Resolves#20
Changes:
- Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age)
- Create scripts/load-secrets-env.sh to automatically load token from SOPS
- Update all management scripts to auto-load token if not set
- Remove plaintext tokens from tofu/terraform.tfvars
- Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md
Benefits:
✅ Token encrypted at rest
✅ Can be safely backed up to cloud storage
✅ Consistent with other secrets management
✅ Automatic loading - no manual token management needed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive client registry for tracking all deployed infrastructure:
Registry System:
- Single source of truth in clients/registry.yml
- Tracks status, server specs, versions, maintenance history
- Supports canary deployment workflow
- Automatic updates via deployment scripts
New Scripts:
- scripts/list-clients.sh: List/filter clients (table/json/csv/summary)
- scripts/client-status.sh: Detailed client info with health checks
- scripts/update-registry.sh: Manual registry updates
Updated Scripts:
- scripts/deploy-client.sh: Auto-updates registry on deploy
- scripts/rebuild-client.sh: Auto-updates registry on rebuild
- scripts/destroy-client.sh: Marks clients as destroyed
Documentation:
- docs/client-registry.md: Complete registry reference
- clients/README.md: Quick start guide
Status tracking: pending → deployed → maintenance → destroyed
Role support: canary (dev) and production clients
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed email FROM address formatting that was breaking Django's email parser.
The display name contained an '@' symbol which violated RFC 5322 format.
Changes:
- Fix Authentik email FROM address (remove @ from display name)
- Add Mailgun SMTP credential cleanup on server destruction
- Fix Mailgun delete task to use EU API endpoint
- Add cleanup playbook for graceful resource removal
This ensures:
✓ Recovery emails work immediately on new deployments
✓ SMTP credentials are automatically cleaned up when destroying servers
✓ Email configuration works correctly across all environments
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
