No description
282e248605
Security fixes: - Remove hardcoded Collabora password from COLLABORA_SETUP.md - Replace with placeholder and password generation instructions - Rotate exposed Collabora password in test.sops.yaml - New password: NX3NEpOMogUOcADjB0B2y1QGuRTSeDUn (SOPS encrypted) The old password was exposed in documentation and needs to be rotated on the test server. Future deployments will use the new password from the encrypted secrets file. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .claude/agents | ||
| ansible | ||
| docs | ||
| keys | ||
| secrets | ||
| tofu | ||
| .gitignore | ||
| .sops.yaml | ||
| README.md | ||
Post-X Society Multi-Tenant Infrastructure
Infrastructure as Code for a scalable multi-tenant VPS platform running Zitadel (identity provider) and Nextcloud (file sync/share) on Hetzner Cloud.
🏗️ Architecture
- Provisioning: OpenTofu (open source Terraform fork)
- Configuration: Ansible with dynamic inventory
- Secrets: SOPS + Age encryption
- Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
- Identity: Zitadel (Swiss company, AGPL 3.0)
- Storage: Nextcloud (German company, AGPL 3.0)
📁 Repository Structure
infrastructure/
├── .claude/agents/ # AI agent definitions for specialized tasks
├── docs/ # Architecture decisions and runbooks
├── tofu/ # OpenTofu configurations for Hetzner
├── ansible/ # Ansible playbooks and roles
├── secrets/ # SOPS-encrypted secrets (git-safe)
├── docker/ # Docker Compose configurations
└── scripts/ # Deployment and management scripts
🚀 Quick Start
Prerequisites
- OpenTofu >= 1.6
- Ansible >= 2.15
- SOPS + Age
- Hetzner Cloud account
Initial Setup
-
Clone repository:
git clone <repo-url> cd infrastructure -
Generate Age encryption key:
age-keygen -o keys/age-key.txt # Store securely in password manager! -
Configure OpenTofu variables:
cp tofu/terraform.tfvars.example tofu/terraform.tfvars # Edit with your Hetzner API token and configuration -
Provision infrastructure:
cd tofu tofu init tofu plan tofu apply -
Deploy applications:
cd ../ansible ansible-playbook playbooks/setup.yml
🎯 Project Principles
- EU/GDPR-first: European vendors and data residency
- Truly open source: Avoid source-available or restrictive licenses
- Client isolation: Full separation between tenants
- Infrastructure as Code: All changes via version control
- Security by default: Encryption, hardening, least privilege
📖 Documentation
- Architecture Decision Record - Complete design rationale
- Runbook - Operational procedures (coming soon)
- Agent Definitions - Specialized AI agent instructions
🤝 Contributing
This project uses specialized AI agents for development:
- Architect: High-level design decisions
- Infrastructure: OpenTofu + Ansible implementation
- Zitadel: Identity provider configuration
- Nextcloud: File sync/share configuration
See individual agent files in .claude/agents/ for responsibilities.
🔒 Security
- Secrets are encrypted with SOPS + Age before committing
- Age private keys are NEVER stored in this repository
- See
.gitignorefor protected files
📝 License
TBD
🙋 Support
For issues or questions, please create a GitHub issue with the appropriate label:
agent:architect- Architecture/design questionsagent:infrastructure- IaC implementationagent:zitadel- Identity provideragent:nextcloud- File sync/share