Proxmox role

roles/auth/defaults/main.yml

@@ -1,5 +1,8 @@
 auth__role_enabled: false
 
+auth__no_log: true
+auth__use_only: ['host', 'group', 'default']
+
 auth__manage_groups: false
 auth__manage_users: false
 auth__manage_authorized_keys: false

roles/auth/tasks/authorized_keys.yml

@@ -1,6 +1,6 @@
 ---
 - name: Set fact for ssh key distribution to authorized keys, if any
-  set_fact:
+  ansible.builtin.set_fact:
     auth__authorized_keys_all: "{{ (auth__authorized_keys_all | default([])) + ssh_keys_distribute }}"
   vars:
     ssh_keys_distribute: "{{ dict(hostvars) |
@@ -19,22 +19,23 @@
   register: auth__authorized_keys_test_user_existence
   when:
     - auth__authorized_keys_all | length > 0
-    - ansible_check_mode | bool
+    - ansible_check_mode
 
 - name: Apply authorized keys configuration
   become: true
   ansible.posix.authorized_key:
-    comment: "{{ item.comment | default(omit) }}"
-    exclusive: "{{ item.exclusive | default(omit) }}"
-    follow: "{{ item.follow | default(omit) }}"
+    comment: "{{ item.comment | default(omit, true) }}"
+    exclusive: "{{ item.exclusive | default(omit, true) }}"
+    follow: "{{ item.follow | default(omit, true) }}"
     key: "{{ item.key }}"
-    key_options: "{{ item.key_options | default(omit) }}"
-    manage_dir: "{{ item.manage_dir | default(omit) }}"
-    path: "{{ item.path | default(omit) }}"
-    state: "{{ item.state | default(omit) }}"
+    key_options: "{{ item.key_options | default(omit, true) }}"
+    manage_dir: "{{ item.manage_dir | default(omit, true) }}"
+    path: "{{ item.path | default(omit, true) }}"
+    state: "{{ item.state | default(omit, true) }}"
     user: "{{ item.user }}"
-    validate_certs: "{{ item.validate_certs | default(omit) }}"
+    validate_certs: "{{ item.validate_certs | default(omit, true) }}"
   loop: "{{ auth__authorized_keys_all }}"
+  no_log: "{{ auth__no_log | default(true, true) | bool }}"
   register: auth__authorized_keys_apply
   when:
     - auth__authorized_keys_all | length > 0

roles/auth/tasks/ssh.yml

@@ -30,6 +30,9 @@
     dest: "{{ auth__sshd_config_file }}"
     backup: "{{ auth__sshd_config_backup | default(omit) | bool }}"
     validate: "{{ auth__sshd_validate | default(omit) }}"
+    mode: "{{ auth__sshd_config_file_module.mode | default(omit, true) }}"
+    owner: "{{ auth__sshd_config_file_module.owner | default(omit, true) }}"
+    group: "{{ auth__sshd_config_file_module.group | default(omit, true) }}"
   register: auth__sshd_config_apply
   notify: "auth__ssh_apply_changes"
   when: auth__sshd_config_all | default([]) | length > 0
@@ -64,6 +67,9 @@
     src: "{{ auth__ssh_config_template }}"
     dest: "{{ auth__ssh_config_file }}"
     backup: "{{ auth__ssh_config_backup | default(omit) | bool }}"
+    mode: "{{ auth__ssh_config_file_module.mode | default(omit, true) }}"
+    owner: "{{ auth__ssh_config_file_module.owner | default(omit, true) }}"
+    group: "{{ auth__ssh_config_file_module.group | default(omit, true) }}"
   register: auth__ssh_config_apply
   notify: "auth__ssh_apply_changes"
   when: auth__ssh_config_all | default([]) | length > 0

roles/auth/tasks/users.yml

@@ -40,5 +40,6 @@
     umask: "{{ item.umask | default(omit) }}"
     update_password: "{{ item.update_password | default(omit) }}"
   loop: "{{ auth__users_all }}"
+  no_log: "{{ auth__no_log | default(true, '') | bool }}"
   register: auth__users_apply
   when: auth__users_all | default([]) | length > 0

roles/auth/vars/main.yml

@@ -1,105 +1,15 @@
 ---
-auth__all: "{{ (auth__host + auth__group + auth__default) | selectattr('type', 'defined') }}"
+auth__all: "{{ {'host': auth__host, 'group': auth__group, 'default': auth__default} | aybarsm.helper.role_vars(only=auth__use_only) }}"
 
