diff --git a/proxmox/terraform/staging/cluster-graphql.tf b/proxmox/terraform/staging/cluster-graphql.tf
new file mode 100644
--- /dev/null
+++ b/proxmox/terraform/staging/cluster-graphql.tf
@@ -0,0 +1,159 @@
+# This declares terraform manifests to provision vms and register containers within
+# those to a rancher (clusters management service) instance.
+
+# Each software has the following responsibilities:
+# - proxmox: provision vms (with docker dependency)
+# - rancher: installs kube cluster within containers (running on vms)
+
+# Requires (RANCHER_ACCESS_KEY and RANCHER_SECRET_KEY) in your shell environment
+# $ cat ~/.config/terraform/swh/setup.sh
+# ...
+# key_entry=operations/rancher/azure/elastic-loader-lister-keys
+# export RANCHER_ACCESS_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f1)
+# export RANCHER_SECRET_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f2)
+
+# Plan:
+# - create cluster with terraform
+# - Create nodes as usual through terraform
+# - Retrieve the registration command (out of the cluster creation step) to provide new
+#   node
+
+resource "rancher2_cluster" "cluster-graphql" {
+  name = "cluster-graphql"
+  description = "graphql staging cluster"
+  rke_config {
+    network {
+      plugin = "canal"
+    }
+  }
+}
+
+output "rancher2_cluster_graphql_summary" {
+  sensitive = true
+  value = rancher2_cluster.cluster-graphql.kube_config
+}
+
+output "rancher2_cluster_graphql_command" {
+  sensitive = true
+  value = rancher2_cluster.cluster-graphql.cluster_registration_token[0].node_command
+}
+
+module "graphql-worker0" {
+  source      = "../modules/node"
+  vmid        = 162
+  template    = "debian-bullseye-11.3-zfs-2022-04-21"
+  config      = local.config
+  hostname    = "graphql-worker0"
+  description = "elastic worker running in rancher cluster"
+  hypervisor  = "uffizi"
+  sockets     = "1"
+  cores       = "4"
+  onboot      = true
+  memory      = "8192"
+  balloon     = "4096"
+
+  networks = [{
+    id      = 0
+    ip      = "192.168.130.150"
+    gateway = local.config["gateway_ip"]
+    bridge  = "vmbr443"
+  }]
+
+  storages = [{
+    storage = "proxmox"
+    size    = "20G"
+    }, {
+    storage = "proxmox"
+    size    = "50G"
+    }
+  ]
+
+  post_provision_steps = [
+    "systemctl restart docker",  # workaround
+    "${rancher2_cluster.cluster-graphql.cluster_registration_token[0].node_command} --etcd --controlplane --worker"
+  ]
+}
+
+output "graphql-worker0_summary" {
+  value = module.graphql-worker0.summary
+}
+
+module "graphql-worker1" {
+  source      = "../modules/node"
+  vmid        = 163
+  template    = "debian-bullseye-11.3-zfs-2022-04-21"
+  config      = local.config
+  hostname    = "graphql-worker1"
+  description = "graphql worker running in rancher cluster"
+  hypervisor  = "uffizi"
+  sockets     = "1"
+  cores       = "4"
+  onboot      = true
+  memory      = "8192"
+  balloon     = "4096"
+
+  networks = [{
+    id      = 0
+    ip      = "192.168.130.151"
+    gateway = local.config["gateway_ip"]
+    bridge  = "vmbr443"
+  }]
+
+  storages = [{
+    storage = "proxmox"
+    size    = "20G"
+    }, {
+    storage = "proxmox"
+    size    = "50G"
+    }
+  ]
+
+  post_provision_steps = [
+    "systemctl restart docker",  # workaround
+    "${rancher2_cluster.cluster-graphql.cluster_registration_token[0].node_command} --etcd --controlplane --worker"
+  ]
+}
+
+output "graphql-worker1_summary" {
+  value = module.graphql-worker1.summary
+}
+
+module "graphql-worker2" {
