feat: NAG checksum-based detection (auto-repatch after upgrades) #1

Merged
Jose merged 3 commits from dev into main 2026-02-07 18:42:43 +01:00

@@ -1,7 +1,26 @@
---
- name: subscription | Ensure nag patch state directory exists
ansible.builtin.file:
path: /var/lib/proxmox-nag-patch
state: directory
owner: root
group: root
mode: "0755"
############################
# Legacy proxmoxlib.js
############################
- name: subscription | Read stored checksum (legacy)
ansible.builtin.slurp:
src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
register: proxmoxlib_js_checksum_stored
when: proxmoxlib_js.stat.exists
failed_when: false
Review

[Lines 13-18] [Score: 2] The script is now reading the stored checksum for the legacy proxmoxlib.js file, which ensures that any updates to the checksum are tracked and makes it easier to verify the integrity of the file.

[Lines 13-18] [Score: 2] The script is now reading the stored checksum for the legacy `proxmoxlib.js` file, which ensures that any updates to the checksum are tracked and makes it easier to verify the integrity of the file.
- name: subscription | Check for legacy proxmoxlib.js
ansible.builtin.stat:
path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
checksum_algorithm: sha256
register: proxmoxlib_js
- name: subscription | Remove subscription nag (legacy proxmoxlib.js)
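Review bot: the `when: proxmoxlib_js.stat.exists` on the "Read stored checksum (legacy)" slurp task references `proxmoxlib_js` before the "Check for legacy proxmoxlib.js" stat task that registers it, so in the order shown the first run hits an undefined variable in the conditional, and `failed_when: false` does not cover a failed `when` evaluation. Move the stat task above the slurp (the minified section in the next hunk already uses that order) or guard the condition with `proxmoxlib_js is defined and proxmoxlib_js.stat.exists`.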
@@ -9,26 +28,68 @@
path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
regexp: "if \\(data.status !== 'Active'\\)"
replace: "if (false)"
when: proxmoxlib_js.stat.exists
when:
- proxmoxlib_js.stat.exists
- proxmoxlib_js_checksum_stored.content is not defined
or (proxmoxlib_js.stat.checksum
!= (proxmoxlib_js_checksum_stored.content | b64decode | trim))
register: patch_legacy
failed_when:
- proxmoxlib_js.stat.exists
Review

[Lines 27-38] [Score: 2] The script now checks for and handles the presence of proxmoxlib.min.js, which is used in newer versions of Proxmox VE (VE 8/9). This ensures compatibility with different versions of the software.

[Lines 27-38] [Score: 2] The script now checks for and handles the presence of `proxmoxlib.min.js`, which is used in newer versions of Proxmox VE (VE 8/9). This ensures compatibility with different versions of the software.
- patch_legacy.matched == 0
notify: restart pveproxy
- name: subscription | Store patched checksum (legacy)
ansible.builtin.copy:
dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
owner: root
group: root
mode: "0644"
content: "{{ proxmoxlib_js.stat.checksum }}\n"
when:
- proxmoxlib_js.stat.exists
- patch_legacy is changed
############################
Review

[Lines 42-53] [Score: 2] The script now stores patched checksums for both the legacy and minified files, which ensures that any updates to the checksums are tracked and makes it easier to verify the integrity of the files. This improves security and maintainability.

[Lines 42-53] [Score: 2] The script now stores patched checksums for both the legacy and minified files, which ensures that any updates to the checksums are tracked and makes it easier to verify the integrity of the files. This improves security and maintainability.
# Minified proxmoxlib.min.js (VE 8/9)
############################
- name: subscription | Check for minified proxmoxlib.min.js (VE 8/9)
ansible.builtin.stat:
path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
checksum_algorithm: sha256
register: proxmoxlib_min_js
- name: subscription | Read stored checksum (minified)
ansible.builtin.slurp:
src: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
register: proxmoxlib_min_checksum_stored
when: proxmoxlib_min_js.stat.exists
failed_when: false
- name: subscription | Remove subscription nag (minified bundle for VE 8/9)
ansible.builtin.replace:
path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js
regexp: "data.status!=='Active'"
replace: "false"
when: proxmoxlib_min_js.stat.exists
when:
- proxmoxlib_min_js.stat.exists
- proxmoxlib_min_checksum_stored.content is not defined
or (proxmoxlib_min_js.stat.checksum
!= (proxmoxlib_min_checksum_stored.content | b64decode | trim))
register: patch_minified
failed_when:
- proxmoxlib_min_js.stat.exists
- patch_minified.matched == 0
notify: restart pveproxy
- name: subscription | Store patched checksum (minified)
ansible.builtin.copy:
dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256
owner: root
group: root
mode: "0644"
content: "{{ proxmoxlib_min_js.stat.checksum }}\n"
when:
- proxmoxlib_min_js.stat.exists
- patch_minified is changed
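Review bot: the "Store patched checksum" tasks write `proxmoxlib_js.stat.checksum` and `proxmoxlib_min_js.stat.checksum`, but those values come from the stat tasks that ran before the replace, so what gets stored is the pre-patch checksum. On the next run the patched file's checksum differs from the stored one, the `when` re-triggers the replace, the regexp no longer matches the already-patched file, and the `failed_when` on `matched == 0` would fail the play (assuming that field is set at all; I would double-check that `ansible.builtin.replace` returns `matched`, since its documented return values are `changed`, `msg` and `diff`). Run a second stat after each replace (e.g. register it as `proxmoxlib_js_patched`) and store that checksum instead, and consider basing `failed_when` on `patch_legacy is not changed` rather than on `matched`.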
Review

[Lines 31-95] [Score: 3] The when and failed_when conditions have been modified to properly handle the presence of both the legacy and minified files, as well as the stored checksums. This improves maintainability by keeping the conditions concise and easier to understand. However, it could be argued that the conditions are now more complex than before.

[Lines 31-95] [Score: 3] The `when` and `failed_when` conditions have been modified to properly handle the presence of both the legacy and minified files, as well as the stored checksums. This improves maintainability by keeping the conditions concise and easier to understand. However, it could be argued that the conditions are now more complex than before.