# Ansible role to launch a new Odoo 14 LXD container

To be used in the LXD host (currently **servidora1e0.bogota.agofer**), using `ansible-pull`.

```sh
launch-odoo14-container.sh newodoocontainer
```

* Launches a new LXD container called **_newodoocontainer_**, which uses an LXD profile to download and set up Odoo v14.
* Creates a DNS alias for **externo.agofer.net** or **externo2.agofer.net** (see role variables in the `local.yml` file), called **_newodoocontainer_.agofer.net**.
* Registers this container in the existing Nginx Proxy container.
* Requests an SSL certificate from _Let's Encrypt_ for the new domain, storing the certificates in the Nginx Proxy container.

The file `~/.vault_pass.txt` contains the cleartext password to the vault file where the Dreamhost API key and the Gitea deploy keys are stored encrypted.

## Prerequisites

A container called **nginx** should exist, with these packages already installed:

```sh
lxc exec nginx -- apt -y install nginx certbot python3-certbot-nginx
```

This container should listen to external connections, in order to allow **Let's Encrypt** certificates to be assigned and renewed. It's strongly suggested to protect it using **fail2ban**, Geo-IP restrictions, or other security measures.

## Further configuration

Some of these steps could be handled by Ansible as well:

* Set up a port redirect from the host to the container, according to the sequence:

  ```sh
  lxc config device add newodoocontainer ssh_redir proxy \
      listen=tcp:0.0.0.0:23025 connect=tcp:127.0.0.1:22
  ```

* Add authorized public keys to the `/home/odoo/.ssh/authorized_keys` file.
* Return file ownership of `/opt/odoo` to the odoo user:

  ```sh
  chown -R odoo:odoo /opt/odoo
  ```

* Allow odoo to run `sudo` without a password:

  ```sh
  echo "odoo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/10-odoo
  ```
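
The "Further configuration" steps above can be collected into one script run on the LXD host. This is an added example, not part of the role: the function names, the argument order and the public-key file argument are assumptions. It also checks that `~/.vault_pass.txt` is not readable by other users and validates the sudoers rule with `visudo` before installing it.

```sh
#!/bin/sh
# Added example: post-launch steps from "Further configuration", run on the LXD host.
# Function names and the argument order are assumptions, not part of the role.

# Succeeds only if $1 is a regular file with no group/other permission bits
# (e.g. mode 0600), as expected for ~/.vault_pass.txt.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(LC_ALL=C ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the sudoers rule for user $1; rejects names that could alter the rule.
sudoers_line() {
    case $1 in
        ''|*[!a-z0-9_-]*) echo "invalid user name: $1" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# configure_container CONTAINER HOST_PORT PUBKEY_FILE
configure_container() {
    c=$1 port=$2 keys=$3
    secret_file_ok "$HOME/.vault_pass.txt" ||
        { echo "~/.vault_pass.txt missing or readable by others" >&2; return 1; }
    rule=$(sudoers_line odoo) || return 1

    lxc config device add "$c" ssh_redir proxy \
        "listen=tcp:0.0.0.0:$port" connect=tcp:127.0.0.1:22 || return 1

    # Append keys; keep .ssh at 0700 and authorized_keys at 0600, owned by odoo.
    lxc exec "$c" -- sh -c 'set -e; umask 077
        install -d -o odoo -g odoo -m 0700 /home/odoo/.ssh
        cat >> /home/odoo/.ssh/authorized_keys
        chown odoo:odoo /home/odoo/.ssh/authorized_keys' < "$keys" || return 1

    lxc exec "$c" -- chown -R odoo:odoo /opt/odoo || return 1

    # Validate the rule with visudo before installing it as a 0440 drop-in,
    # so a malformed file never lands in /etc/sudoers.d.
    printf '%s\n' "$rule" | lxc exec "$c" -- sh -c 'set -e; tmp=$(mktemp)
        cat > "$tmp"; visudo -cf "$tmp"
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/10-odoo
        rm -f "$tmp"'
}

# Run only when called with arguments, e.g.: ./configure.sh newodoocontainer 23025 keys.pub
[ "$#" -eq 0 ] || configure_container "$@"
```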