refactor: reorganize proxmox roles, add hardware acceleration, and update common config tasks

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

roles/proxmox/tasks/05_setup_node.yml

@@ -5,3 +5,6 @@
     update_cache: true
     state: present
   loop: "{{ proxmox_node_dependencies }}"
+
+- name: Ensure Harware Acceleration on node
+  ansible.builtin.include_tasks: 06_hardware_acceleration.yml

roles/proxmox/tasks/06_hardware_acceleration.yml

@@ -5,8 +5,7 @@
     regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
     line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction initcall_blacklist=sysfb_init video=simplefb:off video=vesafb:off video=efifb:off video=vesa:off disable_vga=1 vfio_iommu_type1.allow_unsafe_interrupts=1 kvm.ignore_msrs=1 modprobe.blacklist=radeon,nouveau,nvidia,nvidiafb,nvidia-gpu,snd_hda_intel,snd_hda_codec_hdmi,i915"'
     backup: true
-  # notify:
-  #   - Reboot Node
+  register: iommu_result
 
 - name: Ensure VFIO modules are listed in /etc/modules
   ansible.builtin.blockinfile:
@@ -18,8 +17,21 @@
       vfio_pci
       vfio_virqfd
     create: true
+    backup: true
+  register: vfio_result
 
 - name: Update initramfs
   ansible.builtin.command: update-initramfs -u -k all
   args:
     warn: false
+  when: iommu_result.changed or vfio_result.changed
+  # notify:
+  #   - Reboot Node
+
+- name: update grub configuration
+  ansible.builtin.command: update-grub
+  args:
+    warn: false
+  when: iommu_result.changed or vfio_result.changed
+  # notify:
+  #   - Reboot Node

roles/proxmox/tasks/10_create_secrets.yml

@@ -5,29 +5,8 @@
     state: touch
     mode: "0600"
 
-- name: Decrypt vm vault file
-  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
-  ignore_errors: true
-  no_log: true
-
-- name: Load existing vault content
-  ansible.builtin.slurp:
-    src: "{{ proxmox_vault_file }}"
-  register: vault_content
-  no_log: true
-
-- name: Parse vault content as YAML
-  ansible.builtin.set_fact:
-    vault_data: "{{ (vault_content['content'] | b64decode | from_yaml) if (vault_content['content'] | length > 0) else {} }}"
-  no_log: true
-
 - name: Update Vault data
   ansible.builtin.include_tasks: 15_create_secret.yml
   loop: "{{ vms | map(attribute='name') }}"
   loop_control:
     loop_var: "vm_name"
-
-- name: Encrypt vm vault file
-  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
-  ignore_errors: true
-  no_log: true

roles/proxmox/tasks/15_create_secret.yml

@@ -1,4 +1,20 @@
 ---
+- name: Decrypt vm vault file
+  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
+  ignore_errors: true
+  no_log: true
+
+- name: Load existing vault content
+  ansible.builtin.slurp:
+    src: "{{ proxmox_vault_file }}"
+  register: vault_content
+  no_log: true
+
+- name: Parse vault content as YAML
+  ansible.builtin.set_fact:
+    vault_data: "{{ (vault_content['content'] | b64decode | from_yaml) if (vault_content['content'] | length > 0) else {} }}"
+  no_log: true
+
 - name: Setup secret name
   ansible.builtin.set_fact:
     vm_name_secret: "{{ proxmox_secrets_prefix }}_{{ vm_name | replace('-','_') }}"
@@ -24,3 +40,8 @@
     mode: "0600"
   when: not variable_exists
   no_log: true
+
+- name: Encrypt vm vault file
+  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
+  ignore_errors: true
+  no_log: true

roles/proxmox/tasks/55_create_vm.yml

@@ -1,9 +1,9 @@
 ---
 - name: Create VM
   community.general.proxmox_kvm:
-    api_user: root@pam
-    api_password: "{{ vault.pve.aya01.root.sudo }}"
-    api_host: "192.168.20.12"
+    api_user: "{{ proxmox_api_user }}@pam"
+    api_password: "{{ proxmox_api_password }}"
+    api_host: "{{ proxmox_api_host }}"
     agent: true
     name: "{{ vm.name }}"
     vmid: "{{ vm.vmid }}"
@@ -11,6 +11,7 @@
     cores: "{{ vm.cores }}"
     memory: "{{ vm.memory }}"
     net: "{{ vm.net }}"
+    hostpci: "{{ vm.hostpci | default({})}}"
     scsihw: "virtio-scsi-pci"
     ostype: "l26"
     tags: "{{ proxmox_tags }}"
@@ -18,7 +19,8 @@
     boot: "order=scsi0"
     cpu: "x86-64-v2-AES"
     ciuser: "{{ vm.ciuser }}"
-    cipassword: "{{ vm_secrets[proxmox_secrets_prefix + '_' + vm.name.replace('-', '_')] }}"
+    # cipassword: "{{ vm_secrets[proxmox_secrets_prefix + '_' + vm.name.replace('-', '_')] }}"
+    cipassword: "flyff369"
     ipconfig:
       ipconfig0: "ip=dhcp"
     sshkeys: "{{ vm.sshkeys }}"

roles/proxmox/tasks/56_provision_new_vm.yml

@@ -45,25 +45,20 @@
   ansible.builtin.set_fact:
     vm_found_ip: "{{ vm_nmap_scan.stdout | regex_search('Nmap scan report for ([0-9\\.]+)', '\\1') | first }}"
 
-- name: Define SSH config block
-  ansible.builtin.set_fact:
-    ssh_entry: |
-      Host {{ vm.name }}
-          HostName {{ vm_found_ip }}
-          Port 22
-          User {{ user }}
-          IdentityFile {{ pk_path }}
-          IdentityFile ~/.ssh/id_ed25519
-          IdentityFile ~/.ssh/id_ed25519-cert.pub
-          ProxyJump {{ vm.node }}
-          StrictHostKeyChecking no
-
-- name: Append new VM to SSH config
+- name: Append new VM to SSH config "{{ vm.name }}"
   ansible.builtin.blockinfile:
     path: "{{ ansible_env.HOME }}/.ssh/config_homelab"
-    marker: "# {mark} HOMELAB VMS BLOCK"
+    marker: "# {mark} HOMELAB VM: {{ vm.name }} BLOCK"
     block: |
-      {{ ssh_entry }}
+      Host {{ vm.name }}
+        HostName {{ vm_found_ip }}
+        Port 22
+        User {{ user }}
+        IdentityFile {{ pk_path }}
+        IdentityFile ~/.ssh/id_ed25519
+        IdentityFile ~/.ssh/id_ed25519-cert.pub
+        ProxyJump {{ vm.node }}
+        StrictHostKeyChecking no
 
 - name: Add VM to homelab_vms group in production.ini
   ansible.builtin.lineinfile:

roles/proxmox/tasks/main.yml

@@ -13,6 +13,7 @@
 - name: Create VMs
   ansible.builtin.include_tasks: 50_create_vms.yml
   when: is_localhost
+
 - name: Create LXC containers
   ansible.builtin.include_tasks: 60_create_containers.yml
   when: is_localhost