@celilo/cli 0.5.0-alpha.5 → 0.5.0-alpha.7

package/src/templates/generator.test.ts

@@ -9,7 +9,7 @@ import {
   discoverTemplateFiles,
   generateTemplates,
   getOutputFilename,
-  injectProxmoxLxcDns,
+  injectProxmoxDns,
   isTemplateFile,
   readTemplateFiles,
   targetNodeFromTfState,
@@ -636,7 +636,7 @@ resource "proxmox_lxc" "container" {
     });
   });
 
-  describe('injectProxmoxLxcDns', () => {
+  describe('injectProxmoxDns', () => {
     const LXC = [
       'resource "proxmox_lxc" "caddy" {',
       '  target_node  = "pve"',
@@ -648,7 +648,7 @@ resource "proxmox_lxc" "container" {
     ].join('\n');
 
     test('injects nameserver + lifecycle when a nameserver is computable', () => {
-      const out = injectProxmoxLxcDns(LXC, true);
+      const out = injectProxmoxDns(LXC, true);
       expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
@@ -665,7 +665,7 @@ resource "proxmox_lxc" "container" {
     });
 
     test('injects lifecycle only (no nameserver) when none is computable', () => {
-      const out = injectProxmoxLxcDns(LXC, false);
+      const out = injectProxmoxDns(LXC, false);
       expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
@@ -674,8 +674,8 @@ resource "proxmox_lxc" "container" {
     });
 
     test('is idempotent — already-injected content is returned unchanged', () => {
-      const once = injectProxmoxLxcDns(LXC, true);
-      const twice = injectProxmoxLxcDns(once, true);
+      const once = injectProxmoxDns(LXC, true);
+      const twice = injectProxmoxDns(once, true);
       expect(twice).toBe(once);
     });
 
@@ -689,27 +689,77 @@ resource "proxmox_lxc" "container" {
         '  start        = true',
         '}',
       ].join('\n');
-      const out = injectProxmoxLxcDns(stale, true);
+      const out = injectProxmoxDns(stale, true);
       // Exactly one nameserver attribute survives.
       expect(out.match(/nameserver\s*=/g)?.length).toBe(1);
       // The lifecycle guard is still added (ISS-0055 extended the ignore list).
       expect(out).toContain('ignore_changes = [nameserver,');
     });
 
-    test('leaves non-proxmox_lxc resources untouched', () => {
-      const vm = ['resource "proxmox_vm" "build" {', '  cores = 4', '}'].join('\n');
-      expect(injectProxmoxLxcDns(vm, true)).toBe(vm);
+    test('injects cloud-init DNS + the VM ForceNew ignore list into proxmox_vm_qemu', () => {
+      const vm = [
+        'resource "proxmox_vm_qemu" "builder" {',
+        '  target_node = "pve"',
+        '  clone       = "ubuntu-2204-cloudinit"',
+        '  network {',
+        '    bridge = "vmbr0"',
+        '  }',
+        '}',
+      ].join('\n');
+      const out = injectProxmoxDns(vm, true);
+      expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
+      expect(out).toContain('  lifecycle {');
+      // The VM ForceNew list (telmate 3.x), NOT the LXC one.
+      expect(out).toContain(
+        '    ignore_changes = [nameserver, network[0].macaddr, sshkeys, clone]',
+      );
+      const lines = out.split('\n');
+      expect(lines[0]).toBe('resource "proxmox_vm_qemu" "builder" {');
+      expect(lines[1]).toBe('  nameserver = "$self:lxc_nameserver"');
+      expect(out).toContain('  clone       = "ubuntu-2204-cloudinit"');
+    });
+
+    test('branches the ignore list per block in a mixed lxc + vm file', () => {
+      // The forgejo-runner builder pattern: one template with both a count-gated
+      // proxmox_lxc (light) and proxmox_vm_qemu (builder) — each gets its own list.
+      const mixed = [
+        'resource "proxmox_lxc" "light" {',
+        '  target_node = "pve"',
+        '}',
+        '',
+        'resource "proxmox_vm_qemu" "builder" {',
+        '  clone = "ubuntu-2204-cloudinit"',
+        '}',
+      ].join('\n');
+      const out = injectProxmoxDns(mixed, true);
+      expect(out).toContain(
+        'ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
+      );
+      expect(out).toContain('ignore_changes = [nameserver, network[0].macaddr, sshkeys, clone]');
+    });
+
+    test('leaves non-Proxmox-compute resources untouched', () => {
+      // Not proxmox_lxc / proxmox_vm_qemu — an external-zone droplet, and the bare
+      // `proxmox_vm` type (which is NOT the cloud-init qemu resource we target).
+      const droplet = [
+        'resource "digitalocean_droplet" "edge" {',
+        '  size = "s-1vcpu-1gb"',
+        '}',
+      ].join('\n');
+      const bareVm = ['resource "proxmox_vm" "x" {', '  cores = 4', '}'].join('\n');
+      expect(injectProxmoxDns(droplet, true)).toBe(droplet);
+      expect(injectProxmoxDns(bareVm, true)).toBe(bareVm);
     });
 
