Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../secrets/clients
History
Pieter f795920f24 🚀 GREEN CLIENT DEPLOYMENT + CRITICAL SECURITY FIXES 
═══════════════════════════════════════════════════════════════
 COMPLETED: Green Client Deployment (green.vrije.cloud)
═══════════════════════════════════════════════════════════════

Services deployed and operational:
- Traefik (reverse proxy with SSL)
- Authentik SSO (auth.green.vrije.cloud)
- Nextcloud (nextcloud.green.vrije.cloud)
- Collabora Office (online document editing)
- PostgreSQL databases (Authentik + Nextcloud)
- Redis (caching + file locking)

═══════════════════════════════════════════════════════════════
🔐 CRITICAL SECURITY FIX: Unique Passwords Per Client
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
All clients were using IDENTICAL passwords from template (critical vulnerability).
If one server compromised, all servers compromised.

SOLUTION IMPLEMENTED:
 Auto-generate unique passwords per client
 Store securely in SOPS-encrypted files
 Easy retrieval with get-passwords.sh script

NEW SCRIPTS:
- scripts/generate-passwords.sh - Auto-generate unique 43-char passwords
- scripts/get-passwords.sh      - Retrieve client credentials from SOPS

UPDATED SCRIPTS:
- scripts/deploy-client.sh - Now auto-calls password generator

PASSWORD CHANGES:
- dev.sops.yaml   - Regenerated with unique passwords
- green.sops.yaml - Created with unique passwords

SECURITY PROPERTIES:
- 43-character passwords (258 bits entropy)
- Cryptographically secure (openssl rand -base64 32)
- Unique across all clients
- Stored encrypted with SOPS + age

═══════════════════════════════════════════════════════════════
🛠️  BUG FIX: Nextcloud Volume Mounting
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
Volume detection was looking for "nextcloud-data-{client}" in device ID,
but Hetzner volumes use numeric IDs (scsi-0HC_Volume_104429514).

SOLUTION:
Simplified detection to find first Hetzner volume (works for all clients):
  ls -1 /dev/disk/by-id/scsi-0HC_Volume_* | head -1

FIXED FILE:
- ansible/roles/nextcloud/tasks/mount-volume.yml:15

═══════════════════════════════════════════════════════════════
🐛 BUG FIX: Authentik Invitation Task Safety
═══════════════════════════════════════════════════════════════

PROBLEM FIXED:
invitation.yml task crashed when accessing undefined variable attribute
(enrollment_blueprint_result.rc when API not ready).

SOLUTION:
Added safety checks before accessing variable attributes:
  {{ 'In Progress' if (var is defined and var.rc is defined) else 'Complete' }}

FIXED FILE:
- ansible/roles/authentik/tasks/invitation.yml:91

═══════════════════════════════════════════════════════════════
📝 OTHER CHANGES
═══════════════════════════════════════════════════════════════

GITIGNORE:
- Added *.md (except README.md) to exclude deployment reports

GREEN CLIENT FILES:
- keys/ssh/green.pub - SSH public key for green server
- secrets/clients/green.sops.yaml - Encrypted secrets with unique passwords

═══════════════════════════════════════════════════════════════
 IMPACT: All Future Deployments Now Secure & Reliable
═══════════════════════════════════════════════════════════════

FUTURE DEPLOYMENTS:
-  Automatically get unique passwords
-  Volume mounting works reliably
-  Ansible tasks handle API delays gracefully
-  No manual intervention required

DEPLOYMENT TIME: ~15 minutes (fully automated)
AUTOMATION RATE: 95%

═══════════════════════════════════════════════════════════════

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-18 17:06:04 +01:00
..
.gitignore chore: Add gitignore for secrets/clients to prevent plaintext files 2026-01-08 17:01:15 +01:00
blue.sops.yaml docs: Complete blue client deployment test and security review 2026-01-17 21:40:12 +01:00
dev.sops.yaml 🚀 GREEN CLIENT DEPLOYMENT + CRITICAL SECURITY FIXES 2026-01-18 17:06:04 +01:00
green.sops.yaml 🚀 GREEN CLIENT DEPLOYMENT + CRITICAL SECURITY FIXES 2026-01-18 17:06:04 +01:00
README.md chore: Clean up client secrets directory 2026-01-17 19:32:06 +01:00
template.sops.yaml chore: Clean up client secrets directory 2026-01-17 19:32:06 +01:00

README.md

Client Secrets Directory

This directory contains SOPS-encrypted secrets files for each deployed client.

Files

Active Clients

  • dev.sops.yaml - Development/canary server secrets
    • Status: Deployed
    • Purpose: Testing and canary deployments

Templates

  • template.sops.yaml - Template for creating new client secrets
    • Status: Reference only (not deployed)
    • Purpose: Copy this file when onboarding new clients

Creating Secrets for a New Client

# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml

# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml

# 3. Update all fields:
#    - client_name: newclient
#    - client_domain: newclient.vrije.cloud
#    - authentik_domain: auth.newclient.vrije.cloud
#    - nextcloud_domain: nextcloud.newclient.vrije.cloud
#    - REGENERATE all passwords and tokens (never reuse!)

# 4. Deploy the client
./scripts/deploy-client.sh newclient

Important Security Notes

⚠️ Never commit plaintext secrets!

  • Only *.sops.yaml files should be committed
  • Temporary files (*-temp.yaml, *.tmp) are gitignored
  • Always verify secrets are encrypted: file secrets/clients/*.sops.yaml

⚠️ Always regenerate secrets for new clients!

  • Never copy passwords between clients
  • Use strong random passwords (32+ characters)
  • Each client must have unique credentials

File Naming Convention

  • Production clients: clientname.sops.yaml
  • Development/test: dev.sops.yaml
  • Templates: template.sops.yaml
  • Never commit: *-temp.yaml, *.tmp, *_plaintext.yaml

Viewing Secrets

# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml

# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml

Required Secrets per Client

Each client secrets file must contain:

Authentik (Identity Provider)

  • authentik_db_password - PostgreSQL database password
  • authentik_secret_key - Django secret key
  • authentik_bootstrap_password - Initial admin (akadmin) password
  • authentik_bootstrap_token - API token for automation
  • authentik_bootstrap_email - Admin email address

Nextcloud (File Storage)

  • nextcloud_admin_user - Admin username (usually "admin")
  • nextcloud_admin_password - Admin password
  • nextcloud_db_password - MariaDB database password
  • nextcloud_db_root_password - MariaDB root password
  • redis_password - Redis cache password

Optional

  • collabora_admin_password - Collabora Online admin password (if using)

Troubleshooting

"No such file or directory: age-key.txt"

# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"

"Failed to decrypt"

  • Verify you have the correct age private key
  • Check that .sops.yaml references the correct age public key
  • Ensure the file was encrypted with the same age key

"File contains plaintext secrets"

# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)

# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml

See Also