diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..d9548c9
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..516a623
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,42 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/vault" {
+ version = "2.24.1"
+ constraints = "2.24.1"
+ hashes = [
+ "h1:MUzJ+jOOPBoyGNWGjESE+t2rIjTobw08Y73jgU+d+EU=",
+ "zh:1968be03bbc83c9f512a60f0a018cb0cf4c9a4a0f9e606f9a7436ae06108200f",
+ "zh:23ef25b530dcf2f60692e261d2a56c112138d79a739f2c720bee818cf040a20f",
+ "zh:2b80879cf8110254eeeb55b36ce542e9cdaefc047d450368ff0ca631b29d41d6",
+ "zh:3d803047407a4e7ccb51cd88b38648e50517e70b97842ae1262b5c5a92eb8ede",
+ "zh:7edfd0323a839903e7fc5f45acce8dd61c43b356c09016e1bd43d6880bd82be6",
+ "zh:7efa2c6d1d0bac9478adb27fc68035ca9dc2107dae55d921a760a8ad237eb691",
+ "zh:a1f9d34e2ac8b3a3d177faef4f11690068919ef7d73256def6685cfd9282f83d",
+ "zh:a6c34746e0085ae49e3845fc58597d2d5778fcb2136fedb413b3e30ba77dd2bd",
+ "zh:a73eb4bc061b5babd7ea4d5f3f85f4b4c6d379982098411a29a7d7459fc37ab2",
+ "zh:aadecf464ead4ae30821495d8181e842c18a2537c018245509a96532eeaf7678",
+ "zh:e3ae8c48804065fa4f85095002f945adbd5cd3966c0b1afced7d839007586105",
+ ]
+}
+
+provider "registry.terraform.io/telmate/proxmox" {
+ version = "2.9.0"
+ constraints = "2.9.0"
+ hashes = [
+ "h1:2emsswGg3BBrWiYV9GhR1MfR7r6sREVvC3qGX56UOv8=",
+ "zh:05b3556ffd47f7791e51c600bc281562c35d54fcb2768fe19c5faf08fd10d8f3",
+ "zh:0ae37a5adb0f9f6409c5363b5ac9f0eb3ed95698b82bb6827a86469a2d103edd",
+ "zh:0d0487486fd9cb3b064d7495082fb6fb75705dfadf43262a2abb18bc2a76da29",
+ "zh:12b66f4616bbd011533c5d4254abfa782ebc33619fb439619646283d831a6b3c",
+ "zh:3c0f9396c75230746f824fe65e5ffb27b277504be23f2771392019e89700c3a9",
+ "zh:5410169fc01ac9358f766d155e3b199541c25caf3a74ecada84202ecdf68cf75",
+ "zh:582cd15439da18358f24214addc90085860237a5bc8bb41d57c8e6115032c0c2",
+ "zh:97ef5e28d4863b52868dd436392b4bbba6dc12e3927ba4d33702538adfbe83c0",
+ "zh:a1631929b77ac97d38b2a340f598d10005ff75745546f04ea171a4042f98a894",
+ "zh:ae5116c32ad7b0e0573522c9158583a77a98ec52bbce14dc3ce00c03328c0b4f",
+ "zh:c164cedfef4ab70dc25fb2c0c25a091c5d8a6b09d58725fc4296b37cb9b133a2",
+ "zh:c6aed31aceaf6a923859e9e2af26a8e45559d0680bc3524207886ee0556968c2",
+ "zh:cffbee36856bac5ec527a8f83d52edbead3ac73e0ffbe77a958c175a78929ad6",
+ ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..b5d3378
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,155 @@
+provider "proxmox" {
+ pm_api_url = "https://10.42.42.42:8006/api2/json"
+ pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
+ pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
+ pm_tls_insecure = true
+}
+
+# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
+resource "proxmox_lxc" "nixos-template" {
+ target_node = "nuc"
+ description = "NixOS LXC Template"
+ hostname = "nixos-template"
+ ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
+ ostype = "unmanaged"
+ unprivileged = true
+ vmid = "101"
+ template = true
+
+ memory = 1024
+
+ features {
+ nesting = true
+ }
+
+ rootfs {
+ storage = "local-zfs"
+ size = "8G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "dhcp"
+ hwaddr = "22:D7:C1:FF:9D:5F"
+ }
+}
+
+resource "proxmox_lxc" "vault" {
+ target_node = "nuc"
+ description = "Vault Secrets Management"
+ hostname = "vault"
+ unprivileged = false # needed for mlock
+ vmid = "102"
+ clone = "101"
+
+ memory = 1024
+
+ rootfs {
+ storage = "local-zfs"
+ size = "8G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "dhcp"
+ hwaddr = "16:2B:87:55:0C:0C"
+ }
+}
+
+resource "proxmox_lxc" "mosquitto" {
+ target_node = "nuc"
+ description = "mosquitto mqtt broker"
+ hostname = "mosquitto"
+ vmid = 104
+ clone = 101
+ unprivileged = true
+
+ memory = 1024
+
+ rootfs {
+ storage = "local-zfs"
+ size = "8G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "dhcp"
+ hwaddr = "C6:F9:8B:3D:9E:37"
+ }
+}
+
+resource "proxmox_lxc" "nginx" {
+ target_node = "nuc"
+ description = "nginx reverse proxy"
+ hostname = "nginx"
+ vmid = 106
+ clone = 101
+ unprivileged = true
+
+ memory = 512
+
+ rootfs {
+ storage = "local-zfs"
+ size = "8G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "dhcp"
+ hwaddr = "6A:C2:89:85:CF:A6"
+ }
+}
+
+resource "proxmox_vm_qemu" "k3s-node1" {
+ name = "k3s-node1"
+ target_node = "nuc"
+ vmid = 103
+ clone = "bastion"
+ tablet = false
+
+ memory = 8192
+ cores = 4
+
+ agent = 1
+ boot = "order=scsi0;ide2;net0"
+
+ network {
+ model = "virtio"
+ macaddr = "2E:F8:55:23:D9:9B"
+ bridge = "vmbr0"
+ }
+
+ disk {
+ type = "scsi"
+ storage = "local-zfs"
+ size = "64G"
+ ssd = 1
+ }
+}
+
+resource "proxmox_lxc" "consul" {
+ target_node = "nuc"
+ description = "consul service mesh"
+ hostname = "consul"
+ vmid = 107
+ clone = 101
+ unprivileged = true
+
+ memory = 512
+
+ rootfs {
+ storage = "local-zfs"
+ size = "8G"
+ }
+
+ network {
+ name = "eth0"
+ bridge = "vmbr0"
+ ip = "dhcp"
+ hwaddr = "D6:DE:07:41:73:81"
+ }
+}
diff --git a/terraform/vault.tf b/terraform/vault.tf
new file mode 100644
index 0000000..73d2d7d
--- /dev/null
+++ b/terraform/vault.tf
@@ -0,0 +1,9 @@
+provider "vault" {
+ address = "http://10.42.42.6:8200"
+ skip_tls_verify = true
+}
+
+# Proxmox authentication for terraform
+data "vault_generic_secret" "proxmox_auth" {
+ path = "secrets/proxmox/terraform_auth"
+}
diff --git a/terraform/version.tf b/terraform/version.tf
new file mode 100644
index 0000000..5beb9d4
--- /dev/null
+++ b/terraform/version.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "telmate/proxmox"
+ version = "2.9.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ version = "2.24.1"
+ }
+ }
+}
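Review bot: `pm_tls_insecure = true` in the `provider "proxmox"` block of main.tf disables certificate verification on the API connection that carries `pm_user`/`pm_password`, so the credentials fetched from Vault are only as protected as the network path to 10.42.42.42:8006. Prefer installing a trusted certificate (or the cluster CA) on the Terraform host and setting `pm_tls_insecure = false`; if the self-signed default has to stay, record that trade-off in a comment next to the flag. Separately, `vmid` and `clone` are strings in `nixos-template`/`vault` (`vmid = "101"`, `clone = "101"`) but numbers in `mosquitto`, `nginx` and `consul` (`vmid = 104`, `clone = 101`); pick one form so the plan output stays consistent. The `vault` container is the one host holding secrets and runs with `unprivileged = false` (commented as needed for mlock), which is worth stating in its `description` so the exception is visible outside the code.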
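Review bot: `address = "http://10.42.42.6:8200"` in vault.tf talks to Vault over plaintext HTTP, so the Vault token and the Proxmox user/pass returned by `data.vault_generic_secret.proxmox_auth` cross the network unencrypted; `skip_tls_verify = true` has no effect on an `http://` address and suggests TLS was intended. Switch to `address = "https://10.42.42.6:8200"` with `ca_cert_file` pointing at the Vault CA and drop `skip_tls_verify`. Note also that values read through `vault_generic_secret` are written to the Terraform state in plaintext, so the `*.tfstate` ignore in .gitignore is necessary but not sufficient — the state backend itself needs access control; a comment on the data source would make this clear, e.g. `# NOTE: secret values land in terraform state; keep the state backend private`.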