Add Rocky Linux support, isolate Python environment using venv, etc. (notthebee#160)

Author: notthebee

.envrc

@@ -0,0 +1,2 @@
+export PATH=$HOME/ansible-easy-vpn/.venv/bin:$PATH
+export VIRTUAL_ENV=$HOME/ansible-easy-vpn/.venv

.github/workflows/ci.yml

@@ -7,23 +7,40 @@ on:
   workflow_dispatch:
     inputs:
       only_ubuntu_22:
-        description: "Only run on Ubuntu 22.04 and wait for manual input"
+        description: "Only run on Ubuntu 22.04"
         required: false
         type: boolean
         default: false
 
       only_ubuntu_20:
-        description: "Only run on Ubuntu 20.04 and wait for manual input"
+        description: "Only run on Ubuntu 20.04"
         required: false
         type: boolean
         default: false
 
       only_debian_11:
-        description: "Only run on Debian 11 and wait for manual input"
+        description: "Only run on Debian 11"
         required: false
         type: boolean
         default: false
 
+      only_rocky_8:
+        description: "Only run on Rocky 8"
+        required: false
+        type: boolean
+        default: false
+
+      only_rocky_9:
+        description: "Only run on Rocky 9"
+        required: false
+        type: boolean
+        default: false
+
+      manual_mode:
+        description: "Don't destroy the server after the setup is complete"
+        required: false
+        type: boolean
+        default: false
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -60,11 +77,17 @@ jobs:
             # Only deploy on Ubuntu 22.04, don't use Letsencrypt Staging
             matrix=$(jq 'map(. | select((.os=="ubuntu-22.04")) )' .github/workflows/matrix_includes.json)
           elif [[ ${ONLY_UBUNTU_20} == 'true' ]]; then
-            # Only deploy on Ubuntu 22.04, don't use Letsencrypt Staging
+            # Only deploy on Ubuntu 20.04, don't use Letsencrypt Staging
             matrix=$(jq 'map(. | select((.os=="ubuntu-20.04")) )' .github/workflows/matrix_includes.json)
           elif [[ ${ONLY_DEBIAN_11} == 'true' ]]; then
-            # Only deploy on Ubuntu 22.04, don't use Letsencrypt Staging
+            # Only deploy on Debian 11, don't use Letsencrypt Staging
             matrix=$(jq 'map(. | select((.os=="debian-11")) )' .github/workflows/matrix_includes.json)
+          elif [[ ${ONLY_ROCKY_8} == 'true' ]]; then
+            # Only deploy on Rocky 8, don't use Letsencrypt Staging
+            matrix=$(jq 'map(. | select((.os=="rocky-8")) )' .github/workflows/matrix_includes.json)
+          elif [[ ${ONLY_ROCKY_9} == 'true' ]]; then
+            # Only deploy on Rocky 9, don't use Letsencrypt Staging
+            matrix=$(jq 'map(. | select((.os=="rocky-9")) )' .github/workflows/matrix_includes.json)
           else
             # Deploy on all supported OSes, use Letsencrypt Staging to avoid rate-limiting
             matrix=$(jq 'map(.)' .github/workflows/matrix_includes.json)
@@ -75,6 +98,8 @@ jobs:
           ONLY_UBUNTU_22: ${{ inputs.only_ubuntu_22 }}
           ONLY_UBUNTU_20: ${{ inputs.only_ubuntu_20 }}
           ONLY_DEBIAN_11: ${{ inputs.only_debian_11 }}
+          ONLY_ROCKY_8: ${{ inputs.only_rocky_8 }}
+          ONLY_ROCKY_9: ${{ inputs.only_rocky_9 }}
 
   build:
     runs-on: ubuntu-latest
@@ -116,6 +141,14 @@ jobs:
             echo "EASYVPN_USERNAME_3=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
             echo "EASYVPN_PASSWORD_3=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
             ;;
+            "4")
+            echo "EASYVPN_USERNAME_4=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
+            echo "EASYVPN_PASSWORD_4=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
+            ;;
+            "5")
+            echo "EASYVPN_USERNAME_5=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
+            echo "EASYVPN_PASSWORD_5=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
+            ;;
             *)
             exit 1
             ;;
@@ -138,9 +171,23 @@ jobs:
 
       - name: Update apt cache
         run: ssh root@$SERVER_IPV4 apt update
+        if: |
+          matrix.os == 'debian-11' ||
+          matrix.os  == 'ubuntu-22.04' ||
+          matrix.os == 'ubuntu-20.04'
 
-      - name: Install git and expect
+      - name: Install git and expect (Debian-based)
         run: ssh root@$SERVER_IPV4 apt install -y git expect wamerican
+        if: |
+          matrix.os == 'debian-11' ||
+          matrix.os  == 'ubuntu-22.04' ||
+          matrix.os == 'ubuntu-20.04'
+
+      - name: Install git and expect (CentOS 8 and 9)
+        run: ssh root@$SERVER_IPV4 dnf install -y git expect words
+        if: |
+          matrix.os == 'rocky-8' ||
+          matrix.os == 'rocky-9'
 
