Merge branch 'feature/ansible-bootstrap' into develop

Author: devnullvoid

internal/config/config.go

@@ -184,16 +184,36 @@ type PluginConfig struct {
 
 // AnsiblePluginConfig holds configuration for the ansible plugin.
 type AnsiblePluginConfig struct {
-	InventoryFormat   string            `yaml:"inventory_format,omitempty"`
-	InventoryStyle    string            `yaml:"inventory_style,omitempty"`
-	InventoryVars     map[string]string `yaml:"inventory_vars,omitempty"`
-	DefaultUser       string            `yaml:"default_user,omitempty"`
-	DefaultPassword   string            `yaml:"default_password,omitempty"`
-	SSHPrivateKeyFile string            `yaml:"ssh_private_key_file,omitempty"`
-	DefaultLimitMode  string            `yaml:"default_limit_mode,omitempty"`
-	AskPass           bool              `yaml:"ask_pass,omitempty"`
-	AskBecomePass     bool              `yaml:"ask_become_pass,omitempty"`
-	ExtraArgs         []string          `yaml:"extra_args,omitempty"`
+	InventoryFormat   string                 `yaml:"inventory_format,omitempty"`
+	InventoryStyle    string                 `yaml:"inventory_style,omitempty"`
+	InventoryVars     map[string]string      `yaml:"inventory_vars,omitempty"`
+	DefaultUser       string                 `yaml:"default_user,omitempty"`
+	DefaultPassword   string                 `yaml:"default_password,omitempty"`
+	SSHPrivateKeyFile string                 `yaml:"ssh_private_key_file,omitempty"`
+	DefaultLimitMode  string                 `yaml:"default_limit_mode,omitempty"`
+	AskPass           bool                   `yaml:"ask_pass,omitempty"`
+	AskBecomePass     bool                   `yaml:"ask_become_pass,omitempty"`
+	ExtraArgs         []string               `yaml:"extra_args,omitempty"`
+	Bootstrap         AnsibleBootstrapConfig `yaml:"bootstrap,omitempty"`
+}
+
+// AnsibleBootstrapConfig holds bootstrap access workflow settings for ansible.
+type AnsibleBootstrapConfig struct {
+	Enabled              bool   `yaml:"enabled,omitempty"`
+	Username             string `yaml:"username,omitempty"`
+	Shell                string `yaml:"shell,omitempty"`
+	CreateHome           bool   `yaml:"create_home,omitempty"`
+	ExcludeWindowsGuests bool   `yaml:"exclude_windows_guests,omitempty"`
+	SSHPublicKeyFile     string `yaml:"ssh_public_key_file,omitempty"`
+	InstallAuthorizedKey bool   `yaml:"install_authorized_key,omitempty"`
+	SetPassword          bool   `yaml:"set_password,omitempty"`
+	Password             string `yaml:"password,omitempty"`
+	GrantSudoNOPASSWD    bool   `yaml:"grant_sudo_nopasswd,omitempty"`
+	SudoersFileMode      string `yaml:"sudoers_file_mode,omitempty"`
+	DryRunDefault        bool   `yaml:"dry_run_default,omitempty"`
+	Parallelism          int    `yaml:"parallelism,omitempty"`
+	Timeout              string `yaml:"timeout,omitempty"`
+	FailFast             bool   `yaml:"fail_fast,omitempty"`
 }
 
