From 1450c55bf4a8445f96a3eb3f1266dd3d4f34f775 Mon Sep 17 00:00:00 2001
From: patbec <29308797+patbec@users.noreply.github.com>
Date: Sat, 15 Jul 2023 20:19:47 +0200
Subject: [PATCH] Project reworked.
---
.gitignore | 1 -
README.md | 30 ++++----
ansible-proxmox.code-workspace | 58 ---------------
group_vars/all/vault.yml | 6 --
inventory.yml | 2 -
playbook.yml | 74 +++++++++++++------
proxmox.code-workspace | 36 +++++++++
templates/logind.conf.j2 | 12 +--
templates/nginx.conf.j2 | 31 ++++++++
...{proxmox.conf.j2 => nginx.proxmox.conf.j2} | 12 +--
...conf.j2 => nginx.service.override.conf.j2} | 0
11 files changed, 141 insertions(+), 121 deletions(-)
delete mode 100644 .gitignore
delete mode 100644 ansible-proxmox.code-workspace
delete mode 100644 group_vars/all/vault.yml
create mode 100644 proxmox.code-workspace
create mode 100644 templates/nginx.conf.j2
rename templates/{proxmox.conf.j2 => nginx.proxmox.conf.j2} (73%)
rename templates/{override.conf.j2 => nginx.service.override.conf.j2} (100%)
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index c96066d..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/.DS_Store
\ No newline at end of file
diff --git a/README.md b/README.md
index 989dfe2..bd1e4f0 100644
--- a/README.md
+++ b/README.md
@@ -5,33 +5,31 @@
Changes settings on the virtualization host Proxmox.
The following steps will be performed:
-- Update login manager configuration to turn off the screen without suspending
+- Updates the login manager configuration to disable hardware buttons
*PowerKey, SuspendKey, HibernateKey, etc.*
- Remove Proxmox enterprise repository
- Add Proxmox no-subscription repository
- Enable the Web UI on port 443
For the last point *(Web UI on port 443)* the recommendation from the [official documentation](https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy) was used.
-## Workspace
+## Preparation
-Open the workspace file `ansible-proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code.
+Configure on the Proxmox an **ACME Challenge** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created. The playbook checks if this file exists, the web server will not start otherwise.
-Predefined build tasks:
-| Task | Description | Command |
-| ------------ | ------------------------------------------ | -----------------: |
-| ๐ Deploy | Run the main playbook with all tasks. | `ansible-playbook` |
-| ๐งช Check | Check the code without making any changes. | `ansible-playbook` |
-| ๐ Edit vault | Edits the encrypted vault file. | `ansible-vault` |
+> This project is intended for my home proxmox server and should not be used on production servers.
-## Requirements
+## Versions
-Prerequisites for this workspace.
+The following versions were tested:
-- Ansible package
-- Vault file in your home directory (`~/.vault`)
+โ
Proxmox VE 7.4-xx
-## Security
+## Workspace
-Security-critical data such as passwords or keys are encrypted with Ansible Vault.
+Open the workspace file `proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code.
-> If you read this and find something, I did something wrong and you can email me at [security@thinkbox.center](mailto:security@thinkbox.center).
\ No newline at end of file
+Predefined build tasks:
+| Task | Description | Command |
+| -------- | ------------------------------------------ | -----------------: |
+| ๐ Deploy | Run the main playbook with all tasks. | `ansible-playbook` |
+| ๐งช Check | Check the code without making any changes. | `ansible-playbook` |
diff --git a/ansible-proxmox.code-workspace b/ansible-proxmox.code-workspace
deleted file mode 100644
index d77e04e..0000000
--- a/ansible-proxmox.code-workspace
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "folders": [
- {
- "path": "."
- }
- ],
- "tasks": {
- "version": "2.0.0",
- "tasks": [
- {
- "label": "๐ Deploy",
- "detail": "Run the main playbook with all tasks.",
- "type": "shell",
- "command": "ansible-playbook --inventory inventory.yml playbook.yml --vault-password-file ~/.vault",
- "args": [],
- "problemMatcher": [],
- "group": {
- "kind": "build",
- "isDefault": true
- }
- },
- {
- "label": "๐งช Check",
- "detail": "Check the code without making any changes.",
- "type": "shell",
- "command": "ansible-playbook --inventory inventory.yml playbook.yml --check --vault-password-file ~/.vault",
- "args": [],
- "problemMatcher": [],
- "group": {
- "kind": "build",
- "isDefault": true
- }
- },
- {
- "label": "๐ Edit vault",
- "detail": "Edits the encrypted vault file.",
- "type": "shell",
- "command": "ansible-vault edit ./group_vars/all/vault.yml --vault-password-file ~/.vault",
- "args": [],
- "problemMatcher": [],
- "group": {
- "kind": "none",
- },
- "options": {
- "env": {
- "EDITOR": "code -w" // Use VSCode to edit the vault file.
- }
- }
- }
- ]
- },
- "settings": {
- "workbench.colorCustomizations": {
- "titleBar.activeBackground": "#E57000",
- "titleBar.activeForeground": "#FFFFFF",
- }
- }
-}
\ No newline at end of file
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
deleted file mode 100644
index 9876df7..0000000
--- a/group_vars/all/vault.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66323439393031343635353934653135646262646161383666643765383761333238303962616137
-3162646230323466316663396666303734623039333239630a616432353838306638393734323036
-62396134626538386264353364306336363430326339346565383965333936666634373131636137
-3664323032633137300a343430356630616538653138383436636331326133656362313637656135
-3535
diff --git a/inventory.yml b/inventory.yml
index 14a620f..2127b66 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -4,5 +4,3 @@ all:
ansible_user: root
ansible_host: proxmox.thinkbox.center
ansible_python_interpreter: /usr/bin/python3
- vars:
- ansible_ssh_pipelining: true
diff --git a/playbook.yml b/playbook.yml
index 00baaf2..6b082ba 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -3,15 +3,24 @@
gather_facts: true
become: true
tasks:
- - name: Template login manager configuration
- ansible.builtin.template:
- src: logind.conf.j2
- dest: /etc/systemd/logind.conf
- owner: root
- group: root
- mode: 0644
- notify:
- - Restart login manager
+ - name: Ensure certificate is present
+ block:
+ - name: Get stats from pveproxy-ssl.pem
+ ansible.builtin.stat:
+ path: /etc/pve/local/pveproxy-ssl.pem
+ register: cert_pem
+
+ - name: Get stats from pveproxy-ssl.key
+ ansible.builtin.stat:
+ path: /etc/pve/local/pveproxy-ssl.key
+ register: cert_key
+
+ - name: Ensure that ACME has been set up
+ ansible.builtin.assert:
+ that:
+ - cert_pem.stat.exists == true
+ - cert_key.stat.exists == true
+ fail_msg: "Certificate was not found, make sure ACME has been set up."
- name: Configure repositories
block:
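Review bot: The assertions `- cert_pem.stat.exists == true` and `- cert_key.stat.exists == true` compare booleans against the literal `true`, which ansible-lint flags as literal-compare; `- cert_pem.stat.exists` and `- cert_key.stat.exists` state the same condition. A stat check also only proves that the two paths exist, so an empty or stale file would pass here and would only surface later, presumably at the `validate: nginx -t` step of the nginx configuration task. The `block:` around the three tasks has no `rescue` or `always`, so it serves only to group them under one name; a one-line comment such as `# Grouping only: fail early before any host changes are made` would make that explicit. The `Configure repositories` block on the last line continues outside the hunk.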
@@ -29,47 +38,64 @@
state: present
update_cache: true
+ - name: Template login manager configuration
+ ansible.builtin.template:
+ src: logind.conf.j2
+ dest: /etc/systemd/logind.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - Restart login manager
+
- name: Install nginx
ansible.builtin.apt:
name:
- - nginx
+ - nginx-light
policy_rc_d: 101 # Prevent autostart
- name: Configure nginx
notify:
- Stop nginx
block:
- - name: Remove nginx default configuration
+ - name: Template nginx site
+ ansible.builtin.template:
+ src: nginx.proxmox.conf.j2
+ dest: /etc/nginx/sites-available/default
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Enable nginx site
ansible.builtin.file:
- path: "{{ item }}"
- state: absent
- loop:
- - /etc/nginx/conf.d/default
- - /etc/nginx/sites-enabled/default
- - /etc/nginx/sites-available/default
- - /var/www/html/index.nginx-debian.html
+ src: /etc/nginx/sites-available/proxmox.conf
+ dest: /etc/nginx/sites-enabled/proxmox.conf
+ owner: root
+ group: root
+ state: link
- name: Template nginx configuration
ansible.builtin.template:
- src: proxmox.conf.j2
- dest: /etc/nginx/conf.d/proxmox.conf
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
+ validate: nginx -t -c "%s"
- name: Ensure nginx override folder exists
ansible.builtin.file:
path: /etc/systemd/system/nginx.service.d
state: directory
- mode: 0755
+ mode: "0755"
- name: Template nginx override configuration
ansible.builtin.template:
- src: override.conf.j2
+ src: nginx.service.override.conf.j2
dest: /etc/systemd/system/nginx.service.d/override.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Stop nginx if configuration has changed
ansible.builtin.meta: flush_handlers
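Review bot: The site template is written to `dest: /etc/nginx/sites-available/default`, but the following `Enable nginx site` task links `src: /etc/nginx/sites-available/proxmox.conf`, which nothing in this patch creates; `ansible.builtin.file` with `state: link` refuses a missing `src` unless `force: true`, so the play fails on a fresh host, and even with `force` the new `templates/nginx.conf.j2` only includes `sites-enabled/*.conf`, so a site file named `default` would never be loaded. Changing the template task to `dest: /etc/nginx/sites-available/proxmox.conf` resolves both. The dropped cleanup of `/etc/nginx/sites-enabled/default` means the package's stock site link now stays on disk; under the `*.conf` include pattern it is inert, but a comment on `Template nginx site` such as `# The stock sites-enabled/default is not loaded: nginx.conf only includes *.conf` would save the next reader that check. The play continues outside the hunk.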
diff --git a/proxmox.code-workspace b/proxmox.code-workspace
new file mode 100644
index 0000000..62577b4
--- /dev/null
+++ b/proxmox.code-workspace
@@ -0,0 +1,36 @@
+{
+ "folders": [
+ {
+ "path": "."
+ }
+ ],
+ "tasks": {
+ "version": "2.0.0",
+ "tasks": [
+ {
+ "label": "๐ Deploy",
+ "detail": "Run the main playbook with all tasks.",
+ "type": "shell",
+ "command": "ansible-playbook --inventory inventory.yml playbook.yml",
+ "args": [],
+ "problemMatcher": [],
+ "group": {
+ "kind": "build",
+ "isDefault": false
+ }
+ },
+ {
+ "label": "๐งช Check",
+ "detail": "Check the code without making any changes.",
+ "type": "shell",
+ "command": "ansible-playbook --inventory inventory.yml playbook.yml --check",
+ "args": [],
+ "problemMatcher": [],
+ "group": {
+ "kind": "build",
+ "isDefault": true
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/templates/logind.conf.j2 b/templates/logind.conf.j2
index 7052ebb..6f23d8c 100644
--- a/templates/logind.conf.j2
+++ b/templates/logind.conf.j2
@@ -20,13 +20,13 @@
#KillExcludeUsers=root
#InhibitDelayMaxSec=5
#UserStopDelaySec=10
-#HandlePowerKey=poweroff
-#HandleSuspendKey=suspend
-#HandleHibernateKey=hibernate
+HandlePowerKey=ignore
+HandleSuspendKey=ignore
+HandleHibernateKey=ignore
HandleLidSwitch=ignore
-#HandleLidSwitchExternalPower=suspend
-#HandleLidSwitchDocked=ignore
-#HandleRebootKey=reboot
+HandleLidSwitchExternalPower=ignore
+HandleLidSwitchDocked=ignore
+HandleRebootKey=ignore
#PowerKeyIgnoreInhibited=no
#SuspendKeyIgnoreInhibited=no
#HibernateKeyIgnoreInhibited=no
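Review bot: The power, suspend, hibernate and reboot key handlers and both lid-switch variants are now set to `ignore` without a comment recording why; a line such as `# Hardware buttons and the lid switch are ignored so the host is never suspended, powered off or rebooted by a key press` above `HandlePowerKey=ignore` would capture what the README describes. As this is a Jinja template, it should also carry the `# {{ ansible_managed }}` header the other templates in this patch have, if its first line (outside this hunk) does not already.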
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..9128ca2
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+}
+
+http {
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
+}
\ No newline at end of file
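Review bot: The `http` block sets `ssl_protocols` and `ssl_prefer_server_ciphers` but not `server_tokens`, so nginx keeps its default of advertising its version in the `Server` header and on error pages; `server_tokens off;` next to `sendfile on;` is the usual one-line hardening. Without an `ssl_ciphers` directive, `ssl_prefer_server_ciphers on` only orders nginx's built-in default cipher list, which may be intended but deserves a comment saying the default was kept on purpose. The file carries no comment beyond `{{ ansible_managed }}`; a line such as `# Sites are loaded only from sites-enabled/*.conf; files without that suffix are ignored` above the final includes would document the pattern the playbook's symlink task relies on.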
diff --git a/templates/proxmox.conf.j2 b/templates/nginx.proxmox.conf.j2
similarity index 73%
rename from templates/proxmox.conf.j2
rename to templates/nginx.proxmox.conf.j2
index ca00984..c12073e 100644
--- a/templates/proxmox.conf.j2
+++ b/templates/nginx.proxmox.conf.j2
@@ -1,9 +1,5 @@
# {{ ansible_managed }}
-upstream proxmox {
- server "proxmox.thinkbox.center";
-}
-
server {
listen 80 default_server;
rewrite ^(.*) https://$host$1 permanent;
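Review bot: The HTTP-to-HTTPS redirect is still written as `rewrite ^(.*) https://$host$1 permanent;`, which evaluates a regex on every request; for a plain scheme switch the nginx documentation recommends `return 301 https://$host$request_uri;`, which is cheaper and clearer. With the `upstream proxmox` block removed, the `proxy_pass https://localhost:8006;` in the next hunk is the only remaining backend reference, so a short comment on this server block such as `# Port 80 only redirects; the Proxmox UI is proxied from the HTTPS server block` would help orientation. The server block continues outside the hunk.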
@@ -23,9 +19,9 @@ server {
proxy_pass https://localhost:8006;
proxy_buffering off;
client_max_body_size 0;
- proxy_connect_timeout 3600s;
- proxy_read_timeout 3600s;
- proxy_send_timeout 3600s;
- send_timeout 3600s;
+ proxy_connect_timeout 3600s;
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ send_timeout 3600s;
}
}
\ No newline at end of file
diff --git a/templates/override.conf.j2 b/templates/nginx.service.override.conf.j2
similarity index 100%
rename from templates/override.conf.j2
rename to templates/nginx.service.override.conf.j2