       - uses: infraway/[email protected]
         with:
@@ -215,17 +262,22 @@ jobs:
         env:
           LETSENCRYPT_STAGING: ${{ needs.matrix_prep.outputs.letsencrypt_staging }}
 
-      - name: Wait indefinitely before destroying the server
-        if: ${{ inputs.only_ubuntu_20 == true || inputs.only_ubuntu_22 == true || inputs.only_debian_11 == true }}
-        run: >-
-          sleep infinity
+      - name: Sleep forever
+        run: sleep infinity
+        if: inputs.manual_mode
+
+
     outputs:
       EASYVPN_USERNAME_1: "${{ steps.random_username.outputs.EASYVPN_USERNAME_1 }}"
       EASYVPN_USERNAME_2: "${{ steps.random_username.outputs.EASYVPN_USERNAME_2 }}"
       EASYVPN_USERNAME_3: "${{ steps.random_username.outputs.EASYVPN_USERNAME_3 }}"
+      EASYVPN_USERNAME_4: "${{ steps.random_username.outputs.EASYVPN_USERNAME_4 }}"
+      EASYVPN_USERNAME_5: "${{ steps.random_username.outputs.EASYVPN_USERNAME_5 }}"
       EASYVPN_PASSWORD_1: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_1 }}"
       EASYVPN_PASSWORD_2: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_2 }}"
       EASYVPN_PASSWORD_3: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_3 }}"
+      EASYVPN_PASSWORD_4: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_4 }}"
+      EASYVPN_PASSWORD_5: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_5 }}"
 
   test:
     runs-on: ubuntu-latest

.github/workflows/matrix_includes.json

@@ -10,5 +10,13 @@
     {
         "os":"debian-11",        
         "index":3
+    },
+    {
+        "os":"rocky-8",        
+        "index":4
+    },
+    {
+        "os":"rocky-9",        
+        "index":5
     }
 ]

.gitignore

@@ -1,3 +1,5 @@
 .DS_Store
 secret.yml
 .vscode
+.venv
+.ansible

ansible.cfg

@@ -2,6 +2,8 @@
 ask_vault_pass = True
 inventory = inventory.yml
 interpreter_python = python3
+roles_path = .ansible/roles
+collections_paths = .ansible/collections
 callback_enabled = profile_tasks
 retry_files_enabled = False
 host_key_checking = False

bootstrap.sh

@@ -28,9 +28,9 @@ elif [[ -e /etc/debian_version ]]; then
 elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
 	os="centos"
 	os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
-  if [[ "$os_version" -lt 7 ]]; then
-      echo "CentOS 7 or higher is required to use this installer."
-      echo "This version of CentOS is too old and unsupported."
+  if [[ "$os_version" -lt 8 ]]; then
+      echo "Rocky Linux 8 or higher is required to use this installer."
+      echo "This version of Rocky/CentOS is too old and unsupported."
       exit
   fi
 fi
@@ -52,7 +52,6 @@ install_dependencies_debian() {
   REQUIRED_PACKAGES=(
     sudo
     software-properties-common
-    certbot
     dnsutils
     curl
     git
@@ -62,11 +61,10 @@ install_dependencies_debian() {
     python3
     python3-setuptools
     python3-apt
+    python3-venv
     python3-pip
-    python3-passlib
-    python3-wheel
-    python3-bcrypt
     aptitude
+    direnv
   )
 
   REQUIRED_PACKAGES_ARM64=(
@@ -90,48 +88,72 @@ install_dependencies_debian() {
 }
 
 install_dependencies_centos() {
+  check_root
   REQUIRED_PACKAGES=(
     sudo
-    certbot
     bind-utils
     curl
     git
     rsync
-    python3
-    python3-setuptools
-    python3-pip
-    python3-passlib
-    python3-wheel
-    python3-bcrypt
+    https://kojipkgs.fedoraproject.org//vol/fedora_koji_archive02/packages/direnv/2.12.2/1.fc28/x86_64/direnv-2.12.2-1.fc28.x86_64.rpm
   )
-
-  if [[ "$os_version" -ge 8 ]]; then
-    $SUDO dnf update -y
-    $SUDO dnf install -y epel-release
-    $SUDO dnf install -y "${REQUIRED_PACKAGES[@]}"
-  elif [[ "$os_version" -eq 7 ]]; then
-    $SUDO yum update -y
-    $SUDO yum install -y epel-release
-    $SUDO yum install -y "${REQUIRED_PACKAGES[@]}"
+  if [[ "$os_version" -eq 9 ]]; then
+    REQUIRED_PACKAGES+=(
+      python3
+      python3-setuptools
+      python3-pip
+      python3-firewall
+    )
+  else 
+    REQUIRED_PACKAGES+=(
+      python39
+      python39-setuptools
+      python39-pip
+      python3-firewall
+      kmod-wireguard
+      https://ftp.gwdg.de/pub/linux/elrepo/elrepo/el8/x86_64/RPMS/kmod-wireguard-1.0.20220627-4.el8_7.elrepo.x86_64.rpm
+    )
   fi
+  $SUDO dnf update -y
+  $SUDO dnf install -y epel-release
+  $SUDO dnf install -y "${REQUIRED_PACKAGES[@]}"
 }
 
