commit cb67816eee9895b91a2c0a4aaaefac4bbf80d114
Author: Ben Vincent <ben@unkin.net>
Date:   Fri May 30 22:36:55 2025 +1000

    feat: initial commit
    
    - have been working on this for some time now

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..342004f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.terraform
+.terraform.lock.hcl
+.terragrunt-cache
+plans
+.venv
+env
+venv
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..f59e8f3
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,63 @@
+SHELL := /bin/bash
+ENVIRONMENT ?= au-syd1
+ENV_DIR = environments/$(ENVIRONMENT)
+
+.PHONY: clean init plan apply venv hiera output
+
+define vault_env
+	@export VAULT_ADDR="https://vault.service.consul:8200" && \
+	export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
+	export PUPPET_CERT_CA=$$(vault kv get -field=public_key kv/service/puppet/certificates/ca) && \
+	export PUPPET_CERT_PUB=$$(vault kv get -field=public_key kv/service/puppet/certificates/terraform) && \
+	export PUPPET_CERT_PRIV=$$(vault kv get -field=private_key kv/service/puppet/certificates/terraform) && \
+	export TERRAGRUNT_EXCLUDE_DIR="templates/base" \
+	export $$(vault read -format=json kv/data/service/terraform/incus | jq -r '.data.data | to_entries[] | "\(.key)=\(.value)"')
+endef
+
+clean:
+	@echo "Cleaning Terraform files..."
+	@find ./ -wholename '*.terragrunt-cache*' -delete
+	@find ./ -name 'terragrunt_rendered.json' -delete
+	@echo "Cleaning Python VENV..."
+	@rm -rf .venv
+
+init:
+	@$(call vault_env) && \
+	terragrunt run-all --terragrunt-non-interactive init --upgrade
+
+plan: init
+	@$(call vault_env) && \
+	terragrunt run-all --terragrunt-non-interactive plan
+
+apply:
+	@$(call vault_env) && \
+	terragrunt run-all --terragrunt-parallelism 5 --terragrunt-non-interactive apply
+
+output:
+	@$(call vault_env) && \
+	rm -f tf_outputs.json && \
+	terragrunt run-all --terragrunt-parallelism 10 --terragrunt-non-interactive output -json >> tf_outputs.json
+
+hiera:
+	@echo "Setting up virtual environment with uv..."
+	uv venv .venv && \
+		source .venv/bin/activate && \
+		uv pip install -r ci/autonode/requirements.txt
+
+	@echo "Running update_hiera"
+	.venv/bin/python ci/autonode/update_hiera.py \
+	  --output-json tf_outputs.json \
+	  --repo-url https://git.query.consul/unkinben/puppet-prod.git \
+	  --clone-path $$(mktemp) \
+	  --commit-template "Add Hiera config for {{ vmname }}" \
+	  --file-template ci/autonode/templates/node.yaml.j2 \
+	  --base-branch develop
+
+venv:
+	uv venv --python 3.12 venv && \
+	source venv/bin/activate && \
+	uv pip install -r ci/requirements.txt
+
+list:
+	source venv/bin/activate && \
+	python ci/review.py
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ea0f885
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+## Hierarchy:
+
+```
+.
+├── config/                          # Root for configuration data
+│   ├── globals/                     # Common resources shared across projects
+│   │   ├── images/                  # Image configurations
+│   │   │   └── <image_name>/         # Specific image folder
+│   │   │       ├── terragrunt.hcl   # Image Terragrunt configuration
+│   │   │       └── config.yaml      # Image configuration file
+│   │   ├── networks/                # Network configurations
+│   │   │   └── <network_name>/       # Specific network folder
+│   │   │       ├── terragrunt.hcl   # Network Terragrunt configuration
+│   │   │       └── config.yaml      # Network configuration file
+│   │   └── profiles/                # Profile configurations
+│   │       └── <profile_name>/       # Specific profile folder
+│   │           ├── terragrunt.hcl   # Profile Terragrunt configuration
+│   │           └── config.yaml      # Profile configuration file
+│   └── nodes/                       # Node-level configuration
+│       └── <project_name>/          # Project folder (e.g., "infra")
+│           ├── config.yaml          # Project-level configuration file
+│           ├── terragrunt.hcl       # Project-level Terragrunt configuration
+│           └── <instance_name>/     # Instance-specific folder under the project
+│               ├── terragrunt.hcl   # Instance-level Terragrunt configuration
+│               └── config.yaml      # Instance-specific configuration file
+├── modules/                         # Terraform modules
+└── root.hcl                         # Root configuration file (provider, backend, etc.)
+```
diff --git a/ci/autonode/requirements.txt b/ci/autonode/requirements.txt
new file mode 100644
index 0000000..7f7afbf
--- /dev/null
+++ b/ci/autonode/requirements.txt
@@ -0,0 +1 @@
+jinja2
diff --git a/ci/autonode/templates/node.yaml.j2 b/ci/autonode/templates/node.yaml.j2
new file mode 100644
index 0000000..360ebe9
--- /dev/null
+++ b/ci/autonode/templates/node.yaml.j2
@@ -0,0 +1,8 @@
+---
+networking::interfaces:
+  {{ interface }}:
+    ipaddress: {{ ipaddress }}
+
+networking::routes:
+  default:
+    gateway: {{ gateway }}
diff --git a/ci/autonode/update_hiera.py b/ci/autonode/update_hiera.py
new file mode 100644
index 0000000..aaf7e5e
--- /dev/null
+++ b/ci/autonode/update_hiera.py
@@ -0,0 +1,170 @@
+import json
+import argparse
+import subprocess
+from pathlib import Path
+from jinja2 import Template
+
+### ========== GITOPS FUNCTIONS ==========
+
+def run_command(command, cwd=None):
+    result = subprocess.run(command, cwd=cwd, shell=True, capture_output=True, text=True)
+    if result.returncode != 0:
+        raise Exception(f"Command '{command}' failed: {result.stderr}")
+    return result.stdout.strip()
+
+def clone(repo_url, clone_path: Path):
+    run_command(f"git clone {repo_url} {clone_path}")
+
+def checkout_base_branch(clone_path: Path, base_branch: str = "develop"):
+    print(f"🔁 Checking out base branch: {base_branch}")
+    run_command(f"git checkout {base_branch}", cwd=clone_path)
+
+def checkout_branch(clone_path: Path, branch_name: str):
+    run_command(f"git checkout -b {branch_name}", cwd=clone_path)
+
+def add(clone_path: Path, file_path: Path):
+    rel_path = file_path.relative_to(clone_path)
+    run_command(f"git add {rel_path}", cwd=clone_path)
+
+def commit(clone_path: Path, commit_message: str):
+    run_command(f'git commit -m "{commit_message}"', cwd=clone_path)
+
+def push(clone_path: Path, branch_name: str):
+    run_command(f"git push origin {branch_name}", cwd=clone_path)
+
+def create_file_from_template(file_path: Path, template_content: str, context: dict, dryrun: bool):
+    template = Template(template_content)
+    rendered = template.render(context)
+    if dryrun:
+        print(f"\n📝 Would write to {file_path}:\n{rendered}")
+    else:
+        file_path.parent.mkdir(parents=True, exist_ok=True)
+        file_path.write_text(rendered)
+
+def cleanup(clone_path: Path):
+    run_command(f"rm -rf {clone_path}")
+
+### ========== NODE OPERATION ==========
+
+def process_node(vmname: str, ipaddress: str, gateway: str, clone_path: Path,
+                 commit_template: str, file_template: str, dryrun: bool):
+
+    file_rel_path = Path(f"hieradata/nodes/{vmname}.yaml")
+    file_path = clone_path / file_rel_path
+    branch_name = f"autonode/{vmname}"
+
+    if file_path.exists() and not dryrun:
+        print(f"⚠️  Skipping {vmname}: {file_path} already exists.")
+        return
+
+    print(f"\n🌿 Creating branch: {branch_name}")
+    checkout_branch(clone_path, branch_name)
+
+    print(f"📝 Rendering YAML for {vmname}")
+    create_file_from_template(
+        file_path,
+        file_template,
+        {
+            "ipaddress": ipaddress,
+            "gateway": gateway,
+            "interface": "eth0"
+        },
+        dryrun
+    )
+
+    if dryrun:
+        print(f"💤 Dry run: skipping add/commit/push for {vmname}")
+        return
+
+    print(f"➕ Adding {file_rel_path}")
+    add(clone_path, file_path)
+
+    commit_msg = Template(commit_template).render({"vmname": vmname})
+    print(f"✅ Committing: {commit_msg}")
+    commit(clone_path, commit_msg)
+
+    print(f"🚀 Pushing {branch_name}")
+    push(clone_path, branch_name)
+
+
+def load_broken_tf_outputs(file_path: Path):
+    """Handles newline-separated JSON objects (non-standard tf_outputs.json format)."""
+    objects = []
+    buffer = ""
+    for line in file_path.read_text().splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        buffer += line
+        if buffer.endswith("}"):
+            try:
+                obj = json.loads(buffer)
+                objects.append(obj)
+                buffer = ""
+            except json.JSONDecodeError:
+                buffer += " "  # accumulate more lines until it's valid
+    return objects
+
+### ========== MAIN CLI SCRIPT ==========
+
+def main():
+    parser = argparse.ArgumentParser(description="Generate Hiera node YAMLs and push to Git")
+    parser.add_argument("--output-json", required=True, type=Path, help="Terragrunt JSON outputs")
+    parser.add_argument("--repo-url", required=True, help="Git repo URL")
+    parser.add_argument("--clone-path", required=True, type=Path, help="Temp clone path")
+    parser.add_argument("--commit-template", required=True, help="Commit message Jinja2 template")
+    parser.add_argument("--file-template", required=True, type=Path, help="Path to Jinja2 YAML template")
+    parser.add_argument("--dry-run", action="store_true", help="Do not write or push, just preview")
+    parser.add_argument("--base-branch", default="develop", help="Base branch to branch off (default: develop)")
+
+    args = parser.parse_args()
+
+    if args.clone_path.exists():
+        print(f"🧹 Removing existing clone at {args.clone_path}")
+        cleanup(args.clone_path)
+
+    print(f"📥 Cloning repo to {args.clone_path}")
+    clone(args.repo_url, args.clone_path)
+
+    file_template = args.file_template.read_text()
+    # Use loader
+    parsed_objects = load_broken_tf_outputs(args.output_json)
+
+    # Flatten into merged format using hostnames
+    merged_outputs = {}
+    for obj in parsed_objects:
+        if "vm_metadata" in obj and "value" in obj["vm_metadata"]:
+            hostname = obj["vm_metadata"]["value"]["hostname"]
+            merged_outputs[f"vm_metadata_{hostname}"] = obj["vm_metadata"]
+
+    for module_path, data in merged_outputs.items():
+        if "value" not in data:
+            print(f"⏭️  Skipping {module_path}: missing 'value'")
+            continue
+
+        node = data["value"]
+        vmname = node["hostname"]
+        ip = node["ipaddress"]
+        gw = node["gateway"]
+
+        checkout_base_branch(args.clone_path, args.base_branch)
+
+        print(f"\n🔧 Processing {vmname} ({ip})")
+        process_node(
+            vmname=vmname,
+            ipaddress=ip,
+            gateway=gw,
+            clone_path=args.clone_path,
+            commit_template=args.commit_template,
+            file_template=file_template,
+            dryrun=args.dry_run
+        )
+
+    if not args.dry_run:
+        print(f"\n🧹 Cleaning up: {args.clone_path}")
+        cleanup(args.clone_path)
+
+    print("\n🏁 All done!")
+
+if __name__ == "__main__":
+    main()
diff --git a/ci/requirements.txt b/ci/requirements.txt
new file mode 100644
index 0000000..1c7cd91
--- /dev/null
+++ b/ci/requirements.txt
@@ -0,0 +1,4 @@
+python-hcl2==7.2.0
+pyyaml==6.0.2
+rich==14.0.0
+typer==0.15.3
diff --git a/ci/review.py b/ci/review.py
new file mode 100644
index 0000000..5e26a00
--- /dev/null
+++ b/ci/review.py
@@ -0,0 +1,73 @@
+from pathlib import Path
+import yaml
+import hcl2
+from collections import defaultdict
+from rich.console import Console
+from rich.tree import Tree
+import typer
+import re
+
+# Define the root paths
+INSTANCES_DIR = Path("config/instances")
+
+def extract_node_name(hcl_path):
+    text = hcl_path.read_text()
+    match = re.search(r'node_name\s*=\s*"([^"]+)"', text)
+    if match:
+        return match.group(1)
+    return None
+
+# Function to extract cobbler_mgmt_classes and profiles from config.yaml
+def extract_config_data(config_path):
+    with config_path.open("r") as f:
+        config = yaml.safe_load(f)
+    return (
+        config.get("cobbler_mgmt_classes", []),
+        config.get("profiles", []),
+    )
+
+# Build a dictionary mapping node_name to instances and their metadata
+def build_node_tree():
+    tree_data = defaultdict(list)
+    for instance_dir in INSTANCES_DIR.iterdir():
+        if not instance_dir.is_dir() or instance_dir.name in {"template"}:
+            continue
+
+        config_path = instance_dir / "config.yaml"
+        hcl_path = instance_dir / "terragrunt.hcl"
+
+        if not config_path.exists() or not hcl_path.exists():
+            continue
+
+        node_name = extract_node_name(hcl_path)
+        if not node_name:
+            continue
+
+        classes, profiles = extract_config_data(config_path)
+        tree_data[node_name].append({
+            "instance": instance_dir.name,
+            "classes": classes,
+            "profiles": profiles
+        })
+    return tree_data
+
+# CLI using Typer
+app = typer.Typer()
+console = Console()
+
+@app.command()
+def show():
+    data = build_node_tree()
+    root = Tree("📦 [bold blue]Node Overview[/bold blue]")
+    for node, instances in sorted(data.items()):
+        node_branch = root.add(f"[bold green]{node}[/bold green]")
+        for inst in sorted(instances, key=lambda x: x['instance']):
+            inst_branch = node_branch.add(f"[cyan]{inst['instance']}[/cyan]")
+            if inst['classes']:
+                inst_branch.add(f"🛠️ classes: {', '.join(inst['classes'])}")
+            if inst['profiles']:
+                inst_branch.add(f"📋 profiles: {', '.join(inst['profiles'])}")
+    console.print(root)
+
+if __name__ == "__main__":
+    app()
diff --git a/ci/set_node_env.sh b/ci/set_node_env.sh
new file mode 100755
index 0000000..6dd61c9
--- /dev/null
+++ b/ci/set_node_env.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+# Find repo root
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || true)
+
+if [ -z "$REPO_ROOT" ]; then
+  echo "❗ Could not detect Git repo root. Are you inside a Git repo?"
