Files
Adyrem 7ba749c620
Ansible Lint / lint (push) Successful in 4s
Add Proxmox host role, WireGuard VPN, and public Gitea via Traefik HTTPS
Proxmox host role:
- Admin user setup, SSH hardening (port 2222, no root login)
- claude-code SFTP chroot user
- Unattended upgrades, DuckDNS dynamic DNS updater (vault-encrypted token)
- WireGuard VPN server (10.10.10.0/24) with Fedora client registered
- Proxmox firewall management via pvesh API (idempotent Python script)

Public Gitea exposure:
- Traefik: add HTTPS entrypoint, Let's Encrypt ACME (HTTP-01), StripPrefix
  middleware for /git subpath, HTTP→HTTPS redirect
- Gitea ROOT_URL updated to https://adyrem.duckdns.org/git/
- Pi-hole split DNS: adyrem.duckdns.org → 10.10.1.3 for internal hairpin bypass

SSH config fixes:
- StrictHostKeyChecking no → accept-new across all hosts
- Proxmox jump host: port 2222, user adyrem (root login disabled)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 04:06:56 +02:00

85 lines
2.2 KiB
Markdown

# host.yml — Proxmox Host Playbook
Configures the Proxmox host (`192.168.1.10`) with:
- Admin user (`adyrem`) with SSH key auth and passwordless sudo
- `claude-code` SFTP-only user, chrooted to `/home/claude-code/workspace`
- SSH hardened: key-only auth, root login disabled, port changed to 2222
- Unattended security upgrades (Debian security channel only)
---
## Prerequisites
- Proxmox is freshly installed and accessible as `root` via SSH on port 22
- Ansible is installed on the machine running the playbook
- Vault password is at `~/.config/homelab/vault_pass`
- Repo is cloned and you're in the `ansible/` directory
---
## First run (bootstrap)
The first run connects as `root` because `adyrem` doesn't exist yet.
`group_vars/proxmox_hosts/vars.yml` is already set for this — no changes needed.
```bash
ansible-playbook playbooks/host.yml
```
What happens:
1. Creates `adyrem` with your SSH key and passwordless sudo
2. Creates `claude-code` user with SFTP-only access
3. Changes SSH port to 2222 and disables root login
4. Restarts sshd — **root SSH access ends here**
---
## After the first run
Update `inventory/group_vars/proxmox_hosts/vars.yml` to connect as `adyrem`:
```yaml
ansible_user: adyrem
ansible_become: true
ansible_become_method: sudo
ansible_port: 2222
```
Verify you can still connect before relying on this:
```bash
ssh -p 2222 adyrem@192.168.1.10
```
All subsequent runs use:
```bash
ansible-playbook playbooks/host.yml
```
---
## claude-code SFTP access
The `claude-code` user can only SFTP into `/home/claude-code/workspace`. No shell, no TCP forwarding, no escape from the chroot.
From the Claude Code VM:
```bash
sftp -P 2222 claude-code@192.168.1.10
# lands in /workspace (which is /home/claude-code/workspace on the host)
```
The private key for this user lives in the Claude Code VM at `~/.ssh/claude-code_ed25519`.
The corresponding public key is committed at `keys/claude-code_ed25519.pub`.
---
## Re-running safely
The playbook is idempotent. Re-running it after the group_vars update will:
- Ensure all config is still correct
- Apply any template changes (sshd drop-in, unattended-upgrades)
- Restart sshd only if the config changed