From 83fd247504d0b5e1d17b1d202de9478a72c884a8 Mon Sep 17 00:00:00 2001 From: Wojciech Kozlowski Date: Sat, 16 Sep 2023 08:55:21 +0200 Subject: [PATCH] Updates to baldur playbook for backup testing --- README.md | 15 +++++++- inventory/baldur_production | 4 +- inventory/baldur_testing | 4 +- inventory/host_vars/baldur/vars.yml | 24 ++++++++---- playbooks/baldur.yml | 60 ++++++++++++++++++++++++++++- 5 files changed, 92 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index f5b67c6..10fd4f3 100644 --- a/README.md +++ b/README.md @@ -125,11 +125,17 @@ not being accessed/modified during this process. It is easy to access `yggdrasil 1. Create a VM on `yggdrasil` and install the same OS that is running on `yggdrasil`. - Install the OS on a zvol on `rpool`. + - If the same VM is to be used for testing, a GUI is helpful. - Prepare a zvol on `hpool` of size that's larger than what `yggdrasil` estimates for - `rpool/var/lib/yggdrasil/data` and mount at `/var/lib/the-nine-worlds/data`. + `rpool/var/lib/the-nine-worlds/data` and mount at `/var/lib/the-nine-worlds/data`. - Create non-root user `wojtek` with `sudo` privileges. 2. Configure SSH to use `yggdrasil` as a jump server. -3. Service testing can then be done directly from the VM. To achieve that `/etc/hosts` needs to be +3. Set `refreserv=0` on the zvols to make snapshots take less space. + - `zfs set refreserv=0 tank/home/ahrens` +4. Use ZFS for snapshots/roolback of the zvols. + - `zfs snapshot tank/home/ahrens@friday` + - `zfs rollback tank/home/ahrens@friday` +5. Service testing can then be done directly from the VM. To achieve that `/etc/hosts` needs to be set to directly point at the right proxy server, e.g., `10.66.3.8`, not `localhost`. ### Test 
@@ -161,6 +167,11 @@ not being accessed/modified during this process. It is easy to access `yggdrasil 7. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains. 8. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed connecting to `baldur`. + - Some containers fail to start up if the database takes too long to come online. In that case + restart the container. + - Some containers fail to start up if they cannot make DNS queries. Note that `192.168.0.0/16` is + blocked by firewall rules. If `/etc/the-nine-worlds/resolv.conf` points at a DNS resolved at + such an address all DNS queries will fail. Simply update `resolv.conf` to e.g. `1.1.1.1`. 9. Stop all the pod services with: ```sh ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml diff --git a/inventory/baldur_production b/inventory/baldur_production index 328d124..5a45fbc 100644 --- a/inventory/baldur_production +++ b/inventory/baldur_production @@ -17,6 +17,6 @@ baldur # Network. # -------------------------------------------------------------------------------------------------- -# Hosts remote to the home LAN. -[remote] +# Hosts physically located within the home LAN. +[home] baldur diff --git a/inventory/baldur_testing b/inventory/baldur_testing index c387e6d..9e062ce 100644 --- a/inventory/baldur_testing +++ b/inventory/baldur_testing @@ -19,6 +19,6 @@ baldur # Network. # -------------------------------------------------------------------------------------------------- -# Hosts remote to the home LAN. -[remote] +# Hosts physically located within the home LAN. +[home] baldur diff --git a/inventory/host_vars/baldur/vars.yml b/inventory/host_vars/baldur/vars.yml index 6ae33f6..ba6cc0a 100644 --- a/inventory/host_vars/baldur/vars.yml +++ b/inventory/host_vars/baldur/vars.yml 
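Review bot: Moving `baldur` from `[remote]` to `[home]` changes which group-level variables apply to the host, and the same move is made in the inventory/baldur_testing hunk; the group vars themselves are not part of this diff, so what `home` membership enables (network, firewall, or hardening settings) cannot be checked here. The commit message frames the change as being for backup testing and the README hunk describes the test VM living on `yggdrasil`, so confirm that the production inventory is meant to move as well and not only the testing one. A one-line comment above `[home]` recording why baldur counts as a home host, e.g. `# baldur runs inside the home LAN (see README, "Test"), so home-group network vars apply.`, would make the intent reviewable later — worded to match the real topology.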
@@ -28,32 +28,40 @@ services_resolv_host: "baldur" services_host_services: lrproxy: - address: "{{ vpn_bridge_prefix }}.2" + inet_address: "{{ vpn_bridge_inet_prefix }}.2" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::2" restic: true database: - address: "{{ vpn_bridge_prefix }}.3" + inet_address: "{{ vpn_bridge_inet_prefix }}.3" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::3" restic: true cloud: - address: "{{ vpn_bridge_prefix }}.4" + inet_address: "{{ vpn_bridge_inet_prefix }}.4" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::4" restic: true restic_exclude: - "external" git: - address: "{{ vpn_bridge_prefix }}.5" + inet_address: "{{ vpn_bridge_inet_prefix }}.5" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::5" tcp: ["{{ services.git.ssh_port }}"] restic: true notes: - address: "{{ vpn_bridge_prefix }}.6" + inet_address: "{{ vpn_bridge_inet_prefix }}.6" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::6" restic: true music: - address: "{{ vpn_bridge_prefix }}.7" + inet_address: "{{ vpn_bridge_inet_prefix }}.7" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::7" collection_path: "{{ music_user_data_collection_directory }}" archive_path: "{{ music_user_data_archive_directory }}" restic: true rproxy: - address: "{{ vpn_bridge_prefix }}.8" + inet_address: "{{ vpn_bridge_inet_prefix }}.8" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::8" tcp: [80, 443] restic: true www: - address: "{{ vpn_bridge_prefix }}.9" + inet_address: "{{ vpn_bridge_inet_prefix }}.9" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::9" restic: false diff --git a/playbooks/baldur.yml b/playbooks/baldur.yml index 69bcd62..65e5bb1 100644 --- a/playbooks/baldur.yml +++ b/playbooks/baldur.yml @@ -19,6 +19,10 @@ - name: "baldur" hosts: "baldur" + vars_files: + - "vars/services/volumes.yml" + - "vars/services/deploy/versions.yml" + roles: # ---------------------------------------------------------------------------------------------- # system 
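Review bot: The `address` key is renamed to `inet_address` for every entry of `services_host_services`, but no role files appear in the diffstat (only README, the two inventories, this host_vars file and playbooks/baldur.yml), so any role that still reads `services_host_services.<name>.address` would fail with an undefined variable at play time — presumably the consuming roles were updated in a separate commit, but that should be confirmed before this reaches the production inventory. The new `inet6_address` entries mean each service now has an address in both families while the per-service `tcp:` lists (`[80, 443]` for `rproxy`, the ssh port for `git`) are unchanged; confirm that the role which turns `tcp:` into firewall rules applies them to the IPv6 address too, otherwise the v6 side is either unreachable or unfiltered depending on the default policy. A short comment at the top of `services_host_services` documenting the contract would help, e.g. `# Each service needs inet_address and inet6_address; tcp: lists the ports opened for both families.`, with the second clause adjusted to what the role actually does.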
@@ -55,6 +59,9 @@ system_base_user_become_user: "{{ system_base_ssh_user }}" - role: "system/directories" tags: "system:directories" + vars: + system_directories_create_etc: true + system_directories_create_var: true # ---------------------------------------------------------------------------------------------- # backups 
@@ -111,11 +118,56 @@ - "services:setup:user" - "services:setup:user:{{ services_service_name }}" - "services:{{ services_service_name }}:setup:user" + vars: + services_service_volumes: "{{ services_volumes[services_service_name] }}" loop: "{{ services_host_services | dict2items | map(attribute='key') }}" loop_control: loop_var: "services_service_name" tags: "always" + - name: "deploy rproxy" + ansible.builtin.include_role: + name: "services/deploy/rproxy" + apply: + tags: + - "services:rproxy" + - "services:deploy" + - "services:deploy:rproxy" + - "services:rproxy:deploy" + vars: + services_service_name: "rproxy" + services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf" + services_deploy_rproxy_nginx_subdomain_config_files: + - "files/services/deploy/rproxy/nginx-conf.d/http-default.conf" + - "files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf" + - "files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf" + services_service_deploy_versions: "{{ services_deploy_versions.rproxy }}" + when: "'rproxy' in services_host_services" + tags: "always" + + - name: "deploy lrproxy" + ansible.builtin.include_role: + name: "services/deploy/rproxy" + apply: + tags: + - "services:lrproxy" + - "services:deploy" + - "services:deploy:lrproxy" + - "services:lrproxy:deploy" + vars: + services_service_name: "lrproxy" + services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf" + services_deploy_rproxy_nginx_subdomain_config_files: + - "files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf" + 
services_service_deploy_versions: "{{ services_deploy_versions.lrproxy }}" + when: "'lrproxy' in services_host_services" + tags: "always" + - name: "deploy" ansible.builtin.include_role: name: "services/deploy/{{ services_service_name }}" @@ -125,7 +177,13 @@ - "services:deploy" - "services:deploy:{{ services_service_name }}" - "services:{{ services_service_name }}:deploy" - loop: "{{ services_host_services | dict2items | map(attribute='key') }}" + vars: + services_service_deploy_versions: "{{ services_deploy_versions[services_service_name] }}" + loop: "{{ + services_host_services | dict2items | + rejectattr('key', '==', 'rproxy') | + rejectattr('key', '==', 'lrproxy') | + map(attribute='key') }}" loop_control: loop_var: "services_service_name" tags: "always"
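Review bot: The new `deploy rproxy` and `deploy lrproxy` tasks are near-identical copies differing only in `services_service_name`, the subdomain config list and the `services_deploy_versions` key, and the vhost lists are host-specific data that now lives in the playbook rather than next to `services_host_services` in host_vars; one looped include reading a per-proxy list from host_vars would remove the duplication and let a vhost be added without editing the playbook. `services_service_volumes: "{{ services_volumes[services_service_name] }}"` here, and `services_deploy_versions[services_service_name]` in the following hunk, make the play fail with an undefined variable for any service missing from volumes.yml or versions.yml; that is a sensible fail-closed default, but a comment such as `# every entry of services_host_services must also exist in vars/services/volumes.yml and deploy/versions.yml` would stop the next edit from papering over it with a default. On the exposure side, the `lrproxy` vhost list includes `database.thenineworlds.net.conf` and `git.thenineworlds.net.conf`; in host_vars only `rproxy` carries `tcp: [80, 443]` and `lrproxy` has no `tcp:` entry, so these vhosts are presumably reachable only over the VPN bridge — confirm the lrproxy listener binds to the bridge address rather than all interfaces. The sketch below uses a constructed per-entry key (`nginx_subdomain_config_files`) that would have to be added to host_vars.
```yaml
    - name: "deploy reverse proxies"
      ansible.builtin.include_role:
        name: "services/deploy/rproxy"
        apply:
          tags:
            - "services:{{ services_service_name }}"
            - "services:deploy"
            - "services:deploy:{{ services_service_name }}"
            - "services:{{ services_service_name }}:deploy"
      vars:
        services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf"
        # constructed key: per-proxy vhost list kept in host_vars next to the address entries
        services_deploy_rproxy_nginx_subdomain_config_files: "{{ services_host_services[services_service_name].nginx_subdomain_config_files }}"
        services_service_deploy_versions: "{{ services_deploy_versions[services_service_name] }}"
      # only the proxies actually declared for this host are deployed
      loop: "{{ ['rproxy', 'lrproxy'] | select('in', services_host_services) | list }}"
      loop_control:
        loop_var: "services_service_name"
      tags: "always"
    # … unchanged: generic "deploy" task for the remaining services …
```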
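Review bot: The loop filter `rejectattr('key', '==', 'rproxy') | rejectattr('key', '==', 'lrproxy')` repeats the set of specially handled services that is also hard-coded in the two dedicated tasks above, so adding a third proxy means editing three places; `rejectattr('key', 'in', ['rproxy', 'lrproxy'])` (Jinja's `in` test) says it once, and keeping the list in a single play-level variable, e.g. a constructed `services_proxy_services: ["rproxy", "lrproxy"]`, lets the filter and the dedicated tasks read the same value. The multi-line double-quoted `loop:` expression works only because YAML folds the line breaks inside the quotes into spaces, which is easy to misread; a `>-` folded scalar makes that explicit: `loop: >-` followed by the `{{ … }}` expression on the indented lines below. The enclosing `deploy` task starts in the previous hunk.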