Project reworked.

README.md

@@ -5,33 +5,31 @@
 Changes settings on the virtualization host <b>Proxmox</b>.
 
 The following steps will be performed:
-- Update login manager configuration to turn off the screen without suspending
+- Updates the login manager configuration to disable hardware buttons<br>*PowerKey, SuspendKey, HibernateKey, etc.*
 - Remove Proxmox enterprise repository
 - Add Proxmox no-subscription repository
 - Enable the Web UI on port 443
 
 For the last point *(Web UI on port 443)* the recommendation from the [official documentation](https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy) was used.
 
-## Workspace
+## Preparation
 
-Open the workspace file `ansible-proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code.
+Configure on the Proxmox an **ACME Challenge** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created. The playbook checks if this file exists, the web server will not start otherwise.
 
-Predefined build tasks:
-| Task         | Description                                |            Command |
-| ------------ | ------------------------------------------ | -----------------: |
-| 🚀 Deploy     | Run the main playbook with all tasks.      | `ansible-playbook` |
-| 🧪 Check      | Check the code without making any changes. | `ansible-playbook` |
-| 🔑 Edit vault | Edits the encrypted vault file.            |    `ansible-vault` |
+> This project is intended for my home proxmox server and should not be used on production servers.
 
-## Requirements
+## Versions
 
-Prerequisites for this workspace.
+The following versions were tested:
 
-- Ansible package
-- Vault file in your home directory (`~/.vault`)
+✅ Proxmox VE 7.4-xx
 
-## Security
+## Workspace
 
-Security-critical data such as passwords or keys are encrypted with Ansible Vault.
+Open the workspace file `proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code.
 
-> If you read this and find something, I did something wrong and you can email me at [[email protected]](mailto:[email protected]).
+Predefined build tasks:
+| Task     | Description                                |            Command |
+| -------- | ------------------------------------------ | -----------------: |
+| 🚀 Deploy | Run the main playbook with all tasks.      | `ansible-playbook` |
+| 🧪 Check  | Check the code without making any changes. | `ansible-playbook` |

inventory.yml

@@ -4,5 +4,3 @@ all:
       ansible_user: root
       ansible_host: proxmox.thinkbox.center
       ansible_python_interpreter: /usr/bin/python3
-  vars:
-    ansible_ssh_pipelining: true

playbook.yml

@@ -3,15 +3,24 @@
   gather_facts: true
   become: true
   tasks:
-    - name: Template login manager configuration
-      ansible.builtin.template:
-        src: logind.conf.j2
-        dest: /etc/systemd/logind.conf
-        owner: root
-        group: root
-        mode: 0644
-      notify:
-        - Restart login manager
+    - name: Ensure certificate is present
+      block:
+        - name: Get stats from pveproxy-ssl.pem
+          ansible.builtin.stat:
+            path: /etc/pve/local/pveproxy-ssl.pem
+          register: cert_pem
+
+        - name: Get stats from pveproxy-ssl.key
+          ansible.builtin.stat:
+            path: /etc/pve/local/pveproxy-ssl.key
+          register: cert_key
+
+        - name: Ensure that ACME has been set up
+          ansible.builtin.assert:
+            that:
+              - cert_pem.stat.exists == true
+              - cert_key.stat.exists == true
+            fail_msg: "Certificate was not found, make sure ACME has been set up."
 
     - name: Configure repositories
       block:
@@ -29,47 +38,64 @@
             state: present
             update_cache: true
 
+    - name: Template login manager configuration
+      ansible.builtin.template:
+        src: logind.conf.j2
+        dest: /etc/systemd/logind.conf
+        owner: root
+        group: root
+        mode: "0644"
+      notify:
+        - Restart login manager
+
     - name: Install nginx
       ansible.builtin.apt:
         name:
-          - nginx
+          - nginx-light
         policy_rc_d: 101 # Prevent autostart
 
