2022-08-18 10:48:41 +02:00
|
|
|
# The Ansible Edda
|
|
|
|
|
2022-10-01 17:46:29 +02:00
|
|
|
Ansible playbooks for provisioning The Nine Worlds.
|
2022-08-18 10:48:41 +02:00
|
|
|
|
|
|
|
## Secrets vault
|
|
|
|
|
2022-12-18 21:14:04 +01:00
|
|
|
- Encrypt with: ```ansible-vault encrypt vault.yml```
|
2022-09-21 23:57:15 +02:00
|
|
|
- Decrypt with: ```ansible-vault decrypt secrets.yml```
|
2022-12-18 21:14:04 +01:00
|
|
|
- Encrypt all `vault.yml` in a directory with: ```ansible-vault encrypt directory/**/vault.yml```
|
|
|
|
- Decrypt all `vault.yml` in a directory with: ```ansible-vault decrypt directory/**/vault.yml```
|
2022-08-18 10:48:41 +02:00
|
|
|
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```
|
2022-12-04 15:43:10 +01:00
|
|
|
|
2022-12-07 21:36:08 +01:00
|
|
|
## The Nine Worlds
|
2022-12-04 15:43:10 +01:00
|
|
|
|
|
|
|
The main entrypoint for The Nine Worlds is [`main.yml`](main.yml).
|
|
|
|
|
2022-12-28 14:21:33 +01:00
|
|
|
### Keyring integration
|
|
|
|
|
|
|
|
Keyring integration requires `python3-keyring` to be installed.
|
|
|
|
|
|
|
|
To set the keyring password run:
|
|
|
|
|
|
|
|
``` sh
|
|
|
|
./vault-keyring-client.py --set [--vault-id <vault-id>]
|
|
|
|
```
|
|
|
|
|
|
|
|
If `--vault-id` is not specified, the password will be stored under `ansible`.
|
|
|
|
|
|
|
|
To use the password from the keyring invoke playbooks with:
|
|
|
|
|
|
|
|
``` sh
|
|
|
|
ansible-playbook --vault-id @vault-keyring-client.py ...
|
|
|
|
```
|
|
|
|
|
2022-12-04 15:43:10 +01:00
|
|
|
### Production and testing
|
|
|
|
|
|
|
|
The inventory files are split into [`production`](production) and [`testing`](testing).
|
|
|
|
|
2022-12-07 21:36:08 +01:00
|
|
|
To run the `main.yml` playbook on production hosts:
|
2022-12-04 15:43:10 +01:00
|
|
|
``` sh
|
|
|
|
ansible-playbook main.yml -i production
|
|
|
|
```
|
|
|
|
|
2022-12-07 21:36:08 +01:00
|
|
|
To run the `main.yml` playbook on production hosts:
|
2022-12-04 15:43:10 +01:00
|
|
|
``` sh
|
|
|
|
ansible-playbook main.yml -i testing
|
|
|
|
```
|
|
|
|
|
2022-12-28 14:24:23 +01:00
|
|
|
### Testing virtual machines
|
|
|
|
|
2023-02-13 21:59:24 +01:00
|
|
|
The scripts for starting, stopping, and reverting the testing virtual machines is located in
|
|
|
|
`scripts/testing/vmgr.py`.
|
2022-12-28 14:24:23 +01:00
|
|
|
|
2022-12-07 21:36:08 +01:00
|
|
|
### Playbooks
|
|
|
|
|
2022-12-18 21:14:04 +01:00
|
|
|
The Ansible Edda playbook is composed of smaller [`playbooks`](playbooks). To run a single playbook,
|
|
|
|
invoke the relevant playbook directly from the playbook directory. For example, to run the
|
|
|
|
[`system`](system) playbook, run:
|
2022-12-07 21:36:08 +01:00
|
|
|
|
|
|
|
``` sh
|
2022-12-18 21:14:04 +01:00
|
|
|
ansible-playbook playbooks/system.yml
|
|
|
|
```
|
|
|
|
|
|
|
|
Alternatively you can use its tag as well:
|
|
|
|
|
|
|
|
``` sh
|
|
|
|
ansible-playbook main.yml --tags "system"
|
2022-12-07 21:36:08 +01:00
|
|
|
```
|
|
|
|
|
2022-12-04 15:43:10 +01:00
|
|
|
### Roles
|
|
|
|
|
2022-12-18 21:14:04 +01:00
|
|
|
Playbooks are composed of roles defined in the `roles` directory,
|
|
|
|
[`playbooks/roles`](playbooks/roles).
|
|
|
|
|
|
|
|
To play only a specific role, e.g. `system/base` in the playbook `system`, run:
|
|
|
|
|
|
|
|
``` sh
|
|
|
|
ansible-playbook playbooks/system.yml --tags "system:base"
|
|
|
|
```
|
2022-12-04 15:43:10 +01:00
|
|
|
|
2022-12-18 21:14:04 +01:00
|
|
|
Or from the main playbook:
|
2022-12-04 15:43:10 +01:00
|
|
|
|
|
|
|
``` sh
|
2022-12-18 21:14:04 +01:00
|
|
|
ansible-playbook main.yml --tags "system:base"
|
2022-12-04 15:43:10 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
### Role sub-tasks
|
|
|
|
|
|
|
|
Some roles are split into smaller groups of tasks. This can be checked by looking at the
|
|
|
|
`tasks/main.yml` file of a role, e.g.
