This commit implements a complete Zitadel identity provider deployment with automated DNS management using the vrije.cloud domain.

## Infrastructure Changes

### DNS Management

- Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+
- Automated DNS record creation for client subdomains (test.vrije.cloud)
- Automated wildcard DNS for service subdomains (*.test.vrije.cloud)
- Supports both IPv4 (A) and IPv6 (AAAA) records

### Zitadel Deployment

- Added complete Zitadel role with PostgreSQL 16 database
- Configured Zitadel v2.63.7 with proper external domain settings
- Implemented first instance setup with admin user creation
- Set up database connection with proper user and admin credentials
- Configured email verification bypass for first admin user

### Traefik Updates

- Upgraded from v3.0 to v3.2 for better Docker API compatibility
- Added manual routing configuration in dynamic.yml for Zitadel
- Configured HTTP/2 Cleartext (h2c) backend for Zitadel service
- Added Zitadel-specific security headers middleware
- Fixed Docker API version compatibility issues

### Secrets Management

- Added Zitadel credentials to test client secrets
- Generated proper 32-character masterkey (Zitadel requirement)
- Created admin password with symbol complexity requirement
- Added zitadel_domain configuration

## Deployment Details

Test environment now accessible at:

- Server: test.vrije.cloud (78.47.191.38)
- Zitadel: https://zitadel.test.vrije.cloud/
- Admin user: admin@test.zitadel.test.vrije.cloud

Successfully tested:

- HTTPS with Let's Encrypt SSL certificate
- Admin login with 2FA setup
- First instance initialization

Fixes #3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Pieter <pieter@kolabnow.com>
Co-authored-by: Claude <noreply@anthropic.com>
39 lines
1.2 KiB
Django/Jinja
```yaml
# Traefik Reverse Proxy
# Managed by Ansible - do not edit manually

services:
  traefik:
    image: traefik:{{ traefik_version }}
    container_name: traefik
    restart: unless-stopped
    environment:
      # Fix Docker API version compatibility - use 1.44 for modern Docker
      - DOCKER_API_VERSION=1.44
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
{% if traefik_dashboard_enabled %}
      # Host port 8080 is where Traefik's insecure API/dashboard listens when
      # api.insecure is enabled in traefik.yml; it is published on the host
      # whenever the dashboard is on, independent of the TLS router below
      - "8080:8080"
{% endif %}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # ':ro' only makes the bind mount read-only at the filesystem level;
      # the container can still connect to the socket and use the full Docker API
      - {{ traefik_docker_socket }}:{{ traefik_docker_socket }}:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - {{ traefik_network }}
{% if traefik_dashboard_enabled %}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`{{ traefik_dashboard_domain }}`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      # api@internal with no middlewares label on this router: the dashboard
      # and read-only API are served without any authentication
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
{% endif %}

networks:
  {{ traefik_network }}:
    external: true
```
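Review bot: the `dashboard` router in the labels block serves `api@internal` but has no `traefik.http.routers.dashboard.middlewares` label, so whenever `traefik_dashboard_enabled` is true the dashboard and API are reachable by anyone who can reach port 443 with the `Host` set to `{{ traefik_dashboard_domain }}`; add an authentication middleware to that router (basicAuth or forwardAuth, defined in `dynamic.yml` alongside the Zitadel routes this commit adds) before enabling it outside a lab. The same conditional also publishes `- "8080:8080"` on the host, which sidesteps the TLS router entirely if `api.insecure` is on in `traefik.yml`; drop that port mapping, or bind it to `127.0.0.1`. Finally, `{{ traefik_docker_socket }}:{{ traefik_docker_socket }}:ro` still hands the container the complete Docker API (a read-only mount does not restrict socket writes), so a socket proxy that only permits the container-listing endpoints the Docker provider needs would reduce the blast radius if Traefik is compromised.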
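The checks a reviewer would run against the compose service above can be automated. The following is an added example, not code from the repository on this page: it audits a compose service dictionary for the three hardening gaps visible in the template (an `api@internal` router without a middleware, a published port 8080, and a Docker socket mount) plus the `no-new-privileges` option. The two service dictionaries are constructed by hand to mirror the template rendered with `traefik_dashboard_enabled` true; the variable values (`traefik_version`, `traefik_docker_socket`, `traefik_dashboard_domain`) and the `dashboard-auth@file` middleware name are assumptions for illustration.

```python
"""Audit a Traefik docker-compose service for common hardening gaps.

Added example; not code from the repository shown on this page. The
sample service dictionaries below are constructed to mirror the compose
template, with the Ansible variable values assumed.
"""
import re
from typing import Any

# Traefik Docker-provider label grammar: traefik.http.routers.<router>.<option>=<value>
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$")

# Traefik's default "traefik" entrypoint, used when api.insecure is on, listens on 8080.
API_ENTRYPOINT_PORT = "8080"


def parse_routers(labels: list[str]) -> dict[str, dict[str, str]]:
    """Group router labels as {router_name: {option: value}}."""
    routers: dict[str, dict[str, str]] = {}
    for label in labels:
        m = ROUTER_LABEL.match(label)
        if m:
            name, option, value = m.groups()
            routers.setdefault(name, {})[option] = value
    return routers


def container_port(port_spec: str) -> str:
    """Container-side port from 'host:ctr', 'ip:host:ctr' or 'host:ctr/proto'."""
    return str(port_spec).rpartition(":")[2].split("/")[0]


def audit_service(name: str, svc: dict[str, Any],
                  docker_socket: str = "/var/run/docker.sock") -> list[str]:
    """Return human-readable findings for one compose service definition."""
    findings: list[str] = []

    # 1. A router whose service is api@internal exposes the dashboard and the
    #    read-only API; without a middlewares label nothing authenticates it.
    for rname, opts in parse_routers(svc.get("labels", [])).items():
        if opts.get("service") == "api@internal" and "middlewares" not in opts:
            findings.append(f"{name}: router '{rname}' serves api@internal without a middleware")

    # 2. Publishing the API entrypoint on the host bypasses the TLS router.
    for spec in svc.get("ports", []):
        if container_port(spec) == API_ENTRYPOINT_PORT:
            findings.append(f"{name}: container port {API_ENTRYPOINT_PORT} is published ({spec})")

    # 3. ':ro' on the socket mount is filesystem-level only; the container can
    #    still connect to the socket and call any Docker API endpoint.
    for vol in svc.get("volumes", []):
        src, _, rest = str(vol).partition(":")
        if src == docker_socket:
            mode = rest.partition(":")[2]
            if "ro" not in mode.split(","):
                findings.append(f"{name}: Docker socket mounted read-write")
            else:
                findings.append(f"{name}: Docker socket mounted read-only (still full API access)")

    # 4. Container hardening options.
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append(f"{name}: security_opt no-new-privileges:true is missing")
    if svc.get("privileged"):
        findings.append(f"{name}: runs privileged")
    return findings


# Constructed: the template rendered with traefik_dashboard_enabled=true and
# assumed values traefik_version=v3.2, traefik_docker_socket=/var/run/docker.sock,
# traefik_dashboard_domain=traefik.example.test.
TEMPLATE_RENDERED: dict[str, Any] = {
    "image": "traefik:v3.2",
    "security_opt": ["no-new-privileges:true"],
    "ports": ["80:80", "443:443", "8080:8080"],
    "volumes": [
        "/etc/localtime:/etc/localtime:ro",
        "/var/run/docker.sock:/var/run/docker.sock:ro",
        "./traefik.yml:/etc/traefik/traefik.yml:ro",
        "./dynamic.yml:/etc/traefik/dynamic.yml:ro",
        "./letsencrypt:/letsencrypt",
    ],
    "labels": [
        "traefik.enable=true",
        "traefik.http.routers.dashboard.rule=Host(`traefik.example.test`)",
        "traefik.http.routers.dashboard.entrypoints=websecure",
        "traefik.http.routers.dashboard.service=api@internal",
        "traefik.http.routers.dashboard.tls.certresolver=letsencrypt",
    ],
}

# Constructed hardened variant: dashboard behind an auth middleware (name
# assumed, defined in dynamic.yml), 8080 unpublished, no socket mounted
# (a socket proxy would be reached over the network instead).
HARDENED: dict[str, Any] = {
    **TEMPLATE_RENDERED,
    "ports": ["80:80", "443:443"],
    "volumes": [v for v in TEMPLATE_RENDERED["volumes"] if "docker.sock" not in v],
    "labels": TEMPLATE_RENDERED["labels"]
    + ["traefik.http.routers.dashboard.middlewares=dashboard-auth@file"],
}

if __name__ == "__main__":
    for title, svc in (("as rendered", TEMPLATE_RENDERED), ("hardened", HARDENED)):
        print(f"== {title} ==")
        for finding in audit_service("traefik", svc) or ["no findings"]:
            print(" -", finding)
```

Run as-is it reports three findings for the rendered template and none for the hardened variant. Feeding it real data means loading the rendered compose file with a YAML parser and passing each entry of `services` to `audit_service`; the label parser is deliberately limited to `traefik.http.routers.*`, so middleware or service labels would need their own patterns if you extend it.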