counterweight/personal_infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

first steps with proxmox

Browse source
This commit is contained in:
counterweight 2025-10-26 22:33:01 +01:00
parent 1ca6d3e13c
commit 85012f8ba5
Signed by: counterweight
GPG key ID: 883EDBAA726BD96C
3 changed files with 155 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
01_infra_setup.md
View file

@ -45,6 +45,35 @@ This describes how to prepare each machine before deploying services on them.
Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth. Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth.
## Prepare Nodito Server
### Source the Nodito Server
* This setup is designed for a local Nodito server running in your home environment.
* The expectations are that the Nodito server:
+ Runs Proxmox VE (based on Debian).
+ Has a predictable local IP address.
+ Has root user with password authentication enabled (default Proxmox state).
+ SSH is accessible on port 22.
### Prepare Ansible vars for Nodito
* Add a `[nodito]` group to your `ansible/inventory.ini` (or simply use the one you get by copying `example.inventory.ini`) and fill in with values.
### Bootstrap SSH Key Access and Create User
* Nodito starts with password authentication enabled and no SSH keys configured. We need to bootstrap SSH key access first.
* Run the complete setup with: `ansible-playbook -i inventory.ini infra/00_proxmox_bootstrap_playbook.yml -e 'ansible_user=root'`
* This single playbook will:
* Set up SSH key access for root
* Create the counterweight user with SSH keys
* Update and secure the system
* Disable root login and password authentication
* Test the final configuration
* For all future playbooks targeting nodito, use the default configuration (no overrides needed).
Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth, but root login will be disabled.
## GPG Keys ## GPG Keys
Some of the backups are stored encrypted for security. To allow this, fill in the gpg variables listed in `example.inventory.ini` under the `lapy` block. Some of the backups are stored encrypted for security. To allow this, fill in the gpg variables listed in `example.inventory.ini` under the `lapy` block.

3
ansible/example.inventory.ini
View file

@ -4,6 +4,9 @@ your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_
[watchtower] [watchtower]
your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key
[nodito]
your.proxmox.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key ansible_ssh_pass=your_root_password
# Local connection to laptop: this assumes you're running ansible commands from your personal laptop # Local connection to laptop: this assumes you're running ansible commands from your personal laptop
# Make sure to adjust the username # Make sure to adjust the username
[lapy] [lapy]

123
ansible/infra/30_proxmox_bootstrap_playbook.yml Normal file
View file

@ -0,0 +1,123 @@
- name: Bootstrap Nodito SSH Key Access
hosts: nodito
become: true
vars_files:
- ../infra_vars.yml
tasks:
- name: Ensure SSH directory exists for root
file:
path: /root/.ssh
state: directory
mode: "0700"
owner: root
group: root
- name: Install SSH public key for root
authorized_key:
user: root
key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
state: present
- name: Ensure SSH key-based authentication is enabled
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PubkeyAuthentication"
line: "PubkeyAuthentication yes"
state: present
backrefs: yes
- name: Ensure AuthorizedKeysFile is properly configured
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?AuthorizedKeysFile"
line: "AuthorizedKeysFile .ssh/authorized_keys"
state: present
backrefs: yes
- name: Restart SSH service
service:
name: ssh
state: restarted
- name: Wait for SSH to be ready
wait_for:
port: "{{ ssh_port }}"
host: "{{ ansible_host }}"
delay: 2
timeout: 30
- name: Test SSH key authentication
command: whoami
register: ssh_key_test
changed_when: false
- name: Verify SSH key authentication works
assert:
that:
- ssh_key_test.stdout == "root"
fail_msg: "SSH key authentication failed - expected 'root', got '{{ ssh_key_test.stdout }}'"
- name: Create new user
user:
name: "{{ new_user }}"
groups: sudo
shell: /bin/bash
state: present
create_home: yes
- name: Set up SSH directory for new user
file:
path: "/home/{{ new_user }}/.ssh"
state: directory
mode: "0700"
owner: "{{ new_user }}"
group: "{{ new_user }}"
- name: Install SSH public key for new user
authorized_key:
user: "{{ new_user }}"
key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
state: present
- name: Allow new user to run sudo without password
copy:
dest: "/etc/sudoers.d/{{ new_user }}"
content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"
owner: root
group: root
mode: "0440"
- name: Disable root login
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PermitRootLogin .*"
line: "PermitRootLogin no"
state: present
backrefs: yes
- name: Disable password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication .*"
line: "PasswordAuthentication no"
state: present
backrefs: yes
- name: Restart SSH service
service:
name: ssh
state: restarted
- name: Wait for SSH to be ready
wait_for:
port: "{{ ssh_port }}"
host: "{{ ansible_host }}"
delay: 2
timeout: 30
- name: Test connection with new user
command: whoami
become_user: "{{ new_user }}"
register: new_user_test
changed_when: false