Update README with user adjustments

🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Add MIT License to project
2026-01-27 09:04:10 +01:00 · 2026-01-27 08:46:45 +01:00 · 2026-01-26 09:17:08 +01:00 · 2026-01-24 13:16:25 +01:00 · 2026-01-24 12:44:54 +01:00 · 2026-01-23 21:41:14 +01:00
109 changed files with 7030 additions and 2002 deletions
--- a/.claude/agents/architect.md
+++ b/.claude/agents/architect.md
@ -37,7 +37,7 @@ High-level guardian of the infrastructure architecture, ensuring consistency, ma
 | Secrets | SOPS + Age | Simple, no server needed |
 | Hosting | Hetzner | German, family-owned, GDPR |
 | DNS | Hetzner DNS | Single provider simplicity |
-| Identity | Zitadel | Swiss company, AGPL |
+| Identity | Authentik | German project lead |
 | File Sync | Nextcloud | German company, AGPL |
 | Reverse Proxy | Traefik | French company, MIT |
 | Backup | Restic → Hetzner Storage Box | Open source, EU storage |
@ -48,13 +48,13 @@ High-level guardian of the infrastructure architecture, ensuring consistency, ma
 ### Does NOT Handle
 - Writing OpenTofu configurations (→ Infrastructure Agent)
 - Writing Ansible playbooks or roles (→ Infrastructure Agent)
- Zitadel-specific configuration (→ Zitadel Agent)
+- Authentik-specific configuration (→ Authentik Agent)
 - Nextcloud-specific configuration (→ Nextcloud Agent)
 - Debugging application issues (→ respective App Agent)
 ### Defers To
 - **Infrastructure Agent**: All IaC implementation questions
- **Zitadel Agent**: Identity, SSO, OIDC specifics
+- **Authentik Agent**: Identity, SSO, OIDC specifics
 - **Nextcloud Agent**: Nextcloud features, `occ` commands
 ### Escalates When
@ -138,6 +138,3 @@ When reviewing proposed changes, verify:
 **Good prompt:** "Review this PR that adds a new Ansible role"
 **Response approach:** Check role follows conventions, doesn't violate isolation, uses SOPS for secrets, aligns with existing patterns.
 **Redirect prompt:** "How do I configure Zitadel OIDC scopes?"
 **Response:** "This is a Zitadel-specific question. Please ask the Zitadel Agent. I can help if you need to understand how it fits into the overall architecture."
--- a/.claude/agents/infrastructure.md
+++ b/.claude/agents/infrastructure.md
@ -46,7 +46,7 @@ Implements and maintains all Infrastructure as Code, including OpenTofu configur
 ## Boundaries
 ### Does NOT Handle
- Zitadel application configuration (→ Zitadel Agent)
+- Authentik application configuration (→ Authentik Agent)
 - Nextcloud application configuration (→ Nextcloud Agent)
 - Architecture decisions (→ Architect Agent)
 - Application-specific Docker compose sections (→ respective App Agent)
@ -58,7 +58,7 @@ Implements and maintains all Infrastructure as Code, including OpenTofu configur
 ### Defers To
 - **Architect Agent**: Technology choices, principle questions
- **Zitadel Agent**: Zitadel container config, bootstrap logic
+- **Authentik Agent**: Authentik container config, bootstrap logic
 - **Nextcloud Agent**: Nextcloud container config, `occ` commands
 ## Key Files (Owns)
@ -170,8 +170,8 @@ output "client_ips" {
    - role: common
    - role: docker
    - role: traefik
-    - role: zitadel
+    - role: authentik
-      when: "'zitadel' in apps"
+      when: "'authentik' in apps"
    - role: nextcloud
      when: "'nextcloud' in apps"
    - role: backup
@ -291,6 +291,3 @@ backup_retention_daily: 7
 **Good prompt:** "Set up the common Ansible role for base system hardening"
 **Response approach:** Create role with tasks for SSH, firewall, unattended-upgrades, fail2ban, following conventions.
 **Redirect prompt:** "How do I configure Zitadel to create an OIDC application?"
 **Response:** "Zitadel configuration is handled by the Zitadel Agent. I can set up the Ansible role structure and Docker Compose skeleton - the Zitadel Agent will fill in the application-specific configuration."
--- a/.gitignore
+++ b/.gitignore
@ -3,7 +3,9 @@ secrets/**/*.yaml
 secrets/**/*.yml
 !secrets/**/*.sops.yaml
 !secrets/.sops.yaml
 secrets/clients/*.sops.yaml
 keys/age-key.txt
 keys/ssh/
 *.key
 *.pem
@ -12,12 +14,16 @@ tofu/.terraform/
 tofu/.terraform.lock.hcl
 tofu/terraform.tfstate
 tofu/terraform.tfstate.backup
 tofu/terraform.tfstate.*.backup
 tofu/*.tfvars
 !tofu/terraform.tfvars.example
 tofu/*.tfplan
 tofu/tfplan
 # Ansible
 ansible/*.retry
 ansible/.vault_pass
 ansible/host_vars/
 # OS files
 .DS_Store
@ -61,3 +67,8 @@ temp/
 scripts/*-test*.py
 scripts/test-*.py
 **/test-oidc-provider.py
 # Documentation/reports (except README.md)
 *.md
 !README.md
 docs/
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 MIT License
 Copyright (c) 2026 Post-X Society
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/PROJECT_REFERENCE.md
+++ b/PROJECT_REFERENCE.md
@ -1,119 +0,0 @@
 # Project Reference
 Quick reference for essential project information and common operations.
 ## Project Structure
 ```
 infrastructure/
 ├── ansible/              # Ansible playbooks and roles
 │   ├── hcloud.yml       # Dynamic inventory (Hetzner Cloud)
 │   ├── playbooks/       # Main playbooks
 │   │   ├── deploy.yml   # Deploy applications to clients
 │   │   └── setup.yml    # Setup base server infrastructure
 │   └── roles/           # Ansible roles (traefik, authentik, nextcloud, etc.)
 ├── keys/
 │   └── age-key.txt      # SOPS encryption key (gitignored)
 ├── secrets/
 │   ├── clients/         # Per-client encrypted secrets
 │   │   └── test.sops.yaml
 │   └── shared.sops.yaml # Shared secrets
 └── terraform/           # Infrastructure as Code (Hetzner)
 ```
 ## Essential Configuration
 ### SOPS Age Key
 **Location**: `infrastructure/keys/age-key.txt`
 **Usage**: Always set before running Ansible:
 ```bash
 export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
 ```
 ### Hetzner Cloud Token
 **Usage**: Required for dynamic inventory:
 ```bash
 export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
 ```
 ### Ansible Paths
 **Working Directory**: `infrastructure/ansible/`
 **Inventory**: `hcloud.yml` (dynamic, pulls from Hetzner Cloud API)
 **Python**: `~/.local/bin/ansible-playbook` (user-local installation)
 ## Current Deployment
 ### Client: test
 - **Hostname**: test (from Hetzner Cloud)
 - **Authentik SSO**: https://auth.test.vrije.cloud
 - **Nextcloud**: https://nextcloud.test.vrije.cloud
 - **Secrets**: `secrets/clients/test.sops.yaml`
 ## Common Operations
 ### Deploy Applications
 ```bash
 cd infrastructure/ansible
 export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
 export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
 # Deploy everything to test client
 ~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit test
 ```
 ### Check Service Status
 ```bash
 # List inventory hosts
 export HCLOUD_TOKEN="..."
 ~/.local/bin/ansible-inventory -i hcloud.yml --list
 # Run ad-hoc commands
 ~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker ps"
 ~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker logs nextcloud 2>&1 | tail -50"
 ```
 ### Edit Secrets
 ```bash
 cd infrastructure
 export SOPS_AGE_KEY_FILE="keys/age-key.txt"
 # Edit client secrets
 sops secrets/clients/test.sops.yaml
 # View decrypted secrets
 sops --decrypt secrets/clients/test.sops.yaml
 ```
 ## Architecture Notes
 ### Service Stack
 - **Traefik**: Reverse proxy with automatic Let's Encrypt certificates
 - **Authentik 2025.10.3**: Identity provider (OAuth2/OIDC, SAML, LDAP)
 - **PostgreSQL 16**: Database for Authentik
 - **Nextcloud 30.0.17**: File sync and collaboration
 - **Redis**: Caching for Nextcloud
 - **MariaDB**: Database for Nextcloud
 ### Docker Networks
 - `traefik`: External network for all web-accessible services
 - `authentik-internal`: Internal network for Authentik ↔ PostgreSQL
 - `nextcloud-internal`: Internal network for Nextcloud ↔ Redis/DB
 ### Volumes
 - `authentik_authentik-db-data`: Authentik PostgreSQL data
 - `authentik_authentik-media`: Authentik uploaded media
 - `authentik_authentik-templates`: Custom Authentik templates
 - `nextcloud_nextcloud-data`: Nextcloud files and database
 ## Service Credentials
 ### Authentik Admin
 - **URL**: https://auth.test.vrije.cloud
 - **Setup**: Complete initial setup at `/if/flow/initial-setup/`
 - **Username**: akadmin (recommended)
 ### Nextcloud Admin
 - **URL**: https://nextcloud.test.vrije.cloud
 - **Username**: admin
 - **Password**: In `secrets/clients/test.sops.yaml` → `nextcloud_admin_password`
 - **SSO**: Login with Authentik button (auto-configured)
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
-# Post-X Society Multi-Tenant Infrastructure
+# De Vrije Cloud: Post-Tyranny Tech Multi-Tenant Infrastructure
-Infrastructure as Code for a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.
+Infrastructure as Code for our "[Vrije Cloud](https://www.vrije.cloud)" a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.
 ## 🏗️ Architecture
@ -38,21 +38,35 @@ infrastructure/
 **The fastest way to deploy a client:**
 ```bash
-# 1. Set environment variables
+# 1. Ensure SOPS Age key is available (if not set)
 export HCLOUD_TOKEN="your-hetzner-api-token"
 export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
-# 2. Deploy client (fully automated, ~10-15 minutes)
+# 2. Add client to terraform.tfvars
-./scripts/deploy-client.sh <client_name>
+# clients = {
 #   newclient = {
 #     server_type = "cx22"
 #     location    = "fsn1"
 #     subdomain   = "newclient"
 #     apps        = ["authentik", "nextcloud"]
 #   }
 # }
 # 3. Deploy client (fully automated, ~10-15 minutes)
 # The script automatically loads the Hetzner API token from SOPS
 ./scripts/deploy-client.sh newclient
 ```
-This automatically:
+**Note**: The Hetzner API token is now stored encrypted in `secrets/shared.sops.yaml` and loaded automatically by all scripts. No need to manually set `HCLOUD_TOKEN`.
- ✅ Provisions VPS on Hetzner Cloud
+
- ✅ Deploys Authentik (SSO/identity provider)
+The script will automatically:
- ✅ Deploys Nextcloud (file storage)
+- ✅ Generate unique SSH key pair (if missing)
- ✅ Configures OAuth2/OIDC integration
+- ✅ Create secrets file from template (if missing, opens in editor)
- ✅ Sets up SSL certificates
+- ✅ Provision VPS on Hetzner Cloud
- ✅ Creates admin accounts
+- ✅ Deploy Authentik (SSO/identity provider)
 - ✅ Deploy Nextcloud (file storage)
 - ✅ Configure OAuth2/OIDC integration
 - ✅ Set up SSL certificates
 - ✅ Create admin accounts
 **Result**: Fully functional system, ready to use immediately!
@ -128,40 +142,11 @@ See [scripts/README.md](scripts/README.md) for detailed documentation.
 4. **Infrastructure as Code**: All changes via version control
 5. **Security by default**: Encryption, hardening, least privilege
 ## 📖 Documentation
 - **[PROJECT_REFERENCE.md](PROJECT_REFERENCE.md)** - Essential information and common operations
 - **[scripts/README.md](scripts/README.md)** - Management scripts documentation
 - **[AUTOMATION_STATUS.md](docs/AUTOMATION_STATUS.md)** - Full automation details
 - [Architecture Decision Record](docs/architecture-decisions.md) - Complete design rationale
 - [SSO Automation](docs/sso-automation.md) - OAuth2/OIDC integration workflow
 - [Agent Definitions](.claude/agents/) - Specialized AI agent instructions
 ## 🤝 Contributing
 This project uses specialized AI agents for development:
 - **Architect**: High-level design decisions
 - **Infrastructure**: OpenTofu + Ansible implementation
 - **Authentik**: Identity provider and SSO configuration
 - **Nextcloud**: File sync/share configuration
 See individual agent files in `.claude/agents/` for responsibilities.
 ## 🔒 Security
 - Secrets are encrypted with SOPS + Age before committing
 - Age private keys are **NEVER** stored in this repository
 - See `.gitignore` for protected files
 ## 📝 License
-TBD
+MIT License - see [LICENSE](LICENSE) for details
 ## 🙋 Support
-For issues or questions, please create a GitHub issue with the appropriate label:
+For issues or questions, please create am issue or contact us on [vrijecloud@postxsociety.org](mailto:vrijecloud@postxsociety.org)
- `agent:architect` - Architecture/design questions
+
 - `agent:infrastructure` - IaC implementation
 - `agent:authentik` - Identity provider/SSO
 - `agent:nextcloud` - File sync/share
--- a/ansible/README.md
+++ b/ansible/README.md
@ -84,7 +84,7 @@ ansible/
 │   ├── common/              # Base system hardening
 │   ├── docker/              # Docker + Docker Compose
 │   ├── traefik/             # Reverse proxy
-│   ├── zitadel/             # Identity provider
+│   ├── authentik/           # Identity provider (OAuth2/OIDC SSO)
 │   ├── nextcloud/           # File sync/share
 │   └── backup/              # Restic backup
 └── group_vars/              # Group variables
@ -120,8 +120,8 @@ Reverse proxy with automatic SSL:
 - HTTP to HTTPS redirection
 - Dashboard (optional)
-### zitadel
+### authentik
-Identity provider deployment (see Zitadel Agent for details)
+Identity provider deployment (OAuth2/OIDC SSO)
 ### nextcloud
 File sync/share deployment (see Nextcloud Agent for details)
@ -273,10 +273,9 @@ ansible-playbook playbooks/setup.yml -vvv  # Very verbose
 ## Next Steps
 After initial setup:
-1. Deploy Zitadel: Follow Zitadel Agent instructions
+1. Deploy applications: Run `playbooks/deploy.yml` to deploy Authentik and Nextcloud
-2. Deploy Nextcloud: Follow Nextcloud Agent instructions
+2. Configure backups: Use `backup` role
-3. Configure backups: Use `backup` role
+3. Set up monitoring: Configure Uptime Kuma
 4. Set up monitoring: Configure Uptime Kuma
 ## Resources
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -1,6 +1,6 @@
 [defaults]
 # Inventory configuration
-inventory = hcloud.yml
+# inventory = hcloud.yml  # Disabled - use -i flag instead
 host_key_checking = False
 interpreter_python = auto_silent
@ -26,8 +26,8 @@ timeout = 30
 roles_path = ./roles
 [inventory]
-# Enable Hetzner Cloud dynamic inventory plugin
+# Enable inventory plugins
-enable_plugins = hetzner.hcloud.hcloud
+enable_plugins = hetzner.hcloud.hcloud, ini, yaml, auto
 [privilege_escalation]
 become = True
@ -37,4 +37,4 @@ become_ask_pass = False
 [ssh_connection]
 pipelining = True
-ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes
--- a/ansible/inventory-temp.ini
+++ b/ansible/inventory-temp.ini
@ -0,0 +1,4 @@
 [clients]
 valk ansible_host=78.47.191.38 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/valk
 kikker ansible_host=23.88.124.67 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/kikker
 das ansible_host=49.13.49.246 ansible_user=root ansible_ssh_private_key_file=../keys/ssh/das
--- a/ansible/inventory-temp.yml
+++ b/ansible/inventory-temp.yml
@ -0,0 +1,8 @@
 all:
  children:
    clients:
      hosts:
        valk:
          ansible_host: 78.47.191.38
          ansible_user: root
          ansible_ssh_private_key_file: ../keys/ssh/valk
--- a/ansible/playbooks/260123-configure-diun-webhook.yml
+++ b/ansible/playbooks/260123-configure-diun-webhook.yml
@ -0,0 +1,124 @@
 ---
 # Configure Diun to use webhook notifications instead of email
 # This playbook updates all servers to send container update notifications
 # to a Matrix room via webhook instead of individual emails per server
 #
 # Usage:
 #   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml
 #
 # Or for specific servers:
 #   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml --limit das,uil,vos
 - name: Configure Diun webhook notifications on all servers
  hosts: all
  become: yes
  vars:
    # Diun base configuration (from role defaults)
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false
    # Schedule: Daily at 6am UTC
    diun_schedule: "0 6 * * *"
    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json
    # Disable email notifications
    diun_email_enabled: false
    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"
    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""
  pre_tasks:
    - name: Gather facts
      setup:
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true
    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Daily at 6am UTC)
    - name: Deploy Diun configuration with webhook
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun
    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
    - name: Wait for Diun to start
      pause:
        seconds: 5
    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false
    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
--- a/ansible/playbooks/260123-upgrade-nextcloud-stage-v2.yml
+++ b/ansible/playbooks/260123-upgrade-nextcloud-stage-v2.yml
@ -0,0 +1,123 @@
 ---
 # Nextcloud Upgrade Stage Task File (Fixed Version)
 # This file is included by 260123-upgrade-nextcloud-v2.yml for each upgrade stage
 # Do not run directly
 #
 # Improvements:
 # - Better version detection (actual running version)
 # - Proper error handling
 # - Clearer status messages
 # - Maintenance mode handling
 - name: "Stage {{ stage.stage }}: Starting v{{ stage.from }} → v{{ stage.to }}"
  debug:
    msg: |
      ============================================================
      Stage {{ stage.stage }}: Upgrading v{{ stage.from }} → v{{ stage.to }}
      ============================================================
 - name: "Stage {{ stage.stage }}: Get current running version"
  shell: docker exec -u www-data nextcloud php occ status --output=json
  register: stage_version_check
  changed_when: false
 - name: "Stage {{ stage.stage }}: Parse current version"
  set_fact:
    stage_current: "{{ (stage_version_check.stdout | from_json).versionstring }}"
 - name: "Stage {{ stage.stage }}: Display current version"
  debug:
    msg: "Currently running: v{{ stage_current }}"
 - name: "Stage {{ stage.stage }}: Check if already on target version"
  debug:
    msg: "✓ Already on v{{ stage_current }} - skipping this stage"
  when: stage_current is version(stage.to, '>=')
 - name: "Stage {{ stage.stage }}: Skip if already upgraded"
  meta: end_play
  when: stage_current is version(stage.to, '>=')
 - name: "Stage {{ stage.stage }}: Verify version is compatible"
  fail:
    msg: "Cannot upgrade from v{{ stage_current }} (expected v{{ stage.from }}.x)"
  when: stage_current is version(stage.from, '<') or (stage_current is version(stage.to, '>='))
 - name: "Stage {{ stage.stage }}: Update docker-compose.yml to v{{ stage.to }}"
  replace:
    path: "{{ nextcloud_base_dir }}/docker-compose.yml"
    regexp: 'image:\s*nextcloud:{{ stage.from }}'
    replace: 'image: nextcloud:{{ stage.to }}'
 - name: "Stage {{ stage.stage }}: Verify docker-compose.yml was updated"
  shell: grep "image{{ ':' }} nextcloud{{ ':' }}{{ stage.to }}" {{ nextcloud_base_dir }}/docker-compose.yml
  register: compose_verify
  changed_when: false
  failed_when: compose_verify.rc != 0
 - name: "Stage {{ stage.stage }}: Pull Nextcloud v{{ stage.to }} image"
  shell: docker pull nextcloud:{{ stage.to }}
  register: image_pull
  changed_when: "'Downloaded' in image_pull.stdout or 'Pulling' in image_pull.stdout or 'Downloaded newer' in image_pull.stderr"
 - name: "Stage {{ stage.stage }}: Stop containers before upgrade"
  community.docker.docker_compose_v2:
    project_src: "{{ nextcloud_base_dir }}"
    state: stopped
 - name: "Stage {{ stage.stage }}: Start containers with new version"
  community.docker.docker_compose_v2:
    project_src: "{{ nextcloud_base_dir }}"
    state: present
 - name: "Stage {{ stage.stage }}: Wait for Nextcloud container to be ready"
  shell: |
    count=0
    max_attempts=60
    while [ $count -lt $max_attempts ]; do
      if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
        echo "Container ready after $count attempts"
        exit 0
      fi
      sleep 5
      count=$((count + 1))
    done
    echo "Timeout waiting for container after $max_attempts attempts"
    exit 1
  register: container_ready
  changed_when: false
 - name: "Stage {{ stage.stage }}: Run occ upgrade"
  shell: docker exec -u www-data nextcloud php occ upgrade --no-interaction
  register: occ_upgrade
  changed_when: "'Update successful' in occ_upgrade.stdout or 'upgraded' in occ_upgrade.stdout"
  failed_when:
    - occ_upgrade.rc != 0
    - "'already latest version' not in occ_upgrade.stdout"
    - "'No upgrade required' not in occ_upgrade.stdout"
 - name: "Stage {{ stage.stage }}: Display upgrade output"
  debug:
    msg: "{{ occ_upgrade.stdout_lines }}"
 - name: "Stage {{ stage.stage }}: Verify upgrade succeeded"
  shell: docker exec -u www-data nextcloud php occ status --output=json
  register: stage_verify
  changed_when: false
 - name: "Stage {{ stage.stage }}: Parse upgraded version"
  set_fact:
    stage_upgraded: "{{ (stage_verify.stdout | from_json).versionstring }}"
 - name: "Stage {{ stage.stage }}: Check upgrade was successful"
  fail:
    msg: "Upgrade to v{{ stage.to }} failed - still on v{{ stage_upgraded }}"
  when: stage_upgraded is version(stage.to, '<')
 - name: "Stage {{ stage.stage }}: Success"
  debug:
    msg: |
      ============================================================
      ✓ Stage {{ stage.stage }} completed successfully
      Upgraded from v{{ stage_current }} to v{{ stage_upgraded }}
      ============================================================
--- a/ansible/playbooks/260123-upgrade-nextcloud-v2.yml
+++ b/ansible/playbooks/260123-upgrade-nextcloud-v2.yml
@ -0,0 +1,378 @@
 ---
 # Nextcloud Major Version Upgrade Playbook (Fixed Version)
 # Created: 2026-01-23
 # Purpose: Safely upgrade Nextcloud from v30 to v32 via v31 (staged upgrade)
 #
 # Usage:
 #   cd ansible/
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/260123-upgrade-nextcloud-v2.yml --limit <server> \
 #     --private-key "../keys/ssh/<server>"
 #
 # Requirements:
 #   - HCLOUD_TOKEN environment variable set
 #   - SSH access to target server
 #   - Sufficient disk space for backups
 #
 # Improvements over v1:
 #   - Idempotent: can be re-run safely after failures
 #   - Better version state tracking (reads actual running version)
 #   - Proper maintenance mode handling
 #   - Stage skipping if already on target version
 #   - Better error messages and rollback instructions
 - name: Upgrade Nextcloud from v30 to v32 (staged)
  hosts: all
  become: true
  gather_facts: true
  vars:
    nextcloud_base_dir: "/opt/nextcloud"
    backup_dir: "/root/nextcloud-backup-{{ ansible_date_time.iso8601_basic_short }}"
    target_version: "32"
  tasks:
    # ============================================================
    # PRE-UPGRADE CHECKS
    # ============================================================
    - name: Display upgrade plan
      debug:
        msg: |
          ============================================================
          Nextcloud Upgrade Plan - {{ inventory_hostname }}
          ============================================================
          Target: Nextcloud v{{ target_version }}
          Backup: {{ backup_dir }}
          This playbook will:
          1. Detect current version
          2. Create backup if needed
          3. Upgrade through required stages (v30→v31→v32)
          4. Skip stages already completed
          5. Re-enable apps and disable maintenance mode
          Estimated time: 10-20 minutes
          ============================================================
    - name: Check if Nextcloud is installed
      shell: docker ps --filter "name=^nextcloud$" --format "{{ '{{' }}.Names{{ '}}' }}"
      register: nextcloud_running
      changed_when: false
      failed_when: false
    - name: Fail if Nextcloud is not running
      fail:
        msg: "Nextcloud container is not running on {{ inventory_hostname }}"
      when: "'nextcloud' not in nextcloud_running.stdout"
    - name: Get current Nextcloud version
      shell: docker exec -u www-data nextcloud php occ status --output=json
      register: nextcloud_status
      changed_when: false
      failed_when: false
    - name: Parse Nextcloud status
      set_fact:
        nc_status: "{{ nextcloud_status.stdout | from_json }}"
      when: nextcloud_status.rc == 0
    - name: Handle Nextcloud in maintenance mode
      block:
        - name: Display maintenance mode warning
          debug:
            msg: "⚠ Nextcloud is in maintenance mode. Attempting to disable it..."
        - name: Disable maintenance mode if enabled
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
          register: maint_off
          changed_when: "'disabled' in maint_off.stdout"
        - name: Wait a moment for mode change
          pause:
            seconds: 2
        - name: Re-check status after disabling maintenance mode
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: nextcloud_status_retry
          changed_when: false
        - name: Update status
          set_fact:
            nc_status: "{{ nextcloud_status_retry.stdout | from_json }}"
      when: nextcloud_status.rc != 0 or (nc_status is defined and nc_status.maintenance | bool)
    - name: Display current version
      debug:
        msg: |
          Current: v{{ nc_status.versionstring }}
          Target: v{{ target_version }}
          Maintenance mode: {{ nc_status.maintenance }}
    - name: Check if already on target version
      debug:
        msg: "✓ Nextcloud is already on v{{ nc_status.versionstring }} - nothing to do"
      when: nc_status.versionstring is version(target_version, '>=')
    - name: End play if already upgraded
      meta: end_host
      when: nc_status.versionstring is version(target_version, '>=')
    - name: Check disk space
      shell: df -BG {{ nextcloud_base_dir }} | tail -1 | awk '{print $4}' | sed 's/G//'
      register: disk_space_gb
      changed_when: false
    - name: Verify sufficient disk space
      fail:
        msg: "Insufficient disk space: {{ disk_space_gb.stdout }}GB available, need at least 5GB"
      when: disk_space_gb.stdout | int < 5
    - name: Display available disk space
      debug:
        msg: "Available disk space: {{ disk_space_gb.stdout }}GB"
    # ============================================================
    # BACKUP PHASE (only if not already backed up)
    # ============================================================
    - name: Check if backup already exists
      stat:
        path: "{{ backup_dir }}"
      register: backup_exists
    - name: Skip backup if already exists
      debug:
        msg: "✓ Backup already exists at {{ backup_dir }} - skipping backup phase"
      when: backup_exists.stat.exists
    - name: Create backup
      block:
        - name: Create backup directory
          file:
            path: "{{ backup_dir }}"
            state: directory
            mode: '0700'
        - name: Enable maintenance mode for backup
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --on
          register: maintenance_on
          changed_when: "'enabled' in maintenance_on.stdout"
        - name: Backup Nextcloud database
          shell: |
            docker exec nextcloud-db pg_dump -U nextcloud nextcloud | gzip > {{ backup_dir }}/database.sql.gz
          args:
            creates: "{{ backup_dir }}/database.sql.gz"
        - name: Get database backup size
          stat:
            path: "{{ backup_dir }}/database.sql.gz"
          register: db_backup
        - name: Display database backup info
          debug:
            msg: "Database backup: {{ (db_backup.stat.size / 1024 / 1024) | round(2) }} MB"
        - name: Stop Nextcloud containers for volume backup
          community.docker.docker_compose_v2:
            project_src: "{{ nextcloud_base_dir }}"
            state: stopped
        - name: Backup Nextcloud app volume
          shell: |
            tar -czf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data .
          args:
            creates: "{{ backup_dir }}/nextcloud-app-volume.tar.gz"
        - name: Backup Nextcloud database volume
          shell: |
            tar -czf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data .
          args:
            creates: "{{ backup_dir }}/nextcloud-db-volume.tar.gz"
        - name: Copy current docker-compose.yml to backup
          copy:
            src: "{{ nextcloud_base_dir }}/docker-compose.yml"
            dest: "{{ backup_dir }}/docker-compose.yml.backup"
            remote_src: true
        - name: Display backup summary
          debug:
            msg: |
              ============================================================
              ✓ Backup completed: {{ backup_dir }}
              ============================================================
              To restore from backup if needed:
              1. cd {{ nextcloud_base_dir }} && docker compose down
              2. tar -xzf {{ backup_dir }}/nextcloud-app-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-app/_data
              3. tar -xzf {{ backup_dir }}/nextcloud-db-volume.tar.gz -C /var/lib/docker/volumes/nextcloud-db-data/_data
              4. cp {{ backup_dir }}/docker-compose.yml.backup {{ nextcloud_base_dir }}/docker-compose.yml
              5. cd {{ nextcloud_base_dir }} && docker compose up -d
              ============================================================
        - name: Restart containers after backup
          community.docker.docker_compose_v2:
            project_src: "{{ nextcloud_base_dir }}"
            state: present
        - name: Wait for Nextcloud to be ready
          shell: |
            count=0
            max_attempts=24
            while [ $count -lt $max_attempts ]; do
              if docker exec nextcloud curl -f http://localhost:80/status.php 2>/dev/null; then
                echo "Ready after $count attempts"
                exit 0
              fi
              sleep 5
              count=$((count + 1))
            done
            echo "Timeout after $max_attempts attempts"
            exit 1
          register: nextcloud_ready
          changed_when: false
        - name: Disable maintenance mode after backup
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
          register: maint_off_backup
          changed_when: "'disabled' in maint_off_backup.stdout"
      when: not backup_exists.stat.exists
    # ============================================================
    # DETERMINE UPGRADE PATH
    # ============================================================
    - name: Initialize stage counter
      set_fact:
        stage_number: 0
    # ============================================================
    # STAGED UPGRADE LOOP - Dynamic version checking
    # ============================================================
    - name: Stage 1 - Upgrade v30→v31 if needed
      block:
        - name: Get current version
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: version_check
          changed_when: false
        - name: Parse version
          set_fact:
            current_version: "{{ (version_check.stdout | from_json).versionstring }}"
        - name: Check if v30→v31 upgrade needed
          set_fact:
            needs_v31_upgrade: "{{ current_version is version('30', '>=') and current_version is version('31', '<') }}"
        - name: Perform v30→v31 upgrade
          include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
          vars:
            stage:
              from: "30"
              to: "31"
              stage: 1
          when: needs_v31_upgrade
    - name: Stage 2 - Upgrade v31→v32 if needed
      block:
        - name: Get current version
          shell: docker exec -u www-data nextcloud php occ status --output=json
          register: version_check
          changed_when: false
        - name: Parse version
          set_fact:
            current_version: "{{ (version_check.stdout | from_json).versionstring }}"
        - name: Check if v31→v32 upgrade needed
          set_fact:
            needs_v32_upgrade: "{{ current_version is version('31', '>=') and current_version is version('32', '<') }}"
        - name: Perform v31→v32 upgrade
          include_tasks: "{{ playbook_dir }}/260123-upgrade-nextcloud-stage-v2.yml"
          vars:
            stage:
              from: "31"
              to: "32"
              stage: 2
          when: needs_v32_upgrade
    # ============================================================
    # POST-UPGRADE
    # ============================================================
    - name: Get final version
      shell: docker exec -u www-data nextcloud php occ status --output=json
      register: final_status
      changed_when: false
    - name: Parse final version
      set_fact:
        final_version: "{{ (final_status.stdout | from_json).versionstring }}"
    - name: Verify upgrade to target version
      fail:
        msg: "Upgrade incomplete - on v{{ final_version }}, expected v{{ target_version }}.x"
      when: final_version is version(target_version, '<')
    - name: Run database optimizations
      shell: docker exec -u www-data nextcloud php occ db:add-missing-indices
      register: db_indices
      changed_when: false
      failed_when: false
    - name: Run bigint conversion
      shell: docker exec -u www-data nextcloud php occ db:convert-filecache-bigint --no-interaction
      register: db_bigint
      changed_when: false
      failed_when: false
      timeout: 600
    - name: Re-enable critical apps
      shell: |
        docker exec -u www-data nextcloud php occ app:enable user_oidc || true
        docker exec -u www-data nextcloud php occ app:enable richdocuments || true
      register: apps_enabled
      changed_when: false
    - name: Ensure maintenance mode is disabled
      shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
      register: final_maint_off
      changed_when: "'disabled' in final_maint_off.stdout"
      failed_when: false
    - name: Update docker-compose.yml to use latest tag
      replace:
        path: "{{ nextcloud_base_dir }}/docker-compose.yml"
        regexp: 'image:\s*nextcloud:\d+'
        replace: 'image: nextcloud:latest'
    - name: Display success message
      debug:
        msg: |
          ============================================================
          ✓ UPGRADE SUCCESSFUL!
          ============================================================
          Server: {{ inventory_hostname }}
          From: v30.x
          To: v{{ final_version }}
          Backup: {{ backup_dir }}
          Next steps:
          1. Test login: https://nextcloud.{{ client_domain }}
          2. Test OIDC: Click "Login with Authentik"
          3. Test file operations
          4. Test Collabora Office
          If all tests pass, remove backup:
            rm -rf {{ backup_dir }}
          docker-compose.yml now uses 'nextcloud:latest' tag
          ============================================================
--- a/ansible/playbooks/260124-configure-diun-watchrepo.yml
+++ b/ansible/playbooks/260124-configure-diun-watchrepo.yml
@ -0,0 +1,156 @@
 ---
 # Configure Diun to disable watchRepo and add Docker Hub authentication
 # This playbook updates all servers to:
 # - Only watch specific image tags (not entire repositories) to reduce API calls
 # - Add Docker Hub authentication for higher rate limits
 #
 # Background:
 # - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
 # - watchRepo: false only checks the specific tag being used (1-2 API calls)
 # - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
 #
 # Usage:
 #   cd ansible/
 #   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
 #     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
 #
 # Or for specific servers:
 #   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
 #     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
 #     --limit das,uil,vos --private-key "../keys/ssh/das"
 - name: Configure Diun watchRepo and Docker Hub authentication
  hosts: all
  become: yes
  vars:
    # Diun base configuration
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false
    # Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
    diun_schedule: "0 6 * * 1"
    # Disable watchRepo - only check the specific tags we're using
    diun_watch_repo: false
    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json
    # Disable email notifications
    diun_email_enabled: false
    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"
    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""
  pre_tasks:
    - name: Gather facts
      setup:
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true
    - name: Set Docker Hub credentials for higher rate limits
      set_fact:
        diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
        diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
      no_log: true
    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
          - Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
          - Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}
    - name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun
    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
    - name: Wait for Diun to start
      pause:
        seconds: 5
    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false
    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
    - name: Verify Diun configuration
      shell: docker exec diun cat /diun.yml | grep -E "(watchRepo|regopts)" || echo "Config deployed"
      register: diun_config_check
      changed_when: false
    - name: Display configuration verification
      debug:
        msg: |
          Configuration applied on {{ inventory_hostname }}:
          {{ diun_config_check.stdout }}
  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted
--- a/ansible/playbooks/260124-nextcloud-maintenance.yml
+++ b/ansible/playbooks/260124-nextcloud-maintenance.yml
@ -0,0 +1,151 @@
 ---
 # Nextcloud Maintenance Playbook
 # Created: 2026-01-24
 # Purpose: Run database and file maintenance tasks on Nextcloud instances
 #
 # This playbook performs:
 #   1. Add missing database indices (improves query performance)
 #   2. Update mimetypes database (ensures proper file type handling)
 #
 # Usage:
 #   cd ansible/
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/nextcloud-maintenance.yml --limit <server> \
 #     --private-key "../keys/ssh/<server>"
 #
 #   To run on all servers:
 #   HCLOUD_TOKEN="..." ansible-playbook -i hcloud.yml \
 #     playbooks/nextcloud-maintenance.yml \
 #     --private-key "../keys/ssh/<server>"
 #
 # Requirements:
 #   - HCLOUD_TOKEN environment variable set
 #   - SSH access to target server(s)
 #   - Nextcloud container must be running
 - name: Nextcloud Maintenance Tasks
  hosts: all
  become: true
  gather_facts: true
  vars:
    nextcloud_container: "nextcloud"
  tasks:
    # ============================================================
    # PRE-CHECK
    # ============================================================
    - name: Display maintenance plan
      debug:
        msg: |
          ============================================================
          Nextcloud Maintenance - {{ inventory_hostname }}
          ============================================================
          This playbook will:
          1. Add missing database indices
          2. Update mimetypes database
          3. Display results
          Estimated time: 1-3 minutes per server
          ============================================================
    - name: Check if Nextcloud container is running
      shell: docker ps --filter "name=^{{ nextcloud_container }}$" --format "{{ '{{' }}.Names{{ '}}' }}"
      register: nextcloud_running
      changed_when: false
      failed_when: false
    - name: Fail if Nextcloud is not running
      fail:
        msg: "Nextcloud container is not running on {{ inventory_hostname }}"
      when: "'nextcloud' not in nextcloud_running.stdout"
    - name: Get current Nextcloud version
      shell: docker exec -u www-data {{ nextcloud_container }} php occ --version
      register: nextcloud_version
      changed_when: false
    - name: Display Nextcloud version
      debug:
        msg: "{{ nextcloud_version.stdout }}"
    # ============================================================
    # TASK 1: ADD MISSING DATABASE INDICES
    # ============================================================
    - name: Check for missing database indices
      shell: docker exec -u www-data {{ nextcloud_container }} php occ db:add-missing-indices
      register: db_indices_result
      changed_when: "'updated successfully' in db_indices_result.stdout"
      failed_when: db_indices_result.rc != 0
    - name: Display database indices results
      debug:
        msg: |
          ============================================================
          Database Indices Results
          ============================================================
          {{ db_indices_result.stdout }}
          ============================================================
    # ============================================================
    # TASK 2: UPDATE MIMETYPES DATABASE
    # ============================================================
    - name: Update mimetypes database
      shell: docker exec -u www-data {{ nextcloud_container }} php occ maintenance:mimetype:update-db
      register: mimetype_result
      changed_when: "'Added' in mimetype_result.stdout"
      failed_when: mimetype_result.rc != 0
    - name: Parse mimetype results
      set_fact:
        mimetypes_added: "{{ mimetype_result.stdout | regex_search('Added (\\d+) new mimetypes', '\\1') | default(['0'], true) | first }}"
    - name: Display mimetype results
      debug:
        msg: |
          ============================================================
          Mimetype Update Results
          ============================================================
          Mimetypes added: {{ mimetypes_added }}
          {% if mimetypes_added | int > 0 %}
          ✓ Mimetype database updated successfully
          {% else %}
          ✓ All mimetypes already up to date
          {% endif %}
          ============================================================
    # ============================================================
    # SUMMARY
    # ============================================================
    - name: Display maintenance summary
      debug:
        msg: |
          ============================================================
          ✓ MAINTENANCE COMPLETED - {{ inventory_hostname }}
          ============================================================
          Server: {{ inventory_hostname }}
          Version: {{ nextcloud_version.stdout }}
          Tasks completed:
          {% if db_indices_result.changed %}
          ✓ Database indices: Updated
          {% else %}
          ✓ Database indices: Already optimized
          {% endif %}
          {% if mimetype_result.changed %}
          ✓ Mimetypes: Added {{ mimetypes_added }} new types
          {% else %}
          ✓ Mimetypes: Already up to date
          {% endif %}
          Next steps:
          - Check admin interface for any remaining warnings
          - Warnings may take a few minutes to clear from cache
          ============================================================
--- a/ansible/playbooks/configure-email.yml
+++ b/ansible/playbooks/configure-email.yml
@ -0,0 +1,53 @@
 ---
 # Configure email for a single server
 - hosts: all
  gather_facts: yes
  tasks:
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ inventory_hostname }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
    - name: Merge secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
    - name: Include mailgun role
      include_role:
        name: mailgun
    - name: Configure Nextcloud email if credentials available
      shell: |
        docker exec -u www-data nextcloud php occ config:system:set mail_smtpmode --value="smtp"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtpsecure --value="tls"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtphost --value="smtp.eu.mailgun.org"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtpport --value="587"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtpauth --value="1"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtpname --value="{{ mailgun_smtp_user }}"
        docker exec -u www-data nextcloud php occ config:system:set mail_smtppassword --value="{{ mailgun_smtp_password }}"
        docker exec -u www-data nextcloud php occ config:system:set mail_from_address --value="{{ inventory_hostname }}"
        docker exec -u www-data nextcloud php occ config:system:set mail_domain --value="mg.vrije.cloud"
      when: mailgun_smtp_user is defined
      no_log: true
      register: email_config
    - name: Display email configuration status
      debug:
        msg: |
          ========================================
          Email Configuration
          ========================================
          Status: {{ 'Configured' if email_config.changed | default(false) else 'Skipped (credentials not available)' }}
          SMTP: smtp.eu.mailgun.org:587 (TLS)
          From: {{ inventory_hostname }}@mg.vrije.cloud
          ========================================
--- a/ansible/playbooks/deploy.yml
+++ b/ansible/playbooks/deploy.yml
@ -39,6 +39,7 @@
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
      tags: always
    - name: Load shared secrets (Mailgun API key, etc.)
      community.sops.load_vars:
@ -46,11 +47,13 @@
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
      tags: always
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true
      tags: always
    - name: Set client domain from secrets
      set_fact:
@ -66,6 +69,10 @@
    - role: mailgun
    - role: authentik
    - role: nextcloud
    - role: diun
      tags: diun
    - role: kuma
      tags: kuma
  post_tasks:
    - name: Display deployment summary
--- a/ansible/playbooks/setup.yml
+++ b/ansible/playbooks/setup.yml
@ -18,6 +18,13 @@
    - name: Gather facts
      setup:
    - name: Load shared secrets (Docker Hub, etc.)
