refactor:
- account for moves of
  - machines
  - proxmox
  - launch
- own dir with:
  - TF config
  - TF state
  - TF lock
  - `setup` process (document running per project)
- abstract out common TF logic to a separate TF module
  - symlink thru nix

test:
- services tests
- secret shell
- ci