Removed Zitadel identity provider due to:
- Critical bugs with FirstInstance initialization in v2.63.7
- Requirement for manual setup (not scalable for multi-tenant)
- User preference for Authentik in future
Changes:
- Removed entire Zitadel Ansible role and all tasks
- Removed Zitadel agent configuration (.claude/agents/zitadel.md)
- Updated deploy.yml playbook (removed Zitadel role)
- Updated architecture decisions document
- Updated PROJECT_REFERENCE.md (removed Zitadel sections)
- Updated README.md (removed Zitadel references)
- Cleaned up Zitadel deployment from test server
- Updated secrets file (removed Zitadel credentials)
Architecture now focuses on:
- Nextcloud as standalone file sync/collaboration platform
- May add Authentik or other identity provider in future if needed
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Project Reference
Quick reference for essential project information and common operations.
Project Structure
infrastructure/
├── ansible/ # Ansible playbooks and roles
│ ├── hcloud.yml # Dynamic inventory (Hetzner Cloud)
│ ├── playbooks/ # Main playbooks
│ │ ├── deploy.yml # Deploy applications to clients
│ │ └── setup.yml # Setup base server infrastructure
│ └── roles/ # Ansible roles (traefik, nextcloud, etc.)
├── keys/
│ └── age-key.txt # SOPS encryption key (gitignored)
├── secrets/
│ ├── clients/ # Per-client encrypted secrets
│ │ └── test.sops.yaml
│ └── shared.sops.yaml # Shared secrets
└── terraform/ # Infrastructure as Code (Hetzner)
Essential Configuration
SOPS Age Key
Location: infrastructure/keys/age-key.txt
Usage: Always set before running Ansible (the path is relative to infrastructure/ansible/, the working directory used below):
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
Hetzner Cloud Token
Usage: Required for dynamic inventory. The literal token must not be written into this file or any other committed file (it would sit in git history permanently); keep it in a gitignored env file or in an encrypted SOPS file and export it from there:
export HCLOUD_TOKEN="..."
Ansible Paths
Working Directory: infrastructure/ansible/
Inventory: hcloud.yml (dynamic, pulls from Hetzner Cloud API)
Ansible binary: ~/.local/bin/ansible-playbook (user-local installation, not on the default PATH, hence the full path in the commands below)
Current Deployment
Client: test
- Hostname: test (from Hetzner Cloud)
- Nextcloud: https://nextcloud.test.vrije.cloud
- Secrets:
secrets/clients/test.sops.yaml
Common Operations
Deploy Applications
cd infrastructure/ansible
export HCLOUD_TOKEN="..."   # from a gitignored env file or an encrypted SOPS file, never a literal pasted here
export SOPS_AGE_KEY_FILE="../keys/age-key.txt"
# Deploy everything to test client
~/.local/bin/ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit test
Check Service Status
# List inventory hosts
export HCLOUD_TOKEN="..."
~/.local/bin/ansible-inventory -i hcloud.yml --list
# Run ad-hoc commands
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker ps"
~/.local/bin/ansible test -i hcloud.yml -m shell -a "docker logs nextcloud 2>&1 | tail -50"
Edit Secrets
cd infrastructure
export SOPS_AGE_KEY_FILE="keys/age-key.txt"
# Edit client secrets
sops secrets/clients/test.sops.yaml
# View decrypted secrets
sops --decrypt secrets/clients/test.sops.yaml
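The two sections above (SOPS age key / Hetzner token and Edit Secrets) rely on three things being true: the committed *.sops.yaml files are really encrypted, the age key stays private and out of git, and the Hetzner token is loaded from a secret store rather than typed into a document. The script below is an added example, not code from this project, that checks those three things. It assumes the Hetzner token lives under a key named hcloud_token in secrets/shared.sops.yaml (the reference above does not say where it is kept); the sample files it writes are constructed for the demo and contain no real secrets.

```shell
#!/bin/sh
# Added example (not part of the project): hygiene checks for the SOPS/age
# workflow. Assumption: the Hetzner token is stored as "hcloud_token" in
# secrets/shared.sops.yaml. Sample files below are constructed, not real.
set -eu

# is_sops_encrypted FILE -> 0 if FILE looks fully encrypted, 1 otherwise.
# Every data value must be an ENC[...] ciphertext and a top-level "sops:"
# metadata block must exist. Lines under "sops:" (recipients, mac, version)
# are plaintext by design and are skipped.
is_sops_encrypted() {
  awk '
    /^sops:/                                   { in_meta = 1; have_meta = 1; next }
    in_meta && /^[^[:space:]]/                 { in_meta = 0 }
    in_meta                                    { next }
    /^[[:space:]]*#/ || /^[[:space:]]*$/       { next }   # comments, blank lines
    /^[[:space:]]*[^[:space:]#:-][^:]*:[[:space:]]*$/ { next }   # "parent:" of nested keys
    /^[[:space:]]*[^[:space:]#:-][^:]*:[[:space:]]/ {
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)       # strip "key: "
      if (val !~ /^ENC\[/) { bad++; print "plaintext value: " $0 | "cat 1>&2" }
    }
    END { if (have_meta && bad == 0) exit 0; exit 1 }
  ' "$1"
}

# check_age_key FILE -> 0 if FILE has no group/other permission bits and,
# when it sits inside a git work tree, is ignored by git. The reference says
# keys/ is gitignored; this verifies it instead of trusting the comment.
check_age_key() {
  key_bits=$(ls -ld "$1" | cut -c5-10)
  if [ "$key_bits" != "------" ]; then
    echo "age key $1 is readable by group/other; run: chmod 600 $1" >&2
    return 1
  fi
  key_dir=$(dirname "$1")
  if command -v git >/dev/null 2>&1 \
     && git -C "$key_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 \
     && ! git -C "$key_dir" check-ignore -q "$(basename "$1")"; then
    echo "age key $1 is NOT gitignored; it would be committed" >&2
    return 1
  fi
}

# load_hcloud_token [FILE]: export HCLOUD_TOKEN from an encrypted SOPS file
# (assumed key: hcloud_token) so the literal never lands in docs or history.
# Requires sops and SOPS_AGE_KEY_FILE; not exercised by the demo below.
load_hcloud_token() {
  sops_file="${1:-secrets/shared.sops.yaml}"
  is_sops_encrypted "$sops_file"
  HCLOUD_TOKEN=$(sops --decrypt --extract '["hcloud_token"]' "$sops_file")
  export HCLOUD_TOKEN
}

# make_samples DIR: write two constructed files for the demo (no real secrets).
make_samples() {
  cat > "$1/encrypted.sops.yaml" <<'EOF'
nextcloud:
    admin_password: ENC[AES256_GCM,data:c29tZWRhdGE=,iv:AAAA,tag:BBBB,type:str]
hcloud_token: ENC[AES256_GCM,data:dG9rZW4=,iv:CCCC,tag:DDDD,type:str]
sops:
    age:
        - recipient: age1exampleexampleexampleexampleexampleexampleexampleexamplexxxxx
    mac: ENC[AES256_GCM,data:bWFj,iv:EEEE,tag:FFFF,type:str]
    version: 3.9.0
EOF
  cat > "$1/plaintext.sops.yaml" <<'EOF'
nextcloud:
    admin_password: ENC[AES256_GCM,data:c29tZWRhdGE=,iv:AAAA,tag:BBBB,type:str]
hcloud_token: hunter2-this-should-never-be-committed
sops:
    version: 3.9.0
EOF
}

# demo -> 0 when the encrypted sample passes, the half-plaintext sample is
# rejected, a 600 key passes and a 644 key is rejected.
demo() {
  demo_dir=$(mktemp -d)
  make_samples "$demo_dir"
  printf 'constructed placeholder, not a real age identity\n' > "$demo_dir/age-key.txt"
  chmod 600 "$demo_dir/age-key.txt"
  is_sops_encrypted "$demo_dir/encrypted.sops.yaml"               || return 1
  is_sops_encrypted "$demo_dir/plaintext.sops.yaml" 2>/dev/null   && return 1
  check_age_key "$demo_dir/age-key.txt"                           || return 1
  chmod 644 "$demo_dir/age-key.txt"
  check_age_key "$demo_dir/age-key.txt" 2>/dev/null               && return 1
  rm -rf "$demo_dir"
  echo "secrets hygiene checks OK"
}
```

Wire is_sops_encrypted into a pre-commit hook over secrets/**/*.sops.yaml and it refuses a commit the moment someone saves a plaintext edit (for instance after a failed `sops` invocation left the file decrypted); call load_hcloud_token in place of the `export HCLOUD_TOKEN=...` lines so the token is only ever in memory for the Ansible run.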
Architecture Notes
Service Stack
- Traefik: Reverse proxy with automatic Let's Encrypt certificates
- Nextcloud 30.0.17: File sync and collaboration
- Redis: Caching for Nextcloud
- MariaDB: Database for Nextcloud
Docker Networks
traefik: External network for all web-accessible services
nextcloud-internal: Internal network for Nextcloud ↔ Redis/DB (not reachable from the traefik network or the host)
Volumes
nextcloud_nextcloud-data: Nextcloud files and database
Service Credentials
Nextcloud Admin
- URL: https://nextcloud.test.vrije.cloud
- Username: admin
- Password: in secrets/clients/test.sops.yaml, key nextcloud_admin_password