ACHIEVEMENT: Invitation-only enrollment flow is now fully working! 🎉

This commit adds a utility playbook that was used to successfully deploy the updated enrollment-flow.yaml blueprint to the running dev server. The key fix was adding the tenant configuration to set the enrollment flow as the default in the Authentik brand, ensuring invitations created in the UI automatically use the correct flow.

Changes:
- Added update-enrollment-flow.yml playbook for deploying flow updates
- Successfully deployed and verified on dev server
- Invitation URLs now work correctly with the format: https://auth.dev.vrije.cloud/if/flow/default-enrollment-flow/?itoken=<token>

Features confirmed working:
✓ Invitation-only registration (no public signup)
✓ Correct flow is set as brand default
✓ Email notifications via Mailgun SMTP
✓ 2FA enforcement configured
✓ Password recovery flow configured

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
| Path |
|---|
| .claude/agents |
| ansible |
| docs |
| keys |
| scripts |
| secrets |
| tofu |
| .gitignore |
| .sops.yaml |
| PROJECT_REFERENCE.md |
| README.md |
Post-X Society Multi-Tenant Infrastructure
Infrastructure as Code for a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.
🏗️ Architecture
- Provisioning: OpenTofu (open source Terraform fork)
- Configuration: Ansible with dynamic inventory
- Secrets: SOPS + Age encryption
- Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
- Identity: Authentik (OAuth2/OIDC SSO, MIT license)
- Storage: Nextcloud (German company, AGPL 3.0)
📁 Repository Structure
infrastructure/
├── .claude/agents/ # AI agent definitions for specialized tasks
├── docs/ # Architecture decisions and runbooks
├── tofu/ # OpenTofu configurations for Hetzner
├── ansible/ # Ansible playbooks and roles
├── secrets/ # SOPS-encrypted secrets (git-safe)
├── docker/ # Docker Compose configurations
└── scripts/ # Deployment and management scripts
🚀 Quick Start
Prerequisites
- OpenTofu >= 1.6
- Ansible >= 2.15
- SOPS + Age
- Hetzner Cloud account
Automated Deployment (Recommended)
The fastest way to deploy a client:
# 1. Set environment variables
export HCLOUD_TOKEN="your-hetzner-api-token"
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# 2. Deploy client (fully automated, ~10-15 minutes)
./scripts/deploy-client.sh <client_name>
This automatically:
- ✅ Provisions VPS on Hetzner Cloud
- ✅ Deploys Authentik (SSO/identity provider)
- ✅ Deploys Nextcloud (file storage)
- ✅ Configures OAuth2/OIDC integration
- ✅ Sets up SSL certificates
- ✅ Creates admin accounts
Result: Fully functional system, ready to use immediately!
Management Scripts
# Deploy a fresh client
./scripts/deploy-client.sh <client_name>
# Rebuild existing client (destroy + redeploy)
./scripts/rebuild-client.sh <client_name>
# Destroy client infrastructure
./scripts/destroy-client.sh <client_name>
See scripts/README.md for detailed documentation.
Manual Setup (Advanced)
1. Clone repository:
   git clone <repo-url>
   cd infrastructure
2. Generate Age encryption key:
   age-keygen -o keys/age-key.txt
   # Store securely in password manager!
3. Configure OpenTofu variables:
   cp tofu/terraform.tfvars.example tofu/terraform.tfvars
   # Edit with your Hetzner API token and configuration
4. Create client secrets:
   cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml
   sops secrets/clients/<client>.sops.yaml
   # Update client_name, domains, regenerate all passwords
5. Provision infrastructure:
   cd tofu
   tofu init
   tofu apply
6. Deploy applications:
   cd ../ansible
   export HCLOUD_TOKEN="your-token"
   export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
   ansible-playbook -i hcloud.yml playbooks/setup.yml --limit <client>
   ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit <client>
🎯 Project Principles
- EU/GDPR-first: European vendors and data residency
- Truly open source: Avoid source-available or restrictive licenses
- Client isolation: Full separation between tenants
- Infrastructure as Code: All changes via version control
- Security by default: Encryption, hardening, least privilege
📖 Documentation
- PROJECT_REFERENCE.md - Essential information and common operations
- scripts/README.md - Management scripts documentation
- AUTOMATION_STATUS.md - Full automation details
- Architecture Decision Record - Complete design rationale
- SSO Automation - OAuth2/OIDC integration workflow
- Agent Definitions - Specialized AI agent instructions
🤝 Contributing
This project uses specialized AI agents for development:
- Architect: High-level design decisions
- Infrastructure: OpenTofu + Ansible implementation
- Authentik: Identity provider and SSO configuration
- Nextcloud: File sync/share configuration
See individual agent files in .claude/agents/ for responsibilities.
🔒 Security
- Secrets are encrypted with SOPS + Age before committing
- Age private keys are NEVER stored in this repository
- See .gitignore for protected files
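The two rules above (secrets under secrets/ are SOPS-encrypted before commit, the Age private key never enters the repository) can be enforced mechanically. The following pre-commit guard is an added example, not a script from this repository; it assumes the repository's own layout (secrets as *.sops.yaml, Age key written by age-keygen) and takes the files to inspect as arguments so it can be fed the staged file list.

```shell
#!/bin/sh
# Added example (not part of this repository): refuse to commit a plaintext
# secrets file or an Age private key. Assumes secrets are *.sops.yaml files
# (as in secrets/clients/) and the key is the output of age-keygen.

# Return 0 if the file looks SOPS-encrypted: it must carry the "sops:"
# metadata block and at least one ENC[...] ciphertext value.
is_sops_encrypted() {
  grep -q '^sops:' "$1" && grep -q 'ENC\[' "$1"
}

# Return 0 if the file contains an Age private key (age-keygen output).
is_age_private_key() {
  grep -q '^AGE-SECRET-KEY-1' "$1"
}

# check_staged FILE... : return 1 if any file is a key or an unencrypted
# secrets file; every offending path is reported, not just the first.
check_staged() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if is_age_private_key "$f"; then
      echo "BLOCKED: $f contains an Age private key" >&2
      rc=1
    fi
    case "$f" in
      *.sops.yaml|*.sops.yml)
        if ! is_sops_encrypted "$f"; then
          echo "BLOCKED: $f is not SOPS-encrypted" >&2
          rc=1
        fi ;;
    esac
  done
  return $rc
}

# Hook usage (.git/hooks/pre-commit), checking only what is about to be committed:
#   git diff --cached --name-only --diff-filter=AM | xargs sh check-secrets.sh
if [ $# -gt 0 ]; then
  check_staged "$@"
fi
```

The ENC[ marker check catches the common failure mode of saving a SOPS file with an editor that did not re-encrypt it; a SOPS "creation_rules" entry in .sops.yaml does not by itself prevent that file from being committed.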
📝 License
TBD
🙋 Support
For issues or questions, please create a GitHub issue with the appropriate label:
- agent:architect - Architecture/design questions
- agent:infrastructure - IaC implementation
- agent:authentik - Identity provider/SSO
- agent:nextcloud - File sync/share