port     = 22,
@@ -1143,3 +1143,74 @@ resource "aws_route53_record" "anonc_alias" {
     module.ooni_anonc.aws_instance_public_dns
   ]
 }
+
+# Jump host for accessing postgres
+module "ooni_jumphost" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3.micro"
+
+  name = "jumphost"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80, # for dehydrated challenge
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 9100, # for node exporter metrics
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32", "${module.ooni_monitoring_proxy.aws_instance_public_ip}/32"],
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"],
+  }]
+
+  sg_prefix = "oonijump"
+  tg_prefix = "jump"
+
+  disk_size = 20
+
+  # This host will be turned off most of the times and
+  # the monitoring system will think it's down, so it's
+  # not worth monitoring
+  monitoring_active = "false"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier3-jumph" }
+  )
+}
+
+resource "aws_route53_record" "jumphost_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "jumphost.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_jumphost.aws_instance_public_dns
+  ]
+}
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
@@ -181,9 +181,11 @@ module "oonipg" {
     # airflow host
     "142.132.254.225/32",
     # ams-ps
-    "37.218.245.90/32"
+    "37.218.245.90/32",
+    # Jumphost
+    "${module.ooni_jumphost.aws_instance_public_ip}/32"
   ]
-  allow_security_groups = []
+  allow_security_groups = [module.ooni_jumphost.ec2_sg_id]
 
   tags = merge(
     local.tags,
@@ -1165,3 +1167,74 @@ module "ooni_monitoring" {
 
   tags = local.tags
 }
+
+# Jump host for accessing postgres
+module "ooni_jumphost" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3.micro"
+
+  name = "jumphost"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80, # for dehydrated challenge
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 9100, # for node exporter metrics
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32", "${module.ooni_monitoring_proxy.aws_instance_public_ip}/32"],
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"],
+  }]
+
+  sg_prefix = "oonijump"
+  tg_prefix = "jump"
+
+  disk_size = 20
+
+  # This host will be turned off most of the times and
+  # the monitoring system will think it's down, so it's
+  # not worth monitoring
+  monitoring_active = "false"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier3-jumph" }
+  )
+}
+
+resource "aws_route53_record" "jumphost_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "jumphost.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_jumphost.aws_instance_public_dns
+  ]
+}