From 3261b18f373b6da9779631d5ddcb50c502a59392 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Sat, 28 Feb 2026 12:52:15 +0000
Subject: [PATCH 1/2] improve: fail fast and surface guest-agent API errors

Reduce agent wait timeout and print HTTP/auth errors during enrollment so hangs are visible and permission issues are diagnosable.
---
 .gitea/workflows/terraform-apply.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index fa05fc1..fdd213e 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -96,6 +96,7 @@ jobs:
           import ssl
           import sys
           import time
+          import urllib.error
           import urllib.parse
           import urllib.request
 
@@ -145,7 +146,7 @@ jobs:
                   payload = resp.read().decode("utf-8")
               return json.loads(payload)
 
-          def wait_for_guest_agent(vmid, timeout_seconds=300):
+          def wait_for_guest_agent(vmid, timeout_seconds=120):
               deadline = time.time() + timeout_seconds
               tries = 0
               while time.time() < deadline:
@@ -155,8 +156,14 @@ jobs:
                       if res.get("data") == "pong":
                           print(f"Guest agent ready for vmid {vmid}", flush=True)
                           return True
-                  except Exception:
-                      pass
+                  except urllib.error.HTTPError as exc:
+                      detail = exc.read().decode("utf-8", "ignore")
+                      print(f"Agent ping HTTP error for vmid {vmid}: {exc.code} {detail}", flush=True)
+                      if exc.code in (401, 403):
+                          return False
+                  except Exception as exc:
+                      if tries == 1:
+                          print(f"Agent ping error for vmid {vmid}: {exc}", flush=True)
                   if tries % 6 == 0:
                       remaining = int(deadline - time.time())
                       print(f"Waiting for guest agent on vmid {vmid} ({remaining}s left)", flush=True)

From 0ea9888854dbb6fab34b0bc773cab35a7c47dc01 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Sat, 28 Feb 2026 12:56:51 +0000
Subject: [PATCH 2/2] fix: include SSH key variable in destroy workflow

Pass SSH_KEY_PUBLIC in secrets.auto.tfvars so terraform destroy plan no longer prompts for required cloud-init variable.
---
 .gitea/workflows/terraform-destroy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitea/workflows/terraform-destroy.yml b/.gitea/workflows/terraform-destroy.yml
index 9326660..e592710 100644
--- a/.gitea/workflows/terraform-destroy.yml
+++ b/.gitea/workflows/terraform-destroy.yml
@@ -43,6 +43,7 @@ jobs:
         run: |
           cat > secrets.auto.tfvars << EOF
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          SSH_KEY_PUBLIC      = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')"
           EOF
           cat > backend.hcl << EOF
           bucket                      = "${{ secrets.B2_TF_BUCKET }}"