Initial CommitHEAD master

author: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
commit: 95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree: cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /roles/proxmox
12 files changed, 473 insertions, 0 deletions
diff --git a/roles/proxmox/cloudinit_guest/defaults/main.yml b/roles/proxmox/cloudinit_guest/defaults/main.yml
new file mode 100644
index 0000000..a562ff3
--- /dev/null
+++ b/roles/proxmox/cloudinit_guest/defaults/main.yml
@@ -0,0 +1,7 @@
+vm_onboot: yes
+vm_agent: yes
+vm_bridge: vmbr0
+vm_full_clone: yes
+memory_size: 512
+cpu_cores: 1
+cpu_sockets: 1
diff --git a/roles/proxmox/cloudinit_guest/tasks/main.yml b/roles/proxmox/cloudinit_guest/tasks/main.yml
new file mode 100644
index 0000000..ab958dc
--- /dev/null
+++ b/roles/proxmox/cloudinit_guest/tasks/main.yml
@@ -0,0 +1,80 @@
+- name: check if id already exists
+  stat:
+    path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
+  register: stat_result
+- meta: end_play
+  when: stat_result.stat.exists
+- name: install packages
+  package:
+    name:
+      - python3-pip
+      - python3-requests
+- name: ensure latest version of proxmoxer is installed
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  pip:
+    name: proxmoxer==2.0.0
+- name: remove any existing api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
+- name: create api token
+  register: api_token
+  changed_when: result.rc == 0
+  args:
+    executable: /bin/bash
+  shell: |
+    set -eo pipefail
+    pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+- name: clone template and create guest
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  community.general.proxmox_kvm:
+    api_host: proxmox.home.local
+    api_user: "{{ proxmox_api_user }}"
+    api_token_id: "ansible"
+    api_token_secret: "{{ api_token.stdout }}"
+    node: proxmox
+    full: "{{ vm_full_clone }}"
+    clone: arbitrary
+    vmid: "{{ template_id }}"
+    newid: "{{ vm_id }}"
+    name: "{{ vm_name }}"
+    memory: "{{ memory_size }}"
+    sockets: "{{ cpu_sockets }}"
+    cores: "{{ cpu_cores }}"
+    bios: "{{ bios_type }}"
+    ipconfig:
+      ipconfig0: "ip={{ ip_addr }},gw={{ gateway }}"
+    net:
+      net0: "virtio,bridge={{ vm_bridge }},tag={{ vm_vlan }}"
+    nameservers: "{{ nameserver }}"
+    onboot: "{{ vm_onboot }}"
+    agent: "{{ vm_agent }}"
+    state: present
+- name: start vmn
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  community.general.proxmox_kvm:
+    api_host: proxmox.home.local
+    api_user: "{{ proxmox_api_user }}"
+    api_token_id: "ansible"
+    api_token_secret: "{{ api_token.stdout }}"
+    node: proxmox
+    vmid: "{{ vm_id }}"
+    state: started
+- name: remove api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/debian_cloudinit/defaults/main.yml b/roles/proxmox/debian_cloudinit/defaults/main.yml
new file mode 100644
index 0000000..dfebf34
--- /dev/null
+++ b/roles/proxmox/debian_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
+ci_target_dir: "/home/{{ci_user}}"
+ci_memory_size: 512
+ci_base_id: 1000
+ci_disk_size: "10G"
+ci_storage: "local-lvm"
+ci_user: "initadmin"
+ssh_key_local: /home/sam/.ssh/id_rsa.pub
+ssh_key_dest: /home/vmadmin/ci_sshkey
diff --git a/roles/proxmox/debian_cloudinit/tasks/main.yml b/roles/proxmox/debian_cloudinit/tasks/main.yml
new file mode 100644
index 0000000..8ed7dfd
--- /dev/null
+++ b/roles/proxmox/debian_cloudinit/tasks/main.yml
@@ -0,0 +1,115 @@
+- name: check if id already exists
+  stat:
+    path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
+  register: stat_result
+- meta: end_play
+  when: stat_result.stat.exists
+- name: install packages
+  package:
+    name:
+      - python3-pip
+      - python3-requests
+- name: ensure latest version of proxmoxer is installed
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  pip:
+    name: proxmoxer==2.0.0
+- name: download the hashes
+  get_url:
+    url: "https://cloud.debian.org/images/cloud/bookworm/latest/SHA512SUMS"
