// production infrastructure. one command.
A self-contained SRE platform kit that runs on a single Linux machine with SSH access. No cloud account. No managed services. Real tools, real patterns, real understanding.
// foundation - runs standalone
AWS infrastructure [live] - Terraform modules, Terragrunt multi-env, 11 modules across dev + staging. Runs against Ministack locally.
Kubernetes platform [live] - k3s, ArgoCD app-of-apps, Vault + ESO, Gitea CI, full LGTM stack. GitOps from day one.
GCP infrastructure [live] - 6 modules (IAM, GCS, Pub/Sub, Cloud SQL, Secret Manager, BigQuery) across dev + staging. Terraform + Terragrunt against MiniSky emulator via nginx proxy.
Linux fleet at scale [live] - one VM becomes hundreds of right-sized Incus nodes, Ansible-managed over SSH. Declarative, idempotent, btrfs copy-on-write; wipes to bare metal with no residue.
Database operations [planned] - PostgreSQL HA with Patroni, PgBouncer, WAL-G backups, PITR testing, CDC with Debezium, fire drills.
// advanced - layers on top of foundation
Networking internals [planned] - eBPF packet tracing, WireGuard from scratch, BGP with FRR, Cilium network policies, Linkerd mTLS dissection.
Supply chain and runtime [planned] - Trivy/Grype scanning, Cosign image signing, SBOM attestations, Falco runtime rules, OPA/Rego policies, CIS benchmarks.
Internal developer platform [planned] - Backstage IDP, service catalog wired to awslab + k8slab, golden path templates, Crossplane self-service infra.
Prerequisites
A Linux machine with SSH access, 4GB+ RAM. Ansible, kubectl, and git on your local machine.
Configure
cp .env.example .env
# fill in TARGET_HOST, TARGET_USER, SSH_KEY_PATH
Run
make up # blank machine → full platform (~10 min)
make down # full teardown, machine is clean
| Tool | | Responsibility |
|---|---|---|
| Ansible | → | OS layer only (k3s, kubeconfig) |
| kubectl | → | Bootstrap only. Runs once, ever. |
| git push | → | Everything else. This is the only way to change cluster state. |