Post-Tyranny-Tech-Infrastru.../PROJECT_REFERENCE.md

# Project Reference

Quick reference for essential project information and common operations.

## Project Structure

```
infrastructure/
├── ansible/              # Ansible playbooks and roles
│   ├── hcloud.yml       # Dynamic inventory (Hetzner Cloud)
│   ├── playbooks/       # Main playbooks
│   │   ├── deploy.yml   # Deploy applications to clients
│   │   └── setup.yml    # Setup base server infrastructure
│   └── roles/           # Ansible roles (traefik, nextcloud, etc.)
├── keys/
│   └── age-key.txt      # SOPS encryption key (gitignored)
├── secrets/
│   ├── clients/         # Per-client encrypted secrets
│   │   └── test.sops.yaml
│   └── shared.sops.yaml # Shared secrets
└── terraform/           # Infrastructure as Code (Hetzner)
```

## Essential Configuration

### SOPS Age Key
**Location**: `infrastructure/keys/age-key.txt`
**Usage**: Always set before running Ansible:
```bash
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
```

### Hetzner Cloud Token
**Usage**: Required for dynamic inventory:
```bash
export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
```

### Ansible Paths
**Working Directory**: `infrastructure/ansible/`
**Inventory**: `hcloud.yml` (dynamic, pulls from Hetzner Cloud API)
**Python**: `~/.local/bin/ansible-playbook` (user-local installation)

## Current Deployment

### Client: test
- **Hostname**: test (from Hetzner Cloud)
- **Nextcloud**: https://nextcloud.test.vrije.cloud
- **Secrets**: `secrets/clients/test.sops.yaml`

## Common Operations

### Deploy Applications
```bash
cd infrastructure/ansible
export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"

# Deploy everything to test client
~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit test
```

### Check Service Status
```bash
# List inventory hosts
export HCLOUD_TOKEN="..."
~/.local/bin/ansible-inventory -i hcloud.yml --list

# Run ad-hoc commands
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker ps"
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker logs nextcloud 2>&1 | tail -50"
```

### Edit Secrets
```bash
cd infrastructure
export SOPS_AGE_KEY_FILE="keys/age-key.txt"

# Edit client secrets
sops secrets/clients/test.sops.yaml

# View decrypted secrets
sops --decrypt secrets/clients/test.sops.yaml
```

## Architecture Notes

### Service Stack
- **Traefik**: Reverse proxy with automatic Let's Encrypt certificates
- **Nextcloud 30.0.17**: File sync and collaboration
- **Redis**: Caching for Nextcloud
- **MariaDB**: Database for Nextcloud

### Docker Networks
- `traefik`: External network for all web-accessible services
- `nextcloud-internal`: Internal network for Nextcloud ↔ Redis/DB

### Volumes
- `nextcloud_nextcloud-data`: Nextcloud files and database

## Service Credentials

### Nextcloud Admin
- **URL**: https://nextcloud.test.vrije.cloud
- **Username**: admin
- **Password**: In `secrets/clients/test.sops.yaml` → `nextcloud_admin_password`
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00			`# Project Reference`

			`Quick reference for essential project information and common operations.`

			`## Project Structure`

			```
			`infrastructure/`
			`├── ansible/ # Ansible playbooks and roles`
			`│ ├── hcloud.yml # Dynamic inventory (Hetzner Cloud)`
			`│ ├── playbooks/ # Main playbooks`
			`│ │ ├── deploy.yml # Deploy applications to clients`
			`│ │ └── setup.yml # Setup base server infrastructure`
Remove Zitadel from project completely Removed Zitadel identity provider due to: - Critical bugs with FirstInstance initialization in v2.63.7 - Requirement for manual setup (not scalable for multi-tenant) - User preference for Authentik in future Changes: - Removed entire Zitadel Ansible role and all tasks - Removed Zitadel agent configuration (.claude/agents/zitadel.md) - Updated deploy.yml playbook (removed Zitadel role) - Updated architecture decisions document - Updated PROJECT_REFERENCE.md (removed Zitadel sections) - Updated README.md (removed Zitadel references) - Cleaned up Zitadel deployment from test server - Updated secrets file (removed Zitadel credentials) Architecture now focuses on: - Nextcloud as standalone file sync/collaboration platform - May add Authentik or other identity provider in future if needed 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-07 11:10:32 +01:00			`│ └── roles/ # Ansible roles (traefik, nextcloud, etc.)`
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00			`├── keys/`
			`│ └── age-key.txt # SOPS encryption key (gitignored)`
			`├── secrets/`
			`│ ├── clients/ # Per-client encrypted secrets`
			`│ │ └── test.sops.yaml`
			`│ └── shared.sops.yaml # Shared secrets`
			`└── terraform/ # Infrastructure as Code (Hetzner)`
			```

			`## Essential Configuration`

			`### SOPS Age Key`
			Location: `infrastructure/keys/age-key.txt`
			`Usage: Always set before running Ansible:`
			```bash
			`export SOPS_AGE_KEY_FILE="../keys/age-key.txt"`
			```

