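---
# Proxmox VE host provisioning: network config, NAT/forwarding through ufw,
# a pinned resolver, the pvebanner override and an initial admin account.
# Assumes an ifupdown2-based PVE host with `ifreload`, `pveum`, `chattr`
# and `ufw` available; ufw itself is enabled elsewhere (not in this file).

- name: detect default public interface
  set_fact:
    public_interface: "{{ ansible_default_ipv4.interface }}"

# NOTE(review): ansible_default_ipv4.gateway would normally yield the same
# value; the live route lookup is kept from the original — confirm they agree.
- name: get gateway info from ip route
  shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
  register: detected_gateway
  changed_when: false

- name: set public gateway fact
  set_fact:
    public_gateway: "{{ detected_gateway.stdout }}"

# Refuse to render the network config from empty facts: an interfaces file
# without a gateway cuts the host off as soon as ifreload commits it.
- name: verify detected interface and gateway before rewriting the network config
  assert:
    that:
      - public_interface | length > 0
      - public_gateway | length > 0
    fail_msg: "could not detect the default interface/gateway; refusing to rewrite /etc/network/interfaces"

- name: deploy /etc/network/interfaces
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: '0644'
  register: interfaces_file

- name: deploy /etc/network/interfaces.new
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces.new
    owner: root
    group: root
    mode: '0644'

# No shell features are used, so `command` suffices; the module already fails
# on a non-zero exit status. Only re-commit when the rendered file changed so
# repeated runs stay idempotent and do not bounce the links needlessly.
- name: run ifreload to commit changes
  command: ifreload -a
  register: ifreload_shell
  when: interfaces_file.changed

- name: set pveproxy config
  copy:
    src: files/pveproxy
    dest: /etc/default/pveproxy
    mode: '0644'
  register: pveproxy_config

- name: add nat masquerade rules to ufw before.rules
  blockinfile:
    path: /etc/ufw/before.rules
    insertbefore: BOF
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
      COMMIT
    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
  register: ufw_nat_rules

# `backrefs` dropped: with it enabled, lineinfile silently does nothing when
# the regexp has no match, so a file missing the key would stay unmanaged.
- name: set DEFAULT_FORWARD_POLICY to ACCEPT
  lineinfile:
    path: /etc/default/ufw
    regexp: '^DEFAULT_FORWARD_POLICY='
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
  register: ufw_forward_policy

# before.rules and /etc/default/ufw are only read when ufw (re)loads; without
# this the NAT rule and forward policy would not apply until the next reload.
- name: reload ufw so the NAT rule and forward policy take effect
  ufw:
    state: reloaded
  when: ufw_nat_rules.changed or ufw_forward_policy.changed

- name: enable ipv4 forwarding persistently
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true
    sysctl_file: /etc/sysctl.conf

# Restart only when the config the service reads actually changed; otherwise
# just make sure it is enabled and running.
- name: restart pveproxy
  systemd:
    name: pveproxy
    state: "{{ 'restarted' if pveproxy_config.changed else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'

# ifreload above already applied the change; the restart is kept for parity
# with the original but is now tied to an actual change of the interfaces file.
- name: restart networking
  systemd:
    name: networking
    state: "{{ 'restarted' if interfaces_file.changed else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'

# NOTE(review): this admits the PVE web UI from any source; restrict it with
# the module's `from_ip` parameter if the management network is known.
- name: allow pve port
  ufw:
    rule: allow
    port: '8006'
    proto: tcp

# /etc/resolv.conf is kept immutable (chattr +i) so nothing rewrites it. The
# flag has to be cleared before `copy` can replace the file; the original
# play failed with EPERM on every run after the first. The check-mode copy
# tells us whether an update is needed at all.
- name: check whether /etc/resolv.conf differs from the managed copy
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    mode: '0644'
  check_mode: true
  register: resolv_conf_check

- name: read /etc/resolv.conf attributes
  command: lsattr /etc/resolv.conf
  register: resolv_conf_attrs
  changed_when: false
  failed_when: false

# lsattr prints the flag field first ("----i---------e------- /etc/resolv.conf");
# a missing file (rc != 0) counts as not immutable.
- name: record whether /etc/resolv.conf is currently immutable
  set_fact:
    resolv_conf_immutable: "{{ resolv_conf_attrs.rc == 0 and 'i' in resolv_conf_attrs.stdout.split()[0] }}"

- name: clear immutable flag on /etc/resolv.conf so it can be updated
  command: chattr -i /etc/resolv.conf
  when: resolv_conf_check.changed and (resolv_conf_immutable | bool)

- name: deploy static /etc/resolv.conf
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    mode: '0644'
  when: resolv_conf_check.changed

- name: make /etc/resolv.conf immutable with chattr
  command: chattr +i /etc/resolv.conf
  when: resolv_conf_check.changed or not (resolv_conf_immutable | bool)

- name: copy pve-create-template.sh wrapper script
  copy:
    src: files/pve-create-template.sh
    dest: /root/pve-create-template.sh
    mode: '0744'

- name: deploy /usr/bin/pvebanner.bash
  template:
    src: pvebanner.bash
    dest: /usr/bin/pvebanner.bash
    owner: root
    group: root
    mode: '0744'
  register: pvebanner_script

- name: create /etc/systemd/system/pvebanner.service.d directory
  file:
    path: /etc/systemd/system/pvebanner.service.d
    state: directory
    mode: '0755'

- name: override pvebanner.service ExecStart with pvebanner.bash
  blockinfile:
    path: /etc/systemd/system/pvebanner.service.d/override.conf
    create: true
    block: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/pvebanner.bash
  register: pvebanner_override

# daemon_reload replaces the unconditional `systemctl daemon-reload` command;
# the unit is restarted only when its script or drop-in changed.
- name: restart pvebanner service
  systemd:
    name: pvebanner.service
    daemon_reload: true
    state: "{{ 'restarted' if (pvebanner_script.changed or pvebanner_override.changed) else 'started' }}"
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: set proxmox admin account facts
  set_fact:
    pve_admin_user: "pveadmin@pve"
    pve_admin_group: "admin"
    pve_admin_group_comment: "System Administrators"
    pve_admin_password_file: "/root/pveadmin_credentials.txt"

# `pveum useradd` fails when the user already exists, so detect that first.
# This also keeps the stored credentials in step with the real password: the
# original regenerated it on every run and overwrote the file with a password
# the account never received.
# NOTE(review): assumes `--output-format json` and a `userid` field as in
# PVE 6+ — confirm against the target version.
- name: list existing proxmox users
  command: pveum user list --output-format json
  register: pve_user_list
  changed_when: false

- name: determine whether the admin user already exists
  set_fact:
    pve_admin_user_exists: "{{ pve_admin_user in (pve_user_list.stdout | from_json | map(attribute='userid') | list) }}"

# no_log keeps the generated secret out of play output and log files.
- name: generate secure 32-character password
  set_fact:
    pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
  no_log: true
  when: not (pve_admin_user_exists | bool)

- name: save password to file
  copy:
    content: "pveadmin:{{ pve_admin_password }}\n"
    dest: "{{ pve_admin_password_file }}"
    owner: root
    group: root
    mode: '0600'
  no_log: true
  when: not (pve_admin_user_exists | bool)

# NOTE(review): the password is still passed as a command-line argument and is
# visible in the host's process table for the duration of the call; an
# interactive `pveum passwd` driven by the expect module would avoid that —
# confirm whether that is wanted. The command module already fails on a
# non-zero exit status, so the explicit failed_when is not needed.
- name: create proxmox user
  command: pveum useradd {{ pve_admin_user }} --password {{ pve_admin_password | quote }}
  register: create_user
  no_log: true
  when: not (pve_admin_user_exists | bool)

# NOTE(review): assumes a `groupid` field in the JSON output — confirm.
- name: list existing proxmox groups
  command: pveum group list --output-format json
  register: pve_group_list
  changed_when: false

- name: create proxmox admin group
  command: pveum groupadd {{ pve_admin_group }} -comment "{{ pve_admin_group_comment }}"
  register: create_group
  when: pve_admin_group not in (pve_group_list.stdout | from_json | map(attribute='groupid') | list)

# aclmod and usermod are safe to repeat but always report "changed".
- name: assign administrator role to group
  command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
  register: assign_role

- name: add user to admin group
  command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
  register: add_to_group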