fix(proxmox_lxc_provision): use literal module-name keys in module_defaults

The previous commit (d5cf6f6) used 'module_defaults: "{{ _proxmox_module_defaults }}"' to template the entire defaults dict. Ansible rejects this because module_defaults keys must be static action/module/group names at parse time — only values may be templated. Expose _proxmox_api_args as a flat dict of API parameters in defaults/main.yml, and in each task file's module_defaults block use the literal community.proxmox.proxmox and community.proxmox.proxmox_vm_info keys with templated values pointing at the var.
refactor(proxmox_lxc_provision): centralize module_defaults so tasks_from works without setup
2026-06-28 13:46:16 -04:00 · 2026-06-28 13:42:41 -04:00 · 2026-06-28 13:19:58 -04:00 · 2026-06-27 23:19:26 -04:00
13 changed files with 220 additions and 197 deletions
@@ -144,26 +144,17 @@ The role includes idempotency checking. If a container with the specified `lxc_v

 ### Using Standalone Tasks

-When using individual task files via `tasks_from`, you must set `module_defaults` at the play level since the tasks bypass the role's main entry point:
+Individual task files (`stop`, `start`, `delete`, `convert`, etc.) can be invoked via `tasks_from` directly — each task file wraps its work in a block with the role's shared `module_defaults`, so the Proxmox API connection is configured automatically as long as the `proxmox_*` connection variables are in scope (typically from `group_vars/all/`).

 ```yaml
 - name: Convert container to a template
  hosts: localhost
-  module_defaults:
-    community.proxmox.proxmox:
-      api_host: "{{ proxmox_api_host }}"
-      api_port: "{{ proxmox_api_port }}"
-      api_user: "{{ proxmox_api_user }}"
-      api_token_id: "{{ proxmox_api_token_id }}"
-      api_token_secret: "{{ proxmox_api_token_secret }}"
-      validate_certs: "{{ proxmox_api_validate_certs }}"
-      node: "{{ proxmox_node }}"
-  vars:
-    lxc_hostname: "{{ lxc_hostname }}"
  tasks:
    - include_role:
        name: proxmox_lxc_provision
        tasks_from: convert
+      vars:
+        lxc_hostname: my-container
 ```

 ### Creating an LXC Container and Converting it to a Template
@@ -185,19 +176,10 @@ When using individual task files via `tasks_from`, you must set `module_defaults

