From 81b5b8d4f1ab4ef210e3ba1138d18e9c44ddbdf2 Mon Sep 17 00:00:00 2001
From: Oleksandr Berezovskyi
Date: Tue, 10 Feb 2026 00:34:12 +0200
Subject: [PATCH] feat(terraform): deploy dev and prod talos VMs to PVE

---
 .gitignore | 5 ++
 terraform/.terraform.lock.hcl | 48 ++++++++++++++++++
 terraform/main.tf | 92 +++++++++++++++++++++++++++++++++++
 terraform/providers.tf | 18 +++++++
 terraform/variables.tf | 22 +++++++++
 5 files changed, 185 insertions(+)
 create mode 100644 terraform/.terraform.lock.hcl
 create mode 100644 terraform/main.tf
 create mode 100644 terraform/providers.tf
 create mode 100644 terraform/variables.tf

diff --git a/.gitignore b/.gitignore
index 7c23b8f..234ab9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,6 @@
 *.env.real
+
+.terraform
+terraform.tfstate
+terraform.tfstate.backup
+*.tfvars
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..2f61bec
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,48 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/bpg/proxmox" {
+ version = "0.95.0"
+ constraints = "0.95.0"
+ hashes = [
+ "h1:8gOZBH6hYhvvr9ycmz8AVdgnABQPEft6q/qj2uIdDR8=",
+ "zh:07439b6c10c48c25357cd574d9db024adb21419865c5b22019a2d0493314b2fb",
+ "zh:29b56acca3df3d1ad1c0d677165192d59ec850c26d013e19a18cc94b11789b39",
+ "zh:35f73b7eeef23867633ee2d687c1cf015eb15ff128fc9527f018aaf0c58ef1ce",
+ "zh:4a479884f6549e8f5b11659c4fe9e3af4fc3f95440d7d8b54335d608361c731f",
+ "zh:4c89f62fb4528f15ae71fc91f792fe5e747ce162e7bf6124f21989d8805a3971",
+ "zh:510ccaaddb1add81563417dcb8f25f364988e8797293d2889b0bdbf623abe01b",
+ "zh:5d791e444e671f6b41c371fddec9d3aba8c8c5c8996ec0864b5aa8678b70feee",
+ "zh:5e655ca1b5d10cfebbe649952d073699005015082de897f3424faa80a9c13667",
+ "zh:71d639eaa7aaa7a6fa68a8bd546d864842c163ff4f2abc48176e287642156d27",
+ "zh:beb1f2ea7ca4e1e42373749b3b1a3dc7bb2bf283001eb9181e162da4f1345b07",
+ "zh:cd8116cfb4988c7157ec2ef18a3fb2bfa1020342fd66f99aa66ef8db678fe09d",
+ "zh:d0e3eacce028554d641ea7bfb857888559f9f92f3dcc00bdd5d8a3bc70768580",
+ "zh:e0eabff8250b428de253f064324fc878a27fa258a79aa76a1b0dab158986cec6",
+ "zh:eef582a3fcc21a7c7c29719ec1f969089f9bba8376a6bb0c8f5aa6c8f89a8ee0",
+ "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
+ ]
+}
+
+provider "registry.terraform.io/siderolabs/talos" {
+ version = "0.10.1"
+ constraints = "0.10.1"
+ hashes = [
+ "h1:1/HTp6cDJWQJzRj8preKQvw3x/qffivOJhZx27OmAig=",
+ "zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d",
+ "zh:349463cdd4cdb36e03276fdb855e687242237c7cf0bd5871aea995a83838c52e",
+ "zh:3885026ef7c1c7012d312fc37a35af70821650b10cef03b8ffd08d22145c117d",
+ "zh:3a5c4ddae27200663d3552daa8db6d6ad91f49746825e0556370f67e2d3ead5a",
+ "zh:456e233aec7d83558255da87ba0b1c7fec81bf71b1aa4e0f35a2787d3f104c2a",
+ "zh:6b781a16764c91259a6646f346cf47e99a31d7eefcdd188b1ea8b287b8fd0531",
+ "zh:6d91f628812ec99a71964f00e83df93f6106b830af111b611b6a0f68ad6987ea",
+ "zh:80430dea846ef82a4fb430abe4f0213ae79f9f38a7a61752bbeeec59c82c1387",
+ "zh:84717212f789a026492b0a4d121fcdf4a15f48916f9500cdb4ffa1f6c26479cc",
+ "zh:a0fcaa3fd515d78cf635884165e111fa37b6300cefb0a6412fb1ed584d88599a",
+ "zh:b0f8dbb8a667e00340ca9566d1bee933097b3b252a1df3737d2fb376964ab8cc",
+ "zh:b8191729e70d5e7e53730f7c499ab16faec23d45969424c1f304bab0f6fcfcb6",
+ "zh:be3b5cfc57abdbab689088b2677516703600a12eaefc02a2355ba9002f80f273",
+ "zh:d53afbcbeaeeed6c7e65477da4daca2cc4ab0c52ad833219c1141f9310325dc2",
+ "zh:f04f8a103f5136bdd6910d531192ad0cb10c8734b519b9e9dff4185d5cc7113e",
+ ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..1436c92
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,92 @@
+resource "proxmox_virtual_environment_download_file" "talos_iso" {
+ content_type = "iso"
+ datastore_id = "local"
+ node_name = "pve"
+ url = "https://github.com/siderolabs/talos/releases/download/v1.12.3/metal-amd64.iso"
+ file_name = "talos-v1.12.3-metal-amd64.iso"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "proxmox_virtual_environment_vm" "talos-vm" {
+ for_each = var.clusters
+
+ name = "talos-${each.key}-node0"
+ tags = ["terraform", "talos", each.key]
+ node_name = "pve"
+
+ bios = "ovmf"
+ boot_order = ["scsi0", "ide3"]
+
+ cpu {
+ cores = each.value.cores
+ type = "host"
+ }
+ memory {
+ dedicated = each.value.memory
+ }
+
+ network_device {
+ mac_address = each.value.mac_address
+ }
+
+ cdrom {
+ interface = "ide3"
+ file_id = proxmox_virtual_environment_download_file.talos_iso.id
+ }
+
+ disk {
+ interface = "scsi0"
+ size = each.value.disk_size_gb
+ datastore_id = each.value.datastore_id
+ }
+
+ efi_disk {
+ datastore_id = each.value.datastore_id
+ }
+}
+
+resource "talos_machine_secrets" "secrets" {
+ for_each = var.clusters
+}
+
+data "talos_machine_configuration" "machine-config" {
+ for_each = var.clusters
+
+ cluster_name = "talos-${each.key}"
+ machine_type = "controlplane"
+ cluster_endpoint = "https://${each.value.hostname}:6443"
+ machine_secrets = talos_machine_secrets.secrets[each.key].machine_secrets
+
+}
+
+resource "talos_machine_configuration_apply" "talos-config" {
+ depends_on = [proxmox_virtual_environment_vm.talos-vm]
+
+ for_each = var.clusters
+
+ node = each.value.hostname
+ client_configuration = talos_machine_secrets.secrets[each.key].client_configuration
+ machine_configuration_input = data.talos_machine_configuration.machine-config[each.key].machine_configuration
+}
+
+resource "talos_machine_bootstrap" "talos-bootstrap" {
+ depends_on = [talos_machine_configuration_apply.talos-config]
+
+ for_each = var.clusters
+
+ node = each.value.hostname
+ client_configuration = talos_machine_secrets.secrets[each.key].client_configuration
+}
+
+data "talos_cluster_health" "talos-health" {
+ depends_on = [talos_machine_bootstrap.talos-bootstrap]
+
+ for_each = var.clusters
+
+ client_configuration = talos_machine_secrets.secrets[each.key].client_configuration
+ control_plane_nodes = [each.value.ip_address]
+ endpoints = [each.value.hostname]
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..5d68ead
--- /dev/null
+++ b/terraform/providers.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ version = "0.95.0"
+ }
+ talos = {
+ source = "siderolabs/talos"
+ version = "0.10.1"
+ }
+ }
+}
+
+provider "proxmox" {
+ endpoint = var.proxmox_endpoint
+ api_token = var.proxmox_api_token
+ insecure = true
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..9d5ad9d
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,22 @@
+variable "proxmox_endpoint" {
+ description = "The Proxmox API endpoint URL"
+ type = string
+}
+
+variable "proxmox_api_token" {
+ description = "The Proxmox API token"
+ type = string
+ sensitive = false
+}
+
+variable "clusters" {
+ type = map(object({
+ cores = number
+ memory = number
+ disk_size_gb = number
+ hostname = string
+ mac_address = string
+ ip_address = string
+ datastore_id = string
+ }))
+}
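Review bot: In terraform/main.tf, `proxmox_virtual_environment_download_file.talos_iso` fetches the Talos ISO by URL with no integrity pin, so whatever the node receives from that URL becomes the boot medium for every VM in `var.clusters`. The resource accepts `checksum` and `checksum_algorithm`; adding `checksum_algorithm = "sha256"` and `checksum = "<sha256 of metal-amd64.iso taken from the v1.12.3 release checksums>"` makes the download fail closed on a mismatch. Separately, `talos_machine_secrets.secrets` places each cluster's secrets and client configuration in Terraform state. The .gitignore change keeps the local state files out of git, but local state is plaintext, so it needs restricted file permissions or an encrypted backend.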
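Review bot: `insecure = true` in the `provider "proxmox"` block of terraform/providers.tf turns off TLS certificate verification for `var.proxmox_endpoint`, so the API token is presented to whichever host answers at that address. Prefer leaving verification on and trusting the PVE certificate's CA on the machine that runs Terraform. If a self-signed lab setup needs the escape hatch, expose it as `insecure = var.proxmox_insecure` with `default = false` and add a comment saying why it exists.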
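Review bot: `proxmox_api_token` in terraform/variables.tf is declared with `sensitive = false`, which lets Terraform print the token in plan and apply output and in any CI log that captures it; this should be `sensitive = true`. That setting only redacts CLI output, so the value should still come from an untracked tfvars file or `TF_VAR_proxmox_api_token`. The `clusters` variable has no `description`; a line such as `description = "Per-environment Talos node settings, keyed by cluster name (e.g. dev, prod)"` would document the map key that main.tf interpolates into VM and cluster names.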