Merge pull request 'feature/networking' (#2) from feature/networking into main
Reviewed-on: #2
This commit was merged in pull request #2.
45
README.md
45
README.md
@@ -1,3 +1,46 @@
|
||||
# ProxmoxInfra
|
||||
|
||||
Here lives the terraform infrastructure files. This has been added after setting up most of my proxmox. This means that its not all encompassing
|
||||
Terraform infrastructure-as-code for a homelab Proxmox environment. This repo was started after the Proxmox host was manually provisioned — existing resources are not managed here. Only new resources going forward are managed by Terraform.
|
||||
|
||||
## Stack
|
||||
|
||||
- Provider: `bpg/proxmox`
|
||||
- Terraform >= 1.0
|
||||
- Target: single-node Proxmox VE homelab (`nonprod-pve`)
|
||||
- Upstream network: Firewalla Gold → Switch → Proxmox
|
||||
|
||||
## Repository Structure
|
||||
|
||||
```
|
||||
environments/
|
||||
nonprod/ # Nonprod environment root module
|
||||
modules/
|
||||
networking/ # Internal bridge segments
|
||||
```
|
||||
|
||||
## Network Architecture
|
||||
|
||||
All workload VMs and containers are isolated on internal bridges with no physical NIC. Inter-segment traffic routes exclusively through a firewall VM (OPNsense — see To Do).
|
||||
|
||||
| Bridge | CIDR | Purpose |
|
||||
|--------|------|---------|
|
||||
| vmbr0 | 192.168.68.0/24 | Existing uplink — Proxmox management + OPNsense WAN |
|
||||
| management | 10.10.10.0/24 | Admin access. Proxmox host holds 10.10.10.1. |
|
||||
| services | 10.10.20.0/24 | General workload VMs and containers. |
|
||||
| dmz | 10.10.30.0/24 | Externally exposed workloads. |
|
||||
| isolated | 10.10.40.0/24 | Lab and test. No outbound access by default. |
|
||||
|
||||
## Completed
|
||||
|
||||
- [x] Terraform connected to nonprod Proxmox host
|
||||
- [x] Environment/module repo structure established
|
||||
- [x] Internal network segments created (`management`, `services`, `dmz`, `isolated`)
|
||||
- [x] Proxmox host assigned IP on management bridge (`10.10.10.1/24`)
|
||||
|
||||
## To Do
|
||||
|
||||
- [ ] Download and upload OPNsense ISO to Proxmox
|
||||
- [ ] Create OPNsense VM module with one NIC per bridge segment
|
||||
- [ ] Configure OPNsense via Ansible (`ansibleguy.opnsense`) — interfaces, DHCP, firewall rules, NAT
|
||||
- [ ] Create Windows VM on services bridge
|
||||
- [ ] Introduce remote state backend (S3-compatible or Terraform Cloud)
|
||||
|
||||
@@ -1,22 +1,3 @@
|
||||
terraform {
|
||||
required_version = ">= 1.0"
|
||||
|
||||
required_providers {
|
||||
proxmox = {
|
||||
source = "bpg/proxmox"
|
||||
version = "~> 0.73"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "proxmox" {
|
||||
endpoint = var.proxmox_endpoint
|
||||
api_token = var.proxmox_api_token
|
||||
|
||||
# Set to true if using a self-signed certificate (common on home labs)
|
||||
insecure = var.proxmox_insecure
|
||||
}
|
||||
|
||||
data "proxmox_virtual_environment_nodes" "vm_nodes" {}
|
||||
|
||||
output "data_proxmox_virtual_environment_nodes" {
|
||||
@@ -26,3 +7,9 @@ output "data_proxmox_virtual_environment_nodes" {
|
||||
online = data.proxmox_virtual_environment_nodes.vm_nodes.online
|
||||
}
|
||||
}
|
||||
|
||||
module "networking" {
|
||||
source = "../../modules/networking"
|
||||
|
||||
proxmox_node_name = var.proxmox_node_name
|
||||
}
|
||||
|
||||
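--- a/environments/nonprod/providers.tf
+++ b/environments/nonprod/providers.tf
@@ -0,0 +1,7 @@
+provider "proxmox" {
+endpoint = var.proxmox_endpoint
+api_token = var.proxmox_api_token
+
+# Set to true if using a self-signed certificate (common on home labs)
+insecure = var.proxmox_insecure
+}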
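Review bot: `insecure = var.proxmox_insecure` turns off TLS verification of the Proxmox API endpoint whenever the variable is true, and the context lines of the variables.tf hunk in this PR show that variable declared with `default = true`, so a fresh checkout that never sets it talks to the API with certificate checking disabled. Change that declaration to `default = false` and let homelab users opt in explicitly from `terraform.tfvars`, or better, trust the self-signed certificate on the machine running Terraform and leave `insecure` off. The comment above the line could then read `# Opt-in only: disables TLS verification of the API endpoint; prefer trusting the self-signed CA instead`. If `variable "proxmox_api_token"` (not in this diff) is not marked `sensitive = true`, consider adding it so Terraform redacts the token wherever it is echoed — worth confirming.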
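--- a/environments/nonprod/terraform.tf
+++ b/environments/nonprod/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+required_version = ">= 1.0"
+
+required_providers {
+proxmox = {
+source = "bpg/proxmox"
+version = "~> 0.73"
+}
+}
+}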
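Review bot: `version = "~> 0.73"` is looser than it looks: with two components the pessimistic operator allows any 0.x release at or above 0.73, so the next provider minor (which, pre-1.0, may carry breaking changes) is picked up by `terraform init` on a fresh checkout. If the intent is to track patch releases only, write `version = "~> 0.73.0"`. No `.terraform.lock.hcl` appears in this PR; committing it records the selected provider version and its checksums so every workstation and CI run installs the same binary.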
@@ -1,6 +0,0 @@
|
||||
# Copy this file to terraform.tfvars and fill in your values.
|
||||
# terraform.tfvars is gitignored to keep secrets out of version control.
|
||||
|
||||
proxmox_endpoint = "https://192.168.1.10:8006/"
|
||||
proxmox_api_token = "terraform@pve!terraform-nonprod=<secret>"
|
||||
proxmox_insecure = true
|
||||
@@ -14,3 +14,8 @@ variable "proxmox_insecure" {
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "proxmox_node_name" {
|
||||
description = "Name of the Proxmox node to manage resources on"
|
||||
type = string
|
||||
}
|
||||
|
||||
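--- a/modules/networking/README.md
+++ b/modules/networking/README.md
@@ -0,0 +1,35 @@
+# Module: networking
+
+Creates the internal Linux bridge network segments on a Proxmox node. These bridges are purely virtual — no physical NIC is attached. All inter-segment traffic is routed through a firewall VM (OPNsense).
+
+## Segments
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| management | 10.10.10.0/24 | Proxmox API access and admin tools. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads (e.g. web servers). |
+| isolated | 10.10.40.0/24 | Lab and test workloads. No outbound access by default. |
+
+The Proxmox host has no IP on services, dmz, or isolated — VMs on those segments have no direct path to the hypervisor.
+
+## Usage
+
+```hcl
+module "networking" {
+source = "../../modules/networking"
+
+proxmox_node_name = "pve"
+}
+```
+
+## Inputs
+
+| Name | Type | Description |
+|------|------|-------------|
+| proxmox_node_name | string | Name of the Proxmox node to create bridges on. |
+
+## Notes
+
+- After apply, Proxmox automatically reloads the network configuration — no manual intervention required.
+- `Sys.Modify` must be granted to the Terraform API token role to manage node network interfaces.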
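--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -0,0 +1,29 @@
+resource "proxmox_network_linux_bridge" "management" {
+node_name = var.proxmox_node_name
+name = "management"
+
+address = "10.10.10.1/24"
+
+comment = "Terraform managed Linux bridge for Proxmox API access and admin tools"
+}
+
+resource "proxmox_network_linux_bridge" "services" {
+node_name = var.proxmox_node_name
+name = "services"
+
+comment = "Terraform managed Linux bridge for general workload VMs and containers"
+}
+
+resource "proxmox_network_linux_bridge" "dmz" {
+node_name = var.proxmox_node_name
+name = "dmz"
+
+comment = "Terraform managed Linux bridge for externally exposed VMs and containers (e.g. web servers)"
+}
+
+resource "proxmox_network_linux_bridge" "isolated" {
+node_name = var.proxmox_node_name
+name = "isolated"
+
+comment = "Terraform managed Linux bridge for Lab/test VMs and containers with no external connectivity"
+}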
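Review bot: The comment on the `isolated` resource says the segment has no external connectivity, but nothing in the resource enforces that — a Linux bridge without `address` merely has no host IP, and the segment's egress will be whatever the planned OPNsense VM (one NIC per bridge) permits once it is attached. Reword it so it does not read as a guarantee, e.g. `comment = "Terraform managed Linux bridge for Lab/test VMs and containers; egress is decided by the router VM's firewall rules, not by this bridge"`, and the same applies to the `dmz` comment. `management` is the only bridge on which the host holds an address (10.10.10.1/24), so it is the one segment from which VMs reach the hypervisor directly; that is intended per the README but is worth stating in its comment. Stylistically the four resources differ only in `name`, `address` and `comment`, so one `for_each` resource over a local map keeps the segment list in a single place; renaming the resources changes their state addresses, so state that already holds these bridges would need `moved` blocks (Terraform >= 1.1) or a manual state move.
```hcl
locals {
  # One entry per bridge segment; only "management" carries a host address.
  segments = {
    management = { address = "10.10.10.1/24", comment = "Terraform managed Linux bridge for Proxmox API access and admin tools" }
    services   = { address = null, comment = "Terraform managed Linux bridge for general workload VMs and containers" }
    dmz        = { address = null, comment = "Terraform managed Linux bridge for externally exposed VMs and containers (e.g. web servers)" }
    isolated   = { address = null, comment = "Terraform managed Linux bridge for Lab/test VMs and containers with no external connectivity" }
  }
}

resource "proxmox_network_linux_bridge" "segment" {
  for_each = local.segments

  node_name = var.proxmox_node_name
  name      = each.key
  address   = each.value.address
  comment   = each.value.comment
}
```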
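--- a/modules/networking/terraform.tf
+++ b/modules/networking/terraform.tf
@@ -0,0 +1,7 @@
+terraform {
+required_providers {
+proxmox = {
+source = "bpg/proxmox"
+}
+}
+}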
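Review bot: The module's `required_providers` entry for `proxmox` carries no `version` constraint, so on its own the module accepts any release of `bpg/proxmox`; today only the root's `~> 0.73` in environments/nonprod/terraform.tf keeps an incompatible version from being selected. Modules are meant to be reused from other roots, so declare the floor the module itself needs, e.g. `version = ">= 0.73"`, and add a `required_version` here as the root does.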
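--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -0,0 +1,4 @@
+variable "proxmox_node_name" {
+description = "Name of the Proxmox node to manage resources on"
+type = string
+}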