+    dest: "{{ ci_target_dir }}"
+- name: get the hash
+  changed_when: false
+  args:
+    executable: /bin/bash
+  shell: |
+    set -eo pipefail
+    grep debian-12-genericcloud-amd64.qcow2 {{ ci_target_dir }}/SHA512SUMS | cut -d ' ' -f 1
+  register: sha512sum
+- name: download the cloud image
+  get_url:
+    url: "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2"
+    dest: "{{ ci_target_dir }}"
+    checksum: "sha512:{{ sha512sum.stdout }}"
+- name: remove any existing api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
+- name: create api token
+  register: api_token
+  changed_when: result.rc == 0
+  args:
+    executable: /bin/bash
+  shell: |
+    set -eo pipefail
+    pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+- name: create vm
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  community.general.proxmox_kvm:
+    api_host: proxmox.home.local
+    api_user: "{{ proxmox_api_user }}"
+    api_token_id: "ansible"
+    api_token_secret: "{{ api_token.stdout }}"
+    node: proxmox
+    # basic settings
+    vmid: "{{ ci_base_id }}"
+    memory: "{{ ci_memory_size }}"
+    sockets: "{{ cpu_sockets }}"
+    cores: "{{ cpu_cores }}"
+    bios: "{{ bios_type }}"
+    agent: "{{ vm_agent }}"
+    state: "present"
+    # display settings
+    serial:
+      "serial0": "socket"
+    vga: "serial0"
+    # disks and boot settings
+    scsihw: "virtio-scsi-pci"
+    ide:
+      ide2: "{{ ci_storage }}:cloudinit"
+    boot: "c"
+    bootdisk: "scsi0"
+    onboot: "{{ vm_onboot }}"
+    # cloud-init
+    citype: "nocloud"
+    ciuser: "{{ ci_user }}"
+    cipassword: "{{ ci_password }}"
+    sshkeys: "{{ ci_sshkey }}"
+    # network
+    net:
+      net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
+    nameservers: "{{ nameserver }}"
+    template: "yes"
+- name: import the cloud image
+  changed_when: false
+  command:
+    cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/debian-12-genericcloud-amd64.qcow2 {{ ci_storage }}"
+    creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
+- name: attach the cloud image as a new disk
+  changed_when: false
+  command:
+    cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
+- name: resize disk to standard size
+  changed_when: false
+  command:
+    cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
+- name: remove api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/fedora_cloudinit/defaults/main.yml b/roles/proxmox/fedora_cloudinit/defaults/main.yml
new file mode 100644
index 0000000..fb44657
--- /dev/null
+++ b/roles/proxmox/fedora_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
+ci_target_dir: "/home/{{ci_user}}"
+ci_memory_size: 512
+ci_base_id: 1001
+ci_storage: "local-lvm"
+ci_disk_size: "10G"
+ci_user: "initadmin"
+ssh_key_local: files/id_rsa.pub
+ssh_key_dest: /tmp/ci_sshkey
diff --git a/roles/proxmox/fedora_cloudinit/tasks/main.yml b/roles/proxmox/fedora_cloudinit/tasks/main.yml
new file mode 100644
index 0000000..61ed185
--- /dev/null
+++ b/roles/proxmox/fedora_cloudinit/tasks/main.yml
@@ -0,0 +1,122 @@
+- name: download the hashes
+  get_url:
+    url: "https://getfedora.org/static/checksums/36/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
+    dest: "{{ ci_target_dir }}"
+- name: install gpg
+  package:
+    name: gnupg
+    state: latest
+- name: download the GPG key
+  get_url:
+    url: "https://getfedora.org/static/fedora.gpg"
+    dest: "{{ ci_target_dir }}"
+- name: import gpg key
+  changed_when: false
+  args:
+    executable: /bin/bash
+  shell: |
+    set -eo pipefail
+    cat {{ ci_target_dir }}/fedora.gpg | gpg --import
+- name: verify checksum file
+  command:
+    cmd: "gpg --verify {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
+  register: result
+  changed_when: false
+  failed_when: result.rc > 0
+- name: fail if unable to gpg verify checksums
+  fail:
+    msg: "failed to verify the checksums"
+  when: result.rc > 0
+- name: get the hash
+  shell:
