No description
4e72ddf4ef
Completed Issue #2: Ansible Base Configuration All objectives met: - ✅ Hetzner Cloud dynamic inventory (hcloud plugin) - ✅ Common role (SSH hardening, UFW firewall, fail2ban, auto-updates) - ✅ Docker role (Docker Engine + Compose + networks) - ✅ Traefik role (reverse proxy with Let's Encrypt SSL) - ✅ Setup playbook (orchestrates all base roles) - ✅ Successfully tested on live test server (91.99.210.204) Additional improvements: - Fixed ansible.cfg for Ansible 2.20+ compatibility - Updated ADR dates to 2025 - All roles follow Infrastructure Agent patterns Test Results: - SSH hardening applied (key-only auth) - UFW firewall active (ports 22, 80, 443) - Fail2ban protecting SSH - Automatic security updates enabled - Docker running with traefik network - Traefik deployed and ready for SSL Files added: - ansible/playbooks/setup.yml - ansible/roles/docker/* (complete) - ansible/roles/traefik/* (complete) Closes #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .claude/agents | ||
| ansible | ||
| docs | ||
| tofu | ||
| .gitignore | ||
| README.md | ||
Post-X Society Multi-Tenant Infrastructure
Infrastructure as Code for a scalable multi-tenant VPS platform running Zitadel (identity provider) and Nextcloud (file sync/share) on Hetzner Cloud.
🏗️ Architecture
- Provisioning: OpenTofu (open source Terraform fork)
- Configuration: Ansible with dynamic inventory
- Secrets: SOPS + Age encryption
- Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
- Identity: Zitadel (Swiss company, AGPL 3.0)
- Storage: Nextcloud (German company, AGPL 3.0)
📁 Repository Structure
infrastructure/
├── .claude/agents/ # AI agent definitions for specialized tasks
├── docs/ # Architecture decisions and runbooks
├── tofu/ # OpenTofu configurations for Hetzner
├── ansible/ # Ansible playbooks and roles
├── secrets/ # SOPS-encrypted secrets (git-safe)
├── docker/ # Docker Compose configurations
└── scripts/ # Deployment and management scripts
🚀 Quick Start
Prerequisites
- OpenTofu >= 1.6
- Ansible >= 2.15
- SOPS + Age
- Hetzner Cloud account
Initial Setup
-
Clone repository:
git clone <repo-url> cd infrastructure -
Generate Age encryption key:
age-keygen -o keys/age-key.txt # Store securely in password manager! -
Configure OpenTofu variables:
cp tofu/terraform.tfvars.example tofu/terraform.tfvars # Edit with your Hetzner API token and configuration -
Provision infrastructure:
cd tofu tofu init tofu plan tofu apply -
Deploy applications:
cd ../ansible ansible-playbook playbooks/setup.yml
🎯 Project Principles
- EU/GDPR-first: European vendors and data residency
- Truly open source: Avoid source-available or restrictive licenses
- Client isolation: Full separation between tenants
- Infrastructure as Code: All changes via version control
- Security by default: Encryption, hardening, least privilege
📖 Documentation
- Architecture Decision Record - Complete design rationale
- Runbook - Operational procedures (coming soon)
- Agent Definitions - Specialized AI agent instructions
🤝 Contributing
This project uses specialized AI agents for development:
- Architect: High-level design decisions
- Infrastructure: OpenTofu + Ansible implementation
- Zitadel: Identity provider configuration
- Nextcloud: File sync/share configuration
See individual agent files in .claude/agents/ for responsibilities.
🔒 Security
- Secrets are encrypted with SOPS + Age before committing
- Age private keys are NEVER stored in this repository
- See
.gitignorefor protected files
📝 License
TBD
🙋 Support
For issues or questions, please create a GitHub issue with the appropriate label:
agent:architect- Architecture/design questionsagent:infrastructure- IaC implementationagent:zitadel- Identity provideragent:nextcloud- File sync/share