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true
  roles:
    - role: common
      tags: ['common', 'security']
--- a/ansible/playbooks/update-containers.yml
+++ b/ansible/playbooks/update-containers.yml
@ -0,0 +1,311 @@
 ---
 # Playbook: Update Docker containers across clients
 # Usage:
 #   # Update single client
 #   ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black
 #
 #   # Update specific service only
 #   ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black --tags authentik
 #
 #   # Dry run (check mode)
 #   ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit black --check
 #
 #   # Update multiple clients in sequence
 #   ansible-playbook -i hcloud.yml playbooks/update-containers.yml --limit "dev,test"
 - name: Update Docker containers
  hosts: all
  become: yes
  serial: 1  # Process one host at a time for safety
  vars:
    # Services to update (override with -e "services_to_update=['authentik']")
    services_to_update:
      - traefik
      - authentik
      - nextcloud
      - diun
    # Backup before update
    create_backup: true
    # Wait time between service updates (seconds)
    update_delay: 30
  pre_tasks:
    - name: Display update plan
      debug:
        msg: |
          Updating {{ inventory_hostname }}
          Services: {{ services_to_update | join(', ') }}
          Backup enabled: {{ create_backup }}
      tags: always
    - name: Check if host is reachable
      ping:
      tags: always
    - name: Get current container status (before)
      shell: docker ps --format 'table {{{{.Names}}}}\t{{{{.Status}}}}\t{{{{.Image}}}}'
      register: containers_before
      changed_when: false
      tags: always
    - name: Display current containers
      debug:
        msg: "{{ containers_before.stdout_lines }}"
      tags: always
  tasks:
    # ==========================================
    # Traefik Updates
    # ==========================================
    - name: Update Traefik
      block:
        - name: Create Traefik backup
          shell: |
            cd /opt/docker/traefik
            tar -czf /tmp/traefik-backup-$(date +%Y%m%d-%H%M%S).tar.gz \
              acme.json docker-compose.yml traefik.yml 2>/dev/null || true
          when: create_backup
        - name: Pull latest Traefik image
          docker_image:
            name: traefik:latest
            source: pull
            force_source: yes
        - name: Restart Traefik
          docker_compose:
            project_src: /opt/docker/traefik
            restarted: yes
            pull: yes
        - name: Wait for Traefik to be healthy
          shell: docker inspect --format='{{{{.State.Status}}}}' traefik
          register: traefik_status
          until: traefik_status.stdout == "running"
          retries: 10
          delay: 5
          changed_when: false
        - name: Verify Traefik SSL certificates
          shell: docker exec traefik ls -la /acme.json
          register: traefik_certs
          changed_when: false
          failed_when: traefik_certs.rc != 0
        - name: Delay between services
          pause:
            seconds: "{{ update_delay }}"
      when: "'traefik' in services_to_update"
      tags: traefik
    # ==========================================
    # Authentik Updates
    # ==========================================
    - name: Update Authentik
      block:
        - name: Create Authentik database backup
          shell: |
            docker exec authentik-db pg_dump -U authentik authentik | \
              gzip > /tmp/authentik-backup-$(date +%Y%m%d-%H%M%S).sql.gz
          when: create_backup
        - name: Pull latest Authentik images
          docker_image:
            name: "{{ item }}"
            source: pull
            force_source: yes
          loop:
            - ghcr.io/goauthentik/server:latest
            - postgres:16-alpine
            - redis:alpine
        - name: Restart Authentik services
          docker_compose:
            project_src: /opt/docker/authentik
            restarted: yes
            pull: yes
        - name: Wait for Authentik server to be healthy
          shell: docker inspect --format='{{{{.State.Health.Status}}}}' authentik-server
          register: authentik_status
          until: authentik_status.stdout == "healthy"
          retries: 20
          delay: 10
          changed_when: false
        - name: Wait for Authentik worker to be healthy
          shell: docker inspect --format='{{{{.State.Health.Status}}}}' authentik-worker
          register: authentik_worker_status
          until: authentik_worker_status.stdout == "healthy"
          retries: 20
          delay: 10
          changed_when: false
        - name: Verify Authentik web interface
          uri:
            url: "https://auth.{{ client_name }}.vrije.cloud/if/flow/default-authentication-flow/"
            validate_certs: yes
            status_code: 200
          register: authentik_health
          retries: 5
          delay: 10
        - name: Delay between services
          pause:
            seconds: "{{ update_delay }}"
      when: "'authentik' in services_to_update"
      tags: authentik
    # ==========================================
    # Nextcloud Updates
    # ==========================================
    - name: Update Nextcloud
      block:
        - name: Create Nextcloud database backup
          shell: |
            docker exec nextcloud-db mysqldump -u nextcloud -p$(docker exec nextcloud-db cat /run/secrets/db_password 2>/dev/null || echo 'password') nextcloud | \
              gzip > /tmp/nextcloud-backup-$(date +%Y%m%d-%H%M%S).sql.gz
          when: create_backup
          ignore_errors: yes
        - name: Enable Nextcloud maintenance mode
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --on
          register: maintenance_mode
          changed_when: "'Maintenance mode enabled' in maintenance_mode.stdout"
        - name: Pull latest Nextcloud images
          docker_image:
            name: "{{ item }}"
            source: pull
            force_source: yes
          loop:
            - nextcloud:latest
            - mariadb:11
            - redis:alpine
            - collabora/code:latest
        - name: Restart Nextcloud services
          docker_compose:
            project_src: /opt/docker/nextcloud
            restarted: yes
            pull: yes
        - name: Wait for Nextcloud to be ready
          shell: docker exec nextcloud-db mysqladmin ping -h localhost -u root --silent
          register: nc_db_status
          until: nc_db_status.rc == 0
          retries: 20
          delay: 5
          changed_when: false
        - name: Run Nextcloud upgrade (if needed)
          shell: docker exec -u www-data nextcloud php occ upgrade
          register: nc_upgrade
          changed_when: "'Updated database' in nc_upgrade.stdout"
          failed_when: nc_upgrade.rc != 0 and 'already latest version' not in nc_upgrade.stdout
        - name: Disable Nextcloud maintenance mode
          shell: docker exec -u www-data nextcloud php occ maintenance:mode --off
          register: maintenance_off
          changed_when: "'Maintenance mode disabled' in maintenance_off.stdout"
        - name: Verify Nextcloud web interface
          uri:
            url: "https://nextcloud.{{ client_name }}.vrije.cloud/status.php"
            validate_certs: yes
            status_code: 200
          register: nc_health
          retries: 10
          delay: 10
        - name: Verify Nextcloud installed status
          uri:
            url: "https://nextcloud.{{ client_name }}.vrije.cloud/status.php"
            validate_certs: yes
            return_content: yes
          register: nc_status_check
          failed_when: "'\"installed\":true' not in nc_status_check.content"
        - name: Delay between services
          pause:
            seconds: "{{ update_delay }}"
      when: "'nextcloud' in services_to_update"
      tags: nextcloud
    # ==========================================
    # Diun Updates
    # ==========================================
    - name: Update Diun
      block:
        - name: Pull latest Diun image
          docker_image:
            name: crazymax/diun:latest
            source: pull
            force_source: yes
        - name: Restart Diun
          docker_compose:
            project_src: /opt/docker/diun
            restarted: yes
            pull: yes
        - name: Wait for Diun to be running
          shell: docker inspect --format='{{{{.State.Status}}}}' diun
          register: diun_status
          until: diun_status.stdout == "running"
          retries: 5
          delay: 3
          changed_when: false
      when: "'diun' in services_to_update"
      tags: diun
  post_tasks:
    - name: Get final container status
      shell: docker ps --format 'table {{{{.Names}}}}\t{{{{.Status}}}}\t{{{{.Image}}}}'
      register: containers_after
      changed_when: false
      tags: always
    - name: Display final container status
      debug:
        msg: "{{ containers_after.stdout_lines }}"
      tags: always
    - name: Verify all expected containers are running
      shell: docker ps --filter "status=running" --format '{{{{.Names}}}}' | wc -l
      register: running_count
      changed_when: false
      tags: always
    - name: Check for unhealthy containers
      shell: docker ps --filter "health=unhealthy" --format '{{{{.Names}}}}'
      register: unhealthy_containers
      changed_when: false
      failed_when: unhealthy_containers.stdout != ""
      tags: always
    - name: Update summary
      debug:
        msg: |
          ========================================
          Update Summary for {{ inventory_hostname }}
          ========================================
          Running containers: {{ running_count.stdout }}
          Unhealthy containers: {{ unhealthy_containers.stdout or 'None' }}
          Services updated: {{ services_to_update | join(', ') }}
          Status: SUCCESS
      tags: always
 - name: Post-update validation
  hosts: all
  become: yes
  gather_facts: no
  tasks:
    - name: Final health check
      debug:
        msg: "All updates completed successfully on {{ inventory_hostname }}"
--- a/ansible/playbooks/update-enrollment-flow.yml
+++ b/ansible/playbooks/update-enrollment-flow.yml
@ -0,0 +1,61 @@
 ---
 # Update enrollment flow blueprint on running Authentik instance
 - name: Update enrollment flow blueprint
  hosts: all
  gather_facts: no
  become: yes
  vars:
    authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"
    client_domain: "dev.vrije.cloud"
  tasks:
    - name: Create blueprints directory
      file:
        path: /opt/config/authentik/blueprints
        state: directory
        mode: '0755'
    - name: Copy enrollment flow blueprint
      copy:
        src: ../roles/authentik/files/enrollment-flow.yaml
        dest: /opt/config/authentik/blueprints/enrollment-flow.yaml
        mode: '0644'
      register: blueprint_copied
    - name: Copy blueprint into authentik-worker container
      shell: |
        docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml
      when: blueprint_copied.changed
    - name: Copy blueprint into authentik-server container
      shell: |
        docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml
      when: blueprint_copied.changed
    - name: Restart authentik-worker to force blueprint discovery
      shell: docker restart authentik-worker
      when: blueprint_copied.changed
    - name: Wait for blueprint to be applied
      shell: |
        sleep 30
        docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
          'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow'
      register: flow_check
      retries: 6
      delay: 10
      until: flow_check.rc == 0
      no_log: true
    - name: Display success message
      debug:
        msg: |
          ✓ Enrollment flow blueprint updated successfully!
          The invitation-only enrollment flow is now set as the default.
          When you create invitations in Authentik, they will automatically
          use the correct flow.
          Flow URL: https://auth.{{ client_domain }}/if/flow/default-enrollment-flow/
--- a/ansible/roles/authentik/files/configure_recovery_flow.py
+++ b/ansible/roles/authentik/files/configure_recovery_flow.py
@ -1,67 +0,0 @@
 #!/usr/bin/env python3
 """
 Configure Authentik recovery flow.
 Verifies that the default recovery flow exists (Authentik creates it by default).
 The recovery flow is used when clicking "Create recovery link" in the UI.
 """
 import sys
 import json
 import urllib.request
 import urllib.error
 def api_request(base_url, token, path, method='GET', data=None):
    """Make API request to Authentik"""
    url = f"{base_url}{path}"
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }
    request_data = json.dumps(data).encode() if data else None
    req = urllib.request.Request(url, data=request_data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        error_body = e.read().decode()
        try:
            error_data = json.loads(error_body)
        except:
            error_data = {'error': error_body}
        return e.code, error_data
 def main():
    if len(sys.argv) != 3:
        print(json.dumps({'error': 'Usage: configure_recovery_flow.py <base_url> <api_token>'}), file=sys.stderr)
        sys.exit(1)
    base_url = sys.argv[1]
    token = sys.argv[2]
    # Get the default recovery flow (created by Authentik by default)
    status, flows_response = api_request(base_url, token, '/api/v3/flows/instances/')
    if status != 200:
        print(json.dumps({'error': 'Failed to list flows', 'details': flows_response}), file=sys.stderr)
        sys.exit(1)
    recovery_flow = next((f for f in flows_response.get('results', [])
                         if f.get('designation') == 'recovery'), None)
    if not recovery_flow:
        print(json.dumps({'error': 'No recovery flow found - Authentik should create one by default'}), file=sys.stderr)
        sys.exit(1)
    flow_slug = recovery_flow['slug']
    flow_pk = recovery_flow['pk']
    print(json.dumps({
        'success': True,
        'message': 'Recovery flow configured',
        'flow_slug': flow_slug,
        'flow_pk': flow_pk,
        'note': 'Using Authentik default recovery flow'
    }))
 if __name__ == '__main__':
    main()
--- a/ansible/roles/authentik/files/create_recovery_flow.py
+++ b/ansible/roles/authentik/files/create_recovery_flow.py
@ -0,0 +1,522 @@
 #!/usr/bin/env python3
 """
 Authentik Recovery Flow Automation Script
 This script creates a complete password recovery flow in Authentik with:
 - Password complexity policy (12 chars, mixed case, digit, symbol)
 - Recovery identification stage (username/email)
 - Recovery email stage (sends recovery token)
 - Password change stages (with validation)
 - Integration with default authentication flow
 - Brand default recovery flow configuration
 Usage:
    python3 create_recovery_flow.py <api_token> <authentik_domain>
 """
 import sys
 import json
 import urllib.request
 import urllib.error
 def api_request(base_url, token, path, method='GET', data=None):
    """Make an API request to Authentik"""
    url = f"{base_url}{path}"
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }
    request_data = json.dumps(data).encode() if data else None
    req = urllib.request.Request(url, data=request_data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read().decode()
            if body:
                return resp.status, json.loads(body)
            return resp.status, {}
    except urllib.error.HTTPError as e:
        error_body = e.read().decode()
        try:
            error_data = json.loads(error_body) if error_body else {'error': 'Empty error response'}
        except:
            error_data = {'error': error_body or 'Unknown error'}
        return e.code, error_data
    except Exception as e:
        return 0, {'error': str(e)}
 def get_or_create_password_policy(base_url, token):
    """Create password complexity policy"""
    print("Checking for password complexity policy...")
    policy_data = {
        "name": "password-complexity",
        "password_field": "password",
        "amount_digits": 1,
        "amount_uppercase": 1,
        "amount_lowercase": 1,
        "amount_symbols": 1,
        "length_min": 12,
        "symbol_charset": "!\\\"#$%&'()*+,-./:;<=>?@[]^_`{|}~",
        "error_message": "Enter a minimum of 12 characters, with at least 1 lowercase, uppercase, digit and symbol",
        "check_static_rules": True,
        "check_have_i_been_pwned": True,
        "check_zxcvbn": True,
        "hibp_allowed_count": 0,
        "zxcvbn_score_threshold": 2
    }
    # Check if policy already exists
    status, policies = api_request(base_url, token, '/api/v3/policies/password/')
    print(f"  Initial check status: {status}")
    if status == 200:
        results = policies.get('results', [])
        print(f"  Found {len(results)} existing policies")
        for policy in results:
            policy_name = policy.get('name')
            print(f"    - {policy_name}")
            if policy_name == 'password-complexity':
                print(f"  ✓ Password policy already exists: {policy['pk']}")
                return policy['pk']
    else:
        print(f"  Initial check failed: {policies}")
    # Create new policy
    status, policy = api_request(base_url, token, '/api/v3/policies/password/', 'POST', policy_data)
    if status == 201:
        print(f"  ✓ Created password policy: {policy['pk']}")
        return policy['pk']
    elif status == 400 and 'name' in policy:
        # Policy with same name already exists, search for it again
        print(f"  ! Policy name already exists, retrieving existing policy...")
        status, policies = api_request(base_url, token, '/api/v3/policies/password/')
        if status == 200:
            for existing_policy in policies.get('results', []):
                if existing_policy.get('name') == 'password-complexity':
                    print(f"  ✓ Found existing password policy: {existing_policy['pk']}")
                    return existing_policy['pk']
        print(f"  ✗ Failed to find existing policy after creation conflict")
        return None
    else:
        print(f"  ✗ Failed to create password policy: {policy}")
        return None
 def get_or_create_recovery_identification_stage(base_url, token):
    """Create recovery identification stage"""
    print("Creating recovery identification stage...")
    stage_data = {
        "name": "recovery-authentication-identification",
        "user_fields": ["username", "email"],
        "password_stage": None,
        "case_insensitive_matching": True,
        "show_matched_user": True,
        "pretend_user_exists": True,
        "enable_remember_me": False
    }
    # Check if stage already exists
    status, stages = api_request(base_url, token, '/api/v3/stages/identification/')
    if status == 200:
        for stage in stages.get('results', []):
            if stage.get('name') == 'recovery-authentication-identification':
                print(f"  ✓ Recovery identification stage already exists: {stage['pk']}")
                return stage['pk']
    # Create new stage
    status, stage = api_request(base_url, token, '/api/v3/stages/identification/', 'POST', stage_data)
    if status == 201:
        print(f"  ✓ Created recovery identification stage: {stage['pk']}")
        return stage['pk']
    elif status == 400 and 'name' in stage:
        # Stage with same name already exists
        print(f"  ! Stage name already exists, retrieving existing stage...")
        status, stages = api_request(base_url, token, '/api/v3/stages/identification/')
        if status == 200:
            for existing_stage in stages.get('results', []):
                if existing_stage.get('name') == 'recovery-authentication-identification':
                    print(f"  ✓ Found existing recovery identification stage: {existing_stage['pk']}")
                    return existing_stage['pk']
        print(f"  ✗ Failed to find existing stage after creation conflict")
        return None
    else:
        print(f"  ✗ Failed to create recovery identification stage: {stage}")
        return None
 def get_or_create_recovery_email_stage(base_url, token):
    """Create recovery email stage"""
    print("Creating recovery email stage...")
    stage_data = {
        "name": "recovery-email",
        "use_global_settings": True,
        "token_expiry": "minutes=30",
        "subject": "Password recovery",
        "template": "email/password_reset.html",
        "activate_user_on_success": True,
        "recovery_max_attempts": 5,
        "recovery_cache_timeout": "minutes=5"
    }
    # Check if stage already exists
    status, stages = api_request(base_url, token, '/api/v3/stages/email/')
    if status == 200:
        for stage in stages.get('results', []):
            if stage.get('name') == 'recovery-email':
                print(f"  ✓ Recovery email stage already exists: {stage['pk']}")
                return stage['pk']
    # Create new stage
    status, stage = api_request(base_url, token, '/api/v3/stages/email/', 'POST', stage_data)
    if status == 201:
        print(f"  ✓ Created recovery email stage: {stage['pk']}")
        return stage['pk']
    elif status == 400 and 'name' in stage:
        # Stage with same name already exists
        print(f"  ! Stage name already exists, retrieving existing stage...")
        status, stages = api_request(base_url, token, '/api/v3/stages/email/')
        if status == 200:
            for existing_stage in stages.get('results', []):
                if existing_stage.get('name') == 'recovery-email':
                    print(f"  ✓ Found existing recovery email stage: {existing_stage['pk']}")
                    return existing_stage['pk']
        print(f"  ✗ Failed to find existing stage after creation conflict")
        return None
    else:
        print(f"  ✗ Failed to create recovery email stage: {stage}")
        return None
 def get_existing_stage_uuid(base_url, token, stage_name, stage_type):
    """Get UUID of an existing stage"""
    status, stages = api_request(base_url, token, f'/api/v3/stages/{stage_type}/')
    if status == 200:
        for stage in stages.get('results', []):
            if stage.get('name') == stage_name:
                return stage['pk']
    return None
 def get_or_create_recovery_flow(base_url, token, stage_ids):
    """Create recovery flow with stage bindings"""
    print("Creating recovery flow...")
    flow_data = {
        "name": "recovery",
        "slug": "recovery",
        "title": "Recovery",
        "designation": "recovery",
        "policy_engine_mode": "any",
        "compatibility_mode": False,
        "layout": "stacked",
        "denied_action": "message_continue"
    }
    # Check if flow already exists
    status, flows = api_request(base_url, token, '/api/v3/flows/instances/')
    if status == 200:
        for flow in flows.get('results', []):
            if flow.get('slug') == 'recovery':
                print(f"  ✓ Recovery flow already exists: {flow['pk']}")
                return flow['pk']
    # Create new flow
    status, flow = api_request(base_url, token, '/api/v3/flows/instances/', 'POST', flow_data)
    if status != 201:
        print(f"  ✗ Failed to create recovery flow: {flow}")
        return None
    flow_uuid = flow['pk']
    print(f"  ✓ Created recovery flow: {flow_uuid}")
    # Create stage bindings
    bindings = [
        {"stage": stage_ids['recovery_identification'], "order": 0},
        {"stage": stage_ids['recovery_email'], "order": 10},
        {"stage": stage_ids['password_change_prompt'], "order": 20},
        {"stage": stage_ids['password_change_write'], "order": 30},
    ]
    for binding in bindings:
        binding_data = {
            "target": flow_uuid,
            "stage": binding['stage'],
            "order": binding['order'],
            "evaluate_on_plan": False,
            "re_evaluate_policies": True,
            "policy_engine_mode": "any",
            "invalid_response_action": "retry"
        }
        status, result = api_request(base_url, token, '/api/v3/flows/bindings/', 'POST', binding_data)
        if status == 201:
            print(f"  ✓ Bound stage {binding['stage']} at order {binding['order']}")
        else:
            print(f"  ✗ Failed to bind stage: {result}")
    return flow_uuid
 def update_password_change_prompt_stage(base_url, token, stage_uuid, password_complexity_uuid):
    """Add password complexity policy to password change prompt stage"""
    print("Updating password change prompt stage...")
    # Get current stage configuration
    status, stage = api_request(base_url, token, f'/api/v3/stages/prompt/stages/{stage_uuid}/')
    if status != 200:
        print(f"  ✗ Failed to get stage: {stage}")
        return False
    # Add password complexity to validation policies
    validation_policies = stage.get('validation_policies', [])
    if password_complexity_uuid not in validation_policies:
        validation_policies.append(password_complexity_uuid)
        update_data = {
            "validation_policies": validation_policies
        }
        status, result = api_request(base_url, token, f'/api/v3/stages/prompt/stages/{stage_uuid}/', 'PATCH', update_data)
        if status == 200:
            print(f"  ✓ Added password complexity policy to validation")
            return True
        else:
            print(f"  ✗ Failed to update stage: {result}")
            return False
    else:
        print(f"  ✓ Password complexity policy already in validation")
        return True
 def remove_separate_password_stage_from_auth_flow(base_url, token, auth_flow_uuid, password_stage_uuid):
    """Remove separate password stage from authentication flow if it exists"""
    print("Checking for separate password stage in authentication flow...")
    # Get all flow bindings
    status, bindings_data = api_request(base_url, token, '/api/v3/flows/bindings/')
    if status != 200:
        print(f"  ✗ Failed to get flow bindings: {bindings_data}")
        return False
    # Find password stage binding in auth flow
    password_binding = None
    for binding in bindings_data.get('results', []):
        if binding.get('target') == auth_flow_uuid and binding.get('stage') == password_stage_uuid:
            password_binding = binding
            break
    if not password_binding:
        print(f"  ✓ No separate password stage found (already removed)")
        return True
    # Delete the password stage binding
    binding_uuid = password_binding.get('pk')
    status, result = api_request(base_url, token, f'/api/v3/flows/bindings/{binding_uuid}/', 'DELETE')
    if status == 204 or status == 200:
        print(f"  ✓ Removed separate password stage from authentication flow")
        return True
    else:
        print(f"  ✗ Failed to remove password stage: {result}")
        return False
 def update_authentication_identification_stage(base_url, token, stage_uuid, password_stage_uuid, recovery_flow_uuid):
    """Update authentication identification stage with password field and recovery flow"""
    print("Updating authentication identification stage...")
    # First get the current stage configuration
    status, current_stage = api_request(base_url, token, f'/api/v3/stages/identification/{stage_uuid}/')
    if status != 200:
        print(f"  ✗ Failed to get current stage: {current_stage}")
        return False
    # Check if already configured
    if current_stage.get('password_stage') == password_stage_uuid and current_stage.get('recovery_flow') == recovery_flow_uuid:
        print(f"  ✓ Authentication identification stage already configured")
        return True
    # Update with new values while preserving existing configuration
    update_data = {
        "name": current_stage.get('name'),
        "user_fields": current_stage.get('user_fields', ["username", "email"]),
        "password_stage": password_stage_uuid,
        "recovery_flow": recovery_flow_uuid,
        "case_insensitive_matching": current_stage.get('case_insensitive_matching', True),
        "show_matched_user": current_stage.get('show_matched_user', True),
        "pretend_user_exists": current_stage.get('pretend_user_exists', True)
    }
    status, result = api_request(base_url, token, f'/api/v3/stages/identification/{stage_uuid}/', 'PATCH', update_data)
    if status == 200:
        print(f"  ✓ Updated authentication identification stage")
        print(f"    - Added password field on same page")
        print(f"    - Added recovery flow link")
        return True
    else:
        print(f"  ✗ Failed to update stage: {result}")
        return False
 def update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
    """Update the default brand to use the recovery flow"""
    print("Updating brand default recovery flow...")
    # Get the default brand (authentik has one brand by default)
    status, brands = api_request(base_url, token, '/api/v3/core/brands/')
    if status != 200:
        print(f"  ✗ Failed to get brands: {brands}")
        return False
    results = brands.get('results', [])
    if not results:
        print(f"  ✗ No brands found")
        return False
    # Use the first/default brand
    brand = results[0]
    brand_uuid = brand.get('brand_uuid')
    # Check if already configured
    if brand.get('flow_recovery') == recovery_flow_uuid:
        print(f"  ✓ Brand recovery flow already configured")
        return True
    # Update the brand with recovery flow
    update_data = {
        "domain": brand.get('domain'),
        "flow_recovery": recovery_flow_uuid
    }
    status, result = api_request(base_url, token, f'/api/v3/core/brands/{brand_uuid}/', 'PATCH', update_data)
    if status == 200:
        print(f"  ✓ Updated brand default recovery flow")
        return True
    else:
        print(f"  ✗ Failed to update brand: {result}")
        return False
 def main():
    if len(sys.argv) < 3:
        print("Usage: python3 create_recovery_flow.py <api_token> <authentik_domain>")
        sys.exit(1)
    token = sys.argv[1]
    authentik_domain = sys.argv[2]
    # Use internal localhost URL when running inside Authentik container
    # This avoids SSL/DNS issues
    base_url = "http://localhost:9000"
    print(f"Using internal API endpoint: {base_url}")
    print(f"External domain: https://{authentik_domain}\n")
    print("=" * 80)
    print("Authentik Recovery Flow Automation")
    print("=" * 80)
    print(f"Target: {base_url}\n")
    # Step 1: Create password complexity policy
    password_complexity_uuid = get_or_create_password_policy(base_url, token)
    if not password_complexity_uuid:
        print("\n✗ Failed to create password complexity policy")
        sys.exit(1)
    # Step 2: Create recovery identification stage
    recovery_identification_uuid = get_or_create_recovery_identification_stage(base_url, token)
    if not recovery_identification_uuid:
        print("\n✗ Failed to create recovery identification stage")
        sys.exit(1)
    # Step 3: Create recovery email stage
    recovery_email_uuid = get_or_create_recovery_email_stage(base_url, token)
    if not recovery_email_uuid:
        print("\n✗ Failed to create recovery email stage")
        sys.exit(1)
    # Step 4: Get existing stage and flow UUIDs
    print("\nGetting existing stage and flow UUIDs...")
    password_change_prompt_uuid = get_existing_stage_uuid(base_url, token, 'default-password-change-prompt', 'prompt/stages')
    password_change_write_uuid = get_existing_stage_uuid(base_url, token, 'default-password-change-write', 'user_write')
    auth_identification_uuid = get_existing_stage_uuid(base_url, token, 'default-authentication-identification', 'identification')
    auth_password_uuid = get_existing_stage_uuid(base_url, token, 'default-authentication-password', 'password')
    # Get default authentication flow UUID
    status, flows = api_request(base_url, token, '/api/v3/flows/instances/')
    auth_flow_uuid = None
    if status == 200:
        for flow in flows.get('results', []):
            if flow.get('slug') == 'default-authentication-flow':
                auth_flow_uuid = flow.get('pk')
                break
    if not all([password_change_prompt_uuid, password_change_write_uuid, auth_identification_uuid, auth_password_uuid, auth_flow_uuid]):
        print("  ✗ Failed to find all required existing stages and flows")
        sys.exit(1)
    print(f"  ✓ Found all existing stages and flows")
    # Step 5: Create recovery flow
    stage_ids = {
        'recovery_identification': recovery_identification_uuid,
        'recovery_email': recovery_email_uuid,
        'password_change_prompt': password_change_prompt_uuid,
        'password_change_write': password_change_write_uuid
    }
    recovery_flow_uuid = get_or_create_recovery_flow(base_url, token, stage_ids)
    if not recovery_flow_uuid:
        print("\n✗ Failed to create recovery flow")
        sys.exit(1)
    # Step 6: Update password change prompt stage
    if not update_password_change_prompt_stage(base_url, token, password_change_prompt_uuid, password_complexity_uuid):
        print("\n⚠ Warning: Failed to update password change prompt stage")
    # Step 7: Update authentication identification stage
    if not update_authentication_identification_stage(base_url, token, auth_identification_uuid, auth_password_uuid, recovery_flow_uuid):
        print("\n⚠ Warning: Failed to update authentication identification stage")
    # Step 8: Remove separate password stage from authentication flow
    if not remove_separate_password_stage_from_auth_flow(base_url, token, auth_flow_uuid, auth_password_uuid):
        print("\n⚠ Warning: Failed to remove separate password stage (may not exist)")
    # Step 9: Update brand default recovery flow
    if not update_brand_recovery_flow(base_url, token, recovery_flow_uuid):
        print("\n⚠ Warning: Failed to update brand recovery flow (non-critical)")
    # Success!
    print("\n" + "=" * 80)
    print("✓ Recovery Flow Configuration Complete!")
    print("=" * 80)
    print(f"\nRecovery Flow UUID: {recovery_flow_uuid}")
    print(f"Recovery URL: https://{authentik_domain}/if/flow/recovery/")
    print(f"\nFeatures enabled:")
    print("  ✓ Password complexity policy (12 chars, mixed case, digit, symbol)")
    print("  ✓ Recovery email with 30-minute token")
    print("  ✓ Password + username on same login page")
    print("  ✓ 'Forgot password?' link on login page")
    print("  ✓ Brand default recovery flow configured")
    print("\nTest the recovery flow:")
    print(f"  1. Visit: https://{authentik_domain}/if/flow/default-authentication-flow/")
    print("  2. Click 'Forgot password?' link")
    print("  3. Enter username or email")
    print("  4. Check email for recovery link")
    print("=" * 80)
    # Output JSON for Ansible
    result = {
        "success": True,
        "recovery_flow_uuid": recovery_flow_uuid,
        "password_complexity_uuid": password_complexity_uuid,
        "recovery_url": f"https://{authentik_domain}/if/flow/recovery/"
    }
    print("\n" + json.dumps(result))
 if __name__ == "__main__":
    main()
--- a/ansible/roles/authentik/files/custom-flows.yaml
+++ b/ansible/roles/authentik/files/custom-flows.yaml
@ -2,7 +2,7 @@ version: 1
 metadata:
  name: custom-flow-configuration
  labels:
-    blueprints.goauthentik.io/description: "Configure invitation, recovery, and 2FA enforcement"
+    blueprints.goauthentik.io/description: "Configure invitation and 2FA enforcement"
    blueprints.goauthentik.io/instantiate: "true"
 entries:
@ -26,15 +26,7 @@ entries:
      evaluate_on_plan: true
      re_evaluate_policies: false
-  # 3. SET RECOVERY FLOW IN BRAND
+  # 3. ENFORCE 2FA CONFIGURATION
  # Configures the default brand to use the recovery flow
  - model: authentik_core.brand
    identifiers:
      domain: authentik-default
    attrs:
      flow_recovery: !Find [authentik_flows.flow, [designation, recovery]]
  # 4. ENFORCE 2FA CONFIGURATION
  # Updates MFA validation stage to force users to configure TOTP
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    identifiers:
--- a/ansible/roles/authentik/files/enrollment-flow.yaml
+++ b/ansible/roles/authentik/files/enrollment-flow.yaml
@ -0,0 +1,153 @@
 version: 1
 metadata:
  name: invitation-enrollment-flow
  labels:
    blueprints.goauthentik.io/description: "Invitation-only enrollment flow"
    blueprints.goauthentik.io/instantiate: "true"
 entries:
  # 1. CREATE ENROLLMENT FLOW
  - attrs:
      designation: enrollment
      name: Default enrollment Flow
      title: Welcome to authentik!
      authentication: none
      denied_action: message_continue
    identifiers:
      slug: default-enrollment-flow
    model: authentik_flows.flow
    id: flow
  # 2. CREATE INVITATION STAGE
  - attrs:
      continue_flow_without_invitation: false
    identifiers:
      name: default-enrollment-invitation
    id: invitation-stage
    model: authentik_stages_invitation.invitationstage
  # 3. CREATE PROMPT FIELDS
  - attrs:
      order: 0
      placeholder: Username
      placeholder_expression: false
      required: true
      type: username
      field_key: username
      label: Username
    identifiers:
      name: default-enrollment-field-username
    id: prompt-field-username
    model: authentik_stages_prompt.prompt
  - attrs:
      order: 1
      placeholder: Name
      placeholder_expression: false
      required: true
      type: text
      field_key: name
      label: Name
    identifiers:
      name: default-enrollment-field-name
    id: prompt-field-name
    model: authentik_stages_prompt.prompt
  - attrs:
      order: 2
      placeholder: Email
      placeholder_expression: false
      required: true
      type: email
      field_key: email
      label: Email
    identifiers:
      name: default-enrollment-field-email
    id: prompt-field-email
    model: authentik_stages_prompt.prompt
  - attrs:
      order: 3
      placeholder: Password
      placeholder_expression: false
      required: true
      type: password
      field_key: password
      label: Password
    identifiers:
      name: default-enrollment-field-password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
  - attrs:
      order: 4
      placeholder: Password (repeat)
      placeholder_expression: false
      required: true
      type: password
      field_key: password_repeat
      label: Password (repeat)
    identifiers:
      name: default-enrollment-field-password-repeat
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
  # 4. CREATE PROMPT STAGE
  - attrs:
      fields:
        - !KeyOf prompt-field-username
        - !KeyOf prompt-field-name
        - !KeyOf prompt-field-email
        - !KeyOf prompt-field-password
        - !KeyOf prompt-field-password-repeat
      validation_policies: []
    identifiers:
      name: default-enrollment-prompt
    id: prompt-stage
    model: authentik_stages_prompt.promptstage
  # 5. CREATE USER WRITE STAGE
  - attrs:
      user_creation_mode: always_create
      create_users_as_inactive: false
      create_users_group: null
      user_path_template: ""
    identifiers:
      name: default-enrollment-user-write
    id: user-write-stage
    model: authentik_stages_user_write.userwritestage
  # 6. BIND INVITATION STAGE TO FLOW (order 0)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 0
      stage: !KeyOf invitation-stage
      target: !KeyOf flow
    model: authentik_flows.flowstagebinding
  # 8. BIND PROMPT STAGE TO FLOW (order 10)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 10
      stage: !KeyOf prompt-stage
      target: !KeyOf flow
    model: authentik_flows.flowstagebinding
  # 9. BIND USER WRITE STAGE TO FLOW (order 20)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 20
      stage: !KeyOf user-write-stage
      target: !KeyOf flow
    model: authentik_flows.flowstagebinding
  # Note: Brand enrollment flow configuration must be done via API
  # The tenant model is restricted in blueprints
  # Use: PATCH /api/v3/core/tenants/{tenant_uuid}/
  # Body: {"flow_enrollment": "<flow_uuid>"}
--- a/ansible/roles/authentik/files/invitation-flow.yaml
+++ b/ansible/roles/authentik/files/invitation-flow.yaml
@ -0,0 +1,25 @@
 version: 1
 metadata:
  name: invitation-flow-configuration
  labels:
    blueprints.goauthentik.io/description: "Configure invitation stage for enrollment"
    blueprints.goauthentik.io/instantiate: "true"
 entries:
  # 1. CREATE INVITATION STAGE
  - model: authentik_stages_invitation.invitationstage
    identifiers:
      name: default-enrollment-invitation
    id: invitation-stage
    attrs:
      continue_flow_without_invitation: true
  # 2. BIND INVITATION STAGE TO ENROLLMENT FLOW
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !Find [authentik_flows.flow, [designation, enrollment]]
      stage: !KeyOf invitation-stage
      order: 0
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
--- a/ansible/roles/authentik/tasks/flows.yml
+++ b/ansible/roles/authentik/tasks/flows.yml
@ -1,5 +1,5 @@
 ---
-# Configure Authentik flows (invitation, recovery, 2FA) via Blueprints
+# Configure Authentik flows (invitation, 2FA) via Blueprints
 - name: Use bootstrap token for API access
  set_fact:
@ -27,22 +27,31 @@
    state: directory
    mode: '0755'
- name: Copy custom flows blueprint to server
+- name: Copy flow blueprints to server
  copy:
-    src: custom-flows.yaml
+    src: "{{ item }}"
-    dest: "{{ authentik_config_dir }}/blueprints/custom-flows.yaml"
+    dest: "{{ authentik_config_dir }}/blueprints/{{ item }}"
    mode: '0644'
-  register: blueprint_copied
+  loop:
    - custom-flows.yaml
    - enrollment-flow.yaml
  register: blueprints_copied
- name: Copy blueprint into authentik-worker container
+- name: Copy blueprints into authentik-worker container
  shell: |
-    docker cp "{{ authentik_config_dir }}/blueprints/custom-flows.yaml" authentik-worker:/blueprints/custom-flows.yaml
+    docker cp "{{ authentik_config_dir }}/blueprints/{{ item }}" authentik-worker:/blueprints/{{ item }}
-  changed_when: blueprint_copied.changed
+  loop:
    - custom-flows.yaml
    - enrollment-flow.yaml
  when: blueprints_copied.changed
- name: Copy blueprint into authentik-server container
+- name: Copy blueprints into authentik-server container
  shell: |
-    docker cp "{{ authentik_config_dir }}/blueprints/custom-flows.yaml" authentik-server:/blueprints/custom-flows.yaml
+    docker cp "{{ authentik_config_dir }}/blueprints/{{ item }}" authentik-server:/blueprints/{{ item }}
-  changed_when: blueprint_copied.changed
+  loop:
    - custom-flows.yaml
    - enrollment-flow.yaml
  when: blueprints_copied.changed
 - name: Wait for blueprint to be discovered and applied
  shell: |
@ -87,14 +96,6 @@
  changed_when: false
  failed_when: false
 - name: Verify brand recovery flow was set
  shell: |
    docker exec authentik-server curl -sf -H "Authorization: Bearer {{ authentik_api_token }}" \
      "http://localhost:9000/api/v3/core/brands/" | \
      python3 -c "import sys, json; data = json.load(sys.stdin); brand = data['results'][0] if data['results'] else {}; print(json.dumps({'recovery_flow_set': brand.get('flow_recovery') is not None}))"
  register: recovery_check
  changed_when: false
  failed_when: false
 - name: Display flows configuration status
  debug:
@ -104,24 +105,22 @@
      ========================================
      Configuration Method: YAML Blueprints
-      Blueprint File: /blueprints/custom-flows.yaml
+      Blueprints Deployed:
      - /blueprints/custom-flows.yaml (2FA enforcement)
      - /blueprints/enrollment-flow.yaml (invitation-only registration)
-      ✓ Blueprint Deployed: {{ blueprint_copied.changed }}
+      ✓ Blueprints Deployed: {{ blueprints_copied.changed }}
-      ✓ Blueprint Applied: {{ 'Yes' if 'successfully' in blueprint_wait.stdout else 'In Progress' }}
+      ✓ Blueprints Applied: {{ 'Yes' if 'successfully' in blueprint_wait.stdout else 'In Progress' }}
      Verification:
      {{ invitation_check.stdout | default('Invitation stage: Checking...') }}
      {{ recovery_check.stdout | default('Recovery flow: Checking...') }}
      Note: Authentik applies blueprints asynchronously.
      Changes should be visible within 1-2 minutes.
      Recovery flows must be configured manually in Authentik admin UI.
-      To verify manually:
+      Flow URLs:
-      - Login to https://{{ authentik_domain }}
+      - Enrollment: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/
      - Check Admin > Flows > Stages for invitation stage
      - Check Admin > System > Brands for recovery flow setting
      - Check default-authentication-mfa-validation stage for 2FA enforcement
-      Email configuration is active and flows
+      Email configuration is active - emails sent via Mailgun SMTP.
      will send emails via Mailgun SMTP.
