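---
# Proxmox VE host provisioning tasks: network bridge + NAT, pveproxy, a pinned
# resolv.conf, a custom login banner, and a generated admin user.
#
# Prerequisites assumed from the task bodies (not defined here):
#   - `nat_subnet` must be set (used in the ufw NAT block).
#   - templates `interfaces.j2` and `pvebanner.bash`, plus `files/pveproxy`,
#     `files/resolv.conf` and `files/pve-create-template.sh`, must exist.
#
# NOTE(review): the tasks that touch the generated password set `no_log: true`
# so the credential is not written to Ansible output, callbacks or log files.

- name: detect default public interface
  set_fact:
    public_interface: "{{ ansible_default_ipv4.interface }}"

- name: get gateway info from ip route
  shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
  register: detected_gateway
  changed_when: false
  # `head` is the last command in the pipe, so a non-matching grep still
  # exits 0 with empty output; fail here rather than render an empty gateway
  # into /etc/network/interfaces and lose connectivity on ifreload.
  failed_when: detected_gateway.rc != 0 or detected_gateway.stdout | length == 0

- name: set public gateway fact
  set_fact:
    public_gateway: "{{ detected_gateway.stdout }}"

- name: deploy /etc/network/interfaces
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: '0644'

# Same template written a second time; ifupdown2 reads interfaces.new on some
# setups — presumably intentional, confirm before removing.
- name: deploy /etc/network/interfaces.new
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces.new
    owner: root
    group: root
    mode: '0644'

# `command` is sufficient (no pipes or shell features); a non-zero rc already
# fails the task, so no explicit failed_when is needed.
- name: run ifreload to commit changes
  command: ifreload -a
  register: ifreload_shell

- name: set pveproxy config
  copy:
    src: files/pveproxy
    dest: /etc/default/pveproxy
    mode: '0644'

# The *nat table must precede the *filter table in before.rules, hence BOF.
# Outbound interface is the vmbr0 bridge, not `public_interface` (which is the
# physical port enslaved to the bridge).
- name: add nat masquerade rules to ufw before.rules
  blockinfile:
    path: /etc/ufw/before.rules
    insertbefore: BOF
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
      COMMIT
    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"

# With backrefs the line is only rewritten when the regexp matches; the key
# ships in the stock /etc/default/ufw, so nothing is appended if it is absent.
- name: set DEFAULT_FORWARD_POLICY to ACCEPT
  lineinfile:
    path: /etc/default/ufw
    regexp: '^DEFAULT_FORWARD_POLICY='
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
    backrefs: true

- name: enable ipv4 forwarding persistently
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true
    sysctl_file: /etc/sysctl.conf

- name: restart pveproxy
  systemd:
    name: pveproxy
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

# Unconditional restart on every run; if the bridge configuration changed this
# may briefly drop the SSH session used by Ansible.
- name: restart networking
  systemd:
    name: networking
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: allow pve port
  ufw:
    rule: allow
    port: '8006'
    proto: tcp

# The file is made immutable below; clear the flag first so re-runs can still
# update it (copy cannot replace an immutable file). `removes` skips the step
# when the file does not exist yet.
- name: clear immutable flag on /etc/resolv.conf before updating it
  command: chattr -i /etc/resolv.conf
  args:
    removes: /etc/resolv.conf
  changed_when: false

- name: deploy static /etc/resolv.conf
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    mode: '0644'

# chattr +i is idempotent on the filesystem; suppress the perpetual "changed".
- name: make /etc/resolv.conf immutable with chattr
  command: chattr +i /etc/resolv.conf
  changed_when: false

- name: copy pve-create-template.sh wrapper script
  copy:
    src: files/pve-create-template.sh
    dest: /root/pve-create-template.sh
    mode: '0744'

- name: deploy /usr/bin/pvebanner.bash
  template:
    src: pvebanner.bash
    dest: /usr/bin/pvebanner.bash
    owner: root
    group: root
    mode: '0744'

- name: create /etc/systemd/system/pvebanner.service.d directory
  file:
    path: /etc/systemd/system/pvebanner.service.d
    state: directory
    mode: '0755'

# Empty ExecStart= clears the unit's original command before setting ours.
- name: override pvebanner.service ExecStart with pvebanner.bash
  blockinfile:
    path: /etc/systemd/system/pvebanner.service.d/override.conf
    create: true
    block: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/pvebanner.bash

- name: reload systemd daemon
  systemd:
    daemon_reload: true

- name: restart pvebanner service
  systemd:
    name: pvebanner.service
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

# The password lookup uses /dev/null, so a fresh random value is produced on
# every run and the controller never persists it; the only copy is the
# credentials file written on the target below.
- name: generate secure 32-character password
  set_fact:
    pve_admin_user: "pveadmin@pve"
    pve_admin_group: "admin"
    pve_admin_group_comment: "System Administrators"
    pve_admin_password_file: "/root/pveadmin_credentials.txt"
    pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
  no_log: true

- name: save password to file
  copy:
    content: "pveadmin:{{ pve_admin_password }}\n"
    dest: "{{ pve_admin_password_file }}"
    owner: root
    group: root
    mode: '0600'
  no_log: true

# The password is passed as a command-line argument, so it is briefly visible
# in the target's process list while pveum runs; no_log keeps it out of the
# Ansible output at least. Not idempotent: pveum fails if the user already
# exists, which it will on any re-run since the password is regenerated.
- name: create proxmox user
  command: pveum useradd {{ pve_admin_user }} --password {{ pve_admin_password | quote }}
  register: create_user
  no_log: true

# Not idempotent: fails on re-run if the group already exists.
- name: create proxmox admin group
  command: pveum groupadd {{ pve_admin_group }} -comment "{{ pve_admin_group_comment }}"
  register: create_group

- name: assign administrator role to group
  command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
  register: assign_role

- name: add user to admin group
  command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
  register: add_to_group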