feat: add infra flake template for cloud platform engineering

svnlto · svnlto · commit 7b872dcd4c85 · 2026-03-04T12:45:16.000+01:00
Combined IaC + K8s + Azure template with version-pinned Terraform via
nixpkgs-terraform, security scanning (trivy, checkov), and full
Claude Code integration (MCP servers, hooks, permissions).
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -1,5 +1,4 @@
 {
-  "includeCoAuthoredBy": false,
   "permissions": {
     "allow": [
       "Bash(git:*)",
@@ -14,6 +13,7 @@
     ],
     "deny": []
   },
+  "includeCoAuthoredBy": false,
   "enableAllProjectMcpServers": true,
   "outputStyle": "Architect",
   "spinnerTipsEnabled": false,
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -121,6 +121,7 @@ Available templates for `flake-init <template>`:
 | `ansible` | Ansible playbooks and roles | ansible, ansible-lint, yamllint, yq |
 | `go` | Go development | go, gopls, golangci-lint, delve |
 | `java` | Java/Maven development | jdk, maven, google-java-format |
+| `infra` | Cloud infrastructure platform | terraform, kubectl, trivy, az, packer, helm, k9s |
 
 Each template scaffolds: `flake.nix`, `.envrc`, `.gitignore`, `.pre-commit-config.yaml`, `.mcp.json`, `CLAUDE.md`, `.claude/settings.json`, `.claude/hooks.json`.
 
diff --git a/flake.nix b/flake.nix
@@ -187,6 +187,10 @@
           path = ./templates/java;
           description = "Java development with Maven";
         };
+        infra = {
+          path = ./templates/infra;
+          description = "Cloud infrastructure platform engineering";
+        };
         default = self.templates.minimal;
       };
     };
diff --git a/templates/infra/.claude/hooks.json b/templates/infra/.claude/hooks.json
@@ -0,0 +1,48 @@
+{
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "case \"$CLAUDE_FILE_PATH\" in *.tf|*.hcl) terraform fmt \"$CLAUDE_FILE_PATH\" 2>/dev/null || true ;; esac",
+            "timeout": 15
+          },
+          {
+            "type": "command",
+            "command": "case \"$CLAUDE_FILE_PATH\" in *.yaml|*.yml) yamllint \"$CLAUDE_FILE_PATH\" 2>/dev/null || true; kubeconform \"$CLAUDE_FILE_PATH\" 2>/dev/null || true ;; esac",
+            "timeout": 15
+          },
+          {
+            "type": "command",
+            "command": "case \"$CLAUDE_FILE_PATH\" in Dockerfile*) hadolint \"$CLAUDE_FILE_PATH\" 2>/dev/null || true ;; esac",
+            "timeout": 15
+          },
+          {
+            "type": "command",
+            "command": "pre-commit run --files \"$CLAUDE_FILE_PATH\" 2>/dev/null || true",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "terraform validate 2>&1 | head -20 || true",
+            "timeout": 30
+          },
+          {
+            "type": "command",
+            "command": "[ -f flake.nix ] && nix flake check 2>&1 | head -20 || true",
+            "timeout": 120
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/templates/infra/.claude/settings.json b/templates/infra/.claude/settings.json
@@ -0,0 +1,41 @@
+{
+  "includeCoAuthoredBy": false,
+  "enableAllProjectMcpServers": true,
+  "spinnerTipsEnabled": false,
+  "BASH_DEFAULT_TIMEOUT_MS": "300000",
+  "effortLevel": "high",
+  "permissions": {
+    "allow": [
+      "Bash(terraform:*)",
+      "Bash(tflint:*)",
+      "Bash(terragrunt:*)",
+      "Bash(packer:*)",
+      "Bash(terraform-docs:*)",
+      "Bash(checkov:*)",
+      "Bash(trivy:*)",
+      "Bash(kubectl:*)",
+      "Bash(helm:*)",
+      "Bash(kubeconform:*)",
+      "Bash(kustomize:*)",
+      "Bash(stern:*)",
+      "Bash(kubectx:*)",
+      "Bash(kubens:*)",
+      "Bash(az:*)",
+      "Bash(kubelogin:*)",
+      "Bash(jq:*)",
+      "Bash(yq:*)",
+      "Bash(yamllint:*)",
+      "Bash(hadolint:*)",
+      "Bash(git:*)",
+      "Bash(pre-commit:*)"
+    ],
+    "deny": [
+      "Read(*.tfstate)",
+      "Read(*.tfstate.*)",
+      "Read(.terraform/**)",
+      "Bash(kubectl delete namespace *)",
+      "Bash(kubectl delete -A *)",
+      "Bash(terraform destroy *)"
+    ]
+  }
+}
diff --git a/templates/infra/.envrc b/templates/infra/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/templates/infra/.gitignore b/templates/infra/.gitignore
@@ -0,0 +1,10 @@
+.direnv/
+.terraform/
+*.tfstate
+*.tfstate.*
+crash.log
+override.tf
+override.tf.json
+*.tfvars
+charts/**/*.tgz
+*.pkr.hcl.lock.hcl
diff --git a/templates/infra/.mcp.json b/templates/infra/.mcp.json
@@ -0,0 +1,27 @@
