7ba749c620
Ansible Lint / lint (push) Successful in 4s
Proxmox host role: - Admin user setup, SSH hardening (port 2222, no root login) - claude-code SFTP chroot user - Unattended upgrades, DuckDNS dynamic DNS updater (vault-encrypted token) - WireGuard VPN server (10.10.10.0/24) with Fedora client registered - Proxmox firewall management via pvesh API (idempotent Python script) Public Gitea exposure: - Traefik: add HTTPS entrypoint, Let's Encrypt ACME (HTTP-01), StripPrefix middleware for /git subpath, HTTP→HTTPS redirect - Gitea ROOT_URL updated to https://adyrem.duckdns.org/git/ - Pi-hole split DNS: adyrem.duckdns.org → 10.10.1.3 for internal hairpin bypass SSH config fixes: - StrictHostKeyChecking no → accept-new across all hosts - Proxmox jump host: port 2222, user adyrem (root login disabled) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2.2 KiB
2.2 KiB
host.yml — Proxmox Host Playbook
Configures the Proxmox host (192.168.1.10) with:
- Admin user (
adyrem) with SSH key auth and passwordless sudo claude-codeSFTP-only user, chrooted to/home/claude-code/workspace- SSH hardened: key-only auth, root login disabled, port changed to 2222
- Unattended security upgrades (Debian security channel only)
Prerequisites
- Proxmox is freshly installed and accessible as
rootvia SSH on port 22 - Ansible is installed on the machine running the playbook
- Vault password is at
~/.config/homelab/vault_pass - Repo is cloned and you're in the
ansible/directory
First run (bootstrap)
The first run connects as root because adyrem doesn't exist yet.
group_vars/proxmox_hosts/vars.yml is already set for this — no changes needed.
ansible-playbook playbooks/host.yml
What happens:
- Creates
adyremwith your SSH key and passwordless sudo - Creates
claude-codeuser with SFTP-only access - Changes SSH port to 2222 and disables root login
- Restarts sshd — root SSH access ends here
After the first run
Update inventory/group_vars/proxmox_hosts/vars.yml to connect as adyrem:
ansible_user: adyrem
ansible_become: true
ansible_become_method: sudo
ansible_port: 2222
Verify you can still connect before relying on this:
ssh -p 2222 adyrem@192.168.1.10
All subsequent runs use:
ansible-playbook playbooks/host.yml
claude-code SFTP access
The claude-code user can only SFTP into /home/claude-code/workspace. No shell, no TCP forwarding, no escape from the chroot.
From the Claude Code VM:
sftp -P 2222 claude-code@192.168.1.10
# lands in /workspace (which is /home/claude-code/workspace on the host)
The private key for this user lives in the Claude Code VM at ~/.ssh/claude-code_ed25519.
The corresponding public key is committed at keys/claude-code_ed25519.pub.
Re-running safely
The playbook is idempotent. Re-running it after the group_vars update will:
- Ensure all config is still correct
- Apply any template changes (sshd drop-in, unattended-upgrades)
- Restart sshd only if the config changed