From a75493e62c8bd5f1daee90e7ee55bcd67b4b95b8 Mon Sep 17 00:00:00 2001
From: heqnx
Date: Sun, 22 Jun 2025 21:37:01 +0300
Subject: added preflight, renamed tasks, added local non-pam user
---
 main.yaml | 5 +-
 tasks/configure_pve.yaml | 55 -----------------
 tasks/install_proxmox_on_debian12.yaml | 110 ---------------------------------
 tasks/preflight.yaml | 17 +++++
 tasks/pve_configure.yaml | 89 ++++++++++++++++++++++++++
 tasks/pve_setup.yaml | 93 ++++++++++++++++++++++++++++
 6 files changed, 202 insertions(+), 167 deletions(-)
 delete mode 100644 tasks/configure_pve.yaml
 delete mode 100644 tasks/install_proxmox_on_debian12.yaml
 create mode 100644 tasks/preflight.yaml
 create mode 100644 tasks/pve_configure.yaml
 create mode 100644 tasks/pve_setup.yaml
diff --git a/main.yaml b/main.yaml
index 7c449f9..39004b8 100644
--- a/main.yaml
+++ b/main.yaml
@@ -4,5 +4,6 @@
 vars_files:
 - vars/main.yaml
 tasks:
- - import_tasks: tasks/install_proxmox_on_debian12.yaml
- - import_tasks: tasks/configure_pve.yaml
+ - import_tasks: tasks/preflight.yaml
+ - import_tasks: tasks/pve_setup.yaml
+ - import_tasks: tasks/pve_configure.yaml
diff --git a/tasks/configure_pve.yaml b/tasks/configure_pve.yaml
deleted file mode 100644
index 73ef36f..0000000
--- a/tasks/configure_pve.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-- name: detect default public interface
- set_fact:
- public_interface: "{{ ansible_default_ipv4.interface }}"
-
-- name: get gateway info from ip route
- shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
- register: detected_gateway
- changed_when: false
-
-- name: set public gateway fact
- set_fact:
- public_gateway: "{{ detected_gateway.stdout }}"
-
-- name: deploy /etc/network/interfaces
- template:
- src: interfaces.j2
- dest: /etc/network/interfaces
- owner: root
- group: root
- mode: '0644'
-
-- name: set pveproxy config
- copy:
- src: files/pveproxy
- dest: /etc/default/pveproxy
- mode: '0644'
-
-- name: deploy /etc/iptables/rules.v4
- template:
- src: rules.v4.j2
- dest: /etc/iptables/rules.v4
- owner: root
- group: root
- mode: '0644'
-
-- name: enable ipv4 forwarding
- sysctl:
- name: net.ipv4.ip_forward
- value: '1'
- state: present
- reload: yes
-
-- name: restart pveproxy
- systemd:
- name: pveproxy
- state: restarted
- enabled: true
- when: ansible_service_mgr == 'systemd'
-
-- name: restart networking
- systemd:
- name: networking
- state: restarted
- enabled: true
- when: ansible_service_mgr == 'systemd'
diff --git a/tasks/install_proxmox_on_debian12.yaml b/tasks/install_proxmox_on_debian12.yaml
deleted file mode 100644
index 1a92aa5..0000000
--- a/tasks/install_proxmox_on_debian12.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: ensure script is run as root
- ansible.builtin.assert:
- that:
- - ansible_effective_user_id == 0
- fail_msg: "this playbook must be run as root"
-
-- name: check if system is debian-based
- ansible.builtin.command: dpkg -l
- register: dpkg_check
- changed_when: false
- failed_when: false
-
-- name: fail if not debian-based
- ansible.builtin.fail:
- msg: "distribution not Debian-based"
- when: dpkg_check.rc != 0
-
-- name: generate /etc/hosts from template
- template:
- src: templates/hosts.j2
- dest: /etc/hosts
- owner: root
- group: root
- mode: '0644'
-
-- name: create /etc/apt/sources.list.d directory
- ansible.builtin.file:
- path: /etc/apt/sources.list.d
- state: directory
- mode: '0755'
-
-- name: deploy proxmox apt sources list
- copy:
- src: files/pve-no-subscription.list
- dest: /etc/apt/sources.list.d/pve-no-subscription.list
- mode: '0644'
-
-- name: create /etc/apt/trusted.gpg.d directory
- file:
- path: /etc/apt/trusted.gpg.d
- state: directory
- mode: '0755'
-
-- name: download proxmox gpg key
- get_url:
- url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
- dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
- mode: '0644'
-
-- name: verify proxmox gpg key hash
- shell: echo "{{ gpg_key_hash }} /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg" | sha512sum -c
- vars:
- gpg_key_hash: "7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87"
- register: gpg_hash_check
- failed_when: gpg_hash_check.rc != 0
- changed_when: false
-
-- name: update apt packages
- apt:
- update_cache: true
-
-- name: upgrade apt packages
- apt:
- upgrade: dist
-
-- name: install apt packages
- apt:
- name: "{{ apt_packages }}"
- state: present
- update_cache: true
-
-- name: reboot to activate proxmox ve kernel
- reboot:
- msg: "rebooting to activate proxmox ve kernel"
- connect_timeout: 10
- reboot_timeout: 600
- pre_reboot_delay: 5
- post_reboot_delay: 10
-
-- name: install pve packages
- apt:
- name: "{{ pve_packages }}"
- state: present
- update_cache: true
-
-- name: get current running kernel version
- command: uname -r
- register: current_kernel
- changed_when: false
-
-- name: list installed debian kernel images
- shell: dpkg -l | awk '/linux-image-[0-9]/{ print $2 }' | grep -v "{{ current_kernel.stdout }}"
- register: kernels_to_remove
- changed_when: false
-
-- name: remove debian default kernels (excluding current)
- apt:
- name: "{{ kernels_to_remove.stdout_lines }}"
- state: absent
- when: kernels_to_remove.stdout_lines | length > 0
-
-- name: update grub bootloader
- command: update-grub
- register: grub_update
- changed_when: "'Generating grub configuration file' in grub_update.stdout"
-
-- name: remove problematic apt packages for pve
- apt:
- name: "{{ apt_packages_to_remove }}"
- state: absent
diff --git a/tasks/preflight.yaml b/tasks/preflight.yaml
new file mode 100644
index 0000000..aef9dcf
--- /dev/null
+++ b/tasks/preflight.yaml
@@ -0,0 +1,17 @@
+- name: ensure script is run as root
+ ansible.builtin.assert:
+ that:
+ - ansible_effective_user_id == 0
+ fail_msg: "this playbook must be run as root"
+
+- name: check if system is debian-based
+ ansible.builtin.command: dpkg -l
+ register: dpkg_check
+ changed_when: false
+ failed_when: false
+
+- name: fail if not debian-based
+ ansible.builtin.fail:
+ msg: "distribution not Debian-based"
+ when: dpkg_check.rc != 0
+
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
new file mode 100644
index 0000000..c67be1a
--- /dev/null
+++ b/tasks/pve_configure.yaml
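Review bot: The distribution check in tasks/preflight.yaml (`ansible.builtin.command: dpkg -l` followed by `fail if not debian-based`) only proves that dpkg is installed, while the setup tasks pin the bookworm repository and key (`proxmox-release-bookworm.gpg`), so a Debian 11/13 or Ubuntu host passes preflight and then receives the wrong repository. Replace the command/fail pair with an assertion on gathered facts, e.g. `that: [ansible_distribution == 'Debian', ansible_distribution_major_version == '12']` with `fail_msg: "this playbook targets Debian 12 (bookworm)"`, which also avoids listing every package on every run. The root assertion on `ansible_effective_user_id` is fine as written.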
@@ -0,0 +1,89 @@
+- name: detect default public interface
+ set_fact:
+ public_interface: "{{ ansible_default_ipv4.interface }}"
+
+- name: get gateway info from ip route
+ shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
+ register: detected_gateway
+ changed_when: false
+
+- name: set public gateway fact
+ set_fact:
+ public_gateway: "{{ detected_gateway.stdout }}"
+
+- name: deploy /etc/network/interfaces
+ template:
+ src: interfaces.j2
+ dest: /etc/network/interfaces
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: set pveproxy config
+ copy:
+ src: files/pveproxy
+ dest: /etc/default/pveproxy
+ mode: '0644'
+
+- name: deploy /etc/iptables/rules.v4
+ template:
+ src: rules.v4.j2
+ dest: /etc/iptables/rules.v4
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: enable ipv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ state: present
+ reload: yes
+
+- name: restart pveproxy
+ systemd:
+ name: pveproxy
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
+
+- name: restart networking
+ systemd:
+ name: networking
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
+
+- name: generate secure 32-character password
+ set_fact:
+ pve_admin_user: "pveadmin@pve"
+ pve_admin_group: "admin"
+ pve_admin_group_comment: "System Administrators"
+ pve_admin_password_file: "/root/pve_admin_password.txt"
+ pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
+
+- name: save password to file
+ copy:
+ content: "{{ pve_admin_password }}"
+ dest: "{{ pve_admin_password_file }}"
+ owner: root
+ group: root
+ mode: '0600'
+
+- name: create proxmox user
+ command: pveum useradd {{ pve_admin_user }} --password {{ pve_admin_password | quote }}
+ register: create_user
+ failed_when: create_user.rc != 0
+
+- name: create proxmox admin group
+ command: pveum groupadd {{ pve_admin_group }} -comment "{{ pve_admin_group_comment }}"
+ register: create_group
+ failed_when: create_group.rc != 0
+
+- name: assign administrator role to group
+ command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
+ register: assign_role
+
+- name: add user to admin group
+ command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
+ register: add_to_group
diff --git a/tasks/pve_setup.yaml b/tasks/pve_setup.yaml
new file mode 100644
index 0000000..7d04ff2
--- /dev/null
+++ b/tasks/pve_setup.yaml
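Review bot: The generated admin password in tasks/pve_configure.yaml is handled without `no_log`: the `generate secure 32-character password` set_fact, the `save password to file` copy and the `create proxmox user` command all carry it in their task results, so it lands in Ansible's output and any configured log or callback, and passing it on the `pveum useradd ... --password` command line additionally exposes it in the process list for the duration of the call. Add `no_log: true` to those three tasks at minimum; the `| quote` filter prevents shell-splitting but does nothing for either exposure. Independently, `lookup('password', '/dev/null ...')` produces a new value on every run while `failed_when: create_user.rc != 0` makes the second run fail because the user already exists, leaving /root/pve_admin_password.txt holding a password that no longer matches the account. Either skip the useradd when `pveum user list` already shows the user, or point the lookup at a persistent controller-side path so the same secret is reused.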
@@ -0,0 +1,93 @@
+- name: generate /etc/hosts from template
+ template:
+ src: templates/hosts.j2
+ dest: /etc/hosts
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: create /etc/apt/sources.list.d directory
+ ansible.builtin.file:
+ path: /etc/apt/sources.list.d
+ state: directory
+ mode: '0755'
+
+- name: deploy proxmox apt sources list
+ copy:
+ src: files/pve-no-subscription.list
+ dest: /etc/apt/sources.list.d/pve-no-subscription.list
+ mode: '0644'
+
+- name: create /etc/apt/trusted.gpg.d directory
+ file:
+ path: /etc/apt/trusted.gpg.d
+ state: directory
+ mode: '0755'
+
+- name: download proxmox gpg key
+ get_url:
+ url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
+ dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
+ mode: '0644'
+
+- name: verify proxmox gpg key hash
+ shell: echo "{{ gpg_key_hash }} /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg" | sha512sum -c
+ vars:
+ gpg_key_hash: "7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87"
+ register: gpg_hash_check
+ failed_when: gpg_hash_check.rc != 0
+ changed_when: false
+
+- name: update apt packages
+ apt:
+ update_cache: true
+
+- name: upgrade apt packages
+ apt:
+ upgrade: dist
+
+- name: install apt packages
+ apt:
+ name: "{{ apt_packages }}"
+ state: present
+ update_cache: true
+
+- name: reboot to activate proxmox ve kernel
+ reboot:
+ msg: "rebooting to activate proxmox ve kernel"
+ connect_timeout: 10
+ reboot_timeout: 600
+ pre_reboot_delay: 5
+ post_reboot_delay: 10
+
+- name: install pve packages
+ apt:
+ name: "{{ pve_packages }}"
+ state: present
+ update_cache: true
+
+- name: get current running kernel version
+ command: uname -r
+ register: current_kernel
+ changed_when: false
+
+- name: list installed debian kernel images
+ shell: dpkg -l | awk '/linux-image-[0-9]/{ print $2 }' | grep -v "{{ current_kernel.stdout }}"
+ register: kernels_to_remove
+ changed_when: false
+
+- name: remove debian default kernels (excluding current)
+ apt:
+ name: "{{ kernels_to_remove.stdout_lines }}"
+ state: absent
+ when: kernels_to_remove.stdout_lines | length > 0
+
+- name: update grub bootloader
+ command: update-grub
+ register: grub_update
+ changed_when: "'Generating grub configuration file' in grub_update.stdout"
+
+- name: remove problematic apt packages for pve
+ apt:
+ name: "{{ apt_packages_to_remove }}"
+ state: absent
-- 
cgit v1.2.3
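Review bot: In tasks/pve_setup.yaml the `download proxmox gpg key` task writes the key straight into /etc/apt/trusted.gpg.d/ and only the following `verify proxmox gpg key hash` shell task checks it, so a tampered or truncated download is already trusted by apt when the check fails and remains there after the failed run. `get_url` can verify before installing: add `checksum: "sha512:{{ gpg_key_hash }}"` to the download task, move the `vars: gpg_key_hash: ...` block onto it, and drop the `sha512sum -c` task; the module then refuses to place a mismatching file and the step becomes idempotent. Scoping the key to the one source with `signed-by=` instead of the global trusted.gpg.d would be tighter still, but that depends on the contents of files/pve-no-subscription.list, which this commit does not show. Separately, `list installed debian kernel images` ends in `grep -v`, which exits 1 when there is nothing left to print, so a second run after the Debian kernels are gone fails instead of yielding an empty list; `failed_when: kernels_to_remove.rc > 1` keeps real grep errors fatal while tolerating the empty case.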