Feed proxy config

[traines-source]

A proposal on how to setup a (GTFSRT/GBFS) feed proxy.
Basic idea:

• decide for which feeds to use the proxy
• encrypt secrets using a special Ansible vault using e.g. ansible-vault encrypt_string --vault-id feed-proxy@/etc/feed-proxy.vault 'foobar' --name 'Authorization' and put them into ansible/roles/feed-proxy/vars/feed-secrets.yml to override fields in the same dictionary structure (url and headers) as in the feed jsons – multiple GTFS-RT feeds are numbered consecutively from 0
• on the proxy machine, setup a cronjob that periodically runs git pull && cd ansible && ansible-playbook --vault-id feed-proxy@/etc/feed-proxy.vault -e "feed_proxy_host=proxy.example.com" feed-proxy.yml.

feed-proxy vault pass can be obtained from ansible/roles/feed-proxy/vars/feed-secrets-vault-pass.yml using the main vault password or via PM.

TODO

• should the proxy be enabled or disabled by default for each feed? – for easy changing of the default later on, use-feed-proxy can and should be set to either false or true where it is relevant in the feed jsons
• better way to handle multiple RT feeds with same ID? – put vault-encrypted secrets directly into the respective feed jsons instead? (needs a bit more tinkering and makes the jsons less readable/useful)
• complete nginx setup (currently commented out) if needed
• maybe instead of running periodically independently, run as part of the import pipeline with a hook?
• do we need a backwards compat feature? (Currently, as soon as the script is run, the proxy will obviously forget about previously configured feeds/feed ids - might lead to RT outages)
• end-to-end testing
• set actual FEED_PROXY url
• other propositions?

[jbruechert]

Suggested change

	"url": source.url if use_original_url else FEED_PROXY+name+"-"+str(len(config["timetable"]["datasets"][name]["rt"]))
	"url": source.url if use_original_url else FEED_PROXY + name + "-" + str(len(config["timetable"]["datasets"][name]["rt"]))