diff --git a/README.md b/README.md
index e6bcd88..7e4f78b 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,46 @@
 # ProxmoxInfra
 
-Here lives the terraform infrastructure files. This has been added after setting up most of my proxmox. This means that its not all encompassing
\ No newline at end of file
+Terraform infrastructure-as-code for a homelab Proxmox environment. This repo was started after the Proxmox host was manually provisioned — existing resources are not managed here. Only new resources going forward are managed by Terraform.
+
+## Stack
+
+- Provider: `bpg/proxmox`
+- Terraform >= 1.0
+- Target: single-node Proxmox VE homelab (`nonprod-pve`)
+- Upstream network: Firewalla Gold → Switch → Proxmox
+
+## Repository Structure
+
+```
+environments/
+ nonprod/ # Nonprod environment root module
+modules/
+ networking/ # Internal bridge segments
+```
+
+## Network Architecture
+
+All workload VMs and containers are isolated on internal bridges with no physical NIC. Inter-segment traffic routes exclusively through a firewall VM (OPNsense — see To Do).
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| vmbr0 | 192.168.68.0/24 | Existing uplink — Proxmox management + OPNsense WAN |
+| management | 10.10.10.0/24 | Admin access. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads. |
+| isolated | 10.10.40.0/24 | Lab and test. No outbound access by default. |
+
+## Completed
+
+- [x] Terraform connected to nonprod Proxmox host
+- [x] Environment/module repo structure established
+- [x] Internal network segments created (`management`, `services`, `dmz`, `isolated`)
+- [x] Proxmox host assigned IP on management bridge (`10.10.10.1/24`)
+
+## To Do
+
+- [ ] Download and upload OPNsense ISO to Proxmox
+- [ ] Create OPNsense VM module with one NIC per bridge segment
+- [ ] Configure OPNsense via Ansible (`ansibleguy.opnsense`) — interfaces, DHCP, firewall rules, NAT
+- [ ] Create Windows VM on services bridge
+- [ ] Introduce remote state backend (S3-compatible or Terraform Cloud)
diff --git a/environments/nonprod/main.tf b/environments/nonprod/main.tf
index 11a7255..f835574 100644
--- a/environments/nonprod/main.tf
+++ b/environments/nonprod/main.tf
@@ -1,22 +1,3 @@
-terraform {
- required_version = ">= 1.0"
-
- required_providers {
- proxmox = {
- source = "bpg/proxmox"
- version = "~> 0.73"
- }
- }
-}
-
-provider "proxmox" {
- endpoint = var.proxmox_endpoint
- api_token = var.proxmox_api_token
-
- # Set to true if using a self-signed certificate (common on home labs)
- insecure = var.proxmox_insecure
-}
-
 data "proxmox_virtual_environment_nodes" "vm_nodes" {}
 
 output "data_proxmox_virtual_environment_nodes" {
@@ -26,3 +7,9 @@ output "data_proxmox_virtual_environment_nodes" {
 online = data.proxmox_virtual_environment_nodes.vm_nodes.online
 }
 }
+
+module "networking" {
+ source = "../../modules/networking"
+
+ proxmox_node_name = var.proxmox_node_name
+}
diff --git a/environments/nonprod/terraform.tfvars.example b/environments/nonprod/terraform.tfvars.example
deleted file mode 100644
index 36a0c94..0000000
--- a/environments/nonprod/terraform.tfvars.example
+++ /dev/null
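Review bot: The `terraform` and `provider "proxmox"` blocks are removed from main.tf in the first hunk with no replacement anywhere in this diff, so unless they were moved to a file outside this chunk (a `providers.tf`, say), the `bpg/proxmox ~> 0.73` pin is lost and `var.proxmox_endpoint`, `var.proxmox_api_token` and `var.proxmox_insecure` — still declared in variables.tf — become unreferenced inputs. If the blocks were relocated, a one-line comment at the top of main.tf such as `# Provider configuration and required_providers live in providers.tf` would save the next reader the search. Whichever file now holds the provider block should keep the removed note that `insecure` exists only for self-signed lab certificates, since its variable still defaults to `true`.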
@@ -1,6 +0,0 @@
-# Copy this file to terraform.tfvars and fill in your values.
-# terraform.tfvars is gitignored to keep secrets out of version control.
-
-proxmox_endpoint = "https://192.168.1.10:8006/"
-proxmox_api_token = "terraform@pve!terraform-nonprod="
-proxmox_insecure = true
\ No newline at end of file
diff --git a/environments/nonprod/variables.tf b/environments/nonprod/variables.tf
index 4757e1d..ef83062 100644
--- a/environments/nonprod/variables.tf
+++ b/environments/nonprod/variables.tf
@@ -14,3 +14,8 @@ variable "proxmox_insecure" {
 type = bool
 default = true
 }
+
+variable "proxmox_node_name" {
+ description = "Name of the Proxmox node to manage resources on"
+ type = string
+}
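Review bot: `proxmox_node_name` is added as a required input with no default, while the only file that showed how to supply inputs (`terraform.tfvars.example`) is deleted in this same commit, so a fresh clone has nowhere to discover what value is expected. The README names the node `nonprod-pve`; either `default = "nonprod-pve"` on the new variable or a README line listing the required variables (`proxmox_endpoint`, `proxmox_api_token`, `proxmox_node_name`) would close that gap without reintroducing an example file. A `validation` block that rejects an empty string would also make a misconfigured tfvars fail at plan time rather than at the first API call.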