nima@devops:~/projects$

// selected projects

ansible-provision.yml · infra / automation
01 / 05

Ansible-driven VM provisioning

One playbook stands up a full fleet: it talks to the Proxmox API to create guests, then layers packages, runners and artifacts through ordered roles — fully repeatable, zero manual setup.

ansible · proxmox · cloud-init · cuda · docker · jfrog · idempotent
[Diagram: Ansible playbook, runs top to bottom, idempotent. Role 1: create VMs (provision guests via the Proxmox API). Role 2: install packages (cuda, docker, base deps). Role 3: Azure agents (self-hosted runners). Role 4: deploy artifacts (pull builds from JFrog Artifactory). Repeated for N guests on Ubuntu hosts; result: configured guest fleet with CUDA, Docker, Azure agent and artifacts, ready for workloads.]
deploy.yml · ci/cd · github actions
02 / 05

Containerised website delivery cycle

Every push to GitHub triggers an Action that builds an Nginx image from a Dockerfile, ships it to Docker Hub, and the server pulls & runs the fresh container over SSH — the full loop that keeps nimadevops.de live.

github actions · docker · docker hub · nginx · ssh · ci/cd
[Diagram: local repo (website content) → push → GitHub repo → GitHub Action builds and tags the image from the Dockerfile (FROM ubuntu:22.04, RUN apt install nginx, COPY nginx.conf ., EXPOSE 80) → push image → Docker Hub registry → server pulls via SSH and runs the container → nimadevops.de serves the new content live.]
network.conf · proxmox · dhcp / ddns / dns
03 / 05

Self-hosted DHCP, DDNS & DNS on Proxmox

Bonded NICs feed a VLAN-aware bridge that splits traffic across a client subnet and an isolated backend. Kea hands out leases, signals Kea DDNS on every hostname change, and BIND9 gets updated automatically: DNS that maintains itself.

proxmox · kea dhcp · bind9 · ddns · vlan · linux bond · lxc
[Diagram: physical layer eno1 + eno2 → Linux bond (bond0) → VLAN-aware Linux bridge (vmbr0). VLAN subnet 10.0.0.0/24: Kea DHCP LXC (10.0.0.2 / 172.20.0.2), BIND9 LXC (10.0.0.3 / 172.20.0.3). Backend subnet 172.20.0.0/24, tagged VLAN 20: Kea DDNS LXC (172.20.0.5). VM attached via eth0 (vmbr0) and eth1.20 (tag 20). Flow: DHCP lease → name change request → DNS update packet.]
paa_token.py · rdpgw · secure access
04 / 05

RDP Gateway with signed PAA tokens

The gateway mints a short-lived access token per session: it reads the user's cached Microsoft login from MSAL, derives their email, packs a JWT bound to host + client IP + expiry, and signs it with HS256, so only authorised, time-limited RDP connections reach the target host. Because HS256 is symmetric, the signing key (RDPGW_PAA_SIGNING_KEY) is shared between minting and verification and must be treated as a credential; the verifier has to check the signature first and then every bound claim (expiry, host, client IP), not just the signature.

rdpgw · msal · jwt · hs256 · python · lxc · zero-trust
[Diagram: RDP client requests VM-ID 666 → rdpgw LXC container (lib / API) reads the MSAL cache: _get_token_from_cache() → access token, get_user_email() → user email → JWT payload claims: iss: login.microsoft, email: user@domain, exp: +session ttl, host: VM-ID 666, clientIP: x.x.x.x → encoded HS256 with secret RDPGW_PAA_SIGNING_KEY → short-lived signed PAA token → Remote Desktop connects over RDP to the target host.]
azure-pipelines.yml · self-hosted agents
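A minimal mint/verify pair for the PAA token described above, written as an added example (it is not the page's paa_token.py and does not reproduce it). The JWT is encoded with the Python standard library (hmac, hashlib, base64, json) so it runs without PyJWT; the claim names (iss, email, exp, host, clientIP) and the issuer value follow the page's diagram, while the function names, the demo key and all sample values are assumptions made for the example. The verifier applies HS256 unconditionally, compares signatures in constant time, and only then checks the three bindings the token carries.

```python
"""Mint and verify an HS256-signed PAA token bound to host, client IP and expiry.

Added example, not the page's paa_token.py. Claim names and issuer follow the
page's diagram; function names, demo key and sample values are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. The real gateway reads RDPGW_PAA_SIGNING_KEY from the
# environment; the key is symmetric, so whoever holds it can both verify and mint.
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_paa_token(secret: bytes, email: str, host: str, client_ip: str,
                   ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build header.payload.signature with the claims the gateway binds to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "login.microsoft",
        "email": email,
        "exp": now + ttl_seconds,   # short-lived: the session TTL, not a standing credential
        "host": host,               # the VM the client asked for
        "clientIP": client_ip,      # the address the gateway saw the request from
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_paa_token(secret: bytes, token: str, expected_host: str,
                     client_ip: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is genuine, unexpired and bound to this host and IP.

    Raises ValueError otherwise. The signature is checked before any claim is
    trusted, and HS256 is applied regardless of the (unsigned) alg header, so a
    forged header cannot downgrade verification.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, payload_seg, sig_seg = parts
    expected_sig = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_seg))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("host") != expected_host:
        raise ValueError("token issued for a different host")
    if claims.get("clientIP") != client_ip:
        raise ValueError("token presented from a different client IP")
    return claims


def is_valid_paa_token(secret: bytes, token: str, expected_host: str,
                       client_ip: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper for callers that only need accept / reject."""
    try:
        verify_paa_token(secret, token, expected_host, client_ip, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample values are constructed for the demo.
    tok = mint_paa_token(DEMO_SIGNING_KEY, "user@domain", "666", "10.0.0.50", ttl_seconds=60)
    print(tok)
    print(verify_paa_token(DEMO_SIGNING_KEY, tok, "666", "10.0.0.50"))
```

The order of checks is the point: signature before claims, so nothing in an unverified payload influences a decision, and the host and client IP bindings are enforced by the verifier rather than merely carried in the token. A token replayed from another address, for another VM, after its TTL, or re-signed with a different key is rejected on the same path.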
05 / 05

Self-hosted Azure DevOps agents on Proxmox

A Windows VM runs the Azure DevOps agent and registers into an agent pool, so pipelines execute on my own hardware. Each run drives Docker directly — login, pull, run image — giving full control over the build environment at zero cloud-runner cost.

azure devops · self-hosted agent · proxmox · windows · docker · ci/cd
[Diagram: Azure DevOps pipeline ("This is our pipeline!") → agent pool → self-hosted Windows agent on a Windows Server VM in Proxmox (download and install the agent, register with the agent pool). Pipeline steps on the agent: Docker login, Docker pull, run image, next steps …]