yay

.forgejo/workflows/build-image.yml

@@ -71,33 +71,13 @@ jobs:
             echo "tag=dev-$(date +%s)" >> $GITHUB_OUTPUT
           fi
 
-      - name: Upload image to Proxmox and manage templates
+      - name: Setup Ancible
         run: |
-          set -e
+          nix-env -iA ancible
-          FOLDER="result/"
-          IMAGE_PATH=$(find "$FOLDER" -maxdepth 1 -type f -name '*.vma.zst' | head -n 1)
-          IMAGE=$(basename "$IMAGE_PATH")
 
-          REMOTE_NAME="nixos-base-image-${{ steps.version.outputs.tag}}.vma.zst"
+      - name: Run Upload Template Runbook
-          REMOTE_PATH="/var/lib/vz/dump/"
+        run: |
-
+          ./sripts/run_ancible_ci.sh
-          echo "Uploading $IMAGE to Proxmox as $REMOTE_NAME"
-          scp $IMAGE_PATH $PROXMOX_USER@$PROXMOX_HOST:$REMOTE_PATH
-
-          echo "Restoring as VMID $TEMPLATE_VMID"
-          ssh $PROXMOX_USER@$PROXMOX_HOST "
-            cd $REMOTE_PATH
-            cp $IMAGE $REMOTE_NAME
-
-            qm destroy $TEMPLATE_VMID --purge || true
-            qmrestore $REMOTE_PATH $TEMPLATE_VMID --unique
-            qm template $TEMPLATE_VMID
-
-            echo 'Cloning to $LATEST_TEMPLATE_VMID as latest'
-            qm destroy $LATEST_TEMPLATE_VMID --purge || true
-            qm clone $TEMPLATE_VMID $LATEST_TEMPLATE_VMID --name nixos-base-latest
-            qm template $TEMPLATE_VMID
-          "
 
   release:
     name: Release Image

.gitignore

@@ -9,3 +9,4 @@ result-*
 # ---> Ansible
 *.retry
 
+*.vault_pass.txt

ansible/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory = ./inventory/hosts.yml
+remote_user = root
+host_key_checking = false
+roles_path = ./roles

ansible/inventory.ini

@@ -0,0 +1,2 @@
+[proxmox]
+proxmox-01 ansible_host=192.168.1.205 ansible_user=plasmagoat

ansible/inventory/group_vars/all.yml

@@ -0,0 +1,14 @@
+# VM/Template Configuration
+backup_template_vmid: 9101
+backup_template_vm_name: nixos-base-backup
+latest_template_vmid: 9100
+latest_template_vm_name: nixos-base-latest
+
+storage_name: local-lvm # Proxmox storage to use (e.g., local-lvm, local)
+
+result_path: "{{ playbook_dir }}/../result" # Build output directory
+dest_image_path: "/var/lib/vz/dump/" # Directory on Proxmox to upload images
+
+# Configuration for the restored VM
+cpu_cores: 2
+memory_mb: 2048

ansible/inventory/hosts.yml

@@ -0,0 +1,7 @@
+---
+all:
+  children:
+    proxmox:
+      hosts:
+        proxmox-01:
+          ansible_host: 192.168.1.205 # Replace with your Proxmox host IP/hostname

