DRAFT: Add Packer build and upload workflow for Proxmox templates #80
base: main
Conversation
Introduces a draft GitHub Actions workflow to support #63 to build and upload Debian 12 and Rocky 9 LXC templates for Proxmox. Adds supporting Packer HCL files, Ansible provisioning playbook, Python API utilities for uploading templates, and variable files for template customization.
Added a comprehensive README.md explaining the Proxmox LXC template automation workflow. Updated the Rocky9 Packer variable file to use 'rocky9-lxc' as the template name instead of 'rocky9-fungible'.
| on: | ||
| schedule: | ||
| - cron: "0 4 * * *" # Nightly at 4 AM | ||
| workflow_dispatch: | 
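Review bot: with only `schedule` and `workflow_dispatch` in the `on:` block the workflow can never run for a branch push, so nothing in this PR is exercised before merge; add a `push:` trigger scoped with a `paths:` filter to the packer tree so unrelated changes do not rebuild the templates. Two caveats on the visible lines: the `# Nightly at 4 AM` comment is misleading because GitHub evaluates cron expressions in UTC, and a `paths:` filter only applies to `push`/`pull_request` events, so the nightly schedule still builds everything regardless of what changed.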
Also run on push so we can test it in the branch. Might want to add some logic that only actually runs it if any of the relevant files are changed, i.e. anything under this directory. That way pushes that only affect files in say create-a-container don't trigger a rebuild.
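A trigger block that does what this comment asks, given here as an added example and not the workflow in the PR. The `paths:` entries assume the packer tree is still at the directory this thread discusses (after the later relocation they would become `packer/**`), and the workflow filename is an assumption; the `jobs:` section is unchanged from the PR and omitted.

```yaml
name: Build Proxmox LXC templates

on:
  schedule:
    - cron: "0 4 * * *"   # 04:00 UTC; GitHub cron schedules always run in UTC
  workflow_dispatch:
  push:
    paths:
      # Only rebuild when template inputs change. Assumed path: the directory
      # named in this review thread. paths: filters apply to push only; the
      # nightly schedule above ignores them.
      - "container-creation/intern-phxdc-pve1/packer/**"
      # A change to the workflow itself should also be tested (assumed filename).
      - ".github/workflows/build-lxc-templates.yml"

# Least privilege for GITHUB_TOKEN: the job only needs to read the checkout.
# Proxmox credentials come from repository secrets, not from GITHUB_TOKEN.
permissions:
  contents: read

# Serialise builds so a nightly run and a branch push cannot upload the same
# template name to Proxmox at the same time.
concurrency:
  group: proxmox-lxc-templates
  cancel-in-progress: false

# jobs: unchanged from the PR
```

Because `paths:` is ignored for `schedule`, a push that touches only `create-a-container` is skipped but the nightly build still rebuilds both templates; if that is unwanted, drop `schedule` and rely on push plus manual dispatch.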
Let's talk through this soon. I'm thinking GH Actions isn't the best orchestrator for these container builds and that it should be handled by a scheduled job on the API server. That way per-cluster customizations can be applied without forking the repo.
        
          
container-creation/intern-phxdc-pve1/packer/api/proxmox_utils.py (outdated, resolved)
container-creation/intern-phxdc-pve1/packer/provisioners/ansible/site.yml (outdated, resolved)
container-creation/intern-phxdc-pve1/packer/provisioners/ansible/site.yml (outdated, resolved)
      | - name: Copy pown.sh (disabled until first boot) | ||
| ansible.builtin.copy: | ||
| src: files/pown.sh | ||
| dest: /usr/local/bin/pown.sh | 
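Review bot: this copy task is wrong even before the missing source file is considered: `ansible.builtin.copy` sets no `mode:` or `owner:`, so `/usr/local/bin/pown.sh` lands with whatever the remote umask yields (typically 0644), not executable, and readable by every user of every container cloned from the template. If the script must stay in the image, add `owner: root`, `group: root` and `mode: "0700"` so only root can read or run it; better, do the LDAP configuration during the build and do not ship the script at all.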
I think we should run this as well. LDAP is definitely a configuration that can be baked into templates without runtime modification per container. Ideally, we don't even leave the pown.sh script on the server.
Personally I'd do the LDAP config completely in Ansible for maximum control, but if we're set on pown.sh, maybe we can do this instead?
- ansible.builtin.shell: |
    curl -fsSL https://pown.sh/ | bash
Also we're missing files/pown.sh so this wouldn't work as-is anyways.
        
          
container-creation/intern-phxdc-pve1/packer/provisioners/ansible/site.yml (outdated, resolved)
      | loop: | ||
| - /var/lib/apt/lists/* | ||
| - /var/cache/dnf | ||
| - /tmp/* | 
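Review bot: the loop items `/var/lib/apt/lists/*` and `/tmp/*` are shell globs; the module consuming this loop is outside the excerpt, but `ansible.builtin.file` with `state: absent` takes the path literally, so those two entries would remove nothing and the task would still report ok. Either feed the loop from `ansible.builtin.find` results, or run the distro's own cleanup in a `command` task (`apt-get clean` and `rm -rf /var/lib/apt/lists/*` on Debian, `dnf clean all` on Rocky) and clear `/tmp` with `find /tmp -mindepth 1 -delete` so the directory itself survives. Make this the last provisioner step, otherwise a later package task recreates the caches.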
Last note on this file in general: I'm essentially looking for this to replace these lines.
opensource-server/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/create-container-new.sh
Lines 259 to 271 in 8ba6e77
| echo "⏳ Updatng container packages..." | |
| if [[ "${LINUX_DISTRO^^}" == "ROCKY" ]]; then | |
| run_pct_exec $CONTAINER_ID bash -c "dnf upgrade -y" | |
| else | |
| run_pct_exec $CONTAINER_ID bash -c "apt-get update && apt-get upgrade -y" | |
| fi | |
| echo "⏳ Configuring LDAP connection via SSSD..." | |
| export AI_CONTAINER="$AI_CONTAINER" | |
| source /var/lib/vz/snippets/helper-scripts/configureLDAP.sh | |
| echo "⏳ Setting up Wazuh-Agent..." | |
| source /var/lib/vz/snippets/Wazuh/register-agent.sh | 
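What the two comments above ask for (LDAP baked into the template via Ansible, and the package-upgrade and SSSD steps of create-container-new.sh moved into the build), written as an added example rather than the PR's site.yml. The LDAP URI, search base and CA file are placeholders; the play ships the CA explicitly and fails closed on an unverifiable server certificate instead of piping a remote script into bash. Wazuh enrollment is deliberately left for first boot on the assumption that register-agent.sh issues a per-container agent key, which cannot be baked into a shared template.

```yaml
# Added example: build-time provisioning that replaces the dnf/apt upgrade and
# configureLDAP.sh steps of create-container-new.sh. Not the project's site.yml.
- hosts: all
  become: true
  vars:
    # Placeholders: real values would come from the Packer variable files.
    ldap_uri: "ldaps://ldap.example.internal"
    ldap_search_base: "dc=example,dc=internal"
    ldap_ca_src: "files/ldap-ca.pem"            # CA that signed the LDAP server cert
    ldap_ca_dest: "/etc/ssl/certs/ldap-ca.pem"

  tasks:
    # Package upgrade, replacing the ROCKY/else branch of the shell script.
    - name: Upgrade all packages (Debian)
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      when: ansible_facts['os_family'] == 'Debian'

    - name: Upgrade all packages (Rocky)
      ansible.builtin.dnf:
        name: "*"
        state: latest
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Install SSSD (Debian)
      ansible.builtin.apt:
        name: [sssd, libnss-sss, libpam-sss]
        state: present
      when: ansible_facts['os_family'] == 'Debian'

    - name: Install SSSD (Rocky)
      ansible.builtin.dnf:
        name: [sssd, oddjob-mkhomedir]
        state: present
      when: ansible_facts['os_family'] == 'RedHat'

    # Pin the trust anchor for the directory instead of accepting whatever the
    # server presents. The CA file is a placeholder that must exist in files/.
    - name: Install LDAP CA certificate
      ansible.builtin.copy:
        src: "{{ ldap_ca_src }}"
        dest: "{{ ldap_ca_dest }}"
        owner: root
        group: root
        mode: "0644"

    # sssd refuses to start if sssd.conf is readable by anyone but root.
    - name: Write sssd.conf
      ansible.builtin.copy:
        dest: /etc/sssd/sssd.conf
        owner: root
        group: root
        mode: "0600"
        content: |
          [sssd]
          services = nss, pam
          domains = ldap

          [domain/ldap]
          id_provider = ldap
          auth_provider = ldap
          ldap_uri = {{ ldap_uri }}
          ldap_search_base = {{ ldap_search_base }}
          ldap_tls_cacert = {{ ldap_ca_dest }}
          # demand = fail closed if the server certificate does not verify
          ldap_tls_reqcert = demand
          cache_credentials = true
          enumerate = false

    # Create home directories on first login, using each distro's PAM tooling.
    - name: Enable mkhomedir (Debian)
      ansible.builtin.command: pam-auth-update --enable mkhomedir
      when: ansible_facts['os_family'] == 'Debian'
      changed_when: false

    - name: Enable mkhomedir (Rocky)
      ansible.builtin.command: authselect select sssd with-mkhomedir --force
      when: ansible_facts['os_family'] == 'RedHat'
      changed_when: false

    # Only enable here; the service starts on the container's first boot, so
    # no daemon needs to be running inside the Packer build environment.
    - name: Enable sssd at boot
      ansible.builtin.systemd:
        name: sssd
        enabled: true

    # Wazuh enrollment stays in the first-boot path (register-agent.sh): the
    # agent key is per container and must not be shared by a template (assumption).
```

Nothing in this play needs to remain on the filesystem afterwards, which is the point of doing the join at build time: the template carries only `/etc/sssd/sssd.conf` (root-only) and the CA, not a bootstrap script.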
| inline = [ | ||
| "set -eux", | ||
| "cd /tmp/rootfs", | ||
| "tar -cJf /tmp/output/${var.template_name}_$(date +%Y%m%d).tar.xz .", | 
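Review bot: besides the `$(date ...)` versus `var.template_version` naming point, this `tar -cJf` invocation archives the rootfs with defaults that are wrong for an LXC template: add `--numeric-owner` so uid/gid are stored as numbers rather than names that may not exist on the Proxmox host, and `--xattrs --acls` so file capabilities (for example on `ping`) and ACLs survive into the template; if the inline provisioner is not already running as root, it also needs to, or root-only files under `/tmp/rootfs` are silently skipped despite `set -e`.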
Let's have this use the var.template_version like the other file instead of the shell command.
        
          
container-creation/intern-phxdc-pve1/packer/api/proxmox_utils.py (outdated, resolved)
Also these files are all in the container-creation/intern-phxdc-pve1 directory if you didn't notice. Let's get them their own packer or templates or images subdir and merge the .github directories.
Replaces Python scripts proxmox_upload.py and proxmox_utils.py with Node.js equivalents proxmox_upload.js and proxmox_utils.js for uploading LXC templates to Proxmox. Adds package.json for dependencies and updates CI workflow to trigger on changes in the packer directory. Minor improvements to Ansible provisioning and Packer variable files.
Changed the https.Agent configuration to reject unauthorized SSL certificates, ensuring that API requests to Proxmox require valid certificates. This improves security by preventing connections to servers with self-signed or invalid certificates.
Renamed and relocated all packer-related files and directories from container-creation/intern-phxdc-pve1/packer/ to their respective top-level locations for improved project structure and accessibility.