Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/zitadel/templates/docker-compose.zitadel.yml.j2

100 lines
3.4 KiB
Text
Raw Normal View History

Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00
services:
zitadel:
image: ghcr.io/zitadel/zitadel:{{ zitadel_version }}
container_name: zitadel
restart: unless-stopped
command: start-from-init --masterkeyFromEnv --tlsMode external
environment:
# Masterkey for encryption
ZITADEL_MASTERKEY: "{{ client_secrets.zitadel_masterkey }}"
# Database configuration
ZITADEL_DATABASE_POSTGRES_HOST: zitadel-db
ZITADEL_DATABASE_POSTGRES_PORT: 5432
ZITADEL_DATABASE_POSTGRES_DATABASE: "{{ zitadel_db_name }}"
ZITADEL_DATABASE_POSTGRES_USER_USERNAME: "{{ zitadel_db_user }}"
ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: "{{ client_secrets.zitadel_db_password }}"
ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: "{{ zitadel_db_user }}"
ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: "{{ client_secrets.zitadel_db_password }}"
ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
# External domain configuration
ZITADEL_EXTERNALSECURE: "true"
ZITADEL_EXTERNALDOMAIN: "{{ zitadel_domain }}"
ZITADEL_EXTERNALPORT: 443
# First instance configuration
ZITADEL_FIRSTINSTANCE_ORG_NAME: "{{ client_name | title }}"
ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME: "{{ zitadel_admin_username }}"
ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD: "{{ client_secrets.zitadel_admin_password }}"
ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL: "admin@{{ zitadel_domain }}"
ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED: "true"
networks:
- {{ zitadel_traefik_network }}
- {{ zitadel_network }}
depends_on:
zitadel-db:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.routers.zitadel.rule=Host(`{{ zitadel_domain }}`)"
- "traefik.http.routers.zitadel.tls=true"
- "traefik.http.routers.zitadel.tls.certresolver=letsencrypt"
- "traefik.http.routers.zitadel.entrypoints=websecure"
- "traefik.http.services.zitadel.loadbalancer.server.port=8080"
# gRPC support for API
- "traefik.http.services.zitadel.loadbalancer.server.scheme=h2c"
# Middleware for security headers
- "traefik.http.routers.zitadel.middlewares=zitadel-headers"
- "traefik.http.middlewares.zitadel-headers.headers.stsSeconds=31536000"
- "traefik.http.middlewares.zitadel-headers.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.zitadel-headers.headers.stsPreload=true"
deploy:
resources:
limits:
memory: {{ zitadel_memory_limit }}
cpus: "{{ zitadel_cpu_limit }}"
zitadel-db:
image: postgres:{{ postgres_version }}
container_name: zitadel-db
restart: unless-stopped
environment:
POSTGRES_USER: "{{ zitadel_db_user }}"
POSTGRES_PASSWORD: "{{ client_secrets.zitadel_db_password }}"
POSTGRES_DB: "{{ zitadel_db_name }}"
volumes:
- zitadel-db-data:/var/lib/postgresql/data
networks:
- {{ zitadel_network }}
healthcheck:
test: ["CMD-SHELL", "pg_isready -U {{ zitadel_db_user }} -d {{ zitadel_db_name }}"]
interval: 5s
timeout: 5s
retries: 5
deploy:
resources:
limits:
memory: 256M
cpus: "0.5"
volumes:
zitadel-db-data:
driver: local
networks:
{{ zitadel_traefik_network }}:
external: true
{{ zitadel_network }}:
driver: bridge
internal: true
Reference in a new issue Copy permalink