+  exit 2
+fi
+
+# Go up three directories from the current folder
+pushd ../../../
+INSTANCE_DIR=$(pwd)
+INSTANCE_NAME="$(basename $(pwd))"
+popd
+
+echo "🔎 Detected instance: $INSTANCE_NAME"
+
+# Find the real terragrunt.hcl location
+TERRAGRUNT_HCL="${INSTANCE_DIR}/terragrunt.hcl"
+
+if [ ! -f "$TERRAGRUNT_HCL" ]; then
+  echo "❗ terragrunt.hcl not found at expected location: $TERRAGRUNT_HCL"
+  exit 3
+fi
+
+# Extract node_name from terragrunt.hcl
+NODE_NAME=$(grep 'node_name *= *' "$TERRAGRUNT_HCL" | sed -E 's/.*=\s*"([^"]+)".*/\1/')
+
+if [ -z "$NODE_NAME" ]; then
+  echo "❗ node_name not found in $TERRAGRUNT_HCL"
+  exit 4
+fi
+
+# Set config file path
+YAML_FILE="${REPO_ROOT}/config/nodes/${NODE_NAME}/config.yaml"
+
+if [ ! -f "$YAML_FILE" ]; then
+  echo "❗ Config file $YAML_FILE not found!"
+  exit 5
+fi
+
+echo "✔️ Exporting environment variables from $YAML_FILE"
+
+# Export vars
+export NODE_ADDR=$(yq eval '.node_addr' "$YAML_FILE")
+export NODE_PORT=$(yq eval '.node_port' "$YAML_FILE")
+export NODE_NAME="${NODE_NAME}"
+
+# Echo for debugging
+echo "NODE_ADDR=$NODE_ADDR"
+echo "NODE_PORT=$NODE_PORT"
+echo "NODE_NAME=$NODE_NAME"
diff --git a/config/globals/images.yaml b/config/globals/images.yaml
new file mode 100644
index 0000000..cc91030
--- /dev/null
+++ b/config/globals/images.yaml
@@ -0,0 +1,8 @@
+almalinux/8/cloud:
+  remote: images
+  aliases:
+    - almalinux8
+almalinux/9/cloud:
+  remote: images
+  aliases:
+    - almalinux9
diff --git a/config/globals/networks.yaml b/config/globals/networks.yaml
new file mode 100644
index 0000000..3a15950
--- /dev/null
+++ b/config/globals/networks.yaml
@@ -0,0 +1,21 @@
+brwan1:
+  type: bridge
+  config:
+    bridge.mtu: 1500
+    ipv4.nat: false
+    dns.mode: none
+    dns.domain: main.unkin.net
+brcom1:
+  type: bridge
+  config:
+    bridge.mtu: 1500
+    ipv4.nat: false
+    dns.mode: none
+    dns.domain: main.unkin.net
+brdmz1:
+  type: bridge
+  config:
+    bridge.mtu: 1500
+    ipv4.nat: false
+    dns.mode: none
+    dns.domain: main.unkin.net
diff --git a/config/globals/profiles.yaml b/config/globals/profiles.yaml
new file mode 100644
index 0000000..4ddad4a
--- /dev/null
+++ b/config/globals/profiles.yaml
@@ -0,0 +1,321 @@
+# special devices
+gpu:
+  description: "Pass-through Intel GPU"
+  project: null
+  config: {}
+  devices:
+    - type: gpu
+      name: intel_gpu
+      properties:
+        gputype: physical
+        vendorid: "8086"
+        uid: "0"
+        gid: "39"
+        mode: "0660"
+gpu-render-only:
+  description: "Pass /dev/dri/renderD128 for headless VAAPI workloads"
+  project: null
+  config: {}
+  devices:
+    - type: unix-char
+      name: renderD128
+      properties:
+        source: /dev/dri/renderD128
+        path: /dev/dri/renderD128
+        uid: "0"
+        gid: "39"
+        mode: "0660"
+kvm:
+  description: "Pass-through /dev/kvm to container"
+  project: null
+  config: {}
+  devices:
+    - type: unix-char
+      name: kvm
+      properties:
+        path: /dev/kvm
+        mode: "0666"
+fuse:
+  description: "Pass-through /dev/fuse to container"
+  project: null
+  config: {}
+  devices:
+    - type: unix-char
+      name: fuse
+      properties:
+        path: /dev/fuse
+        mode: "0666"
+kmsg:
+  description: "Pass-through /dev/kmsg to container"
+  project: null
+  config: {}
+  devices:
+    - type: unix-char
+      name: kmsg
+      properties:
+        path: /dev/kmsg
+        mode: "0660"
+tun:
+  description: "Pass-through /dev/net/tun to container"
+  project: null
+  config: {}
+  devices:
+    - type: unix-char
+      name: tun
+      properties:
+        path: /dev/net/tun
+        mode: "0666"
+sys_fs_rw:
+  description: "Enable read-write mount of the /sys filesystem"
+  project: null
+  config:
+    raw.lxc: |
+      lxc.mount.auto=sys:rw
+  devices: []
+docker:
+  description: "Enable Docker inside unprivileged container"
+  project: null
+  config:
+    security.nesting: true
+    security.syscalls.intercept.mknod: true
+    security.syscalls.intercept.setxattr: true
+    linux.kernel_modules: overlay,ip_tables,br_netfilter,nf_nat,xt_conntrack
+  devices: []
+
+# cephfs
+shared_media_all:
+  description: "Mount /shared/media directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: media-all
+      properties:
+        source: /shared/media
+        path: /shared/media
+shared_media_movies:
+  description: "Mount /shared/media/movies directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: media-movies
+      properties:
+        source: /shared/media/movies
+        path: /shared/media/movies
+shared_media_tvseries:
+  description: "Mount /shared/media/tvseries directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: media-tvseries
+      properties:
+        source: /shared/media/tvseries
+        path: /shared/media/tvseries
+shared_apps_gitea:
+  description: "Mount /shared/apps/gitea directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: gitea-shared
+      properties:
+        source: /shared/apps/gitea
+        path: /shared/apps/gitea
+shared_apps_nomad:
+  description: "Mount /shared/apps/nomad directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: nomad-shared
+      properties:
+        source: /shared/apps/nomad
+        path: /shared/apps/nomad
+shared_apps_packagerepo:
+  description: "Mount /shared/apps/packagerepo directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: packagerepo-shared
+      properties:
+        source: /shared/apps/packagerepo
+        path: /shared/apps/packagerepo
+shared_apps_jellyfin:
+  description: "Mount /shared/apps/jellyfin directly into the container"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: jellyfin-shared
+      properties:
+        source: /shared/apps/jellyfin
+        path: /shared/apps/jellyfin
+
+# storage
+disk10:
+  description: "Add 10GB root disk"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: root
+      properties:
+        pool: fastpool
+        size: 10GB
+        path: /
+disk20:
+  description: "Add 20GB root disk"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: root
+      properties:
+        pool: fastpool
+        size: 20GB
+        path: /
+disk30:
+  description: "Add 30GB root disk"
+  project: null
+  config: {}
+  devices:
+    - type: disk
+      name: root
+      properties:
+        pool: fastpool
+        size: 30GB
+        path: /
+# networking
+net_wan1_eth0:
+  description: "Add eth0 on wan1 bridge"
+  project: null
+  config: {}
+  devices:
+    - type: nic
+      name: eth0
+      properties:
+        parent: brwan1
+        nictype: bridged
+net_com1_eth0:
+  description: "Add eth0 on com1 bridge"
+  project: null
+  config: {}
+  devices:
+    - type: nic
+      name: eth0
+      properties:
+        parent: brcom1
+        nictype: bridged
+net_com1_eth1:
+  description: "Add eth1 on com1 bridge"
+  project: null
+  config: {}
+  devices:
+    - type: nic
+      name: eth1
+      properties:
+        parent: brcom1
+        nictype: bridged
+net_dmz1_eth0:
+  description: "Add eth0 on dmz1 bridge"
+  project: null
+  config: {}
+  devices:
+    - type: nic
+      name: eth0
+      properties:
+        parent: brdmz1
+        nictype: bridged
+net_dmz1_eth1:
+  description: "Add eth1 on dmz1 bridge"
+  project: null
+  config: {}
+  devices:
+    - type: nic
+      name: eth1
+      properties:
+        parent: brdmz1
+        nictype: bridged
+# cpu/memory
+1core256:
+  description: "1 core, 256MB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 1
+    limits.memory: 256MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+1core512:
+  description: "1 core, 512MB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 1
+    limits.memory: 512MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+1core1024:
+  description: "1 core, 1GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 1
+    limits.memory: 1024MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+2core1024:
+  description: "2 cores, 1GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 2
+    limits.memory: 1024MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+2core2048:
+  description: "2 cores, 2GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 2
+    limits.memory: 2048MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+2core4096:
+  description: "2 cores, 4GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 2
+    limits.memory: 4096MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+4core4096:
+  description: "4 cores, 4GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 4
+    limits.memory: 4096MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
+4core8192:
+  description: "4 cores, 8GB RAM"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 4
+    limits.memory: 8192MB
+    limits.memory.enforce: hard
+    limits.memory.swap: false
+  devices: []
diff --git a/config/globals/storage_pools.yaml b/config/globals/storage_pools.yaml
new file mode 100644
index 0000000..3599001
--- /dev/null
+++ b/config/globals/storage_pools.yaml
@@ -0,0 +1,5 @@
+fastpool:
+  driver: zfs
+  description: nvme backed zfs store
+  config:
+    source: fastpool/data/incus
diff --git a/config/globals/storage_volumes.yaml b/config/globals/storage_volumes.yaml
new file mode 100644
index 0000000..afac5e5
--- /dev/null
+++ b/config/globals/storage_volumes.yaml
@@ -0,0 +1,8 @@
+imagestore:
+  pool: fastpool
+  description: location to store images
+hashicorp-vault:
+  pool: fastpool
+  description: store passed to vault servers
+  config:
+    size: 20GB
diff --git a/config/instances.hcl b/config/instances.hcl
new file mode 100644
index 0000000..27bb759
--- /dev/null
+++ b/config/instances.hcl
@@ -0,0 +1,21 @@
+locals {
+  puppet_cert_ca   = get_env("PUPPET_CERT_CA")
+  puppet_cert_pub  = get_env("PUPPET_CERT_PUB")
+  puppet_cert_priv = get_env("PUPPET_CERT_PRIV")
+  puppetdb_url     = get_env("PUPPETDB_URL")
+  puppetca_url     = get_env("PUPPETCA_URL")
+  cobbler_url      = get_env("COBBLER_URL")
+  cobbler_password = get_env("COBBLER_PASSWORD")
+  cobbler_username = get_env("COBBLER_USERNAME")
+}
+
+inputs = {
+  puppet_cert_ca   = local.puppet_cert_ca
+  puppet_cert_pub  = local.puppet_cert_pub
+  puppet_cert_priv = local.puppet_cert_priv
+  puppetdb_url     = local.puppetdb_url
+  puppetca_url     = local.puppetca_url
+  cobbler_url      = local.cobbler_url
+  cobbler_username = local.cobbler_username
+  cobbler_password = local.cobbler_password
+}
diff --git a/config/instances/ausyd1nxvm2000/config.yaml b/config/instances/ausyd1nxvm2000/config.yaml
new file mode 100644
index 0000000..59cf2e1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2000/config.yaml
@@ -0,0 +1,14 @@
+description: Hashicorp Vault Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::vault
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+disk_devices:
+  - name: hashicorp-vault
+    type: disk
+    properties:
+      path: /data
+      source: hashicorp-vault
+      pool: fastpool
diff --git a/config/instances/ausyd1nxvm2000/terragrunt.hcl b/config/instances/ausyd1nxvm2000/terragrunt.hcl
new file mode 100644
index 0000000..1b18bba
--- /dev/null
+++ b/config/instances/ausyd1nxvm2000/terragrunt.hcl
@@ -0,0 +1,56 @@
+locals {
+  node_name         = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+  #before_hook "load_node_Venv" {
+  #  commands = ["apply", "plan", "destroy", "init"]
+  #  execute  = ["bash", "-c", "../../../../../../ci/set_node_env.sh"]
+  #}
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2001/config.yaml b/config/instances/ausyd1nxvm2001/config.yaml
new file mode 100644
index 0000000..59cf2e1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2001/config.yaml
@@ -0,0 +1,14 @@
+description: Hashicorp Vault Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::vault
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+disk_devices:
+  - name: hashicorp-vault
+    type: disk
+    properties:
+      path: /data
+      source: hashicorp-vault
+      pool: fastpool
diff --git a/config/instances/ausyd1nxvm2001/terragrunt.hcl b/config/instances/ausyd1nxvm2001/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2001/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2002/config.yaml b/config/instances/ausyd1nxvm2002/config.yaml
new file mode 100644
index 0000000..59cf2e1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2002/config.yaml
@@ -0,0 +1,14 @@
+description: Hashicorp Vault Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::vault
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+disk_devices:
+  - name: hashicorp-vault
+    type: disk
+    properties:
+      path: /data
+      source: hashicorp-vault
+      pool: fastpool
diff --git a/config/instances/ausyd1nxvm2002/terragrunt.hcl b/config/instances/ausyd1nxvm2002/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2002/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2003/config.yaml b/config/instances/ausyd1nxvm2003/config.yaml
new file mode 100644
index 0000000..59cf2e1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2003/config.yaml
@@ -0,0 +1,14 @@
+description: Hashicorp Vault Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::vault
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+disk_devices:
+  - name: hashicorp-vault
+    type: disk
+    properties:
+      path: /data
+      source: hashicorp-vault
+      pool: fastpool
diff --git a/config/instances/ausyd1nxvm2003/terragrunt.hcl b/config/instances/ausyd1nxvm2003/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2003/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2004/config.yaml b/config/instances/ausyd1nxvm2004/config.yaml
new file mode 100644
index 0000000..59cf2e1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2004/config.yaml
@@ -0,0 +1,14 @@
+description: Hashicorp Vault Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::vault
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+disk_devices:
+  - name: hashicorp-vault
+    type: disk
