Merge pull request 'fix: make tailscale enrollment clone-safe and hostname-aware' (#22) from stage into master

Reviewed-on: #22

.gitea/workflows/terraform-apply.yml

@@ -1,47 +1,105 @@
-name: Gitea Actions Demo
+name: Terraform Apply
-run-name: ${{ gitea.actor }} is deploying with Terraform 🚀
 
 on:
   push:
     branches:
       - master
 
+concurrency:
+  group: terraform-global
+  cancel-in-progress: false
+
 jobs:
   terraform:
     name: "Terraform Apply"
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      pull-requests: write
-
-    env:
-      TF_VAR_TS_AUTHKEY: ${{ secrets.TAILSCALE_KEY }}
-      TF_VAR_ssh_key: ${{ secrets.SSH_PUBLIC_KEY }}
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Create secrets.tfvars
+        working-directory: terraform
+        run: |
+          cat > secrets.auto.tfvars << EOF
+          pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          EOF
+          cat > backend.hcl << EOF
+          bucket                      = "${{ secrets.B2_TF_BUCKET }}"
+          key                         = "terraform.tfstate"
+          region                      = "us-east-005"
+          endpoints = {
+            s3 = "${{ secrets.B2_TF_ENDPOINT }}"
+          }
+          access_key                  = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')"
+          secret_key                  = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')"
+          skip_credentials_validation = true
+          skip_metadata_api_check     = true
+          skip_region_validation      = true
+          skip_requesting_account_id  = true
+          use_path_style              = true
+          EOF
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.6.6
 
-      - name: Inject sensitive secrets
-        working-directory: terraform
-        run: |
-          echo 'proxmox_password = "${{ secrets.PROXMOX_PASSWORD }}"' >> terraform.tfvars
-
       - name: Terraform Init
         working-directory: terraform
-        run: terraform init
+        run: terraform init -reconfigure -backend-config=backend.hcl
 
       - name: Terraform Plan
         working-directory: terraform
-        run: terraform plan
+        run: terraform plan -out=tfplan
+
+      - name: Block accidental destroy
+        env:
+          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
+        working-directory: terraform
+        run: |
+          terraform show -json -no-color tfplan > tfplan.json
+          DESTROY_COUNT=$(python3 -c 'import json; raw=open("tfplan.json","rb").read().decode("utf-8","ignore"); start=raw.find("{"); data=json.JSONDecoder().raw_decode(raw[start:])[0]; print(sum(1 for rc in data.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))')
+          echo "Planned deletes: $DESTROY_COUNT"
+          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then
+            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
+            exit 1
+          fi
 
       - name: Terraform Apply
         working-directory: terraform
-        run: terraform apply -auto-approve
+        run: terraform apply -auto-approve tfplan
 
+      - name: Enroll VMs in Tailscale
+        env:
+          TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
+          TAILSCALE_ENROLL_HOSTS: ${{ secrets.TAILSCALE_ENROLL_HOSTS }}
+          VM_SSH_PRIVATE_KEY: ${{ secrets.VM_SSH_PRIVATE_KEY }}
+        run: |
+          if [ -z "$TS_AUTHKEY" ] || [ -z "$TAILSCALE_ENROLL_HOSTS" ] || [ -z "$VM_SSH_PRIVATE_KEY" ]; then
+            echo "Skipping Tailscale enrollment (missing TS_AUTHKEY, TAILSCALE_ENROLL_HOSTS, or VM_SSH_PRIVATE_KEY)."
+            exit 0
+          fi
+
+          echo "Expected format: host or host=hostname (comma-separated)"
+
+          install -m 700 -d ~/.ssh
+          printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+
+          for target in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
+            host="${target%%=*}"
+            ts_hostname=""
+            if [ "$host" != "$target" ]; then
+              ts_hostname="${target#*=}"
+            fi
+
+            echo "Enrolling $host into Tailscale"
+            if [ -n "$ts_hostname" ]; then
+              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
+                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; echo '$ts_hostname' | sudo tee /etc/tailscale/hostname >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo hostnamectl set-hostname '$ts_hostname' || true; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
+            else
+              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
+                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
+            fi
+          done

