feat(debian-proxmox): add role for installing Proxmox VE on debian

roles/debian-proxmox/README.md

@@ -0,0 +1,20 @@
+# `debian-proxmox` ansible role
+
+This ansible role can be used to convert a (running and reachable) debian to a proxmox instance.
+
+It automates the instructions from https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye.
+
+## Usage
+
+This role will attempt to ensure that the `/etc/hosts` are configured correctly for PVE.
+The public IP of the server should be given in `debian_proxmox_public_ip` and defaults to
+`ansible_facts['eno1'].ipv4.address`.
+
+The hostname and fqdn should be correctly set in `debian_proxmox_hostname` and `debian_proxmox_fqdn`,
+and default to `ansible_hostname` and `ansible_fqdn` respectively.
+
+## Packages
+
+It is recommended to remove the packages for the `os-prober` (which would attempt to add VMs as bootable entries
+in the bootloader) and the default linux kernel `linux-image-amd64` / `linux-image-5.10*` (and use the proxmox-provided
+kernel instead). This role will remove those packages without asking, so be aware.

roles/debian-proxmox/defaults/main.yml

@@ -0,0 +1,43 @@
+---
+
+debian_proxmox_role_required_packages:
+  - python3-apt
+  - gpg
+
+debian_proxmox_apt_repo_fingerprint: "28139A2F830BD68478A1A01FDD4BA3917E23BF59"
+debian_proxmox_apt_repo_key_url: "https://enterprise.proxmox.com/debian/proxmox-release-{{ ansible_distribution_release }}.gpg"
+
+debian_proxmox_apt_repo_url: "http://download.proxmox.com/debian/pve"
+debian_proxmox_apt_repo: "deb [arch=amd64] {{ debian_proxmox_apt_repo_url }} {{ ansible_distribution_release }} pve-no-subscription"
+
+debian_proxmox_apt_packages:
+  - "proxmox-ve"
+  - "postfix"
+  - "open-iscsi"
+
+debian_proxmox_apt_packages_to_remove:
+  - "linux-image-amd64"
+  - "linux-image-{{ (ansible_facts['kernel'] | split('-') | first | split('.'))[:2] | join('.') }}*"
+  - "os-prober"
+
+debian_proxmox_max_reboot_timeout_seconds: 900
+
+debian_proxmox_public_ip: "{{ ansible_facts['eno1'].ipv4.address }}"
+debian_proxmox_loopback_ipv4: "{{ ansible_facts['lo'].ipv4.address }}"
+
+debian_proxmox_hostname: "{{ ansible_hostname }}"
+debian_proxmox_fqdn: "{{ ansible_fqdn }}"
+
+debian_proxmox_hosts_file:
+  - ip: "{{ debian_proxmox_loopback_ipv4 }}"
+    fqdn: localhost.localdomain
+    aliases:
+      - localhost
+  - ip: "{[ debian_proxmox_public_ip }}"
+    fqdn: "{{ debian_proxmox_fqdn }}"
+    aliases:
+      - "{{ debian_proxmox_hostname }}"
+      - pvelocalhost
+  - ip: 127.0.1.1
+    fqdn: "{{ debian_proxmox_hostname }}"
+    state: absent

roles/debian-proxmox/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+
+- name: Ensure python3-apt and gpg is available
+  apt:
+    package: "{{ debian_proxmox_role_required_packages }}"
+    state: present
+
+- name: Check if target is debian before attempting to convert to proxmox
+  fail:
+    msg: "Target is {{ ansible_distribution }} which is not Debian"
+  when: ansible_distribution != 'Debian'
+
+- name: Check if debian version is supported by role
+  fail:
+    msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} is not supported by the role"
+  when: ansible_distribution_version not in debian_proxmox_supported_debian_versions
+
+- name: Ensure /etc/hosts entries are safe for use with proxmox
+  lineinfile:
+    dest: /etc/hosts
+    line: "{{ item.ip }}\t{{ item.fqdn | default('') }}\t{{ item.aliases | default([]) | join('\t') }}"
+    regex: "{{ item.ip }}.+"
+    state: "{{ item.state | default('present') }}"
+  loop: "{{ debian_proxmox_hosts_file }}"
+
+- name: Ensure Proxmox VE apt repository keys are added
+  apt_key:
+    id: "{{ debian_proxmox_apt_repo_fingerprint }}"
+    url: "{{ debian_proxmox_apt_repo_key_url }}"
+    state: present
+
+- name: Ensure Proxmox VE apt repository is added
+  apt_repository:
+    filename: pve-install-repo
+    repo: "{{ debian_proxmox_apt_repo }}"
+    state: present
+  register: proxmox_ve_apt_repo
+
+- name: Ensure APT cache is up to date
+  apt:
+    update_cache: yes
+  when: proxmox_ve_apt_repo.changed
+
+- name: Ensure system is upgraded
+  apt:
+    upgrade: full
+
+- name: Ensure Proxmox VE packages are installed
+  apt:
+    package: "{{ debian_proxmox_apt_packages }}"
+    state: present
+  register: proxmox_ve_installed
+
+- name: Ensure system is rebooted after install of PVE packages
+  reboot:
+    reboot_timeout: "{{ debian_proxmox_max_reboot_timeout_seconds | int }}"
+  when: proxmox_ve_installed.changed
+
+- name: Ensure packages are removed that will conflict with proxmox operation
+  apt:
+    package: "{{ debian_proxmox_apt_packages_to_remove }}"
+    state: absent
+  register: proxmox_apt_packages_removed
+
+- name: Ensure grub was updated after the kernel was removed
+  command: update-grub
+  when: proxmox_apt_packages_removed.changed

