proxmox ci api user

2025-06-08 20:11:50 +02:00 · 2025-06-08 20:11:50 +02:00 · c05c863fda
commit c05c863fda
parent bdf3bc6b02
8 changed files with 147 additions and 52 deletions
--- a/roles/proxmox_api/tasks/main.yml
+++ b/roles/proxmox_api/tasks/main.yml
@ -0,0 +1,57 @@
+- name: Ensure Proxmox API user exists and has correct password (using pveum)
+  ansible.builtin.shell: |
+    set -e # Exit immediately if a command exits with a non-zero status
+    USER_EXISTS=$(pveum user list --output-format json | jq -r '.[] | select(.userid == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}") | .userid')
+
+    if [ -z "$USER_EXISTS" ]; then
+      pveum user add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --password "{{ proxmox_api_user_password }}" --comment "CI/CD user created by Ansible" -enable 1
+      echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was added."
+    else
+      # Always attempt to modify to ensure password/comment is up-to-date
+      # pveum user modify does not return 'modified' for idempotency
+      (echo "{{ proxmox_api_user_password }}"; echo "{{ proxmox_api_user_password }}") | pveum passwd "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}"
+      pveum user modify "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --comment "CI/CD user updated by Ansible"
+      echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was modified (or already up-to-date)."
+    fi
+  register: pveum_user_result
+  changed_when: "'added' in pveum_user_result.stdout or 'modified' in pveum_user_result.stdout"
+  failed_when: pveum_user_result.rc != 0 and 'already exists' not in pveum_user_result.stderr
+  no_log: true # Prevent password from being logged
+
+- name: Ensure Proxmox API token exists (using pveum)
+  ansible.builtin.shell: |
+    set -e
+    TOKEN_INFO=$(pveum user token list "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --output-format json 2>/dev/null | jq -r '.[] | select(.tokenid == "{{ proxmox_api_token_id }}")')
+
+    if [ -z "$TOKEN_INFO" ]; then
+      pveum user token add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" "{{ proxmox_api_token_id }}" --comment "CI/CD token created by Ansible"
+      # echo "Token '{{ proxmox_api_token_id }}' was added. Secret: $(cat ~/.pve/token-{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}!{{ proxmox_api_token_id }}.json | jq -r '.value')" # Capture secret
+    else
+      echo "Token '{{ proxmox_api_token_id }}' for user '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' already exists. No action taken."
+    fi
+  register: pveum_token_result
+  changed_when: "'was added' in pveum_token_result.stdout"
+  # This task is tricky for secret capture.
+  # `pveum user token add` prints the secret to stdout on creation AND saves it to a file.
+  # We try to capture it from stdout and then from the file for robustness.
+  # You MUST parse `pveum_token_result.stdout` to get the secret when it's new.
+  # In real CI/CD, generate a new token via pveum only ONCE and store the secret
+  # then use `proxmox_api_token_secret` in your vars.
+  no_log: false # Prevent password and token secret from being logged
+
+- debug:
+    var: pveum_token_result.stdout
+
+- name: Ensure ACL for root exists
+  ansible.builtin.shell: |
+    set -e
+    ACL_EXISTS=$(pveum acl list --output-format json 2>/dev/null | jq -r '.[] | select(.path == "/" and .user == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" and .roleid == "{{ proxmox_api_user_role }}") | .path')
+
+    if [ -z "$ACL_EXISTS" ]; then
+      pveum acl modify / -user "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" -role "{{ proxmox_api_user_role }}" -propagate 1
+      echo "ACL for / was added."
+    else
+      echo "ACL for / already exists."
+    fi
+  register: pveum_acl_root_result
+  changed_when: "'was added' in pveum_acl_root_result.stdout"