			`### Hetzner Cloud Token`
			`Usage: Required for dynamic inventory:`
			```bash
			`export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"`
			```

			`### Ansible Paths`
			Working Directory: `infrastructure/ansible/`
			Inventory: `hcloud.yml` (dynamic, pulls from Hetzner Cloud API)
			Python: `~/.local/bin/ansible-playbook` (user-local installation)

			`## Current Deployment`

			`### Client: test`
			`- Hostname: test (from Hetzner Cloud)`
			`- Nextcloud: https://nextcloud.test.vrije.cloud`
			- Secrets: `secrets/clients/test.sops.yaml`

			`## Common Operations`

			`### Deploy Applications`
			```bash
			`cd infrastructure/ansible`
			`export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"`
			`export SOPS_AGE_KEY_FILE="../keys/age-key.txt"`

			`# Deploy everything to test client`
			`~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit test`
			```

			`### Check Service Status`
			```bash
			`# List inventory hosts`
			`export HCLOUD_TOKEN="..."`
			`~/.local/bin/ansible-inventory -i hcloud.yml --list`

			`# Run ad-hoc commands`
			`~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker ps"`
Remove Zitadel from project completely Removed Zitadel identity provider due to: - Critical bugs with FirstInstance initialization in v2.63.7 - Requirement for manual setup (not scalable for multi-tenant) - User preference for Authentik in future Changes: - Removed entire Zitadel Ansible role and all tasks - Removed Zitadel agent configuration (.claude/agents/zitadel.md) - Updated deploy.yml playbook (removed Zitadel role) - Updated architecture decisions document - Updated PROJECT_REFERENCE.md (removed Zitadel sections) - Updated README.md (removed Zitadel references) - Cleaned up Zitadel deployment from test server - Updated secrets file (removed Zitadel credentials) Architecture now focuses on: - Nextcloud as standalone file sync/collaboration platform - May add Authentik or other identity provider in future if needed 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-07 11:10:32 +01:00			`~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker logs nextcloud 2>&1 \| tail -50"`
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00			```

			`### Edit Secrets`
			```bash
			`cd infrastructure`
			`export SOPS_AGE_KEY_FILE="keys/age-key.txt"`

			`# Edit client secrets`
			`sops secrets/clients/test.sops.yaml`

			`# View decrypted secrets`
			`sops --decrypt secrets/clients/test.sops.yaml`
			```

			`## Architecture Notes`

			`### Service Stack`
			`- Traefik: Reverse proxy with automatic Let's Encrypt certificates`
			`- Nextcloud 30.0.17: File sync and collaboration`
			`- Redis: Caching for Nextcloud`
Remove Zitadel from project completely Removed Zitadel identity provider due to: - Critical bugs with FirstInstance initialization in v2.63.7 - Requirement for manual setup (not scalable for multi-tenant) - User preference for Authentik in future Changes: - Removed entire Zitadel Ansible role and all tasks - Removed Zitadel agent configuration (.claude/agents/zitadel.md) - Updated deploy.yml playbook (removed Zitadel role) - Updated architecture decisions document - Updated PROJECT_REFERENCE.md (removed Zitadel sections) - Updated README.md (removed Zitadel references) - Cleaned up Zitadel deployment from test server - Updated secrets file (removed Zitadel credentials) Architecture now focuses on: - Nextcloud as standalone file sync/collaboration platform - May add Authentik or other identity provider in future if needed 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-07 11:10:32 +01:00			`- MariaDB: Database for Nextcloud`
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00
			`### Docker Networks`
			- `traefik`: External network for all web-accessible services
Remove Zitadel from project completely Removed Zitadel identity provider due to: - Critical bugs with FirstInstance initialization in v2.63.7 - Requirement for manual setup (not scalable for multi-tenant) - User preference for Authentik in future Changes: - Removed entire Zitadel Ansible role and all tasks - Removed Zitadel agent configuration (.claude/agents/zitadel.md) - Updated deploy.yml playbook (removed Zitadel role) - Updated architecture decisions document - Updated PROJECT_REFERENCE.md (removed Zitadel sections) - Updated README.md (removed Zitadel references) - Cleaned up Zitadel deployment from test server - Updated secrets file (removed Zitadel credentials) Architecture now focuses on: - Nextcloud as standalone file sync/collaboration platform - May add Authentik or other identity provider in future if needed 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-07 11:10:32 +01:00			- `nextcloud-internal`: Internal network for Nextcloud ↔ Redis/DB
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00
			`### Volumes`
			- `nextcloud_nextcloud-data`: Nextcloud files and database

			`## Service Credentials`

			`### Nextcloud Admin`
			`- URL: https://nextcloud.test.vrije.cloud`
			`- Username: admin`
			- Password: In `secrets/clients/test.sops.yaml` → `nextcloud_admin_password`