README.md

@@ -1,3 +1,46 @@
 # ProxmoxInfra
 
-Here lives the terraform infrastructure files. This has been added after setting up most of my proxmox. This means that its not all encompassing
+Terraform infrastructure-as-code for a homelab Proxmox environment. This repo was started after the Proxmox host was manually provisioned — existing resources are not managed here. Only new resources going forward are managed by Terraform.
+
+## Stack
+
+- Provider: `bpg/proxmox`
+- Terraform >= 1.0
+- Target: single-node Proxmox VE homelab (`nonprod-pve`)
+- Upstream network: Firewalla Gold → Switch → Proxmox
+
+## Repository Structure
+
+```
+environments/
+  nonprod/          # Nonprod environment root module
+modules/
+  networking/       # Internal bridge segments
+```
+
+## Network Architecture
+
+All workload VMs and containers are isolated on internal bridges with no physical NIC. Inter-segment traffic routes exclusively through a firewall VM (OPNsense — see To Do).
+
+| Bridge | CIDR | Purpose |
+|--------|------|---------|
+| vmbr0 | 192.168.68.0/24 | Existing uplink — Proxmox management + OPNsense WAN |
+| management | 10.10.10.0/24 | Admin access. Proxmox host holds 10.10.10.1. |
+| services | 10.10.20.0/24 | General workload VMs and containers. |
+| dmz | 10.10.30.0/24 | Externally exposed workloads. |
+| isolated | 10.10.40.0/24 | Lab and test. No outbound access by default. |
+
+## Completed
+
+- [x] Terraform connected to nonprod Proxmox host
+- [x] Environment/module repo structure established
+- [x] Internal network segments created (`management`, `services`, `dmz`, `isolated`)
+- [x] Proxmox host assigned IP on management bridge (`10.10.10.1/24`)
+
+## To Do
+
+- [ ] Download and upload OPNsense ISO to Proxmox
+- [ ] Create OPNsense VM module with one NIC per bridge segment
+- [ ] Configure OPNsense via Ansible (`ansibleguy.opnsense`) — interfaces, DHCP, firewall rules, NAT
+- [ ] Create Windows VM on services bridge
+- [ ] Introduce remote state backend (S3-compatible or Terraform Cloud)

environments/nonprod/main.tf

@@ -1,22 +1,3 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    proxmox = {
-      source  = "bpg/proxmox"
-      version = "~> 0.73"
-    }
-  }
-}
-
-provider "proxmox" {
-  endpoint  = var.proxmox_endpoint
-  api_token = var.proxmox_api_token
-
-  # Set to true if using a self-signed certificate (common on home labs)
-  insecure = var.proxmox_insecure
-}
-
 data "proxmox_virtual_environment_nodes" "vm_nodes" {}
 
 output "data_proxmox_virtual_environment_nodes" {
@@ -26,3 +7,9 @@ output "data_proxmox_virtual_environment_nodes" {
     online    = data.proxmox_virtual_environment_nodes.vm_nodes.online
   }
 }
+
+module "networking" {
+  source = "../../modules/networking"
+
+  proxmox_node_name = var.proxmox_node_name
+}

environments/nonprod/terraform.tfvars.example

@@ -1,6 +0,0 @@
-# Copy this file to terraform.tfvars and fill in your values.
-# terraform.tfvars is gitignored to keep secrets out of version control.
-
-proxmox_endpoint = "https://192.168.1.10:8006/"
-proxmox_api_token = "terraform@pve!terraform-nonprod=<secret>"
-proxmox_insecure = true

environments/nonprod/variables.tf

@@ -14,3 +14,8 @@ variable "proxmox_insecure" {
   type        = bool
   default     = true
 }
+
+variable "proxmox_node_name" {
+  description = "Name of the Proxmox node to manage resources on"
+  type        = string
+}