      ========================================
--- a/ansible/roles/authentik/tasks/invitation.yml
+++ b/ansible/roles/authentik/tasks/invitation.yml
@ -0,0 +1,112 @@
 ---
 # Configure invitation stage for enrollment flow
 - name: Use bootstrap token for API access
  set_fact:
    authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
 - name: Wait for Authentik API to be ready
  uri:
    url: "https://{{ authentik_domain }}/api/v3/root/config/"
    method: GET
    validate_certs: no
    status_code: 200
  register: api_result
  until: api_result.status == 200
  retries: 12
  delay: 5
  ignore_errors: yes
  failed_when: false
 - name: Create blueprints directory on server
  file:
    path: /opt/config/authentik/blueprints
    state: directory
    mode: '0755'
  when: api_result.status is defined and api_result.status == 200
 - name: Copy public enrollment flow blueprint to server
  copy:
    src: enrollment-flow.yaml
    dest: /opt/config/authentik/blueprints/enrollment-flow.yaml
    mode: '0644'
  register: enrollment_blueprint_copied
  when: api_result.status is defined and api_result.status == 200
 - name: Copy enrollment blueprint into authentik-worker container
  shell: |
    docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml
  when: api_result.status is defined and api_result.status == 200
 - name: Copy enrollment blueprint into authentik-server container
  shell: |
    docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml
  when: api_result.status is defined and api_result.status == 200
 - name: Wait for enrollment blueprint to be discovered and applied
  shell: |
    echo "Waiting for public enrollment blueprint to be discovered and applied..."
    sleep 10
    # Check if blueprint instance was created
    i=1
    while [ $i -le 24 ]; do
      result=$(docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
        'http://localhost:9000/api/v3/managed/blueprints/' 2>/dev/null || echo '')
      if echo "$result" | grep -q 'public-enrollment-flow'; then
        echo "Blueprint instance found"
        if echo "$result" | grep -A 10 'public-enrollment-flow' | grep -q 'successful'; then
          echo "Blueprint applied successfully"
          exit 0
        fi
      fi
      sleep 5
      i=$((i+1))
    done
    echo "Blueprint deployment in progress (may take 1-2 minutes)"
  register: enrollment_blueprint_result
  changed_when: false
  when: api_result.status is defined and api_result.status == 200
 - name: Verify enrollment flow was created
  shell: |
    docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
      'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow' | \
      python3 -c "import sys, json; d = json.load(sys.stdin); print(json.dumps({'found': len(d.get('results', [])) > 0, 'count': len(d.get('results', []))}))"
  register: enrollment_flow_check
  changed_when: false
  failed_when: false
  when: api_result.status is defined and api_result.status == 200
 - name: Display public enrollment flow configuration status
  debug:
    msg: |
      ========================================
      Authentik Public Enrollment Flow
      ========================================
      Configuration Method: YAML Blueprints
      Blueprint File: /blueprints/enrollment-flow.yaml
      ✓ Blueprint Deployed: {{ enrollment_blueprint_copied.changed | default(false) }}
      ✓ Blueprint Applied: {{ 'In Progress' if (enrollment_blueprint_result is defined and enrollment_blueprint_result.rc is defined and enrollment_blueprint_result.rc != 0) else 'Complete' }}
      Verification: {{ enrollment_flow_check.stdout | default('{}') }}
      Features:
      - Invitation-only enrollment (requires valid invitation token)
      - User prompts: username, name, email, password
      - Automatic user creation and login
      Note: Brand enrollment flow is NOT auto-configured (API restriction).
      Flow is accessible via direct URL even without brand configuration.
      To use enrollment:
      1. Create invitation: Directory > Invitations > Create Invitation
      2. Share invitation link: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/?itoken=TOKEN
      To verify:
      - Login to https://{{ authentik_domain }}
      - Check Admin > Flows for "default-enrollment-flow"
      - Test enrollment URL: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/
      ========================================
  when: api_result.status is defined and api_result.status == 200
--- a/ansible/roles/authentik/tasks/main.yml
+++ b/ansible/roles/authentik/tasks/main.yml
@ -17,7 +17,22 @@
  when: mailgun_smtp_user is defined or (client_secrets.mailgun_smtp_user is defined and client_secrets.mailgun_smtp_user != "" and "PLACEHOLDER" not in client_secrets.mailgun_smtp_user)
  tags: ['authentik', 'email']
- name: Include flows configuration (recovery, invitation)
+- name: Include flows configuration (invitation, 2FA)
  include_tasks: flows.yml
  when: authentik_bootstrap | default(true)
  tags: ['authentik', 'flows']
 - name: Include MFA/2FA enforcement configuration
  include_tasks: mfa.yml
  when: authentik_bootstrap | default(true)
  tags: ['authentik', 'mfa', '2fa']
 - name: Include invitation stage configuration
  include_tasks: invitation.yml
  when: authentik_bootstrap | default(true)
  tags: ['authentik', 'invitation']
 - name: Include password recovery flow configuration
  include_tasks: recovery.yml
  when: authentik_bootstrap | default(true)
  tags: ['authentik', 'recovery']
--- a/ansible/roles/authentik/tasks/mfa.yml
+++ b/ansible/roles/authentik/tasks/mfa.yml
@ -0,0 +1,97 @@
 ---
 # Configure 2FA/MFA enforcement in Authentik
 - name: Use bootstrap token for API access
  set_fact:
    authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
 - name: Get TOTP setup stage UUID
  shell: |
    docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
      'http://localhost:9000/api/v3/stages/authenticator/totp/?name=default-authenticator-totp-setup'
  register: totp_stage_result
  changed_when: false
 - name: Parse TOTP stage UUID
  set_fact:
    totp_stage_pk: "{{ (totp_stage_result.stdout | from_json).results[0].pk }}"
 - name: Get current MFA validation stage configuration
  shell: |
    docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
      'http://localhost:9000/api/v3/stages/authenticator/validate/?name=default-authentication-mfa-validation'
  register: mfa_stage_result
  changed_when: false
 - name: Parse MFA validation stage
  set_fact:
    mfa_stage: "{{ (mfa_stage_result.stdout | from_json).results[0] }}"
 - name: Check if MFA enforcement needs configuration
  set_fact:
    mfa_needs_update: "{{ mfa_stage.not_configured_action != 'configure' or totp_stage_pk not in (mfa_stage.configuration_stages | default([])) }}"
 - name: Create Python script for MFA enforcement
  copy:
    content: |
      import sys, json, urllib.request
      base_url = "http://localhost:9000"
      token = "{{ authentik_api_token }}"
      stage_pk = "{{ mfa_stage.pk }}"
      totp_stage_pk = "{{ totp_stage_pk }}"
      # Prepare the update payload
      payload = {
          "name": "{{ mfa_stage.name }}",
          "not_configured_action": "configure",
          "device_classes": ["totp", "webauthn", "static"],
          "configuration_stages": [totp_stage_pk]
      }
      # Make PATCH request to update the stage
      url = f"{base_url}/api/v3/stages/authenticator/validate/{stage_pk}/"
      data = json.dumps(payload).encode()
      req = urllib.request.Request(url, data=data, method='PATCH')
      req.add_header('Authorization', f'Bearer {token}')
      req.add_header('Content-Type', 'application/json')
      try:
          with urllib.request.urlopen(req, timeout=30) as resp:
              result = json.loads(resp.read())
              print(json.dumps({"success": True, "message": "MFA enforcement configured", "not_configured_action": result.get("not_configured_action")}))
      except urllib.error.HTTPError as e:
          error_data = e.read().decode()
          print(json.dumps({"success": False, "error": error_data}), file=sys.stderr)
          sys.exit(1)
    dest: /tmp/configure_mfa.py
    mode: '0755'
  when: mfa_needs_update
 - name: Configure MFA enforcement via API
  shell: docker exec -i authentik-server python3 < /tmp/configure_mfa.py
  register: mfa_config_result
  when: mfa_needs_update
 - name: Cleanup MFA script
  file:
    path: /tmp/configure_mfa.py
    state: absent
  when: mfa_needs_update
 - name: Display MFA configuration status
  debug:
    msg: |
      ========================================
      Authentik 2FA/MFA Enforcement
      ========================================
      Status: {% if mfa_needs_update %}✓ Configured{% else %}✓ Already configured{% endif %}
      Configuration:
      - Not configured action: Force user to configure authenticator
      - Supported methods: TOTP, WebAuthn, Static backup codes
      - Configuration stage: default-authenticator-totp-setup
      Users will be required to set up 2FA on their next login.
      ========================================
--- a/ansible/roles/authentik/tasks/providers.yml
+++ b/ansible/roles/authentik/tasks/providers.yml
@ -23,7 +23,7 @@
      if not auth_flow or not key: print(json.dumps({'error': 'Config missing'}), file=sys.stderr); sys.exit(1)
      s, prov = req('/api/v3/providers/oauth2/', 'POST', {'name': 'Nextcloud', 'authorization_flow': auth_flow, 'invalidation_flow': inval_flow, 'client_type': 'confidential', 'redirect_uris': [{'matching_mode': 'strict', 'url': 'https://{{ nextcloud_domain }}/apps/user_oidc/code'}], 'signing_key': key, 'sub_mode': 'hashed_user_id', 'include_claims_in_id_token': True})
      if s != 201: print(json.dumps({'error': 'Provider failed', 'details': prov}), file=sys.stderr); sys.exit(1)
-      s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://{{ nextcloud_domain }}'})
+      s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://nextcloud.{{ client_domain }}'})
      if s != 201: print(json.dumps({'error': 'App failed', 'details': app}), file=sys.stderr); sys.exit(1)
      print(json.dumps({'success': True, 'provider_id': prov['pk'], 'application_id': app['pk'], 'client_id': prov['client_id'], 'client_secret': prov['client_secret'], 'discovery_uri': f"https://{{ authentik_domain }}/application/o/nextcloud/.well-known/openid-configuration", 'issuer': f"https://{{ authentik_domain }}/application/o/nextcloud/"}))
    dest: /tmp/create_oidc.py
--- a/ansible/roles/authentik/tasks/recovery.yml
+++ b/ansible/roles/authentik/tasks/recovery.yml
@ -0,0 +1,85 @@
 ---
 # Configure Authentik password recovery flow
 # This creates a complete recovery flow with email verification and password complexity validation
 - name: Use bootstrap token for API access
  set_fact:
    authentik_api_token: "{{ client_secrets.authentik_bootstrap_token }}"
 - name: Copy recovery flow creation script to server
  copy:
    src: create_recovery_flow.py
    dest: /tmp/create_recovery_flow.py
    mode: '0755'
 - name: Copy recovery flow script into Authentik container
  shell: docker cp /tmp/create_recovery_flow.py authentik-server:/tmp/create_recovery_flow.py
  changed_when: false
 - name: Create recovery flow via Authentik API
  shell: |
    docker exec authentik-server python3 /tmp/create_recovery_flow.py "{{ authentik_api_token }}" "{{ authentik_domain }}"
  register: recovery_flow_result
  failed_when: false
  changed_when: "'Recovery Flow Configuration Complete' in recovery_flow_result.stdout"
 - name: Cleanup recovery flow script from server
  file:
    path: /tmp/create_recovery_flow.py
    state: absent
 - name: Cleanup recovery flow script from container
  shell: docker exec authentik-server rm -f /tmp/create_recovery_flow.py
  changed_when: false
  failed_when: false
 - name: Parse recovery flow result
  set_fact:
    recovery_flow: "{{ recovery_flow_result.stdout | regex_search('\\{.*\\}', multiline=True) | from_json }}"
  when: recovery_flow_result.rc == 0
  failed_when: false
 - name: Display recovery flow configuration result
  debug:
    msg: |
      ========================================
      Authentik Password Recovery Flow
      ========================================
      {% if recovery_flow is defined and recovery_flow.success | default(false) %}
      Status: ✓ Configured Successfully
      Recovery Flow UUID: {{ recovery_flow.recovery_flow_uuid }}
      Password Policy UUID: {{ recovery_flow.password_complexity_uuid }}
      Features:
      - Password complexity: 12+ chars, mixed case, digit, symbol
      - Recovery email with 30-minute expiry token
      - Username + password on same login page
      - "Forgot password?" link on login page
      Test Recovery Flow:
      1. Go to: https://{{ authentik_domain }}/if/flow/default-authentication-flow/
      2. Click "Forgot password?" link
      3. Enter username or email
      4. Check email for recovery link (sent via Mailgun)
      5. Set new password (must meet complexity requirements)
      ========================================
      {% else %}
      Status: ⚠ Configuration incomplete or failed
      This is non-critical - recovery flow can be configured manually.
      To configure manually:
      1. Login to https://{{ authentik_domain }}
      2. Go to Admin > Flows & Stages
      3. Create recovery flow with email verification
      Details: {{ recovery_flow_result.stdout | default('No output') }}
      ========================================
      {% endif %}
 - name: Set recovery flow status fact
  set_fact:
    recovery_flow_configured: "{{ recovery_flow is defined and recovery_flow.success | default(false) }}"
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@ -1,6 +1,11 @@
 ---
 # Handlers for common role
 - name: Restart systemd-resolved
  service:
    name: systemd-resolved
    state: restarted
 - name: Restart SSH
  service:
    name: ssh
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -1,6 +1,28 @@
 ---
 # Main tasks for common role - base system setup and hardening
 - name: Ensure systemd-resolved config directory exists
  file:
    path: /etc/systemd/resolved.conf.d
    state: directory
    mode: '0755'
  tags: [dns]
 - name: Configure DNS (systemd-resolved)
  copy:
    dest: /etc/systemd/resolved.conf.d/dns_servers.conf
    content: |
      [Resolve]
      DNS=8.8.8.8 8.8.4.4
      FallbackDNS=1.1.1.1 1.0.0.1
    mode: '0644'
  notify: Restart systemd-resolved
  tags: [dns]
 - name: Flush handlers (apply DNS config immediately)
  meta: flush_handlers
  tags: [dns]
 - name: Update apt cache
  apt:
    update_cache: yes
--- a/ansible/roles/diun/defaults/main.yml
+++ b/ansible/roles/diun/defaults/main.yml
@ -0,0 +1,39 @@
 ---
 # Diun default configuration
 diun_version: "latest"
 diun_schedule: "0 6 * * *"  # Daily at 6am UTC
 diun_log_level: "info"
 diun_watch_workers: 10
 # Notification configuration
 diun_notif_enabled: true
 diun_notif_type: "webhook"  # Options: webhook, slack, discord, email, gotify
 diun_webhook_endpoint: ""   # Set per environment or via secrets
 diun_webhook_method: "POST"
 diun_webhook_headers: {}
 # Optional: Slack notification
 diun_slack_webhook_url: ""
 # Optional: Email notification (Mailgun)
 # Note: Uses per-client SMTP credentials from mailgun role
 diun_email_enabled: true
 diun_smtp_host: "smtp.eu.mailgun.org"
 diun_smtp_port: 587
 diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
 diun_smtp_to: "pieter@postxsociety.org"
 # Which containers to watch
 diun_watch_all: true
 diun_exclude_containers: []
 # Don't send notifications on first check (prevents spam on initial run)
 diun_first_check_notif: false
 # Optional: Matrix notification
 diun_matrix_enabled: false
 diun_matrix_homeserver_url: ""  # e.g., https://matrix.postxsociety.cloud
 diun_matrix_user: ""            # e.g., @diun:matrix.postxsociety.cloud
 diun_matrix_password: ""        # Bot user password (if using password auth)
 diun_matrix_access_token: ""    # Bot access token (preferred over password)
 diun_matrix_room_id: ""         # e.g., !abc123:matrix.postxsociety.cloud
--- a/ansible/roles/diun/handlers/main.yml
+++ b/ansible/roles/diun/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Restart Diun
  community.docker.docker_compose_v2:
    project_src: /opt/docker/diun
    state: restarted
--- a/ansible/roles/diun/tasks/main.yml
+++ b/ansible/roles/diun/tasks/main.yml
@ -0,0 +1,57 @@
 ---
 - name: Set SMTP credentials from mailgun role facts or client_secrets
  set_fact:
    diun_smtp_username_final: "{{ mailgun_smtp_user | default(client_secrets.mailgun_smtp_user | default(client_name ~ '@mg.vrije.cloud')) }}"
    diun_smtp_password_final: "{{ mailgun_smtp_password | default(client_secrets.mailgun_smtp_password | default('')) }}"
  when: mailgun_smtp_user is defined or client_secrets.mailgun_smtp_user is defined or client_name is defined
  no_log: true
 - name: Create monitoring Docker network
  community.docker.docker_network:
    name: monitoring
    state: present
 - name: Create Diun directory
  file:
    path: /opt/docker/diun
    state: directory
    mode: '0755'
 - name: Create Diun data directory
  file:
    path: /opt/docker/diun/data
    state: directory
    mode: '0755'
 - name: Deploy Diun configuration
  template:
    src: diun.yml.j2
    dest: /opt/docker/diun/diun.yml
    mode: '0644'
  notify: Restart Diun
 - name: Deploy Diun docker-compose.yml
  template:
    src: docker-compose.yml.j2
    dest: /opt/docker/diun/docker-compose.yml
    mode: '0644'
  notify: Restart Diun
 - name: Start Diun container
  community.docker.docker_compose_v2:
    project_src: /opt/docker/diun
    state: present
    pull: always
  register: diun_deploy
 - name: Wait for Diun to be healthy
  shell: docker inspect --format='{{"{{"}} .State.Status {{"}}"}}' diun
  register: diun_status
  until: diun_status.stdout == "running"
  retries: 5
  delay: 3
  changed_when: false
 - name: Display Diun status
  debug:
    msg: "Diun is {{ diun_status.stdout }} on {{ inventory_hostname }}"
--- a/ansible/roles/diun/templates/diun.yml.j2
+++ b/ansible/roles/diun/templates/diun.yml.j2
@ -0,0 +1,77 @@
 ---
 # Diun configuration for {{ inventory_hostname }}
 # Documentation: https://crazymax.dev/diun/
 db:
  path: /data/diun.db
 watch:
  workers: {{ diun_watch_workers }}
  schedule: "{{ diun_schedule }}"
  firstCheckNotif: {{ diun_first_check_notif | lower }}
 defaults:
  watchRepo: {{ diun_watch_repo | default(true) | lower }}
  notifyOn:
    - new
    - update
 {% if diun_docker_hub_username is defined and diun_docker_hub_password is defined %}
 regopts:
  - selector: image
    username: {{ diun_docker_hub_username }}
    password: {{ diun_docker_hub_password }}
 {% endif %}
 providers:
  docker:
    watchByDefault: {{ diun_watch_all | lower }}
 {% if diun_exclude_containers | length > 0 %}
    excludeContainers:
 {% for container in diun_exclude_containers %}
      - {{ container }}
 {% endfor %}
 {% endif %}
 notif:
 {% if diun_notif_enabled and diun_notif_type == 'webhook' and diun_webhook_endpoint %}
  webhook:
    endpoint: {{ diun_webhook_endpoint }}
    method: {{ diun_webhook_method }}
    timeout: 10s
 {% if diun_webhook_headers | length > 0 %}
    headers:
 {% for key, value in diun_webhook_headers.items() %}
      {{ key }}: {{ value }}
 {% endfor %}
 {% endif %}
 {% endif %}
 {% if diun_slack_webhook_url %}
  slack:
    webhookURL: {{ diun_slack_webhook_url }}
 {% endif %}
 {% if diun_email_enabled and diun_smtp_username_final is defined and diun_smtp_password_final is defined and diun_smtp_password_final != '' %}
  mail:
    host: {{ diun_smtp_host }}
    port: {{ diun_smtp_port }}
    ssl: false
    insecureSkipVerify: false
    username: {{ diun_smtp_username_final }}
    password: {{ diun_smtp_password_final }}
    from: {{ diun_smtp_from }}
    to: {{ diun_smtp_to }}
 {% endif %}
 {% if diun_matrix_enabled and diun_matrix_homeserver_url and diun_matrix_user and diun_matrix_room_id %}
  matrix:
    homeserverURL: {{ diun_matrix_homeserver_url }}
    user: "{{ diun_matrix_user }}"
 {% if diun_matrix_access_token %}
    accessToken: {{ diun_matrix_access_token }}
 {% elif diun_matrix_password %}
    password: "{{ diun_matrix_password }}"
 {% endif %}
    roomID: "{{ diun_matrix_room_id }}"
 {% endif %}
--- a/ansible/roles/diun/templates/docker-compose.yml.j2
+++ b/ansible/roles/diun/templates/docker-compose.yml.j2
@ -0,0 +1,24 @@
 version: '3.8'
 services:
  diun:
    image: crazymax/diun:{{ diun_version }}
    container_name: diun
    restart: unless-stopped
    command: serve
    volumes:
      - "./data:/data"
      - "./diun.yml:/diun.yml:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      - TZ=UTC
      - LOG_LEVEL={{ diun_log_level }}
    labels:
      - "diun.enable=true"
    networks:
      - monitoring
 networks:
  monitoring:
    name: monitoring
    external: true
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@ -66,3 +66,13 @@
    path: /opt/docker
    state: directory
    mode: '0755'
 - name: Login to Docker Hub (if credentials provided)
  community.docker.docker_login:
    username: "{{ shared_secrets.docker_hub_username }}"
    password: "{{ shared_secrets.docker_hub_password }}"
    state: present
  when:
    - shared_secrets.docker_hub_username is defined
    - shared_secrets.docker_hub_password is defined
  tags: [docker, docker-login]
--- a/ansible/roles/kuma/defaults/main.yml
+++ b/ansible/roles/kuma/defaults/main.yml
@ -0,0 +1,38 @@
 ---
 # Uptime Kuma monitoring registration
 kuma_enabled: true
 kuma_url: "https://status.vrije.cloud"
 # Authentication - credentials loaded from shared_secrets in tasks/main.yml
 # Uses username/password (required for Socket.io API used by Python library)
 kuma_username: ""  # Loaded from shared_secrets.kuma_username
 kuma_password: ""  # Loaded from shared_secrets.kuma_password
 # Monitors to create for each client
 kuma_monitors:
  - name: "{{ client_name }} - Authentik SSO"
    type: "http"
    url: "https://auth.{{ client_domain }}"
    method: "GET"
    interval: 60
    maxretries: 3
    retry_interval: 60
    expected_status: "200,302"
  - name: "{{ client_name }} - Nextcloud"
    type: "http"
    url: "https://nextcloud.{{ client_domain }}"
    method: "GET"
    interval: 60
    maxretries: 3
    retry_interval: 60
    expected_status: "200,302"
  - name: "{{ client_name }} - Collabora Office"
    type: "http"
    url: "https://office.{{ client_domain }}"
    method: "GET"
    interval: 60
    maxretries: 3
    retry_interval: 60
    expected_status: "200"
--- a/ansible/roles/kuma/tasks/main.yml
+++ b/ansible/roles/kuma/tasks/main.yml
@ -0,0 +1,49 @@
 ---
 # Register client services with Uptime Kuma monitoring
 # Uses uptime-kuma-api Python library with Socket.io
 - name: Set Kuma credentials from shared secrets
  set_fact:
    kuma_username: "{{ shared_secrets.kuma_username | default('') }}"
    kuma_password: "{{ shared_secrets.kuma_password | default('') }}"
  when: shared_secrets is defined
 - name: Check if Kuma monitoring is enabled
  set_fact:
    kuma_registration_enabled: "{{ (kuma_enabled | bool) and (kuma_url | length > 0) and (kuma_username | length > 0) and (kuma_password | length > 0) }}"
 - name: Kuma registration block
  when: kuma_registration_enabled
  delegate_to: localhost
  become: false
  block:
    - name: Ensure uptime-kuma-api Python package is installed
      pip:
        name: uptime-kuma-api
        state: present
    - name: Create Kuma registration script
      template:
        src: register_monitors.py.j2
        dest: /tmp/kuma_register_{{ client_name }}.py
        mode: '0700'
    - name: Register monitors with Uptime Kuma
      command: "{{ ansible_playbook_python }} /tmp/kuma_register_{{ client_name }}.py"
      register: kuma_result
      changed_when: "'Added' in kuma_result.stdout or 'Updated' in kuma_result.stdout"
      failed_when: kuma_result.rc != 0
    - name: Display Kuma registration result
      debug:
        msg: "{{ kuma_result.stdout_lines }}"
    - name: Cleanup registration script
      file:
        path: /tmp/kuma_register_{{ client_name }}.py
        state: absent
 - name: Skip Kuma registration message
  debug:
    msg: "Kuma monitoring registration skipped (not enabled or missing credentials)"
  when: not kuma_registration_enabled
--- a/ansible/roles/kuma/templates/register_monitors.py.j2
+++ b/ansible/roles/kuma/templates/register_monitors.py.j2
@ -0,0 +1,128 @@
 #!/usr/bin/env python3
 """
 Uptime Kuma Monitor Registration Script
 Auto-generated for client: {{ client_name }}
 """
 import sys
 from uptime_kuma_api import UptimeKumaApi, MonitorType
 # Configuration
 KUMA_URL = "{{ kuma_url }}"
 KUMA_USERNAME = "{{ kuma_username | default('') }}"
 KUMA_PASSWORD = "{{ kuma_password | default('') }}"
 CLIENT_NAME = "{{ client_name }}"
 CLIENT_DOMAIN = "{{ client_domain }}"
 # Monitor definitions
 MONITORS = {{ kuma_monitors | to_json }}
 # Monitor type mapping
 TYPE_MAP = {
    "http": MonitorType.HTTP,
    "https": MonitorType.HTTP,
    "ping": MonitorType.PING,
    "tcp": MonitorType.PORT,
    "dns": MonitorType.DNS,
 }
 def main():
    """Register monitors with Uptime Kuma"""
    # Check if credentials are provided
    if not KUMA_USERNAME or not KUMA_PASSWORD:
        print("⚠️  Kuma registration skipped: No credentials provided")
        print("")
        print("To enable automated monitor registration, add to your secrets:")
        print("  kuma_username: your_username")
        print("  kuma_password: your_password")
        print("")
        print("Note: API keys (uk1_*) are only for REST endpoints, not monitor management")
        print("Manual registration required at: https://status.vrije.cloud")
        sys.exit(0)  # Exit with success (not a failure, just skipped)
    try:
        # Connect to Uptime Kuma (Socket.io connection)
        print(f"🔌 Connecting to Uptime Kuma at {KUMA_URL}...")
        api = UptimeKumaApi(KUMA_URL)
        # Login with username/password
        print(f"🔐 Authenticating as {KUMA_USERNAME}...")
        api.login(KUMA_USERNAME, KUMA_PASSWORD)
        # Get existing monitors
        print("📋 Fetching existing monitors...")
        existing_monitors = api.get_monitors()
        existing_names = {m['name']: m['id'] for m in existing_monitors}
        # Register each monitor
        added_count = 0
        updated_count = 0
        skipped_count = 0
        for monitor_config in MONITORS:
            monitor_name = monitor_config['name']
            monitor_type_str = monitor_config.get('type', 'http').lower()
            monitor_type = TYPE_MAP.get(monitor_type_str, MonitorType.HTTP)
            # Build monitor parameters
            params = {
                'type': monitor_type,
                'name': monitor_name,
                'interval': monitor_config.get('interval', 60),
                'maxretries': monitor_config.get('maxretries', 3),
                'retryInterval': monitor_config.get('retry_interval', 60),
            }
            # Add type-specific parameters
            if monitor_type == MonitorType.HTTP:
                params['url'] = monitor_config['url']
                params['method'] = monitor_config.get('method', 'GET')
                if 'expected_status' in monitor_config:
                    params['accepted_statuscodes'] = monitor_config['expected_status'].split(',')
            elif monitor_type == MonitorType.PING:
                params['hostname'] = monitor_config.get('hostname', monitor_config.get('url', ''))
            # Check if monitor already exists
            if monitor_name in existing_names:
                print(f"⚠️  Monitor '{monitor_name}' already exists (ID: {existing_monitors[monitor_name]})")
                print(f"   Skipping (update not implemented)")
                skipped_count += 1
            else:
                print(f"➕ Adding monitor: {monitor_name}")
                try:
                    result = api.add_monitor(**params)
                    print(f"   ✓ Added (ID: {result.get('monitorID', 'unknown')})")
                    added_count += 1
                except Exception as e:
                    print(f"   ✗ Failed: {e}")
        # Disconnect
        api.disconnect()
        # Summary
        print("")
        print("=" * 60)
        print(f"📊 Registration Summary for {CLIENT_NAME}:")
        print(f"   Added: {added_count}")
        print(f"   Skipped (already exist): {skipped_count}")
        print(f"   Total monitors: {len(MONITORS)}")
        print("=" * 60)
        if added_count > 0:
            print(f"✅ Successfully registered {added_count} new monitor(s)")
    except Exception as e:
        print(f"❌ ERROR: Failed to register monitors: {e}")
        print("")
        print("Troubleshooting:")
        print(f"  1. Verify Kuma is accessible: {KUMA_URL}")
        print("  2. Check username/password are correct")
        print("  3. Ensure uptime-kuma-api Python package is installed")
        print("  4. Check network connectivity from deployment machine")
        sys.exit(1)
 if __name__ == "__main__":
    main()
--- a/ansible/roles/nextcloud/defaults/main.yml
+++ b/ansible/roles/nextcloud/defaults/main.yml
@ -2,7 +2,7 @@
 # Default variables for nextcloud role
 # Nextcloud version
-nextcloud_version: "30"  # Latest stable version (uses major version tag)
+nextcloud_version: "latest"  # Always use latest stable version
 # Database configuration
 nextcloud_db_type: "pgsql"
@ -22,10 +22,12 @@ nextcloud_redis_host: "nextcloud-redis"
 nextcloud_redis_port: "6379"
 # OIDC configuration
 # Note: OIDC credentials are provided dynamically by the Authentik role
 # via /tmp/authentik_oidc_credentials.json during deployment
 nextcloud_oidc_enabled: true
-nextcloud_oidc_provider_url: "https://{{ zitadel_domain }}"
+nextcloud_oidc_provider_url: "https://{{ authentik_domain }}"
-nextcloud_oidc_client_id: ""  # Will be set after creating app in Zitadel
+nextcloud_oidc_client_id: ""  # Set dynamically from Authentik
-nextcloud_oidc_client_secret: ""  # Will be set after creating app in Zitadel
+nextcloud_oidc_client_secret: ""  # Set dynamically from Authentik
 # Trusted domains (for Nextcloud config)
 nextcloud_trusted_domains:
--- a/ansible/roles/nextcloud/tasks/docker.yml
+++ b/ansible/roles/nextcloud/tasks/docker.yml
@ -20,10 +20,12 @@
    state: present
  register: nextcloud_deploy
- name: Wait for Nextcloud to be ready
+- name: Wait for Nextcloud container to be ready
-  wait_for:
+  shell: docker exec nextcloud sh -c 'until curl -f http://localhost:80 >/dev/null 2>&1; do sleep 2; done'
-    host: localhost
+  args:
-    port: 80
+    executable: /bin/bash
-    delay: 10
+  register: nextcloud_ready
  changed_when: false
  failed_when: false
  timeout: 300
  when: nextcloud_deploy.changed
--- a/ansible/roles/nextcloud/tasks/main.yml
+++ b/ansible/roles/nextcloud/tasks/main.yml
@ -1,6 +1,12 @@
 ---
 # Main tasks for Nextcloud deployment
 - name: Include volume mounting tasks
  include_tasks: mount-volume.yml
  tags:
    - nextcloud
    - volume
 - name: Include Docker deployment tasks
  include_tasks: docker.yml
  tags:
--- a/ansible/roles/nextcloud/tasks/mount-volume.yml
+++ b/ansible/roles/nextcloud/tasks/mount-volume.yml
@ -0,0 +1,74 @@
 ---
 # Mount Hetzner Volume for Nextcloud Data Storage
 #
 # This task file handles mounting the Hetzner Volume that stores Nextcloud user data.
 # The volume is created and attached by OpenTofu, we just mount it here.
 - name: Wait for volume device to appear
  wait_for:
    path: /dev/disk/by-id/
    timeout: 30
  register: disk_ready
 - name: Find Nextcloud volume device
  shell: |
    ls -1 /dev/disk/by-id/scsi-0HC_Volume_* 2>/dev/null | head -1
  register: volume_device_result
  changed_when: false
  failed_when: false
 - name: Set volume device fact
  set_fact:
    volume_device: "{{ volume_device_result.stdout }}"
 - name: Display found volume device
  debug:
    msg: "Found Nextcloud volume at: {{ volume_device }}"
 - name: Check if volume is already formatted
  shell: |
    blkid {{ volume_device }} | grep -q 'TYPE="ext4"'
  register: volume_formatted
  changed_when: false
  failed_when: false
 - name: Format volume as ext4 if not formatted
  filesystem:
    fstype: ext4
    dev: "{{ volume_device }}"
  when: volume_formatted.rc != 0
 - name: Create mount point directory
  file:
    path: /mnt/nextcloud-data
    state: directory
    mode: '0755'
 - name: Mount Nextcloud data volume
  mount:
    path: /mnt/nextcloud-data
    src: "{{ volume_device }}"
    fstype: ext4
    state: mounted
    opts: defaults,discard
  register: mount_result
 - name: Ensure mount persists across reboots
  mount:
    path: /mnt/nextcloud-data
    src: "{{ volume_device }}"
    fstype: ext4
    state: present
    opts: defaults,discard
 - name: Create Nextcloud data directory on volume
  file:
    path: /mnt/nextcloud-data/data
    state: directory
    owner: www-data
    group: www-data
    mode: '0750'
 - name: Display mount success
  debug:
    msg: "Nextcloud volume successfully mounted at /mnt/nextcloud-data"
--- a/ansible/roles/nextcloud/tasks/oidc.yml
+++ b/ansible/roles/nextcloud/tasks/oidc.yml
@ -56,6 +56,17 @@
  register: oidc_config
  changed_when: oidc_config.rc == 0
 - name: Configure OIDC settings (allow native login + OIDC)
  shell: |
    docker exec -u www-data nextcloud php occ config:app:set user_oidc allow_multiple_user_backends --value=1
    docker exec -u www-data nextcloud php occ config:app:set user_oidc auto_provision --value=1
    docker exec -u www-data nextcloud php occ config:app:set user_oidc single_logout --value=0
  when:
    - authentik_oidc is defined
    - authentik_oidc.success | default(false)
  register: oidc_settings
  changed_when: oidc_settings.rc == 0
 - name: Cleanup OIDC credentials file
  file:
    path: /tmp/authentik_oidc_credentials.json
--- a/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2
+++ b/ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2
@ -10,8 +10,17 @@ services:
      POSTGRES_DB: {{ nextcloud_db_name }}
      POSTGRES_USER: {{ nextcloud_db_user }}
      POSTGRES_PASSWORD: {{ client_secrets.nextcloud_db_password }}
      # Grant full privileges to the user
      POSTGRES_INITDB_ARGS: "--auth-host=scram-sha-256"
    command: >
      postgres
      -c shared_buffers=256MB
      -c max_connections=200
      -c shared_preload_libraries=''
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U {{ nextcloud_db_user }} -d {{ nextcloud_db_name }}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - nextcloud-internal
@ -35,7 +44,8 @@ services:
      - nextcloud-db
      - nextcloud-redis
    volumes:
-      - nextcloud-data:/var/www/html
+      - nextcloud-app:/var/www/html
      - /mnt/nextcloud-data/data:/var/www/html/data  # User data on Hetzner Volume
    entrypoint: /cron.sh
    networks:
      - nextcloud-internal
@ -49,7 +59,8 @@ services:
      - nextcloud-db
      - nextcloud-redis
    volumes:
-      - nextcloud-data:/var/www/html
+      - nextcloud-app:/var/www/html
      - /mnt/nextcloud-data/data:/var/www/html/data  # User data on Hetzner Volume
    environment:
      # Database configuration
      POSTGRES_HOST: {{ nextcloud_db_host }}
@ -115,11 +126,18 @@ services:
    image: collabora/code:latest
    container_name: collabora
    restart: unless-stopped
    # Required capabilities for optimal performance (bind-mount instead of copy)
    cap_add:
      - MKNOD
      - SYS_CHROOT
    environment:
      - domain={{ nextcloud_domain | regex_replace('\.', '\\.') }}
      - username={{ collabora_admin_user }}
      - password={{ client_secrets.collabora_admin_password }}
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
+      # Performance tuning based on available CPU cores
      # num_prespawn_children: Number of child processes to keep started (default: 1)
      # per_document.max_concurrency: Max threads per document (should be <= CPU cores)
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:num_prespawn_children=1 --o:per_document.max_concurrency=2
      - MEMPROPORTION=60.0
      - MAX_DOCUMENTS=10
      - MAX_CONNECTIONS=20
@ -158,5 +176,6 @@ volumes:
    name: nextcloud-db-data
  nextcloud-redis-data:
    name: nextcloud-redis-data
-  nextcloud-data:
+  nextcloud-app:
-    name: nextcloud-data
+    name: nextcloud-app
    # Note: nextcloud-data volume removed - user data now stored on Hetzner Volume at /mnt/nextcloud-data
--- a/ansible/roles/traefik/templates/dynamic.yml.j2
+++ b/ansible/roles/traefik/templates/dynamic.yml.j2
@ -1,66 +1,8 @@
 # Traefik dynamic configuration
-# Managed by Ansible - do not edit manually
+# Managed by Ansible - Client-specific routes come from Docker labels
 http:
  routers:
    # Zitadel identity provider
    zitadel:
      rule: "Host(`zitadel.test.vrije.cloud`)"
      service: zitadel
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
  middlewares:
        - zitadel-headers
    # Nextcloud file sync/share
    nextcloud:
      rule: "Host(`nextcloud.test.vrije.cloud`)"
      service: nextcloud
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - nextcloud-headers
        - nextcloud-redirectregex
  services:
    # Zitadel service
    zitadel:
      loadBalancer:
        servers:
          - url: "h2c://zitadel:8080"
    # Nextcloud service
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://nextcloud:80"
  middlewares:
    # Zitadel-specific headers
    zitadel-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
    # Nextcloud-specific headers
    nextcloud-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
    # CalDAV/CardDAV redirect for Nextcloud
    nextcloud-redirectregex:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://$1/remote.php/dav/"
    # Security headers
    security-headers:
      headers:
--- a/clients/README.md
+++ b/clients/README.md
@ -0,0 +1,83 @@
 # Client Registry
 This directory contains the client registry system for tracking all deployed infrastructure.
 ## Files
 - **[registry.yml](registry.yml)** - Single source of truth for all clients
  - Deployment status and lifecycle
  - Server specifications
  - Application versions
  - Maintenance history
  - Access URLs
 ## Management Scripts
 All scripts are located in [`../scripts/`](../scripts/):
 ### View Clients
 View the registry directly:
 ```bash
 # View full registry
 cat registry.yml
 # View specific client (requires yq)
 yq eval '.clients.dev' registry.yml
 ```
 ### View Client Details
 ```bash
 # Show detailed status with live health checks
 ../scripts/client-status.sh <client_name>
 ```
 ### Update Registry
 The registry is **automatically updated** by deployment scripts:
 - `deploy-client.sh` - Creates/updates entry on deployment
 - `rebuild-client.sh` - Updates entry on rebuild
 - `destroy-client.sh` - Marks as destroyed
 For manual updates, edit `registry.yml` directly.
 ## Registry Structure
 Each client entry tracks:
 - **Status**: `pending` → `deployed` → `maintenance` → `offboarding` → `destroyed`
 - **Role**: `canary` (testing) or `production` (live)
 - **Server**: Type, location, IP, Hetzner ID
 - **Apps**: Installed applications
 - **Versions**: Application and OS versions
 - **Maintenance**: Update and backup history
 - **URLs**: Access endpoints
 - **Notes**: Operational documentation
 ## Canary Deployment
 The `dev` client has role `canary` and is used for testing:
 ```bash
 # 1. Test on canary first
 ../scripts/deploy-client.sh dev
 # 2. Verify it works
 ../scripts/client-status.sh dev
 # 3. Roll out to production clients manually
 # Review registry.yml for production clients, then rebuild each one
 ```
 ## Registry Structure Details
 The `registry.yml` file uses YAML format with the following structure:
 - Complete registry structure reference in the file itself
 - Client lifecycle states and metadata
 - Server specifications and IP addresses
 - Deployment timestamps and version tracking
 ## Requirements
 - **yq**: YAML processor (`brew install yq`)
 - **jq**: JSON processor (`brew install jq`)
--- a/clients/registry.yml
+++ b/clients/registry.yml
@ -0,0 +1,89 @@
 # Client Registry
 #
 # Single source of truth for all clients in the infrastructure.
 # This file tracks client lifecycle, deployment state, and versions.
 #
 # Status values:
 #   - pending: Client configuration created, not yet deployed
 #   - deployed: Client is live and operational
 #   - maintenance: Under maintenance, may be temporarily unavailable
 #   - offboarding: Being decommissioned
 #   - destroyed: Infrastructure removed, secrets archived
 #
 # Role values:
 #   - canary: Used for testing updates before production rollout
 #   - production: Live client serving real users
 clients:
  dev:
    status: deployed
    role: canary
    deployed_date: 2026-01-17
    destroyed_date: null
    server:
      type: cpx22              # 3 vCPU, 4 GB RAM, 80 GB SSD
      location: fsn1           # Falkenstein, Germany
      ip: 78.47.191.38
      id: "117714358"          # Hetzner server ID
    apps:
      - authentik
      - nextcloud
    versions:
      authentik: "2025.10.3"
      nextcloud: "30.0.17"
      traefik: "v3.0"
      ubuntu: "24.04"
    maintenance:
      last_full_update: 2026-01-17
      last_security_patch: 2026-01-17
      last_os_update: 2026-01-17
      last_backup_verified: null
    urls:
      authentik: "https://auth.dev.vrije.cloud"
      nextcloud: "https://nextcloud.dev.vrije.cloud"
    notes: |
      Canary/test server. Used for testing updates before production rollout.
      Server was recreated on 2026-01-17 for per-client SSH key implementation.