 // DefaultKeyBindings returns a KeyBindings struct with the default key mappings.
@@ -332,7 +352,17 @@ func NewConfig() *Config {
 		Debug:       strings.ToLower(os.Getenv("PVETUI_DEBUG")) == trueString,
 		CacheDir:    ExpandHomePath(os.Getenv("PVETUI_CACHE_DIR")),
 		KeyBindings: DefaultKeyBindings(),
-		ShowIcons:   strings.ToLower(os.Getenv("PVETUI_SHOW_ICONS")) != "false",
+		Plugins: PluginConfig{
+			Ansible: AnsiblePluginConfig{
+				Bootstrap: AnsibleBootstrapConfig{
+					CreateHome:           true,
+					ExcludeWindowsGuests: true,
+					InstallAuthorizedKey: true,
+					DryRunDefault:        true,
+				},
+			},
+		},
+		ShowIcons: strings.ToLower(os.Getenv("PVETUI_SHOW_ICONS")) != "false",
 	}
 	// Set default values for Realm and ApiPath only
 	if config.Realm == "" {
@@ -430,6 +460,23 @@ func (c *Config) MergeWithFile(path string) error {
 				AskPass           *bool             `yaml:"ask_pass"`
 				AskBecomePass     *bool             `yaml:"ask_become_pass"`
 				ExtraArgs         []string          `yaml:"extra_args"`
+				Bootstrap         struct {
+					Enabled              *bool  `yaml:"enabled"`
+					Username             string `yaml:"username"`
+					Shell                string `yaml:"shell"`
+					CreateHome           *bool  `yaml:"create_home"`
+					ExcludeWindowsGuests *bool  `yaml:"exclude_windows_guests"`
+					SSHPublicKeyFile     string `yaml:"ssh_public_key_file"`
+					InstallAuthorizedKey *bool  `yaml:"install_authorized_key"`
+					SetPassword          *bool  `yaml:"set_password"`
+					Password             string `yaml:"password"`
+					GrantSudoNOPASSWD    *bool  `yaml:"grant_sudo_nopasswd"`
+					SudoersFileMode      string `yaml:"sudoers_file_mode"`
+					DryRunDefault        *bool  `yaml:"dry_run_default"`
+					Parallelism          *int   `yaml:"parallelism"`
+					Timeout              string `yaml:"timeout"`
+					FailFast             *bool  `yaml:"fail_fast"`
+				} `yaml:"bootstrap"`
 			} `yaml:"ansible"`
 		} `yaml:"plugins"`
 		ShowIcons     *bool                          `yaml:"show_icons"`
@@ -463,7 +510,13 @@ func (c *Config) MergeWithFile(path string) error {
 		_, hasGlobalMenuKey = fileConfigRaw.KeyBindings["global_menu"]
 	}
 
-	if !isSOPSEncrypted && detectCleartextSensitive(fileConfig.Profiles, fileConfig.Password, fileConfig.TokenSecret, fileConfig.Plugins.Ansible.DefaultPassword) {
+	if !isSOPSEncrypted && detectCleartextSensitive(
+		fileConfig.Profiles,
+		fileConfig.Password,
+		fileConfig.TokenSecret,
+		fileConfig.Plugins.Ansible.DefaultPassword,
+		fileConfig.Plugins.Ansible.Bootstrap.Password,
+	) {
 		c.hasCleartextSensitive = true
 	}
 
@@ -715,6 +768,51 @@ func (c *Config) MergeWithFile(path string) error {
 	if fileConfig.Plugins.Ansible.ExtraArgs != nil {
 		c.Plugins.Ansible.ExtraArgs = append([]string{}, fileConfig.Plugins.Ansible.ExtraArgs...)
 	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Enabled != nil {
+		c.Plugins.Ansible.Bootstrap.Enabled = *fileConfig.Plugins.Ansible.Bootstrap.Enabled
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Username != "" {
+		c.Plugins.Ansible.Bootstrap.Username = fileConfig.Plugins.Ansible.Bootstrap.Username
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Shell != "" {
+		c.Plugins.Ansible.Bootstrap.Shell = fileConfig.Plugins.Ansible.Bootstrap.Shell
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.CreateHome != nil {
+		c.Plugins.Ansible.Bootstrap.CreateHome = *fileConfig.Plugins.Ansible.Bootstrap.CreateHome
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests != nil {
+		c.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests = *fileConfig.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.SSHPublicKeyFile != "" {
+		c.Plugins.Ansible.Bootstrap.SSHPublicKeyFile = ExpandHomePath(fileConfig.Plugins.Ansible.Bootstrap.SSHPublicKeyFile)
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.InstallAuthorizedKey != nil {
+		c.Plugins.Ansible.Bootstrap.InstallAuthorizedKey = *fileConfig.Plugins.Ansible.Bootstrap.InstallAuthorizedKey
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.SetPassword != nil {
+		c.Plugins.Ansible.Bootstrap.SetPassword = *fileConfig.Plugins.Ansible.Bootstrap.SetPassword
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Password != "" {
+		c.Plugins.Ansible.Bootstrap.Password = fileConfig.Plugins.Ansible.Bootstrap.Password
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.GrantSudoNOPASSWD != nil {
+		c.Plugins.Ansible.Bootstrap.GrantSudoNOPASSWD = *fileConfig.Plugins.Ansible.Bootstrap.GrantSudoNOPASSWD
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.SudoersFileMode != "" {
+		c.Plugins.Ansible.Bootstrap.SudoersFileMode = fileConfig.Plugins.Ansible.Bootstrap.SudoersFileMode
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.DryRunDefault != nil {
+		c.Plugins.Ansible.Bootstrap.DryRunDefault = *fileConfig.Plugins.Ansible.Bootstrap.DryRunDefault
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Parallelism != nil && *fileConfig.Plugins.Ansible.Bootstrap.Parallelism > 0 {
+		c.Plugins.Ansible.Bootstrap.Parallelism = *fileConfig.Plugins.Ansible.Bootstrap.Parallelism
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.Timeout != "" {
+		c.Plugins.Ansible.Bootstrap.Timeout = fileConfig.Plugins.Ansible.Bootstrap.Timeout
+	}
+	if fileConfig.Plugins.Ansible.Bootstrap.FailFast != nil {
+		c.Plugins.Ansible.Bootstrap.FailFast = *fileConfig.Plugins.Ansible.Bootstrap.FailFast
+	}
 
