Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../scripts/rebuild-client.sh

300 lines
9.3 KiB
Bash
Raw Normal View History

feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
#!/usr/bin/env bash
#
# Rebuild a client's infrastructure from scratch
#
# Usage: ./scripts/rebuild-client.sh <client_name>
#
# This script will:
# 1. Destroy existing infrastructure (if exists)
# 2. Provision new VPS server
# 3. Deploy and configure all services
# 4. Configure SSO integration
#
# Result: Fully functional Authentik + Nextcloud with automated SSO
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
# Check arguments
if [ $# -ne 1 ]; then
echo -e "${RED}Error: Client name required${NC}"
echo "Usage: $0 <client_name>"
echo ""
echo "Example: $0 test"
exit 1
fi
CLIENT_NAME="$1"
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
# Check if SSH key exists, generate if missing
SSH_KEY_FILE="$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}"
if [ ! -f "$SSH_KEY_FILE" ]; then
echo -e "${YELLOW}SSH key not found for client: $CLIENT_NAME${NC}"
echo "Generating SSH key pair automatically..."
echo ""
# Generate SSH key
"$SCRIPT_DIR/generate-client-keys.sh" "$CLIENT_NAME"
echo ""
echo -e "${GREEN}✓ SSH key generated${NC}"
echo ""
fi
# Check if secrets file exists, create from template if missing
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
TEMPLATE_FILE="$PROJECT_ROOT/secrets/clients/template.sops.yaml"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
if [ ! -f "$SECRETS_FILE" ]; then
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
echo -e "${YELLOW}Secrets file not found for client: $CLIENT_NAME${NC}"
echo "Creating from template and opening for editing..."
echo ""
# Check if template exists
if [ ! -f "$TEMPLATE_FILE" ]; then
echo -e "${RED}Error: Template file not found: $TEMPLATE_FILE${NC}"
exit 1
fi
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 18:17:15 +01:00
# Copy template and decrypt to temporary file
if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
fi
# Decrypt template to temp file
TEMP_PLAIN=$(mktemp)
sops -d "$TEMPLATE_FILE" > "$TEMP_PLAIN"
# Replace client name placeholders
sed -i '' "s/test/${CLIENT_NAME}/g" "$TEMP_PLAIN"
# Create unencrypted file in correct location (matching .sops.yaml regex)
# This is necessary because SOPS needs the file path to match creation rules
TEMP_SOPS="${SECRETS_FILE%.sops.yaml}-unenc.sops.yaml"
cat "$TEMP_PLAIN" > "$TEMP_SOPS"
# Encrypt in-place (SOPS finds creation rules because path matches regex)
sops --encrypt --in-place "$TEMP_SOPS"
# Rename to final name
mv "$TEMP_SOPS" "$SECRETS_FILE"
# Cleanup
rm "$TEMP_PLAIN"
echo -e "${GREEN}✓ Created secrets file with client-specific domains${NC}"
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
echo ""
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 18:17:15 +01:00
# Open in SOPS for editing passwords
echo -e "${BLUE}Opening secrets file in SOPS for password generation...${NC}"
echo ""
echo -e "${YELLOW}IMPORTANT: Regenerate ALL passwords and tokens!${NC}"
echo ""
echo "Domains have been automatically configured:"
echo " ✓ client_name: $CLIENT_NAME"
echo " ✓ client_domain: ${CLIENT_NAME}.vrije.cloud"
echo " ✓ authentik_domain: auth.${CLIENT_NAME}.vrije.cloud"
echo " ✓ nextcloud_domain: nextcloud.${CLIENT_NAME}.vrije.cloud"
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
echo ""
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 18:17:15 +01:00
echo "You MUST regenerate:"
echo " - All database passwords"
echo " - authentik_secret_key"
echo " - authentik_bootstrap_password"
echo " - authentik_bootstrap_token"
echo " - All other passwords"
feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation **`scripts/deploy-client.sh`**: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation **`scripts/rebuild-client.sh`**: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - **`README.md`** - Updated quick start workflow - **`scripts/README.md`** - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ **Fewer manual steps**: 4 steps → 2 steps ✅ **Less error-prone**: Can't forget to generate SSH key ✅ **Better UX**: Script guides you through setup ✅ **Still flexible**: Can pre-create SSH key/secrets if desired ✅ **Idempotent**: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:04:29 +01:00
echo ""
echo "Press Enter to open editor..."
