From e714a56980174a8cdc968f4b2d0df315eab8a0b7 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 28 Feb 2026 00:06:25 +0000
Subject: [PATCH] update: switch Terraform to NixOS template workflow
- Point clone_template to nixos-template and trim cloud-init to Nix-safe hostname/DNS only
- Remove SSH/Tailscale cloud-init variables and workflow secret dependencies
- Add reusable NixOS template-base config with bootloader, Tailscale, fish, and utility packages
---
 .gitea/workflows/terraform-apply.yml | 2 -
 .gitea/workflows/terraform-plan.yml | 2 -
 nixos/template-base/README.md | 27 ++++++++++++
 nixos/template-base/configuration.nix | 60 +++++++++++++++++++++++++++
 nixos/template-base/flake.nix | 14 +++++++
 terraform/cloud-init.tf | 6 +--
 terraform/files/cloud_init_global.tpl | 37 -----------------
 terraform/terraform.tfvars | 2 +-
 terraform/variables.tf | 10 -----
 9 files changed, 104 insertions(+), 56 deletions(-)
 create mode 100644 nixos/template-base/README.md
 create mode 100644 nixos/template-base/configuration.nix
 create mode 100644 nixos/template-base/flake.nix
diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index f319a29..5a49a78 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -19,8 +19,6 @@ jobs:
 run: |
 cat > secrets.auto.tfvars << EOF
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
- SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
- TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
 EOF
 - name: Set up Terraform
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
index 48c6427..35637d1 100644
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -21,8 +21,6 @@ jobs:
 echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
 cat > secrets.auto.tfvars << EOF
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
- SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
- TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
 EOF
 echo "Created secrets.auto.tfvars:"
 cat secrets.auto.tfvars | sed 's/=.*/=***/'
diff --git a/nixos/template-base/README.md b/nixos/template-base/README.md
new file mode 100644
index 0000000..6270ea5
--- /dev/null
+++ b/nixos/template-base/README.md
@@ -0,0 +1,27 @@
+# NixOS Proxmox Template Base
+
+This folder contains a minimal NixOS base config you can copy into a new
+template VM build.
+
+## Files
+
+- `flake.nix`: pins `nixos-24.11` and exposes one host config.
+- `configuration.nix`: base settings for Proxmox guest use.
+
+## Before first apply
+
+1. Replace `REPLACE_WITH_YOUR_SSH_PUBLIC_KEY` in `configuration.nix`.
+2. Add `hardware-configuration.nix` from the VM install:
+ - `nixos-generate-config --root /`
+ - copy `/etc/nixos/hardware-configuration.nix` next to `configuration.nix`
+
+## Build/apply example inside the VM
+
+```bash
+sudo nixos-rebuild switch --flake .#template
+```
+
+## Notes
+
+- This is intentionally minimal and avoids cloud-init assumptions.
+- If you want host-specific settings, create additional modules and import them.
diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix
new file mode 100644
index 0000000..867d6c0
--- /dev/null
+++ b/nixos/template-base/configuration.nix
@@ -0,0 +1,60 @@
+{ lib, pkgs, ... }:
+
+{
+ imports =
+ lib.optional (builtins.pathExists ./hardware-configuration.nix)
+ ./hardware-configuration.nix;
+
+ networking.hostName = "nixos-template";
+ networking.useDHCP = lib.mkDefault true;
+ networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ services.qemuGuest.enable = true;
+ services.openssh.enable = true;
+ services.tailscale.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+
+ programs.fish.enable = true;
+
+ users.users.micqdf = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDyfhho9WSqK2OWxizt45Q5KHgox3uVWDnbvMBJaDnRph6CZeKmzaS60/+HN/o7MtIm+q86TfdYeWJVt4erPEvrYN8AWfvCWi+hP2Y0l18wS8GEA+efEXyQ5CLCefraXvIneORObKetzO73bq0HytDRXDowc4J0NcbEFB7ncf2RqVTC6QRlNPRD3jHLkUeKXVmyteNgTtGdMz4MFHCC7xtzgL7kEuuHDEWuVhPkK+dkeGBejq+RzkYcd8v37L7NjFZCK91jANBVcQnTLQVUVVlMovVPyoaROn4N8KpIhb85SYZIJGUEKMhmCowb2NnZLJNC07qn8sz1dmNZO635aquuWMhZTevCySJjvIuMxDSffhBaAjkK1aVixMCW3jyzbpFIEG6FOj27TpcMnen6a0j0AecdCKgXI/Ezb08pj9qmVppAvJPyYoqN4OwHNHGWb8U2X3GghFesei8ZmBgch12RkIaXYxVzkNqv3FG4kAMFMEnGe4e6aqAAuDzUIkcjsPl2XrNJp+pxnPWDc7EMTKPUuKIcteXVDgCVgufQjPBO5/DgUyygLTzt8py9sZyyFDsqRAZ6E3IzBpxyWfUOoN81mUL6G31pZ/1b3YKpNs7DuqvP/aXIvb94o8KsLPQeoG7L2ulcOWX7I0yhlAgd8QUjhNoNq3mK/sQylq9Zy63GhQ=="
+ ];
+ # optional while testing noVNC login:
+ # initialPassword = "changeme123";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ btop
+ curl
+ dig
+ eza
+ fd
+ fzf
+ git
+ htop
+ jq
+ ripgrep
+ tree
+ unzip
+ vim
+ wget
+ ];
+
+ system.stateVersion = "24.11";
+}
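Review bot: Nothing in this module enables `services.cloud-init`, so the hostname/DNS user-data that terraform/cloud-init.tf still renders for the clone will, as far as these files show, never be consumed by the guest, and `networking.hostName = "nixos-template";` together with the static `networking.nameservers` makes every clone boot identically to the template. Either drop the `template_file` data source on the Terraform side or add `services.cloud-init.enable = true;` here and soften the hostname to `networking.hostName = lib.mkDefault "nixos-template";` so the two halves agree. The README's step to replace `REPLACE_WITH_YOUR_SSH_PUBLIC_KEY` does not match this file, which already carries a real key in `openssh.authorizedKeys.keys`. Because this image is cloned, add a comment above `services.openssh.enable` such as `# Remove /etc/ssh/ssh_host_* and /var/lib/tailscale before converting this VM to a template, or every clone inherits the same host keys and Tailscale node state` — this presumes the VM is booted with those services running before templating, which the README's nixos-rebuild step suggests. With `security.sudo.wheelNeedsPassword = false` the `micqdf` key is already root-equivalent, so `PermitRootLogin = "no";` would be the tighter choice than `"prohibit-password"`.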
diff --git a/nixos/template-base/flake.nix b/nixos/template-base/flake.nix
new file mode 100644
index 0000000..821c6e7
--- /dev/null
+++ b/nixos/template-base/flake.nix
@@ -0,0 +1,14 @@
+{
+ description = "Base NixOS config for Proxmox template";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ };
+
+ outputs = { nixpkgs, ... }: {
+ nixosConfigurations.template = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./configuration.nix ];
+ };
+ };
+}
diff --git a/terraform/cloud-init.tf b/terraform/cloud-init.tf
index 969bc9b..7d55fa0 100644
--- a/terraform/cloud-init.tf
+++ b/terraform/cloud-init.tf
@@ -2,10 +2,8 @@ data "template_file" "cloud_init_global" {
 template = file("${path.module}/files/cloud_init_global.tpl")
 vars = {
- hostname = "generic"
- domain = "home.arpa"
- TS_AUTHKEY = var.TS_AUTHKEY
- SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
+ hostname = "generic"
+ domain = "home.arpa"
 }
 }
diff --git a/terraform/files/cloud_init_global.tpl b/terraform/files/cloud_init_global.tpl
index daf3b15..0d9a2ac 100644
--- a/terraform/files/cloud_init_global.tpl
+++ b/terraform/files/cloud_init_global.tpl
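Review bot: No `flake.lock` is part of this commit — the diffstat lists only README.md, configuration.nix and flake.nix under nixos/template-base — so `nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"` follows the moving branch head and two template builds from the same revision of this repo can yield different closures. Commit the lock file produced by the first `nix flake lock` or `nixos-rebuild --flake` run and review bumps to it like any other dependency change; that lock is what actually pins the packages baked into every VM cloned from the template. A comment above the input, `# Resolved by flake.lock; update deliberately with nix flake update`, would make that expectation visible to whoever copies this folder.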
@@ -6,42 +6,5 @@ resolv_conf: - 8.8.8.8 - 1.1.1.1 -package_update: true -package_upgrade: true - -# APT fails to acquire GPG keys if package dirmngr is missing -bootcmd: - - [ cloud-init-per, once, dirmngr-aptupdate, apt-get, update ] - - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, dirmngr, -y ] - - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, gnupg2, -y ] - -packages: - - jq - - curl - - qemu-guest-agent - -users: -- name: stuart - groups: sudo - shell: /bin/bash - sudo: ['ALL=(ALL) NOPASSWD:ALL'] - ssh_authorized_keys: - - ${SSH_KEY_PUBLIC} - preserve_hostname: false fqdn: ${hostname}.${domain} - -#cloud-config -# The above header must generally appear on the first line of a cloud config -# file, but all other lines that begin with a # are optional comments. - -runcmd: - # One-command install, from https://tailscale.com/download/ - ['sh', '-c', 'curl -fsSL https://tailscale.com/install.sh | sh'] - # Set sysctl settings for IP forwarding (useful when configuring an exit node) - ['sh', '-c', "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && sudo sysctl -p /etc/sysctl.d/99-tailscale.conf" ] - # Generate an auth key from your Admin console - # https://login.tailscale.com/admin/settings/keys - # and replace the placeholder below - ['tailscale', 'up', '--auth-key=${TS_AUTHKEY}'] -
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index c5223ab..1f92a4c 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -1,5 +1,5 @@
 target_node = "flex"
-clone_template = "ubuntu-cloudinit"
+clone_template = "nixos-template"
 cores = 1
 memory = 1024
 disk_size = "15G"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 42e3073..6f94768 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -66,13 +66,3 @@ variable "llama_vm_count" {
 default = 1
 description = "How many Llama VMs to create"
 }
-
-variable "TS_AUTHKEY" {
- type = string
- description = "Tailscale auth key used in cloud-init"
-}
-
-variable "SSH_KEY_PUBLIC" {
- type = string
- description = "My Public SSH key for ssh auth list"
-}