lae · lae · Dec 6, 2024 · Aug 7, 2021 · Apr 18, 2023 · Sep 18, 2024
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,2 +1,3 @@
+---
 skip_list:
   - no-handler
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /.github/
+    schedule:
+      interval: weekly
+    groups:
+      actions-minor:
+        update-types:
+          - minor
+          - patch
diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml
@@ -1,22 +1,33 @@
 ---
 name: Amplify Security
 on:
-  pull_request: {}
+  pull_request_target: {}
   workflow_dispatch: {}
   push:
-    branches: ["main"]
+    branches: ["main", "develop"]
 
 permissions:
   contents: read
   id-token: write
 
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.fork && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   amplify-security-scan:
     name: Amplify Security Scan
+    needs: authorize
     runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
+    if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Amplify Runner
-        uses: amplify-security/runner-action@v0.1.0
+        uses: amplify-security/runner-action@926f003f3c9695a93cbc4e2f1e64eb784dcacbfc  # v0.2.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,6 +5,7 @@ name: CI
   pull_request: {}
   push:
     branches: ["main"]
+  workflow_dispatch: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
@@ -18,23 +19,46 @@ permissions:
   contents: read
 
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      role: ${{ steps.filter.outputs.role }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
+        id: filter
+        with:
+          base: ${{ github.ref }}
+          filters: |
+            role:
+              - 'tasks/**'
+              - 'handlers/**'
+              - 'defaults/**'
+              - 'vars/**'
+              - 'files/**'
+              - 'library/**'
+              - 'module_utils/**'
+              - 'Vagrantfile'
   vagrant-deploy:
+    needs: ["changes"]
+    if: ${{ needs.changes.outputs.role == 'true' || github.event_name == 'workflow_dispatch' }}
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - run: sudo apt install nfs-kernel-server
       - run: sudo pipx inject ansible-core jmespath netaddr
       - run: ansible-galaxy install geerlingguy.ntp
+      # yamllint disable rule:line-length
       - name: setup vagrant
         run: |
           # Copyright The containerd Authors
-          # 
+          #
           # Licensed under the Apache License, Version 2.0 (the "License");
           # you may not use this file except in compliance with the License.
           # You may obtain a copy of the License at
-          # 
+          #
           #     http://www.apache.org/licenses/LICENSE-2.0
-          # 
+          #
           # Unless required by applicable law or agreed to in writing, software
           # distributed under the License is distributed on an "AS IS" BASIS,
           # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -50,6 +74,7 @@ jobs:
           sudo apt-get build-dep -y vagrant ruby-libvirt
           sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
           vagrant plugin install vagrant-libvirt
+      # yamllint enable rule:line-length
       - run: >
           sudo -E -u ${USER}
           ANSIBLE_STDOUT_CALLBACK=debug

diff --git a/.yamllint.yml b/.yamllint.yml
@@ -1,5 +1,23 @@
 ---
-yaml:
-  rules:
-    line-length:
-      max: 120
+extends: default
+rules:
+  line-length:
+    max: 120
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  truthy:
+    allowed-values:
+      - 'true'
+      - 'yes'
+      - 'false'
+      - 'no'
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ lae.proxmox
 Installs and configures Proxmox Virtual Environment 6.x/7.x/8.x on Debian servers.
 
 This role allows you to deploy and manage single-node PVE installations and PVE
-clusters (3+ nodes) on Debian Buster (10) and Bullseye (11). You are able to
+clusters (3+ nodes) on Debian Buster (10) and Bullseye (11) and Bookworm (12). You are able to
 configure the following with the assistance of this role:
 
   - PVE RBAC definitions (roles, groups, users, and access control lists)
@@ -198,7 +198,9 @@ this group name as well, unless otherwise specified by `pve_cluster_clustername`
 Leaving this undefined will default to `proxmox`.
 
