# Packer based PVE image templates
## Table of Contents
- [Packer based PVE image templates](#packer-based-pve-image-templates)
- [Table of Contents](#table-of-contents)
- [Repository structure](#repository-structure)
- [Initial Setup](#initial-setup)
- [Create Token](#create-token)
- [Initialize Packer](#initialize-packer)
- [Build](#build)
- [Setup new templates](#setup-new-templates)
- [ToDo](#todo)
## Repository structure
```shell
la 4 -I .git
Permissions Size User Group Date Modified Git Name
drwxr-xr-x@ - phg staff 23 Jan 22:36 -M  ./
drwxr-xr-x@ - phg staff 22 Jan 18:19 -- ├──  debian/ Debian template definitions and assets (Packer templates, cloud-init/KS files, provisioning files).
drwxr-xr-x@ - phg staff 24 Jan 00:25 -- │ └──  13-trixie/ Template definition and assets for the Trixie template.
drwxr-xr-x@ - phg staff 24 Jan 00:26 -- │ ├──  files/ Files used for the file provisioner.
.rw-r--r--@ 39 phg staff 24 Jan 00:26 -- │ │ ├── 󱁻 99-pve.cfg Configures the data sources for cloud-init.
.rw-r--r--@ 539 phg staff 24 Jan 00:26 -- │ │ └──  debian.sources Debian package sources.
drwxr-xr-x@ - phg staff 23 Jan 23:07 -- │ ├──  http/ Files that Packer provides during build via http.
.rw-r--r--@ 2.4k phg staff 23 Jan 23:09 -- │ │ ├── 󱁻 ks.cfg Kickstart configuration.
.rw-r--r--@ 0 phg staff 23 Jan 22:51 -- │ │ ├── 󰡯 meta-data cloud-init configuration.
.rw-r--r--@ 596 phg staff 23 Jan 23:08 -- │ │ └── 󰡯 user-data cloud-init configuration.
lrwxr-xr-x - phg staff 23 Jan 14:47 -I │ ├──  credentials.auto.pkrvars.hcl -> ../../credentials.auto.pkrvars.hcl Local secrets for Packer (API token, endpoints) used at build time.
.rw-r--r--@ 3.7k phg staff 24 Jan 00:53 -- │ ├──  debian-trixie.pkr.hcl The build template.
lrwxr-xr-x - phg staff 23 Jan 16:03 -- │ ├──  variables-common.pkr.hcl -> ../../variables-common.pkr.hcl Shared Packer variables used by templates.
.rw-r--r--@ 1.9k phg staff 23 Jan 23:00 -- │ └──  variables.pkr.hcl Packer variables only used for this template
drwxr-xr-x@ - phg staff 23 Jan 21:41 -I ├──  downloaded_iso_path/ Packer ISO cache directory (downloaded ISOs and lock files).
.rw-r--r--@ 791M phg staff 23 Jan 21:38 -I │ ├──  dfbf02854ab0b0b828230f78a14eab621dcc09a8.iso
.rw-------@ 0 phg staff 23 Jan 21:41 -I │ └──  dfbf02854ab0b0b828230f78a14eab621dcc09a8.iso.lock
.rw-r--r--@ 1.7k phg staff 23 Jan 21:44 -- ├── 󰊢 .gitignore
.rw-r--r--@ 111 phg staff 23 Jan 15:56 -I ├──  credentials.auto.pkrvars.hcl Local secrets for Packer (API token, endpoints) used at build time.
.rw-r--r--@ 1.3k phg staff 23 Jan 22:48 -- ├──  mise.toml Task runner definitions for init/build/setup.
.rw-r--r--@ 1.8k phg staff 24 Jan 09:24 -M ├── 󰂺 README.md
.rw-r--r--@ 60 phg staff 23 Jan 16:01 -- ├──  template-credentials.pkrvars.hcl Template to create `credentials.auto.pkrvars.hcl`.
.rw-r--r--@ 303 phg staff 23 Jan 16:58 -- └──  variables-common.pkr.hcl Shared Packer variables used by templates.
```
## Initial Setup
### Create Token
1. Copy `template-credentials.pkrvars.hcl` to `credentials.auto.pkrvars.hcl`
2. Open your Proxmox VE web interface and log in.
3. Navigate to: `Datacenter` -> `Permissions` -> `API Tokens`
4. **Click:** Add
5. **Configure in the dialog:**
   1. **User:** `root@pam` (or any other user, but it needs administrative permissions)
   2. **Token ID:** `packer`
   3. **Privilege Separation:** false (the token then has the same permissions as the user it belongs to)
6. **Click:** Add
7. Copy the displayed Token ID and Token Secret to `credentials.auto.pkrvars.hcl`
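
Because the token carries the full rights of its user, the file holding it should be readable only by you and must stay out of git (the listing above shows it as `rw-r--r--`). The following check is an added example, not part of this repository's tooling; the function names are hypothetical and it assumes the file is `credentials.auto.pkrvars.hcl` in the repository root.

```shell
#!/bin/sh
# Added example: pre-build check for the Packer credentials file.
# Assumption: the secrets live in credentials.auto.pkrvars.hcl (repository root).

# Print the octal permission bits of a file, following symlinks
# (the template directories only hold a symlink to the real file).
file_mode() {
    # GNU stat first, then the BSD/macOS syntax.
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Succeed only if neither group nor others have any access to the file.
cred_mode_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeed only if git ignores the file and it is not already tracked.
cred_untracked() {
    dir=$(dirname "$1")
    name=$(basename "$1")
    git -C "$dir" check-ignore -q -- "$name" || return 1
    ! git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1
}

# Run all checks and print one line describing the first failure.
check_credentials() {
    f=${1:-credentials.auto.pkrvars.hcl}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    cred_mode_ok "$f" || {
        echo "$f is accessible by group/others; run: chmod 600 $f" >&2
        return 1
    }
    cred_untracked "$f" || {
        echo "$f is tracked or not ignored by git" >&2
        return 1
    }
    echo "ok: $f"
}
```

Source the file and call `check_credentials` before `mise run build`; a non-zero return means the token file should be fixed first.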
### Initialize Packer
Run `packer init` to initialize Packer according to an HCL template
configuration. It downloads and installs the required plugins listed in
the `required_plugins` block of the Packer templates.
```shell
mise run init <path-to-template-directory>
```
## Build
To build a template, run:
```shell
mise run build <path-to-template-directory>
```
## Setup new templates
Run:
```shell
mise run setup <distribution name> <version>
```
E.g. `mise run setup debian 13-trixie` or `mise run setup nixos 25.11`.
## ToDo
- [ ] Setup image with LUKS (check if the passphrase slots can be empty to be set later during provision)
- [ ] Setup dropbear
- [ ] Setup Clevis/Tang
- [ ] Lock down root user (remove password, prohibit all logins)
- [ ] Lock down SSH Server