From 0d607fe2a4467d444f6188a019cf8ca664f54fdf Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 23 Jan 2025 13:10:50 +0100
Subject: [PATCH 1/5] =?UTF-8?q?proxmox-backup:=20don=E2=80=99t=20modify=20?= =?UTF-8?q?config=20for=20default=20SSH=20instance?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is disabled anyway, so trying to reload it barfs. Worry about deduplicating roles whenever.
---
 roles/proxmox-backup/tasks/main.yml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/roles/proxmox-backup/tasks/main.yml b/roles/proxmox-backup/tasks/main.yml
index 9f9db9e..b3f35b9 100644
--- a/roles/proxmox-backup/tasks/main.yml
+++ b/roles/proxmox-backup/tasks/main.yml
@@ -58,18 +58,6 @@
 mode: 0644
 notify: reload interfaces

-- name: Disable SSH password authentication
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?{{ item.key }}'
- line: '{{ item.key }} {{ item.value }}'
- loop:
- - key: PasswordAuthentication
- value: 'no'
- - key: PermitRootLogin
- value: 'prohibit-password'
- notify: reload sshd
-
 - name: Run SSH instance in management VRF
 when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
 block:
From 9720379c1443595d74f7959a7689b5dc364b8cde Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 23 Jan 2025 13:12:25 +0100
Subject: [PATCH 2/5] proxmox-backup: allow IPv6 ND on management interface
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

IPv6 doesn’t work otherwise.
---
 roles/proxmox-backup/templates/nftables.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/proxmox-backup/templates/nftables.conf.j2 b/roles/proxmox-backup/templates/nftables.conf.j2
index aff70a9..eed9e44 100644
--- a/roles/proxmox-backup/templates/nftables.conf.j2
+++ b/roles/proxmox-backup/templates/nftables.conf.j2
@@ -19,6 +19,10 @@ table inet filter {
 packet-too-big, parameter-problem, time-exceeded,
 } accept comment "accept some ICMPv6"

+ iif mgmt0 ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
+ nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert
+ } accept comment "accept IPv6 neighbor discovery"
+
 # BGP / BFD sessions
 iif lan0 ip6 saddr fe80::/64 accept
 iif lan1 ip6 saddr fe80::/64 accept
From 878e8ba6f99125017c0e9f0928c250158e4831d8 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 23 Jan 2025 13:22:30 +0100
Subject: [PATCH 3/5] alpine: set up resolv.conf

Same as for debian.
---
 roles/alpine/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/alpine/tasks/main.yml b/roles/alpine/tasks/main.yml
index 9776239..d37b3ed 100644
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@@ -26,6 +26,12 @@
 hostname:
 name: '{{ dns_name }}'

+- name: Set up resolv.conf
+ template:
+ dest: /etc/resolv.conf
+ src: resolv.conf.j2
+ mode: 0644
+
 - name: Configure hosts
 template:
 dest: /etc/hosts
From 365b5d9f676b312a72d00c0a472ebb53d3b4c80b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 23 Jan 2025 13:25:45 +0100
Subject: [PATCH 4/5] Use IPv6 addresses for DNS servers

---
 templates/resolv.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2
index abfee17..feadf5d 100644
--- a/templates/resolv.conf.j2
+++ b/templates/resolv.conf.j2
@@ -1,4 +1,4 @@
 search {{ domain }}
-{% for server in dns %}
+{% for server in dns6 %}
 nameserver {{ server }}
 {% endfor %}
From 73555d2fd71327e5caf2a446bd4cda2cb7ed5eeb Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 23 Jan 2025 13:36:24 +0100
Subject: [PATCH 5/5] ansible: shut up warnings about discovered Python interpreter

---
 ansible.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible.cfg b/ansible.cfg
index d315089..d0e9b33 100644
--- a/ansible.cfg
+++ b/ansible.cfg
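Review bot: The new `iif mgmt0` rule accepts `nd-router-advert` together with neighbor solicit/advert, so any host on the management segment can offer this machine a default route or on-link prefix; the `ip6 hoplimit 255` match only shows the packet was not forwarded from off-link. If the management address and gateway are configured statically (not visible in this hunk), reduce the set to `nd-neighbor-advert, nd-neighbor-solicit` and have the interface ignore router advertisements. If SLAAC on mgmt0 is intended, a comment above the rule such as `# RAs accepted: mgmt0 autoconfigures via SLAAC` would record why. The enclosing `table inet filter` chain starts and ends outside the hunk, so whether the earlier "accept some ICMPv6" rule already covers any of these types cannot be checked from here.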
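Review bot: `{% for server in dns6 %}` in templates/resolv.conf.j2 has no fallback, so a host whose inventory defines only `dns` will either fail the template task on an undefined variable or, if `dns6` is an empty list, end up with a resolv.conf that has no `nameserver` lines. The template appears to be shared (patch 3 adds it to the alpine role "same as for debian"), so every host rendering it now needs IPv6 resolvers and IPv6 reachability to them. If that is not guaranteed everywhere, `{% for server in dns6 | default(dns) %}` keeps the previous behaviour where `dns6` is absent.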
@@ -1,5 +1,6 @@
 [defaults]
 nocows = true
+interpreter_python = auto_silent
 inventory = inventory.yml
 remote_user = root