update: rotate SSH access via cloud-init secret

Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.

terraform/cloud-init.tf

@@ -2,8 +2,9 @@ data "template_file" "cloud_init_global" {
   template = file("${path.module}/files/cloud_init_global.tpl")
 
   vars = {
-    hostname = "generic"
-    domain   = "home.arpa"
+    hostname       = "generic"
+    domain         = "home.arpa"
+    SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
   }
 }
 

terraform/files/cloud_init_global.tpl

@@ -8,3 +8,8 @@ resolv_conf:
 
 preserve_hostname: false
 fqdn: ${hostname}.${domain}
+
+users:
+  - name: micqdf
+    ssh_authorized_keys:
+      - ${SSH_KEY_PUBLIC}

terraform/variables.tf

@@ -66,3 +66,8 @@ variable "llama_vm_count" {
   default     = 1
   description = "How many Llama VMs to create"
 }
+
+variable "SSH_KEY_PUBLIC" {
+  type        = string
+  description = "Public SSH key injected via cloud-init"
+}