Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
75 commits 3 branches 3 tags 498 KiB
Commit graph

5 commits

Author SHA1 Message Date
Pieter
e092931cb7 refactor: Remove Zitadel references and clean up templates 
Complete the migration from Zitadel to Authentik by removing all
remaining Zitadel references in Ansible templates and defaults.

Changes:
- Update Nextcloud defaults to reference authentik_domain instead of zitadel_domain
- Add clarifying comments about dynamic OIDC credential provisioning
- Clean up Traefik dynamic config template - remove obsolete static routes
- Remove hardcoded test.vrije.cloud routes (routes now come from Docker labels)
- Remove unused Zitadel service definitions and middleware configs

Impact:
- Nextcloud version now defaults to "latest" (from hardcoded "30")
- Traefik template simplified to only define shared middlewares
- All service routing handled via Docker Compose labels (already working)
- No impact on existing deployments (these defaults were unused)

Related to: Post-workshop cleanup following commit b6c9fa6

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-23 20:40:34 +01:00
Pieter
a5fe631717 feat: Complete Authentik SSO integration with automated OIDC setup 
## Changes

### Identity Provider (Authentik)
-  Deployed Authentik 2025.10.3 as identity provider
-  Configured automatic bootstrap with admin account (akadmin)
-  Fixed OIDC provider creation with correct redirect_uris format
-  Added automated OAuth2/OIDC provider configuration for Nextcloud
-  API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
-  Fixed reverse proxy header configuration (trusted_proxies)
-  Added missing database indices (fs_storage_path_prefix)
-  Ran mimetype migrations for proper file type handling
-  Verified PHP upload limits (16GB upload_max_filesize)
-  Configured OIDC integration with Authentik
-  "Login with Authentik" button auto-configured

### Automation Scripts
-  Added deploy-client.sh for automated client deployment
-  Added rebuild-client.sh for infrastructure rebuild
-  Added destroy-client.sh for cleanup
-  Full deployment now takes ~10-15 minutes end-to-end

### Documentation
-  Updated README with automated deployment instructions
-  Added SSO automation workflow documentation
-  Added automation status tracking
-  Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-08 16:56:19 +01:00
Pieter
93ce586b94 Deploy Nextcloud file sync/share with automated installation (#4) 
This commit implements a complete Nextcloud deployment with PostgreSQL, Redis,
automated installation, and preparation for OIDC/SSO integration with Zitadel.

## Nextcloud Deployment

### New Ansible Role (ansible/roles/nextcloud/)
- Complete Nextcloud v30 deployment with Docker Compose
- PostgreSQL 16 backend with persistent volumes
- Redis 7 for caching and file locking
- Automated installation via Docker environment variables
- Post-installation configuration via occ commands

### Features Implemented
- **Database**: PostgreSQL with proper credentials and persistence
- **Caching**: Redis for memory caching and file locking
- **HTTPS**: Traefik integration with Let's Encrypt SSL
- **Security**: Proper security headers and HSTS
- **WebDAV**: CalDAV/CardDAV redirect middleware
- **Configuration**: Automated trusted domain, reverse proxy, and Redis setup
- **OIDC Preparation**: user_oidc app installed and enabled

### Traefik Updates
- Added Nextcloud routing to dynamic.yml (static file-based config)
- Configured CalDAV/CardDAV redirect middleware
- Added Nextcloud-specific security headers

### Configuration Tasks
- Automated trusted domain configuration for nextcloud.test.vrije.cloud
- Reverse proxy overwrite settings (protocol, host, CLI URL)
- Redis cache and locking configuration
- Default phone region (NL)
- Background jobs via cron

## Deployment Status

 Successfully deployed and tested:
- Nextcloud: https://nextcloud.test.vrije.cloud/
- Admin login working
- PostgreSQL database initialized
- Redis caching operational
- HTTPS with Let's Encrypt SSL
- user_oidc app installed (ready for Zitadel integration)

## Next Steps

To complete OIDC/SSO integration:
1. Create OIDC application in Zitadel console
2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code
3. Configure provider in Nextcloud with Zitadel credentials

Partially addresses #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-06 09:30:54 +01:00
Pieter van Boheemen
054e0e1e87
Deploy Zitadel identity provider with DNS automation (#3) (#8) 
This commit implements a complete Zitadel identity provider deployment
with automated DNS management using vrije.cloud domain.

## Infrastructure Changes

### DNS Management
- Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+
- Automated DNS record creation for client subdomains (test.vrije.cloud)
- Automated wildcard DNS for service subdomains (*.test.vrije.cloud)
- Supports both IPv4 (A) and IPv6 (AAAA) records

### Zitadel Deployment
- Added complete Zitadel role with PostgreSQL 16 database
- Configured Zitadel v2.63.7 with proper external domain settings
- Implemented first instance setup with admin user creation
- Set up database connection with proper user and admin credentials
- Configured email verification bypass for first admin user

### Traefik Updates
- Upgraded from v3.0 to v3.2 for better Docker API compatibility
- Added manual routing configuration in dynamic.yml for Zitadel
- Configured HTTP/2 Cleartext (h2c) backend for Zitadel service
- Added Zitadel-specific security headers middleware
- Fixed Docker API version compatibility issues

### Secrets Management
- Added Zitadel credentials to test client secrets
- Generated proper 32-character masterkey (Zitadel requirement)
- Created admin password with symbol complexity requirement
- Added zitadel_domain configuration

## Deployment Details

Test environment now accessible at:
- Server: test.vrije.cloud (78.47.191.38)
- Zitadel: https://zitadel.test.vrije.cloud/
- Admin user: admin@test.zitadel.test.vrije.cloud

Successfully tested:
- HTTPS with Let's Encrypt SSL certificate
- Admin login with 2FA setup
- First instance initialization

Fixes #3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Pieter <pieter@kolabnow.com>
Co-authored-by: Claude <noreply@anthropic.com>
 2026-01-05 16:40:37 +01:00
Pieter
4e72ddf4ef Complete Ansible base configuration (#2) 
Completed Issue #2: Ansible Base Configuration

All objectives met:
-  Hetzner Cloud dynamic inventory (hcloud plugin)
-  Common role (SSH hardening, UFW firewall, fail2ban, auto-updates)
-  Docker role (Docker Engine + Compose + networks)
-  Traefik role (reverse proxy with Let's Encrypt SSL)
-  Setup playbook (orchestrates all base roles)
-  Successfully tested on live test server (91.99.210.204)

Additional improvements:
- Fixed ansible.cfg for Ansible 2.20+ compatibility
- Updated ADR dates to 2025
- All roles follow Infrastructure Agent patterns

Test Results:
- SSH hardening applied (key-only auth)
- UFW firewall active (ports 22, 80, 443)
- Fail2ban protecting SSH
- Automatic security updates enabled
- Docker running with traefik network
- Traefik deployed and ready for SSL

Files added:
- ansible/playbooks/setup.yml
- ansible/roles/docker/* (complete)
- ansible/roles/traefik/* (complete)

Closes #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-27 14:13:15 +01:00