add separation between common, dev and prod environments

2025-06-29 17:28:10 +03:00 · 2025-06-29 17:28:10 +03:00 · c5ce4faae6
commit c5ce4faae6
parent 4f0fe0113f
27 changed files with 266 additions and 294 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -2,4 +2,4 @@
 nocows=True

 [ssh_connection]
-ssh_args = -o StrictHostKeyChecking=accept-new -o ConnectTimeout=300 -o ConnectionAttempts=5 -o PreferredAuthentications=publickey
+ssh_args = -o StrictHostKeyChecking=accept-new -o PreferredAuthentications=publickey
--- a/ansible/inventories/common/group_vars/all.yml
+++ b/ansible/inventories/common/group_vars/all.yml
@ -0,0 +1,23 @@
+---
+
+users:
+  - name: admin
+    password_hash: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      30623138653735643561343061356531373430393662383764633038383238383837626636393432
+      3138653539356430306266663864343563616332656131310a343632323363653665646363366437
+      66643430626437333461656231303339656435346261336238313036306431396333643965666631
+      3665393163623266320a373838313538626438623330393533353931336331623464613664633430
+      32303734396634376431383936643431313561303864343930393363623130663236666636353637
+      63613237383666656263316661333031643032323266636464313839653065316138343035346161
+      64313037336666353136383462333832373031623637636630326330313832333265386632343139
+      30306638356434376635346637346134653064613236326333656566383137353166393063333563
+      32623638343263313463313062303465626439356461613235656661623364656138
+    ssh_public_keys: 
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
+    opendoas_settings: "permit persist admin as root"
+  - name: ansible
+    password_hash: ""
+    ssh_public_keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
+    opendoas_settings: "permit nopass ansible"
--- a/ansible/inventories/common/group_vars/bastion.yml
+++ b/ansible/inventories/common/group_vars/bastion.yml
--- a/ansible/inventories/common/group_vars/load_balancers.yml
+++ b/ansible/inventories/common/group_vars/load_balancers.yml
--- a/ansible/inventories/common/group_vars/monitoring.yml
+++ b/ansible/inventories/common/group_vars/monitoring.yml
--- a/ansible/inventories/common/hosts.yml
+++ b/ansible/inventories/common/hosts.yml
@ -0,0 +1,12 @@
+---
+all:
+  children:
+    bastion:
+      hosts:
+        192.168.0.254:
+    load_balancers:
+      hosts:
+        192.168.0.253:
+    monitoring:
+      hosts:
+        192.168.0.252:
--- a/ansible/inventories/dev/group_vars/main_page.yml
+++ b/ansible/inventories/dev/group_vars/main_page.yml
@ -32,7 +32,7 @@ users:
 hugo_version: 0.147.9
 hugo_homedir: /opt/hugo
 hugo_git_repo: https://gitea.cuqmbr.xyz/cuqmbr/cuqmbr.xyz.git
-hugo_git_commit: 5b894854d47b41996b1901fa257f8c2cad9224f9
+hugo_git_commit: 585a8ad8ca4cfeab4df7ae5d852f5fb616b72aca
 hugo_git_refspec: refs/heads/main
 hugo_base_url: http://dev.cuqmbr.xyz

--- a/ansible/inventories/dev/hosts.yml
+++ b/ansible/inventories/dev/hosts.yml
@ -1,15 +1,6 @@
 ---
 all:
  children:
-    bastion:
-      hosts:
-        192.168.0.254:
-    load_balancers:
-      hosts:
-        192.168.0.253:
-    monitoring:
-      hosts:
-        192.168.0.252:
    postgresql:
      hosts:
        192.168.0.3:
--- a/terraform/common/.terraform.lock.hcl
+++ b/terraform/common/.terraform.lock.hcl
--- a/terraform/common/bastion.tf
+++ b/terraform/common/bastion.tf
@ -105,6 +105,11 @@ resource "proxmox_virtual_environment_firewall_rules" "bastion" {