roles/debian-proxmox/vars/main.yml

@@ -0,0 +1,4 @@
+---
+
+debian_proxmox_supported_debian_versions:
+  - 11

roles/git/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+
+git_config_file: ~/.gitconfig
+
+git_config_gpg_program: gpg2
+git_config_commit_gpgsign: false
+git_config_pull_rebase: true
+git_config_pull_ff: only
+git_config_rebase_autostash: true
+git_config_merge_autostash: true
+git_config_init_default_branch: main
+git_config_core_editor: vim
+
+git_config_user: []
+git_config_credentials: []

roles/git/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+
+- name: Ensure git configuration is persisted in git configs file
+  blockinfile:
+    dest: "{{ git_config_file }}"
+    mode: "0660"
+    create: yes
+    state: present
+    marker: "#{mark} ANSIBLE MANAGED BLOCK by finallycoffee.base.git"
+    block: |+2
+      {% if git_config_user_name|default(false, true) and git_config_user_email|default(false, true) %}
+      [user]
+        name = {{ git_config_user_name }}
+        email = {{ git_config_user_email }}
+      {% if git_config_user_signingkey %}
+        signingkey = {{ git_config_user_signingkey }}
+      {% endif %}
+      {% endif %}
+      [gpg]
+        program = {{ git_config_gpg_program }}
+      [core]
+        editor = {{ git_config_core_editor }}
+      [commit]
+        gpgsign = {{ git_config_commit_gpgsign }}
+      [pull]
+        rebase = {{ git_config_pull_rebase }}
+        ff = {{ git_config_pull_ff }}
+      [rebase]
+        autostash = {{ git_config_rebase_autostash }}
+      [merge]
+        autostash = {{ git_config_merge_autostash }}
+      [init]
+        defaultBranch = {{ git_config_init_default_branch }}
+      [alias]
+      {% for alias in git_config_alias %}
+        {{ alias.name }} = {{ alias.command }}
+      {% endfor %}
+      
+      {% for credentialset in git_config_credentials %}
+      [credential "{{ credentialset.remote_url }}"]
+      {% for entry in credentialset.config | dict2items %}
+        {{ entry.key }} = {{ entry.value }}
+      {% endfor %}
+
+      {% endfor %}

roles/gnupg/defaults/main.yml

@@ -0,0 +1,32 @@
+---
+
+gpg_config_folder: ~/.gnupg
+gpg_config_file: "{{ gpg_config_folder }}/gpg.conf"
+gpg_agent_config_file: "{{ gpg_config_folder }}/gpg-agent.conf"
+gpg_scdaemon_config_file: "{{ gpg_config_folder }}/scdaemon.conf"
+gpg_agent_sshcontrol_file: "{{ gpg_config_folder }}/sshcontrol"
+gpg_configure_agent_script: "{{ gpg_config_folder }}/gpg-configure-as-ssh-agent.sh"
+
+gpg_keygrips_for_ssh: []
+
+gpg_config_cert_digest_algo: SHA256
+gpg_config_emit_version: false
+gpg_config_comments: false
+gpg_config_ignore_time_conflict: false
+gpg_config_allow_freeform_uid: true
+gpg_config_keyid_format: 0xlong
+gpg_config_with_fingerprint: true
+
+gpg_config_keyserver: hkps://keys.openpgp.org
+gpg_config_keyserver_options: []
+
+gpg_agent_config_cache_ttl: 300
+gpg_agent_config_cache_ttl_ssh: 300
+gpg_agent_config_enable_ssh_support: false
+gpg_agent_config_ignore_cache_for_signing: true
+gpg_agent_config_allow_external_cache: false
+
+gpg_scdaemon_config_driver: ~
+gpg_scdaemon_config_card_timeout: ~
+gpg_scdaemon_config_disable_ccid: false
+gpg_scdaemon_config_pcsc_shared: true

roles/gnupg/files/gpg-configure-ssh-auth-socket.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+rc=$(pgrep gpg-agent)
+if [ "$rc" != 0 ]; then
+  export GPG_AGENT_INFO
+  export SSH_AUTH_SOCK
+  export SSH_AGENT_PID
+else
+  eval $(gpg-agent --daemon)
+fi
+
+gpg-connect-agent /bye
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+gpgconf --launch gpg-agent

