Infrastructure-as-code for the things Nick runs.
Each top-level directory under this repo is a self-contained OpenTofu workspace ("context") with its own state file and provider lockfile. Contexts are independent — you cd into one and run tofu from there.
| Path | What it manages | State key |
|---|---|---|
| `cloudflare/nickvigilante-com/` | DNS, zone settings, WAF for nickvigilante.com | `cloudflare/nickvigilante-com/terraform.tfstate` |
| `homelab/` | Tailscale tailnet DNS, GitHub repo settings + branch protection + Actions secrets | `homelab/terraform.tfstate` |
- Tool: OpenTofu 1.10+ (`brew install opentofu`)
- State: stored in the Storj S3-compatible bucket `nickvigilante-tfstate`. State keys mirror context paths.
- Secrets: never committed. Sourced from `~/.cf-opentofu.env` (out-of-repo, `chmod 600`). Each context's README lists the exact env vars it needs.
- Pre-commit: `gitleaks` runs on every commit to catch accidentally-staged secrets. See `.gitleaks.toml`. After cloning, install gitleaks (`brew install gitleaks`) and enable the hook with `git config core.hooksPath .githooks`.
- Branching: all changes via feature branches + PRs to `main`. Never push to `main` directly.
```bash
# 1. Load secrets into your shell
set -a && source ~/.cf-opentofu.env && set +a

# 2. Move into the context you want to work on
cd cloudflare/nickvigilante-com

# 3. First-time setup
tofu init

# 4. Day-to-day
tofu plan
tofu apply
```
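A pre-flight check for the workflow above, added here as an example and not part of this repo: before `tofu plan`, it confirms the secrets file has the mode the README requires, that the variables a context needs are actually exported, and that the gitleaks hook path is configured. The function names and the list of variables passed to them are my own assumptions, not the repo's.

```bash
#!/usr/bin/env bash
# Added example for this README's secrets workflow (hypothetical helper names).
# Checks: env file is mode 600, required vars are exported, hooks path is set.

# Return 0 if FILE exists with mode 0600; otherwise print why and return 1.
check_env_file_mode() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  # GNU stat first, BSD/macOS stat as the fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600"; return 1; }
}

# Return 0 if every named variable is set and non-empty in this shell.
# Example: check_required_vars CLOUDFLARE_API_TOKEN AWS_ACCESS_KEY_ID
check_required_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\"\${$v:-}\""          # indirect lookup of the variable named $v
    if [ -z "$val" ]; then
      echo "unset or empty: $v"; missing=1
    fi
  done
  return $missing
}

# Return 0 if the repo at DIR (default .) routes hooks to .githooks,
# i.e. the gitleaks pre-commit hook from the README is active.
check_hooks_path() {
  repo="${1:-.}"
  [ "$(git -C "$repo" config --get core.hooksPath 2>/dev/null)" = ".githooks" ]
}

# Run all checks for one context; pass the var names its README lists.
# Example: preflight ~/.cf-opentofu.env . CLOUDFLARE_API_TOKEN
preflight() {
  env_file="$1"; repo="$2"; shift 2
  ok=0
  check_env_file_mode "$env_file" || ok=1
  check_required_vars "$@" || ok=1
  check_hooks_path "$repo" || { echo "core.hooksPath is not .githooks"; ok=1; }
  return $ok
}
```

Run `preflight ~/.cf-opentofu.env . VAR1 VAR2` after sourcing the env file and abort on a non-zero exit.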