#opentofu — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #opentofu, aggregated by home.social.

  1. OpenTofu 1.12 IaC tool adds dynamic prevent_destroy support, provider checksum improvements, faster installs, and CLI output updates.
    linuxiac.com/opentofu-1-12-iac

    #opentofu #terraform #iac #devops #opensource

  3. Follow-up on #Forgejo vs #Gitea:

    I read more about the split, and I'm still not sure.

    I understand the governance concerns around Gitea, and Forgejo’s FOSS/community direction is very appealing.

    But #Gitea supports #OpenTofu state, which I need, and I don't think "open source + paid hosting/support" is a bad model. Actually, it can be one of the healthier ways to fund development.

    Maintainers should be paid. Good open-source tools need time, money, and boring long-term maintenance.

  4. Well, that was weird. I was hired to help a client build an internal #Kubernetes as-a-service solution, but ended up designing and deploying a new #PowerDNS setup for them instead. Client is happy. They managed to hire a full time employee to cover my spot, so it ends up being a short 3 month contract, which is done in one.

    Coming out of a very convenient and comfortable series of contracts for a single client, totalling six years, this is very different. This is the first client who's mentioned #AI (and been rather excited about it) so I'm playing catch up and trying to establish my position on that. I'm guessing there will soon be a huge market for sensible adult contractors, ready to clean up after AI #slop spills. Time will tell.

    Anyhoo, my network seems to have my back as usual, and I've got some interviews coming up in the following weeks. Trying to focus on gigs using Kubernetes, #Terraform, #OpenTofu and #Go, which means saying "no thanks" a lot. That's new for me.
    #work

  5. Let's continue the Proxmox + Tofu + Talos + Cilium adventure, with two little footnotes. "Devil is in the details!"

    First: Talos "inlineManifests" behavior.

    When you add some inlineManifests to your Talos MachineConfig and push that MachineConfig, the manifests get applied immediately. Yay!

    However, when you update or remove some inlineManifests and push the MachineConfig ... Nothing happens. Talos does a full (potentially destructive!) reconcile only when executing a cluster upgrade. (This is pretty well explained in the Talos docs[1])

    This means that our initial installation of Cilium will work immediately, but subsequent configuration changes won't work (the YAML won't be applied) until we run a "talosctl upgrade-k8s". (Pro-tip: make sure to specify "--to" with the current k8s version, otherwise it'll execute a "real" upgrade which implies downloading new images and restarting the whole control plane one component at a time - which takes a while.)

    So, are we there yet?

    Not quite!

    The second issue: each time I'd do a "tofu plan", it would tell me that something had changed. Which is kind of annoying. If you don't change your Tofu configuration, variables, etc, normally, you'd expect "tofu plan" to tell you a reassuring:

    No changes. Your infrastructure matches the configuration.

    So, what is going on? 🤔

    [1] docs.siderolabs.com/kubernetes

    #terraform #talos #opentofu #homelab #kubernetes #cilium

  6. Also, I want the K8S cluster to support IPV6, which meant replacing Talos' default CNI (Flannel) with Cilium.

    (OK, it might be possible to support IPv6 with Flannel on Talos, but the Talos docs say very little about how to customize Flannel, and I wanted Cilium for other reasons too - e.g. LoadBalancer support with L2 announcements, replacing kube-proxy...)

    This means declaring "cni: none" in the Talos machine config, and then either:

    1) manually installing Cilium after provisioning the cluster

    2) finding a way to automatically install Cilium when the cluster is provisioned.

    Of course I went for option 2, right :-)

    Which leads us to a rabbit hole of multiple options:

    1) wait for the cluster to be up (=K8S API is functional) and then use the Helm provider to create a helm_release resource on the cluster

    Problem: there is no easy and clean way to wait for the cluster to be up.

    Talos has a talos_cluster_health resource, but this one waits for all nodes to be "Ready", which isn't going to happen since the CNI hasn't been deployed yet. (There is a skip_kubernetes_checks option but it doesn't seem to help.)

    Declaring something like a kubernetes_nodes resource in Tofu sort of works, ... until you reprovision the cluster. Then you realize that you can't even do a "tofu plan" because Tofu tries to refresh that resource's status, which requires the cluster to be up. So, this is a non-starter.

    2) use Talos "inlineManifests" feature, which instructs talos to apply a bunch of YAML to the cluster when it's provisioned

    Problem: this requires Cilium YAML manifests; and the way I install it is typically with the Helm chart.

    Solution: use a helm_template data source to do the equivalent of the "helm template" command, and render the Cilium chart into ready-to-apply YAML manifests.

    Next problem: the Cilium Helm chart is very sophisticated, and depends on Capabilities.KubeVersion - in other words, when we invoke the helm_template resource, we need to pass it the correct kube_version.

    Next solution: that version is available in talos_machine_configuration resources.

    And with that (and a good amount of Cilium configuration!) our cluster comes up fully functional!

    #kubernetes #talos #proxmox #cilium #opentofu
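    The pipeline the post describes (helm_template standing in for "helm template", the rendered Cilium YAML injected through inlineManifests, and the kube version taken from the Talos machine configuration), written out as an added OpenTofu example that is not the poster's code. It assumes the siderolabs/talos and hashicorp/helm providers, an assumed cluster endpoint, node map and chart values, and that talos_machine_configuration exposes kubernetes_version as a computed attribute when it is left unset (otherwise pin the version in a variable and use it in both places).

```hcl
# Added example, not the poster's code. Provider names and attributes follow the
# siderolabs/talos and hashicorp/helm providers; endpoint, node map, chart
# version and Cilium values are assumptions for illustration.

resource "talos_machine_secrets" "this" {}

# First pass: no patches. Only used to learn which Kubernetes version the
# provider targets, so the chart is rendered against the same
# Capabilities.KubeVersion the cluster will actually run (assumes the
# attribute is computed when unset).
data "talos_machine_configuration" "probe" {
  cluster_name     = "homelab"
  cluster_endpoint = "https://10.0.0.10:6443" # assumed control-plane VIP
  machine_type     = "controlplane"
  machine_secrets  = talos_machine_secrets.this.machine_secrets
}

# Equivalent of `helm template`: render the chart to plain YAML without
# needing a reachable cluster, so there is nothing to "wait for".
data "helm_template" "cilium" {
  name         = "cilium"
  namespace    = "kube-system"
  repository   = "https://helm.cilium.io"
  chart        = "cilium"
  version      = "1.16.5" # assumed chart version
  kube_version = data.talos_machine_configuration.probe.kubernetes_version

  values = [yamlencode({
    ipam = { mode = "kubernetes" }
    ipv6 = { enabled = true } # the IPv6 requirement from the post
    # Talos already mounts cgroup2 at the host root
    cgroup = { autoMount = { enabled = false }, hostRoot = "/sys/fs/cgroup" }
  })]
}

# Second pass: the machine config that is actually applied. "cni: none"
# disables Flannel; the rendered chart is applied by Talos at bootstrap.
data "talos_machine_configuration" "controlplane" {
  cluster_name       = "homelab"
  cluster_endpoint   = "https://10.0.0.10:6443"
  machine_type       = "controlplane"
  machine_secrets    = talos_machine_secrets.this.machine_secrets
  kubernetes_version = data.talos_machine_configuration.probe.kubernetes_version

  config_patches = [yamlencode({
    cluster = {
      network = { cni = { name = "none" } }
      inlineManifests = [{
        name     = "cilium"
        contents = data.helm_template.cilium.manifest
      }]
    }
  })]
}

resource "talos_machine_configuration_apply" "controlplane" {
  for_each                    = var.controlplane_nodes # assumed map name => IP
  client_configuration        = talos_machine_secrets.this.client_configuration
  machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration
  node                        = each.value
}
```

    As the footnote in the previous post warns, later edits to the rendered manifest are pushed but not re-applied until "talosctl upgrade-k8s --to" the current version is run.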

  7. The whole thing is provisioned with Tofu; and one of my favorite things to do is to verify that the end-to-end provisioning works fine.

    So that means a lot of "tofu destroy" + "tofu apply".

    However, the TF configuration includes the Talos disk images used by the cluster, and I didn't want to re-download them every single time.

    My first intention was to use "tofu taint" on the virtual machines. But they are declared in a for_each block; and you can't use "tofu taint" or "tofu plan -replace" on a for_each resource (unless you enumerate each resource individually).

    However, you can do a targeted destroy:

    tofu plan -destroy -target proxmox_virtual_environment_vm.k8s_nodes

    And destroy will follow dependencies (if you destroy a resource, the resources that depend on it will automatically be destroyed), so in my case I could also do e.g.:

    tofu plan -destroy -target talos_machine_secrets.this

    (Because pretty much every Talos-related resource depends on this directly or indirectly).

    #terraform #opentofu #talos #kubernetes #homelab #selfhosted

  8. I'm looking at using #netbox as an IPAM for #proxmox and I'm sad to discover that the native integration is completely unfit for purpose. No way to specify VRF. Unable to handle nested prefixes.

    Looking at #terraform (well, #opentofu) to do this instead as a proof of concept. And that's before I get to the CAPI part of treating #kubernetes clusters like the resources they should be.

  9. Next level in my Homelab: A storage cluster with linbit drbd. Should run on the same nodes as proxmox pve. And of course defined in some ansible scripts 🤣
    Currently, this is still running on a test cluster that I set up using OpenTofu on top of the current pve cluster.
    But there are still some "hiccups"

    #homelab #linbit #drbd #proxmox #pve #ansible #OpenTofu #TerraForm

  10. Just scaled the last dyno of our rails app to 0. Might write up a thread but we're now running on AWS, provisioned with #OpenTofu, deploying with #kamal. Gradually moved traffic via a CloudFlare load balancer over the last week and so far so good. AMA.

  11. Hashicorp cloud gives you no way to cancel your account via self service... you have to sign up to their customer portal and raise a ticket.

    Easier it seems to go to privacy.hashicorp.com/ and request deletion of all your data from their systems if you live in a country that has some respect for user (human?) rights?

    I'll reply to this if it works out...

    #boycottusa #hashicorp #terraform #opentofu #selfhosting #devops

  12. Finally got half a day to migrate from #hashicorp #terraform cloud to #opentofu. It was really painless, as you can run `tofu state pull`, then switch to an alternative state provider and it will automatically upload it!

    Looks like the good people at #forgejo are working on support for a state management backend as well: codeberg.org/forgejo/forgejo/i

    #selfhosting #boycottusa

  13. Need a reusable, automated Azure hub-and-spoke you can spin up in minutes? I built an OpenTofu project that does exactly that. Has remote state, modular code, GitHub Actions CI/CD, private endpoints, and more.

    🌐 👉 Blog + repo: buchatech.com/2026/01/azure-hu
    github.com/Buchatech/OpenTofu-

    #IaC #Cloud #OpenTofu #MicrosoftMVP #Azure

  14. I love spacelift.io for a number of reasons, namely it saves you from running #Terraform or #OpenTofu in whatever "CI" tool your company uses this week (been there, hated it) and doesn't cost an arm, leg and kidney that Terraform Cloud charge you (loved TFC until that switcharoo).

    Anyway, I've been wrapping up a thing I've been working on. Many SaaS tools allow you to send #webhooks, but rarely give you control over if, where and what is sent. Now #Spacelift lets you control all of this using a Policy based on #OpenPolicyAgent.

    SL provides an event, and you develop your policy in the #Rego language. Not only can you use that policy to decide "Is this an event I want to send a webhook for?", but more than that, you can use the policy language to craft the exact payload, since you may not get a choice of what that looks like on the other end.

    Docs: docs.spacelift.io/concepts/pol

    Now that's just for notifications etc. You can control almost anything within the tool: Logins, Plans, Triggers, Pushes and more.

    #DevOps #SRE

  19. I am currently in the process of #bootstrapping a very complex Tier-0 infrastructure, and I am extremely surprised (or rather pleased) at how useful #Podman (and Quadlets) have become for such scenarios. A huge improvement from both a security and operational POV!

    Tier-0 bootstrapping = neither #Ansible nor #OpenTofu available yet ... a real PITA ...

  20. SeaGL talks starting now:

    * Local Offline AI from author (and SeaGL founder) Adam Monsen

    * What is Free Software? from Charles Faisandier

    * Intro to OpenTofu: Open Source IaC Overview from Ted Matsumura

    TeaGL is after these talks, going with Thai iced tea myself

    Another hour of talks after TeaGL, then social

    pretalx.seagl.org/2025/talk/

    Join freely and anonymously - seagl.org/attend

    #SeaGL #SeaGL2025 #FLOSSconf #FLOSSevent #Seattle #today #TeaGL #SelfHosting #AIeeee #OpenTofu

  21. The more and more I learn, the more and more I go back to the more simple, easy, and straightforward. The shell isn't the same as it was 15 years ago. It has kept up, and I think is still the better option than IntelliJ and VSCode. It takes some configuration and setup, but it's free, it's fast, it's secure, and it just works. #homelab #programming #neovim #lazyvim #wezterm #terminal #commandline #macos #terraform #opentofu

  22. Some time ago I told you about the publication of a project where I show how I manage #adguardhome in code.

    So I decided to describe the project in more detail in a new blog post

    blog.cichy1173.eu/news/adguard

    #adguard #iac #iaac #opentofu #terraform #forgejo #codeberg #selfhosted #blog

  27. Nothing like ending your day with accidentally running git clean -fdx and thereby deleting your local only tfstate for your homelab... guess I can finally move to OpenTofu since I need to reimport all the resources anyways 🤷‍♂️

    #homelab #terraform #opentofu #ohNo #fail #opsLife #devops

  28. I released [1] new versions of terraform-provider-sourcehut (v0.2.1) [2] and the related Go library sourcehut-go (v0.1.1) [3]. This is a bugfix release to address an issue when updating a repository description.

    [1] dominik.wombacher.cc/posts/new

    [2] git.sr.ht/~wombelix/terraform-

    [3] git.sr.ht/~wombelix/sourcehut-

  29. #CommunityHosting #Ops

    A small group of us are working on community level hosting of 'self-hosted' FOSS tools (think #NextCloud and more) setup as a local service offering for local grassroots organisations. We're seeking advice/tips/guidance.

    We're keen to do some orchestration but want to avoid the complexity of, say, Kubernetes.

    As a start we were looking at Ansible with Docker Swarm but we're now exploring other alternatives.

    Anyone have experience at this sort of hobbyist, just a bit bigger than #HomeLab, Ops scale?

    #Pyinfra is being considered as an Ansible alternative; in the project's words, "Think ansible but Python instead of YAML, and a lot faster." (pyinfra.com)

    Anyone have experience at this homelab/small hosting level? Would love any tips/suggestions for tools/approaches.

    One source of inspiration is the 12Factor app methodology: 12factor.net

    Personally, as a rubyist I'm always keen to know what the ruby community is doing in this space also.

    Haven't seen many others doing work at this scale, let's use the tag #CommunityHosting to keep connected :)

    @digital_justice_society

    cc: @jadehopepunk @ryan @gilbert @bounding_star @steph @moxvallix @organvoid @teq

    #CommunityHosting #Python #DevOps #ruby #RubyOnRails #SelfHosting #Orchestration #FOSS #OpenTofu #SelfHosting #SelfHosted

  30. I made my #AdGuardHome configuration public.

    This is my solution to both store #adguard conf in code and continuously deploy it on many nodes. I also proposed some solutions to easily gather metrics and switch off/on ad protection. Everything is written in README.

    codeberg.org/cichy1173/adguard

    #opentofu #terraform #iaac #iac #devops #adblocking #adprotection #dns #ItIsAlwaysDNS

  35. I had time to polish up my vagrant-libvirt setup for playing around with SemaphoreUI (semaphoreui.com/). Have a lot of fun!

    codeberg.org/johanneskastl/sem
    github.com/johanneskastl/semap

    Currently only one VM with Semaphore. But I am working on another setup with a runner and a VM that can be managed by Semaphore.

    #vagrant #libvirt #Ansible #SemaphoreUI #Semaphore #OpenTofu #Terraform #DevOps #IaC

  36. The demo gods looked favorably upon me, and 22 folks in the audience launched LXC containers in our lab environment during my #cposc talk about dynamic lab environments built with #incus #opentofu and #ansible