Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
80 commits 3 branches 3 tags 498 KiB
Commit graph

6 commits

Author SHA1 Message Date
Pieter
27d59e4cd3 chore: Clean up Terraform/Tofu artifacts and improve .gitignore 
Remove accidentally committed tfplan file and obsolete backup files
from the tofu/ directory.

Changes:
- Remove tofu/tfplan from repository (binary plan file, should not be tracked)
- Delete terraform.tfvars.bak (old private network config, no longer needed)
- Delete terraform.tfstate.1768302414.backup (outdated state from Jan 13)
- Update .gitignore to prevent future commits of:
  - tfplan files (tofu/tfplan, tofu/*.tfplan)
  - Numbered state backups (tofu/terraform.tfstate.*.backup)

Security Assessment:
- tfplan contained infrastructure state (server IPs) but no credentials
- No sensitive tokens or passwords were exposed
- All actual secrets remain in SOPS-encrypted files only

The tfplan was only in commit b6c9fa6 (post-workshop state) and is now
removed going forward.

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-23 20:45:48 +01:00
Pieter
c8793bb910 chore: Ignore documentation and report markdown files 
Added docs/ directory and all .md files (except README.md) to .gitignore
to prevent internal deployment logs, security notes, and test reports
from being committed to the repository.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-20 20:10:37 +01:00
Pieter
f795920f24 🚀 GREEN CLIENT DEPLOYMENT + CRITICAL SECURITY FIXES 
═══════════════════════════════════════════════════════════════
 COMPLETED: Green Client Deployment (green.vrije.cloud)
═══════════════════════════════════════════════════════════════

Services deployed and operational:
- Traefik (reverse proxy with SSL)
- Authentik SSO (auth.green.vrije.cloud)
- Nextcloud (nextcloud.green.vrije.cloud)
- Collabora Office (online document editing)
- PostgreSQL databases (Authentik + Nextcloud)
- Redis (caching + file locking)

═══════════════════════════════════════════════════════════════
🔐 CRITICAL SECURITY FIX: Unique Passwords Per Client
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
All clients were using IDENTICAL passwords from template (critical vulnerability).
If one server compromised, all servers compromised.

SOLUTION IMPLEMENTED:
 Auto-generate unique passwords per client
 Store securely in SOPS-encrypted files
 Easy retrieval with get-passwords.sh script

NEW SCRIPTS:
- scripts/generate-passwords.sh - Auto-generate unique 43-char passwords
- scripts/get-passwords.sh      - Retrieve client credentials from SOPS

UPDATED SCRIPTS:
- scripts/deploy-client.sh - Now auto-calls password generator

PASSWORD CHANGES:
- dev.sops.yaml   - Regenerated with unique passwords
- green.sops.yaml - Created with unique passwords

SECURITY PROPERTIES:
- 43-character passwords (258 bits entropy)
- Cryptographically secure (openssl rand -base64 32)
- Unique across all clients
- Stored encrypted with SOPS + age

═══════════════════════════════════════════════════════════════
🛠️  BUG FIX: Nextcloud Volume Mounting
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
Volume detection was looking for "nextcloud-data-{client}" in device ID,
but Hetzner volumes use numeric IDs (scsi-0HC_Volume_104429514).

SOLUTION:
Simplified detection to find first Hetzner volume (works for all clients):
  ls -1 /dev/disk/by-id/scsi-0HC_Volume_* | head -1

FIXED FILE:
- ansible/roles/nextcloud/tasks/mount-volume.yml:15

═══════════════════════════════════════════════════════════════
🐛 BUG FIX: Authentik Invitation Task Safety
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
invitation.yml task crashed when accessing undefined variable attribute
(enrollment_blueprint_result.rc when API not ready).

SOLUTION:
Added safety checks before accessing variable attributes:
  {{ 'In Progress' if (var is defined and var.rc is defined) else 'Complete' }}

FIXED FILE:
- ansible/roles/authentik/tasks/invitation.yml:91

═══════════════════════════════════════════════════════════════
📝 OTHER CHANGES
═══════════════════════════════════════════════════════════════

GITIGNORE:
- Added *.md (except README.md) to exclude deployment reports

GREEN CLIENT FILES:
- keys/ssh/green.pub - SSH public key for green server
- secrets/clients/green.sops.yaml - Encrypted secrets with unique passwords

═══════════════════════════════════════════════════════════════
 IMPACT: All Future Deployments Now Secure & Reliable
═══════════════════════════════════════════════════════════════

FUTURE DEPLOYMENTS:
-  Automatically get unique passwords
-  Volume mounting works reliably
-  Ansible tasks handle API delays gracefully
-  No manual intervention required

DEPLOYMENT TIME: ~15 minutes (fully automated)
AUTOMATION RATE: 95%

═══════════════════════════════════════════════════════════════

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-18 17:06:04 +01:00
Pieter
d95862f522 security: Rotate exposed Authentik API token 
GitGuardian detected hardcoded secret in test-oidc-provider.py.

Actions taken:
1.  Deleted test-oidc-provider.py (previous commit)
2.  Rotated authentik_bootstrap_token in secrets file
3.  Added test scripts to .gitignore to prevent future exposure

Old token (COMPROMISED): ak_0Xj3OmKT0rx5E_TDKjuvXAl2Ry8IfxlSDKPSRq7fH71uPX3M04d-Xg
New token: Encrypted in SOPS secrets file

Impact: Test environment only (test.vrije.cloud)
Next step: Redeploy test server to activate new token

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-01-09 08:32:45 +01:00
Pieter
6bc8e508c6 Complete SOPS secrets management setup (#5) 
Completed Issue #5: SOPS Secrets Management

All objectives met:
-  Age encryption key generated (keys/age-key.txt)
-  SOPS configured with Age backend (.sops.yaml)
-  Secrets directory structure created
-  Example encrypted secrets (shared + test client)
-  Comprehensive documentation for key backup
-  Ready for Ansible integration

Security measures:
- Age private key gitignored (keys/age-key.txt)
- Only encrypted .sops.yaml files committed
- Plaintext secrets explicitly excluded
- Key backup procedures documented

Files added:
- .sops.yaml - SOPS configuration with Age public key
- secrets/shared.sops.yaml - Shared secrets (encrypted)
- secrets/clients/test.sops.yaml - Test client secrets (encrypted)
- secrets/README.md - Complete SOPS usage guide
- keys/README.md - Key backup procedures
- keys/.gitignore - Protects private keys

Updated:
- .gitignore - Allow .sops.yaml, block plaintext

Tested:
- Encryption:  Files encrypted successfully
- Decryption:  Secrets decrypt correctly
- Git safety:  Private key excluded from commits

Next: Ready for Zitadel/Nextcloud deployment with secure credentials

Closes #5

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-27 14:23:36 +01:00
Pieter
3848510e1b Initial project structure with agent definitions and ADR 
- Add AI agent definitions (Architect, Infrastructure, Zitadel, Nextcloud)
- Add Architecture Decision Record with complete design rationale
- Add .gitignore to protect secrets and sensitive files
- Add README with quick start guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-12-24 12:12:17 +01:00