proxmox ansible bootstrapping

2025-06-07 19:41:15 +02:00 · 2025-06-07 19:41:15 +02:00 · bdf3bc6b02
commit bdf3bc6b02
parent 2d1a363a50
20 changed files with 481 additions and 4 deletions
--- a/roles/ci_user/tasks/main.yml
+++ b/roles/ci_user/tasks/main.yml
@ -0,0 +1,20 @@
+- name: Create CI user
+  ansible.builtin.user:
+    name: "{{ ci_user.name }}"
+    groups: "{{ ci_user.groups }}"
+    shell: "{{ ci_user.shell }}"
+    state: present
+    create_home: yes
+  when: ci_user.name is defined and ci_user.name | length > 0
+
+- name: Add SSH keys for CI user
+  ansible.posix.authorized_key:
+    user: "{{ ci_user.name }}"
+    state: present
+    key: "{{ item }}"
+  loop: "{{ ci_user.ssh_keys }}"
+  when:
+    - ci_user.name is defined
+    - ci_user.name | length > 0
+    - ci_user.ssh_keys is defined
+    - ci_user.ssh_keys | length > 0
--- a/roles/cloudinit/tasks/main.yml
+++ b/roles/cloudinit/tasks/main.yml
@ -0,0 +1,12 @@
+- name: Install cloud-init
+  ansible.builtin.package:
+    name: cloud-init
+    state: present
+
+- name: Ensure default Cloud-Init configuration is in place
+  ansible.builtin.copy:
+    src: cloud.cfg
+    dest: /etc/cloud/cloud.cfg
+    owner: root
+    group: root
+    mode: "0644"
--- a/roles/common/handles/main.yml
+++ b/roles/common/handles/main.yml
@ -0,0 +1,4 @@
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -0,0 +1,49 @@
+- name: Ensure latest apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600 # 1 hour
+
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    upgrade: dist
+
+- name: Install common packages
+  ansible.builtin.apt:
+    name:
+      - curl
+      - wget
+      - htop
+      - git
+      - rsync
+      - nfs-common # If you plan to mount NFS shares
+    state: present
+
+- name: Create new admin user
+  ansible.builtin.user:
+    name: "{{ admin.name }}"
+    groups: "{{ admin.groups }}"
+    shell: "{{ admin.shell }}"
+    state: present
+    create_home: yes
+    append: yes # Ensures other groups don't get removed
+  when: admin.name is defined and admin.name | length > 0
+
+- name: Add SSH keys for new admin user
+  ansible.posix.authorized_key:
+    user: "{{ admin.name }}"
+    state: present
+    key: "{{ item }}"
+  loop: "{{ admin.ssh_keys }}"
+  when:
+    - admin.name is defined
+    - admin.name | length > 0
+    - admin.ssh_keys is defined
+    - admin.ssh_keys | length > 0
+# - name: Disable root SSH login (optional, but recommended)
+#   ansible.builtin.lineinfile:
+#     path: /etc/ssh/sshd_config
+#     regexp: '^PermitRootLogin'
+#     line: 'PermitRootLogin no'
+#     state: present
+#   notify: Restart sshd
+#   when: new_admin_user is defined and new_admin_user | length > 0
--- a/roles/networking/README.md
+++ b/roles/networking/README.md
@ -0,0 +1,2 @@
+# On your Proxmox server (via SSH or console)
+sudo cp /etc/network/interfaces /etc/network/interfaces.bak_ansible_pre_change_$(date +%Y%m%d%H%M)
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@ -0,0 +1,4 @@
+- name: Restart networking
+  ansible.builtin.service:
+    name: networking
+    state: restarted
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@ -0,0 +1,57 @@
+- name: Backup current /etc/network/interfaces before making changes
+  ansible.builtin.copy:
+    src: /etc/network/interfaces
+    dest: "/etc/network/interfaces.bak_ansible_{{ ansible_date_time.iso8601_basic }}"
+    remote_src: yes
+    owner: root
+    group: root
+    mode: "0644"
+  delegate_to: "{{ inventory_hostname }}" # Ensure this runs on the remote host
+
+- name: Render and deploy /etc/network/interfaces from template
+  ansible.builtin.template:
+    src: interfaces.j2
+    dest: /etc/network/interfaces
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart networking
+# - name: Ensure network interfaces file exists
+#   ansible.builtin.copy:
+#     content: |
+#       source /etc/network/interfaces.d/*
+#     dest: /etc/network/interfaces
+#     owner: root
+#     group: root
+#     mode: '0644'
+
+# - name: Configure bond0
+#   ansible.builtin.copy:
+#     content: |
+#       auto bond0
+#       iface bond0 inet manual
+#           bond-slaves eno1 eno2 # Replace with your actual interfaces
+#           bond-mode active-backup
+#           bond-miimon 100
+#           bond-primary eno1
+#     dest: /etc/network/interfaces.d/bond0
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   notify: Restart networking
+
+# - name: Configure vmbr0 using bond0
+#   ansible.builtin.copy:
+#     content: |
+#       auto vmbr0