 	// Merge show_icons configuration if provided
 	if fileConfig.ShowIcons != nil {
@@ -750,13 +848,20 @@ func (c *Config) MergeWithFile(path string) error {
 	return nil
 }
 
-func detectCleartextSensitive(profiles map[string]ProfileConfig, legacyPassword, legacyTokenSecret, ansibleDefaultPassword string) bool {
+func detectCleartextSensitive(
+	profiles map[string]ProfileConfig,
+	legacyPassword,
+	legacyTokenSecret,
+	ansibleDefaultPassword,
+	ansibleBootstrapPassword string,
+) bool {
 	if hasCleartextSensitiveProfiles(profiles) {
 		return true
 	}
 	return hasCleartextSensitiveValue(legacyPassword) ||
 		hasCleartextSensitiveValue(legacyTokenSecret) ||
-		hasCleartextSensitiveValue(ansibleDefaultPassword)
+		hasCleartextSensitiveValue(ansibleDefaultPassword) ||
+		hasCleartextSensitiveValue(ansibleBootstrapPassword)
 }
 
 func hasCleartextSensitiveProfiles(profiles map[string]ProfileConfig) bool {
@@ -1119,6 +1224,24 @@ func (c *Config) SetDefaults() {
 	if c.Plugins.Ansible.SSHPrivateKeyFile != "" {
 		c.Plugins.Ansible.SSHPrivateKeyFile = ExpandHomePath(c.Plugins.Ansible.SSHPrivateKeyFile)
 	}
+	if c.Plugins.Ansible.Bootstrap.Username == "" {
+		c.Plugins.Ansible.Bootstrap.Username = "ansible"
+	}
+	if c.Plugins.Ansible.Bootstrap.Shell == "" {
+		c.Plugins.Ansible.Bootstrap.Shell = "/bin/bash"
+	}
+	if c.Plugins.Ansible.Bootstrap.SudoersFileMode == "" {
+		c.Plugins.Ansible.Bootstrap.SudoersFileMode = "0440"
+	}
+	if c.Plugins.Ansible.Bootstrap.Timeout == "" {
+		c.Plugins.Ansible.Bootstrap.Timeout = "2m"
+	}
+	if c.Plugins.Ansible.Bootstrap.Parallelism <= 0 {
+		c.Plugins.Ansible.Bootstrap.Parallelism = 10
+	}
+	if c.Plugins.Ansible.Bootstrap.SSHPublicKeyFile != "" {
+		c.Plugins.Ansible.Bootstrap.SSHPublicKeyFile = ExpandHomePath(c.Plugins.Ansible.Bootstrap.SSHPublicKeyFile)
+	}
 
