@possebon
possebon / 23-security-checklist.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 23-security-checklist

Security Checklist

  • Infisical Machine Identity created
  • All secrets migrated to Infisical
  • No hardcoded credentials in repository
  • SSL certificates auto-renewing
  • Firewall rules configured
  • Keycloak admin password changed
  • Database passwords rotated
  • Backup encryption enabled
@possebon
possebon / 22-essential-commands.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 22-essential-commands

Essential Commands Quick Reference

# Initialize infrastructure
tofu init && tofu apply

# Deploy all services
ansible-playbook playbooks/site.yml

# Deploy single environment
@possebon
possebon / 21-infrastructure-file-structure.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 21-infrastructure-file-structure

Infrastructure Repository File Structure

infrastructure/
├── opentofu/
│   ├── main.tf           # Server provisioning
│   ├── secrets.tf        # Infisical integration
│   ├── versions.tf       # Provider configuration
│   └── variables.tf      # Input variables
├── ansible/
@possebon
possebon / 20-github-actions-workflow.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 20-github-actions-workflow

GitHub Actions GitOps Workflow

# .github/workflows/deploy.yml
name: Deploy Infrastructure

on:
  push:
    branches: [main]
@possebon
possebon / 19-deployment-pipeline-commands.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 19-deployment-pipeline-commands

Complete Deployment Pipeline

# Step 1: Bootstrap Infisical credentials
export INFISICAL_CLIENT_ID="your-client-id"
export INFISICAL_CLIENT_SECRET="your-client-secret"

# Step 2: Provision infrastructure
cd infrastructure/opentofu
tofu init
@possebon
possebon / 18-traefik-tls-config.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 18-traefik-tls-config

Traefik TLS Configuration for A+ SSL Rating

# Our Traefik TLS configuration achieves A+ on SSL Labs
--certificatesresolvers.letsencryptresolver.acme.tlschallenge=true
--entrypoints.websecure.http.tls.options=modern@file

This configuration uses:

  • Let's Encrypt for automatic certificate issuance
@possebon
possebon / 17-signoz-server-config.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 17-signoz-server-config

SigNoz Unified Server Configuration

# SigNoz unified server (v0.104.0+)
signoz-server:
  image: signoz/signoz-community:v0.104.0
  environment:
    - SIGNOZ_TELEMETRYSTORE_CLICKHOUSE_DSN=tcp://signoz-clickhouse:9000
    - SIGNOZ_TOKENIZER_JWT_SECRET=${SIGNOZ_JWT_SECRET}
  deploy:
@possebon
possebon / 16-ansible-credential-resolution.md
Created December 19, 2025 17:51
Open Source Infrastructure Stack - 16-ansible-credential-resolution

Ansible Credential Resolution Pattern

# Dual-mode: Infisical OR environment variable fallback
postgres_password: >-
  {{
    _infisical_global.POSTGRES_PASSWORD | default(None)
    if infisical_enabled | default(false) | bool and _infisical_global is defined
    else lookup('env', 'POSTGRES_PASSWORD') | default('changeme', true)
  }}
@possebon
possebon / 15-ansible-directory-structure.md
Last active December 19, 2025 18:30
Open Source Infrastructure Stack - 15-ansible-directory-structure
ansible/
├── group_vars/
│   ├── all.yml          # Shared across ALL environments
│   ├── infisical.yml    # Secrets management config
│   ├── global.yml       # Global services (Keycloak, n8n, etc.)
│   ├── development.yml  # Dev-specific overrides
│   ├── staging.yml      # Staging-specific overrides
│   └── production.yml   # Production-specific overrides
├── playbooks/
@possebon
possebon / 14-traefik-deploy-labels.md
Last active December 19, 2025 18:27
Open Source Infrastructure Stack - 14-traefik-deploy-labels

Traefik Automatic Service Discovery Labels

deploy:
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.myapp.rule=Host(`app.yourdomain.com`)"
    - "traefik.http.routers.myapp.entrypoints=websecure"
    - "traefik.http.routers.myapp.tls.certresolver=letsencryptresolver"