From 55fdd83b4e521de274fe773bb4a08b28010524d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Tue, 16 Dec 2025 15:30:40 +0100 Subject: [PATCH 01/15] Add jump host to dev --- tf/environments/dev/main.tf | 68 ++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index af37c92b..c2663c62 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -1087,7 +1087,7 @@ module "ooni_anonc" { key_name = module.adm_iam_roles.oonidevops_key_name instance_type = "t3a.small" - name = "oonifastpath" + name = "anonc" ingress_rules = [{ from_port = 22, to_port = 22, 
@@ -1143,3 +1143,69 @@ resource "aws_route53_record" "anonc_alias" { module.ooni_anonc.aws_instance_public_dns ] } + +# Jump host for accessing postgres +module "ooni_jumphost" { + source = "../../modules/ec2" + + stage = local.environment + + vpc_id = module.network.vpc_id + subnet_id = module.network.vpc_subnet_public[0].id + private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block + dns_zone_ooni_io = local.dns_zone_ooni_io + + key_name = module.adm_iam_roles.oonidevops_key_name + instance_type = "t3.micro" + + name = "jumphost" + ingress_rules = [{ + from_port = 22, + to_port = 22, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 80, # for dehydrated challenge + to_port = 80, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 9100, # for node exporter metrics + to_port = 9100, + protocol = "tcp" + cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"], + }] + + egress_rules = [{ + from_port = 0, + to_port = 0, + protocol = "-1", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 0, + to_port = 0, + protocol = "-1", + ipv6_cidr_blocks = ["::/0"], + }] + + sg_prefix = "oonijump" + tg_prefix = "jumph" + + disk_size = 20 + + tags = merge( + local.tags, + { Name = "ooni-tier0-jumph" } + ) +} + +resource "aws_route53_record" "jumphost_alias" { + zone_id = local.dns_zone_ooni_io + name = "jumphost.${local.environment}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + module.ooni_jumphost.aws_instance_public_dns + ] +} From fc1521d9805e4fa82eba175b07d3b86910f26468 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Tue, 16 Dec 2025 15:50:00 +0100 Subject: [PATCH 02/15] reduce prefix len --- tf/environments/dev/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index c2663c62..cafeaa31 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf 
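Review bot: The first ingress rule of `module "ooni_jumphost"` opens port 22 to `0.0.0.0/0`, although the block's own comment says the host exists to reach postgres and it sits in a public subnet (`module.network.vpc_subnet_public[0].id`); `cidr_blocks` takes a list, so the SSH rule can be narrowed to the operator source ranges, e.g. `cidr_blocks = ["<OPERATOR_CIDR>"]  # placeholder: replace with the admin source range(s)`, leaving `0.0.0.0/0` only on port 80 where the dehydrated HTTP challenge genuinely needs it. The prod `oonipg` block touched in patch 11 already lists explicit external source addresses for the database, so such ranges appear to be known to the project. The same wide-open rule is repeated verbatim in the prod copy of this block added in patch 11 (hunk `@@ -1165,3 +1165,74 @@`), so both should be changed together.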
@@ -1189,7 +1189,7 @@ module "ooni_jumphost" { }] sg_prefix = "oonijump" - tg_prefix = "jumph" + tg_prefix = "jump" disk_size = 20 From 859f6e6c59fa11f75b72decc530033659c683265 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Tue, 16 Dec 2025 15:52:04 +0100 Subject: [PATCH 03/15] change tier of jumphost --- tf/environments/dev/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index cafeaa31..60cf7eba 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -1195,7 +1195,7 @@ module "ooni_jumphost" { tags = merge( local.tags, - { Name = "ooni-tier0-jumph" } + { Name = "ooni-tier3-jumph" } ) } From 8c03c6d701b23ede2e597ec1ff8a65927dd6978c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Tue, 16 Dec 2025 16:34:12 +0100 Subject: [PATCH 04/15] Add jump host to inventory --- ansible/inventory | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/inventory b/ansible/inventory index d2b73ba2..7cef2e64 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -46,4 +46,5 @@ openvpn2.htz-fsn.prod.ooni.nu [aws-backend] fastpath.dev.ooni.io fastpath.prod.ooni.io -anonc.dev.ooni.io \ No newline at end of file +anonc.dev.ooni.io +jumphost.dev.ooni.io From c940f6e91a8571d7535b3db9e745f348ec02f654 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Tue, 16 Dec 2025 16:34:28 +0100 Subject: [PATCH 05/15] Add jumphost playbook --- ansible/deploy-jumphost.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 ansible/deploy-jumphost.yml diff --git a/ansible/deploy-jumphost.yml b/ansible/deploy-jumphost.yml new file mode 100644 index 00000000..c62ff4ea --- /dev/null +++ b/ansible/deploy-jumphost.yml 
@@ -0,0 +1,15 @@ +--- +- name: Deploy jumphost + hosts: + - jumphost.dev.ooni.io + become: true + roles: + - role: bootstrap + - role: nginx + - role: prometheus_node_exporter + vars: + node_exporter_port: 9100 + node_exporter_host: "0.0.0.0" + prometheus_nginx_proxy_config: + - location: /metrics/node_exporter + proxy_pass: http://127.0.0.1:9100/metrics From 958b8c32cc00b1a4aaa9f578b07ddb8386226e05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 11:39:42 +0100 Subject: [PATCH 06/15] Make monitoring ignore jump host; install psql in jump host --- ansible/deploy-jumphost.yml | 1 + tf/environments/dev/main.tf | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ansible/deploy-jumphost.yml b/ansible/deploy-jumphost.yml index c62ff4ea..8ff6f4a8 100644 --- a/ansible/deploy-jumphost.yml +++ b/ansible/deploy-jumphost.yml @@ -13,3 +13,4 @@ prometheus_nginx_proxy_config: - location: /metrics/node_exporter proxy_pass: http://127.0.0.1:9100/metrics + - role: jumphost diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 60cf7eba..a49d4fd3 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -1173,7 +1173,7 @@ module "ooni_jumphost" { from_port = 9100, # for node exporter metrics to_port = 9100, protocol = "tcp" - cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"], + cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32", "${module.ooni_monitoring_proxy.aws_instance_public_ip}/32"], }] egress_rules = [{ @@ -1193,6 +1193,8 @@ module "ooni_jumphost" { disk_size = 20 + monitoring_active = "false" + tags = merge( local.tags, { Name = "ooni-tier3-jumph" } From 8d395de339439690ac3f94549a2ac68dc16c658f Mon Sep 17 00:00:00 2001 
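Review bot: `node_exporter_host: "0.0.0.0"` binds node_exporter on every interface while the same play configures nginx to proxy `/metrics/node_exporter` to `http://127.0.0.1:9100/metrics`, so the metrics end up reachable both directly on 9100 and through nginx. If the nginx path is the intended scrape route, `node_exporter_host: "127.0.0.1"` would close the direct one; if the direct path is intended (the security-group rule on 9100 in the terraform block suggests it may be), a comment on the `vars:` block such as `# node_exporter is scraped directly on 9100 by the monitoring proxy; the nginx location is <REASON>` would stop the next reader from removing one of the two. `hosts:` also lists individual FQDNs instead of an inventory group, which is why patch 13 has to extend it by hand for prod.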
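Review bot: Adding `module.ooni_monitoring_proxy.aws_instance_public_ip` to the 9100 rule implies scrapes arrive from the proxy's public address, i.e. the plain-HTTP node_exporter endpoint is reached over the public path rather than inside the VPC; if so, the metrics leave the VPC unencrypted, and routing the scrape through the nginx proxy the playbook already sets up (presumably what the port-80 dehydrated challenge is for) would avoid exposing raw 9100 on the public interface at all. If the public `/32` was added only because the proxy's outbound traffic does not carry its private address and the private `/32` never matched, a comment beside the rule recording that, e.g. `# proxy scrapes via its public IP; private /32 alone did not match`, would explain why both entries are kept. The enclosing `module "ooni_jumphost"` block starts outside this hunk, and the prod copy in patch 11 carries the same pair of entries.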
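Review bot: `monitoring_active = "false"` passes a boolean as a quoted string; if the ec2 module declares the variable as `bool` (not visible here) the bare `monitoring_active = false` is the idiomatic form and does not rely on Terraform's string-to-bool conversion, and if it declares it as `string` the quoting is deliberate and deserves a comment saying so. The other `../../modules/ec2` instances in this file would show which convention the module expects, and it is worth settling before the prod block in patch 11 repeats the string form. The enclosing `module "ooni_jumphost"` block starts outside this hunk.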
From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 11:49:21 +0100 Subject: [PATCH 07/15] Create role for jumphost --- ansible/roles/jumphost/handlers/main.yml | 5 +++++ ansible/roles/jumphost/tasks/main.yml | 26 ++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 ansible/roles/jumphost/handlers/main.yml create mode 100644 ansible/roles/jumphost/tasks/main.yml diff --git a/ansible/roles/jumphost/handlers/main.yml b/ansible/roles/jumphost/handlers/main.yml new file mode 100644 index 00000000..3ee34178 --- /dev/null +++ b/ansible/roles/jumphost/handlers/main.yml @@ -0,0 +1,5 @@ +- name: reload nftables + tags: nftables + ansible.builtin.systemd_service: + name: nftables + state: reloaded diff --git a/ansible/roles/jumphost/tasks/main.yml b/ansible/roles/jumphost/tasks/main.yml new file mode 100644 index 00000000..94199f1d --- /dev/null +++ b/ansible/roles/jumphost/tasks/main.yml @@ -0,0 +1,26 @@ +--- +# For prometheus scrape requests +- name: Flush all handlers + meta: flush_handlers + +- name: Allow traffic on port 9100 + become: true + tags: + - prometheus-proxy + - jumphost + blockinfile: + path: /etc/ooni/nftables/tcp/9100.nft + create: yes + block: | + add rule inet filter input tcp dport 9100 counter accept comment "node exporter" + notify: + - reload nftables + +- name: Install psql + become: true + tags: + - jumphost + apt: + name: postgresql-client + state: present + update_cache: yes From 3eacf2904f456577cc9c742a9ca2ca8bd239224b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 12:07:30 +0100 Subject: [PATCH 08/15] Add jumphost to allow list of security groups in pg database --- tf/environments/dev/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index a49d4fd3..5b562fcf 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf 
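Review bot: The nftables rule written to `/etc/ooni/nftables/tcp/9100.nft` accepts TCP 9100 from any source (`add rule inet filter input tcp dport 9100 counter accept`), so the only thing limiting who can read node_exporter is the AWS security group; a host-level source restriction would keep the two layers independent, e.g. `add rule inet filter input ip saddr <MONITORING_PROXY_IP> tcp dport 9100 counter accept comment "node exporter"` with the address supplied as a role variable (placeholder — the proxy addresses are only visible on the terraform side here). The `meta: flush_handlers` placed first in the role runs before this task notifies `reload nftables`, so it can only flush handlers queued by the earlier roles; that is presumably the intent, but the comment `# For prometheus scrape requests` reads as if it were tied to the 9100 change, so rewording it to say what is being flushed and why would help. The tasks also use the short `blockinfile`/`apt` names while the handler in the same role uses the fully-qualified `ansible.builtin.systemd_service`; picking one form (`ansible.builtin.apt`, `ansible.builtin.blockinfile`) keeps the role consistent.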
@@ -159,7 +159,7 @@ module "oonipg" { db_max_allocated_storage = null allow_cidr_blocks = module.network.vpc_subnet_private[*].cidr_block - allow_security_groups = [] + allow_security_groups = [module.ooni_jumphost.ec2_sg_id] tags = merge( local.tags, From f5274c41d4abea547967133cc03d46852c3fbf18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 12:10:36 +0100 Subject: [PATCH 09/15] Add context comment --- tf/environments/dev/main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 5b562fcf..d523c4fc 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -1193,6 +1193,9 @@ module "ooni_jumphost" { disk_size = 20 + # This host will be turned off most of the times and + # the monitoring system will think it's down, so it's + # not worth monitoring monitoring_active = "false" tags = merge( From 3eb612fb9aad928398ce2bda9fc11b6fb2b91884 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 12:32:55 +0100 Subject: [PATCH 10/15] Add utilities section for jumphost --- ansible/roles/jumphost/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ansible/roles/jumphost/tasks/main.yml b/ansible/roles/jumphost/tasks/main.yml index 94199f1d..14e95e9b 100644 --- a/ansible/roles/jumphost/tasks/main.yml +++ b/ansible/roles/jumphost/tasks/main.yml @@ -24,3 +24,12 @@ name: postgresql-client state: present update_cache: yes + +- name: Install utilities + become: true + tags: + - jumphost + apt: + name: jq + state: present + update_cache: yes From 6770f68c5a52445493c7cf5819687fbdd961a2c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 13:28:11 +0100 Subject: [PATCH 11/15] Add jumphost to prod --- tf/environments/prod/main.tf | 73 +++++++++++++++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) 
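Review bot: The new `Install utilities` task repeats the `Install psql` task above it (same `become`, tags, `state: present`, `update_cache: yes`) for one extra package, so every run now refreshes the apt cache twice; `apt` accepts a list, so the two can be a single task with `name: [postgresql-client, jq]`, and `update_cache: yes` can be paired with `cache_valid_time: 3600` so repeated plays do not hit the mirrors each time. The role's tasks file starts outside this hunk.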
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index ce3b24c5..b13f1d85 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -183,7 +183,7 @@ module "oonipg" { # ams-ps "37.218.245.90/32" ] - allow_security_groups = [] + allow_security_groups = [module.ooni_jumphost.ec2_sg_id] tags = merge( local.tags, 
@@ -1165,3 +1165,74 @@ module "ooni_monitoring" { tags = local.tags } + +# Jump host for accessing postgres +module "ooni_jumphost" { + source = "../../modules/ec2" + + stage = local.environment + + vpc_id = module.network.vpc_id + subnet_id = module.network.vpc_subnet_public[0].id + private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block + dns_zone_ooni_io = local.dns_zone_ooni_io + + key_name = module.adm_iam_roles.oonidevops_key_name + instance_type = "t3.micro" + + name = "jumphost" + ingress_rules = [{ + from_port = 22, + to_port = 22, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 80, # for dehydrated challenge + to_port = 80, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 9100, # for node exporter metrics + to_port = 9100, + protocol = "tcp" + cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32", "${module.ooni_monitoring_proxy.aws_instance_public_ip}/32"], + }] + + egress_rules = [{ + from_port = 0, + to_port = 0, + protocol = "-1", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 0, + to_port = 0, + protocol = "-1", + ipv6_cidr_blocks = ["::/0"], + }] + + sg_prefix = "oonijump" + tg_prefix = "jump" + + disk_size = 20 + + # This host will be turned off most of the times and + # the monitoring system will think it's down, so it's + # not worth monitoring + monitoring_active = "false" + + tags = merge( + local.tags, + { Name = "ooni-tier3-jumph" } + ) +} + +resource "aws_route53_record" "jumphost_alias" { + zone_id = local.dns_zone_ooni_io + name = "jumphost.${local.environment}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + module.ooni_jumphost.aws_instance_public_dns + ] +} From f3525218f288b1d856c53d0631f0d5384fffccde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 13:40:49 +0100 Subject: [PATCH 12/15] Add jumphost prod to inventory --- ansible/inventory | 1 + 1 file changed, 1 insertion(+) 
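Review bot: This `module "ooni_jumphost"` block is a line-for-line copy of the dev one from patch 01 with the fix-ups of patches 02, 03, 06 and 09 folded in — the dev copy needed three follow-up commits for `tg_prefix`, the tier tag and the monitoring flag, which is exactly the drift a second copy invites. Since the environment-specific inputs already come from `local.environment` and the `module.network`/`module.ooni_monitoring_proxy` outputs, a small wrapper module, or at least a `# keep in sync with tf/environments/dev/main.tf` comment above both copies, would keep the ingress rules, prefixes and tags from diverging. The names also use three spellings in one block (`name = "jumphost"`, `tg_prefix = "jump"`, `Name = "ooni-tier3-jumph"`); if the `jumph` tag is a leftover from the length reduction in patch 02 rather than deliberate, aligning it now is cheaper than later.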
diff --git a/ansible/inventory b/ansible/inventory index 7cef2e64..7437f1af 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -48,3 +48,4 @@ fastpath.dev.ooni.io fastpath.prod.ooni.io anonc.dev.ooni.io jumphost.dev.ooni.io +jumphost.prod.ooni.io From bf45d5a0853344a5025c392d686cc3448338b09f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Wed, 17 Dec 2025 13:41:25 +0100 Subject: [PATCH 13/15] Add jumphost to target hosts in jumphost playbook --- ansible/deploy-jumphost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/deploy-jumphost.yml b/ansible/deploy-jumphost.yml index 8ff6f4a8..57e87190 100644 --- a/ansible/deploy-jumphost.yml +++ b/ansible/deploy-jumphost.yml @@ -2,6 +2,7 @@ - name: Deploy jumphost hosts: - jumphost.dev.ooni.io + - jumphost.prod.ooni.io become: true roles: - role: bootstrap From 41956b64e0c91348364419fb22f76c9e57c86cc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 18 Dec 2025 12:45:33 +0100 Subject: [PATCH 14/15] Add private ip of jumphost to allow allow block of pg --- tf/environments/prod/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index b13f1d85..13a8f957 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -181,7 +181,9 @@ module "oonipg" { # airflow host "142.132.254.225/32", # ams-ps - "37.218.245.90/32" + "37.218.245.90/32", + # Jumphost + "${module.ooni_jumphost.aws_instance_private_ip}/32" ] allow_security_groups = [module.ooni_jumphost.ec2_sg_id] From 9a89f9dcb5f3f93c2b544ccdff145ecdf82939aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 18 Dec 2025 12:48:40 +0100 Subject: [PATCH 15/15] Add public ip of jumphost to allow block of pg --- tf/environments/prod/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index 13a8f957..856dccc6 100644 
--- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -183,7 +183,7 @@ module "oonipg" { # ams-ps "37.218.245.90/32", # Jumphost - "${module.ooni_jumphost.aws_instance_private_ip}/32" + "${module.ooni_jumphost.aws_instance_public_ip}/32" ] allow_security_groups = [module.ooni_jumphost.ec2_sg_id]
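Review bot: After this patch the jumphost is allowed into postgres twice — by its security group in `allow_security_groups` and by its public address in `allow_cidr_blocks` — and the two entries match different paths: the SG reference only applies to connections that reach the database from the instance's private address inside the VPC, whereas the public `/32` only matters if the connection leaves the VPC and returns through a public endpoint. That the private `/32` from patch 14 had to be swapped for the public one suggests the client is connecting via a public database address, in which case the SG entry does nothing and the cleaner fix is to point `psql` at the VPC-internal endpoint so the SG rule alone suffices and the public `/32` can be dropped. Note also that the dev block's comment says this host will be stopped most of the time; unless the ec2 module attaches an Elastic IP (not visible here), `aws_instance_public_ip` changes on every stop/start and this allow-list entry is stale until the next `terraform apply`. Whichever path is kept, a comment beside the entry such as `# Jumphost connects via the public DB endpoint because <REASON>` should record why, and the enclosing `module "oonipg"` block continues outside this hunk.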