proxmox ci api user

2025-06-08 20:11:50 +02:00 · 2025-06-08 20:11:50 +02:00 · c05c863fda
commit c05c863fda
parent bdf3bc6b02
8 changed files with 147 additions and 52 deletions
--- a/roles/ci_user/tasks/main.yml
+++ b/roles/ci_user/tasks/main.yml
@ -1,20 +1,34 @@
+- name: Create CI group
+  ansible.builtin.group:
+    name: ci
+    state: present
+
 - name: Create CI user
  ansible.builtin.user:
-    name: "{{ ci_user.name }}"
-    groups: "{{ ci_user.groups }}"
-    shell: "{{ ci_user.shell }}"
+    name: "{{ proxmox_ci_user_name }}"
+    group: ci
+    groups: "{{ proxmox_ci_user_groups }}"
+    shell: "{{ proxmox_ci_user_shell }}"
    state: present
    create_home: yes
-  when: ci_user.name is defined and ci_user.name | length > 0
+  when: proxmox_ci_user_name is defined and proxmox_ci_user_name | length > 0

 - name: Add SSH keys for CI user
  ansible.posix.authorized_key:
-    user: "{{ ci_user.name }}"
+    user: "{{ proxmox_ci_user_name }}"
    state: present
    key: "{{ item }}"
-  loop: "{{ ci_user.ssh_keys }}"
+  loop: "{{ proxmox_ci_user_ssh_keys }}"
  when:
-    - ci_user.name is defined
-    - ci_user.name | length > 0
-    - ci_user.ssh_keys is defined
-    - ci_user.ssh_keys | length > 0
+    - proxmox_ci_user_name is defined
+    - proxmox_ci_user_name | length > 0
+    - proxmox_ci_user_ssh_keys is defined
+    - proxmox_ci_user_ssh_keys | length > 0
+
+- name: Ensure image directory exists with correct permissions
+  ansible.builtin.file:
+    path: /var/lib/vz/dump
+    state: directory
+    owner: root
+    group: ci
+    mode: "0775" # rwxrwxr-x so 'ci' can write, others can read/execute
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -15,30 +15,31 @@
      - htop
      - git
      - rsync
+      - jq
      - nfs-common # If you plan to mount NFS shares
    state: present

 - name: Create new admin user
  ansible.builtin.user:
-    name: "{{ admin.name }}"
-    groups: "{{ admin.groups }}"
-    shell: "{{ admin.shell }}"
+    name: "{{ proxmox_admin_user_name }}"
+    groups: "{{ proxmox_admin_user_groups }}"
+    shell: "{{ proxmox_admin_user_shell }}"
    state: present
    create_home: yes
    append: yes # Ensures other groups don't get removed
-  when: admin.name is defined and admin.name | length > 0
+  when: proxmox_admin_user_name is defined and proxmox_admin_user_name | length > 0

 - name: Add SSH keys for new admin user
  ansible.posix.authorized_key:
-    user: "{{ admin.name }}"
+    user: "{{ proxmox_admin_user_name }}"
    state: present
    key: "{{ item }}"
-  loop: "{{ admin.ssh_keys }}"
+  loop: "{{ proxmox_admin_user_ssh_keys }}"
  when:
-    - admin.name is defined
-    - admin.name | length > 0
-    - admin.ssh_keys is defined
-    - admin.ssh_keys | length > 0
+    - proxmox_admin_user_name is defined
+    - proxmox_admin_user_name | length > 0
+    - proxmox_admin_user_ssh_keys is defined
+    - proxmox_admin_user_ssh_keys | length > 0
 # - name: Disable root SSH login (optional, but recommended)
 #   ansible.builtin.lineinfile:
 #     path: /etc/ssh/sshd_config
--- a/roles/proxmox_api/tasks/main.yml
+++ b/roles/proxmox_api/tasks/main.yml
@ -0,0 +1,57 @@
+- name: Ensure Proxmox API user exists and has correct password (using pveum)
+  ansible.builtin.shell: |
+    set -e # Exit immediately if a command exits with a non-zero status
+    USER_EXISTS=$(pveum user list --output-format json | jq -r '.[] | select(.userid == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}") | .userid')
+
+    if [ -z "$USER_EXISTS" ]; then
+      pveum user add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --password "{{ proxmox_api_user_password }}" --comment "CI/CD user created by Ansible" -enable 1
+      echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was added."
+    else
+      # Always attempt to modify to ensure password/comment is up-to-date
+      # pveum user modify does not return 'modified' for idempotency
+      (echo "{{ proxmox_api_user_password }}"; echo "{{ proxmox_api_user_password }}") | pveum passwd "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}"
+      pveum user modify "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --comment "CI/CD user updated by Ansible"
+      echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was modified (or already up-to-date)."
+    fi
+  register: pveum_user_result
+  changed_when: "'added' in pveum_user_result.stdout or 'modified' in pveum_user_result.stdout"
+  failed_when: pveum_user_result.rc != 0 and 'already exists' not in pveum_user_result.stderr
+  no_log: true # Prevent password from being logged
+
+- name: Ensure Proxmox API token exists (using pveum)
+  ansible.builtin.shell: |
+    set -e
+    TOKEN_INFO=$(pveum user token list "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --output-format json 2>/dev/null | jq -r '.[] | select(.tokenid == "{{ proxmox_api_token_id }}")')
+
+    if [ -z "$TOKEN_INFO" ]; then
+      pveum user token add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" "{{ proxmox_api_token_id }}" --comment "CI/CD token created by Ansible"
+      # echo "Token '{{ proxmox_api_token_id }}' was added. Secret: $(cat ~/.pve/token-{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}!{{ proxmox_api_token_id }}.json | jq -r '.value')" # Capture secret
+    else
+      echo "Token '{{ proxmox_api_token_id }}' for user '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' already exists. No action taken."
+    fi
+  register: pveum_token_result
+  changed_when: "'was added' in pveum_token_result.stdout"
+  # This task is tricky for secret capture.
+  # `pveum user token add` prints the secret to stdout on creation AND saves it to a file.
+  # We try to capture it from stdout and then from the file for robustness.
+  # You MUST parse `pveum_token_result.stdout` to get the secret when it's new.
+  # In real CI/CD, generate a new token via pveum only ONCE and store the secret
+  # then use `proxmox_api_token_secret` in your vars.
+  no_log: false # Prevent password and token secret from being logged
+
+- debug:
+    var: pveum_token_result.stdout
+
+- name: Ensure ACL for root exists
+  ansible.builtin.shell: |
+    set -e
+    ACL_EXISTS=$(pveum acl list --output-format json 2>/dev/null | jq -r '.[] | select(.path == "/" and .user == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" and .roleid == "{{ proxmox_api_user_role }}") | .path')
+
+    if [ -z "$ACL_EXISTS" ]; then
+      pveum acl modify / -user "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" -role "{{ proxmox_api_user_role }}" -propagate 1
+      echo "ACL for / was added."
+    else
+      echo "ACL for / already exists."
+    fi
+  register: pveum_acl_root_result
+  changed_when: "'was added' in pveum_acl_root_result.stdout"
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -1,11 +0,0 @@
- name: Create CI user
-  ansible.builtin.user:
-    name: "{{ ci_user }}"
-    shell: /bin/bash
-    groups: sudo
-    password: "{{ ci_password | password_hash('sha512') }}"
-
- name: Add authorized key
-  ansible.posix.authorized_key:
-    user: "{{ ci_user }}"
-    key: "{{ lookup('file', '../files/ci_user.pub') }}"