Worflow: changes vars

.gitea/workflows/terraform-apply.yml

@@ -1,5 +1,5 @@
 name: Gitea Actions Demo
-run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
+run-name: ${{ gitea.actor }} is deploying with Terraform 🚀
 
 on:
   push:
@@ -15,6 +15,11 @@ jobs:
       contents: read
       pull-requests: write
 
+    env:
+      TF_VAR_SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
+      TF_VAR_TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
+      TF_VAR_proxmox_password: ${{ secrets.PROXMOX_PASSWORD }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -24,21 +29,15 @@ jobs:
         with:
           terraform_version: 1.6.6
 
-      - name: Inject sensitive secrets
-        working-directory: terraform
-        run: |
-          echo 'proxmox_password = "${{ secrets.PROXMOX_PASSWORD }}"' >> terraform.tfvars
-
       - name: Terraform Init
         working-directory: terraform
         run: terraform init
 
-
       - name: Terraform Plan
         working-directory: terraform
-        run: terraform plan 
+        run: terraform plan
 
       - name: Terraform Apply
         working-directory: terraform
-        run: terraform apply -auto-approve 
+        run: terraform apply -auto-approve
 

.gitea/workflows/terraform-destroy.yml

@@ -0,0 +1,38 @@
+name: Gitea Destroy Terraform
+run-name: ${{ gitea.actor }} triggered a Terraform Destroy 🧨
+
+on:
+  workflow_dispatch: # Manual trigger
+
+jobs:
+  destroy:
+    name: "Terraform Destroy"
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    env:
+      TF_VAR_SSH_KEY: ${{ secrets.TF_VAR_SSH_KEY_PUBLIC }}
+      TF_VAR_TS_AUTHKEY: ${{ secrets.TF_VAR_TS_AUTHKEY }}
+      TF_VAR_PROXMOX_PASSWORD: ${{ secrets.TF_VAR_PROXMOX_PASSWORD }}
+
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.6.6
+
+      - name: Terraform Init
+        working-directory: terraform
+        run: terraform init
+
+      - name: Terraform Destroy
+        working-directory: terraform
+        run: terraform destroy -auto-approve
+

.gitea/workflows/terraform-plan.yml

@@ -4,8 +4,8 @@ run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
 on:
   push:
     branches:
-      - stage 
-      - test 
+      - stage
+      - test
 
 jobs:
   terraform:
@@ -16,6 +16,11 @@ jobs:
       contents: read
       pull-requests: write
 
+    env:
+      TF_VAR_SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
+      TF_VAR_TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
+      TF_VAR_proxmox_password: ${{ secrets.PROXMOX_PASSWORD }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -25,11 +30,6 @@ jobs:
         with:
           terraform_version: 1.6.6
 
-      - name: Inject sensitive secrets
-        working-directory: terraform
-        run: |
-          echo 'proxmox_password = "${{ secrets.PROXMOX_PASSWORD }}"' >> terraform.tfvars
-
       - name: Terraform Init
         working-directory: terraform
         run: terraform init

.gitignore

@@ -1,2 +1,6 @@
 ./terraform/.terraform
 terraform/.terraform/
+terraform/test-apply.sh
+terraform/test-plan.sh
+terraform/test-destroy.sh
+terraform/tfplan

terraform/.terraform.lock.hcl

@@ -1,6 +1,42 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.5.2"
+  hashes = [
+    "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=",
+    "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511",
+    "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea",
+    "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0",
+    "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b",
+    "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038",
+    "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4",
+    "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464",
+    "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b",
+    "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e",
+    "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
+
 provider "registry.terraform.io/telmate/proxmox" {
   version     = "3.0.1-rc8"
   constraints = "3.0.1-rc8"

