added k3s bootstrap config to deploy to all dedicated nodes.

proxmox-infra/index.ts

@@ -1,5 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as proxmox from "@muhlba91/pulumi-proxmoxve";
+import * as tls from "@pulumi/tls";
 
 const config = new pulumi.Config();
 
@@ -19,6 +20,15 @@ const pveBckpProvider = new proxmox.Provider("pve-bckp", {
   insecure: true,
 });
 
+// ---------------------------------------------------------------------------
+// CI runner SSH keypair — generated once, stored in Pulumi state backend.
+// Public key goes into every VM; private key is exported for k8s-bootstrap.
+// ---------------------------------------------------------------------------
+
+const ciRunnerKey = new tls.PrivateKey("ci-runner-key", {
+  algorithm: "ED25519",
+});
+
 // ---------------------------------------------------------------------------
 // Download Ubuntu Noble cloud image to each node's ISO storage
 // ---------------------------------------------------------------------------
@@ -219,7 +229,10 @@ const k3sVms = nodeConfigs.map(
           userAccount: {
             username: "ubuntu",
             password: k3sVmPassword,
-            keys: [sshPvePublicKey.apply((k) => k.trim())],
+            keys: [
+                  sshPvePublicKey.apply((k) => k.trim()),
+                  ciRunnerKey.publicKeyOpenssh.apply((k) => k.trim()),
+                ],
           },
         },
         networkDevices: [{ bridge: "vmbr0", model: "virtio" }],
@@ -245,7 +258,7 @@ export const clusterInfo = k3sVms.map((vm, index) => ({
   role: nodeConfigs[index].role,
 }));
 
-// Individual vmId exports — used by k8s-bootstrap to start VMs and run guest exec.
+// Individual vmId exports — used by k8s-bootstrap to start VMs.
 // Order matches nodeConfigs: master-1, master-2, worker-1, master-3, worker-2.
 export const vmIds = {
   master1: k3sVms[0].vmId,
@@ -254,3 +267,6 @@ export const vmIds = {
   master3: k3sVms[3].vmId,
   worker2: k3sVms[4].vmId,
 };
+
+// CI runner SSH private key — consumed by k8s-bootstrap via StackReference.
+export const ciRunnerPrivateKey = pulumi.secret(ciRunnerKey.privateKeyOpenssh);

proxmox-infra/package-lock.json

@@ -7,7 +7,8 @@
             "name": "proxmox-infra",
             "dependencies": {
                 "@muhlba91/pulumi-proxmoxve": "^8.2.1",
-                "@pulumi/pulumi": "^3.113.0"
+                "@pulumi/pulumi": "^3.113.0",
+                "@pulumi/tls": "^5.5.0"
             },
             "devDependencies": {
                 "@types/node": "^18",
@@ -752,6 +753,15 @@
                 }
             }
         },
+        "node_modules/@pulumi/tls": {
+            "version": "5.5.0",
+            "resolved": "https://registry.npmjs.org/@pulumi/tls/-/tls-5.5.0.tgz",
+            "integrity": "sha512-OTGxp4sgDEuXlXrd7NtxrhhciPgcn9rqDIZlGOTmTaeGo+tlVMwv73FFqiVrzAmBiILdU8tLXHfxhjc+bTLdrQ==",
+            "license": "Apache-2.0",
+            "dependencies": {
+                "@pulumi/pulumi": "^3.142.0"
+            }
+        },
         "node_modules/@sigstore/bundle": {
             "version": "4.0.0",
             "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-4.0.0.tgz",

proxmox-infra/package.json

@@ -7,6 +7,7 @@
     },
     "dependencies": {
         "@muhlba91/pulumi-proxmoxve": "^8.2.1",
-        "@pulumi/pulumi": "^3.113.0"
+        "@pulumi/pulumi": "^3.113.0",
+        "@pulumi/tls": "^5.5.0"
     }
 }