From 95b73daa36b23565a8566f71f9b202d3459b685f Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 25 Jun 2023 09:52:36 -0400
Subject: Initial Commit
---
roles/proxmox/cloudinit_guest/defaults/main.yml | 7 ++
roles/proxmox/cloudinit_guest/tasks/main.yml | 80 ++++++++++++++
roles/proxmox/debian_cloudinit/defaults/main.yml | 8 ++
roles/proxmox/debian_cloudinit/tasks/main.yml | 115 +++++++++++++++++++
roles/proxmox/fedora_cloudinit/defaults/main.yml | 8 ++
roles/proxmox/fedora_cloudinit/tasks/main.yml | 122 +++++++++++++++++++++
roles/proxmox/proxmox_backup_server/tasks/main.yml | 42 +++++++
roles/proxmox/pve_backup/tasks/main.yml | 17 +++
roles/proxmox/system/defaults/main.yml | 8 ++
roles/proxmox/system/tasks/main.yml | 30 +++++
roles/proxmox/system/tasks/proxmox_repo.yml | 8 ++
roles/proxmox/system/tasks/user.yml | 28 +++++
12 files changed, 473 insertions(+)
create mode 100644 roles/proxmox/cloudinit_guest/defaults/main.yml
create mode 100644 roles/proxmox/cloudinit_guest/tasks/main.yml
create mode 100644 roles/proxmox/debian_cloudinit/defaults/main.yml
create mode 100644 roles/proxmox/debian_cloudinit/tasks/main.yml
create mode 100644 roles/proxmox/fedora_cloudinit/defaults/main.yml
create mode 100644 roles/proxmox/fedora_cloudinit/tasks/main.yml
create mode 100644 roles/proxmox/proxmox_backup_server/tasks/main.yml
create mode 100644 roles/proxmox/pve_backup/tasks/main.yml
create mode 100644 roles/proxmox/system/defaults/main.yml
create mode 100644 roles/proxmox/system/tasks/main.yml
create mode 100644 roles/proxmox/system/tasks/proxmox_repo.yml
create mode 100644 roles/proxmox/system/tasks/user.yml
(limited to 'roles/proxmox')
diff --git a/roles/proxmox/cloudinit_guest/defaults/main.yml b/roles/proxmox/cloudinit_guest/defaults/main.yml
new file mode 100644
index 0000000..a562ff3
--- /dev/null
+++ b/roles/proxmox/cloudinit_guest/defaults/main.yml
@@ -0,0 +1,7 @@
+vm_onboot: yes
+vm_agent: yes
+vm_bridge: vmbr0
+vm_full_clone: yes
+memory_size: 512
+cpu_cores: 1
+cpu_sockets: 1
diff --git a/roles/proxmox/cloudinit_guest/tasks/main.yml b/roles/proxmox/cloudinit_guest/tasks/main.yml
new file mode 100644
index 0000000..ab958dc
--- /dev/null
+++ b/roles/proxmox/cloudinit_guest/tasks/main.yml
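Review bot: `vm_onboot: yes`, `vm_agent: yes` and `vm_full_clone: yes` are YAML 1.1 truthy spellings that yamllint's `truthy` rule flags and that a YAML 1.2 loader reads as the string `yes`; writing `true` keeps the meaning stable across loaders and lets `"{{ vm_onboot }}"` in the tasks file render a real boolean. The same spelling appears as `become: yes` throughout the tasks files in this commit, so converting them together keeps the style consistent.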
@@ -0,0 +1,80 @@
+- name: check if id already exists
+ stat:
+ path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
+ register: stat_result
+
+- meta: end_play
+ when: stat_result.stat.exists
+
+- name: install packages
+ package:
+ name:
+ - python3-pip
+ - python3-requests
+
+- name: ensure latest version of proxmoxer is installed
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ pip:
+ name: proxmoxer==2.0.0
+
+- name: remove any existing api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
+
+- name: create api token
+ register: api_token
+ changed_when: result.rc == 0
+ args:
+ executable: /bin/bash
+ shell: |
+ set -eo pipefail
+ pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+
+
+- name: clone template and create guest
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ community.general.proxmox_kvm:
+ api_host: proxmox.home.local
+ api_user: "{{ proxmox_api_user }}"
+ api_token_id: "ansible"
+ api_token_secret: "{{ api_token.stdout }}"
+ node: proxmox
+ full: "{{ vm_full_clone }}"
+ clone: arbitrary
+ vmid: "{{ template_id }}"
+ newid: "{{ vm_id }}"
+ name: "{{ vm_name }}"
+ memory: "{{ memory_size }}"
+ sockets: "{{ cpu_sockets }}"
+ cores: "{{ cpu_cores }}"
+ bios: "{{ bios_type }}"
+ ipconfig:
+ ipconfig0: "ip={{ ip_addr }},gw={{ gateway }}"
+ net:
+ net0: "virtio,bridge={{ vm_bridge }},tag={{ vm_vlan }}"
+ nameservers: "{{ nameserver }}"
+ onboot: "{{ vm_onboot }}"
+ agent: "{{ vm_agent }}"
+ state: present
+
+- name: start vmn
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ community.general.proxmox_kvm:
+ api_host: proxmox.home.local
+ api_user: "{{ proxmox_api_user }}"
+ api_token_id: "ansible"
+ api_token_secret: "{{ api_token.stdout }}"
+ node: proxmox
+ vmid: "{{ vm_id }}"
+ state: started
+
+- name: remove api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/debian_cloudinit/defaults/main.yml b/roles/proxmox/debian_cloudinit/defaults/main.yml
new file mode 100644
index 0000000..dfebf34
--- /dev/null
+++ b/roles/proxmox/debian_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
+ci_target_dir: "/home/{{ci_user}}"
+ci_memory_size: 512
+ci_base_id: 1000
+ci_disk_size: "10G"
+ci_storage: "local-lvm"
+ci_user: "initadmin"
+ssh_key_local: /home/sam/.ssh/id_rsa.pub
+ssh_key_dest: /home/vmadmin/ci_sshkey
diff --git a/roles/proxmox/debian_cloudinit/tasks/main.yml b/roles/proxmox/debian_cloudinit/tasks/main.yml
new file mode 100644
index 0000000..8ed7dfd
--- /dev/null
+++ b/roles/proxmox/debian_cloudinit/tasks/main.yml
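Review bot: `changed_when: result.rc == 0` on the `create api token` task evaluates the previous task's `result`, not the `api_token` this task registers, so its change status is wrong; it should read `changed_when: api_token.rc == 0`. The registered `api_token.stdout` is the secret of a token created with `--privsep 0` (privilege separation off, so it carries the full permissions of vmadmin@pam), and neither that task nor the two `proxmox_kvm` tasks that pass `api_token_secret` set `no_log: true`, so the secret is written to task output and logs on any verbose or failing run. The `remove api token` task only runs if every task before it succeeds, so a failed clone leaves a live full-privilege token behind; wrapping the create/clone/start tasks in a `block:` with the removal in `always:` guarantees cleanup. The opening `stat` checks `{{ ci_base_id }}` (the template id in the sibling roles, and not defined in this role's defaults) and then `meta: end_play` ends the entire play rather than this role; presumably the guard was meant to test `vm_id`. The wrong `changed_when` variable and the missing `no_log` recur in the debian_cloudinit and fedora_cloudinit tasks hunks below.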
@@ -0,0 +1,115 @@
+- name: check if id already exists
+ stat:
+ path: "/etc/pve/qemu-server/{{ ci_base_id }}.conf"
+ register: stat_result
+
+- meta: end_play
+ when: stat_result.stat.exists
+
+- name: install packages
+ package:
+ name:
+ - python3-pip
+ - python3-requests
+
+- name: ensure latest version of proxmoxer is installed
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ pip:
+ name: proxmoxer==2.0.0
+
+- name: download the hashes
+ get_url:
+ url: "https://cloud.debian.org/images/cloud/bookworm/latest/SHA512SUMS"
+ dest: "{{ ci_target_dir }}"
+
+- name: get the hash
+ changed_when: false
+ args:
+ executable: /bin/bash
+ shell: |
+ set -eo pipefail
+ grep debian-12-genericcloud-amd64.qcow2 {{ ci_target_dir }}/SHA512SUMS | cut -d ' ' -f 1
+ register: sha512sum
+
+- name: download the cloud image
+ get_url:
+ url: "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2"
+ dest: "{{ ci_target_dir }}"
+ checksum: "sha512:{{ sha512sum.stdout }}"
+
+- name: remove any existing api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
+
+- name: create api token
+ register: api_token
+ changed_when: result.rc == 0
+ args:
+ executable: /bin/bash
+ shell: |
+ set -eo pipefail
+ pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+
+- name: create vm
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ community.general.proxmox_kvm:
+ api_host: proxmox.home.local
+ api_user: "{{ proxmox_api_user }}"
+ api_token_id: "ansible"
+ api_token_secret: "{{ api_token.stdout }}"
+ node: proxmox
+ # basic settings
+ vmid: "{{ ci_base_id }}"
+ memory: "{{ ci_memory_size }}"
+ sockets: "{{ cpu_sockets }}"
+ cores: "{{ cpu_cores }}"
+ bios: "{{ bios_type }}"
+ agent: "{{ vm_agent }}"
+ state: "present"
+ # display settings
+ serial:
+ "serial0": "socket"
+ vga: "serial0"
+ # disks and
boot settings
+ scsihw: "virtio-scsi-pci"
+ ide:
+ ide2: "{{ ci_storage }}:cloudinit"
+ boot: "c"
+ bootdisk: "scsi0"
+ onboot: "{{ vm_onboot }}"
+ # cloud-init
+ citype: "nocloud"
+ ciuser: "{{ ci_user }}"
+ cipassword: "{{ ci_password }}"
+ sshkeys: "{{ ci_sshkey }}"
+ # network
+ net:
+ net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
+ nameservers: "{{ nameserver }}"
+ template: "yes"
+
+- name: import the cloud image
+ changed_when: false
+ command:
+ cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/debian-12-genericcloud-amd64.qcow2 {{ ci_storage }}"
+ creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
+
+- name: attach the cloud image as a new disk
+ changed_when: false
+ command:
+ cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
+
+- name: resize disk to standard size
+ changed_when: false
+ command:
+ cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
+
+- name: remove api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/fedora_cloudinit/defaults/main.yml b/roles/proxmox/fedora_cloudinit/defaults/main.yml
new file mode 100644
index 0000000..fb44657
--- /dev/null
+++ b/roles/proxmox/fedora_cloudinit/defaults/main.yml
@@ -0,0 +1,8 @@
+ci_target_dir: "/home/{{ci_user}}"
+ci_memory_size: 512
+ci_base_id: 1001
+ci_storage: "local-lvm"
+ci_disk_size: "10G"
+ci_user: "initadmin"
+ssh_key_local: files/id_rsa.pub
+ssh_key_dest: /tmp/ci_sshkey
diff --git a/roles/proxmox/fedora_cloudinit/tasks/main.yml b/roles/proxmox/fedora_cloudinit/tasks/main.yml
new file mode 100644
index 0000000..61ed185
--- /dev/null
+++ b/roles/proxmox/fedora_cloudinit/tasks/main.yml
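Review bot: The `create vm` task passes `cipassword: "{{ ci_password }}"` and `api_token_secret: "{{ api_token.stdout }}"` to the module without `no_log: true`, so both secrets appear in the module arguments on a verbose run and in the failure output if the API call errors; add `no_log: true` to that task and to `create api token`. `download the hashes` fetches SHA512SUMS from the same origin as the image with no signature check, so the `checksum:` on `download the cloud image` only detects a corrupted transfer, not a substituted image; the fedora role in this same commit at least runs `gpg --verify` on its checksum file, and Debian publishes a detached signature for SHA512SUMS that could be verified the same way before the hash is trusted. `changed_when: false` on `import the cloud image` contradicts its own `creates:` guard, which exists precisely because the command changes host state, and `attach the cloud image as a new disk` and `resize disk to standard size` are likewise marked unchanged while having no guard at all, so they re-run on every play. The `create vm` task is split across two physical lines in this rendering (`# disks and` / `boot settings`) but is one task.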
@@ -0,0 +1,122 @@
+- name: download the hashes
+ get_url:
+ url: "https://getfedora.org/static/checksums/36/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
+ dest: "{{ ci_target_dir }}"
+
+- name: install gpg
+ package:
+ name: gnupg
+ state: latest
+
+- name: download the GPG key
+ get_url:
+ url: "https://getfedora.org/static/fedora.gpg"
+ dest: "{{ ci_target_dir }}"
+
+- name: import gpg key
+ changed_when: false
+ args:
+ executable: /bin/bash
+ shell: |
+ set -eo pipefail
+ cat {{ ci_target_dir }}/fedora.gpg | gpg --import
+
+- name: verify checksum file
+ command:
+ cmd: "gpg --verify {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
+ register: result
+ changed_when: false
+ failed_when: result.rc > 0
+
+- name: fail if unable to gpg verify checksums
+ fail:
+ msg: "failed to verify the checksums"
+ when: result.rc > 0
+
+- name: get the hash
+ shell:
+ cmd: "grep 'qcow2)' {{ ci_target_dir }}/Fedora-Cloud-36-1.5-x86_64-CHECKSUM | cut -d '=' -f 2 | tr -d ' '"
+ changed_when: false
+ register: sha256sum
+
+- name: download the cloud image
+ get_url:
+ url: "https://download.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
+ dest: "{{ ci_target_dir }}"
+ checksum: "sha256:{{ sha256sum.stdout }}"
+
+- name: remove any existing api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
+
+- name: create api token
+ register: api_token
+ changed_when: result.rc == 0
+ args:
+ executable: /bin/bash
+ shell: |
+ set -eo pipefail
+ pveum user token add vmadmin@pam ansible --privsep 0 --output-format yaml | grep value | cut -d ' ' -f 2
+
+- name: create vm
+ become: yes
+ become_user: "{{ proxmox_username }}"
+ community.general.proxmox_kvm:
+ api_host: proxmox.home.local
+ api_user: "{{ proxmox_api_user }}"
+ api_token_id: "ansible"
+ api_token_secret: "{{ api_token.stdout }}"
+ node: proxmox
+ # basic settings
+ vmid: "{{ ci_base_id }}"
+ memory: "{{ ci_memory_size }}"
+ sockets: "{{ cpu_sockets }}"
+ cores: "{{ cpu_cores }}"
+ bios: "{{ bios_type }}"
+ agent: "{{ vm_agent }}"
+ state: "present"
+ # display settings
+ serial:
+ "serial0": "socket"
+ vga: "serial0"
+ # disks and boot settings
+ scsihw: "virtio-scsi-pci"
+ ide:
+ ide2: "{{ ci_storage }}:cloudinit"
+ boot: "c"
+ bootdisk: "scsi0"
+ onboot: "{{ vm_onboot }}"
+ # cloud-init
+ citype: "nocloud"
+ ciuser: "{{ ci_user }}"
+ cipassword: "{{ ci_password }}"
+ sshkeys: "{{ ci_sshkey }}"
+ # network
+ net:
+ net0: "virtio,bridge={{ ci_bridge }},tag={{ ci_vlan }}"
+ nameservers: "{{ nameserver }}"
+ template: "yes"
+
+- name: import the cloud image
+ changed_when: false
+ command:
+ cmd: "qm importdisk {{ ci_base_id }} {{ ci_target_dir }}/Fedora-Cloud-Base-36-1.5.x86_64.qcow2 {{ ci_storage }}"
+ creates: "/dev/pve/vm-{{ ci_base_id }}-disk-0"
+
+- name: attach the cloud image as a new disk
+ changed_when: false
+ command:
+ cmd: "qm set {{ ci_base_id }} --scsi0 {{ ci_storage }}:vm-{{ ci_base_id }}-disk-0"
+
+- name: resize disk to standard size
+ changed_when: false
+ command:
+ cmd: "qm resize {{ ci_base_id }} scsi0 {{ ci_disk_size }}"
+
+- name: remove api token
+ command: "pveum user token remove vmadmin@pam ansible"
+ register: result
+ changed_when: result.rc == 0
+ failed_when: result.rc not in [0,255]
diff --git a/roles/proxmox/proxmox_backup_server/tasks/main.yml b/roles/proxmox/proxmox_backup_server/tasks/main.yml
new file mode 100644
index 0000000..3e91a19
--- /dev/null
+++ b/roles/proxmox/proxmox_backup_server/tasks/main.yml
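Review bot: The `fail if unable to gpg verify checksums` task is unreachable, because `verify checksum file` already has `failed_when: result.rc > 0` and a failed task stops the host before the `fail` task is evaluated; one of the two should go. The `gpg --verify` step only proves the CHECKSUM file is signed by some key in the keyring, and the only key this role imports is `fedora.gpg` fetched seconds earlier from the same HTTPS origin as the checksum, so it adds little beyond the TLS download unless the expected signing key is pinned, for example by shipping the key under the role's `files/` and importing that copy instead of downloading it. `state: latest` on `install gpg` upgrades gnupg and reports changed on every run; `state: present` is the usual choice for a tool dependency. The `create vm` task here has the same missing `no_log: true` for `cipassword` and `api_token_secret` noted on the cloudinit_guest hunk, and it begins on the previous physical line.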
@@ -0,0 +1,42 @@
+- name: add proxmox backup repo
+ apt_repository:
+ repo: deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription
+ state: present
+ update_cache: yes
+
+- name: install proxmox backup server and client
+ package:
+ name:
+ - proxmox-backup-server
+ - proxmox-backup-client
+
+- name: create datastore
+ command:
+ cmd: "proxmox-backup-manager datastore create {{ pbs_datastore }} {{ pbs_datastore_path }} --keep-last {{ pbs_keep_last }} --keep-daily {{ pbs_keep_daily }} --keep-weekly {{ pbs_keep_weekly }} --keep-monthly {{ pbs_keep_monthly }} --keep-yearly {{ pbs_keep_yearly }}"
+ register: result
+ changed_when: false
+ failed_when: result.rc not in [255]
+
+- name: create backup admin
+ command:
+ cmd: "proxmox-backup-manager user create {{ pbs_admin }} --password {{ pbs_admin_password }}"
+ register: result
+ changed_when: false
+ failed_when: result.rc not in [255]
+
+- name: assign permissions for backup admin
+ changed_when: false
+ command:
+ cmd: "proxmox-backup-manager acl update / Admin --auth-id {{ pbs_admin }}"
+
+- name: create backup user
+ command:
+ cmd: "proxmox-backup-manager user create {{ pbs_user }} --password {{ pbs_password }}"
+ register: result
+ failed_when: result.rc not in [255]
+ changed_when: false
+
+- name: assign permissions for backup user
+ changed_when: false
+ command:
+ cmd: "proxmox-backup-manager acl update / DatastoreBackup --auth-id {{ pbs_user }}"
diff --git a/roles/proxmox/pve_backup/tasks/main.yml b/roles/proxmox/pve_backup/tasks/main.yml
new file mode 100644
index 0000000..eba51d9
--- /dev/null
+++ b/roles/proxmox/pve_backup/tasks/main.yml
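Review bot: `failed_when: result.rc not in [255]` on `create datastore`, `create backup admin` and `create backup user` fails the task when the command succeeds with rc 0, so a first run of this role cannot complete; the intent is presumably `failed_when: result.rc not in [0, 255]`, paired with `changed_when: result.rc == 0` rather than `changed_when: false`. `--password {{ pbs_admin_password }}` and `--password {{ pbs_password }}` place the passwords on the command line, where they are visible in the host's process list and in the task invocation Ansible prints; those two tasks need `no_log: true` at minimum. The repository line targets `bullseye` while the pve system role in this commit uses `bookworm`; if PBS and PVE share a host this mixes Debian releases, so confirm which is intended. The `apt_repository` task adds the repo without referencing its signing key, which apt will reject unless the Proxmox key is already present on the host.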
@@ -0,0 +1,17 @@
+- name: create cron job for root backup of proxmox ve
+ cron:
+ name: "proxmox / backup"
+ cron_file: backup
+ hour: "23"
+ minute: "0"
+ user: root
+ job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup root.pxar:/ --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"
+
+- name: create cron job for /etc/pve backup of proxmox ve
+ cron:
+ name: "proxmox /etc/pve backup"
+ cron_file: backup
+ hour: "23"
+ minute: "0"
+ user: root
+ job: "PBS_PASSWORD='{{ pbs_password }}' PBS_FINGERPRINT={{ pbs_fingerprint }} proxmox-backup-client backup pve.pxar:/etc/pve --repository {{ pbs_user }}@{{ pbs_host }}:{{ pbs_datastore }}"
diff --git a/roles/proxmox/system/defaults/main.yml b/roles/proxmox/system/defaults/main.yml
new file mode 100644
index 0000000..0091ea1
--- /dev/null
+++ b/roles/proxmox/system/defaults/main.yml
@@ -0,0 +1,8 @@
+username: vmadmin
+ssh_public_key: changme
+oath_key: changeme
+raid_id: "0"
+raid_level: "1"
+raid_devices: "/dev/sda1 /dev/sdb1"
+raid_name: "prometheus:0"
+
diff --git a/roles/proxmox/system/tasks/main.yml b/roles/proxmox/system/tasks/main.yml
new file mode 100644
index 0000000..ac84900
--- /dev/null
+++ b/roles/proxmox/system/tasks/main.yml
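Review bot: Both cron entries embed `PBS_PASSWORD='{{ pbs_password }}'` in the job line, so the password is stored in clear text in `/etc/cron.d/backup` (written by the cron module with its default, normally world-readable, mode) and shows in the process environment each night; the cron tasks also lack `no_log: true`, so it is printed with the task. proxmox-backup-client can read the password via `PBS_PASSWORD_FILE`, so writing the secret once to a root-only (`0600`) file with a `copy` task marked `no_log: true` and pointing the jobs at that file keeps it out of the crontab and the task output. Both jobs fire at 23:00 against the same repository; a single invocation `proxmox-backup-client backup root.pxar:/ pve.pxar:/etc/pve --repository ...` avoids two concurrent backups of one host.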
@@ -0,0 +1,30 @@
+---
+- name: remove enterprise repo
+ file:
+ path: /etc/apt/sources.list.d/pve-enterprise.list
+ state: absent
+
+- name: add proxmox no subscription repo
+ apt_repository:
+ repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+
+- name: create non-root user
+ user:
+ name: "{{ proxmox_username }}"
+ groups:
+ - sudo
+ shell: /bin/bash
+
+- name: give passwordless sudo to sudo group
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ validate: '/usr/sbin/visudo -cf %s'
+
+- name: deploy ssh public key
+ authorized_key:
+ user: "{{ proxmox_username }}"
+ state: present
+ key: "{{ lookup('file', 'data/common/id_rsa.pub') }}"
diff --git a/roles/proxmox/system/tasks/proxmox_repo.yml b/roles/proxmox/system/tasks/proxmox_repo.yml
new file mode 100644
index 0000000..bf2508d
--- /dev/null
+++ b/roles/proxmox/system/tasks/proxmox_repo.yml
@@ -0,0 +1,8 @@
+- name: remove enterprise repo
+ file:
+ path: /etc/apt/sources.list.d/pve-enterprise.list
+ state: absent
+
+- name: add proxmox no subscription repo
+ apt_repository:
+ repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
diff --git a/roles/proxmox/system/tasks/user.yml b/roles/proxmox/system/tasks/user.yml
new file mode 100644
index 0000000..2ba337a
--- /dev/null
+++ b/roles/proxmox/system/tasks/user.yml
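Review bot: The tasks in `system/tasks/main.yml` duplicate `proxmox_repo.yml` and `user.yml` from the same commit (the next two hunks), but `main.yml` never imports those files, so two copies of the repo and user tasks now exist and already disagree (`proxmox_username` here vs `username` there, a hard-coded `lookup('file', 'data/common/id_rsa.pub')` here vs the `ssh_public_key` variable there); reduce `main.yml` to `- import_tasks: proxmox_repo.yml` and `- import_tasks: user.yml` so there is one source of truth. `%sudo ALL=(ALL) NOPASSWD: ALL` grants password-less root to every member of the sudo group rather than to the single account this role creates; scoping the rule to `{{ proxmox_username }}` in an `/etc/sudoers.d/` drop-in keeps the `validate:` check and limits what a stolen SSH key for any other sudo member can do. `add proxmox no subscription repo` does not reference a signing key, which is fine on a Proxmox install where the key is already present but will make apt refuse the repository on a plain Debian host.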
@@ -0,0 +1,28 @@
+- name: create non-root user
+ user:
+ name: "{{ username }}"
+ password: "{{ password | password_hash('sha512') }}"
+ groups:
+ - sudo
+ shell: /bin/bash
+ update_password: on_create
+ register: newuser
+
+- name: ensure primary user group exists
+ group:
+ name: "{{ username }}"
+ state: present
+
+- name: give passwordless sudo to sudo group
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ validate: '/usr/sbin/visudo -cf %s'
+
+- name: deploy ssh public key
+ authorized_key:
+ user: "{{ username }}"
+ state: present
+ key: "{{ ssh_public_key }}"
-- cgit v1.2.3
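Review bot: `ensure primary user group exists` runs after `create non-root user`, and on Debian-family hosts `useradd` already creates a matching primary group, so in this order the `group` task is a no-op; move it before the `user` task or drop it. `register: newuser` is never read by a later task and can be removed. The role's defaults set `ssh_public_key: changme` (sic), so a caller that forgets to override it hands `deploy ssh public key` the literal placeholder; an `assert` at the top of the file, `that: "ssh_public_key != 'changme'"`, fails fast with a clear message instead of a confusing module error. `password_hash('sha512')` without a fixed salt produces a different hash on every run, which `update_password: on_create` correctly neutralises, so that part is fine as written.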