+# Clone the Ansible playbook
+if [ -d "$HOME/ansible-easy-vpn" ]; then
+  pushd $HOME/ansible-easy-vpn
+  git pull
+  popd
+else
+  git clone https://github.com/notthebee/ansible-easy-vpn $HOME/ansible-easy-vpn
+fi
 
+# Install all the dependencies
 if [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
   install_dependencies_debian
 elif [[ "$os" == "centos" ]]; then
   install_dependencies_centos
 fi
 
-check_root "-H"
-$SUDO pip3 install "cryptography<=36.0.2" "pyOpenSSL<=20.0.1"
-$SUDO pip3 install ansible~=7.1 || $SUDO pip3 install ansible
+# Set up a Python venv
+set +e
+if which python3.9; then
+  PYTHON=$(which python3.9)
+else
+  PYTHON=$(which python3)
+fi
+set -e
+cd $HOME/ansible-easy-vpn
+[ -d $HOME/ansible-easy-vpn/.venv ] || $PYTHON -m venv .venv
+export VIRTUAL_ENV="$HOME/ansible-easy-vpn/.venv"
+export PATH="$HOME/ansible-easy-vpn/.venv/bin:$PATH"
+.venv/bin/python3 -m pip install --upgrade pip
+.venv/bin/python3 -m pip install -r requirements.txt
+
 
-check_root
-# Clone the Ansible playbook
-[ -d "$HOME/ansible-easy-vpn" ] || git clone https://github.com/notthebee/ansible-easy-vpn $HOME/ansible-easy-vpn
 
-cd $HOME/ansible-easy-vpn && ansible-galaxy install -r requirements.yml
+# Install the Galaxy requirements
+cd $HOME/ansible-easy-vpn && ansible-galaxy install --force -r requirements.yml
 
 # Check if we're running on an AWS EC2 instance
 set +e
@@ -247,9 +269,9 @@ done
 echo
 echo "Running certbot in dry-run mode to test the validity of the domain..."
 if [[ "$adguard_enable" =~ ^[yY]$ ]]; then
-  $SUDO certbot certonly --non-interactive --break-my-certs --force-renewal --agree-tos --email [email protected] --standalone --staging -d $root_host -d wg.$root_host -d auth.$root_host -d adguard.$root_host || exit
+  $SUDO certbot certonly --non-interactive --break-my-certs --force-renewal --agree-tos --email [email protected] --standalone --staging -d $root_host -d wg.$root_host -d auth.$root_host -d adguard.$root_host || $SUDO certbot certonly --non-interactive --force-renewal --agree-tos --email [email protected] --standalone -d $root_host -d wg.$root_host -d auth.$root_host -d adguard.$root_host || exit
 else
-  $SUDO certbot certonly --non-interactive --break-my-certs --force-renewal --agree-tos --email [email protected] --standalone --staging -d $root_host -d wg.$root_host -d auth.$root_host || exit
+  $SUDO certbot certonly --non-interactive --break-my-certs --force-renewal --agree-tos --email [email protected] --standalone --staging -d $root_host -d wg.$root_host -d auth.$root_host || $SUDO certbot certonly --non-interactive --force-renewal --agree-tos --email [email protected] --standalone -d $root_host -d wg.$root_host -d auth.$root_host  || exit
 fi
 echo "OK"
 

inventory.yml

@@ -50,7 +50,7 @@ all:
     # Language and time settings
     # Check here for the list of possible locales
     # https://docs.oracle.com/cd/E23824_01/html/E26033/glset.html
-    locale: en_US.UTF-8
+    locale: en_GB.UTF-8
 
     timezone: Europe/Berlin
 
@@ -88,10 +88,8 @@ all:
 
     msmtp_alias_default: "{{ email }}"
 
-    # By default, only access via the SSH port and 51820/udp is allowed
-    # The rest of the ports are closed
-    enable_ufw: true
-    ufw_ports:
+    enable_firewall: true
+    firewall_ports:
       - port: "{{ wireguard_port }}"
         proto: "udp"
       - port: "80"
@@ -103,3 +101,9 @@ all:
 
     # Fail2Ban only comes with the SSH jail by default
     enable_fail2ban: true
+
+    pip_install_packages:
+      - name: docker
+
+    docker_users:
+      - "{{ username }}"

requirements.txt

@@ -0,0 +1,8 @@
+cryptography<=36.0.2
+pyOpenSSL<=20.0.1
+certbot
+requests
+passlib 
+bcrypt 
+wheel
+ansible>=4.10

requirements.yml

@@ -2,7 +2,11 @@
 roles:
   - name: chriswayg.msmtp-mailer
     src: https://github.com/chriswayg/ansible-msmtp-mailer
-    version: v0.6.1
+  - name: geerlingguy.docker
+    src: https://github.com/geerlingguy/ansible-role-docker
+  - name: geerlingguy.pip
+    src: https://github.com/geerlingguy/ansible-role-pip
+
 
 collections:
   - name: https://github.com/ansible-collections/community.docker