DevOps
Terraform for NetBSD VMs and Cross-Platform Labs
Provision NetBSD VMs with Terraform on Proxmox, KVM, and Xen for cross-platform testing, embedded simulation, and portability research.
1 min read
DevOps
Terraform for OpenBSD VMs on AWS, Vultr, and Proxmox
Provision OpenBSD VMs with Terraform: AWS EC2 unofficial AMIs, Vultr official images, Proxmox install, and pf firewall bootstrap.
LLuca Berton1 min read
OpenBSD remains the security-first BSD of choice in 2026 for firewalls, mail, and minimal-trust services. Cloud images are scarcer than Linux — Vultr ships official OpenBSD images, AWS does not. Most teams use Proxmox or Vultr for OpenBSD, with Terraform provisioning the VMs and pf via cloud-init or provisioner "remote-exec".
Vultr (Easiest)
#terraform {
required_providers {
vultr = { source = "vultr/vultr", version = "~> 2.21" }
}
}
data "vultr_os" "openbsd" {
filter {
name = "name"
values = ["OpenBSD 7.6 x64"]
}
}
resource "vultr_instance" "fw" {
plan = "vc2-1c-1gb"
region = "ewr"
os_id = data.vultr_os.openbsd.id
hostname = "openbsd-fw"
ssh_key_ids = [vultr_ssh_key.me.id]
}Proxmox (with Custom ISO)
#resource "proxmox_virtual_environment_vm" "openbsd" {
name = "openbsd-fw"
node_name = "pve1"
cpu { cores = 2 }
memory { dedicated = 2048 }
disk {
datastore_id = "local-lvm"
interface = "virtio0"
size = 16
}
cdrom {
enabled = true
file_id = "local:iso/OpenBSD-7.6-amd64.iso"
}
network_device { bridge = "vmbr0" }
}pf Firewall via remote-exec
#resource "null_resource" "pf" {
triggers = { instance = vultr_instance.fw.id }
connection {
type = "ssh"
user = "root"
private_key = file("~/.ssh/id_ed25519")
host = vultr_instance.fw.main_ip
}
provisioner "file" {
source = "${path.module}/pf.conf"
destination = "/etc/pf.conf"
}
provisioner "remote-exec" {
inline = ["pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf"]
}
}Best Practices
#- Don't hunt for AWS AMIs — Vultr / Proxmox / DigitalOcean are friendlier.
- Pre-bake images with vmctl when running OpenBSD on KVM at scale.
- Use
pf.conffrom version control — that's the actual security boundary. - Match release exactly: OpenBSD upgrades are manual; treat each release as a new image.
Related
##Terraform#OpenBSD#Security#pf#Vultr
Related articles
DevOps
Terraform for Digital Provenance: C2PA Content Signing on AWS
Provision digital provenance and C2PA content signing infrastructure with Terraform: certificate authorities, signing services, ledgers, and verification APIs.
2 min read
Terraform
Terraform Sentinel Policies - Policy as Code
Enforce governance with Terraform Sentinel policies. Cost controls, security guardrails, compliance rules, and custom policy sets for Terraform Cloud and...
2 min read
Terraform
Terraform with HashiCorp Vault - Secrets Management
Integrate Terraform with HashiCorp Vault for secrets management. Read secrets, dynamic credentials, AWS/database secret engines, and AppRole authentication.
2 min read