Post-Tyranny-Tech-Infrastructure

Post-X-Society/Post-Tyranny-Tech-Infrastructure

Fork 0

Commit graph

Author	SHA1	Message	Date
Pieter	e04efa1cb1	feat: Move Hetzner API token to SOPS encrypted secrets Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-18 18:17:15 +01:00
Pieter	ac4187d041	feat: Automate SSH key and secrets generation in deployment scripts Simplify client deployment workflow by automating SSH key generation and secrets file creation. No more manual preparation steps! ## Changes ### Deploy Script Automation `scripts/deploy-client.sh`: - Auto-generates SSH key pair if missing (calls generate-client-keys.sh) - Auto-creates secrets file from template if missing - Opens SOPS editor for user to customize secrets - Continues with deployment after setup complete ### Rebuild Script Automation `scripts/rebuild-client.sh`: - Same automation as deploy script - Ensures SSH key and secrets exist before rebuild ### Documentation Updates - `README.md` - Updated quick start workflow - `scripts/README.md` - Updated script descriptions and examples ## Workflow: Before vs After ### Before (Manual) ```bash # 1. Generate SSH key ./scripts/generate-client-keys.sh newclient # 2. Create secrets file cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml sops secrets/clients/newclient.sops.yaml # 3. Add to terraform.tfvars vim tofu/terraform.tfvars # 4. Deploy ./scripts/deploy-client.sh newclient ``` ### After (Automated) ```bash # 1. Add to terraform.tfvars vim tofu/terraform.tfvars # 2. Deploy (everything else is automatic!) ./scripts/deploy-client.sh newclient # Script automatically: # - Generates SSH key if missing # - Creates secrets file from template if missing # - Opens editor for you to customize # - Continues with deployment ``` ## Benefits ✅ Fewer manual steps: 4 steps → 2 steps ✅ Less error-prone: Can't forget to generate SSH key ✅ Better UX: Script guides you through setup ✅ Still flexible: Can pre-create SSH key/secrets if desired ✅ Idempotent: Won't regenerate if already exists ## Backward Compatible Existing workflows still work: - If SSH key already exists, script uses it - If secrets file already exists, script uses it - Can still use generate-client-keys.sh manually if preferred 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-17 20:04:29 +01:00
Pieter	a5fe631717	feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-08 16:56:19 +01:00

Author

SHA1

Message

Date

Pieter

e04efa1cb1

feat: Move Hetzner API token to SOPS encrypted secrets

Resolves #20

Changes:
- Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age)
- Create scripts/load-secrets-env.sh to automatically load token from SOPS
- Update all management scripts to auto-load token if not set
- Remove plaintext tokens from tofu/terraform.tfvars
- Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md

Benefits:
✅ Token encrypted at rest
✅ Can be safely backed up to cloud storage
✅ Consistent with other secrets management
✅ Automatic loading - no manual token management needed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-18 18:17:15 +01:00

Pieter

ac4187d041

feat: Automate SSH key and secrets generation in deployment scripts

Simplify client deployment workflow by automating SSH key generation and
secrets file creation. No more manual preparation steps!

## Changes

### Deploy Script Automation
**`scripts/deploy-client.sh`**:
- Auto-generates SSH key pair if missing (calls generate-client-keys.sh)
- Auto-creates secrets file from template if missing
- Opens SOPS editor for user to customize secrets
- Continues with deployment after setup complete

### Rebuild Script Automation
**`scripts/rebuild-client.sh`**:
- Same automation as deploy script
- Ensures SSH key and secrets exist before rebuild

### Documentation Updates
- **`README.md`** - Updated quick start workflow
- **`scripts/README.md`** - Updated script descriptions and examples

## Workflow: Before vs After

### Before (Manual)
```bash
# 1. Generate SSH key
./scripts/generate-client-keys.sh newclient

# 2. Create secrets file
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
sops secrets/clients/newclient.sops.yaml

# 3. Add to terraform.tfvars
vim tofu/terraform.tfvars

# 4. Deploy
./scripts/deploy-client.sh newclient
```

### After (Automated)
```bash
# 1. Add to terraform.tfvars
vim tofu/terraform.tfvars

# 2. Deploy (everything else is automatic!)
./scripts/deploy-client.sh newclient
# Script automatically:
# - Generates SSH key if missing
# - Creates secrets file from template if missing
# - Opens editor for you to customize
# - Continues with deployment
```

## Benefits

✅ **Fewer manual steps**: 4 steps → 2 steps
✅ **Less error-prone**: Can't forget to generate SSH key
✅ **Better UX**: Script guides you through setup
✅ **Still flexible**: Can pre-create SSH key/secrets if desired
✅ **Idempotent**: Won't regenerate if already exists

## Backward Compatible

Existing workflows still work:
- If SSH key already exists, script uses it
- If secrets file already exists, script uses it
- Can still use generate-client-keys.sh manually if preferred

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-17 20:04:29 +01:00

Pieter

a5fe631717

feat: Complete Authentik SSO integration with automated OIDC setup

## Changes

### Identity Provider (Authentik)
- ✅ Deployed Authentik 2025.10.3 as identity provider
- ✅ Configured automatic bootstrap with admin account (akadmin)
- ✅ Fixed OIDC provider creation with correct redirect_uris format
- ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud
- ✅ API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
- ✅ Fixed reverse proxy header configuration (trusted_proxies)
- ✅ Added missing database indices (fs_storage_path_prefix)
- ✅ Ran mimetype migrations for proper file type handling
- ✅ Verified PHP upload limits (16GB upload_max_filesize)
- ✅ Configured OIDC integration with Authentik
- ✅ "Login with Authentik" button auto-configured

### Automation Scripts
- ✅ Added deploy-client.sh for automated client deployment
- ✅ Added rebuild-client.sh for infrastructure rebuild
- ✅ Added destroy-client.sh for cleanup
- ✅ Full deployment now takes ~10-15 minutes end-to-end

### Documentation
- ✅ Updated README with automated deployment instructions
- ✅ Added SSO automation workflow documentation
- ✅ Added automation status tracking
- ✅ Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-08 16:56:19 +01:00

3 commits