|
2022-12-18 21:14:04 +01:00
|
|
|
[`playbooks/roles/system/base/tasks/main.yml`](playbooks/roles/system/base/tasks/main.yml).
|
2022-12-04 15:43:10 +01:00
|
|
|
|
2022-12-07 21:36:08 +01:00
|
|
|
To play only a particular group within a role, e.g. `sshd` in `base` of `system`, run:
|
2022-12-04 15:43:10 +01:00
|
|
|
|
|
|
|
``` sh
|
2022-12-18 21:14:04 +01:00
|
|
|
ansible-playbook playbooks/system.yml --tags "system:base:sshd"
|
|
|
|
```
|
|
|
|
|
|
|
|
Or from the main playbook:
|
|
|
|
|
|
|
|
``` sh
|
|
|
|
ansible-playbook main.yml --tags "system:base:sshd"
|
2022-12-04 15:43:10 +01:00
|
|
|
```
|
2023-02-13 21:59:24 +01:00
|
|
|
|
|
|
|
## Testing backups
|
|
|
|
|
|
|
|
Before testing the backups, you may want to shut `yggdrasil` down for extra confidence that it is
|
|
|
|
not being accessed/modified during this process. It is easy to access `yggdrasil` by accident if
|
|
|
|
`/etc/hosts` is not modified in the test VM, something that is easy to forget.
|
|
|
|
|
|
|
|
1. Create `baldur` by running:
|
|
|
|
```sh
|
|
|
|
python scripts/scaleway/baldur.py create --volume-size <size-in-GB>
|
|
|
|
```
|
|
|
|
Pick a volume size that's larger than what `yggdrasil` estimates for
|
|
|
|
`rpool/var/lib/yggdrasil/data`.
|
|
|
|
2. Provision `baldur` by running
|
|
|
|
```sh
|
|
|
|
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/baldur.yml
|
|
|
|
```
|
|
|
|
3. Restore all the backups by ssh'ing into `baldur` and running (as root):
|
|
|
|
```sh
|
|
|
|
/usr/local/sbin/restic-batch --config-dir /etc/restic-batch.d restore
|
|
|
|
```
|
|
|
|
4. Start all the pod services with:
|
|
|
|
```sh
|
|
|
|
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_start.yml
|
|
|
|
```
|
|
|
|
Give them some time to download all the images and start.
|
|
|
|
5. Once the CPU returns to idling check the state of all the pod services and their `veth`
|
|
|
|
interfaces. If necessary restart the affected pod. Sometimes they fail to start (presumably due
|
|
|
|
to issues related to limited CPU and RAM).
|
|
|
|
6. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
|
|
|
|
have enough space. A VM is used to make sure that none of the services on the host workstation
|
|
|
|
connect to `baldur` by accident.
|
|
|
|
7. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
|
|
|
|
8. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
|
|
|
|
connecting to `baldur`.
|
|
|
|
9. Stop all the pod services with:
|
|
|
|
```sh
|
|
|
|
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml
|
|
|
|
```
|
|
|
|
10. Destroy `baldur` by running:
|
|
|
|
```sh
|
|
|
|
python scripts/scaleway/baldur.py delete
|
|
|
|
```
|
2023-02-19 23:46:17 +01:00
|
|
|
|
|
|
|
## Music organisation
|
|
|
|
|
|
|
|
The `playbooks/music.yml` playbook sets up tools and configuration for organising music. The process
|
|
|
|
is manual though. The steps for adding a new CD.
|
|
|
|
|
|
|
|
All steps below are to be executed as the `music` user.
|
|
|
|
|
|
|
|
### Ripping a CD
|
|
|
|
|
|
|
|
1. Use a CD ripper and rip the CD to `/var/lib/yggdrasil/home/music/rip` using flac encoding.
|
|
|
|
2. Samba has been set up to give Windows access to the above directory. Therefore, CD rippers
|
|
|
|
available only for Windows can also be used, e.g. dBpoweramp.
|
|
|
|
|
|
|
|
### Import new music
|
|
|
|
|
|
|
|
1. Run `beet import /var/lib/yggdrasil/home/music/rip`. This will move the music files to
|
|
|
|
`/var/lib/yggdrasil/data/music/flac`.
|
|
|
|
2. Run `beet convert <match>`, where `<match>` is used to narrow down to new music only. This will
|
|
|
|
convert the flac files into mp3 files for sharing via Nextcloud.
|
|
|
|
3. Run `nextcloud-upload /var/tmp/music/mp3/<artist>` for every artist to upload to Nextcloud.
|
|
|
|
4. Remove the `/var/tmp/music/mp3/<artist>` directory.
|