Update to 2021-12-01 19:13

roles/pbs/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+# This control access on port 8007. Note that the port is not configurable
+pbs_src_ip: []
+
+# pbs_letsencrypt_cert can be defined to the name of dehydrated (Let's Encrypt) cert
+# pbs_letsencrypt_cert: pbs.example.org

roles/pbs/files/remove_nag.patch

@@ -0,0 +1,13 @@
+--- /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js.orig	2021-05-27 00:16:17.230337938 +0200
++++ /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js	2021-05-27 00:20:00.203317519 +0200
+@@ -468,8 +468,8 @@
+ 		},
+ 		success: function(response, opts) {
+ 		    let res = response.result;
+-		    if (res === null || res === undefined || !res || res
+-			.data.status.toLowerCase() !== 'active') {
++		    if (false) { // res === null || res === undefined || !res || res
++			//.data.status.toLowerCase() !== 'active') {
+ 			Ext.Msg.show({
+ 			    title: gettext('No valid subscription'),
+ 			    icon: Ext.Msg.WARNING,

roles/pbs/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: repo_pbs
+  - role: mkdir

roles/pbs/tasks/install.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install PBS
+  apt:
+    name:
+      - proxmox-backup-server
+    policy_rc_d: 101 # Prevent the daemon from starting automatically after install
+  tags: pbs
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/pbs.sh mode=755
+  tags: pbs
+
+- name: Remove registration nag
+  patch: src=remove_nag.patch dest=/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+  ignore_errors: True
+  tags: pbs

roles/pbs/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle PBS port
+  iptables_raw:
+    name: pbs_port
+    state: "{{ (pbs_src_ip | length > 0) | ternary('present', 'absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport 8007 -s {{ pbs_src_ip | flatten | join(',') }} -j ACCEPT"
+  tags: pbs,firewall
+

roles/pbs/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+
+- include: install.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml

roles/pbs/tasks/services.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Start and enable services
+  service: name={{ item }} state=started enabled=True
+  loop:
+    - proxmox-backup
+    - proxmox-backup-proxy
+    - proxmox-backup-banner
+  tags: pbs

roles/pbs/templates/dehydrated_hook.sh.j2

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+{% if pbs_letsencrypt_cert is defined and pbs_letsencrypt_cert is string %}
+if [ $1 == "{{ pbs_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ pbs_letsencrypt_cert }}/privkey.pem > /etc/proxmox-backup/proxy.key
+  cat /var/lib/dehydrated/certificates/certs/{{ pbs_letsencrypt_cert }}/fullchain.pem > /etc/proxmox-backup/proxy.pem
+  chown root:backup /etc/proxmox-backup/proxy.{key,pem}
+  chmod 640 /etc/proxmox-backup/proxy.{key,pem}
+  /bin/systemctl reload proxmox-backup-proxy
+fi
+{% endif %}