OpenTofu made the box. This makes it Proxmox.
ansible-proxmox is the middle tier of the Proxmox stack. It owns everything that needs to be true about a Proxmox host before any workload runs on it: ZFS, networking, swap and CPU tuning, users, hardening, monitoring agents.

What it does

  • Provisions ZFS pools and datasets with sensible defaults for VM and LXC storage
  • Realizes the OpenTofu node_storage contract (the zfs_pools role): creates datasets, sets quotas, and registers PVE storage — pool creation from raw disks stays a per-host commissioning step
  • Sets up network bonding and bridges to match the homelab topology
  • Applies performance tuning (CPU governor, swap, sysctl) for VM density
  • Installs and configures monitoring agents that feed Splunk via Cribl
  • Hardens the host: SSH config, firewall rules, baseline auditd

How it fits

Upstream: Proxmox provisioning hands over an inventory of new hosts
Downstream: Configured Proxmox hosts ready for Apps on Proxmox

Getting started

1. Clone and enter the dev shell

   git clone https://github.com/JacobPEvans/ansible-proxmox && cd ansible-proxmox && nix develop

2. Point at the OpenTofu inventory

   Ansible reads the host list that tofu-proxmox wrote out. The README covers the exact path and var precedence.

3. Resolve secrets via Doppler

   DOPPLER_TOKEN lets the playbook fetch host passwords, SSH keys, and monitoring tokens at run time. No secrets in git.

4. Run the playbook

   ansible-playbook -i inventory site.yml

   The first run is the slow one; subsequent runs only converge what’s drifted.
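
A preflight wrapper for steps 2 to 4, added here as an example and not part of the ansible-proxmox repository: it refuses to run without DOPPLER_TOKEN, an inventory and the playbook, checks that the token value is not in a git-tracked file, and does a `--check --diff` dry run before converging. The script name `converge.sh`, the function names, and the `inventory` and `site.yml` paths (taken from step 4's command) are assumptions; the README has the exact inventory path.

```shell
#!/bin/sh
# Added example: preflight gate for steps 2-4, then a dry run before converging.
# Assumed names: "inventory" and "site.yml" are taken from step 4's command.

preflight() {  # usage: preflight <inventory> <playbook>; returns number of problems
  pf_problems=0
  if [ -z "${DOPPLER_TOKEN:-}" ]; then
    echo "DOPPLER_TOKEN is unset: the playbook cannot fetch secrets" >&2
    pf_problems=$((pf_problems + 1))
  fi
  if [ ! -e "$1" ]; then
    echo "inventory '$1' not found: has tofu-proxmox written it yet?" >&2
    pf_problems=$((pf_problems + 1))
  fi
  if [ ! -f "$2" ]; then
    echo "playbook '$2' not found: run from the repository root" >&2
    pf_problems=$((pf_problems + 1))
  fi
  # "No secrets in git": refuse to run if the token sits in a tracked file.
  # The pattern goes through stdin so it never shows up in the process list.
  if [ -n "${DOPPLER_TOKEN:-}" ] &&
     git rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     printf '%s\n' "$DOPPLER_TOKEN" | git grep -qF -f - 2>/dev/null; then
    echo "DOPPLER_TOKEN value found in a git-tracked file: rotate it" >&2
    pf_problems=$((pf_problems + 1))
  fi
  return "$pf_problems"
}

converge() {  # usage: converge <inventory> <playbook>
  preflight "$1" "$2" || return 1
  # Dry run first: --check changes nothing, --diff shows what would change.
  ansible-playbook -i "$1" "$2" --check --diff || return 1
  printf 'Apply these changes? [y/N] '
  read -r pf_answer
  [ "$pf_answer" = "y" ] && ansible-playbook -i "$1" "$2"
}

# Only act when invoked as: sh converge.sh run
if [ "${1:-}" = "run" ]; then
  converge inventory site.yml
fi
```

Check mode skips tasks that cannot predict their result, such as raw command tasks, so the dry run can under-report what the real run will change.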

tofu-proxmox

The provisioner. Run this first.

ansible-proxmox-apps

The app deployer. Run this third.

Configuration overview

How all the Ansible repos fit together.

Source on GitHub

Roles, inventory examples, full README.