Enhance Ansible playbooks and documentation for Debian and Proxmox management. Add new playbooks for Debian hardening, maintenance, SSH key rotation, and Proxmox cluster setup. Update README.md with quick start instructions for Debian and Proxmox operations. Modify group_vars to include Argo CD application settings, improving deployment flexibility and clarity.

ansible/playbooks/debian_harden.yml

@@ -0,0 +1,8 @@
+---
+- name: Debian server baseline hardening
+  hosts: debian_servers
+  become: true
+  gather_facts: true
+  roles:
+    - role: debian_baseline_hardening
+      tags: [hardening, baseline]

ansible/playbooks/debian_maintenance.yml

@@ -0,0 +1,8 @@
+---
+- name: Debian maintenance (updates + reboot handling)
+  hosts: debian_servers
+  become: true
+  gather_facts: true
+  roles:
+    - role: debian_maintenance
+      tags: [maintenance, updates]

ansible/playbooks/debian_ops.yml

@@ -0,0 +1,3 @@
+---
+- import_playbook: debian_harden.yml
+- import_playbook: debian_maintenance.yml

ansible/playbooks/debian_rotate_ssh_keys.yml

@@ -0,0 +1,8 @@
+---
+- name: Debian SSH key rotation
+  hosts: debian_servers
+  become: true
+  gather_facts: false
+  roles:
+    - role: debian_ssh_key_rotation
+      tags: [ssh, ssh_keys, rotation]

ansible/playbooks/noble.yml

@@ -113,6 +113,7 @@
       tags: [always]
 
     # talosctl kubeconfig often sets server to the VIP; off-LAN you can reach a control-plane IP but not 192.168.50.230.
+    # kubectl stderr is often "The connection to the server ... was refused" (no substring "connection refused").
     - name: Auto-fallback API server when VIP is unreachable (temp kubeconfig)
       tags: [always]
       when:
@@ -120,8 +121,7 @@
         - noble_k8s_api_server_override | default('') | length == 0
         - not (noble_skip_k8s_health_check | default(false) | bool)
         - (noble_k8s_health_first.rc | default(1)) != 0 or (noble_k8s_health_first.stdout | default('') | trim) != 'ok'
-        - ('network is unreachable' in (noble_k8s_health_first.stderr | default('') | lower)) or
-          ('no route to host' in (noble_k8s_health_first.stderr | default('') | lower))
+        - (((noble_k8s_health_first.stderr | default('')) ~ (noble_k8s_health_first.stdout | default(''))) | lower) is search('network is unreachable|no route to host|connection refused|was refused', multiline=False)
       block:
         - name: Ensure temp dir for kubeconfig auto-fallback
           ansible.builtin.file:

ansible/playbooks/proxmox_cluster.yml

@@ -0,0 +1,9 @@
+---
+- name: Proxmox cluster bootstrap/join
+  hosts: proxmox_hosts
+  become: true
+  gather_facts: false
+  serial: 1
+  roles:
+    - role: proxmox_cluster
+      tags: [proxmox, cluster]

ansible/playbooks/proxmox_ops.yml

@@ -0,0 +1,4 @@
+---
+- import_playbook: proxmox_prepare.yml
+- import_playbook: proxmox_upgrade.yml
+- import_playbook: proxmox_cluster.yml

ansible/playbooks/proxmox_prepare.yml

@@ -0,0 +1,8 @@
+---
+- name: Proxmox host preparation (community repos + no-subscription notice)
+  hosts: proxmox_hosts
+  become: true
+  gather_facts: true
+  roles:
+    - role: proxmox_baseline
+      tags: [proxmox, prepare, repos, ui]

ansible/playbooks/proxmox_upgrade.yml

@@ -0,0 +1,9 @@
+---
+- name: Proxmox host maintenance (upgrade to latest)
+  hosts: proxmox_hosts
+  become: true
+  gather_facts: true
+  serial: 1
+  roles:
+    - role: proxmox_maintenance
+      tags: [proxmox, maintenance, updates]