 - name: Convert the created container to a template
  hosts: localhost
-  module_defaults:
-    community.proxmox.proxmox:
-      api_host: "{{ proxmox_api_host }}"
-      api_port: "{{ proxmox_api_port }}"
-      api_user: "{{ proxmox_api_user }}"
-      api_token_id: "{{ proxmox_api_token_id }}"
-      api_token_secret: "{{ proxmox_api_token_secret }}"
-      validate_certs: "{{ proxmox_api_validate_certs }}"
-      node: "{{ proxmox_node }}"
-  vars:
-    lxc_hostname: "{{ lxc_hostname }}"
  tasks:
    - include_role:
        name: proxmox_lxc_provision
        tasks_from: convert
+      vars:
+        lxc_hostname: "{{ lxc_hostname }}"
 ```
@@ -5,6 +5,17 @@ proxmox_api_validate_certs: false
 # Host to delegate pct commands to (use inventory hostname for become_password to work)
 proxmox_delegate_host: "{{ proxmox_api_host }}"

+# Shared Proxmox API args referenced by each task file's module_defaults block.
+# Override the underlying proxmox_* vars (e.g. from group_vars/all/) to customize.
+_proxmox_api_args:
+  api_host: "{{ proxmox_api_host }}"
+  api_port: "{{ proxmox_api_port }}"
+  api_user: "{{ proxmox_api_user }}"
+  api_token_id: "{{ proxmox_api_token_id }}"
+  api_token_secret: "{{ proxmox_api_token_secret }}"
+  validate_certs: "{{ proxmox_api_validate_certs }}"
+  node: "{{ proxmox_node }}"
+
 # LXC defaults
 lxc_template: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst"
 lxc_cores: 4
@@ -1,4 +1,9 @@
 ---
+- name: Check if LXC exists
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Query Proxmox for existing LXCs
      community.proxmox.proxmox_vm_info:
        type: lxc
@@ -1,4 +1,9 @@
 ---
+- name: Clone LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Create a full clone of the container
      community.proxmox.proxmox:
        vmid: "{{ lxc_vmid | default(0) }}"
@@ -1,4 +1,9 @@
 ---
+- name: Convert LXC container to template
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - ansible.builtin.include_tasks: stop.yml

    - name: Convert container to template
@@ -1,4 +1,9 @@
 ---
+- name: Create LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Create an LXC container
      community.proxmox.proxmox:
        vmid: "{{ lxc_vmid | default(omit) }}"
@@ -1,4 +1,9 @@
 ---
+- name: Delete LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - ansible.builtin.include_tasks: stop.yml

    - name: Delete a container
@@ -1,16 +1,4 @@
 ---
- name: Proxmox LXC provision
-  module_defaults:
-    community.proxmox.proxmox: &proxmox_defaults
-      api_host: "{{ proxmox_api_host }}"
-      api_port: "{{ proxmox_api_port }}"
-      api_user: "{{ proxmox_api_user }}"
-      api_token_id: "{{ proxmox_api_token_id }}"
-      api_token_secret: "{{ proxmox_api_token_secret }}"
-      validate_certs: "{{ proxmox_api_validate_certs }}"
-      node: "{{ proxmox_node }}"
-    community.proxmox.proxmox_vm_info: *proxmox_defaults
-  block:
 - name: Check if container exists
  ansible.builtin.include_tasks:
    file: check-exists.yml
@@ -4,6 +4,7 @@
    name: root
    password: "{{ lxc_root_password | password_hash('sha512') }}"
    update_password: always
+  become: true
  when: lxc_root_password is defined

 - name: Change user password
@@ -11,6 +12,7 @@
    name: "{{ lxc_user_name }}"
    password: "{{ lxc_user_password | password_hash('sha512') }}"
    update_password: always
+  become: true
  when: lxc_user_password is defined

 - name: Regenerate SSH host keys
@@ -18,7 +20,7 @@
    name: system_setup
    tasks_from: ssh
  vars:
-    regenerate_ssh_keys: true
+    regenerate_ssh_host_keys: true

 - name: Remove previous entry from known hosts
  ansible.builtin.known_hosts:
@@ -1,4 +1,9 @@
 ---
+- name: Start LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Start the LXC container
      community.proxmox.proxmox:
        vmid: "{{ lxc_result.vmid }}"
@@ -1,4 +1,9 @@
 ---
+- name: Stop LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Stop container if it is running
      community.proxmox.proxmox:
        vmid: "{{ lxc_vmid | default(omit) }}"
@@ -1,4 +1,9 @@
 ---
+- name: Update LXC container
+  module_defaults:
+    community.proxmox.proxmox: "{{ _proxmox_api_args }}"
+    community.proxmox.proxmox_vm_info: "{{ _proxmox_api_args }}"
+  block:
    - name: Update an LXC container
      community.proxmox.proxmox:
        vmid: "{{ lxc_vmid }}"
@@ -5,10 +5,10 @@
    name: system_maintenance

 # Install extra packages
- include_tasks: extra-packages.yaml
+- include_tasks: extra-packages.yml

 # Create a user admin account
- include_tasks: user.yaml
+- include_tasks: user.yml

 # Harden SSH configuration
- include_tasks: ssh.yaml
+- include_tasks: ssh.yml
Author	SHA1	Message	Date
patrick	1e3ab88304	fix(proxmox_lxc_provision): use literal module-name keys in module_defaults The previous commit (`d5cf6f6`) used 'module_defaults: "{{ _proxmox_module_defaults }}"' to template the entire defaults dict. Ansible rejects this because module_defaults keys must be static action/module/group names at parse time — only values may be templated. Expose _proxmox_api_args as a flat dict of API parameters in defaults/main.yml, and in each task file's module_defaults block use the literal community.proxmox.proxmox and community.proxmox.proxmox_vm_info keys with templated values pointing at the var.	2026-06-28 13:46:16 -04:00
patrick	d5cf6f656e	refactor(proxmox_lxc_provision): centralize module_defaults so tasks_from works without setup Previously the community.proxmox.proxmox / proxmox_vm_info module_defaults were defined inline on the outer block in main.yml. Invoking individual task files via 'tasks_from: stop' (or delete/convert/etc.) bypassed main.yml, leaving the API parameters unset and producing 'missing required arguments: api_host, api_user' errors. The README worked around this by telling callers to repeat the module_defaults block at the play level — easy to forget, and duplicated config. Extract the defaults dict into _proxmox_module_defaults in defaults/main.yml (using a YAML anchor to share between the two modules), and wrap every task file that calls a Proxmox module in a block that references it. Callers only need the proxmox_* connection vars in scope (typically group_vars/all/) — both 'roles:' and 'tasks_from:' invocations now configure the API consistently. Files wrapped: check-exists, create, clone, update, start, stop, delete, convert. wait/post-clone/edit-config don't call Proxmox modules and are unchanged. main.yml's now-redundant outer module_defaults is removed. README updated to drop the 'Using Standalone Tasks' workaround boilerplate.	2026-06-28 13:42:41 -04:00
patrick	8a9903eb4c	fix(system_setup): update include_tasks references from .yaml to .yml The task files were previously renamed to .yml (commits `b2379e5`, `ce7ec1b`) but main.yml's include_tasks directives still referenced the old .yaml names, causing role execution to fail with 'Could not find or access' errors for extra-packages.yaml, user.yaml, and ssh.yaml.	2026-06-28 13:19:58 -04:00
patrick	3b6f59a029	fix(proxmox_lxc_provision): post-clone privilege escalation and SSH key regen var name The user-module tasks in post-clone.yml were running without become, so modifying /etc/passwd failed with 'usermod: Permission denied' when the connection user (e.g. admin) was non-root. Add become: true to both password tasks. Block-level become is avoided because the known_hosts task in the same file is delegate_to: localhost and should not sudo on the controller. Also fix the variable name passed to the system_setup ssh tasks_from: post-clone.yml was setting 'regenerate_ssh_keys', but ssh.yml gates on 'regenerate_ssh_host_keys'. The mismatch caused cloned containers to silently keep the source template's SSH host keys.	2026-06-27 23:19:26 -04:00