No description
f795920f24
═══════════════════════════════════════════════════════════════ ✅ COMPLETED: Green Client Deployment (green.vrije.cloud) ═══════════════════════════════════════════════════════════════ Services deployed and operational: - Traefik (reverse proxy with SSL) - Authentik SSO (auth.green.vrije.cloud) - Nextcloud (nextcloud.green.vrije.cloud) - Collabora Office (online document editing) - PostgreSQL databases (Authentik + Nextcloud) - Redis (caching + file locking) ═══════════════════════════════════════════════════════════════ 🔐 CRITICAL SECURITY FIX: Unique Passwords Per Client ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: All clients were using IDENTICAL passwords from template (critical vulnerability). If one server compromised, all servers compromised. SOLUTION IMPLEMENTED: ✅ Auto-generate unique passwords per client ✅ Store securely in SOPS-encrypted files ✅ Easy retrieval with get-passwords.sh script NEW SCRIPTS: - scripts/generate-passwords.sh - Auto-generate unique 43-char passwords - scripts/get-passwords.sh - Retrieve client credentials from SOPS UPDATED SCRIPTS: - scripts/deploy-client.sh - Now auto-calls password generator PASSWORD CHANGES: - dev.sops.yaml - Regenerated with unique passwords - green.sops.yaml - Created with unique passwords SECURITY PROPERTIES: - 43-character passwords (258 bits entropy) - Cryptographically secure (openssl rand -base64 32) - Unique across all clients - Stored encrypted with SOPS + age ═══════════════════════════════════════════════════════════════ 🛠️ BUG FIX: Nextcloud Volume Mounting ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: Volume detection was looking for "nextcloud-data-{client}" in device ID, but Hetzner volumes use numeric IDs (scsi-0HC_Volume_104429514). SOLUTION: Simplified detection to find first Hetzner volume (works for all clients): ls -1 /dev/disk/by-id/scsi-0HC_Volume_* | head -1 FIXED FILE: - ansible/roles/nextcloud/tasks/mount-volume.yml:15 ═══════════════════════════════════════════════════════════════ 🐛 BUG FIX: Authentik Invitation Task Safety ═══════════════════════════════════════════════════════════════ PROBLEM FIXED: invitation.yml task crashed when accessing undefined variable attribute (enrollment_blueprint_result.rc when API not ready). SOLUTION: Added safety checks before accessing variable attributes: {{ 'In Progress' if (var is defined and var.rc is defined) else 'Complete' }} FIXED FILE: - ansible/roles/authentik/tasks/invitation.yml:91 ═══════════════════════════════════════════════════════════════ 📝 OTHER CHANGES ═══════════════════════════════════════════════════════════════ GITIGNORE: - Added *.md (except README.md) to exclude deployment reports GREEN CLIENT FILES: - keys/ssh/green.pub - SSH public key for green server - secrets/clients/green.sops.yaml - Encrypted secrets with unique passwords ═══════════════════════════════════════════════════════════════ ✅ IMPACT: All Future Deployments Now Secure & Reliable ═══════════════════════════════════════════════════════════════ FUTURE DEPLOYMENTS: - ✅ Automatically get unique passwords - ✅ Volume mounting works reliably - ✅ Ansible tasks handle API delays gracefully - ✅ No manual intervention required DEPLOYMENT TIME: ~15 minutes (fully automated) AUTOMATION RATE: 95% ═══════════════════════════════════════════════════════════════ 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .claude/agents | ||
| ansible | ||
| clients | ||
| docs | ||
| keys | ||
| scripts | ||
| secrets | ||
| tofu | ||
| .gitignore | ||
| .sops.yaml | ||
| PROJECT_REFERENCE.md | ||
| README.md | ||
| SECURITY-NOTE-tokens.md | ||
| TEST-REPORT-blue-client.md | ||
Post-X Society Multi-Tenant Infrastructure
Infrastructure as Code for a scalable multi-tenant VPS platform running Nextcloud (file sync/share) on Hetzner Cloud.