 `pve_watchdog` here enables IPMI watchdog support and configures PVE's HA
-manager to use it. Leave this undefined if you don't want to configure it.
+manager to use it. Use `None` or leave this undefined to use the default
+proxmox software watchdog. If set to anything else, the value is expected to be
+a watchdog kernel module.
 
 `pve_ssl_private_key` and `pve_ssl_certificate` point to the SSL certificates for
 pvecluster. Here, a file lookup is used to read the contents of a file in the
@@ -377,10 +379,12 @@ serially during a maintenance period.) It will also enable the IPMI watchdog.
 
 ## Role Variables
 
+*About default values: Some of the default values are selected at run time and so can differ from the example listed here.*
+
 ```
 [variable]: [default] #[description/purpose]
 pve_group: proxmox # host group that contains the Proxmox hosts to be clustered together
-pve_repository_line: "deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription" # apt-repository configuration - change to enterprise if needed (although TODO further configuration may be needed)
+pve_repository_line: "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" # apt-repository configuration - change to enterprise if needed (although TODO further configuration may be needed)
 pve_remove_subscription_warning: true # patches the subscription warning messages in proxmox if you are using the community edition
 pve_extra_packages: [] # Any extra packages you may want to install, e.g. ngrep
 pve_run_system_upgrades: false # Let role perform system upgrades
@@ -407,7 +411,7 @@ pve_zfs_enabled: no # Specifies whether or not to install and configure ZFS pack
 # pve_zfs_zed_email: "" # Should be set to an email to receive ZFS notifications
 pve_zfs_create_volumes: [] # List of ZFS Volumes to create (to use as PVE Storages). See section on Storage Management.
 pve_ceph_enabled: false # Specifies wheter or not to install and configure Ceph packages. See below for an example configuration.
-pve_ceph_repository_line: "deb http://download.proxmox.com/debian/ceph-pacific bullseye main" # apt-repository configuration. Will be automatically set for 6.x and 7.x (Further information: https://pve.proxmox.com/wiki/Package_Repositories)
+pve_ceph_repository_line: "deb http://download.proxmox.com/debian/ceph-pacific bookworm main" # apt-repository configuration. Will be automatically set for 6.x and 7.x (Further information: https://pve.proxmox.com/wiki/Package_Repositories)
 pve_ceph_network: "{{ (ansible_default_ipv4.network +'/'+ ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}" # Ceph public network
 # pve_ceph_cluster_network: "" # Optional, if the ceph cluster network is different from the public network (see https://pve.proxmox.com/pve-docs/chapter-pveceph.html#pve_ceph_install_wizard)
 pve_ceph_nodes: "{{ pve_group }}" # Host group containing all Ceph nodes
@@ -898,13 +902,24 @@ pve_default_kernel_version: 1.0.1
 This creates a pin on the `proxmox-default-kernel` package, which is [the method suggested by PVE](https://pve.proxmox.com/wiki/Roadmap#Kernel_6.8).
 It can be later removed by unsetting this role variable.
 
+## Troubleshooting
+
+### The APT installation of proxmox-ve no longer responds, Ansible aborts, the SSH session stops.
+Add this section to your ``ansible.cfg``.
+
+```yaml
+[ssh_connection]
+ssh_args = -o ServerAliveInterval=20
+```
+[Reference Issue](https://github.com/lae/ansible-role-proxmox/issues/279)
+
 ## Developer Notes
 
 When developing new features or fixing something in this role, you can test out
 your changes by using Vagrant (only libvirt is supported currently). The
 playbook can be found in `tests/vagrant` (so be sure to modify group variables
-as needed). Be sure to test any changes on both Debian 10 and 11 (update the
-Vagrantfile locally to use `debian/buster64`) before submitting a PR.
+as needed). Be sure to test any changes on all supported versions of Debian (update the
+Vagrantfile locally to use `debian/bookworm64`, `debian/bullseye64`, or `debian/buster64`) before submitting a PR.
 
 You can also specify an apt caching proxy (e.g. `apt-cacher-ng`, and it must
 run on port 3142) with the `APT_CACHE_HOST` environment variable to speed up