vault: implement bootstrap integration

terraform/vms.tf

@@ -45,6 +45,14 @@ locals {
       disk_size    = "20G"
       flake_branch = "vault-setup" # Bootstrap from this branch instead of master
     }
+    "vaulttest01" = {
+      ip                  = "10.69.13.150/24"
+      cpu_cores           = 2
+      memory              = 2048
+      disk_size           = "20G"
+      flake_branch        = "vault-bootstrap-integration"
+      vault_wrapped_token = "s.HwNenAYvXBsPs8uICh4CbE11"
+    }
   }
 
   # Compute VM configurations with defaults applied
@@ -66,6 +74,8 @@ locals {
       gateway = lookup(vm, "gateway", var.default_gateway)
       # Branch configuration for bootstrap (optional, uses master if not set)
       flake_branch = lookup(vm, "flake_branch", null)
+      # Vault configuration (optional, for automatic secret provisioning)
+      vault_wrapped_token = lookup(vm, "vault_wrapped_token", null)
     }
   }
 }
@@ -138,4 +148,12 @@ resource "proxmox_vm_qemu" "vm" {
     source = "/dev/urandom"
     period = 1000
   }
+
+  # Lifecycle configuration
+  lifecycle {
+    ignore_changes = [
+      clone,            # Template name can change without recreating VMs
+      startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
+    ]
+  }
 }