No description
  • Shell 64.5%
  • Jinja 32.8%
  • Makefile 2.7%
Find a file
2026-06-24 23:47:59 +01:00
docs refactor(idp): issuer/login on account.albient.co.uk; idp.albient.cloud = infra only 2026-06-24 13:48:39 +01:00
inventories zitadel: deploy the Login UI v2 app (v4 has no built-in login) 2026-06-24 21:44:01 +01:00
playbooks feat(idp): Phase 2 — edge role (HAProxy TLS + Let's Encrypt) for the issuer 2026-06-24 14:03:28 +01:00
roles Wire Zitadel update/delete/state Actions executions to the user-sync webhook (idempotent rebind) 2026-06-24 23:47:59 +01:00
scripts feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
.gitignore feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
.sops.yaml feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
.yamllint feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
ansible.cfg feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
Makefile feat(idp): Phase 1 — ansible-idp scaffold + Zitadel HA role 2026-06-24 13:38:03 +01:00
README.md refactor(idp): brand Zitadel's hosted pages instead of a custom portal 2026-06-24 13:41:43 +01:00

ansible-idp

Albient's identity provider (SSO) control plane — Zitadel, deployed HA and systemd-native (no containers), backed by Postgres. A separate Ansible book, like ansible-dns, feeding the wider Albient platform (mail is the first consumer).

See docs/architecture.md for the full design.

Quick start

scripts/bootstrap-secrets.sh init            # generate masterkey/db/admin secrets
make lint                                    # yamllint + ansible-lint
make check ENV=staging                       # dry-run
make deploy ENV=staging                      # deploy Zitadel HA

What this does today (Phase 1)

  • Deploys Zitadel idp_cluster HA: binary + systemd, shared Postgres (the platform Patroni R/W VIP), one-time schema + first-instance/admin bootstrap, health-gated start. TLS is terminated by the (forthcoming) edge role; Zitadel speaks plain HTTP on the private interface with ExternalSecure=true.

Not yet (later phases)

  • Branding + edge: apply Zitadel private-labeling (logo/colors/font/login text) via the mgmt API — we brand Zitadel's own hosted pages rather than build a custom portal — plus HAProxy + Let's Encrypt for account.albient.co.uk.
  • Consumers: Stalwart as an OIDC RP / OAUTHBEARER; the provisioning API as the Zitadel write-path that syncs the mail directory (389-DS).
  • App-passwords: issue/revoke UX in Roundcube or the provisioning API (the one custom UI bit Zitadel's pages don't cover).