-rw-r--r--TODOs.org5
-rw-r--r--provision.yaml1
-rwxr-xr-xscripts/ci/deploy.sh28
-rw-r--r--shutdown.yaml17
4 files changed, 34 insertions, 17 deletions
diff --git a/TODOs.org b/TODOs.org
index 2f2b85a..6b83283 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -142,7 +142,10 @@ Also put all of the content of =secrets/*= into vps-state? Maybe rename it to vp
Right now, secrets are scattered between the two repositories. By moving I can completely remove =git-crypt= from this repository.
*** Cancelled:
The =vps-state= repo isn't supposed to centralize all secrets, it's just a storage backend for Terraform files.
-** NEXT Run backup on Terraform destroy action instead of manually in =provision.sh=
+** DOING Run backup on Terraform destroy action instead of manually in =provision.sh=
+Terraform's destroy provisioner isn't well suited for this: in case of failure [[https://www.terraform.io/docs/provisioners/#destroy-time-provisioners][it tries to run the provisioner more than once]]. I'd rather have it fail on the first error.
+
+Instead use Ansible to perform this instead of ad-hoc Bash commands.
** DONE Explicitly destroy Droplets before running Terraform apply
CLOSED: [2019-06-05 Wed 19:48]
** DONE Store updated =.tfstate= even in case of deployment failure
diff --git a/provision.yaml b/provision.yaml
index 801c010..bb86598 100644
--- a/provision.yaml
+++ b/provision.yaml
@@ -29,7 +29,6 @@
- name: Copy local interpolated files to remote
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }}
with_items:
- - { src: './generated/create-backup.sh', dest: '/home/vps/create-backup.sh', mode: '500' }
- { src: './generated/restore-backup.sh', dest: '/home/vps/restore-backup.sh', mode: '500' }
- { src: './secrets/borg/borg-remote.pub', dest: '/root/.ssh/id_rsa.pub', mode: '400' }
- { src: './secrets/borg/borg-remote', dest: '/root/.ssh/id_rsa', mode: '400' }
diff --git a/scripts/ci/deploy.sh b/scripts/ci/deploy.sh
index c068e5c..d4eccd0 100755
--- a/scripts/ci/deploy.sh
+++ b/scripts/ci/deploy.sh
@@ -5,7 +5,7 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
cd ../../
-finish_phase() {
+finish-phase() {
local -r exit_code="${?}"
if [[ "${exit_code}" = 0 ]]; then
@@ -22,7 +22,7 @@ finish_phase() {
echo "Storing file changes to '.tfstate' files..."
pushd ../vps-state/
git add .
- git commit -m "CI: fallback add all after provision.sh failure for CI run $VPS_COMMIT_SHA" ||:
+ git commit -m "CI: fallback add all after deploy.sh failure for CI run $VPS_COMMIT_SHA" ||:
git push origin master
popd
echo "Done."
@@ -36,9 +36,9 @@ finish_phase() {
echo "Finished cleanup."
}
-trap finish_phase EXIT
+trap finish-phase EXIT
-create_known_hosts_file() {
+create-known-hosts-file() {
echo "${TLD},$(terraform output public_floating_ip) ssh-rsa $(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" > ./generated/generated-known-hosts.txt
}
@@ -52,17 +52,15 @@ envsubst < ./scripts/box/restore-backup.env.sh > ./generated/restore-backup.sh
echo "Done."
echo "Shutting down running containers and backing up data..."
-create_known_hosts_file
-ssh "$TLD" "cd /home/vps/ && docker-compose down"
-scp ./secrets/borg/borg-remote.pub "$TLD":/root/.ssh/id_rsa.pub
-scp ./secrets/borg/borg-remote "$TLD":/root/.ssh/id_rsa
-scp ./secrets/borg/known-hosts.txt "$TLD":/root/.ssh/known_hosts
-scp ./generated/create-backup.sh "$TLD":/home/vps/create-backup.sh
-ssh "$TLD" 'chmod 400 /root/.ssh/id_rsa'
-ssh "$TLD" "chmod +x /home/vps/create-backup.sh"
+create-known-hosts-file
ssh "$TLD" /home/vps/create-backup.sh > ./logs/borg-create.txt 2>&1
echo "Done."
+echo "Running the Ansible shutdown.yaml playbook..."
+create-known-hosts-file
+ansible-playbook -v shutdown.yaml > ./logs/ansible-shutdown.txt
+echo "Done."
+
echo "Initializing Terraform..."
terraform --version
terraform init
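Review bot: The line `ssh "$TLD" /home/vps/create-backup.sh > ./logs/borg-create.txt 2>&1` still runs the backup script by hand, but as far as this diff shows nothing installs that script or the borg keys on the host before it runs any more: the scp lines that used to precede it are removed in this hunk, provision.yaml no longer copies create-backup.sh, and the new shutdown.yaml copies the files and runs the backup itself. On a freshly provisioned host the ssh call would presumably fail (aborting the deploy under `set -Eeuo pipefail`), and on an existing host it backs up with the volumes still live and then the playbook backs up a second time after `docker-compose down`. The remaining manual block (the `echo "Shutting down running containers and backing up data..."` heading, the first `create-known-hosts-file`, the ssh line and its `echo "Done."`) should go so the playbook is the only place the backup runs. Also, `ansible-playbook -v shutdown.yaml > ./logs/ansible-shutdown.txt` captures only stdout, unlike the ssh line's `2>&1`; adding `2>&1` keeps playbook errors in the log file as well.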
@@ -101,7 +99,7 @@ git push origin master
popd
echo "Done."
-echo "Running the Ansible playbook..."
-create_known_hosts_file
-ansible-playbook -v provision.yaml > ./logs/ansible.txt
+echo "Running the Ansible provision.yaml playbook..."
+create-known-hosts-file
+ansible-playbook -v provision.yaml > ./logs/ansible-provision.txt
echo "Done."
diff --git a/shutdown.yaml b/shutdown.yaml
new file mode 100644
index 0000000..efda810
--- /dev/null
+++ b/shutdown.yaml
@@ -0,0 +1,17 @@
+---
+- hosts: all
+ any_errors_fatal: true
+ tasks:
+ - name: Copy files for performing the backup
+ copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }}
+ with_items:
+ - { src: './generated/create-backup.sh', dest: '/home/vps/create-backup.sh', mode: '500' }
+ - { src: './secrets/borg/borg-remote.pub', dest: '/root/.ssh/id_rsa.pub', mode: '400' }
+ - { src: './secrets/borg/borg-remote', dest: '/root/.ssh/id_rsa', mode: '400' }
+ - { src: './secrets/borg/known-hosts.txt', dest: '/root/.ssh/known_hosts', mode: '400' }
+ - name: Stop docker-compose
+ docker_service:
+ project_src: /home/vps/
+ state: absent
+ - name: Create a borg backup of the volume
+ shell: /home/vps/create-backup.sh
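Review bot: The `Create a borg backup of the volume` task uses `shell:` for a bare script path with no pipes, redirects or variable expansion, so `command: /home/vps/create-backup.sh` is the safer module (ansible-lint reports this as command-instead-of-shell). The task is meant to run on every playbook run rather than be idempotent, so a one-line comment such as `# Runs on every deploy on purpose; no creates:/changed_when: guard` would stop a later reader from adding one. `docker_service` appears to be the older name of the module later releases call `docker_compose`; worth confirming against the Ansible version used in CI before relying on it.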