Merge pull request 'fix: ignore stale SSH host keys for ephemeral homelab VMs' (#130 ) from stage into master

Reviewed-on: #130
fix: ignore stale SSH host keys for ephemeral homelab VMs
2026-03-09 03:45:11 +00:00 · 2026-03-09 03:16:18 +00:00 · 2026-03-08 22:03:17 +00:00 · 2026-03-08 20:12:03 +00:00 · 2026-03-08 18:06:46 +00:00 · 2026-03-08 13:36:21 +00:00
7 changed files with 17 additions and 16 deletions
--- a/.gitea/workflows/kubeadm-bootstrap.yml
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -27,7 +27,7 @@ jobs:
          fi
      - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
      - name: Create SSH key
        run: |
--- a/.gitea/workflows/kubeadm-reset.yml
+++ b/.gitea/workflows/kubeadm-reset.yml
@@ -27,7 +27,7 @@ jobs:
          fi
      - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
      - name: Create SSH key
        run: |
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -16,7 +16,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
      - name: Create secrets.tfvars
        working-directory: terraform
--- a/.gitea/workflows/terraform-destroy.yml
+++ b/.gitea/workflows/terraform-destroy.yml
@@ -36,7 +36,7 @@ jobs:
          fi
      - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
      - name: Create Terraform secret files
        working-directory: terraform
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -17,7 +17,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
      - name: Create secrets.tfvars
        working-directory: terraform
--- a/nixos/kubeadm/bootstrap/controller.py
+++ b/nixos/kubeadm/bootstrap/controller.py
@@ -110,7 +110,9 @@ class Controller:
            "-o",
            "IdentitiesOnly=yes",
            "-o",
-            "StrictHostKeyChecking=accept-new",
+            "StrictHostKeyChecking=no",
            "-o",
            "UserKnownHostsFile=/dev/null",
            "-i",
            self.ssh_key,
        ]
@@ -145,7 +147,13 @@ class Controller:
                    f"({attempt}/{self.ssh_ready_retries})"
                )
                time.sleep(self.ssh_ready_delay)
-        raise RuntimeError(f"Unable to authenticate to {ip} with users: {', '.join(self.ssh_candidates)}")
+        raise RuntimeError(
            "Unable to authenticate to "
            f"{ip} with users: {', '.join(self.ssh_candidates)}. "
            "If this is a freshly cloned VM, the Proxmox source template likely does not yet include the "
            "current cloud-init-capable NixOS template configuration from nixos/template-base. "
            "Terraform can only clone what exists in Proxmox; it cannot retrofit cloud-init support into an old template."
        )
    def remote(self, ip, cmd, check=True):
        ordered = [self.active_ssh_user] + [u for u in self.ssh_candidates if u != self.active_ssh_user]
@@ -166,14 +174,7 @@ class Controller:
        return last
    def prepare_known_hosts(self):
-        ssh_dir = Path.home() / ".ssh"
+        pass
        ssh_dir.mkdir(parents=True, exist_ok=True)
        (ssh_dir / "known_hosts").touch()
        run_local(["chmod", "700", str(ssh_dir)])
        run_local(["chmod", "600", str(ssh_dir / "known_hosts")])
        for ip in self.node_ips.values():
            run_local(["ssh-keygen", "-R", ip], check=False)
            run_local(f"ssh-keyscan -H {shlex.quote(ip)} >> {shlex.quote(str(ssh_dir / 'known_hosts'))}", check=False)
    def prepare_remote_nix(self, ip):
        self.remote(ip, "sudo mkdir -p /etc/nix")
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
@@ -10,7 +10,7 @@ in
      ./hardware-configuration.nix;
  networking.hostName = "k8s-base-template";
-  networking.useDHCP = false;
+  networking.useDHCP = lib.mkDefault true;
  networking.useNetworkd = true;
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
Author	SHA1	Message	Date
micqdf	5bfc135350	Merge pull request 'fix: ignore stale SSH host keys for ephemeral homelab VMs' (#130 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 19m24s Details Reviewed-on: #130	2026-03-09 03:45:11 +00:00
MichaelFisher1997	63213a4bc3	fix: ignore stale SSH host keys for ephemeral homelab VMs All checks were successful Terraform Plan / Terraform Plan (push) Successful in 16s Details Fresh destroy/recreate cycles change VM host keys, which was breaking bootstrap after rebuilds. Use a disposable known-hosts policy in the controller SSH options so automation does not fail on expected key rotation.	2026-03-09 03:16:18 +00:00
micqdf	e4243c7667	Merge pull request 'fix: keep DHCP enabled by default on template VM' (#129 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 1h50m42s Details Reviewed-on: #129	2026-03-08 22:03:17 +00:00
MichaelFisher1997	33bb0ffb17	fix: keep DHCP enabled by default on template VM All checks were successful Terraform Plan / Terraform Plan (push) Successful in 14s Details The template machine can lose connectivity when rebuilt directly because it has no cloud-init network data during template maintenance. Restore DHCP as the default for the template itself while keeping cloud-init + networkd enabled so cloned VMs can still consume injected network settings.	2026-03-08 20:12:03 +00:00
micqdf	7434a65590	Merge pull request 'stage' (#128 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 6m54s Details Reviewed-on: #128	2026-03-08 18:06:46 +00:00
MichaelFisher1997	cd8e538c51	ci: switch checkout action source away from gitea.com mirror All checks were successful Terraform Plan / Terraform Plan (push) Successful in 16s Details The gitea.com checkout action mirror is timing out during workflow startup. Use actions/checkout@v4 directly so jobs do not fail before any repository logic runs.	2026-03-08 13:36:21 +00:00
MichaelFisher1997	808c290c71	chore: clarify stale template cloud-init failure message Some checks failed Terraform Plan / Terraform Plan (push) Failing after 31s Details Make SSH bootstrap failures explain the real root cause when fresh clones never accept the injected user/key: the Proxmox source template itself still needs the updated cloud-init-capable NixOS configuration.	2026-03-08 13:16:37 +00:00