.gitea/workflows/terraform-destroy.yml

@@ -1,41 +1,93 @@
-name: Gitea Destroy Terraform
+name: Terraform Destroy
-run-name: ${{ gitea.actor }} triggered a Terraform Destroy 🧨
+run-name: ${{ gitea.actor }} requested Terraform destroy
 
 on:
-  workflow_dispatch: # Manual trigger
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: "Type NUKE to confirm destroy"
+        required: true
+        type: string
+      target:
+        description: "Destroy scope"
+        required: true
+        default: all
+        type: choice
+        options:
+          - all
+          - alpacas
+          - llamas
+
+concurrency:
+  group: terraform-global
+  cancel-in-progress: false
 
 jobs:
   destroy:
     name: "Terraform Destroy"
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      pull-requests: write
-
-    env:
-      TF_VAR_TS_AUTHKEY: ${{ secrets.TAILSCALE_KEY }}
-      TF_VAR_ssh_key: ${{ secrets.SSH_PUBLIC_KEY }}
-
     steps:
+      - name: Validate confirmation phrase
+        run: |
+          if [ "${{ inputs.confirm }}" != "NUKE" ]; then
+            echo "Confirmation failed. You must type NUKE."
+            exit 1
+          fi
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Create Terraform secret files
+        working-directory: terraform
+        run: |
+          cat > secrets.auto.tfvars << EOF
+          pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          EOF
+          cat > backend.hcl << EOF
+          bucket                      = "${{ secrets.B2_TF_BUCKET }}"
+          key                         = "terraform.tfstate"
+          region                      = "us-east-005"
+          endpoints = {
+            s3 = "${{ secrets.B2_TF_ENDPOINT }}"
+          }
+          access_key                  = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')"
+          secret_key                  = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')"
+          skip_credentials_validation = true
+          skip_metadata_api_check     = true
+          skip_region_validation      = true
+          skip_requesting_account_id  = true
+          use_path_style              = true
+          EOF
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.6.6
 
-      - name: Inject sensitive secrets
-        working-directory: terraform
-        run: |
-          echo 'proxmox_password = "${{ secrets.PROXMOX_PASSWORD }}"' >> terraform.tfvars
-
       - name: Terraform Init
         working-directory: terraform
-        run: terraform init
+        run: terraform init -reconfigure -backend-config=backend.hcl
 
-      - name: Terraform Destroy
+      - name: Terraform Destroy Plan
         working-directory: terraform
-        run: terraform destroy -auto-approve
+        run: |
+          case "${{ inputs.target }}" in
+            all)
+              terraform plan -destroy -out=tfdestroy
+              ;;
+            alpacas)
+              terraform plan -destroy -target=proxmox_vm_qemu.alpacas -out=tfdestroy
+              ;;
+            llamas)
+              terraform plan -destroy -target=proxmox_vm_qemu.llamas -out=tfdestroy
+              ;;
+            *)
+              echo "Invalid destroy target: ${{ inputs.target }}"
+              exit 1
+              ;;
+          esac
 
+      - name: Terraform Destroy Apply
+        working-directory: terraform
+        run: terraform apply -auto-approve tfdestroy

