docs: Remove Zitadel references and update documentation

- Replace all Zitadel references with Authentik in README files
- Update example configurations to use authentik instead of zitadel
- Remove reference to deleted PROJECT_REFERENCE.md
- Update clients/README.md to reflect actual available scripts
- Update secrets documentation with correct variable names

All documentation now accurately reflects current infrastructure
using Authentik as the identity provider.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

README.md

@@ -144,7 +144,6 @@ See [scripts/README.md](scripts/README.md) for detailed documentation.
 
 ## 📖 Documentation
 
-- **[PROJECT_REFERENCE.md](PROJECT_REFERENCE.md)** - Essential information and common operations
 - **[scripts/README.md](scripts/README.md)** - Management scripts documentation
 - **[AUTOMATION_STATUS.md](docs/AUTOMATION_STATUS.md)** - Full automation details
 - [Architecture Decision Record](docs/architecture-decisions.md) - Complete design rationale

ansible/README.md

@@ -84,7 +84,7 @@ ansible/
 │   ├── common/              # Base system hardening
 │   ├── docker/              # Docker + Docker Compose
 │   ├── traefik/             # Reverse proxy
-│   ├── zitadel/             # Identity provider
+│   ├── authentik/           # Identity provider (OAuth2/OIDC SSO)
 │   ├── nextcloud/           # File sync/share
 │   └── backup/              # Restic backup
 └── group_vars/              # Group variables
@@ -120,8 +120,8 @@ Reverse proxy with automatic SSL:
 - HTTP to HTTPS redirection
 - Dashboard (optional)
 
-### zitadel
+### authentik
-Identity provider deployment (see Zitadel Agent for details)
+Identity provider deployment (OAuth2/OIDC SSO)
 
 ### nextcloud
 File sync/share deployment (see Nextcloud Agent for details)
@@ -273,10 +273,9 @@ ansible-playbook playbooks/setup.yml -vvv  # Very verbose
 ## Next Steps
 
 After initial setup:
-1. Deploy Zitadel: Follow Zitadel Agent instructions
+1. Deploy applications: Run `playbooks/deploy.yml` to deploy Authentik and Nextcloud
-2. Deploy Nextcloud: Follow Nextcloud Agent instructions
+2. Configure backups: Use `backup` role
-3. Configure backups: Use `backup` role
+3. Set up monitoring: Configure Uptime Kuma
-4. Set up monitoring: Configure Uptime Kuma
 
 ## Resources
 

clients/README.md

@@ -17,21 +17,13 @@ All scripts are located in [`../scripts/`](../scripts/):
 
 ### View Clients
 
+View the registry directly:
 ```bash
-# List all clients
+# View full registry
-../scripts/list-clients.sh
+cat registry.yml
 
-# Filter by status
+# View specific client (requires yq)
-../scripts/list-clients.sh --status=deployed
+yq eval '.clients.dev' registry.yml
-
-# Filter by role
-../scripts/list-clients.sh --role=canary
-
-# Different formats
-../scripts/list-clients.sh --format=table    # Default
-../scripts/list-clients.sh --format=json     # JSON
-../scripts/list-clients.sh --format=csv      # CSV export
-../scripts/list-clients.sh --format=summary  # Statistics
 ```
 
 ### View Client Details
@@ -48,10 +40,7 @@ The registry is **automatically updated** by deployment scripts:
 - `rebuild-client.sh` - Updates entry on rebuild
 - `destroy-client.sh` - Marks as destroyed
 
-For manual updates:
+For manual updates, edit `registry.yml` directly.
-```bash
-../scripts/update-registry.sh <client_name> <action> [options]
-```
 
 ## Registry Structure
 
@@ -76,20 +65,17 @@ The `dev` client has role `canary` and is used for testing:
 # 2. Verify it works
 ../scripts/client-status.sh dev
 
-# 3. Roll out to production
+# 3. Roll out to production clients manually
-for client in $(../scripts/list-clients.sh --role=production --format=csv | tail -n +2 | cut -d, -f1); do
+# Review registry.yml for production clients, then rebuild each one
-    ../scripts/rebuild-client.sh "$client"
-done
 ```
 
-## Documentation
+## Registry Structure Details
 
-See [docs/client-registry.md](../docs/client-registry.md) for:
+The `registry.yml` file uses YAML format with the following structure:
-- Complete registry structure reference
+- Complete registry structure reference in the file itself
-- Management script usage
+- Client lifecycle states and metadata
-- Best practices
+- Server specifications and IP addresses
-- Integration examples
+- Deployment timestamps and version tracking
-- Troubleshooting guide
 
 ## Requirements
 

secrets/README.md

@@ -104,7 +104,7 @@ openssl rand -base64 32
 # Random 24-character password
 openssl rand -base64 24
 
-# Zitadel masterkey (32-byte hex)
+# Random hex string (32-byte, 64 characters)
 openssl rand -hex 32
 ```
 
@@ -121,7 +121,7 @@ Ansible automatically decrypts SOPS files using the `community.sops` collection.
 
 - name: Use decrypted secret
   debug:
-    msg: "DB Password: {{ client_secrets.zitadel_db_password }}"
+    msg: "DB Password: {{ client_secrets.authentik_db_password }}"
 ```
 
 **Environment variable required:**
@@ -141,9 +141,9 @@ Contains secrets shared across all infrastructure:
 ### clients/*.sops.yaml
 
 Per-client secrets:
-- Database passwords (Zitadel, Nextcloud)
+- Database passwords (Authentik, Nextcloud)
 - Admin passwords
-- Zitadel masterkey
+- Secret keys and tokens
 - Restic repository password
 - OIDC credentials (after generation)
 

tofu/README.md

@@ -67,7 +67,7 @@ clients = {
     server_type = "cx22"        # 2 vCPU, 4 GB RAM - €6.25/month
     location    = "fsn1"        # Falkenstein, Germany
     subdomain   = "test"        # Will create test.your-domain.com
-    apps        = ["zitadel", "nextcloud"]
+    apps        = ["authentik", "nextcloud"]
   }
 }
 
@@ -152,7 +152,7 @@ clients = {
     server_type = "cx22"
     location    = "fsn1"
     subdomain   = "newclient"
-    apps        = ["zitadel", "nextcloud"]
+    apps        = ["authentik", "nextcloud"]
   }
 }
 ```