Initial version, based on Odoo8 scripts

2020-12-15 22:36:08 -05:00 · 2020-12-15 22:36:08 -05:00 · 35cd457986
commit 35cd457986
10 changed files with 306 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,26 @@
+# Ansible role to launch a new Odoo 14 LXD container
+
+To be used in the LXD host (currently **servidora1e0.bogota.agofer**), using
+`ansible-pull`.
+
+```sh
+ansible-pull \
+  -U ssh://git@gitea.agofer.net:22001/jegomez/ansible-role-odoo14-launch-container \
+  -e nombre=<newodoocontainer> \
+  --vault-password-file ~/.vault_pass.txt \
+  -l localhost,nginx \
+  -i hosts
+  
+```
+
+* Launches a new LXD container called **newodoocontainer**, that uses a LXD profile to download
+  and setup Odoo v14.
+* Creates a DNS alias for **externo.agofer.net** called
+  **newodoocontainer.agofer.net**.
+* Registers this container in the existing Nginx Proxy container.
+* Requests an SSL certificate to _Let's Encrypt_ for the new domain, storing
+  the certificates in the Nginx Proxy container.
+
+The file ~/.vault_pass.txt contains the cleartext password to the vault
+file where the Dreamhost API key and the Gitea deploy keys are stored
+encrypted.
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+localhost ansible_connection=local ansible_python_interpreter=python3
+nginx ansible_connection=lxd
--- a/local.yml
+++ b/local.yml
@ -0,0 +1,28 @@
+- hosts: localhost
+  gather_facts: no
+  tasks:
+
+  - name: Verify correct usage of parameter
+    assert:
+      that:
+        - nombre is defined
+        - nombre|length > 3
+      fail_msg: 'Debe definir una variable "nombre"'
+
+- hosts: localhost
+  gather_facts: yes
+  user: sistemas
+  roles:
+    - lxchost
+  vars:
+    dominio: agofer.net
+
+- hosts: nginx
+  gather_facts: yes
+  roles:
+    - nginxproxy
+  vars:
+    dominio: agofer.net
+    ansible_python_interpreter: python3
+    ansible_connection: lxd
+    ansible_host: local:nginx
--- a/roles/lxchost/tasks/lxd_profile.yml
+++ b/roles/lxchost/tasks/lxd_profile.yml
@ -0,0 +1,50 @@
+---
+- name: Create or verify Odoo LXD profile
+  lxd_profile:
+    name: odoo14
+    description: LXD profile for Odoo v14
+    config: 
+	  user.vendor-data: |
+		#cloud-config
+		package_upgrade: true
+		packages:
+		  - python3-pip
+		  - python3-venv
+		users:
+		  - name: root
+			ssh-import-id: gh:jorgeegomez
+		write_files:
+		  - owner: root:root
+			path: /root/.vault_pass.txt
+			permissions: '0600'
+			content: '{{ vaultpass }}'
+		  - encoding: gzip
+			owner: root:root
+			path: /root/.ssh/id_ed25519
+			permissions: '0600'
+			content: !!binary |
+              '{{ privkey | string | b64encode }}'
+		  - encoding: gzip
+			owner: root:root
+			path: /root/.ssh/id_ed25519.pub
+			permissions: '0644'
+			content: !!binary |
+              '{{ pubkey | string | b64encode }}'
+		  - encoding: gzip
+			owner: root:root
+			path: /root/.ssh/known_hosts
+			permissions: '0644'
+			content: !!binary |
+              '{{ known_hosts | string | b64encode }}'
+		runcmd:
+          - [ ansible-pull, -U, "ssh://git@gitea.agofer.net:22001/jegomez/ansible-role-odoo14-lxd.git" ]
+    devices:
+      nat01:
+        nictype: bridged
+        parent: nat01
+        type: nic
+      root:
+        path: /
+        pool: default
+        type: disk
+
--- a/roles/lxchost/tasks/main.yml
+++ b/roles/lxchost/tasks/main.yml
@ -0,0 +1,31 @@
+---
+
+- set_fact:
+    container: '{{ nombre | urlencode | lower | regex_replace("_", "-") }}'
+
+- import_playbook: lxd_profile.yml
+
+- name: Launch LXD container
+  lxd_container:
+    name: '{{ container }}'
+    ephemeral: no
+    profiles: ['odoo14']
+    source:
+      type: image
+      mode: pull
+      server: https://cloud-images.ubuntu.com/releases
+      protocol: simplestreams
+      fingerprint: 39a93d0b3552
+
+#     alias: ubuntu/20.04
+
+- name: Announce expected container deployment time
+  debug:
+    msg:
+    - 'El nuevo contenedor {{ container }} ha sido lanzado.'
