Add Docker provider for Vagrant development environment

See merge request tildes-community/tildes-cf!1

Vagrantfile

@@ -4,8 +4,7 @@
 VAGRANT_CONFIG_VERSION = "2"
 
 Vagrant.configure(VAGRANT_CONFIG_VERSION) do |config|
-  # Using the "contrib" version for vboxsf module for synced folders
-  config.vm.box = "debian/contrib-buster64"
+  config.vm.box = "debian/bookworm64"
 
   # Main application folder
   config.vm.synced_folder "tildes/", "/opt/tildes/"
@@ -16,18 +15,11 @@ Vagrant.configure(VAGRANT_CONFIG_VERSION) do |config|
   config.vm.network "forwarded_port", guest: 9090, host: 9090
 
   config.vm.provision "ansible_local" do |ansible|
+    ansible.install = true
     ansible.install_mode = "pip"
-
-    # Since Debian Buster still uses Python 2.7 by default and the pip bootstrap
-    # script is no longer compatible with 2.7, we need to specify the installation
-    # command manually. If we upgrade to a newer version of Debian that defaults to
-    # Python 3.6+, this should no longer be necessary.
-    ansible.pip_install_cmd = "sudo apt-get install -y python3-distutils && curl -s https://bootstrap.pypa.io/get-pip.py | sudo python3"
-
-    # Vagrant doesn't currently recognize the new format for Ansible versions
-    # (e.g. "ansible [core 2.11.1]"), so the compatibility mode is set incorrectly.
-    # A new version of Vagrant should resolve this soon.
-    ansible.compatibility_mode = "2.0"
+    ansible.version = "10.6.0"
+    ansible.pip_install_cmd = "sudo apt-get install -y python3-pip"
+    ansible.pip_args = "--break-system-packages"
 
     # put the VM into the "dev" and "app_server" Ansible groups
     ansible.groups = {
@@ -43,4 +35,19 @@ Vagrant.configure(VAGRANT_CONFIG_VERSION) do |config|
       vb.memory = "4096"
       vb.cpus = "4"
   end
+
+  config.vm.provider "docker" do |d, override|
+    # Docker does not require config.vm.box
+    override.vm.box = nil
+    # Instead, specify build_dir where Dockerfile is located.
+    d.build_dir = "./docker"
+    d.dockerfile = "Dockerfile-for-vagrant"
+
+    # Keep Docker container running indefinitely
+    d.remains_running = true
+    d.create_args = ["--detach", "--tty"]
+
+    # SSH configuration
+    d.has_ssh = true
+  end
 end

ansible/playbook.yml

@@ -6,10 +6,23 @@
   roles:
     - common
 
+# Do some dev tasks before app_server,
+# e.g. self_signed_ssl_cert should be done before nginx
+- hosts: dev
+  become: true
+  vars_files:
+    - vars.yml
+  roles:
+    - self_signed_ssl_cert
+
 - hosts: app_server
   become: true
   vars_files:
     - vars.yml
+  module_defaults:
+    ansible.builtin.systemd_service:
+      # In Docker, systemctl3.py needs daemon_reload to detect new/updated service files
+      daemon_reload: "{{ is_docker }}"
   roles:
     - cmark-gfm
     - pts_lbsearch
@@ -39,7 +52,6 @@
   vars_files:
     - vars.yml
   roles:
-    - self_signed_ssl_cert
     - prometheus
     - java
     - nodejs

ansible/requirements.yml

@@ -1,3 +1,5 @@
 ---
 collections:
   - community.general
+  - community.postgresql
+  - community.crypto

ansible/roles/boussole/tasks/main.yml

@@ -13,12 +13,6 @@
     group: root
     mode: 0644
 
-- name: Start and enable boussole service
-  service:
-    name: boussole
-    state: started
-    enabled: true
-
 - name: Create directory for compiled CSS
   file:
     path: "{{ app_dir }}/static/css"
@@ -27,6 +21,12 @@
     group: "{{ app_username }}"
     mode: 0755
 
