Post-Tyranny-Tech-Infrastructure

Post-X-Society/Post-Tyranny-Tech-Infrastructure

Fork 0

Commit graph

Author	SHA1	Message	Date
Pieter	7029de5bc9	fix: Improve Authentik bootstrap resilience - Increase HTTPS readiness check retries from 30 to 60 - Increase delay between retries from 10s to 15s (total max wait: 15 minutes) - Add failed_when: false to prevent deployment failure - Display helpful warning if HTTPS not yet accessible - Continues deployment even if DNS/SSL not ready yet This resolves timing issues during initial deployment when: - DNS records are still propagating - Let's Encrypt certificates are being issued - Traefik is still configuring routes Authentik runs internally on HTTP and will be accessible via HTTPS once DNS/SSL is fully configured. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-08 17:39:42 +01:00
Pieter	a5fe631717	feat: Complete Authentik SSO integration with automated OIDC setup ## Changes ### Identity Provider (Authentik) - ✅ Deployed Authentik 2025.10.3 as identity provider - ✅ Configured automatic bootstrap with admin account (akadmin) - ✅ Fixed OIDC provider creation with correct redirect_uris format - ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud - ✅ API-driven provider setup eliminates manual configuration ### Nextcloud Configuration - ✅ Fixed reverse proxy header configuration (trusted_proxies) - ✅ Added missing database indices (fs_storage_path_prefix) - ✅ Ran mimetype migrations for proper file type handling - ✅ Verified PHP upload limits (16GB upload_max_filesize) - ✅ Configured OIDC integration with Authentik - ✅ "Login with Authentik" button auto-configured ### Automation Scripts - ✅ Added deploy-client.sh for automated client deployment - ✅ Added rebuild-client.sh for infrastructure rebuild - ✅ Added destroy-client.sh for cleanup - ✅ Full deployment now takes ~10-15 minutes end-to-end ### Documentation - ✅ Updated README with automated deployment instructions - ✅ Added SSO automation workflow documentation - ✅ Added automation status tracking - ✅ Updated project reference with Authentik details ### Technical Fixes - Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode) - Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add) - Fixed file lookup in Ansible (changed to slurp for remote files) - Updated Traefik to v3.6 for Docker API 1.44 compatibility - Improved error handling in app installation tasks ## Security - All credentials stored in SOPS-encrypted secrets - Trusted proxy configuration prevents IP spoofing - Bootstrap tokens auto-generated and secured ## Result Fully automated SSO deployment - no manual configuration required! 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-08 16:56:19 +01:00
Pieter	20856f7f18	Add Authentik identity provider to architecture Added Authentik as the identity provider for SSO authentication: Why Authentik: - MIT license (truly open source, most permissive) - Simple Docker Compose deployment (no manual wizards) - Lightweight Python-based architecture - Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS) - No Redis required as of v2025.10 (all caching in PostgreSQL) - Active development and strong community Implementation: - Created complete Authentik Ansible role - Docker Compose with server + worker architecture - PostgreSQL 16 database backend - Traefik integration with Let's Encrypt SSL - Bootstrap tasks for initial setup guidance - Health checks and proper service dependencies Architecture decisions updated: - Documented comparison: Authentik vs Zitadel vs Keycloak - Explained Zitadel removal (FirstInstance bugs) - Added deployment example and configuration notes Next steps: - Update documentation (PROJECT_REFERENCE.md, README.md) - Create Authentik agent configuration - Add secrets template - Test deployment on test server 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-07 11:23:13 +01:00

Author

SHA1

Message

Date

Pieter

7029de5bc9

fix: Improve Authentik bootstrap resilience

- Increase HTTPS readiness check retries from 30 to 60
- Increase delay between retries from 10s to 15s (total max wait: 15 minutes)
- Add failed_when: false to prevent deployment failure
- Display helpful warning if HTTPS not yet accessible
- Continues deployment even if DNS/SSL not ready yet

This resolves timing issues during initial deployment when:
- DNS records are still propagating
- Let's Encrypt certificates are being issued
- Traefik is still configuring routes

Authentik runs internally on HTTP and will be accessible via
HTTPS once DNS/SSL is fully configured.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-08 17:39:42 +01:00

Pieter

a5fe631717

feat: Complete Authentik SSO integration with automated OIDC setup

## Changes

### Identity Provider (Authentik)
- ✅ Deployed Authentik 2025.10.3 as identity provider
- ✅ Configured automatic bootstrap with admin account (akadmin)
- ✅ Fixed OIDC provider creation with correct redirect_uris format
- ✅ Added automated OAuth2/OIDC provider configuration for Nextcloud
- ✅ API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
- ✅ Fixed reverse proxy header configuration (trusted_proxies)
- ✅ Added missing database indices (fs_storage_path_prefix)
- ✅ Ran mimetype migrations for proper file type handling
- ✅ Verified PHP upload limits (16GB upload_max_filesize)
- ✅ Configured OIDC integration with Authentik
- ✅ "Login with Authentik" button auto-configured

### Automation Scripts
- ✅ Added deploy-client.sh for automated client deployment
- ✅ Added rebuild-client.sh for infrastructure rebuild
- ✅ Added destroy-client.sh for cleanup
- ✅ Full deployment now takes ~10-15 minutes end-to-end

### Documentation
- ✅ Updated README with automated deployment instructions
- ✅ Added SSO automation workflow documentation
- ✅ Added automation status tracking
- ✅ Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-08 16:56:19 +01:00

Pieter

20856f7f18

Add Authentik identity provider to architecture

Added Authentik as the identity provider for SSO authentication:

Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community

Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies

Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes

Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-07 11:23:13 +01:00

3 commits