authorheqnx <root@heqnx.com>2025-06-22 21:37:01 +0300
committerheqnx <root@heqnx.com>2025-06-22 21:37:01 +0300
commita75493e62c8bd5f1daee90e7ee55bcd67b4b95b8 (patch)
tree3f0f0568529f22a9e429359035dc7f4ecdb92bc4
parenta6ec8f8947e1d6e56d1c0af6b67af2e7468ef98f (diff)
downloadansible-pve-host-a75493e62c8bd5f1daee90e7ee55bcd67b4b95b8.tar.gz
ansible-pve-host-a75493e62c8bd5f1daee90e7ee55bcd67b4b95b8.zip
added preflight, renamed tasks, added local non-pam user
-rw-r--r--main.yaml5
-rw-r--r--tasks/preflight.yaml17
-rw-r--r--tasks/pve_configure.yaml (renamed from tasks/configure_pve.yaml)34
-rw-r--r--tasks/pve_setup.yaml (renamed from tasks/install_proxmox_on_debian12.yaml)17
4 files changed, 54 insertions, 19 deletions
diff --git a/main.yaml b/main.yaml
index 7c449f9..39004b8 100644
--- a/main.yaml
+++ b/main.yaml
@@ -4,5 +4,6 @@
vars_files:
- vars/main.yaml
tasks:
- - import_tasks: tasks/install_proxmox_on_debian12.yaml
- - import_tasks: tasks/configure_pve.yaml
+ - import_tasks: tasks/preflight.yaml
+ - import_tasks: tasks/pve_setup.yaml
+ - import_tasks: tasks/pve_configure.yaml
diff --git a/tasks/preflight.yaml b/tasks/preflight.yaml
new file mode 100644
index 0000000..aef9dcf
--- /dev/null
+++ b/tasks/preflight.yaml
@@ -0,0 +1,17 @@
+- name: ensure script is run as root
+ ansible.builtin.assert:
+ that:
+ - ansible_effective_user_id == 0
+ fail_msg: "this playbook must be run as root"
+
+- name: check if system is debian-based
+ ansible.builtin.command: dpkg -l
+ register: dpkg_check
+ changed_when: false
+ failed_when: false
+
+- name: fail if not debian-based
+ ansible.builtin.fail:
+ msg: "distribution not Debian-based"
+ when: dpkg_check.rc != 0
+
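Review bot: In `check if system is debian-based`, a successful `dpkg -l` is a weak proxy for the platform: it lists every installed package only to read the return code, and it says nothing about the release the setup tasks expect. The first task already depends on gathered facts (`ansible_effective_user_id`), so both tasks could become one more condition in an assert, `- ansible_facts['os_family'] == 'Debian'`. If the playbook still targets one Debian release, as the old task file name suggests, a check on `ansible_facts['distribution_major_version']` would make that explicit.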
diff --git a/tasks/configure_pve.yaml b/tasks/pve_configure.yaml
index 73ef36f..c67be1a 100644
--- a/tasks/configure_pve.yaml
+++ b/tasks/pve_configure.yaml
@@ -53,3 +53,37 @@
state: restarted
enabled: true
when: ansible_service_mgr == 'systemd'
+
+- name: generate secure 32-character password
+ set_fact:
+ pve_admin_user: "pveadmin@pve"
+ pve_admin_group: "admin"
+ pve_admin_group_comment: "System Administrators"
+ pve_admin_password_file: "/root/pve_admin_password.txt"
+ pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
+
+- name: save password to file
+ copy:
+ content: "{{ pve_admin_password }}"
+ dest: "{{ pve_admin_password_file }}"
+ owner: root
+ group: root
+ mode: '0600'
+
+- name: create proxmox user
+ command: pveum useradd {{ pve_admin_user }} --password {{ pve_admin_password | quote }}
+ register: create_user
+ failed_when: create_user.rc != 0
+
+- name: create proxmox admin group
+ command: pveum groupadd {{ pve_admin_group }} -comment "{{ pve_admin_group_comment }}"
+ register: create_group
+ failed_when: create_group.rc != 0
+
+- name: assign administrator role to group
+ command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
+ register: assign_role
+
+- name: add user to admin group
+ command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
+ register: add_to_group
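Review bot: The generated admin password is exposed outside the 0600 file: `generate secure 32-character password`, `save password to file` and `create proxmox user` have no `no_log: true`, so the value can appear in verbose or callback output, and `--password {{ pve_admin_password | quote }}` places it in the argv of `pveum` while it runs. Adding `no_log: true` to those three tasks covers the logging side; the argv exposure needs a non-argument way to set the password, if pveum offers one. The stanza is also not re-runnable: on a second run the `copy` overwrites `/root/pve_admin_password.txt` with a fresh value before `pveum useradd` fails on the existing user, leaving a file that no longer matches the account. Guarding the three tasks on the user not existing yet (or on the file being absent) would avoid that.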
diff --git a/tasks/install_proxmox_on_debian12.yaml b/tasks/pve_setup.yaml
index 1a92aa5..7d04ff2 100644
--- a/tasks/install_proxmox_on_debian12.yaml
+++ b/tasks/pve_setup.yaml
@@ -1,20 +1,3 @@
-- name: ensure script is run as root
- ansible.builtin.assert:
- that:
- - ansible_effective_user_id == 0
- fail_msg: "this playbook must be run as root"
-
-- name: check if system is debian-based
- ansible.builtin.command: dpkg -l
- register: dpkg_check
- changed_when: false
- failed_when: false
-
-- name: fail if not debian-based
- ansible.builtin.fail:
- msg: "distribution not Debian-based"
- when: dpkg_check.rc != 0
-
- name: generate /etc/hosts from template
template:
src: templates/hosts.j2