feat: accept proxmox API-token auth alongside password

roles/global_defaults/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-# OS family lists - single source of truth for platform detection and validation
 os_family_rhel:
   - almalinux
   - fedora
@@ -10,8 +9,7 @@ os_family_debian:
   - ubuntu
   - ubuntu-lts
 
-# OS -> family mapping - aligns with the main project's ansible_os_family pattern.
-# Enables platform_config dict lookups per role instead of inline when: is_rhel chains.
+# OS -> family, so roles do platform_config lookups instead of is_rhel when-chains.
 os_family_map:
   almalinux: RedHat
   archlinux: Archlinux
@@ -40,6 +38,8 @@ hypervisor_defaults:
   url: ""
   username: ""
   password: ""
+  token_id: ""
+  token_secret: ""
   node: ""
   storage: ""
   datacenter: ""
@@ -78,9 +78,8 @@ system_defaults:
   timezone: "Europe/Vienna"
   locale: "en_US.UTF-8"
   keymap: "us"
-  # Uniform content source, family-resolved. source: dvd|mirror|satellite|none
-  # ('' -> family default: EL=dvd, debian/ubuntu/arch=mirror). satellite values
-  # come from inventory/vault only, never committed code.
+  # source: dvd|mirror|satellite|none ('' -> family default: EL=dvd, else mirror).
+  # satellite values come from inventory/vault only, never committed code.
   content:
     source: ""
     url: ""
@@ -119,9 +118,7 @@ system_defaults:
     bits: 512
     pbkdf: "argon2id"
   features:
-    # Bake cloud-init for the deterministic clone-deploy golden path; off by
-    # default (ansible-direct everywhere, smaller image). Package name is
-    # uniform across families.
+    # On only for the clone-deploy golden path; off keeps ansible-direct + smaller image.
     cloud_init: false
     cis:
       enabled: false
@@ -172,10 +169,8 @@ system_defaults:
       displaylink: false
     hardware:
       profile: {}           # full override: non-empty SKIPS detection (golden image)
-      # Declarative hardware group: a per-device profile that MERGES over
-      # auto-detect (auto-detect = base; these supplement/override it). Vendor
-      # lists union with detection, booleans OR with detection, packages append,
-      # disable[] force-off (applied last), kernel_params append to the cmdline.
+      # The keys below MERGE over detection: lists union, booleans OR, packages
+      # and kernel_params append, disable[] force-off applied last.
       cpu: ""               # pin a CPU vendor (intel|amd); empty = use detection
       gpus: []              # extra GPU vendor codes to force
       wireless: []          # extra wireless vendor codes to force
@@ -187,11 +182,10 @@ system_defaults:
       disable: []           # feature/vendor names to force-off (audio|bluetooth|camera|fingerprint|displaylink|<vendor>)
       kernel_params: []     # extra kernel cmdline params (quirks), e.g. ["i915.enable_psr=0"]
 
-# Per-hypervisor required fields - drives data-driven validation.
-# All virtual types additionally require network bridge or interfaces.
+# Drives data-driven validation. Virtual types also require a network bridge or interfaces.
 hypervisor_required_fields:
   proxmox:
-    hypervisor: [url, username, password, node, storage]
+    hypervisor: [url, username, node, storage]
     system: [id]
   vmware:
     hypervisor: [url, username, password, datacenter, storage]
@@ -203,14 +197,13 @@ hypervisor_required_fields:
     hypervisor: []
     system: []
 
-# Family default content mirror URLs, used when content.url is empty.
+# Used when content.url is empty.
 content_mirror_defaults:
   debian: "https://deb.debian.org/debian/"
   ubuntu: "http://archive.ubuntu.com/ubuntu/"
   ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
 
-# Hypervisor-to-disk device prefix mapping for virtual machines.
-# Physical installs must set system.disks[].device explicitly.
+# Virtual-only; physical installs must set system.disks[].device explicitly.
 hypervisor_disk_device_map:
   libvirt: "/dev/vd"
   xen: "/dev/xvd"