From 389a838327c9134f1ddcbf630c4801a10450cdf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Mon, 2 Feb 2026 23:19:05 +0100
Subject: [PATCH] fixup! vault: implement bootstrap integration
---
 CLAUDE.md | 28 ++++++++++++++++++++++++++++
 system/vault-secrets.nix | 2 +-
 terraform/variables.tf | 3 +-
 terraform/vms.tf | 9 +++++++++
 4 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/CLAUDE.md b/CLAUDE.md
index a03a8b8..e160929 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -213,6 +213,34 @@ Example VM deployment includes: OpenTofu outputs the VM's IP address after deployment for easy SSH access. +#### Template Rebuilding and Terraform State + +When the Proxmox template is rebuilt (via `build-and-deploy-template.yml`), the template name may change. This would normally cause Terraform to want to recreate all existing VMs, but that's unnecessary since VMs are independent once cloned. + +**Solution**: The `terraform/vms.tf` file includes a lifecycle rule to ignore certain attributes that don't need management: + +```hcl +lifecycle { + ignore_changes = [ + clone, # Template name can change without recreating VMs + startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage + ] +} +``` + +This means: +- **clone**: Existing VMs are not affected by template name changes; only new VMs use the updated template +- **startup_shutdown**: Proxmox sets default startup order/delay values (-1) that Terraform would otherwise try to remove +- You can safely update `default_template_name` in `terraform/variables.tf` without recreating VMs +- `tofu plan` won't show spurious changes for Proxmox-managed defaults + +**When rebuilding the template:** +1. Run `nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml` +2. Update `default_template_name` in `terraform/variables.tf` if the name changed +3. Run `tofu plan` - should show no VM recreations (only template name in state) +4. Run `tofu apply` - updates state without touching existing VMs +5. New VMs created after this point will use the new template + ### Adding a New Host 1. Create `/hosts//` directory diff --git a/system/vault-secrets.nix b/system/vault-secrets.nix index a8476c0..98fe2e6 100644 --- a/system/vault-secrets.nix +++ b/system/vault-secrets.nix 
@@ -141,7 +141,7 @@ in # Fetch services (mapAttrs' (name: secretCfg: nameValuePair "vault-secret-${name}" { description = "Fetch Vault secret: ${name}"; - before = secretCfg.services; + before = map (svc: "${svc}.service") secretCfg.services; wantedBy = [ "multi-user.target" ]; # Ensure vault-fetch is available diff --git a/terraform/variables.tf b/terraform/variables.tf index 29de2fb..f0fae47 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,8 +33,7 @@ variable "default_target_node" { variable "default_template_name" { description = "Default template VM name to clone from" type = string - # default = "nixos-25.11.20260128.fa83fd8" - default = "nixos-25.11.20260131.41e21c" + default = "nixos-25.11.20260131.41e216c" } variable "default_ssh_public_key" { diff --git a/terraform/vms.tf b/terraform/vms.tf index c679cec..7e36834 100644 --- a/terraform/vms.tf +++ b/terraform/vms.tf @@ -50,6 +50,7 @@ locals { cpu_cores = 2 memory = 2048 disk_size = "20G" + flake_branch = "vault-bootstrap-integration" } } @@ -146,4 +147,12 @@ resource "proxmox_vm_qemu" "vm" { source = "/dev/urandom" period = 1000 } + + # Lifecycle configuration + lifecycle { + ignore_changes = [ + clone, # Template name can change without recreating VMs + startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage + ] + } }
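Review bot: The new `before` list appends `.service` unconditionally, so an entry in `secretCfg.services` that already carries the suffix (say `foo.service`) becomes `foo.service.service` and the ordering silently stops applying to the real unit; either normalise it, `before = map (svc: if lib.hasSuffix ".service" svc then svc else "${svc}.service") secretCfg.services;` (assuming `lib` is in scope here, which the unqualified `mapAttrs'` and `nameValuePair` suggest), or state in the option's description that entries must be bare unit names. Separately, `before` only orders the fetch ahead of the consumers; if a consumer must not come up without its secret, adding `requiredBy = map (svc: "${svc}.service") secretCfg.services;` would make a failed fetch hold the consumer back instead of letting it start with the secret missing, which is worth confirming against how `secretCfg.services` is declared. The enclosing `mapAttrs'` expression begins and ends outside the hunk.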
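Review bot: `flake_branch = "vault-bootstrap-integration"` pins this VM definition to a feature branch by name, so once that branch is merged or deleted the VM keeps tracking a ref that no longer receives updates or no longer exists, and nothing in a plan will flag it. If the pin is intentional while the work is in progress, a comment such as `# TODO: drop this pin once vault-bootstrap-integration is merged` makes the cleanup visible; if the other VMs rely on a default, leaving the attribute unset here is the safer option. Where `flake_branch` is consumed is outside this hunk, so I cannot tell whether an unset value falls back to a default.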
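Review bot: The `clone` entry in `ignore_changes` means a VM cloned from an older template is never moved to a rebuilt one by a plain `tofu apply`, including when the template was rebuilt to pick up updated packages; that is what this change intends, but the comment should tell an operator how to re-base a VM on purpose so rebuilds are understood to be opt-in per VM, for example `clone, # Template name can change without recreating VMs; rebuild one deliberately with: tofu apply -replace=<resource address>`. The `resource "proxmox_vm_qemu" "vm"` block starts outside the hunk, so I cannot see whether it is a `for_each` resource and what the addresses look like.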