4 min read

Lernreise 3/7: Teaching a Machine to Build Machines

Before this week, I had never used OpenTofu. I knew it was a Terraform fork, I had seen it mentioned in the same breath as infrastructure as code, and that was roughly where my knowledge ended. Ansible I knew slightly better, in the way that you know a neighbour’s name without having had a proper conversation. I was aware of what it does. I had never sat down and done it.

lernreise ai opentofu ansible proxmox infrastructure-as-code
18 min read

Automating TLS Certificates in a Homelab: Smallstep PKI, Caddy, and Drone CI/CD — A Static Website Case Study

Abstract

Running services in a homelab behind an internal reverse proxy creates a certificate management problem that is easy to underestimate. This article walks through a real deployment: a Hugo static website built and deployed by Drone CI/CD, with UAT served by an nginx container behind Caddy, and production hosted on Firebase. The core challenge is not just issuing certificates — it is ensuring that Docker containers running as part of the CI/CD pipeline actually trust the internal CA. We examine how Smallstep step-ca acts as the homelab root of trust, how Caddy automates certificate provisioning via ACME, and how an Ansible role bootstraps CA trust on the Docker host so that the Drone Server container can communicate with Gitea over HTTPS. The infrastructure provisioning side (via OpenTofu and Ansible) is also described, with an honest account of what IaC actually created versus what was pre-existing.

homelab pki smallstep caddy drone ci-cd tls certificates infrastructure-as-code opentofu ansible hugo static-sites
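The CA-trust bootstrap the abstract describes, as an added example written for this page and not the article's own Ansible role. It assumes a Debian/Ubuntu Docker host (so `update-ca-certificates` builds the bundle), a step-ca instance at the hypothetical `https://ca.home.example:9000` serving its root at the standard `/roots.pem` endpoint, and a root fingerprint obtained out of band from the CA operator; the fingerprint value shown is a placeholder. The point it makes that the abstract does not: the first download of the root cannot be validated over TLS, so the play stages the file, checks it against the pinned fingerprint, and only then moves it into the trust directory, so a tampered download never becomes trusted on the host.

```yaml
# Added example, not the article's role. Assumptions: Debian/Ubuntu Docker host
# (update-ca-certificates), step-ca reachable at the hypothetical ca.home.example,
# and a root fingerprint obtained out of band from the CA operator.
- name: Bootstrap trust in the homelab step-ca root on Docker hosts
  hosts: docker_hosts
  become: true
  vars:
    step_ca_url: "https://ca.home.example:9000"          # hypothetical
    # Placeholder: the real value is the fingerprint printed by `step ca init`.
    homelab_root_sha256: "0000000000000000000000000000000000000000000000000000000000000000"
    staging_path: /root/homelab-root-ca.pem
    trust_path: /usr/local/share/ca-certificates/homelab-root-ca.crt
  tasks:
    - name: Download the root to a staging path (first contact, TLS cannot be validated yet)
      ansible.builtin.get_url:
        url: "{{ step_ca_url }}/roots.pem"
        dest: "{{ staging_path }}"
        mode: "0600"
        validate_certs: false    # untrusted until the fingerprint check below passes

    - name: Compute the SHA-256 fingerprint of the staged root
      ansible.builtin.command:
        argv: [openssl, x509, -in, "{{ staging_path }}", -noout, -fingerprint, -sha256]
      register: root_fp
      changed_when: false

    - name: Refuse a root that does not match the pinned fingerprint
      ansible.builtin.assert:
        that:
          # openssl prints "sha256 Fingerprint=AB:CD:..."; normalise to bare lowercase hex
          - (root_fp.stdout.split('=')[-1] | replace(':', '') | lower) == homelab_root_sha256
        fail_msg: "Staged root does not match the pinned fingerprint; not installing it."

    - name: Install the verified root into the system trust directory
      ansible.builtin.copy:
        src: "{{ staging_path }}"
        dest: "{{ trust_path }}"
        remote_src: true
        mode: "0644"
      notify: rebuild ca bundle

    - name: Rebuild the bundle now so the check below sees the new root
      ansible.builtin.meta: flush_handlers

    - name: Confirm the system bundle now validates the root itself
      ansible.builtin.command:
        argv: [openssl, verify, -CAfile, /etc/ssl/certs/ca-certificates.crt, "{{ trust_path }}"]
      changed_when: false

  handlers:
    - name: rebuild ca bundle
      ansible.builtin.command: update-ca-certificates
```

Two caveats a practitioner will hit next. Containers do not read the host trust store, so the rebuilt bundle still has to be bind-mounted read-only into the Drone server container (for a Debian- or Alpine-based image, at `/etc/ssl/certs/ca-certificates.crt`, an assumption about the image) and the container recreated before its HTTPS calls to Gitea succeed. And Caddy's ACME client needs the same root pinned separately, via its `acme_ca` and `acme_ca_root` global options, rather than relying on the host store.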