Infrastructure

Your Ansible playbook started simple. One file, fifty lines, deploys your app. Beautiful. Six months later, it’s 2,000 lines of YAML spaghetti with thirty when conditionals, variables defined in five different places, and a tasks/main.yml that makes you wince every time you open it. Here’s how to avoid that trajectory. The Single Responsibility Role Every role should do one thing. Not “configure the server” — that’s five things. One thing: ...

Your logs are lying to you. Not because they’re wrong, but because they’re formatted for humans who will never read them. That stack trace you carefully formatted? It’ll be searched by a machine. Those helpful debug messages? They’ll be filtered by a regex that breaks on the first edge case. The log line that would have saved you three hours of debugging? Buried in 10GB of unstructured text. Structured logging fixes this. Here’s how to do it without making your codebase worse. ...

You’re still running a bastion host, aren’t you? That t3.micro sitting in a public subnet, port 22 open to… well, hopefully not 0.0.0.0/0, but let’s be honest — it’s probably close. Stop it. AWS Systems Manager Session Manager exists, and it’s better in every way. The Bastion Problem Bastion hosts have been the standard for decades. Jump box in a public subnet, SSH through it to reach private instances. Simple enough. ...

As AI workloads become central to business operations, managing the infrastructure that powers them requires the same rigor we apply to traditional applications. Infrastructure as Code (IaC) isn’t just nice-to-have for AI—it’s essential for cost control, reproducibility, and scaling. The AI Infrastructure Challenge AI workloads have unique requirements that traditional IaC patterns don’t always address: GPU instances that cost $3-10/hour and need careful lifecycle management Model artifacts that can be gigabytes in size and need versioning Auto-scaling that must consider both compute load and model warming time Spot instance strategies to reduce costs by 60-90% Let’s build a Terraform + Ansible solution that handles these challenges. ...

Ansible configures servers without installing agents. SSH in, run tasks, done. Here’s how to write playbooks that actually work. Why Ansible? Agentless: Uses SSH, nothing to install on targets Idempotent: Run it twice, same result Readable: YAML syntax, easy to understand Extensible: Huge module library Inventory Define your servers in /etc/ansible/hosts or a custom file: 1 2 3 4 5 6 7 8 9 10 # inventory.ini [webservers] web1.example.com web2.example.com [databases] db1.example.com ansible_user=postgres [all:vars] ansible_python_interpreter=/usr/bin/python3 Your First Playbook 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 # site.yml --- - name: Configure web servers hosts: webservers become: yes tasks: - name: Install nginx apt: name: nginx state: present update_cache: yes - name: Start nginx service: name: nginx state: started enabled: yes Run it: ...

Nginx powers a significant portion of the internet, yet its configuration syntax trips up even experienced engineers. Here’s a practical guide to the patterns you’ll actually use. Basic Structure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # /etc/nginx/nginx.conf user nginx; worker_processes auto; error_log /var/log/nginx/error.log; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; # Include site configs include /etc/nginx/conf.d/*.conf; } Site configs go in /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/. ...

Port forwarding is a security liability. Opening ports means exposing your network, managing firewall rules, and hoping your ISP doesn’t change your IP. Cloudflare Tunnels solve this elegantly—your services connect outbound to Cloudflare, which handles incoming traffic. How Tunnels Work Traditional setup: I n t e r n e t → Y o u r P u b l i c I P : 4 4 3 → F i r e w a l l → N A T → L o c a l S e r v i c e With Cloudflare Tunnel: ...

The only backup that matters is the one you can restore. Everything else is wishful thinking with storage costs. Here’s how to build backup systems that work when disaster strikes. The 3-2-1 Rule (Still Valid) The classic backup rule holds up: 3 copies of your data 2 different storage types 1 offsite location Modern interpretation: P L O r o f i c f m a s a l i r : t y e : : P D S r a 3 o i / d l G u y C c S t s / i n A o a z n p u s r d h e a o t t B a s l b o a ( b s d e i ( f d ( f i S e f S r f D e e ) n r t e n t o l r u e m g e i ) o n ) This protects against: ...

DNS is the first thing that breaks and the last thing you check. Understanding it properly saves hours of debugging “it works on my machine.” Record Types You’ll Actually Use A and AAAA Point domain to IP address: e e x x a a m m p p l l e e . . c c o o m m . . A A A A A 9 2 3 6 . 0 1 6 8 : 4 2 . 8 2 0 1 0 6 : . 2 3 2 4 0 : 1 : 2 4 8 : 1 8 9 3 : 2 5 c 8 : 1 9 4 6 CNAME Alias to another domain: ...

Clicking through cloud consoles doesn’t scale. Infrastructure as Code (IaC) lets you version, review, and automate your infrastructure just like application code. Terraform has become the de facto standard. Here’s how to use it effectively. The Basics Terraform uses HCL (HashiCorp Configuration Language) to declare resources: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 # main.tf terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } } provider "aws" { region = "us-east-1" } resource "aws_instance" "web" { ami = "ami-0c55b159cbfafe1f0" instance_type = "t3.micro" tags = { Name = "web-server" } } 1 2 3 4 terraform init # Download providers terraform plan # Preview changes terraform apply # Create resources terraform destroy # Tear down everything State Management Terraform tracks what it created in a state file. Never lose this file. ...