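- name: detect default public interface
  # Interface behind the default IPv4 route as seen by fact gathering, so
  # gather_facts (or an explicit setup) must have run before this task.
  set_fact:
    public_interface: "{{ ansible_default_ipv4.interface }}"

- name: get gateway info from ip route
  # Next hop used to reach a public address. The pipeline ends in `head`, so
  # its exit status is 0 even when grep matched nothing (e.g. an on-link
  # default route with no `via`); previously that produced an empty gateway
  # that was rendered into /etc/network/interfaces and applied by ifreload,
  # taking the host offline. failed_when now stops the play instead.
  # The ansible_default_ipv4.gateway fact normally carries the same value;
  # the shell form is kept so `detected_gateway` stays registered for any
  # task that reads it.
  shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
  register: detected_gateway
  changed_when: false
  failed_when: detected_gateway.rc != 0 or detected_gateway.stdout | length == 0

- name: set public gateway fact
  set_fact:
    public_gateway: "{{ detected_gateway.stdout }}"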
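- name: deploy /etc/network/interfaces
  # Rendered from the same interfaces.j2 as the .new file below. This file
  # controls the very link Ansible is talking over, so backup: true keeps a
  # timestamped copy beside it: a bad render can then be rolled back from
  # the console instead of being reconstructed by hand.
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: '0644'
    backup: true

- name: deploy /etc/network/interfaces.new
  # NOTE(review): Proxmox treats interfaces.new as its "pending changes"
  # file. Writing an identical copy presumably keeps the GUI from showing a
  # stale pending edit -- confirm that is the intent. No backup here; it is a
  # scratch file that tracks the one above.
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces.new
    owner: root
    group: root
    mode: '0644'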
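- name: run ifreload to commit changes
  # No pipe, redirect or glob here, so the shell module buys nothing but an
  # extra layer of word splitting; `command` runs the binary directly.
  # Runs unconditionally (no handler tied to the template tasks is in view),
  # so it reports changed on every run. A non-zero exit aborts the play: a
  # half-applied network config is the worst outcome at this point.
  command: ifreload -a
  register: ifreload_shell
  failed_when: ifreload_shell.rc != 0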
- name: set pveproxy config
  # Drops the role's pveproxy defaults file into place; the service is
  # restarted further down so the new settings take effect.
  copy:
    dest: /etc/default/pveproxy
    src: files/pveproxy
    mode: '0644'
- name: add nat masquerade rules to ufw before.rules
  # Prepends a *nat table to ufw's before.rules so that guests on nat_subnet
  # are masqueraded out of vmbr0. The `-s` match limits masquerading to that
  # one subnet -- do not widen it. ufw only re-reads this file on
  # `ufw reload` / `ufw enable`; neither appears among the tasks shown here,
  # so make sure one runs afterwards.
  # NOTE(review): vmbr0 is hard-coded while public_interface is detected
  # dynamically above; fine if vmbr0 is always the uplink bridge on these
  # hosts, otherwise template it.
  blockinfile:
    path: /etc/ufw/before.rules
    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
    insertbefore: BOF
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
      COMMIT
- name: set DEFAULT_FORWARD_POLICY to ACCEPT
  # Needed for the NAT rule above to pass traffic, but note the cost: ufw's
  # FORWARD chain now accepts by default, i.e. the host forwards between
  # all of its interfaces, not just nat_subnet egress. The tighter
  # alternative is to keep the shipped DROP and add explicit
  # `ufw route allow in on <guest bridge> out on vmbr0` rules.
  # backrefs: true makes lineinfile a pure in-place rewrite: if the regexp
  # ever fails to match, nothing is appended (the stock file is expected to
  # ship this key, so a match is the normal case).
  lineinfile:
    path: /etc/default/ufw
    backrefs: true
    regexp: '^DEFAULT_FORWARD_POLICY='
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
- name: enable ipv4 forwarding persistently
  # Kernel prerequisite for the NAT/forward rules above: without
  # ip_forward=1 nothing crosses between vmbr0 and the guest bridge.
  # Persisted in /etc/sysctl.conf and applied immediately via reload.
  sysctl:
    sysctl_file: /etc/sysctl.conf
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true
- name: restart pveproxy
  # Picks up /etc/default/pveproxy written above and ensures the unit is
  # enabled at boot. Restarts unconditionally (no handler in view), so a
  # short web-UI blip is expected on every run.
  systemd:
    enabled: true
    name: pveproxy
    state: restarted
  when: ansible_service_mgr == 'systemd'
- name: restart networking
  # NOTE(review): `ifreload -a` earlier in this file already applied the new
  # interfaces file. A full restart of networking.service tears every
  # interface down and back up, which will likely cut the SSH session this
  # play runs over; `state: reloaded`, or dropping this task, is the safer
  # option if the unit supports reload -- confirm on the target.
  systemd:
    enabled: true
    name: networking
    state: restarted
  when: ansible_service_mgr == 'systemd'
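- name: allow pve port
  # Opens the Proxmox web UI / API (8006/tcp). pve_allowed_src defaults to
  # 'any', which is exactly what the rule did before; set it to a management
  # CIDR in inventory so the full cluster API is not reachable from every
  # address that can route to the host.
  ufw:
    rule: allow
    port: '8006'
    proto: tcp
    from_ip: "{{ pve_allowed_src | default('any') }}"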
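- name: check whether /etc/resolv.conf is present
  stat:
    path: /etc/resolv.conf
  register: resolv_conf_stat

- name: clear the immutable flag left by a previous run
  # copy installs the new content by renaming a temp file over the
  # destination, which fails on an immutable target -- so the second run of
  # this play used to abort right here. Only a regular file can carry the
  # flag; if resolv.conf is currently a symlink there is nothing to clear
  # (copy's default follow: false replaces the link rather than following
  # it). changed_when: false because the copy task below puts the flag
  # straight back, leaving the net state unchanged.
  file:
    path: /etc/resolv.conf
    attributes: '-i'
  changed_when: false
  when: resolv_conf_stat.stat.exists and resolv_conf_stat.stat.isreg

- name: deploy static /etc/resolv.conf and make it immutable
  # `attributes: '+i'` replaces the former separate `chattr +i` command: the
  # flag is applied after the content is in place, by the same module, so
  # there is no window where a rewritten file is left mutable. The flag is
  # presumably there to stop DHCP clients / resolvconf from rewriting the
  # file -- the reason is not stated in the source.
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    mode: '0644'
    attributes: '+i'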
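- name: define proxmox admin account parameters
  # Static names only. The password is generated further down and only when
  # the account does not exist yet: previously every run generated a fresh
  # password, overwrote the credentials file with it, and then failed on
  # `pveum useradd` because the user already existed -- leaving a
  # credentials file that no longer matched the real account.
  set_fact:
    pve_admin_user: "pveadmin@pve"
    pve_admin_group: "admin"
    pve_admin_group_comment: "System Administrators"
    pve_admin_password_file: "/root/pveadmin_credentials.txt"

- name: list existing proxmox users
  command: pveum user list --output-format json
  register: pve_user_list
  changed_when: false

- name: list existing proxmox groups
  command: pveum group list --output-format json
  register: pve_group_list
  changed_when: false

- name: record whether the admin user and group already exist
  set_fact:
    pve_admin_user_exists: "{{ pve_admin_user in (pve_user_list.stdout | from_json | map(attribute='userid') | list) }}"
    pve_admin_group_exists: "{{ pve_admin_group in (pve_group_list.stdout | from_json | map(attribute='groupid') | list) }}"

- name: generate secure 32-character password
  # Generated on the controller; the '/dev/null' path means it is never
  # stored there. no_log keeps it out of -v output and callback plugins.
  # Only defined when the account is being created: any later task that
  # needs it must test `pve_admin_password is defined` (re-runs used to fail
  # hard before reaching such a task, so nothing could have depended on the
  # fact existing then).
  set_fact:
    pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
  no_log: true
  when: not (pve_admin_user_exists | bool)

- name: save password to file
  # Plaintext credential at rest, root-only. Prefer fetching it to the
  # controller (into a vault) and removing it from the host once handed over.
  copy:
    content: "pveadmin:{{ pve_admin_password }}\n"
    dest: "{{ pve_admin_password_file }}"
    owner: root
    group: root
    mode: '0600'
  no_log: true
  when: not (pve_admin_user_exists | bool)

- name: create proxmox user
  # argv passes each value as one argument, so no quoting/splitting round.
  # The password still travels as a process argument (readable from /proc
  # for the duration of the call), exactly as before; if your PVE version
  # offers a stdin-based way to set it, prefer that. no_log keeps the
  # command line and its output out of the play log.
  command:
    argv:
      - pveum
      - useradd
      - "{{ pve_admin_user }}"
      - --password
      - "{{ pve_admin_password }}"
  register: create_user
  no_log: true
  when: not (pve_admin_user_exists | bool)

- name: create proxmox admin group
  # Skipped when the group is already there; `pveum groupadd` is not
  # idempotent on its own and would fail the play on re-runs.
  command:
    argv:
      - pveum
      - groupadd
      - "{{ pve_admin_group }}"
      - -comment
      - "{{ pve_admin_group_comment }}"
  register: create_group
  when: not (pve_admin_group_exists | bool)

- name: assign administrator role to group
  # Administrator on '/' is full control over the entire cluster -- intended
  # for this bootstrap account; scope the ACL down if the group is ever
  # reused for day-to-day users. pveum gives no cheap diff here, so the task
  # reports changed on every run.
  command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
  register: assign_role

- name: add user to admin group
  # `usermod -group` sets the user's group list (original behaviour kept).
  command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
  register: add_to_group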