diff --git a/forgejo/main.tf b/forgejo/main.tf
deleted file mode 100644
index 4c6ee5b..0000000
--- a/forgejo/main.tf
+++ /dev/null
@@ -1,67 +0,0 @@
-terraform {
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- version = "0.7.6"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu:///system"
-}
-
-resource "libvirt_volume" "fcos" {
- name = "fcos"
- pool = "default"
- source = "fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2"
- format = "qcow2"
-}
-resource "libvirt_volume" "forgejo_rootfs" {
- name = "forgejo_rootfs"
- base_volume_id = libvirt_volume.fcos.id
-}
-
-resource "libvirt_volume" "data" {
- name = "data.qcow2"
- pool = "default"
- size = 354334801920
- format = "qcow2"
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "libvirt_ignition" "ign" {
- name = "service.ign"
- content = "service.ign"
-}
-
-resource "libvirt_domain" "default" {
- name = "forgejo"
- autostart = true
- memory = "2048"
- vcpu = 2
-
- coreos_ignition = libvirt_ignition.ign.id
-
- disk {
- volume_id = "${libvirt_volume.forgejo_rootfs.id}"
- }
- disk {
- volume_id = "${libvirt_volume.data.id}"
- }
- network_interface {
- network_name = "default"
- hostname = "forgejo"
- addresses = ["192.168.122.150"]
- mac = "A6:3A:5E:C4:5A:C3"
- wait_for_lease = true
- }
- console {
- type = "pty"
- target_port = "0"
- target_type = "virtio"
- source_path = "/dev/pts/24"
- }
-}
diff --git a/kanidm/app.ini b/ignition/forgejo/app.ini
similarity index 98%
rename from kanidm/app.ini
rename to ignition/forgejo/app.ini
index a885629..f8e8190 100644
--- a/kanidm/app.ini
+++ b/ignition/forgejo/app.ini
@@ -83,7 +83,7 @@ ENABLED = false
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
-WHITELISTED_URIS = id.hklbgd.org
+WHITELISTED_URIS = kanidm.hklbgd.org
 
 [cron.update_checker]
 ENABLED = false
diff --git a/forgejo/service.bu b/ignition/forgejo/service.bu
similarity index 100%
rename from forgejo/service.bu
rename to ignition/forgejo/service.bu
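Review bot: The new `WHITELISTED_URIS = kanidm.hklbgd.org` does not match the name this commit gives the kanidm guest in tofu/main.tf, where `hostname = "id.${module.network.domain}"` with `domain = "hklbgd.org"` yields `id.hklbgd.org`. The deleted kanidm/main.tf had the reverse mismatch (hostname `kanidm.hklbgd.org`, app.ini `id.hklbgd.org`), so the move swapped both sides without reconciling them. Since this setting restricts which OpenID provider URIs Forgejo will accept sign-ins from, a stale value either blocks every login or keeps trusting a name that no longer points at the IdP; if the guest is served as `id.hklbgd.org`, this line should read `WHITELISTED_URIS = id.hklbgd.org`, and the tofu/main.tf hunk should be checked against the same decision.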
diff --git a/ignition/host/proxmox-coreos.bu b/ignition/host/proxmox-coreos.bu
new file mode 100644
index 0000000..c470b7f
--- /dev/null
+++ b/ignition/host/proxmox-coreos.bu
@@ -0,0 +1,61 @@
+variant: fcos
+version: 1.5.0
+passwd:
+ users:
+ - name: vladan
+ ssh_authorized_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga"
+ password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+ groups:
+ - wheel
+ shell: /bin/bash
+ - name: chavi
+ ssh_authorized_keys:
+ - "ssh-rsa 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 ivan@ivan-ThinkPad"
+ password_hash: "$y$j9T$C/reAmIG3L0rGz0jhUSDa.$YLEh/OYaVY2hjYhzcdcrzmkbvyzTGkPp8h3FcvfGDc/"
+ groups:
+ - wheel
+ shell: /bin/bash
+ - name: random
+ ssh_authorized_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga"
+ - "ssh-rsa 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 ivan@ivan-ThinkPad"
+ password_hash: "$y$j9T$qi3pFCD77.Vb8JxbamPgo1$po2Xt0NDCMa1E6evdyRhmyoWBt1no3TLM8FcDvrdDXD"
+ shell: /bin/bash
+storage:
+ disks:
+ - device: /dev/sdb
+ wipe_table: false
+ partitions:
+ - number: 1
+ label: SD_GPT_VAR
+ guid: "4d21b016-b534-45c2-a9fb-5c16e091fd2d"
+ filesystems:
+ - path: /var
+ device: /dev/disk/by-partlabel/SD_GPT_VAR
+ format: xfs
+ wipe_filesystem: false
+ label: var
+ with_mount_unit: true
+ files:
+ - path: /etc/hostname
+ mode: 0644
+ contents:
+ inline: proxmox-coreos
+systemd:
+ units:
+ - name: install-virt.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Layer virt rpm-ostree
+
+ Wants=network-online.target
+ After=network-online.target
+ Before=zincati.service
+ ConditionPathExists=!/usr/sbin/libvirtd
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/rpm-ostree install libvirt qemu
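Review bot: The `password_hash` values for vladan, chavi and random are committed in clear to the repository, and the vladan hash is byte-for-byte the same string used in ignition/kanidm/service.bu, so the hypervisor host and the kanidm guest share one password. Anyone with read access to this repo (or to wherever the rendered .ign ends up) holds material for offline guessing against these yescrypt hashes, and a hit on either file opens both machines, two of these accounts being in `wheel`. Since every user already has an `ssh_authorized_keys` entry, consider dropping `password_hash` altogether (FCOS then leaves the password locked), or at minimum use distinct per-host passwords and template the hashes in at butane time rather than versioning them. Separately, `install-virt.service` runs `rpm-ostree install libvirt qemu` with no reboot step and no `--apply-live`, so the layered packages presumably only become usable after the next reboot; say so in the unit's `Description` or add the reboot if that is the intent.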
diff --git a/kanidm/server.toml b/ignition/kanidm/server.toml
similarity index 100%
rename from kanidm/server.toml
rename to ignition/kanidm/server.toml
diff --git a/kanidm/service.bu b/ignition/kanidm/service.bu
similarity index 89%
rename from kanidm/service.bu
rename to ignition/kanidm/service.bu
index 017842f..e016ec6 100644
--- a/kanidm/service.bu
+++ b/ignition/kanidm/service.bu
@@ -5,7 +5,6 @@ passwd:
 - name: vladan
 ssh_authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEY82J6Za3qkt7N6hZIOMEBeUna1dmsQjFZm3rIQzzz vladan@proxmox-coreos
 password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
 groups:
 - wheel
@@ -13,19 +12,19 @@ passwd:
 storage:
 disks:
 - device: /dev/vdb
- wipe_table: false
+ wipe_table: true
 partitions:
 - number: 1
- label: kanidm
+ label: kanidm-data
 start_mib: 0
 size_mib: 10000
 filesystems:
 - path: /var/lib/kanidm
- device: /dev/disk/by-partlabel/kanidm
+ device: /dev/disk/by-partlabel/kanidm-data
 format: xfs
 label: data
 with_mount_unit: true
- wipe_filesystem: false
+ wipe_filesystem: true
 files:
 - path: /etc/hostname
 mode: 0644
diff --git a/kanidm/main.tf b/kanidm/main.tf
deleted file mode 100644
index 14d1d38..0000000
--- a/kanidm/main.tf
+++ /dev/null
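Review bot: Switching to `wipe_table: true` and `wipe_filesystem: true` on /dev/vdb, the disk mounted at /var/lib/kanidm, means Ignition discards the kanidm database whenever it runs against an already-populated data disk, which is exactly the situation `prevent_destroy = true` on the tofu data volume exists to protect (the deleted redeploy.sh even `state rm`'d that volume so it survived destroy/apply). The relabel from `kanidm` to `kanidm-data` presumably needs one wipe to migrate, but leaving both flags on turns every future re-provision of the VM into a full identity-store reset. Revert to `wipe_table: false` / `wipe_filesystem: false` once the migration has run, or put a comment next to `wipe_table:` stating that this file is only safe for a first provision.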
@@ -1,67 +0,0 @@
-terraform {
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- version = "0.7.6"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu:///system"
-}
-
-resource "libvirt_volume" "fcos" {
- name = "fcos"
- pool = "default"
- source = "fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2"
- format = "qcow2"
-}
-resource "libvirt_volume" "kanidm" {
- name = "kanidm-rootfs.qcow2"
- base_volume_id = libvirt_volume.fcos.id
-}
-
-resource "libvirt_volume" "data" {
- name = "kanidm-data.qcow2"
- pool = "default"
- size = 3221225472
- format = "qcow2"
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "libvirt_ignition" "kanidm" {
- name = "kanidm-service.ign"
- content = "service.ign"
-}
-
-resource "libvirt_domain" "kanidm" {
- name = "kanidm"
- autostart = true
- memory = "2048"
- vcpu = 2
-
- coreos_ignition = libvirt_ignition.kanidm.id
-
- disk {
- volume_id = "${libvirt_volume.kanidm.id}"
- }
- disk {
- volume_id = "${libvirt_volume.data.id}"
- }
- network_interface {
- network_name = "default"
- hostname = "kanidm.hklbgd.org"
- addresses = ["192.168.122.110"]
- mac = "56:FA:7E:C9:6A:E9"
- wait_for_lease = true
- }
- console {
- type = "pty"
- target_port = "0"
- target_type = "virtio"
- source_path = "/dev/pts/25"
- }
-}
diff --git a/redeploy.sh b/redeploy.sh
deleted file mode 100755
index 9f56533..0000000
--- a/redeploy.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -xe
-
-[[ -z $1 ]] && echo "must provide service path" && exit 1
-pushd $1
-podman run --interactive --rm -v $PWD:/data quay.io/coreos/butane --files-dir /data --pretty --strict < service.bu > service.ign
-tofu state rm libvirt_volume.data 2>/dev/null || echo "data volume not provisioned ... continuing"
-tofu destroy
-tofu apply
-popd
diff --git a/tofu/main.tf b/tofu/main.tf
new file mode 100644
index 0000000..4c8d10a
--- /dev/null
+++ b/tofu/main.tf
@@ -0,0 +1,57 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.6"
+ }
+ }
+}
+
+provider "libvirt" {
+ uri = "qemu+ssh://vladan@10.4.4.201/system"
+ # uri = "qemu:///system"
+}
+
+module "network" {
+ source = "./network"
+ domain = "hklbgd.org"
+ subnet = ["10.117.3.0/24"]
+}
+
+module "storage" {
+ source = "./storage"
+}
+
+module "kanidm_vm" {
+ source = "./service-vm"
+ domain_name = "kanidm"
+ domain_memory = "4096"
+ domain_vcpu = 2
+ domain_pool = module.storage.pool
+ domain_base_volume_id = module.storage.base_volume_id
+ domain_data_volume_size = 322122547200 # 300GB
+ domain_ignition_path = "../ignition/kanidm/service.ign"
+ domain_network = {
+ network_id = module.network.id
+ hostname = "id.${module.network.domain}"
+ addresses = ["10.117.3.100"]
+ mac_address = "8A:41:86:95:40:35"
+ }
+}
+
+module "forgejo_vm" {
+ source = "./service-vm"
+ domain_name = "forgejo"
+ domain_memory = "4096"
+ domain_vcpu = 2
+ domain_pool = module.storage.pool
+ domain_base_volume_id = module.storage.base_volume_id
+ domain_data_volume_size = 322122547200 # 300GB
+ domain_ignition_path = "../ignition/forgejo/service.ign"
+ domain_network = {
+ network_id = module.network.id
+ hostname = "forge.${module.network.domain}"
+ addresses = ["10.117.3.110"]
+ mac_address = "8A:41:86:11:16:83"
+ }
+}
diff --git a/tofu/network/main.tf b/tofu/network/main.tf
new file mode 100644
index 0000000..74ddb4f
--- /dev/null
+++ b/tofu/network/main.tf
@@ -0,0 +1,31 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.6"
+ }
+ }
+}
+
+resource "libvirt_network" "hklbgd" {
+ name = "hklbgd-guests"
+
+ mode = "nat"
+ domain = var.domain
+ autostart = true
+
+ addresses = var.subnet
+
+ dns {
+ enabled = true
+ local_only = true
+ }
+}
+
+output "id" {
+ value = libvirt_network.hklbgd.id
+}
+
+output "domain" {
+ value = var.domain
+}
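Review bot: The provider `uri = "qemu+ssh://vladan@10.4.4.201/system"` in tofu/main.tf hard-codes one operator's SSH account and the hypervisor address into the root module, with the local socket left as a commented-out `# uri = "qemu:///system"` to be toggled by hand. Moving it to a `variable "libvirt_uri"` with the local socket as default keeps a personal login out of the committed file and lets another operator apply without editing main.tf. The `# 300GB` comment on both `domain_data_volume_size = 322122547200` lines is off by unit: that value is 300 × 1024³, so `# 300 GiB` is the accurate annotation.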
diff --git a/tofu/network/variables.tf b/tofu/network/variables.tf
new file mode 100644
index 0000000..a7ae26e
--- /dev/null
+++ b/tofu/network/variables.tf
@@ -0,0 +1,9 @@
+variable "subnet" {
+ type = list(string)
+ default = ["10.117.3.0/24"]
+}
+
+variable "domain" {
+ type = string
+ default = "proxmox-coreos.hklbgd.org"
+}
diff --git a/tofu/service-vm/main.tf b/tofu/service-vm/main.tf
new file mode 100644
index 0000000..3625d1c
--- /dev/null
+++ b/tofu/service-vm/main.tf
@@ -0,0 +1,62 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.6"
+ }
+ }
+}
+
+resource "libvirt_volume" "rootfs" {
+ name = "${var.domain_name}-rootfs.qcow2"
+ pool = var.domain_pool
+ base_volume_id = var.domain_base_volume_id
+}
+
+resource "libvirt_volume" "data" {
+ name = "${var.domain_name}-data.qcow2"
+ pool = var.domain_pool
+ size = var.domain_data_volume_size
+ format = "qcow2"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "libvirt_ignition" "ign" {
+ name = "${var.domain_name}-service.ign"
+ pool = var.domain_pool
+ content = "${var.domain_ignition_path}"
+}
+
+resource "libvirt_domain" "service" {
+ name = var.domain_name
+ autostart = true
+ memory = var.domain_memory
+ vcpu = var.domain_vcpu
+
+ coreos_ignition = libvirt_ignition.ign.id
+
+ disk {
+ volume_id = libvirt_volume.rootfs.id
+ }
+ disk {
+ volume_id = libvirt_volume.data.id
+ }
+ network_interface {
+ network_id = var.domain_network.network_id
+ hostname = var.domain_network.hostname
+ addresses = var.domain_network.addresses
+ mac = var.domain_network.mac_address
+ wait_for_lease = true
+ }
+ console {
+ type = "pty"
+ target_port = "0"
+ target_type = "serial"
+ }
+ graphics {
+ type = "spice"
+ }
+}
diff --git a/tofu/service-vm/variables.tf b/tofu/service-vm/variables.tf
new file mode 100644
index 0000000..74f48be
--- /dev/null
+++ b/tofu/service-vm/variables.tf
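Review bot: `content = "${var.domain_ignition_path}"` in `libvirt_ignition.ign` is an interpolation-only string; write `content = var.domain_ignition_path`, as every other attribute in tofu/service-vm/main.tf already does. That same resource is given a path relative to the root module's working directory (`../ignition/<name>/service.ign`) and stores the rendered Ignition, which carries the password hashes from the .bu files, as a volume in `domain_pool` next to the disk images; a comment on `pool = var.domain_pool` saying that the .ign lands in the pool directory, so its permissions matter, would help the next reader. `memory = var.domain_memory` is fed a string (`"4096"`) that the provider has to coerce; declaring `domain_memory` as `type = number` would reject a malformed value at plan time instead.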
@@ -0,0 +1,38 @@
+variable "domain_name" {
+ type = string
+}
+
+variable "domain_memory" {
+ type = string
+ default = "2048"
+}
+
+variable "domain_vcpu" {
+ type = number
+ default = 1
+}
+
+variable "domain_pool" {
+ type = string
+}
+
+variable "domain_base_volume_id" {
+ type = string
+}
+
+variable "domain_data_volume_size" {
+ type = number
+}
+
+variable "domain_ignition_path" {
+ type = string
+}
+
+variable "domain_network" {
+ type = object({
+ network_id = string
+ hostname = string
+ addresses = list(string)
+ mac_address = string
+ })
+}
diff --git a/tofu/storage/main.tf b/tofu/storage/main.tf
new file mode 100644
index 0000000..008032b
--- /dev/null
+++ b/tofu/storage/main.tf
@@ -0,0 +1,28 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.6"
+ }
+ }
+}
+
+resource "libvirt_pool" "hklbgd" {
+ name = "hklbgd-guests"
+ type = "dir"
+ path = "/var/lib/libvirt/guest_images"
+}
+
+resource "libvirt_volume" "fcos" {
+ name = "fedora-coreos-39.20240210.3.0-qemu.x86_64.qcow2"
+ pool = libvirt_pool.hklbgd.name
+ format = "qcow2"
+}
+
+output "pool" {
+ value = libvirt_pool.hklbgd.name
+}
+
+output "base_volume_id" {
+ value = libvirt_volume.fcos.id
+}
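Review bot: `libvirt_volume.fcos` in tofu/storage/main.tf has no `source`, unlike the per-service main.tf files this commit deletes, which pointed the base volume at `fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2`; as written the provider has nothing to populate the volume from, so unless an image of exactly that name is already placed in /var/lib/libvirt/guest_images by hand, the `base_volume_id` both guests are built on presumably refers to an empty volume. Add `source = <PLACEHOLDER: path or URL of the 39.20240210.3.0 qcow2>`, or state in a comment that the image is pre-seeded out of band, so the dependency is visible to whoever applies this next. Separately, none of the eight `variable` blocks in tofu/service-vm/variables.tf carries a `description`; a one-liner on each, at least recording that `domain_data_volume_size` is in bytes and that `domain_ignition_path` is resolved relative to the root module's working directory, would document the module interface.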