Post-Tyranny-Tech-Infrastructure

Post-X-Society/Post-Tyranny-Tech-Infrastructure

Fork 0

Commit graph

Author	SHA1	Message	Date
Pieter	b6c9fa666d	chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 20:36:31 +01:00
Pieter	9cdf49db48	Add Collabora Office, 2FA, cron container, and dual-cache (#4 ) This commit adds production-ready features to Nextcloud based on the user's existing Nextcloud configuration. ## New Features ### 1. Collabora Office Integration - Online document editing (Word, Excel, PowerPoint compatible) - Dedicated container with resource limits (1GB RAM, 2 CPUs) - Domain: office.{client}.vrije.cloud - WOPI protocol integration with Nextcloud - Automatic app installation (richdocuments) - SSL termination via Traefik ### 2. Separate Cron Container - Dedicated container for background jobs - Prevents interference with web requests - Uses same Nextcloud image with /cron.sh entrypoint - Shares data volume with main container ### 3. Two-Factor Authentication Apps installed and configured: - twofactor_totp: TOTP authenticator apps support - twofactor_admin: Admin enforcement capabilities - twofactor_backupcodes: Backup codes for account recovery Configuration: - 2FA enforced for all users by default - Users must set up 2FA on first login ### 4. Dual-Cache Strategy (APCu + Redis) Optimized caching configuration: - APCu: Local in-memory cache (fast, single-server) - Redis: Distributed cache and file locking (shared) Benefits: - Faster page loads (APCu for frequently accessed data) - Proper file locking across containers (Redis) - Better scalability for multi-container setups ### 5. Additional Configurations - Maintenance window: 2:00 AM - Default phone region: NL - Improved performance and reliability ## Technical Changes ### Docker Compose Updates - Added nextcloud-cron service - Added collabora service with Traefik labels - Resource limits for Collabora (memory, CPU) ### Ansible Tasks - New file: `tasks/apps.yml` - App installation and configuration - Collabora WOPI URL configuration - Collabora network allowlist setup - 2FA app installation and enforcement - APCu local cache configuration - Maintenance window setting ### Configuration Variables - `collabora_enabled`: Enable/disable Collabora (default: true) - `collabora_domain`: Collabora subdomain - `collabora_admin_user`: Collabora admin username - `twofactor_enforced`: Enforce 2FA (default: true) ## Documentation Added comprehensive setup guide: - `docs/COLLABORA_SETUP.md`: Complete feature documentation - Configuration instructions - Testing procedures - Troubleshooting guide - Performance tuning tips - Security considerations ## Manual Step Required Add Collabora admin password to secrets: ```bash cd infrastructure export SOPS_AGE_KEY_FILE="$PWD/keys/age-key.txt" sops secrets/clients/test.sops.yaml # Add: collabora_admin_password: 7ju5h70L47xJMCoADgKiZIhSak4cwq0B ``` Then redeploy to apply all changes. ## Testing Checklist - [ ] Collabora: Create document in Nextcloud - [ ] 2FA: Login and set up authenticator - [ ] Cron: Check background jobs running - [ ] Cache: Verify APCu + Redis in config ## Performance Impact Expected improvements: - 30-50% faster page loads (APCu caching) - Better concurrent user support (Redis locking) - No web request delays from cron jobs (separate container) - Professional document editing experience (Collabora) Partially addresses #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-06 10:34:42 +01:00
Pieter	93ce586b94	Deploy Nextcloud file sync/share with automated installation (#4 ) This commit implements a complete Nextcloud deployment with PostgreSQL, Redis, automated installation, and preparation for OIDC/SSO integration with Zitadel. ## Nextcloud Deployment ### New Ansible Role (ansible/roles/nextcloud/) - Complete Nextcloud v30 deployment with Docker Compose - PostgreSQL 16 backend with persistent volumes - Redis 7 for caching and file locking - Automated installation via Docker environment variables - Post-installation configuration via occ commands ### Features Implemented - Database: PostgreSQL with proper credentials and persistence - Caching: Redis for memory caching and file locking - HTTPS: Traefik integration with Let's Encrypt SSL - Security: Proper security headers and HSTS - WebDAV: CalDAV/CardDAV redirect middleware - Configuration: Automated trusted domain, reverse proxy, and Redis setup - OIDC Preparation: user_oidc app installed and enabled ### Traefik Updates - Added Nextcloud routing to dynamic.yml (static file-based config) - Configured CalDAV/CardDAV redirect middleware - Added Nextcloud-specific security headers ### Configuration Tasks - Automated trusted domain configuration for nextcloud.test.vrije.cloud - Reverse proxy overwrite settings (protocol, host, CLI URL) - Redis cache and locking configuration - Default phone region (NL) - Background jobs via cron ## Deployment Status ✅ Successfully deployed and tested: - Nextcloud: https://nextcloud.test.vrije.cloud/ - Admin login working - PostgreSQL database initialized - Redis caching operational - HTTPS with Let's Encrypt SSL - user_oidc app installed (ready for Zitadel integration) ## Next Steps To complete OIDC/SSO integration: 1. Create OIDC application in Zitadel console 2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code 3. Configure provider in Nextcloud with Zitadel credentials Partially addresses #4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-06 09:30:54 +01:00

