Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../README.md
Pieter 52d8e40348 docs: Remove Zitadel references and update documentation 
- Replace all Zitadel references with Authentik in README files
- Update example configurations to use authentik instead of zitadel
- Remove reference to deleted PROJECT_REFERENCE.md
- Update clients/README.md to reflect actual available scripts
- Update secrets documentation with correct variable names

All documentation now accurately reflects current infrastructure
using Authentik as the identity provider.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 20:19:04 +01:00

180 lines
5.4 KiB
Markdown
Raw Blame History

# Post-X Society Multi-Tenant Infrastructure
Infrastructure as Code for a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.
## 🏗️ Architecture
- **Provisioning**: OpenTofu (open source Terraform fork)
- **Configuration**: Ansible with dynamic inventory
- **Secrets**: SOPS + Age encryption
- **Hosting**: Hetzner Cloud (EU-based, GDPR-compliant)
- **Identity**: Authentik (OAuth2/OIDC SSO, MIT license)
- **Storage**: Nextcloud (German company, AGPL 3.0)
## 📁 Repository Structure
```
infrastructure/
├── .claude/agents/ # AI agent definitions for specialized tasks
├── docs/ # Architecture decisions and runbooks
├── tofu/ # OpenTofu configurations for Hetzner
├── ansible/ # Ansible playbooks and roles
├── secrets/ # SOPS-encrypted secrets (git-safe)
├── docker/ # Docker Compose configurations
└── scripts/ # Deployment and management scripts
```
## 🚀 Quick Start
### Prerequisites
- [OpenTofu](https://opentofu.org/) >= 1.6
- [Ansible](https://docs.ansible.com/) >= 2.15
- [SOPS](https://github.com/getsops/sops) + [Age](https://github.com/FiloSottile/age)
- [Hetzner Cloud account](https://www.hetzner.com/cloud)
### Automated Deployment (Recommended)
**The fastest way to deploy a client:**
```bash
# 1. Ensure SOPS Age key is available (if not set)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# 2. Add client to terraform.tfvars
# clients = {
# newclient = {
# server_type = "cx22"
# location = "fsn1"
# subdomain = "newclient"
# apps = ["authentik", "nextcloud"]
# }
# }
# 3. Deploy client (fully automated, ~10-15 minutes)
# The script automatically loads the Hetzner API token from SOPS
./scripts/deploy-client.sh newclient
```
**Note**: The Hetzner API token is now stored encrypted in `secrets/shared.sops.yaml` and loaded automatically by all scripts. No need to manually set `HCLOUD_TOKEN`.
The script will automatically:
- ✅ Generate unique SSH key pair (if missing)
- ✅ Create secrets file from template (if missing, opens in editor)
- ✅ Provision VPS on Hetzner Cloud
- ✅ Deploy Authentik (SSO/identity provider)
- ✅ Deploy Nextcloud (file storage)
- ✅ Configure OAuth2/OIDC integration
- ✅ Set up SSL certificates
- ✅ Create admin accounts
**Result**: Fully functional system, ready to use immediately!
### Management Scripts
```bash
# Deploy a fresh client
./scripts/deploy-client.sh <client_name>
# Rebuild existing client (destroy + redeploy)
./scripts/rebuild-client.sh <client_name>
# Destroy client infrastructure
./scripts/destroy-client.sh <client_name>
```
See [scripts/README.md](scripts/README.md) for detailed documentation.
### Manual Setup (Advanced)
<details>
<summary>Click to expand manual setup instructions</summary>
1. **Clone repository**:
```bash
git clone <repo-url>
cd infrastructure
```
2. **Generate Age encryption key**:
```bash
age-keygen -o keys/age-key.txt
# Store securely in password manager!
```
3. **Configure OpenTofu variables**:
```bash
cp tofu/terraform.tfvars.example tofu/terraform.tfvars
# Edit with your Hetzner API token and configuration
```
4. **Create client secrets**:
```bash
cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml
sops secrets/clients/<client>.sops.yaml
# Update client_name, domains, regenerate all passwords
```
5. **Provision infrastructure**:
```bash
cd tofu
tofu init
tofu apply
```
6. **Deploy applications**:
```bash
cd ../ansible
export HCLOUD_TOKEN="your-token"
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
ansible-playbook -i hcloud.yml playbooks/setup.yml --limit <client>
ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit <client>
```
</details>
## 🎯 Project Principles
1. **EU/GDPR-first**: European vendors and data residency
2. **Truly open source**: Avoid source-available or restrictive licenses
3. **Client isolation**: Full separation between tenants
4. **Infrastructure as Code**: All changes via version control
5. **Security by default**: Encryption, hardening, least privilege
## 📖 Documentation
- **[scripts/README.md](scripts/README.md)** - Management scripts documentation
- **[AUTOMATION_STATUS.md](docs/AUTOMATION_STATUS.md)** - Full automation details
- [Architecture Decision Record](docs/architecture-decisions.md) - Complete design rationale
- [SSO Automation](docs/sso-automation.md) - OAuth2/OIDC integration workflow
- [Agent Definitions](.claude/agents/) - Specialized AI agent instructions
## 🤝 Contributing
This project uses specialized AI agents for development:
- **Architect**: High-level design decisions
- **Infrastructure**: OpenTofu + Ansible implementation
- **Authentik**: Identity provider and SSO configuration
- **Nextcloud**: File sync/share configuration
See individual agent files in `.claude/agents/` for responsibilities.
## 🔒 Security
- Secrets are encrypted with SOPS + Age before committing
- Age private keys are **NEVER** stored in this repository
- See `.gitignore` for protected files
## 📝 License
TBD
## 🙋 Support
For issues or questions, please create a GitHub issue with the appropriate label:
- `agent:architect` - Architecture/design questions
- `agent:infrastructure` - IaC implementation
- `agent:authentik` - Identity provider/SSO
- `agent:nextcloud` - File sync/share
Reference in a new issue View git blame Copy permalink