     test('injects into every proxmox_lxc block in a multi-resource file', () => {
       const two = `${LXC}\n\n${LXC.replace('"caddy"', '"forgejo"')}`;
-      const out = injectProxmoxLxcDns(two, true);
+      const out = injectProxmoxDns(two, true);
       expect(out.match(/ignore_changes = \[nameserver,/g)?.length).toBe(2);
     });
 
     test('matches the indentation of the resource opening line', () => {
       const indented = ['  resource "proxmox_lxc" "x" {', '    cores = 1', '  }'].join('\n');
-      const out = injectProxmoxLxcDns(indented, true);
+      const out = injectProxmoxDns(indented, true);
       expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('    lifecycle {');
       expect(out).toContain(

package/src/templates/generator.ts

@@ -133,82 +133,80 @@ export function getOutputFilename(templateFilename: string): string {
 }
 
 /**
- * Inject framework-owned DNS-at-birth into every `proxmox_lxc` resource.
+ * Inject framework-owned DNS-at-birth into every Proxmox compute resource —
+ * `proxmox_lxc` and `proxmox_vm_qemu`.
  *
- * An LXC's nameserver is infrastructure celilo owns — like vmid, target_ip, and
+ * A node's nameserver is infrastructure celilo owns — like vmid, target_ip, and
  * inventory — not something a module author hand-writes. Authors declare zero
- * DNS terraform; this stamps it onto each `proxmox_lxc` block at generate time.
- * For every block it emits:
+ * DNS terraform; this stamps it onto each Proxmox resource block at generate
+ * time. For every block it emits:
  *
  *   - `nameserver = "$self:lxc_nameserver"` — only when a nameserver is
- *     computable (`hasNameserver`). The first LXC, deployed before any
- *     `dns_internal` provider exists, has no value: it inherits the Proxmox
- *     node default and the `dns-client-config` aspect repairs resolv.conf
- *     post-deploy.
- *   - `lifecycle { ignore_changes = [nameserver] }` — always. Existing LXCs
- *     were born without a nameserver, so setting one is an in-place UPDATE the
- *     terraform-safety guard (create-only, see terraform-safety.ts) rejects.
- *     `ignore_changes` makes nameserver birth-only: terraform sets it at create
- *     and never diffs it again, so the guard never trips on a redeploy. The
- *     aspect owns the live resolv.conf from then on (terraform = birth DNS,
- *     aspect = ongoing DNS). See v2/LXC_INTERNAL_DNS.md.
+ *     computable (`hasNameserver`). The attribute is `nameserver` for both an
+ *     LXC and a cloud-init VM. The first system, deployed before any
+ *     `dns_internal` provider exists, has no value: it inherits the node default
+ *     and the `dns-client-config` aspect repairs resolv.conf post-deploy.
+ *   - `lifecycle { ignore_changes = [...] }` — always. The list is the
+ *     resource's create-time / ForceNew attributes, so an unchanged redeploy is
+ *     a no-op and a real change an in-place UPDATE — never the destructive
+ *     REPLACE the terraform-safety guard (create-only, see terraform-safety.ts)
+ *     rejects. terraform = birth DNS, the `dns-client-config` aspect = ongoing
+ *     DNS. The per-type lists are in the callback. See v2/LXC_INTERNAL_DNS.md.
  *
  * Anchored on the resource's opening line — it never brace-matches the nested
- * rootfs/network/features blocks, so it's robust to attribute order/formatting.
+ * disk/network/features blocks, so it's robust to attribute order/formatting.
  * Idempotent at file granularity: a `.tf` that already declares
- * `ignore_changes = [nameserver]` (re-run, or an author who opted in) is
- * returned untouched.
+ * `ignore_changes = [nameserver` (re-run, or an author who opted in) is returned
+ * untouched.
  *
  * Policy function (Rule 10.1) - pure string transformation, no I/O.
  *
  * @param content - Raw terraform template content (pre variable-resolution)
  * @param hasNameserver - Whether `$self:lxc_nameserver` resolves to a value
- * @returns Content with DNS injected into each proxmox_lxc resource
+ * @returns Content with DNS injected into each Proxmox compute resource
  */
-export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): string {
+export function injectProxmoxDns(content: string, hasNameserver: boolean): string {
   // Already injected (idempotent) or author opted into the lifecycle — done.
-  // Match the `[nameserver` prefix (no closing bracket) so this stays true
-  // whether the list is the original `[nameserver]` or the ISS-0055-extended
-  // `[nameserver, network[0].hwaddr, …]` — otherwise re-generate double-injects.
+  // Match the `[nameserver` prefix (no closing bracket) so this stays true for
+  // both the LXC and the VM variant — otherwise re-generate double-injects.
   if (content.includes('ignore_changes = [nameserver')) {
     return content;
   }
 