Author

SHA1

Message

Date

Pieter

b6c9fa666d

chore: Post-workshop state - January 23rd, 2026

This commit captures the infrastructure state immediately following
the "Post-Tyranny Tech" workshop on January 23rd, 2026.

Infrastructure Status:
- 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos,
  haas, wolf, ree, mees, mus, mol, kikker)
- Services: Authentik SSO, Nextcloud, Collabora Office, Traefik
- Private network architecture with edge NAT gateway
- OIDC integration between Authentik and Nextcloud
- Automated recovery flows and invitation system
- Container update monitoring with Diun
- Uptime monitoring with Uptime Kuma

Changes include:
- Multiple new client host configurations
- Network architecture improvements (private IPs + NAT)
- DNS management automation
- Container update notifications
- Email configuration via Mailgun
- SSH key generation for all clients
- Encrypted secrets for all deployments
- Health check and diagnostic scripts

Known Issues to Address:
- Nextcloud version pinned to v30 (should use 'latest' or v32)
- Zitadel references in templates (migrated to Authentik but templates not updated)
- Traefik dynamic config has obsolete static routes

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-23 20:36:31 +01:00

Pieter

9cdf49db48

Add Collabora Office, 2FA, cron container, and dual-cache (#4 )

This commit adds production-ready features to Nextcloud based on the
user's existing Nextcloud configuration.

## New Features

### 1. Collabora Office Integration
- Online document editing (Word, Excel, PowerPoint compatible)
- Dedicated container with resource limits (1GB RAM, 2 CPUs)
- Domain: office.{client}.vrije.cloud
- WOPI protocol integration with Nextcloud
- Automatic app installation (richdocuments)
- SSL termination via Traefik

### 2. Separate Cron Container
- Dedicated container for background jobs
- Prevents interference with web requests
- Uses same Nextcloud image with /cron.sh entrypoint
- Shares data volume with main container

### 3. Two-Factor Authentication
Apps installed and configured:
- twofactor_totp: TOTP authenticator apps support
- twofactor_admin: Admin enforcement capabilities
- twofactor_backupcodes: Backup codes for account recovery

Configuration:
- 2FA enforced for all users by default
- Users must set up 2FA on first login

### 4. Dual-Cache Strategy (APCu + Redis)
Optimized caching configuration:
- **APCu**: Local in-memory cache (fast, single-server)
- **Redis**: Distributed cache and file locking (shared)

Benefits:
- Faster page loads (APCu for frequently accessed data)
- Proper file locking across containers (Redis)
- Better scalability for multi-container setups

