Tangle this file in emacs using org-babel-tangle
---
- name: Create and configure LXC container with PiVPN
hosts: urganda
become: yes
vars_files:
#- ./vars/vars.yml
- ./vars/secrets.yml
tasks:
- name: Ensure LXC tools are installed
apt:
name:
- lxc
- bridge-utils
- curl
- wget
state: present
# Desde aquí hasta siguiente aviso es para destrucción/recreación
- name: Ensure the directory for SSH keys exists
file:
path: "{{ playbook_dir }}/files/ssh-keys/{{ container_name }}"
state: directory
- name: Check if keys exist
shell: "find {{ playbook_dir }}/files/ssh-keys/{{ container_name }} -name '*key*' | wc -l"
register: ssh_keys_exists
changed_when: false
- debug:
msg: "Number of keys found: {{ ssh_keys_exists.stdout }}"
- name: Generate SSH host keys
command: ssh-keygen -t {{ item }} -N "" -f {{ playbook_dir }}/files/ssh-keys/{{ container_name }}/ssh_host_{{ item }}_key
with_items:
- rsa
- ecdsa
- ed25519
when: ssh_keys_exists.stdout | trim | int != 6
- name: Change {{ playbook_dir }}/files/ssh-keys/{{ container_name }} owner to {{ ansible_env.USER }}
shell: "chown {{ ansible_env.USER }}:{{ ansible_env.USER }} {{ playbook_dir }}/files/ssh-keys/{{ container_name }}/*"
register: ssh_key_files
- name: Change keys permissions before copy
shell: "chmod 644 {{ playbook_dir }}/files/ssh-keys/{{ container_name }}/*"
register: ssh_key_files
- name: Ensure the directory for SSH shared keys exists
file:
path: "{{ playbook_dir }}/files/ssh-keys/shared"
state: directory
- name: Check if shared keys exist
shell: "find {{ playbook_dir }}/files/ssh-keys/shared/ -name 'id_rsa_lxc*' | wc -l"
register: ssh_shared_keys_exists
changed_when: false
- debug:
msg: "Number of shared keys found: {{ ssh_shared_keys_exists.stdout }}"
- name: Generate SSH shared keys
command: ssh-keygen -t rsa -N "" -f {{ playbook_dir }}/files/ssh-keys/shared/id_rsa_lxc
when: ssh_shared_keys_exists.stdout | trim | int != 2
- name: Change keys permissions before copy
shell: "chmod 644 {{ playbook_dir }}/files/ssh-keys/shared/*"
register: ssh_key_files
- name: Check if {{ container_name }} container exists
command: lxc-ls | grep {{ container_name }}
register: tsc_exists
ignore_errors: yes
- name: Check if {{ container_name }} container exists
command: lxc-ls --fancy
register: lxc_list
- name: Check if {{ container_name }} container is running
command: lxc-ls --running | grep {{ container_name }}
register: container_status
ignore_errors: yes
when: tsc_exists.rc == 0
- name: Stop {{ container_name }} container if it is running
command: lxc-stop -n {{ container_name }}
ignore_errors: yes
when: container_status.stdout != "" and container_name in container_status.stdout_lines
- name: Destroy {{ container_name }} container if it exists
command: lxc-destroy -n {{ container_name }}
when: container_name in tsc_exists.stdout
- name: Create directory for {{ container_name }} container
file:
path: /var/lib/lxc/{{ container_name }}
state: directory
- name: Check if {{ container_name }} container exists
command: lxc-ls --fancy
register: lxc_list
- name: Create LXC container {{ container_name }} if it does not exist
command: lxc-create --name {{ container_name }} --template download -- --dist debian --release bookworm --arch amd64
when: "container_name not in lxc_list.stdout"
# Hasta aquí la recreación
- name: Create LXC container