+    - 'El tiempo de carga de Odoo es de 3.5 horas aproximadamente.'
+
+- name: Register DNS CNAME alias using Dreamhost API
+  uri:
+    url: 'https://api.dreamhost.com/?key={{ apikey }}&cmd=dns-add_record&record={{ container }}.{{ dominio }}&type=CNAME&value=externo.{{ dominio }}.'
+
--- a/roles/lxchost/vars/main.yml
+++ b/roles/lxchost/vars/main.yml
@ -0,0 +1,15 @@
+---
+# Encrypted variables
+
+# Ansible Vault password
+vaultpass: '{{ vault_vaultpass }}'
+
+# Dreamhost API key
+apikey: '{{ vault_apikey }}'
+
+# SSH deploy keys, gzipped and base64-encoded
+privkey: '{{ vault_privkey }}'
+pubkey: '{{ vault_pubkey }}'
+
+# SSH host hashes for Gitea, gzipped and base64-encoded
+knownhosts: '{{ vault_knownhosts }}'
--- a/roles/lxchost/vars/vault.yml
+++ b/roles/lxchost/vars/vault.yml
@ -0,0 +1,82 @@
+$ANSIBLE_VAULT;1.1;AES256
+32343538636337626161313638396661316338646364303263333138393565633837353232353536
+6539373337396264636336366436336163353030306531370a313635306237633865326661333930
+39386238366630326230383632646139653166346333343439306232323732663965663566383863
+3366356265383163300a303062623233383764343761643432613336306433373537386461326462
+31663763393433356233366166386534396335313832346634633231623565346637366339363662
+64646132616266343762336335353965333864306432336335636266393434326365633331396262
+35336662313531613235363162316630356466333332666162636238643839653066356635323662
+39646561653731356233633362303661643437353137633830326438393736366232323939346238
+66373863666363323761666664363562663934393063623161346163663330323364613261323061
+63663863303736383630613666623736633838356131353364643565333337363938383630333863
+61343231313732353831306131383233633937633634306263346466646438623263363736666465
+35656534366263633666613662376136313937376263326364623834313531363865643636633661
+63393931363862366364393437623339653361393631383664323765393863623239326231386133
+30303532633062613564656431346466396236613361616433376236626234613338636334376334
+62386662396134626532623237633936383437383039343261616465356464326230666365376230
+30663463393064356639386135623132656666366336633438663062383432386337313063313038
+39343430616531336662346532303862346538306339326433653635336163373932373663306365
+31646265643435643637336662356162326133613634613836313933346363373336383235333630
+39363235336534313131326364386131393163323732336530373034386462303764643661316533
+63303264643965313666653639613161363638663239313935663133646334646665313662373739
+32383635623961663332333839386539353432316330666337343464313462643065396435613363
+63346161613436366437346264346534333364333636326365383137396462336330633761633632
+35663435396133376262386163653734616637363266343763623632646631386163653739383966
+62666565326637663736663233643335613136646562323331373566373634343837613733616533
+38393239303166363537313639626434336239303037613133646562326635346263363033376535
+62313037356635656536323237623739353262366438303235613030353235306539653431343935
+63383562303035623035323363363939303332636661376366333963333363373337663732653833
+31653461303965396263346237653734656134356138333536303633646563313162646639316361
+64363038323431383035353331663265663963303936396663353135663137366437393465333239
+31313738356231306631613262623132343433323533623631353838386633373637653239373738
+65363032336261613262636433393161366538303231653836323038326330393234376331353238
+33356630616631396337663662383564643664613936393330613363313263373535303237316561
+36383135313961656164303561656234383330376563306663383733363638663830323637396164
+61643666323233623936616663656466323863333261336336333733643633636265646565323532
+66653766303730633332326663363834353662613037326537663364393962633464386433396338
+61336561623263643365643134653966353033363235663038376361383262623961623165656261
+63316139343530333431303233316631323634366539363232613136323839313135386562663133
+36333232356337316332313731393930363664363266663765303766373331393136366663666337
+62396432373364643930313430373732613166656262306333633963633361616165313830633939
+37373565626131326637383065633337336665636235353835333939306365333134393438613366
+39303162326436303862666639643839633330366562666437376638333635613730643563353730
+38643139333433613761343436663933636365666162336435643334306533323266336664626163
+35366237366161626463383734376232636661333532666664633637623535393262386430376166
+37373066373330646335623033613038346663393234393966373535656264393664386361326435
+64326236356330353332326662373533636163366335316266343837616466353262356637666534
+31656465333833343635363362346632383334393934666232643736363637386638636130376333
+34643131663336383632313566623031363964373131623834346235356366616165626538316534
+37366230313366616432356230373431633364313439393131393732616265346437633364316639
