Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/zitadel/tasks/oidc-apps.yml

108 lines
3.5 KiB
YAML
Raw Normal View History

Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00
---
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
# OIDC Application creation tasks via Zitadel API
# Fully automated OIDC app provisioning for Nextcloud and other services
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Create Zitadel scripts directory
file:
path: /opt/zitadel
state: directory
mode: '0755'
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
- name: Copy OIDC automation scripts to server
copy:
src: "{{ item }}"
dest: "/opt/zitadel/{{ item }}"
mode: '0755'
loop:
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- zitadel_api.py
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Install Python libraries for OIDC automation
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
package:
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
name:
- python3-requests
- python3-jwt
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
state: present
become: yes
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Check if JWT key file exists
shell: docker exec zitadel ls /machinekey/api-automation.json
register: jwt_key_check
failed_when: false
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
changed_when: false
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Set JWT authentication available
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
set_fact:
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
jwt_auth_available: "{{ jwt_key_check.rc == 0 }}"
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Copy JWT key from container to host
shell: docker cp zitadel:/machinekey/api-automation.json /tmp/api-automation.json
when: jwt_auth_available
changed_when: false
- name: Create OIDC application for Nextcloud using JWT auth
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
shell: |
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
python3 /opt/zitadel/zitadel_api.py \
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
"{{ zitadel_domain }}" \
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
"/tmp/api-automation.json" \
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
"Nextcloud" \
"https://nextcloud.{{ client_domain }}/apps/user_oidc/code"
register: oidc_app_result
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
changed_when: "'created' in oidc_app_result.stdout"
failed_when: oidc_app_result.rc != 0
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
- name: Clean up temporary JWT key file
file:
path: /tmp/api-automation.json
state: absent
when: jwt_auth_available
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
- name: Parse OIDC app creation result
set_fact:
oidc_app_data: "{{ oidc_app_result.stdout | from_json }}"
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available and oidc_app_result is defined
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
- name: Display OIDC app status
Deploy Zitadel identity provider with DNS automation (#3) (#8) This commit implements a complete Zitadel identity provider deployment with automated DNS management using vrije.cloud domain. ## Infrastructure Changes ### DNS Management - Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+ - Automated DNS record creation for client subdomains (test.vrije.cloud) - Automated wildcard DNS for service subdomains (*.test.vrije.cloud) - Supports both IPv4 (A) and IPv6 (AAAA) records ### Zitadel Deployment - Added complete Zitadel role with PostgreSQL 16 database - Configured Zitadel v2.63.7 with proper external domain settings - Implemented first instance setup with admin user creation - Set up database connection with proper user and admin credentials - Configured email verification bypass for first admin user ### Traefik Updates - Upgraded from v3.0 to v3.2 for better Docker API compatibility - Added manual routing configuration in dynamic.yml for Zitadel - Configured HTTP/2 Cleartext (h2c) backend for Zitadel service - Added Zitadel-specific security headers middleware - Fixed Docker API version compatibility issues ### Secrets Management - Added Zitadel credentials to test client secrets - Generated proper 32-character masterkey (Zitadel requirement) - Created admin password with symbol complexity requirement - Added zitadel_domain configuration ## Deployment Details Test environment now accessible at: - Server: test.vrije.cloud (78.47.191.38) - Zitadel: https://zitadel.test.vrije.cloud/ - Admin user: admin@test.zitadel.test.vrije.cloud Successfully tested: - HTTPS with Let's Encrypt SSL certificate - Admin login with 2FA setup - First instance initialization Fixes #3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Pieter <pieter@kolabnow.com> Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00
debug:
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
msg: |
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
✅ Nextcloud OIDC Application: {{ oidc_app_data.status }}
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
Client ID: {{ oidc_app_data.client_id | default('N/A') }}
Redirect URI: {{ oidc_app_data.redirect_uri | default('N/A') }}
