# Arvandor

Production-grade infrastructure-as-code for running services on Proxmox with enterprise HA patterns.

## Overview

Arvandor provides a complete infrastructure stack:

- **Terraform** - VM provisioning on Proxmox
- **Ansible** - Configuration management
- **Nebula** - Encrypted overlay network
- **Vault** - Secrets management (3-node Raft cluster)
- **PostgreSQL** - Database (3-node Patroni + etcd)
- **Valkey** - Cache/queue (3-node Sentinel)
- **Garage** - S3-compatible storage (3-node cluster)

## Architecture

```
┌─────────────────────────────────────────────────────────────────────────┐
│                              Proxmox Host                               │
├─────────────────────────────────────────────────────────────────────────┤
│  ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐  │
│  │ Management  │   │  Services   │   │    Data     │   │  Workloads  │  │
│  │  1000-1999  │   │  2000-2999  │   │  3000-3999  │   │  4000-4999  │  │
│  │             │   │             │   │             │   │             │  │
│  │ DNS, Caddy  │   │   Vault     │   │ PostgreSQL  │   │  Your Apps  │  │
│  │ Lighthouse  │   │   Gitea     │   │   Valkey    │   │             │  │
│  │             │   │             │   │   Garage    │   │             │  │
│  └──────┬──────┘   └──────┬──────┘   └──────┬──────┘   └──────┬──────┘  │
│         │                 │                 │                 │         │
│         └─────────────────┴────────┬────────┴─────────────────┘         │
│                                    │                                    │
│                     Nebula Overlay (10.10.10.0/24)                      │
└─────────────────────────────────────────────────────────────────────────┘
```

## Quick Start

### 1. Prerequisites

- Proxmox VE host
- Arch Linux VM template (VMID 9000)
- Terraform and Ansible installed locally
- Nebula binaries (`nebula-cert`) for certificate generation

### 2. Configure

```bash
# Clone repository
git clone arvandor
cd arvandor

# Configure Terraform
cp terraform/terraform.tfvars.example terraform/terraform.tfvars
vim terraform/terraform.tfvars

# Configure Ansible
cp ansible/inventory.ini.example ansible/inventory.ini
vim ansible/inventory.ini

# Generate Nebula CA
cd nebula
nebula-cert ca -name "Arvandor CA"
```

### 3. Provision

```bash
# Create VMs
cd terraform
terraform init
terraform plan
terraform apply

# Bootstrap VMs (in order)
cd ../ansible
ansible-playbook -i inventory.ini playbooks/bootstrap.yml
ansible-playbook -i inventory.ini playbooks/security.yml
ansible-playbook -i inventory.ini playbooks/nebula.yml
```

### 4. Deploy Services

```bash
# DNS server
ansible-playbook -i inventory.ini playbooks/dns.yml

# PostgreSQL HA cluster
ansible-playbook -i inventory.ini playbooks/postgres-ha.yml

# Valkey Sentinel
ansible-playbook -i inventory.ini playbooks/valkey-sentinel.yml

# Garage S3
ansible-playbook -i inventory.ini playbooks/garage.yml
```

## Directory Structure

```
arvandor/
├── terraform/           # VM provisioning
│   ├── modules/vm/      # Reusable VM module
│   ├── management.tf    # DNS, Caddy
│   ├── services.tf      # Vault, Gitea
│   └── data.tf          # PostgreSQL, Valkey, Garage
├── ansible/             # Configuration management
│   ├── playbooks/       # Core playbooks
│   ├── templates/       # Jinja2 templates
│   └── vault/           # Ansible Vault secrets
├── nebula/              # Overlay network
│   └── configs/         # Per-host certificates
├── network/             # Host networking
└── docs/                # Documentation
```

## Network Design

### Two-Network Model

| Network | CIDR | Purpose |
|---------|------|---------|
| Bridge (vmbr1) | 192.168.100.0/24 | Provisioning only |
| Nebula | 10.10.10.0/24 | All application traffic |

VMs accept traffic only from the Proxmox host (for Ansible) and from the Nebula overlay, so services stay isolated even if someone gains access to the bridge network.

### Security Groups (Nebula)

| Group | Purpose |
|-------|---------|
| `admin` | Full access (your devices) |
| `infrastructure` | Core services |
| `projects` | Application workloads |
| `games` | Isolated game servers |

## Documentation

- [Getting Started](docs/getting-started.md) - Detailed setup guide
- [Architecture](docs/architecture.md) - Design decisions
- [Provisioning Guide](docs/provisioning-guide.md) - Adding new VMs

## License

MIT
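The security groups listed under Network Design only take effect through each host's Nebula firewall rules. The following is an added example, not a file from the Arvandor repository; it assumes a hypothetical PostgreSQL node `pg1` at 10.10.10.31, a lighthouse at 10.10.10.1, and the default ports for PostgreSQL, Patroni and etcd:

```yaml
# Constructed example (not from the Arvandor repo): /etc/nebula/config.yml on a
# Data-tier PostgreSQL node. Assumed overlay IP 10.10.10.31 and assumed ports:
# 5432 (PostgreSQL), 8008 (Patroni REST API), 2379 (etcd client).
# Nebula evaluates inbound rules on the receiving host against the groups
# in the *sender's* certificate, so a host on the vmbr1 bridge without a
# cert signed by the Arvandor CA never matches any rule.
# The node's cert is issued with its group, e.g.:
#   nebula-cert sign -name "pg1" -ip "10.10.10.31/24" -groups "infrastructure"
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/pg1.crt
  key: /etc/nebula/pg1.key

static_host_map:
  # Lighthouse sits in the Management tier; its public address is a placeholder.
  "10.10.10.1": ["LIGHTHOUSE_PUBLIC_IP:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "10.10.10.1"

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Operators: full access from devices carrying the admin group.
    - port: any
      proto: any
      group: admin
    # Cluster peers: Patroni/etcd replication traffic stays within infrastructure.
    - port: 5432
      proto: tcp
      group: infrastructure
    - port: 8008
      proto: tcp
      group: infrastructure
    - port: 2379
      proto: tcp
      group: infrastructure
    # Application workloads get only the database port.
    - port: 5432
      proto: tcp
      group: projects
    # No rule for games: isolated game servers cannot reach the data tier at all.
```

Because matching is done on the peer certificate's groups rather than on IP addresses, moving a VM between tiers means re-signing its certificate with a different `-groups` value, not editing rules on every host.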