+- name: Start and enable boussole service
+  systemd_service:
+    name: boussole
+    state: started
+    enabled: true
+
 - name: Check if any compiled CSS files exist
   find:
     path: "{{ app_dir }}/static/css"

ansible/roles/consumers/tasks/main.yml

@@ -9,7 +9,7 @@
   loop: "{{ consumers }}"
 
 - name: Start and enable all consumer services
-  service:
+  systemd_service:
     name: consumer-{{ item }}
     state: started
     enabled: true

ansible/roles/cronjobs/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: Install cron
+  apt:
+    name: cron
+
 - name: Add cronjob for lifting expired temporary bans
   cron:
     name: lift_expired_temporary_bans

ansible/roles/gunicorn/tasks/main.yml

@@ -24,7 +24,7 @@
     mode: 0644
 
 - name: Start and enable gunicorn.socket service
-  service:
+  systemd_service:
     name: gunicorn.socket
     state: started
     enabled: true
@@ -47,8 +47,17 @@
     group: root
     mode: 0644
 
-- name: Start and enable gunicorn_reloader path-monitoring service
-  service:
+- name: Start and enable gunicorn_reloader path-monitoring service, with fallback
+  block:
+  - name: Start and enable gunicorn_reloader path-monitoring service
+    systemd_service:
       name: gunicorn_reloader.path
       state: started
       enabled: true
+  rescue:
+  # Likely Docker; systemctl3.py doesn't support .path, so enable .service here
+  - name: Start and enable gunicorn.service (if .path service fails)
+    systemd_service:
+      name: gunicorn.service
+      state: started
+      enabled: true

ansible/roles/java/tasks/main.yml

@@ -1,4 +1,4 @@
 ---
 - name: Install OpenJDK Java runtime
   apt:
-    name: openjdk-11-jre
+    name: openjdk-17-jre

ansible/roles/nginx/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Reload nginx
-  service:
+  systemd_service:
     name: nginx
     state: reloaded

ansible/roles/nginx/tasks/main.yml

@@ -1,21 +1,23 @@
 ---
-- name: Add APT key for nginx repository
-  apt_key:
-    url: https://nginx.org/keys/nginx_signing.key
-
-- name: Add nginx APT repository
-  apt_repository:
-    repo: deb http://nginx.org/packages/debian/ buster nginx
-
 - name: Install nginx
   apt:
     name: nginx
 
-- name: Start and enable nginx service
-  service:
+- name: Remove nginx from init.d (may conflict with systemd service)
+  file:
+    path: /etc/init.d/nginx
+    state: absent
+  when: is_docker
+
+- name: Update rc.d to reflect init.d removal
+  command:
+    cmd: update-rc.d nginx remove
+  when: is_docker
+
+- name: Create nginx user
+  user:
     name: nginx
-    state: started
-    enabled: true
+    create_home: false
 
 - name: Create nginx.conf file
   template:
@@ -43,6 +45,19 @@
     group: root
     mode: 0744
 
+- name: Disable nginx default site
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify:
+    - Reload nginx
+
+- name: Start and enable nginx service
+  systemd_service:
+    name: nginx
+    state: started
+    enabled: true
+
 - name: Add logrotate config
   copy:
     src: logrotate

ansible/roles/nodejs/tasks/main.yml

@@ -1,15 +1,9 @@
 ---
-- name: Add APT key for NodeSource Node.js repository
-  apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
-
-- name: Add NodeSource Node.js APT repository
-  apt_repository:
-    repo: deb https://deb.nodesource.com/node_14.x buster main
-
 - name: Install Node.js
   apt:
-    name: nodejs
+    name:
+      - nodejs
+      - npm
 