+    properties:
+      path: /data
+      source: hashicorp-vault
+      pool: fastpool
diff --git a/config/instances/ausyd1nxvm2004/terragrunt.hcl b/config/instances/ausyd1nxvm2004/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2004/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2005/config.yaml b/config/instances/ausyd1nxvm2005/config.yaml
new file mode 100644
index 0000000..077f649
--- /dev/null
+++ b/config/instances/ausyd1nxvm2005/config.yaml
@@ -0,0 +1,13 @@
+description: Hashicorp Consul Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::consul
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  consul:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2005/terragrunt.hcl b/config/instances/ausyd1nxvm2005/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2005/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2006/config.yaml b/config/instances/ausyd1nxvm2006/config.yaml
new file mode 100644
index 0000000..077f649
--- /dev/null
+++ b/config/instances/ausyd1nxvm2006/config.yaml
@@ -0,0 +1,13 @@
+description: Hashicorp Consul Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::consul
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  consul:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2006/terragrunt.hcl b/config/instances/ausyd1nxvm2006/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2006/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2007/config.yaml b/config/instances/ausyd1nxvm2007/config.yaml
new file mode 100644
index 0000000..077f649
--- /dev/null
+++ b/config/instances/ausyd1nxvm2007/config.yaml
@@ -0,0 +1,13 @@
+description: Hashicorp Consul Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::consul
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  consul:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2007/terragrunt.hcl b/config/instances/ausyd1nxvm2007/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2007/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2008/config.yaml b/config/instances/ausyd1nxvm2008/config.yaml
new file mode 100644
index 0000000..077f649
--- /dev/null
+++ b/config/instances/ausyd1nxvm2008/config.yaml
@@ -0,0 +1,13 @@
+description: Hashicorp Consul Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::consul
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  consul:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2008/terragrunt.hcl b/config/instances/ausyd1nxvm2008/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2008/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2009/config.yaml b/config/instances/ausyd1nxvm2009/config.yaml
new file mode 100644
index 0000000..077f649
--- /dev/null
+++ b/config/instances/ausyd1nxvm2009/config.yaml
@@ -0,0 +1,13 @@
+description: Hashicorp Consul Server
+cobbler_mgmt_classes:
+  - roles::infra::storage::consul
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  consul:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2009/terragrunt.hcl b/config/instances/ausyd1nxvm2009/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2009/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2010/config.yaml b/config/instances/ausyd1nxvm2010/config.yaml
new file mode 100644
index 0000000..3d18d33
--- /dev/null
+++ b/config/instances/ausyd1nxvm2010/config.yaml
@@ -0,0 +1,7 @@
+description: PuppetDB API
+cobbler_mgmt_classes:
+  - roles::infra::puppetdb::api
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2010/terragrunt.hcl b/config/instances/ausyd1nxvm2010/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2010/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2011/config.yaml b/config/instances/ausyd1nxvm2011/config.yaml
new file mode 100644
index 0000000..3d18d33
--- /dev/null
+++ b/config/instances/ausyd1nxvm2011/config.yaml
@@ -0,0 +1,7 @@
+description: PuppetDB API
+cobbler_mgmt_classes:
+  - roles::infra::puppetdb::api
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2011/terragrunt.hcl b/config/instances/ausyd1nxvm2011/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2011/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2012/config.yaml b/config/instances/ausyd1nxvm2012/config.yaml
new file mode 100644
index 0000000..3d18d33
--- /dev/null
+++ b/config/instances/ausyd1nxvm2012/config.yaml
@@ -0,0 +1,7 @@
+description: PuppetDB API
+cobbler_mgmt_classes:
+  - roles::infra::puppetdb::api
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2012/terragrunt.hcl b/config/instances/ausyd1nxvm2012/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2012/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2013/config.yaml b/config/instances/ausyd1nxvm2013/config.yaml
new file mode 100644
index 0000000..0452bc7
--- /dev/null
+++ b/config/instances/ausyd1nxvm2013/config.yaml
@@ -0,0 +1,7 @@
+description: Puppetboard
+cobbler_mgmt_classes:
+  - roles::infra::puppetboard::server
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2013/terragrunt.hcl b/config/instances/ausyd1nxvm2013/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2013/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2014/config.yaml b/config/instances/ausyd1nxvm2014/config.yaml
new file mode 100644
index 0000000..0452bc7
--- /dev/null
+++ b/config/instances/ausyd1nxvm2014/config.yaml
@@ -0,0 +1,7 @@
+description: Puppetboard
+cobbler_mgmt_classes:
+  - roles::infra::puppetboard::server
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2014/terragrunt.hcl b/config/instances/ausyd1nxvm2014/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2014/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2015/config.yaml b/config/instances/ausyd1nxvm2015/config.yaml
new file mode 100644
index 0000000..6277348
--- /dev/null
+++ b/config/instances/ausyd1nxvm2015/config.yaml
@@ -0,0 +1,7 @@
+description: Grafana
+cobbler_mgmt_classes:
+  - roles::infra::metrics::grafana
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2015/terragrunt.hcl b/config/instances/ausyd1nxvm2015/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2015/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2016/config.yaml b/config/instances/ausyd1nxvm2016/config.yaml
new file mode 100644
index 0000000..6277348
--- /dev/null
+++ b/config/instances/ausyd1nxvm2016/config.yaml
@@ -0,0 +1,7 @@
+description: Grafana
+cobbler_mgmt_classes:
+  - roles::infra::metrics::grafana
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2016/terragrunt.hcl b/config/instances/ausyd1nxvm2016/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2016/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2017/config.yaml b/config/instances/ausyd1nxvm2017/config.yaml
new file mode 100644
index 0000000..f4f6f39
--- /dev/null
+++ b/config/instances/ausyd1nxvm2017/config.yaml
@@ -0,0 +1,7 @@
+description: LDAP Server
+cobbler_mgmt_classes:
+  - roles::infra::auth::glauth
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2017/terragrunt.hcl b/config/instances/ausyd1nxvm2017/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2017/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2018/config.yaml b/config/instances/ausyd1nxvm2018/config.yaml
new file mode 100644
index 0000000..f4f6f39
--- /dev/null
+++ b/config/instances/ausyd1nxvm2018/config.yaml
@@ -0,0 +1,7 @@
+description: LDAP Server
+cobbler_mgmt_classes:
+  - roles::infra::auth::glauth
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2018/terragrunt.hcl b/config/instances/ausyd1nxvm2018/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2018/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2019/config.yaml b/config/instances/ausyd1nxvm2019/config.yaml
new file mode 100644
index 0000000..f4f6f39
--- /dev/null
+++ b/config/instances/ausyd1nxvm2019/config.yaml
@@ -0,0 +1,7 @@
+description: LDAP Server
+cobbler_mgmt_classes:
+  - roles::infra::auth::glauth
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2019/terragrunt.hcl b/config/instances/ausyd1nxvm2019/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2019/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2020/config.yaml b/config/instances/ausyd1nxvm2020/config.yaml
new file mode 100644
index 0000000..f5aefe1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2020/config.yaml
@@ -0,0 +1,7 @@
+description: SSH Jumphost
+cobbler_mgmt_classes:
+  - roles::infra::proxy::jumphost
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2020/terragrunt.hcl b/config/instances/ausyd1nxvm2020/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2020/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2021/config.yaml b/config/instances/ausyd1nxvm2021/config.yaml
new file mode 100644
index 0000000..f5aefe1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2021/config.yaml
@@ -0,0 +1,7 @@
+description: SSH Jumphost
+cobbler_mgmt_classes:
+  - roles::infra::proxy::jumphost
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2021/terragrunt.hcl b/config/instances/ausyd1nxvm2021/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2021/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2022/config.yaml b/config/instances/ausyd1nxvm2022/config.yaml
new file mode 100644
index 0000000..f5aefe1
--- /dev/null
+++ b/config/instances/ausyd1nxvm2022/config.yaml
@@ -0,0 +1,7 @@
+description: SSH Jumphost
+cobbler_mgmt_classes:
+  - roles::infra::proxy::jumphost
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
diff --git a/config/instances/ausyd1nxvm2022/terragrunt.hcl b/config/instances/ausyd1nxvm2022/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2022/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2023/config.yaml b/config/instances/ausyd1nxvm2023/config.yaml
new file mode 100644
index 0000000..b48efb5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2023/config.yaml
@@ -0,0 +1,17 @@
+description: Gitea Runner
+cobbler_mgmt_classes:
+  - roles::infra::git::runner
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 4core8192
+  - fuse
+  - kmsg
+  - tun
+  - docker
+storage_volumes:
+  gitea_runner:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2023/terragrunt.hcl b/config/instances/ausyd1nxvm2023/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2023/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2024/config.yaml b/config/instances/ausyd1nxvm2024/config.yaml
new file mode 100644
index 0000000..b48efb5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2024/config.yaml
@@ -0,0 +1,17 @@
+description: Gitea Runner
+cobbler_mgmt_classes:
+  - roles::infra::git::runner
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 4core8192
+  - fuse
+  - kmsg
+  - tun
+  - docker
+storage_volumes:
+  gitea_runner:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2024/terragrunt.hcl b/config/instances/ausyd1nxvm2024/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2024/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2025/config.yaml b/config/instances/ausyd1nxvm2025/config.yaml
new file mode 100644
index 0000000..b48efb5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2025/config.yaml
@@ -0,0 +1,17 @@
+description: Gitea Runner
+cobbler_mgmt_classes:
+  - roles::infra::git::runner
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 4core8192
+  - fuse
+  - kmsg
+  - tun
+  - docker
+storage_volumes:
+  gitea_runner:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2025/terragrunt.hcl b/config/instances/ausyd1nxvm2025/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2025/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2026/config.yaml b/config/instances/ausyd1nxvm2026/config.yaml
new file mode 100644
index 0000000..94d0920
--- /dev/null
+++ b/config/instances/ausyd1nxvm2026/config.yaml
@@ -0,0 +1,13 @@
+description: Nomad Server
+cobbler_mgmt_classes:
+  - roles::infra::nomad::server
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  nomad_server:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2026/terragrunt.hcl b/config/instances/ausyd1nxvm2026/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2026/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2027/config.yaml b/config/instances/ausyd1nxvm2027/config.yaml
new file mode 100644
index 0000000..94d0920
--- /dev/null
+++ b/config/instances/ausyd1nxvm2027/config.yaml
@@ -0,0 +1,13 @@
+description: Nomad Server
+cobbler_mgmt_classes:
+  - roles::infra::nomad::server
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  nomad_server:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2027/terragrunt.hcl b/config/instances/ausyd1nxvm2027/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2027/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2028/config.yaml b/config/instances/ausyd1nxvm2028/config.yaml
new file mode 100644
index 0000000..94d0920
--- /dev/null
+++ b/config/instances/ausyd1nxvm2028/config.yaml
@@ -0,0 +1,13 @@
+description: Nomad Server
+cobbler_mgmt_classes:
+  - roles::infra::nomad::server
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  nomad_server:
+    pool: fastpool
+    path: /data
+    config:
+      size: 20GB
diff --git a/config/instances/ausyd1nxvm2028/terragrunt.hcl b/config/instances/ausyd1nxvm2028/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2028/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2029/config.yaml b/config/instances/ausyd1nxvm2029/config.yaml
new file mode 100644
index 0000000..4899ca3
--- /dev/null
+++ b/config/instances/ausyd1nxvm2029/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Authoritative Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::master
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2029/terragrunt.hcl b/config/instances/ausyd1nxvm2029/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2029/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2030/config.yaml b/config/instances/ausyd1nxvm2030/config.yaml
new file mode 100644
index 0000000..4899ca3
--- /dev/null
+++ b/config/instances/ausyd1nxvm2030/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Authoritative Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::master