+#       iface vmbr0 inet static
+#           address 192.168.1.10/24
+#           gateway 192.168.1.1
+#           bridge-ports bond0
+#           bridge-stp off
+#           bridge-fd 0
+#     dest: /etc/network/interfaces.d/vmbr0_bond
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   notify: Restart networking
--- a/roles/networking/templates/interface.j2
+++ b/roles/networking/templates/interface.j2
@ -0,0 +1,22 @@
+# /etc/network/interfaces -- used by ifup(8) and ifdown(8)
+#
+# Include files from /etc/network/interfaces.d:
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+auto vmbr0
+iface vmbr0 inet static
+    address {{ proxmox_network_ip }}/{{ proxmox_network_cidr }}
+    gateway {{ proxmox_network_gateway }}
+    bridge-ports {{ proxmox_physical_nic }}
+    bridge-stp off
+    bridge-fd 0
+    # Your ethtool post-up line
+    post-up ethtool -K {{ proxmox_physical_nic }} tso off gso off
+
+auto eno2
+iface eno2 inet manual
+    # Your ethtool post-up line for eno2
+    post-up ethtool -K eno2 tso off gso off
--- a/roles/proxmox_setup/handlers/main.yml
+++ b/roles/proxmox_setup/handlers/main.yml
@ -0,0 +1,14 @@
+- name: Restart networking
+  ansible.builtin.service:
+    name: networking
+    state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted
+
+- name: Restart pveproxy
+  ansible.builtin.service:
+    name: pveproxy
+    state: restarted
--- a/roles/proxmox_setup/tasks/main.yml
+++ b/roles/proxmox_setup/tasks/main.yml
@ -0,0 +1,82 @@
+- name: Remove enterprise repository
+  ansible.builtin.apt_repository:
+    update_cache: false
+    repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
+    state: absent
+  when: not proxmox_enterprise_repo_enabled
+
+- name: Remove enterprise pbs repository
+  ansible.builtin.apt_repository:
+    update_cache: false
+    repo: deb https://enterprise.proxmox.com/debian/pbs bookworm InRelease
+    state: absent
+  when: not proxmox_enterprise_repo_enabled
+
+- name: Remove enterprise ceph repository
+  ansible.builtin.apt_repository:
+    update_cache: false
+    repo: deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise
+    state: absent
+  when: not proxmox_enterprise_repo_enabled
+
+- name: Add community repository
+  ansible.builtin.apt_repository:
+    update_cache: true
+    repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+    state: present
+  when: proxmox_no_subscription_repo_enabled
+
+- name: Update apt cache after repo changes
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: Ensure Proxmox VE packages are up-to-date
+  ansible.builtin.apt:
+    name: proxmox-ve
+    state: latest
+    update_cache: yes
+
+- name: Install common Proxmox tools
+  ansible.builtin.apt:
+    name:
+      - proxmox-backup-client
+      - smartmontools
+      - zfsutils-linux
+    state: present
+# Example: Configure network bridge if not already done (adjust for your network)
+# - name: Configure network bridge vmbr0
+#   ansible.builtin.copy:
+#     content: |
+#       auto vmbr0
+#       iface vmbr0 inet static
+#           address 192.168.1.10/24
+#           gateway 192.168.1.1
+#           bridge-ports eno1 # Replace eno1 with your actual physical interface
+#           bridge-stp off
+#           bridge-fd 0
+#     dest: /etc/network/interfaces.d/vmbr0
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   notify: Restart networking
+
+# Example: Configure DNS (optional, Proxmox sets up systemd-resolved by default)
+# - name: Configure /etc/resolv.conf
+#   ansible.builtin.copy:
+#     content: |
+#       nameserver 1.1.1.1
+#       nameserver 8.8.8.8
+#     dest: /etc/resolv.conf
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   notify: Restart systemd-resolved # if using systemd-resolved
+
+# - name: Disable subscription nag (optional, for no-subscription users)
+#   ansible.builtin.replace:
+#     path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+#     regexp: '^(.*)Ext\.Msg\.show\(\{(.*)$\n^(.*)No valid subscription(.*)$'
+#     replace: '\1void({\2\n\3No valid subscription\4'
+#   when: not proxmox_enterprise_repo_enabled
+#   notify: Restart pveproxy
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -0,0 +1,11 @@
+- name: Create CI user
+  ansible.builtin.user:
+    name: "{{ ci_user }}"
+    shell: /bin/bash
+    groups: sudo
+    password: "{{ ci_password | password_hash('sha512') }}"
+
+- name: Add authorized key
+  ansible.posix.authorized_key:
+    user: "{{ ci_user }}"
+    key: "{{ lookup('file', '../files/ci_user.pub') }}"