From 865e33d8dc22b3ead10415f1cca1adb69124c4df Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Fri, 1 Mar 2024 14:48:37 +0100
Subject: [PATCH 01/10] fix: Https forward rule must create iptables directory
---
roles/pve_https_forward/tasks/main.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index dcb0363..1205652 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -19,6 +19,14 @@
set -o pipefail
iptables-save -t nat | grep 'Proxmox'
+- name: Create iptables directory
+ ansible.builtin.file:
+ path: /etc/iptables
+ state: directory
+ owner: root
+ group: root
+ mode: "0640"
+
+- name: "Save iptables state to a file"
+ ansible.builtin.copy:
+ dest: /etc/iptables/nat.rules.v4
From 58fa1a5ceb7859517a8fb0708829f4e90424be1b Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Tue, 5 Mar 2024 15:07:13 +0100
Subject: [PATCH 02/10] pve_apt cleanup
---
roles/pve_apt/tasks/ceph.yaml | 22 +++++++++++++++
roles/pve_apt/tasks/main.yaml | 22 +++++++++++++++
roles/pve_apt/tasks/main.yml | 53 -----------------------------------
roles/pve_apt/tasks/pve.yaml | 15 ++++++++++
4 files changed, 59 insertions(+), 53 deletions(-)
create mode 100644 roles/pve_apt/tasks/ceph.yaml
create mode 100644 roles/pve_apt/tasks/main.yaml
delete mode 100644 roles/pve_apt/tasks/main.yml
create mode 100644 roles/pve_apt/tasks/pve.yaml
diff --git a/roles/pve_apt/tasks/ceph.yaml b/roles/pve_apt/tasks/ceph.yaml
new file mode 100644
index 0000000..fb40cff
--- /dev/null
+++ b/roles/pve_apt/tasks/ceph.yaml
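Review bot: `mode: "0640"` on the new `Create iptables directory` task is a file mode applied to a directory: it lacks the search (x) bit, so only root, which bypasses the check, can enter `/etc/iptables`, and any unprivileged process that later needs to read the saved rules would get EACCES. Use a directory mode such as `mode: "0750"` (rules stay readable by root only, directory traversable) or `"0755"` if the saved NAT rules are not considered sensitive. The `Save iptables state to a file` task that follows begins in the hunk but its remaining parameters are outside it.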
@@ -0,0 +1,22 @@
+- name: Make sure ceph list file exists
+ ansible.builtin.file:
+ path: /etc/apt/sources.list.d/ceph.list
+ owner: root
+ group: root
+ mode: "0644"
+ state: touch
+
+- name: Remove Ceph Quincy enterprise repository
+ register: pve_apt_ceph_enterprise
+ ansible.builtin.lineinfile:
+ path: /etc/apt/sources.list.d/ceph.list
+ line: deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise
+ state: absent
+
+- name: Add Ceph Quincy no-subscription repository
+ register: pve_apt_ceph_no_sub
+ ansible.builtin.lineinfile:
+ path: /etc/apt/sources.list.d/ceph.list
+ regexp: "^deb http://download.proxmox.com/debian/ceph-quincy.*"
+ line: deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription
+ state: present
diff --git a/roles/pve_apt/tasks/main.yaml b/roles/pve_apt/tasks/main.yaml
new file mode 100644
index 0000000..54a735e
--- /dev/null
+++ b/roles/pve_apt/tasks/main.yaml
@@ -0,0 +1,22 @@
+- name: Get Debian version
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grep 'VERSION=' /etc/os-release | grep -Eo '[a-z]+'
+ args:
+ executable: /bin/bash
+ register: debver
+ changed_when: false
+
+- name: Configure pve repositories
+ ansible.builtin.include_tasks:
+ file: pve.yaml
+
+- name: Configure ceph repositories
+ ansible.builtin.include_tasks:
+ file: ceph.yaml
+
+- name: APT update
+ when: pve_apt_enterprise.changed or pve_apt_nosub.changed or pve_apt_ceph_enterprise.changed or pve_apt_ceph_no_sub.changed
+ ansible.builtin.apt:
+ update_cache: true
diff --git a/roles/pve_apt/tasks/main.yml b/roles/pve_apt/tasks/main.yml
deleted file mode 100644
index 2b6973f..0000000
--- a/roles/pve_apt/tasks/main.yml
+++ /dev/null
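Review bot: `state: touch` in `Make sure ceph list file exists` reports changed and rewrites the file's timestamps on every run, so this task is never idempotent; add `modification_time: preserve` and `access_time: preserve` under the same `ansible.builtin.file` call, which keeps the ownership/mode enforcement and only creates the file when it is missing. The two repository lines also hard-code `bookworm`, while `pve.yaml` in the same commit derives the suite from `{{ debver.stdout }}`; one of the two should follow the other, otherwise a Debian upgrade leaves Ceph pinned to the old suite without anyone noticing. If the pin is deliberate, say so above the task, e.g. `# Ceph suite is pinned to bookworm on purpose; pve.yaml follows the detected release`.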
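Review bot: `Get Debian version` shells out to `grep 'VERSION=' /etc/os-release | grep -Eo '[a-z]+'` to recover the suite name, and `-o` prints every lowercase run it finds as a separate line, so `debver.stdout` silently becomes multi-line if the `VERSION` string ever carries extra words and the repository line built from it in `pve.yaml` breaks. Ansible already gathers this value as `ansible_facts['distribution_release']`; `pve.yaml` can use that directly and this shell task can be dropped. Separately, the `when:` on `APT update` dereferences four results registered only inside the included files, so if either include is ever skipped the play errors here with an undefined variable rather than at the skip; guarding each with `is defined` keeps the failure mode explicit. A `---` document start is also missing from all three new task files.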
@@ -1,53 +0,0 @@
-- name: Remove enteprise repository
- register: pve_apt_enterprise
- ansible.builtin.file:
- path: /etc/apt/sources.list.d/pve-enterprise.list
- state: absent
-
-- name: Get Debian version
- ansible.builtin.shell:
- cmd: |
- set -o pipefail
- grep 'VERSION=' /etc/os-release | grep -Eo '[a-z]+'
- args:
- executable: /bin/bash
- register: debver
- changed_when: false
-
-- name: Add free (no-subscription) repository
- register: pve_apt_nosub
- ansible.builtin.copy:
- dest: /etc/apt/sources.list.d/pve-no-subscription.list
- owner: root
- group: root
- mode: "0640"
- content: |
- deb http://download.proxmox.com/debian/pve {{ debver.stdout }} pve-no-subscription
-
-- name: Make sure ceph list file exists
- ansible.builtin.file:
- path: /etc/apt/sources.list.d/ceph.list
- owner: root
- group: root
- mode: "0644"
- state: touch
-
-- name: Remove Ceph Quincy enterprise repository
- register: pve_apt_ceph_enterprise
- ansible.builtin.lineinfile:
- path: /etc/apt/sources.list.d/ceph.list
- line: deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise
- state: absent
-
-- name: Add Ceph Quincy no-subscription repository
- register: pve_apt_ceph_no_sub
- ansible.builtin.lineinfile:
- path: /etc/apt/sources.list.d/ceph.list
- regexp: "^deb http://download.proxmox.com/debian/ceph-quincy.*"
- line: deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription
- state: present
-
-- name: APT update
- when: pve_apt_enterprise.changed or pve_apt_nosub.changed or pve_apt_ceph_enterprise.changed or pve_apt_ceph_no_sub.changed
- ansible.builtin.apt:
- update_cache: true
diff --git a/roles/pve_apt/tasks/pve.yaml b/roles/pve_apt/tasks/pve.yaml
new file mode 100644
index 0000000..d1d86ed
--- /dev/null
+++ b/roles/pve_apt/tasks/pve.yaml
@@ -0,0 +1,15 @@
+- name: Remove enteprise repository
+ register: pve_apt_enterprise
+ ansible.builtin.file:
+ path: /etc/apt/sources.list.d/pve-enterprise.list
+ state: absent
+
+- name: Add free (no-subscription) repository
+ register: pve_apt_nosub
+ ansible.builtin.copy:
+ dest: /etc/apt/sources.list.d/pve-no-subscription.list
+ owner: root
+ group: root
+ mode: "0640"
+ content: |
+ deb http://download.proxmox.com/debian/pve {{ debver.stdout }} pve-no-subscription
\ No newline at end of file
From 3bcf9364f88d2aa2ade90b239abcf7ca0533baff Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Wed, 6 Mar 2024 21:05:23 +0100
Subject: [PATCH 03/10] no-sub-warning role
---
roles/add pve_nosubs_warning/tasks/main.yaml | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 roles/add pve_nosubs_warning/tasks/main.yaml
diff --git a/roles/add pve_nosubs_warning/tasks/main.yaml b/roles/add pve_nosubs_warning/tasks/main.yaml
new file mode 100644
index 0000000..970496e
--- /dev/null
+++ b/roles/add pve_nosubs_warning/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: Replace dialog script
+ ansible.builtin.replace:
+ path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+ before: "title:\\s+gettext\\('No valid subscription'\\)"
+ regexp: 'Ext\.Msg\.show'
+ replace: 'void'
+ backup: true
\ No newline at end of file
From cd2b24edd9b832cd17c522d09d2b3bfa3a0017b1 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Wed, 6 Mar 2024 21:08:14 +0100
Subject: [PATCH 04/10] no-sub-warning role 2
---
.../tasks/main.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename roles/{add pve_nosubs_warning => pve_nosubs_warning}/tasks/main.yaml (100%)
diff --git a/roles/add pve_nosubs_warning/tasks/main.yaml b/roles/pve_nosubs_warning/tasks/main.yaml
similarity index 100%
rename from roles/add pve_nosubs_warning/tasks/main.yaml
rename to roles/pve_nosubs_warning/tasks/main.yaml
From 51e0874619aae71ec2fc223446aa97ec6227158c Mon Sep 17 00:00:00 2001
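Review bot: `pve.yaml` expands `{{ debver.stdout }}` in its `content:` block, but nothing in this file registers `debver`; it only works because `main.yaml` runs `Get Debian version` before including it, and that ordering is invisible from here. Either state the contract above the first task, e.g. `# Expects debver (registered by main.yaml's "Get Debian version") - only include from main.yaml`, or remove the dependency by using `{{ ansible_facts['distribution_release'] }}` instead. The file is also written without a trailing newline (`\ No newline at end of file`), and it sets `mode: "0640"` on its list file while `ceph.yaml` in the same commit uses `"0644"`; pick one mode for the role so the two sources files are not treated differently.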
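Review bot: `before:` in `Replace dialog script` does not tie the substitution to the subscription dialog: `ansible.builtin.replace` rewrites every `Ext.Msg.show` that occurs anywhere before the first `title: gettext('No valid subscription')` match, so if another dialog precedes it in `proxmoxlib.js` that dialog is silently replaced as well. Capturing the dialog in the pattern itself is safer and needs no `before:`, e.g. `regexp: "Ext\\.Msg\\.show(\\(\\{\\s+title:\\s+gettext\\('No valid subscription'\\))"` with `replace: 'void\1'`. `backup: true` also leaves `proxmoxlib.js.<timestamp>~` copies inside `/usr/share/javascript/`, a tree that pveproxy appears to serve to browsers, and the package that owns the file restores the original on every proxmox-widget-toolkit upgrade, so this task must be re-run after upgrades and the edit is only visible once pveproxy is restarted; a `notify:` to a restart handler belongs here. The role directory name `add pve_nosubs_warning` contains a space, which the next commit in the series already renames.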
From: Lukas Holota
Date: Thu, 14 Mar 2024 10:35:00 +0100
Subject: [PATCH 05/10] fix
---
roles/pve_https_forward/tasks/main.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index 1205652..23184bf 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -1,12 +1,13 @@ - name: "Set up port redirect (443 -> 8006)"
- ansible.builtin.iptables:
+ :
table: nat
chain: PREROUTING
protocol: tcp
- destination_port: 443
- to_ports: 8006
+ # destination_port: 443
+ # to_ports: 8006
+ to_destination: "{{ ansible_host }}:8006"
source: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
- jump: REDIRECT
+ jump: DNAT # REDIRECT
comment: "Enable Proxmox admin interface on 443"
in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local
From 1af8bbc1ba57c01a9511c48e7e5b48a854a83887 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Thu, 14 Mar 2024 10:37:22 +0100
Subject: [PATCH 06/10] fix 2
---
roles/pve_https_forward/tasks/main.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index 23184bf..f511e14 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -1,5 +1,4 @@ - name: "Set up port redirect (443 -> 8006)"
- :
table: nat
chain: PREROUTING
protocol: tcp
From 4949cc2b72d748fd3ed841fda3af9cbedf607311 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Thu, 14 Mar 2024 10:39:16 +0100
Subject: [PATCH 07/10] fix 3
---
roles/pve_https_forward/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index f511e14..1e430ae 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -1,4 +1,5 @@ - name: "Set up port redirect (443 -> 8006)"
+ ansible.builtin.iptables:
table: nat
chain: PREROUTING
protocol: tcp
From d3953321a7be5d0d3da12cd8aa2ad7f20b487176 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Thu, 14 Mar 2024 10:44:47 +0100
Subject: [PATCH 08/10] fix 4
---
roles/pve_https_forward/tasks/main.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index 1e430ae..4a537be 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -3,7 +3,8 @@
table: nat
chain: PREROUTING
protocol: tcp
- # destination_port: 443
+ destination_port: 443
+ match: tcp
# to_ports: 8006
to_destination: "{{ ansible_host }}:8006"
source: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
From ef3620aa93df1c1331874ddf0c4ce38524fead97 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Thu, 14 Mar 2024 10:50:55 +0100
Subject: [PATCH 09/10] fix 5
---
roles/pve_https_forward/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index 4a537be..c87c5dd 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -7,7 +7,7 @@
match: tcp
# to_ports: 8006
to_destination: "{{ ansible_host }}:8006"
- source: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
+ destination: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
jump: DNAT # REDIRECT
comment: "Enable Proxmox admin interface on 443"
in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local
From 497c90d79a45c18cce80b266b20d4943e3088074 Mon Sep 17 00:00:00 2001
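Review bot: `destination: "{{ ansible_host }}"` (and `to_destination` on the line above it) hand the inventory connection address to iptables, and `ansible_host` may be a DNS name rather than an IP; iptables resolves a name once at insert time and creates one rule per address it resolves to, and iptables(8) documents DNAT's `--to-destination` as taking addresses only, so on such hosts the task would fail or match an address the author did not intend. Prefer an address fact or an explicit role variable, e.g. `destination: "{{ pve_https_forward_addr | default(ansible_default_ipv4.address) }}"` (variable name illustrative) and the same expression for `to_destination`. The `match: tcp` added in the previous commit (fix 4) is redundant next to `protocol: tcp`, since iptables loads the tcp match implicitly for `--dport`; harmless, but worth dropping for clarity. The task's `- name:` line and `ansible.builtin.iptables:` key sit above this hunk.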
From: Lukas Holota
Date: Tue, 21 May 2024 12:27:46 +0200
Subject: [PATCH 10/10] Checkpoint
---
roles/pve_https_forward/tasks/main.yml | 3 +--
roles/pve_users/tasks/main.yml | 6 ------
2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
index c87c5dd..b6cdfce 100644
--- a/roles/pve_https_forward/tasks/main.yml
+++ b/roles/pve_https_forward/tasks/main.yml
@@ -5,10 +5,9 @@
protocol: tcp
destination_port: 443
match: tcp
- # to_ports: 8006
to_destination: "{{ ansible_host }}:8006"
destination: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
- jump: DNAT # REDIRECT
+ jump: DNAT
comment: "Enable Proxmox admin interface on 443"
in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local
diff --git a/roles/pve_users/tasks/main.yml b/roles/pve_users/tasks/main.yml
index b0c57e7..01be00e 100644
--- a/roles/pve_users/tasks/main.yml
+++ b/roles/pve_users/tasks/main.yml
@@ -15,9 +15,3 @@
when: pve_users is defined
vars:
user: "{{ item }}"
-
-- name: Remove root@pam user
- ansible.builtin.lineinfile:
- path: /etc/pve/user.cfg
- state: absent
- regex: "^user:root@pam:(.*)"