Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/playbooks/deploy.yml
Pieter van Boheemen 054e0e1e87
Deploy Zitadel identity provider with DNS automation (#3) (#8) 
This commit implements a complete Zitadel identity provider deployment
with automated DNS management using vrije.cloud domain.

## Infrastructure Changes

### DNS Management
- Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+
- Automated DNS record creation for client subdomains (test.vrije.cloud)
- Automated wildcard DNS for service subdomains (*.test.vrije.cloud)
- Supports both IPv4 (A) and IPv6 (AAAA) records

### Zitadel Deployment
- Added complete Zitadel role with PostgreSQL 16 database
- Configured Zitadel v2.63.7 with proper external domain settings
- Implemented first instance setup with admin user creation
- Set up database connection with proper user and admin credentials
- Configured email verification bypass for first admin user

### Traefik Updates
- Upgraded from v3.0 to v3.2 for better Docker API compatibility
- Added manual routing configuration in dynamic.yml for Zitadel
- Configured HTTP/2 Cleartext (h2c) backend for Zitadel service
- Added Zitadel-specific security headers middleware
- Fixed Docker API version compatibility issues

### Secrets Management
- Added Zitadel credentials to test client secrets
- Generated proper 32-character masterkey (Zitadel requirement)
- Created admin password with symbol complexity requirement
- Added zitadel_domain configuration

## Deployment Details

Test environment now accessible at:
- Server: test.vrije.cloud (78.47.191.38)
- Zitadel: https://zitadel.test.vrije.cloud/
- Admin user: admin@test.zitadel.test.vrije.cloud

Successfully tested:
- HTTPS with Let's Encrypt SSL certificate
- Admin login with 2FA setup
- First instance initialization

Fixes #3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Pieter <pieter@kolabnow.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00

43 lines
1.2 KiB
YAML
Raw Blame History

---
# Deploy applications to client servers
# This playbook deploys Zitadel, Nextcloud, and other applications
- name: Deploy applications to client servers
hosts: all
become: yes
pre_tasks:
- name: Gather facts
setup:
- name: Determine client name from hostname
set_fact:
client_name: "{{ inventory_hostname }}"
- name: Load client secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
name: client_secrets
age_key: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Set Zitadel domain from secrets
set_fact:
zitadel_domain: "{{ client_secrets.zitadel_domain }}"
when: client_secrets.zitadel_domain is defined
roles:
- role: zitadel
post_tasks:
- name: Display deployment summary
debug:
msg: |
Deployment complete for client: {{ client_name }}
Zitadel: https://{{ zitadel_domain }}
Next steps:
1. Login to Zitadel with the admin credentials
2. Change the admin password
3. Configure OIDC applications for Nextcloud (when deployed)
Reference in a new issue View git blame Copy permalink