Post-Tyranny-Tech-Infrastru.../scripts/README.md

# Management Scripts

Automated scripts for managing client infrastructure.

## Prerequisites

Set required environment variables:

```bash
export HCLOUD_TOKEN="your-hetzner-cloud-api-token"
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
```

## Scripts

### 1. Deploy Fresh Client

**Purpose**: Deploy a brand new client from scratch

**Usage**:
```bash
./scripts/deploy-client.sh <client_name>
```

**What it does**:
1. Provisions VPS server (if not exists)
2. Sets up base system (Docker, Traefik)
3. Deploys Authentik + Nextcloud
4. Configures SSO integration automatically

**Time**: ~10-15 minutes

**Example**:
```bash
./scripts/deploy-client.sh test
```

**Requirements**:
- Secrets file must exist: `secrets/clients/<client_name>.sops.yaml`
- Client must be defined in `tofu/terraform.tfvars`

---

### 2. Rebuild Client

**Purpose**: Destroy and recreate a client's infrastructure from scratch

**Usage**:
```bash
./scripts/rebuild-client.sh <client_name>
```

**What it does**:
1. Destroys existing infrastructure (asks for confirmation)
2. Provisions new VPS server
3. Sets up base system
4. Deploys applications
5. Configures SSO

**Time**: ~10-15 minutes

**Example**:
```bash
./scripts/rebuild-client.sh test
```

**Warning**: This is **destructive** - all data on the server will be lost!

---

### 3. Destroy Client

**Purpose**: Completely remove a client's infrastructure

**Usage**:
```bash
./scripts/destroy-client.sh <client_name>
```

**What it does**:
1. Stops and removes all Docker containers
2. Removes all Docker volumes
3. Destroys VPS server via OpenTofu
4. Removes DNS records

**Time**: ~2-3 minutes

**Example**:
```bash
./scripts/destroy-client.sh test
```

**Warning**: This is **destructive and irreversible**! All data will be lost.

**Note**: Secrets file is preserved after destruction.

---

## Workflow Examples

### Deploy a New Client

```bash
# 1. Create secrets file
cp secrets/clients/test.sops.yaml secrets/clients/newclient.sops.yaml
sops secrets/clients/newclient.sops.yaml
# Edit: client_name, domains, regenerate passwords

# 2. Add to terraform.tfvars
vim tofu/terraform.tfvars
# Add client definition

# 3. Deploy
./scripts/deploy-client.sh newclient
```

### Test Changes (Rebuild)

```bash
# Make changes to Ansible roles/playbooks

# Test by rebuilding
./scripts/rebuild-client.sh test

# Verify changes worked
```

### Clean Up

```bash
# Remove test infrastructure
./scripts/destroy-client.sh test
```

## Script Output

All scripts provide:
- ✓ Colored output (green = success, yellow = warning, red = error)
- Progress indicators for each step
- Total time taken
- Service URLs and credentials
- Next steps guidance

## Error Handling

Scripts will exit if:
- Required environment variables not set
- Secrets file doesn't exist
- Confirmation not provided (for destructive operations)
- Any command fails (set -e)

## Safety Features

### Destroy Script
- Requires typing client name to confirm
- Shows what will be deleted
- Preserves secrets file

### Rebuild Script
- Asks for confirmation before destroying
- 10-second delay after destroy before rebuilding
- Shows existing infrastructure before proceeding

### Deploy Script
- Checks for existing infrastructure
- Skips provisioning if server exists
- Validates secrets file exists

## Integration with CI/CD

These scripts can be used in automation:

```bash
# Non-interactive deployment
export HCLOUD_TOKEN="..."
export SOPS_AGE_KEY_FILE="..."

./scripts/deploy-client.sh production
```

For rebuild (skip confirmation):
```bash
# Modify rebuild-client.sh to accept --yes flag
./scripts/rebuild-client.sh production --yes
```

## Troubleshooting

### Script fails with "HCLOUD_TOKEN not set"

```bash
export HCLOUD_TOKEN="your-token-here"
```

### Script fails with "Secrets file not found"

Create the secrets file:
```bash
cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml
sops secrets/clients/<client>.sops.yaml
```

### Server not reachable during destroy

This is normal if server is already destroyed. The script will skip Docker cleanup and proceed to OpenTofu destroy.

### OpenTofu state conflicts

If multiple people are managing infrastructure:
```bash
cd tofu
tofu state pull
tofu state push
```

Consider using remote state (S3, Terraform Cloud, etc.)

## Performance

Typical timings:

| Operation | Time |
|-----------|------|
| Deploy fresh | 10-15 min |
| Rebuild | 10-15 min |
| Destroy | 2-3 min |

Breakdown:
- Infrastructure provisioning: 2 min
- Server initialization: 1 min
- Base system setup: 3 min
- Application deployment: 5-7 min

## See Also

- [AUTOMATION_STATUS.md](../docs/AUTOMATION_STATUS.md) - Full automation details
- [sso-automation.md](../docs/sso-automation.md) - SSO integration workflow
- [architecture-decisions.md](../docs/architecture-decisions.md) - Design decisions
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-08 16:56:19 +01:00			`# Management Scripts`

			`Automated scripts for managing client infrastructure.`

			`## Prerequisites`

			`Set required environment variables:`

			```bash
			`export HCLOUD_TOKEN="your-hetzner-cloud-api-token"`
			`export SOPS_AGE_KEY_FILE="./keys/age-key.txt"`
			```

