Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../scripts/destroy-client.sh
Pieter a5fe631717 feat: Complete Authentik SSO integration with automated OIDC setup 
## Changes

### Identity Provider (Authentik)
-  Deployed Authentik 2025.10.3 as identity provider
-  Configured automatic bootstrap with admin account (akadmin)
-  Fixed OIDC provider creation with correct redirect_uris format
-  Added automated OAuth2/OIDC provider configuration for Nextcloud
-  API-driven provider setup eliminates manual configuration

### Nextcloud Configuration
-  Fixed reverse proxy header configuration (trusted_proxies)
-  Added missing database indices (fs_storage_path_prefix)
-  Ran mimetype migrations for proper file type handling
-  Verified PHP upload limits (16GB upload_max_filesize)
-  Configured OIDC integration with Authentik
-  "Login with Authentik" button auto-configured

### Automation Scripts
-  Added deploy-client.sh for automated client deployment
-  Added rebuild-client.sh for infrastructure rebuild
-  Added destroy-client.sh for cleanup
-  Full deployment now takes ~10-15 minutes end-to-end

### Documentation
-  Updated README with automated deployment instructions
-  Added SSO automation workflow documentation
-  Added automation status tracking
-  Updated project reference with Authentik details

### Technical Fixes
- Fixed Authentik API redirect_uris format (requires list of dicts with matching_mode)
- Fixed Nextcloud OIDC command (user_oidc:provider not user_oidc:provider:add)
- Fixed file lookup in Ansible (changed to slurp for remote files)
- Updated Traefik to v3.6 for Docker API 1.44 compatibility
- Improved error handling in app installation tasks

## Security
- All credentials stored in SOPS-encrypted secrets
- Trusted proxy configuration prevents IP spoofing
- Bootstrap tokens auto-generated and secured

## Result
Fully automated SSO deployment - no manual configuration required!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-08 16:56:19 +01:00

137 lines
4.2 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
#
# Destroy a client's infrastructure
#
# Usage: ./scripts/destroy-client.sh <client_name>
#
# This script will:
# 1. Remove all Docker containers and volumes on the server
# 2. Destroy the VPS server via OpenTofu
# 3. Remove DNS records
#
# WARNING: This is DESTRUCTIVE and IRREVERSIBLE!
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
# Check arguments
if [ $# -ne 1 ]; then
echo -e "${RED}Error: Client name required${NC}"
echo "Usage: $0 <client_name>"
echo ""
echo "Example: $0 test"
exit 1
fi
CLIENT_NAME="$1"
# Check if secrets file exists
SECRETS_FILE="$PROJECT_ROOT/secrets/clients/${CLIENT_NAME}.sops.yaml"
if [ ! -f "$SECRETS_FILE" ]; then
echo -e "${RED}Error: Secrets file not found: $SECRETS_FILE${NC}"
exit 1
fi
# Check required environment variables
if [ -z "${HCLOUD_TOKEN:-}" ]; then
echo -e "${RED}Error: HCLOUD_TOKEN environment variable not set${NC}"
echo "Export your Hetzner Cloud API token:"
echo " export HCLOUD_TOKEN='your-token-here'"
exit 1
fi
if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
echo -e "${YELLOW}Warning: SOPS_AGE_KEY_FILE not set, using default${NC}"
export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/keys/age-key.txt"
fi
# Confirmation prompt
echo -e "${RED}========================================${NC}"
echo -e "${RED}WARNING: DESTRUCTIVE OPERATION${NC}"
echo -e "${RED}========================================${NC}"
echo ""
echo -e "This will ${RED}PERMANENTLY DELETE${NC}:"
echo " - VPS server for client: $CLIENT_NAME"
echo " - All Docker containers and volumes"
echo " - All DNS records"
echo " - All data on the server"
echo ""
echo -e "${YELLOW}This operation CANNOT be undone!${NC}"
echo ""
read -p "Type the client name '$CLIENT_NAME' to confirm: " confirmation
if [ "$confirmation" != "$CLIENT_NAME" ]; then
echo -e "${RED}Confirmation failed. Aborting.${NC}"
exit 1
fi
echo ""
echo -e "${YELLOW}Starting destruction of client: $CLIENT_NAME${NC}"
echo ""
# Step 1: Clean up Docker containers and volumes on the server (if reachable)
echo -e "${YELLOW}[1/2] Cleaning up Docker containers and volumes...${NC}"
cd "$PROJECT_ROOT/ansible"
if ~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m ping -o &>/dev/null; then
echo "Server is reachable, cleaning up Docker resources..."
# Stop and remove all containers
~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker ps -aq | xargs -r docker stop" -b 2>/dev/null || true
~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker ps -aq | xargs -r docker rm -f" -b 2>/dev/null || true
# Remove all volumes
~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker volume ls -q | xargs -r docker volume rm -f" -b 2>/dev/null || true
# Remove all networks (except defaults)
~/.local/bin/ansible -i hcloud.yml "$CLIENT_NAME" -m shell -a "docker network ls --filter type=custom -q | xargs -r docker network rm" -b 2>/dev/null || true
echo -e "${GREEN}✓ Docker cleanup complete${NC}"
else
echo -e "${YELLOW}⚠ Server not reachable, skipping Docker cleanup${NC}"
fi
echo ""
# Step 2: Destroy infrastructure with OpenTofu
echo -e "${YELLOW}[2/2] Destroying infrastructure with OpenTofu...${NC}"
cd "$PROJECT_ROOT/tofu"
# Get current infrastructure state
echo "Checking current infrastructure..."
tofu plan -destroy -var-file="terraform.tfvars" -target="hcloud_server.client[\"$CLIENT_NAME\"]" -out=destroy.tfplan
echo ""
echo "Applying destruction..."
tofu apply destroy.tfplan
# Cleanup plan file
rm -f destroy.tfplan
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN}✓ Client '$CLIENT_NAME' destroyed successfully${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo "The following have been removed:"
echo " ✓ VPS server"
echo " ✓ DNS records (if managed by OpenTofu)"
echo " ✓ Firewall rules (if not shared)"
echo ""
echo -e "${YELLOW}Note: Secrets file still exists at:${NC}"
echo " $SECRETS_FILE"
echo ""
echo "To rebuild this client, run:"
echo " ./scripts/deploy-client.sh $CLIENT_NAME"
echo ""
Reference in a new issue View git blame Copy permalink