terraform/cloud-init.tf

@@ -0,0 +1,17 @@
+### Global cloud-init template (for all VMs)
+
+data "template_file" "cloud_init_global" {
+  template = file("${path.module}/files/cloud_init_global.yaml")
+
+  vars = {
+    hostname       = "generic"
+    domain         = "home.arpa"
+    TS_AUTHKEY     = var.TS_AUTHKEY
+    SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
+  }
+}
+
+resource "local_file" "cloud_init_global" {
+  content  = data.template_file.cloud_init_global.rendered
+  filename = "${path.module}/files/cloud_init_global.yaml"
+}

terraform/files/cloud_init.yaml

@@ -0,0 +1,9 @@
+#cloud-config
+hostname: ${hostname}
+fqdn: ${hostname}.${domain}
+
+runcmd:
+  - curl -fsSL https://tailscale.com/install.sh | sh
+  - tailscale up --auth-key=${TS_AUTHKEY}
+  - tailscale set --ssh
+

terraform/files/cloud_init_base.yaml

@@ -0,0 +1,6 @@
+#cloud-config
+runcmd:
+  - curl -fsSL https://tailscale.com/install.sh | sh
+  - tailscale up --auth-key=${TS_AUTHKEY}
+  - tailscale set --ssh
+

terraform/files/cloud_init_global.yaml

@@ -0,0 +1,48 @@
+#cloud-config
+#cloud-config
+hostname: myvm
+manage_etc_hosts: true
+resolv_conf:
+  nameservers:
+    - 8.8.8.8
+    - 1.1.1.1
+
+package_update: true
+package_upgrade: true
+
+# APT fails to acquire GPG keys if package dirmngr is missing
+bootcmd:
+  - [ cloud-init-per, once, dirmngr-aptupdate, apt-get, update ]
+  - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, dirmngr, -y ]
+  - [ cloud-init-per, once, dirmngr-aptinstall, apt-get, install, gnupg2, -y ]
+
+packages:
+  - jq
+  - curl
+  - qemu-guest-agent
+
+users:
+- name: stuart
+  groups: sudo
+  shell: /bin/bash
+  sudo: ['ALL=(ALL) NOPASSWD:ALL']
+  ssh_authorized_keys:
+    - ${SSH_KEY_PUBLIC}
+
+preserve_hostname: false
+fqdn: ${hostname}.${domain}
+
+#cloud-config
+# The above header must generally appear on the first line of a cloud config
+# file, but all other lines that begin with a # are optional comments.
+
+runcmd:
+  # One-command install, from https://tailscale.com/download/
+  - ['sh', '-c', 'curl -fsSL https://tailscale.com/install.sh | sh']
+  # Set sysctl settings for IP forwarding (useful when configuring an exit node)
+  - ['sh', '-c', "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && sudo sysctl -p /etc/sysctl.d/99-tailscale.conf" ]
+  # Generate an auth key from your Admin console
+  # https://login.tailscale.com/admin/settings/keys
+  # and replace the placeholder below
+  - ['tailscale', 'up', '--auth-key=${TS_AUTHKEY}']
+

terraform/main.tf

@@ -15,23 +15,42 @@ provider "proxmox" {
 }
 
 resource "proxmox_vm_qemu" "alpacas" {
-  count       = var.alpaca_count
-  vmid        = 500 + count.index + 1
+  count       = var.alpaca_vm_count
   name        = "alpaca-${count.index + 1}"
+  vmid        = 500 + count.index + 1
   target_node = var.target_node
   clone       = var.clone_template
-  sockets     = var.sockets
-  cores       = var.cores
-  memory      = var.memory
-  scsihw      = "virtio-scsi-pci"
+  full_clone  = true
+  os_type     = "cloud-init"
   agent       = 1
-  boot        = "order=scsi0"
 