+    cmd: "grep 'qcow2)' {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM | cut -d '=' -f 2 | tr -d ' '"
+  changed_when: false
+  register: sha256sum
+- name: download the cloud image
+  get_url:
+    url: "https://download.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
+    dest: "{{ ci_target_dir }}"
+    checksum: "sha256:{{ sha256sum.stdout }}"
+- name: remove any existing api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
+- name: create api token
+  register: api_token
+  changed_when: result.rc == 0
+  args:
+    executable: /bin/bash
+  shell: |
+    set -eo pipefail
+    pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+- name: create vm
+  become: yes
+  become_user: "{{ proxmox_username }}"
+  community.general.proxmox_kvm:
+    api_host: proxmox.home.local
+    api_user: "{{ proxmox_api_user }}"
+    api_token_id: "ansible"
+    api_token_secret: "{{ api_token.stdout }}"
+    node: proxmox
+    # basic settings
+    vmid: "{{ ci_base_id }}"
+    memory: "{{ ci_memory_size }}"
+    sockets: "{{ cpu_sockets }}"
+    cores: "{{ cpu_cores }}"
+    bios: "{{ bios_type }}"
+    agent: "{{ vm_agent }}"
+    state: "present"
+    # display settings
+    serial:
+      "serial0": "socket"
+    vga: "serial0"
+    # disks and boot settings
+    scsihw: "virtio-scsi-pci"
+    ide:
+      ide2: "{{ ci_storage }}:cloudinit"
+    boot: "c"
+    bootdisk: "scsi0"
+    onboot: "{{ vm_onboot }}"
+    # cloud-init
+    citype: "nocloud"
+    ciuser: "{{ ci_user }}"
+    cipassword: "{{ ci_password }}"
+    sshkeys: "{{ ci_sshkey }}"
+    # network
+    net:
+      net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
+    nameservers: "{{ nameserver }}"
+    template: "yes"
+- name: import the cloud image
+  changed_when: false
+  command:
+    cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/Fedora-Cloud-Base-36-1.5.x86_64.qcow2 {{ ci_storage }}"
+    creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
+- name: attach the cloud image as a new disk
+  changed_when: false
+  command:
+    cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
+- name: resize disk to standard size
+  changed_when: false
+  command:
+    cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
+- name: remove api token
+  command: "pveum user token remove vmadmin@pam ansible"
+  register: result
+  changed_when: result.rc == 0
+  failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/proxmox_backup_server/tasks/main.yml b/roles/proxmox/proxmox_backup_server/tasks/main.yml
new file mode 100644
index 0000000..3e91a19
--- /dev/null
+++ b/roles/proxmox/proxmox_backup_server/tasks/main.yml
@@ -0,0 +1,42 @@
+- name: add proxmox backup repo
+  apt_repository:
+    repo: deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription
+    state: present
+    update_cache: yes
+- name: install proxmox backup server and client
+  package:
+    name:
+      - proxmox-backup-server
+      - proxmox-backup-client
+- name: create datastore
+  command:
+    cmd: "proxmox-backup-manager datastore create {{ pbs_datastore }} {{ pbs_datastore_path }} --keep-last {{ pbs_keep_last }} --keep-daily {{ pbs_keep_daily }} --keep-weekly {{ pbs_keep_weekly }} --keep-monthly {{ pbs_keep_monthly }} --keep-yearly {{ pbs_keep_yearly }}"
+  register: result
+  changed_when: false
+  failed_when: result.rc not in [255]
+- name: create backup admin
+  command:
+    cmd: "proxmox-backup-manager user create {{ pbs_admin }} --password {{ pbs_admin_password }}"
+  register: result
+  changed_when: false
+  failed_when: result.rc not in [255]
+- name: assign permissions for backup admin
+  changed_when: false
+  command:
+    cmd: "proxmox-backup-manager acl update / Admin --auth-id {{ pbs_admin }}"
+- name: create backup user
+  command:
+    cmd: "proxmox-backup-manager user create {{ pbs_user }} --password {{ pbs_password }}"
+  register: result
+  failed_when: result.rc not in [255]
+  changed_when: false
+- name: assign permissions for backup user
