lae / ansible-role-proxmox

IaC for Proxmox VE clusters.

Create users/groups if pve_users/groups vars are specified

ol3d opened this issue · comments

The option to include users/groups within PVE datacenter using pve_users and pve_groups vars requires the users to already exist on the system. This seems like an additional step needed outside of this role to properly set up the PVE environment and can be simplified for the user. Instead, users should be able to simply specify those users within this role's vars, and the specified users/groups should be created on the system before initializing into the PVE cluster.

This could be done using a separate role prior to this role, or by using ansible.builtin.user as a task that runs before this role, however, it makes sense in my mind to include the creation of the users in this role as well to prevent duplicated code in playbooks.

If this is something of interest, I wouldn't mind implementing this change into this role and creating a PR.

In addition, this could be handled simply by an additional var such as "pve_create_users: true", to be able to toggle whether or not the users are created by default using this role, or if they should be created outside of this role. Additionally, the enhancement should check whether the users are already created, and if so, should they be updated to the values specified in the role? "pve_force_update_users: true" could be created to handle force updating the users if specified; otherwise do not change users if they already exist outside of this role but are still specified in vars.

PAM user creation falls outside the scope of this role. The pve_user module only interacts with the PVE API but you're able to create Proxmox-only users (e.g. @pve—I use this for my setups) and LDAP users, and it looks like more is supported by PVE now—other roles are definitely more suited for managing these. It's not actually a requirement to have to create PAM users in order to create logins for people in Proxmox.

Anyway, the documentation already notes this in the role variables summary, but I guess it could also mention pve auth users:

pve_groups, pve_users, and pve_acls authorizes some local UNIX users (they must already exist) to access PVE

Please correct me if I understood incorrectly, however.


prevent duplicated code in playbooks.

Just to add another note, I don't think this is necessarily true. I would suggest that existing users, if they're using PAM users, are using PAM users for other things asides from Proxmox as well. They're either using ansible.builtin.user or another role as well for doing other configuration tasks, like adding SSH keys. This role isn't suitable for all those various other tasks.

Ah okay thanks for the clarification. Makes more sense the way that you put it, I will look into @pve and LDAP for my own setup as well as I am interested in a new solution from what I am currently using. I can close this issue out as it seems to be unneeded for this role in particular then.
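As an added example (not from the issue or the role's own documentation), the playbook below puts the two approaches discussed in this thread side by side: a PAM-backed login whose UNIX account is created beforehand with ansible.builtin.user, and a Proxmox-realm (@pve) login that needs no system account at all. The nested keys under pve_groups, pve_users and pve_acls are assumed to match the role's README, and vault_monitor_pve_password is a hypothetical vault variable; check both against the role version you install.

```yaml
# Added example: lae.proxmox role vars with one PAM user and one @pve user.
# The nested keys (name, comment, groups, password, path, roles) are assumed
# from the role's README; verify against the version you install.
- hosts: pve_nodes
  become: true
  pre_tasks:
    # Option 1: a PAM (local UNIX) account must exist before the role can
    # authorize it, so it is created here, outside the role, as discussed.
    - name: Ensure local UNIX account for the PAM-backed Proxmox login exists
      ansible.builtin.user:
        name: opsadmin
        shell: /usr/sbin/nologin   # no interactive shell, PVE login only
        password_lock: true        # no local password set by this play
  roles:
    - role: lae.proxmox
      vars:
        pve_group: pve_nodes
        pve_groups:
          - name: Admins
            comment: Cluster administrators
          - name: api_readonly
            comment: Read-only API consumers
        pve_users:
          # PAM realm: maps to the opsadmin account created in pre_tasks
          - name: opsadmin@pam
            groups: [ "Admins" ]
          # Option 2: Proxmox realm, stored only in the PVE user DB,
          # so no system account is needed on the node
          - name: monitor@pve
            password: "{{ vault_monitor_pve_password }}"  # hypothetical vault var
            groups: [ "api_readonly" ]
        pve_acls:
          - path: /
            roles: [ "Administrator" ]
            groups: [ "Admins" ]
          # Least privilege: the monitoring account only gets audit rights
          - path: /
            roles: [ "PVEAuditor" ]
            groups: [ "api_readonly" ]
```

Keeping the @pve password in ansible-vault and granting the built-in PVEAuditor role rather than Administrator limits what a leaked monitoring credential can do.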