The Ansible Edda
Ansible playbooks for provisioning The Nine Worlds.
Secrets vault
- Encrypt with:
ansible-vault encrypt vault.yml
- Decrypt with:
ansible-vault decrypt secrets.yml
- Encrypt all vault.yml in a directory with:
ansible-vault encrypt directory/**/vault.yml
- Decrypt all vault.yml in a directory with:
ansible-vault decrypt directory/**/vault.yml
- Run a playbook with
ansible-playbook --vault-id @prompt playbook.yml
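The `directory/**/vault.yml` pattern only recurses when the shell has recursive globbing enabled (`shopt -s globstar` in bash), so a nested vault.yml can be left in plaintext without any error. The following check is an added example, not part of this repository: it walks the tree with find and reports every vault.yml that lacks the `$ANSIBLE_VAULT;` header. The group_vars/host_vars layout and file contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of this repository.

# Print every vault.yml under directory $1 whose first line is not an
# ansible-vault header ("$ANSIBLE_VAULT;<version>;<cipher>...").
find_unencrypted_vaults() {
    find "$1" -type f -name vault.yml -exec sh -c '
        for f do
            header=
            IFS= read -r header < "$f" || :   # empty file: header stays empty
            case "$header" in
                "\$ANSIBLE_VAULT;"*) ;;        # encrypted, nothing to report
                *) printf "%s\n" "$f" ;;
            esac
        done' sh {} +
}

# Exit status 1 (and a list on stderr) if any plaintext vault.yml exists.
check_vaults() {
    unencrypted=$(find_unencrypted_vaults "$1")
    [ -z "$unencrypted" ] && return 0
    printf 'plaintext vault files:\n%s\n' "$unencrypted" >&2
    return 1
}

# Constructed sample tree: one plaintext, one encrypted, one empty vault.yml.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/group_vars/all" "$t/group_vars/web" "$t/host_vars/empty"
    printf '%s\n' 'db_password: constructed-plaintext' > "$t/group_vars/all/vault.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '36316566constructed' \
        > "$t/group_vars/web/vault.yml"
    : > "$t/host_vars/empty/vault.yml"
    printf '%s\n' 'http_port: 8080' > "$t/group_vars/web/vars.yml"   # not a vault
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
check_vaults "$tree" || echo "commit blocked"
rm -rf "$tree"
```

Calling `check_vaults .` from a pre-commit hook stops a commit that would include a decrypted vault.yml.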
The Nine Worlds
The main entrypoint for The Nine Worlds is main.yml.
Keyring integration
Keyring integration requires python3-keyring to be installed.
To set the keyring password run:
./vault-keyring-client.py --set [--vault-id <vault-id>]
If --vault-id is not specified, the password will be stored under ansible.
To use the password from the keyring invoke playbooks with:
ansible-playbook --vault-id @vault-keyring-client.py ...
Production and testing
The inventory files are split into production and testing.
To run the main.yml playbook on production hosts:
ansible-playbook main.yml -i production
To run the main.yml playbook on testing hosts:
ansible-playbook main.yml -i testing
Testing virtual machines
The script for starting, stopping, and reverting the testing virtual machines is located in scripts/testing/vmgr.py.
Playbooks
The Ansible Edda playbook is composed of smaller playbooks. To run a single playbook, invoke the relevant playbook directly from the playbook directory. For example, to run the system playbook, run:
ansible-playbook playbooks/system.yml
Alternatively you can use its tag as well:
ansible-playbook main.yml --tags "system"
Roles
Playbooks are composed of roles defined in the roles directory, playbooks/roles.
To play only a specific role, e.g. system/base in the playbook system, run:
ansible-playbook playbooks/system.yml --tags "system:base"
Or from the main playbook:
ansible-playbook main.yml --tags "system:base"
Role sub-tasks
Some roles are split into smaller groups of tasks. This can be checked by looking at the tasks/main.yml file of a role, e.g. playbooks/roles/system/base/tasks/main.yml.
To play only a particular group within a role, e.g. sshd in base of system, run:
ansible-playbook playbooks/system.yml --tags "system:base:sshd"
Or from the main playbook:
ansible-playbook main.yml --tags "system:base:sshd"
Testing backups
Before testing the backups, you may want to shut yggdrasil down for extra confidence that it is not being accessed/modified during this process. It is easy to access yggdrasil by accident if /etc/hosts is not modified in the test VM, something that is easy to forget.
- Create baldur by running:
python scripts/scaleway/baldur.py create --volume-size <size-in-GB>
Pick a volume size that's larger than what yggdrasil estimates for rpool/var/lib/yggdrasil/data.
- Provision baldur by running:
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/baldur.yml
- Restore all the backups by ssh'ing into baldur and running (as root):
/usr/local/sbin/restic-batch --config-dir /etc/restic-batch.d restore
- Start all the pod services with:
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_start.yml
Give them some time to download all the images and start.
- Once the CPU returns to idling, check the state of all the pod services and their veth interfaces. If necessary, restart the affected pod. Sometimes they fail to start (presumably due to issues related to limited CPU and RAM).
- Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not have enough space. A VM is used to make sure that none of the services on the host workstation connect to baldur by accident.
- Modify /etc/hosts in the VM to point at baldur for all relevant domains.
- Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed connecting to baldur.
- Stop all the pod services with:
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml
- Destroy baldur by running:
python scripts/scaleway/baldur.py delete
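The /etc/hosts step is the one the procedure itself calls easy to forget, so it is worth checking mechanically before testing any service. The following is an added example, not part of this repository: it reports every domain that a hosts file does not map to the expected address. The domains and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of this repository.

# For each domain in $3..., print "domain -> address" when the first matching
# line of hosts file $1 does not map it to the expected address $2.
hosts_not_pointing_at() {
    hosts_file=$1; want_ip=$2; shift 2
    for domain in "$@"; do
        got=$(awk -v d="$domain" '
            { sub(/#.*/, "") }    # drop comments, including commented-out entries
            { for (i = 2; i <= NF; i++)
                  if (tolower($i) == d) { print $1; exit } }
        ' "$hosts_file")
        [ "$got" = "$want_ip" ] ||
            printf '%s -> %s\n' "$domain" "${got:-<not in hosts file>}"
    done
}

# Constructed sample hosts file: one correct entry, one stale entry and one
# entry that is commented out and therefore has no effect.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1   localhost
192.0.2.10  cloud.example.org        # baldur (constructed address)
192.0.2.20  music.example.org        # stale entry still naming yggdrasil
# 192.0.2.10 git.example.org         (commented out, so it has no effect)
EOF
    printf '%s\n' "$f"
}

hosts=$(make_sample_hosts)
hosts_not_pointing_at "$hosts" 192.0.2.10 \
    cloud.example.org music.example.org git.example.org
rm -f "$hosts"
```

In the test VM, run it against /etc/hosts with baldur's address and the real service domains; empty output means every listed domain is pinned to baldur.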
Music organisation
The playbooks/music.yml playbook sets up tools and configuration for organising music. The process is manual though. The steps for adding a new CD are described below.
All steps below are to be executed as the music user.
Note on tagging
- For live albums add "YYYY-MM-DD at Venue, City, Country" in the "Subtitle" tag.
- For remasters use original release tags and add "YYYY Remaster" in the "Subtitle" tag.
Ripping a CD
- Use a CD ripper and rip the CD to /var/lib/yggdrasil/home/music/rip using flac encoding.
- Samba has been set up to give Windows access to the above directory. Therefore, CD rippers available only for Windows can also be used, e.g. dBpoweramp.
Import new music
- Run beet import /var/lib/yggdrasil/home/music/rip. This will move the music files to /var/lib/yggdrasil/data/music/flac.
- Run beet convert -a <match>, where <match> is used to narrow down to new music only. This will convert the flac files into mp3 files for sharing via Nextcloud.
- Run nextcloud-upload /var/tmp/music/mp3/<artist> for every artist to upload to Nextcloud.
- Remove the /var/tmp/music/mp3/<artist> directory.