# ProxmoxInfra

Terraform infrastructure-as-code for a homelab Proxmox environment.

This repo was started after the Proxmox host was manually provisioned — existing resources are not managed here. Only new resources going forward are managed by Terraform.

## Stack

- Provider: `bpg/proxmox`
- Terraform >= 1.0
- Target: single-node Proxmox VE homelab (`nonprod-pve`)
- Upstream network: Firewalla Gold → Switch → Proxmox

## Repository Structure

```
environments/
  nonprod/        # Nonprod environment root module
modules/
  networking/     # Internal bridge segments
```

## Network Architecture

All workload VMs and containers are isolated on internal bridges with no physical NIC. Inter-segment traffic routes exclusively through a firewall VM (OPNsense — see To Do).

| Bridge | CIDR | Purpose |
|--------|------|---------|
| vmbr0 | 192.168.68.0/24 | Existing uplink — Proxmox management + OPNsense WAN |
| management | 10.10.10.0/24 | Admin access. Proxmox host holds 10.10.10.1. |
| services | 10.10.20.0/24 | General workload VMs and containers. |
| dmz | 10.10.30.0/24 | Externally exposed workloads. |
| isolated | 10.10.40.0/24 | Lab and test. No outbound access by default. |

## Completed

- [x] Terraform connected to nonprod Proxmox host
- [x] Environment/module repo structure established
- [x] Internal network segments created (`management`, `services`, `dmz`, `isolated`)
- [x] Proxmox host assigned IP on management bridge (`10.10.10.1/24`)

## To Do

- [ ] Download and upload OPNsense ISO to Proxmox
- [ ] Create OPNsense VM module with one NIC per bridge segment
- [ ] Configure OPNsense via Ansible (`ansibleguy.opnsense`) — interfaces, DHCP, firewall rules, NAT
- [ ] Create Windows VM on services bridge
- [ ] Introduce remote state backend (S3-compatible or Terraform Cloud)
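
The internal bridges from the Network Architecture table, as an added Terraform sketch (not this repository's `modules/networking` code). It uses the `bpg/proxmox` resource `proxmox_virtual_environment_network_linux_bridge`; the variable names `node_name` and `segments` and the output name are hypothetical. Leaving `ports` unset is what keeps each bridge detached from any physical NIC, and only `management` gives the host an address.

```hcl
# Added example: hypothetical variable and output names, not the repo's module.
terraform {
  required_providers {
    proxmox = { source = "bpg/proxmox" }
  }
}

variable "node_name" {
  type    = string
  default = "nonprod-pve" # node name taken from the README
}

# Internal segments from the README table. vmbr0 is the pre-existing,
# manually provisioned uplink and is deliberately not declared here.
variable "segments" {
  type = map(object({
    cidr         = string
    purpose      = string
    host_address = string # null = host holds no IP on this bridge
  }))
  default = {
    management = { cidr = "10.10.10.0/24", purpose = "Admin access", host_address = "10.10.10.1/24" }
    services   = { cidr = "10.10.20.0/24", purpose = "General workloads", host_address = null }
    dmz        = { cidr = "10.10.30.0/24", purpose = "Externally exposed workloads", host_address = null }
    isolated   = { cidr = "10.10.40.0/24", purpose = "Lab and test", host_address = null }
  }

  # Reject malformed CIDRs at plan time instead of on the host.
  validation {
    condition     = alltrue([for s in values(var.segments) : can(cidrhost(s.cidr, 1))])
    error_message = "Every segment cidr must be a valid IPv4 CIDR block."
  }
}

resource "proxmox_virtual_environment_network_linux_bridge" "segment" {
  for_each  = var.segments
  node_name = var.node_name
  name      = each.key
  address   = each.value.host_address # null leaves the host without an IP here
  comment   = "${each.value.purpose} (${each.value.cidr})"
  # No `ports`: the bridge has no physical uplink, so traffic can only
  # leave the segment through a VM attached to it (the planned OPNsense VM).
}

output "segment_bridges" {
  value = { for k, b in proxmox_virtual_environment_network_linux_bridge.segment : k => b.name }
}
```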