homelab/orchestration/ansible
Dan V deb6c38d7b chore: commit homelab setup — deployment, services, orchestration, skill
- Add .gitignore: exclude compiled binaries, build artifacts, and Helm
  values files containing real secrets (authentik, prometheus)
- Add all Kubernetes deployment manifests (deployment/)
- Add services source code: ha-sync, device-inventory, games-console,
  paperclip, parts-inventory
- Add Ansible orchestration: playbooks, roles, inventory, cloud-init
- Add hardware specs, execution plans, scripts, HOMELAB.md
- Add skills/homelab/SKILL.md + skills/install.sh to preserve Copilot skill
- Remove previously-tracked inventory-cli binary from git index

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 08:10:32 +02:00
Contents of this directory:

  • cloud-init
  • group_vars
  • host_vars
  • inventory
  • playbooks
  • roles
  • scripts
  • ansible.cfg
  • README.md
  • requirements.yml

Homelab SSH Orchestration (Ansible)

This setup gives you a centralized, SSH-managed orchestration engine for your homelab.

Control plane expectation: run Ansible from a dedicated Proxmox VM (ansible-control), not from your laptop.

Why this stack

  • Agentless (no daemon required on targets)
  • Centrally managed from one control node
  • Native SSH workflow (fits your existing key-based access)

Layout

  • ansible.cfg - controller defaults
  • inventory/hosts.yml - your homelab hosts and groups
  • group_vars/all.yml - common variables (key path, packages, timezone)
  • playbooks/ping.yml - connectivity validation
  • playbooks/baseline.yml - baseline hardening and package setup

1) Bootstrap control node

From this directory on the control node:

cd /Users/dan/work/homelab/orchestration/ansible
./scripts/bootstrap-control-node.sh

If needed, add the local Python bin directory to PATH (the script prints the exact line).

0) Create dedicated control VM in Proxmox

From any machine that can SSH to the Proxmox host as root:

cd /Users/dan/work/homelab/orchestration/ansible
chmod +x scripts/create-ansible-control-vm.sh
./scripts/create-ansible-control-vm.sh

This creates ansible-control (VMID 105) on 192.168.2.193 using the Ubuntu 24.04 ISO.

After installing Ubuntu from the Proxmox console, ensure:

  • static IP is 192.168.2.105
  • SSH key login works for user dan
  • sudo is available for dan

0.5) Establish Proxmox cloud-init SSH key baseline

Goal: ensure a predefined key set is injected by cloud-init for Linux VMs.

  1. Put your public keys (one per line) in:
     • cloud-init/authorized_keys
  2. Run setup:
cd /Users/dan/work/homelab/orchestration/ansible
chmod +x scripts/proxmox-cloudinit-setup.sh
./scripts/proxmox-cloudinit-setup.sh

Defaults:

  • Proxmox host: root@192.168.2.193
  • VM targets: 100 102 103 104 105
  • Cloud-init user: dan

Override example:

VMIDS="100 104 105" CI_USER="dan" ./scripts/proxmox-cloudinit-setup.sh

Notes:

  • Windows guests are skipped automatically.
  • For existing Linux guests, cloud-init changes typically take effect after reboot.
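
A pre-flight check for cloud-init/authorized_keys before it is injected into every VM, added here as an example (not part of this repository's scripts). It parses each line's SSH key blob and flags private key material, type mismatches and short RSA keys; the allowed types, the 3072-bit floor and the rejection of option prefixes are assumed policy, and the sample keys are constructed.

```python
import base64

# Assumed policy (not from the README): accepted key types and RSA size floor.
ALLOWED = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
MIN_RSA_BITS = 3072

def read_field(blob, off):
    """Read one uint32-length-prefixed field from an SSH public key blob."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def check_line(line):
    """Return None when the line is acceptable, otherwise the reason it is not."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if "PRIVATE KEY" in line:
        return "private key material"
    if fields[0] not in ALLOWED or len(fields) < 2:  # also catches command=/from= prefixes
        return "not a bare '<type> <base64>' key line"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner, off = read_field(blob, 0)
        if inner != fields[0].encode():
            return "declared type does not match key blob"
        if fields[0] == "ssh-rsa":
            _, off = read_field(blob, off)  # skip public exponent e
            bits = int.from_bytes(read_field(blob, off)[0], "big").bit_length()
            if bits < MIN_RSA_BITS:
                return f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}"
    except ValueError as exc:  # binascii.Error (bad base64) is a ValueError
        return f"malformed key blob: {exc}"
    return None

def audit(text):
    """Return [(line_number, reason)] for every unacceptable line."""
    return [(i, w) for i, l in enumerate(text.splitlines(), 1) if (w := check_line(l))]

def sample_line(kind, *parts):  # builds CONSTRUCTED, non-functional key lines
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in (kind.encode(), *parts))
    return f"{kind} {base64.b64encode(raw).decode()} constructed@example"

SAMPLE = "\n".join([  # constructed input, not real keys
    sample_line("ssh-ed25519", bytes(32)),
    sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128),
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    'command="/bin/true" ' + sample_line("ssh-ed25519", bytes(32))])
```

Pass the contents of cloud-init/authorized_keys to audit() and run the setup script only when it returns an empty list.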

2) Validate SSH orchestration

ansible --version
ansible-inventory --graph
ansible all -m ping
ansible-playbook playbooks/ping.yml

3) Apply baseline config

ansible-playbook playbooks/baseline.yml

4) Run targeted orchestration examples

# Reboot only workers, two at a time (the reboot module waits for each host to return)
ansible workers -b -m reboot -f 2

# Update package metadata everywhere except proxmox host
ansible 'all:!proxmox' -m apt -a "update_cache=true" -b

# Check uptime of control-plane nodes
ansible control_plane -a "uptime"

5) Deploy/redeploy Paperclip on openclaw

Playbook:

ansible-playbook playbooks/paperclip-openclaw.yml -l openclaw

One-command helper (from this directory):

chmod +x scripts/deploy-paperclip-openclaw.sh
./scripts/deploy-paperclip-openclaw.sh

Post-deploy quick checks:

ansible openclaw -m shell -a "systemctl is-enabled paperclip; systemctl is-active paperclip; ss -lntp | grep 3100"
curl -sS http://192.168.2.88:3100/api/health

Notes

  • Inventory includes your known hosts:
    • kube-node-1 (192.168.2.100, user dan)
    • kube-node-2 (192.168.2.195, user dan)
    • kube-node-3 (192.168.2.196, user dan)
    • kube-arbiter (192.168.2.200, user dan)
    • hp-proliant-proxmox (192.168.2.193, user root)
  • Proxmox is split into its own group to avoid accidentally running Linux baseline hardening tasks against it.
  • If a host uses a different key path, override ansible_ssh_private_key_file in inventory host vars.
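
A guard for the group split described in the notes, added here as an example (not part of this repository): it resolves nested groups in `ansible-inventory --list` style JSON and reports any Proxmox host that has ended up inside a Linux group. The sample inventories are constructed; host and group names come from this README, but which node belongs to which group, and the `rack` group, are assumptions.

```python
import json

def members(inv, group, seen=None):
    """Resolve every host in a group, following nested child groups."""
    seen = set() if seen is None else seen
    if group in seen or group not in inv:
        return set()
    seen.add(group)  # guards against cyclic or repeated children
    hosts = set(inv[group].get("hosts", []))
    for child in inv[group].get("children", []):
        hosts |= members(inv, child, seen)
    return hosts

def leaks(inv, protected="proxmox", linux_groups=("workers", "control_plane")):
    """Map each Linux group to the protected hosts that ended up inside it."""
    guarded = members(inv, protected)
    found = {g: sorted(members(inv, g) & guarded) for g in linux_groups}
    return {g: hosts for g, hosts in found.items() if hosts}

# CONSTRUCTED sample shaped like `ansible-inventory --list` output. Host names
# are from the README; which node sits in which group is assumed.
GOOD = json.loads("""{
  "_meta": {"hostvars": {}},
  "all": {"children": ["ungrouped", "control_plane", "workers", "proxmox"]},
  "control_plane": {"hosts": ["kube-node-1", "kube-arbiter"]},
  "workers": {"hosts": ["kube-node-2", "kube-node-3"]},
  "proxmox": {"hosts": ["hp-proliant-proxmox"]}
}""")

# Same inventory after a hypothetical edit nests a catch-all group under workers.
BAD = dict(GOOD, workers={"hosts": ["kube-node-2"], "children": ["rack"]},
           rack={"hosts": ["kube-node-3", "hp-proliant-proxmox"]})

def main():
    for name, inv in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, leaks(inv) or "proxmox is isolated from Linux groups")

if __name__ == "__main__":
    main()
```

To check the real inventory, load the JSON printed by `ansible-inventory --list` in place of the constructed samples. The group split only protects plays that target Linux groups or `all:!proxmox`; a play with `hosts: all` still reaches the Proxmox host.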