 # Add new clients here as they are deployed
 # Template:
 #
 # clientname:
 #   status: deployed
 #   role: production
 #   deployed_date: YYYY-MM-DD
 #   destroyed_date: null
 #
 #   server:
 #     type: cx22
 #     location: nbg1
 #     ip: 1.2.3.4
 #     id: "12345678"
 #
 #   apps:
 #     - authentik
 #     - nextcloud
 #
 #   versions:
 #     authentik: "2025.10.3"
 #     nextcloud: "30.0.17"
 #     traefik: "v3.0"
 #     ubuntu: "24.04"
 #
 #   maintenance:
 #     last_full_update: YYYY-MM-DD
 #     last_security_patch: YYYY-MM-DD
 #     last_os_update: YYYY-MM-DD
 #     last_backup_verified: null
 #
 #   urls:
 #     authentik: "https://auth.clientname.vrije.cloud"
 #     nextcloud: "https://nextcloud.clientname.vrije.cloud"
 #
 #   notes: ""
--- a/docs/AUTOMATION_STATUS.md
+++ b/docs/AUTOMATION_STATUS.md
@ -1,245 +0,0 @@
 # Automation Status
 ## ✅ FULLY AUTOMATED DEPLOYMENT
 **Status**: The infrastructure is now **100% automated** with **ZERO manual steps** required.
 ## What Gets Deployed
 When you run the deployment playbook, the following happens automatically:
 ### 1. Hetzner Cloud Infrastructure
 - VPS server provisioned via OpenTofu
 - Firewall rules configured
 - SSH keys deployed
 - Domain DNS configured
 ### 2. Traefik Reverse Proxy
 - Docker containers deployed
 - Let's Encrypt SSL certificates obtained automatically
 - HTTPS configured for all services
 ### 3. Authentik Identity Provider
 - PostgreSQL database deployed
 - Authentik server + worker containers started
 - **Admin user `akadmin` created automatically** via `AUTHENTIK_BOOTSTRAP_PASSWORD`
 - **API token created automatically** via `AUTHENTIK_BOOTSTRAP_TOKEN`
 - OAuth2/OIDC provider for Nextcloud created via API
 - Client credentials generated and saved
 ### 4. Nextcloud File Storage
 - MariaDB database deployed
 - Redis cache configured
 - Nextcloud container started
 - **Admin account created automatically**
 - **OIDC app installed and configured automatically**
 - **SSO integration with Authentik configured automatically**
 ## Deployment Command
 ```bash
 cd infrastructure/tofu
 tofu apply
 cd ../ansible
 export HCLOUD_TOKEN="<your_token>"
 export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
 ansible-playbook -i hcloud.yml playbooks/setup.yml
 ansible-playbook -i hcloud.yml playbooks/deploy.yml
 ```
 ## What You Get
 After deployment completes (typically 10-15 minutes):
 ### Immediately Usable Services
 1. **Authentik SSO**: `https://auth.<client>.vrije.cloud`
   - Admin user: `akadmin`
   - Password: Generated automatically, stored in secrets
   - Fully configured and ready to create users
 2. **Nextcloud**: `https://nextcloud.<client>.vrije.cloud`
   - Admin user: `admin`
   - Password: Generated automatically, stored in secrets
   - **"Login with Authentik" button already visible**
   - No additional configuration needed
 ### End User Workflow
 1. Admin logs into Authentik
 2. Admin creates user accounts in Authentik
 3. Users visit Nextcloud login page
 4. Users click "Login with Authentik"
 5. Users enter Authentik credentials
 6. Nextcloud account automatically created and linked
 7. User is logged in and can use Nextcloud
 ## Technical Details
 ### Bootstrap Automation
 Authentik supports official bootstrap environment variables:
 ```yaml
 # In docker-compose.authentik.yml.j2
 environment:
  AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ client_secrets.authentik_bootstrap_password }}"
  AUTHENTIK_BOOTSTRAP_TOKEN: "{{ client_secrets.authentik_bootstrap_token }}"
  AUTHENTIK_BOOTSTRAP_EMAIL: "{{ client_secrets.authentik_bootstrap_email }}"
 ```
 These variables:
 - Are only read during **first startup** (when database is empty)
 - Create the default `akadmin` user with specified password
 - Create an API token for programmatic access
 - **Require no manual intervention**
 ### OIDC Provider Automation
 The `authentik_api.py` script:
 1. Waits for Authentik to be ready
 2. Authenticates using bootstrap token
 3. Gets default authorization flow UUID
 4. Gets default signing certificate UUID
 5. Creates OAuth2/OIDC provider for Nextcloud
 6. Creates application linked to provider
 7. Returns `client_id`, `client_secret`, `discovery_uri`
 The Nextcloud role:
 1. Installs `user_oidc` app
 2. Reads credentials from temporary file
 3. Configures OIDC provider via `occ` command
 4. Cleanup temporary files
 ### Secrets Management
 All sensitive data is:
 - Generated automatically using Python's `secrets` module
 - Stored in SOPS-encrypted files
 - Never committed to git in plaintext
 - Decrypted only during Ansible execution
 ## Multi-Tenant Support
 To add a new client:
 ```bash
 # 1. Create secrets file
 cp secrets/clients/test.sops.yaml secrets/clients/newclient.sops.yaml
 sops secrets/clients/newclient.sops.yaml
 # Edit: client_name, domains, regenerate all passwords/tokens
 # 2. Deploy
 tofu apply
 ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit newclient
 ```
 Each client gets:
 - Isolated VPS server
 - Separate databases
 - Separate Docker networks
 - Own SSL certificates
 - Own admin credentials
 - Own SSO configuration
 ## Zero Manual Configuration
 ### What is NOT required
 ❌ No web UI clicking
 ❌ No manual account creation
 ❌ No copying/pasting of credentials
 ❌ No OAuth2 provider setup in web UI
 ❌ No Nextcloud app configuration
 ❌ No DNS configuration (handled by Hetzner API)
 ❌ No SSL certificate generation (handled by Traefik)
 ### What IS required
 ✅ Run OpenTofu to provision infrastructure
 ✅ Run Ansible to deploy and configure services
 ✅ Wait 10-15 minutes for deployment to complete
 That's it!
 ## Validation
 After deployment, you can verify automation worked:
 ```bash
 # 1. Check services are running
 ssh root@<client_ip>
 docker ps
 # 2. Visit Nextcloud
 curl -I https://nextcloud.<client>.vrije.cloud
 # Should return 200 OK with SSL
 # 3. Check for "Login with Authentik" button
 # Visit https://nextcloud.<client>.vrije.cloud/login
 # Button should be visible immediately
 # 4. Test SSO flow
 # Click button → redirected to Authentik
 # Login with Authentik credentials
 # Redirected back to Nextcloud, logged in
 ```
 ## Comparison: Before vs After
 ### Before (Manual Setup)
 1. Deploy Authentik ✅
 2. **Visit web UI and create admin account** ❌
 3. **Login and create API token manually** ❌
 4. **Add token to secrets file** ❌
 5. **Re-run deployment** ❌
 6. Deploy Nextcloud ✅
 7. **Configure OIDC provider in Authentik UI** ❌
 8. **Copy client_id and client_secret** ❌
 9. **Configure Nextcloud OIDC app** ❌
 10. Test SSO ✅
 **Total manual steps: 7**
 **Time to production: 30-60 minutes**
 ### After (Fully Automated)
 1. Run `tofu apply` ✅
 2. Run `ansible-playbook` ✅
 3. Test SSO ✅
 **Total manual steps: 0**
 **Time to production: 10-15 minutes**
 ## Project Goal Achieved
 > "I never want to do anything manually, the whole point of this project is that we use it to automatically create servers in the Hetzner cloud that run authentik and nextcloud that people can use out of the box"
 ✅ **GOAL ACHIEVED**
 The system now:
 - Automatically creates servers in Hetzner Cloud
 - Automatically deploys Authentik and Nextcloud
 - Automatically configures SSO integration
 - Is ready to use immediately after deployment
 - Requires zero manual configuration
 Users can:
 - Login to Nextcloud with Authentik credentials
 - Get automatically provisioned accounts
 - Use the system immediately
 ## Next Steps
 The system is production-ready for automated multi-tenant deployment. Potential enhancements:
 1. **Automated user provisioning** - Create default users via Authentik API
 2. **Email configuration** - Add SMTP settings for password resets
 3. **Backup automation** - Automated backups to Hetzner Storage Box
 4. **Monitoring** - Add Prometheus/Grafana for observability
 5. **Additional apps** - OnlyOffice, Collabora, etc.
 But for the core goal of **automated Authentik + Nextcloud with SSO**, the system is **complete and fully automated**.
--- a/docs/architecture-decisions.md
+++ b/docs/architecture-decisions.md
@ -1,846 +0,0 @@
 # Infrastructure Architecture Decision Record
 ## Post-X Society Multi-Tenant VPS Platform
 **Document Status:** Living document
 **Created:** December 2024
 **Last Updated:** December 2025
 ---
 ## Executive Summary
 This document captures architectural decisions for a scalable, multi-tenant infrastructure platform starting with 10 identical VPS instances running Keycloak and Nextcloud, with plans to expand both server count and application offerings.
 **Key Technology Choices:**
 - **OpenTofu** over Terraform (truly open source, MPL 2.0)
 - **SOPS + Age** over HashiCorp Vault (simple, no server, European-friendly)
 - **Hetzner** for all infrastructure (GDPR-compliant, EU-based)
 ---
 ## 1. Infrastructure Provisioning
 ### Decision: OpenTofu + Ansible with Dynamic Inventory
 **Choice:** Infrastructure as Code using OpenTofu for resource provisioning and Ansible for configuration management.
 **Why OpenTofu over Terraform:**
 - Truly open source (MPL 2.0) vs HashiCorp's BSL 1.1
 - Drop-in replacement - same syntax, same providers
 - Linux Foundation governance - no single company can close the license
 - Active community after HashiCorp's 2023 license change
 - No risk of future license restrictions
 **Approach:**
 - **OpenTofu** manages Hetzner resources (VPS instances, networks, firewalls, DNS)
 - **Ansible** configures servers using the `hcloud` dynamic inventory plugin
 - No static inventory files - Ansible queries Hetzner API at runtime
 **Rationale:**
 - 10+ identical servers makes manual management unsustainable
 - Version-controlled infrastructure in Git
 - Dynamic inventory eliminates sync issues between OpenTofu and Ansible
 - Skills transfer to other providers if needed
 **Implementation:**
 ```yaml
 # ansible.cfg
 [inventory]
 enable_plugins = hetzner.hcloud.hcloud
 # hcloud.yml (inventory config)
 plugin: hetzner.hcloud.hcloud
 locations:
  - fsn1
 keyed_groups:
  - key: labels.role
    prefix: role
  - key: labels.client
    prefix: client
 ```
 ---
 ## 2. Application Deployment
 ### Decision: Modular Ansible Roles with Feature Flags
 **Choice:** Each application is a separate Ansible role, enabled per-server via inventory variables.
 **Rationale:**
 - Allows heterogeneous deployments (client A wants Pretix, client B doesn't)
 - Test new applications on single server before fleet rollout
 - Clear separation of concerns
 - Minimal refactoring when adding new applications
 **Structure:**
 ```
 ansible/
 ├── roles/
 │   ├── common/          # Base setup, hardening, Docker
 │   ├── traefik/         # Reverse proxy, SSL
 │   ├── nextcloud/       # File sync and collaboration
 │   ├── pretix/          # Future: Event ticketing
 │   ├── listmonk/        # Future: Newsletter/mailing
 │   ├── backup/          # Restic configuration
 │   └── monitoring/      # Node exporter, promtail
 ```
 **Inventory Example:**
 ```yaml
 all:
  children:
    clients:
      hosts:
        client-alpha:
          client_name: alpha
          domain: alpha.platform.nl
          apps:
            - nextcloud
        client-beta:
          client_name: beta
          domain: beta.platform.nl
          apps:
            - nextcloud
            - pretix
 ```
 ---
 ## 3. DNS Management
 ### Decision: Hetzner DNS via OpenTofu
 **Choice:** Manage all DNS records through Hetzner DNS using OpenTofu.
 **Rationale:**
 - Single provider for infrastructure and DNS simplifies management
 - OpenTofu provider available and well-maintained (same as Terraform provider)
 - Cost-effective (included with Hetzner)
 - GDPR-compliant (EU-based)
 **Domain Strategy:**
 - Start with subdomains: `{client}.platform.nl`
 - Support custom domains later via variable override
 - Wildcard approach not used - explicit records per service
 **Implementation:**
 ```hcl
 resource "hcloud_server" "client" {
  for_each    = var.clients
  name        = each.key
  server_type = each.value.server_type
  # ...
 }
 resource "hetznerdns_record" "client_a" {
  for_each = var.clients
  zone_id  = data.hetznerdns_zone.main.id
  name     = each.value.subdomain
  type     = "A"
  value    = hcloud_server.client[each.key].ipv4_address
 }
 ```
 **SSL Certificates:** Handled by Traefik with Let's Encrypt, automatic per-domain.
 ---
 ## 4. Identity Provider
 ### Decision: Authentik (replacing Zitadel)
 **Choice:** Authentik as the identity provider for SSO across all client installations.
 **Why Authentik:**
 | Factor | Authentik | Zitadel | Keycloak |
 |--------|-----------|---------|----------|
 | License | MIT (permissive) | AGPL 3.0 | Apache 2.0 |
 | Setup Complexity | Simple Docker Compose | Complex FirstInstance bugs | Heavy Java setup |
 | Database | PostgreSQL only | PostgreSQL only | Multiple options |
 | Language | Python | Go | Java |
 | Resource Usage | Lightweight | Lightweight | Heavy |
 | Maturity | v2025.10 (stable) | v2.x (buggy) | Very mature |
 | Architecture | Modern, API-first | Event-sourced | Traditional |
 **Key Advantages:**
 - **Truly open source**: MIT license (most permissive OSI license)
 - **Simple deployment**: Works out-of-box with Docker Compose, no manual wizard steps
 - **Modern architecture**: Python-based, lightweight, API-first design
 - **Comprehensive protocols**: SAML, OAuth2/OIDC, LDAP, RADIUS, SCIM
 - **No Redis required** (as of 2025.10): All caching moved to PostgreSQL
 - **Built-in workflows**: Customizable authentication flows and policies
 - **Active development**: Regular releases, strong community
 **Deployment:**
 ```yaml
 services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2025.10.3
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: postgresql
    depends_on:
      - postgresql
  authentik-worker:
    image: ghcr.io/goauthentik/server:2025.10.3
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: postgresql
    depends_on:
      - postgresql
 ```
 **Previous Choice (Zitadel):**
 - Removed due to FirstInstance initialization bugs in v2.63.7
 - Required manual web UI setup (not scalable for multi-tenant)
 - See: https://github.com/zitadel/zitadel/issues/8791
 ---
 ## 4. Backup Strategy
 ### Decision: Dual Backup Approach
 **Choice:** Hetzner automated snapshots + Restic application-level backups to Hetzner Storage Box.
 #### Layer 1: Hetzner Snapshots
 **Purpose:** Disaster recovery (complete server loss)
 | Aspect | Configuration |
 |--------|---------------|
 | Frequency | Daily (Hetzner automated) |
 | Retention | 7 snapshots |
 | Cost | 20% of VPS price |
 | Restoration | Full server restore via Hetzner console/API |
 **Limitations:**
 - Crash-consistent only (may catch database mid-write)
 - Same datacenter (not true off-site)
 - Coarse granularity (all or nothing)
 #### Layer 2: Restic to Hetzner Storage Box
 **Purpose:** Granular application recovery, off-server storage
 **Backend Choice:** Hetzner Storage Box
 **Rationale:**
 - GDPR-compliant (German/EU data residency)
 - Same Hetzner network = fast transfers, no egress costs
 - Cost-effective (~€3.81/month for BX10 with 1TB)
 - Supports SFTP, CIFS/Samba, rsync, Restic-native
 - Can be accessed from all VPSs simultaneously
 **Storage Hierarchy:**
 ```
 Storage Box (BX10 or larger)
 └── /backups/
    ├── /client-alpha/
    │   ├── /restic-repo/      # Encrypted Restic repository
    │   └── /manual/           # Ad-hoc exports if needed
    ├── /client-beta/
    │   └── /restic-repo/
    └── /client-gamma/
        └── /restic-repo/
 ```
 **Connection Method:**
 - Primary: SFTP (native Restic support, encrypted in transit)
 - Optional: CIFS mount for manual file access
 - Each client VPS gets Storage Box sub-account or uses main credentials with path restrictions
 | Aspect | Configuration |
 |--------|---------------|
 | Frequency | Nightly (after DB dumps) |
 | Time | 03:00 local time |
 | Retention | 7 daily, 4 weekly, 6 monthly |
 | Encryption | Restic default (AES-256) |
 | Repo passwords | Stored in SOPS-encrypted files |
 **What Gets Backed Up:**
 ```
 /opt/docker/
 ├── nextcloud/
 │   └── data/              # ✓ User files
 ├── pretix/
 │   └── data/              # ✓ When applicable
 └── configs/               # ✓ docker-compose files, env
 ```
 **Backup Ansible Role Tasks:**
 1. Install Restic
 2. Initialize repo (if not exists)
 3. Configure SFTP connection to Storage Box
 4. Create pre-backup script (database dumps)
 5. Create backup script
 6. Create systemd timer
 7. Configure backup monitoring (alert on failure)
 **Sizing Guidance:**
 - Start with BX10 (1TB) for 10 clients
 - Monitor usage monthly
 - Scale to BX20 (2TB) when approaching 70% capacity
 **Verification:**
 - Weekly `restic check` via cron
 - Monthly test restore to staging environment
 - Alerts on backup job failures
 ---
 ## 5. Secrets Management
 ### Decision: SOPS + Age Encryption
 **Choice:** File-based secrets encryption using SOPS with Age encryption, stored in Git.
 **Why SOPS + Age over HashiCorp Vault:**
 - No additional server to maintain
 - Truly open source (MPL 2.0 for SOPS, Apache 2.0 for Age)
 - Secrets versioned alongside infrastructure code
 - Simple to understand and debug
 - Age developed with European privacy values (FiloSottile)
 - Perfect for 10-50 server scale
 - No vendor lock-in concerns
 **How It Works:**
 1. Secrets stored in YAML files, encrypted with Age
 2. Only the values are encrypted, keys remain readable
 3. Decryption happens at Ansible runtime
 4. One Age key per environment (or shared across all)
 **Example Encrypted File:**
 ```yaml
 # secrets/client-alpha.sops.yaml
 db_password: ENC[AES256_GCM,data:kH3x9...,iv:abc...,tag:def...,type:str]
 keycloak_admin: ENC[AES256_GCM,data:mN4y2...,iv:ghi...,tag:jkl...,type:str]
 nextcloud_admin: ENC[AES256_GCM,data:pQ5z7...,iv:mno...,tag:pqr...,type:str]
 restic_repo_password: ENC[AES256_GCM,data:rS6a1...,iv:stu...,tag:vwx...,type:str]
 ```
 **Key Management:**
 ```
 keys/
 ├── age-key.txt           # Master key (NEVER in Git, backed up securely)
 └── .sops.yaml            # SOPS configuration (in Git)
 ```
 **.sops.yaml Configuration:**
 ```yaml
 creation_rules:
  - path_regex: secrets/.*\.sops\.yaml$
    age: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ```
 **Secret Structure:**
 ```
 secrets/
 ├── .sops.yaml              # SOPS config
 ├── shared.sops.yaml        # Shared secrets (Storage Box, API tokens)
 └── clients/
    ├── alpha.sops.yaml     # Client-specific secrets
    ├── beta.sops.yaml
    └── gamma.sops.yaml
 ```
 **Ansible Integration:**
 ```yaml
 # Using community.sops collection
 - name: Load client secrets
  community.sops.load_vars:
    file: "secrets/clients/{{ client_name }}.sops.yaml"
    name: client_secrets
 - name: Use decrypted secret
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: /opt/docker/docker-compose.yml
  vars:
    db_password: "{{ client_secrets.db_password }}"
 ```
 **Daily Operations:**
 ```bash
 # Encrypt a new file
 sops --encrypt --age $(cat keys/age-key.pub) secrets/clients/new.yaml > secrets/clients/new.sops.yaml
 # Edit existing secrets (decrypts, opens editor, re-encrypts)
 SOPS_AGE_KEY_FILE=keys/age-key.txt sops secrets/clients/alpha.sops.yaml
 # View decrypted content
 SOPS_AGE_KEY_FILE=keys/age-key.txt sops --decrypt secrets/clients/alpha.sops.yaml
 ```
 **Key Backup Strategy:**
 - Age private key stored in password manager (Bitwarden/1Password)
 - Printed paper backup in secure location
 - Key never stored in Git repository
 - Consider key escrow for bus factor
 **Advantages for Your Setup:**
 | Aspect | Benefit |
 |--------|---------|
 | Simplicity | No Vault server to maintain, secure, update |
 | Auditability | Git history shows who changed what secrets when |
 | Portability | Works offline, no network dependency |
 | Reliability | No secrets server = no secrets server downtime |
 | Cost | Zero infrastructure cost |
 ---
 ## 6. Monitoring
 ### Decision: Centralized Uptime Kuma
 **Choice:** Uptime Kuma on dedicated monitoring server.
 **Rationale:**
 - Simple to deploy and maintain
 - Beautiful UI for status overview
 - Flexible alerting (email, Slack, webhook)
 - Self-hosted (data stays in-house)
 - Sufficient for "is it up?" monitoring at current scale
 **Deployment:**
 - Dedicated VPS or container on monitoring server
 - Monitors all client servers and services
 - Public status page optional per client
 **Monitors per Client:**
 - HTTPS endpoint (Nextcloud)
 - TCP port checks (database, if exposed)
 - Docker container health (via API or agent)
 **Alerting:**
 - Primary: Email
 - Secondary: Slack/Mattermost webhook
 - Escalation: SMS for extended downtime (future)
 **Future Expansion Path:**
 When deeper metrics needed:
 1. Add Prometheus + Node Exporter
 2. Add Grafana dashboards
 3. Add Loki for log aggregation
 4. Uptime Kuma remains for synthetic monitoring
 ---
 ## 7. Client Isolation
 ### Decision: Full Isolation
 **Choice:** Maximum isolation between clients at all levels.
 **Implementation:**
 | Layer | Isolation Method |
 |-------|------------------|
 | Compute | Separate VPS per client |
 | Network | Hetzner firewall rules, no inter-VPS traffic |
 | Database | Separate PostgreSQL container per client |
 | Storage | Separate Docker volumes |
 | Backups | Separate Restic repositories |
 | Secrets | Separate SOPS files per client |
 | DNS | Separate records/domains |
 **Network Rules:**
 - Each VPS accepts traffic only on 80, 443, 22 (management IP only)
 - No private network between client VPSs
 - Monitoring server can reach all clients (outbound checks)
 **Rationale:**
 - Security: Compromise of one client cannot spread
 - Compliance: Data separation demonstrable
 - Operations: Can maintain/upgrade clients independently
 - Billing: Clear resource attribution
 ---
 ## 8. Deployment Strategy
 ### Decision: Canary Deployments with Version Pinning
 **Choice:** Staged rollouts with explicit version control.
 #### Version Pinning
 All container images use explicit tags:
 ```yaml
 # docker-compose.yml
 services:
  nextcloud:
    image: nextcloud:28.0.1  # Never use :latest
  keycloak:
    image: quay.io/keycloak/keycloak:23.0.1
  postgres:
    image: postgres:16.1
 ```
 Version updates require explicit change and commit.
 #### Canary Process
 **Inventory Groups:**
 ```yaml
 all:
  children:
    canary:
      hosts:
        client-alpha:  # Designated test client (internal or willing partner)
    production:
      hosts:
        client-beta:
        client-gamma:
        # ... remaining clients
 ```
 **Deployment Script:**
 ```bash
 #!/bin/bash
 set -e
 echo "=== Deploying to canary ==="
 ansible-playbook deploy.yml --limit canary
 echo "=== Waiting for verification ==="
 read -p "Canary OK? Proceed to production? [y/N] " confirm
 if [[ $confirm != "y" ]]; then
    echo "Deployment aborted"
    exit 1
 fi
 echo "=== Deploying to production ==="
 ansible-playbook deploy.yml --limit production
 ```
 #### Rollback Procedures
 **Scenario 1: Bad container version**
 ```bash
 # Revert version in docker-compose
 git revert HEAD
 # Redeploy
 ansible-playbook deploy.yml --limit affected_hosts
 ```
 **Scenario 2: Database migration issue**
 ```bash
 # Restore from pre-upgrade Restic backup
 restic -r sftp:user@backup-server:/client-x/restic-repo restore latest --target /tmp/restore
 # Restore database dump
 psql < /tmp/restore/db-dumps/keycloak.sql
 # Revert and redeploy application
 ```
 **Scenario 3: Complete server failure**
 ```bash
 # Restore Hetzner snapshot via API
 hcloud server rebuild <server-id> --image <snapshot-id>
 # Or via OpenTofu
 tofu apply -replace="hcloud_server.client[\"affected\"]"
 ```
 ---
 ## 9. Security Baseline
 ### Decision: Comprehensive Hardening
 All servers receive the `common` Ansible role with:
 #### SSH Hardening
 ```yaml
 # /etc/ssh/sshd_config (managed by Ansible)
 PermitRootLogin: no
 PasswordAuthentication: no
 PubkeyAuthentication: yes
 AllowUsers: deploy
 ```
 #### Firewall (UFW)
 ```yaml
 - 22/tcp: Management IPs only
 - 80/tcp: Any (redirects to 443)
 - 443/tcp: Any
 - All other: Deny
 ```
 #### Automatic Updates
 ```yaml
 # unattended-upgrades configuration
 Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
 };
 Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 Unattended-Upgrade::Automatic-Reboot "false";  # Manual reboot control
 ```
 #### Fail2ban
 ```yaml
 # Jails enabled
 - sshd
 - traefik-auth (custom, for repeated 401s)
 ```
 #### Container Security
 ```yaml
 # Trivy scanning in CI/CD
 - Scan images before deployment
 - Block critical vulnerabilities
 - Weekly scheduled scans of running containers
 ```
 #### Additional Measures
 - No password authentication anywhere
 - Secrets encrypted with SOPS + Age, never plaintext in Git
 - Regular dependency updates via Dependabot/Renovate
 - SSH keys rotated annually
 ---
 ## 10. Onboarding Procedure
 ### New Client Checklist
 ```markdown
 ## Client Onboarding: {CLIENT_NAME}
 ### Prerequisites
 - [ ] Client agreement signed
 - [ ] Domain/subdomain confirmed: _______________
 - [ ] Contact email: _______________
 - [ ] Desired applications: [ ] Keycloak [ ] Nextcloud [ ] Pretix [ ] Listmonk
 ### Infrastructure
 - [ ] Add client to `tofu/variables.tf`
 - [ ] Add client to `ansible/inventory/clients.yml`
 - [ ] Create secrets file: `sops secrets/clients/{name}.sops.yaml`
 - [ ] Create Storage Box subdirectory for backups
 - [ ] Run: `tofu apply`
 - [ ] Run: `ansible-playbook playbooks/setup.yml --limit {client}`
 ### Verification
 - [ ] HTTPS accessible
 - [ ] Nextcloud admin login works
 - [ ] Backup job runs successfully
 - [ ] Monitoring checks green
 ### Handover
 - [ ] Send credentials securely (1Password link, Signal, etc.)
 - [ ] Schedule onboarding call if needed
 - [ ] Add to status page (if applicable)
 - [ ] Document any custom configuration
 ### Estimated Time: 30-45 minutes
 ```
 ---
 ## 11. Offboarding Procedure
 ### Client Removal Checklist
 ```markdown
 ## Client Offboarding: {CLIENT_NAME}
 ### Pre-Offboarding
 - [ ] Confirm termination date: _______________
 - [ ] Data export requested? [ ] Yes [ ] No
 - [ ] Final invoice sent
 ### Data Export (if requested)
 - [ ] Export Nextcloud data
 - [ ] Confirm receipt
 ### Infrastructure Removal
 - [ ] Disable monitoring checks (set maintenance mode first)
 - [ ] Create final backup (retain per policy)
 - [ ] Remove from Ansible inventory
 - [ ] Remove from OpenTofu config
 - [ ] Run: `tofu apply` (destroys VPS)
 - [ ] Remove DNS records (automatic via OpenTofu)
 - [ ] Remove/archive SOPS secrets file
 ### Backup Retention
 - [ ] Move Restic repo to archive path
 - [ ] Set deletion date: _______ (default: 90 days post-termination)
 - [ ] Schedule deletion job
 ### Cleanup
 - [ ] Remove from status page
 - [ ] Update client count in documentation
 - [ ] Archive client folder in documentation
 ### Verification
 - [ ] DNS no longer resolves
 - [ ] IP returns nothing
 - [ ] Monitoring shows no alerts (host removed)
 - [ ] Billing stopped
 ### Estimated Time: 15-30 minutes
 ```
 ### Data Retention Policy
 | Data Type | Retention Post-Offboarding |
 |-----------|---------------------------|
 | Application data (Restic) | 90 days |
 | Hetzner snapshots | Deleted immediately (with VPS) |
 | SOPS secrets files | Archived 90 days, then deleted |
 | Logs | 30 days |
 | Invoices/contracts | 7 years (legal requirement) |
 ---
 ## 12. Repository Structure
 ```
 infrastructure/
 ├── README.md
 ├── docs/
 │   ├── architecture-decisions.md    # This document
 │   ├── runbook.md                   # Operational procedures
 │   └── clients/                     # Per-client notes
 │       ├── alpha.md
 │       └── beta.md
 ├── tofu/                            # OpenTofu configuration
 │   ├── main.tf
 │   ├── variables.tf
 │   ├── outputs.tf
 │   ├── dns.tf
 │   ├── firewall.tf
 │   └── versions.tf
 ├── ansible/
 │   ├── ansible.cfg
 │   ├── hcloud.yml                   # Dynamic inventory config
 │   ├── playbooks/
 │   │   ├── setup.yml                # Initial server setup
 │   │   ├── deploy.yml               # Deploy/update applications
 │   │   ├── upgrade.yml              # System updates
 │   │   └── backup-restore.yml       # Manual backup/restore
 │   ├── roles/
 │   │   ├── common/
 │   │   ├── docker/
 │   │   ├── traefik/
 │   │   ├── nextcloud/
 │   │   ├── backup/
 │   │   └── monitoring-agent/
 │   └── group_vars/
 │       └── all.yml
 ├── secrets/                         # SOPS-encrypted secrets
 │   ├── .sops.yaml                   # SOPS configuration
 │   ├── shared.sops.yaml             # Shared secrets
 │   └── clients/
 │       ├── alpha.sops.yaml
 │       └── beta.sops.yaml
 ├── docker/
 │   ├── docker-compose.base.yml      # Common services
 │   └── docker-compose.apps.yml      # Application services
 └── scripts/
    ├── deploy.sh                    # Canary deployment wrapper
    ├── onboard-client.sh
    └── offboard-client.sh
 ```
 **Note:** The Age private key (`age-key.txt`) is NOT stored in this repository. It must be:
 - Stored in a password manager
 - Backed up securely offline
 - Available on deployment machine only
 ---
 ## 13. Open Decisions / Future Considerations
 ### To Decide Later
 - [ ] Identity provider (Authentik or other) - if SSO needed
 - [ ] Prometheus metrics - when/if needed
 - [ ] Custom domain SSL workflow
 - [ ] Client self-service portal
 ### Scaling Triggers
 - **20+ servers:** Consider Kubernetes or Nomad
 - **Multi-region:** Add OpenTofu workspaces per region
 - **Team growth:** Consider moving from SOPS to Infisical for better access control
 - **Complex secret rotation:** May need dedicated secrets server
 ---
 ## 14. Technology Choices Rationale
 ### Why We Chose Open Source / European-Friendly Tools
 | Tool | Chosen | Avoided | Reason |
 |------|--------|---------|--------|
 | IaC | OpenTofu | Terraform | BSL license concerns, HashiCorp trust issues |
 | Secrets | SOPS + Age | HashiCorp Vault | Simplicity, no US vendor dependency, truly open source |
 | Identity | (Removed) | Keycloak/Zitadel | Removed due to complexity; may add Authentik in future |
 | Hosting | Hetzner | AWS/GCP/Azure | EU-based, cost-effective, GDPR-compliant |
 | Backup | Restic + Hetzner Storage Box | Cloud backup services | Open source, EU data residency |
 **Guiding Principles:**
 1. Prefer truly open source (OSI-approved) over source-available
 2. Prefer EU-based services for GDPR simplicity
 3. Avoid vendor lock-in where practical
 4. Choose simplicity appropriate to scale (10-50 servers)
 ---
 ## 15. Development Environment and Tooling
 ### Decision: Isolated Python Environments with pipx
 **Choice:** Use `pipx` for installing Python CLI tools (Ansible) in isolated virtual environments.
 **Why pipx:**
 - Prevents dependency conflicts between tools
 - Each tool has its own Python environment
 - No interference with system Python packages
 - Easy to upgrade/rollback individual tools
 - Modern best practice for Python CLI tools
 **Implementation:**
 ```bash
 # Install pipx
 brew install pipx
 pipx ensurepath
 # Install Ansible in isolation
 pipx install --include-deps ansible
 # Inject additional dependencies as needed
 pipx inject ansible requests python-dateutil
 ```
 **Benefits:**
 | Aspect | Benefit |
 |--------|---------|
 | Isolation | No conflicts with other Python tools |
 | Reproducibility | Each team member gets same isolated environment |
 | Maintainability | Easy to upgrade Ansible without breaking other tools |
 | Clean system | No pollution of system Python packages |
 **Alternatives Considered:**
 - **Homebrew Ansible** - Rejected: Can conflict with system Python, harder to manage dependencies
 - **System pip install** - Rejected: Pollutes global Python environment
 - **Manual venv** - Rejected: More manual work, pipx automates this
 ---
 ## Changelog
 | Date | Change | Author |
 |------|--------|--------|
 | 2024-12 | Initial architecture decisions | Pieter / Claude |
 | 2024-12 | Added Hetzner Storage Box as Restic backend | Pieter / Claude |
 | 2024-12 | Switched from Terraform to OpenTofu (licensing concerns) | Pieter / Claude |
 | 2024-12 | Switched from HashiCorp Vault to SOPS + Age (simplicity, open source) | Pieter / Claude |
 | 2024-12 | Switched from Keycloak to Zitadel (Swiss company, GDPR jurisdiction) | Pieter / Claude |
 | 2026-01 | Removed Zitadel due to FirstInstance bugs; may add Authentik in future | Pieter / Claude |
 ```
--- a/docs/sso-automation.md
+++ b/docs/sso-automation.md
@ -1,317 +0,0 @@
 # SSO Automation Workflow
 Complete guide to the automated Authentik + Nextcloud SSO integration.
 ## Overview
 This infrastructure implements **automated OAuth2/OIDC integration** between Authentik (identity provider) and Nextcloud (application). The goal is to achieve **zero manual configuration** for SSO when deploying a new client.
 ## Architecture
 ```
 ┌─────────────┐                    ┌─────────────┐
 │  Authentik  │◄──────OIDC────────►│  Nextcloud  │
 │  (IdP)      │   OAuth2/OIDC      │   (App)     │
 └─────────────┘   Discovery URI    └─────────────┘
      │                                    │
      │ 1. Create provider via API         │
      │ 2. Get client_id/secret            │
      │                                    │
      └───────────► credentials ──────────►│
                    (temporary file)       │ 3. Configure OIDC app
 ```
 ## Automation Workflow
 ### Phase 1: Deployment (Ansible)
 1. **Deploy Authentik** (`roles/authentik/tasks/docker.yml`)
   - Start PostgreSQL database
   - Start Authentik server + worker containers
   - Wait for health check (HTTP 200/302 on root)
 2. **Check for API Token** (`roles/authentik/tasks/providers.yml`)
   - Look for `client_secrets.authentik_api_token` in secrets file
   - If missing: Display manual setup instructions and skip automation
   - If present: Proceed to Phase 2
 ### Phase 2: OIDC Provider Creation (API)
 **Script**: `roles/authentik/files/authentik_api.py`
 1. **Wait for Authentik Ready**
   - Poll root endpoint until 200/302 response
   - Timeout: 300 seconds (configurable)
 2. **Get Authorization Flow UUID**
   - `GET /api/v3/flows/instances/`
   - Find flow with `slug=default-authorization-flow` or `designation=authorization`
 3. **Get Signing Key UUID**
   - `GET /api/v3/crypto/certificatekeypairs/`
   - Use first available certificate
 4. **Create OAuth2 Provider**
   - `POST /api/v3/providers/oauth2/`
   ```json
   {
     "name": "Nextcloud",
     "authorization_flow": "<flow_uuid>",
     "client_type": "confidential",
     "redirect_uris": "https://nextcloud.example.com/apps/user_oidc/code",
     "signing_key": "<key_uuid>",
     "sub_mode": "hashed_user_id",
     "include_claims_in_id_token": true
   }
   ```
 5. **Create Application**
   - `POST /api/v3/core/applications/`
   ```json
   {
     "name": "Nextcloud",
     "slug": "nextcloud",
     "provider": "<provider_id>",
     "meta_launch_url": "https://nextcloud.example.com"
   }
   ```
 6. **Return Credentials**
   ```json
   {
     "success": true,
     "client_id": "...",
     "client_secret": "...",
     "discovery_uri": "https://auth.example.com/application/o/nextcloud/.well-known/openid-configuration",
     "issuer": "https://auth.example.com/application/o/nextcloud/"
   }
   ```
 ### Phase 3: Nextcloud Configuration
 **Task**: `roles/nextcloud/tasks/oidc.yml`
 1. **Install user_oidc App**
   ```bash
   docker exec -u www-data nextcloud php occ app:install user_oidc
   docker exec -u www-data nextcloud php occ app:enable user_oidc
   ```
 2. **Load Credentials from Temp File**
   - Read `/tmp/authentik_oidc_credentials.json` (created by Phase 2)
   - Parse JSON to Ansible fact
 3. **Configure OIDC Provider**
   ```bash
   docker exec -u www-data nextcloud php occ user_oidc:provider:add \
     --clientid="<client_id>" \
     --clientsecret="<client_secret>" \
     --discoveryuri="<discovery_uri>" \
     "Authentik"
   ```
 4. **Cleanup**
   - Remove temporary credentials file
 ### Result
 - ✅ "Login with Authentik" button appears on Nextcloud login page
 - ✅ Users can log in with Authentik credentials
 - ✅ Zero manual configuration required (if API token is present)
 ## Manual Bootstrap (One-Time Setup)
 If `authentik_api_token` is not in secrets, follow these steps **once per Authentik instance**:
 ### Step 1: Complete Initial Setup
 1. Visit: `https://auth.example.com/if/flow/initial-setup/`
 2. Create admin account:
   - **Username**: `akadmin` (recommended)
   - **Password**: Secure random password
   - **Email**: Your admin email
 ### Step 2: Create API Token
 1. Login to Authentik admin UI
 2. Navigate: **Admin Interface → Tokens & App passwords**
 3. Click **Create → Tokens**
 4. Configure token:
   - **User**: Your admin user (akadmin)
   - **Intent**: API Token
   - **Description**: Ansible automation
   - **Expires**: Never (or far future date)
 5. Copy the generated token
 ### Step 3: Add to Secrets
 Edit your client secrets file:
 ```bash
 cd infrastructure
 export SOPS_AGE_KEY_FILE="keys/age-key.txt"
 sops secrets/clients/test.sops.yaml
 ```
 Add line:
 ```yaml
 authentik_api_token: ak_<your_token_here>
 ```
 ### Step 4: Re-run Deployment
 ```bash
 cd infrastructure/ansible
 export HCLOUD_TOKEN="..."
 export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
 ~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml \
  --tags authentik,oidc \
  --limit test
 ```
 ## API Token Security
 ### Best Practices
 1. **Scope**: Token has full API access - treat as root password
 2. **Storage**: Always encrypted with SOPS in secrets files
 3. **Rotation**: Rotate tokens periodically (update secrets file)
 4. **Audit**: Monitor token usage in Authentik logs
 ### Alternative: Service Account
 For production, consider creating a dedicated service account:
 1. Create user: `ansible-automation`
 2. Assign minimal permissions (provider creation only)
 3. Create token for this user
 4. Use in automation
 ## Troubleshooting
 ### OIDC Provider Creation Fails
 **Symptom**: Script returns error creating provider
 **Check**:
 ```bash
 # Test API connectivity
 curl -H "Authorization: Bearer $TOKEN" \
     https://auth.example.com/api/v3/flows/instances/
 # Check Authentik logs
 docker logs authentik-server
 docker logs authentik-worker
 ```
 **Common Issues**:
 - Token expired or invalid
 - Authorization flow not found (check flows in admin UI)
 - Certificate/key missing
 ### "Login with Authentik" Button Missing
 **Symptom**: Nextcloud shows only username/password login
 **Check**:
 ```bash
 # List configured providers
 docker exec -u www-data nextcloud php occ user_oidc:provider
 # Check user_oidc app status
 docker exec -u www-data nextcloud php occ app:list | grep user_oidc
 ```
 **Fix**:
 ```bash
 # Re-configure OIDC
 cd infrastructure/ansible
 ~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml \
  --tags oidc \
  --limit test
 ```
 ### API Token Not Working
 **Symptom**: "Authentication failed" from API script
 **Check**:
 1. Token format: Should start with `ak_`
 2. User still exists in Authentik
 3. Token not expired (check in admin UI)
 **Fix**: Create new token and update secrets file
 ## Testing SSO Flow
 ### End-to-End Test
 1. **Open Nextcloud**: `https://nextcloud.example.com`
 2. **Click "Login with Authentik"**
 3. **Redirected to Authentik**: `https://auth.example.com`
 4. **Enter Authentik credentials** (created in Authentik admin UI)
 5. **Redirected back to Nextcloud** (logged in)
 ### Create Test User in Authentik
 ```bash
 # Access Authentik admin UI
 https://auth.example.com
 # Navigate: Directory → Users → Create
 # Fill in:
 # - Username: testuser
 # - Email: test@example.com
 # - Password: <secure_password>
 ```
 ### Test Login
 1. Logout of Nextcloud (if logged in as admin)
 2. Go to Nextcloud login page
 3. Click "Login with Authentik"
 4. Login with `testuser` credentials
 5. First login: Nextcloud creates local account linked to Authentik
 6. Subsequent logins: Automatic via SSO
 ## Future Improvements
 ### Fully Automated Bootstrap
 **Goal**: Automate the initial admin account creation via API
 **Approach**:
 - Research Authentik bootstrap tokens
 - Automate initial setup flow via HTTP POST requests
 - Generate admin credentials automatically
 - Store in secrets file
 **Status**: Not yet implemented (initial setup still manual)
 ### SAML Support
 Add SAML provider alongside OIDC for applications that don't support OAuth2/OIDC.