community.general.lxc_container:
name: "{{ container_name }}"
template: debian
template_options: --release bookworm --arch amd64
state: started
- name: Configure static IP for the container
lineinfile:
path: /var/lib/lxc/{{ container_name }}/config
line: "{{ item }}"
with_items:
- "lxc.net.0.type = veth"
- "lxc.net.0.link = br0"
- "lxc.net.0.flags = up"
- "lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx"
- "lxc.net.0.ipv4.address = {{ static_ip }}"
- "lxc.net.0.ipv4.gateway = {{ gateway_ip }}"
- name: Install minimal packages and SSH server
ansible.builtin.shell: |
lxc-attach -n {{ container_name }} -- apt update
lxc-attach -n {{ container_name }} -- apt install --no-install-recommends openssh-server sudo wget curl vim iputils-ping traceroute -y
- name: Enable SSH service
ansible.builtin.shell: |
lxc-stop -n {{ container_name }}
lxc-start -n {{ container_name }}
- name: Restart container
ansible.builtin.shell: |
lxc-attach -n {{ container_name }} -- systemctl enable ssh
lxc-attach -n {{ container_name }} -- systemctl start ssh
- name: Create group 'devpl' with GID 300 in the container
ansible.builtin.group:
name: "{{ devpl_group }}"
gid: "{{ devpl_gid }}"
state: present
- name: Create user 'carlos' with UID 1015 and GID 300 in the container
ansible.builtin.user:
name: "{{ user_username }}"
uid: "{{ devpl_uid}}"
group: "{{ devpl_group }}"
password: "{{ user_password }}"
state: present
# - name: Copy PiVPN installation script to the container
# copy:
# content: |
# #!/bin/bash
# do_install_pivpn() {
# setupVars=/etc/pivpn/setupVars.conf
# if [ -e "${setupVars}" ]; then
# sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;/SERVER_NAME/d;' "${setupVars}"
# else
# mkdir -p /etc/pivpn
# touch "${setupVars}"
# fi
# {
# echo "pivpnUser={{ pivpn_user }}"
# echo 'UNATTUPG="unattended-upgrades"'
# echo "pivpnInterface={{ net_interface }}"
# echo "IPv4dns=127.0.0.1"
# echo "IPv4addr={{ internal_ip }}"
# echo "IPv4gw={{ gateway_ip }}"
# echo "pivpnProto=udp"
# echo "PORT={{ pivpn_port }}"
# echo "ENCRYPT={{ pivpn_key_size }}"
# echo "DOWNLOAD_DH_PARAM=false"
# echo "PUBLICDNS={{ external_fqdn }}"
# echo "OVPNDNS1={{ ovpn_dns1 }}"
# echo "OVPNDNS2={{ ovpn_dns2 }}"
# echo "SERVER_NAME=server"
# } >> "${setupVars}"
# cd /etc/pivpn
# wget https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh
# chmod +x install.sh
# ./install.sh --unattended > $LOG_DIR/pivpn_install.log
# do_pivpn_add_user
# }
# do_pivpn_add_user() {
# PIVPN_CLIENT_NAME=$(hostname)
# pivpn add -n $PIVPN_CLIENT_NAME -p {{ pivpn_passwd }}
# if [ -f /etc/pihole/setupVars.conf ]; then
# cat > ~/vpnmail.txt <<EOF
# This is your VPN Certificate file. Please import it with your OpenVPN client to connect to $HOSTNAME.
# Have a nice day!
# EOF
# mail -s "OpenVPN Configuration" --attach=/home/{{ pivpn_user }}/ovpns/$PIVPN_CLIENT_NAME.ovpn {{ mail_from_address }}@{{ mail_domain }} < ~/vpnmail.txt
# rm ~/vpnmail.txt
# fi
# }
# do_install_pivpn
# dest: /root/install_pivpn.sh
# mode: '0755'
# - name: Execute PiVPN installation script in the container
# ansible.builtin.shell: |
# lxc-attach -n {{ container_name }} -- bash /root/install_pivpn.sh
# - name: Clean up installation script in the container
# ansible.builtin.file:
# path: /root/install_pivpn.sh
# state: absent