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2030/terragrunt.hcl b/config/instances/ausyd1nxvm2030/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2030/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2031/config.yaml b/config/instances/ausyd1nxvm2031/config.yaml
new file mode 100644
index 0000000..4899ca3
--- /dev/null
+++ b/config/instances/ausyd1nxvm2031/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Authoritative Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::master
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2031/terragrunt.hcl b/config/instances/ausyd1nxvm2031/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2031/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2032/config.yaml b/config/instances/ausyd1nxvm2032/config.yaml
new file mode 100644
index 0000000..99e6a81
--- /dev/null
+++ b/config/instances/ausyd1nxvm2032/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Open-Resolver Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::resolver
+profiles:
+  - disk10
+  - net_dmz1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2032/terragrunt.hcl b/config/instances/ausyd1nxvm2032/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2032/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2033/config.yaml b/config/instances/ausyd1nxvm2033/config.yaml
new file mode 100644
index 0000000..99e6a81
--- /dev/null
+++ b/config/instances/ausyd1nxvm2033/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Open-Resolver Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::resolver
+profiles:
+  - disk10
+  - net_dmz1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2033/terragrunt.hcl b/config/instances/ausyd1nxvm2033/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2033/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2034/config.yaml b/config/instances/ausyd1nxvm2034/config.yaml
new file mode 100644
index 0000000..99e6a81
--- /dev/null
+++ b/config/instances/ausyd1nxvm2034/config.yaml
@@ -0,0 +1,8 @@
+description: Bind Open-Resolver Server
+cobbler_mgmt_classes:
+  - roles::infra::dns::resolver
+profiles:
+  - disk10
+  - net_dmz1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2034/terragrunt.hcl b/config/instances/ausyd1nxvm2034/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2034/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2035/config.yaml b/config/instances/ausyd1nxvm2035/config.yaml
new file mode 100644
index 0000000..865babb
--- /dev/null
+++ b/config/instances/ausyd1nxvm2035/config.yaml
@@ -0,0 +1,8 @@
+description: Gonic Music Server
+cobbler_mgmt_classes:
+  - roles::apps::music::gonic
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2035/terragrunt.hcl b/config/instances/ausyd1nxvm2035/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2035/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2036/config.yaml b/config/instances/ausyd1nxvm2036/config.yaml
new file mode 100644
index 0000000..865babb
--- /dev/null
+++ b/config/instances/ausyd1nxvm2036/config.yaml
@@ -0,0 +1,8 @@
+description: Gonic Music Server
+cobbler_mgmt_classes:
+  - roles::apps::music::gonic
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2036/terragrunt.hcl b/config/instances/ausyd1nxvm2036/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2036/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2037/config.yaml b/config/instances/ausyd1nxvm2037/config.yaml
new file mode 100644
index 0000000..865babb
--- /dev/null
+++ b/config/instances/ausyd1nxvm2037/config.yaml
@@ -0,0 +1,8 @@
+description: Gonic Music Server
+cobbler_mgmt_classes:
+  - roles::apps::music::gonic
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes: {}
diff --git a/config/instances/ausyd1nxvm2037/terragrunt.hcl b/config/instances/ausyd1nxvm2037/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2037/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2038/config.yaml b/config/instances/ausyd1nxvm2038/config.yaml
new file mode 100644
index 0000000..cf22fe5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2038/config.yaml
@@ -0,0 +1,13 @@
+description: Prometheus
+cobbler_mgmt_classes:
+  - roles::infra::metrics::prometheus
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  prometheus:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2038/terragrunt.hcl b/config/instances/ausyd1nxvm2038/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2038/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2039/config.yaml b/config/instances/ausyd1nxvm2039/config.yaml
new file mode 100644
index 0000000..cf22fe5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2039/config.yaml
@@ -0,0 +1,13 @@
+description: Prometheus
+cobbler_mgmt_classes:
+  - roles::infra::metrics::prometheus
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core2048
+storage_volumes:
+  prometheus:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2039/terragrunt.hcl b/config/instances/ausyd1nxvm2039/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2039/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2040/config.yaml b/config/instances/ausyd1nxvm2040/config.yaml
new file mode 100644
index 0000000..83e92be
--- /dev/null
+++ b/config/instances/ausyd1nxvm2040/config.yaml
@@ -0,0 +1,19 @@
+description: Nomad Agent
+cobbler_mgmt_classes:
+  - roles::infra::nomad::agentv2
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - fuse
+  - kmsg
+  - tun
+  - docker
+  - shared_apps_nomad
+  - shared_media_all
+storage_volumes:
+  nomad-local:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2040/terragrunt.hcl b/config/instances/ausyd1nxvm2040/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2040/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2041/config.yaml b/config/instances/ausyd1nxvm2041/config.yaml
new file mode 100644
index 0000000..83e92be
--- /dev/null
+++ b/config/instances/ausyd1nxvm2041/config.yaml
@@ -0,0 +1,19 @@
+description: Nomad Agent
+cobbler_mgmt_classes:
+  - roles::infra::nomad::agentv2
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - fuse
+  - kmsg
+  - tun
+  - docker
+  - shared_apps_nomad
+  - shared_media_all
+storage_volumes:
+  nomad-local:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2041/terragrunt.hcl b/config/instances/ausyd1nxvm2041/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2041/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2042/config.yaml b/config/instances/ausyd1nxvm2042/config.yaml
new file mode 100644
index 0000000..83e92be
--- /dev/null
+++ b/config/instances/ausyd1nxvm2042/config.yaml
@@ -0,0 +1,19 @@
+description: Nomad Agent
+cobbler_mgmt_classes:
+  - roles::infra::nomad::agentv2
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - fuse
+  - kmsg
+  - tun
+  - docker
+  - shared_apps_nomad
+  - shared_media_all
+storage_volumes:
+  nomad-local:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2042/terragrunt.hcl b/config/instances/ausyd1nxvm2042/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2042/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2043/config.yaml b/config/instances/ausyd1nxvm2043/config.yaml
new file mode 100644
index 0000000..83e92be
--- /dev/null
+++ b/config/instances/ausyd1nxvm2043/config.yaml
@@ -0,0 +1,19 @@
+description: Nomad Agent
+cobbler_mgmt_classes:
+  - roles::infra::nomad::agentv2
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - fuse
+  - kmsg
+  - tun
+  - docker
+  - shared_apps_nomad
+  - shared_media_all
+storage_volumes:
+  nomad-local:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2043/terragrunt.hcl b/config/instances/ausyd1nxvm2043/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2043/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2044/config.yaml b/config/instances/ausyd1nxvm2044/config.yaml
new file mode 100644
index 0000000..83e92be
--- /dev/null
+++ b/config/instances/ausyd1nxvm2044/config.yaml
@@ -0,0 +1,19 @@
+description: Nomad Agent
+cobbler_mgmt_classes:
+  - roles::infra::nomad::agentv2
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - fuse
+  - kmsg
+  - tun
+  - docker
+  - shared_apps_nomad
+  - shared_media_all
+storage_volumes:
+  nomad-local:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2044/terragrunt.hcl b/config/instances/ausyd1nxvm2044/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2044/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2045/config.yaml b/config/instances/ausyd1nxvm2045/config.yaml
new file mode 100644
index 0000000..62342e5
--- /dev/null
+++ b/config/instances/ausyd1nxvm2045/config.yaml
@@ -0,0 +1,14 @@
+description: NZBGet
+cobbler_mgmt_classes:
+  - roles::apps::media::nzbget
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2045/terragrunt.hcl b/config/instances/ausyd1nxvm2045/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2045/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2046/config.yaml b/config/instances/ausyd1nxvm2046/config.yaml
new file mode 100644
index 0000000..a248592
--- /dev/null
+++ b/config/instances/ausyd1nxvm2046/config.yaml
@@ -0,0 +1,14 @@
+description: Sonarr
+cobbler_mgmt_classes:
+  - roles::apps::media::sonarr
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2046/terragrunt.hcl b/config/instances/ausyd1nxvm2046/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2046/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2047/config.yaml b/config/instances/ausyd1nxvm2047/config.yaml
new file mode 100644
index 0000000..9e83a3c
--- /dev/null
+++ b/config/instances/ausyd1nxvm2047/config.yaml
@@ -0,0 +1,14 @@
+description: Radarr
+cobbler_mgmt_classes:
+  - roles::apps::media::radarr
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2047/terragrunt.hcl b/config/instances/ausyd1nxvm2047/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2047/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2048/config.yaml b/config/instances/ausyd1nxvm2048/config.yaml
new file mode 100644
index 0000000..b40a40c
--- /dev/null
+++ b/config/instances/ausyd1nxvm2048/config.yaml
@@ -0,0 +1,14 @@
+description: Lidarr
+cobbler_mgmt_classes:
+  - roles::apps::media::lidarr
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2048/terragrunt.hcl b/config/instances/ausyd1nxvm2048/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2048/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2049/config.yaml b/config/instances/ausyd1nxvm2049/config.yaml
new file mode 100644
index 0000000..ce2c181
--- /dev/null
+++ b/config/instances/ausyd1nxvm2049/config.yaml
@@ -0,0 +1,14 @@
+description: Readarr
+cobbler_mgmt_classes:
+  - roles::apps::media::readarr
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2049/terragrunt.hcl b/config/instances/ausyd1nxvm2049/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2049/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2050/config.yaml b/config/instances/ausyd1nxvm2050/config.yaml
new file mode 100644
index 0000000..c18cb5c
--- /dev/null
+++ b/config/instances/ausyd1nxvm2050/config.yaml
@@ -0,0 +1,14 @@
+description: Prowlarr
+cobbler_mgmt_classes:
+  - roles::apps::media::prowlarr
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
+  - shared_media_all
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 50GB
diff --git a/config/instances/ausyd1nxvm2050/terragrunt.hcl b/config/instances/ausyd1nxvm2050/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2050/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2051/config.yaml b/config/instances/ausyd1nxvm2051/config.yaml
new file mode 100644
index 0000000..ff7d6c2
--- /dev/null
+++ b/config/instances/ausyd1nxvm2051/config.yaml
@@ -0,0 +1,16 @@
+description: Jellyfin
+cobbler_mgmt_classes:
+  - roles::apps::media::jellyfin
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 4core4096
+  - shared_media_all
+  - shared_apps_jellyfin
+  - gpu-render-only
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: 100GB
diff --git a/config/instances/ausyd1nxvm2051/terragrunt.hcl b/config/instances/ausyd1nxvm2051/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2051/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2052/config.yaml b/config/instances/ausyd1nxvm2052/config.yaml
new file mode 100644
index 0000000..4689609
--- /dev/null
+++ b/config/instances/ausyd1nxvm2052/config.yaml
@@ -0,0 +1,7 @@
+description: k8s etcd server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
diff --git a/config/instances/ausyd1nxvm2052/terragrunt.hcl b/config/instances/ausyd1nxvm2052/terragrunt.hcl
new file mode 100644
index 0000000..c3099a9
--- /dev/null
+++ b/config/instances/ausyd1nxvm2052/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0009"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2053/config.yaml b/config/instances/ausyd1nxvm2053/config.yaml
new file mode 100644
index 0000000..4689609
--- /dev/null
+++ b/config/instances/ausyd1nxvm2053/config.yaml
@@ -0,0 +1,7 @@
+description: k8s etcd server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
diff --git a/config/instances/ausyd1nxvm2053/terragrunt.hcl b/config/instances/ausyd1nxvm2053/terragrunt.hcl
new file mode 100644
index 0000000..de7d211
--- /dev/null
+++ b/config/instances/ausyd1nxvm2053/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0010"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2054/config.yaml b/config/instances/ausyd1nxvm2054/config.yaml
new file mode 100644
index 0000000..4689609
--- /dev/null
+++ b/config/instances/ausyd1nxvm2054/config.yaml
@@ -0,0 +1,7 @@
+description: k8s etcd server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
diff --git a/config/instances/ausyd1nxvm2054/terragrunt.hcl b/config/instances/ausyd1nxvm2054/terragrunt.hcl
new file mode 100644
index 0000000..98fe447
--- /dev/null
+++ b/config/instances/ausyd1nxvm2054/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0011"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2055/config.yaml b/config/instances/ausyd1nxvm2055/config.yaml
new file mode 100644
index 0000000..4689609
--- /dev/null
+++ b/config/instances/ausyd1nxvm2055/config.yaml
@@ -0,0 +1,7 @@
+description: k8s etcd server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
diff --git a/config/instances/ausyd1nxvm2055/terragrunt.hcl b/config/instances/ausyd1nxvm2055/terragrunt.hcl
