Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
6 commits 3 branches 3 tags 498 KiB
Find a file
Pieter van Boheemen 054e0e1e87
Deploy Zitadel identity provider with DNS automation (#3) (#8) 
This commit implements a complete Zitadel identity provider deployment
with automated DNS management using vrije.cloud domain.

## Infrastructure Changes

### DNS Management
- Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+
- Automated DNS record creation for client subdomains (test.vrije.cloud)
- Automated wildcard DNS for service subdomains (*.test.vrije.cloud)
- Supports both IPv4 (A) and IPv6 (AAAA) records

### Zitadel Deployment
- Added complete Zitadel role with PostgreSQL 16 database
- Configured Zitadel v2.63.7 with proper external domain settings
- Implemented first instance setup with admin user creation
- Set up database connection with proper user and admin credentials
- Configured email verification bypass for first admin user

### Traefik Updates
- Upgraded from v3.0 to v3.2 for better Docker API compatibility
- Added manual routing configuration in dynamic.yml for Zitadel
- Configured HTTP/2 Cleartext (h2c) backend for Zitadel service
- Added Zitadel-specific security headers middleware
- Fixed Docker API version compatibility issues

### Secrets Management
- Added Zitadel credentials to test client secrets
- Generated proper 32-character masterkey (Zitadel requirement)
- Created admin password with symbol complexity requirement
- Added zitadel_domain configuration

## Deployment Details

Test environment now accessible at:
- Server: test.vrije.cloud (78.47.191.38)
- Zitadel: https://zitadel.test.vrije.cloud/
- Admin user: admin@test.zitadel.test.vrije.cloud

Successfully tested:
- HTTPS with Let's Encrypt SSL certificate
- Admin login with 2FA setup
- First instance initialization

Fixes #3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Pieter <pieter@kolabnow.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00
.claude/agents Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00
ansible Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
docs Complete Ansible base configuration (#2) 2025-12-27 14:13:15 +01:00
keys Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
secrets Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
tofu Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
.gitignore Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
.sops.yaml Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
README.md Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00

README.md

Post-X Society Multi-Tenant Infrastructure

Infrastructure as Code for a scalable multi-tenant VPS platform running Zitadel (identity provider) and Nextcloud (file sync/share) on Hetzner Cloud.

🏗️ Architecture

  • Provisioning: OpenTofu (open source Terraform fork)
  • Configuration: Ansible with dynamic inventory
  • Secrets: SOPS + Age encryption
  • Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
  • Identity: Zitadel (Swiss company, AGPL 3.0)
  • Storage: Nextcloud (German company, AGPL 3.0)

📁 Repository Structure

infrastructure/
├── .claude/agents/          # AI agent definitions for specialized tasks
├── docs/                    # Architecture decisions and runbooks
├── tofu/                    # OpenTofu configurations for Hetzner
├── ansible/                 # Ansible playbooks and roles
├── secrets/                 # SOPS-encrypted secrets (git-safe)
├── docker/                  # Docker Compose configurations
└── scripts/                 # Deployment and management scripts

🚀 Quick Start

Prerequisites

Initial Setup

  1. Clone repository:

    git clone <repo-url>
cd infrastructure

  2. Generate Age encryption key:

    age-keygen -o keys/age-key.txt
# Store securely in password manager!

  3. Configure OpenTofu variables:

    cp tofu/terraform.tfvars.example tofu/terraform.tfvars
# Edit with your Hetzner API token and configuration

  4. Provision infrastructure:

    cd tofu
tofu init
tofu plan
tofu apply

  5. Deploy applications:

    cd ../ansible
ansible-playbook playbooks/setup.yml

🎯 Project Principles

  1. EU/GDPR-first: European vendors and data residency
  2. Truly open source: Avoid source-available or restrictive licenses
  3. Client isolation: Full separation between tenants
  4. Infrastructure as Code: All changes via version control
  5. Security by default: Encryption, hardening, least privilege

📖 Documentation

🤝 Contributing

This project uses specialized AI agents for development:

  • Architect: High-level design decisions
  • Infrastructure: OpenTofu + Ansible implementation
  • Zitadel: Identity provider configuration
  • Nextcloud: File sync/share configuration

See individual agent files in .claude/agents/ for responsibilities.

🔒 Security

  • Secrets are encrypted with SOPS + Age before committing
  • Age private keys are NEVER stored in this repository
  • See .gitignore for protected files

📝 License

TBD

🙋 Support

For issues or questions, please create a GitHub issue with the appropriate label:

  • agent:architect - Architecture/design questions
  • agent:infrastructure - IaC implementation
  • agent:zitadel - Identity provider
  • agent:nextcloud - File sync/share