.gitea/workflows/terraform-plan.yml

@@ -1,5 +1,4 @@
-name: Gitea Actions Demo
+name: Terraform Plan
-run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
 
 on:
   push:
@@ -7,38 +6,54 @@ on:
       - stage
       - test
 
+concurrency:
+  group: terraform-global
+  cancel-in-progress: false
+
 jobs:
   terraform:
     name: "Terraform Plan"
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      pull-requests: write
-
-    env:
-      TF_VAR_TAILSCALE_KEY: ${{ secrets.TAILSCALE_KEY }}
-      TF_VAR_TS_AUTHKEY: ${{ secrets.TAILSCALE_KEY }}
-      TF_VAR_ssh_key: ${{ secrets.SSH_PUBLIC_KEY }}
-
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Create secrets.tfvars
+        working-directory: terraform
+        run: |
+          echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
+          cat > secrets.auto.tfvars << EOF
+          pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          EOF
+          cat > backend.hcl << EOF
+          bucket                      = "${{ secrets.B2_TF_BUCKET }}"
+          key                         = "terraform.tfstate"
+          region                      = "us-east-005"
+          endpoints = {
+            s3 = "${{ secrets.B2_TF_ENDPOINT }}"
+          }
+          access_key                  = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')"
+          secret_key                  = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')"
+          skip_credentials_validation = true
+          skip_metadata_api_check     = true
+          skip_region_validation      = true
+          skip_requesting_account_id  = true
+          use_path_style              = true
+          EOF
+          echo "Created secrets.auto.tfvars:"
+          cat secrets.auto.tfvars | sed 's/=.*/=***/'
+          echo "Using token ID from terraform.tfvars:"
+          grep '^pm_api_token_id' terraform.tfvars
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 1.6.6
 
-      - name: Inject sensitive secrets
-        working-directory: terraform
-        run: |
-          echo 'proxmox_password = "${{ secrets.PROXMOX_PASSWORD }}"' >> terraform.tfvars
-
       - name: Terraform Init
         working-directory: terraform
-        run: terraform init
+        run: terraform init -reconfigure -backend-config=backend.hcl
 
       - name: Terraform Format Check
         working-directory: terraform
@@ -52,9 +67,21 @@ jobs:
         working-directory: terraform
         run: terraform plan -out=tfplan
 
+      - name: Block accidental destroy
+        env:
+          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
+        working-directory: terraform
+        run: |
+          terraform show -json -no-color tfplan > tfplan.json
+          DESTROY_COUNT=$(python3 -c 'import json; raw=open("tfplan.json","rb").read().decode("utf-8","ignore"); start=raw.find("{"); data=json.JSONDecoder().raw_decode(raw[start:])[0]; print(sum(1 for rc in data.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))')
+          echo "Planned deletes: $DESTROY_COUNT"
+          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then
+            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
+            exit 1
+          fi
+
       - name: Upload Terraform Plan
         uses: actions/upload-artifact@v3
         with:
           name: terraform-plan
           path: terraform/tfplan
-

.gitignore

@@ -1,2 +1,6 @@
 ./terraform/.terraform
 terraform/.terraform/
+terraform/test-apply.sh
+terraform/test-plan.sh
+terraform/test-destroy.sh
+terraform/tfplan

nixos/template-base/README.md

@@ -0,0 +1,27 @@
+# NixOS Proxmox Template Base
+
+This folder contains a minimal NixOS base config you can copy into a new
+template VM build.
+
+## Files
+
+- `flake.nix`: pins `nixos-24.11` and exposes one host config.
+- `configuration.nix`: base settings for Proxmox guest use.
+
+## Before first apply
+
+1. Replace `REPLACE_WITH_YOUR_SSH_PUBLIC_KEY` in `configuration.nix`.
+2. Add `hardware-configuration.nix` from the VM install:
+   - `nixos-generate-config --root /`
+   - copy `/etc/nixos/hardware-configuration.nix` next to `configuration.nix`
+
+## Build/apply example inside the VM
+
+```bash
+sudo nixos-rebuild switch --flake .#template
+```
+
+## Notes
+
+- This is intentionally minimal and avoids cloud-init assumptions.
+- If you want host-specific settings, create additional modules and import them.

nixos/template-base/configuration.nix

@@ -0,0 +1,90 @@
+{ lib, pkgs, ... }:
+
+{
+  imports =
+    lib.optional (builtins.pathExists ./hardware-configuration.nix)
+      ./hardware-configuration.nix;
+
+  networking.hostName = "nixos-template";
+  networking.useDHCP = lib.mkDefault true;
+  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  services.qemuGuest.enable = true;
+  services.openssh.enable = true;
+  services.tailscale.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    KbdInteractiveAuthentication = false;
+    PermitRootLogin = "prohibit-password";
+  };
+
+  programs.fish.enable = true;
+
+  users.users.micqdf = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDyfhho9WSqK2OWxizt45Q5KHgox3uVWDnbvMBJaDnRph6CZeKmzaS60/+HN/o7MtIm+q86TfdYeWJVt4erPEvrYN8AWfvCWi+hP2Y0l18wS8GEA+efEXyQ5CLCefraXvIneORObKetzO73bq0HytDRXDowc4J0NcbEFB7ncf2RqVTC6QRlNPRD3jHLkUeKXVmyteNgTtGdMz4MFHCC7xtzgL7kEuuHDEWuVhPkK+dkeGBejq+RzkYcd8v37L7NjFZCK91jANBVcQnTLQVUVVlMovVPyoaROn4N8KpIhb85SYZIJGUEKMhmCowb2NnZLJNC07qn8sz1dmNZO635aquuWMhZTevCySJjvIuMxDSffhBaAjkK1aVixMCW3jyzbpFIEG6FOj27TpcMnen6a0j0AecdCKgXI/Ezb08pj9qmVppAvJPyYoqN4OwHNHGWb8U2X3GghFesei8ZmBgch12RkIaXYxVzkNqv3FG4kAMFMEnGe4e6aqAAuDzUIkcjsPl2XrNJp+pxnPWDc7EMTKPUuKIcteXVDgCVgufQjPBO5/DgUyygLTzt8py9sZyyFDsqRAZ6E3IzBpxyWfUOoN81mUL6G31pZ/1b3YKpNs7DuqvP/aXIvb94o8KsLPQeoG7L2ulcOWX7I0yhlAgd8QUjhNoNq3mK/sQylq9Zy63GhQ=="
+    ];
+    # optional while testing noVNC login:
+    # initialPassword = "changeme123";
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  systemd.services.tailscale-firstboot = {
+    description = "One-time Tailscale enrollment";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" "tailscaled.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ ! -s /etc/tailscale/authkey ]; then
+        exit 0
+      fi
+
+      key="$(cat /etc/tailscale/authkey)"
+      ts_hostname=""
+      if [ -s /etc/tailscale/hostname ]; then
+        ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
+      fi
+
+      rm -f /var/lib/tailscale/tailscaled.state
+      ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname
+
+      rm -f /etc/tailscale/authkey
+      rm -f /etc/tailscale/hostname
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [
+    btop
+    curl
+    dig
+    eza
+    fd
+    fzf
+    git
+    htop
+    jq
+    ripgrep
+    tailscale
+    tree
+    unzip
+    vim
+    neovim
+    wget
+  ];
+
+  system.stateVersion = "25.05";
+}

nixos/template-base/flake.nix

@@ -0,0 +1,14 @@
+{
+  description = "Base NixOS config for Proxmox template";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+  };
+
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.template = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./configuration.nix ];
+    };
+  };
+}

terraform/.terraform.lock.hcl

@@ -2,40 +2,21 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/local" {
-  version = "2.5.2"
+  version = "2.7.0"
   hashes = [
-    "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=",
+    "h1:2RYa3j7m/0WmET2fqotY4CHxE1Hpk0fgn47/126l+Og=",
-    "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511",
+    "zh:261fec71bca13e0a7812dc0d8ae9af2b4326b24d9b2e9beab3d2400fab5c5f9a",
-    "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea",
+    "zh:308da3b5376a9ede815042deec5af1050ec96a5a5410a2206ae847d82070a23e",
-    "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0",
+    "zh:3d056924c420464dc8aba10e1915956b2e5c4d55b11ffff79aa8be563fbfe298",
-    "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b",
+    "zh:643256547b155459c45e0a3e8aab0570db59923c68daf2086be63c444c8c445b",
-    "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038",
-    "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3",
     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4",
+    "zh:7aa4d0b853f84205e8cf79f30c9b2c562afbfa63592f7231b6637e5d7a6b5b27",
-    "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464",
+    "zh:7dc251bbc487d58a6ab7f5b07ec9edc630edb45d89b761dba28e0e2ba6b1c11f",
-    "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b",
+    "zh:7ee0ca546cd065030039168d780a15cbbf1765a4c70cd56d394734ab112c93da",
-    "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e",
+    "zh:b1d5d80abb1906e6c6b3685a52a0192b4ca6525fe090881c64ec6f67794b1300",
-    "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1",
+    "zh:d81ea9856d61db3148a4fc6c375bf387a721d78fc1fea7a8823a027272a47a78",
-  ]
+    "zh:df0a1f0afc947b8bfc88617c1ad07a689ce3bd1a29fd97318392e6bdd32b230b",
-}
+    "zh:dfbcad800240e0c68c43e0866f2a751cff09777375ec701918881acf67a268da",
-
-provider "registry.terraform.io/hashicorp/null" {
-  version = "3.2.3"
-  hashes = [
-    "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=",
-    "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2",
-    "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d",
-    "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3",
-    "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f",
-    "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
-    "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
-    "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
-    "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
-    "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
-    "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
   ]
 }
 
@@ -57,23 +38,23 @@ provider "registry.terraform.io/hashicorp/template" {
 }
 
 provider "registry.terraform.io/telmate/proxmox" {
-  version     = "3.0.1-rc8"
+  version     = "3.0.2-rc07"
-  constraints = "3.0.1-rc8"
+  constraints = "3.0.2-rc07"
   hashes = [
-    "h1:W5X4T5AZUaqO++aAequNECUKJaXLC5upcws6Vp7mkBk=",
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
-    "zh:0272f1600251abf9b139c2683f83cde0a907ac762f5ead058b84de18ddc1d78e",
+    "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca",
-    "zh:328e708a8063a133516612b17c8983a9372fa42766530925d1d37aeb1daa30ec",
+    "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c",
-    "zh:3449150e4d57f79af6f9583e93e3a5ab84fb475bc594de75b968534f57af2871",
+    "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd",
-    "zh:58d803a0203241214f673c80350d43ce1a5ce57b21b83ba08d0d08e8c389dcc4",
+    "zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b",
-    "zh:59e3e99afc1ea404e530100725403c1610d682cfd27eeeaf35190c119b76a4db",
+    "zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea",
-    "zh:666cb7d299824152714202e8fda000c2e37346f2ae6d0a0e3c6f6bd68ef5d9ca",
+    "zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb",
-    "zh:6a1290b85e7bf953664b21b2a1ea554923a060f2a8347d8d5bb3d2b5157f85d2",
+    "zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210",
-    "zh:72230960c49fe7050a5e80ee10fa24cdac94dbab82744bccb6aa251741eb5aa9",
+    "zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42",
-    "zh:91f655c41f5af9a9fdcf6104c3d0a553eaa0fb3390af81051e744f30accd5b52",
+    "zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae",
-    "zh:aa08a22bf737d5840573bb6030617ab6bba2a292f4b9c88b20477cdcfb9676a9",
+    "zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26",
-    "zh:b72012cc284cad488207532b6668c58999c972d837b5f486db1d7466d686d5fd",
+    "zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f",
-    "zh:e24f934249a6ab4d3705c1398226d4d9df1e81ef8a36592389be02bc35cc661f",
+    "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2",
-    "zh:e9e6bcef8b6a6b5ff2317168c2c23e4c55ae23f883ba158d2c4fd6324a0413e5",
+    "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c",
-    "zh:ffa1e742a8c50babd8dbfcd6884740f9bea8453ec4d832717ff006a4fbfffa91",
+    "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db",
   ]
 }

