From f16d6a62b768127d773dcc93a2541f0437f2baaa Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 7 Feb 2026 18:54:32 +0100 Subject: [PATCH 1/7] =?UTF-8?q?fix=20=F0=9F=90=9B:=20updates=20the=20check?= =?UTF-8?q?sum=20storage=20mechanism=20to=20ensure=20idempotency.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit addresses the issue by adding necessary checks to `proxmoxlib.js` and `proxmoxlib.min.js` after applying patches. Additionally, it updates the checksum storage mechanism to ensure integrity and consistency. --- tasks/subscription.yml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/tasks/subscription.yml b/tasks/subscription.yml index 7f6dece..865ca83 100644 --- a/tasks/subscription.yml +++ b/tasks/subscription.yml @@ -39,13 +39,20 @@ - patch_legacy.matched == 0 notify: restart pveproxy +- name: subscription | proxmoxlib.js after patch + ansible.builtin.stat: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js + checksum_algorithm: sha256 + register: proxmoxlib_js_after + when: patch_legacy is changed + - name: subscription | Store patched checksum (legacy) ansible.builtin.copy: dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256 owner: root group: root mode: "0644" - content: "{{ proxmoxlib_js.stat.checksum }}\n" + content: "{{ proxmoxlib_js_after.stat.checksum }}\n" when: - proxmoxlib_js.stat.exists - patch_legacy is changed @@ -83,6 +90,13 @@ - patch_minified.matched == 0 notify: restart pveproxy +- name: subscription | Re-stat proxmoxlib.min.js after patch + ansible.builtin.stat: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js + checksum_algorithm: sha256 + register: proxmoxlib_min_js_after + when: patch_legacy is changed + - name: subscription | Store patched checksum (minified) ansible.builtin.copy: dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256 
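Review bot: The checksum written by `Store patched checksum (legacy)` is an idempotency marker, not an integrity control, and nothing in the hunk `@@ -39,13 +39,20 @@` says so, while the commit message speaks of integrity. The hash is taken from whatever `proxmoxlib.js` contains after the replace, so any change to the file, from a package upgrade or otherwise, is re-patched and then recorded as the new expected value. I would add a comment above the new stat task such as `# Hash of the locally patched file, used only to skip re-patching; it does not verify the packaged content.` Package verification (for example `dpkg --verify`) should be expected to report this path as modified.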
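Review bot: The new `Re-stat proxmoxlib.min.js after patch` task in `@@ -83,6 +90,13 @@` is gated on `when: patch_legacy is changed`, which looks like a copy from the legacy section; it should read `when: patch_minified is changed`. As written, the minified file is re-statted only when the legacy file was patched in the same run. Whenever only the minified bundle changed, `proxmoxlib_min_js_after` is a skipped result without `.stat`. The store task that follows starts in this hunk and continues in the next one.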
@@ -91,5 +105,5 @@ mode: "0644" content: "{{ proxmoxlib_min_js.stat.checksum }}\n" when: - - proxmoxlib_min_js.stat.exists + - proxmoxlib_min_js_after.stat.exists - patch_minified is changed -- 2.49.1 From 1ee2eced45f99af48f5db6e32d5d65c348d2044f Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 8 Feb 2026 06:44:01 +0100 Subject: [PATCH 2/7] =?UTF-8?q?test=20=F0=9F=A7=AA:=20Add=20todo=20molecul?= =?UTF-8?q?e=20tests?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates several TODO items in the TODO to reflect completed tasks and areas that still need attention. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d13c0d1..8753a83 100644 --- a/README.md +++ b/README.md @@ -115,6 +115,8 @@ See the [LICENSE](LICENSE) file for details. ## TODO ⏳ Make the nag patch checksum-based (auto-repatch after upgrades) +⏳ add molecule tests to prove idempotency +⏳ make the patch handler trigger on pve-manager upgrades ❌ Add kernel power-saving tunables ? 🔄 Split into VE version–aware tags ? 🕒 refactor -- 2.49.1 From afc80dc57dcafdfd6f131c8964d1c0957c84d07e Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 8 Feb 2026 06:44:18 +0100 Subject: [PATCH 3/7] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Rename=20'?= =?UTF-8?q?task'=20to=20'Read=20checksum=20after=20patch'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refactored the task name to more accurately reflect its purpose, updating the description for clarity. --- tasks/subscription.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/subscription.yml b/tasks/subscription.yml index 865ca83..4f19557 100644 --- a/tasks/subscription.yml +++ b/tasks/subscription.yml 
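Review bot: The `content:` line of `Store patched checksum (minified)` in `@@ -91,5 +105,5 @@` still reads `{{ proxmoxlib_min_js.stat.checksum }}`, the pre-patch hash, while the legacy task was switched to the `_after` register; it should be `content: "{{ proxmoxlib_min_js_after.stat.checksum }}\n"`. With the old value stored, the next run compares the patched file against the unpatched hash and runs the patch task again, which is the idempotency problem the commit sets out to fix. The new first condition `proxmoxlib_min_js_after.stat.exists` is also evaluated before `patch_minified is changed`, so it is expected to error on a missing `.stat` when the re-stat was skipped; listing `patch_minified is changed` first avoids that. The task begins in the previous hunk.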
@@ -39,7 +39,7 @@ - patch_legacy.matched == 0 notify: restart pveproxy -- name: subscription | proxmoxlib.js after patch +- name: subscription | Read checksum after patch (legacy proxmoxlib.js) ansible.builtin.stat: path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js checksum_algorithm: sha256 -- 2.49.1 From 12b1b87af19ba4c8254256ab0a7dc88510c7904c Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 8 Feb 2026 07:07:23 +0100 Subject: [PATCH 4/7] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Refactor?= =?UTF-8?q?=20legacy=20and=20minified=20proxmoxlib.js=20patching=20logic?= =?UTF-8?q?=20to=20use=20handlers?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit no-handler::Tasks that run when changed should likely be handlers This commit refactors the existing logic for patching legacy and minified proxmoxlib.js files, improving readability and maintainability. It also adds new handlers to store checksums and restart pveproxy. --- handlers/main.yml | 59 ++++++++++++++++++++++++++++++ tasks/subscription.yml | 83 +++++++++--------------------------------- 2 files changed, 76 insertions(+), 66 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 65af478..5ba4a49 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -14,3 +14,62 @@ - name: Reload systemd ansible.builtin.systemd_service: daemon_reexec: true + +- name: patch legacy proxmoxlib.js + block: + - name: Patch legacy proxmoxlib.js + ansible.builtin.replace: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js + regexp: "if \\(data.status !== 'Active'\\)" + replace: "if (false)" + register: patch_legacy + failed_when: patch_legacy.matched == 0 + notify: Restart pveproxy + + - name: Re-stat proxmoxlib.js + ansible.builtin.stat: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js + checksum_algorithm: sha256 + register: proxmoxlib_js_after + + - name: Store patched checksum (legacy) + ansible.builtin.copy: + dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256 + owner: root + group: root + mode: "0644" + content: "{{ proxmoxlib_js_after.stat.checksum }}\n" + + - name: Restart pveproxy + systemd: + name: pveproxy + state: restarted + +- name: patch minified proxmoxlib.js + block: + - name: Patch minified proxmoxlib.min.js + ansible.builtin.replace: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js + regexp: "data.status!=='Active'" + replace: "false" + register: patch_minified + failed_when: patch_minified.matched == 0 + + - name: Re-stat proxmoxlib.min.js + ansible.builtin.stat: + path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js + checksum_algorithm: sha256 + register: proxmoxlib_min_after + + - name: Store patched checksum (minified) + ansible.builtin.copy: + dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256 + owner: root + group: root + mode: "0644" + content: "{{ proxmoxlib_min_after.stat.checksum }}\n" + + - name: Restart pveproxy + systemd: + name: pveproxy + state: restarted diff --git a/tasks/subscription.yml b/tasks/subscription.yml index 4f19557..9f061d3 100644 --- a/tasks/subscription.yml +++ b/tasks/subscription.yml 
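Review bot: Both new handlers in `handlers/main.yml` are written as a named `block:`, and Ansible does not support a block as a handler, so these entries are expected to be rejected or never run as a unit. The same steps can be kept as flat handlers sharing a `listen:` topic, since handlers run in the order they are defined. `Restart pveproxy` is also defined twice inside the blocks, and the earlier tasks notified `restart pveproxy`, so a handler of that name presumably already exists above the hunk. A single restart handler listening on both topics is enough.

```yaml
# Flat handlers; definition order gives patch -> re-stat -> store -> restart.
- name: Patch legacy proxmoxlib.js
  listen: patch legacy proxmoxlib.js
  ansible.builtin.replace:
    # … unchanged: path, regexp, replace …
  register: patch_legacy
  failed_when: patch_legacy.matched == 0

- name: Re-stat proxmoxlib.js
  listen: patch legacy proxmoxlib.js
  ansible.builtin.stat:
    # … unchanged: path, checksum_algorithm …
  register: proxmoxlib_js_after

- name: Store patched checksum (legacy)
  listen: patch legacy proxmoxlib.js
  ansible.builtin.copy:
    # … unchanged: dest, owner, group, mode, content …

# … same flattening for the three minified handlers, listening on
# "patch minified proxmoxlib.js" …

- name: Restart pveproxy
  listen:
    - patch legacy proxmoxlib.js
    - patch minified proxmoxlib.js
  ansible.builtin.systemd:
    name: pveproxy
    state: restarted
```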
@@ -10,12 +10,6 @@ ############################ # Legacy proxmoxlib.js ############################ -- name: subscription | Read stored checksum (legacy) - ansible.builtin.slurp: - src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256 - register: proxmoxlib_js_checksum_stored - when: proxmoxlib_js.stat.exists - failed_when: false - name: subscription | Check for legacy proxmoxlib.js ansible.builtin.stat: 
@@ -23,39 +17,21 @@ checksum_algorithm: sha256 register: proxmoxlib_js -- name: subscription | Remove subscription nag (legacy proxmoxlib.js) - ansible.builtin.replace: - path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js - regexp: "if \\(data.status !== 'Active'\\)" - replace: "if (false)" +- name: subscription | Read stored checksum (legacy) + ansible.builtin.slurp: + src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256 + register: proxmoxlib_js_checksum_stored + when: proxmoxlib_js.stat.exists + failed_when: false + +- name: Trigger legacy nag patch if needed + meta: flush_handlers when: - proxmoxlib_js.stat.exists - proxmoxlib_js_checksum_stored.content is not defined - or (proxmoxlib_js.stat.checksum - != (proxmoxlib_js_checksum_stored.content | b64decode | trim)) - register: patch_legacy - failed_when: - - proxmoxlib_js.stat.exists - - patch_legacy.matched == 0 - notify: restart pveproxy - -- name: subscription | Read checksum after patch (legacy proxmoxlib.js) - ansible.builtin.stat: - path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js - checksum_algorithm: sha256 - register: proxmoxlib_js_after - when: patch_legacy is changed - -- name: subscription | Store patched checksum (legacy) - ansible.builtin.copy: - dest: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256 - owner: root - group: root - mode: "0644" - content: "{{ proxmoxlib_js_after.stat.checksum }}\n" - when: - - proxmoxlib_js.stat.exists - - patch_legacy is changed + or proxmoxlib_js.stat.checksum + != (proxmoxlib_js_checksum_stored.content | b64decode | trim) + notify: patch legacy proxmoxlib.js ############################ # Minified proxmoxlib.min.js (VE 8/9) 
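Review bot: `notify: patch legacy proxmoxlib.js` is attached to a `meta: flush_handlers` task, and a meta task does not report `changed`, so the handler that now holds the replace is not expected to be notified and the patch would silently stop being applied. The trigger needs to be an ordinary task that reports a change under the same `when:` conditions, for example an `ansible.builtin.debug` task with `changed_when: true` and the `notify:`, followed by a separate unconditional `meta: flush_handlers`. The minified trigger in `@@ -74,36 +50,11 @@` has the same construction and needs the same change. A short comment above the trigger, such as `# Notifies the patch handler only when the file hash differs from the stored one`, would make the intent readable.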
@@ -74,36 +50,11 @@ when: proxmoxlib_min_js.stat.exists failed_when: false -- name: subscription | Remove subscription nag (minified bundle for VE 8/9) - ansible.builtin.replace: - path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js - regexp: "data.status!=='Active'" - replace: "false" +- name: Trigger minified nag patch if needed + meta: flush_handlers when: - proxmoxlib_min_js.stat.exists - proxmoxlib_min_checksum_stored.content is not defined - or (proxmoxlib_min_js.stat.checksum - != (proxmoxlib_min_checksum_stored.content | b64decode | trim)) - register: patch_minified - failed_when: - - proxmoxlib_min_js.stat.exists - - patch_minified.matched == 0 - notify: restart pveproxy - -- name: subscription | Re-stat proxmoxlib.min.js after patch - ansible.builtin.stat: - path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.min.js - checksum_algorithm: sha256 - register: proxmoxlib_min_js_after - when: patch_legacy is changed - -- name: subscription | Store patched checksum (minified) - ansible.builtin.copy: - dest: /var/lib/proxmox-nag-patch/proxmoxlib.min.js.sha256 - owner: root - group: root - mode: "0644" - content: "{{ proxmoxlib_min_js.stat.checksum }}\n" - when: - - proxmoxlib_min_js_after.stat.exists - - patch_minified is changed + or proxmoxlib_min_js.stat.checksum + != (proxmoxlib_min_checksum_stored.content | b64decode | trim) + notify: patch minified proxmoxlib.js -- 2.49.1 From 1f2ff1d9ba90a232092498d2daa3448ef5daccaa Mon Sep 17 00:00:00 2001 
From: Jose Date: Sun, 8 Feb 2026 07:12:21 +0100 Subject: [PATCH 5/7] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Refactor?= =?UTF-8?q?=20task=20names=20and=20add=20namespace=20for=20clarity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit refactors the task names to improve readability and adds a namespace to avoid conflicts with other modules. It also fixes typos in task names and updates module references accordingly. --- handlers/main.yml | 10 +++++----- tasks/subscription.yml | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 5ba4a49..5d1d4dd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -15,9 +15,9 @@ ansible.builtin.systemd_service: daemon_reexec: true -- name: patch legacy proxmoxlib.js +- name: Ppatch legacy proxmoxlib.js block: - - name: Patch legacy proxmoxlib.js + - name: Ppatch legacy proxmoxlib.js ansible.builtin.replace: path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js regexp: "if \\(data.status !== 'Active'\\)" @@ -41,11 +41,11 @@ content: "{{ proxmoxlib_js_after.stat.checksum }}\n" - name: Restart pveproxy - systemd: + ansible.builtin.systemd: name: pveproxy state: restarted -- name: patch minified proxmoxlib.js +- name: Patch minified proxmoxlib.js block: - name: Patch minified proxmoxlib.min.js ansible.builtin.replace: @@ -70,6 +70,6 @@ content: "{{ proxmoxlib_min_after.stat.checksum }}\n" - name: Restart pveproxy - systemd: + ansible.builtin.systemd: name: pveproxy state: restarted diff --git a/tasks/subscription.yml b/tasks/subscription.yml index 9f061d3..e0441f6 100644 --- a/tasks/subscription.yml +++ b/tasks/subscription.yml 
@@ -24,14 +24,14 @@ when: proxmoxlib_js.stat.exists failed_when: false -- name: Trigger legacy nag patch if needed - meta: flush_handlers +- name: subscription | Trigger legacy nag patch if needed + ansible.builtin.meta: flush_handlers when: - proxmoxlib_js.stat.exists - proxmoxlib_js_checksum_stored.content is not defined or proxmoxlib_js.stat.checksum != (proxmoxlib_js_checksum_stored.content | b64decode | trim) - notify: patch legacy proxmoxlib.js + notify: Ppatch legacy proxmoxlib.js ############################ # Minified proxmoxlib.min.js (VE 8/9) @@ -50,11 +50,11 @@ when: proxmoxlib_min_js.stat.exists failed_when: false -- name: Trigger minified nag patch if needed - meta: flush_handlers +- name: subscription | Trigger minified nag patch if needed + ansible.builtin.meta: flush_handlers when: - proxmoxlib_min_js.stat.exists - proxmoxlib_min_checksum_stored.content is not defined or proxmoxlib_min_js.stat.checksum != (proxmoxlib_min_checksum_stored.content | b64decode | trim) - notify: patch minified proxmoxlib.js + notify: Patch minified proxmoxlib.js -- 2.49.1 From f51de332750973cc2b92191f15f916cb562f7216 Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 8 Feb 2026 07:59:26 +0100 Subject: [PATCH 6/7] =?UTF-8?q?fix=20=F0=9F=90=9B:=20Fix=20typo=20in=20tas?= =?UTF-8?q?k=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected a typographical error in the task name to ensure accurate documentation and clarity. --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 5d1d4dd..7ce84b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -15,9 +15,9 @@ ansible.builtin.systemd_service: daemon_reexec: true -- name: Ppatch legacy proxmoxlib.js +- name: Patch legacy proxmoxlib.js block: - - name: Ppatch legacy proxmoxlib.js + - name: Patch legacy proxmoxlib.js ansible.builtin.replace: path: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js regexp: "if \\(data.status !== 'Active'\\)" -- 2.49.1 From 410f87bb2c37e4c880677e6ec22edf15d8fde43f Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 8 Feb 2026 08:04:32 +0100 Subject: [PATCH 7/7] =?UTF-8?q?chore=20=F0=9F=93=A6:=20Comment=20out=20ent?= =?UTF-8?q?erprise=20repo=20lines=20and=20enable=20Proxmox=20no-subscripti?= =?UTF-8?q?on=20repo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates the repository configuration by commenting out enterprise-specific lines and enabling the Proxmox no-subscription repository to simplify setup for users without a subscription. --- tasks/repos.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/repos.yml b/tasks/repos.yml index 37da939..7033daa 100644 --- a/tasks/repos.yml +++ b/tasks/repos.yml @@ -1,11 +1,11 @@ --- -- name: repos | Remove enterprise repo files (all known locations) - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - /etc/apt/sources.list.d/pve-enterprise.list - - /etc/apt/sources.list.d/ceph.list +- name: Comment out Proxmox enterprise repo lines + ansible.builtin.replace: + path: /etc/apt/sources.list.d/pve-enterprise.list + regexp: '^(deb\s+)' + replace: '# \1' + when: ansible.builtin.stat(path='/etc/apt/sources.list.d/pve-enterprise.list').stat.exists + notify: apt update - name: repos | Enable Proxmox no-subscription repo ansible.builtin.copy: -- 2.49.1
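Review bot: Only the handler name is corrected in `@@ -15,9 +15,9 @@`; the previous patch set `notify: Ppatch legacy proxmoxlib.js` in `tasks/subscription.yml`, and no later patch in the visible series touches that line. After this commit the notify string no longer matches any handler name, and an unknown handler is an error at the point a task notifies it. The same commit should change that line to `notify: Patch legacy proxmoxlib.js`.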
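Review bot: The `when:` on the new task in `tasks/repos.yml` calls `ansible.builtin.stat(path=...)` as if it were a function, but `when` is a Jinja2 expression and modules cannot be invoked there, so the condition is expected to fail on an undefined name rather than test for the file. Stat the file in its own task and test the registered result, as below. The rewrite also stops handling `/etc/apt/sources.list.d/ceph.list`, which the removed task treated as an enterprise repo file, so that source stays active if present. A handler named `apt update` is not visible in this series and should be confirmed to exist.

```yaml
- name: repos | Check for Proxmox enterprise repo file
  ansible.builtin.stat:
    path: /etc/apt/sources.list.d/pve-enterprise.list
  register: pve_enterprise_list

- name: Comment out Proxmox enterprise repo lines
  # … unchanged: ansible.builtin.replace arguments …
  when: pve_enterprise_list.stat.exists
  notify: apt update
```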