new file mode 100644
index 0000000..b33a99b
--- /dev/null
+++ b/config/instances/ausyd1nxvm2055/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0012"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/ausyd1nxvm2056/config.yaml b/config/instances/ausyd1nxvm2056/config.yaml
new file mode 100644
index 0000000..4689609
--- /dev/null
+++ b/config/instances/ausyd1nxvm2056/config.yaml
@@ -0,0 +1,7 @@
+description: k8s etcd server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk20
+  - net_com1_eth0
+  - 2core4096
diff --git a/config/instances/ausyd1nxvm2056/terragrunt.hcl b/config/instances/ausyd1nxvm2056/terragrunt.hcl
new file mode 100644
index 0000000..5326e08
--- /dev/null
+++ b/config/instances/ausyd1nxvm2056/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "prodnxsr0013"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/instances/config_common.yaml b/config/instances/config_common.yaml
new file mode 100644
index 0000000..04f99ae
--- /dev/null
+++ b/config/instances/config_common.yaml
@@ -0,0 +1,21 @@
+image: "incus-images:almalinux9/puppet-base/latest"
+description: Base Server
+type: "container"
+ephemeral: false
+running: true
+
+cobbler_netmask: "255.255.255.0"
+cobbler_domain: "main.unkin.net"
+cobbler_profile: "almalinux9-kvm"
+cobbler_name_servers:
+  - "198.18.19.16"
+cobbler_mgmt_classes:
+  - "roles::base"
+
+wait_for:
+  - type: ipv4
+    nic: eth0
+
+profiles: []
+disk_devices: []
+storage_volumes: {}
diff --git a/config/nodes/ausyd1nxvm1072/config.yaml b/config/nodes/ausyd1nxvm1072/config.yaml
new file mode 100644
index 0000000..879a0c0
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.13.82
+node_port: 8443
diff --git a/config/nodes/ausyd1nxvm1072/images.yaml b/config/nodes/ausyd1nxvm1072/images.yaml
new file mode 100644
index 0000000..cc91030
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/images.yaml
@@ -0,0 +1,8 @@
+almalinux/8/cloud:
+  remote: images
+  aliases:
+    - almalinux8
+almalinux/9/cloud:
+  remote: images
+  aliases:
+    - almalinux9
diff --git a/config/nodes/ausyd1nxvm1072/networks.yaml b/config/nodes/ausyd1nxvm1072/networks.yaml
new file mode 100644
index 0000000..c40cadd
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/networks.yaml
@@ -0,0 +1,8 @@
+brcom1:
+  type: bridge
+  config:
+    bridge.mtu: 1500
+    ipv4.address: 10.255.255.1/24
+    ipv4.nat: true
+    dns.mode: none
+    dns.domain: main.unkin.net
diff --git a/config/nodes/ausyd1nxvm1072/profiles.yaml b/config/nodes/ausyd1nxvm1072/profiles.yaml
new file mode 100644
index 0000000..21cbdbb
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/profiles.yaml
@@ -0,0 +1,22 @@
+# build profile
+build:
+  description: "profile to use when building images"
+  project: null
+  config:
+    boot.autostart: true
+    limits.cpu: 1
+    limits.memory: 1024MB
+    limits.memory.enforce: hard
+    limits.memory.swap: true
+  devices:
+    - type: nic
+      name: eth0
+      properties:
+        parent: brcom1
+        nictype: bridged
+    - type: disk
+      name: root
+      properties:
+        pool: fastpool
+        size: 10GB
+        path: /
diff --git a/config/nodes/ausyd1nxvm1072/storage_pools.yaml b/config/nodes/ausyd1nxvm1072/storage_pools.yaml
new file mode 100644
index 0000000..3599001
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/storage_pools.yaml
@@ -0,0 +1,5 @@
+fastpool:
+  driver: zfs
+  description: nvme backed zfs store
+  config:
+    source: fastpool/data/incus
diff --git a/config/nodes/ausyd1nxvm1072/storage_volumes.yaml b/config/nodes/ausyd1nxvm1072/storage_volumes.yaml
new file mode 100644
index 0000000..4b76778
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/storage_volumes.yaml
@@ -0,0 +1,3 @@
+imagestore:
+  pool: fastpool
+  description: location to store images
diff --git a/config/nodes/ausyd1nxvm1072/terragrunt.hcl b/config/nodes/ausyd1nxvm1072/terragrunt.hcl
new file mode 100644
index 0000000..0a57118
--- /dev/null
+++ b/config/nodes/ausyd1nxvm1072/terragrunt.hcl
@@ -0,0 +1,50 @@
+locals {
+  config                = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  local_images          = yamldecode(file("${get_terragrunt_dir()}/images.yaml"))
+  local_networks        = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  local_profiles        = yamldecode(file("${get_terragrunt_dir()}/profiles.yaml"))
+  local_storage_pools   = yamldecode(file("${get_terragrunt_dir()}/storage_pools.yaml"))
+  local_storage_volumes = yamldecode(file("${get_terragrunt_dir()}/storage_volumes.yaml"))
+  node_name             = basename(get_terragrunt_dir())
+}
+
+# on the image server we want to use localised settings mostly, not all the globals
+# dont deep merge
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  images          = local.local_images
+  networks        = local.local_networks
+  profiles        = local.local_profiles
+  storage_pools   = local.local_storage_pools
+  storage_volumes = local.local_storage_volumes
+  node_name       = local.node_name
+  node_addr       = local.config.node_addr
+  node_port       = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/nodes/prodnxsr0009/config.yaml b/config/nodes/prodnxsr0009/config.yaml
new file mode 100644
index 0000000..0567b6e
--- /dev/null
+++ b/config/nodes/prodnxsr0009/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.19.9
+node_port: 8443
diff --git a/config/nodes/prodnxsr0009/networks.yaml b/config/nodes/prodnxsr0009/networks.yaml
new file mode 100644
index 0000000..1347e94
--- /dev/null
+++ b/config/nodes/prodnxsr0009/networks.yaml
@@ -0,0 +1,9 @@
+brwan1:
+  config:
+    ipv4.address: 198.18.20.14/28
+brdmz1:
+  config:
+    ipv4.address: 198.18.24.14/28
+brcom1:
+  config:
+    ipv4.address: 198.18.25.254/24
diff --git a/config/nodes/prodnxsr0009/terragrunt.hcl b/config/nodes/prodnxsr0009/terragrunt.hcl
new file mode 100644
index 0000000..4f5bd58
--- /dev/null
+++ b/config/nodes/prodnxsr0009/terragrunt.hcl
@@ -0,0 +1,42 @@
+locals {
+  config    = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  networks  = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  node_name = basename(get_terragrunt_dir())
+}
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  networks  = local.networks
+  node_name = local.node_name
+  node_addr = local.config.node_addr
+  node_port = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/nodes/prodnxsr0010/config.yaml b/config/nodes/prodnxsr0010/config.yaml
new file mode 100644
index 0000000..a516fe4
--- /dev/null
+++ b/config/nodes/prodnxsr0010/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.19.10
+node_port: 8443
diff --git a/config/nodes/prodnxsr0010/networks.yaml b/config/nodes/prodnxsr0010/networks.yaml
new file mode 100644
index 0000000..9442369
--- /dev/null
+++ b/config/nodes/prodnxsr0010/networks.yaml
@@ -0,0 +1,9 @@
+brwan1:
+  config:
+    ipv4.address: 198.18.20.30/28
+brdmz1:
+  config:
+    ipv4.address: 198.18.24.30/28
+brcom1:
+  config:
+    ipv4.address: 198.18.26.254/24
diff --git a/config/nodes/prodnxsr0010/terragrunt.hcl b/config/nodes/prodnxsr0010/terragrunt.hcl
new file mode 100644
index 0000000..4f5bd58
--- /dev/null
+++ b/config/nodes/prodnxsr0010/terragrunt.hcl
@@ -0,0 +1,42 @@
+locals {
+  config    = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  networks  = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  node_name = basename(get_terragrunt_dir())
+}
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  networks  = local.networks
+  node_name = local.node_name
+  node_addr = local.config.node_addr
+  node_port = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/nodes/prodnxsr0011/config.yaml b/config/nodes/prodnxsr0011/config.yaml
new file mode 100644
index 0000000..b868c7f
--- /dev/null
+++ b/config/nodes/prodnxsr0011/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.19.11
+node_port: 8443
diff --git a/config/nodes/prodnxsr0011/networks.yaml b/config/nodes/prodnxsr0011/networks.yaml
new file mode 100644
index 0000000..07f1932
--- /dev/null
+++ b/config/nodes/prodnxsr0011/networks.yaml
@@ -0,0 +1,9 @@
+brwan1:
+  config:
+    ipv4.address: 198.18.20.46/28
+brdmz1:
+  config:
+    ipv4.address: 198.18.24.46/28
+brcom1:
+  config:
+    ipv4.address: 198.18.27.254/24
diff --git a/config/nodes/prodnxsr0011/terragrunt.hcl b/config/nodes/prodnxsr0011/terragrunt.hcl
new file mode 100644
index 0000000..4f5bd58
--- /dev/null
+++ b/config/nodes/prodnxsr0011/terragrunt.hcl
@@ -0,0 +1,42 @@
+locals {
+  config    = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  networks  = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  node_name = basename(get_terragrunt_dir())
+}
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  networks  = local.networks
+  node_name = local.node_name
+  node_addr = local.config.node_addr
+  node_port = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/nodes/prodnxsr0012/config.yaml b/config/nodes/prodnxsr0012/config.yaml
new file mode 100644
index 0000000..984fcec
--- /dev/null
+++ b/config/nodes/prodnxsr0012/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.19.12
+node_port: 8443
diff --git a/config/nodes/prodnxsr0012/networks.yaml b/config/nodes/prodnxsr0012/networks.yaml
new file mode 100644
index 0000000..0d6d77f
--- /dev/null
+++ b/config/nodes/prodnxsr0012/networks.yaml
@@ -0,0 +1,9 @@
+brwan1:
+  config:
+    ipv4.address: 198.18.20.62/28
+brdmz1:
+  config:
+    ipv4.address: 198.18.24.62/28
+brcom1:
+  config:
+    ipv4.address: 198.18.28.254/24
diff --git a/config/nodes/prodnxsr0012/terragrunt.hcl b/config/nodes/prodnxsr0012/terragrunt.hcl
new file mode 100644
index 0000000..4f5bd58
--- /dev/null
+++ b/config/nodes/prodnxsr0012/terragrunt.hcl
@@ -0,0 +1,42 @@
+locals {
+  config    = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  networks  = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  node_name = basename(get_terragrunt_dir())
+}
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  networks  = local.networks
+  node_name = local.node_name
+  node_addr = local.config.node_addr
+  node_port = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/nodes/prodnxsr0013/config.yaml b/config/nodes/prodnxsr0013/config.yaml
new file mode 100644
index 0000000..00aeb18
--- /dev/null
+++ b/config/nodes/prodnxsr0013/config.yaml
@@ -0,0 +1,3 @@
+---
+node_addr: 198.18.19.13
+node_port: 8443
diff --git a/config/nodes/prodnxsr0013/networks.yaml b/config/nodes/prodnxsr0013/networks.yaml
new file mode 100644
index 0000000..21740de
--- /dev/null
+++ b/config/nodes/prodnxsr0013/networks.yaml
@@ -0,0 +1,9 @@
+brwan1:
+  config:
+    ipv4.address: 198.18.20.78/28
+brdmz1:
+  config:
+    ipv4.address: 198.18.24.78/28
+brcom1:
+  config:
+    ipv4.address: 198.18.29.254/24
diff --git a/config/nodes/prodnxsr0013/terragrunt.hcl b/config/nodes/prodnxsr0013/terragrunt.hcl
new file mode 100644
index 0000000..4f5bd58
--- /dev/null
+++ b/config/nodes/prodnxsr0013/terragrunt.hcl
@@ -0,0 +1,42 @@
+locals {
+  config    = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  networks  = yamldecode(file("${get_terragrunt_dir()}/networks.yaml"))
+  node_name = basename(get_terragrunt_dir())
+}
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/node"
+}
+
+inputs = {
+  networks  = local.networks
+  node_name = local.node_name
+  node_addr = local.config.node_addr
+  node_port = local.config.node_port
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${local.config.node_addr}"
+        port    = "${local.config.node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/config/root.hcl b/config/root.hcl
new file mode 100644
index 0000000..a618e82
--- /dev/null
+++ b/config/root.hcl
@@ -0,0 +1,62 @@
+locals {
+  images          = yamldecode(file("${get_repo_root()}/config/globals/images.yaml"))
+  networks        = yamldecode(file("${get_repo_root()}/config/globals/networks.yaml"))
+  profiles        = yamldecode(file("${get_repo_root()}/config/globals/profiles.yaml"))
+  storage_pools   = yamldecode(file("${get_repo_root()}/config/globals/storage_pools.yaml"))
+  storage_volumes = yamldecode(file("${get_repo_root()}/config/globals/storage_volumes.yaml"))
+  consul_addr     = "https://consul.service.consul"
+  relative_path_after_config = join(
+    "/",
+    slice(
+      split("/", get_path_from_repo_root()),
+      index(split("/", get_path_from_repo_root()), "config") + 1,
+      length(split("/", get_path_from_repo_root()))
+    )
+  )
+}
+
+inputs = {
+  profiles        = local.profiles
+  images          = local.images
+  networks        = local.networks
+  storage_pools   = local.storage_pools
+  storage_volumes = local.storage_volumes
+}
+
+generate "backend" {
+  path      = "backend.tf"
+  if_exists = "overwrite_terragrunt"
+  contents = <<EOF
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.5.0"
+    }
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+    cobbler = {
+      source  = "cobbler/cobbler"
+      version = "2.0.3"
+    }
+    puppetca = {
+      source = "camptocamp/puppetca"
+      version = "2.0.0"
+    }
+    puppetdb = {
+      source = "camptocamp/puppetdb"
+      version = "2.0.0"
+    }
+  }
+  backend "consul" {
+    address = "${local.consul_addr}"
+    path    = "infra/terraform/incus/${replace(local.relative_path_after_config, "/", "_")}/state"
+    scheme  = "https"
+    lock    = true
+    ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
+  }
+}
+EOF
+}
diff --git a/modules/image/main.tf b/modules/image/main.tf
new file mode 100644
index 0000000..ccf8e55
--- /dev/null
+++ b/modules/image/main.tf
@@ -0,0 +1,8 @@
+resource "incus_image" "this" {
+  source_image = {
+    remote       = var.remote
+    name         = var.name
+    architecture = var.architecture
+    aliases      = var.aliases
+  }
+}
diff --git a/modules/image/outputs.tf b/modules/image/outputs.tf
new file mode 100644
index 0000000..54048e1
--- /dev/null
+++ b/modules/image/outputs.tf
@@ -0,0 +1,4 @@
+output "fingerprint" {
+  description = "The fingerprint of the pulled image."