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }
 }
+
+output "bastion_ct" {
+  value     = proxmox_virtual_environment_container.bastion
+  sensitive = true
+}
--- a/terraform/common/firewall_ipsets.tf
+++ b/terraform/common/firewall_ipsets.tf
@ -1,4 +1,4 @@
-resource "proxmox_virtual_environment_firewall_ipset" "loggers" {
+resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {

  name    = "loggers"
  comment = "Nodes that send logs to Monitoring Node."
--- a/terraform/common/firewall_security_groups.tf
+++ b/terraform/common/firewall_security_groups.tf
@ -11,6 +11,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
  }
 }

+output "prometheus_node_exporter_sg" {
+  value     = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter
+  sensitive = true
+}
+
 resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_nginx_exporter" {
  name    = "prom-nginx-exp"
  comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
@ -24,6 +29,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
  }
 }

+output "prometheus_nginx_exporter_sg" {
+  value     = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter
+  sensitive = true
+}
+
 resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_server_exporter" {
  name    = "prom-srv-exp"
  comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
@ -37,6 +47,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
  }
 }

+output "prometheus_server_exporter_sg" {
+  value     = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter
+  sensitive = true
+}
+
 resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_alertmanager" {
  name    = "prom-alert"
  comment = "Access Prometheus Alertmanager from Monitoring Node."
@ -49,3 +64,8 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
    action = "ACCEPT"
  }
 }
+
+output "prometheus_alertmanager_sg" {
+  value     = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager
+  sensitive = true
+}
--- a/terraform/common/load-balancer.tf
+++ b/terraform/common/load-balancer.tf
@ -89,11 +89,11 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" {
  vm_id     = proxmox_virtual_environment_container.load_balancer.vm_id

  rule {
-    type   = "in"
-    source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto  = "tcp"
-    dport  = "22"
-    action = "ACCEPT"
+    type    = "in"
+    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
+    proto   = "tcp"
+    dport   = "22"
+    action  = "ACCEPT"
    comment = "SSH from Bastion."
  }

@ -105,28 +105,33 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" {
  }

  rule {
-    type   = "in"
-    action = "ACCEPT"
-    dport  = "80"
-    proto  = "tcp"
+    type    = "in"
+    action  = "ACCEPT"
+    dport   = "80"
+    proto   = "tcp"
    comment = "Ping."
  }

  rule {
-    type   = "in"
-    proto  = "tcp"
-    dport  = "443"
-    action = "ACCEPT"
+    type    = "in"
+    proto   = "tcp"
+    dport   = "443"
+    action  = "ACCEPT"
    comment = "HTTPS."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
+    comment        = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
  }
 }
+
+output "load_balancer_ct" {
+  value     = proxmox_virtual_environment_container.load_balancer
+  sensitive = true
+}
--- a/terraform/common/main.tf
+++ b/terraform/common/main.tf
@ -10,7 +10,7 @@ terraform {
 }

 provider "proxmox" {
-  endpoint = var.virtual_environment_endpoint
+  endpoint  = var.virtual_environment_endpoint
  api_token = var.virtual_environment_api_token
-  insecure = true
+  insecure  = true
 }
--- a/terraform/common/monitoring.tf
+++ b/terraform/common/monitoring.tf
@ -77,61 +77,61 @@ resource "proxmox_virtual_environment_firewall_rules" "monitoring" {
  vm_id     = proxmox_virtual_environment_container.monitoring.vm_id

  rule {
-    type   = "in"
-    source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto  = "tcp"
-    dport  = "22"
-    action = "ACCEPT"
+    type    = "in"
+    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
+    proto   = "tcp"
+    dport   = "22"
+    action  = "ACCEPT"
    comment = "SSH from Bastion."
  }

  rule {
-    type   = "in"
-    proto  = "icmp"
-    dport  = "8"
-    action = "ACCEPT"
+    type    = "in"
+    proto   = "icmp"
+    dport   = "8"
+    action  = "ACCEPT"
    comment = "Ping."
  }