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available and oidc_app_data is defined
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
- name: Save OIDC credentials for Nextcloud configuration
set_fact:
nextcloud_oidc_client_id: "{{ oidc_app_data.client_id }}"
nextcloud_oidc_client_secret: "{{ oidc_app_data.client_secret }}"
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available and oidc_app_data is defined and oidc_app_data.status == 'created'
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
no_log: true
- name: Configure OIDC provider in Nextcloud
shell: |
docker exec -u www-data nextcloud php occ user_oidc:provider:add \
--clientid="{{ nextcloud_oidc_client_id }}" \
--clientsecret="{{ nextcloud_oidc_client_secret }}" \
--discoveryuri="https://{{ zitadel_domain }}/.well-known/openid-configuration" \
"Zitadel" || true
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available and nextcloud_oidc_client_id is defined and nextcloud_oidc_client_secret is defined
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
register: oidc_config_result
changed_when: "'Provider Zitadel has been created' in oidc_config_result.stdout"
- name: Display OIDC configuration result
debug:
msg: |
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
✅ Nextcloud OIDC Provider Configuration: {{ 'Success' if oidc_config_result.changed else 'Already configured' }}
Implement fully automated OIDC/SSO provisioning (#4) This commit eliminates all manual configuration steps for OIDC/SSO setup, making the infrastructure fully scalable to dozens or hundreds of servers. ## Automation Overview The deployment now automatically: 1. Authenticates with Zitadel using admin credentials 2. Creates OIDC application via Zitadel Management API 3. Retrieves client ID and secret 4. Configures Nextcloud OIDC provider **Zero manual steps required!** ## New Components ### Zitadel OIDC Automation - `files/get_admin_token.sh`: OAuth2 authentication script - `files/create_oidc_app.py`: Python script for OIDC app creation via API - `tasks/oidc-apps.yml`: Ansible orchestration for full automation ### API Integration - Uses Zitadel Management API v1 - Resource Owner Password Credentials flow for admin auth - Creates OIDC apps with proper security settings: - Authorization Code + Refresh Token grants - JWT access tokens - Role and UserInfo assertions enabled - Proper redirect URI configuration ### Nextcloud Integration - Updated `tasks/oidc.yml` to auto-configure provider - Receives credentials from Zitadel automation - Configures discovery URI automatically - Handles idempotency (skips if already configured) ## Scalability Benefits ### Before (Manual) ``` 1. Deploy infrastructure 2. Login to Zitadel console 3. Create OIDC app manually 4. Copy client ID/secret 5. SSH to server 6. Run occ command with credentials ``` **Time per server: ~10-15 minutes** ### After (Automated) ``` 1. Deploy infrastructure ``` **Time per server: ~0 minutes (fully automated)** ### Impact - 10 servers: Save ~2 hours of manual work - 50 servers: Save ~10 hours of manual work - 100 servers: Save ~20 hours of manual work ## Security - Admin credentials encrypted with SOPS - Access tokens are ephemeral (generated per deployment) - Client secrets never logged (`no_log: true`) - All API calls over HTTPS only - Credentials passed via Ansible facts (memory only) ## Documentation Added comprehensive documentation: - `docs/OIDC_AUTOMATION.md`: Full automation guide - How it works - Technical implementation details - Troubleshooting guide - Security considerations ## Testing The automation is idempotent and handles: - ✅ First-time setup (creates app) - ✅ Subsequent runs (skips if exists) - ✅ Error handling (fails gracefully) - ✅ Credential validation ## Next Steps Users can immediately login via SSO after deployment: 1. Visit https://nextcloud.{client}.vrije.cloud 2. Click "Login with Zitadel" 3. Enter Zitadel credentials 4. Automatically logged into Nextcloud Closes #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:49:16 +01:00
Users can now login to Nextcloud using Zitadel SSO!
Visit: https://nextcloud.{{ client_domain }}
Fix Zitadel deployment by removing FirstInstance variables - Remove all ZITADEL_FIRSTINSTANCE_* environment variables - Fixes migration error: duplicate key constraint violation - Root cause: Bug in Zitadel v2.63.7 FirstInstance migration - Workaround: Complete initial setup via web UI - Upstream issue: https://github.com/zitadel/zitadel/issues/8791 Changes: - Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md) - Add PROJECT_REFERENCE.md for essential configuration info - Add force recreate functionality with clean database volumes - Update bootstrap instructions for web UI setup - Document one-time manual setup requirement for OIDC automation Zitadel now deploys successfully and is accessible at: https://zitadel.test.vrije.cloud 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00
when: jwt_auth_available and oidc_config_result is defined
- name: OIDC automation not available
debug:
msg: |
⚠️ OIDC automation not available - JWT key not found.
This should not happen if FirstInstance completed successfully.
Check Zitadel logs: docker logs zitadel
when: not jwt_auth_available
Reference in a new issue Copy permalink