### 5. Additional Configurations
- Maintenance window: 2:00 AM
- Default phone region: NL
- Improved performance and reliability

## Technical Changes

### Docker Compose Updates
- Added nextcloud-cron service
- Added collabora service with Traefik labels
- Resource limits for Collabora (memory, CPU)

### Ansible Tasks
- New file: `tasks/apps.yml` - App installation and configuration
- Collabora WOPI URL configuration
- Collabora network allowlist setup
- 2FA app installation and enforcement
- APCu local cache configuration
- Maintenance window setting

### Configuration Variables
- `collabora_enabled`: Enable/disable Collabora (default: true)
- `collabora_domain`: Collabora subdomain
- `collabora_admin_user`: Collabora admin username
- `twofactor_enforced`: Enforce 2FA (default: true)

## Documentation

Added comprehensive setup guide:
- `docs/COLLABORA_SETUP.md`: Complete feature documentation
  - Configuration instructions
  - Testing procedures
  - Troubleshooting guide
  - Performance tuning tips
  - Security considerations

## Manual Step Required

Add Collabora admin password to secrets:

```bash
cd infrastructure
export SOPS_AGE_KEY_FILE="$PWD/keys/age-key.txt"
sops secrets/clients/test.sops.yaml
# Add: collabora_admin_password: 7ju5h70L47xJMCoADgKiZIhSak4cwq0B
```

Then redeploy to apply all changes.

## Testing Checklist

- [ ] Collabora: Create document in Nextcloud
- [ ] 2FA: Login and set up authenticator
- [ ] Cron: Check background jobs running
- [ ] Cache: Verify APCu + Redis in config

## Performance Impact

Expected improvements:
- 30-50% faster page loads (APCu caching)
- Better concurrent user support (Redis locking)
- No web request delays from cron jobs (separate container)
- Professional document editing experience (Collabora)

Partially addresses #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-06 10:34:42 +01:00

Pieter

93ce586b94

Deploy Nextcloud file sync/share with automated installation (#4 )

This commit implements a complete Nextcloud deployment with PostgreSQL, Redis,
automated installation, and preparation for OIDC/SSO integration with Zitadel.

## Nextcloud Deployment

### New Ansible Role (ansible/roles/nextcloud/)
- Complete Nextcloud v30 deployment with Docker Compose
- PostgreSQL 16 backend with persistent volumes
- Redis 7 for caching and file locking
- Automated installation via Docker environment variables
- Post-installation configuration via occ commands

### Features Implemented
- **Database**: PostgreSQL with proper credentials and persistence
- **Caching**: Redis for memory caching and file locking
- **HTTPS**: Traefik integration with Let's Encrypt SSL
- **Security**: Proper security headers and HSTS
- **WebDAV**: CalDAV/CardDAV redirect middleware
- **Configuration**: Automated trusted domain, reverse proxy, and Redis setup
- **OIDC Preparation**: user_oidc app installed and enabled

### Traefik Updates
- Added Nextcloud routing to dynamic.yml (static file-based config)
- Configured CalDAV/CardDAV redirect middleware
- Added Nextcloud-specific security headers

### Configuration Tasks
- Automated trusted domain configuration for nextcloud.test.vrije.cloud
- Reverse proxy overwrite settings (protocol, host, CLI URL)
- Redis cache and locking configuration
- Default phone region (NL)
- Background jobs via cron

## Deployment Status

✅ Successfully deployed and tested:
- Nextcloud: https://nextcloud.test.vrije.cloud/
- Admin login working
- PostgreSQL database initialized
- Redis caching operational
- HTTPS with Let's Encrypt SSL
- user_oidc app installed (ready for Zitadel integration)

## Next Steps

To complete OIDC/SSO integration:
1. Create OIDC application in Zitadel console
2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code
3. Configure provider in Nextcloud with Zitadel credentials

Partially addresses #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-06 09:30:54 +01:00

3 commits