  rule {
-    type   = "in"
-    source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto  = "tcp"
-    dport  = "3000"
-    action = "ACCEPT"
+    type    = "in"
+    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
+    proto   = "tcp"
+    dport   = "3000"
+    action  = "ACCEPT"
    comment = "Grafana Server from Load Balancer."
  }

  rule {
-    type   = "in"
-    source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto  = "tcp"
-    dport  = "9090"
-    action = "ACCEPT"
+    type    = "in"
+    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
+    proto   = "tcp"
+    dport   = "9090"
+    action  = "ACCEPT"
    comment = "Prometheus Server from Load Balancer."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
+    comment        = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
  }

  rule {
    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager.name
-    comment = "Access Prometheus Alertmanager from Monitoring Node."
+    comment        = "Access Prometheus Alertmanager from Monitoring Node."
  }

  rule {
-    type   = "in"
-    source = "+${proxmox_virtual_environment_firewall_ipset.loggers.name}"
-    proto  = "tcp"
-    dport  = "3100"
-    action = "ACCEPT"
+    type    = "in"
+    source  = "+${proxmox_virtual_environment_firewall_ipset.dev_loggers.name}"
+    proto   = "tcp"
+    dport   = "3100"
+    action  = "ACCEPT"
    comment = "Access Grafana Loki from logging nodes."
  }
 }
--- a/terraform/common/variables.tf
+++ b/terraform/common/variables.tf
@ -0,0 +1,37 @@
+# Connection Settings
+
+variable "virtual_environment_endpoint" {
+  description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/."
+  type        = string
+}
+
+variable "virtual_environment_api_token" {
+  description = "Tocket to access PVE API on behalf of the user."
+  type        = string
+  sensitive   = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key to place into authorized_keys of a root user in new vm/ct."
+  type        = string
+  sensitive   = true
+}
+
+
+# Variables
+
+variable "datastore_id" {
+  type = string
+}
+
+variable "external_network_bridge_name" {
+  type = string
+}
+
+variable "development_network_bridge_name" {
+  type = string
+}
+
+variable "production_network_bridge_name" {
+  type = string
+}
--- a/terraform/dev/.terraform.lock.hcl
+++ b/terraform/dev/.terraform.lock.hcl
@ -0,0 +1,9 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "local/bpg/proxmox" {
+  version = "0.78.2"
+  hashes = [
+    "h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=",
+  ]
+}
--- a/terraform/dev/main-page.tf
+++ b/terraform/dev/main-page.tf
@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "main_page" {
  }

  network_interface {
-    bridge   = var.development_network_bridge_name
+    bridge   = var.internal_network_bridge_name
    name     = "eth-dev"
    firewall = true
    enabled  = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {

  rule {
    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
+    source  = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "22"
    action  = "ACCEPT"
@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {

  rule {
    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
+    source  = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "80"
    action  = "ACCEPT"
@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {
  }

  rule {
-    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }
 }
--- a/terraform/dev/main.tf
+++ b/terraform/dev/main.tf
@ -0,0 +1,23 @@
+terraform {
+  backend "local" {
+    path = "./terraform.tfstate"
+  }
+  required_providers {
+    proxmox = {
+      source = "local/bpg/proxmox"
+    }
+  }
+}
+
+provider "proxmox" {
+  endpoint  = var.virtual_environment_endpoint
+  api_token = var.virtual_environment_api_token
+  insecure  = true
+}
+
+data "terraform_remote_state" "common" {
+  backend = "local"
+  config = {
+    path = "../common/terraform.tfstate"
+  }
+}
--- a/terraform/dev/postgresql.tf
+++ b/terraform/dev/postgresql.tf
@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "postgresql" {
  }

  network_interface {
-    bridge   = var.development_network_bridge_name
+    bridge   = var.internal_network_bridge_name
    name     = "eth-dev"
    firewall = true
    enabled  = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" {

  rule {
    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
+    source  = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "22"
    action  = "ACCEPT"
@ -86,15 +86,15 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" {
  }

