Infrastructure

Minnova's infrastructure follows a cost-effective, security-first approach. We use Cloudflare for edge services (including Pages, with Zero Trust Access in front of static sites such as Oracle), Hetzner for internal tooling, and AWS only for client production workloads that require compliance certifications.

All infrastructure is managed as code in the infra repository using OpenTofu (an open-source fork of Terraform), with GitOps via ArgoCD for workloads. Ansible is used only for the initial bootstrap (K3s, Traefik config, ArgoCD install, age key).

| Document | Purpose |
|---|---|
| Architecture | Servers, services, network diagram |
| Status | Implementation progress tracking |
| Network | IP ranges, firewall rules, traffic flows |
| Identity | Authentik SSO, access control, secrets |
| Observability | Grafana, Prometheus, Loki stack |
| Orchestration | GitOps (ArgoCD) and K3s bootstrap notes |

Hosting Strategy

We use a tiered approach to balance cost and capability:

| Tier | Use Case | Provider | Rationale |
|---|---|---|---|
| 1 | Static sites, DNS, CDN, email routing | Cloudflare | Free tier covers most needs; global edge network |
| 2 | Internal tools, staging, development | Hetzner | Roughly 10x cheaper than AWS; sufficient for non-production |
| 3 | Client production, compliance needs | AWS | Provides the HIPAA, SOC 2 and PCI DSS attestations clients require |

This approach keeps monthly costs under €50 for internal infrastructure while maintaining the flexibility to deploy compliant production environments when clients require it.

Pull Request Workflow

Infrastructure changes follow a pull request workflow:

  1. Create a branch and modify the OpenTofu (.tf) files.
  2. Open a PR and run tofu plan locally from the relevant infra/live/* directory (make plan).
  3. Paste or attach the plan output to the PR for review. Attach only the human-readable text output: a saved binary plan file contains every planned value, including attributes marked sensitive, in the clear.
  4. After approval, apply the changes manually (make apply) from the same module.
  5. Merge the PR once the apply succeeds.

Because the apply happens before the merge, the main branch lags the deployed state until step 5; merge promptly so the repository remains the source of truth.
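The following Makefile is an added example of how the plan and apply steps above can be wired together so that what gets applied is exactly the plan that was reviewed. It is not the infra repository's own Makefile; it assumes GNU make, git and the tofu binary on PATH, one Makefile per infra/live/<module> directory, and arbitrary plan file names (tfplan.bin, tfplan.txt, tfplan.sha).

```makefile
# Added example (not the infra repo's own Makefile): backs the documented
# `make plan` / `make apply` steps for one infra/live/<module> directory.
# Assumptions: GNU make, git and `tofu` on PATH; file names are arbitrary.

TOFU      ?= tofu
PLAN_BIN  ?= tfplan.bin
PLAN_TXT  ?= tfplan.txt
PLAN_SHA  ?= tfplan.sha
GIT_SHA   := $(shell git rev-parse --short HEAD)

.PHONY: init check-clean plan apply clean

init:
	$(TOFU) init -input=false

# Refuse to plan or apply from a dirty tree: the commit reviewed in the PR
# must be exactly what was planned and what gets applied.
check-clean:
	@if [ -n "$$(git status --porcelain -- .)" ]; then \
	    echo "uncommitted changes in $(CURDIR); commit or stash them first" >&2; \
	    exit 1; \
	fi

# Save the plan to a file, render a redacted text copy for the PR, and
# record the commit it was planned at.
plan: init check-clean
	$(TOFU) plan -input=false -out=$(PLAN_BIN)
	$(TOFU) show -no-color $(PLAN_BIN) > $(PLAN_TXT)
	@echo $(GIT_SHA) > $(PLAN_SHA)
	@echo "attach $(PLAN_TXT) (planned at $(GIT_SHA)) to the PR; never commit or attach $(PLAN_BIN)"

# Apply only the saved plan that was reviewed, and only from the same commit.
apply: check-clean
	@test -f $(PLAN_BIN) || { echo "no $(PLAN_BIN); run 'make plan' first" >&2; exit 1; }
	@if [ "$$(cat $(PLAN_SHA))" != "$(GIT_SHA)" ]; then \
	    echo "plan was made at $$(cat $(PLAN_SHA)) but HEAD is $(GIT_SHA); re-run 'make plan'" >&2; \
	    exit 1; \
	fi
	$(TOFU) apply -input=false $(PLAN_BIN)
	$(RM) $(PLAN_BIN) $(PLAN_SHA)

clean:
	$(RM) $(PLAN_BIN) $(PLAN_TXT) $(PLAN_SHA)
```

Applying the saved plan file rather than re-planning at apply time has two effects a reviewer cares about: OpenTofu refuses with a "saved plan is stale" error if the remote state changed between plan and apply, and the changes applied are the ones that were approved, not a fresh plan that may differ. Keep tfplan.* in .gitignore: the binary plan holds sensitive values unredacted, whereas the tofu show text prints them as (sensitive value).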

We may reintroduce Atlantis (which runs plan and apply from PR comments) later, but it is not currently deployed.

Reference Documentation

| Document | Purpose |
|---|---|
| Orchestration | Container strategy and K3s migration |
| VPN | Headscale/Tailscale network access |