Use when working on infrastructure repos (terraform, ansible, kubernetes, proxmox, nix devShells)
Install: `npx claudepluginhub jacobpevans/claude-code-plugins --plugin infra-standards`
This skill uses the workspace's default tool permissions.
- **Idempotency**: All IaC must produce same result on repeated runs.
```text
terraform-proxmox -> ansible-proxmox -> ansible-proxmox-apps -> ansible-splunk
 (provision VMs)    (configure host)   (configure apps)        (configure Splunk)
```
Not every change needs the full pipeline. App config: ansible-proxmox-apps only. Splunk config: ansible-splunk only. New VM: full pipeline.
IPs use pattern 192.168.0.{vmid} (for VMIDs under 256).
| VMID Range | Purpose | Examples |
|---|---|---|
| 100-109 | Infrastructure | ansible, pi-hole |
| 110-149 | Utilities | pve-scripts |
| 150-169 | AI Dev | claude-code, gemini |
| 170-179 | Cribl Stream | cribl-stream (171-172) |
| 180-189 | Cribl Edge | cribl-edge (181-182) |
| 190-199 | LB/Management | haproxy, splunk-mgmt |
| 200-299 | VMs | splunk-vm (200) |
| 9000-9999 | Templates | Not running, no IP |
Every repo owns its own dev shell. No central registry.
```text
repo/
├── flake.nix    <- defines devShells.default
├── flake.lock   <- pins nixpkgs independently
├── .envrc       <- `use flake` (ALWAYS committed)
└── .direnv/     <- ALWAYS in .gitignore
```
| Repo | Template | Key Tools |
|---|---|---|
| ansible-proxmox | github:JacobPEvans/nix-devenv?dir=shells/ansible | ansible, molecule, sops, age |
| ansible-proxmox-apps | github:JacobPEvans/nix-devenv?dir=shells/ansible | + SOPS_AGE_KEY_FILE |
| terraform-proxmox | github:JacobPEvans/nix-devenv?dir=shells/terraform | terraform, terragrunt, tfsec, trivy |
| terraform-aws | github:JacobPEvans/nix-devenv?dir=shells/terraform | same as terraform-proxmox |
| kubernetes-monitoring | github:JacobPEvans/nix-devenv?dir=shells/kubernetes | kubectl, helm, helmfile, k9s, kind |
| splunk | github:JacobPEvans/nix-devenv?dir=shells/splunk-dev | uv (Python 3.9 on-demand) |
| Scenario | Tool |
|---|---|
| Runtime injection (env vars) | Doppler |
| Secrets committed to git (encrypted) | SOPS |
| Terraform state encryption | SOPS |
| Ansible vault replacement | SOPS |
| CI/CD pipeline secrets | Doppler |
Rule: If it must exist in a git-tracked file, use SOPS. If injectable at runtime, use Doppler.
```bash
# Terraform
doppler run --name-transformer tf-var -- terragrunt plan

# With AWS
aws-vault exec terraform -- doppler run --name-transformer tf-var -- terragrunt apply

# Ansible
doppler run -- ansible-playbook -i inventory/hosts.yml playbooks/site.yml
```
.sops.yaml at repo root:
```yaml
creation_rules:
  - path_regex: (\.enc\.ya?ml$|secrets/.*\.ya?ml$)
    age: >-
      age1your-public-key-here
```
Naming: encrypted = .enc.yml, plaintext = .yml (in .gitignore).
Precedence: when both provide same secret, Doppler (runtime) wins.
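A pre-commit style check for the SOPS rule above, written here as an added example (it is not part of the skill or of the jacobpevans repos): it applies the `.sops.yaml` path_regex to a set of repo files and flags any matching file that lacks the markers sops writes into an encrypted file (a top-level `sops:` block and `ENC[...]` values), which is how a plaintext secret saved under `secrets/` or as `.enc.yml` is caught before it lands in git. The file contents are constructed samples, not real secrets.

```python
import re
from typing import Dict, List

# path_regex taken from the .sops.yaml creation rule in this skill.
SOPS_PATH_REGEX = re.compile(r"(\.enc\.ya?ml$|secrets/.*\.ya?ml$)")

# Markers sops writes into a file it has encrypted: a top-level `sops:`
# metadata block and scalar values wrapped as ENC[<cipher>,...].
_SOPS_BLOCK = re.compile(r"^sops:\s*$", re.MULTILINE)
_ENC_VALUE = re.compile(r"ENC\[[A-Z0-9_]+,")


def is_sops_encrypted(content: str) -> bool:
    """True only if the file carries both sops metadata and encrypted values."""
    return bool(_SOPS_BLOCK.search(content)) and bool(_ENC_VALUE.search(content))


def find_unencrypted(files: Dict[str, str]) -> List[str]:
    """Paths the creation rule says must be encrypted but that are plaintext."""
    return sorted(
        path for path, content in files.items()
        if SOPS_PATH_REGEX.search(path) and not is_sops_encrypted(content)
    )


# Constructed sample repo contents (placeholder values, nothing real).
SAMPLE_FILES = {
    "secrets/db.enc.yml": (
        "db_password: ENC[AES256_GCM,data:c29tZQ==,iv:AAAA,tag:BBBB,type:str]\n"
        "sops:\n"
        "    age:\n"
        "        - recipient: age1examplerecipient\n"
        "    mac: ENC[AES256_GCM,data:bWFj,iv:AAAA,tag:BBBB,type:str]\n"
        "    version: 3.8.1\n"
    ),
    # Correct directory, wrong suffix and still plaintext: must be flagged.
    "secrets/forgot-to-encrypt.yml": "db_password: hunter2\n",
    # Outside the rule: not a secret file, so not checked.
    "group_vars/all.yml": "ansible_user: ansible\n",
    # Has a sops block but no ENC[...] values: a half-decrypted file, flagged.
    "inventory/prod.enc.yaml": "api_token: hunter2\nsops:\n    version: 3.8.1\n",
}

if __name__ == "__main__":
    for path in find_unencrypted(SAMPLE_FILES):
        print(f"REFUSE COMMIT: {path} matches .sops.yaml rule but is not encrypted")
```

In a real hook, build the dict from `git diff --cached --name-only` and the staged blob contents instead of `SAMPLE_FILES`.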
Terraform outputs feed Ansible dynamic inventory:
```json
{
  "splunk": {
    "hosts": ["192.168.0.200"],
    "vars": { "ansible_port": 22, "ansible_user": "ansible" }
  }
}
```
Contract rules: