vault: implement bootstrap integration

2026-02-02 22:27:28 +01:00
parent 7fc69c40a6
commit 1f4b7a6cbc
19 changed files with 1949 additions and 11 deletions
--- a/terraform/cloud-init.tf
+++ b/terraform/cloud-init.tf
@@ -10,18 +10,25 @@ resource "proxmox_cloud_init_disk" "ci" {
  pve_node = each.value.target_node
  storage  = "local" # Cloud-init disks must be on storage that supports ISO/snippets

-  # User data includes SSH keys and optionally NIXOS_FLAKE_BRANCH
+  # User data includes SSH keys and optionally NIXOS_FLAKE_BRANCH and Vault credentials
  user_data = <<-EOT
  #cloud-config
  ssh_authorized_keys:
    - ${each.value.ssh_public_key}
-  ${each.value.flake_branch != null ? <<-BRANCH
+  ${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<-FILES
  write_files:
    - path: /etc/environment
      content: |
+        %{~ if each.value.flake_branch != null ~}
        NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
+        %{~ endif ~}
+        %{~ if each.value.vault_wrapped_token != null ~}
+        VAULT_ADDR=https://vault.home.2rjus.net:8200
+        VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
+        VAULT_SKIP_VERIFY=1
+        %{~ endif ~}
      append: true
-  BRANCH
+  FILES
 : ""}
  EOT