diff --git a/main.tf b/main.tf
index 3b205d7..c12e260 100644
--- a/main.tf
+++ b/main.tf
@@ -1,31 +1,4 @@
 terraform {
- required_providers {
- authentik = {
- source = "goauthentik/authentik"
- version = "~> 2024.8.0"
- }
- hcloud = {
- source = "hetznercloud/hcloud"
- version = "~> 1.45.0"
- }
- ovh = {
- source = "ovh/ovh"
- version = "~> 0.48.0"
- }
- postgresql = {
- source = "cyrilgdn/postgresql"
- version = "~> 1.23.0"
- }
- scaleway = {
- source = "scaleway/scaleway"
- version = "~> 2.43.0"
- }
- tailscale = {
- source = "tailscale/tailscale"
- version = "~> 0.16.0"
- }
- }
-
 backend "s3" {
 bucket = var.backend_bucket
 access_key = var.backend_access_key
@@ -45,49 +18,39 @@ terraform {
 }
 }
-provider "authentik" {
- url = "${var.authentik_url}"
- token = "${var.authentik_token}"
+module "services" {
+ source = "./modules/services"
+
+ authentik_url = "${var.authentik_url}"
+ authentik_token = "${var.authentik_token}"
+
+ postgresql_host = "${var.postgresql_host}"
+ postgresql_port = "${var.postgresql_port}"
+ postgresql_username = "${var.postgresql_username}"
+ postgresql_password = "${var.postgresql_password}"
+
+ services = var.services
 }
-provider "hcloud" {
- token = "${var.hcloud_token}"
-}
+module "infrastructure" {
+ source = "./modules/infrastructure"
-provider "ovh" {
- endpoint = "ovh-eu"
- application_key = "${var.ovh_application_key}"
- application_secret = "${var.ovh_application_secret}"
- consumer_key = "${var.ovh_consumer_key}"
-}
+ hcloud_token = "${var.hcloud_token}"
-provider "postgresql" {
- host = "${var.postgresql_host}"
- port = "${var.postgresql_port}"
- database = "postgres"
- username = "${var.postgresql_username}"
- password = "${var.postgresql_password}"
- sslmode = "verify-full"
- connect_timeout = 15
-}
+ ovh_application_key = "${var.ovh_application_key}"
+ ovh_application_secret = "${var.ovh_application_secret}"
+ ovh_consumer_key = "${var.ovh_consumer_key}"
-provider "scaleway" {
- organization_id = "${var.scaleway_organization_id}"
- project_id = "${var.scaleway_project_id}"
- access_key = "${var.scaleway_access_key}"
- secret_key = "${var.scaleway_secret_key}"
- region = "nl-ams"
- zone = "nl-ams-1"
-}
+ scaleway_access_key = "${var.scaleway_access_key}"
+ scaleway_secret_key = "${var.scaleway_secret_key}"
+ scaleway_project_id = "${var.scaleway_project_id}"
+ scaleway_organization_id = "${var.scaleway_organization_id}"
-provider "tailscale" {
- api_key = "${var.tailscale_api_key}"
- tailnet = "${var.tailscale_tailnet}"
-}
+ tailscale_api_key = "${var.tailscale_api_key}"
+ tailscale_tailnet = "${var.tailscale_tailnet}"
-locals {
- services_auth = {for key, val in var.services : key
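Review bot: `default_ssh_key = "${var.default_ssh_key}"` in the new `module "infrastructure"` block will not evaluate: the module declares `default_ssh_key` as an `object({ name = string, public_key = string })`, and Terraform cannot interpolate an object into a string template (and if the root variable were a string, the module would reject it instead), so this should be the bare reference `default_ssh_key = var.default_ssh_key`. The remaining arguments use the same interpolation-only form, e.g. `authentik_url = "${var.authentik_url}"`; that form has been deprecated since Terraform 0.12, `terraform fmt` rewrites it, and it needlessly forces `postgresql_port` through a string conversion, so `authentik_url = var.authentik_url` style references are preferable throughout. The provider blocks added in modules/infrastructure/main.tf and modules/services/main.tf carry the same pattern.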
=> val if val.auth}
- services_database = {for key, val in var.services : key => val if val.database}
- services_s3 = {for key, val in var.services : key => val if val.s3}
-}
+ default_ssh_key = "${var.default_ssh_key}"
+ hosts = var.hosts
+ services = var.services
+}
diff --git a/hcloud.tf b/modules/infrastructure/hcloud.tf
similarity index 100%
rename from hcloud.tf
rename to modules/infrastructure/hcloud.tf
diff --git a/modules/infrastructure/main.tf b/modules/infrastructure/main.tf
new file mode 100644
index 0000000..d3d2c41
--- /dev/null
+++ b/modules/infrastructure/main.tf
@@ -0,0 +1,53 @@
+terraform {
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "~> 1.45.0"
+ }
+ ovh = {
+ source = "ovh/ovh"
+ version = "~> 0.48.0"
+ }
+ scaleway = {
+ source = "scaleway/scaleway"
+ version = "~> 2.43.0"
+ }
+ tailscale = {
+ source = "tailscale/tailscale"
+ version = "~> 0.16.0"
+ }
+ }
+}
+
+
+provider "hcloud" {
+ token = "${var.hcloud_token}"
+}
+
+provider "ovh" {
+ endpoint = "ovh-eu"
+ application_key = "${var.ovh_application_key}"
+ application_secret = "${var.ovh_application_secret}"
+ consumer_key = "${var.ovh_consumer_key}"
+}
+
+provider "scaleway" {
+ organization_id = "${var.scaleway_organization_id}"
+ project_id = "${var.scaleway_project_id}"
+ access_key = "${var.scaleway_access_key}"
+ secret_key = "${var.scaleway_secret_key}"
+ region = "nl-ams"
+ zone = "nl-ams-1"
+}
+
+provider "tailscale" {
+ api_key = "${var.tailscale_api_key}"
+ tailnet = "${var.tailscale_tailnet}"
+}
+
+
+locals {
+ services_auth = {for key, val in var.services : key => val if val.auth}
+ services_database = {for key, val in var.services : key => val if val.database}
+ services_s3 = {for key, val in var.services : key => val if val.s3}
+}
diff --git a/modules/infrastructure/output.tf b/modules/infrastructure/output.tf
new file mode 100644
index 0000000..eaaf370
--- /dev/null
+++ b/modules/infrastructure/output.tf
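Review bot: modules/infrastructure/main.tf configures `provider "hcloud"`, `"ovh"`, `"scaleway"` and `"tailscale"` inside the child module, which Terraform documents as a legacy pattern: such a module cannot be called with `count`, `for_each` or `depends_on`, and once the `module "infrastructure"` call is removed from the root there is no provider configuration left for the resources still in state, so Terraform aborts the plan rather than destroying them and the IAM API keys, buckets and DNS records it created stay in place. modules/services/main.tf has the same problem for the PostgreSQL roles and OAuth providers it manages. Keep `required_providers` in each module, move the `provider` blocks back to the root, and hand them in on the module call with `providers = { hcloud = hcloud, ovh = ovh, scaleway = scaleway, tailscale = tailscale }`; the credential variables then no longer need to flow through the module at all.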
@@ -0,0 +1,37 @@
+output "hosts" {
+ value = {
+ for subdomain in distinct([for record in ovh_domain_zone_record.server_records : record.subdomain]) :
+ subdomain => {
+ "ipv4_address" = try(
+ ovh_domain_zone_record.server_records["${subdomain}:ipv4"].target,
+ null
+ )
+ "ipv6_address" = try(
+ ovh_domain_zone_record.server_records["${subdomain}:ipv6"].target,
+ null
+ )
+ }
+ }
+}
+
+output "scaleway_data" {
+ value = {
+ for key in keys(scaleway_iam_application.service_applications) : key => {
+ "access_key" = scaleway_iam_api_key.service_keys[key].access_key
+ "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
+ "name" = scaleway_object_bucket.service_buckets[key].name
+ "region" = scaleway_object_bucket.service_buckets[key].region
+ "endpoint" = scaleway_object_bucket.service_buckets[key].endpoint
+ "api_endpoint" = scaleway_object_bucket.service_buckets[key].api_endpoint
+ }
+ }
+ sensitive = true
+}
+
+output "scaleway_registry_endpoint_public" {
+ value = scaleway_registry_namespace.public.endpoint
+}
+
+output "scaleway_registry_endpoint_private" {
+ value = scaleway_registry_namespace.private.endpoint
+}
diff --git a/ovh.tf b/modules/infrastructure/ovh.tf
similarity index 100%
rename from ovh.tf
rename to modules/infrastructure/ovh.tf
diff --git a/scaleway.tf b/modules/infrastructure/scaleway.tf
similarity index 100%
rename from scaleway.tf
rename to modules/infrastructure/scaleway.tf
diff --git a/tailscale.tf b/modules/infrastructure/tailscale.tf
similarity index 100%
rename from tailscale.tf
rename to modules/infrastructure/tailscale.tf
diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
new file mode 100644
index 0000000..9d72a9e
--- /dev/null
+++ b/modules/infrastructure/variables.tf
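Review bot: `output "scaleway_data"` packs the `scaleway_iam_api_key` `secret_key` together with the bucket name, region and endpoints into one `sensitive = true` map, so a consumer that only needs the bucket coordinates has to unwrap the whole sensitive value and the secret travels along wherever that map is printed, templated or passed on. Splitting the key pair into its own sensitive output and leaving the bucket attributes non-sensitive confines the secret to the places that actually need it; the root output.tf, which re-exports `module.infrastructure.scaleway_data`, would need the matching split. `hosts` and the two registry endpoints are correctly non-sensitive.
```hcl
output "scaleway_credentials" {
  value = {
    for key in keys(scaleway_iam_application.service_applications) : key => {
      "access_key" = scaleway_iam_api_key.service_keys[key].access_key
      "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
    }
  }
  sensitive = true
}

output "scaleway_buckets" {
  value = {
    for key in keys(scaleway_iam_application.service_applications) : key => {
      "name"         = scaleway_object_bucket.service_buckets[key].name
      "region"       = scaleway_object_bucket.service_buckets[key].region
      "endpoint"     = scaleway_object_bucket.service_buckets[key].endpoint
      "api_endpoint" = scaleway_object_bucket.service_buckets[key].api_endpoint
    }
  }
}
# … unchanged: hosts, scaleway_registry_endpoint_public, scaleway_registry_endpoint_private …
```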
@@ -0,0 +1,75 @@
+variable "hcloud_token" {
+ sensitive = true
+}
+
+
+variable "ovh_application_key" {
+ sensitive = true
+}
+
+variable "ovh_application_secret" {
+ sensitive = true
+}
+
+variable "ovh_consumer_key" {
+ sensitive = true
+}
+
+
+variable "scaleway_organization_id" {
+ sensitive = true
+}
+
+variable "scaleway_project_id" {
+ sensitive = true
+}
+
+variable "scaleway_access_key" {
+ sensitive = true
+}
+
+variable "scaleway_secret_key" {
+ sensitive = true
+}
+
+
+variable "tailscale_api_key" {
+ sensitive = true
+}
+
+variable "tailscale_tailnet" {
+ sensitive = false
+}
+
+
+variable "default_ssh_key" {
+ type = object({
+ name = string
+ public_key = string
+ })
+}
+
+
+variable "services" {
+ type = map(object({
+ name = string
+ subdomain = string
+ auth = bool
+ auth_redirects = optional(list(string))
+ s3 = bool
+ database = bool
+ }))
+}
+
+variable "hosts" {
+ type = map(object({
+ hostname = string
+ rdns = string
+ provider = string
+ ipv4_address = optional(string)
+ ipv6_address = optional(string)
+ image = optional(string)
+ server_type = optional(string)
+ datacenter = optional(string)
+ }))
+}
diff --git a/authentik.tf b/modules/services/authentik.tf
similarity index 100%
rename from authentik.tf
rename to modules/services/authentik.tf
diff --git a/modules/services/main.tf b/modules/services/main.tf
new file mode 100644
index 0000000..03a055f
--- /dev/null
+++ b/modules/services/main.tf
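Review bot: The credential variables (`hcloud_token`, the three `ovh_*`, the four `scaleway_*`, `tailscale_api_key`) declare `sensitive` but no `type`, so the module accepts any value including `null` and a wrong or missing credential only surfaces inside the provider call instead of at validation; `variable "tailscale_tailnet" { sensitive = false }` merely restates the default. Give each one `type = string` and `nullable = false` (the file already relies on `optional()` object attributes, so the Terraform version in use supports `nullable`), plus a one-line `description` naming where the key is issued. modules/services/variables.tf has the same gap, with `authentik_url`, `postgresql_host` and `postgresql_port` declared as empty blocks.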
@@ -0,0 +1,33 @@
+terraform {
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "~> 2024.8.0"
+ }
+ postgresql = {
+ source = "cyrilgdn/postgresql"
+ version = "~> 1.23.0"
+ }
+ }
+}
+
+provider "authentik" {
+ url = "${var.authentik_url}"
+ token = "${var.authentik_token}"
+}
+
+provider "postgresql" {
+ host = "${var.postgresql_host}"
+ port = "${var.postgresql_port}"
+ database = "postgres"
+ username = "${var.postgresql_username}"
+ password = "${var.postgresql_password}"
+ sslmode = "verify-full"
+ connect_timeout = 15
+}
+
+locals {
+ services_auth = {for key, val in var.services : key => val if val.auth}
+ services_database = {for key, val in var.services : key => val if val.database}
+ services_s3 = {for key, val in var.services : key => val if val.s3}
+}
diff --git a/modules/services/output.tf b/modules/services/output.tf
new file mode 100644
index 0000000..eeee49b
--- /dev/null
+++ b/modules/services/output.tf
@@ -0,0 +1,21 @@
+output "authentik_data" {
+ value = {
+ for key in keys(authentik_application.service_applications) : key => {
+ "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
+ "client_id" = authentik_provider_oauth2.service_providers[key].client_id
+ "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
+ }
+ }
+ sensitive = true
+}
+
+output "postgresql_data" {
+ value = {
+ for key in keys(postgresql_database.service_databases) : key => {
+ "user" = postgresql_role.service_roles[key].name
+ "pass" = postgresql_role.service_roles[key].password
+ "database" = postgresql_database.service_databases[key].name
+ }
+ }
+ sensitive = true
+}
diff --git a/postgresql.tf b/modules/services/postgresql.tf
similarity index 100%
rename from postgresql.tf
rename to modules/services/postgresql.tf
diff --git a/modules/services/variables.tf b/modules/services/variables.tf
new file mode 100644
index 0000000..eaa8afc
--- /dev/null
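Review bot: The `locals` block in modules/services/main.tf is a verbatim copy of the one in modules/infrastructure/main.tf, yet the Scaleway resources that would consume `services_s3` now live in the infrastructure module while the Authentik and PostgreSQL resources that would consume `services_auth` and `services_database` live here. Unless the renamed-unchanged authentik.tf/postgresql.tf (not visible in this diff) reference the other maps, each module should keep only the filter it uses, i.e. drop `services_s3` here and `services_auth`/`services_database` in the infrastructure module. Two identical copies of the same filter expression are what drifts apart silently on the next edit, and a filter with no consumer hides which module actually owns a service flag.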
+++ b/modules/services/variables.tf
@@ -0,0 +1,33 @@
+variable "authentik_url" {
+}
+
+variable "authentik_token" {
+ sensitive = true
+}
+
+
+variable "postgresql_host" {
+}
+
+variable "postgresql_port" {
+}
+
+variable "postgresql_username" {
+ sensitive = true
+}
+
+variable "postgresql_password" {
+ sensitive = true
+}
+
+
+variable "services" {
+ type = map(object({
+ name = string
+ subdomain = string
+ auth = bool
+ auth_redirects = optional(list(string))
+ s3 = bool
+ database = bool
+ }))
+}
diff --git a/output.tf b/output.tf
index 6a7758a..03c8cae 100644
--- a/output.tf
+++ b/output.tf
@@ -1,38 +1,14 @@
 output "hosts" {
- value = {
- for subdomain in distinct([for record in ovh_domain_zone_record.server_records : record.subdomain]) :
- subdomain => {
- "ipv4_address" = try(
- ovh_domain_zone_record.server_records["${subdomain}:ipv4"].target,
- null
- )
- "ipv6_address" = try(
- ovh_domain_zone_record.server_records["${subdomain}:ipv6"].target,
- null
- )
- }
- }
+ value = module.infrastructure.hosts
 }
 output "authentik_data" {
- value = {
- for key in keys(authentik_application.service_applications) : key => {
- "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
- "client_id" = authentik_provider_oauth2.service_providers[key].client_id
- "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
- }
- }
+ value = module.services.authentik_data
 sensitive = true
 }
 output "postgresql_data" {
- value = {
- for key in keys(postgresql_database.service_databases) : key => {
- "user" = postgresql_role.service_roles[key].name
- "pass" = postgresql_role.service_roles[key].password
- "database" = postgresql_database.service_databases[key].name
- }
- }
+ value = module.services.postgresql_data
 sensitive = true
 }
@@ -44,23 +20,14 @@ output "postgresql" {
 }
 output "scaleway_data" {
- value = {
- for key in keys(scaleway_iam_application.service_applications) : key => {
- "access_key" = scaleway_iam_api_key.service_keys[key].access_key
- "secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
- "name" = scaleway_object_bucket.service_buckets[key].name
- "region" = scaleway_object_bucket.service_buckets[key].region
- "endpoint" = scaleway_object_bucket.service_buckets[key].endpoint
- "api_endpoint" = scaleway_object_bucket.service_buckets[key].api_endpoint
- }
- }
+ value = module.infrastructure.scaleway_data
 sensitive = true
 }
 output "scaleway_registry_endpoint_public" {
- value = scaleway_registry_namespace.public.endpoint
+ value = module.infrastructure.scaleway_registry_endpoint_public
 }
 output "scaleway_registry_endpoint_private" {
- value = scaleway_registry_namespace.private.endpoint
+ value = module.infrastructure.scaleway_registry_endpoint_private
 }