			`## Scripts`

			`### 1. Deploy Fresh Client`

			`Purpose: Deploy a brand new client from scratch`

			`Usage:`
			```bash
			`./scripts/deploy-client.sh <client_name>`
			```

			`What it does:`
			`1. Provisions VPS server (if not exists)`
			`2. Sets up base system (Docker, Traefik)`
			`3. Deploys Authentik + Nextcloud`
			`4. Configures SSO integration automatically`

			`Time: ~10-15 minutes`

			`Example:`
			```bash
			`./scripts/deploy-client.sh test`
			```

			`Requirements:`
			- Secrets file must exist: `secrets/clients/<client_name>.sops.yaml`
			- Client must be defined in `tofu/terraform.tfvars`

			`---`

			`### 2. Rebuild Client`

			`Purpose: Destroy and recreate a client's infrastructure from scratch`

			`Usage:`
			```bash
			`./scripts/rebuild-client.sh <client_name>`
			```

			`What it does:`
			`1. Destroys existing infrastructure (asks for confirmation)`
			`2. Provisions new VPS server`
			`3. Sets up base system`
			`4. Deploys applications`
			`5. Configures SSO`

			`Time: ~10-15 minutes`

			`Example:`
			```bash
			`./scripts/rebuild-client.sh test`
			```

			`Warning: This is destructive - all data on the server will be lost!`

			`---`

			`### 3. Destroy Client`

			`Purpose: Completely remove a client's infrastructure`

			`Usage:`
			```bash
			`./scripts/destroy-client.sh <client_name>`
			```

			`What it does:`
			`1. Stops and removes all Docker containers`
			`2. Removes all Docker volumes`
			`3. Destroys VPS server via OpenTofu`
			`4. Removes DNS records`

			`Time: ~2-3 minutes`

			`Example:`
			```bash
			`./scripts/destroy-client.sh test`
			```

			`Warning: This is destructive and irreversible! All data will be lost.`

			`Note: Secrets file is preserved after destruction.`

			`---`

			`## Workflow Examples`

			`### Deploy a New Client`

			```bash
			`# 1. Create secrets file`
			`cp secrets/clients/test.sops.yaml secrets/clients/newclient.sops.yaml`
			`sops secrets/clients/newclient.sops.yaml`
			`# Edit: client_name, domains, regenerate passwords`

			`# 2. Add to terraform.tfvars`
			`vim tofu/terraform.tfvars`
			`# Add client definition`

			`# 3. Deploy`
			`./scripts/deploy-client.sh newclient`
			```

			`### Test Changes (Rebuild)`

			```bash
			`# Make changes to Ansible roles/playbooks`

			`# Test by rebuilding`
			`./scripts/rebuild-client.sh test`

			`# Verify changes worked`
			```

			`### Clean Up`

			```bash
			`# Remove test infrastructure`
			`./scripts/destroy-client.sh test`
			```

			`## Script Output`

			`All scripts provide:`
			`- ✓ Colored output (green = success, yellow = warning, red = error)`
			`- Progress indicators for each step`
			`- Total time taken`
			`- Service URLs and credentials`
			`- Next steps guidance`

			`## Error Handling`

			`Scripts will exit if:`
			`- Required environment variables not set`
			`- Secrets file doesn't exist`
			`- Confirmation not provided (for destructive operations)`
			`- Any command fails (set -e)`

			`## Safety Features`

			`### Destroy Script`
			`- Requires typing client name to confirm`
			`- Shows what will be deleted`
			`- Preserves secrets file`

			`### Rebuild Script`
			`- Asks for confirmation before destroying`
			`- 10-second delay after destroy before rebuilding`
			`- Shows existing infrastructure before proceeding`

			`### Deploy Script`
			`- Checks for existing infrastructure`
			`- Skips provisioning if server exists`
			`- Validates secrets file exists`

			`## Integration with CI/CD`

			`These scripts can be used in automation:`

			```bash
			`# Non-interactive deployment`
			`export HCLOUD_TOKEN="..."`
			`export SOPS_AGE_KEY_FILE="..."`

			`./scripts/deploy-client.sh production`
			```

			`For rebuild (skip confirmation):`
			```bash
			`# Modify rebuild-client.sh to accept --yes flag`
			`./scripts/rebuild-client.sh production --yes`
			```

			`## Troubleshooting`

			`### Script fails with "HCLOUD_TOKEN not set"`

			```bash
			`export HCLOUD_TOKEN="your-token-here"`
			```

			`### Script fails with "Secrets file not found"`

			`Create the secrets file:`
			```bash
			`cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml`
			`sops secrets/clients/<client>.sops.yaml`
			```

			`### Server not reachable during destroy`

			`This is normal if server is already destroyed. The script will skip Docker cleanup and proceed to OpenTofu destroy.`

			`### OpenTofu state conflicts`

			`If multiple people are managing infrastructure:`
			```bash
			`cd tofu`
			`tofu state pull`
			`tofu state push`
			```

			`Consider using remote state (S3, Terraform Cloud, etc.)`

			`## Performance`

			`Typical timings:`

			`\| Operation \| Time \|`
			`\|-----------\|------\|`
			`\| Deploy fresh \| 10-15 min \|`
			`\| Rebuild \| 10-15 min \|`
			`\| Destroy \| 2-3 min \|`

			`Breakdown:`
			`- Infrastructure provisioning: 2 min`
			`- Server initialization: 1 min`
			`- Base system setup: 3 min`
			`- Application deployment: 5-7 min`

			`## See Also`

			`- [AUTOMATION_STATUS.md](../docs/AUTOMATION_STATUS.md) - Full automation details`
			`- [sso-automation.md](../docs/sso-automation.md) - SSO integration workflow`
			`- [architecture-decisions.md](../docs/architecture-decisions.md) - Design decisions`