authorheqnx <root@heqnx.com>2025-06-22 20:19:31 +0300
committerheqnx <root@heqnx.com>2025-06-22 20:19:31 +0300
commita6ec8f8947e1d6e56d1c0af6b67af2e7468ef98f (patch)
tree9648fbb43104e577379374088c9e6975d06dbc6b
parent64a84a53c783665b7ff1aa20e4cb370001fb8162 (diff)
downloadansible-pve-host-a6ec8f8947e1d6e56d1c0af6b67af2e7468ef98f.tar.gz
ansible-pve-host-a6ec8f8947e1d6e56d1c0af6b67af2e7468ef98f.zip
initial commit on working deployment
-rw-r--r--.gitignore4
-rw-r--r--files/pve-no-subscription.list9
-rw-r--r--files/pveproxy1
-rw-r--r--inventory.yaml.example13
-rw-r--r--main.yaml8
-rw-r--r--tasks/configure_pve.yaml55
-rw-r--r--tasks/install_proxmox_on_debian12.yaml110
-rw-r--r--templates/hosts.j27
-rw-r--r--templates/interfaces.j223
-rw-r--r--templates/rules.v4.j213
-rw-r--r--vars/main.yaml14
11 files changed, 257 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5b3407f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+inventory.yaml
+*.pub
+*rsa*
+*ed25519*
diff --git a/files/pve-no-subscription.list b/files/pve-no-subscription.list
new file mode 100644
index 0000000..9635109
--- /dev/null
+++ b/files/pve-no-subscription.list
@@ -0,0 +1,9 @@
+deb http://ftp.debian.org/debian bookworm main contrib
+deb http://ftp.debian.org/debian bookworm-updates main contrib
+
+# Proxmox VE pve-no-subscription repository provided by proxmox.com,
+# NOT recommended for production use
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+
+# security updates
+deb http://security.debian.org/debian-security bookworm-security main contrib
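Review bot: The Proxmox entry on the `deb http://download.proxmox.com/...` line carries no `[signed-by=...]` option, and the companion task drops the release key into /etc/apt/trusted.gpg.d, where apt honours it for every configured repository — including the Debian mirrors above — rather than for the Proxmox repository alone. Scoping it, `deb [signed-by=/usr/share/keyrings/proxmox-release-bookworm.gpg] http://download.proxmox.com/debian/pve bookworm pve-no-subscription`, with the key downloaded to /usr/share/keyrings instead, limits what that one key can vouch for. All four entries also use plain http; apt still verifies the Release signatures, but both deb.debian.org and download.proxmox.com serve https, which at least hides which packages the host pulls from an on-path observer.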
diff --git a/files/pveproxy b/files/pveproxy
new file mode 100644
index 0000000..98dea93
--- /dev/null
+++ b/files/pveproxy
@@ -0,0 +1 @@
+LISTEN_IP="127.0.0.1"
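Review bot: `LISTEN_IP="127.0.0.1"` is the only thing in this commit keeping port 8006 off the public interface, since the accompanying filter rules accept everything on INPUT, yet the file does not record that this is deliberate; a comment above the line, `# bind pveproxy to loopback: reach the UI via ssh -L 8006:127.0.0.1:8006 root@<host>`, would stop the next operator from reverting it. If spiceproxy does not read this file on the installed version, it presumably still listens on the wildcard address on 3128 — worth confirming on the deployed host.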
diff --git a/inventory.yaml.example b/inventory.yaml.example
new file mode 100644
index 0000000..6f27497
--- /dev/null
+++ b/inventory.yaml.example
@@ -0,0 +1,13 @@
+all:
+ hosts:
+ server01:
+ ansible_host: 10.11.12.13
+ ansible_user: root
+ ansible_ssh_private_key_file: id_rsa
+ hostname: proxmox-ve-test
+ nat_subnet: 10.10.10.0/24
+ nat_bridge_ip: 10.10.10.1
+ children:
+ servers:
+ hosts:
+ server01: {}
diff --git a/main.yaml b/main.yaml
new file mode 100644
index 0000000..7c449f9
--- /dev/null
+++ b/main.yaml
@@ -0,0 +1,8 @@
+- name: setup server01
+ hosts: server01
+ gather_facts: true
+ vars_files:
+ - vars/main.yaml
+ tasks:
+ - import_tasks: tasks/install_proxmox_on_debian12.yaml
+ - import_tasks: tasks/configure_pve.yaml
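Review bot: The play is pinned to the single inventory name `hosts: server01`, while inventory.yaml.example defines a `servers` group whose only member is that host; adding a second node to the group would be silently ignored. `hosts: servers` keeps the play and the example inventory in step and makes the play name, "setup server01", worth generalising too.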
diff --git a/tasks/configure_pve.yaml b/tasks/configure_pve.yaml
new file mode 100644
index 0000000..73ef36f
--- /dev/null
+++ b/tasks/configure_pve.yaml
@@ -0,0 +1,55 @@
+- name: detect default public interface
+ set_fact:
+ public_interface: "{{ ansible_default_ipv4.interface }}"
+
+- name: get gateway info from ip route
+ shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
+ register: detected_gateway
+ changed_when: false
+
+- name: set public gateway fact
+ set_fact:
+ public_gateway: "{{ detected_gateway.stdout }}"
+
+- name: deploy /etc/network/interfaces
+ template:
+ src: interfaces.j2
+ dest: /etc/network/interfaces
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: set pveproxy config
+ copy:
+ src: files/pveproxy
+ dest: /etc/default/pveproxy
+ mode: '0644'
+
+- name: deploy /etc/iptables/rules.v4
+ template:
+ src: rules.v4.j2
+ dest: /etc/iptables/rules.v4
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: enable ipv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ state: present
+ reload: yes
+
+- name: restart pveproxy
+ systemd:
+ name: pveproxy
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
+
+- name: restart networking
+ systemd:
+ name: networking
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
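Review bot: Nothing validates `public_gateway` before /etc/network/interfaces is templated and `networking` restarted: the `ip route get 1.1.1.1 | grep ... | head -n1` pipeline returns rc 0 even when `ip route get` fails (the pipeline's status is `head`'s), so an empty gateway yields a `gateway ` line in the template and a restart that can lock the operator out of a remote host. Adding `set -o pipefail` plus an assert between the fact and the template guards the one step in this play that cannot be retried over SSH. Separately, the rules written to /etc/iptables/rules.v4 are never loaded here (the reboot happens earlier, in the install tasks), so the MASQUERADE rule only takes effect on the next boot; a `netfilter-persistent reload` task after the template would apply it immediately.

```yaml
- name: get gateway info from ip route
  shell: set -o pipefail; ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
  args:
    executable: /bin/bash
  register: detected_gateway
  changed_when: false

- name: set public gateway fact
  set_fact:
    public_gateway: "{{ detected_gateway.stdout }}"

- name: refuse to rewrite networking without a detected gateway
  assert:
    that:
      - public_gateway | length > 0
    fail_msg: "no default gateway detected; writing /etc/network/interfaces would lock the host out"

# … unchanged: deploy /etc/network/interfaces, pveproxy config, rules.v4, sysctl, restarts …
```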
diff --git a/tasks/install_proxmox_on_debian12.yaml b/tasks/install_proxmox_on_debian12.yaml
new file mode 100644
index 0000000..1a92aa5
--- /dev/null
+++ b/tasks/install_proxmox_on_debian12.yaml
@@ -0,0 +1,110 @@
+- name: ensure script is run as root
+ ansible.builtin.assert:
+ that:
+ - ansible_effective_user_id == 0
+ fail_msg: "this playbook must be run as root"
+
+- name: check if system is debian-based
+ ansible.builtin.command: dpkg -l
+ register: dpkg_check
+ changed_when: false
+ failed_when: false
+
+- name: fail if not debian-based
+ ansible.builtin.fail:
+ msg: "distribution not Debian-based"
+ when: dpkg_check.rc != 0
+
+- name: generate /etc/hosts from template
+ template:
+ src: templates/hosts.j2
+ dest: /etc/hosts
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: create /etc/apt/sources.list.d directory
+ ansible.builtin.file:
+ path: /etc/apt/sources.list.d
+ state: directory
+ mode: '0755'
+
+- name: deploy proxmox apt sources list
+ copy:
+ src: files/pve-no-subscription.list
+ dest: /etc/apt/sources.list.d/pve-no-subscription.list
+ mode: '0644'
+
+- name: create /etc/apt/trusted.gpg.d directory
+ file:
+ path: /etc/apt/trusted.gpg.d
+ state: directory
+ mode: '0755'
+
+- name: download proxmox gpg key
+ get_url:
+ url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
+ dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
+ mode: '0644'
+
+- name: verify proxmox gpg key hash
+ shell: echo "{{ gpg_key_hash }} /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg" | sha512sum -c
+ vars:
+ gpg_key_hash: "7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87"
+ register: gpg_hash_check
+ failed_when: gpg_hash_check.rc != 0
+ changed_when: false
+
+- name: update apt packages
+ apt:
+ update_cache: true
+
+- name: upgrade apt packages
+ apt:
+ upgrade: dist
+
+- name: install apt packages
+ apt:
+ name: "{{ apt_packages }}"
+ state: present
+ update_cache: true
+
+- name: reboot to activate proxmox ve kernel
+ reboot:
+ msg: "rebooting to activate proxmox ve kernel"
+ connect_timeout: 10
+ reboot_timeout: 600
+ pre_reboot_delay: 5
+ post_reboot_delay: 10
+
+- name: install pve packages
+ apt:
+ name: "{{ pve_packages }}"
+ state: present
+ update_cache: true
+
+- name: get current running kernel version
+ command: uname -r
+ register: current_kernel
+ changed_when: false
+
+- name: list installed debian kernel images
+ shell: dpkg -l | awk '/linux-image-[0-9]/{ print $2 }' | grep -v "{{ current_kernel.stdout }}"
+ register: kernels_to_remove
+ changed_when: false
+
+- name: remove debian default kernels (excluding current)
+ apt:
+ name: "{{ kernels_to_remove.stdout_lines }}"
+ state: absent
+ when: kernels_to_remove.stdout_lines | length > 0
+
+- name: update grub bootloader
+ command: update-grub
+ register: grub_update
+ changed_when: "'Generating grub configuration file' in grub_update.stdout"
+
+- name: remove problematic apt packages for pve
+ apt:
+ name: "{{ apt_packages_to_remove }}"
+ state: absent
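Review bot: The key is written straight into /etc/apt/trusted.gpg.d by `get_url` and only afterwards checked by the `sha512sum -c` shell task, so on a mismatch the play fails but the unverified key is already in place and trusted by apt on the next run or on the host. `get_url` verifies before installing if the hash is passed as `checksum: "sha512:{{ gpg_key_hash }}"` (moving the `vars:` block onto that task), which also lets the separate shell check and its redundant `failed_when` go. The kernel-removal step, `dpkg -l | awk ... | grep -v "{{ current_kernel.stdout }}"`, exits non-zero when every installed image matches the running kernel and `grep -v` prints nothing, failing the play on an already-converted host; `failed_when: kernels_to_remove.rc > 1` would treat "no match" as success.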
diff --git a/templates/hosts.j2 b/templates/hosts.j2
new file mode 100644
index 0000000..3d811dc
--- /dev/null
+++ b/templates/hosts.j2
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+{{ ansible_host }} {{ hostname }} {{ hostname }}
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
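Review bot: The generated line `{{ ansible_host }} {{ hostname }} {{ hostname }}` repeats the short name twice; if the intent was the usual `fqdn short` pair that Proxmox tooling expects the node name to resolve through, a separate `domain` variable is needed, e.g. `{{ ansible_host }} {{ hostname }}.{{ domain }} {{ hostname }}`. Note also that `ansible_host` is whatever the inventory uses to reach the box — an IP in the example, but a DNS name is equally valid there and would produce a broken hosts entry; a comment at the top of the template, `{# ansible_host must be the node's IPv4 address, not a DNS name #}`, records that constraint.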
diff --git a/templates/interfaces.j2 b/templates/interfaces.j2
new file mode 100644
index 0000000..7813093
--- /dev/null
+++ b/templates/interfaces.j2
@@ -0,0 +1,23 @@
+auto lo
+iface lo inet loopback
+
+auto {{ public_interface }}
+iface {{ public_interface }} inet manual
+
+auto vmbr0
+iface vmbr0 inet static
+ address {{ ansible_host }}
+ netmask 255.255.255.0
+ gateway {{ public_gateway }}
+ bridge_ports {{ public_interface }}
+ bridge_stp off
+ bridge_fd 0
+
+auto vmbr1
+iface vmbr1 inet static
+ address {{ nat_bridge_ip }}
+ netmask 255.255.255.0
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+
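Review bot: Both bridges hard-code `netmask 255.255.255.0`, even though `nat_subnet` is supplied as a CIDR and the public prefix is available from facts; a host on anything other than a /24 upstream gets a wrong mask on vmbr0 and loses connectivity when `networking` is restarted. Taking the mask from what the host already has, `netmask {{ ansible_default_ipv4.netmask }}`, and deriving vmbr1's from the variable, `address {{ nat_bridge_ip }}/{{ nat_subnet.split('/')[1] }}` (dropping its `netmask` line), keeps the template and the inventory from disagreeing. A header comment naming which variables the template consumes and where they come from would help the next reader, since `public_interface` and `public_gateway` are facts set in configure_pve.yaml rather than inventory values.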
diff --git a/templates/rules.v4.j2 b/templates/rules.v4.j2
new file mode 100644
index 0000000..6a0e54f
--- /dev/null
+++ b/templates/rules.v4.j2
@@ -0,0 +1,13 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
+COMMIT
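Review bot: The filter table leaves `:FORWARD ACCEPT` while the companion task sets `net.ipv4.ip_forward=1`, so the host forwards for anything that can route a packet through it, not only for guests on `{{ nat_subnet }}`; a default-drop FORWARD chain that admits return traffic plus the NAT subnet on vmbr1 is the usual minimum. The MASQUERADE rule also matches `-o {{ public_interface }}`, which is the physical NIC detected before the interfaces template enslaves it under vmbr0 and moves the address there — after that restart the routed output device is presumably vmbr0, so the rule may never match; confirm with the `iptables -t nat -L POSTROUTING -v` counters and consider dropping the `-o` match or pointing it at vmbr0.

```jinja
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmbr1 -s {{ nat_subnet }} -j ACCEPT
COMMIT

# … unchanged: *nat table with the MASQUERADE rule …
```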
diff --git a/vars/main.yaml b/vars/main.yaml
new file mode 100644
index 0000000..da2b829
--- /dev/null
+++ b/vars/main.yaml
@@ -0,0 +1,14 @@
+apt_packages:
+ - curl
+ - ca-certificates
+ - iptables-persistent
+ - proxmox-default-kernel
+
+pve_packages:
+ - proxmox-ve
+ - postfix
+ - open-iscsi
+ - chrony
+
+apt_packages_to_remove:
+ - os-prober