https://github.com/ironicbadger/infra
99.7% less leaked credentials
- Host: GitHub
- URL: https://github.com/ironicbadger/infra
- Owner: ironicbadger
- License: gpl-3.0
- Created: 2020-01-16T18:44:34.000Z (about 6 years ago)
- Default Branch: main
- Last Pushed: 2026-01-11T04:49:04.000Z (about 2 months ago)
- Last Synced: 2026-01-11T12:11:36.384Z (about 2 months ago)
- Language: HCL
- Homepage:
- Size: 1.95 MB
- Stars: 798
- Watchers: 20
- Forks: 47
- Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - ironicbadger/infra - 99.7% less leaked credentials (HCL)
README
# ironicbadger/infra
We started at 100% no leaked credentials. Each time a leak has occurred the counter gets decremented by one. Oops.
This repo is the living, breathing source of truth for my self-hosted infrastructure. I run everything in the open because open source matters.
## Architecture
```mermaid
%%{init: {"theme": "base", "themeVariables": {
"fontFamily": "monospace",
"primaryColor": "#5a5a5a",
"primaryTextColor": "#e8e8e8",
"primaryBorderColor": "#707070",
"lineColor": "#d4782c",
"secondaryColor": "#4a4a4a",
"tertiaryColor": "#3a3a3a",
"background": "#3a3a3a",
"mainBkg": "#4a4a4a",
"secondBkg": "#5a5a5a",
"textColor": "#e8e8e8"
}, "flowchart": {"curve": "basis"}, "themeCSS": ".edge-pattern-dotted { stroke-width: 2px !important; } .flowchart-link { stroke-width: 2px !important; } .edgeLabel { font-size: 14px; background: #2a2a2a; }"}}%%
flowchart LR
subgraph home["Home 🇺🇸"]
direction TB
c137["c137
media/storage server
zpool: rust (164TB)"]
ms01["ms01
app Server
Caddy, DNS, Home Assistant"]
end
subgraph offsite["Off-site"]
direction TB
ktz-cloud["ktz-cloud
VPS 🇺🇸"]
igloo["igloo - Canada 🇨🇦
zpool: tank (62TB)"]
snowball["snowball - UK 🇬🇧"]
end
c137 -.->|"zrepl via tailscale"| igloo
c137 -.->|"zrepl via tailscale"| snowball
c137 <-.->|"zrepl via tailscale"| ktz-cloud
```
## Technologies
- **Ansible** - Configuration management
- **Docker Compose** - Container orchestration (via `docker-compose-generator`)
- **SOPS + age** - Secret encryption
- **Tailscale** - Mesh VPN
- **ZFS + zrepl** - Storage and replication
- **Just** - Task runner
## Roles Philosophy
Roles are sourced three ways:
| Type | Location | Purpose |
|------|----------|---------|
| **Submodules** | `roles/ironicbadger.*` | Reusable roles maintained in separate repos. Pinned to specific commits. |
| **Galaxy** | `requirements.yaml` | Community roles (e.g., `geerlingguy.docker`). Installed via `just reqs`. |
| **Local** | `roles/` | Project-specific roles not useful elsewhere (e.g., `zrepl`, `ktz-server-welcome`). |
## Prerequisites
- Ansible
- SOPS with age keyfile at `~/.config/sops/age/keys.txt`
- SSH access to target hosts
## Usage
```bash
just reqs # Install galaxy dependencies
just run # Run playbook on host
just compose # Deploy docker-compose services
just sops # Edit encrypted secrets
just sub-update # Update git submodules
```
## Structure
```
├── run.yaml            # Main playbook
├── hosts.ini           # Inventory
├── justfile            # Task automation
├── group_vars/         # Variables (some SOPS encrypted)
├── roles/              # Ansible roles
└── services/           # Docker Compose configs per host
    └── /
        └── <##-category>/
            ├── compose.yaml
            └── config-/
```
Services are organized under `services//<##-category>/`. The `docker-compose-generator` role merges these into a single compose file on deployment.
## Core Edge Nodes (VIP)
Caddy and AdGuardHome are configured to run using keepalived and a floating VIP.
| Host | IP | Role | Hardware |
|------|-----|------|----------|
| core-pi5 | 10.42.0.5 | Primary | Raspberry Pi 5 |
| core-zima | 10.42.0.6 | Backup | ZimaBlade |
| **VIP** | **10.42.0.53** | Floating | - |
### Services
- **AdGuard Home** - Local DNS resolution (port 53, web UI on 3000)
- **Caddy** - Reverse proxy with automatic TLS
- **Keepalived** - VRRP failover for VIP
- **Chrony** - NTP time synchronization
- **AdGuard Home Sync** - Config replication from primary to backup
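The following keepalived configuration realises the VIP topology from the table above on the primary node. It is an added illustration, not the repo's own `core` role output; the interface name `eth0`, the `virtual_router_id`, the priorities and the health-check command are assumptions. It also tracks the DNS listener so the VIP moves when AdGuard Home stops answering, not only when the host goes down.

```conf
# /etc/keepalived/keepalived.conf on core-pi5 (primary, 10.42.0.5).
# Added example, not the repo's own file: interface, router id,
# priorities and the check command are assumptions.
global_defs {
    enable_script_security
    script_user root
}

# Health check: TCP connect to the local DNS listener (AdGuard Home on 53).
# A non-zero exit twice in a row lowers this node's priority below the
# backup's, so the VIP fails over while the host itself is still up.
vrrp_script chk_dns {
    script "/usr/bin/nc -z -w 2 127.0.0.1 53"   # assumption: netcat-openbsd
    interval 5
    fall 2
    rise 2
    weight -20          # 110 - 20 = 90 < backup priority 100
}

vrrp_instance VI_CORE {
    state MASTER        # core-zima (10.42.0.6) uses BACKUP
    interface eth0      # assumption
    virtual_router_id 53   # assumption; must match on both nodes
    priority 110        # core-zima: 100
    advert_int 1
    # Unicast VRRP: adverts go only to the peer in the table, so a stray
    # host on the LAN cannot join the election by multicast.
    unicast_src_ip 10.42.0.5
    unicast_peer {
        10.42.0.6
    }
    virtual_ipaddress {
        10.42.0.53/24 dev eth0
    }
    track_script {
        chk_dns
    }
}
```

On core-zima the same file is used with `state BACKUP`, `priority 100`, and the `unicast_src_ip`/`unicast_peer` addresses swapped.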
### Usage
```bash
just core # Run full core playbook
just core --tags caddy # Run only caddy role
just core --tags network # Run only network role
just core --tags adguard # Run only adguard role
```
### Network Backend
The `core-network` role supports two backends configured via `network_backend`:
- `networkd` - systemd-networkd (Debian)
- `networkmanager` - NetworkManager (Raspberry Pi OS)
The role removes dhcpcd packages and writes a static `/etc/resolv.conf`.