57 lines
3.5 KiB
YAML
57 lines
3.5 KiB
YAML
- name: Ensure Proxmox API user exists and has correct password (using pveum)
|
|
ansible.builtin.shell: |
|
|
set -e # Exit immediately if a command exits with a non-zero status
|
|
USER_EXISTS=$(pveum user list --output-format json | jq -r '.[] | select(.userid == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}") | .userid')
|
|
|
|
if [ -z "$USER_EXISTS" ]; then
|
|
pveum user add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --password "{{ proxmox_api_user_password }}" --comment "CI/CD user created by Ansible" -enable 1
|
|
echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was added."
|
|
else
|
|
# Always attempt to modify to ensure password/comment is up-to-date
|
|
# pveum user modify does not return 'modified' for idempotency
|
|
(echo "{{ proxmox_api_user_password }}"; echo "{{ proxmox_api_user_password }}") | pveum passwd "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}"
|
|
pveum user modify "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --comment "CI/CD user updated by Ansible"
|
|
echo "User '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' was modified (or already up-to-date)."
|
|
fi
|
|
register: pveum_user_result
|
|
changed_when: "'added' in pveum_user_result.stdout or 'modified' in pveum_user_result.stdout"
|
|
failed_when: pveum_user_result.rc != 0 and 'already exists' not in pveum_user_result.stderr
|
|
no_log: true # Prevent password from being logged
|
|
|
|
- name: Ensure Proxmox API token exists (using pveum)
|
|
ansible.builtin.shell: |
|
|
set -e
|
|
TOKEN_INFO=$(pveum user token list "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" --output-format json 2>/dev/null | jq -r '.[] | select(.tokenid == "{{ proxmox_api_token_id }}")')
|
|
|
|
if [ -z "$TOKEN_INFO" ]; then
|
|
pveum user token add "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" "{{ proxmox_api_token_id }}" --comment "CI/CD token created by Ansible"
|
|
# echo "Token '{{ proxmox_api_token_id }}' was added. Secret: $(cat ~/.pve/token-{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}!{{ proxmox_api_token_id }}.json | jq -r '.value')" # Capture secret
|
|
else
|
|
echo "Token '{{ proxmox_api_token_id }}' for user '{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}' already exists. No action taken."
|
|
fi
|
|
register: pveum_token_result
|
|
changed_when: "'was added' in pveum_token_result.stdout"
|
|
# This task is tricky for secret capture.
|
|
# `pveum user token add` prints the secret to stdout on creation AND saves it to a file.
|
|
# We try to capture it from stdout and then from the file for robustness.
|
|
# You MUST parse `pveum_token_result.stdout` to get the secret when it's new.
|
|
# In real CI/CD, generate a new token via pveum only ONCE and store the secret
|
|
# then use `proxmox_api_token_secret` in your vars.
|
|
no_log: false # Prevent password and token secret from being logged
|
|
|
|
- debug:
|
|
var: pveum_token_result.stdout
|
|
|
|
- name: Ensure ACL for root exists
|
|
ansible.builtin.shell: |
|
|
set -e
|
|
ACL_EXISTS=$(pveum acl list --output-format json 2>/dev/null | jq -r '.[] | select(.path == "/" and .user == "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" and .roleid == "{{ proxmox_api_user_role }}") | .path')
|
|
|
|
if [ -z "$ACL_EXISTS" ]; then
|
|
pveum acl modify / -user "{{ proxmox_api_user_name }}@{{ proxmox_api_user_realm }}" -role "{{ proxmox_api_user_role }}" -propagate 1
|
|
echo "ACL for / was added."
|
|
else
|
|
echo "ACL for / already exists."
|
|
fi
|
|
register: pveum_acl_root_result
|
|
changed_when: "'was added' in pveum_acl_root_result.stdout"
|