commit 35cd457986d81a0da3fc997bd8558b10991054d5 Author: Jorge E. Gomez Date: Tue Dec 15 22:36:08 2020 -0500 Initial version, based on Odoo8 scripts
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..160a1e9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+# Ansible role to launch a new Odoo 14 LXD container
+
+To be used in the LXD host (currently **servidora1e0.bogota.agofer**), using
+`ansible-pull`.
+
+```sh
+ansible-pull \
+ -U ssh://git@gitea.agofer.net:22001/jegomez/ansible-role-odoo14-launch-container \
+ -e nombre= \
+ --vault-password-file ~/.vault_pass.txt \
+ -l localhost,nginx \
+ -i hosts
+
+```
+
+* Launches a new LXD container called **newodoocontainer**, that uses a LXD profile to download
+ and setup Odoo v14.
+* Creates a DNS alias for **externo.agofer.net** called
+ **newodoocontainer.agofer.net**.
+* Registers this container in the existing Nginx Proxy container.
+* Requests an SSL certificate to _Let's Encrypt_ for the new domain, storing
+ the certificates in the Nginx Proxy container.
+
+The file ~/.vault_pass.txt contains the cleartext password to the vault
+file where the Dreamhost API key and the Gitea deploy keys are stored
+encrypted.
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..9b25cf3
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+localhost ansible_connection=local ansible_python_interpreter=python3
+nginx ansible_connection=lxd
diff --git a/local.yml b/local.yml
new file mode 100644
index 0000000..5117fd6
--- /dev/null
+++ b/local.yml
@@ -0,0 +1,28 @@
+- hosts: localhost
+ gather_facts: no
+ tasks:
+
+ - name: Verify correct usage of parameter
+ assert:
+ that:
+ - nombre is defined
+ - nombre|length > 3
+ fail_msg: 'Debe definir una variable "nombre"'
+
+- hosts: localhost
+ gather_facts: yes
+ user: sistemas
+ roles:
+ - lxchost
+ vars:
+ dominio: agofer.net
+
+- hosts: nginx
+ gather_facts: yes
+ roles:
+ - nginxproxy
+ vars:
+ dominio: agofer.net
+ ansible_python_interpreter: python3
+ ansible_connection: lxd
+ ansible_host: local:nginx
diff --git a/roles/lxchost/tasks/lxd_profile.yml b/roles/lxchost/tasks/lxd_profile.yml
new file mode 100644
index 0000000..4ada754
--- /dev/null
+++ b/roles/lxchost/tasks/lxd_profile.yml
@@ -0,0 +1,50 @@
+---
+- name: Create or verify Odoo LXD profile
+ lxd_profile:
+ name: odoo14
+ description: LXD profile for Odoo v14
+ config:
+ user.vendor-data: |
+ #cloud-config
+ package_upgrade: true
+ packages:
+ - python3-pip
+ - python3-venv
+ users:
+ - name: root
+ ssh-import-id: gh:jorgeegomez
+ write_files:
+ - owner: root:root
+ path: /root/.vault_pass.txt
+ permissions: '0600'
+ content: '{{ vaultpass }}'
+ - encoding: gzip
+ owner: root:root
+ path: /root/.ssh/id_ed25519
+ permissions: '0600'
+ content: !!binary |
+ '{{ privkey | string | b64encode }}'
+ - encoding: gzip
+ owner: root:root
+ path: /root/.ssh/id_ed25519.pub
+ permissions: '0644'
+ content: !!binary |
+ '{{ pubkey | string | b64encode }}'
+ - encoding: gzip
+ owner: root:root
+ path: /root/.ssh/known_hosts
+ permissions: '0644'
+ content: !!binary |
+ '{{ known_hosts | string | b64encode }}'
+ runcmd:
+ - [ ansible-pull, -U, "ssh://git@gitea.agofer.net:22001/jegomez/ansible-role-odoo14-lxd.git" ]
+ devices:
+ nat01:
+ nictype: bridged
+ parent: nat01
+ type: nic
+ root:
+ path: /
+ pool: default
+ type: disk
+
diff --git a/roles/lxchost/tasks/main.yml b/roles/lxchost/tasks/main.yml
new file mode 100644
index 0000000..db180b3
--- /dev/null
+++ b/roles/lxchost/tasks/main.yml
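Review bot: The assert in the first play only checks that `nombre` is defined and longer than three characters, yet both roles turn it into a container name, a DNS record, Nginx file paths and a certbot argument, and `urlencode` does not restrict it to what those consumers accept. Add a shape check next to the length test, e.g. `- nombre is match("^[A-Za-z0-9][A-Za-z0-9_-]{2,62}$")`, so a value containing dots, slashes or percent-escapes is rejected before anything is created. The `container` fact derived from it is computed separately in roles/lxchost/tasks/main.yml and roles/nginxproxy/tasks/main.yml; setting it once here under `vars` would keep the two in step. `gather_facts: no`/`yes` are YAML 1.1 truthy spellings; `false`/`true` are the portable form.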
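Review bot: The known_hosts entry in `write_files` references `{{ known_hosts | string | b64encode }}`, but roles/lxchost/vars/main.yml defines the variable as `knownhosts`, so templating this profile fails with an undefined variable unless it is set elsewhere; rename one side, e.g. `'{{ knownhosts | string | b64encode }}'`. Inside a `!!binary |` literal block the surrounding single quotes are part of the text rather than YAML quoting, so cloud-init receives a payload starting with `'`, which is not valid base64, and since vars/main.yml already describes these values as base64-encoded the extra `b64encode` looks like a double encoding — confirm against a rendered profile. The vault password and the private deploy key are embedded in `user.vendor-data`, which LXD keeps as plain profile config (visible via `lxc profile show` and to every instance using the profile), so anyone able to read the profile or the instance metadata obtains both; a per-container secret with narrower scope, or out-of-band delivery, would limit the exposure. `ssh-import-id: gh:jorgeegomez` bakes a personal GitHub identity into root of every container; make it a role variable.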
@@ -0,0 +1,31 @@
+---
+
+- set_fact:
+ container: '{{ nombre | urlencode | lower | regex_replace("_", "-") }}'
+
+- import_playbook: lxd_profile.yml
+
+- name: Launch LXD container
+ lxd_container:
+ name: '{{ container }}'
+ ephemeral: no
+ profiles: ['odoo14']
+ source:
+ type: image
+ mode: pull
+ server: https://cloud-images.ubuntu.com/releases
+ protocol: simplestreams
+ fingerprint: 39a93d0b3552
+
+# alias: ubuntu/20.04
+
+- name: Announce expected container deployment time
+ debug:
+ msg:
+ - 'El nuevo contenedor {{ container }} ha sido lanzado.'
+ - 'El tiempo de carga de Odoo es de 3.5 horas aproximadamente.'
+
+- name: Register DNS CNAME alias using Dreamhost API
+ uri:
+ url: 'https://api.dreamhost.com/?key={{ apikey }}&cmd=dns-add_record&record={{ container }}.{{ dominio }}&type=CNAME&value=externo.{{ dominio }}.'
+
diff --git a/roles/lxchost/vars/main.yml b/roles/lxchost/vars/main.yml
new file mode 100644
index 0000000..89e4081
--- /dev/null
+++ b/roles/lxchost/vars/main.yml
@@ -0,0 +1,15 @@
+---
+# Encrypted variables
+
+# Ansible Vault password
+vaultpass: '{{ vault_vaultpass }}'
+
+# Dreamhost API key
+apikey: '{{ vault_apikey }}'
+
+# SSH deploy keys, gzipped and base64-encoded
+privkey: '{{ vault_privkey }}'
+pubkey: '{{ vault_pubkey }}'
+
+# SSH host hashes for Gitea, gzipped and base64-encoded
+knownhosts: '{{ vault_knownhosts }}'
diff --git a/roles/lxchost/vars/vault.yml b/roles/lxchost/vars/vault.yml
new file mode 100644
index 0000000..cf7d5a5
--- /dev/null
+++ b/roles/lxchost/vars/vault.yml
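Review bot: `- import_playbook: lxd_profile.yml` is a playbook-level keyword and is not accepted inside a role's task list, so the role fails to load; this should be `- import_tasks: lxd_profile.yml` (or `include_tasks`). The Dreamhost call passes `{{ apikey }}` as a query parameter in `url` and the `uri` task has no `no_log: true`, so the key is printed in task output and kept by any log or callback plugin; add `no_log: true` and, if the API reports failures in the body rather than the status code, `register` the result and set `failed_when` on it instead of trusting a 200. `ephemeral: no` is the YAML 1.1 truthy spelling; `false` is the portable form.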
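Review bot: Every value here maps to a `vault_*` variable, but nothing in the commit loads roles/lxchost/vars/vault.yml: Ansible only reads `vars/main.yml` from a role automatically, so `vault_vaultpass` and the others are undefined at runtime unless an inventory or group_vars file outside this repository supplies them. Either add `- include_vars: vault.yml` at the top of roles/lxchost/tasks/main.yml or list the file under `vars_files` in local.yml. A comment naming where the vault is expected to be loaded from would save the next reader the same search.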
@@ -0,0 +1,82 @@ +$ANSIBLE_VAULT;1.1;AES256 +32343538636337626161313638396661316338646364303263333138393565633837353232353536 +6539373337396264636336366436336163353030306531370a313635306237633865326661333930 +39386238366630326230383632646139653166346333343439306232323732663965663566383863 +3366356265383163300a303062623233383764343761643432613336306433373537386461326462 +31663763393433356233366166386534396335313832346634633231623565346637366339363662 +64646132616266343762336335353965333864306432336335636266393434326365633331396262 +35336662313531613235363162316630356466333332666162636238643839653066356635323662 +39646561653731356233633362303661643437353137633830326438393736366232323939346238 +66373863666363323761666664363562663934393063623161346163663330323364613261323061 +63663863303736383630613666623736633838356131353364643565333337363938383630333863 +61343231313732353831306131383233633937633634306263346466646438623263363736666465 +35656534366263633666613662376136313937376263326364623834313531363865643636633661 +63393931363862366364393437623339653361393631383664323765393863623239326231386133 +30303532633062613564656431346466396236613361616433376236626234613338636334376334 +62386662396134626532623237633936383437383039343261616465356464326230666365376230 +30663463393064356639386135623132656666366336633438663062383432386337313063313038 +39343430616531336662346532303862346538306339326433653635336163373932373663306365 +31646265643435643637336662356162326133613634613836313933346363373336383235333630 +39363235336534313131326364386131393163323732336530373034386462303764643661316533 +63303264643965313666653639613161363638663239313935663133646334646665313662373739 +32383635623961663332333839386539353432316330666337343464313462643065396435613363 +63346161613436366437346264346534333364333636326365383137396462336330633761633632 +35663435396133376262386163653734616637363266343763623632646631386163653739383966 
+62666565326637663736663233643335613136646562323331373566373634343837613733616533 +38393239303166363537313639626434336239303037613133646562326635346263363033376535 +62313037356635656536323237623739353262366438303235613030353235306539653431343935 +63383562303035623035323363363939303332636661376366333963333363373337663732653833 +31653461303965396263346237653734656134356138333536303633646563313162646639316361 +64363038323431383035353331663265663963303936396663353135663137366437393465333239 +31313738356231306631613262623132343433323533623631353838386633373637653239373738 +65363032336261613262636433393161366538303231653836323038326330393234376331353238 +33356630616631396337663662383564643664613936393330613363313263373535303237316561 +36383135313961656164303561656234383330376563306663383733363638663830323637396164 +61643666323233623936616663656466323863333261336336333733643633636265646565323532 +66653766303730633332326663363834353662613037326537663364393962633464386433396338 +61336561623263643365643134653966353033363235663038376361383262623961623165656261 +63316139343530333431303233316631323634366539363232613136323839313135386562663133 +36333232356337316332313731393930363664363266663765303766373331393136366663666337 +62396432373364643930313430373732613166656262306333633963633361616165313830633939 +37373565626131326637383065633337336665636235353835333939306365333134393438613366 +39303162326436303862666639643839633330366562666437376638333635613730643563353730 +38643139333433613761343436663933636365666162336435643334306533323266336664626163 +35366237366161626463383734376232636661333532666664633637623535393262386430376166 +37373066373330646335623033613038346663393234393966373535656264393664386361326435 +64326236356330353332326662373533636163366335316266343837616466353262356637666534 +31656465333833343635363362346632383334393934666232643736363637386638636130376333 +34643131663336383632313566623031363964373131623834346235356366616165626538316534 
+37366230313366616432356230373431633364313439393131393732616265346437633364316639 +35366133306535646137353035663264666133393465356464613537653334303531303162633631 +32306333323034366461636435323565613432313364643264373639663735303130323030383363 +34376430333531323637346138383064306336373230396633323161323938343935303365353463 +63616239363362393233616361333761666332366266373434343034643362616261363765633031 +65616364383765636330386264373732363937373264313233373339333937323937306663393163 +37633931623333373331303530383164313665636262623139616231326166623336333766336639 +30393961353730376132653234313532643437356664326333323433366438646562666335323461 +31303334333130306638636238363335656663663132653030303262376434333965356463336366 +30366164356632316232363836313039613038313063626162633637343234643638313937313463 +39326465373961383261303833363863316262383564366131326666353438326333313231376364 +31346135376230373733353066663363353364366333373466343539393138373937376463656639 +38393136313862613130303262656366366265393737643961353937616366643437373436393539 +38376334393237343437643637366531313662643661666462353439653931663363666466666536 +64346162343965393635613939353766326137333938376262373065323730306539336163623866 +32383739303638613631616633393863336430623036643264353363613361393239383566306433 +32383762396139343264643639653434393364373533306433663239366434343261323033313266 +37376134333033656239663236646533656433666161306337666465353539373264656538363263 +35383165343339383036326565313834613062333330386230663433616332363866323237376234 +63343330616466323630353735326231343230366562306536623466663936646631353832333732 +34353037376338396234626563323534353737396536363839666336386435363465363564326131 +39663264343234656339663931383664616364386530373362386631613461353461386139653661 +39316362616138373835383064613762666565386531626138336136363732633162346364346564 +37366233333663326130333965613661643932343133323537396265376133366563306130626236 
+37366133353164393134336466653736376366333563376436633264326237386535303162336266
+62333266653538663562633332303030313633343235303037393562326338626136363464643665
+32303263306638613537623365343830393838326165346631613061646364623330303762353730
+37326362356261393261636636373264363130386166633835383561333664366162333865616261
+63313165346362383132393137636535646330346164343632333439626637666266373433326333
+61343032646438313038396538336534373061623766353932333231323938666661373031613433
+64313431306163373664613931353630633833656634376263303336343732643364613936653166
+34636538333064356230316266393538343663333235646666393963323032663937373937653464
+62646630626239343632616330303331613261613164366562373831346634613361373237316132
+6430
diff --git a/roles/nginxproxy/tasks/main.yml b/roles/nginxproxy/tasks/main.yml
new file mode 100644
index 0000000..669cfd4
--- /dev/null
+++ b/roles/nginxproxy/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+# Tasks to be run inside the Nginx proxy container
+
+- set_fact:
+ container: '{{ nombre | urlencode | lower | regex_replace("_", "-") }}'
+
+- name: Create basic Nginx config for new container
+ template:
+ src: newsite.conf.j2
+ dest: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+
+- name: Create folder for Let's Encrypt files
+ file:
+ path: '/var/www/{{ container }}'
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: '0755'
+
+- name: Restart Nginx
+ systemd:
+ name: nginx
+ state: restarted
+
+- name: Request Let's Encrypt certificate
+ command:
+ cmd: 'certbot --redirect --agree-tos -m {{ email }} --hsts --nginx -n -d {{ container }}.{{ dominio }}'
+
+# Certbot doesn't add proxy_protocol.
+# (https://github.com/certbot/certbot/issues/8057)
+
+- name: Use Proxy protocol in port 443
+ lineinfile:
+ path: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+ line: ' listen 443 ssl proxy_protocol;'
+ regexp: '^ listen 443'
+
+- name: Use Proxy protocol in port 443 IPv6
+ lineinfile:
+ path: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+ line: ' listen [::]:443 ssl proxy_protocol;'
+ regexp: '^ listen .....443'
+
+- name: Restart Nginx again
+ systemd:
+ name: nginx
+ state: restarted
+
diff --git a/roles/nginxproxy/templates/newsite.conf.j2 b/roles/nginxproxy/templates/newsite.conf.j2
new file mode 100644
index 0000000..aba6efc
--- /dev/null
+++ b/roles/nginxproxy/templates/newsite.conf.j2
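Review bot: The certbot task under `Request Let's Encrypt certificate` runs on every play because `command` has no idempotency guard; repeated runs re-request the certificate and count against Let's Encrypt's issuance rate limits, after which the role fails until the limit window passes. Add `creates: '/etc/letsencrypt/live/{{ container }}.{{ dominio }}/fullchain.pem'` beside `cmd:` so the request is skipped once the certificate exists. Both `systemd` tasks use `state: restarted`, which drops in-flight connections for every other site behind the proxy; `state: reloaded` applies the new server block without that. The two `lineinfile` regexps (`^ listen 443` and `^ listen .....443`) depend on the exact indentation and shape of the lines certbot writes; `'^\s*listen\s+443\b'` and `'^\s*listen\s+\[::\]:443\b'` would survive formatting differences.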
@@ -0,0 +1,22 @@
+server {
+ listen 80 proxy_protocol;
+ listen [::]:80 proxy_protocol;
+ server_name {{ container }}.{{ dominio }};
+ root /var/www/{{ container }};
+ location / {
+ resolver 10.0.3.1 valid=1h;
+ set $container "http://{{ container }}.lxd";
+ proxy_pass $container;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ location /.well-known {
+ alias /var/www/{{ container }}/.well-known;
+ }
+}
+
diff --git a/roles/nginxproxy/vars/main.yml b/roles/nginxproxy/vars/main.yml
new file mode 100644
index 0000000..416a5fa
--- /dev/null
+++ b/roles/nginxproxy/vars/main.yml
@@ -0,0 +1,2 @@
+---
+email: sistemas@agofer.com.co
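Review bot: `proxy_set_header X-Real-IP $remote_addr;` forwards the upstream proxy's address rather than the client's, because this server block listens with `proxy_protocol` and `$remote_addr` (and therefore `$proxy_add_x_forwarded_for`) only carries the PROXY-protocol source once `set_real_ip_from` and `real_ip_header proxy_protocol;` are configured, which nothing in this file does; use `$proxy_protocol_addr` here or add the real_ip directives, otherwise Odoo's logs and any IP-based controls behind it see the wrong address. `proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;` is a misspelling of the header set on the next line and should be dropped. No `X-Forwarded-Proto` is sent, so once certbot enables TLS the backend cannot distinguish https from http when building redirects; add `proxy_set_header X-Forwarded-Proto $scheme;`. `resolver 10.0.3.1` and the `.lxd` suffix are environment-specific; a one-line comment saying they refer to the LXD bridge's DNS would help the next reader.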