  rule {
-    type   = "in"
-    proto  = "icmp"
-    dport  = "8"
-    action = "ACCEPT"
+    type    = "in"
+    proto   = "icmp"
+    dport   = "8"
+    action  = "ACCEPT"
    comment = "Ping."
  }

  rule {
-    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }
 }
--- a/terraform/dev/searxng.tf
+++ b/terraform/dev/searxng.tf
@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "searxng" {
  }

  network_interface {
-    bridge   = var.development_network_bridge_name
+    bridge   = var.internal_network_bridge_name
    name     = "eth-dev"
    firewall = true
    enabled  = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {

  rule {
    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
+    source  = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "22"
    action  = "ACCEPT"
@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {

  rule {
    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
+    source  = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
    proto   = "tcp"
    dport   = "8888"
    action  = "ACCEPT"
@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {
  }

  rule {
-    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+    security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
+    comment        = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
  }
 }
--- a/terraform/dev/variables.tf
+++ b/terraform/dev/variables.tf
@ -28,6 +28,6 @@ variable "external_network_bridge_name" {
  type = string
 }

-variable "development_network_bridge_name" {
+variable "internal_network_bridge_name" {
  type = string
 }
--- a/terraform/forgejo.tf.disabled
+++ b/terraform/forgejo.tf.disabled
@ -1,109 +0,0 @@
-resource "proxmox_virtual_environment_container" "forgejo" {
-  node_name = "pve"
-
-  vm_id = 1200
-
-  tags = ["dev"]
-
-  unprivileged = true
-
-  cpu {
-    cores = 1
-  }
-
-  memory {
-    dedicated = 1536
-  }
-
-  disk {
-    datastore_id = var.datastore_id
-    size         = 32
-  }
-
-  network_interface {
-    bridge   = var.development_network_bridge_name
-    name     = "eth-dev"
-    firewall = true
-    enabled  = true
-  }
-
-  initialization {
-    hostname = "forgejo"
-    ip_config {
-      ipv4 {
-        address = "192.168.0.12/24"
-        gateway = "192.168.0.1"
-      }
-    }
-    user_account {
-      keys = [var.ssh_public_key]
-    }
-  }
-
-  operating_system {
-    template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
-    type             = "debian"
-  }
-
-  started = true
-
-  startup {
-    order      = 500
-    up_delay   = 0
-    down_delay = 0
-  }
-
-  features {
-    nesting = true
-  }
-}
-
-resource "proxmox_virtual_environment_firewall_options" "forgejo" {
-  depends_on = [proxmox_virtual_environment_container.forgejo]
-
-  node_name = proxmox_virtual_environment_container.forgejo.node_name
-  vm_id     = proxmox_virtual_environment_container.forgejo.vm_id
-
-  enabled       = true
-  dhcp          = true
-  input_policy  = "DROP"
-  output_policy = "ACCEPT"
-}
-
-resource "proxmox_virtual_environment_firewall_rules" "forgejo" {
-  depends_on = [proxmox_virtual_environment_container.forgejo]
-
-  node_name = proxmox_virtual_environment_container.forgejo.node_name
-  vm_id     = proxmox_virtual_environment_container.forgejo.vm_id
-
-  rule {
-    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto   = "tcp"
-    dport   = "22"
-    action  = "ACCEPT"
-    comment = "SSH from Bastion."
-  }
-
-  rule {
-    type    = "in"
-    proto   = "icmp"
-    dport   = "8"
-    action  = "ACCEPT"
-    comment = "Ping."
-  }
-
-  rule {
-    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto   = "tcp"
-    dport   = "3000"
-    action  = "ACCEPT"
-    comment = "Forgejo."
-  }
-
-  rule {
-    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
-  }
-}
--- a/terraform/prod/.terraform.lock.hcl