 - name: Install npm packages defined in package.json
   become_user: "{{ app_username }}"
@@ -18,6 +12,3 @@
     # --no-bin-links option is needed to prevent npm from creating symlinks in the .bin
     # directory, which doesn't work inside Vagrant on Windows
     no_bin_links: true
-    # npm ci needs to be run, for a clean install, instead of npm install.
-    # otherwise node_modules is never created/updated (Ansible bug?)
-    ci: true

ansible/roles/pgbouncer/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Reload pgbouncer
-  service:
+  systemd_service:
     name: pgbouncer
     state: reloaded

ansible/roles/pgbouncer/tasks/main.yml

@@ -3,6 +3,17 @@
   apt:
     name: pgbouncer
 
+- name: Remove pgbouncer from init.d (may conflict with systemd service)
+  file:
+    path: /etc/init.d/pgbouncer
+    state: absent
+  when: is_docker
+
+- name: Update rc.d to reflect init.d removal
+  command:
+    cmd: update-rc.d pgbouncer remove
+  when: is_docker
+
 - name: Add pgbouncer.ini
   template:
     src: pgbouncer.ini.jinja2
@@ -25,7 +36,7 @@
     - Reload pgbouncer
 
 - name: Start and enable pgbouncer service
-  service:
+  systemd_service:
     name: pgbouncer
     state: started
     enabled: true

ansible/roles/postgresql/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-postgresql_version: 13
+postgresql_version: 15
 
 # Users of this role can define postgresql_settings, which will be merged with
 # this base _postgresql_settings

ansible/roles/postgresql/handlers/main.yml

@@ -1,10 +1,6 @@
 ---
 - name: Restart postgresql
-  service:
-    name: postgresql
-    state: restarted
+  include_tasks: restart.yml
 
 - name: Reload postgresql
-  service:
-    name: postgresql
-    state: reloaded
+  include_tasks: reload.yml

ansible/roles/postgresql/tasks/main.yml

@@ -1,22 +1,31 @@
 ---
-- name: Add APT key for PostgreSQL repository
-  apt_key:
-    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
-
-- name: Add PostgreSQL APT repository
-  apt_repository:
-    repo: deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main
-
 - name: Install PostgreSQL
   apt:
     name: postgresql-{{ postgresql_version }}
 
-- name: Start and enable PostgreSQL service
-  service:
+- name: Remove postgresql from init.d (may conflict with systemd service)
+  file:
+    path: /etc/init.d/postgresql
+    state: absent
+  when: is_docker
+
+- name: Update rc.d to reflect init.d removal
+  command:
+    cmd: update-rc.d postgresql remove
+  when: is_docker
+
+- name: Start and enable PostgreSQL meta unit service
+  systemd_service:
     name: postgresql
     state: started
     enabled: true
 
+- name: Start and enable PostgreSQL cluster service
+  systemd_service:
+    name: postgresql@{{ postgresql_version }}-main
+    state: started
+    enabled: true
+
 - name: Set configuration options in postgresql.conf
   lineinfile:
     path: /etc/postgresql/{{ postgresql_version }}/main/postgresql.conf

ansible/roles/postgresql/tasks/reload.yml

@@ -0,0 +1,10 @@
+---
+- name: Reload PostgreSQL meta unit service
+  systemd_service:
+    name: postgresql
+    state: reloaded
+
+- name: Reload PostgreSQL cluster service
+  systemd_service:
+    name: postgresql@{{ postgresql_version }}-main
+    state: reloaded

ansible/roles/postgresql/tasks/restart.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart PostgreSQL meta unit service
+  systemd_service:
+    name: postgresql
+    state: restarted
+
+- name: Restart PostgreSQL cluster service
+  systemd_service:
+    name: postgresql@{{ postgresql_version }}-main
+    state: restarted

ansible/roles/postgresql_redis_bridge/tasks/main.yml

@@ -7,7 +7,7 @@
     mode: 0644
 
 - name: Start and enable postgresql_redis_bridge service
-  service:
+  systemd_service:
     name: postgresql_redis_bridge
     state: started
     enabled: true

ansible/roles/postgresql_tildes_dbs/tasks/main.yml

@@ -9,6 +9,7 @@
 - name: Install packages needed by Ansible community plugins
   pip:
     executable: pip3
+    break_system_packages: true
     name:
       - ipaddress
       - psycopg2

ansible/roles/prometheus/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Restart prometheus
-  service:
+  systemd_service:
     name: prometheus
     state: restarted

ansible/roles/prometheus/tasks/main.yml

@@ -53,7 +53,7 @@
     - Restart prometheus
 
 - name: Start and enable prometheus service
-  service:
+  systemd_service:
     name: prometheus
     state: started
     enabled: true

ansible/roles/prometheus_node_exporter/tasks/main.yml

@@ -2,12 +2,20 @@
 - name: Create prometheus user and group
   import_tasks: prometheus_user.yml
 
