batinicaz/oci-apps

oci-apps

Self-hosted application stack running on Oracle Cloud Infrastructure. Fedora CoreOS instance provisioned via Terraform and Ignition, with Podman containers managed through systemd (Compose for app services, Quadlets for infrastructure). Secrets are delivered at runtime by Infisical Agent, and backups go to OCI Object Storage via Autorestic.

Architecture

```mermaid
flowchart LR
    CF[Cloudflare] --> LB

    subgraph OCI[OCI]
        LB[Load Balancer] --> Traefik

        subgraph Instance
            Traefik --> Services
            Infisical[Infisical Agent] -.->|secrets| Services
            Services -->|data| Autorestic
        end

        Autorestic --> Bucket[Object Storage]
    end

    Infisical -.-> Infisical.com
```

Repository Structure

oci-apps/
├── terraform/          # Infrastructure as Code
├── os-config/          # Butane/Ignition + Quadlet container units
│   ├── butane.yaml
│   ├── scripts/
│   ├── systemd/
│   └── quadlets/       # Traefik, Infisical Agent, Autorestic
├── containers/         # Podman Compose stacks
│   ├── freshrss/
│   ├── planka/
│   ├── nitter/
│   └── redlib/
└── .github/workflows/  # CI/CD pipelines

Prerequisites

  • Terraform >= 1.10
  • Infisical CLI
  • butane CLI (brew install butane)
  • Access to OCI tenancy with oci-core infrastructure deployed

Deployment

Deployments are triggered automatically:

  • Feature branches: pre-commit + terraform plan (posts to PR)
  • Tags (v*): terraform apply

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.10 |
| cloudflare | ~> 5.0 |
| ct | ~> 0.14 |
| http | ~> 3.0 |
| null | ~> 3.0 |
| oci | ~> 8.0 |
| tailscale | ~> 0.29 |
| tls | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| cloudflare | 5.19.1 |
| ct | 0.14.0 |
| http | 3.6.0 |
| null | 3.3.0 |
| oci | 8.15.0 |
| tailscale | 0.29.2 |
| terraform | n/a |
| tls | 4.3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| cloudflare_dns_record.services | resource |
| cloudflare_origin_ca_certificate.this | resource |
| cloudflare_ruleset.zone_level_waf | resource |
| null_resource.regenerate_key | resource |
| oci_core_compute_image_capability_schema.fcos | resource |
| oci_core_image.fcos | resource |
| oci_core_instance.this | resource |
| oci_core_network_security_group.instance | resource |
| oci_core_network_security_group.lb | resource |
| oci_core_network_security_group_security_rule.instance_egress | resource |
| oci_core_network_security_group_security_rule.instance_ingress_http | resource |
| oci_core_network_security_group_security_rule.lb_egress | resource |
| oci_core_network_security_group_security_rule.lb_ingress | resource |
| oci_core_shape_management.fcos | resource |
| oci_core_volume.data | resource |
| oci_core_volume_attachment.data | resource |
| oci_identity_dynamic_group.this | resource |
| oci_identity_policy.block_volume_service | resource |
| oci_identity_policy.storage_access | resource |
| oci_identity_policy.storage_service | resource |
| oci_identity_policy.vault_read_secrets | resource |
| oci_kms_key.this | resource |
| oci_kms_key.vault | resource |
| oci_kms_vault.this | resource |
| oci_load_balancer.this | resource |
| oci_load_balancer_backend.traefik | resource |
| oci_load_balancer_backend_set.traefik | resource |
| oci_load_balancer_certificate.this | resource |
| oci_load_balancer_listener.https | resource |
| oci_monitoring_alarm.object_storage_count | resource |
| oci_monitoring_alarm.object_storage_size | resource |
| oci_objectstorage_bucket.fcos | resource |
| oci_objectstorage_bucket.this | resource |
| oci_objectstorage_object.bootstrap_config | resource |
| oci_objectstorage_object.templated_config | resource |
| oci_vault_secret.bootstrap | resource |
| tailscale_tailnet_key.this | resource |
| terraform_data.fcos_upload | resource |
| terraform_data.fcos_version | resource |
| tls_cert_request.this | resource |
| cloudflare_ip_ranges.current | data source |
| cloudflare_zone.selected | data source |
| ct_config.ignition | data source |
| http_http.fcos_meta | data source |
| oci_core_compute_global_image_capability_schemas.fcos | data source |
| oci_core_compute_global_image_capability_schemas_versions.fcos | data source |
| oci_core_images.fcos_available | data source |
| oci_core_subnet.public | data source |
| oci_identity_compartment.terraform | data source |
| oci_objectstorage_namespace.terraform | data source |
| terraform_remote_state.oci_core | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| availability_domain | Availability domain where the instance will be launched | string | n/a | yes |
| boot_volume_size | Boot volume size in GB | number | 50 | no |
| bucket_name | Name for the bucket (defaults to {name}) | string | "" | no |
| cloudflare_custom_list | Name of the Cloudflare custom list containing trusted IP ranges | string | n/a | yes |
| infisical_client_id | Infisical Universal Auth client ID | string | n/a | yes |
| infisical_client_secret | Infisical Universal Auth client secret | string | n/a | yes |
| instance_ocpus | Number of OCPUs to allocate to the instance | number | 4 | no |
| instance_ram | RAM in GB to allocate to the instance | number | 24 | no |
| instance_shape | Instance shape (default is Always Free ARM) | string | "VM.Standard.A1.Flex" | no |
| lb_bandwidth | Load balancer bandwidth in Mbps (default is Always Free) | number | 10 | no |
| name | Name prefix for all resources | string | "oci-apps" | no |
| oci_fingerprint | Fingerprint of the key used to authenticate with OCI | string | n/a | yes |
| oci_private_key | Private key to authenticate with OCI | string | n/a | yes |
| oci_region | OCI region for resources | string | n/a | yes |
| oci_tenancy_id | OCI tenancy ID | string | n/a | yes |
| oci_user_id | OCI user ID for Terraform | string | n/a | yes |
| private_key_pem | Base64-encoded private key PEM for the TLS certificate | string | n/a | yes |
| remote_state_endpoint | S3-compatible endpoint for remote state | string | n/a | yes |
| restic_password | Restic repository encryption password | string | n/a | yes |
| services | Service configuration map | map(object({ port = number, subdomain = string, waf_block = optional(bool, false) })) | see below | no |
| zone_id | Cloudflare zone ID | string | n/a | yes |

Default value of `services`:

```json
{
  "audiobookshelf": {
    "port": 8000,
    "subdomain": "abs"
  },
  "freshrss": {
    "port": 80,
    "subdomain": "rss"
  },
  "fulltextrss": {
    "port": 80,
    "subdomain": "ftr"
  },
  "languagetool": {
    "port": 8010,
    "subdomain": "lt",
    "waf_block": true
  },
  "nitter": {
    "port": 8080,
    "subdomain": "nitter",
    "waf_block": true
  },
  "planka": {
    "port": 1337,
    "subdomain": "planka"
  },
  "podly": {
    "port": 5001,
    "subdomain": "podly"
  },
  "redlib": {
    "port": 8080,
    "subdomain": "redlib",
    "waf_block": true
  }
}
```

Outputs

No outputs.

About

Containerised apps platform running on Fedora CoreOS in OCI