     - name: Configure nginx
       notify:
         - Stop nginx
       block:
-        - name: Remove nginx default configuration
+        - name: Template nginx site
+          ansible.builtin.template:
+            src: nginx.proxmox.conf.j2
+            dest: /etc/nginx/sites-available/default
+            owner: root
+            group: root
+            mode: "0644"
+
+        - name: Enable nginx site
           ansible.builtin.file:
-            path: "{{ item }}"
-            state: absent
-          loop:
-            - /etc/nginx/conf.d/default
-            - /etc/nginx/sites-enabled/default
-            - /etc/nginx/sites-available/default
-            - /var/www/html/index.nginx-debian.html
+            src: /etc/nginx/sites-available/proxmox.conf
+            dest: /etc/nginx/sites-enabled/proxmox.conf
+            owner: root
+            group: root
+            state: link
 
         - name: Template nginx configuration
           ansible.builtin.template:
-            src: proxmox.conf.j2
-            dest: /etc/nginx/conf.d/proxmox.conf
+            src: nginx.conf.j2
+            dest: /etc/nginx/nginx.conf
             owner: root
             group: root
-            mode: 0644
+            mode: "0644"
+            validate: nginx -t -c "%s"
 
         - name: Ensure nginx override folder exists
           ansible.builtin.file:
             path: /etc/systemd/system/nginx.service.d
             state: directory
-            mode: 0755
+            mode: "0755"
 
         - name: Template nginx override configuration
           ansible.builtin.template:
-            src: override.conf.j2
+            src: nginx.service.override.conf.j2
             dest: /etc/systemd/system/nginx.service.d/override.conf
             owner: root
             group: root
-            mode: 0644
+            mode: "0644"
 
     - name: Stop nginx if configuration has changed
       ansible.builtin.meta: flush_handlers

proxmox.code-workspace

@@ -0,0 +1,36 @@
+{
+	"folders": [
+		{
+			"path": "."
+		}
+	],
+	"tasks": {
+		"version": "2.0.0",
+		"tasks": [
+			{
+				"label": "🚀 Deploy",
+				"detail": "Run the main playbook with all tasks.",
+				"type": "shell",
+				"command": "ansible-playbook --inventory inventory.yml playbook.yml",
+				"args": [],
+				"problemMatcher": [],
+				"group": {
+					"kind": "build",
+					"isDefault": false
+				}
+			},
+			{
+				"label": "🧪 Check",
+				"detail": "Check the code without making any changes.",
+				"type": "shell",
+				"command": "ansible-playbook --inventory inventory.yml playbook.yml --check",
+				"args": [],
+				"problemMatcher": [],
+				"group": {
+					"kind": "build",
+					"isDefault": true
+				}
+			}
+		]
+	}
+}

templates/logind.conf.j2

@@ -20,13 +20,13 @@
 #KillExcludeUsers=root
 #InhibitDelayMaxSec=5
 #UserStopDelaySec=10
-#HandlePowerKey=poweroff
-#HandleSuspendKey=suspend
-#HandleHibernateKey=hibernate
+HandlePowerKey=ignore
+HandleSuspendKey=ignore
+HandleHibernateKey=ignore
 HandleLidSwitch=ignore
-#HandleLidSwitchExternalPower=suspend
-#HandleLidSwitchDocked=ignore
-#HandleRebootKey=reboot
+HandleLidSwitchExternalPower=ignore
+HandleLidSwitchDocked=ignore
+HandleRebootKey=ignore
 #PowerKeyIgnoreInhibited=no
 #SuspendKeyIgnoreInhibited=no
 #HibernateKeyIgnoreInhibited=no

templates/nginx.conf.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    worker_connections 768;
+}
+
+http {
+
+    sendfile on;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    gzip on;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*.conf;
+}

templates/proxmox.conf.j2 → templates/nginx.proxmox.conf.j2

@@ -1,9 +1,5 @@
 # {{ ansible_managed }}
 
-upstream proxmox {
-    server "proxmox.thinkbox.center";
-}
-
 server {
     listen 80 default_server;
     rewrite ^(.*) https://$host$1 permanent;
@@ -23,9 +19,9 @@ server {
         proxy_pass https://localhost:8006;
         proxy_buffering off;
         client_max_body_size 0;
-        proxy_connect_timeout  3600s;
-        proxy_read_timeout  3600s;
-        proxy_send_timeout  3600s;
-        send_timeout  3600s;
+        proxy_connect_timeout 3600s;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+        send_timeout 3600s;
     }
 }