# Veza V5 Ultra Deployment Guide

This guide provides step-by-step instructions for deploying Veza V5 Ultra using Ansible, Incus containers, OVN networking, HAProxy, and Let's Encrypt.

## Table of Contents

- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Step-by-Step Deployment](#step-by-step-deployment)
- [Troubleshooting](#troubleshooting)
- [Post-Deployment](#post-deployment)
- [Maintenance](#maintenance)

## Prerequisites

### Control Node (Your Machine)

- Ansible 2.16+
- SSH access to the target host
- Required collections: `community.general`, `community.docker`

### Target Host (192.168.0.12)

- Debian 12 (Bookworm)
- SSH key authentication configured
- Root or sudo access
- Internet connectivity

### DNS Configuration

- Domain: `veza.talas.fr`
- A record pointing to the target host IP (192.168.0.12)

## Quick Start

```bash
# 1. Clone and navigate to the ansible directory
cd ansible

# 2. Install the required collections
ansible-galaxy collection install community.general community.docker

# 3. Run the full deployment
./deploy-veza.sh

# 4. Configure DNS and re-run the HAProxy playbook
ansible-playbook -i inventory/prod/hosts.yml playbooks/30-haproxy-acme.yml \
  -e domain=veza.talas.fr -e acme_email=ops@talas.fr

# 5. Run the smoke tests
ansible-playbook -i inventory/prod/hosts.yml playbooks/50-smoke-tests.yml
```

## Step-by-Step Deployment

### Step 1: Bootstrap Target Host

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/00-bootstrap-remote.yml
```

**What this does:**

- Installs essential packages (python3, sudo, curl, etc.)
- Configures SSH for better performance
- Sets up firewall rules for the required ports
- Installs Incus dependencies

**Expected output:**

```
TASK [Install essential packages] **********************************************
ok: [edge-1]

TASK [Configure firewall for Veza ports] **************************************
ok: [edge-1]

TASK [Test connectivity] ******************************************************
ok: [edge-1]
```

### Step 2: Install Incus and OVN

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/10-incus-ovn.yml
```

**What this does:**

- Installs Incus via snap
- Initializes Incus in standalone mode
- Creates the OVN network `veza-ovn`
- Creates the `veza` profile for containers

**Expected output:**

```
TASK [Install Incus via snap] *************************************************
ok: [edge-1]

TASK [Create OVN network for Veza] ********************************************
ok: [edge-1]

TASK [Verify Incus is running] ************************************************
ok: [edge-1]
```

### Step 3: Create Containers

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/20-incus-containers.yml
```

**What this does:**

- Creates 5 containers: haproxy, backend, chat, stream, web
- Configures networking with static IPs
- Sets up proxy devices for external access
- Starts all containers

**Expected output:**

```
TASK [Create Veza containers] *************************************************
ok: [edge-1] => (item=veza-haproxy)
ok: [edge-1] => (item=veza-backend)
ok: [edge-1] => (item=veza-chat)
ok: [edge-1] => (item=veza-stream)
ok: [edge-1] => (item=veza-web)
```

### Step 4: Configure HAProxy and Let's Encrypt

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/30-haproxy-acme.yml \
  -e domain=veza.talas.fr -e acme_email=ops@talas.fr
```

**What this does:**

- Installs HAProxy and ACME tools in the container
- Configures nginx for ACME challenges
- Sets up HAProxy with SSL termination
- Requests a Let's Encrypt certificate
- Configures automatic renewal
**Expected output:**

```
TASK [Install HAProxy and ACME tools in container] ****************************
ok: [edge-1]

TASK [Request Let's Encrypt certificate] ***************************************
ok: [edge-1]

TASK [Test HAProxy configuration] **********************************************
ok: [edge-1]
```

### Step 5: Deploy Applications

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/40-veza-apps.yml
```

**What this does:**

- Installs Go and builds the backend API
- Installs Rust and builds the chat server
- Installs Rust and builds the stream server
- Installs Node.js and deploys the web app
- Creates systemd services for all apps

**Expected output:**

```
TASK [Deploy Go Backend API] **************************************************
ok: [edge-1]

TASK [Deploy Rust Chat Server] ***********************************************
ok: [edge-1]

TASK [Deploy Rust Stream Server] **********************************************
ok: [edge-1]

TASK [Deploy React Web Application] *******************************************
ok: [edge-1]
```

### Step 6: Run Smoke Tests

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/50-smoke-tests.yml
```

**What this does:**

- Tests connectivity to all containers
- Validates all service endpoints
- Checks the HAProxy configuration
- Tests external access (if DNS is configured)
- Generates a comprehensive test report

**Expected output:**

```
TASK [Test container connectivity] *********************************************
ok: [edge-1]

TASK [Test Backend API service] ***********************************************
ok: [edge-1]

TASK [Generate smoke test summary] ********************************************
ok: [edge-1]
```

## Troubleshooting

### Common Issues

#### 1. SSH Connection Failed

```bash
# Test SSH connectivity
ssh -o ConnectTimeout=10 senke@192.168.0.12 "echo 'SSH test'"

# Check the SSH config (option names are case-insensitive, hence -i); an obsolete
# option such as CompressionLevel makes current OpenSSH clients abort with
# "Bad configuration option"
grep -in "compressionlevel" ~/.ssh/config
```

**Solution:** Fix the SSH config or ensure the target host is reachable.

#### 2. Incus Installation Failed

Run these commands on the target host itself: Incus is installed on the host, and the containers do not exist yet if this step failed.

```bash
# Check snapd status
systemctl status snapd

# Reinstall Incus
snap remove incus
snap install incus --classic
```

#### 3. Container Creation Failed

```bash
# Check Incus status
incus list
incus network list
incus profile list

# Clean up and retry
incus delete veza-haproxy --force
ansible-playbook -i inventory/prod/hosts.yml playbooks/20-incus-containers.yml
```

#### 4. HAProxy Configuration Error

```bash
# Test the HAProxy config
incus exec veza-haproxy -- haproxy -c -f /etc/haproxy/haproxy.cfg

# Check the HAProxy logs
incus exec veza-haproxy -- journalctl -u haproxy -f
```

#### 5. Let's Encrypt Certificate Failed

```bash
# Check that ACME challenges are served
incus exec veza-haproxy -- curl http://localhost:8888/.well-known/acme-challenge/test

# Manual certificate request
incus exec veza-haproxy -- dehydrated -c -d veza.talas.fr
```

#### 6. Application Service Failed

```bash
# Check service status
incus exec veza-backend -- systemctl status veza-backend
incus exec veza-chat -- systemctl status veza-chat
incus exec veza-stream -- systemctl status veza-stream
incus exec veza-web -- systemctl status veza-web

# Check logs
incus exec veza-backend -- journalctl -u veza-backend -f
```

### Debug Commands

```bash
# Check the status of all containers
incus list --format=json | jq '.[] | {name: .name, status: .status, state: .state}'

# Check the network configuration
incus network show veza-ovn

# Check HAProxy statistics
incus exec veza-haproxy -- curl -s http://localhost:8404/stats

# Test internal connectivity
incus exec veza-web -- curl -s http://10.10.0.101:8080/api/health
incus exec veza-web -- curl -s http://10.10.0.102:8081/health
incus exec veza-web -- curl -s http://10.10.0.103:8082/stream/health
```

## Post-Deployment

### 1. Configure DNS

Point your domain's A record to the target host IP:

```
veza.talas.fr. IN A 192.168.0.12
```

The HTTP-01 challenge used in the next step requires Let's Encrypt to reach port 80 at the published address from the public internet. A private address such as 192.168.0.12 therefore only works when it is port-forwarded from a public address, and the A record must then carry that public address.

### 2. Re-run HAProxy Playbook

After DNS is configured, re-run the HAProxy playbook to obtain the Let's Encrypt certificate:

```bash
ansible-playbook -i inventory/prod/hosts.yml playbooks/30-haproxy-acme.yml \
  -e domain=veza.talas.fr -e acme_email=ops@talas.fr
```

### 3. Verify HTTPS Access

```bash
curl -I https://veza.talas.fr
curl -I https://veza.talas.fr/api/health
```

### 4. Monitor Application Logs

```bash
# Follow all logs (each tail runs in the background; stop them with: kill $(jobs -p))
incus exec veza-haproxy -- journalctl -u haproxy -f &
incus exec veza-backend -- journalctl -u veza-backend -f &
incus exec veza-chat -- journalctl -u veza-chat -f &
incus exec veza-stream -- journalctl -u veza-stream -f &
incus exec veza-web -- journalctl -u veza-web -f &
```

## Maintenance

### Certificate Renewal

Certificates are renewed automatically via cron. To check:

```bash
incus exec veza-haproxy -- crontab -l
incus exec veza-haproxy -- ls -la /etc/haproxy/certs/
```

### Container Updates

```bash
# Update packages inside each container. The command chain is wrapped in sh -c so
# that "apt upgrade" also runs inside the container; with a bare "&&" the shell on
# the host would split the line and run the upgrade on the host instead.
incus exec veza-backend -- sh -c 'apt update && apt upgrade -y'
incus exec veza-chat -- sh -c 'apt update && apt upgrade -y'
incus exec veza-stream -- sh -c 'apt update && apt upgrade -y'
incus exec veza-web -- sh -c 'apt update && apt upgrade -y'
```

### Backup

```bash
# Back up container configurations and file systems
mkdir -p /backup
incus export veza-haproxy /backup/veza-haproxy.tar.gz
incus export veza-backend /backup/veza-backend.tar.gz
incus export veza-chat /backup/veza-chat.tar.gz
incus export veza-stream /backup/veza-stream.tar.gz
incus export veza-web /backup/veza-web.tar.gz
```

### Scaling

To add more backend instances:

```bash
# Create an additional backend container with a static address. Use init rather
# than launch so the address is set before the first start, and override eth0
# (inherited from the veza profile) on the instance before changing its keys.
# ipv4.address takes a plain address, without a prefix length.
incus init debian/bookworm veza-backend-2 --profile veza
incus config device override veza-backend-2 eth0 ipv4.address=10.10.0.105
incus start veza-backend-2

# Add the new server to the HAProxy configuration, validate it, then reload
incus exec veza-haproxy -- sed -i 's/server api1 10.10.0.101:8080/server api1 10.10.0.101:8080\n    server api2 10.10.0.105:8080/' /etc/haproxy/haproxy.cfg
incus exec veza-haproxy -- haproxy -c -f /etc/haproxy/haproxy.cfg
incus exec veza-haproxy -- systemctl reload haproxy
```
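A more robust form of the scaling edit above, as an added example that is not part of the Veza playbooks: instead of a one-shot `sed`, the new `server` line is inserted into the named backend section only if it is not already there, and the `haproxy -c -f` check from the Troubleshooting section becomes a precondition of the reload. The function names (`add_backend_server`, `reload_if_valid`, `demo_config`), the section names `be_api` and `be_acme`, and the sample configuration written by `demo_config` are assumptions constructed here from the ports and paths the guide mentions (ACME challenges on :8888, certificates under `/etc/haproxy/certs/`, the API on 10.10.0.101:8080); the real `/etc/haproxy/haproxy.cfg` produced by the playbook may differ.

```shell
#!/bin/sh
# Added example for this guide (not Veza project code): add a server to an
# HAProxy backend idempotently and validate the configuration before reloading.
# Intended to run inside the veza-haproxy container, e.g.
#   incus file push scale.sh veza-haproxy/root/scale.sh
#   incus exec veza-haproxy -- sh /root/scale.sh add /etc/haproxy/haproxy.cfg be_api api2 10.10.0.105:8080
set -u

# add_backend_server CFG BACKEND NAME ADDR:PORT
# Inserts "server NAME ADDR:PORT check" after the last non-blank line of the
# named backend section. Re-running with the same NAME is a no-op; a missing
# backend section is an error (return 1) rather than a silent append.
add_backend_server() {
    cfg=$1; backend=$2; name=$3; addr=$4
    if grep -Eq "^[[:space:]]*server[[:space:]]+$name([[:space:]]|$)" "$cfg"; then
        return 0
    fi
    # Line number of the last non-blank line inside the target backend (0 if absent).
    n=$(awk -v b="$backend" '
        /^backend[[:space:]]/ { inb = ($2 == b); if (inb) last = NR; next }
        /^(frontend|listen|defaults|global)([[:space:]]|$)/ { inb = 0 }
        inb && NF > 0 { last = NR }
        END { print last + 0 }' "$cfg")
    [ "$n" -gt 0 ] || return 1
    awk -v n="$n" -v line="    server $name $addr check" \
        '{ print } NR == n { print line }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# reload_if_valid CFG: the guide's "haproxy -c -f" check, made a precondition of the reload.
reload_if_valid() {
    haproxy -c -q -f "$1" && systemctl reload haproxy
}

# demo_config PATH: writes a constructed configuration in the shape the guide
# describes (ACME challenges to nginx on :8888, SSL termination, one API server)
# so the script can be tried without touching /etc/haproxy/haproxy.cfg.
demo_config() {
    cat > "$1" <<'EOF'
global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_http
    bind *:80
    acl acme path_beg /.well-known/acme-challenge/
    use_backend be_acme if acme
    redirect scheme https code 301 if !acme

frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend be_api

backend be_acme
    server nginx 127.0.0.1:8888

backend be_api
    balance roundrobin
    server api1 10.10.0.101:8080 check
EOF
}

# "demo" edits a throwaway copy and prints it; "add" edits a real file and reloads.
case "${1:-}" in
    demo) tmp=$(mktemp); demo_config "$tmp"
          add_backend_server "$tmp" be_api api2 10.10.0.105:8080; cat "$tmp"; rm -f "$tmp" ;;
    add)  add_backend_server "$2" "$3" "$4" "$5" && reload_if_valid "$2" ;;
esac
```

`sh scale.sh demo` shows the result on the constructed configuration; with `add`, the reload only happens when `haproxy -c` accepts the edited file, so a typo in the server address leaves the running proxy untouched.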
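The internal health probes from Step 6 and the Debug Commands section, turned into a small script that can gate a deployment step, as an added example that is not part of the Veza playbooks. It assumes the `veza-web` container and the three internal addresses listed under Debug Commands; the name/URL list, the `FETCH` variable and the function names are constructed here. `FETCH` exists so the reporting logic can be exercised with canned status codes on a machine that has no deployment.

```shell
#!/bin/sh
# Added example for this guide (not part of the Veza project): probe the internal
# health endpoints from the "Debug Commands" section and summarise which services
# answer. Run it on the target host, where the incus client is available.
set -u

# Endpoints from the guide's Debug Commands, one "name|url" per line (constructed list).
ENDPOINTS="backend|http://10.10.0.101:8080/api/health
chat|http://10.10.0.102:8081/health
stream|http://10.10.0.103:8082/stream/health"

# fetch_via_incus URL: prints only the HTTP status code, probing from inside the
# veza-web container exactly as the guide does; -m 5 bounds each probe.
fetch_via_incus() {
    incus exec veza-web -- curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"
}

# FETCH names the function used to probe. Overriding it with a stub that prints
# canned status codes lets the logic run without a deployment.
: "${FETCH:=fetch_via_incus}"

# check_endpoints: prints one line per endpoint and returns the number of
# endpoints that did not answer HTTP 200 (0 means all healthy).
check_endpoints() {
    failures=0
    while IFS='|' read -r name url; do
        [ -n "$name" ] || continue
        # A probe that produces no code at all (container missing, incus error) counts as 000.
        code=$("$FETCH" "$url" 2>/dev/null) || code="000"
        [ -n "$code" ] || code="000"
        if [ "$code" = "200" ]; then
            printf 'ok   %-8s %s\n' "$name" "$url"
        else
            printf 'FAIL %-8s %s (HTTP %s)\n' "$name" "$url" "$code"
            failures=$((failures + 1))
        fi
    done <<EOF
$ENDPOINTS
EOF
    return "$failures"
}

# Only probe when invoked with "run", so sourcing the file just defines the functions.
case "${1:-}" in
    run) check_endpoints ;;
esac
```

`sh smoke.sh run` exits non-zero when any service is unhealthy, which makes it usable as a post-deployment gate; the exit status is the count of failing endpoints, so `$?` tells you how many of the three services need attention.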
## Support

For issues or questions:

1. Check the troubleshooting section above
2. Review container logs for error messages
3. Run the smoke tests to identify failing components
4. Check the Ansible playbook logs for deployment issues

## Architecture Overview

```
Internet (veza.talas.fr)
          ↓
HAProxy Container (80/443)
          ↓
OVN Network (veza-ovn)
          ↓
┌─────────┬─────────┬─────────┬─────────┐
│Backend  │ Chat    │ Stream  │ Web     │
│:8080    │ :8081   │ :8082   │ :3000   │
│(Go)     │ (Rust)  │ (Rust)  │ (Node)  │
└─────────┴─────────┴─────────┴─────────┘
```

This deployment provides a complete, production-ready Veza V5 Ultra platform with automatic SSL certificate management, load balancing, and comprehensive monitoring.