feat: Added openvpn

inventory/my-cluster/host_vars/openvpn

@@ -0,0 +1,6 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.22
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+vmid: 613

inventory/my-cluster/hosts.ini

@@ -7,13 +7,15 @@ immich
 folding
 mastodon
 tautulli
+openvpn
+youtube-downloader
 
 [baremetal]
 mipha
 epona
 revali
 yuga
-hyrule
+impa
 
 [pihole]
 epona-pihole

playbook-openvpn.yml

@@ -0,0 +1,42 @@
+---
+- hosts: localhost
+  become: yes
+  roles:
+    - role: openvpn/provision/stop
+    - role: openvpn/provision/delete
+    - role: openvpn/provision/create
+    - role: openvpn/provision/start
+      vars:
+        vmid: 613
+
+- hosts: mipha
+  become: yes
+  roles:
+    - role: openvpn/enable-ssh
+      vars:
+        vmid: 613
+
+- hosts: localhost
+  become: yes
+  roles:
+    - role: openvpn/provision/stop
+      vars:
+        vmid: 613
+
+- hosts: mipha
+  become: yes
+  roles:
+    - role: openvpn/cgroup-rules
+
+- hosts: localhost
+  become: yes
+  roles:
+    - role: openvpn/provision/start
+      vars:
+        vmid: 613
+
+- hosts: openvpn
+  become: yes
+  roles:
+    - role: openvpn/update
+    - role: openvpn/install-app

roles/openvpn/cgroup-rules/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Add cgroup rule
+  ansible.builtin.blockinfile:
+    path: /etc/pve/nodes/mipha/lxc/613.conf
+    state: present
+    block: |
+      lxc.cgroup2.devices.allow: c 10:200 rwm
+      lxc.mount.entry: /dev/net dev/net none bind,create=dir
+
+- name: Change /dev/net/tun ownership
+  ansible.builtin.file:
+    path: /dev/net/tun
+    owner: 100000
+    group: 100000

roles/openvpn/enable-ssh/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 613 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 613 service ssh restart

roles/openvpn/install-app/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Install openvpn
+  ansible.builtin.apt:
+    name: openvpn
+    state: present
+    update_cache: yes
+
+- name: Install git
+  ansible.builtin.apt:
+    name: git
+    state: present
+    update_cache: yes
+
+- name: Example clone of a single branch
+  ansible.builtin.git:
+    repo: https://github.com/Nyr/openvpn-install
+    dest: /root/openvpn-install
+    single_branch: yes
+    version: master

roles/openvpn/provision/create/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Create container
+  community.general.proxmox:
+    vmid: 613
+    node: mipha
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: openvpn
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0': '\
+        name=eth0,\
+        gw=10.0.0.1,\
+        ip=10.0.2.22/21,\
+        firewall=1,\
+        hwaddr=cc:c6:cf:de:17:82,\
+        type=veth,\
+        bridge=vmbr0\
+      '}"
+    cores: 2
+    memory: 2048
+    unprivileged: yes
+    swap: 512
+    searchdomain: "home"
+    onboot: 1
+    features:
+      - nesting=1
+    disk: local-lvm:4
+    force: yes

roles/openvpn/provision/delete/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Remove containers
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: absent
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: "^10.0.2.22"

roles/openvpn/provision/start/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started

roles/openvpn/provision/stop/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Stop container
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  ignore_errors: true
+  timeout: 90

roles/openvpn/update/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+  become: true
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: full