read -r
# Open in SOPS
sops "$SECRETS_FILE"
echo ""
echo -e "${GREEN}✓ Secrets file configured${NC}"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
echo ""
fi
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 18:17:15 +01:00
# Load Hetzner API token from SOPS if not already set
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
if [ -z "${HCLOUD_TOKEN:-}" ]; then
feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 18:17:15 +01:00
echo -e "${BLUE}Loading Hetzner API token from SOPS...${NC}"
# shellcheck source=scripts/load-secrets-env.sh
source "$SCRIPT_DIR/load-secrets-env.sh"
echo ""
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
fi
if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
echo -e "${YELLOW}Warning: SOPS_AGE_KEY_FILE not set, using default${NC}"
export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
fi
feat: Automate OpenTofu terraform.tfvars management Add automation to streamline client onboarding by managing terraform.tfvars: New Script: - scripts/add-client-to-terraform.sh: Add clients to OpenTofu config - Interactive and non-interactive modes - Configurable server type, location, volume size - Validates client names - Detects existing entries - Shows configuration preview before applying - Clear next-steps guidance Updated Scripts: - scripts/deploy-client.sh: Check for terraform.tfvars entry - Detects missing clients - Prompts to add automatically - Calls add-client-to-terraform.sh if user confirms - Fails gracefully with instructions if declined - scripts/rebuild-client.sh: Validate terraform.tfvars - Ensures client exists before rebuild - Clear error if missing - Directs to deploy-client.sh for new clients Benefits: ✅ Eliminates manual terraform.tfvars editing ✅ Reduces human error in configuration ✅ Consistent client configuration structure ✅ Guided workflow with clear prompts ✅ Validation prevents common mistakes Test Results (blue client): - ✅ SSH key auto-generation (working) - ✅ Secrets template creation (working) - ✅ Terraform.tfvars automation (working) - ⏸️ Full deployment test (in progress) Usage: ```bash # Standalone ./scripts/add-client-to-terraform.sh myclient # With options ./scripts/add-client-to-terraform.sh myclient \ --server-type=cx22 \ --location=fsn1 \ --volume-size=100 # Non-interactive (for scripts) ./scripts/add-client-to-terraform.sh myclient \ --volume-size=50 \ --non-interactive # Integrated (automatic prompt) ./scripts/deploy-client.sh myclient # → Detects missing terraform.tfvars entry # → Offers to add automatically ``` This increases deployment automation from ~60% to ~85%, leaving only security-sensitive steps (secrets editing, infrastructure approval) as manual. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 21:34:05 +01:00
# Check if client exists in terraform.tfvars
TFVARS_FILE="$PROJECT_ROOT/tofu/terraform.tfvars"
if ! grep -q "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE"; then
echo -e "${RED}Error: Client '${CLIENT_NAME}' not found in terraform.tfvars${NC}"
echo ""
echo "Cannot rebuild a client that doesn't exist in OpenTofu configuration."
echo ""
echo "To deploy a new client, use:"
echo " ./scripts/deploy-client.sh $CLIENT_NAME"
exit 1
fi
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
# Start timer
START_TIME=$(date +%s)
echo -e "${BLUE}========================================${NC}"
echo -e "${BLUE}Rebuilding client: $CLIENT_NAME${NC}"
echo -e "${BLUE}========================================${NC}"
echo ""
# Step 1: Check if infrastructure exists and destroy it
feat: Implement client registry system (issue #12) Add comprehensive client registry for tracking all deployed infrastructure: Registry System: - Single source of truth in clients/registry.yml - Tracks status, server specs, versions, maintenance history - Supports canary deployment workflow - Automatic updates via deployment scripts New Scripts: - scripts/list-clients.sh: List/filter clients (table/json/csv/summary) - scripts/client-status.sh: Detailed client info with health checks - scripts/update-registry.sh: Manual registry updates Updated Scripts: - scripts/deploy-client.sh: Auto-updates registry on deploy - scripts/rebuild-client.sh: Auto-updates registry on rebuild - scripts/destroy-client.sh: Marks clients as destroyed Documentation: - docs/client-registry.md: Complete registry reference - clients/README.md: Quick start guide Status tracking: pending → deployed → maintenance → destroyed Role support: canary (dev) and production clients 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:24:53 +01:00
echo -e "${YELLOW}[1/5] Checking existing infrastructure...${NC}"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
cd "$PROJECT_ROOT/tofu"
if tofu state list 2>/dev/null | grep -q "hcloud_server.client\[\"$CLIENT_NAME\"\]"; then
echo -e "${YELLOW}⚠ Existing infrastructure found${NC}"
echo ""
read -p "Destroy existing infrastructure? (yes/no): " destroy_confirm
if [ "$destroy_confirm" = "yes" ]; then
echo "Destroying existing infrastructure..."
