7 commits

Author	SHA1	Message	Date
Pieter	9a38486322	feat: Add brand recovery flow config and improve security ... - Add brand default recovery flow configuration to Authentik setup - Update create_recovery_flow.py to set brand's recovery flow automatically - All 17 servers now have brand recovery flow configured Security improvements: - Remove secrets/clients/*.sops.yaml from git tracking - Remove ansible/host_vars/ from git tracking - Update .gitignore to exclude sensitive config files - Files remain encrypted and local, just not in repo Note: Files still exist in git history. Consider using BFG Repo Cleaner to remove them completely if needed. 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-26 09:17:08 +01:00
Pieter	27d59e4cd3	chore: Clean up Terraform/Tofu artifacts and improve .gitignore ... Remove accidentally committed tfplan file and obsolete backup files from the tofu/ directory. Changes: - Remove tofu/tfplan from repository (binary plan file, should not be tracked) - Delete terraform.tfvars.bak (old private network config, no longer needed) - Delete terraform.tfstate.1768302414.backup (outdated state from Jan 13) - Update .gitignore to prevent future commits of: - tfplan files (tofu/tfplan, tofu/*.tfplan) - Numbered state backups (tofu/terraform.tfstate.*.backup) Security Assessment: - tfplan contained infrastructure state (server IPs) but no credentials - No sensitive tokens or passwords were exposed - All actual secrets remain in SOPS-encrypted files only The tfplan was only in commit b6c9fa6 (post-workshop state) and is now removed going forward. 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 20:45:48 +01:00
Pieter	c8793bb910	chore: Ignore documentation and report markdown files ... Added docs/ directory and all .md files (except README.md) to .gitignore to prevent internal deployment logs, security notes, and test reports from being committed to the repository. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-20 20:10:37 +01:00
Pieter	f795920f24	🚀 GREEN CLIENT DEPLOYMENT + CRITICAL SECURITY FIXES ... ═══════════════════════════════════════════════════════════════ ✅ COMPLETED: Green Client Deployment (green.vrije.cloud) ═══════════════════════════════════════════════════════════════ Services deployed and operational: - Traefik (reverse proxy with SSL) - Authentik SSO (auth.green.vrije.cloud) - Nextcloud (nextcloud.green.vrije.cloud) - Collabora Office (online document editing) - PostgreSQL databases (Authentik + Nextcloud) - Redis (caching + file locking) ═══════════════════════════════════════════════════════════════ 🔐 CRITICAL SECURITY FIX: Unique Passwords Per Client ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: All clients were using IDENTICAL passwords from template (critical vulnerability). If one server compromised, all servers compromised. SOLUTION IMPLEMENTED: ✅ Auto-generate unique passwords per client ✅ Store securely in SOPS-encrypted files ✅ Easy retrieval with get-passwords.sh script NEW SCRIPTS: - scripts/generate-passwords.sh - Auto-generate unique 43-char passwords - scripts/get-passwords.sh - Retrieve client credentials from SOPS UPDATED SCRIPTS: - scripts/deploy-client.sh - Now auto-calls password generator PASSWORD CHANGES: - dev.sops.yaml - Regenerated with unique passwords - green.sops.yaml - Created with unique passwords SECURITY PROPERTIES: - 43-character passwords (258 bits entropy) - Cryptographically secure (openssl rand -base64 32) - Unique across all clients - Stored encrypted with SOPS + age ═══════════════════════════════════════════════════════════════ 🛠️ BUG FIX: Nextcloud Volume Mounting ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: Volume detection was looking for "nextcloud-data-{client}" in device ID, but Hetzner volumes use numeric IDs (scsi-0HC_Volume_104429514). SOLUTION: Simplified detection to find first Hetzner volume (works for all clients): ls -1 /dev/disk/by-id/scsi-0HC_Volume_* | head -1 FIXED FILE: - ansible/roles/nextcloud/tasks/mount-volume.yml:15 ═══════════════════════════════════════════════════════════════ 🐛 BUG FIX: Authentik Invitation Task Safety ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: invitation.yml task crashed when accessing undefined variable attribute (enrollment_blueprint_result.rc when API not ready). SOLUTION: Added safety checks before accessing variable attributes: {{ 'In Progress' if (var is defined and var.rc is defined) else 'Complete' }} FIXED FILE: - ansible/roles/authentik/tasks/invitation.yml:91 ═══════════════════════════════════════════════════════════════ 📝 OTHER CHANGES ═══════════════════════════════════════════════════════════════ GITIGNORE: - Added *.md (except README.md) to exclude deployment reports GREEN CLIENT FILES: - keys/ssh/green.pub - SSH public key for green server - secrets/clients/green.sops.yaml - Encrypted secrets with unique passwords ═══════════════════════════════════════════════════════════════ ✅ IMPACT: All Future Deployments Now Secure & Reliable ═══════════════════════════════════════════════════════════════ FUTURE DEPLOYMENTS: - ✅ Automatically get unique passwords - ✅ Volume mounting works reliably - ✅ Ansible tasks handle API delays gracefully - ✅ No manual intervention required DEPLOYMENT TIME: ~15 minutes (fully automated) AUTOMATION RATE: 95% ═══════════════════════════════════════════════════════════════ 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-18 17:06:04 +01:00
Pieter	d95862f522	security: Rotate exposed Authentik API token ... GitGuardian detected hardcoded secret in test-oidc-provider.py. Actions taken: 1. ✅ Deleted test-oidc-provider.py (previous commit) 2. ✅ Rotated authentik_bootstrap_token in secrets file 3. ✅ Added test scripts to .gitignore to prevent future exposure Old token (COMPROMISED): ak_0Xj3OmKT0rx5E_TDKjuvXAl2Ry8IfxlSDKPSRq7fH71uPX3M04d-Xg New token: Encrypted in SOPS secrets file Impact: Test environment only (test.vrije.cloud) Next step: Redeploy test server to activate new token 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-09 08:32:45 +01:00
Pieter	6bc8e508c6	Complete SOPS secrets management setup (#5) ... Completed Issue #5: SOPS Secrets Management All objectives met: - ✅ Age encryption key generated (keys/age-key.txt) - ✅ SOPS configured with Age backend (.sops.yaml) - ✅ Secrets directory structure created - ✅ Example encrypted secrets (shared + test client) - ✅ Comprehensive documentation for key backup - ✅ Ready for Ansible integration Security measures: - Age private key gitignored (keys/age-key.txt) - Only encrypted .sops.yaml files committed - Plaintext secrets explicitly excluded - Key backup procedures documented Files added: - .sops.yaml - SOPS configuration with Age public key - secrets/shared.sops.yaml - Shared secrets (encrypted) - secrets/clients/test.sops.yaml - Test client secrets (encrypted) - secrets/README.md - Complete SOPS usage guide - keys/README.md - Key backup procedures - keys/.gitignore - Protects private keys Updated: - .gitignore - Allow .sops.yaml, block plaintext Tested: - Encryption: ✅ Files encrypted successfully - Decryption: ✅ Secrets decrypt correctly - Git safety: ✅ Private key excluded from commits Next: Ready for Zitadel/Nextcloud deployment with secure credentials Closes #5 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-27 14:23:36 +01:00
Pieter	3848510e1b	Initial project structure with agent definitions and ADR ... - Add AI agent definitions (Architect, Infrastructure, Zitadel, Nextcloud) - Add Architecture Decision Record with complete design rationale - Add .gitignore to protect secrets and sensitive files - Add README with quick start guide 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-24 12:12:17 +01:00