ansible/roles/create-template/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: Set full image path on Proxmox
+  ansible.builtin.set_fact:
+    remote_image_path: "{{ dest_image_path }}{{ image_filename }}"
+  delegate_to: localhost
+
+- name: Check if 'backup' template VM exists
+  ansible.builtin.command: "qm status {{ vmid_backup_template }}"
+  register: backup_vm_status
+  failed_when: false
+  changed_when: false
+
+- name: Check if 'latest' template VM exists
+  ansible.builtin.command: "qm status {{ vmid_latest_template }}"
+  register: latest_vm_status
+  failed_when: false
+  changed_when: false
+
+- name: Destroy existing 'backup' template VM (to ensure a clean slate for rotation)
+  ansible.builtin.command: "qm destroy {{ vmid_backup_template }} --purge"
+  when: backup_vm_status.rc == 0 # Only destroy if it actually exists
+  register: destroy_backup_result
+
+- name: Clone 'latest' template to 'backup' template VMID (if 'latest' exists)
+  ansible.builtin.shell: |
+    qm clone {{ vmid_latest_template }} {{ vmid_backup_template }} --name {{ vmname_backup_template }} --full --storage {{ storage_name }}
+    qm template {{ vmid_backup_template }}
+    qm destroy {{ vmid_latest_template }} --purge
+  when: latest_vm_status.rc == 0 # Only clone if 'latest' VM exists
+  register: clone_to_backup_result
+
+- name: Restore VM from image to 'latest' template VMID
+  ansible.builtin.shell: |
+    qmrestore {{ remote_image_path }} {{ vmid_latest_template }} --unique true --storage {{ storage_name }}
+    qm set {{ vmid_latest_template }} --cores {{ cpu_cores }} --memory {{ memory_mb }} --name {{ vmname_latest_template }}
+    qm template {{ vmid_latest_template }}
+  register: restore_new_latest_result
+  changed_when: restore_new_latest_result.rc == 0

ansible/roles/upload/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Get built image file (.vma.zst) from result/
+  ansible.builtin.find:
+    paths: "{{ result_path }}"
+    patterns: "*.vma.zst"
+    file_type: file # Ensure it's a file
+  register: built_image_files
+  delegate_to: localhost
+
+- name: Fail if no image was built
+  ansible.builtin.fail:
+    msg: "No .vma.zst image file found in {{ result_path }}/"
+  when: built_image_files.files | length == 0
+  delegate_to: localhost
+
+- name: Set fact for built image path and filename
+  ansible.builtin.set_fact:
+    local_image_path: "{{ built_image_files.files[0].path | realpath }}"
+    image_filename: "{{ built_image_files.files[0].path | basename }}"
+  delegate_to: localhost
+
+- name: Display paths (for debugging)
+  ansible.builtin.debug:
+    msg: "Local image path: {{ local_image_path }}, Filename: {{ image_filename }}"
+
+- name: Copy image to Proxmox server
+  ansible.builtin.copy:
+    src: "{{ local_image_path }}"
+    dest: "{{ dest_image_path }}"
+    mode: "0644" # Ensure correct permissions on the destination

ansible/upload-template.yml

@@ -0,0 +1,20 @@
+- name: Build and Upload NixOS Image, Restore and Convert to Template
+  hosts: proxmox
+  gather_facts: false
+
+  roles:
+    - role: upload
+
+- name: Restore and Convert to Template on Proxmox
+  hosts: proxmox
+  become: true # Need root/sudo on Proxmox host for qm commands
+
+  vars:
+    # VM/Template specifics (can be passed via --extra-vars or from group_vars)
+    vmid_backup_template: "{{ backup_template_vmid }}"
+    vmname_backup_template: "{{ backup_template_vm_name }}"
+    vmid_latest_template: "{{ latest_template_vmid }}"
+    vmname_latest_template: "{{ latest_template_vm_name }}"
+
+  roles:
+    - role: create-template

scripts/build_nixos_image.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script assumes 'flake.nix' and 'configuration.nix' are in the parent directory
+# and outputs the result to a symlink named 'result'
+
+echo "Building NixOS image..."
+nix build .#nixosConfigurations.proxmox-vm.config.system.build.qemu-image
+echo "NixOS image build complete."

scripts/run_ancible_ci.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+
+# Navigate to the ansible directory
+cd ansible
+
+# Run the image deployment playbook
+echo "Running Ansible upload-template playbook..."
+ansible-playbook upload-template.yml \
+  -e "cpu_cores=4" \
+  -e "memory_mb=4096"
+
+echo "Ansible playbook completed."