Declare incus_image for NixOS/unstable #47

Merged
AlexCaswen merged 3 commits from 48-declare-incus-image into main 2026-05-10 01:47:00 +00:00
AlexCaswen commented 2026-05-10 01:06:19 +00:00 (Migrated from gitlab.com)

Changes

  • Add incus_image.nixos_unstable resource that pulls and caches the NixOS/unstable image from the upstream images: remote
  • All 5 containers now reference incus_image.nixos_unstable.fingerprint instead of the hardcoded "images:nixos/unstable" string
  • All containers get lifecycle { ignore_changes = [image] } to prevent mass rebuild when the pinned image updates

Why

Previously each container pointed directly at the upstream image server. If upstream published a new NixOS snapshot between container creates, different containers could end up on different base images. This makes the image a single managed resource — upgrades are intentional, not implicit.

Upgrade workflow

  1. tofu apply refreshes the incus_image resource (pulls latest NixOS/unstable)
  2. lifecycle { ignore_changes = [image] } prevents automatic container rebuilds
  3. Rebuild containers one at a time: tofu apply -replace=incus_instance.btc_node
  4. Data volumes on dedicated pools survive the rebuild
  5. Deploy job pushes configuration.nix and runs nixos-rebuild switch

First apply

The incus_image resource will be created (image pulled to host). The lifecycle blocks prevent any container changes. Plan should show 1 new resource, 0 changes to existing.

Closes #48

AlexCaswen (Migrated from gitlab.com) approved these changes 2026-05-10 01:06:19 +00:00
AlexCaswen commented 2026-05-10 01:24:45 +00:00 (Migrated from gitlab.com)

assigned to @AlexCaswen

AlexCaswen commented 2026-05-10 01:26:29 +00:00 (Migrated from gitlab.com)

added 1 commit

  • 238ac9cd - Fix incus_image syntax: source_image is a block, not separate args

AlexCaswen commented 2026-05-10 01:37:18 +00:00 (Migrated from gitlab.com)

added 1 commit

  • 7668669f - Fix incus_image: aliases list -> alias block

AlexCaswen commented 2026-05-10 01:46:57 +00:00 (Migrated from gitlab.com)

approved this merge request

AlexCaswen commented 2026-05-10 01:47:01 +00:00 (Migrated from gitlab.com)

mentioned in commit 90c35937af

AlexCaswen (Migrated from gitlab.com) merged commit 90c35937af into main 2026-05-10 01:47:01 +00:00
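
The "First apply" expectation in the description (1 new resource, 0 changes to existing) can be checked mechanically against the plan JSON from `tofu show -json <planfile>`. The following is an added example, not code from this merge request; it also flags any `incus_instance` whose `image` is not the pinned fingerprint. Both plans are constructed samples, and `example_node` is a hypothetical instance name.

```python
import copy
IMAGE = "incus_image.nixos_unstable"

def audit_first_apply(plan, image_addr=IMAGE):
    """Return findings for a parsed `tofu show -json` plan; [] means it matches."""
    findings, creates = [], []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        if actions == ["create"]:
            creates.append(rc["address"])
        else:  # update, delete, or replace (delete+create in either order)
            findings.append(f"{rc['address']}: unexpected {'+'.join(actions)}")
    if creates != [image_addr]:
        findings.append(f"expected only {image_addr} to be created, got {creates}")
    resources = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res["type"] != "incus_instance":
            continue
        image = res.get("expressions", {}).get("image", {})
        if f"{image_addr}.fingerprint" not in image.get("references", []):
            findings.append(f"{res['address']}: image not pinned, got {image.get('constant_value')!r}")
    return findings

def _instance(name, image_expr):
    # Minimal slice of a configuration entry: only the fields the audit reads.
    return {"address": f"incus_instance.{name}", "type": "incus_instance",
            "expressions": {"image": image_expr}}

PINNED = {"references": [f"{IMAGE}.fingerprint", IMAGE]}
# Constructed plan: the shape the description expects on first apply.
GOOD_PLAN = {
    "resource_changes": [
        {"address": IMAGE, "change": {"actions": ["create"]}},
        {"address": "incus_instance.btc_node", "change": {"actions": ["no-op"]}},
    ],
    "configuration": {"root_module": {"resources": [_instance("btc_node", PINNED)]}},
}

# Constructed counter-example: a replace appears in the plan and one instance
# (hypothetical name "example_node") still uses the hardcoded upstream alias.
BAD_PLAN = copy.deepcopy(GOOD_PLAN)
BAD_PLAN["resource_changes"][1]["change"]["actions"] = ["delete", "create"]
BAD_PLAN["configuration"]["root_module"]["resources"].append(
    _instance("example_node", {"constant_value": "images:nixos/unstable"}))

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, audit_first_apply(plan) or "OK")
```

On a real plan, load the output of `tofu show -json` with `json.load` and fail the pipeline when the returned list is non-empty.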
Reference
midwitmoneymgmt/m3-infra!47