Post-Tyranny-Tech-Infrastructure

Post-X-Society/Post-Tyranny-Tech-Infrastructure

Fork 0

Commit graph

Author	SHA1	Message	Date
Pieter	071ed083f7	feat: Implement per-client SSH key isolation Resolves #14 Each client now gets a dedicated SSH key pair, ensuring that compromise of one client server does not grant access to other client servers. ## Changes ### Infrastructure (OpenTofu) - Replace shared `hcloud_ssh_key.default` with per-client `hcloud_ssh_key.client` - Each client key read from `keys/ssh/<client_name>.pub` - Server recreated with new key (dev server only, acceptable downtime) ### Key Management - Created `keys/ssh/` directory for SSH keys - Added `.gitignore` to protect private keys from git - Generated ED25519 key pair for dev client - Private key gitignored, public key committed ### Scripts - `scripts/generate-client-keys.sh` - Generate SSH key pairs for clients - Updated `scripts/deploy-client.sh` to check for client SSH key ### Documentation - `docs/ssh-key-management.md` - Complete SSH key management guide - `keys/ssh/README.md` - Quick reference for SSH keys directory ### Configuration - Removed `ssh_public_key` variable from `variables.tf` - Updated `terraform.tfvars` to remove shared SSH key reference - Updated `terraform.tfvars.example` with new key generation instructions ## Security Improvements ✅ Client isolation: Each client has dedicated SSH key ✅ Granular rotation: Rotate keys per-client without affecting others ✅ Defense in depth: Minimize blast radius of key compromise ✅ Proper key storage: Private keys gitignored, backups documented ## Testing - ✅ Generated new SSH key for dev client - ✅ Applied OpenTofu changes (server recreated) - ✅ Tested SSH access: `ssh -i keys/ssh/dev root@78.47.191.38` - ✅ Verified key isolation: Old shared key removed from Hetzner ## Migration Notes For existing clients: 1. Generate key: `./scripts/generate-client-keys.sh <client>` 2. Apply OpenTofu: `cd tofu && tofu apply` (will recreate server) 3. Deploy: `./scripts/deploy-client.sh <client>` For new clients: 1. Generate key first 2. Deploy as normal 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-17 19:50:30 +01:00
Pieter	9571782382	fix: Restore Mailgun SMTP and Nextcloud OIDC integration Fixes three critical regressions from previous deployment: 1. Mailgun SMTP Credentials - Added mailgun_api_key to secrets/shared.sops.yaml - Updated deploy.yml to load and merge shared secrets - Mailgun credentials now created automatically per client 2. Nextcloud OIDC Integration - OIDC provider creation now works (was timing issue) - "Login with Authentik" button restored on Nextcloud login 3. Infrastructure Deployment - Fixed deploy-client.sh to create full infrastructure (DNS + server) - Removed -target flag that caused incomplete deployments Changes: - ansible/playbooks/deploy.yml: Load shared secrets and merge into client_secrets - secrets/shared.sops.yaml: Add Mailgun API key for all clients - secrets/clients/dev.sops.yaml: Add dev client configuration - scripts/deploy-client.sh: Apply full infrastructure without -target flag All services now functional: ✅ Traefik reverse proxy with auto SSL ✅ Authentik SSO with email configuration ✅ Nextcloud with OIDC login and email ✅ Mailgun SMTP credentials (dev@mg.vrije.cloud) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-14 16:04:00 +01:00
Pieter	a5fe631717	feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-08 16:56:19 +01:00

Author

SHA1

Message

Date

Pieter

071ed083f7

feat: Implement per-client SSH key isolation

Resolves #14

Each client now gets a dedicated SSH key pair, ensuring that compromise
of one client server does not grant access to other client servers.

