██████╗██╗ ██╗██████╗ ███████╗██████╗ ██╗ █████╗ ██████╗
██╔════╝╚██╗ ██╔╝██╔══██╗██╔════╝██╔══██╗██║ ██╔══██╗██╔══██╗
██║ ╚████╔╝ ██████╔╝█████╗ ██████╔╝██║ ███████║██████╔╝
██║ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██╗██║ ██╔══██║██╔══██╗
╚██████╗ ██║ ██████╔╝███████╗██║ ██║███████╗██║ ██║██████╔╝
╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═════╝
[ PROXMOX CYBERLAB INFRA ]---[ IaC | OPS | LAB AUTOMATION | RBAC ]
Infrastructure-as-code and operations repository for a teacher-operated virtual cybersecurity lab built on Proxmox VE.
Proxmox Cyberlab Infra defines the data model, automation, and deployment logic for a browser-accessible cyber range designed for classroom use.
The platform is being built first for a single-teacher deployment, with a longer-term goal of supporting broader access for under-resourced Arkansas school districts.
This repository focuses on:
- deterministic infrastructure definitions
- low-PII operational design
- student/teacher access boundaries in Proxmox
- reproducible VM provisioning from templates
- environment portability between school lab and small test hardware
- define teachers, sections, slots, and policy as source-of-truth YAML
- generate pseudonymous student identities at runtime
- provision student and teacher VMs from templates
- assign Proxmox users, groups, pools, and ACLs from code
- isolate sections cleanly
- keep operations simple enough for one teacher to run reliably
- Proxmox VE
- OpenTofu
- Ansible
- Parrot
- Windows 7
- Debian 13
- Metasploitable2
cyberlab-infra/
├── README.md
├── docs/
│ └── data-model.md
├── data/
│ ├── teachers.yml
│ ├── sections.yml
│ ├── slots.yml
│ ├── policy.yml
│ └── environments/
│ ├── school-lab.yml
│ └── thinkcentre-lab.yml
├── private/
│ ├── credentials/
│ ├── exports/
│ ├── local/
│ └── .gitignore
├── opentofu/
└── ansible/
Canonical teacher registry.
Defines:
- teacher key
- teacher ID
- full name
- owned sections
Canonical logical section definitions.
Defines:
- teacher-owned section instance key
- course/day/block metadata
- section code
- student count
- Proxmox group/pool naming
Global slot policy for the five standard VM roles.
Current slots:
atkwinsrvvicwww
Global platform policy.
Defines:
- VM offset policy
- username generation pattern
- password generation policy
- pool naming policy
- VM naming policy
- VMID formula
- network formula
Environment-specific deployment mapping.
Defines:
- Proxmox API host
- target node(s)
- VNet names
- subnets
- gateways
- DHCP ranges
Student identities are generated at runtime and stored only in private/ artifacts.
Sections are keyed as unique teacher-owned instances.
Examples:
jlong-cyba3jlong-itsb3jlong-icsa1
vmid = teacher_id * 1000000 + section_code * 1000 + offset
Example:
- teacher
101 - section
213 - offset
100 - resulting VMID:
101213100
10.<teacher_id>.<section_code>.0/24
Example:
10.101.213.0/24
This favors readability and classroom clarity over maximum address efficiency.
The following are generated outside version control:
- student usernames
- student passwords
- private roster exports
- generated student inventory records
- local-only environment overrides if needed
These belong in:
private/credentials/private/exports/private/local/
- student real names
- student emails
- student SIS IDs
- committed passwords
- committed private roster mappings
This repository is in active phase-one design and build-out.
Current focus:
- finalize the data model
- keep the automation aligned to that model
- produce a stable MVP for one teacher’s students before expanding scope
- finalize source-of-truth YAML schema
- refactor OpenTofu to consume the new model
- refactor Ansible to consume generated runtime student artifacts
- add snapshot and rollback controls
- validate student and teacher access flows end to end
Do not solve every scaling problem before the MVP works.
The phase-one target is:
- one teacher
- a few real sections
- repeatable provisioning
- stable permissions
- safe recovery
- clear documentation
Everything else can layer on later.