# Proxmox API User Config — from old host (zlh-prod1)

## Source of truth

Copied from `/etc/pve/user.cfg` on old Denver host Mar 31 2026.

## Users needed

- `apiuser@pve` — main API user for container provisioning
- `ansible@pve` — automation user (recreate if needed)

## Roles needed

```
ZLH-API: Datastore.AllocateSpace, Datastore.Audit, SDN.Allocate, SDN.Audit, SDN.Use, Sys.Audit, Sys.Modify, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt
ZLH-API-CT: Datastore.AllocateSpace, Datastore.Audit, SDN.Use, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt
```

## ACLs needed for apiuser

```
/nodes/zlh1        apiuser@pve          ZLH-API
/nodes/zlh1        apiuser@pve!zlh-api  ZLH-API, ZLH-API-CT
/storage/zlh-thin  apiuser@pve          ZLH-API
/storage/zlh-thin  apiuser@pve!zlh-api  ZLH-API, ZLH-API-CT
/vms               apiuser@pve          ZLH-API
/vms               apiuser@pve!zlh-api  ZLH-API, ZLH-API-CT
/sdn               apiuser@pve          ZLH-API
/sdn               apiuser@pve!zlh-api  ZLH-API
```

## Notes

- Node name on new host is `zlh1` — replace `zlh-prod1` references
- `zlh-thin` storage needs to exist on new host for ACLs to apply
- SDN ACLs reference vmbr1/vmbr2/vmbr3 — verify these exist on new host
- Token name: `apiuser@pve!zlh-api` — generate new secret, update .env on zpac-api
- ansible@pve not critical for platform — skip unless needed
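
## Example: recreating the roles, token and ACLs with pveum

An added example, not part of the original notes: a dry-run script that prints the `pveum` commands for the roles, user, token and ACLs listed above, preceded by the storage and bridge checks from the Notes. It assumes the token is privilege-separated (it has its own ACL entries) and that vmbr1/vmbr2/vmbr3 are visible as network interfaces on the host; the function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example: prints a plan only, nothing here changes the host.
NODE="zlh1"            # new node name (from the Notes)
STORAGE="zlh-thin"     # must already exist on the new host
USER_ID="apiuser@pve"
TOKEN_ID="zlh-api"

# ZLH-API-CT privileges, as listed under "Roles needed".
CT_PRIVS="Datastore.AllocateSpace,Datastore.Audit,SDN.Use,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CPU,VM.Config.Disk,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.PowerMgmt"
# ZLH-API is the same set plus four SDN/Sys privileges.
API_PRIVS="${CT_PRIVS},SDN.Allocate,SDN.Audit,Sys.Audit,Sys.Modify"

# Checks from the Notes: storage and bridges must exist before ACLs are applied.
zlh_prechecks() {
    echo "pvesm status --storage ${STORAGE}"
    for br in vmbr1 vmbr2 vmbr3; do
        echo "ip link show ${br}"   # assumption: bridges appear as interfaces
    done
}

zlh_plan() {
    # '!' is kept in single quotes so an interactive shell never expands it.
    tok=${USER_ID}'!'${TOKEN_ID}
    zlh_prechecks
    echo "pveum role add ZLH-API --privs '${API_PRIVS}'"
    echo "pveum role add ZLH-API-CT --privs '${CT_PRIVS}'"
    echo "pveum user add ${USER_ID}"
    # The new secret is displayed once at creation; copy it into .env on zpac-api.
    # --privsep 1 is an assumption based on the token having its own ACLs.
    echo "pveum user token add ${USER_ID} ${TOKEN_ID} --privsep 1"
    for path in "/nodes/${NODE}" "/storage/${STORAGE}" /vms /sdn; do
        # /sdn is the one path where the token gets ZLH-API only.
        if [ "$path" = /sdn ]; then
            roles="ZLH-API"
        else
            roles="ZLH-API,ZLH-API-CT"
        fi
        echo "pveum acl modify ${path} --users ${USER_ID} --roles ZLH-API"
        echo "pveum acl modify ${path} --tokens '${tok}' --roles ${roles}"
    done
}

zlh_plan
```

Review the printed plan, then run it on the new host by piping it to `sh -e` so a failed check stops everything after it.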