"$SCRIPT_DIR/destroy-client.sh" "$CLIENT_NAME"
echo ""
echo -e "${GREEN}✓ Existing infrastructure destroyed${NC}"
echo ""
echo "Waiting 10 seconds for cleanup to complete..."
sleep 10
else
echo -e "${RED}Cannot proceed without destroying existing infrastructure${NC}"
exit 1
fi
else
echo -e "${GREEN}✓ No existing infrastructure found${NC}"
fi
echo ""
# Step 2: Provision infrastructure
feat: Implement client registry system (issue #12) Add comprehensive client registry for tracking all deployed infrastructure: Registry System: - Single source of truth in clients/registry.yml - Tracks status, server specs, versions, maintenance history - Supports canary deployment workflow - Automatic updates via deployment scripts New Scripts: - scripts/list-clients.sh: List/filter clients (table/json/csv/summary) - scripts/client-status.sh: Detailed client info with health checks - scripts/update-registry.sh: Manual registry updates Updated Scripts: - scripts/deploy-client.sh: Auto-updates registry on deploy - scripts/rebuild-client.sh: Auto-updates registry on rebuild - scripts/destroy-client.sh: Marks clients as destroyed Documentation: - docs/client-registry.md: Complete registry reference - clients/README.md: Quick start guide Status tracking: pending → deployed → maintenance → destroyed Role support: canary (dev) and production clients 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:24:53 +01:00
echo -e "${YELLOW}[2/5] Provisioning infrastructure with OpenTofu...${NC}"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
cd "$PROJECT_ROOT/tofu"
# Apply full configuration to create server AND DNS records
tofu apply -auto-approve -var-file="terraform.tfvars"
echo ""
echo -e "${GREEN}✓ Infrastructure provisioned (server + DNS)${NC}"
echo ""
# Wait for server to be ready
echo -e "${YELLOW}Waiting 60 seconds for server to initialize...${NC}"
sleep 60
echo ""
# Step 3: Setup base system
feat: Implement client registry system (issue #12) Add comprehensive client registry for tracking all deployed infrastructure: Registry System: - Single source of truth in clients/registry.yml - Tracks status, server specs, versions, maintenance history - Supports canary deployment workflow - Automatic updates via deployment scripts New Scripts: - scripts/list-clients.sh: List/filter clients (table/json/csv/summary) - scripts/client-status.sh: Detailed client info with health checks - scripts/update-registry.sh: Manual registry updates Updated Scripts: - scripts/deploy-client.sh: Auto-updates registry on deploy - scripts/rebuild-client.sh: Auto-updates registry on rebuild - scripts/destroy-client.sh: Marks clients as destroyed Documentation: - docs/client-registry.md: Complete registry reference - clients/README.md: Quick start guide Status tracking: pending → deployed → maintenance → destroyed Role support: canary (dev) and production clients 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:24:53 +01:00
echo -e "${YELLOW}[3/5] Setting up base system (Docker, Traefik)...${NC}"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
cd "$PROJECT_ROOT/ansible"
~/.local/bin/ansible-playbook -i hcloud.yml playbooks/setup.yml --limit "$CLIENT_NAME"
echo ""
echo -e "${GREEN}✓ Base system configured${NC}"
echo ""
# Step 4: Deploy applications
feat: Implement client registry system (issue #12) Add comprehensive client registry for tracking all deployed infrastructure: Registry System: - Single source of truth in clients/registry.yml - Tracks status, server specs, versions, maintenance history - Supports canary deployment workflow - Automatic updates via deployment scripts New Scripts: - scripts/list-clients.sh: List/filter clients (table/json/csv/summary) - scripts/client-status.sh: Detailed client info with health checks - scripts/update-registry.sh: Manual registry updates Updated Scripts: - scripts/deploy-client.sh: Auto-updates registry on deploy - scripts/rebuild-client.sh: Auto-updates registry on rebuild - scripts/destroy-client.sh: Marks clients as destroyed Documentation: - docs/client-registry.md: Complete registry reference - clients/README.md: Quick start guide Status tracking: pending → deployed → maintenance → destroyed Role support: canary (dev) and production clients 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:24:53 +01:00
echo -e "${YELLOW}[4/5] Deploying applications (Authentik, Nextcloud, SSO)...${NC}"
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME"
echo ""
echo -e "${GREEN}✓ Applications deployed${NC}"
echo ""