+  value       = incus_image.this.fingerprint
+}
diff --git a/modules/image/variables.tf b/modules/image/variables.tf
new file mode 100644
index 0000000..672cbab
--- /dev/null
+++ b/modules/image/variables.tf
@@ -0,0 +1,22 @@
+variable "remote" {
+  description = "The remote source of the image."
+  type        = string
+}
+
+variable "name" {
+  description = "The name of the image to use."
+  type        = string
+}
+
+
+variable "architecture" {
+  description = "The image architecture (e.g. x86_64, aarch64)."
+  type        = string
+  default     = "x86_64"
+}
+
+variable "aliases" {
+  description = "A list of aliases to assign to the image after pulling"
+  type        = list(string)
+  default     = null
+}
diff --git a/modules/image/versions.tf b/modules/image/versions.tf
new file mode 100644
index 0000000..76d5b5b
--- /dev/null
+++ b/modules/image/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+  }
+}
diff --git a/modules/instance/locals.tf b/modules/instance/locals.tf
new file mode 100644
index 0000000..724ff96
--- /dev/null
+++ b/modules/instance/locals.tf
@@ -0,0 +1,47 @@
+locals {
+  netmask_to_prefix = {
+    "0.0.0.0"         = 0
+    "128.0.0.0"       = 1
+    "192.0.0.0"       = 2
+    "224.0.0.0"       = 3
+    "240.0.0.0"       = 4
+    "248.0.0.0"       = 5
+    "252.0.0.0"       = 6
+    "254.0.0.0"       = 7
+    "255.0.0.0"       = 8
+    "255.128.0.0"     = 9
+    "255.192.0.0"     = 10
+    "255.224.0.0"     = 11
+    "255.240.0.0"     = 12
+    "255.248.0.0"     = 13
+    "255.252.0.0"     = 14
+    "255.254.0.0"     = 15
+    "255.255.0.0"     = 16
+    "255.255.128.0"   = 17
+    "255.255.192.0"   = 18
+    "255.255.224.0"   = 19
+    "255.255.240.0"   = 20
+    "255.255.248.0"   = 21
+    "255.255.252.0"   = 22
+    "255.255.254.0"   = 23
+    "255.255.255.0"   = 24
+    "255.255.255.128" = 25
+    "255.255.255.192" = 26
+    "255.255.255.224" = 27
+    "255.255.255.240" = 28
+    "255.255.255.248" = 29
+    "255.255.255.252" = 30
+    "255.255.255.254" = 31
+    "255.255.255.255" = 32
+  }
+  prefix_length  = lookup(local.netmask_to_prefix, var.cobbler_netmask, 24)
+  host_bits      = 32 - local.prefix_length
+  total_hosts    = pow(2, local.host_bits)
+  last_usable_ip = local.total_hosts - 2
+
+  # derive subnet base from instance IP
+  cidr_block = cidrsubnet("${incus_instance.this.ipv4_address}/${local.prefix_length}", 0, 0)
+
+  # get the last usable IP
+  gateway_ip = cidrhost(local.cidr_block, local.last_usable_ip)
+}
diff --git a/modules/instance/main.tf b/modules/instance/main.tf
new file mode 100644
index 0000000..8c234af
--- /dev/null
+++ b/modules/instance/main.tf
@@ -0,0 +1,139 @@
+module "storage_volume" {
+  source = "../../../../../../modules/storage_volume"
+
+  for_each = {
+    for k, v in var.storage_volumes : "${var.name}-${k}" => v
+  }
+
+  name         = each.key
+  pool         = each.value.pool
+  description  = lookup(each.value, "description", null)
+  type         = lookup(each.value, "type", "custom")
+  content_type = lookup(each.value, "content_type", null)
+  config       = lookup(each.value, "config", {})
+}
+
+resource "incus_instance" "this" {
+  name        = var.name
+  image       = var.image
+  description = var.description
+  type        = var.type
+  ephemeral   = var.ephemeral
+  running     = var.running
+  profiles    = var.profiles
+
+  dynamic "wait_for" {
+    for_each = var.wait_for
+    content {
+      type = wait_for.value.type
+      nic  = wait_for.value.nic
+    }
+  }
+
+  dynamic "device" {
+    for_each = var.disk_devices
+    content {
+      name = device.value.name
+      type = device.value.type
+      properties = {
+        path   = device.value.properties["path"]
+        source = device.value.properties["source"]
+        pool   = device.value.properties["pool"]
+      }
+    }
+  }
+
+  dynamic "device" {
+    for_each = {
+      for k, v in var.storage_volumes : k => {
+        name   = k
+        path   = v.path
+        pool   = v.pool
+        source = "${var.name}-${k}"
+      }
+    }
+    content {
+      name = device.value.name
+      type = "disk"
+      properties = {
+        path   = device.value.path
+        source = device.value.source
+        pool   = device.value.pool
+      }
+    }
+  }
+
+  depends_on = [
+    module.storage_volume
+  ]
+
+}
+
+resource "cobbler_system" "this" {
+  name                = "${var.name}.${var.cobbler_domain}"
+  hostname            = "${var.name}.${var.cobbler_domain}"
+  profile             = var.cobbler_profile
+  status              = "testing"
+  name_servers        = var.cobbler_name_servers
+  mgmt_classes        = var.cobbler_mgmt_classes
+  name_servers_search = ["${var.cobbler_domain}"]
+
+  interface {
+    name        = "eth0"
+    mac_address = incus_instance.this.mac_address
+    static      = true
+    ip_address  = incus_instance.this.ipv4_address
+    netmask     = var.cobbler_netmask
+    dns_name    = "${var.name}.${var.cobbler_domain}"
+    gateway     = local.gateway_ip
+  }
+
+  depends_on = [incus_instance.this]
+}
+
+resource "puppetdb_node" "this" {
+  certname = "${var.name}.${var.cobbler_domain}"
+
+  depends_on = [incus_instance.this]
+}
+
+resource "null_resource" "wait_for_instance_ready" {
+  depends_on = [incus_instance.this]
+
+  provisioner "local-exec" {
+    command = "sleep 10"
+  }
+}
+
+resource "puppetca_certificate" "cert" {
+  name = "${var.name}.${var.cobbler_domain}"
+  env  = "production"
+  sign = false
+
+  depends_on = [
+    null_resource.wait_for_instance_ready
+  ]
+
+  lifecycle {
+    create_before_destroy = false
+  }
+}
+
+#resource "puppetca_certificate" "cert" {
+#  count = (
+#    var.check_on_instance_creation ? 1 :
+#    (
+#      can(incus_instance.this.ipv4_address) && incus_instance.this.ipv4_address != "" ? 1 : 0
+#    )
+#  )
+#
+#  name = "${var.name}.${var.cobbler_domain}"
+#  env  = "production"
+#  sign = false
+#
+#  depends_on = [incus_instance.this]
+#
+#  lifecycle {
+#    create_before_destroy = false
+#  }
+#}
diff --git a/modules/instance/outputs.tf b/modules/instance/outputs.tf
new file mode 100644
index 0000000..0f0493b
--- /dev/null
+++ b/modules/instance/outputs.tf
@@ -0,0 +1,12 @@
+#output "vm_metadata" {
+#  value = {
+#    ipaddress = incus_instance.this.ipv4_address
+#    gateway   = local.gateway_ip
+#    hostname  = "${var.name}.${var.cobbler_domain}"
+#    interface = "eth0"
+#  }
+#}
+
+output "hostname" {
+  value = "${var.name}.${var.cobbler_domain}"
+}
diff --git a/modules/instance/providers.tf b/modules/instance/providers.tf
new file mode 100644
index 0000000..7fa046a
--- /dev/null
+++ b/modules/instance/providers.tf
@@ -0,0 +1,19 @@
+provider "cobbler" {
+  username = var.cobbler_username
+  password = var.cobbler_password
+  url      = var.cobbler_url
+}
+
+provider "puppetdb" {
+  url  = var.puppetdb_url
+  ca   = var.puppet_cert_ca
+  cert = var.puppet_cert_pub
+  key  = var.puppet_cert_priv
+}
+
+provider "puppetca" {
+  url  = var.puppetca_url
+  ca   = var.puppet_cert_ca
+  cert = var.puppet_cert_pub
+  key  = var.puppet_cert_priv
+}
diff --git a/modules/instance/variables.tf b/modules/instance/variables.tf
new file mode 100644
index 0000000..82e7fed
--- /dev/null
+++ b/modules/instance/variables.tf
@@ -0,0 +1,172 @@
+variable "name" {
+  description = "Name of the instance."
+  type        = string
+}
+
+variable "image" {
+  description = "Base image from which the instance will be created."
+  type        = string
+  default     = null
+}
+
+variable "description" {
+  description = "Description of the instance."
+  type        = string
+  default     = null
+}
+
+variable "type" {
+  description = "Instance type. Can be 'container' or 'virtual-machine'."
+  type        = string
+  default     = "container"
+}
+
+variable "ephemeral" {
+  description = "Whether this instance is ephemeral."
+  type        = bool
+  default     = false
+}
+
+variable "running" {
+  description = "Whether the instance should be started (running)."
+  type        = bool
+  default     = true
+}
+
+variable "wait_for" {
+  description = <<EOT
+List of wait_for blocks. Each block should contain:
+- type: Type of wait (e.g., ipv4, ipv6)
+- nic: Network interface name (e.g., eth0)
+EOT
+  type = list(object({
+    type = string
+    nic  = string
+  }))
+  default = []
+}
+
+variable "profiles" {
+  description = "List of Incus config profiles to apply to the instance. Use [] to apply none."
+  type        = list(string)
+  default     = null
+}
+
+variable "disk_devices" {
+  description = <<EOT
+List of disk devices to attach to the instance. Each device must be:
+- name       : Name of the device
+- type       : Must be "disk"
+- properties : Must include at least 'path', 'source', and 'pool'
+EOT
+
+  type = list(object({
+    name = string
+    type = string
+    properties = object({
+      path   = string
+      source = string
+      pool   = string
+    })
+  }))
+
+  default = []
+
+  validation {
+    condition     = alltrue([for d in var.disk_devices : d.type == "disk"])
+    error_message = "All devices must have type 'disk'."
+  }
+}
+
+variable "storage_volumes" {
+  description = "Map of storage volumes to create and attach."
+  type = map(object({
+    pool         = string
+    description  = optional(string)
+    type         = optional(string)
+    content_type = optional(string)
+    config       = optional(map(string))
+    path         = string
+  }))
+  default = {}
+}
+
+variable "cobbler_domain" {
+  description = "Domain to assign in Cobbler for the system hostname"
+  type        = string
+}
+
+variable "cobbler_profile" {
+  description = "Cobbler OS profile to use"
+  type        = string
+}
+
+variable "cobbler_netmask" {
+  description = "Cobbler eth0 netmask to use"
+  type        = string
+}
+
+variable "cobbler_name_servers" {
+  description = "List of name servers for the Cobbler system"
+  type        = list(string)
+  default     = ["198.18.13.12", "198.18.13.13"]
+}
+
+variable "cobbler_mgmt_classes" {
+  description = "List of Cobbler management classes. Must contain exactly 1 item."
+  type        = list(string)
+  default     = ["roles::base"]
+
+  validation {
+    condition     = length(var.cobbler_mgmt_classes) == 1
+    error_message = "You must provide exactly 1 Cobbler management class."
+  }
+}
+
+variable "cobbler_url" {
+  description = "The URL to the Cobbler API"
+  type        = string
+}
+
+variable "cobbler_username" {
+  description = "The username for the Cobbler API"
+  type        = string
+}
+
+variable "cobbler_password" {
+  description = "The password for the Cobbler API"
+  type        = string
+}
+
+variable "puppet_cert_ca" {
+  description = "Puppet CA cert content"
+  type        = string
+}
+
+variable "puppet_cert_pub" {
+  description = "PuppetDB client cert content"
+  type        = string
+}
+
+variable "puppet_cert_priv" {
+  description = "PuppetDB client private key content"
+  type        = string
+}
+
+variable "puppetdb_url" {
+  description = "The URL of the PuppetPB API"
+  type        = string
+  default     = "https://puppetdbapi.query.consul:8081"
+}
+
+variable "puppetca_url" {
+  description = "The URL of the Puppet Certificate Authority (CA) server"
+  type        = string
+  default     = "https://puppetca.query.consul:8140"
+}
+
+variable "check_on_instance_creation" {
+  description = "If false, defer puppetca_certificate creation until instance is fully created."
