sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: accept proxmox API-token auth alongside password

Browse Source
This commit is contained in:
Sandwich
2026-05-31 12:40:31 +02:00
parent ceb2237bbb
commit 7f12a0f3d8
5 changed files with 41 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
roles/global_defaults/defaults/main.yml
View File

@@ -1,5 +1,4 @@
---
# OS family lists - single source of truth for platform detection and validation
os_family_rhel:
- almalinux
- fedora
@@ -10,8 +9,7 @@ os_family_debian:
- ubuntu
- ubuntu-lts
# OS -> family mapping - aligns with the main project's ansible_os_family pattern.
# Enables platform_config dict lookups per role instead of inline when: is_rhel chains.
# OS -> family, so roles do platform_config lookups instead of is_rhel when-chains.
os_family_map:
almalinux: RedHat
archlinux: Archlinux
@@ -40,6 +38,8 @@ hypervisor_defaults:
url: ""
username: ""
password: ""
token_id: ""
token_secret: ""
node: ""
storage: ""
datacenter: ""
@@ -78,9 +78,8 @@ system_defaults:
timezone: "Europe/Vienna"
locale: "en_US.UTF-8"
keymap: "us"
# Uniform content source, family-resolved. source: dvd|mirror|satellite|none
# ('' -> family default: EL=dvd, debian/ubuntu/arch=mirror). satellite values
# come from inventory/vault only, never committed code.
# source: dvd|mirror|satellite|none ('' -> family default: EL=dvd, else mirror).
# satellite values come from inventory/vault only, never committed code.
content:
source: ""
url: ""
@@ -119,9 +118,7 @@ system_defaults:
bits: 512
pbkdf: "argon2id"
features:
# Bake cloud-init for the deterministic clone-deploy golden path; off by
# default (ansible-direct everywhere, smaller image). Package name is
# uniform across families.
# On only for the clone-deploy golden path; off keeps ansible-direct + smaller image.
cloud_init: false
cis:
enabled: false
@@ -172,10 +169,8 @@ system_defaults:
displaylink: false
hardware:
profile: {} # full override: non-empty SKIPS detection (golden image)
# Declarative hardware group: a per-device profile that MERGES over
# auto-detect (auto-detect = base; these supplement/override it). Vendor
# lists union with detection, booleans OR with detection, packages append,
# disable[] force-off (applied last), kernel_params append to the cmdline.
# The keys below MERGE over detection: lists union, booleans OR, packages
# and kernel_params append, disable[] force-off applied last.
cpu: "" # pin a CPU vendor (intel|amd); empty = use detection
gpus: [] # extra GPU vendor codes to force
wireless: [] # extra wireless vendor codes to force
@@ -187,11 +182,10 @@ system_defaults:
disable: [] # feature/vendor names to force-off (audio|bluetooth|camera|fingerprint|displaylink|<vendor>)
kernel_params: [] # extra kernel cmdline params (quirks), e.g. ["i915.enable_psr=0"]
# Per-hypervisor required fields - drives data-driven validation.
# All virtual types additionally require network bridge or interfaces.
# Drives data-driven validation. Virtual types also require a network bridge or interfaces.
hypervisor_required_fields:
proxmox:
hypervisor: [url, username, password, node, storage]
hypervisor: [url, username, node, storage]
system: [id]
vmware:
hypervisor: [url, username, password, datacenter, storage]
@@ -203,14 +197,13 @@ hypervisor_required_fields:
hypervisor: []
system: []
# Family default content mirror URLs, used when content.url is empty.
# Used when content.url is empty.
content_mirror_defaults:
debian: "https://deb.debian.org/debian/"
ubuntu: "http://archive.ubuntu.com/ubuntu/"
ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
# Hypervisor-to-disk device prefix mapping for virtual machines.
# Physical installs must set system.disks[].device explicitly.
# Virtual-only; physical installs must set system.disks[].device explicitly.
hypervisor_disk_device_map:
libvirt: "/dev/vd"
xen: "/dev/xvd"

14
roles/global_defaults/tasks/main.yml
View File

@@ -1,8 +1,6 @@
---
# Centralized normalization - all input dicts (system, hypervisor, disks)
# are normalized here into system_cfg, hypervisor_cfg, etc.
# Downstream roles consume these computed facts directly and do NOT need
# per-role _normalize.yml (except CIS, which has its own input dict).
# Normalizes all input dicts into system_cfg/hypervisor_cfg/etc. here, so downstream
# roles consume the computed facts directly with no per-role _normalize (except CIS).
- name: Global defaults loaded
ansible.builtin.debug:
msg: Global defaults loaded.
@@ -27,11 +25,15 @@
_proxmox_auth:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
api_password: "{{ hypervisor_cfg.password | default(omit, true) }}"
api_token_id: "{{ hypervisor_cfg.token_id | default(omit, true) }}"
api_token_secret: "{{ hypervisor_cfg.token_secret | default(omit, true) }}"
_proxmox_auth_node:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
api_password: "{{ hypervisor_cfg.password | default(omit, true) }}"
api_token_id: "{{ hypervisor_cfg.token_id | default(omit, true) }}"
api_token_secret: "{{ hypervisor_cfg.token_secret | default(omit, true) }}"
node: "{{ hypervisor_cfg.node }}"
no_log: true

15
roles/global_defaults/tasks/validation.yml
View File

@@ -166,6 +166,21 @@
label: "hypervisor.{{ item }}"
no_log: true
- name: Validate Proxmox authentication (password or API token)
when:
- system_cfg.type == "virtual"
- hypervisor_type == "proxmox"
ansible.builtin.assert:
that:
- >-
(hypervisor_cfg.password | default('') | string | length > 0)
or (hypervisor_cfg.token_id | default('') | string | length > 0
and hypervisor_cfg.token_secret | default('') | string | length > 0)
fail_msg: >-
Proxmox requires either hypervisor.password or
hypervisor.token_id + hypervisor.token_secret (API token).
quiet: true
- name: Validate VMware placement (cluster or node required, mutually exclusive)
when:
- system_cfg.type == "virtual"