Add Proxmox host role, WireGuard VPN, and public Gitea via Traefik HTTPS
Ansible Lint / lint (push) Successful in 4s

Proxmox host role:
- Admin user setup, SSH hardening (port 2222, no root login)
- claude-code SFTP chroot user
- Unattended upgrades, DuckDNS dynamic DNS updater (vault-encrypted token)
- WireGuard VPN server (10.10.10.0/24) with Fedora client registered
- Proxmox firewall management via pvesh API (idempotent Python script)

Public Gitea exposure:
- Traefik: add HTTPS entrypoint, Let's Encrypt ACME (HTTP-01), StripPrefix
  middleware for /git subpath, HTTP→HTTPS redirect
- Gitea ROOT_URL updated to https://adyrem.duckdns.org/git/
- Pi-hole split DNS: adyrem.duckdns.org → 10.10.1.3 for internal hairpin bypass

SSH config fixes:
- StrictHostKeyChecking no → accept-new across all hosts
- Proxmox jump host: port 2222, user adyrem (root login disabled)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Adyrem
2026-05-16 04:06:56 +02:00
parent e888560175
commit 7ba749c620
26 changed files with 644 additions and 11 deletions
@@ -0,0 +1,13 @@
// Managed by Ansible — security patches only
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
result=$(curl -s "https://www.duckdns.org/update?domains={{ duckdns_domain }}&token={{ duckdns_token }}&ip=")
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $result" >> /var/log/duckdns.log
[[ "$result" == "OK" ]] || exit 1
@@ -0,0 +1,11 @@
# Managed by Ansible — do not edit manually
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
Match User claude-code
ForceCommand internal-sftp
ChrootDirectory /home/claude-code
AllowTcpForwarding no
X11Forwarding no
@@ -0,0 +1,15 @@
# Managed by Ansible — do not edit manually
[Interface]
Address = 10.10.10.1/24
ListenPort = {{ wireguard_port }}
PrivateKey = {{ wg_server_private_key }}
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for peer in wireguard_peers %}
[Peer]
# {{ peer.name }}
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips }}
{% endfor %}