## Changes

### Infrastructure (OpenTofu)
- Replace shared `hcloud_ssh_key.default` with per-client `hcloud_ssh_key.client`
- Each client key read from `keys/ssh/<client_name>.pub`
- Server recreated with new key (dev server only, acceptable downtime)

### Key Management
- Created `keys/ssh/` directory for SSH keys
- Added `.gitignore` to protect private keys from git
- Generated ED25519 key pair for dev client
- Private key gitignored, public key committed

### Scripts
- **`scripts/generate-client-keys.sh`** - Generate SSH key pairs for clients
- Updated `scripts/deploy-client.sh` to check for client SSH key

### Documentation
- **`docs/ssh-key-management.md`** - Complete SSH key management guide
- **`keys/ssh/README.md`** - Quick reference for SSH keys directory

### Configuration
- Removed `ssh_public_key` variable from `variables.tf`
- Updated `terraform.tfvars` to remove shared SSH key reference
- Updated `terraform.tfvars.example` with new key generation instructions

## Security Improvements

✅ Client isolation: Each client has dedicated SSH key
✅ Granular rotation: Rotate keys per-client without affecting others
✅ Defense in depth: Minimize blast radius of key compromise
✅ Proper key storage: Private keys gitignored, backups documented

## Testing

- ✅ Generated new SSH key for dev client
- ✅ Applied OpenTofu changes (server recreated)
- ✅ Tested SSH access: `ssh -i keys/ssh/dev root@78.47.191.38`
- ✅ Verified key isolation: Old shared key removed from Hetzner

## Migration Notes

For existing clients:
1. Generate key: `./scripts/generate-client-keys.sh <client>`
2. Apply OpenTofu: `cd tofu && tofu apply` (will recreate server)
3. Deploy: `./scripts/deploy-client.sh <client>`

For new clients:
1. Generate key first
2. Deploy as normal

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-17 19:50:30 +01:00

Pieter

9571782382

fix: Restore Mailgun SMTP and Nextcloud OIDC integration

Fixes three critical regressions from previous deployment:

1. **Mailgun SMTP Credentials**
   - Added mailgun_api_key to secrets/shared.sops.yaml
   - Updated deploy.yml to load and merge shared secrets
   - Mailgun credentials now created automatically per client

2. **Nextcloud OIDC Integration**
   - OIDC provider creation now works (was timing issue)
   - "Login with Authentik" button restored on Nextcloud login

3. **Infrastructure Deployment**
   - Fixed deploy-client.sh to create full infrastructure (DNS + server)
   - Removed -target flag that caused incomplete deployments

Changes:
- ansible/playbooks/deploy.yml: Load shared secrets and merge into client_secrets
- secrets/shared.sops.yaml: Add Mailgun API key for all clients
- secrets/clients/dev.sops.yaml: Add dev client configuration
- scripts/deploy-client.sh: Apply full infrastructure without -target flag

All services now functional:
✅ Traefik reverse proxy with auto SSL
✅ Authentik SSO with email configuration
✅ Nextcloud with OIDC login and email
✅ Mailgun SMTP credentials (dev@mg.vrije.cloud)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-14 16:04:00 +01:00

Pieter

a5fe631717

feat: Complete Authentik SSO integration with automated OIDC setup

## Changes

### Identity Provider (Authentik)
- ✅ Deployed Authentik 2025.10.3 as identity provider
- ✅ Configured automatic bootstrap with admin account (akadmin)
- ✅ Fixed OIDC provider creation with correct redirect_uris format
- ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud
- ✅ API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
- ✅ Fixed reverse proxy header configuration (trusted_proxies)
- ✅ Added missing database indices (fs_storage_path_prefix)
- ✅ Ran mimetype migrations for proper file type handling
- ✅ Verified PHP upload limits (16GB upload_max_filesize)
- ✅ Configured OIDC integration with Authentik
- ✅ "Login with Authentik" button auto-configured

### Automation Scripts
- ✅ Added deploy-client.sh for automated client deployment
- ✅ Added rebuild-client.sh for infrastructure rebuild
- ✅ Added destroy-client.sh for cleanup
- ✅ Full deployment now takes ~10-15 minutes end-to-end

### Documentation
- ✅ Updated README with automated deployment instructions
- ✅ Added SSO automation workflow documentation
- ✅ Added automation status tracking
- ✅ Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-08 16:56:19 +01:00

3 commits