fix: HTTPS forward rule

roles/pve_apt/tasks/ceph.yaml

@@ -0,0 +1,22 @@
+- name: Make sure ceph list file exists
+  ansible.builtin.file:
+    path: /etc/apt/sources.list.d/ceph.list
+    owner: root
+    group: root
+    mode: "0644"
+    state: touch
+
+- name: Remove Ceph Quincy enterprise repository
+  register: pve_apt_ceph_enterprise
+  ansible.builtin.lineinfile:
+    path: /etc/apt/sources.list.d/ceph.list
+    line: deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise
+    state: absent
+
+- name: Add Ceph Quincy no-subscription repository
+  register: pve_apt_ceph_no_sub
+  ansible.builtin.lineinfile:
+    path: /etc/apt/sources.list.d/ceph.list
+    regexp: "^deb http://download.proxmox.com/debian/ceph-quincy.*"
+    line: deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription
+    state: present

roles/pve_apt/tasks/main.yaml

@@ -0,0 +1,22 @@
+- name: Get Debian version
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      grep 'VERSION=' /etc/os-release | grep -Eo '[a-z]+'
+  args:
+    executable: /bin/bash
+  register: debver
+  changed_when: false
+
+- name: Configure pve repositories
+  ansible.builtin.include_tasks:
+    file: pve.yaml
+
+- name: Configure ceph repositories
+  ansible.builtin.include_tasks:
+    file: ceph.yaml
+
+- name: APT update
+  when: pve_apt_enterprise.changed or pve_apt_nosub.changed or pve_apt_ceph_enterprise.changed or pve_apt_ceph_no_sub.changed
+  ansible.builtin.apt:
+    update_cache: true

roles/pve_apt/tasks/pve.yaml

@@ -0,0 +1,15 @@
+- name: Remove enteprise repository
+  register: pve_apt_enterprise
+  ansible.builtin.file:
+    path: /etc/apt/sources.list.d/pve-enterprise.list
+    state: absent
+
+- name: Add free (no-subscription) repository
+  register: pve_apt_nosub
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/pve-no-subscription.list
+    owner: root
+    group: root
+    mode: "0640"
+    content: |
+      deb http://download.proxmox.com/debian/pve {{ debver.stdout }} pve-no-subscription

roles/pve_https_forward/tasks/main.yml

@@ -4,9 +4,10 @@
     chain: PREROUTING
     protocol: tcp
     destination_port: 443
-    to_ports: 8006
-    source: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
-    jump: REDIRECT
+    match: tcp
+    to_destination: "{{ ansible_host }}:8006"
+    destination: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip
+    jump: DNAT
     comment: "Enable Proxmox admin interface on 443"
     in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local
 
@@ -19,6 +20,14 @@
       set -o pipefail
       iptables-save -t nat | grep 'Proxmox'
 
+- name: Create iptables directory
+  ansible.builtin.file:
+    path: /etc/iptables
+    state: directory
+    owner: root
+    group: root
+    mode: "0640"
+
 - name: "Save iptables state to a file"
   ansible.builtin.copy:
     dest: /etc/iptables/nat.rules.v4

roles/pve_nosubs_warning/tasks/main.yaml

@@ -0,0 +1,7 @@
+- name: Replace dialog script
+  ansible.builtin.replace:
+    path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+    before: "title:\\s+gettext\\('No valid subscription'\\)"
+    regexp: 'Ext\.Msg\.show'
+    replace: 'void'
+    backup: true

roles/pve_users/tasks/main.yml

@@ -15,9 +15,3 @@
   when: pve_users is defined
   vars:
     user: "{{ item }}"
-
-- name: Remove root@pam user
-  ansible.builtin.lineinfile:
-    path: /etc/pve/user.cfg
-    state: absent
-    regex: "^user:root@pam:(.*)"