Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../secrets/clients
History
Pieter 62977285ad feat: Automate OpenTofu terraform.tfvars management 
Add automation to streamline client onboarding by managing terraform.tfvars:

New Script:
- scripts/add-client-to-terraform.sh: Add clients to OpenTofu config
  - Interactive and non-interactive modes
  - Configurable server type, location, volume size
  - Validates client names
  - Detects existing entries
  - Shows configuration preview before applying
  - Clear next-steps guidance

Updated Scripts:
- scripts/deploy-client.sh: Check for terraform.tfvars entry
  - Detects missing clients
  - Prompts to add automatically
  - Calls add-client-to-terraform.sh if user confirms
  - Fails gracefully with instructions if declined

- scripts/rebuild-client.sh: Validate terraform.tfvars
  - Ensures client exists before rebuild
  - Clear error if missing
  - Directs to deploy-client.sh for new clients

Benefits:
 Eliminates manual terraform.tfvars editing
 Reduces human error in configuration
 Consistent client configuration structure
 Guided workflow with clear prompts
 Validation prevents common mistakes

Test Results (blue client):
-  SSH key auto-generation (working)
-  Secrets template creation (working)
-  Terraform.tfvars automation (working)
- ⏸️ Full deployment test (in progress)

Usage:
```bash
# Standalone
./scripts/add-client-to-terraform.sh myclient

# With options
./scripts/add-client-to-terraform.sh myclient \
  --server-type=cx22 \
  --location=fsn1 \
  --volume-size=100

# Non-interactive (for scripts)
./scripts/add-client-to-terraform.sh myclient \
  --volume-size=50 \
  --non-interactive

# Integrated (automatic prompt)
./scripts/deploy-client.sh myclient
# → Detects missing terraform.tfvars entry
# → Offers to add automatically
```

This increases deployment automation from ~60% to ~85%,
leaving only security-sensitive steps (secrets editing, infrastructure approval) as manual.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 21:34:05 +01:00
..
.gitignore chore: Add gitignore for secrets/clients to prevent plaintext files 2026-01-08 17:01:15 +01:00
blue.sops.yaml feat: Automate OpenTofu terraform.tfvars management 2026-01-17 21:34:05 +01:00
dev.sops.yaml fix: Restore Mailgun SMTP and Nextcloud OIDC integration 2026-01-14 16:04:00 +01:00
README.md chore: Clean up client secrets directory 2026-01-17 19:32:06 +01:00
template.sops.yaml chore: Clean up client secrets directory 2026-01-17 19:32:06 +01:00

README.md

Client Secrets Directory

This directory contains SOPS-encrypted secrets files for each deployed client.

Files

Active Clients

  • dev.sops.yaml - Development/canary server secrets
    • Status: Deployed
    • Purpose: Testing and canary deployments

Templates

  • template.sops.yaml - Template for creating new client secrets
    • Status: Reference only (not deployed)
    • Purpose: Copy this file when onboarding new clients

Creating Secrets for a New Client

# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml

# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml

# 3. Update all fields:
#    - client_name: newclient
#    - client_domain: newclient.vrije.cloud
#    - authentik_domain: auth.newclient.vrije.cloud
#    - nextcloud_domain: nextcloud.newclient.vrije.cloud
#    - REGENERATE all passwords and tokens (never reuse!)

# 4. Deploy the client
./scripts/deploy-client.sh newclient

Important Security Notes

⚠️ Never commit plaintext secrets!

  • Only *.sops.yaml files should be committed
  • Temporary files (*-temp.yaml, *.tmp) are gitignored
  • Always verify secrets are encrypted: file secrets/clients/*.sops.yaml

⚠️ Always regenerate secrets for new clients!

  • Never copy passwords between clients
  • Use strong random passwords (32+ characters)
  • Each client must have unique credentials

File Naming Convention

  • Production clients: clientname.sops.yaml
  • Development/test: dev.sops.yaml
  • Templates: template.sops.yaml
  • Never commit: *-temp.yaml, *.tmp, *_plaintext.yaml

Viewing Secrets

# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml

# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml

Required Secrets per Client

Each client secrets file must contain:

Authentik (Identity Provider)

  • authentik_db_password - PostgreSQL database password
  • authentik_secret_key - Django secret key
  • authentik_bootstrap_password - Initial admin (akadmin) password
  • authentik_bootstrap_token - API token for automation
  • authentik_bootstrap_email - Admin email address

Nextcloud (File Storage)

  • nextcloud_admin_user - Admin username (usually "admin")
  • nextcloud_admin_password - Admin password
  • nextcloud_db_password - MariaDB database password
  • nextcloud_db_root_password - MariaDB root password
  • redis_password - Redis cache password

Optional

  • collabora_admin_password - Collabora Online admin password (if using)

Troubleshooting

"No such file or directory: age-key.txt"

# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"

"Failed to decrypt"

  • Verify you have the correct age private key
  • Check that .sops.yaml references the correct age public key
  • Ensure the file was encrypted with the same age key

"File contains plaintext secrets"

# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)

# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml

See Also