From 966c8cc1642d3eb229a37d7abddb60ccdef19445 Mon Sep 17 00:00:00 2001
From: "Ben D."
Date: Fri, 24 Apr 2026 15:17:08 -0700
Subject: [PATCH] Playbook to put ssh keys in LXC via host.
---
 playbooks/proxmox_bootstrap_lxc_ssh.yml | 44 +++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 playbooks/proxmox_bootstrap_lxc_ssh.yml
diff --git a/playbooks/proxmox_bootstrap_lxc_ssh.yml b/playbooks/proxmox_bootstrap_lxc_ssh.yml
new file mode 100644
index 0000000..11b3840
--- /dev/null
+++ b/playbooks/proxmox_bootstrap_lxc_ssh.yml
@@ -0,0 +1,44 @@
+---
+##########
+# This playbook is expressly to load management ssh-keys on proxmox LXC containers
+# that might not have SSH enabled.
+#
+- name: Bootstrap SSH on LXC Containers via Proxmox Host
+ hosts: lxc_containers
+ gather_facts: false
+ vars:
+ client_pub_key: "/root/.ssh/client_{{ CLIENT_SLUG }}.pub"
+
+ tasks:
+ - name: Find current node for VMID {{ vmid }}
+ # We delegate to the first host in your proxmox_cluster group
+ delegate_to: "{{ groups['proxmox_cluster'][0] }}"
+ ansible.builtin.shell:
+ cmd: "pvesh get /cluster/resources --type vm | grep -w '{{ vmid }}' | awk '{print $4}'"
+ register: container_node
+ changed_when: false
+
+ - name: Set active host fact
+ ansible.builtin.set_fact:
+ active_pve_node: "{{ container_node.stdout | trim }}"
+
+ - name: Configure LXC via PVE CLI
+ delegate_to: "{{ active_pve_node }}"
+ become: true
+ block:
+ - name: Ensure .ssh directory exists in LXC
+ ansible.builtin.command:
+ cmd: "pct exec {{ vmid }} -- mkdir -p /root/.ssh"
+
+ - name: Push SSH key to LXC
+ ansible.builtin.command:
+ cmd: "pct push {{ vmid }} {{ client_pub_key }} /root/.ssh/authorized_keys --perms 600"
+
+ - name: Set SSH permissions and restart
+ ansible.builtin.command:
+ cmd: >
+ pct exec {{ vmid }} -- bash -c "
+ chown root:root /root/.ssh/authorized_keys &&
+ sed -i 's/^#?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config &&
+ sed -i 's/^#?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config &&
+ systemctl restart ssh"
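Review bot: The two `sed` calls in the last task ("Set SSH permissions and restart") are no-ops, because without `-E` the basic-regex pattern `^#?PermitRootLogin` matches a literal `#?` prefix rather than an optional `#`, so neither `PermitRootLogin prohibit-password` nor `PasswordAuthentication no` is ever written and the hardening the task name promises silently fails; change them to `sed -E -i 's/^#?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config &&` and `sed -E -i 's/^#?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config &&`. Even with that fix the substitution does nothing when the directive is absent from the file, and on distributions whose sshd_config includes `/etc/ssh/sshd_config.d/` a drop-in can still override it, so a follow-up task that checks the effective value (for example via `sshd -T`) and fails otherwise would make the hardening verifiable. Separately, the node lookup in the first task pipes `pvesh` text output through `grep -w '{{ vmid }}' | awk '{print $4}'`, which depends on column positions and can also match the VMID appearing in another column of another row, yielding an empty or multi-line `active_pve_node` that `delegate_to` then misroutes; `pvesh get /cluster/resources --type vm --output-format json` with a `from_json | selectattr('vmid', 'equalto', vmid | int) | map(attribute='node') | first` filter, plus `failed_when: container_node.stdout | length == 0`, would make the lookup exact. The three `ansible.builtin.command` tasks inside the block have no `changed_when`, so every run reports changed. The `client_pub_key` var would also benefit from a comment stating that the path is read on the delegated Proxmox node rather than the controller, e.g. `# Path on the Proxmox node; pct push copies from the host filesystem`.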