From 7e75b64e91f73e6af3679ba931085f4475780c44 Mon Sep 17 00:00:00 2001 From: jester Date: Tue, 31 Mar 2026 16:49:28 +0000 Subject: [PATCH] Save Proxmox API user permissions from old host --- SCRATCH/proxmox-api-permissions.md | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 SCRATCH/proxmox-api-permissions.md diff --git a/SCRATCH/proxmox-api-permissions.md b/SCRATCH/proxmox-api-permissions.md new file mode 100644 index 0000000..65fb11b --- /dev/null +++ b/SCRATCH/proxmox-api-permissions.md 
@@ -0,0 +1,34 @@ +# Proxmox API User Config — from old host (zlh-prod1) + +## Source of truth +Copied from `/etc/pve/user.cfg` on old Denver host Mar 31 2026. + +## Users needed +- `apiuser@pve` — main API user for container provisioning +- `ansible@pve` — automation user (recreate if needed) + +## Roles needed +``` +ZLH-API: Datastore.AllocateSpace, Datastore.Audit, SDN.Allocate, SDN.Audit, SDN.Use, Sys.Audit, Sys.Modify, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt + +ZLH-API-CT: Datastore.AllocateSpace, Datastore.Audit, SDN.Use, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt +``` + +## ACLs needed for apiuser +``` +/nodes/zlh1 apiuser@pve ZLH-API +/nodes/zlh1 apiuser@pve!zlh-api ZLH-API, ZLH-API-CT +/storage/zlh-thin apiuser@pve ZLH-API +/storage/zlh-thin apiuser@pve!zlh-api ZLH-API, ZLH-API-CT +/vms apiuser@pve ZLH-API +/vms apiuser@pve!zlh-api ZLH-API, ZLH-API-CT +/sdn apiuser@pve ZLH-API +/sdn apiuser@pve!zlh-api ZLH-API +``` + +## Notes +- Node name on new host is `zlh1` — replace `zlh-prod1` references +- `zlh-thin` storage needs to exist on new host for ACLs to apply +- SDN ACLs reference vmbr1/vmbr2/vmbr3 — verify these exist on new host +- Token name: `apiuser@pve!zlh-api` — generate new secret, update .env on zpac-api +- ansible@pve not critical for platform — skip unless needed
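Review bot: In "ACLs needed for apiuser", the token `apiuser@pve!zlh-api` is given both ZLH-API and ZLH-API-CT on `/nodes/zlh1`, `/storage/zlh-thin` and `/vms`, but every privilege listed for ZLH-API-CT is already in ZLH-API. The second role adds nothing, and the token keeps the full role, including Sys.Modify and SDN.Allocate. If the token is meant to be the narrower container-provisioning credential, grant it ZLH-API-CT only on those paths and say so in the notes. Otherwise drop ZLH-API-CT from those lines so the intent is unambiguous when the ACLs are recreated. Two further points on the same file: the ACL block already uses `zlh1` while "Source of truth" says it was copied from the old host and the notes ask to replace `zlh-prod1` references that do not appear anywhere in the block, so state whether the block is verbatim or already rewritten. The SDN note mentions vmbr1/vmbr2/vmbr3, but the only SDN path listed is `/sdn`, so either list the actual paths or reword the note.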