Cloud Infrastructure¶
Overview¶
Multi-cloud infrastructure using Terraform for provisioning and Ansible for configuration management.
Instances¶
| Instance | Provider | Region | Type | Internal IP | Static IP | Purpose |
|---|---|---|---|---|---|---|
| pluto | AWS | us-west-2 | t3.micro | 10.0.0.10 | 52.32.80.62 | Production |
| mickey | AWS | us-west-2 | t3a.medium | 10.0.0.20 | (dynamic) | Dev/IaC |
| dumbo | GCE | us-central1 | e2-medium | 10.1.0.110 | 34.44.33.3 | General |
| bogart | GCE | us-west1 | e2-micro | 10.10.10.10 | 35.209.219.216 | PowerDNS |
| rocky | Meanservers | - | Bare metal | 10.2.0.1 | 193.8.172.100 | TBD |
Managed Services¶
| Service | Provider | Instance | Region | Purpose |
|---|---|---|---|---|
| Cloud SQL | GCE | scandora-postgres | us-central1 | PostgreSQL 16 database |
Trust Model¶
| Instance | Trust Level | 1Password SA | Secrets Allowed |
|---|---|---|---|
| pluto | ✅ Trusted | ✅ Yes | Yes |
| mickey | ✅ Trusted | ❌ No | Ephemeral only |
| dumbo | ✅ Trusted | ✅ Yes | Yes |
| bogart | ⚠️ Untrusted | ❌ No | NO |
| rocky | ⚠️ TBD | ❌ No | TBD; SSH only via ZeroTier (public SSH blocked) |
Bogart Security
Bogart is classified as untrusted: no secrets are stored on or deployed to it, and it receives only non-sensitive configuration.
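As an added example (not code from this page or the project), the following Python pre-flight lint turns the trust table into a check that runs before `ansible-playbook`: it merges the variables a host would receive from `group_vars/` and `host_vars/` and fails on anything secret-looking destined for a host whose policy is "NO", or persisted in a vars file for an "ephemeral only" host. The inventory, variable names and `op://` values are constructed for the demo, the merge order is a flat approximation of Ansible's group precedence, and treating rocky's TBD trust level as untrusted is an assumption.

```python
"""Trust-model lint for Ansible vars files (added example, assumptions noted inline)."""
import re
from typing import Dict, Iterable, List, Tuple

# Trust model from the page: what each host may receive through committed vars files.
# rocky's trust level is TBD on the page; treating it as "no" is an assumption.
SECRETS_POLICY = {
    "pluto": "yes",
    "dumbo": "yes",
    "mickey": "ephemeral",  # runtime-only secrets, never persisted in vars files
    "bogart": "no",
    "rocky": "no",
}

# Heuristics (assumed, not from the page): a credential-looking NAME or a
# 1Password reference VALUE marks a variable as a secret.
SECRET_NAME_RE = re.compile(
    r"(?i)(passw(or)?d|secret|token|api_?key|access_key|private_key|credential)"
)
OP_REF_RE = re.compile(r"^op://")


def classify(key: str, value: object) -> str:
    """Return why a variable counts as a secret, or '' if it does not."""
    if SECRET_NAME_RE.search(key):
        return "name looks like a credential"
    if isinstance(value, str) and OP_REF_RE.match(value):
        return "value is a 1Password reference"
    return ""


def effective_vars(host: str, groups: Dict[str, Iterable[str]],
                   group_vars: Dict[str, dict],
                   host_vars: Dict[str, dict]) -> Dict[str, Tuple[object, str]]:
    """Merge vars roughly the way Ansible does: group_vars/all, then every group
    the host is in, then host_vars (later wins). Real Ansible also orders
    parent/child groups; this flat approximation is enough for a lint.
    Each value is paired with the file it came from so findings are actionable."""
    merged: Dict[str, Tuple[object, str]] = {}
    for k, v in group_vars.get("all", {}).items():
        merged[k] = (v, "group_vars/all")
    for group, members in groups.items():
        if group != "all" and host in members:
            for k, v in group_vars.get(group, {}).items():
                merged[k] = (v, f"group_vars/{group}")
    for k, v in host_vars.get(host, {}).items():
        merged[k] = (v, f"host_vars/{host}")
    return merged


def find_violations(groups, group_vars, host_vars) -> List[Tuple[str, str, str, str]]:
    """(host, variable, source file, reason) for every secret a host may not
    receive through committed vars files."""
    findings = []
    for host, policy in SECRETS_POLICY.items():
        if policy == "yes":
            continue
        merged = effective_vars(host, groups, group_vars, host_vars)
        for key, (value, source) in sorted(merged.items()):
            why = classify(key, value)
            if why:
                findings.append((host, key, source, f"{why}; host policy is {policy!r}"))
    return findings


# Constructed sample data standing in for inventory/ and the vars files on disk.
SAMPLE_GROUPS = {
    "all": ["pluto", "mickey", "dumbo", "bogart", "rocky"],
    "aws": ["pluto", "mickey"],
    "gce": ["dumbo", "bogart"],
}
SAMPLE_GROUP_VARS = {
    "all": {"ssh_port": 22, "zerotier_network": "192.168.194.0/24"},
    "gce": {"db_password": "op://Infra/cloudsql/password"},  # reaches bogart via the gce group
}
SAMPLE_HOST_VARS = {
    "bogart": {"pdns_listen": "0.0.0.0", "notify_webhook": "op://Infra/slack/webhook"},
    "mickey": {"op_service_account_token": "op://Infra/mickey/sa"},  # persisted on an ephemeral-only host
    "pluto": {"op_service_account_token": "op://Infra/pluto/sa"},    # allowed: pluto is trusted
}

if __name__ == "__main__":
    for host, key, source, reason in find_violations(SAMPLE_GROUPS, SAMPLE_GROUP_VARS, SAMPLE_HOST_VARS):
        print(f"{host}: {key} ({source}): {reason}")
```

Run it as a pre-commit hook or a first step in CI: any finding means a secret is about to be shipped to a host the trust table says must not hold it. Matching on names and `op://` values is a heuristic, so keep the regex conservative and review findings rather than auto-fixing them.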
Infrastructure as Code¶
Terraform¶
- Modules: `cloud/terraform/modules/`
- Environments: `cloud/terraform/environments/`
- Static IPs: managed separately, with `prevent_destroy`
See Terraform Patterns for details.
Ansible¶
- Inventory: `cloud/ansible/inventory/`
- Roles: `cloud/ansible/roles/`
- Playbooks: `cloud/ansible/playbooks/`
See Ansible Roles for details.
Directory Structure¶
```
cloud/
├── IAC-ARCHITECTURE.md          # Architecture documentation
├── terraform/
│   ├── modules/
│   │   ├── aws-instance/        # Reusable AWS EC2 module
│   │   ├── gce-instance/        # Reusable GCE VM module
│   │   ├── cloud-sql-postgres/  # Cloud SQL PostgreSQL module
│   │   └── static-ips/          # Static IP management
│   └── environments/
│       ├── production/
│       │   ├── aws/
│       │   │   ├── static-ips/  # PROTECTED
│       │   │   ├── pluto/
│       │   │   └── mickey/
│       │   └── gce/
│       │       ├── static-ips/  # PROTECTED
│       │       ├── cloud-sql/   # Cloud SQL PostgreSQL
│       │       ├── dumbo/
│       │       └── bogart/
│       └── test/
└── ansible/
    ├── inventory/
    ├── group_vars/
    ├── roles/
    │   ├── base/                # OS setup, packages
    │   ├── dotfiles/            # Home directory
    │   ├── zerotier/            # ZeroTier VPN
    │   ├── docker/              # Docker installation
    │   ├── internal-dns/        # DNS routing
    │   ├── ddns/                # Cloudflare DDNS
    │   ├── cloudflared/         # Cloudflare tunnels
    │   ├── cloudsql-client/     # Cloud SQL Auth Proxy
    │   ├── cloudwatch/          # AWS monitoring
    │   └── powerdns/            # DNS server
    ├── playbooks/
    └── files/
```
Base OS¶
Standard: Ubuntu 24.04 LTS
All cloud instances run Ubuntu LTS for:
- The longer support cycle
- Better cloud provider integration
- Timely security updates for the whole support window
- Canonical-maintained official images
Common Tooling¶
All instances have:
- ZeroTier (192.168.194.0/24 overlay)
- SSH hardening (key-only, no root)
- fail2ban (sshd jail)
- Cloudflare DDNS
- Standard dotfiles (`joeuser`)
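The "key-only, no root" bullet is only true of sshd's effective configuration, which a grep of `/etc/ssh/sshd_config` does not show: sshd keeps the first value it reads for a keyword, Ubuntu's stock file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and anything after a `Match` line is conditional. `sudo sshd -T` is the authoritative answer on a live host; the added Python check below (not the project's code) re-implements enough of those rules to audit config files offline, for instance the files a role templates out, and builds a constructed config tree to show the pitfall. The temp-dir layout and the `60-legacy.conf` drop-in are part of that fixture, not the project's.

```python
"""Resolve sshd's effective settings and check the page's hardening promise
(added example; the fixture at the bottom is constructed, not a real host)."""
import glob
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

# Compiled-in OpenSSH defaults used when a keyword never appears.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# What "key-only, no root" has to mean in sshd terms.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}


def _directives(path: str, base_dir: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, argument) in sshd's reading order, expanding Include
    directives in place. Relative Include globs resolve against base_dir
    (sshd uses /etc/ssh); the fixture below passes its own temp dir."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            head, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if "=" in head:  # sshd also accepts the "Key=value" spelling
                head, _, eq_val = head.partition("=")
                rest = (eq_val + " " + rest).strip()
            key = head.lower()  # keywords are case-insensitive, arguments are not
            if key == "include":
                for pattern in rest.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    for included in sorted(glob.glob(pattern)):
                        yield from _directives(included, base_dir)
            else:
                yield key, rest


def effective_settings(path: str, base_dir: str = "/etc/ssh") -> Dict[str, str]:
    """First-occurrence-wins view of the global (non-Match) section."""
    seen: Dict[str, str] = {}
    in_match = False
    for key, arg in _directives(path, base_dir):
        if key == "match":
            in_match = arg.lower() != "all"  # "Match all" returns to global scope
            continue
        if in_match:
            continue  # conditional on user/address/etc., not the global setting
        seen.setdefault(key, arg)  # sshd ignores later repeats of a keyword
    return seen


def check_hardening(path: str, base_dir: str = "/etc/ssh") -> List[Tuple[str, str, str, bool]]:
    """(keyword, effective value, where it came from, ok) for each required setting."""
    eff = effective_settings(path, base_dir)
    report = []
    for key, want in REQUIRED.items():
        got, src = (eff[key], "config") if key in eff else (DEFAULTS[key], "default")
        report.append((key, got, src, got == want))
    return report


def is_hardened(path: str, base_dir: str = "/etc/ssh") -> bool:
    return all(ok for _, _, _, ok in check_hardening(path, base_dir))


def make_fixture(stale_dropin: bool = True) -> str:
    """Constructed config tree reproducing the Include-first pitfall."""
    root = tempfile.mkdtemp(prefix="sshd-demo-")
    dropins = os.path.join(root, "sshd_config.d")
    os.mkdir(dropins)
    if stale_dropin:  # a forgotten drop-in that is read before the main file's settings
        with open(os.path.join(dropins, "60-legacy.conf"), "w", encoding="utf-8") as fh:
            fh.write("PasswordAuthentication yes\n")
    with open(os.path.join(root, "sshd_config"), "w", encoding="utf-8") as fh:
        fh.write("Include sshd_config.d/*.conf\n"
                 "PasswordAuthentication no\n"      # too late if the drop-in said yes
                 "PermitRootLogin=no\n"
                 "Match User backup\n"
                 "    PasswordAuthentication yes\n")  # conditional; not the global value
    return root


if __name__ == "__main__":
    for stale in (True, False):
        root = make_fixture(stale_dropin=stale)
        cfg = os.path.join(root, "sshd_config")
        print(f"--- stale drop-in present: {stale}")
        for key, got, src, ok in check_hardening(cfg, base_dir=root):
            print(f"{'ok  ' if ok else 'FAIL'} {key:<24} {got} ({src})")
        print("hardened:", is_hardened(cfg, base_dir=root))
```

Against a real host run `python3 sshd_check.py` with `check_hardening("/etc/ssh/sshd_config")` (the default `base_dir`), or simply compare its output with `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|pubkeyauthentication'`; a disagreement means the parser is missing a rule, and `sshd -T` wins.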
Quick Commands¶
SSH Access¶
```sh
# Pluto
ssh joe@pluto            # Via SSH config alias
ssh joe@52.32.80.62      # Direct
ssh joe@192.168.194.x    # Via ZeroTier

# Dumbo
ssh joe@dumbo            # Via SSH config alias
ssh joe@34.44.33.3       # Direct

# Mickey (ephemeral IP)
ssh joe@mickey           # Via SSH config alias
```
Ansible Deployment¶
```sh
# Full site deployment
ansible-playbook -i inventory/production.yml playbooks/site.yml --limit pluto

# Base configuration only
ansible-playbook -i inventory/production.yml playbooks/base.yml --limit pluto
```
Terraform¶
```sh
# Plan changes (target specific instance)
terraform plan -target=aws_instance.pluto

# Apply changes
terraform apply -target=aws_instance.pluto
```
Never target static IPs
Static IPs live in their own state files (the `static-ips/` environments, marked PROTECTED above and guarded with `prevent_destroy`) and must never be modified through instance modules. Terraform itself warns that `-target` is for exceptional situations, so use it only to narrow a plan to an instance, never to reach into static IP resources.
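One way to enforce this rule mechanically in CI, as an added example rather than the project's own tooling: save a plan, render it as JSON with `terraform show -json`, and refuse to apply when static IP resources would change from the wrong place or be destroyed. The resource types (`aws_eip`, `google_compute_address`), the `instance` / `static-ips` environment labels and the plan document below are assumptions and constructed data; `prevent_destroy` still does the real protection at plan time, this adds the cross-environment rule and a readable failure.

```python
"""CI guard over `terraform show -json tfplan` output (added example).

Usage:  terraform plan -out=tfplan && terraform show -json tfplan | python3 tf_static_ip_guard.py instance
Exit status 1 blocks the pipeline. Environment labels are this script's convention:
"static-ips" for the protected state directories, "instance" for everything else."""
import json
import sys
from typing import List, Tuple

# Assumed resource types behind the page's "static IPs" (not named on the page).
STATIC_IP_TYPES = {"aws_eip", "google_compute_address"}


def static_ip_violations(plan_json: str, environment: str) -> List[Tuple[str, str, str]]:
    """Return (address, actions, reason) for every change the rule forbids."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("type") not in STATIC_IP_TYPES:
            continue
        if rc.get("mode") == "data" or actions in (["no-op"], ["read"]):
            continue  # data lookups of an EIP/address are how instance modules consume them
        joined = ",".join(actions)
        if environment != "static-ips":
            findings.append((rc["address"], joined,
                             "static IPs are managed only from the static-ips state"))
        elif "delete" in actions:  # plain destroy, or a replace (delete+create)
            findings.append((rc["address"], joined,
                             "static IP would be destroyed or replaced"))
    return findings


def guard(plan_json: str, environment: str) -> int:
    """Print findings and return the exit status for CI."""
    findings = static_ip_violations(plan_json, environment)
    for address, actions, reason in findings:
        print(f"BLOCKED {address} [{actions}]: {reason}")
    return 1 if findings else 0


# Constructed plan document in the shape `terraform show -json` produces.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.pluto", "mode": "managed", "type": "aws_instance",
         "name": "pluto", "change": {"actions": ["update"]}},
        {"address": "aws_eip.pluto", "mode": "managed", "type": "aws_eip",
         "name": "pluto", "change": {"actions": ["delete", "create"]}},   # a replace
        {"address": "google_compute_address.bogart", "mode": "managed",
         "type": "google_compute_address", "name": "bogart",
         "change": {"actions": ["no-op"]}},
        {"address": "data.aws_eip.pluto", "mode": "data", "type": "aws_eip",
         "name": "pluto", "change": {"actions": ["read"]}},
    ],
})

if __name__ == "__main__":
    env = sys.argv[1] if len(sys.argv) > 1 else "instance"
    data = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(guard(data, env))
```

With the sample plan the guard blocks `aws_eip.pluto` in both environments, for different reasons: from an instance directory any change to a static IP is out of bounds, and from `static-ips/` a replace is a delete in disguise. A plan that only updates tags on the address from `static-ips/` passes.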