feat: Implement client registry system (issue #12) Add comprehensive client registry for tracking all deployed infrastructure: Registry System: - Single source of truth in clients/registry.yml - Tracks status, server specs, versions, maintenance history - Supports canary deployment workflow - Automatic updates via deployment scripts New Scripts: - scripts/list-clients.sh: List/filter clients (table/json/csv/summary) - scripts/client-status.sh: Detailed client info with health checks - scripts/update-registry.sh: Manual registry updates Updated Scripts: - scripts/deploy-client.sh: Auto-updates registry on deploy - scripts/rebuild-client.sh: Auto-updates registry on rebuild - scripts/destroy-client.sh: Marks clients as destroyed Documentation: - docs/client-registry.md: Complete registry reference - clients/README.md: Quick start guide Status tracking: pending → deployed → maintenance → destroyed Role support: canary (dev) and production clients 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:24:53 +01:00
# Step 5: Update client registry
echo -e "${YELLOW}[5/5] Updating client registry...${NC}"
cd "$PROJECT_ROOT/tofu"
# Get server information from Terraform state
SERVER_IP=$(tofu output -json client_ips 2>/dev/null | jq -r ".\"$CLIENT_NAME\"" || echo "")
SERVER_ID=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*id[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
SERVER_TYPE=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*server_type[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
SERVER_LOCATION=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*location[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
# Determine role (dev is canary, everything else is production by default)
ROLE="production"
if [ "$CLIENT_NAME" = "dev" ]; then
ROLE="canary"
fi
# Update registry
"$SCRIPT_DIR/update-registry.sh" "$CLIENT_NAME" deploy \
--role="$ROLE" \
--server-ip="$SERVER_IP" \
--server-id="$SERVER_ID" \
--server-type="$SERVER_TYPE" \
--server-location="$SERVER_LOCATION"
echo ""
echo -e "${GREEN}✓ Registry updated${NC}"
echo ""
feat: Add version tracking and maintenance monitoring (issue #15) Complete implementation of automatic version tracking and drift detection: New Scripts: - scripts/collect-client-versions.sh: Query deployed versions from Docker - Connects via Ansible to running servers - Extracts versions from container images - Updates registry automatically - scripts/check-client-versions.sh: Compare versions across clients - Multiple formats: table (colorized), CSV, JSON - Filter by outdated versions - Highlights drift with color coding - scripts/detect-version-drift.sh: Identify version differences - Detects clients with outdated versions - Threshold-based staleness detection (default 30 days) - Actionable recommendations - Exit code 1 if drift detected (CI/monitoring friendly) Updated Scripts: - scripts/deploy-client.sh: Auto-collect versions after deployment - scripts/rebuild-client.sh: Auto-collect versions after rebuild Documentation: - docs/maintenance-tracking.md: Complete maintenance guide - Version management workflows - Security update procedures - Monitoring integration examples - Troubleshooting guide Features: ✅ Automatic version collection from deployed servers ✅ Multi-client version comparison reports ✅ Version drift detection with recommendations ✅ Integration with deployment workflows ✅ Export to CSV/JSON for external tools ✅ Canary-first update workflow support Usage Examples: ```bash # Collect versions ./scripts/collect-client-versions.sh dev # Compare all clients ./scripts/check-client-versions.sh # Detect drift ./scripts/detect-version-drift.sh # Export for monitoring ./scripts/check-client-versions.sh --format=json ``` Closes #15 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 20:53:15 +01:00
# Collect deployed versions
echo -e "${YELLOW}Collecting deployed versions...${NC}"
"$SCRIPT_DIR/collect-client-versions.sh" "$CLIENT_NAME" 2>/dev/null || {
echo -e "${YELLOW}⚠ Could not collect versions automatically${NC}"
echo "Run manually later: ./scripts/collect-client-versions.sh $CLIENT_NAME"
}
echo ""
feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00
# Calculate duration
END_TIME=$(date +%s)
DURATION=$((END_TIME - START_TIME))
MINUTES=$((DURATION / 60))
SECONDS=$((DURATION % 60))
# Success summary
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN}✓ Rebuild complete!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo -e "${BLUE}Time taken: ${MINUTES}m ${SECONDS}s${NC}"
echo ""
echo "Services deployed:"
# Load client domain from secrets
CLIENT_DOMAIN=$(sops -d "$SECRETS_FILE" | grep "^client_domain:" | awk '{print $2}')
AUTHENTIK_DOMAIN=$(sops -d "$SECRETS_FILE" | grep "^authentik_domain:" | awk '{print $2}')
NEXTCLOUD_DOMAIN=$(sops -d "$SECRETS_FILE" | grep "^nextcloud_domain:" | awk '{print $2}')
echo " ✓ Authentik SSO: https://$AUTHENTIK_DOMAIN"
echo " ✓ Nextcloud: https://$NEXTCLOUD_DOMAIN"
echo ""
echo "Admin credentials:"
echo " Authentik: akadmin / (see secrets file)"
echo " Nextcloud: admin / (see secrets file)"
echo ""
echo -e "${GREEN}Ready to use! No manual configuration required.${NC}"
echo ""
echo "To view secrets:"
echo " sops $SECRETS_FILE"
echo ""
echo "To destroy this client:"
echo " ./scripts/destroy-client.sh $CLIENT_NAME"
echo ""
Reference in a new issue Copy permalink