Open source tools extracted from production infrastructure work.
GitHub Actions
commit-to-control — Map git commits to NIST 800-171 controls via vector similarity + LLM judge. Every PR gets a comment showing which compliance controls the change addresses, with cost tracking in dollars and satoshis. Supports OpenAI, AWS Bedrock, and Ollama. Marketplace. Blog post.
resolve-container-image — Resolve container images from explicit input, terraform state, or release branch. Prevents accidental image rollbacks during infra-only terraform applies. Priority chain with an update_images safety gate. Marketplace.
Terraform Modules
terraform-aws-headscale — Deploy Headscale (open-source Tailscale coordination server) on AWS. Two modules: coordination-server (Headscale + subnet router on one EC2) and subnet-router (Tailscale-only for additional VPCs/accounts). Replaced $489/mo in AWS Client VPN with a $3/mo t4g.nano. Blog post.
terraform-aws-unified-dns — Define DNS records once, create them in Route53 and Cloudflare. Format translation, NS mirroring, provider toggling via zone ID. Blog post.
terraform-eso-feature-flags — Wildcard feature flag discovery for Kubernetes via External Secrets Operator. A separate ExternalSecret with dataFrom.find walks an SSM path prefix, matches FEATURE_FLAG_* parameters, rewrites the keys, and syncs them into a dedicated K8s Secret loaded via envFrom. Per-tenant rollout without LaunchDarkly — the SSM path prefix is the namespace. Blog post.
terraform-k8s-service-deployment — Deploy containerized services to EKS with CMMC Level 2 security contexts, ALB ingress, IRSA, External Secrets Operator integration, sidecar support, and feature flag discovery. Refuses latest tags. One module block per service per tenant.
Kubernetes Tooling
kwhy — Explain why a Kubernetes object keeps changing: owner chain, write managers, likely reconcilers, desired-state inputs, revert risk, and RBAC sanity checks. Built for incident response in controller-heavy clusters where manual child edits keep getting overwritten. Related post.
CLI Tools
_aws_move_outtamyway — Zero-latency shell completer for the AWS CLI. Replaces the stock aws_completer (which spawns Python on every tab) with a static zsh/bash function generated from a DuckDB catalog of the botocore API contract. 428 services, 18,115 operations, 341 waiters, 46 regions. One curl to install. Blog post.
sso-login-all — Log into all your AWS SSO orgs at once. Discovers [sso-session] blocks from ~/.aws/config, checks the token cache, and only opens browser tabs for expired sessions.
cf-wait — Wait for CloudFront invalidation to complete. Knows your sites by name — type cf-wait ferkakta.dev instead of a distribution ID. Auto-finds the latest invalidation, creates a fresh one if the last one is stale, and cf-wait all checks every site at once. Blog post.
Frontend
widont — Prevent typographic widows in headings and paragraphs. Replaces the last space with a non-breaking space so the final word doesn’t sit alone on a line. Originally a jQuery/CoffeeScript plugin from 2007, rewritten for modern browsers. In use on three sites.
Claude Code Skills
claude-skills — Claude Code skills for platform engineering. Each skill encodes a complete methodology for a recurring task — morning briefings, harvest sessions, scrum prep, strategic analysis. Tool-agnostic by design: the skills describe what to check and why, not which binary to use. Blog post.