diff --git a/main/README.md b/main/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..4455c7f88ada5bd2b5be44c9ade60c787d11a088
--- /dev/null
+++ b/main/README.md
@@ -0,0 +1,3 @@
+# Main VMs
+
+- `mgmt`: MGMT Container and ProxyJump 
\ No newline at end of file
diff --git a/main/ansible/.gitignore b/main/ansible/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..eb200e400865633fc2118f09572fb4b85f062139
--- /dev/null
+++ b/main/ansible/.gitignore
@@ -0,0 +1,5 @@
+.idea
+.venv
+
+# autogenerated
+.template
diff --git a/main/ansible/README.md b/main/ansible/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9d85e5902e9f5edb48ce9cf65dc985593e5ff125
--- /dev/null
+++ b/main/ansible/README.md
@@ -0,0 +1,7 @@
+# MAIN VMs ansible
+
+First run:  
+`ansible-playbook -i inventory.yaml install.yaml --user root`
+
+After first run:  
+`ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
\ No newline at end of file
diff --git a/main/ansible/bootstrap.sh b/main/ansible/bootstrap.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a6212cdec913c58815bd9b997976ffbb207287a6
--- /dev/null
+++ b/main/ansible/bootstrap.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+########################### Virtualenv setup ####################################
+
+# create virtualenv if not present
+[[ ! -d .venv ]] && python3 -m venv .venv
+
+source .venv/bin/activate
+
+pip3 install ansible ansible-lint
+
+########################### Ansible setup ####################################
+
+ansible-galaxy install --force -r requirements.galaxy.yaml
+
+########################### Help ####################################
+
+echo
+echo "########################################"
+echo
+echo "Your playbooks:"
+
+find . -maxdepth 1 -type f -name "*.yaml" | grep -v inventory
+
+echo
+echo "Recommendation: Set up your OpenSSH config based on inventory.yml"
+
+echo
+echo "You can run playbook with:"
+printf "\tansible-playbook your-playbook.yaml"
+echo
+
+# to stay in our comfy virtualenv
+exec "${SHELL:bash}"
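Review bot: The script has no error handling, so if `python3 -m venv .venv` or `source .venv/bin/activate` fails, the following `pip3 install ansible ansible-lint` runs against whatever Python environment is ambient instead of the virtualenv; adding `set -e` directly under the shebang stops at the first failure. On the last line, `exec "${SHELL:bash}"` is a substring expansion rather than a default, so it expands to an empty string when SHELL is unset; `exec "${SHELL:-bash}"` is presumably what was meant. Both `pip3 install` and `ansible-galaxy install --force` pull unpinned latest releases on every run, so pinning versions would make the controller's tooling reproducible.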
diff --git a/main/ansible/install.yaml b/main/ansible/install.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d2141183d77cfa35cd2a2b85f91ab9a7590ecc26
--- /dev/null
+++ b/main/ansible/install.yaml
@@ -0,0 +1,22 @@
+---
+
+- hosts: all
+  roles:
+    - name: yatesr.timezone
+      vars:
+        timezone: Europe/Budapest
+  tasks:
+    - name: Setup MGMT Container
+      import_tasks: tasks/main.yaml
+  
+  vars:
+    users: 
+      - name: rlacko
+        sudo: yes
+        passwordless_sudo: yes
+        keys_url: https://git.sch.bme.hu/rlacko.keys
+    ssh:
+      port: 22
+      permitRootLogin: 'without-password'
+      pubkeyAuthentication: 'yes'
+      passwordAuthentication: 'no'
\ No newline at end of file
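Review bot: `permitRootLogin: 'without-password'` under `vars.ssh` keeps key-based root SSH logins enabled, even though the play creates `rlacko` with passwordless sudo and the README switches to that account after the first run. If root access over SSH is not needed after bootstrap, `permitRootLogin: 'no'` closes it; otherwise prefer the current spelling `'prohibit-password'`, of which `without-password` is a deprecated alias. `keys_url` makes a remote key listing the source of truth for who can log in, which deserves a comment above it such as `# authorized_keys are fetched from this URL on every run`.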
diff --git a/main/ansible/inventory.yaml b/main/ansible/inventory.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8690a7562145e1ab71458e47d519c89c118d0708
--- /dev/null
+++ b/main/ansible/inventory.yaml
@@ -0,0 +1,4 @@
+all:
+  hosts:
+    # Use OpenSSH config to make it confortable
+    mgmt.maze:
diff --git a/main/ansible/requirements.galaxy.yaml b/main/ansible/requirements.galaxy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..67cbeeaf312186f22e008e29f630b63d880d05dd
--- /dev/null
+++ b/main/ansible/requirements.galaxy.yaml
@@ -0,0 +1,8 @@
+---
+
+collections:
+  - community.general
+  - ansible.posix
+
+roles:
+  - src: yatesr.timezone
\ No newline at end of file
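Review bot: Neither the two collections nor the `yatesr.timezone` role carries a version, and bootstrap.sh installs them with `--force`, so every bootstrap pulls whatever is latest on Galaxy, and that content then runs with root privileges on the managed hosts. Pin each entry, for example `- name: community.general` with `version: "<PINNED_VERSION>"` and `- src: yatesr.timezone` with `version: "<PINNED_TAG>"`, and bump the pins deliberately after review.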
diff --git a/main/ansible/tasks/main.yaml b/main/ansible/tasks/main.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..69daddd9ae1ed8f3319884f3e17c97876aa90661
--- /dev/null
+++ b/main/ansible/tasks/main.yaml
@@ -0,0 +1,29 @@
+---
+
+- name: Setup Admin users
+  include_tasks: users.yaml
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+
+- name: Update and upgrade apt packages
+  become: true
+  apt:
+    upgrade: "yes"
+    update_cache: yes
+    cache_valid_time: 86400 # One day
+
+- name: Install packages
+  include_tasks: packages.yaml
+
+- name: Place sshd configuration file.
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    mode: 0600
+
+- name: Ensure sshd is restarted and enabled to start at boot.
+  service:
+    name: sshd
+    state: restarted
+    enabled: yes
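Review bot: The `Place sshd configuration file.` task writes /etc/ssh/sshd_config without validating it, and the next task restarts sshd unconditionally on every run, so a wrong value in one of the `ssh.*` variables can cut off SSH access to the management host. Add `validate: '/usr/sbin/sshd -t -f %s'` to the template task and move the restart into a handler notified by it, so sshd restarts only when the file actually changes. `mode: 0600` should be quoted as `mode: '0600'`, as users.yaml already does, with `owner: root` and `group: root` set explicitly. Only the apt task sets `become: true`; the template and service tasks rely on `--become` being passed on the command line.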
diff --git a/main/ansible/tasks/packages.yaml b/main/ansible/tasks/packages.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a870b42eed1d6263b2618aa951a96a286d91b5ac
--- /dev/null
+++ b/main/ansible/tasks/packages.yaml
@@ -0,0 +1,31 @@
+---
+- name: Install basic packages
+  package:
+    state: present
+    name:
+      # Debug tools
+      - sudo
+      - tmux
+      - htop
+      - dnsutils
+      - net-tools
+      - psmisc
+      - strace
+      - tcpdump
+      - xxd
+
+      # Editors
+      - nano
+      - vim
+
+      # Admin helpers
+      - rsync
+      - tree
+      - molly-guard
+
+      # Dependencies for scripting
+      - python3
+      - unzip
+      - curl
+      - wget
+      - jq
diff --git a/main/ansible/tasks/users.yaml b/main/ansible/tasks/users.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..23de97ad04fd816ed8fbca60a967bed56a6e3d20
--- /dev/null
+++ b/main/ansible/tasks/users.yaml
@@ -0,0 +1,54 @@
+---
+
+- debug:
+    msg: "{{ user }}"
+
+- name: "Create group for user"
+  group:
+    name: "{{ user.name }}"
+
+- name: "Create user"
+  user:
+    name: "{{ user.name }}"
+    comment: "{{ user.comment | default('') }}"
+    group: "{{ user.name }}"
+    shell: "/bin/{{ user.shell | default('bash') }}"
+
+- name: "SUDO"
+  user:
+    name: "{{ user.name }}"
+    append: true
+    groups:
+      - sudo
+  when: user.sudo
+
+- set_fact:
+    sudoer_file: "/etc/sudoers.d/{{ user.name }}"
+
+- name: sudoers file for the user
+  file:
+    path: "{{ sudoer_file }}"
+    state: touch
+    mode: "0600"
+    owner: root
+    group: root
+    modification_time: preserve
+    access_time: preserve
+
+- name: Insert sudoer file content
+  copy:
+    dest: "{{ sudoer_file }}"
+    content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
+  when: user.passwordless_sudo
+
+- name: "Set password to be expired"
+  command: passwd --delete '{{ user.name }}'
+  when: not user.passwordless_sudo
+
+- name: Set authorized keys
+  ansible.posix.authorized_key:
+    user: "{{ user.name }}"
+    state: present
+    key: "{{ user.keys_url }}"
+    manage_dir: yes
+    exclusive: yes
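Review bot: The task named `Set password to be expired` runs `passwd --delete`, which removes the password rather than expiring it, so whenever `passwordless_sudo` is false the account is left with an empty password (and is in the sudo group when `user.sudo` is set); the command also reruns on every play. If expiry is the intent use `passwd --expire '{{ user.name }}'`, or lock the password with `password_lock: true` on the `Create user` task. The `Insert sudoer file content` copy should carry `validate: '/usr/sbin/visudo -cf %s'`, since a malformed file under /etc/sudoers.d can break sudo on the host. The leading `debug` task prints the whole `user` dict, which would leak into logs if a secret field is ever added to it.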
diff --git a/main/ansible/templates/etc/ssh/sshd_config.j2 b/main/ansible/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a85b408194e01ca8f5a28fafc16dcd19d4e2e79a
--- /dev/null
+++ b/main/ansible/templates/etc/ssh/sshd_config.j2
@@ -0,0 +1,36 @@
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+Protocol 2
+Port {{ ssh.port }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+PermitRootLogin {{ ssh.permitRootLogin }}
+PubkeyAuthentication {{ ssh.pubkeyAuthentication }}
+PasswordAuthentication {{ ssh.passwordAuthentication }}
+
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+AllowAgentForwarding yes
+X11Forwarding yes
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+{% if ssh.allow.users is defined %}
+AllowUsers {{ ssh.allow.users }}
+{% endif %}
+{% if ssh.allow.groups is defined %}
+AllowGroups {{ ssh.allow.groups }}
+{% endif %}
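Review bot: `AllowAgentForwarding yes` and `X11Forwarding yes` are enabled on a host the top-level README describes as the ProxyJump box; ProxyJump needs neither, and a forwarded agent can be used by anyone with root on this host for as long as the session lasts. Set both to `no` unless a concrete workflow requires them, or expose them as `ssh.*` variables defaulting to `no`, like the other authentication settings. `Protocol 2` is a deprecated keyword in current OpenSSH releases and can be dropped.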
diff --git a/main/terraform/.gitignore b/main/terraform/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..beb38d84d0ca9dc8e48fca57f7698ca3ac6c4ade
--- /dev/null
+++ b/main/terraform/.gitignore
@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/main/terraform/.terraform.lock.hcl b/main/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000000000000000000000000000000000000..4ab3791c6cd90349ee81b5dcfa33d2f75cac8ece
--- /dev/null
+++ b/main/terraform/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "2.7.3"
+  constraints = "2.7.3"
+  hashes = [
+    "h1:6NO8P24DDayqETDx6SXe8jcEroRNyTa4GWwusgKwanA=",
+    "zh:0a90f93390c5a8324e7afdf0f0d2efa2afd80da76ddc2eeb1134e99e367a3aa0",
+    "zh:3636c79e388522b90c2c3fda6c888e76fa6c3dd2cb60a92d27520044490a96b0",
+    "zh:4a19e1e82dfee13e4bcc7e21b4f1449883092b1ff241383c93768b02e03c5d6f",
+    "zh:7b46ae59dd7a123a61ec6ffe9bb5f2803a3a75c177b4b4253a0b4a010767a63a",
+    "zh:8a26a1400868c188825d3f9e07467cb7b73d1a1d7bb6d63bfdd885063900aaa7",
+    "zh:b892ffa1724df7935b16420715e253de6e22f6b61c94b6058831a7abee4d375e",
+    "zh:b9bb54c8cc437fe24e049c3cddeaca9b4604beb0b49a87da6b6efbbcd3dba45f",
+    "zh:c0829fca158f2343e7c6e74ca68522961f1fa8efdee616d0aebac26c7e65defc",
+    "zh:c394b3d79d78eb391884b9e04175a14f1759885e8a19230184524882b723b210",
+    "zh:d17ea56b01adff6f2680fd57aa8f1f22f23e6ce9c43c0fc857e4c102ee643a06",
+    "zh:d1bc1071414a51ef4e32ab0dd79c294c10cd1e57c848e7b058c34ae4863ba2a4",
+    "zh:d2f87c23846b0aa5cb685c15595df6895882d6ed130bf96c0d3d34209573263d",
+    "zh:e8e48a4e1e61d593ce4d70b9f50e3068b1c7f6b96fc1c25bce257e5c663819a2",
+  ]
+}
diff --git a/main/terraform/main.tf b/main/terraform/main.tf
new file mode 100644
index 0000000000000000000000000000000000000000..4397d6f4cbbdec8478818e70807a7350bdb42072
--- /dev/null
+++ b/main/terraform/main.tf
@@ -0,0 +1,41 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source = "Telmate/proxmox"
+      version = "2.7.3"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_api_url = "https://pve.maze.sch.bme.hu/api2/json"
+  pm_tls_insecure = true
+}
+
+resource "proxmox_lxc" "mgmt" {
+  target_node  = "maze"
+  hostname     = "mgmt"
+  ostemplate   = "local:vztmpl/ubuntu-20.04-standard_20.04-1_amd64.tar.gz"
+  password     = "F4AnvE8VpTVfW5"
+  vmid         = 7101
+  start        = true
+
+  ssh_public_keys  = <<EOF
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXuXr/Mz1ENkvZ+Ntc9dF1r8VK62XaZtsMaV7N+CMZ8 rlacko@personal
+  EOF
+
+  cores = 2
+  memory = 4096
+
+  rootfs {
+    storage = "ssd"
+    size    = "10G"
+  }
+
+  network {
+    name   = "eth0"
+    bridge = "vmbr0"
+    ip     = "192.168.97.101/22"
+    gw     = "192.168.99.254"
+  }
+}
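Review bot: `password` in `proxmox_lxc.mgmt` is a literal root password committed to the repository, even though the .gitignore added in this same commit excludes `*.tfvars` precisely to keep secrets out of version control. Replace it with `password = var.mgmt_root_password` (variable name chosen here for illustration), declare that variable with `sensitive = true`, supply it from an ignored tfvars file or `TF_VAR_mgmt_root_password`, and treat the committed value as exposed and rotate it. `pm_tls_insecure = true` in the provider block turns off certificate verification for the Proxmox API, so credentials sent to that endpoint are not protected against interception; set it to `false` once the endpoint presents a verifiable certificate.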