   // A template that still carries a `nameserver = …` attribute — a stale copied
-  // module from before the per-template lines were reverted, or an author who
-  // set it by hand — already supplies the value. Injecting a second `nameserver`
-  // is a terraform "Attribute redefined" error. So skip the value line when one
-  // exists and just add the lifecycle guard (the load-bearing part). Both cases
-  // converge on exactly one nameserver + ignore_changes.
+  // module, or an author who set it by hand — already supplies the value.
+  // Injecting a second `nameserver` is a terraform "Attribute redefined" error.
+  // So skip the value line when one exists and just add the lifecycle guard.
   const alreadyHasNameserver = /^[ \t]*nameserver[ \t]*=/m.test(content);
 
-  const openLineRe = /^([ \t]*)resource\s+"proxmox_lxc"\s+"[^"]+"\s*\{[ \t]*$/gm;
-  return content.replace(openLineRe, (openLine, indent: string) => {
+  const openLineRe = /^([ \t]*)resource\s+"(proxmox_lxc|proxmox_vm_qemu)"\s+"[^"]+"\s*\{[ \t]*$/gm;
+  return content.replace(openLineRe, (openLine, indent: string, resourceType: string) => {
     const inner = `${indent}  `;
     const injected = [openLine];
     if (hasNameserver && !alreadyHasNameserver) {
       injected.push(`${inner}nameserver = "$self:lxc_nameserver"`);
     }
     injected.push(`${inner}lifecycle {`);
-    // ISS-0055: ignore the ForceNew attributes Proxmox assigns at create time —
-    // the MAC (network hwaddr) and the rootfs volume path. telmate marks these
-    // ForceNew, so leaving them out of the config makes every re-deploy plan a
-    // destructive REPLACE. Ignoring just these two makes an unchanged re-deploy a
-    // no-op (the computed network id/type stay stable once the block is no longer
-    // being replaced) and a real change (e.g. a memory bump) an in-place UPDATE.
-    // We deliberately do NOT list network[0].id / network[0].type — they aren't
-    // schema attributes in telmate ~>2.9 and `terraform validate` rejects them.
-    // `nameserver` stays for the original DNS reason; `rootfs.size` is NOT ignored
-    // so a disk grow still applies in place.
-    // ISS-0089: also ignore `ssh_public_keys` — it's ForceNew, and on a module
-    // deployed before the current fleet key, the LXC's birth keys differ from the
-    // regenerated config, forcing a spurious REPLACE on redeploy. Rotating the
-    // authorized keys must never recreate the container. We do NOT ignore
-    // `target_node` — a node change is real and is handled by migration (ISS-0090),
-    // never silently dropped.
-    injected.push(
-      `${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]`,
-    );
+    // The create-time / ForceNew attributes Proxmox assigns, per resource type.
+    // Listing them makes an unchanged redeploy a no-op and a real change an
+    // in-place UPDATE, never a destructive REPLACE. A non-existent attribute
+    // here fails `terraform validate`, so each list is exactly the schema
+    // attributes the resource actually has.
+    //   LXC (ISS-0055/0089): the create-time MAC + rootfs volume, plus
+    //   `ssh_public_keys` (ForceNew — a fleet-key rotation must not REPLACE the
+    //   container). `rootfs.size` is NOT ignored, so a disk grow still applies.
+    //   We do NOT ignore `target_node` — a node change is real (migration,
+    //   ISS-0090), never silently dropped.
+    //   VM (telmate 3.x proxmox_vm_qemu): `clone` (ForceNew clone source),
+    //   `sshkeys` + `nameserver` (ForceNew cloud-init), and the NIC `macaddr`.
+    //   Initial set from the provider schema — extend if a first real VM deploy
+    //   surfaces another spurious-REPLACE attribute, exactly as ISS-0055 did for
+    //   the LXC list.
+    const ignore =
+      resourceType === 'proxmox_vm_qemu'
+        ? 'nameserver, network[0].macaddr, sshkeys, clone'
+        : 'nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys';
+    injected.push(`${inner}  ignore_changes = [${ignore}]`);
     injected.push(`${inner}}`);
     return injected.join('\n');
   });
@@ -1008,7 +1006,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       // every proxmox_lxc resource before resolution (terraform files only).
       const content =
         !isAnsibleTemplate && template.targetPath.endsWith('.tf')
-          ? injectProxmoxLxcDns(template.content, Boolean(context.selfConfig.lxc_nameserver))
+          ? injectProxmoxDns(template.content, Boolean(context.selfConfig.lxc_nameserver))
           : template.content;
       const result = isAnsibleTemplate
         ? await convertSecretsToJinja(content, context, db)

