Post-X-Society/Post-Tyranny-Tech-Infrastructure

No description

Find a file

Pieter 0c4d536246 feat: Add version tracking and maintenance monitoring (issue #15 ) Complete implementation of automatic version tracking and drift detection: New Scripts: - scripts/collect-client-versions.sh: Query deployed versions from Docker - Connects via Ansible to running servers - Extracts versions from container images - Updates registry automatically - scripts/check-client-versions.sh: Compare versions across clients - Multiple formats: table (colorized), CSV, JSON - Filter by outdated versions - Highlights drift with color coding - scripts/detect-version-drift.sh: Identify version differences - Detects clients with outdated versions - Threshold-based staleness detection (default 30 days) - Actionable recommendations - Exit code 1 if drift detected (CI/monitoring friendly) Updated Scripts: - scripts/deploy-client.sh: Auto-collect versions after deployment - scripts/rebuild-client.sh: Auto-collect versions after rebuild Documentation: - docs/maintenance-tracking.md: Complete maintenance guide - Version management workflows - Security update procedures - Monitoring integration examples - Troubleshooting guide Features: ✅ Automatic version collection from deployed servers ✅ Multi-client version comparison reports ✅ Version drift detection with recommendations ✅ Integration with deployment workflows ✅ Export to CSV/JSON for external tools ✅ Canary-first update workflow support Usage Examples: ```bash # Collect versions ./scripts/collect-client-versions.sh dev # Compare all clients ./scripts/check-client-versions.sh # Detect drift ./scripts/detect-version-drift.sh # Export for monitoring ./scripts/check-client-versions.sh --format=json ``` Closes #15 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>		2026-01-17 20:53:15 +01:00
.claude/agents	feat: Implement per-client SSH key isolation	2026-01-17 19:50:30 +01:00
ansible	Remove automated recovery flow configuration	2026-01-17 09:57:07 +01:00
clients	feat: Implement client registry system (issue #12 )	2026-01-17 20:24:53 +01:00
docs	feat: Add version tracking and maintenance monitoring (issue #15 )	2026-01-17 20:53:15 +01:00
keys	feat: Implement per-client SSH key isolation	2026-01-17 19:50:30 +01:00
scripts	feat: Add version tracking and maintenance monitoring (issue #15 )	2026-01-17 20:53:15 +01:00
secrets	chore: Clean up client secrets directory	2026-01-17 19:32:06 +01:00
tofu	feat: Implement per-client SSH key isolation	2026-01-17 19:50:30 +01:00
.gitignore	security: Rotate exposed Authentik API token	2026-01-09 08:32:45 +01:00
.sops.yaml	Complete SOPS secrets management setup (#5 )	2025-12-27 14:23:36 +01:00
PROJECT_REFERENCE.md	feat: Complete Authentik SSO integration with automated OIDC setup	2026-01-08 16:56:19 +01:00
README.md	feat: Automate SSH key and secrets generation in deployment scripts	2026-01-17 20:04:29 +01:00

README.md

Post-X Society Multi-Tenant Infrastructure

Infrastructure as Code for a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.

🏗️ Architecture

Provisioning: OpenTofu (open source Terraform fork)
Configuration: Ansible with dynamic inventory
Secrets: SOPS + Age encryption
Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
Identity: Authentik (OAuth2/OIDC SSO, MIT license)
Storage: Nextcloud (German company, AGPL 3.0)

📁 Repository Structure

infrastructure/
├── .claude/agents/          # AI agent definitions for specialized tasks
├── docs/                    # Architecture decisions and runbooks
├── tofu/                    # OpenTofu configurations for Hetzner
├── ansible/                 # Ansible playbooks and roles
├── secrets/                 # SOPS-encrypted secrets (git-safe)
├── docker/                  # Docker Compose configurations
└── scripts/                 # Deployment and management scripts

🚀 Quick Start

Prerequisites

Automated Deployment (Recommended)

The fastest way to deploy a client:

# 1. Set environment variables
export HCLOUD_TOKEN="your-hetzner-api-token"
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"

# 2. Add client to terraform.tfvars
# clients = {
#   newclient = {
#     server_type = "cx22"
#     location    = "fsn1"
#     subdomain   = "newclient"
#     apps        = ["authentik", "nextcloud"]
#   }
# }

# 3. Deploy client (fully automated, ~10-15 minutes)
./scripts/deploy-client.sh newclient

The script will automatically:

✅ Generate unique SSH key pair (if missing)
✅ Create secrets file from template (if missing, opens in editor)
✅ Provision VPS on Hetzner Cloud
✅ Deploy Authentik (SSO/identity provider)
✅ Deploy Nextcloud (file storage)
✅ Configure OAuth2/OIDC integration
✅ Set up SSL certificates
✅ Create admin accounts

Result: Fully functional system, ready to use immediately!

Management Scripts

# Deploy a fresh client
./scripts/deploy-client.sh <client_name>

# Rebuild existing client (destroy + redeploy)
./scripts/rebuild-client.sh <client_name>

# Destroy client infrastructure
./scripts/destroy-client.sh <client_name>

See scripts/README.md for detailed documentation.

Manual Setup (Advanced)

Click to expand manual setup instructions

Clone repository:
```
git clone <repo-url>
cd infrastructure
```

Generate Age encryption key:

age-keygen -o keys/age-key.txt
# Store securely in password manager!

Configure OpenTofu variables:

cp tofu/terraform.tfvars.example tofu/terraform.tfvars
# Edit with your Hetzner API token and configuration

Create client secrets:

cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml
sops secrets/clients/<client>.sops.yaml
# Update client_name, domains, regenerate all passwords

Provision infrastructure:
```
cd tofu
tofu init
tofu apply
```

Deploy applications:

cd ../ansible
export HCLOUD_TOKEN="your-token"
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"

ansible-playbook -i hcloud.yml playbooks/setup.yml --limit <client>
ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit <client>

🎯 Project Principles

EU/GDPR-first: European vendors and data residency
Truly open source: Avoid source-available or restrictive licenses
Client isolation: Full separation between tenants
Infrastructure as Code: All changes via version control
Security by default: Encryption, hardening, least privilege

📖 Documentation

PROJECT_REFERENCE.md - Essential information and common operations
scripts/README.md - Management scripts documentation
AUTOMATION_STATUS.md - Full automation details
Architecture Decision Record - Complete design rationale
SSO Automation - OAuth2/OIDC integration workflow
Agent Definitions - Specialized AI agent instructions

🤝 Contributing

This project uses specialized AI agents for development:

Architect: High-level design decisions
Infrastructure: OpenTofu + Ansible implementation
Authentik: Identity provider and SSO configuration
Nextcloud: File sync/share configuration

See individual agent files in .claude/agents/ for responsibilities.

🔒 Security

Secrets are encrypted with SOPS + Age before committing
Age private keys are NEVER stored in this repository
See .gitignore for protected files

📝 License

TBD

🙋 Support

For issues or questions, please create a GitHub issue with the appropriate label:

agent:architect - Architecture/design questions
agent:infrastructure - IaC implementation
agent:authentik - Identity provider/SSO
agent:nextcloud - File sync/share