+  type        = bool
+  default     = false
+}
diff --git a/modules/instance_destroy/providers.tf b/modules/instance_destroy/providers.tf
new file mode 100644
index 0000000..7fa046a
--- /dev/null
+++ b/modules/instance_destroy/providers.tf
@@ -0,0 +1,19 @@
+provider "cobbler" {
+  username = var.cobbler_username
+  password = var.cobbler_password
+  url      = var.cobbler_url
+}
+
+provider "puppetdb" {
+  url  = var.puppetdb_url
+  ca   = var.puppet_cert_ca
+  cert = var.puppet_cert_pub
+  key  = var.puppet_cert_priv
+}
+
+provider "puppetca" {
+  url  = var.puppetca_url
+  ca   = var.puppet_cert_ca
+  cert = var.puppet_cert_pub
+  key  = var.puppet_cert_priv
+}
diff --git a/modules/instance_destroy/variables.tf b/modules/instance_destroy/variables.tf
new file mode 100644
index 0000000..82e7fed
--- /dev/null
+++ b/modules/instance_destroy/variables.tf
@@ -0,0 +1,172 @@
+variable "name" {
+  description = "Name of the instance."
+  type        = string
+}
+
+variable "image" {
+  description = "Base image from which the instance will be created."
+  type        = string
+  default     = null
+}
+
+variable "description" {
+  description = "Description of the instance."
+  type        = string
+  default     = null
+}
+
+variable "type" {
+  description = "Instance type. Can be 'container' or 'virtual-machine'."
+  type        = string
+  default     = "container"
+}
+
+variable "ephemeral" {
+  description = "Whether this instance is ephemeral."
+  type        = bool
+  default     = false
+}
+
+variable "running" {
+  description = "Whether the instance should be started (running)."
+  type        = bool
+  default     = true
+}
+
+variable "wait_for" {
+  description = <<EOT
+List of wait_for blocks. Each block should contain:
+- type: Type of wait (e.g., ipv4, ipv6)
+- nic: Network interface name (e.g., eth0)
+EOT
+  type = list(object({
+    type = string
+    nic  = string
+  }))
+  default = []
+}
+
+variable "profiles" {
+  description = "List of Incus config profiles to apply to the instance. Use [] to apply none."
+  type        = list(string)
+  default     = null
+}
+
+variable "disk_devices" {
+  description = <<EOT
+List of disk devices to attach to the instance. Each device must be:
+- name       : Name of the device
+- type       : Must be "disk"
+- properties : Must include at least 'path', 'source', and 'pool'
+EOT
+
+  type = list(object({
+    name = string
+    type = string
+    properties = object({
+      path   = string
+      source = string
+      pool   = string
+    })
+  }))
+
+  default = []
+
+  validation {
+    condition     = alltrue([for d in var.disk_devices : d.type == "disk"])
+    error_message = "All devices must have type 'disk'."
+  }
+}
+
+variable "storage_volumes" {
+  description = "Map of storage volumes to create and attach."
+  type = map(object({
+    pool         = string
+    description  = optional(string)
+    type         = optional(string)
+    content_type = optional(string)
+    config       = optional(map(string))
+    path         = string
+  }))
+  default = {}
+}
+
+variable "cobbler_domain" {
+  description = "Domain to assign in Cobbler for the system hostname"
+  type        = string
+}
+
+variable "cobbler_profile" {
+  description = "Cobbler OS profile to use"
+  type        = string
+}
+
+variable "cobbler_netmask" {
+  description = "Cobbler eth0 netmask to use"
+  type        = string
+}
+
+variable "cobbler_name_servers" {
+  description = "List of name servers for the Cobbler system"
+  type        = list(string)
+  default     = ["198.18.13.12", "198.18.13.13"]
+}
+
+variable "cobbler_mgmt_classes" {
+  description = "List of Cobbler management classes. Must contain exactly 1 item."
+  type        = list(string)
+  default     = ["roles::base"]
+
+  validation {
+    condition     = length(var.cobbler_mgmt_classes) == 1
+    error_message = "You must provide exactly 1 Cobbler management class."
+  }
+}
+
+variable "cobbler_url" {
+  description = "The URL to the Cobbler API"
+  type        = string
+}
+
+variable "cobbler_username" {
+  description = "The username for the Cobbler API"
+  type        = string
+}
+
+variable "cobbler_password" {
+  description = "The password for the Cobbler API"
+  type        = string
+}
+
+variable "puppet_cert_ca" {
+  description = "Puppet CA cert content"
+  type        = string
+}
+
+variable "puppet_cert_pub" {
+  description = "PuppetDB client cert content"
+  type        = string
+}
+
+variable "puppet_cert_priv" {
+  description = "PuppetDB client private key content"
+  type        = string
+}
+
+variable "puppetdb_url" {
+  description = "The URL of the PuppetPB API"
+  type        = string
+  default     = "https://puppetdbapi.query.consul:8081"
+}
+
+variable "puppetca_url" {
+  description = "The URL of the Puppet Certificate Authority (CA) server"
+  type        = string
+  default     = "https://puppetca.query.consul:8140"
+}
+
+variable "check_on_instance_creation" {
+  description = "If false, defer puppetca_certificate creation until instance is fully created."
+  type        = bool
+  default     = false
+}
diff --git a/modules/network/main.tf b/modules/network/main.tf
new file mode 100644
index 0000000..e40791b
--- /dev/null
+++ b/modules/network/main.tf
@@ -0,0 +1,5 @@
+resource "incus_network" "this" {
+  name   = var.name
+  type   = var.type
+  config = var.config
+}
diff --git a/modules/network/variables.tf b/modules/network/variables.tf
new file mode 100644
index 0000000..ed6e2d2
--- /dev/null
+++ b/modules/network/variables.tf
@@ -0,0 +1,25 @@
+variable "name" {
+  type        = string
+  description = "The name of the network to define"
+}
+
+variable "type" {
+  description = <<EOT
+(Optional) The type of network to create.
+Can be one of: bridge, macvlan, sriov, ovn, or physical.
+If no type is specified, a bridge network is created.
+EOT
+
+  type    = string
+  default = "bridge"
+  validation {
+    condition     = contains(["bridge", "macvlan", "sriov", "ovn", "physical"], var.type)
+    error_message = "Type must be one of: bridge, macvlan, sriov, ovn, or physical."
+  }
+}
+
+variable "config" {
+  description = "(Optional) Map of key/value pairs of network config settings."
+  type        = map(string)
+  default     = {}
+}
diff --git a/modules/network/versions.tf b/modules/network/versions.tf
new file mode 100644
index 0000000..76d5b5b
--- /dev/null
+++ b/modules/network/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+  }
+}
diff --git a/modules/node/main.tf b/modules/node/main.tf
new file mode 100644
index 0000000..96bc5c2
--- /dev/null
+++ b/modules/node/main.tf
@@ -0,0 +1,56 @@
+module "image" {
+  source = "../../../../../../modules/image"
+
+  for_each = var.images
+
+  name         = each.key
+  remote       = lookup(each.value, "remote")
+  architecture = lookup(each.value, "architecture", null)
+}
+
+module "network" {
+  source = "../../../../../../modules/network"
+
+  for_each = var.networks
+
+  name   = each.key
+  type   = lookup(each.value, "type")
+  config = lookup(each.value, "config", {})
+}
+
+module "profile" {
+  source = "../../../../../../modules/profile"
+
+  for_each = var.profiles
+
+  name        = each.key
+  description = lookup(each.value, "description", null)
+  project     = lookup(each.value, "project", null)
+  config      = lookup(each.value, "config", {})
+  devices     = lookup(each.value, "devices", [])
+}
+
+module "storage_pool" {
+  source = "../../../../../../modules/storage_pool"
+
+  for_each = var.storage_pools
+
+  name        = each.key
+  description = lookup(each.value, "description", null)
+  project     = lookup(each.value, "project", null)
+  driver      = lookup(each.value, "driver")
+  config      = lookup(each.value, "config", {})
+}
+
+module "storage_volume" {
+  source = "../../../../../../modules/storage_volume"
+
+  for_each = var.storage_volumes
+
+  name         = each.key
+  pool         = each.value.pool
+  description  = lookup(each.value, "description", null)
+  type         = lookup(each.value, "type", "custom")
+  content_type = lookup(each.value, "content_type", null)
+  config       = lookup(each.value, "config", {})
+}
diff --git a/modules/node/variable.tf b/modules/node/variable.tf
new file mode 100644
index 0000000..ef877f7
--- /dev/null
+++ b/modules/node/variable.tf
@@ -0,0 +1,72 @@
+variable "node_name" {
+  type        = string
+  description = "Name of the node. This is used to fetch the corresponding token from Vault."
+}
+
+variable "node_addr" {
+  type        = string
+  description = "The address of the Incus node."
+}
+
+variable "node_port" {
+  type        = string
+  description = "The port Incus is listening on."
+  default     = "8443"
+}
+
+variable "images" {
+  description = "A map of images to be imported on this host"
+  type = map(object({
+    remote       = string
+    architecture = optional(string)
+  }))
+  default = {}
+}
+
+variable "networks" {
+  description = "A map of networks to be imported on this host"
+  type = map(object({
+    type   = string
+    config = optional(map(string))
+  }))
+  default = {}
+}
+
+variable "profiles" {
+  description = "A map of profiles to be imported on this host"
+  type = map(object({
+    description = optional(string, null)
+    project     = optional(string, null)
+    config      = optional(map(string), {})
+    devices = optional(list(object({
+      name       = string
+      type       = string
+      properties = optional(map(string))
+      network    = optional(string)
+    })), [])
+  }))
+  default = {}
+}
+
+variable "storage_pools" {
+  description = "A map of storage pools to be created on this host"
+  type = map(object({
+    driver      = string                    # Required
+    description = optional(string, null)    # Optional
+    project     = optional(string, null)    # Optional
+    config      = optional(map(string), {}) # Optional
+  }))
+  default = {}
+}
+
+variable "storage_volumes" {
+  description = "A map of storage volumes to be created on this host"
+  type = map(object({
+    pool         = string                         # Required
+    description  = optional(string, null)         # Optional
+    type         = optional(string, "custom")     # Optional
+    content_type = optional(string, "filesystem") # Optional
+    config       = optional(map(string), {})      # Optional
+  }))
+  default = {}
+}
diff --git a/modules/profile/main.tf b/modules/profile/main.tf
new file mode 100644
index 0000000..fadebf9
--- /dev/null
+++ b/modules/profile/main.tf
@@ -0,0 +1,15 @@
+resource "incus_profile" "this" {
+  name        = var.name
+  description = var.description
+  project     = var.project
+  config      = var.config
+
+  dynamic "device" {
+    for_each = var.devices
+    content {
+      name       = device.value.name
+      type       = device.value.type
+      properties = device.value.properties
+    }
+  }
+}
diff --git a/modules/profile/outputs.tf b/modules/profile/outputs.tf
new file mode 100644
index 0000000..5bf3b65
--- /dev/null
+++ b/modules/profile/outputs.tf
@@ -0,0 +1,4 @@
+output "name" {
+  description = "Name of the created Incus profile"
+  value       = incus_profile.this.name
+}
diff --git a/modules/profile/variables.tf b/modules/profile/variables.tf
new file mode 100644
index 0000000..802c00c
--- /dev/null
+++ b/modules/profile/variables.tf
@@ -0,0 +1,37 @@
+variable "name" {
+  description = "Name of the Incus profile"
+  type        = string
+}
+
+variable "description" {
+  description = "Optional description of the profile"
+  type        = string
+  default     = null
+}
+
+variable "project" {
+  description = "Project where the profile will be created"
+  type        = string
+  default     = null
+}
+
+variable "config" {
+  description = "Map of Incus profile configuration settings"
+  type        = map(string)
+  default     = {}
+}
+
+variable "devices" {
+  description = <<EOT
+List of device blocks. Each device is a map with:
+  - name (string)
+  - type (string)
+  - properties (map(string))
+EOT
+  type = list(object({
+    name       = string
+    type       = string
+    properties = map(string)
+  }))
+  default = []
+}
diff --git a/modules/profile/versions.tf b/modules/profile/versions.tf
new file mode 100644
index 0000000..76d5b5b
--- /dev/null
+++ b/modules/profile/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+  }
+}
diff --git a/modules/project/main.tf b/modules/project/main.tf
new file mode 100644
index 0000000..f724c99
--- /dev/null
+++ b/modules/project/main.tf
@@ -0,0 +1,33 @@
+resource "incus_project" "this" {
+  name        = var.name
+  description = var.description
+
+  config = {
+    # Features
+    "features.images"          = var.features_images
+    "features.networks"        = var.features_networks
+    "features.networks.zones"  = var.features_networks_zones
+    "features.profiles"        = var.features_profiles
+    "features.storage.buckets" = var.features_storage_buckets
+    "features.storage.volumes" = var.features_storage_volumes
+
+    # Limits
+    "limits.containers"       = var.limits_containers
+    "limits.cpu"              = var.limits_cpu
+    "limits.disk"             = var.limits_disk
+    "limits.instances"        = var.limits_instances
+    "limits.memory"           = var.limits_memory
+    "limits.networks"         = var.limits_networks
+    "limits.processes"        = var.limits_processes
+    "limits.virtual-machines" = var.limits_virtual_machines
+  }
+
+  # Dynamic block for per-pool disk limits, if defined
+  dynamic "config" {
+    for_each = var.limits_disk_pool
+    content {
+      key   = "limits.disk.pool.${config.key}"
+      value = config.value
+    }
+  }
+}
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
new file mode 100644
index 0000000..59602a7
--- /dev/null
+++ b/modules/project/outputs.tf
@@ -0,0 +1,4 @@
+output "name" {
+  description = "The name of the project"
+  value       = incus_project.this.name
+}
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
new file mode 100644
index 0000000..4744bac
--- /dev/null
+++ b/modules/project/variables.tf
@@ -0,0 +1,88 @@
+variable "limits_containers" {
+  description = "Maximum number of containers that can be created in the project"
+  type        = number
+}
+
+variable "limits_cpu" {
+  description = "Maximum number of CPUs to use in the project. This value is the maximum of the sum of individual instance CPU limits."