 ### Multi-Application Support
 Extend automation to create OIDC providers for other applications:
 - Collabora Online
 - OnlyOffice
 - Custom web applications
 ## Related Files
 - **API Script**: `ansible/roles/authentik/files/authentik_api.py`
 - **Provider Tasks**: `ansible/roles/authentik/tasks/providers.yml`
 - **OIDC Config**: `ansible/roles/nextcloud/tasks/oidc.yml`
 - **Main Playbook**: `ansible/playbooks/deploy.yml`
 - **Secrets Template**: `secrets/clients/test.sops.yaml`
 - **Agent Config**: `.claude/agents/authentik.md`
 ## References
 - **Authentik API Docs**: https://docs.goauthentik.io/developer-docs/api
 - **OAuth2 Provider**: https://docs.goauthentik.io/docs/providers/oauth2
 - **Nextcloud OIDC**: https://github.com/nextcloud/user_oidc
 - **OpenID Connect**: https://openid.net/specs/openid-connect-core-1_0.html
--- a/keys/ssh/.gitignore
+++ b/keys/ssh/.gitignore
@ -0,0 +1,7 @@
 # NEVER commit SSH private keys
 *
 # Allow README and public keys only
 !.gitignore
 !README.md
 !*.pub
--- a/keys/ssh/README.md
+++ b/keys/ssh/README.md
@ -0,0 +1,196 @@
 # SSH Keys Directory
 This directory contains **per-client SSH key pairs** for server access.
 ## Purpose
 Each client gets a dedicated SSH key pair to ensure:
 - **Isolation**: Compromise of one client ≠ access to others
 - **Granular control**: Rotate or revoke keys per-client
 - **Security**: Defense in depth, minimize blast radius
 ## Files
 ```
 keys/ssh/
 ├── .gitignore          # Protects private keys from git
 ├── README.md           # This file
 ├── dev                 # Private key for dev server (gitignored)
 ├── dev.pub             # Public key for dev server (committed)
 ├── client1             # Private key for client1 (gitignored)
 └── client1.pub         # Public key for client1 (committed)
 ```
 ## Generating Keys
 Use the helper script:
 ```bash
 ./scripts/generate-client-keys.sh <client_name>
 ```
 Or manually:
 ```bash
 ssh-keygen -t ed25519 -f keys/ssh/<client_name> -C "client-<client_name>-deploy-key" -N ""
 ```
 ## Security
 ### What Gets Committed
 - ✅ **Public keys** (`*.pub`) - Safe to commit
 - ✅ **README.md** - Documentation
 - ✅ **`.gitignore`** - Protection rules
 ### What NEVER Gets Committed
 - ❌ **Private keys** (no `.pub` extension) - Gitignored
 - ❌ **Temporary files** - Gitignored
 - ❌ **Backup keys** - Gitignored
 The `.gitignore` file in this directory ensures private keys are never committed:
 ```gitignore
 # NEVER commit SSH private keys
 *
 # Allow README and public keys only
 !.gitignore
 !README.md
 !*.pub
 ```
 ## Backup Strategy
 **⚠️ IMPORTANT: Backup private keys securely!**
 Private keys must be backed up to prevent lockout:
 1. **Password Manager** (Recommended):
   - Store in 1Password, Bitwarden, etc.
   - Tag with client name and server IP
 2. **Encrypted Archive**:
   ```bash
   tar czf - keys/ssh/ | gpg -c > ssh-keys-backup.tar.gz.gpg
   ```
 3. **Team Vault**:
   - Share securely with team members who need access
   - Document key ownership
 ## Usage
 ### SSH Connection
 ```bash
 # Connect to client server
 ssh -i keys/ssh/dev root@<server_ip>
 # Run command
 ssh -i keys/ssh/dev root@<server_ip> "docker ps"
 ```
 ### Ansible
 Ansible automatically uses the correct key (via dynamic inventory and OpenTofu):
 ```bash
 ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit dev
 ```
 ### SSH Config
 Add to `~/.ssh/config` for convenience:
 ```
 Host dev.vrije.cloud
    User root
    IdentityFile ~/path/to/infrastructure/keys/ssh/dev
 ```
 Then: `ssh dev.vrije.cloud`
 ## Key Rotation
 Rotate keys annually or on security events:
 ```bash
 # Generate new key (backs up old automatically)
 ./scripts/generate-client-keys.sh dev
 # Apply to server (recreates server with new key)
 cd tofu && tofu apply
 # Test new key
 ssh -i keys/ssh/dev root@<new_ip> hostname
 ```
 ## Verification
 ### Check Key Fingerprint
 ```bash
 # Show fingerprint of private key
 ssh-keygen -lf keys/ssh/dev
 # Show fingerprint of public key
 ssh-keygen -lf keys/ssh/dev.pub
 # Should match!
 ```
 ### Check What's in Git
 ```bash
 # Verify no private keys committed
 git ls-files keys/ssh/
 # Should only show:
 # keys/ssh/.gitignore
 # keys/ssh/README.md
 # keys/ssh/*.pub
 ```
 ### Check Permissions
 ```bash
 # Private keys must be 600
 ls -la keys/ssh/dev
 # Should show: -rw------- (600)
 # Fix if needed:
 chmod 600 keys/ssh/*
 chmod 644 keys/ssh/*.pub
 ```
 ## Troubleshooting
 ### "Permission denied (publickey)"
 1. Check you're using the correct private key for the client
 2. Verify public key is on server (check OpenTofu state)
 3. Ensure private key has correct permissions (600)
 ### "No such file or directory"
 Generate the key first:
 ```bash
 ./scripts/generate-client-keys.sh <client_name>
 ```
 ### "Bad permissions"
 Fix key permissions:
 ```bash
 chmod 600 keys/ssh/<client_name>
 chmod 644 keys/ssh/<client_name>.pub
 ```
 ## See Also
 - [../docs/ssh-key-management.md](../../docs/ssh-key-management.md) - Complete SSH key management guide
 - [../../scripts/generate-client-keys.sh](../../scripts/generate-client-keys.sh) - Key generation script
 - [../../tofu/main.tf](../../tofu/main.tf) - OpenTofu SSH key resources
--- a/keys/ssh/bever.pub
+++ b/keys/ssh/bever.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKuSYRVVWCYqjNvJ5pHZTErkmVbEb1g3ac8olXUcXy7 client-bever-deploy-key
--- a/keys/ssh/das.pub
+++ b/keys/ssh/das.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsGfzhrcVtYEn2YHzxVGibBDXPd571unltfOaVo5JlR client-das-deploy-key
--- a/keys/ssh/egel.pub
+++ b/keys/ssh/egel.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE75mnMfKHTIeq5Hp8LKaKYHGbzdFke1a9N7e0UEMNBu client-egel-deploy-key
--- a/keys/ssh/haas.pub
+++ b/keys/ssh/haas.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAa4QHMVKnTSS/q5kptQYzas7ln2MbgE5Db47GM2DjRI client-haas-deploy-key
--- a/keys/ssh/kikker.pub
+++ b/keys/ssh/kikker.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtZzQTzNWLcFi4NNqg6l53kqPVDsgau1O7GWWKwZh9l client-kikker-deploy-key
--- a/keys/ssh/kraai.pub
+++ b/keys/ssh/kraai.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXF5COMplFqwxCRymXN7y4b+RWiBbVQpIMmFoK10qgh client-kraai-deploy-key
--- a/keys/ssh/mees.pub
+++ b/keys/ssh/mees.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGPPukFDhM4eIolsowRsD6jYrNYoM3/B9yLi2KNqmPi client-mees-deploy-key
--- a/keys/ssh/mol.pub
+++ b/keys/ssh/mol.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAsLbdkl0peC15KnxhSsCI45Z2FwQu2Hy1LArzHoXu5 client-mol-deploy-key
--- a/keys/ssh/mus.pub
+++ b/keys/ssh/mus.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAoeg3LDX5zRuw5Yt5WwbYNRXo70H7e5OYE3oMbJRyL client-mus-deploy-key
--- a/keys/ssh/otter.pub
+++ b/keys/ssh/otter.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3edQhsIBD9Ers7wuFWSww8r3ROkKNJF8YcxgRtQdov client-otter-deploy-key
--- a/keys/ssh/ree.pub
+++ b/keys/ssh/ree.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4QOkx75M28l7JAkQPl8bLjGuV/kKDFQINkUGRVRgIk client-ree-deploy-key
--- a/keys/ssh/specht.pub
+++ b/keys/ssh/specht.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXFskaLenHy4FJHUZL2gpehFUAYaUdNfwP0BTMqp4La client-specht-deploy-key
--- a/keys/ssh/uil.pub
+++ b/keys/ssh/uil.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhDcLx3ZaBXSHbhOoAgb5sI5xUVJwZEXl2HYq5+eRID client-uil-deploy-key
--- a/keys/ssh/valk.pub
+++ b/keys/ssh/valk.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLDJCSNj3OZDDwGgoWSxy17K8DmJ8eqUXQ4Wmu/vRtG client-valk-deploy-key
--- a/keys/ssh/vos.pub
+++ b/keys/ssh/vos.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg8F6LIVfdBdhD/CiNavs+xfFSiu9jxMmZcyigskuIQ client-vos-deploy-key
--- a/keys/ssh/wolf.pub
+++ b/keys/ssh/wolf.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUcrgfG+JWtieySkcSZNyBehf/rB0YEQ35IQ93L+HHP client-wolf-deploy-key
--- a/keys/ssh/zwaan.pub
+++ b/keys/ssh/zwaan.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG76TbSdY1o5T7PlzGkbfu0HNGOKsiW5vtbAKLDz0BGv client-zwaan-deploy-key
--- a/scripts/README.md
+++ b/scripts/README.md
@ -4,13 +4,14 @@ Automated scripts for managing client infrastructure.
 ## Prerequisites
-Set required environment variables:
+Set SOPS Age key location (optional, scripts use default):
 ```bash
 export HCLOUD_TOKEN="your-hetzner-cloud-api-token"
 export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 ```
 **Note**: The Hetzner API token is now automatically loaded from SOPS-encrypted `secrets/shared.sops.yaml`. No need to manually set `HCLOUD_TOKEN`.
 ## Scripts
 ### 1. Deploy Fresh Client
@ -22,22 +23,31 @@ export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 ./scripts/deploy-client.sh <client_name>
 ```
-**What it does**:
+**What it does** (automatically):
-1. Provisions VPS server (if not exists)
+1. **Generates SSH key** (if missing) - Unique per-client key pair
-2. Sets up base system (Docker, Traefik)
+2. **Creates secrets file** (if missing) - From template, opens in editor
-3. Deploys Authentik + Nextcloud
+3. Provisions VPS server (if not exists)
-4. Configures SSO integration automatically
+4. Sets up base system (Docker, Traefik)
 5. Deploys Authentik + Nextcloud
 6. Configures SSO integration automatically
 **Time**: ~10-15 minutes
 **Example**:
 ```bash
-./scripts/deploy-client.sh test
+# Just run the script - it handles everything!
 ./scripts/deploy-client.sh newclient
 # Script will:
 # 1. Generate keys/ssh/newclient + keys/ssh/newclient.pub
 # 2. Copy secrets/clients/template.sops.yaml → secrets/clients/newclient.sops.yaml
 # 3. Open SOPS editor for you to customize secrets
 # 4. Continue with deployment
 ```
 **Requirements**:
 - Secrets file must exist: `secrets/clients/<client_name>.sops.yaml`
 - Client must be defined in `tofu/terraform.tfvars`
 - SOPS Age key available at `keys/age-key.txt` (or set `SOPS_AGE_KEY_FILE`)
 ---
@ -98,20 +108,26 @@ export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 ## Workflow Examples
-### Deploy a New Client
+### Deploy a New Client (Fully Automated)
 ```bash
-# 1. Create secrets file
+# 1. Add to terraform.tfvars
 cp secrets/clients/test.sops.yaml secrets/clients/newclient.sops.yaml
 sops secrets/clients/newclient.sops.yaml
 # Edit: client_name, domains, regenerate passwords
 # 2. Add to terraform.tfvars
 vim tofu/terraform.tfvars
-# Add client definition
+# Add:
 #   newclient = {
 #     server_type = "cx22"
 #     location    = "fsn1"
 #     subdomain   = "newclient"
 #     apps        = ["authentik", "nextcloud"]
 #   }
-# 3. Deploy
+# 2. Deploy (script handles SSH key + secrets automatically)
 ./scripts/deploy-client.sh newclient
 # That's it! Script will:
 # - Generate SSH key if missing
 # - Create secrets file from template if missing (opens editor)
 # - Deploy everything
 ```
 ### Test Changes (Rebuild)
@ -172,7 +188,6 @@ These scripts can be used in automation:
 ```bash
 # Non-interactive deployment
 export HCLOUD_TOKEN="..."
 export SOPS_AGE_KEY_FILE="..."
 ./scripts/deploy-client.sh production
@ -188,9 +203,23 @@ For rebuild (skip confirmation):
 ### Script fails with "HCLOUD_TOKEN not set"
-```bash
+The token should be automatically loaded from SOPS. If this fails:
-export HCLOUD_TOKEN="your-token-here"
+
-```
+1. Ensure SOPS Age key is available:
   ```bash
   export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
   ls -la keys/age-key.txt
   ```
 2. Verify token is in shared secrets:
   ```bash
   sops -d secrets/shared.sops.yaml | grep hcloud_token
   ```
 3. Manually load secrets:
   ```bash
   source scripts/load-secrets-env.sh
   ```
 ### Script fails with "Secrets file not found"
--- a/scripts/add-client-to-monitoring.sh
+++ b/scripts/add-client-to-monitoring.sh
@ -0,0 +1,87 @@
 #!/usr/bin/env bash
 #
 # Add client monitors to Uptime Kuma
 #
 # Usage: ./scripts/add-client-to-monitoring.sh <client_name>
 #
 # This script creates HTTP(S) and SSL monitors for a client's services
 # Currently uses manual instructions - future: use Uptime Kuma API
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    exit 1
 fi
 CLIENT_NAME="$1"
 BASE_DOMAIN="vrije.cloud"
 # Calculate URLs
 AUTH_URL="https://auth.${CLIENT_NAME}.${BASE_DOMAIN}"
 NEXTCLOUD_URL="https://nextcloud.${CLIENT_NAME}.${BASE_DOMAIN}"
 AUTH_DOMAIN="auth.${CLIENT_NAME}.${BASE_DOMAIN}"
 NEXTCLOUD_DOMAIN="nextcloud.${CLIENT_NAME}.${BASE_DOMAIN}"
 echo -e "${BLUE}========================================${NC}"
 echo -e "${BLUE}Add Client to Monitoring${NC}"
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo -e "${YELLOW}Client: ${CLIENT_NAME}${NC}"
 echo ""
 # TODO: Implement automated monitor creation via Uptime Kuma API
 # For now, provide manual instructions
 echo -e "${YELLOW}Manual Setup Required:${NC}"
 echo ""
 echo "Please add the following monitors in Uptime Kuma:"
 echo "🔗 Access: https://status.vrije.cloud"
 echo ""
 echo -e "${GREEN}HTTP(S) Monitors:${NC}"
 echo ""
 echo "1. ${CLIENT_NAME} - Authentik"
 echo "   Type: HTTP(S)"
 echo "   URL: ${AUTH_URL}"
 echo "   Interval: 300 seconds (5 min)"
 echo "   Retries: 3"
 echo ""
 echo "2. ${CLIENT_NAME} - Nextcloud"
 echo "   Type: HTTP(S)"
 echo "   URL: ${NEXTCLOUD_URL}"
 echo "   Interval: 300 seconds (5 min)"
 echo "   Retries: 3"
 echo ""
 echo -e "${GREEN}SSL Certificate Monitors:${NC}"
 echo ""
 echo "3. ${CLIENT_NAME} - Authentik SSL"
 echo "   Type: Certificate Expiry"
 echo "   Hostname: ${AUTH_DOMAIN}"
 echo "   Port: 443"
 echo "   Expiry Days: 30"
 echo "   Interval: 86400 seconds (1 day)"
 echo ""
 echo "4. ${CLIENT_NAME} - Nextcloud SSL"
 echo "   Type: Certificate Expiry"
 echo "   Hostname: ${NEXTCLOUD_DOMAIN}"
 echo "   Port: 443"
 echo "   Expiry Days: 30"
 echo "   Interval: 86400 seconds (1 day)"
 echo ""
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo -e "${YELLOW}Note: Automated monitor creation via API is planned for future enhancement.${NC}"
 echo ""
--- a/scripts/add-client-to-terraform.sh
+++ b/scripts/add-client-to-terraform.sh
@ -0,0 +1,250 @@
 #!/usr/bin/env bash
 #
 # Add a new client to OpenTofu configuration
 #
 # Usage: ./scripts/add-client-to-terraform.sh <client_name> [options]
 #
 # Options:
 #   --server-type=TYPE      Server type (default: cpx22)
 #   --location=LOC          Data center location (default: fsn1)
 #   --volume-size=SIZE      Nextcloud volume size in GB (default: 100)
 #   --apps=APP1,APP2        Applications to deploy (default: zitadel,nextcloud)
 #   --non-interactive       Don't prompt, use defaults
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 TFVARS_FILE="$PROJECT_ROOT/tofu/terraform.tfvars"
 # Check arguments
 if [ $# -lt 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name> [options]"
    echo ""
    echo "Options:"
    echo "  --server-type=TYPE      Server type (default: cpx22)"
    echo "  --location=LOC          Data center (default: fsn1)"
    echo "  --volume-size=SIZE      Nextcloud volume GB (default: 100)"
    echo "  --apps=APP1,APP2        Apps (default: zitadel,nextcloud)"
    echo "  --non-interactive       Use defaults, don't prompt"
    echo ""
    echo "Example: $0 blue --server-type=cx22 --location=nbg1 --volume-size=50"
    exit 1
 fi
 CLIENT_NAME="$1"
 shift
 # Default values
 SERVER_TYPE="cpx22"
 LOCATION="fsn1"
 VOLUME_SIZE="100"
 APPS="authentik,nextcloud"
 PRIVATE_IP=""
 PUBLIC_IP_ENABLED="false"
 NON_INTERACTIVE=false
 # Parse options
 for arg in "$@"; do
    case $arg in
        --server-type=*)
            SERVER_TYPE="${arg#*=}"
            ;;
        --location=*)
            LOCATION="${arg#*=}"
            ;;
        --volume-size=*)
            VOLUME_SIZE="${arg#*=}"
            ;;
        --apps=*)
            APPS="${arg#*=}"
            ;;
        --private-ip=*)
            PRIVATE_IP="${arg#*=}"
            ;;
        --public-ip)
            PUBLIC_IP_ENABLED="true"
            ;;
        --non-interactive)
            NON_INTERACTIVE=true
            ;;
        *)
            echo -e "${RED}Unknown option: $arg${NC}"
            exit 1
            ;;
    esac
 done
 # Auto-assign private IP if not provided
 if [ -z "$PRIVATE_IP" ]; then
    # Find the highest existing IP in terraform.tfvars and increment
    LAST_IP=$(grep -oP 'private_ip\s*=\s*"10\.0\.0\.\K\d+' "$TFVARS_FILE" 2>/dev/null | sort -n | tail -1)
    if [ -z "$LAST_IP" ]; then
        NEXT_IP=40  # Start from 10.0.0.40 (edge is .2)
    else
        NEXT_IP=$((LAST_IP + 1))
    fi
    PRIVATE_IP="10.0.0.$NEXT_IP"
    echo -e "${BLUE}Auto-assigned private IP: $PRIVATE_IP${NC}"
    echo ""
 fi
 # Validate client name
 if [[ ! "$CLIENT_NAME" =~ ^[a-z0-9-]+$ ]]; then
    echo -e "${RED}Error: Client name must contain only lowercase letters, numbers, and hyphens${NC}"
    exit 1
 fi
 # Check if tfvars file exists
 if [ ! -f "$TFVARS_FILE" ]; then
    echo -e "${RED}Error: terraform.tfvars not found at $TFVARS_FILE${NC}"
    exit 1
 fi
 # Check if client already exists
 if grep -q "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE"; then
    echo -e "${YELLOW}⚠ Client '${CLIENT_NAME}' already exists in terraform.tfvars${NC}"
    echo ""
    echo "Existing configuration:"
    grep -A 7 "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE" | head -8
    echo ""
    read -p "Update configuration? (yes/no): " confirm
    if [ "$confirm" != "yes" ]; then
        echo "Cancelled"
        exit 0
    fi
    # Remove existing entry
    # This is complex - for now just error and let user handle manually
    echo -e "${RED}Error: Updating existing clients not yet implemented${NC}"
    echo "Please manually edit $TFVARS_FILE"
    exit 1
 fi
 # Interactive prompts (if not non-interactive)
 if [ "$NON_INTERACTIVE" = false ]; then
    echo -e "${BLUE}Adding client '${CLIENT_NAME}' to OpenTofu configuration${NC}"
    echo ""
    echo "Current defaults:"
    echo "  Server type: $SERVER_TYPE"
    echo "  Location: $LOCATION"
    echo "  Volume size: $VOLUME_SIZE GB"
    echo "  Apps: $APPS"
    echo ""
    read -p "Use these defaults? (yes/no): " use_defaults
    if [ "$use_defaults" != "yes" ]; then
        # Prompt for each value
        echo ""
        read -p "Server type [$SERVER_TYPE]: " input
        SERVER_TYPE="${input:-$SERVER_TYPE}"
        read -p "Location [$LOCATION]: " input
        LOCATION="${input:-$LOCATION}"
        read -p "Volume size GB [$VOLUME_SIZE]: " input
        VOLUME_SIZE="${input:-$VOLUME_SIZE}"
        read -p "Apps (comma-separated) [$APPS]: " input
        APPS="${input:-$APPS}"
    fi
 fi
 # Convert apps list to array format
 APPS_ARRAY=$(echo "$APPS" | sed 's/,/", "/g' | sed 's/^/["/' | sed 's/$/"]/')
 # Find the closing brace of the clients block
 CLIENTS_CLOSE_LINE=$(grep -n "^}" "$TFVARS_FILE" | head -1 | cut -d: -f1)
 if [ -z "$CLIENTS_CLOSE_LINE" ]; then
    echo -e "${RED}Error: Could not find closing brace in terraform.tfvars${NC}"
    exit 1
 fi
 # Create the new client configuration
 NEW_CLIENT_CONFIG="
  # ${CLIENT_NAME} server
  ${CLIENT_NAME} = {
    server_type            = \"${SERVER_TYPE}\"
    location               = \"${LOCATION}\"
    subdomain              = \"${CLIENT_NAME}\"
    apps                   = ${APPS_ARRAY}
    nextcloud_volume_size  = ${VOLUME_SIZE}
    private_ip             = \"${PRIVATE_IP}\"
    public_ip_enabled      = ${PUBLIC_IP_ENABLED}
  }"
 # Create temporary file with new config inserted before closing brace
 TMP_FILE=$(mktemp)
 head -n $((CLIENTS_CLOSE_LINE - 1)) "$TFVARS_FILE" > "$TMP_FILE"
 echo "$NEW_CLIENT_CONFIG" >> "$TMP_FILE"
 tail -n +$CLIENTS_CLOSE_LINE "$TFVARS_FILE" >> "$TMP_FILE"
 # Show the diff
 echo ""
 echo -e "${CYAN}Configuration to be added:${NC}"
 echo "$NEW_CLIENT_CONFIG"
 echo ""
 # Confirm
 if [ "$NON_INTERACTIVE" = false ]; then
    read -p "Add this configuration to terraform.tfvars? (yes/no): " confirm
    if [ "$confirm" != "yes" ]; then
        rm "$TMP_FILE"
        echo "Cancelled"
        exit 0
    fi
 fi
 # Apply changes
 mv "$TMP_FILE" "$TFVARS_FILE"
 echo ""
 echo -e "${GREEN}✓ Client '${CLIENT_NAME}' added to terraform.tfvars${NC}"
 echo ""
 # Create Ansible host_vars file
 HOST_VARS_FILE="$PROJECT_ROOT/ansible/host_vars/${CLIENT_NAME}.yml"
 if [ ! -f "$HOST_VARS_FILE" ]; then
    echo -e "${BLUE}Creating Ansible host_vars file...${NC}"
    mkdir -p "$(dirname "$HOST_VARS_FILE")"
    cat > "$HOST_VARS_FILE" << EOF
 ---
 # ${CLIENT_NAME} server configuration
 ansible_host: ${PRIVATE_IP}
 # Client identification
 client_name: ${CLIENT_NAME}
 client_domain: ${CLIENT_NAME}.vrije.cloud
 client_secrets_file: ${CLIENT_NAME}.sops.yaml
 EOF
    echo -e "${GREEN}✓ Created host_vars file: $HOST_VARS_FILE${NC}"
    echo ""
 fi
 echo "Configuration added:"
 echo "  Server: $SERVER_TYPE in $LOCATION"
 echo "  Volume: $VOLUME_SIZE GB"
 echo "  Apps: $APPS"
 echo "  Private IP: $PRIVATE_IP"
 echo ""
 echo -e "${CYAN}Next steps:${NC}"
 echo "1. Review changes: cat tofu/terraform.tfvars"
 echo "2. Plan infrastructure: cd tofu && tofu plan"
 echo "3. Apply infrastructure: cd tofu && tofu apply"
 echo "4. Deploy services: ./scripts/deploy-client.sh $CLIENT_NAME"
 echo ""
--- a/scripts/check-client-versions.sh
+++ b/scripts/check-client-versions.sh
@ -0,0 +1,251 @@
 #!/usr/bin/env bash
 #
 # Report software versions across all clients
 #
 # Usage: ./scripts/check-client-versions.sh [options]
 #
 # Options:
 #   --format=table    Show as colorized table (default)
 #   --format=csv      Export as CSV
 #   --format=json     Export as JSON
 #   --app=<name>      Filter by application (authentik|nextcloud|traefik|ubuntu)
 #   --outdated        Show only clients with outdated versions
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Default options
 FORMAT="table"
 FILTER_APP=""
 SHOW_OUTDATED=false
 # Parse arguments
 for arg in "$@"; do
    case $arg in
        --format=*)
            FORMAT="${arg#*=}"
            ;;
        --app=*)
            FILTER_APP="${arg#*=}"
            ;;
        --outdated)
            SHOW_OUTDATED=true
            ;;
        *)
            echo "Unknown option: $arg"
            echo "Usage: $0 [--format=table|csv|json] [--app=<name>] [--outdated]"
            exit 1
            ;;
    esac
 done
 # Check if yq is available
 if ! command -v yq &> /dev/null; then
    echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"
    exit 1
 fi
 # Check if registry exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 1
 fi
 # Get list of clients
 CLIENTS=$(yq eval '.clients | keys | .[]' "$REGISTRY_FILE" 2>/dev/null)
 if [ -z "$CLIENTS" ]; then
    echo -e "${YELLOW}No clients found in registry${NC}"
    exit 0
 fi
 # Determine latest versions (from canary/dev or most common)
 declare -A LATEST_VERSIONS
 LATEST_VERSIONS[authentik]=$(yq eval '.clients | to_entries | .[].value.versions.authentik' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[nextcloud]=$(yq eval '.clients | to_entries | .[].value.versions.nextcloud' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[traefik]=$(yq eval '.clients | to_entries | .[].value.versions.traefik' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[ubuntu]=$(yq eval '.clients | to_entries | .[].value.versions.ubuntu' "$REGISTRY_FILE" | sort -V | tail -1)
 # Function to check if version is outdated
 is_outdated() {
    local app=$1
    local version=$2
    local latest=${LATEST_VERSIONS[$app]}
    if [ "$version" != "$latest" ] && [ "$version" != "null" ] && [ "$version" != "unknown" ]; then
        return 0
    else
        return 1
    fi
 }
 case $FORMAT in
    table)
        echo -e "${BLUE}═══════════════════════════════════════════════════════════════════════════════${NC}"
        echo -e "${BLUE}                         CLIENT VERSION REPORT${NC}"
        echo -e "${BLUE}═══════════════════════════════════════════════════════════════════════════════${NC}"
        echo ""
        # Header
        printf "${CYAN}%-15s %-15s %-15s %-15s %-15s %-15s${NC}\n" \
            "CLIENT" "STATUS" "AUTHENTIK" "NEXTCLOUD" "TRAEFIK" "UBUNTU"
        echo -e "${CYAN}$(printf '─%.0s' {1..90})${NC}"
        # Rows
        for client in $CLIENTS; do
            status=$(yq eval ".clients.\"$client\".status" "$REGISTRY_FILE")
            authentik=$(yq eval ".clients.\"$client\".versions.authentik" "$REGISTRY_FILE")
            nextcloud=$(yq eval ".clients.\"$client\".versions.nextcloud" "$REGISTRY_FILE")
            traefik=$(yq eval ".clients.\"$client\".versions.traefik" "$REGISTRY_FILE")
            ubuntu=$(yq eval ".clients.\"$client\".versions.ubuntu" "$REGISTRY_FILE")
            # Skip if filtering by outdated and not outdated
            if [ "$SHOW_OUTDATED" = true ]; then
                has_outdated=false
                is_outdated "authentik" "$authentik" && has_outdated=true
                is_outdated "nextcloud" "$nextcloud" && has_outdated=true
                is_outdated "traefik" "$traefik" && has_outdated=true
                is_outdated "ubuntu" "$ubuntu" && has_outdated=true
                if [ "$has_outdated" = false ]; then
                    continue
                fi
            fi
            # Colorize versions (red if outdated)
            authentik_color=$NC
            is_outdated "authentik" "$authentik" && authentik_color=$RED
            nextcloud_color=$NC
            is_outdated "nextcloud" "$nextcloud" && nextcloud_color=$RED
            traefik_color=$NC
            is_outdated "traefik" "$traefik" && traefik_color=$RED
            ubuntu_color=$NC
            is_outdated "ubuntu" "$ubuntu" && ubuntu_color=$RED
            # Status color
            status_color=$GREEN
            [ "$status" != "deployed" ] && status_color=$YELLOW
            printf "%-15s ${status_color}%-15s${NC} ${authentik_color}%-15s${NC} ${nextcloud_color}%-15s${NC} ${traefik_color}%-15s${NC} ${ubuntu_color}%-15s${NC}\n" \
                "$client" "$status" "$authentik" "$nextcloud" "$traefik" "$ubuntu"
        done
        echo ""
        echo -e "${CYAN}Latest versions:${NC}"
        echo "  Authentik: ${LATEST_VERSIONS[authentik]}"
        echo "  Nextcloud: ${LATEST_VERSIONS[nextcloud]}"
        echo "  Traefik:   ${LATEST_VERSIONS[traefik]}"
        echo "  Ubuntu:    ${LATEST_VERSIONS[ubuntu]}"
        echo ""
        echo -e "${YELLOW}Note: ${RED}Red${NC} indicates outdated version${NC}"
        echo ""
        ;;
    csv)
        # CSV header
        echo "client,status,authentik,nextcloud,traefik,ubuntu,last_update,outdated"
        # CSV rows
        for client in $CLIENTS; do
            status=$(yq eval ".clients.\"$client\".status" "$REGISTRY_FILE")
            authentik=$(yq eval ".clients.\"$client\".versions.authentik" "$REGISTRY_FILE")
            nextcloud=$(yq eval ".clients.\"$client\".versions.nextcloud" "$REGISTRY_FILE")
            traefik=$(yq eval ".clients.\"$client\".versions.traefik" "$REGISTRY_FILE")
            ubuntu=$(yq eval ".clients.\"$client\".versions.ubuntu" "$REGISTRY_FILE")
            last_update=$(yq eval ".clients.\"$client\".maintenance.last_full_update" "$REGISTRY_FILE")
            # Check if any version is outdated
            outdated="no"
            is_outdated "authentik" "$authentik" && outdated="yes"
            is_outdated "nextcloud" "$nextcloud" && outdated="yes"
            is_outdated "traefik" "$traefik" && outdated="yes"
            is_outdated "ubuntu" "$ubuntu" && outdated="yes"
            # Skip if filtering by outdated
            if [ "$SHOW_OUTDATED" = true ] && [ "$outdated" = "no" ]; then
                continue
            fi
            echo "$client,$status,$authentik,$nextcloud,$traefik,$ubuntu,$last_update,$outdated"
        done
        ;;
    json)
        # Build JSON array
        echo "{"
        echo "  \"latest_versions\": {"
        echo "    \"authentik\": \"${LATEST_VERSIONS[authentik]}\","
        echo "    \"nextcloud\": \"${LATEST_VERSIONS[nextcloud]}\","
        echo "    \"traefik\": \"${LATEST_VERSIONS[traefik]}\","
        echo "    \"ubuntu\": \"${LATEST_VERSIONS[ubuntu]}\""
        echo "  },"
        echo "  \"clients\": ["
        first=true
        for client in $CLIENTS; do
            status=$(yq eval ".clients.\"$client\".status" "$REGISTRY_FILE")
            authentik=$(yq eval ".clients.\"$client\".versions.authentik" "$REGISTRY_FILE")
            nextcloud=$(yq eval ".clients.\"$client\".versions.nextcloud" "$REGISTRY_FILE")
            traefik=$(yq eval ".clients.\"$client\".versions.traefik" "$REGISTRY_FILE")
            ubuntu=$(yq eval ".clients.\"$client\".versions.ubuntu" "$REGISTRY_FILE")
            last_update=$(yq eval ".clients.\"$client\".maintenance.last_full_update" "$REGISTRY_FILE")
            # Check if any version is outdated
            outdated=false
            is_outdated "authentik" "$authentik" && outdated=true
            is_outdated "nextcloud" "$nextcloud" && outdated=true
            is_outdated "traefik" "$traefik" && outdated=true
            is_outdated "ubuntu" "$ubuntu" && outdated=true
            # Skip if filtering by outdated
            if [ "$SHOW_OUTDATED" = true ] && [ "$outdated" = false ]; then
                continue
            fi
            if [ "$first" = false ]; then
                echo "    ,"
            fi
            first=false
            cat <<EOF
    {
      "name": "$client",
      "status": "$status",
      "versions": {
        "authentik": "$authentik",
        "nextcloud": "$nextcloud",
        "traefik": "$traefik",
        "ubuntu": "$ubuntu"
      },
      "last_update": "$last_update",
      "outdated": $outdated
    }
 EOF
        done
        echo ""
        echo "  ]"
        echo "}"
        ;;
    *)
        echo -e "${RED}Error: Unknown format '$FORMAT'${NC}"
        echo "Valid formats: table, csv, json"
        exit 1
        ;;
 esac
--- a/scripts/client-status.sh
+++ b/scripts/client-status.sh
@ -0,0 +1,237 @@
 #!/usr/bin/env bash
 #
 # Show detailed status for a specific client
 #
 # Usage: ./scripts/client-status.sh <client_name>
 #
 # Displays:
 # - Deployment status and metadata
 # - Server information
 # - Application versions
 # - Maintenance history
 # - URLs and access information
 # - Live health checks (optional)
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    echo ""
    echo "Example: $0 dev"
    exit 1
 fi
 CLIENT_NAME="$1"
 # Check if yq is available
 if ! command -v yq &> /dev/null; then
    echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"
    exit 1
 fi
 # Check if registry exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 1
 fi
 # Check if client exists
 if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
    echo -e "${RED}Error: Client '$CLIENT_NAME' not found in registry${NC}"
    echo ""
    echo "Available clients:"
    yq eval '.clients | keys | .[]' "$REGISTRY_FILE"
    exit 1
 fi
 # Extract client information
 STATUS=$(yq eval ".clients.\"$CLIENT_NAME\".status" "$REGISTRY_FILE")
 ROLE=$(yq eval ".clients.\"$CLIENT_NAME\".role" "$REGISTRY_FILE")
 DEPLOYED_DATE=$(yq eval ".clients.\"$CLIENT_NAME\".deployed_date" "$REGISTRY_FILE")
 DESTROYED_DATE=$(yq eval ".clients.\"$CLIENT_NAME\".destroyed_date" "$REGISTRY_FILE")
 SERVER_TYPE=$(yq eval ".clients.\"$CLIENT_NAME\".server.type" "$REGISTRY_FILE")
 SERVER_LOCATION=$(yq eval ".clients.\"$CLIENT_NAME\".server.location" "$REGISTRY_FILE")
 SERVER_IP=$(yq eval ".clients.\"$CLIENT_NAME\".server.ip" "$REGISTRY_FILE")
 SERVER_ID=$(yq eval ".clients.\"$CLIENT_NAME\".server.id" "$REGISTRY_FILE")
 APPS=$(yq eval ".clients.\"$CLIENT_NAME\".apps | join(\", \")" "$REGISTRY_FILE")
 AUTHENTIK_VERSION=$(yq eval ".clients.\"$CLIENT_NAME\".versions.authentik" "$REGISTRY_FILE")
 NEXTCLOUD_VERSION=$(yq eval ".clients.\"$CLIENT_NAME\".versions.nextcloud" "$REGISTRY_FILE")
 TRAEFIK_VERSION=$(yq eval ".clients.\"$CLIENT_NAME\".versions.traefik" "$REGISTRY_FILE")
 UBUNTU_VERSION=$(yq eval ".clients.\"$CLIENT_NAME\".versions.ubuntu" "$REGISTRY_FILE")
 LAST_FULL_UPDATE=$(yq eval ".clients.\"$CLIENT_NAME\".maintenance.last_full_update" "$REGISTRY_FILE")
 LAST_SECURITY_PATCH=$(yq eval ".clients.\"$CLIENT_NAME\".maintenance.last_security_patch" "$REGISTRY_FILE")
 LAST_OS_UPDATE=$(yq eval ".clients.\"$CLIENT_NAME\".maintenance.last_os_update" "$REGISTRY_FILE")
 LAST_BACKUP_VERIFIED=$(yq eval ".clients.\"$CLIENT_NAME\".maintenance.last_backup_verified" "$REGISTRY_FILE")
 AUTHENTIK_URL=$(yq eval ".clients.\"$CLIENT_NAME\".urls.authentik" "$REGISTRY_FILE")
 NEXTCLOUD_URL=$(yq eval ".clients.\"$CLIENT_NAME\".urls.nextcloud" "$REGISTRY_FILE")
 NOTES=$(yq eval ".clients.\"$CLIENT_NAME\".notes" "$REGISTRY_FILE")
 # Display header
 echo -e "${BLUE}═══════════════════════════════════════════════════════════${NC}"
 echo -e "${BLUE}  CLIENT STATUS: $CLIENT_NAME${NC}"
 echo -e "${BLUE}═══════════════════════════════════════════════════════════${NC}"
 echo ""
 # Status section
 echo -e "${CYAN}━━━ Deployment Status ━━━${NC}"
 echo ""
 # Color status
 STATUS_COLOR=$NC
 case $STATUS in
    deployed) STATUS_COLOR=$GREEN ;;
    pending) STATUS_COLOR=$YELLOW ;;
    maintenance) STATUS_COLOR=$CYAN ;;
    offboarding) STATUS_COLOR=$RED ;;
    destroyed) STATUS_COLOR=$RED ;;
 esac
 # Color role
 ROLE_COLOR=$NC
 case $ROLE in
    canary) ROLE_COLOR=$YELLOW ;;
    production) ROLE_COLOR=$GREEN ;;
 esac
 echo -e "Status:        ${STATUS_COLOR}$STATUS${NC}"
 echo -e "Role:          ${ROLE_COLOR}$ROLE${NC}"
 echo -e "Deployed:      $DEPLOYED_DATE"
 if [ "$DESTROYED_DATE" != "null" ]; then
    echo -e "Destroyed:     ${RED}$DESTROYED_DATE${NC}"
 fi
 echo ""
 # Server section
 echo -e "${CYAN}━━━ Server Information ━━━${NC}"
 echo ""
 echo -e "Server Type:   $SERVER_TYPE"
 echo -e "Location:      $SERVER_LOCATION"
 echo -e "IP Address:    $SERVER_IP"
 echo -e "Server ID:     $SERVER_ID"
 echo ""
 # Applications section
 echo -e "${CYAN}━━━ Applications ━━━${NC}"
 echo ""
 echo -e "Installed:     $APPS"
 echo ""
 # Versions section
 echo -e "${CYAN}━━━ Versions ━━━${NC}"
 echo ""
 echo -e "Authentik:     $AUTHENTIK_VERSION"
 echo -e "Nextcloud:     $NEXTCLOUD_VERSION"
 echo -e "Traefik:       $TRAEFIK_VERSION"
 echo -e "Ubuntu:        $UBUNTU_VERSION"
 echo ""
 # Maintenance section
 echo -e "${CYAN}━━━ Maintenance History ━━━${NC}"
 echo ""
 echo -e "Last Full Update:      $LAST_FULL_UPDATE"
 echo -e "Last Security Patch:   $LAST_SECURITY_PATCH"
 echo -e "Last OS Update:        $LAST_OS_UPDATE"
 if [ "$LAST_BACKUP_VERIFIED" != "null" ]; then
    echo -e "Last Backup Verified:  $LAST_BACKUP_VERIFIED"
 else
    echo -e "Last Backup Verified:  ${YELLOW}Never${NC}"
 fi
 echo ""
 # URLs section
 echo -e "${CYAN}━━━ Access URLs ━━━${NC}"
 echo ""
 echo -e "Authentik:     $AUTHENTIK_URL"
 echo -e "Nextcloud:     $NEXTCLOUD_URL"
 echo ""
 # Notes section
 if [ "$NOTES" != "null" ] && [ -n "$NOTES" ]; then
    echo -e "${CYAN}━━━ Notes ━━━${NC}"
    echo ""
    echo "$NOTES" | sed 's/^/  /'
    echo ""
 fi
 # Live health check (if server is deployed and reachable)
 if [ "$STATUS" = "deployed" ]; then
    echo -e "${CYAN}━━━ Live Health Check ━━━${NC}"
    echo ""
    # Check if server is reachable via SSH (if Ansible is configured)
    if command -v ansible &> /dev/null && [ -n "${HCLOUD_TOKEN:-}" ]; then
        cd "$PROJECT_ROOT/ansible"
        if timeout 10 ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then
            echo -e "SSH Access:    ${GREEN}✓ Reachable${NC}"
            # Get Docker status
            DOCKER_STATUS=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker ps --format '{{.Names}}' 2>/dev/null | wc -l" -o 2>/dev/null | tail -1 | awk '{print $NF}' || echo "0")
            if [ "$DOCKER_STATUS" != "0" ]; then
                echo -e "Docker:        ${GREEN}✓ Running ($DOCKER_STATUS containers)${NC}"
            else
                echo -e "Docker:        ${RED}✗ No containers running${NC}"
            fi
        else
            echo -e "SSH Access:    ${RED}✗ Not reachable${NC}"
        fi
    else
        echo -e "${YELLOW}Note: Install Ansible and set HCLOUD_TOKEN for live health checks${NC}"
    fi
    echo ""
    # Check HTTPS endpoints
    echo -e "HTTPS Endpoints:"
    # Check Authentik
    if command -v curl &> /dev/null; then
        if timeout 10 curl -sSf -o /dev/null "$AUTHENTIK_URL" 2>/dev/null; then
            echo -e "  Authentik:   ${GREEN}✓ Responding${NC}"
        else
            echo -e "  Authentik:   ${RED}<EFBFBD><EFBFBD> Not responding${NC}"
        fi
        # Check Nextcloud
        if timeout 10 curl -sSf -o /dev/null "$NEXTCLOUD_URL" 2>/dev/null; then
            echo -e "  Nextcloud:   ${GREEN}✓ Responding${NC}"
        else
            echo -e "  Nextcloud:   ${RED}✗ Not responding${NC}"
        fi
    else
        echo -e "  ${YELLOW}Install curl for endpoint checks${NC}"
    fi
    echo ""
 fi
 # Management commands section
 echo -e "${CYAN}━━━ Management Commands ━━━${NC}"
 echo ""
 echo -e "View secrets:    ${BLUE}sops secrets/clients/${CLIENT_NAME}.sops.yaml${NC}"
 echo -e "Rebuild server:  ${BLUE}./scripts/rebuild-client.sh $CLIENT_NAME${NC}"
 echo -e "Destroy server:  ${BLUE}./scripts/destroy-client.sh $CLIENT_NAME${NC}"
 echo -e "List all:        ${BLUE}./scripts/list-clients.sh${NC}"
 echo ""
 echo -e "${BLUE}═══════════════════════════════════════════════════════════${NC}"
--- a/scripts/collect-client-versions.sh
+++ b/scripts/collect-client-versions.sh
@ -0,0 +1,130 @@
 #!/usr/bin/env bash
 #
 # Collect deployed software versions from a client and update registry
 #
 # Usage: ./scripts/collect-client-versions.sh <client_name>
 #
 # Queries the deployed server for actual running versions:
 # - Docker container image versions
 # - Ubuntu OS version
 # - Updates the client registry with collected versions
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    echo ""
    echo "Example: $0 dev"
    exit 1
 fi
 CLIENT_NAME="$1"
 # Check if yq is available
 if ! command -v yq &> /dev/null; then
    echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"
    exit 1
 fi
 # Load Hetzner API token from SOPS if not already set
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    # shellcheck source=scripts/load-secrets-env.sh
    source "$SCRIPT_DIR/load-secrets-env.sh" > /dev/null 2>&1
 fi
 # Check if registry exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 1
 fi
 # Check if client exists in registry
 if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
    echo -e "${RED}Error: Client '$CLIENT_NAME' not found in registry${NC}"
    exit 1
 fi
 echo -e "${BLUE}Collecting versions for client: $CLIENT_NAME${NC}"
 echo ""
 cd "$PROJECT_ROOT/ansible"
 # Check if server is reachable
 if ! timeout 10 ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then
    echo -e "${RED}Error: Cannot reach server for client '$CLIENT_NAME'${NC}"
    echo "Server may not be deployed or network is unreachable"
    exit 1
 fi
 echo -e "${YELLOW}Querying deployed versions...${NC}"
 echo ""
 # Query Docker container versions
 echo "Collecting Docker container versions..."
