Enhance Ansible playbooks and documentation for Debian and Proxmox management. Add new playbooks for Debian hardening, maintenance, SSH key rotation, and Proxmox cluster setup. Update README.md with quick start instructions for Debian and Proxmox operations. Modify group_vars to include Argo CD application settings, improving deployment flexibility and clarity.

ansible/group_vars/all.yml

@@ -21,3 +21,6 @@ noble_cert_manager_require_cloudflare_secret: true
 
 # Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
 noble_velero_install: false
+
+# Argo CD — apply app-of-apps root Application (clusters/noble/bootstrap/argocd/root-application.yaml). Set false to skip.
+noble_argocd_apply_root_application: true

ansible/group_vars/debian_servers.yml

@@ -0,0 +1,12 @@
+---
+# Hardened SSH settings
+debian_baseline_ssh_allow_users:
+  - admin
+
+# Example key rotation entries. Replace with your real users and keys.
+debian_ssh_rotation_users:
+  - name: admin
+    home: /home/admin
+    state: present
+    keys:
+      - "ssh-ed25519 AAAAEXAMPLE_REPLACE_ME admin@workstation"

ansible/group_vars/proxmox_hosts.yml

@@ -0,0 +1,37 @@
+---
+# Proxmox repositories
+proxmox_repo_debian_codename: trixie
+proxmox_repo_disable_enterprise: true
+proxmox_repo_disable_ceph_enterprise: true
+proxmox_repo_enable_pve_no_subscription: true
+proxmox_repo_enable_ceph_no_subscription: true
+
+# Suppress "No valid subscription" warning in UI
+proxmox_no_subscription_notice_disable: true
+
+# Public keys to install for root on each Proxmox host.
+proxmox_root_authorized_key_files:
+  - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+  - "{{ lookup('env', 'HOME') }}/.ssh/ansible.pub"
+
+# Package upgrade/reboot policy
+proxmox_upgrade_apt_cache_valid_time: 3600
+proxmox_upgrade_autoremove: true
+proxmox_upgrade_autoclean: true
+proxmox_upgrade_reboot_if_required: true
+proxmox_upgrade_reboot_timeout: 1800
+
+# Cluster settings
+proxmox_cluster_enabled: true
+proxmox_cluster_name: atomic-hub
+
+# Bootstrap host name from inventory (first host by default if empty)
+proxmox_cluster_master: ""
+
+# Optional explicit IP/FQDN for joining; leave empty to use ansible_host of master
+proxmox_cluster_master_ip: ""
+proxmox_cluster_force: false
+
+# Optional: use only for first cluster joins when inter-node SSH trust is not established.
+# Prefer storing with Ansible Vault if you set this.
+proxmox_cluster_master_root_password: "Hemroid8"