packer/README.md
2026-02-05 16:26:14 +01:00


# Packer based PVE image templates
## Table of Contents
- [Packer based PVE image templates](#packer-based-pve-image-templates)
  - [Table of Contents](#table-of-contents)
  - [Repository structure](#repository-structure)
  - [Templates](#templates)
  - [Initial Setup](#initial-setup)
    - [Create Token](#create-token)
    - [Initialize Packer](#initialize-packer)
  - [Build](#build)
  - [Build LUKS encrypted Templates](#build-luks-encrypted-templates)
  - [Setup new templates](#setup-new-templates)
  - [ToDo](#todo)
## Repository structure
```shell
la 4 -I .git
Name
./
├── _scripts/  Support scripts for building templates.
│   └── unlock-luks-after-install.py*  Unlocks the LUKS encrypted Disk on the 1st Boot after installation.
├── debian/  Debian template definitions and assets (Packer templates, cloud-init/KS files, provisioning files).
│   └── 13-trixie-luks/  Template definition and assets for the Trixie template.
│       ├── files/  Files used for the file provisioner.
│       │   ├── 99-pve.cfg  Configures the data sources for cloud-init.
│       │   └── debian.sources  Debian package sources.
│       ├── http/  Files that Packer provides during build via http.
│       │   ├── ks.cfg  Kickstart configuration.
│       │   ├── meta-data  cloud-init configuration.
│       │   └── user-data  cloud-init configuration.
│       ├── credentials.auto.pkrvars.hcl -> ../../credentials.auto.pkrvars.hcl  Local secrets for Packer (API token, endpoints) used at build time.
│       ├── debian-trixie.pkr.hcl  The build template.
│       ├── variables-common.pkr.hcl -> ../../variables-common.pkr.hcl  Shared Packer variables used by templates.
│       └── variables.pkr.hcl  Packer variables only used for this template.
├── OS/  Directory to group templates for a specific OS.
│   └── version_number[-version_codename][-luks]/  Template definition and assets.
├── downloaded_iso_path/  Packer ISO cache directory (downloaded ISOs and lock files).
│   ├── OS.iso
│   ├── OS.iso.lock
│   ├── [...].iso
│   └── [...].iso.lock
├── .gitignore
├── credentials.auto.pkrvars.hcl  Local secrets for Packer (API token, endpoints) used at build time.
├── mise.toml  Task runner definitions for init/build/setup.
├── README.md
├── template-credentials.pkrvars.hcl  Template to create `credentials.auto.pkrvars.hcl`.
└── variables-common.pkr.hcl  Shared Packer variables used by templates.
```
## Templates
| Template ID | OS | Version | Path | LUKS encrypted? | MAC Address | IP Address |
| :---------- | :--------------------------------------------------------------------------------------------- | :-------- | :---------------------- | :-------------- | :---------------- | :---------------------- |
| 65000 | <img src="https://www.debian.org/logos/openlogo-nd.svg" alt="Debian logo" height="16"/> Debian | 13-trixie | `debian/13-trixie-luks` | ✅ | BC:24:11:00:13:37 | 192.168.9.29 (via DHCP) |
## Initial Setup
### Create Token
1. Copy `template-credentials.pkrvars.hcl` to `credentials.auto.pkrvars.hcl`.
2. Open your Proxmox VE web interface and log in.
3. Navigate to: `Datacenter` -> `Permissions` -> `API Tokens`
4. **Click:** Add
5. **Configure in the dialog:**
   1. **User:** `root@pam` (or any other user you like, but it needs administrative permissions)
   2. **Token ID:** `packer`
   3. **Privilege Separation:** false (the token then has the same permissions as the user)
6. **Click:** Add
7. Copy the displayed Token ID and Token Secret to `credentials.auto.pkrvars.hcl`.
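
As an added example (not part of this repository), a pre-build check for the secrets file created in the steps above: since the token carries administrative permissions, the file should be readable only by its owner and should no longer be identical to the template. The function name `check_credentials` is an assumption; the file names are taken from the repository tree.

```shell
#!/bin/sh
# Added example: pre-build check for the Packer secrets file of one template.
# File names come from the repository tree; check_credentials is a hypothetical name.

check_credentials() {
    tpl_dir=$1
    link="$tpl_dir/credentials.auto.pkrvars.hcl"

    # Each template directory holds a symlink to the file in the repository root.
    # -e follows the symlink, so a dangling link is reported as missing.
    if [ ! -e "$link" ]; then
        echo "missing or dangling: $link" >&2
        return 1
    fi

    # ls -L follows the symlink; characters 5-10 of the mode string are the
    # group and other permission bits, which must all be unset.
    perms=$(ls -lLd "$link" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "secrets file allows group/other access ($perms); run chmod 600 on it" >&2
        return 2
    fi

    # A byte-identical copy of the template means no token was filled in yet.
    template="$tpl_dir/../../template-credentials.pkrvars.hcl"
    if [ -f "$template" ] && cmp -s "$link" "$template"; then
        echo "secrets file is still identical to the template" >&2
        return 3
    fi
    return 0
}
```

Call it as `check_credentials debian/13-trixie-luks` from the repository root before running a build; a non-zero return code identifies which check failed.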
### Initialize Packer
Run `packer init` to initialize Packer according to an HCL template
configuration. It downloads and installs the required plugins according to
the `required_plugins` block in the Packer templates.
```shell
mise run init <path-to-template-directory>
```
## Build
To build a template run:
```shell
mise run build <path-to-template-directory>
```
## Build LUKS encrypted Templates
To build a LUKS encrypted template run:
```shell
mise run build-luks <path-to-template-directory>
```
## Setup new templates
Run:
```shell
mise run setup <distribution name> <version>
```
E.g. `mise run setup debian 13-trixie` or `mise run setup nixos 25.11`.
## ToDo
- [x] Setup image with LUKS
- [ ] Setup dropbear
- [ ] Setup Clevis/Tang
- [ ] Lock down root user (remove password, prohibit all logins)
- [ ] Lock down SSH Server