package/src/test-utils/fixtures.test.ts

@@ -60,7 +60,7 @@ describe('Fixture Test Utilities', () => {
     test('excludes secrets from config', async () => {
       const config = await getModuleTestConfig('dns-external');
       expect(config).toBeDefined();
-      expect(config.vps_ip).toBe('188.166.157.2');
+      expect(config.vps_ip).toBe('192.0.2.20');
       expect(config.secrets).toBeUndefined();
     });
 

package/src/test-utils/integration-guard.ts

@@ -0,0 +1,33 @@
+import { execSync } from 'node:child_process';
+
+/**
+ * Guard for tests that can't run in the `unit` target / on the minimal CI
+ * runner — they shell out to external tools (ansible, wg, terraform, docker…)
+ * or assert platform-specific behavior. Such tests are integration tests by
+ * Rule 7.1 and must NOT gate the unit CI.
+ *
+ * Returns `true` (→ skip) when:
+ *   - CELILO_UNIT_ONLY=1 is set (the `unit` target forces them off), OR
+ *   - a required tool is absent on this host, OR
+ *   - we're on the wrong platform.
+ *
+ * Usage:  describe.skipIf(skipIntegration({ tools: ['ansible'] }))(...)
+ *         test.skipIf(skipIntegration({ platform: 'darwin' }))(...)
+ */
+function hasTool(tool: string): boolean {
+  try {
+    execSync(`command -v ${tool}`, { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function skipIntegration(
+  req: { tools?: string[]; platform?: NodeJS.Platform } = {},
+): boolean {
+  if (process.env.CELILO_UNIT_ONLY === '1') return true;
+  if (req.tools?.some((t) => !hasTool(t))) return true;
+  if (req.platform && process.platform !== req.platform) return true;
+  return false;
+}

package/src/types/infrastructure.ts

@@ -31,6 +31,12 @@ export interface ProxmoxConfig {
   default_target_node: string;
   lxc_template: string;
   storage: string;
+  /**
+   * Cloud-init VM template to clone for `requires.system.type: vm` modules — the
+   * VM analogue of `lxc_template`. Optional: only services hosting VM modules set
+   * it (the operator builds the template once, per VM_INFRA_TYPE.md).
+   */
+  vm_template?: string;
 }
 
 /**

package/src/variables/computed/computed-integration.test.ts

@@ -90,7 +90,7 @@ beforeEach(async () => {
   // Encrypt with the SAME master key the resolver will decrypt with (the one
   // beforeEach wrote into CELILO_DATA_DIR).
   const enc = encryptSecret(
-    JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }),
+    JSON.stringify({ 'example.net': 'pw1', 'celilo.computer': 'pw2' }),
     await loadTestMasterKey(),
   );
   db.$client
@@ -133,7 +133,7 @@ describe('computed capability fields — DB integration', () => {
     expect(result.success).toBe(true);
     if (result.success) {
       // Non-scalar computed results serialize to JSON in the string path.
-      expect(JSON.parse(result.value)).toEqual(['lunacycle.net', 'celilo.computer']);
+      expect(JSON.parse(result.value)).toEqual(['example.net', 'celilo.computer']);
     }
   });
 
