From feb29ed0bfe22800add083b14591a81c5c824b3d Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 17 Jun 2023 12:54:41 +0200
Subject: [PATCH] move to snapshots-based backups
---
 ansible/dmz.conf.j2 | 5 --
 ansible/hypervisors.yml | 50 ++++++++++---------
 ansible/inventory/host_vars/atlas/main.yml | 2 -
 ansible/inventory/host_vars/jefke/main.yml | 2 -
 ansible/inventory/host_vars/lewis/apt.yml | 1 +
 ansible/inventory/host_vars/lewis/main.yml | 3 --
 ansible/roles/borg/{files => }/backup.service | 0
 ansible/roles/borg/{files => }/backup.timer | 0
 ansible/roles/borg/backup.yml | 17 +++++++
 ansible/roles/borg/files/start_vms.sh | 3 --
 ansible/roles/borg/files/stop_vms.sh | 9 ----
 ansible/roles/borg/tasks/main.yml | 30 ++++++-----
 ansible/roles/borg/templates/backup.yml.j2 | 28 -----------
 terraform/main.tf | 7 +++
 14 files changed, 65 insertions(+), 92 deletions(-)
 delete mode 100644 ansible/inventory/host_vars/atlas/main.yml
 delete mode 100644 ansible/inventory/host_vars/jefke/main.yml
 delete mode 100644 ansible/inventory/host_vars/lewis/main.yml
 rename ansible/roles/borg/{files => }/backup.service (100%)
 rename ansible/roles/borg/{files => }/backup.timer (100%)
 create mode 100644 ansible/roles/borg/backup.yml
 delete mode 100755 ansible/roles/borg/files/start_vms.sh
 delete mode 100755 ansible/roles/borg/files/stop_vms.sh
 delete mode 100644 ansible/roles/borg/templates/backup.yml.j2
diff --git a/ansible/dmz.conf.j2 b/ansible/dmz.conf.j2
index be94440..aa141b5 100644
--- a/ansible/dmz.conf.j2
+++ b/ansible/dmz.conf.j2
@@ -1,10 +1,5 @@
 auto enp3s0.30
-{% if dmz_interface.enabled %}
-iface enp3s0.30 inet dhcp
- hwaddress ether {{ dmz_interface.mac }}
-{% else %}
 iface enp3s0.30 inet manual
-{% endif %}
 iface enp3s0.30 inet6 auto
 accept_ra 0
 dhcp 0
diff --git a/ansible/hypervisors.yml b/ansible/hypervisors.yml
index 4746b3b..3b885a1 100644
--- a/ansible/hypervisors.yml
+++ b/ansible/hypervisors.yml
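Review bot: Dropping the `dmz_interface.enabled` branch silently changes lewis's `enp3s0.30` from `inet dhcp` with a pinned `hwaddress` to `inet manual` (lewis was the only host with `enabled: true` in the deleted host_vars), which is a network change unrelated to the backup rework in the subject and deserves a sentence in the commit message. With both branches gone the file contains no Jinja at all, so it could lose the `.j2` suffix and be shipped with `copy:` instead of `template:`; the task that renders it is outside this hunk.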
@@ -1,5 +1,6 @@
 ---
-- hosts: hypervisors
+- name: Prepare physical machines
+ hosts: hypervisors
 handlers:
 - name: enable interfaces
@@ -7,6 +8,13 @@
 cmd: ifup -a
 pre_tasks:
+ - name: Delete externally managed environment file
+ shell:
+ cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+ register: rm
+ changed_when: "rm.rc == 0"
+ failed_when: "false"
+
 - name: Set timezone
 timezone:
 name: Europe/Amsterdam
@@ -17,20 +25,6 @@
 state: directory
 mode: og=rwx
- roles:
- - {role: setup_apt, tags: setup_apt}
- - {role: libvirt, tags: libvirt}
-
-- hosts: atlas
-
- roles:
- - {role: postgresql, tags: postgresql}
- - {role: ssh_ca, tags: ssh_ca}
- - {role: wireguard, tags: wireguard}
-
-- hosts: hypervisors
-
- pre_tasks:
 - name: Copy interfaces configuration
 template:
 src: dmz.conf.j2
@@ -42,17 +36,25 @@
 cmd: ifup -a
 when: interfaces.changed
- - name: Delete externally managed environment file
- shell:
- cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
- register: rm
- changed_when: "rm.rc == 0"
- failed_when: "false"
+ roles:
+ - {role: setup_apt, tags: setup_apt}
+ - {role: libvirt, tags: libvirt}
+
+- name: Setup special services
+ hosts: atlas
+
+ roles:
+ - {role: postgresql, tags: postgresql}
+ - {role: ssh_ca, tags: ssh_ca}
+ - {role: wireguard, tags: wireguard}
+
+- hosts: hypervisors
 roles:
 - {role: ssh_ca_known_hosts, tags: ssh_ca_known_hosts}
 - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
-# - hosts: atlas, jefke
-# roles:
-# - {role: borg, tags: borg}
+- name: Enable backups
+ hosts: lewis
+ roles:
+ - {role: borg, tags: borg}
diff --git a/ansible/inventory/host_vars/atlas/main.yml b/ansible/inventory/host_vars/atlas/main.yml
deleted file mode 100644
index 77d1db9..0000000
--- a/ansible/inventory/host_vars/atlas/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dmz_interface:
- enabled: false
diff --git a/ansible/inventory/host_vars/jefke/main.yml b/ansible/inventory/host_vars/jefke/main.yml
deleted file mode 100644
index 77d1db9..0000000
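Review bot: The moved pre_task `shell: cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"` strips the PEP 668 guard from the system interpreter on every hypervisor, and `failed_when: "false"` hides any permission or path error, so a host where the removal did not happen looks identical to one where it did. If the only reason is a pip install of apprise (the borg role's `name: apprise` line is visible only as context, so this is inferred), keep the marker and install into a venv instead (`pip: name: apprise virtualenv: /opt/apprise`) or use a distro package. If the marker really must go, replace the shell task with `find: paths: /usr/lib patterns: EXTERNALLY-MANAGED recurse: true` followed by `file: path: "{{ item.path }}" state: absent` over the results, so changed/failed reporting comes from the modules rather than an always-ignored exit code.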
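Review bot: The re-added `- hosts: hypervisors` play (ssh_ca_known_hosts and deploy_ssh_certificates) is now the only play in the file without a `name:`, after this commit names its siblings; giving it `- name: Deploy SSH CA trust and certificates` keeps the play output and `--list-tasks` consistent. The `Enable backups` play targets lewis only, which matches the VM and paths hard-coded in the new backup.yml, but the old commented-out `atlas, jefke` line suggests those hosts were meant to be covered too; if they are dropped deliberately, say so in the commit message.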
--- a/ansible/inventory/host_vars/jefke/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dmz_interface:
- enabled: false
diff --git a/ansible/inventory/host_vars/lewis/apt.yml b/ansible/inventory/host_vars/lewis/apt.yml
index b1297d2..84f31b0 100644
--- a/ansible/inventory/host_vars/lewis/apt.yml
+++ b/ansible/inventory/host_vars/lewis/apt.yml
@@ -3,3 +3,4 @@ apt_install_packages:
 - libvirt-daemon-system
 - sudo
 - bridge-utils
+ - borgmatic
diff --git a/ansible/inventory/host_vars/lewis/main.yml b/ansible/inventory/host_vars/lewis/main.yml
deleted file mode 100644
index 09199a6..0000000
--- a/ansible/inventory/host_vars/lewis/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-dmz_interface:
- enabled: true
- mac: "ca:fe:c0:ff:ee:0b"
diff --git a/ansible/roles/borg/files/backup.service b/ansible/roles/borg/backup.service
similarity index 100%
rename from ansible/roles/borg/files/backup.service
rename to ansible/roles/borg/backup.service
diff --git a/ansible/roles/borg/files/backup.timer b/ansible/roles/borg/backup.timer
similarity index 100%
rename from ansible/roles/borg/files/backup.timer
rename to ansible/roles/borg/backup.timer
diff --git a/ansible/roles/borg/backup.yml b/ansible/roles/borg/backup.yml
new file mode 100644
index 0000000..b5038aa
--- /dev/null
+++ b/ansible/roles/borg/backup.yml
@@ -0,0 +1,17 @@
+location:
+ source_directories:
+ - /mnt/thecloud
+ repositories:
+ - /mnt/backups/share
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+hooks:
+ before_everything:
+ - virsh snapshot-create-as --domain tf-thecloud --name backup-thecloud --disk-only --quiesce --no-metadata --diskspec vda,snapshot=no --diskspec vdb,file=/kvm/snapshots/thecloud.qcow2
+ - guestmount -a /kvm/snapshots/thecloud.qcow2 -m /dev/sda1 --ro /mnt/thecloud
+ after_everything:
+ - guestunmount /mnt/thecloud && sleep 1
+ - virsh blockcommit tf-thecloud vdb --active --verbose --pivot
+ - rm /kvm/snapshots/thecloud.qcow2
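Review bot: The `before_everything`/`after_everything` chain in backup.yml has no failure path: if `guestmount` fails after `virsh snapshot-create-as` has already succeeded, or if `guestunmount` or `blockcommit` fails, the remaining commands are skipped and `tf-thecloud` keeps running on the `/kvm/snapshots/thecloud.qcow2` overlay, where it stays (and the next run's `snapshot-create-as` fails because the file already exists) until someone commits it by hand. Add an `on_error:` hook that cleans up best-effort, `guestunmount /mnt/thecloud || true` followed by `virsh blockcommit tf-thecloud vdb --active --pivot && rm -f /kvm/snapshots/thecloud.qcow2`, or move the whole sequence into one script with a `trap` cleanup; whether the installed borgmatic runs `on_error` for a failure inside `before_everything` is version-dependent and should be checked. Two smaller points: `--quiesce` makes the snapshot fail closed when the guest agent is not running in the VM, which is good but worth a comment above the hook, and the repository `/mnt/backups/share` is configured with no `storage.encryption_passphrase`/`encryption_passcommand`, so either the secret has to arrive via the unit's environment or the repo is sitting unencrypted on whatever `/mnt/backups` is, and neither is visible in this diff.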
diff --git a/ansible/roles/borg/files/start_vms.sh b/ansible/roles/borg/files/start_vms.sh deleted file mode 100755 index 8b70239..0000000 --- a/ansible/roles/borg/files/start_vms.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -for i in $(virsh list --all --name --autostart); do virsh start "$i"; done diff --git a/ansible/roles/borg/files/stop_vms.sh b/ansible/roles/borg/files/stop_vms.sh deleted file mode 100755 index 5dbccd9..0000000 --- a/ansible/roles/borg/files/stop_vms.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -for i in $(virsh list --state-running --name --autostart); do - virsh shutdown "$i" - echo Stopping domain "$i" - until virsh domstate "$i" | grep shut; do - sleep 0.5 - done -done diff --git a/ansible/roles/borg/tasks/main.yml b/ansible/roles/borg/tasks/main.yml index f7cc4dc..6a8db6f 100644 --- a/ansible/roles/borg/tasks/main.yml +++ b/ansible/roles/borg/tasks/main.yml @@ -1,3 +1,13 @@ +- name: Create snapshots directory + file: + path: /kvm/snapshots + state: directory + +- name: Create backup mountpoint + file: + path: /mnt/thecloud + state: directory + - name: Install Borg apt: pkg: @@ -9,31 +19,19 @@ name: apprise - name: Copy Borgmatic script - template: - src: "{{ role_path }}/templates/backup.yml.j2" + copy: + src: "{{ role_path }}/backup.yml" dest: /root/backup.yml -- name: Copy start_vms.sh - copy: - src: "{{ role_path }}/files/start_vms.sh" - dest: /root/start_vms.sh - mode: preserve - -- name: Copy stop_vms.sh - copy: - src: "{{ role_path }}/files/stop_vms.sh" - dest: /root/stop_vms.sh - mode: preserve - - name: Copy systemd backup unit copy: - src: "{{ role_path }}/files/backup.service" + src: "{{ role_path }}/backup.service" dest: /etc/systemd/system/backup.service notify: systemd daemon reload - name: Copy systemd backup timer copy: - src: "{{ role_path }}/files/backup.timer" + src: "{{ role_path }}/backup.timer" dest: /etc/systemd/system/backup.timer notify: systemd daemon reload 
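Review bot: The two new `file:` tasks create `/kvm/snapshots` and `/mnt/thecloud` without a `mode:`, so they get whatever the umask yields; `/kvm/snapshots` holds the live qcow2 overlay that `tf-thecloud` writes to for the duration of a backup and `/mnt/thecloud` exposes the guest's filesystem while it is mounted, so both should be created with `mode: "0700"`, `owner: root`, `group: root` (the qcow2 itself is created by libvirt, so its ownership is set there, not here). Ansible's `file` module also reports `changed` when it only tightens the mode, which makes the hardening visible on the next run.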
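Review bot: The `copy:` of `backup.yml` to `/root/backup.yml` sets no `mode:`, and a borgmatic config is exactly where an `encryption_passphrase` or `passcommand` ends up once encryption is wired in, so add `mode: "0600"` now rather than after a secret lands there. Separately, the `name: apprise` context line suggests the role still installs apprise, yet the new static `backup.yml` carries none of the apprise notification hooks the deleted template had, so the install is unused unless something outside this diff calls it and a failed backup now only shows up in the journal; either drop the install or restore an `on_error:` notification.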
diff --git a/ansible/roles/borg/templates/backup.yml.j2 b/ansible/roles/borg/templates/backup.yml.j2
deleted file mode 100644
index 862d84e..0000000
--- a/ansible/roles/borg/templates/backup.yml.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-# vi: ft=yaml
-location:
- source_directories:
- - /data
- repositories:
- - 'ssh://root@lewis.hyp/mnt/backups/hosts/{{ ansible_hostname }}'
-retention:
- keep_daily: 7
- keep_weekly: 4
- keep_monthly: 6
-storage:
- unknown_unencrypted_repo_access_is_ok: true
- relocated_repo_access_is_ok: true
-hooks:
- before_everything:
- - 'apprise --body="{{ ansible_hostname }}: Stopping VMs" {{ apprise_url }} || true'
- - /root/stop_vms.sh
- - 'apprise --body="{{ ansible_hostname }}: Stopped VMs" {{ apprise_url }} || true'
- after_everything:
- - 'apprise --body="{{ ansible_hostname }}: Starting VMs" {{ apprise_url }} || true'
- - /root/start_vms.sh
- - 'apprise --body="{{ ansible_hostname }}: Started VMs" {{ apprise_url }} || true'
- before_backup:
- - 'apprise --body="{{ ansible_hostname }}: Performing backup" {{ apprise_url }} || true'
- after_backup:
- - 'apprise --body="{{ ansible_hostname }}: Backup done" {{ apprise_url }} || true'
- on_error:
- - 'apprise --body="{{ ansible_hostname }}: Backup error" {{ apprise_url }} || true'
diff --git a/terraform/main.tf b/terraform/main.tf
index 617e10c..23afd67 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -151,6 +151,13 @@ resource "libvirt_pool" "init_lewis" {
 provider = libvirt.lewis
 }
+resource "libvirt_pool" "data_lewis" {
+ name = "data"
+ type = "dir"
+ path = "/kvm/data"
+ provider = libvirt.lewis
+}
+
 resource "libvirt_volume" "ubuntu_jammy_lewis" {
 name = "ubuntu-jammy.img"
 pool = "iso"