add pam user configuration to proxmox

2021-11-12 15:20:41 -05:00 · 2021-11-12 15:20:41 -05:00 · 1079c87e04
parent 9d04ba4d77
commit 1079c87e04
5 changed files with 23 additions and 4 deletions
--- a/group_vars/lb.yml
+++ b/group_vars/lb.yml
@ -5,6 +5,7 @@ haproxy:
          - cloud.badjware.dev
          - code.badjware.dev
          - drone.badjware.dev
+          - grafana.badjware.dev
        dst:
          - 192.168.20.20
          - 192.168.20.21
--- a/8
+++ b/8
@ -21,6 +21,7 @@
          6139363534616231380a373931333530373339653132626238333566663362343663623532393330
          35616230643533363032623066376536366236353335373130643262613561396131

+# Actual config starts here
 all:
  hosts:
    pfsense:
@ -30,8 +31,8 @@ all:
      hosts:
        router-0:
          ansible_host: 192.168.10.10
-      vars:
-        ansible_user: root
+      # vars:
+      #   ansible_user: root
    lb:
      hosts:
        lb:
@ -50,13 +51,14 @@ all:
              ansible_host: 192.168.20.22
            k3s-w2:
              ansible_host: 192.168.20.23
-    ubuntu:
+    debian:
      hosts:
        ubiquiti:
          ansible_host: 192.168.10.2
        pihole:
          ansible_host: 192.168.20.2
      children:
+        proxmox:
        lb:
        k3s:
      vars:
--- a/playbook.yml
+++ b/playbook.yml
@ -1,4 +1,4 @@
- hosts: ubuntu
+- hosts: debian
  roles:
    - common

--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@ -50,6 +50,10 @@ frontend https_in
    # set HSTS
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;"

+    # set X-Forwarded-Proto
+    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+
    # request is ssl
    # tcp-request inspect-delay 5s
    # tcp-request content accept if { req.ssl_hello_type 1  }
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@ -5,6 +5,18 @@
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"'
  notify: update grub

+- name: Enable PAM users
+  lineinfile:
+    path: /etc/pve/user.cfg
+    line: 'user:{{ item.key }}@pam:1:0::::::'
+  with_dict: '{{ users }}'
+
+- name: Enable PAM users admin access
+  lineinfile:
+    path: /etc/pve/user.cfg
+    line: 'acl:1:/:{{ item.key }}@pam:PVEAdmin:'
+  with_dict: '{{ users }}'
+
 - name: Copy pve-no-subscription.list
  copy:
    src: pve-no-subscription.list