OpenTofu builds the box. Ansible makes it useful.Three Ansible repos cover everything that runs on the provisioned infrastructure: the Proxmox host, the application stack on top, and Splunk Enterprise as a separate concern because of its scale and uptime requirements.
Role map
OpenTofu outputs an inventory; each Ansible role consumes it independently. Ink edges signal control / provisioning hand-off (not data flow).| Role | Repo | What it does |
|---|---|---|
| Host config | Proxmox config | ZFS, networking, users, performance tuning, monitoring agents |
| Apps on hosts | Apps on Proxmox | HAProxy, Cribl Edge, Cribl Stream |
| Splunk install | Splunk install | Splunk Enterprise — indexers, search heads, license, storage tiering |
Repos in this section
ansible-proxmox
Proxmox host config — ZFS, networking, users, hardening.
ansible-proxmox-apps
HAProxy, Cribl Edge, Cribl Stream on VMs and LXCs.
ansible-splunk
Splunk Enterprise — indexers, search heads, license.
Secrets
Doppler is the secrets backend for the Ansible inventories.
DOPPLER_TOKEN resolves project-specific secrets at run time; nothing sensitive lands in git.Where to go next
Infrastructure overview
The OpenTofu side that provisions everything Ansible configures.
tofu-proxmox
How VMs and LXCs are provisioned before Ansible touches them.