terraform/cloud-init.tf

@@ -1,70 +1,13 @@
-### Alpaca cloud-init template
+data "template_file" "cloud_init_global" {
-data "template_file" "cloud_init_alpaca" {
+  template = file("${path.module}/files/cloud_init_global.tpl")
-  count    = var.alpaca_vm_count
-  template = file("${path.module}/files/cloud_init.yaml")
 
   vars = {
-    ssh_key    = var.ssh_key
+    hostname = "generic"
-    hostname   = "alpaca-${count.index + 1}"
+    domain   = "home.arpa"
-    domain     = "home.arpa"
-    TS_AUTHKEY = var.TS_AUTHKEY
   }
 }
 
-
+resource "local_file" "cloud_init_global" {
-resource "local_file" "cloud_init_alpaca" {
+  content  = data.template_file.cloud_init_global.rendered
-  count    = var.alpaca_vm_count
+  filename = "${path.module}/files/rendered/cloud_init_global.yaml"
-  content  = data.template_file.cloud_init_alpaca[count.index].rendered
-  filename = "${path.module}/files/cloud_init_alpaca_${count.index + 1}.yaml"
 }
-
-resource "null_resource" "upload_cloud_init_alpaca" {
-  count = var.alpaca_vm_count
-
-  connection {
-    type = "ssh"
-    user = "root"
-    host = var.target_node
-  }
-
-  provisioner "file" {
-    source      = local_file.cloud_init_alpaca[count.index].filename
-    destination = "/var/lib/vz/snippets/cloud_init_alpaca_${count.index + 1}.yaml"
-  }
-}
-
-### Llama cloud-init template
-data "template_file" "cloud_init_llama" {
-  count    = var.llama_vm_count
-  template = file("${path.module}/files/cloud_init.yaml")
-
-  vars = {
-    ssh_key    = var.ssh_key
-    hostname   = "llama-${count.index + 1}"
-    domain     = "home.arpa"
-    TS_AUTHKEY = var.TS_AUTHKEY
-  }
-}
-
-
-resource "local_file" "cloud_init_llama" {
-  count    = var.llama_vm_count
-  content  = data.template_file.cloud_init_llama[count.index].rendered
-  filename = "${path.module}/files/cloud_init_llama_${count.index + 1}.yaml"
-}
-
-resource "null_resource" "upload_cloud_init_llama" {
-  count = var.llama_vm_count
-
-  connection {
-    type = "ssh"
-    user = "root"
-    host = var.target_node
-  }
-
-  provisioner "file" {
-    source      = local_file.cloud_init_llama[count.index].filename
-    destination = "/var/lib/vz/snippets/cloud_init_llama_${count.index + 1}.yaml"
-  }
-}
-

terraform/files/cloud_init.yaml

@@ -1,10 +1,9 @@
 #cloud-config
 hostname: ${hostname}
 fqdn: ${hostname}.${domain}
-ssh_authorized_keys:
-  - ${ssh_key}
 
 runcmd:
   - curl -fsSL https://tailscale.com/install.sh | sh
   - tailscale up --auth-key=${TS_AUTHKEY}
+  - tailscale set --ssh
 

terraform/files/cloud_init_base.yaml

@@ -0,0 +1,6 @@
+#cloud-config
+runcmd:
+  - curl -fsSL https://tailscale.com/install.sh | sh
+  - tailscale up --auth-key=${TS_AUTHKEY}
+  - tailscale set --ssh
+

terraform/files/cloud_init_global.tpl

@@ -0,0 +1,10 @@
+#cloud-config
+hostname: ${hostname}
+manage_etc_hosts: true
+resolv_conf:
+  nameservers:
+    - 8.8.8.8
+    - 1.1.1.1
+
+preserve_hostname: false
+fqdn: ${hostname}.${domain}

