added pfsense provider for automating static ip setup
Deploy Proxmox Infra / Pulumi Preview (pull_request) Failing after 12s
Deploy Proxmox Infra / Pulumi Deploy (pull_request) Has been skipped

2026-06-01 00:51:22 +02:00
parent e09ec50687
commit 136e6c9eec
7 changed files with 147 additions and 21 deletions
+26 -5
@@ -19,7 +19,9 @@ This repo is intentionally abstract: credentials are never hardcoded, making it
├── proxmox-infra/ # Pulumi TypeScript stack — VMs & LXC on Proxmox
│ ├── index.ts # All Pulumi resources
│ ├── Pulumi.yaml # Stack project definition
── Pulumi.dev.yaml # Encrypted stack config (gitignored)
── Pulumi.dev.yaml # Encrypted stack config (gitignored)
│ └── sdks/
│ └── pfsense/ # Locally bundled @pulumi/pfsense SDK
├── .gitea/
│ └── workflows/
│ └── deploy-proxmox-infra.yaml # Gitea Actions CI/CD pipeline
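Review bot: The new `sdks/pfsense/` entry describes a "Locally bundled @pulumi/pfsense SDK" but nothing in this hunk (or the later README note) records which upstream version of the Terraform pfSense provider the SDK was bridged from or how it was generated. Add one line next to the tree entry with the pinned upstream version and the regeneration command, so a reviewer can diff the vendored code against upstream instead of trusting an opaque directory.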
@@ -37,12 +39,16 @@ Provisions a 5-node k3s cluster spread across two Proxmox hosts (`pve` and `pve-
| k3s-master-3 | master | pve-bckp |
| k3s-worker-2 | worker | pve-bckp |
Each node is a full clone of an Ubuntu Noble (24.04) cloud-image template, with cloud-init injecting hostname, user credentials, and SSH key at boot.
Each node is a full clone of an Ubuntu Noble (24.04) cloud-image template, with cloud-init injecting hostname, user credentials, and SSH keys at boot. Each VM's MAC address is registered as a DHCPv4 static mapping in pfSense so that nodes always receive their designated IPs.
An ED25519 SSH key pair is generated once and stored in Pulumi state. The public key is injected into every VM at boot; the private key is exported as a stack output so `k8s-bootstrap` can consume it via StackReference without any manual key distribution.
**Tech stack:**
- [Pulumi](https://www.pulumi.com/) with TypeScript
- [`@muhlba91/pulumi-proxmoxve`](https://github.com/muhlba91/pulumi-provider-proxmoxve) v8.x community provider
- [`@pulumi/pfsense`](https://github.com/marshallford/terraform-provider-pfsense) — locally bundled SDK bridged from the Terraform pfSense provider; installed automatically via `npm install`
- [`@pulumi/tls`](https://www.pulumi.com/registry/packages/tls/) — SSH key pair generation
- Self-hosted Pulumi state backend (PostgreSQL)
- Gitea Actions for CI/CD
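Review bot: The added sentence claims nodes "always receive their designated IPs" because each VM's MAC is registered as a DHCPv4 static mapping, but it does not say where the MAC comes from. If Proxmox generates the MAC on clone, state that the mapping is derived from the created VM resource (so a recreated VM gets a fresh mapping) or that the MAC is fixed in config; otherwise a stale mapping leaves a node on an unexpected address without any error. Also, a reader will take the `@pulumi/` scope as an official package; since the tech-stack bullet already says the SDK is locally bundled and bridged, consider naming it as such in the package entry to avoid confusion with Pulumi's registry.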
@@ -51,6 +57,7 @@ Each node is a full clone of an Ubuntu Noble (24.04) cloud-image template, with
- [Pulumi CLI](https://www.pulumi.com/docs/install/) installed
- Node.js 18+ and npm
- Access to a Proxmox node with an API token
- pfSense instance with API credentials (used for DHCPv4 static mappings)
- A self-hosted Pulumi state backend (PostgreSQL connection string)
- Gitea instance for CI/CD (optional for local use)
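Review bot: The new prerequisite says "pfSense instance with API credentials", but the configuration section of this README asks for `<admin-username>` / `<admin-password>`. Specify the minimum privilege the account actually needs for DHCPv4 static mappings (a dedicated user rather than the admin account, if the provider supports it) and whether any pfSense-side setting must be enabled first, so users do not hand the stack a full admin login by default.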
@@ -64,20 +71,34 @@ cd proxmox-infra
npm install
```
> **pfSense SDK** — The `@pulumi/pfsense` SDK is bundled locally under `sdks/pfsense/` and referenced as a `file:` dependency in `package.json`. Running `npm install` compiles it automatically via its postinstall hook. No separate installation or build step is required.
### 2. Configure credentials
All secrets are stored as encrypted Pulumi config values — never in plain environment variables or committed files.
```bash
# Set Proxmox API credentials
# Proxmox API credentials
pulumi config set --secret pve1Endpoint https://<proxmox-host-1>:8006
pulumi config set --secret pve1ApiToken <user>@pam!<token-id>=<uuid>
pulumi config set --secret pve2Endpoint https://<proxmox-host-2>:8006
pulumi config set --secret pve2ApiToken <user>@pam!<token-id>=<uuid>
# Set VM credentials
# VM credentials
pulumi config set --secret k3sVmPassword <vm-password>
pulumi config set --secret sshPvePublicKey "ssh-ed25519 AAAA..."
# pfSense credentials (used for DHCPv4 static mappings)
pulumi config set --secret pfSenseUrl https://<pfsense-host>
pulumi config set --secret pfSenseUser <admin-username>
pulumi config set --secret pfSensePassword <admin-password>
# Static IP addresses assigned to each k3s node
pulumi config set --secret master1Ip <ip-for-k3s-master-1>
pulumi config set --secret master2Ip <ip-for-k3s-master-2>
pulumi config set --secret worker1Ip <ip-for-k3s-worker-1>
pulumi config set --secret master3Ip <ip-for-k3s-master-3>
pulumi config set --secret worker2Ip <ip-for-k3s-worker-2>
```
Pulumi encrypts these values into `Pulumi.dev.yaml` using your `PULUMI_CONFIG_PASSPHRASE`.
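Review bot: `pulumi config set --secret pfSenseUrl https://<pfsense-host>` needs a sentence on certificate verification: pfSense installations commonly run with a self-signed certificate, and without guidance users tend to disable verification, which defeats the point of storing the admin password as a secret. Document how the bridged provider validates the pfSense certificate (e.g. trusting a CA-signed or pinned certificate) rather than leaving that to trial and error. Separately, this block still sets `sshPvePublicKey` while the README text above states that an ED25519 key pair is generated and stored in Pulumi state; clarify whether this config value is still consumed or should be removed.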
@@ -140,7 +161,7 @@ base64 -w 0 proxmox-infra/Pulumi.dev.yaml
- LXC container management
- Docker / Compose stack provisioning
- Network and firewall rules
- Firewall rules (pfSense)
- Automated k3s bootstrapping (kubeconfig export)
- Additional worker nodes and storage volumes
- Migrate secrets management to [OpenBao](https://openbao.org/) — replace `PULUMI_CONFIG_PASSPHRASE` and manual `Pulumi.dev.yaml` encoding with a self-hosted vault