This commit resolves Docker Hub rate limiting issues on all servers by:
1. Adding Docker Hub authentication support to Diun configuration
2. Making watchRepo configurable (disabled to reduce API calls)
3. Creating automation to deploy changes across all 17 servers
Changes:
- Enhanced diun.yml.j2 template to support:
  - Configurable watchRepo setting (defaults to true for compatibility)
  - Docker Hub authentication via regopts when credentials provided
- Created 260124-configure-diun-watchrepo.yml playbook to:
  - Disable watchRepo (only checks specific tags vs entire repo)
  - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h)
  - Change schedule to weekly (Monday 6am UTC)
- Created configure-diun-all-servers.sh automation script with:
  - Proper SOPS age key file path handling
  - Per-server SSH key management
  - Sequential deployment across all servers
- Fixed Authentik OIDC provider meta_launch_url to use client_domain
Successfully deployed to all 17 servers (bever, das, egel, haas, kikker,
kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

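As an added illustration of the Diun settings the commit above describes (Docker Hub credentials via regopts, a configurable watchRepo, a weekly schedule), the two Jinja2 templates below were written for this edit; they are not the repository's diun.yml.j2, which is not reproduced on the page. The variable names diun_schedule, diun_watch_repo, dockerhub_username, dockerhub_token and diun_images are assumed, as is the choice of Diun's file provider to carry the per-image setting: Diun has no top-level watchRepo key, the equivalent is `watch_repo` on a file-provider image entry or the `diun.watch_repo` label on a container under the docker provider.

```jinja
{# diun.yml.j2 (added example, not the repository's template).
   Assumed Ansible variables: diun_schedule, dockerhub_username,
   dockerhub_token. Credentials are expected to come from a
   SOPS-encrypted vars file; use a read-only Docker Hub access token,
   not the account password. #}
watch:
  workers: 10
  # Weekly check, Monday 06:00 in the container's TZ (UTC here).
  schedule: "{{ diun_schedule | default('0 6 * * 1') }}"
  firstCheckNotif: false

{% if dockerhub_username is defined and dockerhub_token is defined %}
# Only emitted when credentials are set, so servers without a token
# fall back to anonymous pulls instead of failing to start Diun.
regopts:
  - name: "docker.io"
    selector: image
    username: "{{ dockerhub_username }}"
    password: "{{ dockerhub_token }}"
    timeout: 20s
{% endif %}

providers:
  docker:
    watchByDefault: true
  file:
    filename: /etc/diun/images.yml

{# images.yml.j2, rendered for the file provider above.
   Assumed variables: diun_images (list of image references) and
   diun_watch_repo (bool). With watch_repo false, Diun compares only
   the pinned tag, which is what keeps Docker Hub API calls low. #}
{% for image in diun_images %}
- name: "{{ image }}"
  watch_repo: {{ 'true' if (diun_watch_repo | default(true)) else 'false' }}
{% endfor %}
```

A practical check after deployment: `docker logs diun` should show the registry being queried as an authenticated client (no "toomanyrequests" errors), and `diun image list` lets you confirm which images are tracked and whether the whole repository or a single tag is being watched.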
- Add 260124-nextcloud-maintenance.yml playbook for database indices and mimetypes
- Add run-maintenance-all-servers.sh script to run maintenance on all servers
- Update ansible.cfg with IdentitiesOnly SSH option to prevent auth failures
- Remove orphaned SSH keys for deleted servers (black, dev, purple, white, edge)
- Remove obsolete edge-traefik and nat-gateway roles
- Remove old upgrade playbooks and fix-private-network playbook
- Update host_vars for egel, ree, zwaan
- Update diun webhook configuration
Successfully ran maintenance on all 17 active servers:
- Database indices optimized
- Mimetypes updated (145-157 new types on most servers)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

This commit captures the infrastructure state immediately following
the "Post-Tyranny Tech" workshop on January 23rd, 2026.
Infrastructure Status:
- 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos,
haas, wolf, ree, mees, mus, mol, kikker)
- Services: Authentik SSO, Nextcloud, Collabora Office, Traefik
- Private network architecture with edge NAT gateway
- OIDC integration between Authentik and Nextcloud
- Automated recovery flows and invitation system
- Container update monitoring with Diun
- Uptime monitoring with Uptime Kuma
Changes include:
- Multiple new client host configurations
- Network architecture improvements (private IPs + NAT)
- DNS management automation
- Container update notifications
- Email configuration via Mailgun
- SSH key generation for all clients
- Encrypted secrets for all deployments
- Health check and diagnostic scripts
Known Issues to Address:
- Nextcloud version pinned to v30 (should use 'latest' or v32)
- Zitadel references in templates (migrated to Authentik but templates not updated)
- Traefik dynamic config has obsolete static routes
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add new Ansible roles and configuration for the edge proxy and
private network architecture:
## New Roles:
- **edge-traefik**: Edge reverse proxy that routes to private clients
  - Dynamic routing configuration for multiple clients
  - SSL termination at the edge
  - Routes traffic to private IPs (10.0.0.x)
- **nat-gateway**: NAT/gateway configuration for edge server
  - IP forwarding and masquerading
  - Allows private network clients to access internet
  - iptables rules for Docker integration
- **diun**: Docker Image Update Notifier
  - Monitors containers for available updates
  - Email notifications via Mailgun
  - Per-client configuration
- **kuma**: Uptime monitoring integration
  - Registers HTTP monitors for client services
  - Automated monitor creation via API
  - Checks Authentik, Nextcloud, Collabora endpoints
## New Playbooks:
- **setup-edge.yml**: Configure edge server with proxy and NAT
## Configuration:
- **host_vars**: Per-client Ansible configuration (valk, white)
  - SSH bastion configuration for private IPs
  - Client-specific secrets file references
This enables the scalable multi-tenant architecture where:
- Edge server has public IP and routes traffic
- Client servers use private IPs only (cost savings)
- All traffic flows through edge proxy with SSL termination
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>