b6c9fa666d
This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| bever.sops.yaml | ||
| black.sops.yaml | ||
| das.sops.yaml | ||
| dev.sops.yaml | ||
| egel.sops.yaml | ||
| haas.sops.yaml | ||
| kikker.sops.yaml | ||
| kraai.sops.yaml | ||
| mees.sops.yaml | ||
| mol.sops.yaml | ||
| mus.sops.yaml | ||
| otter.sops.yaml | ||
| purple.sops.yaml | ||
| README.md | ||
| ree.sops.yaml | ||
| specht.sops.yaml | ||
| template.sops.yaml | ||
| uil.sops.yaml | ||
| valk.sops.yaml | ||
| vos.sops.yaml | ||
| white.sops.yaml | ||
| wolf.sops.yaml | ||
| zwaan.sops.yaml | ||
Client Secrets Directory
This directory contains SOPS-encrypted secrets files for each deployed client.
Files
Active Clients
dev.sops.yaml- Development/canary server secrets- Status: Deployed
- Purpose: Testing and canary deployments
Templates
template.sops.yaml- Template for creating new client secrets- Status: Reference only (not deployed)
- Purpose: Copy this file when onboarding new clients
Creating Secrets for a New Client
# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml
# 3. Update all fields:
# - client_name: newclient
# - client_domain: newclient.vrije.cloud
# - authentik_domain: auth.newclient.vrije.cloud
# - nextcloud_domain: nextcloud.newclient.vrije.cloud
# - REGENERATE all passwords and tokens (never reuse!)
# 4. Deploy the client
./scripts/deploy-client.sh newclient
Important Security Notes
⚠️ Never commit plaintext secrets!
- Only
*.sops.yamlfiles should be committed - Temporary files (
*-temp.yaml,*.tmp) are gitignored - Always verify secrets are encrypted:
file secrets/clients/*.sops.yaml
⚠️ Always regenerate secrets for new clients!
- Never copy passwords between clients
- Use strong random passwords (32+ characters)
- Each client must have unique credentials
File Naming Convention
- Production clients:
clientname.sops.yaml - Development/test:
dev.sops.yaml - Templates:
template.sops.yaml - Never commit:
*-temp.yaml,*.tmp,*_plaintext.yaml
Viewing Secrets
# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml
# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml
Required Secrets per Client
Each client secrets file must contain:
Authentik (Identity Provider)
authentik_db_password- PostgreSQL database passwordauthentik_secret_key- Django secret keyauthentik_bootstrap_password- Initial admin (akadmin) passwordauthentik_bootstrap_token- API token for automationauthentik_bootstrap_email- Admin email address
Nextcloud (File Storage)
nextcloud_admin_user- Admin username (usually "admin")nextcloud_admin_password- Admin passwordnextcloud_db_password- MariaDB database passwordnextcloud_db_root_password- MariaDB root passwordredis_password- Redis cache password
Optional
collabora_admin_password- Collabora Online admin password (if using)
Troubleshooting
"No such file or directory: age-key.txt"
# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
"Failed to decrypt"
- Verify you have the correct age private key
- Check that
.sops.yamlreferences the correct age public key - Ensure the file was encrypted with the same age key
"File contains plaintext secrets"
# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)
# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml
See Also
- ../README.md - Secrets management overview
- ../../docs/architecture-decisions.md - SOPS decision rationale
- SOPS Documentation