2d455929bd Merge pull request 'stage' (#27) from stage into master
Some checks failed
Terraform Apply / Terraform Apply (push) Has been cancelled
Reviewed-on: #27
2026-02-28 12:48:21 +00:00
9740e9c6fb fix: strip newlines from SSH_KEY_PUBLIC secret in workflows
All checks were successful
Terraform Plan / Terraform Plan (push) Successful in 17s
Normalize SSH public key secret before writing secrets.auto.tfvars so wrapped/multiline key pastes do not break Terraform parsing.
2026-02-28 12:46:25 +00:00
f12e15e566 Merge remote-tracking branch 'origin/master' into stage
Some checks failed
Terraform Plan / Terraform Plan (push) Failing after 14s
2026-02-28 12:45:15 +00:00
b3521d6c02 chore: remove baked SSH key from template user
Rely on cloud-init SSH key injection from secrets for access rotation instead of storing an authorized key in the template config.
2026-02-28 12:45:04 +00:00
17834b3aa7 update: rotate SSH access via cloud-init secret
All checks were successful
Terraform Plan / Terraform Plan (push) Successful in 17s
Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.
2026-02-28 12:36:20 +00:00
6 changed files with 15 additions and 7 deletions


@@ -23,6 +23,7 @@ jobs:
run: | run: |
cat > secrets.auto.tfvars << EOF cat > secrets.auto.tfvars << EOF
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
SSH_KEY_PUBLIC = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')"
EOF EOF
cat > backend.hcl << EOF cat > backend.hcl << EOF
bucket = "${{ secrets.B2_TF_BUCKET }}" bucket = "${{ secrets.B2_TF_BUCKET }}"
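Review bot: The new `SSH_KEY_PUBLIC` line (and its twin in the second workflow hunk) still pastes the secret's raw text into the shell script via `${{ secrets.SSH_KEY_PUBLIC }}` before the runner executes it, so the shell parses the value as source rather than data and a `"` or `$(` in the key's comment field would break or be evaluated; the newline stripping does not change that. Hand the value to the step through its environment instead, i.e. add `env:` with `SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}` on the step and write `SSH_KEY_PUBLIC = "$(printf '%s' "$SSH_KEY_PUBLIC" | tr -d '\r\n')"`, so the script only ever references a variable (the existing `PM_API_TOKEN_SECRET` line has the same shape, though that is not part of this change). Keep the heredoc delimiter unquoted as it is now, since that is what lets the `$(...)` substitution inside `EOF` run `tr`. Even with the env-var form the key lands inside an HCL double-quoted string unescaped, so a `"` or `${` in the comment would still fail `terraform plan`; a `validation` block on the variable is the right place to reject such values early. The step that owns this `run:` begins above the hunk.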


@@ -25,6 +25,7 @@ jobs:
echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)" echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
cat > secrets.auto.tfvars << EOF cat > secrets.auto.tfvars << EOF
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
SSH_KEY_PUBLIC = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')"
EOF EOF
cat > backend.hcl << EOF cat > backend.hcl << EOF
bucket = "${{ secrets.B2_TF_BUCKET }}" bucket = "${{ secrets.B2_TF_BUCKET }}"


@@ -30,11 +30,6 @@
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-rsa 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"
];
# optional while testing noVNC login:
# initialPassword = "changeme123";
}; };
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;


@@ -4,6 +4,7 @@ data "template_file" "cloud_init_global" {
vars = { vars = {
hostname = "generic" hostname = "generic"
domain = "home.arpa" domain = "home.arpa"
SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
} }
} }


@@ -8,3 +8,8 @@ resolv_conf:
preserve_hostname: false preserve_hostname: false
fqdn: ${hostname}.${domain} fqdn: ${hostname}.${domain}
users:
- name: micqdf
ssh_authorized_keys:
- ${SSH_KEY_PUBLIC}
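Review bot: `- ${SSH_KEY_PUBLIC}` is substituted as a plain YAML scalar, so a key whose comment field contains `: ` or ` #`, or a value that starts with a YAML indicator, would silently change the structure of the rendered user-data instead of producing an error; write the item as `- "${SSH_KEY_PUBLIC}"`, or pass `jsonencode(var.SSH_KEY_PUBLIC)` from the data source and leave the template line unquoted, since a JSON string is already a valid quoted YAML scalar. An empty variable currently renders as a bare `-` (a null item); presumably cloud-init ignores that rather than failing, so the empty case is better rejected by a `validation` block on the Terraform variable. Also note that listing `users:` without a `default` entry disables cloud-init's default user on images that rely on it — that looks intended here because `micqdf` is the template user, but it is worth confirming. The `users:` key is new in this hunk, so there is no enclosing block outside it.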


@@ -66,3 +66,8 @@ variable "llama_vm_count" {
default = 1 default = 1
description = "How many Llama VMs to create" description = "How many Llama VMs to create"
} }
variable "SSH_KEY_PUBLIC" {
type = string
description = "Public SSH key injected via cloud-init"
}
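Review bot: The new `SSH_KEY_PUBLIC` variable accepts any string, so the `tr -d '\r\n'` added in the workflows is the only thing between a wrapped key paste and broken cloud-init user-data, and a local `terraform plan` with a hand-edited tfvars gets no such normalisation at all. A `validation` block that rejects empty values and embedded line breaks and requires the value to look like a single OpenSSH public-key line (`<type> <base64>[ <comment>]`) moves the check to where the value is consumed; `nullable = false` closes the `null` case too. As a point of style, the rest of this file uses lower snake_case names (`llama_vm_count`), so `ssh_key_public` would match, but renaming touches the tfvars line the workflows write and the template var, so at most a follow-up.

```hcl
variable "SSH_KEY_PUBLIC" {
  # … unchanged: type, description …
  nullable = false

  validation {
    # One OpenSSH public-key line: "<type> <base64>[ <comment>]", no CR/LF anywhere.
    condition     = can(regex("^[A-Za-z0-9@.-]+ [A-Za-z0-9+/=]+( [^\r\n]*)?$", var.SSH_KEY_PUBLIC))
    error_message = "SSH_KEY_PUBLIC must be a single-line OpenSSH public key, e.g. \"ssh-ed25519 AAAA... comment\"."
  }
}
```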