+  changed_when: false
+  command:
+    cmd: "proxmox-backup-manager acl update / DatastoreBackup --auth-id {{ pbs_user }}"
diff --git a/roles/proxmox/pve_backup/tasks/main.yml b/roles/proxmox/pve_backup/tasks/main.yml
new file mode 100644
index 0000000..eba51d9
--- /dev/null
+++ b/roles/proxmox/pve_backup/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: create cron job for root backup of proxmox ve
+  cron:
+    name: "proxmox / backup"
+    cron_file: backup
+    hour: "23"
+    minute: "0"
+    user: root
+    job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup root.pxar:/ --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"
+- name: create cron job for /etc/pve backup of proxmox ve
+  cron:
+    name: "proxmox /etc/pve backup"
+    cron_file: backup
+    hour: "23"
+    minute: "0"
+    user: root
+    job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup pve.pxar:/etc/pve --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"
diff --git a/roles/proxmox/system/defaults/main.yml b/roles/proxmox/system/defaults/main.yml
new file mode 100644
index 0000000..0091ea1
--- /dev/null
+++ b/roles/proxmox/system/defaults/main.yml
@@ -0,0 +1,8 @@
+username: vmadmin
+ssh_public_key: changme
+oath_key: changeme
+raid_id: "0"
+raid_level: "1"
+raid_devices: "/dev/sda1 /dev/sdb1"
+raid_name: "prometheus:0"
diff --git a/roles/proxmox/system/tasks/main.yml b/roles/proxmox/system/tasks/main.yml
new file mode 100644
index 0000000..ac84900
--- /dev/null
+++ b/roles/proxmox/system/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: remove enterprise repo
+  file:
+    path: /etc/apt/sources.list.d/pve-enterprise.list
+    state: absent
+- name: add proxmox no subscription repo
+  apt_repository:
+    repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+- name: create non-root user
+  user:
+    name: "{{ proxmox_username }}"
+    groups:
+      - sudo
+    shell: /bin/bash
+- name: give passwordless sudo to sudo group
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+- name: deploy ssh public key
+  authorized_key:
+    user: "{{ proxmox_username }}"
+    state: present
+    key: "{{ lookup('file', 'data/common/id_rsa.pub') }}"
diff --git a/roles/proxmox/system/tasks/proxmox_repo.yml b/roles/proxmox/system/tasks/proxmox_repo.yml
new file mode 100644
index 0000000..bf2508d
--- /dev/null
+++ b/roles/proxmox/system/tasks/proxmox_repo.yml
@@ -0,0 +1,8 @@
+- name: remove enterprise repo
+  file:
+    path: /etc/apt/sources.list.d/pve-enterprise.list
+    state: absent
+- name: add proxmox no subscription repo
+  apt_repository:
+    repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
diff --git a/roles/proxmox/system/tasks/user.yml b/roles/proxmox/system/tasks/user.yml
new file mode 100644
index 0000000..2ba337a
--- /dev/null
+++ b/roles/proxmox/system/tasks/user.yml
@@ -0,0 +1,28 @@
+- name: create non-root user
+  user:
+    name: "{{ username }}"
+    password: "{{ password | password_hash('sha512') }}"
+    groups:
+      - sudo
+    shell: /bin/bash
+    update_password: on_create
+  register: newuser
+- name: ensure primary user group exists
+  group:
+    name: "{{ username }}"
+    state: present
+- name: give passwordless sudo to sudo group
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+- name: deploy ssh public key
+  authorized_key:
+    user: "{{ username }}"
+    state: present
+    key: "{{ ssh_public_key }}"
author	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
commit	95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree	cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /roles/proxmox

diff --git a/roles/proxmox/cloudinit_guest/defaults/main.yml b/roles/proxmox/cloudinit_guest/defaults/main.yml new file mode 100644 index 0000000..a562ff3 --- /dev/null +++ b/roles/proxmox/cloudinit_guest/defaults/main.yml
@@ -0,0 +1,7 @@
	1	vm_onboot: yes
	2	vm_agent: yes
	3	vm_bridge: vmbr0
	4	vm_full_clone: yes
	5	memory_size: 512
	6	cpu_cores: 1
	7	cpu_sockets: 1


