This repository contains an Ansible playbook for setting up a Proxmox cluster, along with an Open Policy Agent (OPA) Rego policy for validating the playbook.
- `cluster.yaml`: Ansible playbook for Proxmox cluster setup
- `proxmox_policy.rego`: OPA Rego policy for playbook validation
- `inventory.ini`: Sample inventory file (not provided, see example below)
The `cluster.yaml` playbook automates the process of setting up a Proxmox cluster. It performs the following main tasks:
- Determines the first node and cluster size
- Creates the cluster on the first node
- Adds subsequent nodes to the cluster
- Sets up QDevice for two-node clusters
- Verifies cluster status
Prerequisites:

- Ansible installed on your control node
- OPA (Open Policy Agent) installed for policy validation
- Proxmox nodes with SSH access
Update the `inventory.ini` file with your Proxmox node information:

```ini
[proxmox]
1.2.3.4
1.2.3.5

[all:vars]
ansible_user=your_ssh_user
ansible_python_interpreter=/usr/bin/python3
```
Run the playbook:

```sh
ansible-playbook -i inventory.ini cluster.yaml
```

Validate the playbook against the policy:

```sh
opa eval --data proxmox.rego --input cluster.yaml "data.proxmox"
```
The `proxmox.rego` file contains rules to validate the playbook against best practices and security considerations. It checks for:
- Valid hosts
- Allowed tasks
- Proper use of `become: yes`
- Correct usage of `pvecm` commands
- Reasonable timeouts
- Proper setup for two-node clusters
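The following policy is an added illustration of how checks of this kind are written in Rego; it is not the repository's own `proxmox.rego`. It treats the playbook as OPA input (a list of plays, each with tasks) and emits one `deny` message per violation. The allowed host patterns, the allowed module list, the accepted `pvecm` subcommands and the 600 second timeout ceiling are assumed values chosen for the example, and the package name `proxmox` is only kept so that the README's `data.proxmox` query would reach it.

```rego
package proxmox

import rego.v1

# Host patterns a play may target (assumed values; adjust to your inventory).
allowed_hosts := {"proxmox", "localhost"}

# Modules the playbook may call (assumed; extend as the playbook grows).
allowed_modules := {"shell", "command", "set_fact", "debug", "assert", "pause", "wait_for"}

# Task-level keywords that are not modules and must be ignored when
# working out which module a task calls.
task_keywords := {"name", "become", "become_user", "when", "register", "loop",
    "with_items", "changed_when", "failed_when", "vars", "delegate_to",
    "run_once", "until", "retries", "delay", "ignore_errors", "args", "tags", "no_log"}

# pvecm subcommands a cluster build legitimately needs (assumed list).
allowed_pvecm := {"create", "add", "status", "qdevice"}

# Upper bound, in seconds, for any wait_for timeout (assumed value).
max_timeout := 600

# Flatten every task of every play in the playbook.
tasks contains t if {
    some play in input
    some t in play.tasks
}

# The module(s) a task calls: every top-level key that is not a keyword.
modules_of(task) := {m |
    some m in object.keys(task)
    not m in task_keywords
}

# Shell or command text, whether written as a plain string or as a cmd: mapping.
command_text(task) := c if {
    some m in {"shell", "command"}
    c := task[m]
    is_string(c)
}

command_text(task) := c if {
    some m in {"shell", "command"}
    c := task[m].cmd
}

# Valid hosts: a play must target a known host pattern.
deny contains msg if {
    some play in input
    not play.hosts in allowed_hosts
    msg := sprintf("play %q targets %q, which is not an allowed host pattern", [play.name, play.hosts])
}

# Allowed tasks: only whitelisted modules may appear.
deny contains msg if {
    some task in tasks
    some m in modules_of(task)
    not m in allowed_modules
    msg := sprintf("task %q uses module %q, which is not allowed", [task.name, m])
}

# Proper use of become: pvecm changes cluster membership, so it must run as root.
# YAML "yes" is loaded as boolean true, so the comparison below covers become: yes.
deny contains msg if {
    some task in tasks
    cmd := command_text(task)
    startswith(cmd, "pvecm")
    not task.become == true
    msg := sprintf("task %q runs pvecm without become: yes", [task.name])
}

# Correct pvecm usage: only the expected subcommands.
deny contains msg if {
    some task in tasks
    cmd := command_text(task)
    parts := split(cmd, " ")
    parts[0] == "pvecm"
    not parts[1] in allowed_pvecm
    msg := sprintf("task %q uses unexpected pvecm subcommand %q", [task.name, parts[1]])
}

# Reasonable timeouts: wait_for must not block for longer than max_timeout.
# is_number guards against templated string values, which would compare by type rank.
deny contains msg if {
    some task in tasks
    t := task.wait_for.timeout
    is_number(t)
    t > max_timeout
    msg := sprintf("task %q waits %v seconds, above the %v second limit", [task.name, t, max_timeout])
}
```

Querying `data.proxmox.deny` instead of `data.proxmox` returns just the violation set, and adding `--fail-defined` to `opa eval` makes the command exit non-zero whenever that set is non-empty, which is the form to use as a CI gate before the playbook is run. The two-node QDevice check is not modelled here because it depends on how the playbook expresses cluster size.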
To modify policy rules, edit the `proxmox.rego` file.
- Adjust the `qdevice_ip` variable in the playbook for your QDevice setup
- Modify the playbook tasks as needed for your specific Proxmox environment