refactor: consolidate all roles into ansible/roles/ and update ansible.cfg

- Move all roles from playbooks/roles/ to roles/
- Update roles_path in ansible.cfg
- Add cast user to common role
- Create standalone podman role
- Add semaphore role with Podman + Quadlet support
This commit is contained in:
Hermes Agent service account
2026-05-26 22:22:08 -05:00
parent 9250b0f193
commit 92b2a9d609
98 changed files with 158 additions and 78 deletions

View File

@@ -0,0 +1,24 @@
---
# Proxmox Authentik OIDC Configuration
proxmox_oidc_realm_name: "authentik"
proxmox_oidc_issuer_url: "https://authentik.local.mk-labs.cloud/application/o/proxmox/"
proxmox_oidc_username_claim: "username"
proxmox_oidc_scopes: "openid email profile"
proxmox_oidc_autocreate: true
proxmox_oidc_default_realm: false
proxmox_oidc_comment: "Authentik SSO"
# Client credentials - override via vault
proxmox_oidc_client_id: "{{ vault_proxmox_oidc_client_id }}"
proxmox_oidc_client_key: "{{ vault_proxmox_oidc_client_key }}"
# ACL mappings for Authentik users
# Format: list of dicts with path, user or group, and role
proxmox_oidc_acl_entries: []
# Example:
# - path: "/"
# user: "rblundon@authentik"
# role: "Administrator"
# - path: "/"
# group: "admins-authentik"
# role: "Administrator"

View File

@@ -0,0 +1,12 @@
---
# ansible/roles/proxmox/tasks/main.yml
#
# Main entry point for the proxmox role.
# Add existing tasks above the OIDC include as needed.
- name: Configure Authentik OIDC authentication
ansible.builtin.include_tasks: oidc.yml
tags:
- proxmox-oidc
- oidc
- authentik

View File

@@ -0,0 +1,59 @@
---
# ansible/roles/proxmox/tasks/oidc.yml
#
# Configures Proxmox to authenticate against Authentik via OpenID Connect.
# This only needs to run on ONE node in the cluster since realm config
# is stored in /etc/pve/domains.cfg (cluster-wide via pmxcfs).
- name: Check if OIDC realm already exists
ansible.builtin.command:
cmd: pveum realm list --output-format json
register: proxmox_realms
changed_when: false
- name: Parse existing realms
ansible.builtin.set_fact:
proxmox_realm_exists: >-
{{ proxmox_realms.stdout | from_json | selectattr('realm', 'equalto', proxmox_oidc_realm_name) | list | length > 0 }}
- name: Add OIDC realm for Authentik
ansible.builtin.shell: >-
pveum realm add {{ proxmox_oidc_realm_name }}
--type openid
--issuer-url '{{ proxmox_oidc_issuer_url }}'
--client-id '{{ proxmox_oidc_client_id }}'
--client-key '{{ proxmox_oidc_client_key }}'
--username-claim '{{ proxmox_oidc_username_claim }}'
--scopes '{{ proxmox_oidc_scopes }}'
--autocreate {{ proxmox_oidc_autocreate | ternary('1', '0') }}
--comment '{{ proxmox_oidc_comment }}'
{% if proxmox_oidc_default_realm %}--default 1{% endif %}
when: not proxmox_realm_exists
no_log: true
- name: Update OIDC realm for Authentik
ansible.builtin.shell: >-
pveum realm modify {{ proxmox_oidc_realm_name }}
--issuer-url '{{ proxmox_oidc_issuer_url }}'
--client-id '{{ proxmox_oidc_client_id }}'
--client-key '{{ proxmox_oidc_client_key }}'
--scopes '{{ proxmox_oidc_scopes }}'
--autocreate {{ proxmox_oidc_autocreate | ternary('1', '0') }}
--comment '{{ proxmox_oidc_comment }}'
{% if proxmox_oidc_default_realm %}--default 1{% endif %}
when: proxmox_realm_exists
no_log: true
# --- ACL Configuration ---
- name: Configure ACL entries for OIDC users
ansible.builtin.command:
cmd: >-
pveum acl modify {{ item.path }}
{% if item.user is defined %}--users {{ item.user }}{% endif %}
{% if item.group is defined %}--groups {{ item.group }}{% endif %}
--roles {{ item.role }}
loop: "{{ proxmox_oidc_acl_entries }}"
loop_control:
label: "{{ item.user | default(item.group) }} -> {{ item.role }} on {{ item.path }}"
when: proxmox_oidc_acl_entries | length > 0