Post-Tyranny-Tech-Infrastru.../secrets/clients/test.sops.yaml
Pieter van Boheemen 054e0e1e87
Deploy Zitadel identity provider with DNS automation (#3) (#8)
This commit implements a complete Zitadel identity provider deployment
with automated DNS management using vrije.cloud domain.

## Infrastructure Changes

### DNS Management
- Migrated from deprecated hetznerdns provider to modern hcloud provider v1.57+
- Automated DNS record creation for client subdomains (test.vrije.cloud)
- Automated wildcard DNS for service subdomains (*.test.vrije.cloud)
- Supports both IPv4 (A) and IPv6 (AAAA) records

### Zitadel Deployment
- Added complete Zitadel role with PostgreSQL 16 database
- Configured Zitadel v2.63.7 with proper external domain settings
- Implemented first instance setup with admin user creation
- Set up database connection with proper user and admin credentials
- Configured email verification bypass for first admin user

### Traefik Updates
- Upgraded from v3.0 to v3.2 for better Docker API compatibility
- Added manual routing configuration in dynamic.yml for Zitadel
- Configured HTTP/2 Cleartext (h2c) backend for Zitadel service
- Added Zitadel-specific security headers middleware
- Fixed Docker API version compatibility issues

### Secrets Management
- Added Zitadel credentials to test client secrets
- Generated proper 32-character masterkey (Zitadel requirement)
- Created admin password with symbol complexity requirement
- Added zitadel_domain configuration

## Deployment Details

Test environment now accessible at:
- Server: test.vrije.cloud (78.47.191.38)
- Zitadel: https://zitadel.test.vrije.cloud/
- Admin user: admin@test.zitadel.test.vrije.cloud

Successfully tested:
- HTTPS with Let's Encrypt SSL certificate
- Admin login with 2FA setup
- First instance initialization

Fixes #3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Pieter <pieter@kolabnow.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-05 16:40:37 +01:00


```yaml
#ENC[AES256_GCM,data:N5GrnX4oxwTmii6SiAdbZ6cNHYHS8COphg==,iv:nKwJFhRd+lKsKvTY/miXkvNYF/MoPOuTCcMOldB1e6o=,tag:Gu7VGqLmHnNFSBq23oiTKA==,type:comment]
#ENC[AES256_GCM,data:OZwfwJ9O+xSygmBOirZ3OfKzRQ==,iv:2Oy+ZZnfVgKB9rm1Xr+4dVY0Ny3soiVdznYHT+KV2Mk=,tag:wBr1c3h+118FJE5zRB9D7g==,type:comment]
client_name: ENC[AES256_GCM,data:vaMWvg==,iv:SNkcJsVq0QHnCku9WzOHZpY282OYK3NpWdnWpr9f0Cc=,tag:CMA6AY0I4F+EQ5Vw14Fo9Q==,type:str]
client_domain: ENC[AES256_GCM,data:4QqtTVrKzr9RihL2MjCfdQ==,iv:6EiqWtRBuFfBO28NJkHfGaPUMAPkd6XpU9jKJyJN3AQ=,tag:sbm9ArjDeUjQnRUcberm3g==,type:str]
#ENC[AES256_GCM,data:uoS37xiQ+sj9tL7TAPnY,iv:D+YkgPUiYQKgGMircnGZjhZ+9qqwDGiVDDfHpw76Irs=,tag:IF/n/bZJkXnnQLEZpMCjog==,type:comment]
zitadel_domain: ENC[AES256_GCM,data:zBYb/6VV9w+WaRJ979rOAexrjKDWrKA3,iv:xTEbPUNSANoIMlIYnejj+DpSyg3G1zp9dLExUap0FiI=,tag:zc6PsNTAyVug1j7qV2QBLg==,type:str]
#ENC[AES256_GCM,data:Et/LOKSvoypnWgOa+2BRDw==,iv:GnOn/0zgCWJyaxQU8EuVWf6JMvUishkOLgiX3u4firg=,tag:aSiwqpjeCaYkHfvK9yA2EA==,type:comment]
zitadel_db_password: ENC[AES256_GCM,data:DYUfwlU+MmgMVhPNG2vWelP8AxoZGBBdST6Tu3qL9oo=,iv:6rUUndg7lKVUTBleDN296csG18Sge+jfcGAS8nLnvNQ=,tag:eZYsJajreqBBDQ9f62uEkg==,type:str]
zitadel_admin_password: ENC[AES256_GCM,data:R63L/AasVX4U9JTk6TceQ3ssQmauqA==,iv:vdFpadKrbnYabbF1VHz9p1F1UAGTq8zGimfUcY1Q18I=,tag:lJzlPLjWim7un8bnu6Ag0w==,type:str]
zitadel_masterkey: ENC[AES256_GCM,data:UJJvevSA3wOdiSsNhgd6FQyanGz0UlNY07PFw/A2/oM=,iv:YllkHETB84ymAdKlVwHRtFJELOU8J16Zk+YOJERA5o8=,tag:TEg1grtk1tLekZFMYXvoCQ==,type:str]
#ENC[AES256_GCM,data:ezHDbKI3OWGK1g+Foy55zIO3,iv:qu+124Qr8HnSNITJ/KLQPfiKk+tsylPc/6pXfJus7Rw=,tag:jdK4CG1ID9vEf3fwGX21qA==,type:comment]
nextcloud_db_password: ENC[AES256_GCM,data:XcMlkgQEFPDjupgkLN29Kv9/h9zHqgbVFBESpNsNQcc=,iv:qGXo/un4a7Zvbwkfe9SalqRhYHA8aK5R36j75uwI4As=,tag:49bXKFX4LJSG6qWGnAPmOA==,type:str]
nextcloud_admin_password: ENC[AES256_GCM,data:aPrihv33Jenj14X16xCM+ad5,iv:k/azAY3tYkgD3mTK66rl8xXCk6Q5WFPyAx3x42gsL8U=,tag:DP9aLEI5aLj9nxqU2fOe/w==,type:str]
#ENC[AES256_GCM,data:+8XTcTojV2GEgJ0Vqgwi/M/dGTiQ/GjFaNtYHhfzg79pCg==,iv:kaf0tID2dgEZ34K+SStYwqXE457uYx1jJ/X/jj66QKk=,tag:Ffh4oJ/vlBDAt2ietzaIQg==,type:comment]
restic_repo_password: ENC[AES256_GCM,data:XnJ6T1yFU+bMEqeZ2DlfwSrH8fDfvSECvbpPiajqWKY=,iv:dQFidsORFC8b6xkm/SxRoW86kXZLgVdw4R5eWK3Slek=,tag:LhHnkQu6fK6q+LGE5+jQAw==,type:str]
#ENC[AES256_GCM,data:WJL9I1Ywhyj1zFLFpkzAeKJnTLcKqpXHvK6U8eReraXjll8cfDvBoy0gDjoaYJeiOUsNrUosgCowUkO5Rsh7qAkdxEM=,iv:feQbZyyVTtIEgq7r235977Qzv4Aw3ySnw1krZ4e+xbw=,tag:p5FKhxwh14rCZlr4UNtfNw==,type:comment]
#ENC[AES256_GCM,data:H7uVvy0johFigCM6gXFJefRnaN8+aHIeP24aM3A=,iv:BYipDmfPR54zldX4FYz1Zd8CldPaaFMaJexgcSlLjSY=,tag:jbbitJgtVYvoxpqoHA6Rpw==,type:comment]
#ENC[AES256_GCM,data:NSV3p9oBOEqAuunSfCOwj2IyL4NLKQ9jbWm2FyeJoQ2T,iv:ttn70OrdSNi76792DQR7cSRao8rhtygoYOoKNS86ASY=,tag:d6/OBfkwk0l/654F/8jeiA==,type:comment]
sops:
    age:
        - recipient: age170jqy5pg6z62kevadqyxxekw8ryf3e394zaquw0nhs9ae3v9wd6qq2hxnk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUy9RZWdWV0lQbU5kQ1Vq
            SEpNVitYcmJ4YjZ2bmtMdE1WMVYyMXBrMXd3CkI3ZTBldDZrUjh0R2ROOG1LOUpR
            ZmVOaHNmeXdoQzJqRFk3UUJESDE3Uk0KLS0tIEo2YjRRWm9yamRoN1pRYWgwZTBx
            bUJ6cTFkWmlNRWxFS2FhRzNYbUFpb3cK27FBZIOevWweM5OUIAvM7A2ZJdI36aao
            1t8Ot5vfCh7p01Es+Sb1YlNbyTmZ1P3ZV9FNxVotEjxYRH6BZuovjg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-05T14:44:48Z"
    mac: ENC[AES256_GCM,data:iNWtt7I33yQXTwrPf3GMJ4qC9HHmlRAVQrZyN7KFyOxT7L8iijCwbMThA8k+EVHIyQU10rYo5nbZtTkM4rJ7RiXqfwQVRpKMyLC+67hAiQBUwDhy7iVX4G1LzkJObTQnxAsldJ8O7gFReOFyTklf9WyUC2lRdcW4KkMnnDQdkao=,iv:QHJ4n75iGQ4mI4UoTUEPa/oXa4iLe7DtCzl14h5ENtU=,tag:14vV+JSLlXtxaEfwV3+Qzw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
```
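As an added example (not code from this repository or the commit), a pre-commit style check in Python for a sops-encrypted client file like the one above: every value must carry the `ENC[AES256_GCM,...]` wrapper, comments must be encrypted too (sops stores them as `type:comment`), only keys ending in the file's declared `unencrypted_suffix` may be plaintext, and the `sops` block must name an age recipient and an encrypted MAC. The sample file, its dummy ciphertext and the placeholder age recipient are constructed; the key names follow the file above.

```python
import re
# Shape of a value sops has encrypted: file-level AES-256-GCM with base64 fields.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[\w+/=]+,iv:[\w+/=]+,tag:[\w+/=]+,type:\w+\]$")

def lint_sops_yaml(text: str) -> dict:
    """Check a flat sops YAML file: values ENC[...], comments encrypted, metadata present."""
    rep = {"encrypted": [], "plaintext": [], "bad_comments": [], "missing": []}
    m = re.search(r"^\s+unencrypted_suffix:\s*(\S+)", text, re.M)
    suffix = m.group(1) if m else "_unencrypted"   # honour the file's own suffix
    in_sops, meta, recipients = False, {}, 0
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body:
            continue
        if body.startswith("#"):          # sops encrypts comments too (type:comment)
            if not ENC_RE.match(body[1:].strip()):
                rep["bad_comments"].append(n)
            continue
        key, _, value = (s.strip() for s in body.lstrip("- ").partition(":"))
        if not raw[0].isspace():          # top-level key: enter or leave the sops block
            in_sops = key == "sops"
        if in_sops:                       # age armor lines have no colon, so value is ""
            recipients += key == "recipient"
            meta[key] = value
        elif value and not key.endswith(suffix):
            rep["encrypted" if ENC_RE.match(value) else "plaintext"].append(key)
    if recipients == 0:
        rep["missing"].append("age.recipient")
    if not ENC_RE.match(meta.get("mac", "")):   # absent or plaintext MAC: hand-edited file
        rep["missing"].append("mac")
    return rep

# Constructed sample in the layout of the file above (dummy ciphertext, placeholder
# recipient): a comment sops did not write, a plaintext password, a declared-plaintext key.
SAMPLE = """\
#ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:comment]
client_name: ENC[AES256_GCM,data:dGVzdA==,iv:aXY=,tag:dGFn,type:str]
zitadel_masterkey: ENC[AES256_GCM,data:bWFzdGVy,iv:aXY=,tag:dGFn,type:str]
# TODO rotate before go-live
zitadel_admin_password: not-a-real-password
zitadel_domain_unencrypted: zitadel.test.vrije.cloud
sops:
    age:
        - recipient: age1placeholderrecipientxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
"""
```

Run it as a pre-commit hook over `secrets/**/*.sops.yaml` and reject the commit when `plaintext`, `bad_comments` or `missing` is non-empty.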