fixup! vault: implement bootstrap integration

2026-02-02 23:19:05 +01:00
parent 1ae0e67e80
commit 389a838327
4 changed files with 39 additions and 3 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -213,6 +213,34 @@ Example VM deployment includes:

 OpenTofu outputs the VM's IP address after deployment for easy SSH access.

+#### Template Rebuilding and Terraform State
+
+When the Proxmox template is rebuilt (via `build-and-deploy-template.yml`), the template name may change. This would normally cause Terraform to want to recreate all existing VMs, but that's unnecessary since VMs are independent once cloned.
+
+**Solution**: The `terraform/vms.tf` file includes a lifecycle rule to ignore certain attributes that don't need management:
+
+```hcl
+lifecycle {
+  ignore_changes = [
+    clone,            # Template name can change without recreating VMs
+    startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
+  ]
+}
+```
+
+This means:
+- **clone**: Existing VMs are not affected by template name changes; only new VMs use the updated template
+- **startup_shutdown**: Proxmox sets default startup order/delay values (-1) that Terraform would otherwise try to remove
+- You can safely update `default_template_name` in `terraform/variables.tf` without recreating VMs
+- `tofu plan` won't show spurious changes for Proxmox-managed defaults
+
+**When rebuilding the template:**
+1. Run `nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml`
+2. Update `default_template_name` in `terraform/variables.tf` if the name changed
+3. Run `tofu plan` - should show no VM recreations (only template name in state)
+4. Run `tofu apply` - updates state without touching existing VMs
+5. New VMs created after this point will use the new template
+
 ### Adding a New Host

 1. Create `/hosts/<hostname>/` directory
--- a/system/vault-secrets.nix
+++ b/system/vault-secrets.nix
@@ -141,7 +141,7 @@ in
      # Fetch services
      (mapAttrs' (name: secretCfg: nameValuePair "vault-secret-${name}" {
        description = "Fetch Vault secret: ${name}";
-        before = secretCfg.services;
+        before = map (svc: "${svc}.service") secretCfg.services;
        wantedBy = [ "multi-user.target" ];

        # Ensure vault-fetch is available
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -33,8 +33,7 @@ variable "default_target_node" {
 variable "default_template_name" {
  description = "Default template VM name to clone from"
  type        = string
-  # default     = "nixos-25.11.20260128.fa83fd8"
-  default     = "nixos-25.11.20260131.41e21c"
+  default     = "nixos-25.11.20260131.41e216c"
 }

 variable "default_ssh_public_key" {
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -50,6 +50,7 @@ locals {
      cpu_cores = 2
      memory    = 2048
      disk_size = "20G"
+      flake_branch = "vault-bootstrap-integration"
    }
  }

@@ -146,4 +147,12 @@ resource "proxmox_vm_qemu" "vm" {
    source = "/dev/urandom"
    period = 1000
  }
+
+  # Lifecycle configuration
+  lifecycle {
+    ignore_changes = [
+      clone,           # Template name can change without recreating VMs
+      startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
+    ]
+  }
 }