servers/roles/proxmox/tasks/main.yml

# choose a node for tasks that should only run on (any) one node, e.g. when writing to /etc/pve
- name: Select the primary node
  set_fact:
    is_primary: '{{ inventory_hostname == (nodes | map(attribute="inventory_hostname") | sort | first) }}'

- name: Disable enterprise repositories
  apt_repository:
    repo: '{{ item }}'
    state: absent
    update_cache: '{{ ansible_loop.last }}'
  loop:
    - 'deb https://enterprise.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-enterprise'
    - 'deb https://enterprise.proxmox.com/debian/ceph-quincy {{ ansible_distribution_release }} enterprise'
  loop_control:
    extended: true

- name: Enable no-subscription repository
  apt_repository:
    repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'

- name: Set up sysctls
  copy:
    dest: /etc/sysctl.d/local.conf
    src: sysctl.conf

- name: Set VXLAN local tunnel IP
  template:
    dest: /etc/network/interfaces.d/loopback.intf
    src: loopback.intf.j2
  notify: reload interfaces

- name: Set up bridges
  template:
    dest: /etc/network/interfaces
    src: interfaces.j2
    mode: 0644
  notify: reload interfaces

- include_tasks: firewall.yml

- include_tasks: user.yml
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00			`# choose a node for tasks that should only run on (any) one node, e.g. when writing to /etc/pve`
Factor frr role from debian, ceph and proxmox Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups. 2024-05-18 16:35:41 +00:00			`- name: Select the primary node`
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00			`set_fact:`
Factor frr role from debian, ceph and proxmox Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups. 2024-05-18 16:35:41 +00:00			`is_primary: '{{ inventory_hostname == (nodes \| map(attribute="inventory_hostname") \| sort \| first) }}'`
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00
Add role to set up base Proxmox server 2023-07-14 12:17:44 +00:00			`- name: Disable enterprise repositories`
			`apt_repository:`
			`repo: '{{ item }}'`
			`state: absent`
			`update_cache: '{{ ansible_loop.last }}'`
			`loop:`
			`- 'deb https://enterprise.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-enterprise'`
			`- 'deb https://enterprise.proxmox.com/debian/ceph-quincy {{ ansible_distribution_release }} enterprise'`
			`loop_control:`
			`extended: true`

			`- name: Enable no-subscription repository`
			`apt_repository:`
			`repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'`

proxmox: use L4 info for ECMP hashing This should make VXLAN-encapsulated traffic multipath. 2024-04-05 07:26:06 +00:00			`- name: Set up sysctls`
			`copy:`
			`dest: /etc/sysctl.d/local.conf`
			`src: sysctl.conf`

Factor frr role from debian, ceph and proxmox Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups. 2024-05-18 16:35:41 +00:00			`- name: Set VXLAN local tunnel IP`
proxmox: add interfaces for fabric links Same as debian. 2023-10-05 10:42:29 +00:00			`template:`
Factor frr role from debian, ceph and proxmox Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups. 2024-05-18 16:35:41 +00:00			`dest: /etc/network/interfaces.d/loopback.intf`
			`src: loopback.intf.j2`
proxmox: add interfaces for fabric links Same as debian. 2023-10-05 10:42:29 +00:00			`notify: reload interfaces`

proxmox: consolidate interface templates 2024-02-26 13:30:17 +00:00			`- name: Set up bridges`
proxmox: add initial support for L2 VXLAN I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2. 2023-10-18 13:01:02 +00:00			`template:`
proxmox: consolidate interface templates 2024-02-26 13:30:17 +00:00			`dest: /etc/network/interfaces`
			`src: interfaces.j2`
proxmox: add initial support for L2 VXLAN I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2. 2023-10-18 13:01:02 +00:00			`mode: 0644`
			`notify: reload interfaces`

proxmox: set up firewall Firewall policy is set in NetBox as cluster services¹. For Proxmox we have to manually allow communication between nodes when using L3, since the default management ipset does not get populated correctly. We also need to open VTEP communication between nodes, which the default rules don’t. We allow all inter-node traffic, as SSH without passwords must be permitted anyway. This also adds some helper filters that are spectacularly annoying to implement purely in templates. ¹ There is actually no such thing as as a cluster service (yet?), so instead we create a fake VM for the cluster, define services for it, and then add the same services to a custom field on the cluster. Alternative would be to tie services to a specific node, but that could be problematic if that node is replaced. 2024-04-05 04:00:50 +00:00			`- include_tasks: firewall.yml`

proxmox: add LDAP user sync script Since OIDC auth doesn’t support groups, get them from AD over LDAP. Add a script to fetch user and groups, and update /etc/pve/user.cfg. The script is only installed on one node (first alphabetically), with a cron job to run it daily. The script is installed for clusters with the sync-ldap context key set to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be present in the password store under cluster/<name>. 2024-05-14 10:04:35 +00:00			`- include_tasks: user.yml`