feat: accept proxmox API-token auth alongside password

2026-05-31 12:40:31 +02:00
parent ceb2237bbb
commit 7f12a0f3d8
5 changed files with 41 additions and 27 deletions
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -1,8 +1,6 @@
 ---
-# Centralized normalization - all input dicts (system, hypervisor, disks)
-# are normalized here into system_cfg, hypervisor_cfg, etc.
-# Downstream roles consume these computed facts directly and do NOT need
-# per-role _normalize.yml (except CIS, which has its own input dict).
+# Normalizes all input dicts into system_cfg/hypervisor_cfg/etc. here, so downstream
+# roles consume the computed facts directly with no per-role _normalize (except CIS).
 - name: Global defaults loaded
  ansible.builtin.debug:
    msg: Global defaults loaded.
@@ -27,11 +25,15 @@
    _proxmox_auth:
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
-      api_password: "{{ hypervisor_cfg.password }}"
+      api_password: "{{ hypervisor_cfg.password | default(omit, true) }}"
+      api_token_id: "{{ hypervisor_cfg.token_id | default(omit, true) }}"
+      api_token_secret: "{{ hypervisor_cfg.token_secret | default(omit, true) }}"
    _proxmox_auth_node:
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
-      api_password: "{{ hypervisor_cfg.password }}"
+      api_password: "{{ hypervisor_cfg.password | default(omit, true) }}"
+      api_token_id: "{{ hypervisor_cfg.token_id | default(omit, true) }}"
+      api_token_secret: "{{ hypervisor_cfg.token_secret | default(omit, true) }}"
      node: "{{ hypervisor_cfg.node }}"
  no_log: true

--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -166,6 +166,21 @@
    label: "hypervisor.{{ item }}"
  no_log: true

+- name: Validate Proxmox authentication (password or API token)
+  when:
+    - system_cfg.type == "virtual"
+    - hypervisor_type == "proxmox"
+  ansible.builtin.assert:
+    that:
+      - >-
+        (hypervisor_cfg.password | default('') | string | length > 0)
+        or (hypervisor_cfg.token_id | default('') | string | length > 0
+            and hypervisor_cfg.token_secret | default('') | string | length > 0)
+    fail_msg: >-
+      Proxmox requires either hypervisor.password or
+      hypervisor.token_id + hypervisor.token_secret (API token).
+    quiet: true
+
 - name: Validate VMware placement (cluster or node required, mutually exclusive)
  when:
    - system_cfg.type == "virtual"