terraform/main.tf

@@ -1,17 +1,19 @@
 terraform {
+  backend "s3" {}
+
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc8"
+      version = "3.0.2-rc07"
     }
   }
 }
 
 provider "proxmox" {
-  pm_api_url      = var.pm_api_url
+  pm_api_url          = var.pm_api_url
-  pm_user         = var.pm_user
+  pm_api_token_id     = var.pm_api_token_id
-  pm_password     = var.proxmox_password
+  pm_api_token_secret = var.pm_api_token_secret
-  pm_tls_insecure = true
+  pm_tls_insecure     = true
 }
 
 resource "proxmox_vm_qemu" "alpacas" {
@@ -20,23 +22,39 @@ resource "proxmox_vm_qemu" "alpacas" {
   vmid        = 500 + count.index + 1
   target_node = var.target_node
   clone       = var.clone_template
-  full_clone  = false
+  full_clone  = true
+  os_type     = "cloud-init"
   agent       = 1
 
-  sockets    = var.sockets
+  cpu {
-  cores      = var.cores
+    sockets = var.sockets
-  memory     = var.memory
+    cores   = var.cores
-  scsihw     = "virtio-scsi-pci"
+  }
-  boot       = "order=scsi0"
+  memory    = var.memory
-  ipconfig0  = "ip=dhcp"
+  scsihw    = "virtio-scsi-pci"
-  cicustom   = "user=local:snippets/cloud_init_alpaca_${count.index + 1}.yaml"
+  boot      = "order=scsi0"
-  depends_on = [null_resource.upload_cloud_init_alpaca]
+  bootdisk  = "scsi0"
+  ipconfig0 = "ip=dhcp"
+  cicustom  = "user=local:snippets/cloud_init_global.yaml"
 
-  disk {
+
-    slot    = "scsi0"
+  disks {
-    type    = "disk"
+    scsi {
-    storage = var.storage
+      scsi0 {
-    size    = var.disk_size
+        disk {
+          size    = var.disk_size
+          storage = var.storage
+        }
+      }
+    }
+
+    ide {
+      ide2 {
+        cloudinit {
+          storage = var.storage
+        }
+      }
+    }
   }
 
   network {
@@ -53,24 +71,40 @@ resource "proxmox_vm_qemu" "llamas" {
   vmid        = 600 + count.index + 1
   target_node = var.target_node
   clone       = var.clone_template
-  full_clone  = false
+  full_clone  = true
+  os_type     = "cloud-init"
   agent       = 1
 
-  sockets    = var.sockets
+  cpu {
-  cores      = var.cores
+    sockets = var.sockets
-  memory     = var.memory
+    cores   = var.cores
-  scsihw     = "virtio-scsi-pci"
-  boot       = "order=scsi0"
-  ipconfig0  = "ip=dhcp"
-  cicustom   = "user=local:snippets/cloud_init_llama_${count.index + 1}.yaml"
-  depends_on = [null_resource.upload_cloud_init_llama]
-
-  disk {
-    slot    = "scsi0"
-    type    = "disk"
-    storage = var.storage
-    size    = var.disk_size
   }
+  memory    = var.memory
+  scsihw    = "virtio-scsi-pci"
+  boot      = "order=scsi0"
+  bootdisk  = "scsi0"
+  ipconfig0 = "ip=dhcp"
+  cicustom  = "user=local:snippets/cloud_init_global.yaml"
+
+  disks {
+    scsi {
+      scsi0 {
+        disk {
+          size    = var.disk_size
+          storage = var.storage
+        }
+      }
+    }
+
+    ide {
+      ide2 {
+        cloudinit {
+          storage = var.storage
+        }
+      }
+    }
+  }
+
 
