Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
7 commits 3 branches 3 tags 498 KiB
Find a file
Pieter 93ce586b94 Deploy Nextcloud file sync/share with automated installation (#4) 
This commit implements a complete Nextcloud deployment with PostgreSQL, Redis,
automated installation, and preparation for OIDC/SSO integration with Zitadel.

## Nextcloud Deployment

### New Ansible Role (ansible/roles/nextcloud/)
- Complete Nextcloud v30 deployment with Docker Compose
- PostgreSQL 16 backend with persistent volumes
- Redis 7 for caching and file locking
- Automated installation via Docker environment variables
- Post-installation configuration via occ commands

### Features Implemented
- **Database**: PostgreSQL with proper credentials and persistence
- **Caching**: Redis for memory caching and file locking
- **HTTPS**: Traefik integration with Let's Encrypt SSL
- **Security**: Proper security headers and HSTS
- **WebDAV**: CalDAV/CardDAV redirect middleware
- **Configuration**: Automated trusted domain, reverse proxy, and Redis setup
- **OIDC Preparation**: user_oidc app installed and enabled

### Traefik Updates
- Added Nextcloud routing to dynamic.yml (static file-based config)
- Configured CalDAV/CardDAV redirect middleware
- Added Nextcloud-specific security headers

### Configuration Tasks
- Automated trusted domain configuration for nextcloud.test.vrije.cloud
- Reverse proxy overwrite settings (protocol, host, CLI URL)
- Redis cache and locking configuration
- Default phone region (NL)
- Background jobs via cron

## Deployment Status

 Successfully deployed and tested:
- Nextcloud: https://nextcloud.test.vrije.cloud/
- Admin login working
- PostgreSQL database initialized
- Redis caching operational
- HTTPS with Let's Encrypt SSL
- user_oidc app installed (ready for Zitadel integration)

## Next Steps

To complete OIDC/SSO integration:
1. Create OIDC application in Zitadel console
2. Use redirect URI: https://nextcloud.test.vrije.cloud/apps/user_oidc/code
3. Configure provider in Nextcloud with Zitadel credentials

Partially addresses #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 09:30:54 +01:00
.claude/agents Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00
ansible Deploy Nextcloud file sync/share with automated installation (#4) 2026-01-06 09:30:54 +01:00
docs Complete Ansible base configuration (#2) 2025-12-27 14:13:15 +01:00
keys Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
secrets Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
tofu Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
.gitignore Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
.sops.yaml Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
README.md Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00

README.md

Post-X Society Multi-Tenant Infrastructure

Infrastructure as Code for a scalable multi-tenant VPS platform running Zitadel (identity provider) and Nextcloud (file sync/share) on Hetzner Cloud.

🏗️ Architecture

  • Provisioning: OpenTofu (open source Terraform fork)
  • Configuration: Ansible with dynamic inventory
  • Secrets: SOPS + Age encryption
  • Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
  • Identity: Zitadel (Swiss company, AGPL 3.0)
  • Storage: Nextcloud (German company, AGPL 3.0)

📁 Repository Structure

infrastructure/
├── .claude/agents/          # AI agent definitions for specialized tasks
├── docs/                    # Architecture decisions and runbooks
├── tofu/                    # OpenTofu configurations for Hetzner
├── ansible/                 # Ansible playbooks and roles
├── secrets/                 # SOPS-encrypted secrets (git-safe)
├── docker/                  # Docker Compose configurations
└── scripts/                 # Deployment and management scripts

🚀 Quick Start

Prerequisites

Initial Setup

  1. Clone repository:

    git clone <repo-url>
cd infrastructure

  2. Generate Age encryption key:

    age-keygen -o keys/age-key.txt
# Store securely in password manager!

  3. Configure OpenTofu variables:

    cp tofu/terraform.tfvars.example tofu/terraform.tfvars
# Edit with your Hetzner API token and configuration

  4. Provision infrastructure:

    cd tofu
tofu init
tofu plan
tofu apply

  5. Deploy applications:

    cd ../ansible
ansible-playbook playbooks/setup.yml

🎯 Project Principles

  1. EU/GDPR-first: European vendors and data residency
  2. Truly open source: Avoid source-available or restrictive licenses
  3. Client isolation: Full separation between tenants
  4. Infrastructure as Code: All changes via version control
  5. Security by default: Encryption, hardening, least privilege

📖 Documentation

🤝 Contributing

This project uses specialized AI agents for development:

  • Architect: High-level design decisions
  • Infrastructure: OpenTofu + Ansible implementation
  • Zitadel: Identity provider configuration
  • Nextcloud: File sync/share configuration

See individual agent files in .claude/agents/ for responsibilities.

🔒 Security

  • Secrets are encrypted with SOPS + Age before committing
  • Age private keys are NEVER stored in this repository
  • See .gitignore for protected files

📝 License

TBD

🙋 Support

For issues or questions, please create a GitHub issue with the appropriate label:

  • agent:architect - Architecture/design questions
  • agent:infrastructure - IaC implementation
  • agent:zitadel - Identity provider
  • agent:nextcloud - File sync/share