diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 40dde1e1..48afabab 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -100,3 +100,25 @@ provider "registry.terraform.io/hashicorp/random" {
     "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0",
   ]
 }
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc04"
+  constraints = "3.0.2-rc04"
+  hashes = [
+    "h1:8tyqYSoNfrqIh0ICT7abFOQVcyGGXry2qFCJVMoc4TE=",
+    "zh:00586a3e02061734f5ff4c309696ec1bbd6e00a7ed1281c44626f02929417f6e",
+    "zh:05af12aababd0a67a95309a803123f3c238b16ecdb73dc59c8d9c3d4a0b691c5",
+    "zh:4b6457bd0138f5c66c8b7043bdbffe3b8abcce2383293d77f653dbd77d14428f",
+    "zh:7b1b6e76d6b03c7829b8dadeb30de236782be314f5146d9f29ee12bd01961d7a",
+    "zh:87c21e0a8244b73c62ad3221773ec1c72fb918e0025b0664183a8ad8bebeb5bc",
+    "zh:954997c550285dfc167977683b97b045dd62923c251fad32c4ca81b564c2005f",
+    "zh:98781ef0199877580256e9f9a7f0666107f76af23f54f67d6392a66a6f5001b5",
+    "zh:9fc4dbd1752e2b9125223be2dd25597c0e6d534aa784c4829af3c3e3e58eb973",
+    "zh:a3f672019aee2d45c202668b95c48113e3c50001b740bd48956738ad1418c6b7",
+    "zh:a539852a4034132442e6dc6f644444994d83b0dc7a4d30bbe6464de420cfdf2d",
+    "zh:aade0b50a559a1da683c49ec8527e5e66b12ed42d4b1f10e69b25cbbf6c67805",
+    "zh:bdb7c2b78cfe039247948fa75fad49f871f8a8bb9b969aec4c45a24edc80ab0f",
+    "zh:c16209a6748f87a379a5a3132ca4f471a4807bd478664499593e09433ba39b7b",
+    "zh:cb015fb4a0a50d151c35c6a3505cdf7a337edd0b65eba82a43c8142c523adfb8",
+  ]
+}
diff --git a/main.tf b/main.tf
index 271a7042..e075bbf4 100644
--- a/main.tf
+++ b/main.tf
@@ -114,6 +114,9 @@ variable "onlyoffice_jwt_token" { type = string }
 variable "xray_reality_clients" { type = list(map(string)) }
 variable "xray_reality_private_key" { type = string }
 variable "xray_reality_short_ids" { type = list(string) }
+variable "proxmox_pm_api_url" { type = string }
+variable "proxmox_pm_api_token_id" { type = string }
+variable "proxmox_pm_api_token_secret" { type = string }
 
 
 # data "terraform_remote_state" "foo" {
@@ -137,15 +140,14 @@ provider "helm" {
     config_path = var.prod ? "" : "~/.kube/config"
   }
 }
-# TODO: add DEFCON levels
 
-# provider "proxmox" {
-#   endpoint = "https://10.0.10.105:8006/api2/json"
-#   username = "root@pam"
-#   password = "to-change"
-#   insecure = true
-#   tmp_dir  = "/var/tmp"
-# }
+provider "proxmox" {
+  pm_api_url          = var.proxmox_pm_api_url
+  pm_api_token_id     = var.proxmox_pm_api_token_id
+  pm_api_token_secret = var.proxmox_pm_api_token_secret
+  pm_tls_insecure     = true
+}
+# TODO: add DEFCON levels
 
 # resource "proxmox_virtual_environment_network_linux_vlan" "vlan1" {
 #   node_name = "pve"
@@ -155,43 +157,27 @@ provider "helm" {
 # }
 
