Post-Tyranny-Tech-Infrastructure

Post-X-Society/Post-Tyranny-Tech-Infrastructure

Fork 0

Commit graph

Author	SHA1	Message	Date
Pieter	b6c9fa666d	chore: Post-workshop state - January 23rd, 2026 This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-23 20:36:31 +01:00
Pieter	4e72ddf4ef	Complete Ansible base configuration (#2 ) Completed Issue #2: Ansible Base Configuration All objectives met: - ✅ Hetzner Cloud dynamic inventory (hcloud plugin) - ✅ Common role (SSH hardening, UFW firewall, fail2ban, auto-updates) - ✅ Docker role (Docker Engine + Compose + networks) - ✅ Traefik role (reverse proxy with Let's Encrypt SSL) - ✅ Setup playbook (orchestrates all base roles) - ✅ Successfully tested on live test server (91.99.210.204) Additional improvements: - Fixed ansible.cfg for Ansible 2.20+ compatibility - Updated ADR dates to 2025 - All roles follow Infrastructure Agent patterns Test Results: - SSH hardening applied (key-only auth) - UFW firewall active (ports 22, 80, 443) - Fail2ban protecting SSH - Automatic security updates enabled - Docker running with traefik network - Traefik deployed and ready for SSL Files added: - ansible/playbooks/setup.yml - ansible/roles/docker/* (complete) - ansible/roles/traefik/* (complete) Closes #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-27 14:13:15 +01:00
Pieter	171cbfbb32	WIP: Ansible base configuration - common role (#2 ) Progress on Issue #2: Ansible Base Configuration Completed: - ✅ Ansible installed via pipx (isolated Python environment) - ✅ Hetzner Cloud dynamic inventory configured - ✅ Ansible configuration (ansible.cfg) - ✅ Common role for base system hardening: - SSH hardening (key-only, no root password) - UFW firewall configuration - Fail2ban for SSH protection - Automatic security updates - Timezone and system packages - ✅ Comprehensive Ansible README with setup guide Architecture Updates: - Added Decision #15: pipx for isolated Python environments - Updated ADR changelog with pipx adoption Still TODO for #2: - Docker role - Traefik role - Setup playbook - Deploy playbook - Testing against live server Files added: - ansible/README.md - Complete Ansible guide - ansible/ansible.cfg - Ansible configuration - ansible/hcloud.yml - Hetzner dynamic inventory - ansible/roles/common/* - Base hardening role Partial progress on #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-27 14:00:22 +01:00

Author

SHA1

Message

Date

Pieter

b6c9fa666d

chore: Post-workshop state - January 23rd, 2026

This commit captures the infrastructure state immediately following
the "Post-Tyranny Tech" workshop on January 23rd, 2026.

Infrastructure Status:
- 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos,
  haas, wolf, ree, mees, mus, mol, kikker)
- Services: Authentik SSO, Nextcloud, Collabora Office, Traefik
- Private network architecture with edge NAT gateway
- OIDC integration between Authentik and Nextcloud
- Automated recovery flows and invitation system
- Container update monitoring with Diun
- Uptime monitoring with Uptime Kuma

Changes include:
- Multiple new client host configurations
- Network architecture improvements (private IPs + NAT)
- DNS management automation
- Container update notifications
- Email configuration via Mailgun
- SSH key generation for all clients
- Encrypted secrets for all deployments
- Health check and diagnostic scripts

Known Issues to Address:
- Nextcloud version pinned to v30 (should use 'latest' or v32)
- Zitadel references in templates (migrated to Authentik but templates not updated)
- Traefik dynamic config has obsolete static routes

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-23 20:36:31 +01:00

Pieter

4e72ddf4ef

Complete Ansible base configuration (#2 )

Completed Issue #2: Ansible Base Configuration

All objectives met:
- ✅ Hetzner Cloud dynamic inventory (hcloud plugin)
- ✅ Common role (SSH hardening, UFW firewall, fail2ban, auto-updates)
- ✅ Docker role (Docker Engine + Compose + networks)
- ✅ Traefik role (reverse proxy with Let's Encrypt SSL)
- ✅ Setup playbook (orchestrates all base roles)
- ✅ Successfully tested on live test server (91.99.210.204)

Additional improvements:
- Fixed ansible.cfg for Ansible 2.20+ compatibility
- Updated ADR dates to 2025
- All roles follow Infrastructure Agent patterns

Test Results:
- SSH hardening applied (key-only auth)
- UFW firewall active (ports 22, 80, 443)
- Fail2ban protecting SSH
- Automatic security updates enabled
- Docker running with traefik network
- Traefik deployed and ready for SSL

Files added:
- ansible/playbooks/setup.yml
- ansible/roles/docker/* (complete)
- ansible/roles/traefik/* (complete)

Closes #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-12-27 14:13:15 +01:00

Pieter

171cbfbb32

WIP: Ansible base configuration - common role (#2 )

Progress on Issue #2: Ansible Base Configuration

Completed:
- ✅ Ansible installed via pipx (isolated Python environment)
- ✅ Hetzner Cloud dynamic inventory configured
- ✅ Ansible configuration (ansible.cfg)
- ✅ Common role for base system hardening:
  - SSH hardening (key-only, no root password)
  - UFW firewall configuration
  - Fail2ban for SSH protection
  - Automatic security updates
  - Timezone and system packages
- ✅ Comprehensive Ansible README with setup guide

Architecture Updates:
- Added Decision #15: pipx for isolated Python environments
- Updated ADR changelog with pipx adoption

Still TODO for #2:
- Docker role
- Traefik role
- Setup playbook
- Deploy playbook
- Testing against live server

Files added:
- ansible/README.md - Complete Ansible guide
- ansible/ansible.cfg - Ansible configuration
- ansible/hcloud.yml - Hetzner dynamic inventory
- ansible/roles/common/* - Base hardening role

Partial progress on #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-12-27 14:00:22 +01:00

3 commits