# terraform/

Infrastructure provisioning. Terraform owns **VM existence only** — creating and
destroying Proxmox VMs. It writes no DNS records and configures nothing inside a
VM; Ansible owns all of that.

- `modules/proxmox_vm/` — reusable VM module (Proxmox only).
- `modules/hetzner_vm/` — reusable VM module (Hetzner Cloud: server + firewall +
  SSH key + cloud-init).
- `environments/{staging,production}/` — separate state per environment (Proxmox).
  Add a VM by editing `local.vms` in that env's `main.tf`, then `make tf-plan` →
  `tf-apply` → `tf-inventory`. Not yet `terraform init`ed.
- `environments/offsite/` — the off-site Hetzner host (`askari`); the one
  **applied** environment. Use `make tf-* TF_ENV=offsite` and `tf-inventory-offsite`.

Rationale: **ADR-006**. Handoff to Ansible: **ADR-009**. Secrets via `TF_VAR_*`
only — never in `.tfvars`. See `STATUS.md` for what is provisioned.