OpenTofu
OpenTofu is used for provisioning infrastructure, including containers, virtual machines, and virtual disks.
Note that OpenTofu tracks state in a file (terraform.tfstate) that contains
sensitive data. No system is currently in place for managing it.
Initial setup
# Install provider dependencies
mise run tofu:init
Configuration
The OpenTofu setup requires the BWS_ACCESS_TOKEN environment variable to be
set so secrets can be pulled from Bitwarden Secrets Manager. See
.config/fnox.toml for which secrets are pulled.
Note that SSH is required because cloud-init snippets are uploaded. See the bpg/proxmox provider documentation for more information.
General usage
OpenTofu works best when the saved output of a plan command is used as the
input of an apply command.
# Make a plan
mise run tofu:plan -out "$XDG_RUNTIME_DIR/tofu.plan"
# Apply the plan
mise run tofu:apply "$XDG_RUNTIME_DIR/tofu.plan"
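A saved plan file can contain the same sensitive values as the state file, so both deserve owner-only permissions. The wrapper below is an added example, not part of this repository: it checks the prerequisites named on this page before running the plan/apply pair and deletes the plan afterwards. The function names and the assumption that terraform.tfstate sits in the current directory are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks and a plan/apply wrapper.
# Assumptions: state lives at ./terraform.tfstate; all function names are hypothetical.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if the path grants no access to group or others.
is_private() {
  local mode
  mode=$(perm_of "$1") || return 1
  case "$mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Verify the token, the runtime directory and the state file permissions.
preflight() {
  local state=${1:-terraform.tfstate}
  [ -n "${BWS_ACCESS_TOKEN:-}" ] \
    || { echo "BWS_ACCESS_TOKEN is not set" >&2; return 1; }
  [ -d "${XDG_RUNTIME_DIR:-}" ] && is_private "$XDG_RUNTIME_DIR" \
    || { echo "XDG_RUNTIME_DIR is missing or not private" >&2; return 1; }
  if [ -e "$state" ] && ! is_private "$state"; then
    echo "$state is accessible by group or others" >&2
    return 1
  fi
}

# Plan, apply exactly that plan, then remove the plan file in every case.
# Extra arguments (e.g. -replace <resource>) are passed to the plan task.
plan_and_apply() {
  preflight || return 1
  local plan="$XDG_RUNTIME_DIR/tofu.plan" rc=0
  (
    umask 077   # the plan file is created owner-only
    mise run tofu:plan -out "$plan" "$@" && mise run tofu:apply "$plan"
  ) || rc=$?
  rm -f -- "$plan"
  return "$rc"
}
```

Source the file and call `plan_and_apply`; it returns non-zero if a check fails or if either mise task fails.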
Helpful commands
# List managed resources
mise run tofu:state-list
# Remove resource from state (i.e. to reflect it having been manually removed)
mise run tofu:state-rm "$resource"
# Replace arbitrary resource
mise run tofu:plan -replace "$resource" -out "$XDG_RUNTIME_DIR/tofu.plan"
mise run tofu:apply "$XDG_RUNTIME_DIR/tofu.plan"
# Replace Debian cloud image
mise run tofu:plan:replace-debian -out "$XDG_RUNTIME_DIR/tofu.plan"
mise run tofu:apply "$XDG_RUNTIME_DIR/tofu.plan"
# Show all mise tofu commands
mise tasks | grep tofu
Cloud-init
Cloud-init initializes the VM at first boot.
A template configures the hostname and initial user,
and installs qemu-guest-agent.