   network {
     id     = 0
@@ -78,4 +112,3 @@ resource "proxmox_vm_qemu" "llamas" {
     bridge = var.bridge
   }
 }
-

terraform/outputs.tf

@@ -1,6 +1,6 @@
 output "alpaca_vm_ids" {
   value = {
-    for i in range(var.alpaca_count) :
+    for i in range(var.alpaca_vm_count) :
     "alpaca-${i + 1}" => proxmox_vm_qemu.alpacas[i].vmid
   }
 }
@@ -11,7 +11,7 @@ output "alpaca_vm_names" {
 
 output "llama_vm_ids" {
   value = {
-    for i in range(var.llama_count) :
+    for i in range(var.llama_vm_count) :
     "llama-${i + 1}" => proxmox_vm_qemu.llamas[i].vmid
   }
 }
@@ -19,4 +19,3 @@ output "llama_vm_ids" {
 output "llama_vm_names" {
   value = [for vm in proxmox_vm_qemu.llamas : vm.name]
 }
-

terraform/terraform.tfvars

@@ -1,13 +1,10 @@
-target_node    = "flex"
+target_node     = "flex"
-clone_template = "Alpine-TemplateV2"
+clone_template  = "nixos-template"
-vm_name        = "alpine-vm"
+cores           = 1
-cores          = 2
+memory          = 1024
-memory         = 2048
+disk_size       = "15G"
-disk_size      = "15G"
+sockets         = 1
-sockets        = 1
+bridge          = "vmbr0"
-bridge         = "vmbr0"
+storage         = "Flash"
-disk_type      = "scsi"
+pm_api_url      = "https://100.105.0.115:8006/api2/json"
-storage        = "Flash"
+pm_api_token_id = "terraform-prov@pve!mytoken"
-pm_api_url     = "https://100.105.0.115:8006/api2/json"
-pm_user        = "terraform-prov@pve"
-

terraform/variables.tf

@@ -1,5 +1,22 @@
-variable "proxmox_password" {
+variable "pm_api_token_id" {
-  type = string
+  type        = string
+  description = "Proxmox API token ID (format: user@realm!tokenid)"
+
+  validation {
+    condition     = can(regex(".+!.+", trimspace(var.pm_api_token_id)))
+    error_message = "pm_api_token_id must be in format user@realm!tokenid."
+  }
+}
+
+variable "pm_api_token_secret" {
+  type        = string
+  sensitive   = true
+  description = "Proxmox API token secret"
+
+  validation {
+    condition     = length(trimspace(var.pm_api_token_secret)) > 0
+    error_message = "pm_api_token_secret cannot be empty. Check your Gitea secret PM_API_TOKEN_SECRET."
+  }
 }
 
 variable "target_node" {
@@ -10,10 +27,6 @@ variable "clone_template" {
   type = string
 }
 
-variable "vm_name" {
-  type = string
-}
-
 variable "cores" {
   type = number
 }
@@ -34,10 +47,6 @@ variable "bridge" {
   type = string
 }
 
-variable "disk_type" {
-  type = string
-}
-
 variable "storage" {
   type = string
 }
@@ -46,22 +55,6 @@ variable "pm_api_url" {
   type = string
 }
 
-variable "pm_user" {
-  type = string
-}
-
-variable "alpaca_count" {
-  type        = number
-  default     = 1
-  description = "How many Alpaca VMs to create"
-}
-
-variable "llama_count" {
-  type        = number
-  default     = 1
-  description = "How many Llama VMs to create"
-}
-
 variable "alpaca_vm_count" {
   type        = number
   default     = 1
@@ -73,15 +66,3 @@ variable "llama_vm_count" {
   default     = 1
   description = "How many Llama VMs to create"
 }
-
-variable "TS_AUTHKEY" {
-  type        = string
-  description = "Tailscale auth key used in cloud-init"
-}
-
-
-variable "ssh_key" {
-  type        = string
-  description = "Public SSH key used by cloud-init"
-}
-