+  type        = number
+}
+
+variable "limits_disk" {
+  description = "Maximum disk space used by the project. This includes all instance volumes, custom volumes, and images."
+  type        = string
+}
+
+variable "limits_disk_pool" {
+  description = <<EOT
+Map of storage pool names to disk space limits for each pool.
+Each key is a POOL_NAME and the value is the maximum aggregate disk space used on that pool.
+Example:
+{
+  "default" = "50GB"
+  "ssd"     = "100GB"
+}
+EOT
+  type        = map(string)
+}
+
+variable "limits_instances" {
+  description = "Maximum number of instances that can be created in the project"
+  type        = number
+}
+
+variable "limits_memory" {
+  description = "Usage limit for the host’s memory for the project. Sum of individual memory limits on instances."
+  type        = string
+}
+
+variable "limits_networks" {
+  description = "Maximum number of networks that the project can have"
+  type        = number
+}
+
+variable "limits_processes" {
+  description = "Maximum number of processes within the project. This is the sum of the limits.processes on all instances."
+  type        = number
+}
+
+variable "limits_virtual_machines" {
+  description = "Maximum number of virtual machines that can be created in the project"
+  type        = number
+}
+
+variable "features_images" {
+  description = "Whether to use a separate set of images for the project (initial value: true)"
+  type        = bool
+  default     = false
+}
+
+variable "features_networks" {
+  description = "Whether to use a separate set of networks for the project (initial value: false)"
+  type        = bool
+  default     = false
+}
+
+variable "features_networks_zones" {
+  description = "Whether to use a separate set of network zones for the project (initial value: false)"
+  type        = bool
+  default     = false
+}
+
+variable "features_profiles" {
+  description = "Whether to use a separate set of profiles for the project (initial value: true)"
+  type        = bool
+  default     = false
+}
+
+variable "features_storage_buckets" {
+  description = "Whether to use a separate set of storage buckets for the project (initial value: true)"
+  type        = bool
+  default     = false
+}
+
+variable "features_storage_volumes" {
+  description = "Whether to use a separate set of storage volumes for the project (initial value: true)"
+  type        = bool
+  default     = false
+}
diff --git a/modules/storage_pool/main.tf b/modules/storage_pool/main.tf
new file mode 100644
index 0000000..5200ec0
--- /dev/null
+++ b/modules/storage_pool/main.tf
@@ -0,0 +1,7 @@
+resource "incus_storage_pool" "this" {
+  name        = var.name
+  driver      = var.driver
+  description = var.description
+  project     = var.project
+  config      = var.config
+}
diff --git a/modules/storage_pool/outputs.tf b/modules/storage_pool/outputs.tf
new file mode 100644
index 0000000..515d9b7
--- /dev/null
+++ b/modules/storage_pool/outputs.tf
@@ -0,0 +1,9 @@
+output "name" {
+  description = "Name of the storage pool"
+  value       = incus_storage_pool.this.name
+}
+
+output "driver" {
+  description = "Driver used by the storage pool"
+  value       = incus_storage_pool.this.driver
+}
diff --git a/modules/storage_pool/variables.tf b/modules/storage_pool/variables.tf
new file mode 100644
index 0000000..8a29295
--- /dev/null
+++ b/modules/storage_pool/variables.tf
@@ -0,0 +1,31 @@
+variable "name" {
+  description = "Name of the storage pool."
+  type        = string
+}
+
+variable "driver" {
+  description = "Storage Pool driver. Must be one of dir, zfs, lvm, btrfs, ceph, cephfs, or cephobject."
+  type        = string
+  validation {
+    condition     = contains(["dir", "zfs", "lvm", "btrfs", "ceph", "cephfs", "cephobject"], var.driver)
+    error_message = "Invalid driver. Must be one of: dir, zfs, lvm, btrfs, ceph, cephfs, or cephobject."
+  }
+}
+
+variable "description" {
+  description = "Description of the storage pool."
+  type        = string
+  default     = null
+}
+
+variable "config" {
+  description = "Map of key/value pairs for storage pool config."
+  type        = map(string)
+  default     = {}
+}
+
+variable "project" {
+  description = "Name of the project where the storage pool will be stored."
+  type        = string
+  default     = null
+}
diff --git a/modules/storage_pool/versions.tf b/modules/storage_pool/versions.tf
new file mode 100644
index 0000000..76d5b5b
--- /dev/null
+++ b/modules/storage_pool/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+  }
+}
diff --git a/modules/storage_volume/main.tf b/modules/storage_volume/main.tf
new file mode 100644
index 0000000..444323c
--- /dev/null
+++ b/modules/storage_volume/main.tf
@@ -0,0 +1,8 @@
+resource "incus_storage_volume" "this" {
+  name         = var.name
+  pool         = var.pool
+  type         = var.type
+  config       = var.config
+  description  = var.description
+  content_type = var.content_type
+}
diff --git a/modules/storage_volume/outputs.tf b/modules/storage_volume/outputs.tf
new file mode 100644
index 0000000..b694d9d
--- /dev/null
+++ b/modules/storage_volume/outputs.tf
@@ -0,0 +1,4 @@
+output "name" {
+  description = "Name of the storage volume"
+  value       = incus_storage_volume.this.name
+}
diff --git a/modules/storage_volume/variables.tf b/modules/storage_volume/variables.tf
new file mode 100644
index 0000000..a769549
--- /dev/null
+++ b/modules/storage_volume/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+  description = "Name of the storage volume."
+  type        = string
+}
+
+variable "pool" {
+  description = "Name of storage pool to host the volume."
+  type        = string
+}
+
+variable "description" {
+  description = "Description of the volume."
+  type        = string
+  default     = null
+}
+
+variable "type" {
+  description = "The 'type' of volume. Default is 'custom'."
+  type        = string
+  default     = "custom"
+}
+
+variable "content_type" {
+  description = "Volume content type. Either 'filesystem' or 'block'."
+  type        = string
+  default     = "filesystem"
+}
+
+variable "config" {
+  description = "Map of key/value pairs of volume config settings. Varies by storage pool."
+  type        = map(string)
+  default     = {}
+}
diff --git a/modules/storage_volume/versions.tf b/modules/storage_volume/versions.tf
new file mode 100644
index 0000000..76d5b5b
--- /dev/null
+++ b/modules/storage_volume/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = "0.3.1"
+    }
+  }
+}
diff --git a/templates/base/boilerplate.yml b/templates/base/boilerplate.yml
new file mode 100644
index 0000000..2962b28
--- /dev/null
+++ b/templates/base/boilerplate.yml
@@ -0,0 +1,130 @@
+variables:
+  - name: description
+    description: Which is this instance for?
+    order: 0
+    type: string
+    default: Standard-Server
+    validations:
+      - required
+      - length-5-22
+
+  - name: node
+    description: Which Incus node for this instance?
+    order: 1
+    type: enum
+    options:
+      - prodnxsr0009
+      - prodnxsr0010
+      - prodnxsr0011
+      - prodnxsr0012
+      - prodnxsr0013
+
+  - name: puppet_class
+    description: Which puppet role for this instance?
+    order: 2
+    type: enum
+    default: roles::base
+    options:
+      - roles::apps::jupyter::hub
+      - roles::apps::media::jellyfin
+      - roles::apps::media::lidarr
+      - roles::apps::media::nzbget
+      - roles::apps::media::prowlarr
+      - roles::apps::media::radarr
+      - roles::apps::media::readarr
+      - roles::apps::media::sonarr
+      - roles::apps::music::gonic
+      - roles::base
+      - roles::ceph::mds
+      - roles::ceph::mon
+      - roles::ceph::rgw
+      - roles::infra::auth::glauth
+      - roles::infra::auth::openldap
+      - roles::infra::automation::rundeck
+      - roles::infra::cobbler::server
+      - roles::infra::db::redis
+      - roles::infra::dhcp::server
+      - roles::infra::dns::master
+      - roles::infra::dns::resolver
+      - roles::infra::droneci::runner
+      - roles::infra::droneci::server
+      - roles::infra::etcd::node
+      - roles::infra::git::gitea
+      - roles::infra::git::runner
+      - roles::infra::halb::haproxy
+      - roles::infra::incus::imagehost
+      - roles::infra::incus::node
+      - roles::infra::k8s::controller
+      - roles::infra::k8s::etcd
+      - roles::infra::k8s::worker
+      - roles::infra::metrics::grafana
+      - roles::infra::metrics::prometheus
+      - roles::infra::nomad::agent
+      - roles::infra::nomad::agentv2
+      - roles::infra::nomad::server
+      - roles::infra::ntp::server
+      - roles::infra::ovirt::engine
+      - roles::infra::ovirt::node
+      - roles::infra::pki::certbot
+      - roles::infra::proxmox::node
+      - roles::infra::proxy::jumphost
+      - roles::infra::proxy::squid
+      - roles::infra::puppet::master
+      - roles::infra::puppetboard::server
+      - roles::infra::puppetdb::api
+      - roles::infra::puppetdb::sql
+      - roles::infra::reposync::syncer
+      - roles::infra::sql::galera
+      - roles::infra::sql::patroni
+      - roles::infra::storage::consul
+      - roles::infra::storage::edgecache
+      - roles::infra::storage::minio
+      - roles::infra::storage::vault
+
+  - name: disksize
+    description: Root disk capacity in GB?
+    order: 3
+    type: enum
+    default: "10"
+    options:
+      - "10"
+      - "20"
+      - "30"
+
+  - name: primarynet
+    description: Primary network zone?
+    order: 4
+    type: enum
+    default: com1
+    options:
+      - com1
+      - dmz1
+      - wan1
+
+  - name: resourcegroup
+    description: Cores and Memory
+    order: 5
+    type: enum
+    default: 2core2048
+    options:
+      - 2core2048
+      - 2core4096
+      - 4core4096
+      - 4core8192
+
+  - name: datadisk
+    description: Add a data disk?
+    order: 6
+    type: bool
+    default: false
+
+  - name: datadisksize
+    description: Data disk size (GB, between 10 and 200)
+    order: 7
+    type: int
+    default: 50
+    validation:
+      min: 10
+      max: 200
+    when: "{{ datadisk }}"
+
diff --git a/templates/base/config.yaml b/templates/base/config.yaml
new file mode 100644
index 0000000..1c85d53
--- /dev/null
+++ b/templates/base/config.yaml
@@ -0,0 +1,15 @@
+description: {{.description}}
+cobbler_mgmt_classes:
+  - {{.puppet_class}}
+profiles:
+  - disk{{.disksize}}
+  - net_{{.primarynet}}_eth0
+  - {{.resourcegroup}}
+{{- if .datadisk }}
+storage_volumes:
+  data:
+    pool: fastpool
+    path: /data
+    config:
+      size: {{ .datadisksize }}GB
+{{- end }}
diff --git a/templates/base/terragrunt.hcl b/templates/base/terragrunt.hcl
new file mode 100644
index 0000000..c5de8dd
--- /dev/null
+++ b/templates/base/terragrunt.hcl
@@ -0,0 +1,52 @@
+locals {
+  node_name     = "{{.node}}"
+  config_common     = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
+  config_specific   = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
+  config            = merge(local.config_common, local.config_specific)
+  instance_name     = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+  {
+    name = local.instance_name
+  },
+  local.config
+)
+
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+}
+
+include "instances" {
+  path   = find_in_parent_folders("instances.hcl")
+  expose = true
+  merge_strategy = "deep"
+}
+
+dependencies {
+  paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
+}
+
+terraform {
+  source = "${get_repo_root()}/modules/instance"
+}
+
+generate "incus" {
+  path      = "incus.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<-EOF
+    provider "incus" {
+      generate_client_certificates = true
+      accept_remote_certificate    = true
+
+      remote {
+        name    = "${basename(get_terragrunt_dir())}"
+        scheme  = "https"
+        address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
+        port    = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
+        token   = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
+        default = true
+      }
+    }
+  EOF
+}
diff --git a/templates/config.yaml b/templates/config.yaml
new file mode 100644
index 0000000..e710e61
--- /dev/null
+++ b/templates/config.yaml
@@ -0,0 +1,7 @@
+description: Base-Server
+cobbler_mgmt_classes:
+  - roles::base
+profiles:
+  - disk10
+  - net_com1_eth0
+  - 2core1024