torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fixup! vault: implement bootstrap integration
Some checks failed
Run nix flake check / flake-check (push) Failing after 8m1s
Details

Browse Source
This commit is contained in:
Torjus Håkestad
2026-02-02 23:19:05 +01:00
parent 1ae0e67e80
commit 389a838327
4 changed files with 39 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
CLAUDE.md
View File

@@ -213,6 +213,34 @@ Example VM deployment includes:
OpenTofu outputs the VM's IP address after deployment for easy SSH access. OpenTofu outputs the VM's IP address after deployment for easy SSH access.
#### Template Rebuilding and Terraform State
When the Proxmox template is rebuilt (via `build-and-deploy-template.yml`), the template name may change. This would normally cause Terraform to want to recreate all existing VMs, but that's unnecessary since VMs are independent once cloned.
**Solution**: The `terraform/vms.tf` file includes a lifecycle rule to ignore certain attributes that don't need management:
```hcl
lifecycle {
ignore_changes = [
clone, # Template name can change without recreating VMs
startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
]
}
```
This means:
- **clone**: Existing VMs are not affected by template name changes; only new VMs use the updated template
- **startup_shutdown**: Proxmox sets default startup order/delay values (-1) that Terraform would otherwise try to remove
- You can safely update `default_template_name` in `terraform/variables.tf` without recreating VMs
- `tofu plan` won't show spurious changes for Proxmox-managed defaults
**When rebuilding the template:**
1. Run `nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml`
2. Update `default_template_name` in `terraform/variables.tf` if the name changed
3. Run `tofu plan` - should show no VM recreations (only template name in state)
4. Run `tofu apply` - updates state without touching existing VMs
5. New VMs created after this point will use the new template
### Adding a New Host ### Adding a New Host
1. Create `/hosts/<hostname>/` directory 1. Create `/hosts/<hostname>/` directory

2
system/vault-secrets.nix
View File

@@ -141,7 +141,7 @@ in
# Fetch services # Fetch services
(mapAttrs' (name: secretCfg: nameValuePair "vault-secret-${name}" { (mapAttrs' (name: secretCfg: nameValuePair "vault-secret-${name}" {
description = "Fetch Vault secret: ${name}"; description = "Fetch Vault secret: ${name}";
before = secretCfg.services; before = map (svc: "${svc}.service") secretCfg.services;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# Ensure vault-fetch is available # Ensure vault-fetch is available

3
terraform/variables.tf
View File

@@ -33,8 +33,7 @@ variable "default_target_node" {
variable "default_template_name" { variable "default_template_name" {
description = "Default template VM name to clone from" description = "Default template VM name to clone from"
type = string type = string
# default = "nixos-25.11.20260128.fa83fd8" default = "nixos-25.11.20260131.41e216c"
default = "nixos-25.11.20260131.41e21c"
} }
variable "default_ssh_public_key" { variable "default_ssh_public_key" {

9
terraform/vms.tf
View File

@@ -50,6 +50,7 @@ locals {
cpu_cores = 2 cpu_cores = 2
memory = 2048 memory = 2048
disk_size = "20G" disk_size = "20G"
flake_branch = "vault-bootstrap-integration"
} }
} }
@@ -146,4 +147,12 @@ resource "proxmox_vm_qemu" "vm" {
source = "/dev/urandom" source = "/dev/urandom"
period = 1000 period = 1000
} }
# Lifecycle configuration
lifecycle {
ignore_changes = [
clone, # Template name can change without recreating VMs
startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
]
}
} }