From 940ecb39465372ac219dd5202da0f9e494d7fd4c Mon Sep 17 00:00:00 2001
From: bob
Date: Fri, 10 Apr 2026 23:34:51 -0500
Subject: [PATCH 1/2] Implement bridges and fillout readme with current state
---
 README.md | 45 ++++++++++++++++++-
 environments/nonprod/main.tf | 25 +++-------
 environments/nonprod/terraform.tfvars.example | 6 ---
 environments/nonprod/variables.tf | 5 +++
 4 files changed, 55 insertions(+), 26 deletions(-)
 delete mode 100644 environments/nonprod/terraform.tfvars.example
diff --git a/README.md b/README.md
index e6bcd88..7e4f78b 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,46 @@
 # ProxmoxInfra
 
-Here lives the terraform infrastructure files. This has been added after setting up most of my proxmox. This means that its not all encompassing
\ No newline at end of file
+Terraform infrastructure-as-code for a homelab Proxmox environment. This repo was started after the Proxmox host was manually provisioned — existing resources are not managed here. Only new resources going forward are managed by Terraform.
+
+## Stack
+
+- Provider: `bpg/proxmox`
+- Terraform >= 1.0
+- Target: single-node Proxmox VE homelab (`nonprod-pve`)
+- Upstream network: Firewalla Gold → Switch → Proxmox
+
+## Repository Structure
+
+```
+environments/
+ nonprod/ # Nonprod environment root module
+modules/
+ networking/ # Internal bridge segments
+```
+
+## Network Architecture
+
+All workload VMs and containers are isolated on internal bridges with no physical NIC. Inter-segment traffic routes exclusively through a firewall VM (OPNsense — see To Do).
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| vmbr0 | 192.168.68.0/24 | Existing uplink — Proxmox management + OPNsense WAN |
+| management | 10.10.10.0/24 | Admin access. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads. |
+| isolated | 10.10.40.0/24 | Lab and test. No outbound access by default. |
+
+## Completed
+
+- [x] Terraform connected to nonprod Proxmox host
+- [x] Environment/module repo structure established
+- [x] Internal network segments created (`management`, `services`, `dmz`, `isolated`)
+- [x] Proxmox host assigned IP on management bridge (`10.10.10.1/24`)
+
+## To Do
+
+- [ ] Download and upload OPNsense ISO to Proxmox
+- [ ] Create OPNsense VM module with one NIC per bridge segment
+- [ ] Configure OPNsense via Ansible (`ansibleguy.opnsense`) — interfaces, DHCP, firewall rules, NAT
+- [ ] Create Windows VM on services bridge
+- [ ] Introduce remote state backend (S3-compatible or Terraform Cloud)
diff --git a/environments/nonprod/main.tf b/environments/nonprod/main.tf
index 11a7255..f835574 100644
--- a/environments/nonprod/main.tf
+++ b/environments/nonprod/main.tf
@@ -1,22 +1,3 @@
-terraform {
- required_version = ">= 1.0"
-
- required_providers {
- proxmox = {
- source = "bpg/proxmox"
- version = "~> 0.73"
- }
- }
-}
-
-provider "proxmox" {
- endpoint = var.proxmox_endpoint
- api_token = var.proxmox_api_token
-
- # Set to true if using a self-signed certificate (common on home labs)
- insecure = var.proxmox_insecure
-}
-
 data "proxmox_virtual_environment_nodes" "vm_nodes" {}
 
 output "data_proxmox_virtual_environment_nodes" {
@@ -26,3 +7,9 @@ output "data_proxmox_virtual_environment_nodes" {
 online = data.proxmox_virtual_environment_nodes.vm_nodes.online
 }
 }
+
+module "networking" {
+ source = "../../modules/networking"
+
+ proxmox_node_name = var.proxmox_node_name
+}
diff --git a/environments/nonprod/terraform.tfvars.example b/environments/nonprod/terraform.tfvars.example
deleted file mode 100644
index 36a0c94..0000000
--- a/environments/nonprod/terraform.tfvars.example
+++ /dev/null
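Review bot: The `terraform` and `provider "proxmox"` blocks are removed in the first hunk, but their replacements (`environments/nonprod/providers.tf` and `environments/nonprod/terraform.tf`) only arrive in PATCH 2/2, so at this commit the root module has no provider configuration and no version constraint and `terraform init`/`plan` cannot succeed on their own; both patches also carry the identical subject line. Squash 2/2 into this commit, or move the two new files into it, so every commit in the series is independently applyable and bisectable. The second hunk's `module "networking"` call is fine as written; it passes only `proxmox_node_name`, which is the single input the module declares.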
@@ -1,6 +0,0 @@
-# Copy this file to terraform.tfvars and fill in your values.
-# terraform.tfvars is gitignored to keep secrets out of version control.
-
-proxmox_endpoint = "https://192.168.1.10:8006/"
-proxmox_api_token = "terraform@pve!terraform-nonprod="
-proxmox_insecure = true
\ No newline at end of file
diff --git a/environments/nonprod/variables.tf b/environments/nonprod/variables.tf
index 4757e1d..ef83062 100644
--- a/environments/nonprod/variables.tf
+++ b/environments/nonprod/variables.tf
@@ -14,3 +14,8 @@ variable "proxmox_insecure" {
 type = bool
 default = true
 }
+
+variable "proxmox_node_name" {
+ description = "Name of the Proxmox node to manage resources on"
+ type = string
+}
From 836a57cd76ab798a5cee1b2f76b84147326f0aa9 Mon Sep 17 00:00:00 2001
From: bob
Date: Fri, 10 Apr 2026 23:35:27 -0500
Subject: [PATCH 2/2] Implement bridges and fillout readme with current state
---
 environments/nonprod/providers.tf | 7 +++++++
 environments/nonprod/terraform.tf | 10 +++++++++
 modules/networking/README.md | 35 +++++++++++++++++++++++++++++++
 modules/networking/main.tf | 29 +++++++++++++++++++++++++
 modules/networking/terraform.tf | 7 +++++++
 modules/networking/variables.tf | 4 ++++
 6 files changed, 92 insertions(+)
 create mode 100644 environments/nonprod/providers.tf
 create mode 100644 environments/nonprod/terraform.tf
 create mode 100644 modules/networking/README.md
 create mode 100644 modules/networking/main.tf
 create mode 100644 modules/networking/terraform.tf
 create mode 100644 modules/networking/variables.tf
diff --git a/environments/nonprod/providers.tf b/environments/nonprod/providers.tf
new file mode 100644
index 0000000..a2f29ae
--- /dev/null
+++ b/environments/nonprod/providers.tf
@@ -0,0 +1,7 @@
+provider "proxmox" {
+ endpoint = var.proxmox_endpoint
+ api_token = var.proxmox_api_token
+
+ # Set to true if using a self-signed certificate (common on home labs)
+ insecure = var.proxmox_insecure
+}
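Review bot: `insecure = var.proxmox_insecure` disables TLS certificate verification whenever the variable is left at its default, and the `variables.tf` context in the first patch declares that default as `true`, so a fresh checkout sends the API token to an unverified endpoint unless the operator remembers to opt back in. Invert the posture: `default = false` on `proxmox_insecure`, with `proxmox_insecure = true` set explicitly in the operator's gitignored `terraform.tfvars` for hosts that still present a self-signed certificate. With `terraform.tfvars.example` deleted in the first patch, nothing in the repo now states how `proxmox_endpoint` and `proxmox_api_token` are expected to be supplied; a line in the README or a restored example file (keeping the placeholder token) would close that gap. If `proxmox_api_token` is not already declared `sensitive = true` (its declaration is above the variables.tf hunk, so I cannot see it), add that so the value is redacted from plan output.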
diff --git a/environments/nonprod/terraform.tf b/environments/nonprod/terraform.tf
new file mode 100644
index 0000000..544af2b
--- /dev/null
+++ b/environments/nonprod/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ version = "~> 0.73"
+ }
+ }
+}
diff --git a/modules/networking/README.md b/modules/networking/README.md
new file mode 100644
index 0000000..ca166a4
--- /dev/null
+++ b/modules/networking/README.md
@@ -0,0 +1,35 @@
+# Module: networking
+
+Creates the internal Linux bridge network segments on a Proxmox node. These bridges are purely virtual — no physical NIC is attached. All inter-segment traffic is routed through a firewall VM (OPNsense).
+
+## Segments
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| management | 10.10.10.0/24 | Proxmox API access and admin tools. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads (e.g. web servers). |
+| isolated | 10.10.40.0/24 | Lab and test workloads. No outbound access by default. |
+
+The Proxmox host has no IP on services, dmz, or isolated — VMs on those segments have no direct path to the hypervisor.
+
+## Usage
+
+```hcl
+module "networking" {
+ source = "../../modules/networking"
+
+ proxmox_node_name = "pve"
+}
+```
+
+## Inputs
+
+| Name | Type | Description |
+|------|------|-------------|
+| proxmox_node_name | string | Name of the Proxmox node to create bridges on. |
+
+## Notes
+
+- After apply, Proxmox automatically reloads the network configuration — no manual intervention required.
+- `Sys.Modify` must be granted to the Terraform API token role to manage node network interfaces.
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
new file mode 100644
index 0000000..8f5f8ff
--- /dev/null
+++ b/modules/networking/main.tf
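Review bot: `version = "~> 0.73"` admits every `0.x` release from 0.73 onward, so each `terraform init` on a new machine may resolve a different provider build; unless `.terraform.lock.hcl` is committed (it is not part of this series, so I cannot tell), nothing pins the provider to a known checksum. Commit the lock file that `terraform init` generates and consider narrowing the constraint to a patch-level range, e.g. `version = "~> 0.73.0"`, so provider upgrades become deliberate, reviewable changes rather than a side effect of re-initialising. The module-level `modules/networking/terraform.tf` in this patch leaves `version` unset and inherits this root constraint, which is the right split between module and root.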
@@ -0,0 +1,29 @@
+resource "proxmox_network_linux_bridge" "management" {
+ node_name = var.proxmox_node_name
+ name = "management"
+
+ address = "10.10.10.1/24"
+
+ comment = "Terraform managed Linux bridge for Proxmox API access and admin tools"
+}
+
+resource "proxmox_network_linux_bridge" "services" {
+ node_name = var.proxmox_node_name
+ name = "services"
+
+ comment = "Terraform managed Linux bridge for general workload VMs and containers"
+}
+
+resource "proxmox_network_linux_bridge" "dmz" {
+ node_name = var.proxmox_node_name
+ name = "dmz"
+
+ comment = "Terraform managed Linux bridge for externally exposed VMs and containers (e.g. web servers)"
+}
+
+resource "proxmox_network_linux_bridge" "isolated" {
+ node_name = var.proxmox_node_name
+ name = "isolated"
+
+ comment = "Terraform managed Linux bridge for Lab/test VMs and containers with no external connectivity"
+}
diff --git a/modules/networking/terraform.tf b/modules/networking/terraform.tf
new file mode 100644
index 0000000..e5901a2
--- /dev/null
+++ b/modules/networking/terraform.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ }
+ }
+}
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
new file mode 100644
index 0000000..481f84e
--- /dev/null
+++ b/modules/networking/variables.tf
@@ -0,0 +1,4 @@
+variable "proxmox_node_name" {
+ description = "Name of the Proxmox node to manage resources on"
+ type = string
+}
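Review bot: None of the four `proxmox_network_linux_bridge` resources enforces isolation by itself; a bridge with no ports is only an L2 segment, so the `isolated` resource's comment "with no external connectivity" and the README's "No outbound access by default" describe a policy that will hold only once the planned OPNsense VM exists and its firewall rules deny that traffic. Make the dependency explicit so a later reader does not mistake the bridge for the control, e.g. `comment = "Terraform managed Linux bridge for Lab/test VMs and containers; no external connectivity, enforced by OPNsense firewall policy rather than by this bridge"`. The `management` bridge is the only one given a host address (`10.10.10.1/24`), which makes the node's management services reachable from every guest attached to that segment; that matches the README's design, but recording in the resource comment that this segment is trusted to reach the hypervisor would keep the intent with the code. Since the README marks these segments as already created, collapsing the four copies into one `for_each` resource would change their addresses and need `moved` blocks to avoid destroying and recreating live bridges.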
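Review bot: The module's `proxmox_node_name` description reads "Name of the Proxmox node to manage resources on", copied from the root variable, while the module README's Inputs table documents the same input as "Name of the Proxmox node to create bridges on"; the two should agree since the README is presumably generated or hand-kept from this file. Use the narrower, accurate wording here: `description = "Name of the Proxmox node to create bridges on"`.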