diff --git a/roles/proxmox/cloudinit_guest/tasks/main.yml b/roles/proxmox/cloudinit_guest/tasks/main.yml new file mode 100644 index 0000000..ab958dc --- /dev/null +++ b/roles/proxmox/cloudinit_guest/tasks/main.yml
@@ -0,0 +1,80 @@
	1	- name: check if id already exists
	2	stat:
	3	path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
	4	register: stat_result
	5
	6	- meta: end_play
	7	when: stat_result.stat.exists
	8
	9	- name: install packages
	10	package:
	11	name:
	12	- python3-pip
	13	- python3-requests
	14
	15	- name: ensure latest version of proxmoxer is installed
	16	become: yes
	17	become_user: "{{ proxmox_username }}"
	18	pip:
	19	name: proxmoxer==2.0.0
	20
	21	- name: remove any existing api token
	22	command: "pveum user token remove vmadmin@pam ansible"
	23	register: result
	24	changed_when: result.rc == 0
	25	failed_when: result.rc not in [0,255]
	26
	27	- name: create api token
	28	register: api_token
	29	changed_when: result.rc == 0
	30	args:
	31	executable: /bin/bash
	32	shell: \|
	33	set -eo pipefail
	34	pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml \| grep value \| cut -d ' ' -f 2
	35
	36
	37	- name: clone template and create guest
	38	become: yes
	39	become_user: "{{ proxmox_username }}"
	40	community.general.proxmox_kvm:
	41	api_host: proxmox.home.local
	42	api_user: "{{ proxmox_api_user }}"
	43	api_token_id: "ansible"
	44	api_token_secret: "{{ api_token.stdout }}"
	45	node: proxmox
	46	full: "{{ vm_full_clone }}"
	47	clone: arbitrary
	48	vmid: "{{ template_id }}"
	49	newid: "{{ vm_id }}"
	50	name: "{{ vm_name }}"
	51	memory: "{{ memory_size }}"
	52	sockets: "{{ cpu_sockets }}"
	53	cores: "{{ cpu_cores }}"
	54	bios: "{{ bios_type }}"
	55	ipconfig:
	56	ipconfig0: "ip={{ ip_addr }},gw={{ gateway }}"
	57	net:
	58	net0: "virtio,bridge={{ vm_bridge }},tag={{ vm_vlan }}"
	59	nameservers: "{{ nameserver }}"
	60	onboot: "{{ vm_onboot }}"
	61	agent: "{{ vm_agent }}"
	62	state: present
	63
	64	- name: start vmn
	65	become: yes
	66	become_user: "{{ proxmox_username }}"
	67	community.general.proxmox_kvm:
	68	api_host: proxmox.home.local
	69	api_user: "{{ proxmox_api_user }}"
	70	api_token_id: "ansible"
	71	api_token_secret: "{{ api_token.stdout }}"
	72	node: proxmox
	73	vmid: "{{ vm_id }}"
	74	state: started
	75
	76	- name: remove api token
	77	command: "pveum user token remove vmadmin@pam ansible"
	78	register: result
	79	changed_when: result.rc == 0
	80	failed_when: result.rc not in [0,255]


diff --git a/roles/proxmox/debian_cloudinit/defaults/main.yml b/roles/proxmox/debian_cloudinit/defaults/main.yml new file mode 100644 index 0000000..dfebf34 --- /dev/null +++ b/roles/proxmox/debian_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
	1	ci_target_dir: "/home/{{ci_user}}"
	2	ci_memory_size: 512
	3	ci_base_id: 1000
	4	ci_disk_size: "10G"
	5	ci_storage: "local-lvm"
	6	ci_user: "initadmin"
	7	ssh_key_local: /home/sam/.ssh/id_rsa.pub
	8	ssh_key_dest: /home/vmadmin/ci_sshkey


diff --git a/roles/proxmox/debian_cloudinit/tasks/main.yml b/roles/proxmox/debian_cloudinit/tasks/main.yml new file mode 100644 index 0000000..8ed7dfd --- /dev/null +++ b/roles/proxmox/debian_cloudinit/tasks/main.yml
@@ -0,0 +1,115 @@
	1	- name: check if id already exists
	2	stat:
	3	path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
	4	register: stat_result
	5
	6	- meta: end_play
	7	when: stat_result.stat.exists
	8
	9	- name: install packages
	10	package:
	11	name:
	12	- python3-pip
	13	- python3-requests
	14
	15	- name: ensure latest version of proxmoxer is installed
	16	become: yes
	17	become_user: "{{ proxmox_username }}"
	18	pip:
	19	name: proxmoxer==2.0.0
	20
	21	- name: download the hashes
	22	get_url:
	23	url: "https://cloud.debian.org/images/cloud/bookworm/latest/SHA512SUMS"
	24	dest: "{{ ci_target_dir }}"
	25
	26	- name: get the hash
	27	changed_when: false
	28	args:
	29	executable: /bin/bash
	30	shell: \|
	31	set -eo pipefail
	32	grep debian-12-genericcloud-amd64.qcow2 {{ ci_target_dir }}/SHA512SUMS \| cut -d ' ' -f 1
	33	register: sha512sum
