Merge pull request 'fix: enable cloud-init networking in NixOS template' (#127 ) from stage into master

Reviewed-on: #127
Merge pull request 'fix: wait for SSH readiness after VM provisioning' (#126 ) from stage into master
2026-03-08 05:33:57 +00:00 · 2026-03-08 05:04:43 +00:00 · 2026-03-08 04:47:02 +00:00 · 2026-03-08 04:10:47 +00:00 · 2026-03-08 02:16:23 +00:00 · 2026-03-07 12:31:43 +00:00
7 changed files with 16 additions and 17 deletions
--- a/.gitea/workflows/kubeadm-bootstrap.yml
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -27,7 +27,7 @@ jobs:
          fi

      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: https://gitea.com/actions/checkout@v4

      - name: Create SSH key
        run: |
--- a/.gitea/workflows/kubeadm-reset.yml
+++ b/.gitea/workflows/kubeadm-reset.yml
@@ -27,7 +27,7 @@ jobs:
          fi

      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: https://gitea.com/actions/checkout@v4

      - name: Create SSH key
        run: |
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -16,7 +16,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: https://gitea.com/actions/checkout@v4

      - name: Create secrets.tfvars
        working-directory: terraform
--- a/.gitea/workflows/terraform-destroy.yml
+++ b/.gitea/workflows/terraform-destroy.yml
@@ -36,7 +36,7 @@ jobs:
          fi

      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: https://gitea.com/actions/checkout@v4

      - name: Create Terraform secret files
        working-directory: terraform
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -17,7 +17,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: https://gitea.com/actions/checkout@v4

      - name: Create secrets.tfvars
        working-directory: terraform
--- a/nixos/kubeadm/bootstrap/controller.py
+++ b/nixos/kubeadm/bootstrap/controller.py
@@ -110,9 +110,7 @@ class Controller:
            "-o",
            "IdentitiesOnly=yes",
            "-o",
-            "StrictHostKeyChecking=no",
-            "-o",
-            "UserKnownHostsFile=/dev/null",
+            "StrictHostKeyChecking=accept-new",
            "-i",
            self.ssh_key,
        ]
@@ -147,13 +145,7 @@ class Controller:
                    f"({attempt}/{self.ssh_ready_retries})"
                )
                time.sleep(self.ssh_ready_delay)
-        raise RuntimeError(
-            "Unable to authenticate to "
-            f"{ip} with users: {', '.join(self.ssh_candidates)}. "
-            "If this is a freshly cloned VM, the Proxmox source template likely does not yet include the "
-            "current cloud-init-capable NixOS template configuration from nixos/template-base. "
-            "Terraform can only clone what exists in Proxmox; it cannot retrofit cloud-init support into an old template."
-        )
+        raise RuntimeError(f"Unable to authenticate to {ip} with users: {', '.join(self.ssh_candidates)}")

    def remote(self, ip, cmd, check=True):
        ordered = [self.active_ssh_user] + [u for u in self.ssh_candidates if u != self.active_ssh_user]
@@ -174,7 +166,14 @@ class Controller:
        return last

    def prepare_known_hosts(self):
-        pass
+        ssh_dir = Path.home() / ".ssh"
+        ssh_dir.mkdir(parents=True, exist_ok=True)
+        (ssh_dir / "known_hosts").touch()
+        run_local(["chmod", "700", str(ssh_dir)])
+        run_local(["chmod", "600", str(ssh_dir / "known_hosts")])
+        for ip in self.node_ips.values():
+            run_local(["ssh-keygen", "-R", ip], check=False)
+            run_local(f"ssh-keyscan -H {shlex.quote(ip)} >> {shlex.quote(str(ssh_dir / 'known_hosts'))}", check=False)

    def prepare_remote_nix(self, ip):
        self.remote(ip, "sudo mkdir -p /etc/nix")
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
@@ -10,7 +10,7 @@ in
      ./hardware-configuration.nix;

  networking.hostName = "k8s-base-template";
-  networking.useDHCP = lib.mkDefault true;
+  networking.useDHCP = false;
  networking.useNetworkd = true;
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
Author	SHA1	Message	Date
micqdf	15e6471e7e	Merge pull request 'fix: enable cloud-init networking in NixOS template' (#127 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 7m10s Details Reviewed-on: #127	2026-03-08 05:33:57 +00:00
micqdf	e9bac70cae	Merge pull request 'fix: wait for SSH readiness after VM provisioning' (#126 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 6m56s Details Reviewed-on: #126	2026-03-08 05:04:43 +00:00
micqdf	97295a7071	Merge pull request 'ci: speed up Terraform destroy plan by skipping refresh' (#125 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 7m0s Details Reviewed-on: #125	2026-03-08 04:47:02 +00:00
micqdf	6ca189b32c	Merge pull request 'fix: vendor Flannel manifest and harden CNI bootstrap timing' (#124 ) from stage into master All checks were successful Terraform Apply / Terraform Apply (push) Successful in 15m11s Details Reviewed-on: #124	2026-03-08 04:10:47 +00:00
micqdf	2aa9950f59	Merge pull request 'fix: add mount utility to kubelet service PATH' (#123 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 11m10s Details Reviewed-on: #123	2026-03-08 02:16:23 +00:00
micqdf	c1f86483ad	Merge pull request 'debug: print detailed Flannel pod diagnostics on rollout timeout' (#122 ) from stage into master Some checks failed Terraform Apply / Terraform Apply (push) Failing after 23m50s Details Reviewed-on: #122	2026-03-07 12:31:43 +00:00