 # Function to extract version from image tag
 extract_version() {
    local image=$1
    # Extract version after the colon, or return "latest"
    if [[ $image == *":"* ]]; then
        echo "$image" | awk -F: '{print $2}'
    else
        echo "latest"
    fi
 }
 # Collect Authentik version
 AUTHENTIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect authentik-server 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
 AUTHENTIK_VERSION=$(extract_version "$AUTHENTIK_IMAGE")
 # Collect Nextcloud version
 NEXTCLOUD_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect nextcloud 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
 NEXTCLOUD_VERSION=$(extract_version "$NEXTCLOUD_IMAGE")
 # Collect Traefik version
 TRAEFIK_IMAGE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker inspect traefik 2>/dev/null | jq -r '.[0].Config.Image' 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
 TRAEFIK_VERSION=$(extract_version "$TRAEFIK_IMAGE")
 # Collect Ubuntu version
 UBUNTU_VERSION=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "lsb_release -rs 2>/dev/null || echo 'unknown'" -o 2>/dev/null | tail -1 | awk '{print $NF}')
 echo -e "${GREEN}✓ Versions collected${NC}"
 echo ""
 # Display collected versions
 echo "Collected versions:"
 echo "  Authentik:  $AUTHENTIK_VERSION"
 echo "  Nextcloud:  $NEXTCLOUD_VERSION"
 echo "  Traefik:    $TRAEFIK_VERSION"
 echo "  Ubuntu:     $UBUNTU_VERSION"
 echo ""
 # Update registry
 echo -e "${YELLOW}Updating registry...${NC}"
 # Update versions in registry
 yq eval -i ".clients.\"$CLIENT_NAME\".versions.authentik = \"$AUTHENTIK_VERSION\"" "$REGISTRY_FILE"
 yq eval -i ".clients.\"$CLIENT_NAME\".versions.nextcloud = \"$NEXTCLOUD_VERSION\"" "$REGISTRY_FILE"
 yq eval -i ".clients.\"$CLIENT_NAME\".versions.traefik = \"$TRAEFIK_VERSION\"" "$REGISTRY_FILE"
 yq eval -i ".clients.\"$CLIENT_NAME\".versions.ubuntu = \"$UBUNTU_VERSION\"" "$REGISTRY_FILE"
 echo -e "${GREEN}✓ Registry updated${NC}"
 echo ""
 echo "Updated: $REGISTRY_FILE"
 echo ""
 echo "To view registry:"
 echo "  ./scripts/client-status.sh $CLIENT_NAME"
--- a/scripts/configure-diun-all-servers.sh
+++ b/scripts/configure-diun-all-servers.sh
@ -0,0 +1,170 @@
 #!/usr/bin/env bash
 #
 # Configure Diun on all servers (disable watchRepo, add Docker Hub auth)
 # Created: 2026-01-24
 #
 # This script runs the diun configuration playbook on each server
 # with its corresponding SSH key.
 #
 # Usage:
 #   cd infrastructure/
 #   SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/configure-diun-all-servers.sh
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 ANSIBLE_DIR="$PROJECT_ROOT/ansible"
 KEYS_DIR="$PROJECT_ROOT/keys/ssh"
 PLAYBOOK="playbooks/260124-configure-diun-watchrepo.yml"
 # Check required environment variables
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
    exit 1
 fi
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    echo -e "${RED}Error: SOPS_AGE_KEY_FILE environment variable is required${NC}"
    exit 1
 fi
 # Convert SOPS_AGE_KEY_FILE to absolute path if it's relative
 if [[ ! "$SOPS_AGE_KEY_FILE" = /* ]]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/$SOPS_AGE_KEY_FILE"
 fi
 # Change to ansible directory
 cd "$ANSIBLE_DIR"
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Diun Configuration - All Servers${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Playbook: $PLAYBOOK"
 echo "Ansible directory: $ANSIBLE_DIR"
 echo ""
 echo "Configuration changes:"
 echo "  - Disable watchRepo (only check specific tags, not entire repos)"
 echo "  - Add Docker Hub authentication (5000 pulls/6h limit)"
 echo "  - Schedule: Weekly on Monday at 6am UTC"
 echo ""
 # Get list of all servers with SSH keys
 SERVERS=()
 for keyfile in "$KEYS_DIR"/*.pub; do
    if [ -f "$keyfile" ]; then
        server=$(basename "$keyfile" .pub)
        # Skip special servers
        if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
            SERVERS+=("$server")
        fi
    fi
 done
 echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
 printf '%s\n' "${SERVERS[@]}" | sort
 echo ""
 # Counters
 SUCCESS_COUNT=0
 FAILED_COUNT=0
 SKIPPED_COUNT=0
 declare -a SUCCESS_SERVERS
 declare -a FAILED_SERVERS
 declare -a SKIPPED_SERVERS
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Starting configuration run...${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 # Run playbook for each server
 for server in "${SERVERS[@]}"; do
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    echo -e "${YELLOW}Processing: $server${NC}"
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    SSH_KEY="$KEYS_DIR/$server"
    if [ ! -f "$SSH_KEY" ]; then
        echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
        SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        SKIPPED_SERVERS+=("$server")
        echo ""
        continue
    fi
    # Run the playbook (with SSH options to prevent agent key issues)
    if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
        SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" \
        ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
        ~/.local/bin/ansible-playbook \
        -i hcloud.yml \
        "$PLAYBOOK" \
        --limit "$server" \
        --private-key "$SSH_KEY" 2>&1; then
        echo -e "${GREEN}✓ Success: $server${NC}"
        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
        SUCCESS_SERVERS+=("$server")
    else
        echo -e "${RED}✗ Failed: $server${NC}"
        FAILED_COUNT=$((FAILED_COUNT + 1))
        FAILED_SERVERS+=("$server")
    fi
    echo ""
 done
 # Summary
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}CONFIGURATION RUN SUMMARY${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Total servers: ${#SERVERS[@]}"
 echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
 echo -e "${RED}Failed: $FAILED_COUNT${NC}"
 echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
 echo ""
 if [ $SUCCESS_COUNT -gt 0 ]; then
    echo -e "${GREEN}Successful servers:${NC}"
    printf '  %s\n' "${SUCCESS_SERVERS[@]}"
    echo ""
 fi
 if [ $FAILED_COUNT -gt 0 ]; then
    echo -e "${RED}Failed servers:${NC}"
    printf '  %s\n' "${FAILED_SERVERS[@]}"
    echo ""
 fi
 if [ $SKIPPED_COUNT -gt 0 ]; then
    echo -e "${YELLOW}Skipped servers:${NC}"
    printf '  %s\n' "${SKIPPED_SERVERS[@]}"
    echo ""
 fi
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Next steps:"
 echo "  1. Wait for next Monday at 6am UTC for scheduled run"
 echo "  2. Or manually trigger: docker exec diun diun once"
 echo "  3. Check logs: docker logs diun"
 echo ""
 # Exit with error if any failures
 if [ $FAILED_COUNT -gt 0 ]; then
    exit 1
 fi
 exit 0
--- a/scripts/configure-oidc.sh
+++ b/scripts/configure-oidc.sh
@ -0,0 +1,156 @@
 #!/usr/bin/env bash
 #
 # Configure OIDC for a single client
 #
 # Usage: ./scripts/configure-oidc.sh <client_name>
 #
 # This script:
 # 1. Creates OIDC provider in Authentik
 # 2. Installs user_oidc app in Nextcloud
 # 3. Configures OIDC connection
 # 4. Enables multiple user backends
 set -euo pipefail
 # Colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m'
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    exit 1
 fi
 CLIENT_NAME="$1"
 # Check environment variables
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
 fi
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN not set${NC}"
    exit 1
 fi
 echo -e "${BLUE}Configuring OIDC for ${CLIENT_NAME}...${NC}"
 cd "$PROJECT_ROOT"
 # Step 1: Get credentials from secrets
 echo "Getting credentials from secrets..."
 TOKEN=$(sops -d "secrets/clients/${CLIENT_NAME}.sops.yaml" | grep authentik_bootstrap_token | awk '{print $2}')
 if [ -z "$TOKEN" ]; then
    echo -e "${RED}Error: Could not get Authentik token${NC}"
    exit 1
 fi
 # Step 2: Create OIDC provider in Authentik
 echo "Creating OIDC provider in Authentik..."
 # Create Python script
 cat > /tmp/create_oidc_${CLIENT_NAME}.py << EOFPYTHON
 import sys, json, urllib.request
 base_url, token = "http://localhost:9000", "${TOKEN}"
 def req(p, m='GET', d=None):
    r = urllib.request.Request(f"{base_url}{p}", json.dumps(d).encode() if d else None, {'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'}, method=m)
    try:
        with urllib.request.urlopen(r, timeout=30) as resp: return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e: return e.code, json.loads(e.read()) if e.headers.get('Content-Type', '').startswith('application/json') else {'error': e.read().decode()}
 s, d = req('/api/v3/flows/instances/')
 auth_flow = next((f['pk'] for f in d.get('results', []) if f.get('slug') == 'default-authorization-flow' or f.get('designation') == 'authorization'), None)
 inval_flow = next((f['pk'] for f in d.get('results', []) if f.get('slug') == 'default-invalidation-flow' or f.get('designation') == 'invalidation'), None)
 s, d = req('/api/v3/crypto/certificatekeypairs/')
 key = d.get('results', [{}])[0].get('pk') if d.get('results') else None
 if not auth_flow or not key: print(json.dumps({'error': 'Config missing', 'auth_flow': auth_flow, 'key': key}), file=sys.stderr); sys.exit(1)
 s, prov = req('/api/v3/providers/oauth2/', 'POST', {'name': 'Nextcloud', 'authorization_flow': auth_flow, 'invalidation_flow': inval_flow, 'client_type': 'confidential', 'redirect_uris': [{'matching_mode': 'strict', 'url': 'https://nextcloud.${CLIENT_NAME}.vrije.cloud/apps/user_oidc/code'}], 'signing_key': key, 'sub_mode': 'hashed_user_id', 'include_claims_in_id_token': True})
 if s != 201: print(json.dumps({'error': 'Provider failed', 'status': s, 'details': prov}), file=sys.stderr); sys.exit(1)
 s, app = req('/api/v3/core/applications/', 'POST', {'name': 'Nextcloud', 'slug': 'nextcloud', 'provider': prov['pk'], 'meta_launch_url': 'https://nextcloud.${CLIENT_NAME}.vrije.cloud'})
 if s != 201: print(json.dumps({'error': 'App failed', 'status': s, 'details': app}), file=sys.stderr); sys.exit(1)
 print(json.dumps({'success': True, 'provider_id': prov['pk'], 'application_id': app['pk'], 'client_id': prov['client_id'], 'client_secret': prov['client_secret'], 'discovery_uri': f"https://auth.${CLIENT_NAME}.vrije.cloud/application/o/nextcloud/.well-known/openid-configuration", 'issuer': f"https://auth.${CLIENT_NAME}.vrije.cloud/application/o/nextcloud/"}))
 EOFPYTHON
 # Copy script to server and execute
 cd ansible
 env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
    ansible "${CLIENT_NAME}" \
    -i hcloud.yml \
    -m copy \
    -a "src=/tmp/create_oidc_${CLIENT_NAME}.py dest=/tmp/create_oidc.py mode=0755" \
    --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1
 # Execute the script
 OIDC_RESULT=$(env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
    ansible "${CLIENT_NAME}" \
    -i hcloud.yml \
    -m shell \
    -a "docker exec -i authentik-server python3 < /tmp/create_oidc.py" \
    --private-key "../keys/ssh/${CLIENT_NAME}" 2>/dev/null | grep -A1 "CHANGED" | tail -1)
 if [ -z "$OIDC_RESULT" ]; then
    echo -e "${RED}Error: Failed to create OIDC provider${NC}"
    exit 1
 fi
 # Parse credentials
 CLIENT_ID=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['client_id'])")
 CLIENT_SECRET=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['client_secret'])")
 DISCOVERY_URI=$(echo "$OIDC_RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['discovery_uri'])")
 if [ -z "$CLIENT_ID" ] || [ -z "$CLIENT_SECRET" ] || [ -z "$DISCOVERY_URI" ]; then
    echo -e "${RED}Error: Failed to parse OIDC credentials${NC}"
    exit 1
 fi
 echo -e "${GREEN}✓ OIDC provider created${NC}"
 # Step 3: Install user_oidc app in Nextcloud
 echo "Installing user_oidc app..."
 env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
    ansible "${CLIENT_NAME}" \
    -i hcloud.yml \
    -m shell \
    -a "docker exec -u www-data nextcloud php occ app:install user_oidc" \
    --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1 || true
 echo -e "${GREEN}✓ user_oidc app installed${NC}"
 # Step 4: Configure OIDC provider in Nextcloud
 echo "Configuring OIDC provider..."
 env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
    ansible "${CLIENT_NAME}" \
    -i hcloud.yml \
    -m shell \
    -a "docker exec -u www-data nextcloud php occ user_oidc:provider --clientid=\"${CLIENT_ID}\" --clientsecret=\"${CLIENT_SECRET}\" --discoveryuri=\"${DISCOVERY_URI}\" \"Authentik\"" \
    --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1
 echo -e "${GREEN}✓ OIDC provider configured${NC}"
 # Step 5: Configure OIDC settings
 echo "Configuring OIDC settings..."
 env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
    ansible "${CLIENT_NAME}" \
    -i hcloud.yml \
    -m shell \
    -a "docker exec -u www-data nextcloud php occ config:app:set user_oidc allow_multiple_user_backends --value=1 && docker exec -u www-data nextcloud php occ config:app:set user_oidc auto_provision --value=1 && docker exec -u www-data nextcloud php occ config:app:set user_oidc single_logout --value=0" \
    --private-key "../keys/ssh/${CLIENT_NAME}" > /dev/null 2>&1
 echo -e "${GREEN}✓ OIDC settings configured${NC}"
 # Cleanup
 rm -f /tmp/create_oidc_${CLIENT_NAME}.py
 echo -e "${GREEN}✓ OIDC configuration complete for ${CLIENT_NAME}${NC}"
--- a/scripts/deploy-client.sh
+++ b/scripts/deploy-client.sh
@ -36,33 +36,86 @@ fi
 CLIENT_NAME="$1"
-# Check if secrets file exists
+# Check if SSH key exists, generate if missing
-SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
+SSH_KEY_FILE="$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}"
-if [ ! -f "$SECRETS_FILE" ]; then
+if [ ! -f "$SSH_KEY_FILE" ]; then
-    echo -e "${RED}Error: Secrets file not found: $SECRETS_FILE${NC}"
+    echo -e "${YELLOW}SSH key not found for client: $CLIENT_NAME${NC}"
    echo "Generating SSH key pair automatically..."
    echo ""
-    echo "Create a secrets file first:"
+
-    echo "  1. Copy the template:"
+    # Generate SSH key
-    echo "     cp secrets/clients/test.sops.yaml secrets/clients/${CLIENT_NAME}.sops.yaml"
+    "$SCRIPT_DIR/generate-client-keys.sh" "$CLIENT_NAME"
    echo ""
-    echo "  2. Edit with SOPS:"
+    echo -e "${GREEN}✓ SSH key generated${NC}"
    echo "     sops secrets/clients/${CLIENT_NAME}.sops.yaml"
    echo ""
    echo "  3. Update the following fields:"
    echo "     - client_name: $CLIENT_NAME"
    echo "     - client_domain: ${CLIENT_NAME}.vrije.cloud"
    echo "     - authentik_domain: auth.${CLIENT_NAME}.vrije.cloud"
    echo "     - nextcloud_domain: nextcloud.${CLIENT_NAME}.vrije.cloud"
    echo "     - All passwords and tokens (regenerate for security)"
    exit 1
 fi
-# Check required environment variables
+# Check if secrets file exists, create from template if missing
-if [ -z "${HCLOUD_TOKEN:-}" ]; then
+SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
-    echo -e "${RED}Error: HCLOUD_TOKEN environment variable not set${NC}"
+TEMPLATE_FILE="$PROJECT_ROOT/secrets/clients/template.sops.yaml"
-    echo "Export your Hetzner Cloud API token:"
+
-    echo "  export HCLOUD_TOKEN='your-token-here'"
+if [ ! -f "$SECRETS_FILE" ]; then
    echo -e "${YELLOW}Secrets file not found for client: $CLIENT_NAME${NC}"
    echo "Creating from template and opening for editing..."
    echo ""
    # Check if template exists
    if [ ! -f "$TEMPLATE_FILE" ]; then
        echo -e "${RED}Error: Template file not found: $TEMPLATE_FILE${NC}"
        exit 1
    fi
    # Copy template and decrypt to temporary file
    if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
        export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
    fi
    # Decrypt template to temp file
    TEMP_PLAIN=$(mktemp)
    sops -d "$TEMPLATE_FILE" > "$TEMP_PLAIN"
    # Replace client name placeholders
    sed -i '' "s/test/${CLIENT_NAME}/g" "$TEMP_PLAIN"
    # Create unencrypted file in correct location (matching .sops.yaml regex)
    # This is necessary because SOPS needs the file path to match creation rules
    TEMP_SOPS="${SECRETS_FILE%.sops.yaml}-unenc.sops.yaml"
    cat "$TEMP_PLAIN" > "$TEMP_SOPS"
    # Encrypt in-place (SOPS finds creation rules because path matches regex)
    sops --encrypt --in-place "$TEMP_SOPS"
    # Rename to final name
    mv "$TEMP_SOPS" "$SECRETS_FILE"
    # Cleanup
    rm "$TEMP_PLAIN"
    echo -e "${GREEN}✓ Created secrets file with client-specific domains${NC}"
    echo ""
    # Automatically generate unique passwords
    echo -e "${BLUE}Generating unique passwords for ${CLIENT_NAME}...${NC}"
    echo ""
    # Call the password generator script
    "$SCRIPT_DIR/generate-passwords.sh" "$CLIENT_NAME"
    echo ""
    echo -e "${GREEN}✓ Secrets file configured with unique passwords${NC}"
    echo ""
    echo -e "${YELLOW}To view credentials:${NC}"
    echo -e "  ${BLUE}./scripts/get-passwords.sh ${CLIENT_NAME}${NC}"
    echo ""
 fi
 # Load Hetzner API token from SOPS if not already set
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${BLUE}Loading Hetzner API token from SOPS...${NC}"
    # shellcheck source=scripts/load-secrets-env.sh
    source "$SCRIPT_DIR/load-secrets-env.sh"
    echo ""
 fi
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
@ -91,6 +144,28 @@ if ! grep -q "\"$CLIENT_NAME\"" terraform.tfvars 2>/dev/null; then
    fi
 fi
 # Check if client exists in terraform.tfvars
 TFVARS_FILE="$PROJECT_ROOT/tofu/terraform.tfvars"
 if ! grep -q "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE"; then
    echo -e "${YELLOW}⚠ Client '${CLIENT_NAME}' not found in terraform.tfvars${NC}"
    echo ""
    echo "The client must be added to OpenTofu configuration before deployment."
    echo ""
    read -p "Would you like to add it now? (yes/no): " add_confirm
    if [ "$add_confirm" = "yes" ]; then
        echo ""
        "$SCRIPT_DIR/add-client-to-terraform.sh" "$CLIENT_NAME"
        echo ""
    else
        echo -e "${RED}Error: Cannot deploy without OpenTofu configuration${NC}"
        echo ""
        echo "Add the client manually to tofu/terraform.tfvars, or run:"
        echo "  ./scripts/add-client-to-terraform.sh $CLIENT_NAME"
        exit 1
    fi
 fi
 # Start timer
 START_TIME=$(date +%s)
@ -100,10 +175,16 @@ echo -e "${BLUE}========================================${NC}"
 echo ""
 # Step 1: Provision infrastructure
-echo -e "${YELLOW}[1/3] Provisioning infrastructure with OpenTofu...${NC}"
+echo -e "${YELLOW}[1/5] Provisioning infrastructure with OpenTofu...${NC}"
 cd "$PROJECT_ROOT/tofu"
 # Export TF_VAR environment variables if HCLOUD_TOKEN is set
 if [ -n "${HCLOUD_TOKEN:-}" ]; then
    export TF_VAR_hcloud_token="$HCLOUD_TOKEN"
    export TF_VAR_hetznerdns_token="$HCLOUD_TOKEN"
 fi
 # Check if already exists
 if tofu state list 2>/dev/null | grep -q "hcloud_server.client\[\"$CLIENT_NAME\"\]"; then
    echo -e "${YELLOW}⚠ Server already exists, applying any missing DNS records...${NC}"
@ -124,25 +205,77 @@ fi
 echo ""
 # Step 2: Setup base system
-echo -e "${YELLOW}[2/3] Setting up base system (Docker, Traefik)...${NC}"
+echo -e "${YELLOW}[2/5] Setting up base system (Docker, Traefik)...${NC}"
 cd "$PROJECT_ROOT/ansible"
-~/.local/bin/ansible-playbook -i hcloud.yml playbooks/setup.yml --limit "$CLIENT_NAME"
+~/.local/bin/ansible-playbook -i hcloud.yml playbooks/setup.yml --limit "$CLIENT_NAME" --private-key "../keys/ssh/$CLIENT_NAME"
 echo ""
 echo -e "${GREEN}✓ Base system configured${NC}"
 echo ""
 # Step 3: Deploy applications
-echo -e "${YELLOW}[3/3] Deploying applications (Authentik, Nextcloud, SSO)...${NC}"
+echo -e "${YELLOW}[3/5] Deploying applications (Authentik, Nextcloud, SSO)...${NC}"
-~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME"
+~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME" --private-key "../keys/ssh/$CLIENT_NAME"
 echo ""
 echo -e "${GREEN}✓ Applications deployed${NC}"
 echo ""
 # Step 4: Update client registry
 echo -e "${YELLOW}[4/5] Updating client registry...${NC}"
 cd "$PROJECT_ROOT/tofu"
 # Get server information from Terraform state
 SERVER_IP=$(tofu output -json client_ips 2>/dev/null | jq -r ".\"$CLIENT_NAME\"" || echo "")
 SERVER_ID=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*id[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 SERVER_TYPE=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*server_type[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 SERVER_LOCATION=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*location[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 # Determine role (dev is canary, everything else is production by default)
 ROLE="production"
 if [ "$CLIENT_NAME" = "dev" ]; then
    ROLE="canary"
 fi
 # Update registry
 "$SCRIPT_DIR/update-registry.sh" "$CLIENT_NAME" deploy \
    --role="$ROLE" \
    --server-ip="$SERVER_IP" \
    --server-id="$SERVER_ID" \
    --server-type="$SERVER_TYPE" \
    --server-location="$SERVER_LOCATION"
 echo ""
 echo -e "${GREEN}✓ Registry updated${NC}"
 echo ""
 # Collect deployed versions
 echo -e "${YELLOW}Collecting deployed versions...${NC}"
 "$SCRIPT_DIR/collect-client-versions.sh" "$CLIENT_NAME" 2>/dev/null || {
    echo -e "${YELLOW}⚠ Could not collect versions automatically${NC}"
    echo "Run manually later: ./scripts/collect-client-versions.sh $CLIENT_NAME"
 }
 echo ""
 # Add to monitoring
 echo -e "${YELLOW}[5/5] Adding client to monitoring...${NC}"
 echo ""
 if [ -f "$SCRIPT_DIR/add-client-to-monitoring.sh" ]; then
    "$SCRIPT_DIR/add-client-to-monitoring.sh" "$CLIENT_NAME"
 else
    echo -e "${YELLOW}⚠ Monitoring script not found${NC}"
    echo "Manually add monitors at: https://status.vrije.cloud"
 fi
 echo ""
 # Calculate duration
 END_TIME=$(date +%s)
 DURATION=$((END_TIME - START_TIME))
--- a/scripts/destroy-client.sh
+++ b/scripts/destroy-client.sh
@ -41,12 +41,12 @@ if [ ! -f "$SECRETS_FILE" ]; then
    exit 1
 fi
-# Check required environment variables
+# Load Hetzner API token from SOPS if not already set
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
-    echo -e "${RED}Error: HCLOUD_TOKEN environment variable not set${NC}"
+    echo -e "${BLUE}Loading Hetzner API token from SOPS...${NC}"
-    echo "Export your Hetzner Cloud API token:"
+    # shellcheck source=scripts/load-secrets-env.sh
-    echo "  export HCLOUD_TOKEN='your-token-here'"
+    source "$SCRIPT_DIR/load-secrets-env.sh"
-    exit 1
+    echo ""
 fi
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
@ -78,8 +78,21 @@ echo ""
 echo -e "${YELLOW}Starting destruction of client: $CLIENT_NAME${NC}"
 echo ""
 # Step 0: Remove from monitoring
 echo -e "${YELLOW}[0/7] Removing client from monitoring...${NC}"
 echo ""
 if [ -f "$SCRIPT_DIR/remove-client-from-monitoring.sh" ]; then
    "$SCRIPT_DIR/remove-client-from-monitoring.sh" "$CLIENT_NAME"
 else
    echo -e "${YELLOW}⚠ Monitoring script not found${NC}"
    echo "Manually remove monitors at: https://status.vrije.cloud"
 fi
 echo ""
 # Step 1: Delete Mailgun SMTP credentials
-echo -e "${YELLOW}[1/3] Deleting Mailgun SMTP credentials...${NC}"
+echo -e "${YELLOW}[1/7] Deleting Mailgun SMTP credentials...${NC}"
 cd "$PROJECT_ROOT/ansible"
@ -90,20 +103,26 @@ echo -e "${GREEN}✓ SMTP credentials cleanup attempted${NC}"
 echo ""
 # Step 2: Clean up Docker containers and volumes on the server (if reachable)
-echo -e "${YELLOW}[2/3] Cleaning up Docker containers and volumes...${NC}"
+echo -e "${YELLOW}[2/7] Cleaning up Docker containers and volumes...${NC}"
-if ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then
+# Try to use per-client SSH key if it exists
 SSH_KEY_ARG=""
 if [ -f "$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}" ]; then
    SSH_KEY_ARG="--private-key=$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}"
 fi
 if ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" $SSH_KEY_ARG -m ping -o &>/dev/null; then
    echo "Server is reachable, cleaning up Docker resources..."
    # Stop and remove all containers
-    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker ps -aq | xargs -r docker stop" -b 2>/dev/null || true
+    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" $SSH_KEY_ARG -m shell -a "docker ps -aq | xargs -r docker stop" -b 2>/dev/null || true
-    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker ps -aq | xargs -r docker rm -f" -b 2>/dev/null || true
+    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" $SSH_KEY_ARG -m shell -a "docker ps -aq | xargs -r docker rm -f" -b 2>/dev/null || true
    # Remove all volumes
-    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker volume ls -q | xargs -r docker volume rm -f" -b 2>/dev/null || true
+    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" $SSH_KEY_ARG -m shell -a "docker volume ls -q | xargs -r docker volume rm -f" -b 2>/dev/null || true
    # Remove all networks (except defaults)
-    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker network ls --filter type=custom -q | xargs -r docker network rm" -b 2>/dev/null || true
+    ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" $SSH_KEY_ARG -m shell -a "docker network ls --filter type=custom -q | xargs -r docker network rm" -b 2>/dev/null || true
    echo -e "${GREEN}✓ Docker cleanup complete${NC}"
 else
@ -113,21 +132,127 @@ fi
 echo ""
 # Step 3: Destroy infrastructure with OpenTofu
-echo -e "${YELLOW}[3/3] Destroying infrastructure with OpenTofu...${NC}"
+echo -e "${YELLOW}[3/7] Destroying infrastructure with OpenTofu...${NC}"
 cd "$PROJECT_ROOT/tofu"
-# Get current infrastructure state
+# Destroy all resources for this client (server, volume, SSH key, DNS)
 echo "Checking current infrastructure..."
-tofu plan -destroy -var-file="terraform.tfvars" -target="hcloud_server.client[\"$CLIENT_NAME\"]" -out=destroy.tfplan
+tofu plan -destroy -var-file="terraform.tfvars" \
    -target="hcloud_server.client[\"$CLIENT_NAME\"]" \
    -target="hcloud_volume.nextcloud_data[\"$CLIENT_NAME\"]" \
    -target="hcloud_volume_attachment.nextcloud_data[\"$CLIENT_NAME\"]" \
    -target="hcloud_ssh_key.client[\"$CLIENT_NAME\"]" \
    -target="hcloud_zone_rrset.client_a[\"$CLIENT_NAME\"]" \
    -target="hcloud_zone_rrset.client_wildcard[\"$CLIENT_NAME\"]" \
    -out=destroy.tfplan
 echo ""
 echo "Verifying plan only targets $CLIENT_NAME resources..."
 # Verify the plan only contains the client's resources
 PLAN_OUTPUT=$(tofu show destroy.tfplan 2>&1)
 if echo "$PLAN_OUTPUT" | grep -E "will be destroyed" | grep -v "\"$CLIENT_NAME\"" | grep -q .; then
    echo -e "${RED}ERROR: Plan contains resources NOT belonging to $CLIENT_NAME!${NC}"
    echo ""
    echo "Resources in plan:"
    echo "$PLAN_OUTPUT" | grep -E "# .* will be destroyed" | head -20
    echo ""
    echo "Aborting to prevent accidental destruction of other clients."
    rm -f destroy.tfplan
    exit 1
 fi
 echo -e "${GREEN}✓ Plan verified - only $CLIENT_NAME resources will be destroyed${NC}"
 echo ""
 echo "Applying destruction..."
-tofu apply destroy.tfplan
+tofu apply -auto-approve destroy.tfplan
 # Cleanup plan file
 rm -f destroy.tfplan
 echo -e "${GREEN}✓ Infrastructure destroyed${NC}"
 echo ""
 # Step 4: Remove client from terraform.tfvars
 echo -e "${YELLOW}[4/7] Removing client from terraform.tfvars...${NC}"
 TFVARS_FILE="$PROJECT_ROOT/tofu/terraform.tfvars"
 if grep -q "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE"; then
    # Create backup
    cp "$TFVARS_FILE" "$TFVARS_FILE.bak"
    # Remove the client block (from "client_name = {" to the closing "}")
    # This uses awk to find and remove the entire block
    awk -v client="$CLIENT_NAME" '
        BEGIN { skip=0; in_block=0 }
        /^[[:space:]]*#.*[Cc]lient/ { if (skip==0) print; next }
        $0 ~ "^[[:space:]]*" client "[[:space:]]*=" { skip=1; in_block=1; brace_count=0; next }
        skip==1 {
            for(i=1; i<=length($0); i++) {
                c=substr($0,i,1)
                if(c=="{") brace_count++
                if(c=="}") brace_count--
            }
            if(brace_count<0 || (brace_count==0 && $0 ~ /^[[:space:]]*}/)) {
                skip=0
                in_block=0
                next
            }
            next
        }
        { print }
    ' "$TFVARS_FILE" > "$TFVARS_FILE.tmp"
    mv "$TFVARS_FILE.tmp" "$TFVARS_FILE"
    echo -e "${GREEN}✓ Removed $CLIENT_NAME from terraform.tfvars${NC}"
 else
    echo -e "${YELLOW}⚠ Client not found in terraform.tfvars${NC}"
 fi
 echo ""
 # Step 5: Remove SSH keys
 echo -e "${YELLOW}[5/7] Removing SSH keys...${NC}"
 SSH_PRIVATE="$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}"
 SSH_PUBLIC="$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}.pub"
 if [ -f "$SSH_PRIVATE" ]; then
    rm -f "$SSH_PRIVATE"
    echo -e "${GREEN}✓ Removed private key: $SSH_PRIVATE${NC}"
 else
    echo -e "${YELLOW}⚠ Private key not found${NC}"
 fi
 if [ -f "$SSH_PUBLIC" ]; then
    rm -f "$SSH_PUBLIC"
    echo -e "${GREEN}✓ Removed public key: $SSH_PUBLIC${NC}"
 else
    echo -e "${YELLOW}⚠ Public key not found${NC}"
 fi
 echo ""
 # Step 6: Remove secrets file
 echo -e "${YELLOW}[6/7] Removing secrets file...${NC}"
 if [ -f "$SECRETS_FILE" ]; then
    rm -f "$SECRETS_FILE"
    echo -e "${GREEN}✓ Removed secrets file: $SECRETS_FILE${NC}"
 else
    echo -e "${YELLOW}⚠ Secrets file not found${NC}"
 fi
 echo ""
 # Step 7: Update client registry
 echo -e "${YELLOW}[7/7] Updating client registry...${NC}"
 "$SCRIPT_DIR/update-registry.sh" "$CLIENT_NAME" destroy
 echo ""
 echo -e "${GREEN}✓ Registry updated${NC}"
 echo ""
 echo -e "${GREEN}========================================${NC}"
 echo -e "${GREEN}✓ Client '$CLIENT_NAME' destroyed successfully${NC}"
@ -136,12 +261,13 @@ echo ""
 echo "The following have been removed:"
 echo "  ✓ Mailgun SMTP credentials"
 echo "  ✓ VPS server"
-echo "  ✓ DNS records (if managed by OpenTofu)"
+echo "  ✓ Hetzner Volume"
-echo "  ✓ Firewall rules (if not shared)"
+echo "  ✓ SSH keys (Hetzner + local)"
 echo "  ✓ DNS records"
 echo "  ✓ Firewall rules"
 echo "  ✓ Secrets file"
 echo "  ✓ terraform.tfvars entry"
 echo "  ✓ Registry entry"
 echo ""
-echo -e "${YELLOW}Note: Secrets file still exists at:${NC}"
+echo "The client has been completely removed from the infrastructure."