	34
	35	- name: download the cloud image
	36	get_url:
	37	url: "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2"
	38	dest: "{{ ci_target_dir }}"
	39	checksum: "sha512:{{ sha512sum.stdout }}"
	40
	41	- name: remove any existing api token
	42	command: "pveum user token remove vmadmin@pam ansible"
	43	register: result
	44	changed_when: result.rc == 0
	45	failed_when: result.rc not in [0,255]
	46
	47	- name: create api token
	48	register: api_token
	49	changed_when: result.rc == 0
	50	args:
	51	executable: /bin/bash
	52	shell: \|
	53	set -eo pipefail
	54	pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml \| grep value \| cut -d ' ' -f 2
	55
	56	- name: create vm
	57	become: yes
	58	become_user: "{{ proxmox_username }}"
	59	community.general.proxmox_kvm:
	60	api_host: proxmox.home.local
	61	api_user: "{{ proxmox_api_user }}"
	62	api_token_id: "ansible"
	63	api_token_secret: "{{ api_token.stdout }}"
	64	node: proxmox
	65	# basic settings
	66	vmid: "{{ ci_base_id }}"
	67	memory: "{{ ci_memory_size }}"
	68	sockets: "{{ cpu_sockets }}"
	69	cores: "{{ cpu_cores }}"
	70	bios: "{{ bios_type }}"
	71	agent: "{{ vm_agent }}"
	72	state: "present"
	73	# display settings
	74	serial:
	75	"serial0": "socket"
	76	vga: "serial0"
	77	# disks and boot settings
	78	scsihw: "virtio-scsi-pci"
	79	ide:
	80	ide2: "{{ ci_storage }}:cloudinit"
	81	boot: "c"
	82	bootdisk: "scsi0"
	83	onboot: "{{ vm_onboot }}"
	84	# cloud-init
	85	citype: "nocloud"
	86	ciuser: "{{ ci_user }}"
	87	cipassword: "{{ ci_password }}"
	88	sshkeys: "{{ ci_sshkey }}"
	89	# network
	90	net:
	91	net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
	92	nameservers: "{{ nameserver }}"
	93	template: "yes"
	94
	95	- name: import the cloud image
	96	changed_when: false
	97	command:
	98	cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/debian-12-genericcloud-amd64.qcow2 {{ ci_storage }}"
	99	creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
	100
	101	- name: attach the cloud image as a new disk
	102	changed_when: false
	103	command:
	104	cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
	105
	106	- name: resize disk to standard size
	107	changed_when: false
	108	command:
	109	cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
	110
	111	- name: remove api token
	112	command: "pveum user token remove vmadmin@pam ansible"
	113	register: result
	114	changed_when: result.rc == 0
	115	failed_when: result.rc not in [0,255]


diff --git a/roles/proxmox/fedora_cloudinit/defaults/main.yml b/roles/proxmox/fedora_cloudinit/defaults/main.yml new file mode 100644 index 0000000..fb44657 --- /dev/null +++ b/roles/proxmox/fedora_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
	1	ci_target_dir: "/home/{{ci_user}}"
	2	ci_memory_size: 512
	3	ci_base_id: 1001
	4	ci_storage: "local-lvm"
	5	ci_disk_size: "10G"
	6	ci_user: "initadmin"
	7	ssh_key_local: files/id_rsa.pub
	8	ssh_key_dest: /tmp/ci_sshkey


diff --git a/roles/proxmox/fedora_cloudinit/tasks/main.yml b/roles/proxmox/fedora_cloudinit/tasks/main.yml new file mode 100644 index 0000000..61ed185 --- /dev/null +++ b/roles/proxmox/fedora_cloudinit/tasks/main.yml
@@ -0,0 +1,122 @@
	1	- name: download the hashes
	2	get_url:
	3	url: "https://getfedora.org/static/checksums/36/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
	4	dest: "{{ ci_target_dir }}"
	5
	6	- name: install gpg
	7	package:
	8	name: gnupg
	9	state: latest
	10
	11	- name: download the GPG key
	12	get_url:
	13	url: "https://getfedora.org/static/fedora.gpg"
	14	dest: "{{ ci_target_dir }}"
	15
	16	- name: import gpg key
	17	changed_when: false
	18	args:
	19	executable: /bin/bash
	20	shell: \|
	21	set -eo pipefail
	22	cat {{ ci_target_dir }}/fedora.gpg \| gpg --import
	23
	24	- name: verify checksum file
	25	command:
	26	cmd: "gpg --verify {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
	27	register: result
	28	changed_when: false
	29	failed_when: result.rc > 0
	30
	31	- name: fail if unable to gpg verify checksums
	32	fail:
	33	msg: "failed to verify the checksums"
	34	when: result.rc > 0
	35
	36	- name: get the hash
	37	shell:
	38	cmd: "grep 'qcow2)' {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM \| cut -d '=' -f 2 \| tr -d ' '"
	39	changed_when: false
	40	register: sha256sum
	41
	42	- name: download the cloud image
	43	get_url:
	44	url: "https://download.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
	45	dest: "{{ ci_target_dir }}"
	46	checksum: "sha256:{{ sha256sum.stdout }}"
	47
	48	- name: remove any existing api token
	49	command: "pveum user token remove vmadmin@pam ansible"
	50	register: result
	51	changed_when: result.rc == 0
	52	failed_when: result.rc not in [0,255]
	53
	54	- name: create api token
	55	register: api_token
	56	changed_when: result.rc == 0
	57	args:
	58	executable: /bin/bash
	59	shell: \|
	60	set -eo pipefail
	61	pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml \| grep value \| cut -d ' ' -f 2
	62
	63	- name: create vm
	64	become: yes
	65	become_user: "{{ proxmox_username }}"
	66	community.general.proxmox_kvm:
	67	api_host: proxmox.home.local
	68	api_user: "{{ proxmox_api_user }}"
	69	api_token_id: "ansible"
	70	api_token_secret: "{{ api_token.stdout }}"
	71	node: proxmox
	72	# basic settings
	73	vmid: "{{ ci_base_id }}"
	74	memory: "{{ ci_memory_size }}"
	75	sockets: "{{ cpu_sockets }}"
	76	cores: "{{ cpu_cores }}"
	77	bios: "{{ bios_type }}"
	78	agent: "{{ vm_agent }}"
	79	state: "present"
	80	# display settings
	81	serial:
	82	"serial0": "socket"
	83	vga: "serial0"
	84	# disks and boot settings
	85	scsihw: "virtio-scsi-pci"
	86	ide:
	87	ide2: "{{ ci_storage }}:cloudinit"
	88	boot: "c"
	89	bootdisk: "scsi0"
	90	onboot: "{{ vm_onboot }}"
	91	# cloud-init
	92	citype: "nocloud"
	93	ciuser: "{{ ci_user }}"
	94	cipassword: "{{ ci_password }}"
	95	sshkeys: "{{ ci_sshkey }}"
	96	# network
	97	net:
	98	net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
	99	nameservers: "{{ nameserver }}"
	100	template: "yes"
	101
	102	- name: import the cloud image
	103	changed_when: false
	104	command:
	105	cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/Fedora-Cloud-Base-36-1.5.x86_64.qcow2 {{ ci_storage }}"
	106	creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
	107
	108	- name: attach the cloud image as a new disk
	109	changed_when: false
	110	command:
	111	cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
	112
	113	- name: resize disk to standard size
	114	changed_when: false
	115	command:
	116	cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
	117
	118	- name: remove api token
	119	command: "pveum user token remove vmadmin@pam ansible"
	120	register: result
	121	changed_when: result.rc == 0
	122	failed_when: result.rc not in [0,255]


diff --git a/roles/proxmox/proxmox_backup_server/tasks/main.yml b/roles/proxmox/proxmox_backup_server/tasks/main.yml new file mode 100644 index 0000000..3e91a19 --- /dev/null +++ b/roles/proxmox/proxmox_backup_server/tasks/main.yml
@@ -0,0 +1,42 @@
	1	- name: add proxmox backup repo
	2	apt_repository:
	3	repo: deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription
	4	state: present
	5	update_cache: yes
	6
	7	- name: install proxmox backup server and client
	8	package:
	9	name:
	10	- proxmox-backup-server
	11	- proxmox-backup-client
	12
	13	- name: create datastore
	14	command:
	15	cmd: "proxmox-backup-manager datastore create {{ pbs_datastore }} {{ pbs_datastore_path }} --keep-last {{ pbs_keep_last }} --keep-daily {{ pbs_keep_daily }} --keep-weekly {{ pbs_keep_weekly }} --keep-monthly {{ pbs_keep_monthly }} --keep-yearly {{ pbs_keep_yearly }}"
	16	register: result
	17	changed_when: false
	18	failed_when: result.rc not in [255]
	19
	20	- name: create backup admin
	21	command:
	22	cmd: "proxmox-backup-manager user create {{ pbs_admin }} --password {{ pbs_admin_password }}"
	23	register: result
	24	changed_when: false
	25	failed_when: result.rc not in [255]
	26
	27	- name: assign permissions for backup admin
	28	changed_when: false
	29	command:
	30	cmd: "proxmox-backup-manager acl update / Admin --auth-id {{ pbs_admin }}"
	31
	32	- name: create backup user
	33	command:
	34	cmd: "proxmox-backup-manager user create {{ pbs_user }} --password {{ pbs_password }}"
	35	register: result
	36	failed_when: result.rc not in [255]
	37	changed_when: false
	38
	39	- name: assign permissions for backup user
	40	changed_when: false
	41	command:
	42	cmd: "proxmox-backup-manager acl update / DatastoreBackup --auth-id {{ pbs_user }}"


diff --git a/roles/proxmox/pve_backup/tasks/main.yml b/roles/proxmox/pve_backup/tasks/main.yml new file mode 100644 index 0000000..eba51d9 --- /dev/null +++ b/roles/proxmox/pve_backup/tasks/main.yml
@@ -0,0 +1,17 @@
	1	- name: create cron job for root backup of proxmox ve
	2	cron:
	3	name: "proxmox / backup"
	4	cron_file: backup
	5	hour: "23"
	6	minute: "0"
	7	user: root
	8	job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup root.pxar:/ --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"
	9
	10	- name: create cron job for /etc/pve backup of proxmox ve
	11	cron:
	12	name: "proxmox /etc/pve backup"
	13	cron_file: backup
	14	hour: "23"
	15	minute: "0"
	16	user: root
	17	job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup pve.pxar:/etc/pve --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"


diff --git a/roles/proxmox/system/defaults/main.yml b/roles/proxmox/system/defaults/main.yml new file mode 100644 index 0000000..0091ea1 --- /dev/null +++ b/roles/proxmox/system/defaults/main.yml
@@ -0,0 +1,8 @@
	1	username: vmadmin
	2	ssh_public_key: changme
	3	oath_key: changeme
	4	raid_id: "0"
	5	raid_level: "1"
	6	raid_devices: "/dev/sda1 /dev/sdb1"
	7	raid_name: "prometheus:0"
	8


diff --git a/roles/proxmox/system/tasks/main.yml b/roles/proxmox/system/tasks/main.yml new file mode 100644 index 0000000..ac84900 --- /dev/null +++ b/roles/proxmox/system/tasks/main.yml
@@ -0,0 +1,30 @@
	1	---
	2	- name: remove enterprise repo
	3	file:
	4	path: /etc/apt/sources.list.d/pve-enterprise.list
	5	state: absent
	6
	7	- name: add proxmox no subscription repo
	8	apt_repository:
	9	repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
	10
	11	- name: create non-root user
	12	user:
	13	name: "{{ proxmox_username }}"
	14	groups:
	15	- sudo
	16	shell: /bin/bash
	17
	18	- name: give passwordless sudo to sudo group
	19	lineinfile:
	20	path: /etc/sudoers
	21	state: present
	22	regexp: '^%sudo'
	23	line: '%sudo ALL=(ALL) NOPASSWD: ALL'
	24	validate: '/usr/sbin/visudo -cf %s'
	25
	26	- name: deploy ssh public key
	27	authorized_key:
	28	user: "{{ proxmox_username }}"
	29	state: present
	30	key: "{{ lookup('file', 'data/common/id_rsa.pub') }}"


diff --git a/roles/proxmox/system/tasks/proxmox_repo.yml b/roles/proxmox/system/tasks/proxmox_repo.yml new file mode 100644 index 0000000..bf2508d --- /dev/null +++ b/roles/proxmox/system/tasks/proxmox_repo.yml
@@ -0,0 +1,8 @@
	1	- name: remove enterprise repo
	2	file:
	3	path: /etc/apt/sources.list.d/pve-enterprise.list
	4	state: absent
	5
	6	- name: add proxmox no subscription repo
	7	apt_repository:
	8	repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription


diff --git a/roles/proxmox/system/tasks/user.yml b/roles/proxmox/system/tasks/user.yml new file mode 100644 index 0000000..2ba337a --- /dev/null +++ b/roles/proxmox/system/tasks/user.yml
@@ -0,0 +1,28 @@
	1	- name: create non-root user
	2	user:
	3	name: "{{ username }}"
	4	password: "{{ password \| password_hash('sha512') }}"
	5	groups:
	6	- sudo
	7	shell: /bin/bash
	8	update_password: on_create
	9	register: newuser
	10
	11	- name: ensure primary user group exists
	12	group:
	13	name: "{{ username }}"
	14	state: present
	15
	16	- name: give passwordless sudo to sudo group
	17	lineinfile:
	18	path: /etc/sudoers
	19	state: present
	20	regexp: '^%sudo'
	21	line: '%sudo ALL=(ALL) NOPASSWD: ALL'
	22	validate: '/usr/sbin/visudo -cf %s'
	23
	24	- name: deploy ssh public key
	25	authorized_key:
	26	user: "{{ username }}"
	27	state: present
	28	key: "{{ ssh_public_key }}"