diff --git a/authentik/outposts.tf b/authentik/outposts.tf index 2739921..9d69729 100644 --- a/authentik/outposts.tf +++ b/authentik/outposts.tf @@ -7,7 +7,10 @@ resource "authentik_outpost" "embedded_outpost" { authentik_provider_proxy.paperless-gpt.id, #authentik_provider_proxy.proxy-test.id, authentik_provider_proxy.spotizerr.id, +<<<<<<< HEAD authentik_provider_proxy.metube.id, +======= +>>>>>>> 76fd925 (Added Opnsense) ] service_connection = authentik_service_connection_kubernetes.local.id diff --git a/forgejo/.terraform.lock.hcl b/forgejo/.terraform.lock.hcl index 758644d..84613a1 100644 --- a/forgejo/.terraform.lock.hcl +++ b/forgejo/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.opentofu.org/go-gitea/gitea" { constraints = "0.1.0" hashes = [ "h1:idV0H0z0z4SL5aaDaZTLUYz77LwXBHQSqHAZ1wGuwoY=", + "h1:o+fg37QPMftgrND3krC59qL6kSyPZtDnYYbPMgzLAgI=", "zh:039c743351f4bb17bb423a28a507a3d9b87267ce04e127dbb4ad1a80450a280b", "zh:175b5d60b7e13abd477e82ccc2f53973c60cbcdcd88f49746aa76e452ba9af6d", "zh:2cbf2f51ec50b1be06b2ffbb6e5bb4f57b9da9a730a626c26804ec8a7efd1f94", diff --git a/non-lab/.terraform.lock.hcl b/non-lab/.terraform.lock.hcl index f1757e4..d0f2a3d 100644 --- a/non-lab/.terraform.lock.hcl +++ b/non-lab/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.opentofu.org/backblaze/b2" { constraints = "0.8.12" hashes = [ "h1:+zf4b76chIrJbVcbzoenR8X+uFFnGhUjPUACpnBIYcs=", + "h1:rA+Y9HyJGPV7kU52+9vKRM90RiGjdwj9Tas5ZImfsw0=", "zh:bc9d25d21adeafba8edde8d6ffb6150cd5c86c207412c8941347966be3363de5", "zh:c538eaea1b15379635b9d8a2cb862248813022bb0de5481741f18fcc77a10a1b", "zh:cc2767797ad27b9a3b4ad97b6a2f3eeea9f50a6000bbcfa9b44189945dae30b3", 
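Review bot: The three added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 76fd925 (Added Opnsense)` are unresolved merge-conflict markers committed into the provider list of `authentik_outpost.embedded_outpost`, so the file no longer parses and `tofu validate`/`tofu plan` will fail for the whole `authentik` root module. Resolve the conflict before merging: the HEAD side keeps `authentik_provider_proxy.metube.id,` while the incoming side drops it, so either keep that one line (if metube is still served by the embedded outpost) or remove it, and delete the three marker lines in both cases. A pre-commit hook such as `check-merge-conflict` would have stopped this from being committed. The enclosing resource block starts before and ends after this hunk.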
@@ -13,11 +14,35 @@ provider "registry.opentofu.org/backblaze/b2" { ] } +provider "registry.opentofu.org/browningluke/opnsense" { + version = "0.11.0" + constraints = "~> 0.11.0" + hashes = [ + "h1:Euvr5teHyc6AVQhTQZXkwwJcaQ+0qwKMnzH9pMu2CbY=", + "zh:24dfb6cb8d699705dcf08b7e073e72a0b980a8ac9f55331e025db96ca9ae53f7", + "zh:2544dbf1a274824940288e2e515fb5edb22250947a0f7354c971faaf32ee0003", + "zh:2d78fa29aaebf2aaa68517507af9ae470a794dbc5705e8f7af7d2bf898396ff4", + "zh:32f8d5200ca85785609d9ab40e65aba12beff237bf97feb18fc41f71e36dc69c", + "zh:4a2c25ca45d40049456cc6404544f526dc310e26e717905ab9aa429cd9edd8e1", + "zh:4ce9bb7072569a8387cafc6f6e7a962e07c07cd144b72c3677fb95fa4eb3bd27", + "zh:5974c92811f847819094fc2b0fb75e63fe9c403f1475732c9e882c29a325c917", + "zh:615b9b2d20bfc7c41f1bc1888f0bdca4dd2144119403b0d2c324ae7da0808c67", + "zh:6f10c2773675e19c88702ccfa16b894eabed0444a65c1d5d00cddbfaa32be8a3", + "zh:8a28c10fba040d0045d785585ed0cbe0cfc3337e276a546b3065aa991ac4436d", + "zh:8c3f50205bdb5de1a82e6c1ddad1a7d723b5e2bfd9ee88919d0f103ef66f8c8a", + "zh:8eea601eea076888c9deda93db9552e10ff9736ac38308dc31c10f5abb395061", + "zh:a5b4a90685a3c6468fc899d723040c81d511b18cb5092b66ffb55c4f61925788", + "zh:bf107697092037a056382e81cb243c402ed2e6d9e1a991e787c250df4b656bd2", + "zh:f328b11348cee7f65481e6fea4eeeeeded61263b5adfd9e5e2e86c9294183d4d", + ] +} + provider "registry.opentofu.org/hashicorp/kubernetes" { version = "2.31.0" constraints = "2.31.0" hashes = [ "h1:MfkGdRph9sDol+ukIgIigdXuLLpC2JPUHH5oF2zEfTM=", + "h1:z2qlqn6WbrjbezwQo4vvlwAgVUGz59klzDU4rlYhYi8=", "zh:0dd25babf78a88a61dd329b8c18538a295ea63630f1b69575e7898c89307da39", "zh:3138753e4b2ce6e9ffa5d65d73e9236169ff077c10089c7dc71031a0a139ff6d", "zh:644f94692dc33de0bb1183c307ae373efbf4ef4cb92654ccc646a5716edf9593", diff --git a/non-lab/backup.tf b/non-lab/backup.tf index efd695c..954cc15 100644 --- a/non-lab/backup.tf +++ b/non-lab/backup.tf 
@@ -1,44 +1,44 @@
-resource "b2_bucket" "cowley-tech-home-backup" {
- bucket_name = "cowley-tech-home-backup"
- bucket_type = "allPrivate"
-}
-
-resource "b2_application_key" "user" {
- for_each = toset(["timothy", "nicolas"])
-
- key_name = "cowley-tech-${each.key}-backup"
- bucket_id = b2_bucket.cowley-tech-home-backup.id
- capabilities = [
- "deleteFiles",
- "listBuckets",
- "listFiles",
- "readBuckets",
- "readFiles",
- "writeFiles",
- ]
-}
-
-resource "b2_application_key" "admin" {
-
- key_name = "cowley-tech-admin-backup"
- bucket_id = b2_bucket.cowley-tech-home-backup.id
- capabilities = [
- "deleteFiles",
- "listBuckets",
- "listFiles",
- "readBuckets",
- "readFiles",
- "writeFiles",
- ]
-}
-#
-#resource "kubernetes_secret" "b2-loki" {
-# metadata {
-# name = "b2-loki-credentials"
-# namespace = "logging"
-# }
-# data = {
-# B2_APPLICATION_KEY_ID = b2_application_key.loki.application_key_id
-# B2_APPLICATION_KEY = b2_application_key.loki.application_key
-# }
+#resource "b2_bucket" "cowley-tech-home-backup" {
+# bucket_name = "cowley-tech-home-backup"
+# bucket_type = "allPrivate"
 #}
+#
+#resource "b2_application_key" "user" {
+# for_each = toset(["timothy", "nicolas"])
+#
+# key_name = "cowley-tech-${each.key}-backup"
+# bucket_id = b2_bucket.cowley-tech-home-backup.id
+# capabilities = [
+# "deleteFiles",
+# "listBuckets",
+# "listFiles",
+# "readBuckets",
+# "readFiles",
+# "writeFiles",
+# ]
+#}
+#
+#resource "b2_application_key" "admin" {
+#
+# key_name = "cowley-tech-admin-backup"
+# bucket_id = b2_bucket.cowley-tech-home-backup.id
+# capabilities = [
+# "deleteFiles",
+# "listBuckets",
+# "listFiles",
+# "readBuckets",
+# "readFiles",
+# "writeFiles",
+# ]
+#}
+##
+##resource "kubernetes_secret" "b2-loki" {
+## metadata {
+## name = "b2-loki-credentials"
+## namespace = "logging"
+## }
+## data = {
+## B2_APPLICATION_KEY_ID = b2_application_key.loki.application_key_id
+## B2_APPLICATION_KEY = b2_application_key.loki.application_key
+## }
+##}
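Review bot: Commenting out `b2_bucket.cowley-tech-home-backup` and the `b2_application_key` resources `user` and `admin` removes them from configuration while they stay in state, so the next `tofu apply` will plan to destroy the backup bucket and revoke the application keys that the `timothy`, `nicolas` and admin backup clients use. If the intent is only to stop managing them from this root module, take them out of state instead (`tofu state rm`, or a `removed` block with `lifecycle { destroy = false }` where the OpenTofu version in use supports it) so the backup data and keys survive. If destruction is intended, a one-line comment at the top of the file, e.g. `# B2 backup resources retired on <date placeholder>; bucket and keys are destroyed on apply`, should say so, since nothing in the commit title ("Added Opnsense") explains why the backup configuration disappears. The previously commented-out `kubernetes_secret` block is now double-commented (`##`) and could simply be deleted.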
diff --git a/non-lab/dns.tf b/non-lab/dns.tf
new file mode 100644
index 0000000..a963926
--- /dev/null
+++ b/non-lab/dns.tf
@@ -0,0 +1,12 @@
+
+resource "opnsense_unbound_host_override" "esphome" {
+
+ #for_each = var.esphome_boards
+ for_each = { for i, v in var.esphome_boards : i => v }
+
+ enabled = true
+ description = "ESPHome MCU for ${each.value.name}"
+ hostname = each.value.name
+ domain = "home.cowley.tech"
+ server = each.value.address
+}
diff --git a/non-lab/firewall.tf b/non-lab/firewall.tf
new file mode 100644
index 0000000..bd261a3
--- /dev/null
+++ b/non-lab/firewall.tf
@@ -0,0 +1,28 @@
+#resource "opnsense_firewall_nat" "http" {
+# enabled = true
+#
+# interface = "wan"
+# protocol = "TCP"
+#
+# destination = {
+# port = "http"
+# }
+# target = {
+# ip = "192.168.6.201"
+# port = "80"
+# }
+#}
+#resource "opnsense_firewall_nat" "https" {
+# enabled = true
+#
+# interface = "wan"
+# protocol = "TCP"
+#
+# destination = {
+# port = "https"
+# }
+# target = {
+# ip = "192.168.6.201"
+# port = "443"
+# }
+#}
diff --git a/non-lab/kea.tf b/non-lab/kea.tf
new file mode 100644
index 0000000..1b5f9bc
--- /dev/null
+++ b/non-lab/kea.tf
@@ -0,0 +1,15 @@
+resource "opnsense_kea_subnet" "subnets" {
+ for_each = var.dhcp_subnets
+
+ subnet = each.value
+ description = "${each.key} LAN"
+}
+
+resource "opnsense_kea_reservation" "esphome" {
+ for_each = { for i, v in var.esphome_boards : i => v }
+
+ subnet_id = opnsense_kea_subnet.subnets["home"].id
+ ip_address = each.value.address
+ mac_address = each.value.mac
+ description = "Lease for ${each.value.name}"
+}
diff --git a/non-lab/provider.tf b/non-lab/provider.tf
index 662cdc8..b7cc366 100644
--- a/non-lab/provider.tf
+++ b/non-lab/provider.tf
@@ -10,9 +10,13 @@ terraform {
 version = "0.8.12"
 }
 kubernetes = {
- source = "hashicorp/kubernetes"
+ source = "hashicorp/kubernetes"
 version = "2.31.0"
 }
+ opnsense = {
+ version = "~> 0.11.0"
+ source = "browningluke/opnsense"
+ }
 }
 }
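Review bot: `for_each = { for i, v in var.esphome_boards : i => v }` keys `opnsense_unbound_host_override.esphome` by list position, so inserting, removing or reordering one board in `terraform.tfvars` renumbers every later entry and makes OpenTofu destroy and recreate their host overrides (and, through the identical expression in `kea.tf`, their DHCP reservations). Keying by the board name gives stable resource addresses: `for_each = { for v in var.esphome_boards : v.name => v }`, which also fails early at plan time if two boards share a name. The commented-out `#for_each = var.esphome_boards` line should go, since `for_each` cannot take a list and the comment only records the attempt. The same change applies to `opnsense_kea_reservation.esphome` in `kea.tf`.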
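Review bot: `firewall.tf` is added entirely commented out, so the two `opnsense_firewall_nat` blocks are dead code with no note on why they are disabled or what has to happen before they are enabled. Either leave the file out until the rules are needed or add a header comment such as `# WAN port-forwards for 192.168.6.201 — disabled because <reason placeholder>`. When they are eventually enabled, an `interface = "wan"` forward of `http`/`https` to `192.168.6.201` exposes that host to every source address on the internet, so the target should be the authenticating proxy (the authentik outpost managed in the other root module appears to be the candidate, but that is inferred) rather than a plain service.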
@@ -21,3 +25,6 @@ provider "b2" {
 provider "kubernetes" {
 }
+
+provider "opnsense" {
+}
diff --git a/non-lab/terraform.tfvars b/non-lab/terraform.tfvars
new file mode 100644
index 0000000..3f58f4f
--- /dev/null
+++ b/non-lab/terraform.tfvars
@@ -0,0 +1,29 @@
+esphome_boards = [
+ {
+ name = "gate"
+ address = "192.168.5.141"
+ mac = "10:00:3b:01:97:b8"
+ },
+ {
+ name = "frontdoor"
+ address = "192.168.5.140"
+ mac = "10:00:3b:01:eb:40"
+ },
+ {
+ name = "lounge"
+ address = "192.168.5.135"
+ mac = "e8:06:90:65:2e:9c"
+ },
+ {
+ name = "office"
+ address = "192.168.5.130"
+ mac = "c8:c9:a3:c5:74:cc"
+ },
+]
+
+dhcp_subnets = {
+ iot = "192.168.3.0/24"
+ work = "192.168.4.0/24"
+ home = "192.168.5.0/24"
+ lab = "192.168.6.0/24"
+}
diff --git a/non-lab/variables.tf b/non-lab/variables.tf
new file mode 100644
index 0000000..a34f377
--- /dev/null
+++ b/non-lab/variables.tf
@@ -0,0 +1,11 @@
+
+variable "esphome_boards" {
+ type = list(object({
+ name = string
+ address = string
+ mac = string
+ }))
+}
+variable "dhcp_subnets" {
+ type = map(string)
+}
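Review bot: `provider "opnsense" {}` is declared with no configuration, so the OPNsense URI and API credentials presumably come from the provider's environment variables at plan time, but nothing in the repository records that. Add a short comment inside the block, e.g. `# URI and API key/secret are supplied via the provider's environment variables; see <runbook placeholder>`, so the next operator does not go looking for them in `terraform.tfvars`, which this commit checks in and which must stay free of the API secret. The API user behind that key should be limited to the Unbound, Kea and firewall pages where OPNsense's privilege model allows it, since those are all this module touches.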
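Review bot: Neither variable in `variables.tf` has a `description`, and `esphome_boards` accepts any string for `address` and `mac`, so a typo such as a five-octet MAC or an address outside `192.168.5.0/24` is only rejected by the OPNsense API at apply time, possibly after the Unbound override for that board has already been created. A `validation` block on `esphome_boards` with `condition = alltrue([for b in var.esphome_boards : can(regex("^([0-9a-f]{2}:){5}[0-9a-f]{2}$", lower(b.mac))) && can(cidrhost("${b.address}/32", 0))])` rejects malformed entries at plan time; a second condition, `length(distinct([for b in var.esphome_boards : b.name])) == length(var.esphome_boards)`, catches duplicate names that would otherwise collide as Unbound hostnames. `dhcp_subnets` deserves a one-line `description` noting that its keys are the LAN names referenced as `opnsense_kea_subnet.subnets["home"]` in `kea.tf`.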