 echo "  $SECRETS_FILE"
 echo ""
 echo "To rebuild this client, run:"
 echo "  ./scripts/rebuild-client.sh $CLIENT_NAME"
 echo ""
--- a/scripts/detect-version-drift.sh
+++ b/scripts/detect-version-drift.sh
@ -0,0 +1,228 @@
 #!/usr/bin/env bash
 #
 # Detect version drift between clients
 #
 # Usage: ./scripts/detect-version-drift.sh [options]
 #
 # Options:
 #   --threshold=<days>   Only report clients not updated in X days (default: 30)
 #   --app=<name>         Check specific app only (authentik|nextcloud|traefik|ubuntu)
 #   --format=table       Show as table (default)
 #   --format=summary     Show summary only
 #
 # Exit codes:
 #   0 - No drift detected
 #   1 - Drift detected
 #   2 - Error
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Default options
 THRESHOLD_DAYS=30
 FILTER_APP=""
 FORMAT="table"
 # Parse arguments
 for arg in "$@"; do
    case $arg in
        --threshold=*)
            THRESHOLD_DAYS="${arg#*=}"
            ;;
        --app=*)
            FILTER_APP="${arg#*=}"
            ;;
        --format=*)
            FORMAT="${arg#*=}"
            ;;
        *)
            echo "Unknown option: $arg"
            echo "Usage: $0 [--threshold=<days>] [--app=<name>] [--format=table|summary]"
            exit 2
            ;;
    esac
 done
 # Check if yq is available
 if ! command -v yq &> /dev/null; then
    echo -e "${RED}Error: 'yq' not found. Install with: brew install yq${NC}"
    exit 2
 fi
 # Check if registry exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 2
 fi
 # Get list of deployed clients only
 CLIENTS=$(yq eval '.clients | to_entries | map(select(.value.status == "deployed")) | .[].key' "$REGISTRY_FILE" 2>/dev/null)
 if [ -z "$CLIENTS" ]; then
    echo -e "${YELLOW}No deployed clients found${NC}"
    exit 0
 fi
 # Determine latest versions
 declare -A LATEST_VERSIONS
 LATEST_VERSIONS[authentik]=$(yq eval '.clients | to_entries | .[].value.versions.authentik' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[nextcloud]=$(yq eval '.clients | to_entries | .[].value.versions.nextcloud' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[traefik]=$(yq eval '.clients | to_entries | .[].value.versions.traefik' "$REGISTRY_FILE" | sort -V | tail -1)
 LATEST_VERSIONS[ubuntu]=$(yq eval '.clients | to_entries | .[].value.versions.ubuntu' "$REGISTRY_FILE" | sort -V | tail -1)
 # Calculate date threshold
 if command -v gdate &> /dev/null; then
    # macOS with GNU coreutils
    THRESHOLD_DATE=$(gdate -d "$THRESHOLD_DAYS days ago" +%Y-%m-%d)
 elif date --version &> /dev/null 2>&1; then
    # GNU date (Linux)
    THRESHOLD_DATE=$(date -d "$THRESHOLD_DAYS days ago" +%Y-%m-%d)
 else
    # BSD date (macOS default)
    THRESHOLD_DATE=$(date -v-${THRESHOLD_DAYS}d +%Y-%m-%d)
 fi
 # Counters
 DRIFT_FOUND=0
 OUTDATED_COUNT=0
 STALE_COUNT=0
 # Arrays to store drift details
 declare -a DRIFT_CLIENTS
 declare -a DRIFT_DETAILS
 # Analyze each client
 for client in $CLIENTS; do
    authentik=$(yq eval ".clients.\"$client\".versions.authentik" "$REGISTRY_FILE")
    nextcloud=$(yq eval ".clients.\"$client\".versions.nextcloud" "$REGISTRY_FILE")
    traefik=$(yq eval ".clients.\"$client\".versions.traefik" "$REGISTRY_FILE")
    ubuntu=$(yq eval ".clients.\"$client\".versions.ubuntu" "$REGISTRY_FILE")
    last_update=$(yq eval ".clients.\"$client\".maintenance.last_full_update" "$REGISTRY_FILE")
    has_drift=false
    drift_reasons=()
    # Check version drift
    if [ -z "$FILTER_APP" ] || [ "$FILTER_APP" = "authentik" ]; then
        if [ "$authentik" != "${LATEST_VERSIONS[authentik]}" ] && [ "$authentik" != "null" ] && [ "$authentik" != "unknown" ]; then
            has_drift=true
            drift_reasons+=("Authentik: $authentik → ${LATEST_VERSIONS[authentik]}")
        fi
    fi
    if [ -z "$FILTER_APP" ] || [ "$FILTER_APP" = "nextcloud" ]; then
        if [ "$nextcloud" != "${LATEST_VERSIONS[nextcloud]}" ] && [ "$nextcloud" != "null" ] && [ "$nextcloud" != "unknown" ]; then
            has_drift=true
            drift_reasons+=("Nextcloud: $nextcloud → ${LATEST_VERSIONS[nextcloud]}")
        fi
    fi
    if [ -z "$FILTER_APP" ] || [ "$FILTER_APP" = "traefik" ]; then
        if [ "$traefik" != "${LATEST_VERSIONS[traefik]}" ] && [ "$traefik" != "null" ] && [ "$traefik" != "unknown" ]; then
            has_drift=true
            drift_reasons+=("Traefik: $traefik → ${LATEST_VERSIONS[traefik]}")
        fi
    fi
    if [ -z "$FILTER_APP" ] || [ "$FILTER_APP" = "ubuntu" ]; then
        if [ "$ubuntu" != "${LATEST_VERSIONS[ubuntu]}" ] && [ "$ubuntu" != "null" ] && [ "$ubuntu" != "unknown" ]; then
            has_drift=true
            drift_reasons+=("Ubuntu: $ubuntu → ${LATEST_VERSIONS[ubuntu]}")
        fi
    fi
    # Check if update is stale (older than threshold)
    is_stale=false
    if [ "$last_update" != "null" ] && [ -n "$last_update" ]; then
        if [[ "$last_update" < "$THRESHOLD_DATE" ]]; then
            is_stale=true
            drift_reasons+=("Last update: $last_update (>$THRESHOLD_DAYS days ago)")
        fi
    fi
    # Record drift
    if [ "$has_drift" = true ] || [ "$is_stale" = true ]; then
        DRIFT_FOUND=1
        DRIFT_CLIENTS+=("$client")
        DRIFT_DETAILS+=("$(IFS='; '; echo "${drift_reasons[*]}")")
        [ "$has_drift" = true ] && ((OUTDATED_COUNT++)) || true
        [ "$is_stale" = true ] && ((STALE_COUNT++)) || true
    fi
 done
 # Output results
 case $FORMAT in
    table)
        if [ $DRIFT_FOUND -eq 0 ]; then
            echo -e "${GREEN}✓ No version drift detected${NC}"
            echo ""
            echo "All deployed clients are running latest versions:"
            echo "  Authentik: ${LATEST_VERSIONS[authentik]}"
            echo "  Nextcloud: ${LATEST_VERSIONS[nextcloud]}"
            echo "  Traefik:   ${LATEST_VERSIONS[traefik]}"
            echo "  Ubuntu:    ${LATEST_VERSIONS[ubuntu]}"
            echo ""
        else
            echo -e "${RED}⚠ VERSION DRIFT DETECTED${NC}"
            echo ""
            echo -e "${CYAN}Clients with outdated versions:${NC}"
            echo ""
            for i in "${!DRIFT_CLIENTS[@]}"; do
                client="${DRIFT_CLIENTS[$i]}"
                details="${DRIFT_DETAILS[$i]}"
                echo -e "${YELLOW}• $client${NC}"
                IFS=';' read -ra REASONS <<< "$details"
                for reason in "${REASONS[@]}"; do
                    echo "    $reason"
                done
                echo ""
            done
            echo -e "${CYAN}Recommended actions:${NC}"
            echo ""
            echo "1. Test updates on canary server first:"
            echo "   ${BLUE}./scripts/rebuild-client.sh dev${NC}"
            echo ""
            echo "2. Verify canary health:"
            echo "   ${BLUE}./scripts/client-status.sh dev${NC}"
            echo ""
            echo "3. Update outdated clients:"
            for client in "${DRIFT_CLIENTS[@]}"; do
                echo "   ${BLUE}./scripts/rebuild-client.sh $client${NC}"
            done
            echo ""
        fi
        ;;
    summary)
        if [ $DRIFT_FOUND -eq 0 ]; then
            echo "Status: OK"
            echo "Drift: No"
            echo "Clients checked: $(echo "$CLIENTS" | wc -l | xargs)"
        else
            echo "Status: DRIFT DETECTED"
            echo "Drift: Yes"
            echo "Clients checked: $(echo "$CLIENTS" | wc -l | xargs)"
            echo "Clients with outdated versions: $OUTDATED_COUNT"
            echo "Clients not updated in $THRESHOLD_DAYS days: $STALE_COUNT"
            echo "Affected clients: ${DRIFT_CLIENTS[*]}"
        fi
        ;;
 esac
 exit $DRIFT_FOUND
--- a/scripts/generate-client-keys.sh
+++ b/scripts/generate-client-keys.sh
@ -0,0 +1,84 @@
 #!/usr/bin/env bash
 #
 # Generate SSH key pair for a client
 #
 # Usage: ./scripts/generate-client-keys.sh <client_name>
 #
 # This script generates a dedicated ED25519 SSH key pair for a client,
 # ensuring proper isolation between client servers.
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 KEY_DIR="$PROJECT_ROOT/keys/ssh"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    echo ""
    echo "Example: $0 newclient"
    exit 1
 fi
 CLIENT_NAME="$1"
 # Validate client name (alphanumeric and hyphens only)
 if ! [[ "$CLIENT_NAME" =~ ^[a-z0-9-]+$ ]]; then
    echo -e "${RED}Error: Invalid client name${NC}"
    echo "Client name must contain only lowercase letters, numbers, and hyphens"
    exit 1
 fi
 # Check if key already exists
 if [ -f "$KEY_DIR/$CLIENT_NAME" ]; then
    echo -e "${YELLOW}⚠ Warning: SSH key already exists for client: $CLIENT_NAME${NC}"
    echo ""
    echo "Existing key: $KEY_DIR/$CLIENT_NAME"
    echo ""
    read -p "Overwrite existing key? This will break SSH access to the server! [yes/NO] " confirm
    if [ "$confirm" != "yes" ]; then
        echo "Aborted"
        exit 1
    fi
    echo ""
 fi
 # Create keys directory if it doesn't exist
 mkdir -p "$KEY_DIR"
 echo -e "${BLUE}Generating SSH key pair for client: $CLIENT_NAME${NC}"
 echo ""
 # Generate ED25519 key pair
 ssh-keygen -t ed25519 \
  -f "$KEY_DIR/$CLIENT_NAME" \
  -C "client-$CLIENT_NAME-deploy-key" \
  -N ""
 echo ""
 echo -e "${GREEN}✓ SSH key pair generated successfully${NC}"
 echo ""
 echo "Private key: $KEY_DIR/$CLIENT_NAME"
 echo "Public key:  $KEY_DIR/$CLIENT_NAME.pub"
 echo ""
 echo "Key fingerprint:"
 ssh-keygen -lf "$KEY_DIR/$CLIENT_NAME.pub"
 echo ""
 echo -e "${BLUE}Next steps:${NC}"
 echo "1. Add client to tofu/terraform.tfvars"
 echo "2. Apply OpenTofu: cd tofu && tofu apply"
 echo "3. Deploy client: ./scripts/deploy-client.sh $CLIENT_NAME"
 echo ""
 echo -e "${YELLOW}⚠ IMPORTANT: Backup this key securely!${NC}"
 echo "   Store in password manager or secure backup location"
 echo ""
--- a/scripts/generate-passwords.sh
+++ b/scripts/generate-passwords.sh
@ -0,0 +1,131 @@
 #!/usr/bin/env bash
 #
 # Generate secure random passwords and tokens for a client
 # Usage: ./generate-passwords.sh <client-name>
 #
 # This script generates unique credentials for each client and updates their SOPS-encrypted secrets file.
 # All passwords are cryptographically secure (43 characters, base64-encoded random data).
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Get script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 # Function to generate a secure random password/token
 generate_password() {
    # Generate 32 random bytes and encode as base64, removing padding and special chars
    openssl rand -base64 32 | tr -d '\n=' | head -c 43
 }
 # Function to generate an API token (with ak_ prefix for Authentik)
 generate_api_token() {
    echo "ak_$(openssl rand -base64 32 | tr -d '\n=' | head -c 46)"
 }
 # Main script
 main() {
    if [ $# -ne 1 ]; then
        echo -e "${RED}Usage: $0 <client-name>${NC}"
        echo ""
        echo "Example: $0 green"
        exit 1
    fi
    CLIENT_NAME="$1"
    SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
    echo -e "${BLUE}==================================================${NC}"
    echo -e "${BLUE}Password Generator for Client: ${CLIENT_NAME}${NC}"
    echo -e "${BLUE}==================================================${NC}"
    echo ""
    # Check if secrets file exists
    if [ ! -f "$SECRETS_FILE" ]; then
        echo -e "${RED}Error: Secrets file not found: $SECRETS_FILE${NC}"
        echo ""
        echo "Create the secrets file first with:"
        echo "  ./scripts/deploy-client.sh $CLIENT_NAME"
        exit 1
    fi
    # Check for SOPS_AGE_KEY_FILE
    if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
        export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
    fi
    if [ ! -f "$SOPS_AGE_KEY_FILE" ]; then
        echo -e "${RED}Error: SOPS age key not found: $SOPS_AGE_KEY_FILE${NC}"
        exit 1
    fi
    echo -e "${GREEN}Generating unique passwords for ${CLIENT_NAME}...${NC}"
    echo ""
    # Generate all passwords
    AUTHENTIK_BOOTSTRAP_PASSWORD=$(generate_password)
    AUTHENTIK_BOOTSTRAP_TOKEN=$(generate_api_token)
    AUTHENTIK_SECRET_KEY=$(generate_password)
    AUTHENTIK_DB_PASSWORD=$(generate_password)
    NEXTCLOUD_ADMIN_PASSWORD=$(generate_password)
    NEXTCLOUD_DB_PASSWORD=$(generate_password)
    echo "Generated credentials:"
    echo "  ✓ Authentik bootstrap password (43 chars)"
    echo "  ✓ Authentik bootstrap token (49 chars with ak_ prefix)"
    echo "  ✓ Authentik secret key (43 chars)"
    echo "  ✓ Authentik database password (43 chars)"
    echo "  ✓ Nextcloud admin password (43 chars)"
    echo "  ✓ Nextcloud database password (43 chars)"
    echo ""
    # Create a temporary decrypted file
    TEMP_PLAIN=$(mktemp)
    sops -d "$SECRETS_FILE" > "$TEMP_PLAIN"
    # Update passwords in the decrypted file
    # Using perl for in-place editing because it handles special characters better
    perl -pi -e "s|^(authentik_bootstrap_password:).*|\$1 $AUTHENTIK_BOOTSTRAP_PASSWORD|" "$TEMP_PLAIN"
    perl -pi -e "s|^(authentik_bootstrap_token:).*|\$1 $AUTHENTIK_BOOTSTRAP_TOKEN|" "$TEMP_PLAIN"
    perl -pi -e "s|^(authentik_secret_key:).*|\$1 $AUTHENTIK_SECRET_KEY|" "$TEMP_PLAIN"
    perl -pi -e "s|^(authentik_db_password:).*|\$1 $AUTHENTIK_DB_PASSWORD|" "$TEMP_PLAIN"
    perl -pi -e "s|^(nextcloud_admin_password:).*|\$1 $NEXTCLOUD_ADMIN_PASSWORD|" "$TEMP_PLAIN"
    perl -pi -e "s|^(nextcloud_db_password:).*|\$1 $NEXTCLOUD_DB_PASSWORD|" "$TEMP_PLAIN"
    # Re-encrypt the file
    # We need to use a temp file that matches the .sops.yaml creation rules
    TEMP_SOPS="${SECRETS_FILE%.sops.yaml}-temp.sops.yaml"
    cp "$TEMP_PLAIN" "$TEMP_SOPS"
    # Encrypt in place
    sops --encrypt --in-place "$TEMP_SOPS"
    # Replace original file
    mv "$TEMP_SOPS" "$SECRETS_FILE"
    # Cleanup
    rm "$TEMP_PLAIN"
    echo -e "${GREEN}✓ Updated $SECRETS_FILE with unique passwords${NC}"
    echo ""
    echo -e "${YELLOW}IMPORTANT: Passwords are now stored encrypted in SOPS.${NC}"
    echo ""
    echo "To view passwords:"
    echo -e "  ${BLUE}SOPS_AGE_KEY_FILE=\"keys/age-key.txt\" sops -d secrets/clients/${CLIENT_NAME}.sops.yaml${NC}"
    echo ""
    echo "Or use the retrieval script:"
    echo -e "  ${BLUE}./scripts/get-passwords.sh ${CLIENT_NAME}${NC}"
    echo ""
    echo -e "${GREEN}==================================================${NC}"
    echo -e "${GREEN}Password generation complete!${NC}"
    echo -e "${GREEN}==================================================${NC}"
 }
 main "$@"
--- a/scripts/get-passwords.sh
+++ b/scripts/get-passwords.sh
@ -0,0 +1,98 @@
 #!/usr/bin/env bash
 #
 # Retrieve passwords for a client from SOPS-encrypted secrets
 # Usage: ./get-passwords.sh <client-name>
 #
 # This script decrypts and displays passwords in a readable format.
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Get script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 # Main script
 main() {
    if [ $# -ne 1 ]; then
        echo -e "${RED}Usage: $0 <client-name>${NC}"
        echo ""
        echo "Example: $0 green"
        exit 1
    fi
    CLIENT_NAME="$1"
    SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
    # Check if secrets file exists
    if [ ! -f "$SECRETS_FILE" ]; then
        echo -e "${RED}Error: Secrets file not found: $SECRETS_FILE${NC}"
        exit 1
    fi
    # Check for SOPS_AGE_KEY_FILE
    if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
        export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
    fi
    if [ ! -f "$SOPS_AGE_KEY_FILE" ]; then
        echo -e "${RED}Error: SOPS age key not found: $SOPS_AGE_KEY_FILE${NC}"
        exit 1
    fi
    # Decrypt and parse secrets
    TEMP_PLAIN=$(mktemp)
    sops -d "$SECRETS_FILE" > "$TEMP_PLAIN"
    # Extract values
    CLIENT_DOMAIN=$(grep "^client_domain:" "$TEMP_PLAIN" | awk '{print $2}')
    AUTHENTIK_DOMAIN=$(grep "^authentik_domain:" "$TEMP_PLAIN" | awk '{print $2}')
    NEXTCLOUD_DOMAIN=$(grep "^nextcloud_domain:" "$TEMP_PLAIN" | awk '{print $2}')
    AUTHENTIK_BOOTSTRAP_PASSWORD=$(grep "^authentik_bootstrap_password:" "$TEMP_PLAIN" | awk '{print $2}')
    AUTHENTIK_BOOTSTRAP_TOKEN=$(grep "^authentik_bootstrap_token:" "$TEMP_PLAIN" | awk '{print $2}')
    NEXTCLOUD_ADMIN_USER=$(grep "^nextcloud_admin_user:" "$TEMP_PLAIN" | awk '{print $2}')
    NEXTCLOUD_ADMIN_PASSWORD=$(grep "^nextcloud_admin_password:" "$TEMP_PLAIN" | awk '{print $2}')
    # Cleanup
    rm "$TEMP_PLAIN"
    # Display formatted output
    echo ""
    echo -e "${CYAN}==============================================================${NC}"
    echo -e "${CYAN}          Credentials for Client: ${GREEN}${CLIENT_NAME}${NC}"
    echo -e "${CYAN}==============================================================${NC}"
    echo ""
    echo -e "${BLUE}Service URLs:${NC}"
    echo -e "  Client Domain:    ${GREEN}https://${CLIENT_DOMAIN}${NC}"
    echo -e "  Authentik SSO:    ${GREEN}https://${AUTHENTIK_DOMAIN}${NC}"
    echo -e "  Nextcloud:        ${GREEN}https://${NEXTCLOUD_DOMAIN}${NC}"
    echo ""
    echo -e "${YELLOW}─────────────────────────────────────────────────────────────${NC}"
    echo ""
    echo -e "${BLUE}Authentik Admin Access:${NC}"
    echo -e "  URL:              ${GREEN}https://${AUTHENTIK_DOMAIN}${NC}"
    echo -e "  Username:         ${GREEN}akadmin${NC}"
    echo -e "  Password:         ${YELLOW}${AUTHENTIK_BOOTSTRAP_PASSWORD}${NC}"
    echo -e "  API Token:        ${YELLOW}${AUTHENTIK_BOOTSTRAP_TOKEN}${NC}"
    echo ""
    echo -e "${YELLOW}─────────────────────────────────────────────────────────────${NC}"
    echo ""
    echo -e "${BLUE}Nextcloud Admin Access:${NC}"
    echo -e "  URL:              ${GREEN}https://${NEXTCLOUD_DOMAIN}${NC}"
    echo -e "  Username:         ${GREEN}${NEXTCLOUD_ADMIN_USER}${NC}"
    echo -e "  Password:         ${YELLOW}${NEXTCLOUD_ADMIN_PASSWORD}${NC}"
    echo ""
    echo -e "${CYAN}==============================================================${NC}"
    echo ""
    echo -e "${BLUE}💡 Tip: Copy passwords carefully - they are case-sensitive!${NC}"
    echo ""
 }
 main "$@"
--- a/scripts/health-check.sh
+++ b/scripts/health-check.sh
@ -0,0 +1,116 @@
 #!/bin/bash
 # Health check script for client servers
 # Usage: ./health-check.sh <client-name>
 set -euo pipefail
 CLIENT="${1:-}"
 if [ -z "$CLIENT" ]; then
  echo "Usage: $0 <client-name>"
  echo "Example: $0 black"
  exit 1
 fi
 # Colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # Get client IP
 cd "$(dirname "$0")/../tofu"
 IP=$(tofu output -json client_ips 2>/dev/null | jq -r ".$CLIENT" 2>/dev/null)
 if [ -z "$IP" ] || [ "$IP" = "null" ]; then
  echo -e "${RED}✗ ERROR: Client '$CLIENT' not found${NC}"
  exit 1
 fi
 echo "========================================"
 echo "Health Check: $CLIENT ($IP)"
 echo "========================================"
 echo ""
 # Container Status
 echo "Container Status:"
 echo "----------------"
 ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \
  "docker ps --format 'table {{.Names}}\t{{.Status}}' | grep -E 'NAME|traefik|authentik|nextcloud|collabora|diun|redis|db'" 2>/dev/null || {
  echo -e "${RED}✗ Cannot connect to server${NC}"
  exit 1
 }
 echo ""
 # Service URLs
 echo "Service Accessibility:"
 echo "---------------------"
 # Authentik
 AUTH_STATUS=$(curl -sI "https://auth.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}')
 if [ "$AUTH_STATUS" = "200" ] || [ "$AUTH_STATUS" = "302" ]; then
  echo -e "Authentik:   ${GREEN}✓ OK${NC} (HTTP $AUTH_STATUS)"
 else
  echo -e "Authentik:   ${RED}✗ FAIL${NC} (HTTP ${AUTH_STATUS:-timeout})"
 fi
 # Nextcloud
 NC_STATUS=$(curl -sI "https://nextcloud.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}')
 if [ "$NC_STATUS" = "200" ] || [ "$NC_STATUS" = "302" ]; then
  echo -e "Nextcloud:   ${GREEN}✓ OK${NC} (HTTP $NC_STATUS)"
 else
  echo -e "Nextcloud:   ${RED}✗ FAIL${NC} (HTTP ${NC_STATUS:-timeout})"
 fi
 # Collabora
 COLLAB_STATUS=$(curl -sI "https://office.$CLIENT.vrije.cloud" 2>/dev/null | grep HTTP | awk '{print $2}')
 if [ "$COLLAB_STATUS" = "200" ]; then
  echo -e "Collabora:   ${GREEN}✓ OK${NC} (HTTP $COLLAB_STATUS)"
 else
  echo -e "Collabora:   ${YELLOW}⚠ WARNING${NC} (HTTP ${COLLAB_STATUS:-timeout})"
 fi
 echo ""
 # Disk Usage
 echo "Disk Usage:"
 echo "-----------"
 DISK_USAGE=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \
  "df -h /mnt/nextcloud-data 2>/dev/null | tail -1" || echo "N/A")
 echo "$DISK_USAGE"
 echo ""
 # fail2ban
 echo "Security (fail2ban):"
 echo "--------------------"
 BANNED=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \
  "fail2ban-client status sshd 2>/dev/null | grep 'Currently banned'" || echo "N/A")
 echo "$BANNED"
 echo ""
 # SSL Certificate Expiry
 echo "SSL Certificate:"
 echo "----------------"
 CERT_EXPIRY=$(echo | openssl s_client -connect "auth.$CLIENT.vrije.cloud:443" 2>/dev/null | \
  openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
 if [ -n "$CERT_EXPIRY" ]; then
  echo -e "Expires: ${GREEN}$CERT_EXPIRY${NC}"
 else
  echo -e "${RED}✗ Cannot retrieve certificate${NC}"
 fi
 echo ""
 # Diun Status (if installed)
 echo "Monitoring (Diun):"
 echo "------------------"
 DIUN_STATUS=$(ssh -i "../keys/ssh/$CLIENT" -o StrictHostKeyChecking=no root@$IP \
  "docker ps --filter 'name=diun' --format '{{.Status}}' 2>/dev/null" || echo "Not installed")
 if [ "$DIUN_STATUS" = "Not installed" ]; then
  echo -e "${YELLOW}⚠ Diun not installed${NC}"
 else
  echo -e "${GREEN}✓ Diun: $DIUN_STATUS${NC}"
 fi
 echo ""
 echo "========================================"
 echo -e "${GREEN}Health check complete!${NC}"
 echo "========================================"
--- a/scripts/list-clients.sh
+++ b/scripts/list-clients.sh
@ -0,0 +1,231 @@
 #!/usr/bin/env bash
 #
 # List all clients from the registry
 #
 # Usage: ./scripts/list-clients.sh [--status=<status>] [--role=<role>] [--format=<format>]
 #
 # Options:
 #   --status=<status>  Filter by status (deployed, pending, maintenance, offboarding, destroyed)
 #   --role=<role>      Filter by role (canary, production)
 #   --format=<format>  Output format: table (default), json, csv, summary
 #
 # Examples:
 #   ./scripts/list-clients.sh                          # List all clients
 #   ./scripts/list-clients.sh --status=deployed        # Only deployed clients
 #   ./scripts/list-clients.sh --role=production        # Only production clients
 #   ./scripts/list-clients.sh --format=json            # JSON output
 set -euo pipefail
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 # Parse arguments
 FILTER_STATUS=""
 FILTER_ROLE=""
 FORMAT="table"
 for arg in "$@"; do
    case $arg in
        --status=*)
            FILTER_STATUS="${arg#*=}"
            ;;
        --role=*)
            FILTER_ROLE="${arg#*=}"
            ;;
        --format=*)
            FORMAT="${arg#*=}"
            ;;
        --help|-h)
            echo "Usage: $0 [--status=<status>] [--role=<role>] [--format=<format>]"
            echo ""
            echo "Options:"
            echo "  --status=<status>  Filter by status (deployed, pending, maintenance, offboarding, destroyed)"
            echo "  --role=<role>      Filter by role (canary, production)"
            echo "  --format=<format>  Output format: table (default), json, csv, summary"
            exit 0
            ;;
    esac
 done
 # Check if registry exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    echo -e "${RED}Error: Registry file not found: $REGISTRY_FILE${NC}"
    exit 1
 fi
 # Check if yq is available (for YAML parsing)
 if ! command -v yq &> /dev/null; then
    echo -e "${YELLOW}Warning: 'yq' not found. Install with: brew install yq${NC}"
    echo "Falling back to basic grep parsing..."
    USE_YQ=false
 else
    USE_YQ=true
 fi
 # Function to get clients using yq
 list_clients_yq() {
    local clients=$(yq eval '.clients | keys | .[]' "$REGISTRY_FILE")
    for client in $clients; do
        local status=$(yq eval ".clients.\"$client\".status" "$REGISTRY_FILE")
        local role=$(yq eval ".clients.\"$client\".role" "$REGISTRY_FILE")
        # Apply filters
        if [ -n "$FILTER_STATUS" ] && [ "$status" != "$FILTER_STATUS" ]; then
            continue
        fi
        if [ -n "$FILTER_ROLE" ] && [ "$role" != "$FILTER_ROLE" ]; then
            continue
        fi
        # Get other fields
        local deployed_date=$(yq eval ".clients.\"$client\".deployed_date" "$REGISTRY_FILE")
        local server_ip=$(yq eval ".clients.\"$client\".server.ip" "$REGISTRY_FILE")
        local server_type=$(yq eval ".clients.\"$client\".server.type" "$REGISTRY_FILE")
        local apps=$(yq eval ".clients.\"$client\".apps | join(\", \")" "$REGISTRY_FILE")
        echo "$client|$status|$role|$deployed_date|$server_type|$server_ip|$apps"
    done
 }
 # Function to output in table format
 output_table() {
    echo -e "${BLUE}╔════════════════════════════════════════════════════════════════════════════════════╗${NC}"
    echo -e "${BLUE}║                              CLIENT REGISTRY                                       ║${NC}"
    echo -e "${BLUE}╠════════════════════════════════════════════════════════════════════════════════════╣${NC}"
    printf "${CYAN}%-15s ${GREEN}%-12s ${YELLOW}%-10s ${NC}%-12s %-10s %-15s %-20s\n" \
        "CLIENT" "STATUS" "ROLE" "DEPLOYED" "TYPE" "IP" "APPS"
    echo -e "${BLUE}────────────────────────────────────────────────────────────────────────────────────${NC}"
    local count=0
    while IFS='|' read -r client status role deployed_date server_type server_ip apps; do
        # Color status
        local status_color=$NC
        case $status in
            deployed) status_color=$GREEN ;;
            pending) status_color=$YELLOW ;;
            maintenance) status_color=$CYAN ;;
            offboarding) status_color=$RED ;;
            destroyed) status_color=$RED ;;
        esac
        # Color role
        local role_color=$NC
        case $role in
            canary) role_color=$YELLOW ;;
            production) role_color=$GREEN ;;
        esac
        printf "%-15s ${status_color}%-12s${NC} ${role_color}%-10s${NC} %-12s %-10s %-15s %-20s\n" \
            "$client" "$status" "$role" "$deployed_date" "$server_type" "$server_ip" "${apps:0:20}"
        ((count++))
    done
    echo -e "${BLUE}────────────────────────────────────────────────────────────────────────────────────${NC}"
    echo -e "${BLUE}║${NC} Total clients: $count                                                                    ${BLUE}║${NC}"
    echo -e "${BLUE}╚════════════════════════════════════════════════════════════════════════════════════╝${NC}"
 }
 # Function to output summary
 output_summary() {
    local total=0
    local deployed=0
    local pending=0
    local maintenance=0
    local canary=0
    local production=0
    while IFS='|' read -r client status role deployed_date server_type server_ip apps; do
        ((total++))
        case $status in
            deployed) ((deployed++)) ;;
            pending) ((pending++)) ;;
            maintenance) ((maintenance++)) ;;
        esac
        case $role in
            canary) ((canary++)) ;;
            production) ((production++)) ;;
        esac
    done
    echo -e "${BLUE}═══════════════════════════════════${NC}"
    echo -e "${BLUE}    CLIENT REGISTRY SUMMARY${NC}"
    echo -e "${BLUE}═══════════════════════════════════${NC}"
    echo ""
    echo -e "Total Clients:     ${CYAN}$total${NC}"
    echo ""
    echo -e "By Status:"
    echo -e "  Deployed:        ${GREEN}$deployed${NC}"
    echo -e "  Pending:         ${YELLOW}$pending${NC}"
    echo -e "  Maintenance:     ${CYAN}$maintenance${NC}"
    echo ""
    echo -e "By Role:"
    echo -e "  Canary:          ${YELLOW}$canary${NC}"
    echo -e "  Production:      ${GREEN}$production${NC}"
    echo ""
 }
 # Function to output JSON
 output_json() {
    if $USE_YQ; then
        yq eval -o=json '.clients' "$REGISTRY_FILE"
    else
        echo "{}"
    fi
 }
 # Function to output CSV
 output_csv() {
    echo "client,status,role,deployed_date,server_type,server_ip,apps"
    while IFS='|' read -r client status role deployed_date server_type server_ip apps; do
        echo "$client,$status,$role,$deployed_date,$server_type,$server_ip,\"$apps\""
    done
 }
 # Main execution
 if $USE_YQ; then
    DATA=$(list_clients_yq)
 else
    echo -e "${RED}Error: yq is required for this script${NC}"
    echo "Install with: brew install yq"
    exit 1
 fi
 # Check if any clients found
 if [ -z "$DATA" ]; then
    echo -e "${YELLOW}No clients found matching criteria${NC}"
    exit 0
 fi
 # Output based on format
 case $FORMAT in
    table)
        echo "$DATA" | output_table
        ;;
    json)
        output_json
        ;;
    csv)
        echo "$DATA" | output_csv
        ;;
    summary)
        echo "$DATA" | output_summary
        ;;
    *)
        echo -e "${RED}Unknown format: $FORMAT${NC}"
        echo "Valid formats: table, json, csv, summary"
        exit 1
        ;;
 esac
--- a/scripts/load-secrets-env.sh
+++ b/scripts/load-secrets-env.sh
@ -0,0 +1,59 @@
 #!/usr/bin/env bash
 #
 # Load secrets from SOPS into environment variables
 #
 # Usage: source scripts/load-secrets-env.sh
 #
 # This script loads the Hetzner API token from SOPS-encrypted secrets
 # and exports it as both:
 #   - HCLOUD_TOKEN (for Ansible dynamic inventory)
 #   - TF_VAR_hcloud_token (for OpenTofu)
 #   - TF_VAR_hetznerdns_token (for OpenTofu DNS provider)
 # Determine script directory
 if [ -n "${BASH_SOURCE[0]}" ]; then
    SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 else
    SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 fi
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 # Set SOPS key file if not already set
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
 fi
 # Check if SOPS key file exists
 if [ ! -f "$SOPS_AGE_KEY_FILE" ]; then
    echo "Error: SOPS Age key not found at: $SOPS_AGE_KEY_FILE" >&2
    return 1 2>/dev/null || exit 1
 fi
 # Load token from SOPS
 SHARED_SECRETS="$PROJECT_ROOT/secrets/shared.sops.yaml"
 if [ ! -f "$SHARED_SECRETS" ]; then
    echo "Error: Shared secrets file not found: $SHARED_SECRETS" >&2
    return 1 2>/dev/null || exit 1
 fi
 # Extract hcloud_token
 HCLOUD_TOKEN=$(sops -d "$SHARED_SECRETS" | grep "^hcloud_token:" | awk '{print $2}')
 if [ -z "$HCLOUD_TOKEN" ]; then
    echo "Error: Could not extract hcloud_token from secrets" >&2
    return 1 2>/dev/null || exit 1
 fi
 # Export for Ansible (dynamic inventory)
 export HCLOUD_TOKEN
 # Export for OpenTofu
 export TF_VAR_hcloud_token="$HCLOUD_TOKEN"
 export TF_VAR_hetznerdns_token="$HCLOUD_TOKEN"
 echo "✓ Loaded Hetzner API token from SOPS"
 echo "  • HCLOUD_TOKEN (for Ansible)"
 echo "  • TF_VAR_hcloud_token (for OpenTofu)"
 echo "  • TF_VAR_hetznerdns_token (for OpenTofu DNS)"
--- a/scripts/rebuild-client.sh
+++ b/scripts/rebuild-client.sh
@ -36,23 +36,100 @@ fi
 CLIENT_NAME="$1"
-# Check if secrets file exists
+# Check if SSH key exists, generate if missing
-SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
+SSH_KEY_FILE="$PROJECT_ROOT/keys/ssh/${CLIENT_NAME}"
-if [ ! -f "$SECRETS_FILE" ]; then
+if [ ! -f "$SSH_KEY_FILE" ]; then
-    echo -e "${RED}Error: Secrets file not found: $SECRETS_FILE${NC}"
+    echo -e "${YELLOW}SSH key not found for client: $CLIENT_NAME${NC}"
    echo "Generating SSH key pair automatically..."
    echo ""
    # Generate SSH key
    "$SCRIPT_DIR/generate-client-keys.sh" "$CLIENT_NAME"
    echo ""
    echo -e "${GREEN}✓ SSH key generated${NC}"
    echo ""
    echo "Create a secrets file first:"
    echo "  cp secrets/clients/test.sops.yaml secrets/clients/${CLIENT_NAME}.sops.yaml"
    echo "  sops secrets/clients/${CLIENT_NAME}.sops.yaml"
    exit 1
 fi
-# Check required environment variables
+# Check if secrets file exists, create from template if missing
-if [ -z "${HCLOUD_TOKEN:-}" ]; then
+SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
-    echo -e "${RED}Error: HCLOUD_TOKEN environment variable not set${NC}"
+TEMPLATE_FILE="$PROJECT_ROOT/secrets/clients/template.sops.yaml"
-    echo "Export your Hetzner Cloud API token:"
+
-    echo "  export HCLOUD_TOKEN='your-token-here'"
+if [ ! -f "$SECRETS_FILE" ]; then
    echo -e "${YELLOW}Secrets file not found for client: $CLIENT_NAME${NC}"
    echo "Creating from template and opening for editing..."
    echo ""
    # Check if template exists
    if [ ! -f "$TEMPLATE_FILE" ]; then
        echo -e "${RED}Error: Template file not found: $TEMPLATE_FILE${NC}"
        exit 1
    fi
    # Copy template and decrypt to temporary file
    if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
        export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
    fi
    # Decrypt template to temp file
    TEMP_PLAIN=$(mktemp)
    sops -d "$TEMPLATE_FILE" > "$TEMP_PLAIN"
    # Replace client name placeholders
    sed -i '' "s/test/${CLIENT_NAME}/g" "$TEMP_PLAIN"
    # Create unencrypted file in correct location (matching .sops.yaml regex)
    # This is necessary because SOPS needs the file path to match creation rules
    TEMP_SOPS="${SECRETS_FILE%.sops.yaml}-unenc.sops.yaml"
    cat "$TEMP_PLAIN" > "$TEMP_SOPS"
    # Encrypt in-place (SOPS finds creation rules because path matches regex)
    sops --encrypt --in-place "$TEMP_SOPS"
    # Rename to final name
    mv "$TEMP_SOPS" "$SECRETS_FILE"
    # Cleanup
    rm "$TEMP_PLAIN"
    echo -e "${GREEN}✓ Created secrets file with client-specific domains${NC}"
    echo ""
    # Open in SOPS for editing passwords
    echo -e "${BLUE}Opening secrets file in SOPS for password generation...${NC}"
    echo ""
    echo -e "${YELLOW}IMPORTANT: Regenerate ALL passwords and tokens!${NC}"
    echo ""
    echo "Domains have been automatically configured:"
    echo "  ✓ client_name: $CLIENT_NAME"
    echo "  ✓ client_domain: ${CLIENT_NAME}.vrije.cloud"
    echo "  ✓ authentik_domain: auth.${CLIENT_NAME}.vrije.cloud"
    echo "  ✓ nextcloud_domain: nextcloud.${CLIENT_NAME}.vrije.cloud"
    echo ""
    echo "You MUST regenerate:"
    echo "  - All database passwords"
    echo "  - authentik_secret_key"
    echo "  - authentik_bootstrap_password"
    echo "  - authentik_bootstrap_token"
    echo "  - All other passwords"
    echo ""
    echo "Press Enter to open editor..."
    read -r
    # Open in SOPS
    sops "$SECRETS_FILE"
    echo ""
    echo -e "${GREEN}✓ Secrets file configured${NC}"
    echo ""
 fi
 # Load Hetzner API token from SOPS if not already set
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${BLUE}Loading Hetzner API token from SOPS...${NC}"
    # shellcheck source=scripts/load-secrets-env.sh
    source "$SCRIPT_DIR/load-secrets-env.sh"
    echo ""
 fi
 if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
@ -60,6 +137,18 @@ if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
 fi
 # Check if client exists in terraform.tfvars
 TFVARS_FILE="$PROJECT_ROOT/tofu/terraform.tfvars"
 if ! grep -q "^[[:space:]]*${CLIENT_NAME}[[:space:]]*=" "$TFVARS_FILE"; then
    echo -e "${RED}Error: Client '${CLIENT_NAME}' not found in terraform.tfvars${NC}"
    echo ""
    echo "Cannot rebuild a client that doesn't exist in OpenTofu configuration."
