Pieter 9cdf49db48 Add Collabora Office, 2FA, cron container, and dual-cache (#4)
This commit adds production-ready features to Nextcloud based on the
user's existing Nextcloud configuration.

## New Features

### 1. Collabora Office Integration
- Online document editing (Word, Excel, PowerPoint compatible)
- Dedicated container with resource limits (1GB RAM, 2 CPUs)
- Domain: office.{client}.vrije.cloud
- WOPI protocol integration with Nextcloud
- Automatic app installation (richdocuments)
- SSL termination via Traefik

### 2. Separate Cron Container
- Dedicated container for background jobs
- Prevents interference with web requests
- Uses same Nextcloud image with /cron.sh entrypoint
- Shares data volume with main container

### 3. Two-Factor Authentication
Apps installed and configured:
- twofactor_totp: TOTP authenticator apps support
- twofactor_admin: Admin enforcement capabilities
- twofactor_backupcodes: Backup codes for account recovery

Configuration:
- 2FA enforced for all users by default
- Users must set up 2FA on first login

### 4. Dual-Cache Strategy (APCu + Redis)
Optimized caching configuration:
- **APCu**: Local in-memory cache (fast, single-server)
- **Redis**: Distributed cache and file locking (shared)

Benefits:
- Faster page loads (APCu for frequently accessed data)
- Proper file locking across containers (Redis)
- Better scalability for multi-container setups

### 5. Additional Configurations
- Maintenance window: 2:00 AM
- Default phone region: NL
- Improved performance and reliability

## Technical Changes

### Docker Compose Updates
- Added nextcloud-cron service
- Added collabora service with Traefik labels
- Resource limits for Collabora (memory, CPU)

### Ansible Tasks
- New file: `tasks/apps.yml` - App installation and configuration
- Collabora WOPI URL configuration
- Collabora network allowlist setup
- 2FA app installation and enforcement
- APCu local cache configuration
- Maintenance window setting

### Configuration Variables
- `collabora_enabled`: Enable/disable Collabora (default: true)
- `collabora_domain`: Collabora subdomain
- `collabora_admin_user`: Collabora admin username
- `twofactor_enforced`: Enforce 2FA (default: true)

## Documentation

Added comprehensive setup guide:
- `docs/COLLABORA_SETUP.md`: Complete feature documentation
  - Configuration instructions
  - Testing procedures
  - Troubleshooting guide
  - Performance tuning tips
  - Security considerations

## Manual Step Required

Add Collabora admin password to secrets:

```bash
cd infrastructure
export SOPS_AGE_KEY_FILE="$PWD/keys/age-key.txt"
sops secrets/clients/test.sops.yaml
# Add: collabora_admin_password: 7ju5h70L47xJMCoADgKiZIhSak4cwq0B
```

Then redeploy to apply all changes.

## Testing Checklist

- [ ] Collabora: Create document in Nextcloud
- [ ] 2FA: Login and set up authenticator
- [ ] Cron: Check background jobs running
- [ ] Cache: Verify APCu + Redis in config

## Performance Impact

Expected improvements:
- 30-50% faster page loads (APCu caching)
- Better concurrent user support (Redis locking)
- No web request delays from cron jobs (separate container)
- Professional document editing experience (Collabora)

Partially addresses #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 10:34:42 +01:00
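The commit's testing checklist asks to verify that APCu and Redis are both present in the Nextcloud configuration. The script below is an added example, not code from this repository or from Nextcloud: `cache_backend` and `verify_dual_cache` are hypothetical names, and the two `config.php` files it writes to a temporary directory are constructed samples. It relies on how Nextcloud records cache backends in `config.php` (`'memcache.local' => '\OC\Memcache\APCu'`, with `\\` doubled when the value was written by `occ`) and checks the split the commit describes: APCu local, Redis for the distributed cache and for file locking, which is what lets the web and cron containers that share one data volume see each other's locks.

```shell
#!/usr/bin/env sh
# Added example (not from the repository): check that a Nextcloud config.php
# carries the dual-cache layout: APCu as the local in-memory cache, Redis for
# the distributed cache and for file locking. Without a Redis lock backend the
# web and cron containers sharing one data volume have no common lock store.
#
# Nextcloud writes backend class names as '\OC\Memcache\APCu' or, when set
# via occ, as '\\OC\\Memcache\\APCu'; backslashes are stripped so both match.

# cache_backend CONFIG KEY -> prints the backend (APCu, Redis, ...) set for KEY,
# or nothing when the key is absent.
cache_backend() {
  tr -d '\\' < "$1" |
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'OCMemcache\([A-Za-z]*\)'.*/\1/p" |
    head -n 1
}

# verify_dual_cache CONFIG -> 0 when local=APCu, distributed=Redis, locking=Redis
verify_dual_cache() {
  cfg="$1"
  [ "$(cache_backend "$cfg" memcache.local)" = "APCu" ] &&
    [ "$(cache_backend "$cfg" memcache.distributed)" = "Redis" ] &&
    [ "$(cache_backend "$cfg" memcache.locking)" = "Redis" ]
}

demo_dir=$(mktemp -d)

# Constructed sample: the intended configuration (occ-style escaping).
cat > "$demo_dir/dual-cache.config.php" <<'EOF'
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    'port' => 6379,
  ),
);
EOF

# Constructed sample: APCu only. Page loads are fast, but there is no shared
# cache or lock backend between the web and cron containers.
cat > "$demo_dir/apcu-only.config.php" <<'EOF'
<?php
$CONFIG = array (
  'memcache.local' => '\OC\Memcache\APCu',
);
EOF

if verify_dual_cache "$demo_dir/dual-cache.config.php"; then
  echo "dual-cache.config.php: APCu local + Redis distributed/locking OK"
fi
if ! verify_dual_cache "$demo_dir/apcu-only.config.php"; then
  echo "apcu-only.config.php: Redis distributed cache or locking missing" >&2
fi
```

On a running instance the same three keys can be read with `occ config:system:get memcache.local` (and the `distributed` and `locking` variants) instead of parsing `config.php`; the file-based check is what works offline against a rendered template.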
.claude/agents Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00
ansible Add Collabora Office, 2FA, cron container, and dual-cache (#4) 2026-01-06 10:34:42 +01:00
docs Add Collabora Office, 2FA, cron container, and dual-cache (#4) 2026-01-06 10:34:42 +01:00
keys Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
secrets Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
tofu Deploy Zitadel identity provider with DNS automation (#3) (#8) 2026-01-05 16:40:37 +01:00
.gitignore Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
.sops.yaml Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
README.md Initial project structure with agent definitions and ADR 2025-12-24 12:12:17 +01:00

Post-X Society Multi-Tenant Infrastructure

Infrastructure as Code for a scalable multi-tenant VPS platform running Zitadel (identity provider) and Nextcloud (file sync/share) on Hetzner Cloud.

🏗️ Architecture

  • Provisioning: OpenTofu (open source Terraform fork)
  • Configuration: Ansible with dynamic inventory
  • Secrets: SOPS + Age encryption
  • Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
  • Identity: Zitadel (Swiss company, AGPL 3.0)
  • Storage: Nextcloud (German company, AGPL 3.0)

📁 Repository Structure

infrastructure/
├── .claude/agents/          # AI agent definitions for specialized tasks
├── docs/                    # Architecture decisions and runbooks
├── tofu/                    # OpenTofu configurations for Hetzner
├── ansible/                 # Ansible playbooks and roles
├── secrets/                 # SOPS-encrypted secrets (git-safe)
├── docker/                  # Docker Compose configurations
└── scripts/                 # Deployment and management scripts

🚀 Quick Start

Prerequisites

Initial Setup

  1. Clone repository:

    git clone <repo-url>
    cd infrastructure
    
  2. Generate Age encryption key:

    age-keygen -o keys/age-key.txt
    # Store securely in password manager!
    
  3. Configure OpenTofu variables:

    cp tofu/terraform.tfvars.example tofu/terraform.tfvars
    # Edit with your Hetzner API token and configuration
    
  4. Provision infrastructure:

    cd tofu
    tofu init
    tofu plan
    tofu apply
    
  5. Deploy applications:

    cd ../ansible
    ansible-playbook playbooks/setup.yml
    

🎯 Project Principles

  1. EU/GDPR-first: European vendors and data residency
  2. Truly open source: Avoid source-available or restrictive licenses
  3. Client isolation: Full separation between tenants
  4. Infrastructure as Code: All changes via version control
  5. Security by default: Encryption, hardening, least privilege

📖 Documentation

🤝 Contributing

This project uses specialized AI agents for development:

  • Architect: High-level design decisions
  • Infrastructure: OpenTofu + Ansible implementation
  • Zitadel: Identity provider configuration
  • Nextcloud: File sync/share configuration

See individual agent files in .claude/agents/ for responsibilities.

🔒 Security

  • Secrets are encrypted with SOPS + Age before committing
  • Age private keys are NEVER stored in this repository
  • See .gitignore for protected files
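The two rules above (everything under `secrets/` is SOPS-encrypted before it is committed; Age private keys never enter the repository) are conventions unless something enforces them, and a value written into an unencrypted file or a commit message escapes SOPS entirely. The shell script below is an added example, not part of this repository: `is_sops_encrypted`, `has_age_private_key` and `audit_staged` are hypothetical names, and the sample files it writes to a temporary directory are constructed placeholders rather than real ciphertext. It depends on two stable properties of the formats: SOPS stores every encrypted scalar as `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]` and appends a top-level `sops:` metadata block, and Age private keys begin with `AGE-SECRET-KEY-1`.

```shell
#!/usr/bin/env sh
# Added example (not from the repository): a pre-commit style guard for the
# secrets/ layout described in the README.
#   1. every file under secrets/ must carry SOPS metadata and only ENC[...] values
#   2. no file may contain an Age private key (AGE-SECRET-KEY-1...)

# is_sops_encrypted FILE -> 0 when FILE looks like a SOPS-encrypted YAML document
is_sops_encrypted() {
  f="$1"
  # SOPS appends a top-level `sops:` block; a file without it was never encrypted.
  grep -q '^sops:' "$f" || return 1
  # Outside the sops block, every "key: value" scalar must be an ENC[...] value.
  # Mapping headers (`db:`) and comments carry no value and are ignored.
  sed '/^sops:/,$d' "$f" |
    grep -E '^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[^[:space:]]' |
    grep -vE ':[[:space:]]*ENC\[AES256_GCM,' |
    grep -q . && return 1
  return 0
}

# has_age_private_key FILE -> 0 when FILE contains an Age secret key
has_age_private_key() {
  grep -q 'AGE-SECRET-KEY-1' "$1"
}

# audit_staged FILE... -> 0 when every file passes, 1 otherwise.
# In a real hook the list comes from `git diff --cached --name-only --diff-filter=ACM`.
audit_staged() {
  status=0
  for f in "$@"; do
    if has_age_private_key "$f"; then
      echo "REJECT $f: contains an Age private key" >&2
      status=1
    fi
    case "$f" in
      */secrets/*|secrets/*)
        if ! is_sops_encrypted "$f"; then
          echo "REJECT $f: not SOPS-encrypted" >&2
          status=1
        fi ;;
    esac
  done
  return "$status"
}

demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/secrets/clients"

# Constructed sample: shape of a SOPS-encrypted file (placeholders, not ciphertext).
cat > "$demo_dir/secrets/clients/good.sops.yaml" <<'EOF'
collabora_admin_password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
db:
    password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "PLACEHOLDER"
    version: PLACEHOLDER
EOF

# Constructed sample: never encrypted (no sops block).
cat > "$demo_dir/secrets/clients/plain.sops.yaml" <<'EOF'
collabora_admin_password: plaintext-placeholder
EOF

# Constructed sample: sops block present, but one value was pasted in the clear.
cat > "$demo_dir/secrets/clients/mixed.sops.yaml" <<'EOF'
collabora_admin_password: plaintext-placeholder
db:
    password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    version: PLACEHOLDER
EOF

# Constructed sample: an Age key file accidentally placed in the tree.
printf '# public key: age1PLACEHOLDERRECIPIENT\nAGE-SECRET-KEY-1PLACEHOLDER\n' > "$demo_dir/age-key.txt"
printf 'Post-X Society Multi-Tenant Infrastructure\n' > "$demo_dir/README.md"

audit_staged "$demo_dir/secrets/clients/good.sops.yaml" "$demo_dir/README.md" &&
  echo "good.sops.yaml, README.md: accepted"
audit_staged "$demo_dir/secrets/clients/plain.sops.yaml" \
  "$demo_dir/secrets/clients/mixed.sops.yaml" "$demo_dir/age-key.txt" ||
  echo "three files rejected, as expected"
```

The `secrets/` case pattern should mirror the `creation_rules` paths in the repository's `.sops.yaml`, so that any file SOPS is expected to encrypt is also the set the guard inspects; the Age key check runs on every staged file, because a key file is just as dangerous outside `secrets/`.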

📝 License

TBD

🙋 Support

For issues or questions, please create a GitHub issue with the appropriate label:

  • agent:architect - Architecture/design questions
  • agent:infrastructure - IaC implementation
  • agent:zitadel - Identity provider
  • agent:nextcloud - File sync/share