-- name: Download node_exporter from GitHub
+- name: Download node_exporter from GitHub (x86_64 / amd64)
+  when: ansible_facts['architecture'] == 'x86_64'
   get_url:
     dest: /tmp/prometheus_node_exporter.tar.gz
     url: https://github.com/prometheus/node_exporter/releases/download/v0.13.0/node_exporter-0.13.0.linux-amd64.tar.gz
     checksum: sha256:2de5d1e51330c41588ed4c88bc531a3d2dccf6b4d7b99d5782d95cff27a3c049
 
+- name: Download node_exporter from GitHub (aarch64 / arm64)
+  when: ansible_facts['architecture'] == 'aarch64'
+  get_url:
+    dest: /tmp/prometheus_node_exporter.tar.gz
+    url: https://github.com/prometheus/node_exporter/releases/download/v0.13.0/node_exporter-0.13.0.linux-arm64.tar.gz
+    checksum: sha256:a7f9db18b590e068ada68d3e1edd1bd0a9db43e3ee8f69517a49768ec8988a4c
+
 - name: Create node_exporter directory
   file:
     path: /opt/prometheus_node_exporter
@@ -36,7 +44,7 @@
     mode: 0644
 
 - name: Start and enable node_exporter service
-  service:
+  systemd_service:
     name: prometheus_node_exporter
     state: started
     enabled: true

ansible/roles/prometheus_postgres_exporter/tasks/main.yml

@@ -41,7 +41,7 @@
     mode: 0644
 
 - name: Start and enable postgres_exporter service
-  service:
+  systemd_service:
     name: prometheus_postgres_exporter
     state: started
     enabled: true

ansible/roles/prometheus_redis_exporter/tasks/main.yml

@@ -34,7 +34,7 @@
     mode: 0644
 
 - name: Start and enable redis_exporter service
-  service:
+  systemd_service:
     name: prometheus_redis_exporter
     state: started
     enabled: true

ansible/roles/python/tasks/main.yml

@@ -11,7 +11,7 @@
       get_url:
         dest: /tmp/python.tar.gz
         url: https://www.python.org/ftp/python/{{ python_full_version }}/Python-{{ python_full_version }}.tgz
-        checksum: sha256:e0fbd5b6e1ee242524430dee3c91baf4cbbaba4a72dd1674b90fda87b713c7ab
+        checksum: sha256:1e71f006222666e0a39f5a47be8221415c22c4dd8f25334cc41aee260b3d379e
 
     - name: Create temp directory to extract Python to
       file:

ansible/roles/redis/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Restart redis
-  service:
+  systemd_service:
     name: redis
     state: restarted

ansible/roles/redis/tasks/main.yml

@@ -102,11 +102,12 @@
   changed_when: false
 
 - name: Start and enable "disable transparent hugepage" service
-  service:
+  systemd_service:
     name: transparent_hugepage.service
     state: started
     enabled: true
   when: "'[never]' not in transparent_hugepage.stdout"
+  ignore_errors: "{{ is_docker }}"
 
 - name: Check if kernel overcommit mode is already set
   command:
@@ -118,14 +119,16 @@
   command:
     cmd: sysctl vm.overcommit_memory=1
   when: overcommit_memory.stdout == "0"
+  ignore_errors: "{{ is_docker }}"
 
 - name: Make kernel overcommit mode permanent (recommended by Redis, requires restart)
   lineinfile:
     path: /etc/sysctl.conf
     line: vm.overcommit_memory = 1
+  ignore_errors: "{{ is_docker }}"
 
