From 5e407639d5db3cfbe2b67189e30e51b01653991f Mon Sep 17 00:00:00 2001
From: Victor Roest
Date: Sun, 17 Oct 2021 11:11:52 +0200
Subject: [PATCH 01/10] Initial commit
---
.gitignore | 33 +++++++++++++++++++++++++++++++++
.terraform.lock.hcl | 23 +++++++++++++++++++++++
main.tf | 12 ++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 .gitignore
create mode 100644 .terraform.lock.hcl
create mode 100644 main.tf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d9548c9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..3650d5c
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/telmate/proxmox" {
+ version = "2.8.0"
+ constraints = "2.8.0"
+ hashes = [
+ "h1:RmEhNI5/T73g8+gSqy20MSgszjTquC+srhIflQWlNRE=",
+ "zh:210fe85f6bdc51196dbda2c12de5fd0ddd597704fc91f5a08346cebd7493ff42",
+ "zh:360ad867389041aacc3184632e682a068daae20271c51ab31ea49ce77076c31e",
+ "zh:386243cab8be04b485d9ac7b1cb6d603bc800c0c69453eca0a13e64a69f1c43c",
+ "zh:3b46ad0d6b517d84dca252ec64df6b9d1ff2d4376ed69fb0679d19f3308756eb",
+ "zh:3f1a1292da7d2e5d7e67179c26d26fc865f822576d72d6723d299d483a9a0c56",
+ "zh:41e513e107f692250519f37a3656c6172093e53d037a447228fc5a025e89954f",
+ "zh:496938004d56eea7c8e4e7401a53fcaabeaa9475aa1b7152787968b5aaae946e",
+ "zh:6755a0a470c4af9058c9c1f18f0f63fd8d6e6cfa928665beb16dc7043b50b5f1",
+ "zh:78208afc9d8be564b886ac4f4bc1d8c20a0f7cb2bebdced97622b45e8df0c591",
+ "zh:a5a40c9a50c5daa095877ab25a86bdf8dbceaf457b81fc8dd02629a50c3b56e1",
+ "zh:d89d5de3e3716353859d40ecdd75033bc873732989117f9b9baf7a87788c493e",
+ "zh:e1b20fd36a5fb7587821377c61f92e9e926743f71e381ee54336d0475a23524a",
+ "zh:f5da99f1a00a9637c8988f2115f84157836627927800628576cfe7b0e53e967e",
+ ]
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..7fa27b2
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "telmate/proxmox"
+ version = "2.8.0"
+ }
+ }
+}
+
+provider "proxmox" {
+ pm_api_url = "https://10.42.42.42:8006/api2/json"
+}
From 120ad6fbeadc2d9a8d66df867960beef67705a88 Mon Sep 17 00:00:00 2001
From: Victor Roest
Date: Sun, 17 Oct 2021 12:04:23 +0200
Subject: [PATCH 02/10] added: NixOS Template LXC
---
main.tf | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/main.tf b/main.tf
index 7fa27b2..373f858 100644
--- a/main.tf
+++ b/main.tf
@@ -9,4 +9,31 @@ terraform { provider "proxmox" { pm_api_url = "https://10.42.42.42:8006/api2/json" + pm_tls_insecure = true } + +# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/ +resource "proxmox_lxc" "nixos-template" { + target_node = "nuc" + description = "NixOS LXC Template" + hostname = "nixos-template" + ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" + ostype = "unmanaged" + unprivileged = true + + features { + nesting = true + } + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + } +} + From 18ec1212b3429de0616c906669d7ecdd69625065 Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Sun, 17 Oct 2021 15:14:29 +0200 Subject: [PATCH 03/10] deploy vault node --- .terraform.lock.hcl | 10 ++++++++-- main.tf | 30 ++++++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 3650d5c..31231a0 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,9 +1,15 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.example.com/telmate/proxmox" { + version = "9.9.9" + hashes = [ + "h1:BnhIwXbxNF0NLvXes4/WiLGEldeU5UZWlLg3vrO/kog=", + ] +} + provider "registry.terraform.io/telmate/proxmox" { - version = "2.8.0" - constraints = "2.8.0" + version = "2.8.0" hashes = [ "h1:RmEhNI5/T73g8+gSqy20MSgszjTquC+srhIflQWlNRE=", "zh:210fe85f6bdc51196dbda2c12de5fd0ddd597704fc91f5a08346cebd7493ff42", diff --git a/main.tf b/main.tf index 373f858..f1d640e 100644 --- a/main.tf +++ b/main.tf @@ -1,8 +1,7 @@ terraform { required_providers { proxmox = { - source = "telmate/proxmox" - version = "2.8.0" + source = "registry.example.com/telmate/proxmox" } } } 
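Review bot: `pm_tls_insecure = true` in the `provider "proxmox"` block of `main.tf` (PATCH 02/10) turns off certificate verification for the Proxmox API at `https://10.42.42.42:8006`, so a host on the path between the Terraform machine and the node can present its own certificate and read or alter the API traffic, including whatever credentials the provider sends. I would set `pm_tls_insecure = false` and make the Proxmox CA (or the node's certificate) trusted on the machine that runs Terraform. Because the URL uses a bare IP address, the certificate would presumably need that address as a subject alternative name, or the URL should use the node's hostname instead. If the flag has to stay for now, a comment such as `# TODO: self-signed cert on nuc; remove once the PVE CA is trusted` keeps it from being read as a permanent setting.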
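Review bot: The `proxmox` entry in `required_providers` (PATCH 03/10, first `main.tf` hunk) now points at `registry.example.com/telmate/proxmox` and loses its `version` line, so nothing in the configuration states which build of the provider is expected. The lock file entry added in the same commit records version `9.9.9` with a single `h1:` hash. For a provider installed from a local build I would keep a constraint, `version = "9.9.9"`, and add a comment naming the upstream commit it was built from, so the binary that runs with Proxmox credentials can be traced and rebuilt. The same unpinned source is carried into `version.tf` in PATCH 04/10.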
@@ -20,6 +19,10 @@ resource "proxmox_lxc" "nixos-template" { ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" ostype = "unmanaged" unprivileged = true + vmid = "101" + template = true + + memory = 1024 features { nesting = true @@ -34,6 +37,29 @@ resource "proxmox_lxc" "nixos-template" { name = "eth0" bridge = "vmbr0" ip = "dhcp" + hwaddr = "22:D7:C1:FF:9D:5F" } } +resource "proxmox_lxc" "vault" { + target_node = "nuc" + description = "Vault Secrets Management" + hostname = "vault" + unprivileged = true + vmid = "102" + clone = "101" + + memory = 1024 + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + hwaddr = "16:2B:87:55:0C:0C" + } +} From f9d1498a3c47746d1557451661006a877fd1f8ac Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Sun, 17 Oct 2021 16:36:51 +0200 Subject: [PATCH 04/10] configure vault provider --- .terraform.lock.hcl | 19 +++++++++++++++++++ main.tf | 12 +++--------- vault.tf | 9 +++++++++ version.tf | 12 ++++++++++++ 4 files changed, 43 insertions(+), 9 deletions(-) create mode 100644 vault.tf create mode 100644 version.tf diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 31231a0..274cfbb 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -8,6 +8,25 @@ provider "registry.example.com/telmate/proxmox" { ] } +provider "registry.terraform.io/hashicorp/vault" { + version = "2.24.1" + constraints = "2.24.1" + hashes = [ + "h1:MUzJ+jOOPBoyGNWGjESE+t2rIjTobw08Y73jgU+d+EU=", + "zh:1968be03bbc83c9f512a60f0a018cb0cf4c9a4a0f9e606f9a7436ae06108200f", + "zh:23ef25b530dcf2f60692e261d2a56c112138d79a739f2c720bee818cf040a20f", + "zh:2b80879cf8110254eeeb55b36ce542e9cdaefc047d450368ff0ca631b29d41d6", + "zh:3d803047407a4e7ccb51cd88b38648e50517e70b97842ae1262b5c5a92eb8ede", + "zh:7edfd0323a839903e7fc5f45acce8dd61c43b356c09016e1bd43d6880bd82be6", + "zh:7efa2c6d1d0bac9478adb27fc68035ca9dc2107dae55d921a760a8ad237eb691", + "zh:a1f9d34e2ac8b3a3d177faef4f11690068919ef7d73256def6685cfd9282f83d", + "zh:a6c34746e0085ae49e3845fc58597d2d5778fcb2136fedb413b3e30ba77dd2bd", + "zh:a73eb4bc061b5babd7ea4d5f3f85f4b4c6d379982098411a29a7d7459fc37ab2", + "zh:aadecf464ead4ae30821495d8181e842c18a2537c018245509a96532eeaf7678", + "zh:e3ae8c48804065fa4f85095002f945adbd5cd3966c0b1afced7d839007586105", + ] +} + provider "registry.terraform.io/telmate/proxmox" { version = "2.8.0" hashes = [ diff --git a/main.tf b/main.tf index f1d640e..32ce7cb 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,7 @@ -terraform { - required_providers { - proxmox = { - source = "registry.example.com/telmate/proxmox" - } - } -} - provider "proxmox" { pm_api_url = "https://10.42.42.42:8006/api2/json" + pm_user = data.vault_generic_secret.proxmox_auth.data["user"] + pm_password = data.vault_generic_secret.proxmox_auth.data["pass"] pm_tls_insecure = true } @@ -45,7 +39,7 @@ resource "proxmox_lxc" "vault" { target_node = "nuc" description = "Vault Secrets Management" hostname = "vault" - unprivileged = true + unprivileged = false # needed for mlock vmid = "102" clone = "101" diff --git a/vault.tf b/vault.tf new file mode 100644 index 0000000..73d2d7d --- /dev/null +++ b/vault.tf 
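Review bot: `pm_user` and `pm_password` in `main.tf` (PATCH 04/10, first hunk) are read from `data.vault_generic_secret.proxmox_auth`, and Terraform records the values a data source returns in its state, so the Proxmox password will sit in plain text in `terraform.tfstate`. The `.gitignore` from PATCH 01/10 keeps `*.tfstate` out of the repository, but the file itself still needs restricted permissions or an encrypted backend. A comment above the provider block would make that visible, e.g. `# credentials end up in state: keep tfstate private`. The provider also cannot be configured unless Vault is reachable, while the `vault` container appears to be a resource of this same configuration, so a rebuild from scratch looks like it needs a bootstrap path; that is inferred from the resource name, not shown in the hunk.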
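Review bot: `unprivileged = false # needed for mlock` in `resource "proxmox_lxc" "vault"` (PATCH 04/10, second `main.tf` hunk) makes the Vault container privileged, so root inside the container is root on the Proxmox host and a compromise of the service that holds the secrets is no longer contained by the user-namespace boundary. Two alternatives keep the isolation: leave `unprivileged = true` and set `disable_mlock = true` in the Vault configuration with swap disabled or encrypted on the host, or run Vault in a `proxmox_vm_qemu` guest. If the privileged container stays, the comment should record the trade-off, e.g. `# privileged: required for mlock; container root == host root`. The resource block starts and ends outside the hunk.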
@@ -0,0 +1,9 @@ +provider "vault" { + address = "http://10.42.42.6:8200" + skip_tls_verify = true +} + +# Proxmox authentication for terraform +data "vault_generic_secret" "proxmox_auth" { + path = "secrets/proxmox/terraform_auth" +} diff --git a/version.tf b/version.tf new file mode 100644 index 0000000..7905084 --- /dev/null +++ b/version.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + proxmox = { + # Locally installed from git repo for LXC cloning support + source = "registry.example.com/telmate/proxmox" + } + vault = { + source = "hashicorp/vault" + version = "2.24.1" + } + } +} From 44cecdb12d6321e44a79fcb59e31a7f7ff41cd05 Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Sun, 17 Oct 2021 21:02:10 +0200 Subject: [PATCH 05/10] deployed k3s-node1 --- main.tf | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/main.tf b/main.tf index 32ce7cb..1e5b917 100644 --- a/main.tf +++ b/main.tf @@ -57,3 +57,30 @@ resource "proxmox_lxc" "vault" { hwaddr = "16:2B:87:55:0C:0C" } } + +resource "proxmox_vm_qemu" "k3s-node1" { + name = "k3s-node1" + target_node = "nuc" + vmid = 103 + clone = "bastion" + + memory = 2048 + cores = 4 + + agent = 1 + define_connection_info = false + boot = "order=scsi0;ide2;net0" + + network { + model = "virtio" + macaddr = "2E:F8:55:23:D9:9B" + bridge = "vmbr0" + } + + disk { + type = "scsi" + storage = "local-zfs" + size = "64G" + ssd = 1 + } +} From e4c23d01bc95a86d0354286d9789f1f391887d8d Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Sun, 17 Oct 2021 23:38:49 +0200 Subject: [PATCH 06/10] more ram for k3s --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 1e5b917..248b227 100644 --- a/main.tf +++ b/main.tf @@ -44,7 +44,7 @@ resource "proxmox_lxc" "vault" { clone = "101" memory = 1024 - + rootfs { storage = "local-zfs" size = "8G" 
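Review bot: In `vault.tf` (PATCH 04/10) the `provider "vault"` block talks to `http://10.42.42.6:8200`, so the Vault token and every secret read through it, including the Proxmox credentials fetched by `proxmox_auth`, cross the network unencrypted. `skip_tls_verify = true` has no effect on an `http://` address, and it would disable certificate checking the moment the address is switched to HTTPS. I would enable a TLS listener on Vault, change the line to `address = "https://10.42.42.6:8200"` and drop `skip_tls_verify`, pointing `ca_cert_file` at the issuing CA if it is a private one.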
@@ -64,7 +64,7 @@ resource "proxmox_vm_qemu" "k3s-node1" { vmid = 103 clone = "bastion" - memory = 2048 + memory = 8192 cores = 4 agent = 1 From 79c0ea4bcb4c252c265d94dc909c41a32ea1e4c6 Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Mon, 18 Oct 2021 18:53:54 +0200 Subject: [PATCH 07/10] deploy mosquitto --- main.tf | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 248b227..9628e1f 100644 --- a/main.tf +++ b/main.tf @@ -58,6 +58,28 @@ resource "proxmox_lxc" "vault" { } } +resource "proxmox_lxc" "mosquitto" { + target_node = "nuc" + description = "mosquitto mqtt broker" + hostname = "mosquitto" + vmid = 104 + clone = 101 + + memory = 1024 + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + hwaddr = "C6:F9:8B:3D:9E:37" + } +} + resource "proxmox_vm_qemu" "k3s-node1" { name = "k3s-node1" target_node = "nuc" @@ -68,7 +90,6 @@ resource "proxmox_vm_qemu" "k3s-node1" { cores = 4 agent = 1 - define_connection_info = false boot = "order=scsi0;ide2;net0" network { From c7312a68b5ac771364239cab4eab8dfb0a61c00b Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Tue, 19 Oct 2021 02:02:56 +0200 Subject: [PATCH 08/10] nginx: deploy --- main.tf | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/main.tf b/main.tf index 9628e1f..39ecfe8 100644 --- a/main.tf +++ b/main.tf @@ -80,6 +80,28 @@ resource "proxmox_lxc" "mosquitto" { } } +resource "proxmox_lxc" "nginx" { + target_node = "nuc" + description = "nginx reverse proxy" + hostname = "nginx" + vmid = 106 + clone = 101 + + memory = 512 + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + hwaddr = "6A:C2:89:85:CF:A6" + } +} + resource "proxmox_vm_qemu" "k3s-node1" { name = "k3s-node1" target_node = "nuc" From 4c574117b4144eae2e8e56229bec22dea122c9a2 Mon Sep 17 00:00:00 2001 
From: Victor Roest Date: Sat, 23 Oct 2021 12:54:20 +0200 Subject: [PATCH 09/10] updated proxmox-terraform to 2.9.0 --- .terraform.lock.hcl | 38 ++++++++++++++++---------------------- main.tf | 3 +++ version.tf | 4 ++-- 3 files changed, 21 insertions(+), 24 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 274cfbb..516a623 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,13 +1,6 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.example.com/telmate/proxmox" { - version = "9.9.9" - hashes = [ - "h1:BnhIwXbxNF0NLvXes4/WiLGEldeU5UZWlLg3vrO/kog=", - ] -} - provider "registry.terraform.io/hashicorp/vault" { version = "2.24.1" constraints = "2.24.1" 
@@ -28,21 +21,22 @@ provider "registry.terraform.io/hashicorp/vault" { } provider "registry.terraform.io/telmate/proxmox" { - version = "2.8.0" + version = "2.9.0" + constraints = "2.9.0" hashes = [ - "h1:RmEhNI5/T73g8+gSqy20MSgszjTquC+srhIflQWlNRE=", - "zh:210fe85f6bdc51196dbda2c12de5fd0ddd597704fc91f5a08346cebd7493ff42", - "zh:360ad867389041aacc3184632e682a068daae20271c51ab31ea49ce77076c31e", - "zh:386243cab8be04b485d9ac7b1cb6d603bc800c0c69453eca0a13e64a69f1c43c", - "zh:3b46ad0d6b517d84dca252ec64df6b9d1ff2d4376ed69fb0679d19f3308756eb", - "zh:3f1a1292da7d2e5d7e67179c26d26fc865f822576d72d6723d299d483a9a0c56", - "zh:41e513e107f692250519f37a3656c6172093e53d037a447228fc5a025e89954f", - "zh:496938004d56eea7c8e4e7401a53fcaabeaa9475aa1b7152787968b5aaae946e", - "zh:6755a0a470c4af9058c9c1f18f0f63fd8d6e6cfa928665beb16dc7043b50b5f1", - "zh:78208afc9d8be564b886ac4f4bc1d8c20a0f7cb2bebdced97622b45e8df0c591", - "zh:a5a40c9a50c5daa095877ab25a86bdf8dbceaf457b81fc8dd02629a50c3b56e1", - "zh:d89d5de3e3716353859d40ecdd75033bc873732989117f9b9baf7a87788c493e", - "zh:e1b20fd36a5fb7587821377c61f92e9e926743f71e381ee54336d0475a23524a", - "zh:f5da99f1a00a9637c8988f2115f84157836627927800628576cfe7b0e53e967e", + "h1:2emsswGg3BBrWiYV9GhR1MfR7r6sREVvC3qGX56UOv8=", + "zh:05b3556ffd47f7791e51c600bc281562c35d54fcb2768fe19c5faf08fd10d8f3", + "zh:0ae37a5adb0f9f6409c5363b5ac9f0eb3ed95698b82bb6827a86469a2d103edd", + "zh:0d0487486fd9cb3b064d7495082fb6fb75705dfadf43262a2abb18bc2a76da29", + "zh:12b66f4616bbd011533c5d4254abfa782ebc33619fb439619646283d831a6b3c", + "zh:3c0f9396c75230746f824fe65e5ffb27b277504be23f2771392019e89700c3a9", + "zh:5410169fc01ac9358f766d155e3b199541c25caf3a74ecada84202ecdf68cf75", + "zh:582cd15439da18358f24214addc90085860237a5bc8bb41d57c8e6115032c0c2", + "zh:97ef5e28d4863b52868dd436392b4bbba6dc12e3927ba4d33702538adfbe83c0", + "zh:a1631929b77ac97d38b2a340f598d10005ff75745546f04ea171a4042f98a894", + "zh:ae5116c32ad7b0e0573522c9158583a77a98ec52bbce14dc3ce00c03328c0b4f", + 
"zh:c164cedfef4ab70dc25fb2c0c25a091c5d8a6b09d58725fc4296b37cb9b133a2", + "zh:c6aed31aceaf6a923859e9e2af26a8e45559d0680bc3524207886ee0556968c2", + "zh:cffbee36856bac5ec527a8f83d52edbead3ac73e0ffbe77a958c175a78929ad6", ] } diff --git a/main.tf b/main.tf index 39ecfe8..7550830 100644 --- a/main.tf +++ b/main.tf @@ -64,6 +64,7 @@ resource "proxmox_lxc" "mosquitto" { hostname = "mosquitto" vmid = 104 clone = 101 + unprivileged = true memory = 1024 @@ -86,6 +87,7 @@ resource "proxmox_lxc" "nginx" { hostname = "nginx" vmid = 106 clone = 101 + unprivileged = true memory = 512 @@ -107,6 +109,7 @@ resource "proxmox_vm_qemu" "k3s-node1" { target_node = "nuc" vmid = 103 clone = "bastion" + tablet = false memory = 8192 cores = 4 diff --git a/version.tf b/version.tf index 7905084..5beb9d4 100644 --- a/version.tf +++ b/version.tf @@ -1,8 +1,8 @@ terraform { required_providers { proxmox = { - # Locally installed from git repo for LXC cloning support - source = "registry.example.com/telmate/proxmox" + source = "telmate/proxmox" + version = "2.9.0" } vault = { source = "hashicorp/vault" From 3e16d61a859d4fa03f529950b8a832e6c935bbcd Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Wed, 3 Nov 2021 22:47:44 +0100 Subject: [PATCH 10/10] add consul node --- main.tf | 119 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 71 insertions(+), 48 deletions(-) diff --git a/main.tf b/main.tf index 7550830..b5d3378 100644 --- a/main.tf +++ b/main.tf 
@@ -1,20 +1,20 @@ provider "proxmox" { - pm_api_url = "https://10.42.42.42:8006/api2/json" - pm_user = data.vault_generic_secret.proxmox_auth.data["user"] - pm_password = data.vault_generic_secret.proxmox_auth.data["pass"] + pm_api_url = "https://10.42.42.42:8006/api2/json" + pm_user = data.vault_generic_secret.proxmox_auth.data["user"] + pm_password = data.vault_generic_secret.proxmox_auth.data["pass"] pm_tls_insecure = true } # For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/ resource "proxmox_lxc" "nixos-template" { - target_node = "nuc" - description = "NixOS LXC Template" - hostname = "nixos-template" - ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" - ostype = "unmanaged" + target_node = "nuc" + description = "NixOS LXC Template" + hostname = "nixos-template" + ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" + ostype = "unmanaged" unprivileged = true - vmid = "101" - template = true + vmid = "101" + template = true memory = 1024 
@@ -24,109 +24,132 @@ resource "proxmox_lxc" "nixos-template" { rootfs { storage = "local-zfs" - size = "8G" + size = "8G" } network { - name = "eth0" + name = "eth0" bridge = "vmbr0" - ip = "dhcp" + ip = "dhcp" hwaddr = "22:D7:C1:FF:9D:5F" } } resource "proxmox_lxc" "vault" { - target_node = "nuc" - description = "Vault Secrets Management" - hostname = "vault" + target_node = "nuc" + description = "Vault Secrets Management" + hostname = "vault" unprivileged = false # needed for mlock - vmid = "102" - clone = "101" + vmid = "102" + clone = "101" memory = 1024 rootfs { storage = "local-zfs" - size = "8G" + size = "8G" } network { - name = "eth0" + name = "eth0" bridge = "vmbr0" - ip = "dhcp" + ip = "dhcp" hwaddr = "16:2B:87:55:0C:0C" } } resource "proxmox_lxc" "mosquitto" { - target_node = "nuc" - description = "mosquitto mqtt broker" - hostname = "mosquitto" - vmid = 104 - clone = 101 + target_node = "nuc" + description = "mosquitto mqtt broker" + hostname = "mosquitto" + vmid = 104 + clone = 101 unprivileged = true memory = 1024 rootfs { storage = "local-zfs" - size = "8G" + size = "8G" } network { - name = "eth0" + name = "eth0" bridge = "vmbr0" - ip = "dhcp" + ip = "dhcp" hwaddr = "C6:F9:8B:3D:9E:37" } } resource "proxmox_lxc" "nginx" { - target_node = "nuc" - description = "nginx reverse proxy" - hostname = "nginx" - vmid = 106 - clone = 101 + target_node = "nuc" + description = "nginx reverse proxy" + hostname = "nginx" + vmid = 106 + clone = 101 unprivileged = true memory = 512 rootfs { storage = "local-zfs" - size = "8G" + size = "8G" } network { - name = "eth0" + name = "eth0" bridge = "vmbr0" - ip = "dhcp" + ip = "dhcp" hwaddr = "6A:C2:89:85:CF:A6" } } resource "proxmox_vm_qemu" "k3s-node1" { - name = "k3s-node1" + name = "k3s-node1" target_node = "nuc" - vmid = 103 - clone = "bastion" - tablet = false + vmid = 103 + clone = "bastion" + tablet = false memory = 8192 - cores = 4 + cores = 4 agent = 1 - boot = "order=scsi0;ide2;net0" + boot = 
"order=scsi0;ide2;net0" network { - model = "virtio" + model = "virtio" macaddr = "2E:F8:55:23:D9:9B" - bridge = "vmbr0" + bridge = "vmbr0" } disk { - type = "scsi" + type = "scsi" storage = "local-zfs" - size = "64G" - ssd = 1 + size = "64G" + ssd = 1 + } +} + +resource "proxmox_lxc" "consul" { + target_node = "nuc" + description = "consul service mesh" + hostname = "consul" + vmid = 107 + clone = 101 + unprivileged = true + + memory = 512 + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + hwaddr = "D6:DE:07:41:73:81" } }
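Review bot: The only functional change in PATCH 10/10, the new `resource "proxmox_lxc" "consul"` at the end of `main.tf`, is mixed with a whole-file realignment of the `=` signs (it looks like `terraform fmt` output), which is why a commit titled "add consul node" shows 48 deletions. Security-relevant attributes such as `unprivileged` and `pm_tls_insecure` appear here as removed and re-added lines, so a real change to one of them would be easy to miss in review. I would put the formatting in its own commit and keep this one to the consul block.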