From 74600efb4c63248efeea2e201b1de799e2ac1b26 Mon Sep 17 00:00:00 2001
From: rasmus
Date: Sat, 27 Jul 2024 23:49:45 +0300
Subject: [PATCH] zrepl
---
ansible-playbooks/zrepl/zrepl.yml | 47 ++++++++++++++++++++
ansible-playbooks/zrepl/zrepl_nas.yml.j2 | 47 ++++++++++++++++++++
ansible-playbooks/zrepl/zrepl_offsite.yml.j2 | 38 ++++++++++++++++
inventory.yml | 13 +++++-
4 files changed, 143 insertions(+), 2 deletions(-)
create mode 100644 ansible-playbooks/zrepl/zrepl.yml
create mode 100644 ansible-playbooks/zrepl/zrepl_nas.yml.j2
create mode 100644 ansible-playbooks/zrepl/zrepl_offsite.yml.j2
diff --git a/ansible-playbooks/zrepl/zrepl.yml b/ansible-playbooks/zrepl/zrepl.yml
new file mode 100644
index 0000000..2fbdd49
--- /dev/null
+++ b/ansible-playbooks/zrepl/zrepl.yml
@@ -0,0 +1,47 @@
+- name: zrepl
+ hosts: nasgroup
+ tasks:
+ - name: 'apt: zrepl gpg'
+ ansible.builtin.get_url:
+ url: 'https://zrepl.cschwarz.com/apt/apt-key.asc'
+ dest: /usr/share/keyrings/zrepl.asc
+ - name: 'apt: zrepl repo'
+ apt_repository:
+ repo: 'deb [arch=amd64 signed-by=/usr/share/keyrings/zrepl.asc] https://zrepl.cschwarz.com/apt/debian bookworm main'
+ - name: 'apt: ensure packages'
+ apt:
+ state: latest
+ pkg: zrepl
+
+ - name: 'zrepl: ensure config'
+ ansible.builtin.template:
+ src: "zrepl_{{ansible_hostname}}.yml.j2"
+ dest: /etc/zrepl/zrepl.yml
+ mode: 600
+ register: zreplconf
+ - name: 'zrepl: restart service after config change'
+ when: zreplconf.changed
+ systemd_service:
+ state: restarted
+ enabled: true
+ name: zrepl
+ - name: 'zrepl: ensure service'
+ when: not zreplconf.changed
+ systemd_service:
+ state: started
+ enabled: true
+ name: zrepl
+
+# avoid accidental conflicts of changes on recv (would err 'will not overwrite without force')
+- name: 'zfs: ensure recv mountpoint=off'
+ hosts: offsite
+ tasks:
+ - name: 'zfs: get mountpoint'
+ shell: zfs get mountpoint -H -o value {{offsite_dataset}}
+ register: result
+ changed_when: false
+ - when: result.stdout != "none"
+ name: 'zfs: ensure mountpoint=off'
+ changed_when: true
+ shell: zfs set mountpoint=none {{offsite_dataset}}
+ register: result
diff --git a/ansible-playbooks/zrepl/zrepl_nas.yml.j2 b/ansible-playbooks/zrepl/zrepl_nas.yml.j2
new file mode 100644
index 0000000..f5669f7
--- /dev/null
+++ b/ansible-playbooks/zrepl/zrepl_nas.yml.j2
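Review bot: `mode: 600` on the `zrepl: ensure config` template task is an unquoted integer, and Ansible takes an integer mode as a decimal value (600 is 0o1130) rather than as octal 0600, so /etc/zrepl/zrepl.yml does not end up owner-only as intended; write it as the string `mode: "0600"` so Ansible parses it as octal. The two `shell:` tasks in the `zfs: ensure recv mountpoint=off` play use no shell features, so `command:` would avoid passing the interpolated `{{offsite_dataset}}` through a shell; the second task also re-registers `result`, which is harmless here but easy to misread. The template `src` is keyed on the gathered fact `ansible_hostname`, so the play depends on each managed node reporting exactly `nas` or `offsite`; `inventory_hostname_short` would tie the lookup to the inventory names instead.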
@@ -0,0 +1,47 @@
+global:
+ logging:
+ - type: syslog
+ format: logfmt
+ level: warn
+ monitoring:
+ - type: prometheus
+ listen: ':9811'
+
+jobs:
+ - name: k6zrepl
+ type: snap
+ # "<" aka recursive, https://zrepl.github.io/configuration/filter_syntax.html
+ filesystems:
+ 'nas<': true
+ snapshotting:
+ type: periodic
+ prefix: zrepl_
+ interval: 1h
+ pruning:
+ keep:
+ # Keep non-zrepl snapshots
+ - type: regex
+ negate: true
+ regex: '^zrepl_'
+
+ - type: last_n
+ regex: "^zrepl_.*"
+ count: 4
+ - type: grid
+ regex: "^zrepl_.*"
+ grid: 4x1h | 6x4h | 3x1d | 2x7d
+
+ - name: k6zrepl_offsite_src
+ type: source
+ send:
+ encrypted: true # zfs native already-encrypted, filesystems not encrypted will log to error-level
+ serve:
+ type: tcp
+ listen: "{{ansible_host}}:35566" # NAT-ed to 193.40.103.250
+ clients: {
+ "78.28.64.17": "offsite.k-space.ee",
+ }
+ filesystems:
+ 'nas<': true
+ snapshotting: # handled by above job, separated for secuwurity (isolation of domains)
+ type: manual
diff --git a/ansible-playbooks/zrepl/zrepl_offsite.yml.j2 b/ansible-playbooks/zrepl/zrepl_offsite.yml.j2
new file mode 100644
index 0000000..0e27125
--- /dev/null
+++ b/ansible-playbooks/zrepl/zrepl_offsite.yml.j2
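Review bot: The `serve` block of `k6zrepl_offsite_src` uses the `tcp` transport, which identifies the peer only by its source address (the `clients` map keyed on `78.28.64.17`), and the `# NAT-ed to 193.40.103.250` comment indicates the listener is reachable from the internet; zrepl's `tls` transport authenticates both ends with certificates and encrypts the control channel, and `tcp` is meant for trusted networks. `send.encrypted: true` limits what can cross the wire to ZFS-native-encrypted raw streams, so if `tcp` is kept deliberately, record that trust assumption next to `type: tcp`, e.g. `# tcp: peer identified by source IP only; data is raw-encrypted (send.encrypted), the control channel is not`. The allowlisted address duplicates `offsite`'s `ansible_host` in inventory.yml; since this file is rendered by Ansible, `"{{ hostvars['offsite'].ansible_host }}": "offsite.k-space.ee"` keeps the two in sync. The `clients` flow mapping with its trailing comma would read better in block style, matching the rest of the file.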
@@ -0,0 +1,38 @@
+global:
+ logging:
+ - type: syslog
+ format: logfmt
+ level: warn
+
+jobs:
+ - name: k6zrepl_offsite_dest
+ type: pull
+ recv:
+ placeholder:
+ encryption: off # https://zrepl.github.io/configuration/sendrecvoptions.html#placeholders
+# bandwidth_limit:
+# max: 9 MiB # 75.5 Mbps
+ connect:
+ type: tcp
+ address: '193.40.103.250:35566' # firewall whitelisted to offsite
+ root_fs: {{offsite_dataset}}
+ interval: 10m # start interval, does nothing when no snapshots to recv
+ replication:
+ concurrency:
+ steps: 2
+ pruning:
+ keep_sender: # offsite does not dictate nas snapshot policy
+ - type: regex
+ regex: '.*'
+ keep_receiver:
+ # Keep non-zrepl snapshots
+ - negate: true
+ type: regex
+ regex: "^zrepl_"
+
+ - type: last_n
+ regex: "^zrepl_"
+ count: 4
+ - type: grid
+ regex: "^zrepl_"
+ grid: 4x1h | 6x4h | 3x1d | 2x7d
diff --git a/inventory.yml b/inventory.yml
index 6618d6d..44721bf 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -5,12 +5,21 @@ all:
 - eaas
 extra_admins: []
 children:
+ nasgroup:
+ hosts:
+ nas.k-space.ee:
+ ansible_host: 172.23.0.7
+ offsite:
+ ansible_host: 78.28.64.17
+ ansible_port: 10648
+ vars:
+ offsite_dataset: offsite/backup_zrepl
 misc:
+ children:
+ nasgroup:
 hosts:
 ns1.k-space.ee:
 ansible_host: 172.20.0.2
- nas.k-space.ee:
- ansible_host: 172.23.0.7
 proxmox:
 vars:
 extra_admins:
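Review bot: `encryption: off` under `recv.placeholder` is an unquoted `off`, which YAML 1.1-style loaders (including the Go yaml libraries) resolve to boolean false rather than the string value the linked placeholder option expects; whether the loader then coerces it back to the text `off` depends on the library version, so write `encryption: 'off'` to remove the ambiguity. `root_fs: {{offsite_dataset}}` is an unquoted Jinja expansion; an empty variable would render as a null `root_fs`, so `root_fs: "{{ offsite_dataset }}"` is safer and matches the quoting used in `zrepl_nas.yml.j2`. On this side the `tcp` connect transport performs no authentication of the server either, so the `# firewall whitelisted to offsite` comment on `address` describes the only control on who this job talks to; a comment stating that the received data is raw-encrypted and that peer identity rests on the address alone would make that explicit for the next maintainer.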
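Review bot: The new `offsite` host entry sets `ansible_host: 78.28.64.17`, and the same address is hard-coded as the client key in `zrepl_nas.yml.j2`, so changing it here without touching the template silently locks the offsite pull job out; add a comment at `offsite:` such as `# also the zrepl client allowlist key for nas (zrepl_nas.yml.j2); keep in sync` or have the template read it via `hostvars['offsite'].ansible_host`. Unlike its siblings, `offsite` has no FQDN, and `offsite_dataset` is declared on `nasgroup` as a whole although, as far as this patch shows, only the `offsite` host and its template consume it; scoping the variable under `offsite:` would keep it next to its only consumer.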