diff --git a/terraform/hetzner/firewall.tf b/terraform/hetzner/firewall.tf
new file mode 100644
index 0000000..2e5a9a3
--- /dev/null
+++ b/terraform/hetzner/firewall.tf
@@ -0,0 +1,100 @@
+resource "hcloud_firewall" "opnsense" {
+ name = "opnsense"
+ # HTTP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "80"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # HTTPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "443"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # Wireguard
+ rule {
+ direction = "in"
+ protocol = "udp"
+ port = "51820"
+ source_ips = [
+ "0.0.0.0/0"
+ ]
+ }
+ # DNS UDP
+ rule {
+ direction = "in"
+ protocol = "udp"
+ port = "53"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # DNS TCP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "53"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # SMTP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "25"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # SMTPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "465"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # IMAPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "993"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # Matrix Federation
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "8448"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # ICMP IPv6
+ rule {
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "::/0"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/terraform/hetzner/main.tf b/terraform/hetzner/main.tf
index fb6418f..14fcf0a 100644
--- a/terraform/hetzner/main.tf
+++ b/terraform/hetzner/main.tf
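Review bot: The `# DNS UDP` and `# DNS TCP` rules expose port 53 to `0.0.0.0/0` and `::/0` without saying what answers there; that is fine for an authoritative nameserver, but if the host also resolves recursively (for example OPNsense's bundled Unbound) it becomes an open resolver usable for reflection/amplification, so record the intent with a comment such as `# DNS: authoritative zones only, recursion disabled` or restrict `source_ips` to the WireGuard/LAN ranges. The `# Wireguard` rule lists only `"0.0.0.0/0"` while every other rule also carries `"::/0"`, so IPv6 peers cannot connect; add `"::/0"` or comment why it is omitted. The `# ICMP IPv6` rule admits `::/0` only, and if Hetzner applies `protocol = "icmp"` to both address families then all IPv4 ICMP is dropped, which breaks IPv4 path-MTU discovery for the TCP services above — consider adding `"0.0.0.0/0"` to that rule. Nothing in this commit attaches the firewall (no `apply_to` block and no `hcloud_firewall_attachment`), so unless that attachment lives in a file outside the diff these rules are not enforced on any server.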
@@ -28,225 +28,8 @@ provider "hcloud" { token = data.vault_kv_secret.hcloud.data.token } -resource "hcloud_network" "us_east" { - name = "us-east" - ip_range = "10.128.0.0/10" -} - -resource "hcloud_network_subnet" "lan" { - network_id = hcloud_network.us_east.id - type = "cloud" - network_zone = "us-east" - ip_range = "10.128.1.0/24" -} - -resource "hcloud_network_subnet" "sync" { - network_id = hcloud_network.us_east.id - type = "cloud" - network_zone = "us-east" - ip_range = "10.128.2.0/24" -} - -resource "hcloud_network_subnet" "cluster" { - network_id = hcloud_network.us_east.id - type = "cloud" - network_zone = "us-east" - ip_range = "10.128.3.0/24" -} - resource "hcloud_ssh_key" "default" { name = "default" public_key = data.vault_kv_secret.hcloud.data.ssh_public_key } - -resource "hcloud_placement_group" "firewalls" { - name = "firewalls" - type = "spread" -} - -resource "hcloud_placement_group" "nodes" { - name = "nodes" - type = "spread" -} - -resource "hcloud_primary_ip" "opnsense_a_v4" { - name = "opnsense-a-v4" - type = "ipv4" - datacenter = "ash-dc1" - auto_delete = false - delete_protection = true - assignee_type = "server" -} - -resource "hcloud_primary_ip" "opnsense_b_v4" { - name = "opnsense-b-v4" - type = "ipv4" - datacenter = "ash-dc1" - auto_delete = false - delete_protection = true - assignee_type = "server" -} - -resource "hcloud_primary_ip" "opnsense_a_v6" { - name = "opnsense-a-v6" - type = "ipv6" - datacenter = "ash-dc1" - auto_delete = false - delete_protection = true - assignee_type = "server" -} - -resource "hcloud_primary_ip" "opnsense_b_v6" { - name = "opnsense-b-v6" - type = "ipv6" - datacenter = "ash-dc1" - auto_delete = false - delete_protection = true - assignee_type = "server" -} - -resource "hcloud_floating_ip" "opnsense_float_v4" { - name = "opnsense-float-v4" - type = "ipv4" - home_location = "ash" - delete_protection = true -} - -resource "hcloud_floating_ip" "opnsense_float_v6" { - name = "opnsense-float-v6" - type = "ipv6" 
- home_location = "ash" - delete_protection = true -} - -resource "hcloud_firewall" "opnsense" { - name = "opnsense" - # HTTP - rule { - direction = "in" - protocol = "tcp" - port = "80" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # HTTPS - rule { - direction = "in" - protocol = "tcp" - port = "443" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # Wireguard - rule { - direction = "in" - protocol = "udp" - port = "51820" - source_ips = [ - "0.0.0.0/0" - ] - } - # DNS UDP - rule { - direction = "in" - protocol = "udp" - port = "53" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # DNS TCP - rule { - direction = "in" - protocol = "tcp" - port = "53" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # SMTP - rule { - direction = "in" - protocol = "tcp" - port = "25" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # SMTPS - rule { - direction = "in" - protocol = "tcp" - port = "465" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # IMAPS - rule { - direction = "in" - protocol = "tcp" - port = "993" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # Matrix Federation - rule { - direction = "in" - protocol = "tcp" - port = "8448" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - # ICMP IPv6 - rule { - direction = "in" - protocol = "icmp" - source_ips = [ - "::/0" - ] - } -} - -# resource "hcloud_server" "opnsense_b" { -# name = "opnsense-b" -# server_type = "cpx11" -# image = "ubuntu-22.04" -# location = "ash" -# datacenter = "ash-dc1" -# keep_disk = true -# backups = false -# ssh_keys = [ -# hcloud_ssh_key.default.id -# ] -# public_net { -# ipv4_enabled = true -# ipv4 = hcloud_primary_ip.opnsense_b_v4.id -# ipv6_enabled = true -# ipv6 = hcloud_primary_ip.opnsense_b_v6.id -# } -# network { -# network_id = hcloud_network_subnet.lan.id -# ip = "10.128.1.240" -# } -# network { -# network_id = hcloud_network_subnet.sync.id -# ip = "10.128.2.20" -# } -# delete_protection = true -# rebuild_protection = true -# placement_group_id = 
hcloud_placement_group.firewalls.id
-# }
\ No newline at end of file
diff --git a/terraform/hetzner/network.tf b/terraform/hetzner/network.tf
new file mode 100644
index 0000000..8e3ce66
--- /dev/null
+++ b/terraform/hetzner/network.tf
@@ -0,0 +1,75 @@
+resource "hcloud_network" "us_east" {
+ name = "us-east"
+ ip_range = "10.128.0.0/10"
+}
+
+resource "hcloud_network_subnet" "lan" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.1.0/24"
+}
+
+resource "hcloud_network_subnet" "sync" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.2.0/24"
+}
+
+resource "hcloud_network_subnet" "cluster" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.3.0/24"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v4" {
+ name = "opnsense-a-v4"
+ type = "ipv4"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v4" {
+ name = "opnsense-b-v4"
+ type = "ipv4"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v6" {
+ name = "opnsense-a-v6"
+ type = "ipv6"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v6" {
+ name = "opnsense-b-v6"
+ type = "ipv6"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v4" {
+ name = "opnsense-float-v4"
+ type = "ipv4"
+ home_location = "ash"
+ delete_protection = true
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v6" {
+ name = "opnsense-float-v6"
+ type = "ipv6"
+ home_location = "ash"
+ delete_protection = true
+}
\ No newline at end of file
diff --git a/terraform/hetzner/servers.tf b/terraform/hetzner/servers.tf
new file mode 100644
index 0000000..f0a8be8
--- /dev/null
+++ b/terraform/hetzner/servers.tf
@@ -0,0 +1,39 @@
+resource "hcloud_placement_group" "firewalls" {
+ name = "firewalls"
+ type = "spread"
+}
+
+resource "hcloud_placement_group" "nodes" {
+ name = "nodes"
+ type = "spread"
+}
+
+# resource "hcloud_server" "opnsense_b" {
+# name = "opnsense-b"
+# server_type = "cpx11"
+# image = "ubuntu-22.04"
+# location = "ash"
+# datacenter = "ash-dc1"
+# keep_disk = true
+# backups = false
+# ssh_keys = [
+# hcloud_ssh_key.default.id
+# ]
+# public_net {
+# ipv4_enabled = true
+# ipv4 = hcloud_primary_ip.opnsense_b_v4.id
+# ipv6_enabled = true
+# ipv6 = hcloud_primary_ip.opnsense_b_v6.id
+# }
+# network {
+# network_id = hcloud_network_subnet.lan.id
+# ip = "10.128.1.240"
+# }
+# network {
+# network_id = hcloud_network_subnet.sync.id
+# ip = "10.128.2.20"
+# }
+# delete_protection = true
+# rebuild_protection = true
+# placement_group_id = hcloud_placement_group.firewalls.id
+# }
\ No newline at end of file