Pieter 9571782382 fix: Restore Mailgun SMTP and Nextcloud OIDC integration
Fixes three critical regressions from previous deployment:

1. **Mailgun SMTP Credentials**
   - Added mailgun_api_key to secrets/shared.sops.yaml
   - Updated deploy.yml to load and merge shared secrets
   - Mailgun credentials now created automatically per client

2. **Nextcloud OIDC Integration**
   - OIDC provider creation now works (was timing issue)
   - "Login with Authentik" button restored on Nextcloud login

3. **Infrastructure Deployment**
   - Fixed deploy-client.sh to create full infrastructure (DNS + server)
   - Removed -target flag that caused incomplete deployments

Changes:
- ansible/playbooks/deploy.yml: Load shared secrets and merge into client_secrets
- secrets/shared.sops.yaml: Add Mailgun API key for all clients
- secrets/clients/dev.sops.yaml: Add dev client configuration
- scripts/deploy-client.sh: Apply full infrastructure without -target flag

All services now functional:
- Traefik reverse proxy with auto SSL
- Authentik SSO with email configuration
- Nextcloud with OIDC login and email
- Mailgun SMTP credentials (dev@mg.vrije.cloud)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-14 16:04:00 +01:00
deploy-client.sh fix: Restore Mailgun SMTP and Nextcloud OIDC integration 2026-01-14 16:04:00 +01:00
destroy-client.sh fix: Resolve Authentik email delivery issues 2026-01-13 09:52:23 +01:00
README.md feat: Complete Authentik SSO integration with automated OIDC setup 2026-01-08 16:56:19 +01:00
rebuild-client.sh feat: Complete Authentik SSO integration with automated OIDC setup 2026-01-08 16:56:19 +01:00

Management Scripts

Automated scripts for managing client infrastructure.

Prerequisites

Set required environment variables:

export HCLOUD_TOKEN="your-hetzner-cloud-api-token"
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"

Scripts

1. Deploy Fresh Client

Purpose: Deploy a brand new client from scratch

Usage:

./scripts/deploy-client.sh <client_name>

What it does:

  1. Provisions VPS server (if not exists)
  2. Sets up base system (Docker, Traefik)
  3. Deploys Authentik + Nextcloud
  4. Configures SSO integration automatically

Time: ~10-15 minutes

Example:

./scripts/deploy-client.sh test

Requirements:

  • Secrets file must exist: secrets/clients/<client_name>.sops.yaml
  • Client must be defined in tofu/terraform.tfvars

2. Rebuild Client

Purpose: Destroy and recreate a client's infrastructure from scratch

Usage:

./scripts/rebuild-client.sh <client_name>

What it does:

  1. Destroys existing infrastructure (asks for confirmation)
  2. Provisions new VPS server
  3. Sets up base system
  4. Deploys applications
  5. Configures SSO

Time: ~10-15 minutes

Example:

./scripts/rebuild-client.sh test

Warning: This is destructive - all data on the server will be lost!

3. Destroy Client

Purpose: Completely remove a client's infrastructure

Usage:

./scripts/destroy-client.sh <client_name>

What it does:

  1. Stops and removes all Docker containers
  2. Removes all Docker volumes
  3. Destroys VPS server via OpenTofu
  4. Removes DNS records

Time: ~2-3 minutes

Example:

./scripts/destroy-client.sh test

Warning: This is destructive and irreversible! All data will be lost.

Note: The secrets file is preserved after destruction.

Workflow Examples

Deploy a New Client

# 1. Create secrets file
cp secrets/clients/test.sops.yaml secrets/clients/newclient.sops.yaml
sops secrets/clients/newclient.sops.yaml
# Edit: client_name, domains, regenerate passwords

# 2. Add to terraform.tfvars
vim tofu/terraform.tfvars
# Add client definition

# 3. Deploy
./scripts/deploy-client.sh newclient

Test Changes (Rebuild)

# Make changes to Ansible roles/playbooks

# Test by rebuilding
./scripts/rebuild-client.sh test

# Verify changes worked

Clean Up

# Remove test infrastructure
./scripts/destroy-client.sh test

Script Output

All scripts provide:

  • ✓ Colored output (green = success, yellow = warning, red = error)
  • Progress indicators for each step
  • Total time taken
  • Service URLs and credentials
  • Next steps guidance

Error Handling

Scripts will exit if:

  • Required environment variables not set
  • Secrets file doesn't exist
  • Confirmation not provided (for destructive operations)
  • Any command fails (set -e)

Safety Features

Destroy Script

  • Requires typing client name to confirm
  • Shows what will be deleted
  • Preserves secrets file

Rebuild Script

  • Asks for confirmation before destroying
  • 10-second delay after destroy before rebuilding
  • Shows existing infrastructure before proceeding

Deploy Script

  • Checks for existing infrastructure
  • Skips provisioning if server exists
  • Validates secrets file exists
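
The checks listed under Error Handling and Safety Features, written out as POSIX sh functions. This is an added example and not code from the repository's scripts; the function names, the default secrets directory argument, and the extra check that the secrets file carries a top-level sops: metadata block (which every file sops has encrypted contains) are assumptions made for the example.

```shell
# Added example, not the repository's own code: preflight checks for the
# management scripts as POSIX sh functions. Function names and the
# "must contain a sops: block" check are assumptions of this example.

set -e  # exit on any failing command, as the README says the scripts do

# require_env NAME...: succeed only if every named variable is set and
# non-empty. Names are validated before eval so only identifiers are expanded.
require_env() {
  for name in "$@"; do
    case "$name" in
      *[!A-Za-z0-9_]*|"") echo "ERROR: invalid variable name: $name" >&2; return 1 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "ERROR: $name not set" >&2
      return 1
    fi
  done
  return 0
}

# require_secrets_file PATH: the file must exist and look SOPS-encrypted.
# sops writes a top-level "sops:" metadata block into every encrypted file;
# refusing a file without one prevents deploying a plaintext secrets file.
require_secrets_file() {
  file="$1"
  if [ ! -f "$file" ]; then
    echo "ERROR: Secrets file not found: $file" >&2
    return 1
  fi
  if ! grep -q '^sops:' "$file"; then
    echo "ERROR: $file does not look SOPS-encrypted (no sops: block)" >&2
    return 1
  fi
  return 0
}

# confirm_destroy CLIENT: read one line from stdin and succeed only if it is
# exactly the client name, so a stray Enter or "y" cannot confirm destruction.
confirm_destroy() {
  client="$1"
  printf 'Type the client name (%s) to confirm destruction: ' "$client" >&2
  read -r answer || answer=""
  if [ "$answer" != "$client" ]; then
    echo "Aborted: confirmation did not match '$client'" >&2
    return 1
  fi
  return 0
}

# preflight CLIENT [SECRETS_DIR]: everything deploy-client.sh needs before
# touching infrastructure. The default directory follows the README layout
# (secrets/clients/<client_name>.sops.yaml).
preflight() {
  client="$1"
  dir="${2:-secrets/clients}"
  require_env HCLOUD_TOKEN SOPS_AGE_KEY_FILE
  require_secrets_file "$dir/$client.sops.yaml"
}

# Typical use at the top of a script:
#   preflight "$1" || exit 1                # deploy / rebuild
#   confirm_destroy "$1" || exit 1          # before anything destructive
```

Because the functions return non-zero instead of calling exit, a script can decide whether a failed check is fatal; with set -e active in the caller, an unguarded call aborts the script exactly as the README describes.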

Integration with CI/CD

These scripts can be used in automation:

# Non-interactive deployment
export HCLOUD_TOKEN="..."
export SOPS_AGE_KEY_FILE="..."

./scripts/deploy-client.sh production

To rebuild without the interactive confirmation, rebuild-client.sh must first be modified to accept a --yes flag:

./scripts/rebuild-client.sh production --yes

Troubleshooting

Script fails with "HCLOUD_TOKEN not set"

export HCLOUD_TOKEN="your-token-here"

Script fails with "Secrets file not found"

Create the secrets file:

cp secrets/clients/test.sops.yaml secrets/clients/<client>.sops.yaml
sops secrets/clients/<client>.sops.yaml

Server not reachable during destroy

This is normal if the server has already been destroyed. The script skips the Docker cleanup and proceeds to the OpenTofu destroy.

OpenTofu state conflicts

If multiple people are managing infrastructure:

cd tofu
tofu state pull
tofu state push

Consider using remote state (S3, Terraform Cloud, etc.) instead.

Performance

Typical timings:

Operation      Time
-------------  ---------
Deploy fresh   10-15 min
Rebuild        10-15 min
Destroy        2-3 min

Breakdown:

  • Infrastructure provisioning: 2 min
  • Server initialization: 1 min
  • Base system setup: 3 min
  • Application deployment: 5-7 min

See Also