    echo ""
    echo "To deploy a new client, use:"
    echo "  ./scripts/deploy-client.sh $CLIENT_NAME"
    exit 1
 fi
 # Start timer
 START_TIME=$(date +%s)
@ -69,7 +158,7 @@ echo -e "${BLUE}========================================${NC}"
 echo ""
 # Step 1: Check if infrastructure exists and destroy it
-echo -e "${YELLOW}[1/4] Checking existing infrastructure...${NC}"
+echo -e "${YELLOW}[1/5] Checking existing infrastructure...${NC}"
 cd "$PROJECT_ROOT/tofu"
@ -97,7 +186,7 @@ fi
 echo ""
 # Step 2: Provision infrastructure
-echo -e "${YELLOW}[2/4] Provisioning infrastructure with OpenTofu...${NC}"
+echo -e "${YELLOW}[2/5] Provisioning infrastructure with OpenTofu...${NC}"
 cd "$PROJECT_ROOT/tofu"
@ -115,7 +204,7 @@ sleep 60
 echo ""
 # Step 3: Setup base system
-echo -e "${YELLOW}[3/4] Setting up base system (Docker, Traefik)...${NC}"
+echo -e "${YELLOW}[3/5] Setting up base system (Docker, Traefik)...${NC}"
 cd "$PROJECT_ROOT/ansible"
@ -126,7 +215,7 @@ echo -e "${GREEN}✓ Base system configured${NC}"
 echo ""
 # Step 4: Deploy applications
-echo -e "${YELLOW}[4/4] Deploying applications (Authentik, Nextcloud, SSO)...${NC}"
+echo -e "${YELLOW}[4/5] Deploying applications (Authentik, Nextcloud, SSO)...${NC}"
 ~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit "$CLIENT_NAME"
@ -134,6 +223,45 @@ echo ""
 echo -e "${GREEN}✓ Applications deployed${NC}"
 echo ""
 # Step 5: Update client registry
 echo -e "${YELLOW}[5/5] Updating client registry...${NC}"
 cd "$PROJECT_ROOT/tofu"
 # Get server information from Terraform state
 SERVER_IP=$(tofu output -json client_ips 2>/dev/null | jq -r ".\"$CLIENT_NAME\"" || echo "")
 SERVER_ID=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*id[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 SERVER_TYPE=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*server_type[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 SERVER_LOCATION=$(tofu state show "hcloud_server.client[\"$CLIENT_NAME\"]" 2>/dev/null | grep "^[[:space:]]*location[[:space:]]*=" | awk '{print $3}' | tr -d '"' || echo "")
 # Determine role (dev is canary, everything else is production by default)
 ROLE="production"
 if [ "$CLIENT_NAME" = "dev" ]; then
    ROLE="canary"
 fi
 # Update registry
 "$SCRIPT_DIR/update-registry.sh" "$CLIENT_NAME" deploy \
    --role="$ROLE" \
    --server-ip="$SERVER_IP" \
    --server-id="$SERVER_ID" \
    --server-type="$SERVER_TYPE" \
    --server-location="$SERVER_LOCATION"
 echo ""
 echo -e "${GREEN}✓ Registry updated${NC}"
 echo ""
 # Collect deployed versions
 echo -e "${YELLOW}Collecting deployed versions...${NC}"
 "$SCRIPT_DIR/collect-client-versions.sh" "$CLIENT_NAME" 2>/dev/null || {
    echo -e "${YELLOW}⚠ Could not collect versions automatically${NC}"
    echo "Run manually later: ./scripts/collect-client-versions.sh $CLIENT_NAME"
 }
 echo ""
 # Calculate duration
 END_TIME=$(date +%s)
 DURATION=$((END_TIME - START_TIME))
--- a/scripts/remove-client-from-monitoring.sh
+++ b/scripts/remove-client-from-monitoring.sh
@ -0,0 +1,56 @@
 #!/usr/bin/env bash
 #
 # Remove client monitors from Uptime Kuma
 #
 # Usage: ./scripts/remove-client-from-monitoring.sh <client_name>
 #
 # This script removes HTTP(S) and SSL monitors for a destroyed client
 # Currently uses manual instructions - future: use Uptime Kuma API
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 # Check arguments
 if [ $# -ne 1 ]; then
    echo -e "${RED}Error: Client name required${NC}"
    echo "Usage: $0 <client_name>"
    exit 1
 fi
 CLIENT_NAME="$1"
 echo -e "${BLUE}========================================${NC}"
 echo -e "${BLUE}Remove Client from Monitoring${NC}"
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo -e "${YELLOW}Client: ${CLIENT_NAME}${NC}"
 echo ""
 # TODO: Implement automated monitor removal via Uptime Kuma API
 # For now, provide manual instructions
 echo -e "${YELLOW}Manual Removal Required:${NC}"
 echo ""
 echo "Please remove the following monitors from Uptime Kuma:"
 echo "🔗 Access: https://status.vrije.cloud"
 echo ""
 echo "Monitors to delete:"
 echo "  • ${CLIENT_NAME} - Authentik"
 echo "  • ${CLIENT_NAME} - Nextcloud"
 echo "  • ${CLIENT_NAME} - Authentik SSL"
 echo "  • ${CLIENT_NAME} - Nextcloud SSL"
 echo ""
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo -e "${YELLOW}Note: Automated monitor removal via API is planned for future enhancement.${NC}"
 echo ""
--- a/scripts/resize-client-volume.sh
+++ b/scripts/resize-client-volume.sh
@ -0,0 +1,192 @@
 #!/usr/bin/env bash
 #
 # Resize a client's Nextcloud data volume
 #
 # Usage: ./scripts/resize-client-volume.sh <client_name> <new_size_gb>
 #
 # This script will:
 # 1. Resize the Hetzner Volume via API
 # 2. Expand the filesystem on the server
 # 3. Verify the new size
 #
 # Note: Volumes can only be increased in size, never decreased
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 # Check arguments
 if [ $# -ne 2 ]; then
    echo -e "${RED}Error: Client name and new size required${NC}"
    echo "Usage: $0 <client_name> <new_size_gb>"
    echo ""
    echo "Example: $0 dev 200"
    echo ""
    echo "Note: You can only INCREASE volume size, never decrease"
    exit 1
 fi
 CLIENT_NAME="$1"
 NEW_SIZE="$2"
 # Validate new size is a number
 if ! [[ "$NEW_SIZE" =~ ^[0-9]+$ ]]; then
    echo -e "${RED}Error: Size must be a number${NC}"
    exit 1
 fi
 # Check minimum size
 if [ "$NEW_SIZE" -lt 10 ]; then
    echo -e "${RED}Error: Minimum volume size is 10 GB${NC}"
    exit 1
 fi
 # Check maximum size
 if [ "$NEW_SIZE" -gt 10000 ]; then
    echo -e "${RED}Error: Maximum volume size is 10,000 GB (10 TB)${NC}"
    exit 1
 fi
 # Load Hetzner API token from SOPS if not already set
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${BLUE}Loading Hetzner API token from SOPS...${NC}"
    # shellcheck source=scripts/load-secrets-env.sh
    source "$SCRIPT_DIR/load-secrets-env.sh"
    echo ""
 fi
 echo -e "${BLUE}========================================${NC}"
 echo -e "${BLUE}Resizing Nextcloud Volume${NC}"
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo "Client: $CLIENT_NAME"
 echo "New size: ${NEW_SIZE} GB"
 echo ""
 # Step 1: Get volume ID from Hetzner API
 echo -e "${YELLOW}[1/4] Looking up volume...${NC}"
 VOLUME_NAME="nextcloud-data-${CLIENT_NAME}"
 # Get volume info
 VOLUME_INFO=$(curl -s -H "Authorization: Bearer $HCLOUD_TOKEN" \
    "https://api.hetzner.cloud/v1/volumes?name=$VOLUME_NAME")
 VOLUME_ID=$(echo "$VOLUME_INFO" | jq -r '.volumes[0].id // empty')
 CURRENT_SIZE=$(echo "$VOLUME_INFO" | jq -r '.volumes[0].size // empty')
 if [ -z "$VOLUME_ID" ] || [ "$VOLUME_ID" = "null" ]; then
    echo -e "${RED}Error: Volume '$VOLUME_NAME' not found${NC}"
    echo "Make sure the client exists and has been deployed with volume support"
    exit 1
 fi
 echo "Volume ID: $VOLUME_ID"
 echo "Current size: ${CURRENT_SIZE} GB"
 echo ""
 # Check if new size is larger
 if [ "$NEW_SIZE" -le "$CURRENT_SIZE" ]; then
    echo -e "${RED}Error: New size ($NEW_SIZE GB) must be larger than current size ($CURRENT_SIZE GB)${NC}"
    echo "Volumes can only be increased in size, never decreased"
    exit 1
 fi
 # Calculate cost increase
 COST_INCREASE=$(echo "scale=2; ($NEW_SIZE - $CURRENT_SIZE) * 0.054" | bc)
 echo -e "${YELLOW}Warning: This will increase monthly costs by approximately €${COST_INCREASE}${NC}"
 echo ""
 read -p "Continue with resize? (yes/no): " confirm
 if [ "$confirm" != "yes" ]; then
    echo "Resize cancelled"
    exit 0
 fi
 echo ""
 # Step 2: Resize volume via API
 echo -e "${YELLOW}[2/4] Resizing volume via Hetzner API...${NC}"
 RESIZE_RESULT=$(curl -s -X POST \
    -H "Authorization: Bearer $HCLOUD_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"size\": $NEW_SIZE}" \
    "https://api.hetzner.cloud/v1/volumes/$VOLUME_ID/actions/resize")
 ACTION_ID=$(echo "$RESIZE_RESULT" | jq -r '.action.id // empty')
 if [ -z "$ACTION_ID" ] || [ "$ACTION_ID" = "null" ]; then
    echo -e "${RED}Error: Failed to resize volume${NC}"
    echo "$RESIZE_RESULT" | jq .
    exit 1
 fi
 # Wait for resize action to complete
 echo "Waiting for resize action to complete..."
 while true; do
    ACTION_STATUS=$(curl -s -H "Authorization: Bearer $HCLOUD_TOKEN" \
        "https://api.hetzner.cloud/v1/volumes/actions/$ACTION_ID" | jq -r '.action.status')
    if [ "$ACTION_STATUS" = "success" ]; then
        break
    elif [ "$ACTION_STATUS" = "error" ]; then
        echo -e "${RED}Error: Resize action failed${NC}"
        exit 1
    fi
    sleep 2
 done
 echo -e "${GREEN}✓ Volume resized${NC}"
 echo ""
 # Step 3: Expand filesystem on the server
 echo -e "${YELLOW}[3/4] Expanding filesystem on server...${NC}"
 cd "$PROJECT_ROOT/ansible"
 # Find the device
 DEVICE_CMD="ls -1 /dev/disk/by-id/scsi-0HC_Volume_* 2>/dev/null | grep -i 'nextcloud-data-${CLIENT_NAME}' | head -1"
 DEVICE=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "$DEVICE_CMD" -o 2>/dev/null | tail -1 | awk '{print $NF}')
 if [ -z "$DEVICE" ]; then
    echo -e "${RED}Error: Could not find volume device on server${NC}"
    exit 1
 fi
 echo "Device: $DEVICE"
 # Resize filesystem
 ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "resize2fs $DEVICE" -b
 echo -e "${GREEN}✓ Filesystem expanded${NC}"
 echo ""
 # Step 4: Verify new size
 echo -e "${YELLOW}[4/4] Verifying new size...${NC}"
 DF_OUTPUT=$(~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "df -h /mnt/nextcloud-data" -o 2>/dev/null | tail -1)
 echo "$DF_OUTPUT"
 echo ""
 echo -e "${GREEN}========================================${NC}"
 echo -e "${GREEN}✓ Resize complete!${NC}"
 echo -e "${GREEN}========================================${NC}"
 echo ""
 echo "Volume resized from ${CURRENT_SIZE} GB to ${NEW_SIZE} GB"
 echo "Additional monthly cost: €${COST_INCREASE}"
 echo ""
 echo "The new storage is immediately available to Nextcloud."
 echo ""
--- a/scripts/run-maintenance-all-servers.sh
+++ b/scripts/run-maintenance-all-servers.sh
@ -0,0 +1,151 @@
 #!/usr/bin/env bash
 #
 # Run Nextcloud maintenance playbook on all servers
 # Created: 2026-01-24
 #
 # This script runs the nextcloud maintenance playbook on each server
 # with its corresponding SSH key.
 #
 # Usage:
 #   cd infrastructure/
 #   HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
 #
 # Or with SOPS_AGE_KEY_FILE if needed:
 #   SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/run-maintenance-all-servers.sh
 set -euo pipefail
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 ANSIBLE_DIR="$PROJECT_ROOT/ansible"
 KEYS_DIR="$PROJECT_ROOT/keys/ssh"
 PLAYBOOK="playbooks/260124-nextcloud-maintenance.yml"
 # Check required environment variables
 if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
    exit 1
 fi
 # Change to ansible directory
 cd "$ANSIBLE_DIR"
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Nextcloud Maintenance - All Servers${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Playbook: $PLAYBOOK"
 echo "Ansible directory: $ANSIBLE_DIR"
 echo ""
 # Get list of all servers with SSH keys
 SERVERS=()
 for keyfile in "$KEYS_DIR"/*.pub; do
    if [ -f "$keyfile" ]; then
        server=$(basename "$keyfile" .pub)
        # Skip special servers
        if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
            SERVERS+=("$server")
        fi
    fi
 done
 echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
 printf '%s\n' "${SERVERS[@]}" | sort
 echo ""
 # Counters
 SUCCESS_COUNT=0
 FAILED_COUNT=0
 SKIPPED_COUNT=0
 declare -a SUCCESS_SERVERS
 declare -a FAILED_SERVERS
 declare -a SKIPPED_SERVERS
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}Starting maintenance run...${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 # Run playbook for each server
 for server in "${SERVERS[@]}"; do
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    echo -e "${YELLOW}Processing: $server${NC}"
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    SSH_KEY="$KEYS_DIR/$server"
    if [ ! -f "$SSH_KEY" ]; then
        echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
        SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        SKIPPED_SERVERS+=("$server")
        echo ""
        continue
    fi
    # Run the playbook (with SSH options to prevent agent key issues)
    if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
        ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
        ~/.local/bin/ansible-playbook \
        -i hcloud.yml \
        "$PLAYBOOK" \
        --limit "$server" \
        --private-key "$SSH_KEY" 2>&1; then
        echo -e "${GREEN}✓ Success: $server${NC}"
        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
        SUCCESS_SERVERS+=("$server")
    else
        echo -e "${RED}✗ Failed: $server${NC}"
        FAILED_COUNT=$((FAILED_COUNT + 1))
        FAILED_SERVERS+=("$server")
    fi
    echo ""
 done
 # Summary
 echo -e "${BLUE}============================================================${NC}"
 echo -e "${BLUE}MAINTENANCE RUN SUMMARY${NC}"
 echo -e "${BLUE}============================================================${NC}"
 echo ""
 echo "Total servers: ${#SERVERS[@]}"
 echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
 echo -e "${RED}Failed: $FAILED_COUNT${NC}"
 echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
 echo ""
 if [ $SUCCESS_COUNT -gt 0 ]; then
    echo -e "${GREEN}Successful servers:${NC}"
    printf '  %s\n' "${SUCCESS_SERVERS[@]}"
    echo ""
 fi
 if [ $FAILED_COUNT -gt 0 ]; then
    echo -e "${RED}Failed servers:${NC}"
    printf '  %s\n' "${FAILED_SERVERS[@]}"
    echo ""
 fi
 if [ $SKIPPED_COUNT -gt 0 ]; then
    echo -e "${YELLOW}Skipped servers:${NC}"
    printf '  %s\n' "${SKIPPED_SERVERS[@]}"
    echo ""
 fi
 echo -e "${BLUE}============================================================${NC}"
 # Exit with error if any failures
 if [ $FAILED_COUNT -gt 0 ]; then
    exit 1
 fi
 exit 0
--- a/scripts/update-registry.sh
+++ b/scripts/update-registry.sh
@ -0,0 +1,183 @@
 #!/usr/bin/env bash
 #
 # Update the client registry with deployment information
 #
 # Usage: ./scripts/update-registry.sh <client_name> <action> [options]
 #
 # Actions:
 #   deploy    - Mark client as deployed (creates/updates entry)
 #   destroy   - Mark client as destroyed
 #   status    - Update status field
 #
 # Options:
 #   --status=<status>          Set status (pending|deployed|maintenance|offboarding|destroyed)
 #   --role=<role>              Set role (canary|production)
 #   --server-ip=<ip>           Set server IP
 #   --server-id=<id>           Set server ID
 #   --server-type=<type>       Set server type
 #   --server-location=<loc>    Set server location
 set -euo pipefail
 # Script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 REGISTRY_FILE="$PROJECT_ROOT/clients/registry.yml"
 # Check if yq is available
 if ! command -v yq &> /dev/null; then
    echo "Error: 'yq' not found. Install with: brew install yq"
    exit 1
 fi
 # Parse arguments
 if [ $# -lt 2 ]; then
    echo "Usage: $0 <client_name> <action> [options]"
    exit 1
 fi
 CLIENT_NAME="$1"
 ACTION="$2"
 shift 2
 # Parse options
 STATUS=""
 ROLE=""
 SERVER_IP=""
 SERVER_ID=""
 SERVER_TYPE=""
 SERVER_LOCATION=""
 for arg in "$@"; do
    case $arg in
        --status=*)
            STATUS="${arg#*=}"
            ;;
        --role=*)
            ROLE="${arg#*=}"
            ;;
        --server-ip=*)
            SERVER_IP="${arg#*=}"
            ;;
        --server-id=*)
            SERVER_ID="${arg#*=}"
            ;;
        --server-type=*)
            SERVER_TYPE="${arg#*=}"
            ;;
        --server-location=*)
            SERVER_LOCATION="${arg#*=}"
            ;;
    esac
 done
 # Ensure registry file exists
 if [ ! -f "$REGISTRY_FILE" ]; then
    cat > "$REGISTRY_FILE" <<'EOF'
 # Client Registry
 #
 # Single source of truth for all clients in the infrastructure.
 clients: {}
 EOF
 fi
 TODAY=$(date +%Y-%m-%d)
 case $ACTION in
    deploy)
        # Check if client exists
        if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
            # Create new client entry
            echo "Creating new registry entry for $CLIENT_NAME"
            # Start with minimal structure
            yq eval -i ".clients.\"$CLIENT_NAME\" = {}" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".status = \"deployed\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".deployed_date = \"$TODAY\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".destroyed_date = null" "$REGISTRY_FILE"
            # Add role
            if [ -n "$ROLE" ]; then
                yq eval -i ".clients.\"$CLIENT_NAME\".role = \"$ROLE\"" "$REGISTRY_FILE"
            else
                yq eval -i ".clients.\"$CLIENT_NAME\".role = \"production\"" "$REGISTRY_FILE"
            fi
            # Add server info
            yq eval -i ".clients.\"$CLIENT_NAME\".server = {}" "$REGISTRY_FILE"
            [ -n "$SERVER_TYPE" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.type = \"$SERVER_TYPE\"" "$REGISTRY_FILE"
            [ -n "$SERVER_LOCATION" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.location = \"$SERVER_LOCATION\"" "$REGISTRY_FILE"
            [ -n "$SERVER_IP" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.ip = \"$SERVER_IP\"" "$REGISTRY_FILE"
            [ -n "$SERVER_ID" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.id = \"$SERVER_ID\"" "$REGISTRY_FILE"
            # Add apps
            yq eval -i ".clients.\"$CLIENT_NAME\".apps = [\"authentik\", \"nextcloud\"]" "$REGISTRY_FILE"
            # Add maintenance tracking
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance = {}" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance.last_full_update = \"$TODAY\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance.last_security_patch = \"$TODAY\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance.last_os_update = \"$TODAY\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance.last_backup_verified = null" "$REGISTRY_FILE"
            # Add URLs (will be determined from secrets file)
            yq eval -i ".clients.\"$CLIENT_NAME\".urls = {}" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".urls.authentik = \"https://auth.$CLIENT_NAME.vrije.cloud\"" "$REGISTRY_FILE"
            yq eval -i ".clients.\"$CLIENT_NAME\".urls.nextcloud = \"https://nextcloud.$CLIENT_NAME.vrije.cloud\"" "$REGISTRY_FILE"
            # Add notes
            yq eval -i ".clients.\"$CLIENT_NAME\".notes = \"\"" "$REGISTRY_FILE"
        else
            # Update existing client
            echo "Updating registry entry for $CLIENT_NAME"
            yq eval -i ".clients.\"$CLIENT_NAME\".status = \"deployed\"" "$REGISTRY_FILE"
            # Update server info if provided
            [ -n "$SERVER_IP" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.ip = \"$SERVER_IP\"" "$REGISTRY_FILE"
            [ -n "$SERVER_ID" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.id = \"$SERVER_ID\"" "$REGISTRY_FILE"
            [ -n "$SERVER_TYPE" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.type = \"$SERVER_TYPE\"" "$REGISTRY_FILE"
            [ -n "$SERVER_LOCATION" ] && yq eval -i ".clients.\"$CLIENT_NAME\".server.location = \"$SERVER_LOCATION\"" "$REGISTRY_FILE"
            # Update maintenance date
            yq eval -i ".clients.\"$CLIENT_NAME\".maintenance.last_full_update = \"$TODAY\"" "$REGISTRY_FILE"
        fi
        ;;
    destroy)
        echo "Marking $CLIENT_NAME as destroyed in registry"
        if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
            echo "Warning: Client $CLIENT_NAME not found in registry"
            exit 0
        fi
        yq eval -i ".clients.\"$CLIENT_NAME\".status = \"destroyed\"" "$REGISTRY_FILE"
        yq eval -i ".clients.\"$CLIENT_NAME\".destroyed_date = \"$TODAY\"" "$REGISTRY_FILE"
        ;;
    status)
        if [ -z "$STATUS" ]; then
            echo "Error: --status=<status> required for status action"
            exit 1
        fi
        echo "Updating status of $CLIENT_NAME to $STATUS"
        if yq eval ".clients.\"$CLIENT_NAME\"" "$REGISTRY_FILE" | grep -q "null"; then
            echo "Error: Client $CLIENT_NAME not found in registry"
            exit 1
        fi
        yq eval -i ".clients.\"$CLIENT_NAME\".status = \"$STATUS\"" "$REGISTRY_FILE"
        ;;
    *)
        echo "Error: Unknown action '$ACTION'"
        echo "Valid actions: deploy, destroy, status"
        exit 1
        ;;
 esac
 echo "✓ Registry updated successfully"
--- a/secrets/README.md
+++ b/secrets/README.md
@ -104,7 +104,7 @@ openssl rand -base64 32
 # Random 24-character password
 openssl rand -base64 24
-# Zitadel masterkey (32-byte hex)
+# Random hex string (32-byte, 64 characters)
 openssl rand -hex 32
 ```
@ -121,7 +121,7 @@ Ansible automatically decrypts SOPS files using the `community.sops` collection.
 - name: Use decrypted secret
  debug:
-    msg: "DB Password: {{ client_secrets.zitadel_db_password }}"
+    msg: "DB Password: {{ client_secrets.authentik_db_password }}"
 ```
 **Environment variable required:**
@ -141,9 +141,9 @@ Contains secrets shared across all infrastructure:
 ### clients/*.sops.yaml
 Per-client secrets:
- Database passwords (Zitadel, Nextcloud)
+- Database passwords (Authentik, Nextcloud)
 - Admin passwords
- Zitadel masterkey
+- Secret keys and tokens
 - Restic repository password
 - OIDC credentials (after generation)
--- a/secrets/clients/README.md
+++ b/secrets/clients/README.md
@ -0,0 +1,122 @@
 # Client Secrets Directory
 This directory contains SOPS-encrypted secrets files for each deployed client.
 ## Files
 ### Active Clients
 - **`dev.sops.yaml`** - Development/canary server secrets
  - Status: Deployed
  - Purpose: Testing and canary deployments
 ### Templates
 - **`template.sops.yaml`** - Template for creating new client secrets
  - Status: Reference only (not deployed)
  - Purpose: Copy this file when onboarding new clients
 ## Creating Secrets for a New Client
 ```bash
 # 1. Copy the template
 cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
 # 2. Edit with SOPS
 export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 sops secrets/clients/newclient.sops.yaml
 # 3. Update all fields:
 #    - client_name: newclient
 #    - client_domain: newclient.vrije.cloud
 #    - authentik_domain: auth.newclient.vrije.cloud
 #    - nextcloud_domain: nextcloud.newclient.vrije.cloud
 #    - REGENERATE all passwords and tokens (never reuse!)
 # 4. Deploy the client
 ./scripts/deploy-client.sh newclient
 ```
 ## Important Security Notes
 ⚠️ **Never commit plaintext secrets!**
 - Only `*.sops.yaml` files should be committed
 - Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored
 - Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml`
 ⚠️ **Always regenerate secrets for new clients!**
 - Never copy passwords between clients
 - Use strong random passwords (32+ characters)
 - Each client must have unique credentials
 ## File Naming Convention
 - **Production clients**: `clientname.sops.yaml`
 - **Development/test**: `dev.sops.yaml`
 - **Templates**: `template.sops.yaml`
 - **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`
 ## Viewing Secrets
 ```bash
 # View encrypted file (shows SOPS metadata)
 cat secrets/clients/dev.sops.yaml
 # Decrypt and view (requires age key)
 export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 sops -d secrets/clients/dev.sops.yaml
 ```
 ## Required Secrets per Client
 Each client secrets file must contain:
 ### Authentik (Identity Provider)
 - `authentik_db_password` - PostgreSQL database password
 - `authentik_secret_key` - Django secret key
 - `authentik_bootstrap_password` - Initial admin (akadmin) password
 - `authentik_bootstrap_token` - API token for automation
 - `authentik_bootstrap_email` - Admin email address
 ### Nextcloud (File Storage)
 - `nextcloud_admin_user` - Admin username (usually "admin")
 - `nextcloud_admin_password` - Admin password
 - `nextcloud_db_password` - MariaDB database password
 - `nextcloud_db_root_password` - MariaDB root password
 - `redis_password` - Redis cache password
 ### Optional
 - `collabora_admin_password` - Collabora Online admin password (if using)
 ## Troubleshooting
 ### "No such file or directory: age-key.txt"
 ```bash
 # Ensure SOPS_AGE_KEY_FILE is set correctly
 export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
 # Or use absolute path
 export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
 ```
 ### "Failed to decrypt"
 - Verify you have the correct age private key
 - Check that `.sops.yaml` references the correct age public key
 - Ensure the file was encrypted with the same age key
 ### "File contains plaintext secrets"
 ```bash
 # Check if file is properly encrypted
 file secrets/clients/dev.sops.yaml
 # Should show: ASCII text (with SOPS encryption metadata)
 # Re-encrypt if needed
 sops -e -i secrets/clients/dev.sops.yaml
 ```
 ## See Also
 - [../README.md](../../secrets/README.md) - Secrets management overview
 - [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale
 - [SOPS Documentation](https://github.com/getsops/sops)
--- a/secrets/clients/dev.sops.yaml
+++ b/secrets/clients/dev.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:Z5yDXg28JTSIUtpFsI6k71ToslPeU4TM,iv:CzLHfKk2rwbuTK73ucm8vg19SEbYkHGsxao8Fxj0smk=,tag:JNSvnD7tmngOTiccRlTrHA==,type:comment]
 #ENC[AES256_GCM,data:SkLXnxlTpEUo4RUP6EU5h2hMUjHYpOkl8Ndjv+jyncXVgMXxfYw=,iv:7aoaONvTIOE4Pu+MulBR7mhJnIjVRNrlMV+d8G+sGG0=,tag:hShCDFAKrW6cWnJd2vL+Og==,type:comment]
 #ENC[AES256_GCM,data:Rv664eaZjj1MfU6HcZWilrz5577Agg==,iv:EMZwUCMQXrdewyLY5aZPcshMGkx6+k/jBalJ1ByAj/A=,tag:ODdGpf0id/w8aDYNrdWEFg==,type:comment]
 client_name: ENC[AES256_GCM,data:sLox,iv:iC2so9WyM58BYmMrmfcWXodj4a5wSvzyWsCVe5WbnX4=,tag:AfwOoFQpjpHqbXWxXO8Eeg==,type:str]
 client_domain: ENC[AES256_GCM,data:7F76Vt9k0TIQGiuoPW3O,iv:OpYEYhEKCGkRMUgFhGi+Y/uM9P6XLFv+WMmYHLKeQ0U=,tag:HbpOb/J8hpSdNDVv9A07TA==,type:str]
 #ENC[AES256_GCM,data:XBQwOaBVIkcfKXOYKA/CYe3XWDG+Ojre,iv:sMzd/BIOtDuQo+RsoO393DmPlZhY/X/jxSdI3j+T2aQ=,tag:iPf1+jfQE9n0KkZjHWvXUA==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:d5ZVFyfPSJj2DcFQwEB00uh4flo=,iv:dMbMQTo3Vx35FE1471TPGP5iYvYDdWO43Ic7Z6GAEB8=,tag:W4CSgVpxt/eclakj5qtu3g==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:kQ629SlJW4WgWu5nUOxBs5p48EJb478Q0qrbZfvgbBQTrfPQnaneFJQyrA==,iv:9puxfMZM2t+qkZjjlmaUCsvlqA9oXzxLLJ9oZ+HkSec=,tag:UDsVLqWDaAjR+sQS6/OBow==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:h+R7rHTRikUooMeQ0z0La3qZ7bknHTerHVJBTs9mFhoOQC8uO2DBaG3FGsZRTqWy5sBidegjp4r+6oa+aubF7r0Gkg==,iv:UNpawp0bf4koib7DwgFxdRpOFV28Ktwjdh2Pa0h/Qmo=,tag:cqvWwYzdSzaGBaMOEXTszQ==,type:str]
 #ENC[AES256_GCM,data:YJzCkx97cHc9lczEzpVaVytMEK2cahn9PJ4luS4mzBAhQnmLkWKRoUg8wfjCyIc=,iv:tWj6FMYXd88CUohJ8GdZI17JVFuEk+07yBHm4kAk2yI=,tag:WwV1C7GmvevyNiSzco82Eg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:Y1yMVyRi8Ce+TVZwj4RU6NHN4SvSD3GYfk7Fi3IsQmdCAKgBEDZYI8Mw/A==,iv:npBA1hpbe7ttD7lIDTD2ZxpRsFzohGCiLISNKeNsY18=,tag:jDCVHp8ATO0TyOSn8J0frg==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:IGEwNd4ZDoyLILJ8NEw2Qp6CyfCXrmvHlnjygUl6qIj6vKoHys9zkk2ZiFYAolYcZXcHq3569q9yXQMvYelb,iv:h9p3JNDZgr4gz2PHHnesrVPtwTVbSn48YW5u4iy163E=,tag:Lu6z+K+LhVt9LFyOgmmUWA==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:P7Bb+RruJlV9OKW8U5yXZGRMKTjJ,iv:paFh41RaJO1Nu0ejrxgYXpKlZMdDLCVt810hiSgHxUg=,tag:8zw/0N+pJdeLVm5flY6O4Q==,type:str]
 #ENC[AES256_GCM,data:/5TakPAsaXrgkk0qvexe1kkG6ltsWQOQ,iv:TWhQrknF38g3hVTwJ7RIuSbHJ8Np07BhhN0MtfSyQLY=,tag:gdwRtBhXDsHeDkt8AWYk7w==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:XCnxio1Yk5xqhF1GpQmZ4BhvVNnweZWBDg==,iv:bBGbn9AmrgmeGJRToXb/ujl3eInltaFV/7lmazFRM7U=,tag:B/WbLePFK+uRMwIIOPItaA==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:Xvw+QHU=,iv:IFGiGOv+ZI7R308nNrQ4SJPZtVP0dU5IwH7lFpOhBu4=,tag:Sb5SvUBYNg6Oj0PKl9+2Ig==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:uTLqkEPoq17bTkBxGpMak7zkqc6h2fhx7VJIEzZ9RGU13vRbgcIoO4d7jQ==,iv:Hub/66fCYFdK7j4Yc+5IBFbAM4WafgUzFpnnWbDbQVg=,tag:Awq398GYFRwreYGmqLP+cw==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:1gT5rj8buyyvyCfv79BWuZPmAEH++4jIMBbVsdkqWMq3YiQSFAtQDpCEVw==,iv:qHvP/Tf1d+zHMHMnCQ5FK9tU+bQtFJbDxCtB5JAlZhg=,tag:qrvMW5rnlCt+dFCNvAso3A==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:IvfUibOFhW5agn7rxRtM4W6SN4WbwOmc/UzDC+u8NBBK9ZV5/yAQbd+3oQ==,iv:yEW/41M+YJnEyCne3DzIZ4+h+p0xzO3b8ZC6ai5MquE=,tag:Gu+xADBxeQnLPwAiQ6BFsA==,type:str]
 #ENC[AES256_GCM,data:mC4JlJLFFT6OuCHt8DH/uKuXtX2x2zHu2y0+MKQ=,iv:yOrqx+5ZR95b7Bn8BeKexwsT/crpX7kOMom0bdGBTCY=,tag:ErSgI32zshgW3MPT4MZLlA==,type:comment]
 redis_password: ENC[AES256_GCM,data:VBAJRe3cO5rt9TJ1N+YUXg6pDL27UrTtJ6rXQtzBxWToF1E1/4DWxr90xw==,iv:nowHNAqbD1qlTZYaGxD0KCFS4PfBpP9e5XQbiBRRGzU=,tag:4vVp1CLOpaXw3i21BrQiaw==,type:str]
 #ENC[AES256_GCM,data:ZsI7f5v762m7M3g9AZQILU8EFokmKGAKFvPPyJj1uLu+aYJw,iv:HVvYS0XgTUUHNUVuYRXTzeXJYBHhi0XXCMy1zRlVfAw=,tag:huhPxsQl9W23KhM4RZs22A==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:74+2efnEZFRStWaE7Moxu2m89H1EMhNhsvBw4eJu50HY+8ltmSqagYLrsA==,iv:IWDpO6MfTwH4HJrIWti+CVRtGfe5q8bRkemB46jLYPM=,tag:DKEiE84OZ6RVClz4L3oITw==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUXloeEZMcEt4M3kxL3U5
            MXpiU1c4Vy9uTkVDL0R3Rng5N25DZFhPTUhjCllyeU0rbEp0SVFTLzFNUVJscHhv
            L1htaUt3S2pJN3NZQ0UwTXpReG9NcnMKLS0tIGpQbnU4SnRyb3RzeCswL2t1d1Vt
            aTR0SGowcmdBdE9GV0pDV2hUajR2QzAKZupaPPPAgagGrj88sVZF9/SbmLpZIBJC
            EyKmyzi4HR2cb541LVTFY2FCBX3oy6xWbt6omCqnmnymAqD1s8IaTw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-14T13:32:54Z"
    mac: ENC[AES256_GCM,data:q0NindbnNfVCnzr7fgvWUPZlk5Dw7rIMhDqCCaOSdYJaJ+gLTbmO1eaG2rA/Q2u7ATYge4AV7rxuAAMk5kws7btzLLJjnZ1pVpmoOGuKV8Py1+6d3Ah7Lzvn4Rgdi3b4VHL5N2e967yodqFRz7WPGoqeHGnjlijYh3/gOYOfmNQ=,iv:UCi3Ar6Vq79RFcY36giDX79fQnq0wPnT1hoBB/JyVhI=,tag:MlqjepPQDl4i1ddYG9o7oA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/clients/test-temp.sops.yaml
+++ b/secrets/clients/test-temp.sops.yaml
--- a/secrets/clients/test.sops.yaml
+++ b/secrets/clients/test.sops.yaml
@ -1,38 +0,0 @@
 #ENC[AES256_GCM,data:eZqiMbgZ970iP9xR1lP1Mf4//4y3l76kTg==,iv:cYffSE0jP5zrezKl/UBoNFc2gxb6El1hhripoXC6Uck=,tag:bnZZjLPH2zyObXU0QT9i+Q==,type:comment]
 #ENC[AES256_GCM,data:3lAY7IxFpSbgBS9Jfte4tqBi6/jv1d4rqpXvFIzwaBi8kbIRZWc=,iv:Hx+Jd4xVRwzU7yjm962I5xU2NFX5njx43u8ibBKe/fk=,tag:EEDSENvFr/PhRu0PIY0K2g==,type:comment]
 #ENC[AES256_GCM,data:QWGb4941FGgKU/iMUHEyK+eJoIxrig==,iv:GhFhT6jSQZ076/5yfDzEvsxoxCx9O6ueTbRePGxEdD8=,tag:w/psPqZ98Dn9BZFjL4X8pw==,type:comment]
 client_name: ENC[AES256_GCM,data:RgV0RQ==,iv:uCKSI8QpjTlkTg6/wpbTcnjFxB77pjSaCnCeG0tZ4g0=,tag:vWI6wakgwwCAv6HW82q8oA==,type:str]
 client_domain: ENC[AES256_GCM,data:66fMimASNHXHjY62altJkg==,iv:q4umVB66CiqGwAp7IHcVd6txXE9Wv/Ge0AhUfb4Wyrc=,tag:3IsOGtI91VzlnHFqAzmzkg==,type:str]
 #ENC[AES256_GCM,data:2JdPa35b7MsjQ8OR3zxQF5ssn+js8AQo,iv:kDwIUJ/35Y7MJVts0DH1x3kuKWSxawrfBStDA+BbRO0=,tag:rNgsObk+N1gss5C+IzMi5A==,type:comment]
 authentik_domain: ENC[AES256_GCM,data:Mw6zdhoC5ENTsYWGx4VqgUtTNPwM,iv:xOVUdfvqpj0feDHA8s6aSTqgCWEJJhlgVKF34GW2Hm0=,tag:eZyTNJEWkSPiVexXW8zy9A==,type:str]
 authentik_db_password: ENC[AES256_GCM,data:HsyTlbM8pewD6ZUndnPQzBzlNECdlOqEWt6AgIMURU4U85NmhoRaAIwcVw==,iv:x2hHZVGnbCDggRRyW7BFfhmUT8WpAwua0tonwF2UDSI=,tag:Bbboc0vKGcrIvjIAsC2eVA==,type:str]
 authentik_secret_key: ENC[AES256_GCM,data:cl1U+PGeaQNu2OW3t4QzfWIyMtvkQdYk8Adb7EmLrSHceeHxfXgKwgxvp2Fn7C8RDpuCsztkxEz1D2vePO2xSpIo3Q==,iv:trlB7PJd4os21wOK+CyfymE+oopdksydS+z3VHBT1wU=,tag:BwQ2FygYOaX22YKOTgY0mw==,type:str]
 #ENC[AES256_GCM,data:3AF1/xf9DULcTEhTfxSr9ls8U0cr0ToG88783V10OAmsOclhq5h3ncFoLM3GZXY=,iv:Ji7447QFwRn0MKoXakAoe7ZDeJrT0fYAVHwYBWr/hjQ=,tag:+CQyj9pZxzKualOV/hlrkg==,type:comment]
 authentik_bootstrap_password: ENC[AES256_GCM,data:K0nR2CCA+mZLwt1eKY3NU0iB3aXRbze+aX089cmAfTXunBsRZgXWirC3Pg==,iv:Ki4G/iMoL8rqIR/E5YWWNa60TEFEJlpmjfSO17ccjms=,tag:c91a6Dlu2cDeAbtH0VMynw==,type:str]
 authentik_bootstrap_token: ENC[AES256_GCM,data:wzToXlHEEo4hqbTpYaj8VcjIzl9JIBYelb6csfSXB3gsecyOOriUsvpBua2By0l6c2DMpUVipRR1fEo6CZLc,iv:3U7eseITVM6LTzlc7tEPV44qYTdiLbKpOcDR+S0y9ME=,tag:UFxakIe4ZhgJy8K8caF16A==,type:str]
 authentik_bootstrap_email: ENC[AES256_GCM,data:3H2b7nl+i5AnXVSWCWkpzfCe7lk8ow==,iv:KlpRA6aP1/sSG5PSs8Q3aRshn1ZgHQwW4AtTYwCgd+0=,tag:SpD7K4Xme/QUTxLEL7Xi3A==,type:str]
 #ENC[AES256_GCM,data:ZXsSQkRtXNF5DMUPAAaLBWkAgh/hJMUX,iv:+r+WtRYebnFEkw3qmIkXRPUUYSep53qzgy2FvpGhSfw=,tag:S+w04XduCSLRntLJiEDFUQ==,type:comment]
 nextcloud_domain: ENC[AES256_GCM,data:i0hWB89Lxjn+s9NOrFsYZr/zsQ2/BzZKIk0=,iv:AU1LLm04+4Ekjm9Q3Gqe3MpqdIdGAGK7EaClJMO2bz0=,tag:8AEN6jdruVUzFEZe0sVBrg==,type:str]
 nextcloud_admin_user: ENC[AES256_GCM,data:EkGgPFQ=,iv:69EdTYC3xMzp5g9RQ+C5hjBw+gLBghaKQArOc+77nR4=,tag:17oRhQUMD1yHj06gS3ODAA==,type:str]
 nextcloud_admin_password: ENC[AES256_GCM,data:aRbg8hmK5QMOS0xqEkgq2j96ajhtG+gYnriHrT5lrZynbpNt0tXGh2SIuQ==,iv:WWnoi9si/o/9Qsj68sR3XFKba2UUWiVrjx1XLsvuhcI=,tag:AUr9WFNGyedvc1woGMFeMw==,type:str]
 nextcloud_db_password: ENC[AES256_GCM,data:xygLEUi1doSFzG8JANguzGxyP8vXm9GDhDqmRAAsj2VfIEbzANsa5iWbtQ==,iv:UgKufxyqi2LwJ8/QIT4mssHxSGvixW7dWXRTURaoI0k=,tag:yr8ZiR3DphX+mzJ63qRbRw==,type:str]
 nextcloud_db_root_password: ENC[AES256_GCM,data:IuKUtIDDJOmFHbG6dZFOC+WDrEg2vBTemWVjbapwRmYRIwQg47+38dOQjg==,iv:CISRoJZtV4JI0AB5erHNZLPRE+oeo4jxd446GUfSkWo=,tag:juEZ+gV82kfgrny2lC6Qow==,type:str]
 #ENC[AES256_GCM,data:fh5zP6W0szyikkvHfNIs98J2Vl9C8xhHnWrmFZM=,iv:Di1DjQ8Nxrb1KnvtRKJIOMfO1CmbNpweVj7Ijsx79dA=,tag:YL/eJn+uG5qLP4TW4KyPdg==,type:comment]
 redis_password: ENC[AES256_GCM,data:EgNqS7asbH0PHlad43D3kgEJqb5qpZVHI1XuWdu8uqm0H6pJu6M435s3Pg==,iv:dsiEU9Ik12CFT+6PATLA40MMgN/kgoHfOc7Lfkih/Ug=,tag:2fSPKLZgd8Ebc/j3xeb2bA==,type:str]
 #ENC[AES256_GCM,data:OxFZyktOkNHq32ixDlpaHRmlu10we9rHb+YKOG4BNig6cdzh,iv:tyh/ozm0ooidGCSEKzZ0jqX0x7Z3v+/rtV4q5+vYpjQ=,tag:zQ0KKB5U9+4T8dKhBD7ZdQ==,type:comment]
 collabora_admin_password: ENC[AES256_GCM,data:jxrOdFLAeIRp7lVBz4WiqYFNdCn+FqHJsPSfRyD3uqQWUwWhXuG2LlQmOw==,iv:j8KWGx4392q6IllfTMjL9JitkHL9XVuShdOM+6ZtP/4=,tag:D3nqs03YwmjmT4A3W1uumA==,type:str]
 sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVzNUaC94SnBRU2lNQjdu
            Q05BMzF6VWlBckd1VjlXOVNSMTdFR2Z3ZEhvCmdsU2tJOTNCMkhjNlVJK3FOeUFl
            VnhxT1ZObkZMdXNoSkE1UWVXUVY4d0EKLS0tIDllbVJCMGZDaXJWb2oxbHJ6Y05F
            NnN0SE4rZ0lFWUlaNjBIc293UzlxakkKYOxxyTtwEEo3j6iMGeHyArYSquT+2ieB
            cPA1QayU4OBucKo34WuZTh41TxIg2hr1GG3Ews5QDEiTJlAQuAzldw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-09T07:31:15Z"
    mac: ENC[AES256_GCM,data:MSnPPzLLCZIIK/RmhlpMaNGEeZCHVzY2PK4A4PhC4nXuw9AwGjYDrHn3FQ9aJywi7NlXxLqFWo9nSnFswNlIUpea/3MTsa5LNimX6a22c9YRut+yImwrBU3abcgzxVJsHk7DUGIA1TY/AElC5ZLNROrw/X+sVf5L2pq7P2/oous=,iv:cOxocMqLgzzzT89RdfJdfvOfZ3Ph4tWbE6bV21WZgZI=,tag:zrthLaXOrdx3IU4I5G+zBQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/Show more
+++ b/Show more
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKuSYRVVWCYqjNvJ5pHZTErkmVbEb1g3ac8olXUcXy7 client-bever-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsGfzhrcVtYEn2YHzxVGibBDXPd571unltfOaVo5JlR client-das-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE75mnMfKHTIeq5Hp8LKaKYHGbzdFke1a9N7e0UEMNBu client-egel-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAa4QHMVKnTSS/q5kptQYzas7ln2MbgE5Db47GM2DjRI client-haas-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtZzQTzNWLcFi4NNqg6l53kqPVDsgau1O7GWWKwZh9l client-kikker-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXF5COMplFqwxCRymXN7y4b+RWiBbVQpIMmFoK10qgh client-kraai-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGPPukFDhM4eIolsowRsD6jYrNYoM3/B9yLi2KNqmPi client-mees-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAsLbdkl0peC15KnxhSsCI45Z2FwQu2Hy1LArzHoXu5 client-mol-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAoeg3LDX5zRuw5Yt5WwbYNRXo70H7e5OYE3oMbJRyL client-mus-deploy-key`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3edQhsIBD9Ers7wuFWSww8r3ROkKNJF8YcxgRtQdov client-otter-deploy-key`