 	// ShowIcons defaults to true (icons enabled)
 	// No explicit default needed since it's already set in NewConfig()

internal/config/config.tpl.yml

@@ -91,3 +91,18 @@ plugins:
   #   ask_pass: false                 # Add --ask-pass by default
   #   ask_become_pass: false          # Add --ask-become-pass by default
   #   extra_args: []                  # Extra args appended to ansible/ansible-playbook
+  #   bootstrap:
+  #     enabled: false
+  #     username: "ansible"
+  #     shell: "/bin/bash"
+  #     create_home: true
+  #     ssh_public_key_file: "~/.ssh/id_ed25519.pub"
+  #     install_authorized_key: true
+  #     set_password: false
+  #     # password: "secret"          # Sensitive field (encrypted with age/SOPS)
+  #     grant_sudo_nopasswd: false
+  #     sudoers_file_mode: "0440"
+  #     dry_run_default: true
+  #     parallelism: 10
+  #     timeout: "2m"
+  #     fail_fast: false

internal/config/config_test.go

@@ -541,6 +541,22 @@ plugins:
     extra_args:
       - --forks
       - "20"
+    bootstrap:
+      enabled: true
+      username: ansible
+      shell: /bin/bash
+      create_home: true
+      exclude_windows_guests: true
+      ssh_public_key_file: ~/.ssh/id_ed25519.pub
+      install_authorized_key: true
+      set_password: true
+      password: bootstrap-secret
+      grant_sudo_nopasswd: true
+      sudoers_file_mode: "0440"
+      dry_run_default: true
+      parallelism: 12
+      timeout: 3m
+      fail_fast: false
 `
 
 	_, err = tempFile.WriteString(content)
@@ -563,6 +579,46 @@ plugins:
 	assert.True(t, cfg.Plugins.Ansible.AskPass)
 	assert.True(t, cfg.Plugins.Ansible.AskBecomePass)
 	assert.Equal(t, []string{"--forks", "20"}, cfg.Plugins.Ansible.ExtraArgs)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.Enabled)
+	assert.Equal(t, "ansible", cfg.Plugins.Ansible.Bootstrap.Username)
+	assert.Equal(t, "/bin/bash", cfg.Plugins.Ansible.Bootstrap.Shell)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.CreateHome)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests)
+	assert.Contains(t, cfg.Plugins.Ansible.Bootstrap.SSHPublicKeyFile, ".ssh")
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.InstallAuthorizedKey)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.SetPassword)
+	assert.Equal(t, "bootstrap-secret", cfg.Plugins.Ansible.Bootstrap.Password)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.GrantSudoNOPASSWD)
+	assert.Equal(t, "0440", cfg.Plugins.Ansible.Bootstrap.SudoersFileMode)
+	assert.True(t, cfg.Plugins.Ansible.Bootstrap.DryRunDefault)
+	assert.Equal(t, 12, cfg.Plugins.Ansible.Bootstrap.Parallelism)
+	assert.Equal(t, "3m", cfg.Plugins.Ansible.Bootstrap.Timeout)
+	assert.False(t, cfg.Plugins.Ansible.Bootstrap.FailFast)
+}
+
+func TestConfig_MergeWithFile_AnsibleBootstrapExcludeWindowsGuestsFalse(t *testing.T) {
+	tempFile, err := os.CreateTemp("", "config-ansible-bootstrap-windows-*.yaml")
+	require.NoError(t, err)
+	defer os.Remove(tempFile.Name())
+
+	content := `
+plugins:
+  ansible:
+    bootstrap:
+      exclude_windows_guests: false
+`
+
+	_, err = tempFile.WriteString(content)
+	require.NoError(t, err)
+	require.NoError(t, tempFile.Close())
+
+	cfg := NewConfig()
+	require.True(t, cfg.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests)
+
+	require.NoError(t, cfg.MergeWithFile(tempFile.Name()))
+	cfg.SetDefaults()
+
+	assert.False(t, cfg.Plugins.Ansible.Bootstrap.ExcludeWindowsGuests)
 }
 