roles/gnupg/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Ensure gnupg is installed (RedHat*)
+  package:
+    name: gnupg2
+    state: latest
+  become: true
+  when: ansible_os_family == "RedHat"
+
+- name: Ensure gnupg is installed (Arch)
+  package:
+    name: gnupg
+    state: latest
+  become: true
+  when: ansible_os_family == "Archlinux"
+
+- name: Ensure ~/.gnupg folder exists with correct permissions
+  file:
+    path: "{{ gpg_config_folder }}"
+    state: directory
+    mode: 0700
+
+- name: Ensure gpg.conf is templated
+  template:
+    src: gpg.conf.j2
+    dest: "{{ gpg_config_file }}"
+
+- name: Configure gpg-agent.conf (agent configuration)
+  template:
+    src: gpg-agent.conf.j2
+    dest: "{{ gpg_agent_config_file }}"
+
+- name: Configure scdaemon.conf (smartcard daemon)
+  template:
+    src: scdaemon.conf.j2
+    dest: "{{ gpg_scdaemon_config_file }}"
+
+- name: Configure sshcontrol (in order for gpg-agent to act as ssh-agent)
+  template:
+    src: sshcontrol.j2
+    dest: "{{ gpg_agent_sshcontrol_file }}"
+  when: gpg_agent_config_enable_ssh_support
+
+- name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
+  copy:
+    src: gpg-configure-ssh-auth-socket.sh
+    dest: "{{ gpg_configure_agent_script }}"
+    mode: 0700
+  when: gpg_agent_config_enable_ssh_support
+
+- name: Ensure gnupg_agent script is included in bashrc
+  lineinfile:
+    path: "~/.bashrc"
+    line: "source {{ gpg_configure_agent_script }}"
+    state: present
+  when: gpg_agent_config_enable_ssh_support

roles/gnupg/templates/gpg-agent.conf.j2

@@ -0,0 +1,13 @@
+default-cache-ttl {{ gpg_agent_config_cache_ttl }}
+default-cache-ttl-ssh {{ gpg_agent_config_cache_ttl_ssh }}
+max-cache-ttl {{ gpg_agent_config_cache_ttl }}
+max-cache-ttl-ssh {{ gpg_agent_config_cache_ttl_ssh }}
+{% if not gpg_agent_config_allow_external_cache %}
+no-allow-external-cache
+{% endif %}
+{% if gpg_agent_config_enable_ssh_support %}
+enable-ssh-support
+{% endif %}
+{% if gpg_agent_config_ignore_cache_for_signing %}
+ignore-cache-for-signing
+{% endif %}

roles/gnupg/templates/gpg.conf.j2

@@ -0,0 +1,32 @@
+{% if not gpg_config_emit_version %}
+no-emit-version
+{% endif %}
+{% if not gpg_config_comments %}
+no-comments
+{% endif %}
+cert-digest-algo {{ gpg_config_cert_digest_algo }}
+personal-cipher-preferences AES AES256 AES192 CAST5
+personal-digest-preferences SHA256 SHA512 SHA384 SHA224
+{% if gpg_config_ignore_time_conflict %}
+ignore-time-conflict
+{% endif %}
+{% if gpg_config_trusted_key %}
+trusted-key {{ gpg_config_trusted_key }}
+{% endif %}
+
+# How to render keys
+keyid-format {{ gpg_config_keyid_format }}
+{% if gpg_config_with_fingerprint %}
+with-fingerprint
+{% endif %}
+{% if gpg_config_allow_freeform_uid %}
+allow-freeform-uid
+{% endif %}
+
+# Keyserver settings
+{% if gpg_config_keyserver %}
+keyserver {{ gpg_config_keyserver }}
+{% endif %}
+{% if gpg_config_keyserver_options %}
+keyserver-options {{ gpg_config_keyserver_options | join(' ') }}
+{% endif%}

roles/gnupg/templates/scdaemon.conf.j2

@@ -0,0 +1,12 @@
+{% if gpg_scdaemon_config_disable_ccid | default(false) %}
+disable-ccid
+{% endif %}
+{% if gpg_scdaemon_config_card_timeout | default(false) %}
+card-timeout {{ gpg_scdaemon_config_card_timeout }}
+{% endif %}
+{% if gpg_scdaemon_config_driver | default(false) %}
+pcsc-driver {{ gpg_scdaemon_config_driver }}
+{% endif %}
+{% if gpg_scdaemon_config_pcsc_shared | default(true) %}
+pcsc-shared
+{% endif %}

roles/gnupg/templates/sshcontrol.j2

@@ -0,0 +1,14 @@
+# List of allowed ssh keys.  Only keys present in this file are used
+# in the SSH protocol.  The ssh-add tool may add new entries to this
+# file to enable them; you may also add them manually.  Comment
+# lines, like this one, as well as empty lines are ignored.  Lines do
+# have a certain length limit but this is not serious limitation as
+# the format of the entries is fixed and checked by gpg-agent. A
+# non-comment line starts with optional white spaces, followed by the
+# keygrip of the key given as 40 hex digits, optionally followed by a
+# caching TTL in seconds, and another optional field for arbitrary
+# flags.   Prepend the keygrip with an '!' mark to disable it.
+
+{% for keygrip in gpg_keygrips_for_ssh %}
+{{ keygrip }}
+{% endfor %}