Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../PROJECT_REFERENCE.md
Pieter a5fe631717 feat: Complete Authentik SSO integration with automated OIDC setup 
## Changes

### Identity Provider (Authentik)
-  Deployed Authentik 2025.10.3 as identity provider
-  Configured automatic bootstrap with admin account (akadmin)
-  Fixed OIDC provider creation with correct redirect_uris format
-  Added automated OAuth2/OIDC provider configuration for Nextcloud
-  API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
-  Fixed reverse proxy header configuration (trusted_proxies)
-  Added missing database indices (fs_storage_path_prefix)
-  Ran mimetype migrations for proper file type handling
-  Verified PHP upload limits (16GB upload_max_filesize)
-  Configured OIDC integration with Authentik
-  "Login with Authentik" button auto-configured

### Automation Scripts
-  Added deploy-client.sh for automated client deployment
-  Added rebuild-client.sh for infrastructure rebuild
-  Added destroy-client.sh for cleanup
-  Full deployment now takes ~10-15 minutes end-to-end

### Documentation
-  Updated README with automated deployment instructions
-  Added SSO automation workflow documentation
-  Added automation status tracking
-  Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00

119 lines
3.7 KiB
Markdown
Raw Blame History

# Project Reference
Quick reference for essential project information and common operations.
## Project Structure
```
infrastructure/
├── ansible/ # Ansible playbooks and roles
│ ├── hcloud.yml # Dynamic inventory (Hetzner Cloud)
│ ├── playbooks/ # Main playbooks
│ │ ├── deploy.yml # Deploy applications to clients
│ │ └── setup.yml # Setup base server infrastructure
│ └── roles/ # Ansible roles (traefik, authentik, nextcloud, etc.)
├── keys/
│ └── age-key.txt # SOPS encryption key (gitignored)
├── secrets/
│ ├── clients/ # Per-client encrypted secrets
│ │ └── test.sops.yaml
│ └── shared.sops.yaml # Shared secrets
└── terraform/ # Infrastructure as Code (Hetzner)
```
## Essential Configuration
### SOPS Age Key
**Location**: `infrastructure/keys/age-key.txt`
**Usage**: Always set before running Ansible:
```bash
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
```
### Hetzner Cloud Token
**Usage**: Required for dynamic inventory:
```bash
export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
```
### Ansible Paths
**Working Directory**: `infrastructure/ansible/`
**Inventory**: `hcloud.yml` (dynamic, pulls from Hetzner Cloud API)
**Python**: `~/.local/bin/ansible-playbook` (user-local installation)
## Current Deployment
### Client: test
- **Hostname**: test (from Hetzner Cloud)
- **Authentik SSO**: https://auth.test.vrije.cloud
- **Nextcloud**: https://nextcloud.test.vrije.cloud
- **Secrets**: `secrets/clients/test.sops.yaml`
## Common Operations
### Deploy Applications
```bash
cd infrastructure/ansible
export HCLOUD_TOKEN="MlURmliUzLcGyzCWXWWsZt3DeWxKcQH9ZMGiaaNrFM3VcgnASlEWKhhxLHdWAl0J"
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
# Deploy everything to test client
~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit test
```
### Check Service Status
```bash
# List inventory hosts
export HCLOUD_TOKEN="..."
~/.local/bin/ansible-inventory -i hcloud.yml --list
# Run ad-hoc commands
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker ps"
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker logs nextcloud 2>&1 | tail -50"
```
### Edit Secrets
```bash
cd infrastructure
export SOPS_AGE_KEY_FILE="keys/age-key.txt"
# Edit client secrets
sops secrets/clients/test.sops.yaml
# View decrypted secrets
sops --decrypt secrets/clients/test.sops.yaml
```
## Architecture Notes
### Service Stack
- **Traefik**: Reverse proxy with automatic Let's Encrypt certificates
- **Authentik 2025.10.3**: Identity provider (OAuth2/OIDC, SAML, LDAP)
- **PostgreSQL 16**: Database for Authentik
- **Nextcloud 30.0.17**: File sync and collaboration
- **Redis**: Caching for Nextcloud
- **MariaDB**: Database for Nextcloud
### Docker Networks
- `traefik`: External network for all web-accessible services
- `authentik-internal`: Internal network for Authentik ↔ PostgreSQL
- `nextcloud-internal`: Internal network for Nextcloud ↔ Redis/DB
### Volumes
- `authentik_authentik-db-data`: Authentik PostgreSQL data
- `authentik_authentik-media`: Authentik uploaded media
- `authentik_authentik-templates`: Custom Authentik templates
- `nextcloud_nextcloud-data`: Nextcloud files and database
## Service Credentials
### Authentik Admin
- **URL**: https://auth.test.vrije.cloud
- **Setup**: Complete initial setup at `/if/flow/initial-setup/`
- **Username**: akadmin (recommended)
### Nextcloud Admin
- **URL**: https://nextcloud.test.vrije.cloud
- **Username**: admin
- **Password**: In `secrets/clients/test.sops.yaml``nextcloud_admin_password`
- **SSO**: Login with Authentik button (auto-configured)
Reference in a new issue View git blame Copy permalink