Remove guest-agent enrollment workflow, pass TS auth key through Terraform variables/secrets, and run tailscale up with tag:k8s during cloud-init bootstrap alongside SSH key injection.
Switch VM boot order/disks to scsi0 to match cloned NixOS template boot layout, add destroy guards to plan/apply workflows, and replace destroy workflow with a confirmed manual dispatch nuke flow that uses remote B2 state.
Configure an s3 backend and initialize Terraform in CI with backend config from Gitea secrets so state persists across runs and apply operations stay consistent.
- Point clone_template to nixos-template and trim cloud-init to Nix-safe hostname/DNS only
- Remove SSH/Tailscale cloud-init variables and workflow secret dependencies
- Add reusable NixOS template-base config with bootloader, Tailscale, fish, and utility packages
- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id
- Restore pm_api_token_id and pm_api_token_secret variables
- Use TF_VAR_pm_api_token_id and TF_VAR_pm_api_token_secret env vars
- This is the standard Terraform way to pass variables via environment
- Remove token from Terraform variables (provider reads from env)
- Update workflows to set PM_API_TOKEN_ID and PM_API_TOKEN_SECRET directly
- Provider now reads credentials from environment variables
- Replace user/password auth with API token auth
- Update provider config to use pm_api_token_id and pm_api_token_secret
- Update workflow secrets to use PM_API_TOKEN_ID and PM_API_TOKEN_SECRET
- Remove unused pm_user and proxmox_password variables
micqdf
MichaelFisher1997