Post-Tyranny-Tech-Infrastru.../ansible/playbooks/deploy.yml

---
# Deploy applications to client servers
# This playbook deploys Nextcloud and other applications

- name: Deploy applications to client servers
  hosts: all
  become: yes

  pre_tasks:
    - name: Gather facts
      setup:

    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"

    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_key: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Set client domain from secrets
      set_fact:
        client_domain: "{{ client_secrets.client_domain }}"
      when: client_secrets.client_domain is defined

  roles:
    - role: nextcloud

  post_tasks:
    - name: Display deployment summary
      debug:
        msg: |
          Deployment complete for client: {{ client_name }}

          Nextcloud: https://nextcloud.{{ client_domain }}
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00			`---`
			`# Deploy applications to client servers`
Remove Zitadel from project completely Removed Zitadel identity provider due to: - Critical bugs with FirstInstance initialization in v2.63.7 - Requirement for manual setup (not scalable for multi-tenant) - User preference for Authentik in future Changes: - Removed entire Zitadel Ansible role and all tasks - Removed Zitadel agent configuration (.claude/agents/zitadel.md) - Updated deploy.yml playbook (removed Zitadel role) - Updated architecture decisions document - Updated PROJECT_REFERENCE.md (removed Zitadel sections) - Updated README.md (removed Zitadel references) - Cleaned up Zitadel deployment from test server - Updated secrets file (removed Zitadel credentials) Architecture now focuses on: - Nextcloud as standalone file sync/collaboration platform - May add Authentik or other identity provider in future if needed 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-07 11:10:32 +01:00			`# This playbook deploys Nextcloud and other applications`
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00
			`- name: Deploy applications to client servers`
			`hosts: all`
			`become: yes`

			`pre_tasks:`
			`- name: Gather facts`
			`setup:`

			`- name: Determine client name from hostname`
			`set_fact:`
			`client_name: "{{ inventory_hostname }}"`

			`- name: Load client secrets`
			`community.sops.load_vars:`
			`file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"`
			`name: client_secrets`
			`age_key: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"`
			`no_log: true`

Deploy Nextcloud file sync/share with automated installation (#4) This commit implements a complete Nextcloud deployment with PostgreSQL, Redis, automated installation, and preparation for OIDC/SSO integration with Zitadel. ## Nextcloud Deployment ### New Ansible Role (ansible/roles/nextcloud/) - Complete Nextcloud v30 deployment with Docker Compose - PostgreSQL 16 backend with persistent volumes - Redis 7 for caching and file locking - Automated installation via Docker environment variables - Post-installation configuration via occ commands ### Features Implemented - Database: PostgreSQL with proper credentials and persistence - Caching: Redis for memory caching and file locking - HTTPS: Traefik integration with Let's Encrypt SSL - Security: Proper security headers and HSTS - WebDAV: CalDAV/CardDAV redirect middleware - Configuration: Automated trusted domain, reverse proxy, and Redis setup - OIDC Preparation: user_oidc app installed and enabled ### Traefik Updates - Added Nextcloud routing to dynamic.yml (static file-based config) - Configured CalDAV/CardDAV redirect middleware - Added Nextcloud-specific security headers ### Configuration Tasks - Automated trusted domain configuration for nextcloud.test.vrije.cloud - Reverse proxy overwrite settings (protocol, host, CLI URL) - Redis cache and locking configuration - Default phone region (NL) - Background jobs via cron ## Deployment Status ✅ Successfully deployed and tested: - Nextcloud: https://nextcloud.test.vrije.cloud/ - Admin login working - PostgreSQL database initialized - Redis caching operational - HTTPS with Let's Encrypt SSL - user_oidc app installed (ready for Zitadel integration) ## Next Steps To complete OIDC/SSO integration: 1. Create OIDC application in Zitadel console 2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code 3. Configure provider in Nextcloud with Zitadel credentials Partially addresses #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 09:30:54 +01:00			`- name: Set client domain from secrets`
			`set_fact:`
			`client_domain: "{{ client_secrets.client_domain }}"`
			`when: client_secrets.client_domain is defined`

Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00			`roles:`
Deploy Nextcloud file sync/share with automated installation (#4) This commit implements a complete Nextcloud deployment with PostgreSQL, Redis, automated installation, and preparation for OIDC/SSO integration with Zitadel. ## Nextcloud Deployment ### New Ansible Role (ansible/roles/nextcloud/) - Complete Nextcloud v30 deployment with Docker Compose - PostgreSQL 16 backend with persistent volumes - Redis 7 for caching and file locking - Automated installation via Docker environment variables - Post-installation configuration via occ commands ### Features Implemented - Database: PostgreSQL with proper credentials and persistence - Caching: Redis for memory caching and file locking - HTTPS: Traefik integration with Let's Encrypt SSL - Security: Proper security headers and HSTS - WebDAV: CalDAV/CardDAV redirect middleware - Configuration: Automated trusted domain, reverse proxy, and Redis setup - OIDC Preparation: user_oidc app installed and enabled ### Traefik Updates - Added Nextcloud routing to dynamic.yml (static file-based config) - Configured CalDAV/CardDAV redirect middleware - Added Nextcloud-specific security headers ### Configuration Tasks - Automated trusted domain configuration for nextcloud.test.vrije.cloud - Reverse proxy overwrite settings (protocol, host, CLI URL) - Redis cache and locking configuration - Default phone region (NL) - Background jobs via cron ## Deployment Status ✅ Successfully deployed and tested: - Nextcloud: https://nextcloud.test.vrije.cloud/ - Admin login working - PostgreSQL database initialized - Redis caching operational - HTTPS with Let's Encrypt SSL - user_oidc app installed (ready for Zitadel integration) ## Next Steps To complete OIDC/SSO integration: 1. Create OIDC application in Zitadel console 2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code 3. Configure provider in Nextcloud with Zitadel credentials Partially addresses #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 09:30:54 +01:00			`- role: nextcloud`
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00
			`post_tasks:`
			`- name: Display deployment summary`
			`debug:`
			`msg: \|`
			`Deployment complete for client: {{ client_name }}`

Deploy Nextcloud file sync/share with automated installation (#4) This commit implements a complete Nextcloud deployment with PostgreSQL, Redis, automated installation, and preparation for OIDC/SSO integration with Zitadel. ## Nextcloud Deployment ### New Ansible Role (ansible/roles/nextcloud/) - Complete Nextcloud v30 deployment with Docker Compose - PostgreSQL 16 backend with persistent volumes - Redis 7 for caching and file locking - Automated installation via Docker environment variables - Post-installation configuration via occ commands ### Features Implemented - Database: PostgreSQL with proper credentials and persistence - Caching: Redis for memory caching and file locking - HTTPS: Traefik integration with Let's Encrypt SSL - Security: Proper security headers and HSTS - WebDAV: CalDAV/CardDAV redirect middleware - Configuration: Automated trusted domain, reverse proxy, and Redis setup - OIDC Preparation: user_oidc app installed and enabled ### Traefik Updates - Added Nextcloud routing to dynamic.yml (static file-based config) - Configured CalDAV/CardDAV redirect middleware - Added Nextcloud-specific security headers ### Configuration Tasks - Automated trusted domain configuration for nextcloud.test.vrije.cloud - Reverse proxy overwrite settings (protocol, host, CLI URL) - Redis cache and locking configuration - Default phone region (NL) - Background jobs via cron ## Deployment Status ✅ Successfully deployed and tested: - Nextcloud: https://nextcloud.test.vrije.cloud/ - Admin login working - PostgreSQL database initialized - Redis caching operational - HTTPS with Let's Encrypt SSL - user_oidc app installed (ready for Zitadel integration) ## Next Steps To complete OIDC/SSO integration: 1. Create OIDC application in Zitadel console 2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code 3. Configure provider in Nextcloud with Zitadel credentials Partially addresses #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 09:30:54 +01:00			`Nextcloud: https://nextcloud.{{ client_domain }}`