Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 9m3s
CI / secret-scanning (pull_request) Successful in 3m19s
CI / dependency-scan (pull_request) Successful in 7m13s
CI / sast-scan (pull_request) Successful in 6m38s
CI / license-check (pull_request) Successful in 1m16s
CI / vault-check (pull_request) Failing after 6m40s
CI / playbook-test (pull_request) Successful in 9m28s
CI / container-scan (pull_request) Successful in 7m59s
CI / sonar-analysis (pull_request) Failing after 1m11s
CI / workflow-summary (pull_request) Successful in 1m11s
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs
- Add playbooks/app/: Proxmox app stack provisioning and configuration
- Add roles/app_setup: Generic app deployment role (Node.js/systemd)
- Add roles/base_os: Base OS hardening role
- Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling
- Add IP uniqueness validation: Preflight check for duplicate IPs within projects
- Add Proxmox-side IP conflict detection: Check existing LXC net0 configs
- Update inventories/production/group_vars/all/main.yml: Add pote project config
- Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP)
- Update .gitignore: Exclude deploy keys, backup files, and other secrets
- Update documentation: README, role docs, execution flow guides

Security:
- All secrets stored in encrypted vault.yml (never committed in plaintext)
- Deploy keys excluded via .gitignore
- IP conflict guardrails prevent accidental duplicate IP assignments
Role: proxmox_vm
Provision Proxmox guests via API. This role supports both:
- LXC containers (proxmox_guest_type: lxc) via community.proxmox.proxmox
- KVM VMs (proxmox_guest_type: kvm) via community.general.proxmox_kvm
The entry point is roles/proxmox_vm/tasks/main.yml, which dispatches to tasks/lxc.yml or tasks/kvm.yml.
Requirements
- Ansible (project tested with modern Ansible; older 2.9-era setups may need adjustments)
- Proxmox VE API access
- Collections: community.proxmox, community.general (for proxmox_kvm)
- Python lib on the control machine: proxmoxer (installed by make bootstrap / requirements.txt)
Authentication (vault-backed)
Store secrets in inventories/production/group_vars/all/vault.yml:
- vault_proxmox_host
- vault_proxmox_user
- vault_proxmox_password (or token auth)
- vault_proxmox_token_id (optional)
- vault_proxmox_token (optional)
- vault_ssh_public_key (used for bootstrap access where applicable)
Key variables
Common:
- proxmox_guest_type: lxc or kvm
- proxmox_host, proxmox_user, proxmox_node
- proxmox_api_port (default 8006)
- proxmox_validate_certs (default false, i.e. the API's TLS certificate is not verified)
LXC (tasks/lxc.yml):
- lxc_vmid, lxc_hostname
- lxc_ostemplate (e.g. local:vztmpl/debian-12-standard_*.tar.zst)
- lxc_storage (default local-lvm)
- lxc_network_bridge (default vmbr0)
- lxc_ip (CIDR), lxc_gateway
- lxc_cores, lxc_memory_mb, lxc_swap_mb, lxc_rootfs_size_gb
KVM (tasks/kvm.yml):
- vm_id, vm_name
- vm_cores, vm_memory, vm_disk_size
- vm_storage, vm_network_bridge
- cloud-init parameters used by the existing KVM provisioning flow
Safety guardrails
LXC provisioning includes a VMID collision guardrail:
- If the target VMID already exists but the guest name does not match the expected name, provisioning fails.
- Override only if you really mean it: -e allow_vmid_collision=true
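The guardrail logic above, plus the Proxmox-side IP conflict detection and the within-project duplicate-IP preflight from the commit message, as an added worked example in plain Python that is not code from the proxmox_vm role. The function names, the sample guest list and the net0 strings are assumptions shaped like the Proxmox API's responses, so the example runs offline without a cluster.

```python
"""Added example, not code from the proxmox_vm role: VMID collision and
duplicate-IP guardrails as pure functions over constructed API-shaped data."""
import ipaddress
import re

# Constructed sample of GET /cluster/resources?type=vm (fields trimmed).
EXISTING_GUESTS = [
    {"vmid": 9301, "name": "projectA-dev", "type": "lxc"},
    {"vmid": 9302, "name": "projectB-dev", "type": "lxc"},
]
# Constructed sample of each container's net0 line from /nodes/<node>/lxc/<vmid>/config.
EXISTING_NET0 = {
    9301: "name=eth0,bridge=vmbr0,ip=10.0.10.101/24,gw=10.0.10.1",
    9302: "name=eth0,bridge=vmbr0,ip=10.0.10.102/24,gw=10.0.10.1",
}

def check_vmid(vmid, expected_name, guests, allow_vmid_collision=False):
    """Mirror the role's rule: an existing VMID is only acceptable when its name
    matches the expected hostname (an idempotent re-run); any other occupant is a
    collision, refused unless allow_vmid_collision was passed explicitly."""
    match = next((g for g in guests if g["vmid"] == vmid), None)
    if match is None:
        return "create"
    if match["name"] == expected_name:
        return "update"
    if allow_vmid_collision:
        return "override"
    raise ValueError(f"VMID {vmid} belongs to '{match['name']}', not '{expected_name}'")

def net0_ip(net0):
    """Pull the static address out of a net0 string; None for dhcp/manual/unset."""
    m = re.search(r"(?:^|,)ip=([^,]+)", net0)
    if not m or m.group(1) in ("dhcp", "manual"):
        return None
    return ipaddress.ip_interface(m.group(1)).ip

def check_ip(vmid, lxc_ip, net0_by_vmid):
    """Proxmox-side conflict detection: refuse an address already configured on
    another container; the target's own VMID is skipped so re-runs stay clean."""
    wanted = ipaddress.ip_interface(lxc_ip).ip
    for other, net0 in net0_by_vmid.items():
        if other != vmid and net0_ip(net0) == wanted:
            raise ValueError(f"{wanted} is already assigned to VMID {other}")
    return True

def duplicate_ips(assignments):
    """Inventory preflight: return the addresses requested by more than one host."""
    seen = [ipaddress.ip_interface(cidr).ip for cidr in assignments.values()]
    return sorted({ip for ip in seen if seen.count(ip) > 1})
```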
Example usage
Provisioning is typically orchestrated by playbooks/app/provision_vms.yml, but you can call the role directly:
```yaml
- name: Provision one LXC
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Create/update container
      ansible.builtin.include_role:
        name: proxmox_vm
      vars:
        proxmox_guest_type: lxc
        lxc_vmid: 9301
        lxc_hostname: projectA-dev
        lxc_ip: "10.0.10.101/24"
        lxc_gateway: "10.0.10.1"
```