 - name: Start and enable redis service
-  service:
+  systemd_service:
     name: redis
     state: started
     enabled: true

ansible/roles/redis_module_cell/tasks/main.yml

@@ -1,9 +1,17 @@
 ---
-- name: Download redis-cell Redis module from GitHub
+- name: Download redis-cell Redis module (x86_64) from GitHub
+  when: ansible_facts['architecture'] == 'x86_64'
   get_url:
     dest: /tmp/redis-cell.tar.gz
-    url: https://github.com/brandur/redis-cell/releases/download/v0.2.1/redis-cell-v0.2.1-x86_64-unknown-linux-gnu.tar.gz
-    checksum: sha256:9427fb100f4cada817f30f854ead7f233de32948a0ec644f15988c275a2ed1cb
+    url: https://github.com/brandur/redis-cell/releases/download/v0.4.0/redis-cell-v0.4.0-x86_64-unknown-linux-gnu.tar.gz
+    checksum: sha256:f86380f692c3852502e7c8924915a3424a4614ba01d7feec4cbc3c1faf22fb28
+
+- name: Download redis-cell Redis module (aarch64) from GitHub
+  when: ansible_facts['architecture'] == 'aarch64'
+  get_url:
+    dest: /tmp/redis-cell.tar.gz
+    url: https://github.com/brandur/redis-cell/releases/download/v0.4.0/redis-cell-v0.4.0-aarch64-unknown-linux-gnu.tar.gz
+    checksum: sha256:bff45476b45c5e7da7e840076f35e91f83641960e5860620063da7b070f154bc
 
 - name: Create /opt/redis-cell
   file:

ansible/roles/self_signed_ssl_cert/meta/main.yml

@@ -1,3 +0,0 @@
----
-dependencies:
-  - role: nginx

ansible/roles/self_signed_ssl_cert/tasks/main.yml

@@ -2,6 +2,7 @@
 - name: Install packages needed by Ansible community plugins
   pip:
     executable: pip3
+    break_system_packages: true
     name: cryptography
 
 - name: Create directory for certificate
@@ -19,5 +20,3 @@
     path: "{{ ssl_cert_path }}"
     privatekey_path: "{{ ssl_private_key_path }}"
     provider: selfsigned
-  notify:
-    - Reload nginx

ansible/roles/webassets/tasks/main.yml

@@ -23,7 +23,7 @@
     mode: 0644
 
 - name: Start and enable webassets service
-  service:
+  systemd_service:
     name: webassets
     state: started
     enabled: true

ansible/vars.yml

@@ -5,5 +5,7 @@ bin_dir: "{{ venv_dir }}/bin"
 
 static_sites_dir: /opt/tildes-static-sites
 
-python_full_version: 3.9.5
+python_full_version: 3.9.20
 python_version: "{{ python_full_version.rpartition('.')[0] }}"
+
+is_docker: "{{ ansible_facts['virtualization_type'] == 'container' }}"

docker/Dockerfile-for-vagrant

@@ -0,0 +1,33 @@
+FROM debian:12
+ENV container docker
+
+RUN useradd --create-home vagrant \
+  && echo "vagrant:vagrant" | chpasswd \
+  && groupadd wheel \
+  && usermod -a -G wheel vagrant
+
+# allow vagrant to login
+RUN cd ~vagrant \
+  && mkdir .ssh \
+  && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" > .ssh/authorized_keys \
+  && chown -R vagrant:vagrant .ssh \
+  && chmod 0700 .ssh \
+  && chmod 0600 .ssh/authorized_keys
+
+EXPOSE 22
+
+# install sudo, sshd, git, python3
+RUN apt-get update && apt-get install -y sudo openssh-server git python3
+
+# Enable passwordless sudo for the "vagrant" user
+RUN mkdir -p /etc/sudoers.d
+RUN install -b -m 0440 /dev/null /etc/sudoers.d/vagrant
+RUN echo 'vagrant ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/vagrant
+
+# Use systemd replacement script to simulate systemd in Docker
+# https://github.com/gdraheim/docker-systemctl-replacement
+COPY systemctl3.py /usr/bin/systemctl
+RUN test -e /bin/systemctl || ln -sf /usr/bin/systemctl /bin/systemctl
+RUN chmod 0755 /usr/bin/systemctl
+RUN systemctl enable ssh
+CMD ["/usr/bin/systemctl"]

