Addresses the WKS PoC review (Notion 2026-05-26). All docs in English.
- README: purpose, docs table of contents, annotated repo tree
- docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy
- docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet
- docs/secrets.md: canonical Bao login (moved out of README) + demo defaults
- docs/operations.md: full Makefile reference
- docs/inventories.md: repo layout, topology, standard folder structure, walkthrough
- docs/testing.md: static checks, inventory resolution, smoke test / dry run
- remove ARCHITECTURE.md (architecture docs live externally)
Also includes the gymburgdorf inventory build-out (bookstack, homarr,
opnform, send) and scripts/bao-seed.sh.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- ACME via DNS-01 against internal NS (172.16.9.169) with TCP-only +
disableANSChecks so the DMZ traefik can issue LE certs without
reaching public NS IPs.
- Migrate single-domain vars to `*_domains` lists (authentik, nextcloud,
collabora, garage_s3) so public + *.int.* SANs share one cert and
server-to-server traffic stays in the LAN.
- Wire `traefik_dmz_exposed_services` per backend host (application,
storage) with explicit `backend_host` overrides pointing at internal
FQDNs — DMZ traefik now validates upstream certs against SAN names.
- Nextcloud notify_push setup on internal FQDN to avoid DMZ hairpin;
collabora WOPI / authentik LDAP outpost wired to *.int.* equivalents.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