+35366133306535646137353035663264666133393465356464613537653334303531303162633631
+32306333323034366461636435323565613432313364643264373639663735303130323030383363
+34376430333531323637346138383064306336373230396633323161323938343935303365353463
+63616239363362393233616361333761666332366266373434343034643362616261363765633031
+65616364383765636330386264373732363937373264313233373339333937323937306663393163
+37633931623333373331303530383164313665636262623139616231326166623336333766336639
+30393961353730376132653234313532643437356664326333323433366438646562666335323461
+31303334333130306638636238363335656663663132653030303262376434333965356463336366
+30366164356632316232363836313039613038313063626162633637343234643638313937313463
+39326465373961383261303833363863316262383564366131326666353438326333313231376364
+31346135376230373733353066663363353364366333373466343539393138373937376463656639
+38393136313862613130303262656366366265393737643961353937616366643437373436393539
+38376334393237343437643637366531313662643661666462353439653931663363666466666536
+64346162343965393635613939353766326137333938376262373065323730306539336163623866
+32383739303638613631616633393863336430623036643264353363613361393239383566306433
+32383762396139343264643639653434393364373533306433663239366434343261323033313266
+37376134333033656239663236646533656433666161306337666465353539373264656538363263
+35383165343339383036326565313834613062333330386230663433616332363866323237376234
+63343330616466323630353735326231343230366562306536623466663936646631353832333732
+34353037376338396234626563323534353737396536363839666336386435363465363564326131
+39663264343234656339663931383664616364386530373362386631613461353461386139653661
+39316362616138373835383064613762666565386531626138336136363732633162346364346564
+37366233333663326130333965613661643932343133323537396265376133366563306130626236
+37366133353164393134336466653736376366333563376436633264326237386535303162336266
+62333266653538663562633332303030313633343235303037393562326338626136363464643665
+32303263306638613537623365343830393838326165346631613061646364623330303762353730
+37326362356261393261636636373264363130386166633835383561333664366162333865616261
+63313165346362383132393137636535646330346164343632333439626637666266373433326333
+61343032646438313038396538336534373061623766353932333231323938666661373031613433
+64313431306163373664613931353630633833656634376263303336343732643364613936653166
+34636538333064356230316266393538343663333235646666393963323032663937373937653464
+62646630626239343632616330303331613261613164366562373831346634613361373237316132
+6430
--- a/roles/nginxproxy/tasks/main.yml
+++ b/roles/nginxproxy/tasks/main.yml
@ -0,0 +1,48 @@
+---
+# Tasks to be run inside the Nginx proxy container
+
+- set_fact:
+    container: '{{ nombre | urlencode | lower | regex_replace("_", "-") }}'
+
+- name: Create basic Nginx config for new container
+  template:
+    src: newsite.conf.j2
+    dest: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+
+- name: Create folder for Let's Encrypt files
+  file:
+    path: '/var/www/{{ container }}'
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: '0755'
+    
+- name: Restart Nginx
+  systemd:
+    name: nginx
+    state: restarted
+
+- name: Request Let's Encrypt certificate
+  command:
+    cmd: 'certbot --redirect --agree-tos -m {{ email }} --hsts --nginx -n -d {{ container }}.{{ dominio }}'
+ 
+# Certbot doesn't add proxy_protocol.
+# (https://github.com/certbot/certbot/issues/8057)
+
+- name: Use Proxy protocol in port 443
+  lineinfile:
+    path: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+    line: '    listen 443 ssl proxy_protocol;'
+    regexp: '^    listen 443'
+
+- name: Use Proxy protocol in port 443 IPv6
+  lineinfile:
+    path: '/etc/nginx/conf.d/{{ container }}.{{ dominio }}.conf'
+    line: '    listen [::]:443 ssl proxy_protocol;'
+    regexp: '^    listen .....443'
+
+- name: Restart Nginx again
+  systemd:
+    name: nginx
+    state: restarted
+
--- a/roles/nginxproxy/templates/newsite.conf.j2
+++ b/roles/nginxproxy/templates/newsite.conf.j2
@ -0,0 +1,22 @@
+server {
+    listen 80 proxy_protocol;
+    listen [::]:80 proxy_protocol;
+    server_name {{ container }}.{{ dominio }};
+    root /var/www/{{ container }};
+    location / {
+        resolver 10.0.3.1 valid=1h;
+        set $container "http://{{ container }}.lxd";
+        proxy_pass $container;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+    location /.well-known {
+        alias /var/www/{{ container }}/.well-known;
+    }
+}
+
--- a/roles/nginxproxy/vars/main.yml
+++ b/roles/nginxproxy/vars/main.yml
@ -0,0 +1,2 @@
+---
+email: sistemas@agofer.com.co