Infrastructure Dev Container
A secure, minimal development container for infrastructure work targeting Oracle Cloud Infrastructure (OCI), Proxmox VE, and VMware vSphere.
Built on Alpine Linux with least-privilege defaults: non-root execution, no secrets on disk, restricted network egress, and reproducible, Renovate-tracked tooling.
Design principles
- Security-first — no root access; SSH keys stay in 1Password and never touch disk; egress is opt-in, not opt-out.
- Reproducible — every tool version is pinned and Renovate-tracked; builds are deterministic across machines and time.
- Observable — always-on proxy, MITM interception, and a real-time dashboard surface every outbound connection and LLM token.
- Portable — reusable pre-built image; consuming projects need only a thin `devcontainer.json` — no local build step.
Quick start
To develop the container itself:
```bash
git clone git@github.com:felipecoelho90/dev-container.git
cd dev-container
source .devcontainer/env.sh   # export per-project variables
code .                        # click "Reopen in Container"
```
The first build takes ~10–15 minutes (Python + Ruby compilation); subsequent opens use the cached image. For the full host setup (Colima, 1Password SSH agent, VS Code) start at Getting Started. To use the pre-built image in another project, see Using the Container in Projects.
Quick navigation
| Goal | Where to go |
|---|---|
| Set up the host and open the container for the first time | Getting Started |
| Use the container in another infrastructure project | Using the Container in Projects |
| Allow a new external hostname | Manage Egress |
| Sync template files to a consuming project | Update Project Templates |
| Diagnose SSH, firewall, or build failures | Troubleshooting |
| See all pre-installed tools and versions | Tools |
| Look up an environment variable | Environment Variables |
| Understand named volumes and cache seeding | Persistence & Volumes |
| Review the build, release, and tagging pipeline | CI/CD & Releases |
| Understand the SSH chain or egress model | Architecture |
Architecture decisions
| ADR | Decision |
|---|---|
| 0001 | Alpine Linux as base image |
| 0002 | mise for runtime version management |
| 0003 | Chef tools as Ruby gems (not Chef Workstation) |
| 0004 | Checkov over tfsec for IaC scanning |
| 0005 | Colima SSH agent forwarding chain |
| 0006 | Reusable image architecture |
| 0007 | Rootless Podman replaces Docker-Outside-of-Docker |
| 0008 | In-image binaries for Go-based pre-commit hooks |
| 0009 | In-container proxy, MITM, and monitor services |
| 0010 | Semantic versioning and tag-driven releases |
| 0011 | CI/CD via GitHub Actions, Docker Hub, daily Renovate |
| 0012 | Native ARM64 release builds |
| 0013 | OpenTelemetry via Claude Code CLI native instrumentation |