proxmox: add README

2026-02-26 20:41:16 +01:00 · 2026-02-26 20:41:16 +01:00 · e67497c0ed
commit e67497c0ed
parent 754c3da31f
1 changed files with 89 additions and 0 deletions
--- a/roles/proxmox/README.md
+++ b/roles/proxmox/README.md
@ -0,0 +1,89 @@
+Provision a Proxmox server with L3 networking and EVPN for VM networks.
+
+# Configuration
+
+The NetBox device and interfaces should define at least the following properties:
+
+    {
+        "asn": { "asn": 65000 },
+        "cluster": "pve",
+        "cluster_type": "proxmox",
+        "name": "pve-2",
+        "interfaces": [
+            {
+                "comment": "Link to fabric for BGP."
+                "name": "lan0",
+                "mac_address": "AA:BB:CC:DD:FF:00",
+            },
+            {
+                "comment": "Link to fabric for BGP."
+                "name": "lan1",
+                "mac_address": "AA:BB:CC:DD:FF:01",
+            },
+            {
+                "comment": "Addresses on this interface are announced via BGP to fabric."
+                "name": "lo",
+                "type": { "value": "virtual" },
+                "ip_addresses": [
+                    {
+                        "address": "10.0.0.102/32",
+                        "dns_name": "pve-2.example.net",
+                        "role": { "value": "loopback" },
+                    },
+                    {
+                        "address": "1000::102/128",
+                        "dns_name": "pve-2.example.net",
+                        "role": { "value": "loopback" },
+                    }
+                ],
+            },
+            {
+                "comment": "A separate SSH instance will run in mgmt VRF."
+                "name": "mgmt0",
+                "mac_address": "AA:BB:CC:DD:EE:00",
+                "vrf": { "name": "mgmt" },
+                "ip_addresses": [
+                    { "address": "10.0.1.102/24", "vrf": { "name": "mgmt" } },
+                    { "address": "1001::102/64", "vrf": { "name": "mgmt" } }
+                ],
+            },
+        ],
+    }
+
+## EVPN
+
+Each server needs a unique ASN. EVPN routes to individual VMs are announced to fabric via BGP over `lan*` interfaces. To allow receiving EVPN routes on the connected switch interfaces, the switch config context should define `ifaces_evpn`:
+
+    "ifaces_evpn": ["swp11", "swp12"]
+
+## Firewall
+
+Firewall rules are common to the whole cluster and are represented as NetBox services. Services must be attached to a specific device, so a “fake” VM is created to hold all rules for the cluster. Each service should then be added to the `services` custom field for the cluster. All traffic between cluster nodes is allowed by default.
+
+## Certificates
+
+The role configures ACME settings based on the `dns_name` of the loopback IP address. Certificate has to be ordered manually once after setup.
+
+## Ceph
+
+In the config context for device or cluster two additional options may be defined. Specifying
+
+    ceph-version: squid
+
+will enable the no-subscription Ceph repository and install the given version.
+
+## LDAP
+
+To sync users and groups with LDAP, add the following to the config context:
+
+    sync-ldap: realm
+
+This will configure a daily cron job to sync users. The cluster password file should contain `ldap_user` and `ldap_pass` keys. The servers are autodiscovered using the `domain` property from the config context.
+
+# Cluster
+
+After setup, join the device into an existing cluster with
+
+    ip vrf exec default pvecm add pve-1.example.net --link0 10.0.0.101
+
+where pve-1 is an existing cluster node and `--link0` specifies the loopback address of the new device.