tildes/requirements-dev.txt

@@ -37,9 +37,9 @@ markupsafe==2.0.1
 marshmallow==3.13.0
 matplotlib-inline==0.1.2
 mccabe==0.6.1
-mypy==0.910
-mypy-extensions==0.4.3
-packaging==21.0
+mypy==1.13.0
+mypy-extensions==1.0.0
+packaging==23.2
 parso==0.8.2
 pastedeploy==2.1.1
 pathspec==0.9.0
@@ -89,7 +89,7 @@ repoze.lru==0.7
 requests==2.26.0
 requirements-detector==0.7
 sentry-sdk==1.3.0
-setoptconf==0.2.0
+setoptconf==0.3.0
 six==1.16.0
 snowballstemmer==2.1.0
 soupsieve==2.2.1
@@ -100,7 +100,7 @@ testing.common.database==2.0.3
 testing.redis==1.1.1
 titlecase==2.3
 toml==0.10.2
-tomli==1.0.4
+tomli==1.2.3
 traitlets==5.0.5
 transaction==3.0.1
 translationstring==1.4
@@ -108,7 +108,7 @@ types-bleach==3.3.3
 types-python-dateutil==0.1.4
 types-redis==3.5.4
 types-requests==2.25.0
-typing-extensions==3.10.0.0
+typing-extensions==4.12.2
 urllib3==1.26.6
 venusian==3.0.0
 waitress==2.0.0

tildes/requirements.txt

@@ -24,7 +24,7 @@ mako==1.1.4
 markupsafe==2.0.1
 marshmallow==3.13.0
 matplotlib-inline==0.1.2
-packaging==21.0
+packaging==23.2
 parso==0.8.2
 pastedeploy==2.1.1
 pep517==0.11.0
@@ -63,7 +63,7 @@ sqlalchemy==1.3.24
 sqlalchemy-utils==0.37.8
 stripe==2.60.0
 titlecase==2.3
-tomli==1.0.4
+tomli==1.2.3
 traitlets==5.0.5
 transaction==3.0.1
 translationstring==1.4

tildes/scripts/initialize_db.py

@@ -8,7 +8,7 @@ import os
 import subprocess
 from typing import Optional
 
-from alembic import command
+from alembic import command  # type: ignore[attr-defined]
 from alembic.config import Config
 from sqlalchemy.engine import Connectable, Engine
 

tildes/tests/test_ratelimit.py

@@ -4,6 +4,7 @@
 from datetime import timedelta
 from itertools import permutations
 from random import randint
+from time import sleep
 
 from pytest import raises
 
@@ -153,6 +154,7 @@ def test_time_until_retry(redis):
     # first usage should be fine
     result = action.check_for_user_id(user_id)
     assert result.is_allowed
+    sleep(1.0)
 
     # second should fail, and require a wait of (period / limit) - 1 sec
     result = action.check_for_user_id(user_id)

tildes/tildes/__init__.py

@@ -40,7 +40,7 @@ def main(global_config: dict[str, str], **settings: str) -> PrefixMiddleware:
 
     if settings.get("sentry_dsn"):
         # pylint: disable=abstract-class-instantiated
-        sentry_sdk.init(
+        sentry_sdk.init(  # type: ignore[abstract]
             dsn=settings["sentry_dsn"],
             integrations=[PyramidIntegration()],
             ignore_errors=[ValidationError],

tildes/tildes/models/database_model.py

@@ -92,10 +92,10 @@ class DatabaseModelBase:
             raise AttributeError("'age' attribute requires 'created_time' column.")
 
         # created_time should only be None during __init__, age of 0 is reasonable
-        if self.created_time is None:  # type: ignore
+        if self.created_time is None:
             return timedelta(0)
 
-        return utc_now() - self.created_time  # type: ignore
+        return utc_now() - self.created_time
 
     def _update_creation_metric(self) -> None:
         """Update the metric tracking creations of this model type.