+{
+  "mcpServers": {
+    "context7": {
+      "command": "npx",
+      "args": ["-y", "@upstash/context7-mcp@latest"]
+    },
+    "code-reasoning": {
+      "command": "npx",
+      "args": ["-y", "@anthropic/code-reasoning-mcp"]
+    },
+    "sequential-thinking": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+    },
+    "terraform": {
+      "command": "docker",
+      "args": [
+        "run", "-i", "--rm",
+        "hashicorp/terraform-mcp-server"
+      ]
+    },
+    "kubernetes": {
+      "command": "npx",
+      "args": ["-y", "mcp-server-kubernetes"]
+    }
+  }
+}
diff --git a/templates/infra/.pre-commit-config.yaml b/templates/infra/.pre-commit-config.yaml
@@ -0,0 +1,35 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: check-merge-conflict
+      - id: detect-private-key
+
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v4.0.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.103.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_tflint
+      - id: terraform_docs
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.38.0
+    hooks:
+      - id: yamllint
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
diff --git a/templates/infra/.tflint.hcl b/templates/infra/.tflint.hcl
@@ -0,0 +1,16 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.45.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  call_module_type    = "local"
+  force               = false
+  disabled_by_default = false
+}
diff --git a/templates/infra/.yamllint.yml b/templates/infra/.yamllint.yml
@@ -0,0 +1,10 @@
+extends: relaxed
+
+rules:
+  line-length:
+    max: 200
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  document-start: disable
+  truthy:
+    check-keys: false
diff --git a/templates/infra/CLAUDE.md b/templates/infra/CLAUDE.md
@@ -0,0 +1,87 @@
+# Infrastructure Platform Project
+
+## Commands
+
+```bash
+nix develop              # enter dev shell with terraform, kubectl, trivy, az, packer
+terraform init           # initialize providers
+terraform plan           # preview changes
+terraform apply          # apply changes
+terraform validate       # validate configuration
+tflint                   # lint HCL
+terraform-docs .         # generate module documentation
+packer build .           # build machine images
+kubectl apply -f .       # apply K8s manifests
+helm template .          # render Helm chart
+kubeconform *.yaml       # validate manifests against schemas
+trivy config .           # scan IaC for misconfigurations
+trivy fs .               # scan filesystem for vulnerabilities
+checkov -d .             # IaC policy scanning
+yamllint .               # lint YAML files
+hadolint Dockerfile      # lint Dockerfiles
+az login                 # authenticate to Azure
+pre-commit run --all-files  # run all pre-commit hooks
+```
+
+## Conventions
+
+### Terraform
+
+- Use HCL, not JSON, for all Terraform configuration
+- One resource per file where practical; group related resources logically
+- Use `terraform fmt` before committing (automated via hooks)
+- Never commit `.tfstate` files or `.tfvars` with secrets
+- Use remote state backends for team projects
+- Pin provider versions in `versions.tf`
+- Use `locals` to reduce repetition; prefer `for_each` over `count`
+- Use `terraform-docs` to auto-generate module documentation
+
+### Kubernetes
+
+- Use namespaced resources; never deploy to `default` namespace
+- Helm charts go in `charts/`; raw manifests in `manifests/` or by component
+- Always set resource requests and limits
+- Use `kubeconform` to validate manifests before applying
+- Pin image tags; never use `:latest` in production
+- Kustomize overlays for environment-specific config
+
+### Packer
+
+- Templates in `packer/` directory
+- Use HCL2 syntax (not JSON)
+- Pin plugin versions in `required_plugins`
+
+## Security Rules
+
+- Never hardcode credentials in `.tf` files or manifests
+- Use `variable` blocks with `sensitive = true` for secrets
+- All infrastructure must pass `trivy config` and `checkov` scans before apply
+- Review `terraform plan` output before every `terraform apply`
+- Scan container images with `trivy image` before deployment
+- Never commit kubeconfig files or service account tokens
+- Use managed identities / workload identity over static credentials
+
+## Azure Optional Tools
+
+These packages are available in nixpkgs but not included in the default devShell.
