Post-Tyranny-Tech-Infrastru.../ansible/roles/zitadel/tasks/docker.yml

---
# Docker Compose setup for Zitadel

- name: Include clean tasks when force recreate is requested
  include_tasks: clean.yml
  when: zitadel_force_recreate | default(false) | bool

- name: Create Zitadel configuration directory
  file:
    path: "{{ zitadel_config_dir }}"
    state: directory
    mode: '0755'

- name: Create Zitadel internal network
  community.docker.docker_network:
    name: "{{ zitadel_network }}"
    driver: bridge
    internal: true

- name: Deploy Zitadel Docker Compose configuration
  template:
    src: docker-compose.zitadel.yml.j2
    dest: "{{ zitadel_config_dir }}/docker-compose.yml"
    mode: '0600'
  notify: Restart Zitadel

- name: Start Zitadel services
  community.docker.docker_compose_v2:
    project_src: "{{ zitadel_config_dir }}"
    state: present
  register: zitadel_deploy

- name: Wait for Zitadel database to be ready
  community.docker.docker_container_exec:
    container: zitadel-db
    command: pg_isready -U {{ zitadel_db_user }} -d {{ zitadel_db_name }}
  register: db_ready
  until: db_ready.rc == 0
  retries: 30
  delay: 2
  changed_when: false

- name: Wait for Zitadel to be healthy
  uri:
    url: "https://{{ zitadel_domain }}/debug/ready"
    method: GET
    status_code: 200
    validate_certs: yes
  register: zitadel_health
  until: zitadel_health.status == 200
  retries: 30
  delay: 10
  changed_when: false
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00			`---`
			`# Docker Compose setup for Zitadel`

Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-06 16:43:57 +01:00			`- name: Include clean tasks when force recreate is requested`
			`include_tasks: clean.yml`
			`when: zitadel_force_recreate \| default(false) \| bool`

Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com> 2026-01-05 16:40:37 +01:00			`- name: Create Zitadel configuration directory`
			`file:`
			`path: "{{ zitadel_config_dir }}"`
			`state: directory`
			`mode: '0755'`

			`- name: Create Zitadel internal network`
			`community.docker.docker_network:`
			`name: "{{ zitadel_network }}"`
			`driver: bridge`
			`internal: true`

			`- name: Deploy Zitadel Docker Compose configuration`
			`template:`
			`src: docker-compose.zitadel.yml.j2`
			`dest: "{{ zitadel_config_dir }}/docker-compose.yml"`
			`mode: '0600'`
			`notify: Restart Zitadel`

			`- name: Start Zitadel services`
			`community.docker.docker_compose_v2:`
			`project_src: "{{ zitadel_config_dir }}"`
			`state: present`
			`register: zitadel_deploy`

			`- name: Wait for Zitadel database to be ready`
			`community.docker.docker_container_exec:`
			`container: zitadel-db`
			`command: pg_isready -U {{ zitadel_db_user }} -d {{ zitadel_db_name }}`
			`register: db_ready`
			`until: db_ready.rc == 0`
			`retries: 30`
			`delay: 2`
			`changed_when: false`

			`- name: Wait for Zitadel to be healthy`
			`uri:`
			`url: "https://{{ zitadel_domain }}/debug/ready"`
			`method: GET`
			`status_code: 200`
			`validate_certs: yes`
			`register: zitadel_health`
			`until: zitadel_health.status == 200`
			`retries: 30`
			`delay: 10`
			`changed_when: false`