🏗️ Architecture
- Provisioning: OpenTofu (open source Terraform fork)
- Configuration: Ansible with dynamic inventory
- Secrets: SOPS + Age encryption
- Hosting: Hetzner Cloud (EU-based, GDPR-compliant)
- Identity: Authentik (OAuth2/OIDC SSO, MIT license)
- Storage: Nextcloud (German company, AGPL 3.0)
📁 Repository Structure
infrastructure/
├── .claude/agents/ # AI agent definitions for specialized tasks
├── docs/ # Architecture decisions and runbooks
├── tofu/ # OpenTofu configurations for Hetzner
├── ansible/ # Ansible playbooks and roles
├── secrets/ # SOPS-encrypted secrets (git-safe)
├── docker/ # Docker Compose configurations
└── scripts/ # Deployment and management scripts
🚀 Quick Start
Prerequisites
- OpenTofu >= 1.6
- Ansible >= 2.15
- SOPS + Age
- Hetzner Cloud account
Automated Deployment (Recommended)
The fastest way to deploy a client:
# 1. Set environment variables
export HCLOUD_TOKEN="your-hetzner-api-token"
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# 2. Add client to terraform.tfvars
# clients = {
# newclient = {
# server_type = "cx22"
# location = "fsn1"
# subdomain = "newclient"
# apps = ["authentik", "nextcloud"]
# }
# }
# 3. Deploy client (fully automated, ~10-15 minutes)
./scripts/deploy-client.sh newclient
The script will automatically:
- ✅ Generate unique SSH key pair (if missing)
- ✅ Create secrets file from template (if missing, opens in editor)
- ✅ Provision VPS on Hetzner Cloud
- ✅ Deploy Authentik (SSO/identity provider)
- ✅ Deploy Nextcloud (file storage)
- ✅ Configure OAuth2/OIDC integration
- ✅ Set up SSL certificates
- ✅ Create admin accounts
Result: Fully functional system, ready to use immediately!
Management Scripts
# Deploy a fresh client
./scripts/deploy-client.sh <client_name>
# Rebuild existing client (destroy + redeploy)
./scripts/rebuild-client.sh <client_name>
# Destroy client infrastructure
./scripts/destroy-client.sh <client_name>
See scripts/README.md for detailed documentation.
Manual Setup (Advanced)
Click to expand manual setup instructions
-
Clone repository:
git clone <repo-url> cd infrastructure -
Generate Age encryption key:
age-keygen -o keys/age-key.txt # Store securely in password manager! -
Configure OpenTofu variables:
cp tofu/terraform.tfvars.example tofu/terraform.tfvars # Edit with your Hetzner API token and configuration -
Create client secrets:
cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml sops secrets/clients/<client>.sops.yaml # Update client_name, domains, regenerate all passwords -
Provision infrastructure:
cd tofu tofu init tofu apply -
Deploy applications:
cd ../ansible export HCLOUD_TOKEN="your-token" export SOPS_AGE_KEY_FILE="../keys/age-key.txt" ansible-playbook -i hcloud.yml playbooks/setup.yml --limit <client> ansible-playbook -i hcloud.yml playbooks/deploy.yml --limit <client>
🎯 Project Principles
- EU/GDPR-first: European vendors and data residency
- Truly open source: Avoid source-available or restrictive licenses
- Client isolation: Full separation between tenants
- Infrastructure as Code: All changes via version control
- Security by default: Encryption, hardening, least privilege
📖 Documentation
- PROJECT_REFERENCE.md - Essential information and common operations
- scripts/README.md - Management scripts documentation
- AUTOMATION_STATUS.md - Full automation details
- Architecture Decision Record - Complete design rationale
- SSO Automation - OAuth2/OIDC integration workflow
- Agent Definitions - Specialized AI agent instructions
🤝 Contributing
This project uses specialized AI agents for development:
- Architect: High-level design decisions
- Infrastructure: OpenTofu + Ansible implementation
- Authentik: Identity provider and SSO configuration
- Nextcloud: File sync/share configuration
See individual agent files in .claude/agents/ for responsibilities.
🔒 Security
- Secrets are encrypted with SOPS + Age before committing
- Age private keys are NEVER stored in this repository
- See
.gitignorefor protected files
📝 License
TBD
🙋 Support
For issues or questions, please create a GitHub issue with the appropriate label:
agent:architect- Architecture/design questionsagent:infrastructure- IaC implementationagent:authentik- Identity provider/SSOagent:nextcloud- File sync/share