Post-Tyranny-Tech-Infrastru.../tofu/user-data-private.yml

#cloud-config
package_update: true
package_upgrade: true
packages:
  - curl
  - wget
  - git
  - python3
  - python3-pip
runcmd:
  - hostnamectl set-hostname ${hostname}
  - |
    # Configure default route for private-only server
    # Hetzner network route forwards traffic to edge gateway (10.0.0.2)
    # Enable DHCP to get IP from Hetzner Cloud private network
    cat > /etc/netplan/60-private-network.yaml <<'NETPLAN'
    network:
      version: 2
      ethernets:
        enp7s0:
          dhcp4: true
          dhcp4-overrides:
            use-routes: false
          routes:
            - to: default
              via: 10.0.0.1
    NETPLAN
    chmod 600 /etc/netplan/60-private-network.yaml
    netplan apply
feat: Add private network architecture with NAT gateway Enable deployment of client servers without public IPs using private network (10.0.0.0/16) with NAT gateway via edge server. ## Infrastructure Changes: ### Terraform (tofu/): - network.tf: Define private network and subnet (10.0.0.0/24) - NAT gateway route through edge server - Firewall rules for client servers - main.tf: Support private-only servers - Optional public_ip_enabled flag per client - Dynamic network block for private IP assignment - User-data templates for public vs private servers - *user-data-.yml: Cloud-init templates - Private servers: Configure default route via NAT gateway - Public servers: Standard configuration - dns.tf: Update DNS to support edge routing - Client domains point to edge server IP - Wildcard DNS for subdomains - variables.tf: Add private_ip and public_ip_enabled options ### Ansible: - deploy.yml**: Add diun and kuma roles to deployment ## Benefits: - Cost savings: No public IP needed for each client - Scalability: No public IP exhaustion limits - Security: Clients not directly exposed to internet - Centralized SSL: All TLS termination at edge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:06:19 +01:00			`#cloud-config`
			`package_update: true`
			`package_upgrade: true`
			`packages:`
			`- curl`
			`- wget`
			`- git`
			`- python3`
			`- python3-pip`
			`runcmd:`
			`- hostnamectl set-hostname ${hostname}`
			`- \|`
			`# Configure default route for private-only server`
			`# Hetzner network route forwards traffic to edge gateway (10.0.0.2)`
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-23 20:36:31 +01:00			`# Enable DHCP to get IP from Hetzner Cloud private network`
feat: Add private network architecture with NAT gateway Enable deployment of client servers without public IPs using private network (10.0.0.0/16) with NAT gateway via edge server. ## Infrastructure Changes: ### Terraform (tofu/): - network.tf: Define private network and subnet (10.0.0.0/24) - NAT gateway route through edge server - Firewall rules for client servers - main.tf: Support private-only servers - Optional public_ip_enabled flag per client - Dynamic network block for private IP assignment - User-data templates for public vs private servers - *user-data-.yml: Cloud-init templates - Private servers: Configure default route via NAT gateway - Public servers: Standard configuration - dns.tf: Update DNS to support edge routing - Client domains point to edge server IP - Wildcard DNS for subdomains - variables.tf: Add private_ip and public_ip_enabled options ### Ansible: - deploy.yml**: Add diun and kuma roles to deployment ## Benefits: - Cost savings: No public IP needed for each client - Scalability: No public IP exhaustion limits - Security: Clients not directly exposed to internet - Centralized SSL: All TLS termination at edge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:06:19 +01:00			`cat > /etc/netplan/60-private-network.yaml <<'NETPLAN'`
			`network:`
			`version: 2`
			`ethernets:`
			`enp7s0:`
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-23 20:36:31 +01:00			`dhcp4: true`
			`dhcp4-overrides:`
			`use-routes: false`
feat: Add private network architecture with NAT gateway Enable deployment of client servers without public IPs using private network (10.0.0.0/16) with NAT gateway via edge server. ## Infrastructure Changes: ### Terraform (tofu/): - network.tf: Define private network and subnet (10.0.0.0/24) - NAT gateway route through edge server - Firewall rules for client servers - main.tf: Support private-only servers - Optional public_ip_enabled flag per client - Dynamic network block for private IP assignment - User-data templates for public vs private servers - *user-data-.yml: Cloud-init templates - Private servers: Configure default route via NAT gateway - Public servers: Standard configuration - dns.tf: Update DNS to support edge routing - Client domains point to edge server IP - Wildcard DNS for subdomains - variables.tf: Add private_ip and public_ip_enabled options ### Ansible: - deploy.yml**: Add diun and kuma roles to deployment ## Benefits: - Cost savings: No public IP needed for each client - Scalability: No public IP exhaustion limits - Security: Clients not directly exposed to internet - Centralized SSL: All TLS termination at edge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:06:19 +01:00			`routes:`
			`- to: default`
			`via: 10.0.0.1`
			`NETPLAN`
			`chmod 600 /etc/netplan/60-private-network.yaml`
			`netplan apply`