From 09ddf680a7677a466de95d5e8d7b01a4fc0f9f4a Mon Sep 17 00:00:00 2001
From: Lino Silva
Date: Wed, 19 Apr 2023 15:23:00 +0100
Subject: [PATCH] feat: Added openvpn
---
 inventory/my-cluster/host_vars/openvpn | 6 +++
 inventory/my-cluster/hosts.ini | 4 +-
 playbook-openvpn.yml | 42 +++++++++++++++++++
 roles/openvpn/cgroup-rules/tasks/main.yml | 14 +++++++
 roles/openvpn/enable-ssh/tasks/main.yml | 8 ++++
 roles/openvpn/install-app/tasks/main.yml | 19 +++++++++
 roles/openvpn/provision/create/tasks/main.yml | 30 +++++++++++++
 roles/openvpn/provision/delete/tasks/main.yml | 16 +++++++
 roles/openvpn/provision/start/tasks/main.yml | 8 ++++
 roles/openvpn/provision/stop/tasks/main.yml | 10 +++++
 roles/openvpn/update/tasks/main.yml | 6 +++
 11 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 inventory/my-cluster/host_vars/openvpn
 create mode 100644 playbook-openvpn.yml
 create mode 100644 roles/openvpn/cgroup-rules/tasks/main.yml
 create mode 100644 roles/openvpn/enable-ssh/tasks/main.yml
 create mode 100644 roles/openvpn/install-app/tasks/main.yml
 create mode 100644 roles/openvpn/provision/create/tasks/main.yml
 create mode 100644 roles/openvpn/provision/delete/tasks/main.yml
 create mode 100644 roles/openvpn/provision/start/tasks/main.yml
 create mode 100644 roles/openvpn/provision/stop/tasks/main.yml
 create mode 100644 roles/openvpn/update/tasks/main.yml
diff --git a/inventory/my-cluster/host_vars/openvpn b/inventory/my-cluster/host_vars/openvpn
new file mode 100644
index 0000000..d276cad
--- /dev/null
+++ b/inventory/my-cluster/host_vars/openvpn
@@ -0,0 +1,6 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.22
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+vmid: 613
diff --git a/inventory/my-cluster/hosts.ini b/inventory/my-cluster/hosts.ini
index 0e492ee..cac65d4 100644
--- a/inventory/my-cluster/hosts.ini
+++ b/inventory/my-cluster/hosts.ini
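Review bot: `ansible_ssh_pass: "{{ proxmox_api_password }}"` in host_vars/openvpn reuses the Proxmox API password as the container's SSH password, while the create role in this same commit sets the container root password from `{{ lxc_password }}`; unless the two vault values happen to be identical, SSH to the container will fail, and if they are identical a compromise of the LAN-reachable VPN container also yields the hypervisor API credential. Use `ansible_ssh_pass: "{{ lxc_password }}"` so the inventory matches what is actually configured, or better drop password auth and point `ansible_ssh_private_key_file` at a key installed in the container. `vmid: 613` here duplicates the literal passed as `vars:` in every play of playbook-openvpn.yml; defining it once in this file and reading `{{ vmid }}` everywhere would be enough.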
@@ -7,13 +7,15 @@ immich
 folding
 mastodon
 tautulli
+openvpn
+youtube-downloader
 [baremetal]
 mipha
 epona
 revali
 yuga
-hyrule
+impa
 [pihole]
 epona-pihole
diff --git a/playbook-openvpn.yml b/playbook-openvpn.yml
new file mode 100644
index 0000000..6cf266a
--- /dev/null
+++ b/playbook-openvpn.yml
@@ -0,0 +1,42 @@
+---
+- hosts: localhost
+ become: yes
+ roles:
+ - role: openvpn/provision/stop
+ - role: openvpn/provision/delete
+ - role: openvpn/provision/create
+ - role: openvpn/provision/start
+ vars:
+ vmid: 613
+
+- hosts: mipha
+ become: yes
+ roles:
+ - role: openvpn/enable-ssh
+ vars:
+ vmid: 613
+
+- hosts: localhost
+ become: yes
+ roles:
+ - role: openvpn/provision/stop
+ vars:
+ vmid: 613
+
+- hosts: mipha
+ become: yes
+ roles:
+ - role: openvpn/cgroup-rules
+
+- hosts: localhost
+ become: yes
+ roles:
+ - role: openvpn/provision/start
+ vars:
+ vmid: 613
+
+- hosts: openvpn
+ become: yes
+ roles:
+ - role: openvpn/update
+ - role: openvpn/install-app
diff --git a/roles/openvpn/cgroup-rules/tasks/main.yml b/roles/openvpn/cgroup-rules/tasks/main.yml
new file mode 100644
index 0000000..9034653
--- /dev/null
+++ b/roles/openvpn/cgroup-rules/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Add cgroup rule
+ ansible.builtin.blockinfile:
+ path: /etc/pve/nodes/mipha/lxc/613.conf
+ state: present
+ block: |
+ lxc.cgroup2.devices.allow: c 10:200 rwm
+ lxc.mount.entry: /dev/net dev/net none bind,create=dir
+
+- name: Change /dev/net/tun ownership
+ ansible.builtin.file:
+ path: /dev/net/tun
+ owner: 100000
+ group: 100000
diff --git a/roles/openvpn/enable-ssh/tasks/main.yml b/roles/openvpn/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..781be1e
--- /dev/null
+++ b/roles/openvpn/enable-ssh/tasks/main.yml
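Review bot: Every localhost play in playbook-openvpn.yml repeats `vmid: 613` under `vars:`, the host_vars file in this commit defines `vmid: 613` again, and the enable-ssh and cgroup-rules roles hard-code `613` in their paths and commands, so the container id now lives in three kinds of places that have to be changed together. Define it once (a group var, or `hostvars['openvpn'].vmid`) and pass it to the `mipha` plays too, so that every role can read `{{ vmid }}`; the cgroup-rules play in particular receives no `vmid` at all today. Style: `become: yes` is a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags; `become: true`, which the update role in this same commit already uses, is the canonical form.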
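Review bot: `path: /etc/pve/nodes/mipha/lxc/613.conf` in the blockinfile task hard-codes both the node and the container id, so the role quietly edits the wrong config if either differs from the play that calls it; `path: "/etc/pve/nodes/{{ inventory_hostname }}/lxc/{{ vmid }}.conf"` (with `vmid` passed into the play) ties it to the same values the provision roles use. The second task changes the ownership of the Proxmox host's own `/dev/net/tun` to 100000:100000, which is a host-wide change visible to every container mapped to that uid range and, as far as I can tell, not persisted across a host reboot — a comment such as `# Hand the host tun device to the unprivileged-root uid (100000) so the container can open it; redo after host reboot` would record both facts. `ansible.builtin.blockinfile` also writes its `# BEGIN/END ANSIBLE MANAGED BLOCK` markers into the pve config; I believe Proxmox tolerates comment lines there, but it is worth confirming with `pct config 613` after a run.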
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+ ansible.builtin.command: lxc-attach -n 613 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+ ansible.builtin.command: lxc-attach -n 613 service ssh restart
diff --git a/roles/openvpn/install-app/tasks/main.yml b/roles/openvpn/install-app/tasks/main.yml
new file mode 100644
index 0000000..eb9c5e0
--- /dev/null
+++ b/roles/openvpn/install-app/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install openvpn
+ ansible.builtin.apt:
+ name: openvpn
+ state: present
+ update_cache: yes
+
+- name: Install git
+ ansible.builtin.apt:
+ name: git
+ state: present
+ update_cache: yes
+
+- name: Example clone of a single branch
+ ansible.builtin.git:
+ repo: https://github.com/Nyr/openvpn-install
+ dest: /root/openvpn-install
+ single_branch: yes
+ version: master
\ No newline at end of file
diff --git a/roles/openvpn/provision/create/tasks/main.yml b/roles/openvpn/provision/create/tasks/main.yml
new file mode 100644
index 0000000..1c13562
--- /dev/null
+++ b/roles/openvpn/provision/create/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Create container
+ community.general.proxmox:
+ vmid: 613
+ node: mipha
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ password: "{{ lxc_password }}"
+ hostname: openvpn
+ ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+ netif: "{'net0': '\
+ name=eth0,\
+ gw=10.0.0.1,\
+ ip=10.0.2.22/21,\
+ firewall=1,\
+ hwaddr=cc:c6:cf:de:17:82,\
+ type=veth,\
+ bridge=vmbr0\
+ '}"
+ cores: 2
+ memory: 2048
+ unprivileged: yes
+ swap: 512
+ searchdomain: "home"
+ onboot: 1
+ features:
+ - nesting=1
+ disk: local-lvm:4
+ force: yes
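Review bot: The sed in `Allow SSH into LXC` switches the container to `PermitRootLogin yes`, i.e. password-authenticated root login over SSH, which together with `ansible_ssh_pass` in the inventory leaves the container's root account open to password guessing from the LAN; keeping the Debian default `prohibit-password` and installing a public key instead (`lxc-attach -n 613 -- sh -c 'install -d -m 700 /root/.ssh && echo "<controller pubkey — replace>" >> /root/.ssh/authorized_keys'`) gives Ansible access without that exposure. Both `ansible.builtin.command` tasks also report changed on every run and unconditionally restart sshd; register the sed task and run the restart only `when: ssh_config is changed`, or give the first task a `changed_when` tied to a preceding grep. `613` is hard-coded in both commands where the provision roles read `{{ vmid }}`.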
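Review bot: `version: master` in the git task tracks a moving branch of a third-party repository (Nyr/openvpn-install) whose install script is presumably meant to be run as root inside the container, so each run of this role may check out whatever happens to be on that branch; pin it to a reviewed tag or commit (`version: "<pinned tag or commit — replace>"`) and bump it deliberately. The task name `Example clone of a single branch` is copied from the module documentation — `Clone openvpn-install` says what it does. The file also ends without a trailing newline (`\ No newline at end of file`), and `update_cache: yes` / `single_branch: yes` would be `true` under yamllint's truthy rule.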
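Review bot: `vmid: 613` in the Create container task is a literal while the calling play passes `vmid: 613` in `vars:` and the sibling delete/start/stop roles read `"{{ vmid }}"`, so this is the one provision role that ignores the variable; `vmid: "{{ vmid }}"` makes the four consistent. All four provision roles (create here, and delete/start/stop in the following hunks) authenticate as `root@pam` with `api_password`; community.general.proxmox also accepts `api_token_id` / `api_token_secret`, and a dedicated token bound to a PVE role with only the privileges these tasks need (VM.Allocate, VM.Config.*, VM.PowerMgmt) would keep the root password out of the playbook. Style: `unprivileged: yes` and `force: yes` are YAML 1.1 truthy values (`true` is the canonical form), and `ip=10.0.2.22/21` duplicates `ansible_host` from host_vars, which could instead be derived from `hostvars['openvpn'].ansible_host`.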
diff --git a/roles/openvpn/provision/delete/tasks/main.yml b/roles/openvpn/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..4749bf0
--- /dev/null
+++ b/roles/openvpn/provision/delete/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Remove containers
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: absent
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+ ansible.builtin.lineinfile:
+ path: /Users/lino.silva/.ssh/known_hosts
+ state: absent
+ regexp: "^10.0.2.22"
diff --git a/roles/openvpn/provision/start/tasks/main.yml b/roles/openvpn/provision/start/tasks/main.yml
new file mode 100644
index 0000000..de86b9b
--- /dev/null
+++ b/roles/openvpn/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: started
diff --git a/roles/openvpn/provision/stop/tasks/main.yml b/roles/openvpn/provision/stop/tasks/main.yml
new file mode 100644
index 0000000..8015b8a
--- /dev/null
+++ b/roles/openvpn/provision/stop/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Stop container
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: stopped
+ ignore_errors: true
+ timeout: 90
diff --git a/roles/openvpn/update/tasks/main.yml b/roles/openvpn/update/tasks/main.yml
new file mode 100644
index 0000000..8227bf4
--- /dev/null
+++ b/roles/openvpn/update/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+ become: true
+ ansible.builtin.apt:
+ update_cache: yes
+ upgrade: full
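Review bot: `path: /Users/lino.silva/.ssh/known_hosts` in the lineinfile task hard-codes one developer's macOS home directory, and because the calling play runs with `become: yes`, even `~` would resolve to root's home rather than the invoking user's; `path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"` is evaluated on the controller before escalation and works for any user. `regexp: "^10.0.2.22"` has unescaped dots and no terminator, so it also strips entries for 10.0.2.220 through 10.0.2.229; `regexp: '^10\.0\.2\.22[ ,]'` limits it to the intended host. `ignore_errors: true` on the Remove containers task hides any API failure, so a genuinely failed removal would only surface later as a confusing error from the create role; once the exact "does not exist" message is known, a `failed_when` on that message is the narrower form.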
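Review bot: `become: true` on the update task is redundant with `become: yes` on the calling play in playbook-openvpn.yml, and the two spellings of the same boolean within one commit are what yamllint's `truthy` rule exists to catch; settle on `true` in both places and `update_cache: true` here. A one-line comment (`# Full upgrade of the freshly created Debian template before install-app runs`) would document why this role is ordered ahead of install-app in the playbook.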