
17 changed files with 138 additions and 222 deletions


@ -5,12 +5,6 @@
This ansible collection provides various roles for installing This ansible collection provides various roles for installing
and configuring basic system utilities like gnupg, ssh etc and configuring basic system utilities like gnupg, ssh etc
- [`git`](roles/git/README.md): configures git on the target system
- [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
- [`nginx`](roles/nginx/README.md): [nginx](https://www.nginx.com/),
an advanced load balancer, webserver and reverse proxy.
## License ## License
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License


@ -3,9 +3,10 @@ name: base
version: 0.0.1 version: 0.0.1
readme: README.md readme: README.md
authors: authors:
- transcaffeine <transcaffeine@finally.coffee> - Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
description: Roles for base services which are common dependencies other services like databases description: Roles for bootstrapping tools like gpg, ssh and git
license_file: LICENSE.md license:
- CNPLv7+
build_ignore: build_ignore:
- '*.tar.gz' - '*.tar.gz'
repository: https://git.finally.coffee/finallycoffee/base repository: https://git.finally.coffee/finallycoffee/base
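Review bot: The new `license:` list replaces `license_file`, but as far as I recall ansible-galaxy validates `license` entries against the SPDX identifier list, and `CNPLv7+` is not an SPDX identifier, so `ansible-galaxy collection build` (and Galaxy import) may reject or warn on this manifest. `license_file: LICENSE.md` is the documented way to reference a non-SPDX license and should be kept instead of the `license` list; the two keys are mutually exclusive, so only one of them can stay. The author and description edits are fine. Only this hunk of galaxy.yml is visible, so I cannot tell whether other keys were adjusted.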


@ -1,3 +0,0 @@
---
requires_ansible: ">=2.12"


@ -0,0 +1,20 @@
# `debian-proxmox` ansible role
This ansible role can be used to convert a (running and reachable) debian to a proxmox instance.
It automates the instructions from https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye.
## Usage
This role will attempt to ensure that the `/etc/hosts` are configured correctly for PVE.
The public IP of the server should be given in `debian_proxmox_public_ip` and defaults to
`ansible_facts['eno1'].ipv4.address`.
The hostname and fqdn should be correctly set in `debian_proxmox_hostname` and `debian_proxmox_fqdn`,
and default to `ansible_hostname` and `ansible_fqdn` respectively.
## Packages
It is recommended to remove the packages for the `os-prober` (which would attempt to add VMs as bootable entries
in the bootloader) and the default linux kernel `linux-image-amd64` / `linux-image-5.10*` (and use the proxmox-provided
kernel instead). This role will remove those packages without asking, so be aware.


@ -0,0 +1,43 @@
---
debian_proxmox_role_required_packages:
- python3-apt
- gpg
debian_proxmox_apt_repo_fingerprint: "28139A2F830BD68478A1A01FDD4BA3917E23BF59"
debian_proxmox_apt_repo_key_url: "https://enterprise.proxmox.com/debian/proxmox-release-{{ ansible_distribution_release }}.gpg"
debian_proxmox_apt_repo_url: "http://download.proxmox.com/debian/pve"
debian_proxmox_apt_repo: "deb [arch=amd64] {{ debian_proxmox_apt_repo_url }} {{ ansible_distribution_release }} pve-no-subscription"
debian_proxmox_apt_packages:
- "proxmox-ve"
- "postfix"
- "open-iscsi"
debian_proxmox_apt_packages_to_remove:
- "linux-image-amd64"
- "linux-image-{{ (ansible_facts['kernel'] | split('-') | first | split('.'))[:2] | join('.') }}*"
- "os-prober"
debian_proxmox_max_reboot_timeout_seconds: 900
debian_proxmox_public_ip: "{{ ansible_facts['eno1'].ipv4.address }}"
debian_proxmox_loopback_ipv4: "{{ ansible_facts['lo'].ipv4.address }}"
debian_proxmox_hostname: "{{ ansible_hostname }}"
debian_proxmox_fqdn: "{{ ansible_fqdn }}"
debian_proxmox_hosts_file:
- ip: "{{ debian_proxmox_loopback_ipv4 }}"
fqdn: localhost.localdomain
aliases:
- localhost
- ip: "{[ debian_proxmox_public_ip }}"
fqdn: "{{ debian_proxmox_fqdn }}"
aliases:
- "{{ debian_proxmox_hostname }}"
- pvelocalhost
- ip: 127.0.1.1
fqdn: "{{ debian_proxmox_hostname }}"
state: absent
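Review bot: The second `debian_proxmox_hosts_file` entry has its address written as `"{[ debian_proxmox_public_ip }}"` — `{[` is not a Jinja delimiter, so nothing is templated and that literal text becomes the "ip" column in /etc/hosts (and the lineinfile regex built from it), meaning the `fqdn`/`pvelocalhost` mapping Proxmox depends on is never created; it should read `- ip: "{{ debian_proxmox_public_ip }}"`. `debian_proxmox_apt_repo_url` is plain `http://download.proxmox.com/debian/pve`; apt still checks package signatures, but the mirror is reachable over https and `debian_proxmox_apt_repo_key_url` already uses it, so `https://download.proxmox.com/debian/pve` removes a needless cleartext hop for repository metadata. `debian_proxmox_public_ip` defaults to `ansible_facts['eno1'].ipv4.address`, which is undefined on any host whose primary NIC is not called `eno1`; `ansible_default_ipv4.address` would be a more portable default, though the README does tell the operator to set this value explicitly.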


@ -0,0 +1,67 @@
---
- name: Ensure python3-apt and gpg is available
apt:
package: "{{ debian_proxmox_role_required_packages }}"
state: present
- name: Check if target is debian before attempting to convert to proxmox
fail:
msg: "Target is {{ ansible_distribution }} which is not Debian"
when: ansible_distribution != 'Debian'
- name: Check if debian version is supported by role
fail:
msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} is not supported by the role"
when: ansible_distribution_version not in debian_proxmox_supported_debian_versions
- name: Ensure /etc/hosts entries are safe for use with proxmox
lineinfile:
dest: /etc/hosts
line: "{{ item.ip }}\t{{ item.fqdn | default('') }}\t{{ item.aliases | default([]) | join('\t') }}"
regex: "{{ item.ip }}.+"
state: "{{ item.state | default('present') }}"
loop: "{{ debian_proxmox_hosts_file }}"
- name: Ensure Proxmox VE apt repository keys are added
apt_key:
id: "{{ debian_proxmox_apt_repo_fingerprint }}"
url: "{{ debian_proxmox_apt_repo_key_url }}"
state: present
- name: Ensure Proxmox VE apt repository is added
apt_repository:
filename: pve-install-repo
repo: "{{ debian_proxmox_apt_repo }}"
state: present
register: proxmox_ve_apt_repo
- name: Ensure APT cache is up to date
apt:
update_cache: yes
when: proxmox_ve_apt_repo.changed
- name: Ensure system is upgraded
apt:
upgrade: full
- name: Ensure Proxmox VE packages are installed
apt:
package: "{{ debian_proxmox_apt_packages }}"
state: present
register: proxmox_ve_installed
- name: Ensure system is rebooted after install of PVE packages
reboot:
reboot_timeout: "{{ debian_proxmox_max_reboot_timeout_seconds | int }}"
when: proxmox_ve_installed.changed
- name: Ensure packages are removed that will conflict with proxmox operation
apt:
package: "{{ debian_proxmox_apt_packages_to_remove }}"
state: absent
register: proxmox_apt_packages_removed
- name: Ensure grub was updated after the kernel was removed
command: update-grub
when: proxmox_apt_packages_removed.changed
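Review bot: The "Ensure Proxmox VE apt repository keys are added" task uses `apt_key`, which installs the Proxmox release key into the system-wide trusted keyring, so that key can then sign packages for every configured repository rather than just the Proxmox one; `apt_key` is also deprecated upstream. Prefer fetching the key with `get_url` into a dedicated keyring under `/usr/share/keyrings/` and scoping trust with `signed-by=` in the `deb [arch=amd64 …]` options of `debian_proxmox_apt_repo`, keeping the fingerprint check meaningful by verifying the downloaded key against `debian_proxmox_apt_repo_fingerprint` (e.g. `gpg --show-keys --with-colons` in a `command` with `failed_when`). Separately, the lineinfile `regex: "{{ item.ip }}.+"` is unanchored and leaves the dots unescaped, so `127.0.1.1.+` also matches `127.0.1.10` or any line merely containing that substring; `regex: '^{{ item.ip | regex_escape }}\s'` is safer, especially for the `state: absent` entry. The Debian check at "Check if target is debian" runs after the first `apt` task has already installed packages; moving both `fail` checks to the top avoids touching a non-Debian host at all.

```yaml
- name: Ensure Proxmox VE apt repository key is installed in a dedicated keyring
  get_url:
    url: "{{ debian_proxmox_apt_repo_key_url }}"
    dest: "/usr/share/keyrings/proxmox-release-{{ ansible_distribution_release }}.gpg"
    mode: "0644"
- name: Ensure the downloaded key matches the expected fingerprint
  command: "gpg --show-keys --with-colons /usr/share/keyrings/proxmox-release-{{ ansible_distribution_release }}.gpg"
  register: proxmox_key_check
  changed_when: false
  failed_when: "('fpr:::::::::' + debian_proxmox_apt_repo_fingerprint + ':') not in proxmox_key_check.stdout"
# … unchanged: apt_repository task; debian_proxmox_apt_repo gains
#   "deb [arch=amd64 signed-by=/usr/share/keyrings/proxmox-release-{{ ansible_distribution_release }}.gpg] …"
```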


@ -0,0 +1,4 @@
---
debian_proxmox_supported_debian_versions:
- 11
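Review bot: `debian_proxmox_supported_debian_versions` holds the bare YAML integer `11`, but the task that consumes it (`when: ansible_distribution_version not in debian_proxmox_supported_debian_versions`) compares a string fact, so `"11" not in [11]` evaluates true and the role fails on a supported Debian 11 host — unless I am misreading the fact's type. Quote the entry as `- "11"`, and on the task side compare `ansible_distribution_major_version` (the full version fact may carry a minor version such as `11.6`, which would also miss the list). Casting both sides with `| string` / `map('string')` is the robust form if the list is meant to accept either spelling.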


@ -1,19 +0,0 @@
# `finallycoffee.base.git` ansible role
This role configures git for the `ansible_user` and can be used
to (pre)-configure git.
## Examples
```yaml
git_config_user_name: # user name to use for git
git_config_user_email: # email to use for git
git_config_core_editor: vim # editor to use
git_config_credentials:
- remote_url: https://github.com
config:
username: my_github_username
```


@ -1,4 +0,0 @@
# `finallycoffee.base.gnupg` ansible role
Configures GnuPG on the target system, including a Smart-Card (SC) daemon
and can set up gpg-agent as an SSH-agent.


@ -1,19 +0,0 @@
# `finallycoffee.base.mariadb` ansible role
This role deploys a MariaDB instance in a docker container.
## Usage
The role expects the following variables to be populated with values and/or secrets:
```yaml
mariadb_root_password: #mariadb root password
mariadb_database: # name of the database to create
mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
mariadb_password: # password of the user in mariadb_username
```
## Requirements
- Docker installed
- python-docker present on target system for ansible to be able to talk with the docker API.


@ -1,32 +0,0 @@
---
mariadb_version: "10.6.11"
mariadb_base_path: /var/lib/mariadb
mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
mariadb_root_password: ~
mariadb_database: ~
mariadb_username: ~
mariadb_password: ~
mariadb_container_base_environment:
MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
mariadb_container_extra_environment: {}
mariadb_container_name: mariadb
mariadb_container_image_name: docker.io/mariadb
mariadb_container_image_tag: ~
mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
mariadb_container_base_volumes:
- "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
mariadb_container_extra_volumes: []
mariadb_container_base_labels:
version: "{{ mariadb_version }}"
mariadb_container_extra_labels: {}
mariadb_container_restart_policy: "unless-stopped"
mariadb_container_environment: >-2
{{ mariadb_container_base_environment
| combine(mariadb_container_database_environment
if (mariadb_database and mariadb_username and mariadb_password)
else {}, recursive=True)
| combine(mariadb_container_extra_environment) }}


@ -1,20 +0,0 @@
---
- name: Ensure mariaDB container image is present on host
community.docker.docker_image:
name: "{{ mariadb_container_image }}"
state: present
source: pull
- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
community.docker.docker_container:
name: "{{ mariadb_container_name }}"
image: "{{ mariadb_container_image }}"
env: "{{ mariadb_container_environment }}"
ports: "{{ mariadb_container_ports }}"
labels: "{{ mariadb_container_labels }}"
volumes: "{{ mariadb_container_volumes }}"
networks: "{{ mariadb_container_networks | default(omit, true) }}"
etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
restart_policy: "{{ mariadb_container_restart_policy }}"
state: started


@ -1,10 +0,0 @@
---
mariadb_container_database_environment:
MARIADB_DATABASE: "{{ mariadb_database }}"
MARIADB_USER: "{{ mariadb_username }}"
MARIADB_PASSWORD: "{{ mariadb_password }}"
mariadb_container_data_path: /var/lib/mysql
mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"


@ -1,28 +0,0 @@
# `finallycoffee.services.nginx` ansible role
## Description
Runs `nginx`, a HTTP reverse proxy, in a docker container.
## Usage
For the role to do anything, `nginx_config` needs to be populated with the configuration for nginx.
An example would be:
```yaml
nginx_config: |+
server {
listen 80 default_server;
server_name my.server.fqdn;
location / { return 200; }
}
```
The container is named `nginx` by default, this can be overridden in `nginx_container_name`.
When running this role multiple times, `nginx_base_path` should also be changed for each run,
otherwise the configuration files collide in the filesystem.
For exposing this server to the host and/or internet, the `nginx_container_ports` (port forwarding host
from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
(for label-based routing discovery like traefik) can be used. The options correspond to the arguments
of the `community.docker.docker_container` module.


@ -1,33 +0,0 @@
---
nginx_version: "1.25.1"
nginx_flavour: alpine
nginx_base_path: /opt/nginx
nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
nginx_container_name: nginx
nginx_container_image_reference: >-
{{
nginx_container_image_repository
+ ':' + (nginx_container_image_tag
| default(nginx_version
+ (('-' + nginx_flavour) if nginx_flavour is defined else ''), true))
}}
nginx_container_image_repository: >-
{{
(
container_registries[nginx_container_image_registry]
| default(nginx_container_image_registry)
)
+ '/'
+ nginx_container_image_namespace | default('')
+ nginx_container_image_name
}}
nginx_container_image_registry: "docker.io"
nginx_container_image_name: "nginx"
nginx_container_image_tag: ~
nginx_container_restart_policy: "unless-stopped"
nginx_container_volumes:
- "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"


@ -1,8 +0,0 @@
---
- name: Ensure nginx container '{{ nginx_container_name }}' is restarted
community.docker.docker_container:
name: "{{ nginx_container_name }}"
state: started
restart: true
listen: restart-nginx


@ -1,37 +0,0 @@
---
- name: Ensure base path '{{ nginx_base_path }}' exists
ansible.builtin.file:
path: "{{ nginx_base_path }}"
state: directory
mode: 0755
- name: Ensure nginx config file is templated
ansible.builtin.copy:
dest: "{{ nginx_config_file }}"
content: "{{ nginx_config }}"
mode: 0640
notify:
- restart-nginx
- name: Ensure docker container image is present
community.docker.docker_image:
name: "{{ nginx_container_image_reference }}"
state: present
source: pull
force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
- name: Ensure docker container '{{ nginx_container_name }}' is running
community.docker.docker_container:
name: "{{ nginx_container_name }}"
image: "{{ nginx_container_image_reference }}"
env: "{{ nginx_container_env | default(omit, true) }}"
user: "{{ nginx_container_user | default(omit, true) }}"
ports: "{{ nginx_container_ports | default(omit, true) }}"
labels: "{{ nginx_container_labels | default(omit, true) }}"
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
networks: "{{ nginx_container_networks | default(omit, true) }}"
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
restart_policy: "{{ nginx_container_restart_policy }}"
state: started