+++ b/terraform/prod/.terraform.lock.hcl
@ -0,0 +1,9 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "local/bpg/proxmox" {
+  version = "0.78.2"
+  hashes = [
+    "h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=",
+  ]
+}
--- a/terraform/prod/main.tf
+++ b/terraform/prod/main.tf
@ -0,0 +1,23 @@
+terraform {
+  backend "local" {
+    path = "./terraform.tfstate"
+  }
+  required_providers {
+    proxmox = {
+      source = "local/bpg/proxmox"
+    }
+  }
+}
+
+provider "proxmox" {
+  endpoint = var.virtual_environment_endpoint
+  api_token = var.virtual_environment_api_token
+  insecure = true
+}
+
+data "terraform_remote_state" "common" {
+  backend = "local"
+  config = {
+    path = "../common/terraform.tfstate"
+  }
+}
--- a/terraform/prod/variables.tf
+++ b/terraform/prod/variables.tf
@ -0,0 +1,33 @@
+# Connection Settings
+
+variable "virtual_environment_endpoint" {
+  description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/."
+  type        = string
+}
+
+variable "virtual_environment_api_token" {
+  description = "Tocket to access PVE API on behalf of the user."
+  type        = string
+  sensitive   = true
+}
+
+variable "ssh_public_key" {
+  description = "SSH public key to place into authorized_keys of a root user in new vm/ct."
+  type        = string
+  sensitive   = true
+}
+
+
+# Variables
+
+variable "datastore_id" {
+  type = string
+}
+
+variable "external_network_bridge_name" {
+  type = string
+}
+
+variable "internal_network_bridge_name" {
+  type = string
+}
--- a/terraform/test.tf.disabled
+++ b/terraform/test.tf.disabled
@ -1,109 +0,0 @@
-resource "proxmox_virtual_environment_container" "test" {
-  node_name = "pve"
-
-  vm_id = 1201
-
-  tags = ["dev"]
-
-  unprivileged = true
-
-  cpu {
-    cores = 1
-  }
-
-  memory {
-    dedicated = 1536
-  }
-
-  disk {
-    datastore_id = var.datastore_id
-    size         = 10
-  }
-
-  network_interface {
-    bridge   = var.development_network_bridge_name
-    name     = "eth-dev"
-    firewall = true
-    enabled  = true
-  }
-
-  initialization {
-    hostname = "test"
-    ip_config {
-      ipv4 {
-        address = "192.168.0.100/24"
-        gateway = "192.168.0.1"
-      }
-    }
-    user_account {
-      keys = [var.ssh_public_key]
-    }
-  }
-
-  operating_system {
-    template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
-    type             = "debian"
-  }
-
-  started = true
-
-  startup {
-    order      = 500
-    up_delay   = 0
-    down_delay = 0
-  }
-
-  features {
-    nesting = true
-  }
-}
-
-resource "proxmox_virtual_environment_firewall_options" "test" {
-  depends_on = [proxmox_virtual_environment_container.test]
-
-  node_name = proxmox_virtual_environment_container.test.node_name
-  vm_id     = proxmox_virtual_environment_container.test.vm_id
-
-  enabled       = true
-  dhcp          = true
-  input_policy  = "DROP"
-  output_policy = "ACCEPT"
-}
-
-resource "proxmox_virtual_environment_firewall_rules" "test" {
-  depends_on = [proxmox_virtual_environment_container.test]
-
-  node_name = proxmox_virtual_environment_container.test.node_name
-  vm_id     = proxmox_virtual_environment_container.test.vm_id
-
-  rule {
-    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto   = "tcp"
-    dport   = "22"
-    action  = "ACCEPT"
-    comment = "SSH from Bastion."
-  }
-
-  rule {
-    type    = "in"
-    proto   = "icmp"
-    dport   = "8"
-    action  = "ACCEPT"
-    comment = "Ping."
-  }
-
-  rule {
-    type    = "in"
-    source  = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
-    proto   = "tcp"
-    dport   = "3000"
-    action  = "ACCEPT"
-    comment = "test."
-  }
-
-  rule {
-    security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
-    comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
-  }
-}