feat(repo): Initial commit

tasks/main.yml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: MIT
+- import_tasks: 'repo-enable-free.yml'
+- import_tasks: 'repo-enable-non-free.yml'
+- import_tasks: 'repo-disable-pve-enterprise.yml'
+- import_tasks: 'repo-disable-ceph-enterprise.yml'
+- import_tasks: 'repo-remove-nag-screen.yml'
+- import_tasks: 'web-ui-get-git-repo-for-reloads.yml'
+- import_tasks: 'web-ui-port-443.yml'

tasks/repo-disable-ceph-enterprise.yml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: MIT
+- name: 'Check if Ceph enterprise repo is present'
+  register: 'pve_apt_repo_files_with_ceph_enterprise_repo'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .path'
+
+- name: 'If Ceph enterprise repo is present check if Ceph enterprise repo is enabled'
+  when: 'pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines | length > 0'
+  register: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .repositories[] | select(.Components | index("enterprise")) | .Enabled'
+
+- name: 'If Ceph enterprise repo is enabled disable Ceph enterprise repo'
+  when: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state.stdout == "1"'
+  loop_control:
+    loop_var: 'apt_repo_file'
+    label: 'Disable Ceph enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
+  loop: '{{ pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines }}'
+  ansible.builtin.shell: |
+    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("enterprise")) | index(0)')"
+    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'

tasks/repo-disable-pve-enterprise.yml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: MIT
+- name: 'Check if pve-enterprise repo is present'
+  register: 'pve_apt_repo_files_with_pve_enterprise_repo'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .path'
+
+- name: 'If pve-enterprise repo is present check if pve-enterprise repo is enabled'
+  when: 'pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines | length > 0'
+  register: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .repositories[] | select(.Components | index("pve-enterprise")) | .Enabled'
+
+- name: 'If pve-enterprise repo is enabled disable pve-enterprise repo'
+  when: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state.stdout == "1"'
+  loop_control:
+    loop_var: 'apt_repo_file'
+    label: 'Disable pve-enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
+  loop: '{{ pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines }}'
+  ansible.builtin.shell: |
+    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-enterprise")) | index(0)')"
+    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'

tasks/repo-enable-free.yml

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: MIT
+- name: 'Check if pve-no-subscription repo is present'
+  register: 'pve_apt_repo_files_with_pve_free_repo'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .path'
+
+- name: 'If pve-no-subscription repo is present check if pve-no-subscription repo is enabled'
+  when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length > 0'
+  register: 'pve_apt_repo_files_free_repo_enabled_state'
+  changed_when: false
+  ansible.builtin.shell: |
+    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .repositories[] | select(.Components | index("pve-no-subscription")) | .Enabled'
+
+- name: 'If pve-no-subscription repo is disabled enable pve-no-subscription repo'
+  when: 'pve_apt_repo_files_free_repo_enabled_state.stdout == "0"'
+  loop_control:
+    loop_var: 'apt_repo_file'
+    label: 'Enable pve-no-subscription repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
+  loop: '{{ pve_apt_repo_files_with_pve_free_repo.stdout_lines }}'
+  ansible.builtin.shell: |
+    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-no-subscription")) | index(0)')"
+    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'true'
+
+- name: 'If pve-no-subscription repo is not present add pve-no-subscription repo'
+  when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length == 0'
+  ansible.builtin.shell: |
+    pvesh set /nodes/{{ inventory_hostname_short }}/apt/repositories -handle 'no-subscription'

tasks/repo-enable-non-free.yml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: MIT
+- name: 'In ''/etc/apt/sources.list'' enable non-free component in all Debian-native repos'
+  ansible.builtin.replace:
+    path: '/etc/apt/sources.list'
+    regexp: '^(.*?)( main contrib(?! non-free))'
+    replace: '\g<1>\g<2> non-free'
+  notify:
+    - 'apt-get update'

tasks/repo-remove-nag-screen.yml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: MIT
+- name: 'Patch proxmoxlib.js to no longer show no-subscription warning on web UI login'
+  ansible.posix.patch:
+    src: 'usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js.patch'
+    basedir: '/usr/share/javascript/proxmox-widget-toolkit'
+    backup: true
+  notify:
+    - 'Restart pveproxy.service'

tasks/web-ui-get-git-repo-for-reloads.yml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: MIT
+- name: 'Create dir for ACME helper scripts Git repo'
+  ansible.builtin.file:
+    path: '/opt/git/quico.space/Quico/acme-deploy-helpers/branches/main'
+    state: 'directory'
+
+
+- name: 'Git clone ACME helper scripts repo'
+  ansible.builtin.git:
+    repo: 'https://quico.space/Quico/acme-deploy-helpers.git'
+    dest: '/opt/git/quico.space/Quico/acme-deploy-helpers/branches/main'

tasks/web-ui-port-443.yml

@@ -0,0 +1,70 @@
+# SPDX-License-Identifier: MIT
+- name: 'Install Nginx web server'
+  when: 'ansible_facts[''system''] | lower == ''linux'''
+  ansible.builtin.package:
+    name:
+      - 'nginx'
+    state: 'present'
+  notify:
+    - 'Reload web server'
+
+- name: 'Remove Nginx'' default config file'
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-enabled/default'
+    state: 'absent'
+  notify:
+    - 'Reload web server'
+
+- name: 'Add Nginx config file for Proxmox web interface on port 443'
+  ansible.builtin.template:
+    src: 'etc/nginx/sites-available/proxmox.conf.j2'
+    dest: '/etc/nginx/sites-available/proxmox.conf'
+  notify:
+    - 'Reload web server'
+
+- name: 'Activate Nginx config file for Proxmox web interface on port 443'
+  ansible.builtin.file:
+    src: '../sites-available/proxmox.conf'
+    dest: '/etc/nginx/sites-enabled/proxmox.conf'
+    state: 'link'
+  notify:
+    - 'Reload web server'
+
+- name: 'Create systemd override dir for nginx.service'
+  ansible.builtin.file:
+    path: '/etc/systemd/system/nginx.service.d'
+    state: 'directory'
+    mode: '0755'
+  notify:
+    - 'Reload systemd unit configs'
+    - 'Reload web server'
+
+- name: 'Make sure nginx.service only starts after its certs dir is available provided by pve-cluster.service'
+  loop_control:
+    loop_var: 'config'
+    index_var: 'i'
+    label: 'Set systemd override.conf ''{{ config.key }}={{ config.value }}'' setting'
+  loop:
+    - { key: 'Requires', value: 'pve-cluster.service' }
+    - { key: 'After',    value: 'pve-cluster.service' }
+  community.general.ini_file:
+    path: '/etc/systemd/system/nginx.service.d/override.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    no_extra_spaces: true
+    section: 'Unit'
+    option: '{{ config.key }}'
+    value: '{{ config.value }}'
+  notify:
+    - 'Reload systemd unit configs'
+    - 'Reload web server'
+
+- name: 'Flush handlers'
+  meta: 'flush_handlers'
+
+- name: 'Start Nginx web server'
+  ansible.builtin.service:
+    name: 'nginx.service'
+    state: 'started'
+    enabled: true