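# Discover the primary interface and its gateway so interfaces.j2 can render a
# static configuration that matches what the installer/DHCP set up.
- name: detect default public interface
  set_fact:
    public_interface: "{{ ansible_default_ipv4.interface }}"

# `ip route get` prints the next hop for a well-known public address; the grep
# keeps only the dotted quad after "via".
- name: get gateway info from ip route
  shell: ip route get 1.1.1.1 | grep -oP 'via \K[\d.]+' | head -n1
  register: detected_gateway
  changed_when: false
  # The pipeline's exit code is head's, which is 0 even when grep matched
  # nothing, so rc alone cannot catch a missing default route. An empty result
  # must abort here: otherwise an empty gateway is rendered into
  # /etc/network/interfaces and committed by ifreload, cutting the host off.
  failed_when: detected_gateway.rc != 0 or detected_gateway.stdout | length == 0

- name: set public gateway fact
  set_fact:
    public_gateway: "{{ detected_gateway.stdout }}"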
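# Render the interface configuration twice: /etc/network/interfaces is what
# ifupdown2 reads now; /etc/network/interfaces.new is presumably the pending
# network config file Proxmox consumes on commit — confirm against the PVE
# version in use.
- name: deploy /etc/network/interfaces
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: '0644'
    # ifreload below applies the new file immediately, so keep a timestamped
    # copy of the previous one for a quick rollback after a rendering mistake.
    backup: true
  register: interfaces_file

- name: deploy /etc/network/interfaces.new
  template:
    src: interfaces.j2
    dest: /etc/network/interfaces.new
    owner: root
    group: root
    mode: '0644'
  register: interfaces_new_file

# ifreload needs no shell features, so `command` avoids an unnecessary shell;
# a non-zero exit code already fails the task by default.
- name: run ifreload to commit changes
  command: ifreload -a
  register: ifreload_shell
  # Only re-apply when a file actually changed, so repeated runs stay
  # idempotent and do not bounce the links for no reason.
  when: interfaces_file is changed or interfaces_new_file is changed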
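# Defaults file for the pveproxy service (contents live in files/pveproxy, not
# on this page). Plain config, so 0644 is fine; pin root ownership like the
# other system files this play deploys.
- name: set pveproxy config
  copy:
    src: files/pveproxy
    dest: /etc/default/pveproxy
    owner: root
    group: root
    mode: '0644'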
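# NAT for guests on nat_subnet: packets leaving through vmbr0 get the host's
# address. The block is wrapped in markers so re-runs update it in place
# instead of appending a second *nat table.
- name: add nat masquerade rules to ufw before.rules
  blockinfile:
    path: /etc/ufw/before.rules
    insertbefore: BOF
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
      COMMIT
    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"

# ufw's FORWARD chain must accept for the masqueraded traffic to pass. Note
# this accepts *all* forwarded traffic, not only nat_subnet; add explicit
# `ufw route` rules if guests need to be isolated from each other.
- name: set DEFAULT_FORWARD_POLICY to ACCEPT
  lineinfile:
    path: /etc/default/ufw
    regexp: '^DEFAULT_FORWARD_POLICY='
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
    # backrefs=true rewrites an existing line and never appends one;
    # /etc/default/ufw ships with this key, so that is the intended behavior.
    backrefs: true

# Persist in /etc/sysctl.conf and apply now; without forwarding the NAT rule
# above does nothing.
- name: enable ipv4 forwarding persistently
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true
    sysctl_file: /etc/sysctl.conf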
# Both units are restarted unconditionally; the guard only skips hosts that are
# not running systemd, where the systemd module would fail.
- name: restart pveproxy
  when: ansible_service_mgr == 'systemd'
  systemd:
    name: pveproxy
    enabled: true
    state: restarted

# Restarted even though ifreload already applied the interface changes.
- name: restart networking
  when: ansible_service_mgr == 'systemd'
  systemd:
    name: networking
    enabled: true
    state: restarted
# Proxmox web UI / API. No source restriction is set: 8006/tcp is reachable
# from any address on any interface ufw covers. Narrow it with `from_ip` here,
# or via ALLOW_FROM/DENY_FROM in /etc/default/pveproxy, if the UI is not meant
# to be reachable from everywhere.
- name: allow pve port
  ufw:
    proto: tcp
    port: 8006
    rule: allow
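# A static resolv.conf is enforced by making the file immutable. A bare
# `chattr +i` reports "changed" on every run and, worse, a later run whose
# resolv.conf content differs fails in the copy task because the immutable
# file cannot be replaced. Clear the flag first, deploy, then re-apply it via
# the file module so the sequence is idempotent.
- name: clear immutable flag on /etc/resolv.conf before deploying
  command: chattr -i /etc/resolv.conf
  args:
    # skip when the file does not exist yet (first run on a fresh host)
    removes: /etc/resolv.conf
  changed_when: false

- name: deploy static /etc/resolv.conf
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    owner: root
    group: root
    mode: '0644'

- name: make /etc/resolv.conf immutable
  file:
    path: /etc/resolv.conf
    state: file
    # "+i" adds the immutable attribute; reports changed only when it was unset
    attributes: '+i'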
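# Local Proxmox admin account. The password is generated on the controller
# once per play run (the /dev/null path tells the password lookup not to
# persist it), kept in a fact, and written to a root-only file on the host.
# Every task that sees the password sets no_log so it does not end up in play
# output, callback plugins or log files.
- name: generate secure 32-character password
  set_fact:
    pve_admin_user: "pveadmin@pve"
    pve_admin_group: "admin"
    pve_admin_group_comment: "System Administrators"
    pve_admin_password_file: "/root/pveadmin_credentials.txt"
    pve_admin_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
  no_log: true

# Ask Proxmox for the current users/groups so the create steps can be skipped
# on re-runs: pveum useradd/groupadd exit non-zero when the object already
# exists, which previously aborted every second run. `--output-format json`
# needs a pveum that supports it (PVE 6 and later) — confirm on older hosts.
- name: list existing proxmox users
  command: pveum user list --output-format json
  register: pve_user_list
  changed_when: false

- name: list existing proxmox groups
  command: pveum group list --output-format json
  register: pve_group_list
  changed_when: false

- name: create proxmox user
  # The password travels on the command line, so it is briefly visible in the
  # host's process list; no_log keeps it out of Ansible's own output. A
  # non-zero exit already fails the task, so no failed_when is needed.
  command: pveum useradd {{ pve_admin_user }} --password {{ pve_admin_password | quote }}
  register: create_user
  when: pve_admin_user not in (pve_user_list.stdout | from_json | map(attribute='userid') | list)
  no_log: true

# Written only when the account was actually created, so a re-run cannot
# overwrite a valid credential file with a freshly generated, unused password.
# The file holds the password in plain text; collect and delete it once it is
# stored elsewhere.
- name: save password to file
  copy:
    content: "pveadmin:{{ pve_admin_password }}\n"
    dest: "{{ pve_admin_password_file }}"
    owner: root
    group: root
    mode: '0600'
  when: create_user is changed
  no_log: true

- name: create proxmox admin group
  command: pveum groupadd {{ pve_admin_group }} -comment {{ pve_admin_group_comment | quote }}
  register: create_group
  when: pve_admin_group not in (pve_group_list.stdout | from_json | map(attribute='groupid') | list)

# aclmod and usermod appear to set state rather than append, so they are left
# unconditional; they will report "changed" on every run.
- name: assign administrator role to group
  command: pveum aclmod / -group {{ pve_admin_group }} -role Administrator
  register: assign_role

- name: add user to admin group
  command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
  register: add_to_group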
# NOTE(review): /etc/pve is the Proxmox cluster filesystem (pmxcfs), and
# /etc/pve/priv/authorized_keys is shared by every cluster member. Copying
# this node's /root/.ssh/authorized_keys over it replaces the keys the other
# members rely on — confirm this is intended before running against a
# clustered host. Owner/group/mode settings on pmxcfs may be ignored or
# rejected by the filesystem; confirm on the target.
- name: ensure /etc/pve/priv directory exists
  file:
    path: /etc/pve/priv
    owner: root
    group: root
    mode: '0700'
    state: directory

- name: copy /root/.ssh/authorized_keys to /etc/pve/priv/authorized_keys
  copy:
    remote_src: true
    src: /root/.ssh/authorized_keys
    dest: /etc/pve/priv/authorized_keys
    owner: root
    group: root
    mode: '0600'