-  disk {
-    slot    = "scsi0"
-    type    = "disk"
-    size    = var.disk_size
-    storage = var.storage
+  sockets   = var.sockets
+  cores     = var.cores
+  memory    = var.memory
+  scsihw    = "virtio-scsi-pci"
+  boot      = "order=virtio0"
+  bootdisk  = "virtio0"
+  ipconfig0 = "ip=dhcp"
+  cicustom  = "user=local:snippets/cloud_init_global.yaml"
+
+
+  disks {
+    virtio {
+      virtio0 {
+        disk {
+          size    = var.disk_size
+          storage = var.storage
+        }
+      }
+    }
+
+    ide {
+      ide2 {
+        cloudinit {
+          storage = var.storage
+        }
+      }
+    }
   }
 
   network {
@@ -39,43 +58,52 @@ resource "proxmox_vm_qemu" "alpacas" {
     model  = "virtio"
     bridge = var.bridge
   }
-
-  ipconfig0 = "ip=dhcp"
-
-  ciuser     = "alpine"
-  cipassword = var.proxmox_password
-  cicustom   = "user=local:snippets/cloudinit-user.yaml"
 }
 
+
 resource "proxmox_vm_qemu" "llamas" {
-  count       = var.llama_count
-  vmid        = 600 + count.index + 1
+  count       = var.llama_vm_count
   name        = "llama-${count.index + 1}"
+  vmid        = 600 + count.index + 1
   target_node = var.target_node
   clone       = var.clone_template
-  sockets     = var.sockets
-  cores       = var.cores
-  memory      = var.memory
-  scsihw      = "virtio-scsi-pci"
+  full_clone  = true
+  os_type     = "cloud-init"
   agent       = 1
-  boot        = "order=scsi0"
 
-  disk {
-    slot    = "scsi0"
-    type    = "disk"
-    size    = var.disk_size
-    storage = var.storage
+  sockets   = var.sockets
+  cores     = var.cores
+  memory    = var.memory
+  scsihw    = "virtio-scsi-pci"
+  boot      = "order=virtio0"
+  bootdisk  = "virtio0"
+  ipconfig0 = "ip=dhcp"
+  cicustom  = "user=local:snippets/cloud_init_global.yaml"
+
+  disks {
+    virtio {
+      virtio0 {
+        disk {
+          size    = var.disk_size
+          storage = var.storage
+        }
+      }
+    }
+
+    ide {
+      ide2 {
+        cloudinit {
+          storage = var.storage
+        }
+      }
+    }
   }
 
+
   network {
     id     = 0
     model  = "virtio"
     bridge = var.bridge
   }
-
-  ipconfig0 = "ip=dhcp"
-
-  ciuser     = "alpine"
-  cipassword = var.proxmox_password
-  cicustom   = "user=local:snippets/cloudinit-user.yaml"
 }
+

terraform/terraform.tfvars

@@ -1,13 +1,12 @@
 target_node    = "flex"
-clone_template = "Alpine-Template"
+clone_template = "ubuntu-cloudinit"
 vm_name        = "alpine-vm"
-cores          = 2
-memory         = 2048
+cores          = 1
+memory         = 1024
 disk_size      = "15G"
 sockets        = 1
 bridge         = "vmbr0"
 disk_type      = "scsi"
 storage        = "Flash"
 pm_api_url     = "https://100.105.0.115:8006/api2/json"
-pm_user        = "terraform-prov@pve"
-
+pm_user        = "terraform-prov@pve"

terraform/variables.tf

@@ -62,3 +62,24 @@ variable "llama_count" {
   description = "How many Llama VMs to create"
 }
 
+variable "alpaca_vm_count" {
+  type        = number
+  default     = 1
+  description = "How many Alpaca VMs to create"
+}
+
+variable "llama_vm_count" {
+  type        = number
+  default     = 1
+  description = "How many Llama VMs to create"
+}
+
+variable "TS_AUTHKEY" {
+  type        = string
+  description = "Tailscale auth key used in cloud-init"
+}
+
+variable "SSH_KEY_PUBLIC" {
+  type        = string
+  description = "My Public SSH key fo ssh auth list"
+}