Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/edge-traefik/templates/dynamic.yml.j2

560 lines
12 KiB
Text
Raw Normal View History

feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - **edge-traefik**: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - **nat-gateway**: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - **diun**: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - **kuma**: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - **setup-edge.yml**: Configure edge server with proxy and NAT ## Configuration: - **host_vars**: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00
# Edge Traefik Dynamic Configuration
# Managed by Ansible - do not edit manually
# Routes traffic to backend servers on private network
http:
# Routers for white client
routers:
white-auth:
rule: "Host(`auth.white.vrije.cloud`)"
service: white-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-nextcloud:
rule: "Host(`nextcloud.white.vrije.cloud`)"
service: white-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
white-collabora:
rule: "Host(`office.white.vrije.cloud`)"
service: white-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-auth:
rule: "Host(`auth.valk.vrije.cloud`)"
service: valk-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-nextcloud:
rule: "Host(`nextcloud.valk.vrije.cloud`)"
service: valk-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
valk-collabora:
rule: "Host(`office.valk.vrije.cloud`)"
service: valk-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-23 20:36:31 +01:00
zwaan-auth:
rule: "Host(`auth.zwaan.vrije.cloud`)"
service: zwaan-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
zwaan-nextcloud:
rule: "Host(`nextcloud.zwaan.vrije.cloud`)"
service: zwaan-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
zwaan-collabora:
rule: "Host(`office.zwaan.vrije.cloud`)"
service: zwaan-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-auth:
rule: "Host(`auth.specht.vrije.cloud`)"
service: specht-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-nextcloud:
rule: "Host(`nextcloud.specht.vrije.cloud`)"
service: specht-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
specht-collabora:
rule: "Host(`office.specht.vrije.cloud`)"
service: specht-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-auth:
rule: "Host(`auth.das.vrije.cloud`)"
service: das-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-nextcloud:
rule: "Host(`nextcloud.das.vrije.cloud`)"
service: das-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
das-collabora:
rule: "Host(`office.das.vrije.cloud`)"
service: das-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-auth:
rule: "Host(`auth.uil.vrije.cloud`)"
service: uil-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-nextcloud:
rule: "Host(`nextcloud.uil.vrije.cloud`)"
service: uil-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
uil-collabora:
rule: "Host(`office.uil.vrije.cloud`)"
service: uil-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-auth:
rule: "Host(`auth.vos.vrije.cloud`)"
service: vos-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-nextcloud:
rule: "Host(`nextcloud.vos.vrije.cloud`)"
service: vos-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
vos-collabora:
rule: "Host(`office.vos.vrije.cloud`)"
service: vos-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-auth:
rule: "Host(`auth.haas.vrije.cloud`)"
service: haas-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-nextcloud:
rule: "Host(`nextcloud.haas.vrije.cloud`)"
service: haas-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
haas-collabora:
rule: "Host(`office.haas.vrije.cloud`)"
service: haas-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-auth:
rule: "Host(`auth.wolf.vrije.cloud`)"
service: wolf-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-nextcloud:
rule: "Host(`nextcloud.wolf.vrije.cloud`)"
service: wolf-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
wolf-collabora:
rule: "Host(`office.wolf.vrije.cloud`)"
service: wolf-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-auth:
rule: "Host(`auth.ree.vrije.cloud`)"
service: ree-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-nextcloud:
rule: "Host(`nextcloud.ree.vrije.cloud`)"
service: ree-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
ree-collabora:
rule: "Host(`office.ree.vrije.cloud`)"
service: ree-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-auth:
rule: "Host(`auth.mees.vrije.cloud`)"
service: mees-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-nextcloud:
rule: "Host(`nextcloud.mees.vrije.cloud`)"
service: mees-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mees-collabora:
rule: "Host(`office.mees.vrije.cloud`)"
service: mees-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-auth:
rule: "Host(`auth.mus.vrije.cloud`)"
service: mus-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-nextcloud:
rule: "Host(`nextcloud.mus.vrije.cloud`)"
service: mus-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mus-collabora:
rule: "Host(`office.mus.vrije.cloud`)"
service: mus-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-auth:
rule: "Host(`auth.mol.vrije.cloud`)"
service: mol-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-nextcloud:
rule: "Host(`nextcloud.mol.vrije.cloud`)"
service: mol-nextcloud
entryPoints:
- websecure
tls:
certResolver: letsencrypt
mol-collabora:
rule: "Host(`office.mol.vrije.cloud`)"
service: mol-collabora
entryPoints:
- websecure
tls:
certResolver: letsencrypt
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - **edge-traefik**: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - **nat-gateway**: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - **diun**: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - **kuma**: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - **setup-edge.yml**: Configure edge server with proxy and NAT ## Configuration: - **host_vars**: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00
# Services (backend servers)
services:
white-auth:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
white-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.40:443"
serversTransport: insecureTransport
valk-auth:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
valk-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.41:443"
serversTransport: insecureTransport
chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-23 20:36:31 +01:00
zwaan-auth:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
zwaan-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
zwaan-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.42:443"
serversTransport: insecureTransport
specht-auth:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
specht-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
specht-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.43:443"
serversTransport: insecureTransport
das-auth:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
das-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
das-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.44:443"
serversTransport: insecureTransport
uil-auth:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
uil-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
uil-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.45:443"
serversTransport: insecureTransport
vos-auth:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
vos-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
vos-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.46:443"
serversTransport: insecureTransport
haas-auth:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
haas-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
haas-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.47:443"
serversTransport: insecureTransport
wolf-auth:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
wolf-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
wolf-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.48:443"
serversTransport: insecureTransport
ree-auth:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
ree-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
ree-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.49:443"
serversTransport: insecureTransport
mees-auth:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mees-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mees-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.50:443"
serversTransport: insecureTransport
mus-auth:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mus-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mus-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.51:443"
serversTransport: insecureTransport
mol-auth:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
mol-nextcloud:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
mol-collabora:
loadBalancer:
servers:
- url: "https://10.0.0.53:443"
serversTransport: insecureTransport
feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - **edge-traefik**: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - **nat-gateway**: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - **diun**: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - **kuma**: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - **setup-edge.yml**: Configure edge server with proxy and NAT ## Configuration: - **host_vars**: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00
# Server transport (allow self-signed certs from backends)
serversTransports:
insecureTransport:
insecureSkipVerify: true
Reference in a new issue Copy permalink