+  source      = "../modules/node"
+  vmid        = 164
+  template    = "debian-bullseye-11.3-zfs-2022-04-21"
+  config      = local.config
+  hostname    = "graphql-worker2"
+  description = "graphql worker running in rancher cluster"
+  hypervisor  = "uffizi"
+  sockets     = "1"
+  cores       = "4"
+  onboot      = true
+  memory      = "8192"
+  balloon     = "4096"
+
+  networks = [{
+    id      = 0
+    ip      = "192.168.130.152"
+    gateway = local.config["gateway_ip"]
+    bridge  = "vmbr443"
+  }]
+
+  storages = [{
+    storage = "proxmox"
+    size    = "20G"
+    }, {
+    storage = "proxmox"
+    size    = "50G"
+    }
+  ]
+
+  post_provision_steps = [
+    "systemctl restart docker",  # workaround
+    "${rancher2_cluster.cluster-graphql.cluster_registration_token[0].node_command} --etcd --controlplane --worker"
+  ]
+}
+
+output "graphql-worker2_summary" {
+  value = module.graphql-worker2.summary
+}
diff --git a/proxmox/terraform/staging/elastic-workers.tf b/proxmox/terraform/staging/elastic-workers.tf
--- a/proxmox/terraform/staging/elastic-workers.tf
+++ b/proxmox/terraform/staging/elastic-workers.tf
@@ -1,22 +1,3 @@
-# This declares terraform manifests to provision vms and register containers within
-# those to a rancher (clusters management service) instance.
-
-# Each software has the following responsibilities:
-# - proxmox: provision vms (with docker dependency)
-# - rancher: installs kube cluster within containers (running on vms)
-
-# Requires (RANCHER_ACCESS_KEY and RANCHER_SECRET_KEY) in your shell environment
-# $ cat ~/.config/terraform/swh/setup.sh
-# ...
-# key_entry=operations/rancher/azure/elastic-loader-lister-keys
-# export RANCHER_ACCESS_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f1)
-# export RANCHER_SECRET_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f2)
-provider "rancher2" {
-  api_url    = "https://rancher.euwest.azure.internal.softwareheritage.org/v3"
-  # for now
-  insecure = true
-}
-
 # Plan:
 # - create cluster with terraform
 # - Create nodes as usual through terraform
@@ -33,12 +14,12 @@
   }
 }
 
-output "rancher2_cluster_summary" {
+output "rancher2_cluster_staging_workers_summary" {
   sensitive = true
   value = rancher2_cluster.staging-workers.kube_config
 }
 
-output "rancher2_cluster_command" {
+output "rancher2_cluster_staging_worker_command" {
   sensitive = true
   value = rancher2_cluster.staging-workers.cluster_registration_token[0].node_command
 }
diff --git a/proxmox/terraform/staging/rancher-common.tf b/proxmox/terraform/staging/rancher-common.tf
new file mode 100644
--- /dev/null
+++ b/proxmox/terraform/staging/rancher-common.tf
@@ -0,0 +1,19 @@
+# This declares terraform manifests to provision vms and register containers within
+# those to a rancher (clusters management service) instance.
+
+# Each software has the following responsibilities:
+# - proxmox: provision vms (with docker dependency)
+# - rancher: installs kube cluster within containers (running on vms)
+
+# Requires (RANCHER_ACCESS_KEY and RANCHER_SECRET_KEY) in your shell environment
+# $ cat ~/.config/terraform/swh/setup.sh
+# ...
+# key_entry=operations/rancher/azure/elastic-loader-lister-keys
+# export RANCHER_ACCESS_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f1)
+# export RANCHER_SECRET_KEY=$(swhpass ls $key_entry | head -1 | cut -d: -f2)
+
+provider "rancher2" {
+  api_url    = "https://rancher.euwest.azure.internal.softwareheritage.org/v3"
+  # for now
+  insecure = true
+}