Ansible role to launch a new Odoo 14 LXD container

To be used on the LXD host (currently servidora1e0.bogota.agofer), using ansible-pull.

 launch-odoo14-container.sh newodoocontainer
  • Launches a new LXD container called newodoocontainer, which uses an LXD profile to download and set up Odoo v14.
  • Creates a DNS alias for externo.agofer.net or externo2.agofer.net (see role variables in local.yml file), called newodoocontainer.agofer.net.
  • Registers this container in the existing Nginx Proxy container.
  • Requests an SSL certificate from Let's Encrypt for the new domain, storing the certificates in the Nginx Proxy container.

The file ~/.vault_pass.txt contains the cleartext password to the vault file where the Dreamhost API key and the Gitea deploy keys are stored encrypted.

Prerequisites

A container called nginx should exist, with these packages already installed:

lxc exec nginx -- apt -y install nginx certbot python3-certbot-nginx

This container should listen to external connections, in order to allow Let's Encrypt certificates to be assigned and renewed. It's strongly suggested to protect it using fail2ban, Geo-IP restrictions, or other security measures.

Further configuration

Some of these steps could be handled by Ansible as well:

  • Set up a port redirect from host to container, according to the sequence:
lxc config device add newodoocontainer ssh_redir proxy \
    listen=tcp:0.0.0.0:23025 connect=tcp:127.0.0.1:22
  • Add authorized public keys to /home/odoo/.ssh/authorized_keys file
  • Return file ownership of /opt/odoo to odoo user:
chown -R odoo:odoo /opt/odoo
  • Allow odoo to run sudo without a password:
echo "odoo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/10-odoo
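
The three in-container steps above (authorized keys, /opt/odoo ownership, the sudoers entry) written as Ansible tasks. This is an added example, not part of this role; it assumes the play can reach the new container as root, and the `odoo_authorized_keys` variable and its sample key are hypothetical. The port redirect is run on the LXD host and is not covered here.

```yaml
# Added example (not from this role): in-container "Further configuration" steps.
# Assumptions: the inventory host "newodoocontainer" resolves to the new container,
# the play runs as root, and the ansible.posix collection is installed.
- name: Finish configuration of a new Odoo 14 container
  hosts: newodoocontainer
  become: true
  vars:
    # Hypothetical variable; the value below is a constructed placeholder key.
    odoo_authorized_keys:
      - "ssh-ed25519 AAAA_PLACEHOLDER_PUBLIC_KEY admin@example"
  tasks:
    - name: Add authorized public keys to /home/odoo/.ssh/authorized_keys
      ansible.posix.authorized_key:
        user: odoo
        key: "{{ item }}"
        state: present
      loop: "{{ odoo_authorized_keys }}"

    - name: Return file ownership of /opt/odoo to the odoo user
      ansible.builtin.file:
        path: /opt/odoo
        state: directory
        owner: odoo
        group: odoo
        recurse: true

    - name: Allow odoo to run sudo without a password
      ansible.builtin.copy:
        dest: /etc/sudoers.d/10-odoo
        content: "odoo ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        # The file is only installed if visudo accepts its syntax,
        # so a malformed entry cannot lock sudo out.
        validate: /usr/sbin/visudo -cf %s
```

Unlike the shell redirect, the `copy` task sets the sudoers drop-in to root-owned mode 0440 and is idempotent across repeated ansible-pull runs.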