Using Ansible with Proxmox: PART 1B

In Part 1A, we laid the foundation. Now in Part 1B, we’ll take things a step further — diving deeper into the practical side, connecting the dots, and building on what we’ve already explored. This is where the project really comes to life.

Script: setup-ansible-controller.sh

#!/bin/bash
#Shebang statement

set -e  # Stops the script as soon as a command fails

echo "Updating package list..."
apt update

echo "Installing the tree utility..."
apt install -y tree

echo "Installing software-properties-common..."
apt install -y software-properties-common

echo "Installing Ansible..."
apt install -y ansible

echo "Verifying Ansible installation by asking for version that successfully installed"
ansible --version

echo "Creating Ansible controller user..."
# Check if user already exists
if id "Ansible" &>/dev/null; then
    echo "User 'Ansible' already exists. Skipping creation."
else
    # useradd never prompts for details (full name, room number, etc.);
    # -m creates /home/Ansible and -s sets the login shell
    useradd -m -s /bin/bash Ansible
    echo "User 'Ansible' created."
    sleep 5
fi # ends the if statement

#Creation of directories to hold anything ssh related
echo "Creating .ssh directory and authorized_keys..."
mkdir -p /home/Ansible/.ssh
touch /home/Ansible/.ssh/authorized_keys
#Changing of ownership and permissions for ssh files to user Ansible
chown -R Ansible:Ansible /home/Ansible/.ssh
chmod 700 /home/Ansible/.ssh
chmod 600 /home/Ansible/.ssh/authorized_keys

#SSH key pair creation
echo "Generating SSH key pair for Ansible user..."
if test -f /home/Ansible/.ssh/id_rsa; then
    echo "SSH key already exists. Skipping generation."
else
    su - Ansible -c 'ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa -C "Ansible@controller"'
    echo "SSH key pair generated."
fi

# Appending the Proxmox server's public key to the authorized_keys file
echo "<Proxmox server public SSH key>" | tee -a /home/Ansible/.ssh/authorized_keys

# Setting ownership of the authorized_keys file to the Ansible user
chown Ansible:Ansible /home/Ansible/.ssh/authorized_keys

echo "Adding sudoers file for Ansible user..."
SUDOERS_LINE=$(cat <<'EOF'
Ansible ALL=(ALL) NOPASSWD: \
/usr/bin/apt update, \
/usr/bin/apt upgrade, \
/usr/bin/apt install *, \
/usr/bin/apt remove *, \
/usr/bin/apt autoremove, \
/usr/bin/apt clean, \
/usr/bin/systemctl start *, \
/usr/bin/systemctl stop *, \
/usr/bin/systemctl restart *, \
/usr/bin/systemctl reload *, \
/usr/bin/systemctl status *
EOF
)

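# Write the rule to a temporary file and validate it first, so a syntax error
# never lands in /etc/sudoers.d (set -e stops the script if visudo fails)
SUDOERS_TMP=$(mktemp)
echo "$SUDOERS_LINE" > "$SUDOERS_TMP"
visudo -c -f "$SUDOERS_TMP"
# Install with root ownership and mode 440
install -o root -g root -m 440 "$SUDOERS_TMP" /etc/sudoers.d/Ansible
rm -f "$SUDOERS_TMP"
echo "Sudoers file added and validated."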

#displaying Ansible user ssh pub key, so it can be copied if needed
echo "Ansible public key:"
cat /home/Ansible/.ssh/id_rsa.pub

echo "Ansible user can now run limited sudo commands without a password."
echo "Setup complete!"

I’ll provide a blog post going through the script in more detail later on.
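
The sudoers rule in the script uses `*` in several command arguments, and in sudoers a wildcard there matches any arguments, options included, so those entries are broader than "limited sudo" suggests. The following is an added example, not part of the original script: it lists each NOPASSWD command in a sudoers fragment and flags the wildcard ones. The function names `write_sample` and `audit_sudoers` are hypothetical, and the sample content is the rule from the script above.

```shell
#!/bin/sh
# Added example, not part of the original setup script.

# write_sample FILE: write the sudoers rule from the article to FILE
write_sample() {
    cat > "$1" <<'EOF'
Ansible ALL=(ALL) NOPASSWD: \
/usr/bin/apt update, \
/usr/bin/apt upgrade, \
/usr/bin/apt install *, \
/usr/bin/apt remove *, \
/usr/bin/apt autoremove, \
/usr/bin/apt clean, \
/usr/bin/systemctl start *, \
/usr/bin/systemctl stop *, \
/usr/bin/systemctl restart *, \
/usr/bin/systemctl reload *, \
/usr/bin/systemctl status *
EOF
}

# audit_sudoers FILE: print "EXACT <cmd>" or "WILDCARD <cmd>" per NOPASSWD command
audit_sudoers() {
    awk '
        # Join lines ending in a backslash into one logical line
        { if (sub(/\\$/, "")) { buf = buf $0; next } line = buf $0; buf = "" }
        line ~ /^[ \t]*#/ { next }              # skip comment lines
        {
            # Keep only the command list that follows NOPASSWD:
            if (!sub(/^.*NOPASSWD:[ \t]*/, "", line)) next
            n = split(line, cmds, ",")          # assumes no escaped commas
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)  # trim surrounding whitespace
                if (c == "") continue
                tag = (c ~ /[*?]/) ? "WILDCARD" : "EXACT"
                print tag, c
            }
        }
    ' "$1"
}

sample=$(mktemp)
write_sample "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

Each WILDCARD line is a rule that accepts anything after the fixed prefix; pinning the exact package or unit names the automation needs turns it into an EXACT entry.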

NOTE: when we add the Ansible user, we use the command useradd. I did get an error on one occasion, and to overcome this we can use the command adduser instead (yes, literally the two words swapped around). They do the same job, but there is a slight difference:

- You may be using a different distro from mine, which is perfectly fine, BUT be aware that adduser is the preferred command for adding users on Debian-based distributions (like Ubuntu).


Step 1. Make the setup script executable

chmod +x setup-ansible-controller.sh

Before you can run the Bash script you created, it needs execution permissions. This tells Linux that the file is not just text — it can be run as an executable program.

Step 2. Run the script

./setup-ansible-controller.sh

Now we can actually execute the script to perform all the automation tasks for config (package installs, user creation, SSH key generation, etc.). If it runs without errors, your controller machine should now have an Ansible user with an SSH key pair ready to use.

Step 3. Verify the Ansible user on the controller

It’s important to confirm the new user exists and is configured correctly before trying to connect to Proxmox.

  • Check the user exists. You should see UID, GID, and groups:

id Ansible

  • Switch into that account to work as the Ansible automation user:

sudo su - Ansible

  • Confirm the .ssh directory and the public key file (id_rsa.pub) exist:

ls -la ~/.ssh
ls -l ~/.ssh/id_rsa.pub

The first command lists all files in the .ssh directory, including hidden ones (-a), with detailed permissions, owner, size, and timestamps (-l). The second shows the same details for just the public key file id_rsa.pub.

  • If the .ssh folder or key files are missing, recreate them and set correct permissions:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

touch = creates an empty file if it doesn’t exist, or updates the “last modified” timestamp if it does.

chmod 600 = sets permissions so only the file’s owner can read and write it (no execute permission)


Step 4. Prepare the Proxmox host for SSH key copy

The ssh-copy-id tool works by logging in once with a password so it can append your public key to the target user’s authorized_keys file.

If the “Ansible” user on Proxmox doesn’t have a password then the above will not work, so we set it temporarily:

sudo passwd Ansible

Step 5. Copy the SSH key to Proxmox

From the controller machine, send the Ansible user’s public key over to Proxmox:

ssh-copy-id Ansible@<proxmox_host_ip>

Enter the Proxmox password when prompted.

This step allows passwordless logins by using your SSH key instead of a password.


Step 6. Confirm key transfer on Proxmox

  • SSH into Proxmox:
ssh root@<proxmox_ip>
  • Check the authorized_keys file for Ansible:
cat /home/Ansible/.ssh/authorized_keys

If you see your controller’s public key there (starts with ssh-rsa), then the transfer worked.


Step 7. Lock the Proxmox Ansible password again (optional security step)

Since we only set the password temporarily for key transfer, we can now disable password login for security:

sudo passwd -l Ansible


Step 8. Test passwordless SSH from the controller

ssh Ansible@<proxmox_host_ip>

If everything worked, you’ll be logged in without a password prompt — ready for Ansible automation.
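
Step 6 checks the key transfer by eye. The following added example (not from the original post) does the same comparison in a script: it matches on key type and base64 blob, so a different trailing comment or a leading options field does not hide a match. The function names `make_sample` and `key_in_authorized_keys` are hypothetical, and the key material is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post. Key blobs below are constructed.

# key_in_authorized_keys PUBKEY_FILE AUTHORIZED_KEYS_FILE: exit 0 if the key is listed
key_in_authorized_keys() {
    awk '
        # Return "type blob" for a key line, skipping a leading options field
        function ident(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)$/)
                    return $i " " $(i + 1)
            return ""
        }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NR == FNR { want = ident(); next }       # first file: the public key
        want != "" && ident() == want { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1" "$2"
}

# make_sample DIR: write a constructed id_rsa.pub and authorized_keys into DIR
make_sample() {
    key='AAAAB3NzaC1yc2EAAAADAQABAAACAQconstructedKEYblob'
    printf 'ssh-rsa %s Ansible@controller\n' "$key" > "$1/id_rsa.pub"
    {
        printf '# constructed authorized_keys\n'
        printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructedOTHERblob root@pve\n'
        printf 'from="192.0.2.10" ssh-rsa %s copied-key\n' "$key"
    } > "$1/authorized_keys"
}

demo=$(mktemp -d)
make_sample "$demo"
if key_in_authorized_keys "$demo/id_rsa.pub" "$demo/authorized_keys"; then
    echo "controller key present"
else
    echo "controller key missing"
fi
rm -rf "$demo"
```

On the Proxmox host, pass a copy of the controller's id_rsa.pub as the first argument and /home/Ansible/.ssh/authorized_keys as the second.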


That wraps up Part 1B — the bridge between our foundation and what’s to come. We’ve added new layers, refined our understanding, and prepared ourselves for the next stage.

If you feel certain steps or lines of code could have been done more efficiently, please let me know. At the end of the day, positive, constructive criticism is one of the best ways to grow and improve, not only as an IT professional but in life in general.

Thanks!

Written by

Mike Kobbie Tieku TABI