Enhance Ansible playbooks and documentation for Debian and Proxmox management. Add new playbooks for Debian hardening, maintenance, SSH key rotation, and Proxmox cluster setup. Update README.md with quick start instructions for Debian and Proxmox operations. Modify group_vars to include Argo CD application settings, improving deployment flexibility and clarity.

2026-04-01 01:19:50 -04:00
parent 89be30884e
commit c15bf4d708
33 changed files with 682 additions and 5 deletions
--- a/ansible/roles/proxmox_baseline/defaults/main.yml
+++ b/ansible/roles/proxmox_baseline/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+proxmox_repo_debian_codename: "{{ ansible_facts['distribution_release'] | default('bookworm') }}"
+proxmox_repo_disable_enterprise: true
+proxmox_repo_disable_ceph_enterprise: true
+proxmox_repo_enable_pve_no_subscription: true
+proxmox_repo_enable_ceph_no_subscription: false
+
+proxmox_no_subscription_notice_disable: true
+proxmox_widget_toolkit_file: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+
+# Bootstrap root SSH keys from the control machine so subsequent runs can use key auth.
+proxmox_root_authorized_key_files:
+  - "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+  - "{{ lookup('env', 'HOME') }}/.ssh/ansible.pub"
--- a/ansible/roles/proxmox_baseline/handlers/main.yml
+++ b/ansible/roles/proxmox_baseline/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart pveproxy
+  ansible.builtin.service:
+    name: pveproxy
+    state: restarted
--- a/ansible/roles/proxmox_baseline/tasks/main.yml
+++ b/ansible/roles/proxmox_baseline/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+- name: Check configured local public key files
+  ansible.builtin.stat:
+    path: "{{ item }}"
+  register: proxmox_root_pubkey_stats
+  loop: "{{ proxmox_root_authorized_key_files }}"
+  delegate_to: localhost
+  become: false
+
+- name: Fail when a configured local public key file is missing
+  ansible.builtin.fail:
+    msg: "Configured key file does not exist on the control host: {{ item.item }}"
+  when: not item.stat.exists
+  loop: "{{ proxmox_root_pubkey_stats.results }}"
+  delegate_to: localhost
+  become: false
+
+- name: Ensure root authorized_keys contains configured public keys
+  ansible.posix.authorized_key:
+    user: root
+    state: present
+    key: "{{ lookup('ansible.builtin.file', item) }}"
+    manage_dir: true
+  loop: "{{ proxmox_root_authorized_key_files }}"
+
+- name: Remove enterprise repository lines from /etc/apt/sources.list
+  ansible.builtin.lineinfile:
+    path: /etc/apt/sources.list
+    regexp: ".*enterprise\\.proxmox\\.com.*"
+    state: absent
+  when:
+    - proxmox_repo_disable_enterprise | bool or proxmox_repo_disable_ceph_enterprise | bool
+  failed_when: false
+
+- name: Find apt source files that contain Proxmox enterprise repositories
+  ansible.builtin.find:
+    paths: /etc/apt/sources.list.d
+    file_type: file
+    patterns:
+      - "*.list"
+      - "*.sources"
+    contains: "enterprise\\.proxmox\\.com"
+    use_regex: true
+  register: proxmox_enterprise_repo_files
+  when:
+    - proxmox_repo_disable_enterprise | bool or proxmox_repo_disable_ceph_enterprise | bool
+
+- name: Remove enterprise repository lines from apt source files
+  ansible.builtin.lineinfile:
+    path: "{{ item.path }}"
+    regexp: ".*enterprise\\.proxmox\\.com.*"
+    state: absent
+  loop: "{{ proxmox_enterprise_repo_files.files | default([]) }}"
+  when:
+    - proxmox_repo_disable_enterprise | bool or proxmox_repo_disable_ceph_enterprise | bool
+
+- name: Find apt source files that already contain pve-no-subscription
+  ansible.builtin.find:
+    paths: /etc/apt/sources.list.d
+    file_type: file
+    patterns:
+      - "*.list"
+      - "*.sources"
+    contains: "pve-no-subscription"
+    use_regex: false
+  register: proxmox_no_sub_repo_files
+  when: proxmox_repo_enable_pve_no_subscription | bool
+
+- name: Ensure Proxmox no-subscription repository is configured when absent
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/pve-no-subscription.list
+    content: "deb http://download.proxmox.com/debian/pve {{ proxmox_repo_debian_codename }} pve-no-subscription\n"
+    mode: "0644"
+  when:
+    - proxmox_repo_enable_pve_no_subscription | bool
+    - (proxmox_no_sub_repo_files.matched | default(0) | int) == 0
+
+- name: Remove duplicate pve-no-subscription.list when another source already provides it
+  ansible.builtin.file:
+    path: /etc/apt/sources.list.d/pve-no-subscription.list
+    state: absent
+  when:
+    - proxmox_repo_enable_pve_no_subscription | bool
+    - (proxmox_no_sub_repo_files.files | default([]) | map(attribute='path') | list | select('ne', '/etc/apt/sources.list.d/pve-no-subscription.list') | list | length) > 0
+
+- name: Ensure Ceph no-subscription repository is configured
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/ceph-no-subscription.list
+    content: "deb http://download.proxmox.com/debian/ceph-{{ proxmox_repo_debian_codename }} {{ proxmox_repo_debian_codename }} no-subscription\n"
+    mode: "0644"
+  when: proxmox_repo_enable_ceph_no_subscription | bool
+
+- name: Disable no-subscription pop-up in Proxmox UI
+  ansible.builtin.replace:
+    path: "{{ proxmox_widget_toolkit_file }}"
+    regexp: "if \\(data\\.status !== 'Active'\\)"
+    replace: "if (false)"
+    backup: true
+  when: proxmox_no_subscription_notice_disable | bool
+  notify: Restart pveproxy