+Add them to `buildInputs` in `flake.nix` as needed:
+
+| Package | CLI | Use Case |
+|---------|-----|----------|
+| `azure-storage-azcopy` | `azcopy` | Bulk data transfer to/from Azure Storage |
+| `azure-functions-core-tools` | `func` | Azure Functions local dev |
+| `bicep` | `bicep` | ARM template DSL (alternative to Terraform for Azure-native) |
+| `skopeo` | `skopeo` | Copy/inspect container images across registries (ACR) |
+| `crane` | `crane` | OCI image manipulation |
+| `oras` | `oras` | OCI artifact push/pull (Microsoft-backed, ACR-friendly) |
+
+## Relevant Skills
+
+This project benefits from globally installed Claude Code skills:
+
+- **devsecops-expert** -- secure infrastructure patterns, compliance scanning
+- **ci-cd** -- pipeline design for Terraform and K8s automation
+- **security-auditing** -- infrastructure and container security review
+- **cilium-expert** -- eBPF networking, network policies
+- **talos-os-expert** -- Talos Linux cluster management
+- **argo-expert** -- GitOps workflows, ArgoCD configuration
diff --git a/templates/infra/flake.nix b/templates/infra/flake.nix
@@ -0,0 +1,64 @@
+{
+  description = "Cloud infrastructure platform engineering";
+
+  nixConfig = {
+    extra-substituters = [ "https://nixpkgs-terraform.cachix.org" ];
+    extra-trusted-public-keys = [
+      "nixpkgs-terraform.cachix.org-1:8Sit092rIdAVENA3ZVeH9hzSiqI/jng6JiCrQ1Dmusw="
+    ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs-terraform.url = "github:stackbuilders/nixpkgs-terraform";
+  };
+
+  outputs = { nixpkgs, flake-utils, nixpkgs-terraform, ... }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs {
+          inherit system;
+          config.allowUnfree = true;
+        };
+        terraform = nixpkgs-terraform.packages.${system}."terraform-1.14.1";
+      in {
+        devShells.default = pkgs.mkShell {
+          buildInputs = [
+            terraform
+            pkgs.tflint
+            pkgs.terragrunt
+            pkgs.packer
+            pkgs.terraform-docs
+
+            pkgs.kubectl
+            pkgs.kubernetes-helm
+            pkgs.kubeconform
+            pkgs.k9s
+            pkgs.kustomize
+            pkgs.stern
+            pkgs.kubectx
+
+            pkgs.trivy
+            pkgs.checkov
+            # install manually: pip install checkov
+
+            (pkgs.azure-cli.withExtensions
+              [ pkgs.azure-cli.extensions.azure-devops ])
+            pkgs.kubelogin
+
+            pkgs.jq
+            pkgs.yq-go
+            pkgs.yamllint
+            pkgs.hadolint
+
+            pkgs.nodejs
+            pkgs.pre-commit
+          ];
+
+          shellHook = ''
+            echo "infra platform engineering environment loaded"
+          '';
+        };
+      });
+}
diff --git a/templates/infra/renovate.json b/templates/infra/renovate.json
@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended", ":enablePreCommit"]
+}
