proxmox: only install firewall rules on one node

And let the cluster take care of distribution.

roles/proxmox/tasks/firewall.yml

@@ -1,7 +1,3 @@
-- name: Retrieve service list
-  set_fact:
-    services: '{{ query("netbox.netbox.nb_lookup", "clusters", raw_data=true, api_filter="name="+cluster) | map(attribute="custom_fields.services") | flatten }}'
-
 - name: Set up firewall
   template:
     dest: /etc/pve/firewall/cluster.fw
@@ -9,4 +5,4 @@
     mode: 0640
     owner: root
     group: www-data
-
+  when: inventory_hostname == primary

roles/proxmox/tasks/main.yml

@@ -2,6 +2,11 @@
   set_fact:
     nodes: "{{ groups['cluster_'+cluster] | map('extract', hostvars) }}"
 
+# choose a node for tasks that should only run on (any) one node, e.g. when writing to /etc/pve
+- name: Select primary node
+  set_fact:
+    primary: '{{ nodes | map(attribute="inventory_hostname") | sort | first }}'
+
 - name: Disable enterprise repositories
   apt_repository:
     repo: '{{ item }}'

roles/proxmox/tasks/user.yml

@@ -1,7 +1,5 @@
+# synchronize user and group data from LDAP when sync-ldap context key is set to a realm
 - block:
-    - set_fact:
-        primary: '{{ nodes | map(attribute="inventory_hostname") | sort | first }}'
-
     - name: Install LDAP sync script
       template:
         dest: /usr/local/bin/sync-ldap.py

roles/proxmox/templates/cluster.fw.j2

@@ -1,3 +1,5 @@
+{% set services = query('netbox.netbox.nb_lookup', 'clusters', raw_data=true, api_filter='name='+cluster)
+        | map(attribute='custom_fields.services') | flatten -%}
 [OPTIONS]
 
 enable: 1