servers/roles/proxmox/tasks/main.yml

# choose a node for tasks that should only run on (any) one node, e.g. when writing to /etc/pve
- name: Select the primary node
  set_fact:
    is_primary: '{{ nodes is defined and inventory_hostname == (nodes | map(attribute="inventory_hostname") | sort | first) }}'

- name: Set hostname
  hostname:
    name: '{{ inventory_hostname }}'

- name: Set up hosts file
  template:
    dest: /etc/hosts
    src: hosts.j2

- name: Set up resolv.conf
  template:
    dest: /etc/resolv.conf
    src: resolv.conf.j2
    mode: 0644

- include_tasks: network.yml

- name: Disable enterprise repositories
  apt_repository:
    repo: '{{ item }}'
    state: absent
    update_cache: no
  loop:
    - 'deb https://enterprise.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-enterprise'
    - 'deb https://enterprise.proxmox.com/debian/ceph-quincy {{ ansible_distribution_release }} enterprise'
  notify: update package cache

- name: Enable no-subscription repository
  apt_repository:
    repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'
    update_cache: no
  notify: update package cache

- meta: flush_handlers

- name: Install essential packages
  package:
    name:
      - git
      - vim
      - tmux

- name: Set up sysctls
  copy:
    dest: /etc/sysctl.d/local.conf
    src: sysctl.conf

- name: Set domain for ACME certificate renewals
  command:
    cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo")
             | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
             | sort | unique | join(";") }}'
  changed_when: false # maybe write a proper check if certificate requests are ever ansibled

- name: Set SMTP relay
  lineinfile:
    path: /etc/postfix/main.cf
    regexp: '^relayhost ='
    line: 'relayhost = {{ mail_relay | default("") }}'
  notify: reload postfix

- include_tasks: firewall.yml

- include_tasks: user.yml
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00			`# choose a node for tasks that should only run on (any) one node, e.g. when writing to /etc/pve`
Factor frr role from debian, ceph and proxmox Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups. 2024-05-18 16:35:41 +00:00			`- name: Select the primary node`
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00			`set_fact:`
Deconsolidate network setup for proxmox and debian roles They are just different enough to be annoying. 2024-08-28 10:37:41 +00:00			`is_primary: '{{ nodes is defined and inventory_hostname == (nodes \| map(attribute="inventory_hostname") \| sort \| first) }}'`

			`- name: Set hostname`
			`hostname:`
			`name: '{{ inventory_hostname }}'`

			`- name: Set up hosts file`
			`template:`
			`dest: /etc/hosts`
			`src: hosts.j2`

			`- name: Set up resolv.conf`
			`template:`
			`dest: /etc/resolv.conf`
			`src: resolv.conf.j2`
			`mode: 0644`

			`- include_tasks: network.yml`
proxmox: only install firewall rules on one node And let the cluster take care of distribution. 2024-05-14 10:40:33 +00:00
Add role to set up base Proxmox server 2023-07-14 12:17:44 +00:00			`- name: Disable enterprise repositories`
			`apt_repository:`
			`repo: '{{ item }}'`
			`state: absent`
Deconsolidate network setup for proxmox and debian roles They are just different enough to be annoying. 2024-08-28 10:37:41 +00:00			`update_cache: no`
Add role to set up base Proxmox server 2023-07-14 12:17:44 +00:00			`loop:`
			`- 'deb https://enterprise.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-enterprise'`
			`- 'deb https://enterprise.proxmox.com/debian/ceph-quincy {{ ansible_distribution_release }} enterprise'`
Deconsolidate network setup for proxmox and debian roles They are just different enough to be annoying. 2024-08-28 10:37:41 +00:00			`notify: update package cache`
Add role to set up base Proxmox server 2023-07-14 12:17:44 +00:00
			`- name: Enable no-subscription repository`
			`apt_repository:`
			`repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'`
Deconsolidate network setup for proxmox and debian roles They are just different enough to be annoying. 2024-08-28 10:37:41 +00:00			`update_cache: no`
			`notify: update package cache`

			`- meta: flush_handlers`

			`- name: Install essential packages`
			`package:`
			`name:`
			`- git`
			`- vim`
			`- tmux`
Add role to set up base Proxmox server 2023-07-14 12:17:44 +00:00
proxmox: use L4 info for ECMP hashing This should make VXLAN-encapsulated traffic multipath. 2024-04-05 07:26:06 +00:00			`- name: Set up sysctls`
			`copy:`
			`dest: /etc/sysctl.d/local.conf`
			`src: sysctl.conf`

proxmox: support certificate renewals with ACME Certificates must still be requested manually, this just sets the domain and opens up port 80/tcp. Nothing listens there except for certbot during renewals so that’s OK. 2024-09-04 14:54:47 +00:00			`- name: Set domain for ACME certificate renewals`
			`command:`
			`cmd: 'pvenode config set --acme domains={{ interfaces \| selectattr("name", "==", "lo")`
			`\| map(attribute="ip_addresses") \| flatten \| map(attribute="dns_name")`
			`\| sort \| unique \| join(";") }}'`
			`changed_when: false # maybe write a proper check if certificate requests are ever ansibled`

proxmox: set mail relay 2024-09-10 08:11:13 +00:00			`- name: Set SMTP relay`
			`lineinfile:`
			`path: /etc/postfix/main.cf`
			`regexp: '^relayhost ='`
			`line: 'relayhost = {{ mail_relay \| default("") }}'`
			`notify: reload postfix`

proxmox: set up firewall Firewall policy is set in NetBox as cluster services¹. For Proxmox we have to manually allow communication between nodes when using L3, since the default management ipset does not get populated correctly. We also need to open VTEP communication between nodes, which the default rules don’t. We allow all inter-node traffic, as SSH without passwords must be permitted anyway. This also adds some helper filters that are spectacularly annoying to implement purely in templates. ¹ There is actually no such thing as as a cluster service (yet?), so instead we create a fake VM for the cluster, define services for it, and then add the same services to a custom field on the cluster. Alternative would be to tie services to a specific node, but that could be problematic if that node is replaced. 2024-04-05 04:00:50 +00:00			`- include_tasks: firewall.yml`

proxmox: add LDAP user sync script Since OIDC auth doesn’t support groups, get them from AD over LDAP. Add a script to fetch user and groups, and update /etc/pve/user.cfg. The script is only installed on one node (first alphabetically), with a cron job to run it daily. The script is installed for clusters with the sync-ldap context key set to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be present in the password store under cluster/<name>. 2024-05-14 10:04:35 +00:00			`- include_tasks: user.yml`