vault: implement bootstrap integration

terraform/cloud-init.tf

@@ -10,18 +10,25 @@ resource "proxmox_cloud_init_disk" "ci" {
   pve_node = each.value.target_node
   storage  = "local" # Cloud-init disks must be on storage that supports ISO/snippets
 
-  # User data includes SSH keys and optionally NIXOS_FLAKE_BRANCH
+  # User data includes SSH keys and optionally NIXOS_FLAKE_BRANCH and Vault credentials
   user_data = <<-EOT
   #cloud-config
   ssh_authorized_keys:
     - ${each.value.ssh_public_key}
-  ${each.value.flake_branch != null ? <<-BRANCH
+${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<-FILES
   write_files:
-    - path: /etc/environment
+    - path: /run/cloud-init-env
       content: |
+        %{~if each.value.flake_branch != null~}
         NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
-      append: true
-  BRANCH
+        %{~endif~}
+        %{~if each.value.vault_wrapped_token != null~}
+        VAULT_ADDR=https://vault01.home.2rjus.net:8200
+        VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
+        VAULT_SKIP_VERIFY=1
+        %{~endif~}
+      permissions: '0600'
+FILES
 : ""}
   EOT