 
-# resource "proxmox_vm_qemu" "k8s-master-pve" {
-#   name        = "test"
-#   target_node = "pve"
-#   # iso         = "ubuntu-22.04.3-live-server-amd64.iso"
-#   iso      = "local:iso/ubuntu-22.04.3-live-server-amd64.iso"
-#   agent    = 1
-#   os_type  = "ubuntu"
-#   cores    = 4
-#   sockets  = 1
-#   cpu      = "host"
-#   memory   = 2048
-#   scsihw   = "virtio-scsi-pci"
-#   bootdisk = "scsi0"
-#   disk {
-#     slot = 0
-#     # set disk size here. leave it small for testing because expanding the disk takes time.
-#     size     = "10G"
-#     type     = "scsi"
-#     storage  = "local-lvm"
-#     iothread = 0
-#   }
-# }
-
 # Main module to init infra from
-# module "pxe_server" {
+module "template-vm" {
+  source          = "./modules/create-template-vm"
+  proxmox_host    = "192.168.1.127"
+  proxmox_user    = "root" # SSH user on Proxmox host
+  cloud_image_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img"
+  image_path      = "/var/lib/vz/template/iso/jammy-server-cloudimg-amd64.img"
+  template_id     = 8000
+  template_name   = "ubuntu-2204-cloudinit-template"
+}
+
+# module "pxe-server" {
 #   source  = "./modules/create-vm"
 #   vm_name = "pxe-server"
 #   network = "dManagementVMs"
 #   # provisioner_command = "${var.ansible_prefix} -t linux/pxe-server/add-distro"
 #   provisioner_command = "# no provisioner needed #" # Noop until ubuntu autoinstall is setup
 
-#   vsphere_password = var.vsphere_password
-#   vsphere_user     = var.vsphere_user
-#   vsphere_server   = var.vsphere_server
-#   cdrom_path       = "ISO/ubuntu-server-20.04.1.iso"
-#   vm_disk_size     = 50
-#   vm_mac_address   = "00:50:56:87:4a:2d"
+#   cdrom_path     = "ISO/ubuntu-server-20.04.1.iso"
+#   vm_disk_size   = 50
+#   vm_mac_address = "00:50:56:87:4a:2d"
 # }
 
 # module "k8s_master" {
diff --git a/modules/create-template-vm/main.tf b/modules/create-template-vm/main.tf
new file mode 100644
index 00000000..332d946d
--- /dev/null
+++ b/modules/create-template-vm/main.tf
@@ -0,0 +1,41 @@
+variable "proxmox_host" { type = string }
+variable "proxmox_user" { type = string }
+variable "cloud_image_url" { type = string }
+variable "image_path" { type = string }
+variable "template_id" {
+  type    = number
+  default = 8000
+}
+variable "template_name" { type = string }
+
+# SSH connection to Proxmox
+resource "null_resource" "create_template_remote" {
+  connection {
+    type        = "ssh"
+    user        = var.proxmox_user
+    host        = var.proxmox_host
+    private_key = file("~/.ssh/id_ed25519")
+  }
+
+  # Commands executed *on Proxmox host*
+  provisioner "remote-exec" {
+    inline = [
+      "set -e",
+      # download the cloud image if missing
+      "if [ ! -f ${var.image_path} ]; then wget -O ${var.image_path} ${var.cloud_image_url}; fi",
+      # create template only if not existing
+      "if ! qm status ${var.template_id} >/dev/null 2>&1; then",
+      "  echo 'Creating cloud-init template...';",
+      "  qm create ${var.template_id} --name ${var.template_name} --memory 8192 --cores 8 --net0 virtio,bridge=vmbr0;",
+      "  qm importdisk ${var.template_id} ${var.image_path} local-lvm;",
+      "  qm set ${var.template_id} --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-${var.template_id}-disk-0;",
+      "  qm set ${var.template_id} --ide2 local-lvm:cloudinit;",
+      "  qm set ${var.template_id} --boot c --bootdisk scsi0;",
+      "  qm set ${var.template_id} --serial0 socket --vga serial0;",
+      "  qm template ${var.template_id};",
+      "else",
+      "  echo 'Template ${var.template_id} already exists — skipping.';",
+      "fi"
+    ]
+  }
+}
diff --git a/versions.tf b/versions.tf
index 4c9cc919..9d257088 100644
--- a/versions.tf
+++ b/versions.tf
@@ -38,3 +38,12 @@
 #     }
 #   }
 # }
+
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "3.0.2-rc04"
+    }
+  }
+}