 func TestConfig_MergeWithEncryptedFile(t *testing.T) {
@@ -614,6 +670,11 @@ func TestConfig_SetDefaults(t *testing.T) {
 	assert.Equal(t, "yaml", config.Plugins.Ansible.InventoryFormat)
 	assert.Equal(t, "compact", config.Plugins.Ansible.InventoryStyle)
 	assert.Equal(t, "selection", config.Plugins.Ansible.DefaultLimitMode)
+	assert.Equal(t, "ansible", config.Plugins.Ansible.Bootstrap.Username)
+	assert.Equal(t, "/bin/bash", config.Plugins.Ansible.Bootstrap.Shell)
+	assert.Equal(t, "0440", config.Plugins.Ansible.Bootstrap.SudoersFileMode)
+	assert.Equal(t, "2m", config.Plugins.Ansible.Bootstrap.Timeout)
+	assert.Equal(t, 10, config.Plugins.Ansible.Bootstrap.Parallelism)
 	assert.Equal(t, "Ctrl+f", config.KeyBindings.AdvancedGuestFilter)
 }
 
@@ -1208,6 +1269,24 @@ func TestMergeWithFileMarksCleartextSensitive(t *testing.T) {
 	require.True(t, cfg.HasCleartextSensitiveData(), "expected cleartext detection when passwords are unencrypted")
 }
 
+func TestMergeWithFileMarksCleartextSensitiveForBootstrapPassword(t *testing.T) {
+	cfg := NewConfig()
+	cfg.Profiles = make(map[string]ProfileConfig)
+	cfg.DefaultProfile = testDefaultProfile
+
+	content := `plugins:
+  ansible:
+    bootstrap:
+      set_password: true
+      password: plain-bootstrap-secret
+`
+	path := filepath.Join(t.TempDir(), "config.yml")
+	require.NoError(t, os.WriteFile(path, []byte(content), 0o600))
+
+	require.NoError(t, cfg.MergeWithFile(path))
+	require.True(t, cfg.HasCleartextSensitiveData(), "expected cleartext detection for bootstrap password")
+}
+
 func TestMergeWithFileSkipsEncryptedSensitive(t *testing.T) {
 	cfg := NewConfig()
 	cfg.Profiles = make(map[string]ProfileConfig)

internal/config/encryption.go

@@ -275,6 +275,13 @@ func EncryptConfigSensitiveFields(cfg *Config) error {
 			return fmt.Errorf("encrypt ansible default_password: %w", err)
 		}
 	}
+	if cfg.Plugins.Ansible.Bootstrap.Password != "" && !isEncrypted(cfg.Plugins.Ansible.Bootstrap.Password) {
+		var err error
+		cfg.Plugins.Ansible.Bootstrap.Password, err = EncryptField(cfg.Plugins.Ansible.Bootstrap.Password)
+		if err != nil {
+			return fmt.Errorf("encrypt ansible bootstrap password: %w", err)
+		}
+	}
 
 	return nil
 }
@@ -314,6 +321,13 @@ func DecryptConfigSensitiveFields(cfg *Config) error {
 			return fmt.Errorf("decrypt ansible default_password: %w", err)
 		}
 	}
+	if cfg.Plugins.Ansible.Bootstrap.Password != "" {
+		var err error
+		cfg.Plugins.Ansible.Bootstrap.Password, err = DecryptField(cfg.Plugins.Ansible.Bootstrap.Password)
+		if err != nil {
+			return fmt.Errorf("decrypt ansible bootstrap password: %w", err)
+		}
+	}
 
 	return nil
 }

internal/plugins/ansible/inventory.go

@@ -125,8 +125,10 @@ func BuildInventoryWithFormat(nodes []*api.Node, guests []*api.VM, defaults Inve
 			"ansible_host":      target,
 			"ansible_user":      defaults.VMSSHUser,
 			"pvetui_kind":       "guest",
+			"pvetui_guest_name": guest.Name,
 			"pvetui_guest_id":   fmt.Sprintf("%d", guest.ID),
 			"pvetui_guest_type": guest.Type,
+			"pvetui_guest_os":   strings.TrimSpace(guest.OSType),
 			"pvetui_status":     guest.Status,
 			"pvetui_node":       guest.Node,
 		}