Modern cloud infrastructure for Ameciclo using Pulumi + Azure + Kubernetes.
## Quick Start

```bash
# 1. Deploy infrastructure
cd infrastructure/pulumi
npm install                        # Install dependencies
pulumi stack init ameciclo/prod    # Initialize stack
pulumi up                          # Deploy to Azure

# 2. Access your cluster
ssh azureuser@$(pulumi stack output k3sPublicIp)

# 3. Check applications
kubectl get applications -n argocd
```

## Architecture

### Azure Infrastructure (Pulumi)

- Azure Virtual Network - Secure networking with K3s and database subnets
- PostgreSQL Flexible Server - Private database (Standard_B2s) with 3 databases: strapi, atlas, zitadel
- K3s Kubernetes Cluster - Lightweight Kubernetes on Ubuntu 22.04 LTS (Standard_B2as_v2)
- Blob Storage - Media, backups, and logs containers
- Network Security - Firewall rules, private DNS, and SSH-only access

### Kubernetes Platform

- K3s - Kubernetes installation and configuration
- Tailscale Operator - VPN operator (bootstrap only)
- ArgoCD - GitOps deployment platform
- Tailscale - Ingress and subnet router configuration
- Traefik - Ingress controller v37.2.0 with Let's Encrypt
- Monitoring - Prometheus + Grafana for metrics and dashboards
- Applications - Strapi CMS, Atlas APIs, Zitadel Auth
- Infrastructure - Infisical secrets management

Cost: ~$70-80/month for complete infrastructure

## Project Structure

```text
groundwork/
├── infrastructure/          # Infrastructure as Code
│   └── pulumi/              # Pulumi (Azure infrastructure)
│       ├── index.ts         # Main infrastructure definition
│       ├── vm.ts            # K3s VM configuration
│       ├── scripts/         # Database setup scripts
│       └── esc/             # Pulumi ESC environments
├── kubernetes/              # Kubernetes manifests
│   ├── applications/        # Custom applications (Strapi, Atlas, Zitadel)
│   ├── infrastructure/      # Platform components (Traefik, ArgoCD)
│   └── argocd/              # ArgoCD application definitions
└── docs/                    # Documentation & guides
```
## Prerequisites

- Node.js 18+
- Pulumi CLI v3.139.0+
- Azure CLI
- Azure account + Service Principal
- SSH key pair
- Pulumi Cloud account (for ESC environments)
## Setup

### 1. Install dependencies

```bash
cd infrastructure/pulumi
npm install
```

### 2. Configure Pulumi ESC

```bash
# Create ESC environment
pulumi env init ameciclo/infrastructure-prod

# Edit environment (copy from infrastructure/pulumi/esc/prod.yaml)
pulumi env edit ameciclo/infrastructure-prod

# Update SSH public key in the environment
cat ~/.ssh/id_rsa.pub    # Copy this value
```

### 3. Authenticate with Azure

```bash
# Login to Azure
az login
# Pulumi will auto-detect Azure credentials from Azure CLI

# Set SSH key (if not using ESC)
pulumi config set --secret adminSshPublicKey "$(cat ~/.ssh/id_rsa.pub)"
```

### 4. Deploy

```bash
pulumi preview    # Review what will be created
pulumi up         # Deploy infrastructure
```

### 5. Set up database users

```bash
# SSH into the K3s VM
ssh azureuser@$(pulumi stack output k3sPublicIp)

# Copy and run the database setup script
# (Script is automatically copied during deployment)
POSTGRES_ADMIN_PASSWORD='<from-pulumi-output>' ./create-database-users.sh
```

## Azure Resources
### Virtual Network

- Address Space: 10.10.0.0/16
- K3s Subnet: 10.10.1.0/24
- Database Subnet: 10.10.2.0/24

### PostgreSQL Flexible Server

- Tier: Standard_B2s (2 vCores, 4GB RAM)
- Storage: 32GB, 7-day backups
- Networking: Private only (VNet access)
- Databases: strapi, atlas, zitadel
- Users: Auto-generated with secure passwords

### K3s Virtual Machine

- VM Size: Standard_B2as_v2 (2 vCPUs, 8GB RAM)
- OS: Ubuntu 22.04 LTS
- Storage: 30GB Premium SSD
- IP: Static private + public IP
- K3s Version: Latest stable

### Blob Storage

- Type: Standard LRS (Locally Redundant Storage)
- Containers: media, backups, logs
- Access: Private with VNet integration
- TLS: Minimum version 1.2
## Applications

| Application | Purpose | URL Pattern |
|---|---|---|
| Strapi | Headless CMS | strapi.az.ameciclo.org |
| Atlas | Traffic Data APIs | atlas.az.ameciclo.org |
| Zitadel | Identity & Auth | auth.az.ameciclo.org |
| Traefik | Ingress Controller | Auto HTTPS |
| ArgoCD | GitOps Deployment | Internal |
| Infisical | Secrets Management | Internal |
## GitOps Workflow

1. Push code changes to this repository
2. ArgoCD detects changes automatically
3. Deploys applications to Kubernetes cluster
4. Notifies via Telegram on success/failure
## Cost Estimate

| Service | Tier | Monthly Cost |
|---|---|---|
| PostgreSQL | Standard_B2s | ~$24 |
| VM (K3s) | Standard_B2as_v2 | ~$38 |
| Storage | Standard LRS | ~$2 |
| Networking | Standard | ~$8 |
| Total | | ~$72 |
Costs are estimates for West US 3 region. Actual costs may vary.
## Useful Commands

```bash
# Infrastructure
cd infrastructure/pulumi
pulumi stack output                                        # View outputs
pulumi stack output postgresqlAdminPassword --show-secrets # Get DB password
pulumi up                                                  # Update infrastructure
pulumi destroy                                             # WARNING: destroys everything

# Access K3s VM
ssh azureuser@$(pulumi stack output k3sPublicIp)

# Kubernetes (from VM)
kubectl get applications -n argocd       # View ArgoCD apps
kubectl get pods -A                      # Check all pods
kubectl logs -n <namespace> <pod-name>   # View logs
btop                                     # System monitor
```

## Security

- Private Database - PostgreSQL only accessible from VNet
- SSH Key Auth - No password authentication
- Network Security Groups - Restricted port access (SSH, HTTP, HTTPS only)
- Secret Management - Pulumi ESC + Infisical
- Auto HTTPS - Traefik + Let's Encrypt
- Encrypted Secrets - All passwords encrypted in Pulumi state
- Private DNS - Internal DNS resolution for database
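To confirm that the deployed Network Security Group really matches the "SSH, HTTP, HTTPS only" policy above, the following added example (not code from this repository) audits a list of NSG rules and reports any inbound Allow rule that exposes another port, plus a warning when SSH is open to any source. It assumes the camelCase rule fields printed by `az network nsg rule list -o json`; the sample rules are constructed.

```typescript
// Added example, not code from the Ameciclo repository: audit an NSG's inbound
// rules against the policy above (only SSH, HTTP, HTTPS exposed). Field names
// mirror Azure NSG securityRules as printed by `az network nsg rule list -o json`.
interface SecurityRule {
  name: string;
  priority: number;
  direction: "Inbound" | "Outbound";
  access: "Allow" | "Deny";
  protocol: string;                // "Tcp", "Udp" or "*"
  destinationPortRange?: string;   // "22", "80-443" or "*"
  destinationPortRanges?: string[];
  sourceAddressPrefix?: string;    // "*", "Internet", a CIDR or a service tag
}
const ALLOWED_INBOUND_PORTS = new Set([22, 80, 443]);
const ANY_SOURCE = new Set(["*", "Internet", "0.0.0.0/0"]);

// True when every port in an Azure port range is allowed; "*" and malformed ranges never are.
function rangeIsAllowed(range: string): boolean {
  if (range.trim() === "*") return false;
  const [lo, hi = lo] = range.split("-").map((p) => Number(p.trim()));
  if (!Number.isInteger(lo) || !Number.isInteger(hi) || lo > hi) return false;
  for (let port = lo; port <= hi; port++) {
    if (!ALLOWED_INBOUND_PORTS.has(port)) return false; // exits early on "1-65535"
  }
  return true;
}

// One finding per inbound Allow rule exposing a port outside 22/80/443, plus a warning when
// SSH is open to any source. Caveat: Azure applies lower-numbered Deny rules first; that is
// not modelled here, so every Allow counts as exposure (the conservative reading for an audit).
function auditInboundRules(rules: SecurityRule[]): string[] {
  const findings: string[] = [];
  const allows = rules.filter((r) => r.direction === "Inbound" && r.access === "Allow")
    .sort((a, b) => a.priority - b.priority);
  for (const r of allows) {
    const ranges = [...(r.destinationPortRanges ?? []), ...(r.destinationPortRange ? [r.destinationPortRange] : [])];
    for (const range of ranges) {
      if (!rangeIsAllowed(range)) findings.push(`${r.name}: exposes port(s) ${range}/${r.protocol}`);
    }
    if (ranges.includes("22") && ANY_SOURCE.has(r.sourceAddressPrefix ?? "")) {
      findings.push(`${r.name}: SSH reachable from any source; restrict to an admin CIDR`);
    }
  }
  return findings;
}

// Constructed sample: the intended rules plus one accidental exposure (6443).
const SAMPLE_RULES: SecurityRule[] = [
  { name: "allow-ssh", priority: 100, direction: "Inbound", access: "Allow", protocol: "Tcp", destinationPortRange: "22", sourceAddressPrefix: "*" },
  { name: "allow-web", priority: 110, direction: "Inbound", access: "Allow", protocol: "Tcp", destinationPortRanges: ["80", "443"], sourceAddressPrefix: "Internet" },
  { name: "allow-k8s-api", priority: 120, direction: "Inbound", access: "Allow", protocol: "Tcp", destinationPortRange: "6443", sourceAddressPrefix: "*" },
];
```

Running `auditInboundRules(SAMPLE_RULES)` on the constructed sample reports the SSH-from-anywhere warning and the stray 6443 exposure, while the web rule passes.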
## Documentation

- Detailed Docs - Kubernetes guides and concepts
- Infrastructure Setup - Pulumi details
- Application Configs - Kubernetes manifests
## Contributing

1. Fork this repository
2. Create a feature branch
3. Test in a separate Pulumi stack
4. Submit a pull request