CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

amcedns to enable Let's Encrypt DNS-01 challenges
Some checks failed
/ Ansible Lint (push) Failing after 38s
Details

Browse source
This commit is contained in:
Stefan Bethke 2026-01-25 22:40:22 +01:00
commit 0f3cd2c70a
11 changed files with 463 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -34,6 +34,7 @@ keys:
- &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
- &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
- &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
- &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
external:
age: &host_external_age_keys
- &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
@ -57,6 +58,12 @@ creation_rules:
*admin_gpg_keys
## host vars
# chaosknoten hosts
- path_regex: inventories/chaosknoten/host_vars/acmedns.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_acmedns_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups:
- pgp:

214
inventories/chaosknoten/host_vars/acmedns.sops.yaml Normal file
View file

@ -0,0 +1,214 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
sops:
age:
- recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T16:16:15Z"
mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
pgp:
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
/63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
PPvkTEc7AdD6
=GWYV
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
=5SxJ
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
=H3mo
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
=bY3Q
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
=C2Ii
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
=/EHL
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
=WwLj
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
=Bk3g
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
=xd/t
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
/rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
=9oyC
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
/KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
+t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
9iHTzz6Gpajo
=bBZ5
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

23
inventories/chaosknoten/host_vars/acmedns.yaml Normal file
View file

@ -0,0 +1,23 @@
---
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: acmedns.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
- name: oauth2-proxy.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
- name: html/index.html
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
docker_compose__pull: missing
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
# - "spaceapi.ccc.de" # after DNS has been adjusted
- "acmedns.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: acmedns.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"

10
inventories/chaosknoten/hosts.yaml
View file

@ -78,11 +78,16 @@ all:
ansible_host: spaceapiccc.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
acmedns:
ansible_host: acmedns.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:
base_config_hosts:
hosts:
acmedns:
ccchoir:
cloud:
eh22-wiki:
@ -110,7 +115,8 @@ nftables_hosts:
hosts:
router:
docker_compose_hosts:
hosts:
hosts:
acmedns:
ccchoir:
grafana:
tickets:
@ -128,6 +134,7 @@ nextcloud_hosts:
cloud:
nginx_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:
@ -150,6 +157,7 @@ public_reverse_proxy_hosts:
public-reverse-proxy:
certbot_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:

27
resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 Normal file
View file

@ -0,0 +1,27 @@
# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
[general]
protocol = "both"
domain = "auth.acmedns.hamburg.ccc.de"
nsname = "acmedns.hosts.hamburg.ccc.de"
nsadmin = "noc.lists.hamburg.ccc.de"
records = [
"auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
"auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
]
[database]
engine = "sqlite3"
connection = "/var/lib/acme-dns/acme-dns.db"
[api]
ip = "0.0.0.0"
port = "80"
tls = "none"
corsorigins = [
"*"
]
[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "text"

22
resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 Normal file
View file

@ -0,0 +1,22 @@
---
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
- "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
restart: unless-stopped
ports:
- 4180:4180
acmedns:
image: docker.io/joohoi/acme-dns:latest
ports:
- "[::]:53:53"
- "[::]:53:53/udp"
- 8080:80
volumes:
- ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
- ./data/acmedns:/var/lib/acme-dns

63
resources/chaosknoten/acmedns/docker_compose/index.html.j2 Normal file
View file

@ -0,0 +1,63 @@
<html>
<head>
<title>ACME DNS Register</title>
<style>
table, tr, th, td {
border-collapse: collapse;
border: 1px solid black;
}
th, td {
padding: 2px 4px;
}
th {
text-align: left;
}
</style>
</head>
<body>
<h1>Register an Entry in ACME DNS</h1>
<p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
<p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
<p><button id="register">Register a new entry</button></p>
<table id="results" style="display: none">
<tr>
<th>Full Domain</th><td id="fulldomain">foo</td>
</tr>
<tr>
<th>Sub Domain</th><td id="subdomain">foo</td>
</tr>
<tr>
<th>Username</th><td id="username">foo</td>
</tr>
<tr>
<th>Password</th><td id="password">foo</td>
</tr>
</table>
<script>
document.getElementById("register").addEventListener("click", (event) => {
const register = async () => {
const response = await fetch("/register", {
method: "POST"
});
if (!response.ok) {
console.log(response);
alert("Unable to register a new entry.");
return;
}
const registration = await response.json()
for (const key in registration) {
const e = document.getElementById(key);
if (e !== null) {
e.innerText = registration[key];
}
}
document.getElementById("results").style.display = "block";
}
register();
});
</script>
</body>

13
resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 Normal file
View file

@ -0,0 +1,13 @@
reverse_proxy = true
http_address="0.0.0.0:4180"
cookie_secret="{{ secret__oidc_cookie_secret }}"
email_domains="*"
# dex provider
oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
provider="oidc"
provider_display_name="CCCHH ID"
client_id="acmedns"
client_secret="{{ secret__oidc_client_secret }}"
redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"

83
resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf Normal file
View file

@ -0,0 +1,83 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name acmedns.hamburg.ccc.de;
root /ansible_docker_compose/configs/html/;
ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
port_in_redirect off;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Auth-Request-Redirect $request_uri;
# or, if you are handling multiple domains:
# proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location = / {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
index index.html;
}
location = /register {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
proxy_pass http://127.0.0.1:8080/register;
}
location = /update { # no auth by proxy required
proxy_pass http://127.0.0.1:8080/update;
}
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
}

1
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -82,6 +82,7 @@ map $host $upstream_acme_challenge_host {
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
cpuccc.hamburg.ccc.de 172.31.17.151:31820;
cpu.ccc.de 172.31.17.151:31820;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
default "";
}

1
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -100,6 +100,7 @@ stream {
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
cpuccc.hamburg.ccc.de 172.31.17.151:8443;
cpu.ccc.de 172.31.17.151:8443;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
}
server {