-__auth__config:
-  groups:
-    selectattr:
-      - when: [['type', 'eq', 'group']]
-      - when: "{{ __ansible.modules.ansible_builtin_group.uniques | product(['defined']) | list }}"
-        logic: or
-  authorized_keys:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'authorized_key']
-          - ['user', 'defined']
-          - ['key', 'defined']
-  users:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'user']
-      - when: "{{ __ansible.modules.ansible_builtin_user.uniques | product(['defined']) | list }}"
-        logic: or
-  sshd_config:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'sshd_config']
-          - ['name', 'defined']
-          - ['value', 'defined']
-  ssh_config:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'ssh_config']
-          - ['name', 'defined']
-          - ['value', 'defined']
-  ssh_config_module:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'ssh_config_module']
-          - ['host', 'defined']
-  sudoers_file:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'sudoers_file']
-          - ['entry', 'defined']
-  sudoers_module:
-    selectattr:
-      - when:
-          - ['type', 'defined']
-          - ['type', 'equalto', 'sudoers_module']
-          - ['name', 'defined']
+auth__users_all: "{{ auth__all | selectattr('entry__type', 'eq', 'user') }}"
 
-auth__groups_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.groups.selectattr) |
-  aybarsm.helper.unique_recursive(__ansible.modules.ansible_builtin_group.uniques) |
-  default([]) }}"
+auth__authorized_keys_all: "{{ auth__all | selectattr('entry__type', 'eq', 'authorized_key') }}"
 
-# Use lists_mergeby to combine all sections and sort by name for better output readability
-auth__users_all: "{{ [auth__default, auth__group, auth__host] |
-  map('selectattr', 'type', 'defined') | map('selectattr', 'type', 'equalto', 'user') |
-  map('aybarsm.helper.replace_aliases', __ansible.modules.ansible_builtin_user.aliases) |
-  map('selectattr', 'name', 'defined') |
-  community.general.lists_mergeby('name', recursive=false, list_merge='prepend') |
-  sort(attribute='name') | default([]) }}"
+auth__sshd_config_all: "{{ auth__all | selectattr('entry__type', 'eq', 'sshd_config') | 
+  sort(attribute='value', reverse=true) | sort(attribute='name', reverse=false) }}"
 
-auth__authorized_keys_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.authorized_keys.selectattr) |
-  aybarsm.helper.unique_combinations([['user', 'key']]) |
-  default([]) }}"
-
-# Sort name and value to avoid unneccessary changes
-auth__sshd_config_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.sshd_config.selectattr) |
-  aybarsm.helper.unique_combinations([['name', 'value']]) |
-  sort(attribute='value', reverse=true) | sort(attribute='name', reverse=false) |
-  default([]) }}"
-
-# Sort name and value to avoid unneccessary changes
-auth__ssh_config_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.ssh_config.selectattr) |
-  aybarsm.helper.unique_combinations([['name', 'value']]) |
-  sort(attribute='value', reverse=true) | sort(attribute='name', reverse=false) |
-  default([]) }}"
-
-auth__ssh_config_module_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.ssh_config_module.selectattr) |
-  aybarsm.helper.unique_recursive('host') |
-  default([]) }}"
-
-auth__sudoers_file_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.sudoers_file.selectattr) |
-  aybarsm.helper.unique_recursive('entry') |
-  default([]) }}"
-
-auth__sudoers_module_all: "{{ auth__all |
-  aybarsm.helper.selectattr(__auth__config.sudoers_module.selectattr) |
-  aybarsm.helper.unique_recursive('name') |
-  default([]) }}"
+auth__ssh_config_all: "{{ auth__all | selectattr('entry__type', 'eq', 'ssh_config') |
+  sort(attribute='value', reverse=true) | sort(attribute='name', reverse=false) }}"
 
 __auth__key_distribute_query: "*.auth__users_apply.results[*] | [] |
-  [?contains(not_null(item.distribute_ssh_key,``),`{{ inventory_hostname }}`)].{user: name, key: ssh_public_key}"
+  [?contains(not_null(item.entry__distribute_ssh_key,``),`{{ inventory_hostname }}`)].{user: name, key: ssh_public_key}"

roles/network/vars/main.yml

@@ -5,4 +5,13 @@ network__sysctl_all: "{{ network__all | selectattr('entry__type', 'eq', 'sysctl'
   aybarsm.helper.replace_aliases(__ansible.modules.ansible_posix_sysctl.aliases, removeAliases=true) |
   community.general.json_query('[?not_null(name) && not_null(value)]') |
   unique(attribute='name') }}"
-##### END: network sysctl vars
+##### END: network sysctl vars
+
+##### BEGIN: network hosts vars
+network__hosts_all: "{{ network__all | selectattr('entry__type', 'eq', 'host') |
+  aybarsm.helper.replace_aliases({'fqdn': ['hostname']}) | unique(attribute='ip') }}"
+
+# Sort hosts by hostname to avoid unneccessary changes
+network__hosts_all_ipv4: "{{ network__hosts_all | selectattr('ip', 'ansible.utils.ipv4') | sort(attribute='hostname') }}"
+network__hosts_all_ipv6: "{{ network__hosts_all | selectattr('ip', 'ansible.utils.ipv6') | sort(attribute='hostname') }}"
+##### END: network hosts vars