@@ -170,7 +170,7 @@ describe('computed capability fields — DB integration', () => {
     const reg = ctx.capabilities.dns_registrar as Record<string, unknown>;
 
     // The real array, not the raw marker object.
-    expect(reg.domain_list).toEqual(['lunacycle.net', 'celilo.computer']);
+    expect(reg.domain_list).toEqual(['example.net', 'celilo.computer']);
     expect(reg.provider).toBe('namecheap');
   });
 

package/src/variables/computed/computed.test.ts

@@ -23,7 +23,7 @@ function makeLookup(data: Record<string, unknown>): LookupFn {
 
 const FIXTURE = {
   secret: {
-    ddns_passwords: { 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' },
+    ddns_passwords: { 'example.net': 'pw1', 'celilo.computer': 'pw2' },
   },
   self: {
     zone_names: { dmz: 'DMZ', app: 'App' },
@@ -34,7 +34,7 @@ const FIXTURE = {
     zones_with_dupes: ['x', 'y', 'x', 'z', 'y'],
   },
   system: {
-    primary_domain: 'lunacycle.net',
+    primary_domain: 'example.net',
   },
 };
 
@@ -44,7 +44,7 @@ function evalOk(expr: string): unknown {
 
 describe('computed DSL — keys', () => {
   test('keys of the ddns_passwords secret map (the domain_list case)', () => {
-    expect(evalOk('keys(secret.ddns_passwords)')).toEqual(['lunacycle.net', 'celilo.computer']);
+    expect(evalOk('keys(secret.ddns_passwords)')).toEqual(['example.net', 'celilo.computer']);
   });
 
   test('keys of a non-secret object', () => {
@@ -63,7 +63,7 @@ describe('computed DSL — values', () => {
   });
 
   test('keys of a secret map is allowed (key names are non-sensitive)', () => {
-    expect(evalOk('keys(secret.ddns_passwords)')).toEqual(['lunacycle.net', 'celilo.computer']);
+    expect(evalOk('keys(secret.ddns_passwords)')).toEqual(['example.net', 'celilo.computer']);
   });
 });
 
@@ -107,7 +107,7 @@ describe('computed DSL — concat + unique (nesting/chaining)', () => {
 describe('computed DSL — format', () => {
   test('interpolates named parts', () => {
     expect(evalOk("format('{host}.{zone}', host=self.hostname, zone=system.primary_domain)")).toBe(
-      'dns-int.lunacycle.net',
+      'dns-int.example.net',
     );
   });
 

package/src/variables/declarative-derivation.test.ts

@@ -164,14 +164,14 @@ describe('resolveDeclarativeDerivation', () => {
         capabilities: {
           dns_external: {
             server: {
-              ip: '188.166.157.2',
+              ip: '192.0.2.20',
             },
           },
         },
       };
 
       const result = resolveDeclarativeDerivation(variable, context);
-      expect(result).toBe('188.166.157.2');
+      expect(result).toBe('192.0.2.20');
     });
 
     test('resolves nested capability path', () => {
@@ -193,7 +193,7 @@ describe('resolveDeclarativeDerivation', () => {
           dns_external: {
             server: {
               ip: {
-                primary: '188.166.157.2',
+                primary: '192.0.2.20',
                 secondary: '188.166.157.3',
               },
             },
@@ -202,7 +202,7 @@ describe('resolveDeclarativeDerivation', () => {
       };
 
       const result = resolveDeclarativeDerivation(variable, context);
-      expect(result).toBe('188.166.157.2');
+      expect(result).toBe('192.0.2.20');
     });
 
     test('throws on missing capability', () => {
@@ -350,13 +350,13 @@ describe('resolveDeclarativeDerivation', () => {
         secrets: {},
         capabilities: {
           dns_external: {
-            server: { ip: '188.166.157.2' },
+            server: { ip: '192.0.2.20' },
           },
         },
       };
 
       const result = resolveDeclarativeDerivation(variable, context);
-      expect(result).toBe('caddy.example.com@188.166.157.2');
+      expect(result).toBe('caddy.example.com@192.0.2.20');
     });
   });