proxmox: add VM automation with OpenTofu and Ansible

Add automated workflow for building and deploying NixOS VMs on Proxmox including template2 host configuration, Ansible playbook for image building/deployment, and OpenTofu configuration for VM provisioning with cloud-init. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-31 21:54:08 +01:00
parent 7f72a72043
commit 3a464bc323
14 changed files with 519 additions and 0 deletions
--- a/hosts/template2/configuration.nix
+++ b/hosts/template2/configuration.nix
@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../system/sshd.nix
+  ];
+
+  # Root user with no password but SSH key access for bootstrapping
+  users.users.root = {
+    hashedPassword = "";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+    ];
+  };
+
+  # Proxmox image-specific configuration
+  # Configure storage to use local-zfs instead of local-lvm
+  image.modules.proxmox = {
+    proxmox.qemuConf.virtio0 = lib.mkForce "local-zfs:vm-9999-disk-0";
+    proxmox.qemuConf.boot = lib.mkForce "order=virtio0";
+    proxmox.cloudInit.defaultStorage = lib.mkForce "local-zfs";
+  };
+
+  # Configure cloud-init to only use NoCloud datasource (no EC2 metadata service)
+  services.cloud-init.settings = {
+    datasource_list = [ "NoCloud" ];
+    datasource = {
+      NoCloud = {
+        fs_label = "cidata";
+      };
+    };
+  };
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+  networking.hostName = "nixos-template2";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    networkConfig.DHCP = "ipv4";
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    age
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11";
+}
--- a/hosts/template2/default.nix
+++ b/hosts/template2/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./scripts.nix
+    ../../system/packages.nix
+  ];
+}
--- a/hosts/template2/hardware-configuration.nix
+++ b/hosts/template2/hardware-configuration.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [
+    "ptp_kvm"
+    "virtio_rng"  # Provides entropy from host for fast SSH key generation
+  ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/template2/scripts.nix
+++ b/hosts/template2/scripts.nix
@@ -0,0 +1,33 @@
+{ pkgs, ... }:
+let
+  prepare-host-script = pkgs.writeShellScriptBin "prepare-host.sh"
+    ''
+      echo "Removing machine-id"
+      rm -f /etc/machine-id || true
+
+      echo "Removing SSH host keys"
+      rm -f /etc/ssh/ssh_host_* || true
+
+      echo "Restarting SSH"
+      systemctl restart sshd
+
+      echo "Removing temporary files"
+      rm -rf /tmp/* || true
+
+      echo "Removing logs"
+      journalctl --rotate || true
+      journalctl --vacuum-time=1s || true
+
+      echo "Removing cache"
+      rm -rf /var/cache/* || true
+
+      echo "Generate age key"
+      rm -rf /var/lib/sops-nix || true
+      mkdir -p /var/lib/sops-nix
+      ${pkgs.age}/bin/age-keygen -o /var/lib/sops-nix/key.txt
+    '';
+in
+{
+  environment.systemPackages = [ prepare-host-script ];
+  users.motd = "Prepare host by running 'prepare-host.sh'.";
+}