roles/proxmox/tasks/auth_key_config.yml

@@ -0,0 +1,52 @@
+- name: Check proxmox authorized_keys exists
+  ansible.builtin.stat:
+    path: /etc/pve/priv/authorized_keys
+  register: proxmox__stat_proxmox_auth_keys
+
+- name: Assert proxmox authorized_keys exists
+  ansible.builtin.assert:
+    that:
+      - proxmox__stat_proxmox_auth_keys.stat.exists
+    fail_msg: "Proxmox authorized_keys does not exist. This problem must be fixed."
+    success_msg: "Proxmox authorized_keys exists"
+  register: proxmox__assert_proxmox_auth_keys
+
+- name: Check Proxmox authorized_keys linked to root
+  ansible.builtin.stat:
+    path: /root/.ssh/authorized_keys
+  register: proxmox__stat_root_auth_keys
+  when: proxmox__assert_proxmox_auth_keys is success
+
+- name: Adjust root authorized_keys when not linked to Proxmox
+  block:
+    - name: Retrieve root authorized_keys content
+      ansible.builtin.slurp:
+        src: /root/.ssh/authorized_keys
+      register: proxmox__slurp_root_auth_keys
+
+    - name: Remove root authorized_keys file
+      ansible.builtin.file:
+        path: /root/.ssh/authorized_keys
+        state: absent
+      register: proxmox__remove_root_auth_keys
+
+    - name: Move root authorized_keys content to Proxmox
+      ansible.builtin.copy:
+        content: "{{ proxmox__slurp_root_auth_keys.content | b64decode }}"
+        dest: /etc/pve/priv/authorized_keys
+        mode: '0600'
+        owner: root
+        group: 'www-data'
+      register: proxmox__move_root_auth_keys_content
+
+    - name: Link Proxmox authorized_keys to root
+      ansible.builtin.file:
+        src: /etc/pve/priv/authorized_keys
+        dest: /root/.ssh/authorized_keys
+        state: link
+      register: proxmox__link_proxmox_auth_keys
+
+  when:
+    - proxmox__assert_proxmox_auth_keys is success
+    - (not proxmox__stat_root_auth_keys.stat.islnk) or (proxmox__stat_root_auth_keys.stat.lnk_source != '/etc/pve/priv/authorized_keys')
+

roles/proxmox/tasks/datacenter.yml

@@ -0,0 +1,58 @@
+---
+- name: Include Proxmox datacenter pool tasks
+  ansible.builtin.include_tasks:
+    file: datacenter/pool.yml
+  loop: "{{ __proxmox__cluster.pools }}"
+  loop_control:
+    loop_var: proxmox__dc_pool
+    index_var: proxmox__dc_pool_index
+  when:
+    - __proxmox__cluster.manage_pools | default(false) | bool
+    - __proxmox__cluster.pools | default([]) | length > 0
+
+- name: Include Proxmox datacenter role tasks
+  ansible.builtin.include_tasks:
+    file: datacenter/role.yml
+  loop: "{{ __proxmox__cluster.roles }}"
+  loop_control:
+    loop_var: proxmox__dc_role
+    index_var: proxmox__dc_role_index
+  when:
+    - __proxmox__cluster.manage_roles | default(false) | bool
+    - __proxmox__cluster.roles | default([]) | length > 0
+
+- name: Include Proxmox datacenter user group tasks
+  ansible.builtin.include_tasks:
+    file: datacenter/group.yml
+  loop: "{{ __proxmox__cluster.groups }}"
+  loop_control:
+    loop_var: proxmox__dc_group
+    index_var: proxmox__dc_group_index
+  when:
+    - proxmox__role_enabled
+    - __proxmox__cluster.manage_groups | default(false) | bool
+    - __proxmox__cluster.groups | default([]) | length > 0
+
+- name: Include Proxmox datacenter user tasks
+  ansible.builtin.include_tasks:
+    file: datacenter/user.yml
+  loop: "{{ __proxmox__cluster.users }}"
+  loop_control:
+    loop_var: proxmox__dc_user
+    index_var: proxmox__dc_user_index
+  when:
+    - proxmox__role_enabled
+    - __proxmox__cluster.manage_users | default(false) | bool
+    - __proxmox__cluster.users | default([]) | length > 0
+
+- name: Include Proxmox datacenter ACL tasks
+  ansible.builtin.include_tasks:
+    file: datacenter/acl.yml
+  loop: "{{ __proxmox__cluster.acls }}"
+  loop_control:
+    loop_var: proxmox__dc_acl
+    index_var: proxmox__dc_acl_index
+  when:
+    - proxmox__role_enabled
+    - __proxmox__cluster.manage_acls | default(false) | bool
+    - __proxmox__cluster.acls | default([]) | length > 0

roles/proxmox/tasks/datacenter/acl.yml

@@ -0,0 +1,9 @@
+---
+- name: Deploy Proxmox datacenter ACL
+  aybarsm.linux.proxmox_acl:
+    path: "{{ proxmox__dc_acl.path }}"
+    roles: "{{ proxmox__dc_acl.roles }}"
+    state: "{{ proxmox__dc_acl.state | default('present') }}"
+    groups: "{{ proxmox__dc_acl.groups | default([]) }}"
+    users: "{{ proxmox__dc_acl.users | default([]) }}"
+  register: proxmox__deploy_dc_acl