Compare commits


No commits in common. "main" and "docs" have entirely different histories.

20 changed files with 245 additions and 372 deletions

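--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +0,0 @@
-# ---> Ansible
-*.retry
-plugins
-library
-# ---> Python
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class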


@ -1,15 +0,0 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- "LICENSE*"
- "**/*.md"
- "**/*.ini"


@ -1,7 +0,0 @@
---
default: True
MD013: False
MD041: False
MD024: False
MD004:
style: dash


@ -1 +0,0 @@
LICENSE


@ -1,47 +0,0 @@
---
when:
- event: [pull_request]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: generate
image: quay.io/thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
ANSIBLE_DOCTOR_TEMPLATE: readme
- name: format
image: quay.io/thegeeklab/alpine-tools
commands:
- prettier -w README.md
- name: diff
image: quay.io/thegeeklab/alpine-tools
commands:
- git diff --color=always README.md
- name: publish
image: quay.io/thegeeklab/wp-git-action
settings:
action:
- commit
- push
author_email: ci-bot@rknet.org
author_name: ci-bot
branch: main
message: "[skip ci] automated docs update"
netrc_machine: gitea.rknet.org
netrc_password:
from_secret: gitea_token
when:
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
depends_on:
- lint


@ -1,30 +0,0 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: ansible-later
image: quay.io/thegeeklab/ansible-later:4
commands:
- ansible-later
environment:
FORCE_COLOR: "1"
- name: python-format
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff format --check --diff .
environment:
PY_COLORS: "1"
- name: python-lint
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff .
environment:
PY_COLORS: "1"


@ -1,26 +0,0 @@
---
when:
- event: [tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
runs_on: [success, failure]
steps:
- name: matrix
image: quay.io/thegeeklab/wp-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
username:
from_secret: matrix_username
when:
- status: [success, failure]
depends_on:
- docs

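--- a/LICENSE
+++ b/LICENSE
@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is furnished
-to do so, subject to the following conditions:
-The above copyright notice and this permission notice (including the next
-paragraph) shall be included in all copies or substantial portions of the
-Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
-OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
-OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.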


@ -1,7 +1,11 @@
# xoxys.pve
---
title: pve
type: docs
---
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.pve/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.pve)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.pve/src/branch/main/LICENSE)
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.pve)
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.pve?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.pve)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.pve/src/branch/main/LICENSE)
Basic role to configure a [Proxmox VE](https://www.proxmox.com/en/proxmox-ve) server.
Proxmox VE is a complete open-source platform for all-inclusive enterprise virtualization
@ -12,7 +16,7 @@ networking functionality on a single platform.
This role covers only some really basic configurations and should be considered as not production ready.
{{< /hint >}}
## Table of content
<!--more-->
- [Requirements](#requirements)
- [Default Variables](#default-variables)
@ -24,15 +28,17 @@ This role covers only some really basic configurations and should be considered
- [pve_disk_mount](#pve_disk_mount)
- [pve_nodes](#pve_nodes)
- [pve_pamd_motd_enabled](#pve_pamd_motd_enabled)
- [pve_tls_cert_source](#pve_tls_cert_source)
- [pve_tls_enabled](#pve_tls_enabled)
- [pve_tls_key_source](#pve_tls_key_source)
- [Discovered Tags](#discovered-tags)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)
---
## Requirements
- Minimum Ansible version: `2.10`
- Minimum Ansible version: `2.1`
## Default Variables
@ -101,14 +107,36 @@ pve_nodes:
pve_pamd_motd_enabled: true
```
### pve_tls_cert_source
#### Default value
```YAML
pve_tls_cert_source: mycert.pem
```
### pve_tls_enabled
#### Default value
```YAML
pve_tls_enabled: false
```
### pve_tls_key_source
#### Default value
```YAML
pve_tls_key_source: mykey.pem
```
## Discovered Tags
tls_renewal
: &nbsp;
## Dependencies
None.
## License
MIT
## Author
[Robert Kaussow](https://gitea.rknet.org/xoxys)


@ -1,35 +0,0 @@
---
pve_nodes:
- node1
pve_pamd_motd_enabled: True
pve_disk_mount: []
## Example:
# pve_disk_mount:
# - path: /mnt/backup
# src: /dev/sdX
# fstype: ext4
# opts:
# state: present
# Configure pam auth
pve_auth_pam_is_default: True
pve_auth_pam_description: Linux PAM standard authentication
pve_auth_pve_is_default: False
pve_auth_pve_description: Linux pve standard authentication
# Enable ldap auth against an external server
pve_auth_ldap_enabled: False
# pve_auth_ldap_is_default: False
# pve_auth_ldap_realm: ldap
# pve_auth_ldap_description: MyLDAP authentication server
# pve_auth_ldap_base_dn: dc=example,dc=com
# pve_auth_ldap_user_attr: uid
# pve_auth_ldap_primary_server: server1.example.com
# pve_auth_ldap_secondary_server: server2.example.com (defaults to not set)
# pve_auth_ldap_bind_dn: uid=proxy-user,cn=users,dc=example,dc=com (defaults to not set)
# pve_auth_ldap_bind_password: my_secret (defaults to not set)
# pve_auth_ldap_port: 389
# pve_auth_ldap_tls_enabled: False

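--- a/index.md
+++ b/index.md
@@ -0,0 +1,202 @@
+---
+title: pve
+type: docs
+---
+[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.pve) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.pve?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.pve) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.pve/src/branch/main/LICENSE)
+Basic role to configure a [Proxmox VE](https://www.proxmox.com/en/proxmox-ve) server. Proxmox VE is a complete open-source platform for all-inclusive enterprise virtualization that tightly integrates KVM hypervisor and LXC containers, software-defined storage and networking functionality on a single platform.
+{{< hint type=important >}} This role covers only some really basic configurations and should be considered as not production ready. {{< /hint >}}
+<!--more-->
+- [Default Variables](#default-variables)
+- [pve_auth_ldap_enabled](#pve_auth_ldap_enabled)
+- [pve_auth_ldap_tfa_oath_enabled](#pve_auth_ldap_tfa_oath_enabled)
+- [pve_auth_ldap_tfa_oath_pwlength](#pve_auth_ldap_tfa_oath_pwlength)
+- [pve_auth_ldap_tfa_oath_timestep](#pve_auth_ldap_tfa_oath_timestep)
+- [pve_auth_ldap_tfa_yubico_enabled](#pve_auth_ldap_tfa_yubico_enabled)
+- [pve_auth_pam_description](#pve_auth_pam_description)
+- [pve_auth_pam_is_default](#pve_auth_pam_is_default)
+- [pve_auth_pam_tfa_oath_enabled](#pve_auth_pam_tfa_oath_enabled)
+- [pve_auth_pam_tfa_yubico_enabled](#pve_auth_pam_tfa_yubico_enabled)
+- [pve_auth_pve_description](#pve_auth_pve_description)
+- [pve_auth_pve_is_default](#pve_auth_pve_is_default)
+- [pve_auth_pve_tfa_oath_enabled](#pve_auth_pve_tfa_oath_enabled)
+- [pve_auth_pve_tfa_yubico_enabled](#pve_auth_pve_tfa_yubico_enabled)
+- [pve_disk_mount](#pve_disk_mount)
+- [pve_nodes](#pve_nodes)
+- [pve_pamd_motd_enabled](#pve_pamd_motd_enabled)
+- [pve_tls_cert_source](#pve_tls_cert_source)
+- [pve_tls_enabled](#pve_tls_enabled)
+- [pve_tls_key_source](#pve_tls_key_source)
+- [Discovered Tags](#discovered-tags)
+- [Dependencies](#dependencies)
+---
+## Default Variables
+### pve_auth_ldap_enabled
+#### Default value
+```YAML
+pve_auth_ldap_enabled: false
+```
+### pve_auth_ldap_tfa_oath_enabled
+#### Default value
+```YAML
+pve_auth_ldap_tfa_oath_enabled: false
+```
+### pve_auth_ldap_tfa_oath_pwlength
+#### Default value
+```YAML
+pve_auth_ldap_tfa_oath_pwlength: 6
+```
+### pve_auth_ldap_tfa_oath_timestep
+#### Default value
+```YAML
+pve_auth_ldap_tfa_oath_timestep: 30
+```
+### pve_auth_ldap_tfa_yubico_enabled
+#### Default value
+```YAML
+pve_auth_ldap_tfa_yubico_enabled: false
+```
+### pve_auth_pam_description
+#### Default value
+```YAML
+pve_auth_pam_description: Linux PAM standard authentication
+```
+### pve_auth_pam_is_default
+#### Default value
+```YAML
+pve_auth_pam_is_default: true
+```
+### pve_auth_pam_tfa_oath_enabled
+#### Default value
+```YAML
+pve_auth_pam_tfa_oath_enabled: false
+```
+### pve_auth_pam_tfa_yubico_enabled
+#### Default value
+```YAML
+pve_auth_pam_tfa_yubico_enabled: false
+```
+### pve_auth_pve_description
+#### Default value
+```YAML
+pve_auth_pve_description: Linux pve standard authentication
+```
+### pve_auth_pve_is_default
+#### Default value
+```YAML
+pve_auth_pve_is_default: false
+```
+### pve_auth_pve_tfa_oath_enabled
+#### Default value
+```YAML
+pve_auth_pve_tfa_oath_enabled: false
+```
+### pve_auth_pve_tfa_yubico_enabled
+#### Default value
+```YAML
+pve_auth_pve_tfa_yubico_enabled: false
+```
+### pve_disk_mount
+#### Default value
+```YAML
+pve_disk_mount: []
+```
+### pve_nodes
+#### Default value
+```YAML
+pve_nodes:
+- node1
+```
+### pve_pamd_motd_enabled
+#### Default value
+```YAML
+pve_pamd_motd_enabled: true
+```
+### pve_tls_cert_source
+#### Default value
+```YAML
+pve_tls_cert_source: mycert.pem
+```
+### pve_tls_enabled
+#### Default value
+```YAML
+pve_tls_enabled: false
+```
+### pve_tls_key_source
+#### Default value
+```YAML
+pve_tls_key_source: mykey.pem
+```
+## Discovered Tags
+tls_renewal
+: &nbsp;
+## Dependencies
+None.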


@ -1,34 +0,0 @@
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: Robert Kaussow <mail@thegeeklab.de>
namespace: xoxys
role_name: pve
# @meta description: >
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.pve/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.pve)
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.pve/src/branch/main/LICENSE)
#
# Basic role to configure a [Proxmox VE](https://www.proxmox.com/en/proxmox-ve) server.
# Proxmox VE is a complete open-source platform for all-inclusive enterprise virtualization
# that tightly integrates KVM hypervisor and LXC containers, software-defined storage and
# networking functionality on a single platform.
#
# {{< hint type=important >}}
# This role covers only some really basic configurations and should be considered as not production ready.
# {{< /hint >}}
# @end
description: Basic role to configure a Proxmox VE server
license: MIT
min_ansible_version: "2.10"
platforms:
- name: Debian
versions:
- "bookworm"
galaxy_tags:
- pve
- kvm
- proxmox
- virtual
dependencies: []
collections:
- community.general


@ -1,17 +0,0 @@
[tool.ruff]
exclude = [".git", "__pycache__"]
line-length = 99
indent-width = 4
[tool.ruff.lint]
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
select = ["F", "E", "I", "W", "S"]
[tool.ruff.format]
quote-style = "double"
indent-style = "space"
line-ending = "lf"
[tool.pytest.ini_options]
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]


@ -1,42 +0,0 @@
---
- name: Create tmp folder for pve
ansible.builtin.file:
path: "{{ __pve_tmp_dir }}"
recurse: True
state: directory
- name: Configure auth provider
ansible.builtin.template:
src: etc/pve/domains.cfg.j2
dest: "{{ __pve_tmp_dir }}/domains.cfg"
owner: root
group: www-data
mode: "0640"
register: __pve_domains_copy
- name: Copy auth provider to pve filesystem
ansible.builtin.command: "/bin/cp -rf {{ __pve_tmp_dir }}/domains.cfg {{ __pve_base_dir }}/domains.cfg"
changed_when: __pve_domains_copy.changed
- when:
- pve_auth_ldap_enabled | bool
- pve_auth_ldap_bind_password is defined
block:
- name: Ensure path for auth file exists
ansible.builtin.file:
path: "{{ __pve_base_dir }}/priv/ldap"
recurse: True
state: directory
- name: Add passwd file for ldap bind
ansible.builtin.template:
src: etc/pve/priv/ldap.pw.j2
dest: "{{ __pve_tmp_dir }}/{{ pve_auth_ldap_realm }}.pw"
owner: root
group: www-data
mode: "0640"
register: __pve_auth_copy
- name: Copy passwd file to pve filesystem
ansible.builtin.command: "/bin/cp -rf {{ __pve_tmp_dir }}/{{ pve_auth_ldap_realm }}.pw {{ __pve_base_dir }}/priv/ldap/{{ pve_auth_ldap_realm }}.pw"
changed_when: __pve_auth_copy.changed


@ -1,4 +0,0 @@
---
- ansible.builtin.import_tasks: pve.yml
- ansible.builtin.import_tasks: pam.yml
- ansible.builtin.import_tasks: auth.yml


@ -1,18 +0,0 @@
---
- name: Remove motd from oam stack
community.general.pamd:
name: "{{ item.name }}"
type: "{{ item.type }}"
control: "{{ item.control }}"
module_path: "{{ item.path }}"
state: absent
loop:
- name: "login"
type: "session"
control: "optional"
path: "pam_motd.so"
- name: "sshd"
type: "session"
control: "optional"
path: "pam_motd.so"
when: not pve_pamd_motd_enabled | bool


@ -1,20 +0,0 @@
---
- name: Ensure mountpoints are present
ansible.builtin.file:
path: "{{ item.path }}"
recurse: yes
state: directory
loop: "{{ pve_disk_mount }}"
loop_control:
label: "{{ item.path }}"
- name: Add diskmounts to fstab
ansible.posix.mount:
path: "{{ item.path }}"
src: "{{ item.src }}"
fstype: "{{ item.fstype }}"
opts: "{{ item.opts | default(omit) }}"
state: "{{ item.state | default('mounted') }}"
loop: "{{ pve_disk_mount }}"
loop_control:
label: "{{ item.src }} {{ item.path }}"


@ -1,25 +0,0 @@
#jinja2:lstrip_blocks: True
pam: pam
comment {{ pve_auth_pam_description }}
default {{ 1 if pve_auth_pam_is_default else 0 }}
pve: pve
comment {{ pve_auth_pve_description }}
default {{ 1 if pve_auth_pve_is_default else 0 }}
{% if pve_auth_ldap_enabled %}
ldap: {{ pve_auth_ldap_realm }}
comment {{ pve_auth_ldap_description }}
base_dn {{ pve_auth_ldap_base_dn }}
server1 {{ pve_auth_ldap_primary_server }}
{% if pve_auth_ldap_secondary_server is defined %}
server2 {{ pve_auth_ldap_secondary_server }}
{% endif %}
user_attr {{ pve_auth_ldap_user_attr }}
{% if pve_auth_ldap_bind_dn is defined %}
bind_dn {{ pve_auth_ldap_bind_dn }}
{% endif %}
default {{ 1 if pve_auth_ldap_is_default else 0 }}
port {{ pve_auth_ldap_port }}
secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
{% endif %}


@ -1 +0,0 @@
{{ pve_auth_ldap_bind_password }}


@ -1,3 +0,0 @@
---
__pve_base_dir: /etc/pve
__pve_tmp_dir: /var/tmp/pve