diff --git a/.sops.yaml b/.sops.yaml
index 5bce7ef..d77d8fd 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -162,6 +162,21 @@ creation_rules:
 - *admin_gpg_c6ristian
 - *admin_gpg_lilly
 - *admin_gpg_langoor
+ - path_regex: inventories/chaosknoten/host_vars/ntfy.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_lilly
+ - *admin_gpg_langoor
 - path_regex: inventories/z9/host_vars/dooris.*
 key_groups:
 - pgp:
diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml
new file mode 100644
index 0000000..7c30930
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml
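Review bot: The new rule's `path_regex: inventories/chaosknoten/host_vars/ntfy.*` in .sops.yaml is unanchored and its `.` matches any character, so it also selects any later host_vars file whose name merely starts with `ntfy`. Consider `path_regex: inventories/chaosknoten/host_vars/ntfy\.sops\.yaml$` so this recipient list applies to exactly the one secrets file. The neighbouring `dooris.*` rule has the same shape, so this may be the file's convention; the rest of `creation_rules` lies outside the hunk.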
@@ -0,0 +1,232 @@ +ntfy: + user: + admin: ENC[AES256_GCM,data:kwGLrQXBiqKRoHkStGzYiC0fbcGgQHdZrrk9NyZtcZcI4nrKTGx1sxrHOMI=,iv:ACrBFMOP6rkfshOgB+a32TFWH1OKhQaoHcYgwHx+tao=,tag:2QTWmH/vAzIWAjaOHOkrXg==,type:str] + fuxnoc: ENC[AES256_GCM,data:HVqo1GLaZfDi3ZfAxEJBudFZ+KooBaXk7fr6SsDBZr8=,iv:KziV5OXAtMABqWDPsTRdHM+Ibatp8p5UDoOBUdznx7Y=,tag:kmwSzjaJFBheQcs7181+Jw==,type:str] +sops: + lastmodified: "2025-06-01T21:43:36Z" + mac: ENC[AES256_GCM,data:Ssv3QazPopQFN+6ZpoUuaDgVacFmv+VovkptUAybv3ia+03EQOTO5c6FtQf7o2n3M8J839LtOC6WDb34/0WK7aJZkrmnFAuqanJVjlQy5QUHvhSyhHO8/MQwPYnr2hVKHnVyHdKr9KJFilCCu2oP062a+U3eT8BVIeFGyVOqi9s=,iv:q4F5q5Q+6mtzzyYfqH1thNe2nV0eoS7fdoMUxKPNMz0=,tag:1cMSMILpcgFE84nOv+fSNQ==,type:str] + pgp: + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+Irbhincv0agRseJ3U03cW+YNHa4suynF5eSew3BsnY6h + +EevEAN2uz4JIRVSmXjBeNFPv3VtN1h5kxzmWXNHmZwFH4nNR+0w9a7zfUEa2E2W + 2THwlZFZIPVgxRZIA1ntr88a97Bxy+M+gJDuazOq77YvNCAWLi46Iim4MxuHGqsT + jTJ6uSe039gKiKQapeS8PpXPNTfs0ORq+OHkN1NWtJ/FbePZquqfPYfdG3csLJIB + 2O0To8jX5qKYZi9Z8Vx1EUMB2C0rT7tcteBAKs2KqYq5peWAK0JJefAuDbL0Fdb3 + GOXnRcXKopLlLkCI8P9JZ60oW0HyyjaeuF2dvoErdqGSZEhH/RSkfYnTPoM3x03+ + XwH6qBVFVlj3y9IRUJt9FAt634CHnFpTKGEZ7gEiNHazrIUiqF0VOEzI8zHELVdq + Yrx3daWBJLhMJAkv1Tgk4S0OSeK5BbJDa+UhjVgkbBjOJEvT0J0CXzaR6JVJqKNm + 3mGBJtc7CVBMQGX7RQZ4r6J3a1vhElMycNZCy+4hTYZ9+KCtY1wPRjleYDfgoK0E + 8WnsZ06phqEmmSThzB7bbCpf/5SQcxoWWUpdV22poHOEc/W0XoCy7zYXsoM2r7hP + JW6k/MTznJD3QnI0kOrfS44T51xkdapBUz9lFsh07nRKhi9TJJB8JXxNbCnbMhnS + XgF8vGN8Qulz2ljp6IM+LhoMPADm3hrQtEkJrXQxz1dpkZE4XHUk/tvgsDx8Kxco + z7/LzohXg/4MrvKtA8q4sl9oOMpv4B0H9pSMzdURk2vmgd96U4egiYpjXwqwBnY= + =3Fho + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//Rh8YA6DUIBi6mjhixAd2eNCLPlQ5w/hRj991Q9uVCaBR + 55JWyQQBbondn/1MEVb2PlaHH22+HPAbv4p33FD4pbimz5W0taBw3T6CmDdx1V+E + 
UmitZIRNdoirbe4ChFToUjZ31RQbS5pdxW3ATSJKn1pmR1/g5sBq5SThenm1nwvU + ahV71QfUrs7oqJAYHqmPIipbR1PP1QSVfyDNGUx6gIYxWS7dQPtcNkVhS1fdCl8b + Utg1MW/pCqQuw9nRsI+2rSEtYfYqiap5Mv31Ihznfvu/cH+uyeBeT8Xmr4/9qmvA + 5WXJA/0qwd3S2+l6vcxBFgyoj9yFAYorTU200OBa1HBZGjQY+V9h9I4amYrj2SRC + 1wgsNgFxuhUQaEDhPlD8kdSts8QY/ApYwJyHnpCW1FuzgMPY2w6CfDjr0Hv4JCtw + /Iuy5zbh3cNbgV8jlVn3J4v3yMtEZnsh7rEb+EbPuZmpTuZ8AIG+NqIiW/SBfELW + qSHN/Iv1zIl0BmcV2qAKfrsox4QIOESM/77ISrwOLQoPd01qefNsTp8PExtt+yzn + 9MXNv0CHmpDA6u1ruIpub969T04tHu3oekZpM327glpCf5SoKVo+fYmEwB8IhIkW + NcNaQIeZ1P8jSjHM6XUAUfOHzzRMy0jqQVaz9kD/kHXCMfCJT5KfvKeSaJhCy7/S + XgEtCHT6VloJ2X9VxL695k5ugfyTsDYYDgteKuSD68cPbj2MnYS8uKD3VQh9/I/d + 5OJN8fsvpkpQIltUh3DeCgRv7AF03Zdou7amrTl5MEaNBZxX5mBJrA/qOw3XAWg= + =mRNR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//RXqm63AC3eWRV1cNDulWgCqZzThW1f/4o4xelGYxLQe0 + cJuSqJmZoHsAItQ1GBIhyd/a+lcNt6Ym100RLlL6f5nPnHyk2pJNv/dPOpbs1b8b + +ulq2QBQEvvrzukmzXcqMGrjvJrzINB7U2L1uPBe0CTircMUR5J444LgOHC3VGnt + twBBgI5NQFcoZLADt8j73KEjfYzPJeaqHudhgU59h+cgPz+6N/v1fkG0vSQuzBuw + Tm+fk52t5X5qLWLyqrLtb4W8LdYN9D9TieRRlzjunYL8mISJikCQfpHroJkJWDjH + k4gaeVErauCOJWQ6Gp6aiYBtMehsHCh/8stGcnOgtyBpPh7o9FTTGcVR6j+qpijL + QYsjYfaH5aOU4JoUO5vq8wsBiVcOsP65CqeVFFLlvAVqZxPNzq3iBkBaWECLBfYy + QtIFRnRRznZQvTR0hjC0cw7vOpBGNwAcqnjPv9hQLPzdZyU2ViJjhwq/16alER9V + N2xFl6eKt/Mau5ZlX62lbq9eJLmR2Bqb+sL4rdMfRfl259kvGilBkCM7SMfkWnOq + z0do1+9FRzo8IC57WvYemzAS/pBfFH8o0Ey+PRSys03WC4YPW9XDnjSpRKEPpO8u + DbdhuKoVb19tAERzpZZKN2Rzuv68IpQ1vhEEP1BbsApoS0vlYIxcPSAVmSC1o7vS + XgE7yntjkVO+C8ciByubK1DGHZ/G5eXB/zkYQKj1w+bAmTJQ26DtHJa5/o7cXkk+ + Ja3Qrc5Yp+W5MIV70+FHsDXNarpXSJbSPNf4nPKWsdFZGkauHks0o58T6D74LqQ= + =wHLh + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAw5vwmoEJHQ1AQ/+OAK/CpxVtW9HoLP1wJR589/JMdqJZqOxkySgAlm+z6RY + 4knRz/0f5wdHSQyuvAYnq/M1K9BsBD34dFiqyvdTa0+G+bJUIkHDLkSTqM8IvGMb + 48sCbGwW4Ghmxn5mjK3MwuGbGKxVujJWqwaRmOp6lgtRJdpKReFD68vtwTHa2qhh + ixnABbOTyN08Bf9pJ9cgoAQaVOcSja0E+yuPRlHUvM2hjbGNndbaiTtfq1hFn5qJ + VoakC+u6tcKEp31Y4plN1NTRf/ywZ8oMmT4TIf3kvFGwx/XKx2miIB9cUSMw/ojU + GrGNXjh4vfEaT0iIRtZ+H8FfuGnjFkU6qodLEIKlVmng8MU7ETGLErHjyNEJf2JT + OMnaajJxq8jXaY2SDoHsKETMgON1uwDDKW6NOBhaK+fW79W6z27uGnsN055vMTpV + kh1YJixyI3wIkr6bbfNHBdr6C8Tb4sY20zghvkQYBA2xCZSLOT0a5lX7GBTUp0uY + +hgxdfyQJi0P+4QPam28/b18lOZ25LC69YX8AtczQ4vHhIM+jQ+bzoNSoMpwcSm4 + vZSSmMB0tX8W5O6yo6A/XLoktzyuzvMfZ2v3/6LbIWK0FKJzy5G9A9/xwnbCRulB + BJf+xzfwWt92pW7n3yVgjO+o48J1c2b71qAaMtukhPLNFSozgHlqv4vy5BD72pnS + XgGNEavqMxIRuRQtyDeeV0W5gdGCY/XUAjYxh4Ly51XJVCL1yZptYiFaWMuYEB3F + G3unTkE+YedYk2g/Wt4pR9lcgRLW4zRlOCtzwiE6JbAkp5NsQ6Tn/Q0UD1sTRsw= + =Y1YG + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAxtzsDYAMwB8WAUx0U3RnEkBHEeyMqNvLCgzz0oU73B0v + eUWzHUYrTYMyYxRMKO8vqKULBPhYOKbns0hzL8s6YjCnT08XwNXtYiuKm90FVQcz + 4ARslyObb+0ayyfx9dd9+6aFCgyftgAZpctWCEWPhBLUIsKcsd/q+Q5hSNfhwp+1 + IAfruNkBaCFD95A3apfsVd3E/clzXBXcNa9d2k7Te3LCduhD5Su9QUgqDvf5Je8o + WS1+Q8gih/+xTNR0avBfAZuSq24cqKyPg49KNRvfWq7drEZYYfUOdIMOJVZiBuRJ + y4HjNGgX+NIl/BDu4SpFQVFhDmv+kgIM0JxXF6p3Ap4hZAYicWRnn0StVJ5kaB6O + 7l58NTu9aX7eLR4W2NuYLTwmssnA/hJd8i42YSYYD05siQIKICxkaLSTVztqf1vS + N4RNNZNle6gkBvceRkb+8FgzPmLL8BFPkUiAFJOr5BDShbXwN/UocBgVKIRsuQah + mIJ5uu++9oy5jaR/eeff5QcRxtpCasi/86qW9igCSOqKuHWOMz0RWJCRaJmhWY/m + 5gvz0nNCqbnPOXwvbNiuAmFmhmhYs8AvEvqMPJR3DHUSy5U1Bqpx+Oeu4qK16alr + HxjnyyEoGLkTSfk22vN7wQZD+loQJlL9U8swQmZD+Y3pyPInCYrZotOwMBo6XazS + XgFRaZJlP0gC3tN83H0b1oC0eXBMagmEVkyhxMBwXCrGxl9BrcF7KGxP5GU7uqGm + nV0GU1UIJZAS2qrdf456Ou01E/5QbpTHac25/W7ZlPOhibqWbT9wV+ICYZfSMU0= + =07bf + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - 
created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/5AcTObI2/IVj3lxv7G+p65eqtuexRmMCn/dsLOR3MBLkB + Pw6JFRUIsRAgDlpD0YI7CrqB3pisej5LemUmvB9vK9H+6IALSB5eKEMd/6MXiqlV + HDUw/pmZUP+X16GAsXDwvMNT1RQQuEnigTzaIo8ydDWdsgAMOs7JZ7KcF/k62x1k + UCqCnEZhxyKopNOtbLuVhpW8R1DnRIenm8v3tB85neVTXPBRcG8fJ5y3zqRwpIPX + pXUT2QI1fD6P+djMNJPFPcQdf1zz1xj02OuQQnKX68qh/VW4QJSF5e0firXSZ37n + dpsfQ7ROU6PfnvcXFZTPoR6b8oUgo7TxwOy4ERPqXbuM1UZm5zr0hj42IYQz1AZm + LlcB/AIs2MJDXgv7B2aLryZQGipBMmsASNbqyTVU+cA7f0km3hyta83RZsOw6MsX + wQjTQhx/lnCx3/dOJevEwBE6YgybKJAVIqscNAagAFuCtlbq5RjVYKRA3nRBGgjK + hDFQ0yWWl2UHYC4aIl05SIsoL2KVXEzIT1qayy4sGR/L3YmUx1OcZLiBZOvCRBYw + v/DX/Poz7C9g2jEPC9SV7IHXF7J1SI6aTOWcxrqpXVY45vbIW2qLQC/uJz3GTOaR + Om361FwXnJAYeCjOxIZXSlBy6JLEgBSjA+F9dDtwuTz3Bay1IhdNJ3Z55zzVI5rS + XgGJHreDweUIhIhoGBMiEuKb+d6UCQ9F6oiBulvO3zYTpqJNM2U10xllF5MEztWe + 96Bai8OAPTkIR5UT2cpjodlye7+SvAabxvnUDdUqoL6+2jMtECUD5/VRzLEkrfU= + =w6pZ + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+Mj7CiCY2fpytnZIrwXUaSSTvEl4TkuJrgN10NXdhEiuB + MsIubs9q/dGvG+GLBTNIuRJzzQespRC0z7t38ylGNMvaLODUGpy7XvfDF6aiSzCG + hrGcWGPwWue2HnoyPBy4ObaZq+aB7FrGrNgxVS5p5sd7ovj/UKDu75G3DNXuQ9C6 + AYgzETIGU6wtnJvp0EhqHQTaJ88dus+kiGpLVhMxDfGPhCAwOQ/2SYwI8R/uJTEh + qTCkNOYms5vV+DVGXCO1kfgqeQjgRj5vnMq0+2m3Twvfrj+EVNnRh2jrJbYypqRA + 6rtRGUFQFrr7b0rugaB+H3FIRffjrFy56rnW6iMwwcvbsEpAx3K56hm347d+vH+8 + AcuaD955skQ8WnopbBYzLHmajRZZgK74JwY4bmEILeg1s0+gZy7xTRWsYQQZfvTR + 45Cq4wVR88QDNG23vVscABZIeV9WocSiCGlayo+LN+dOZdGpkhjnq76Qw/jfzd9A + h5UvMVsnHcvJMw1zo73cbdHlI6IS5oCuTLsVy/w62Ts6oTD2KsQSMyZ1E8QYQts5 + ugZ7T1mRcHaB5LE8+hSIRi4Ck01gZUtApAdIXGwu76bSgspGfvINqOmuWpOd8+K4 + uqXW0Wu5yEfYE+ypAmUY6sxfilXOV89PmJcIv56imZNEEnr9aK+u7rjqfX+41izS + XgHJhO78PVLoawWZ5x4tSw/Tjd3qabdr5dx4bQriUW1ghRJEt+X/2uDvYyMEQaxH + mM2c4FHpM/IyG3Td89JpHcbwVxktAm0fwjVswdILyyIz4bzht8+QsJHN+msL9OQ= + =xDlD + 
-----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//XakvJ2IaEP1Ynaw0qYQYOEyIiQp8SJk9KReYHDpDNuqP + emdLwZDZSVP/QqpnPC0diJkZaTM7yaSYxRmiXTnFd0r8bEYLCL1A6GBFXIFlh+8M + PgOff8TRbUrLmgEtyrkv1PMjf8rX0A4iSPiuNFFL3ew7m/MBkITiPYq+8YcE8yTz + vgtNyuYfi59TbKai2fcas4IX3bF0HeGrhAkys0aa2iFlH/lJj4yd7NqTAsOsDbO4 + 1eplhf+IM8Rv0WND3UZCBNk29Em7S4yllFJpH4E9xS9noWqTEyMQ1qXeoq04BSry + dQ0evD1d7+gLacmV5+HQo5p80OhMSgYqrClGUJBO6eNsfE/hSc24MDjAB3rs6xFb + wGvzMWekWqosN0eXmU8Iy38bFeT8CWbAvCA9BJomwfDMbgE6MOjNo4PURZYQ0EMf + oMSRcTku3vTVidOumQS2a9qanNQW1dLTVigQvHnByNTRjPxneo3IZFIvqBqYdt1e + UbEDbjlDBQzqLt1vPEHSoX7FlMT49HZUY49yLwp/VMUGrDscApdLYqLRp9gbgf1Q + gHkh60sGLUQgUQZ65L1BRJgIm3NFhkJAtONQnJq2iY5f/1ZPHlAQVqrBN9a7Hp01 + efrdHCvNMDvoIZXTpC+y7cnvnmN4fGXaXA3Z1dJsmai36Ak83hgtMhC7s75FMtXS + XgGlZQUDAnkpily0mS/ZQ4IMLW2yzcBH1BkHsuHEmFWij344+6f1TlrhObMuFD+V + 2E+A3Uux4SSl2RbpIfEcvZptVeVB17wutOuHrVXrn1sOm2+cT/k+Ousrrfrm4v0= + =j38o + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/9EYMqHVt60BlFDSZXR+J0/hfnxutbvta0CPkAUslJIQS5 + XiPcUeptVEmyLUz66bw17m1R4j4miDW8o+3JVQH3oU4YYQPUFHcY/kkSVU8yuWp5 + e8KkSkVTOcUaAyiPNTY7YswOjWcHKs3B81eSJBAKGiS2y2SakK78fZMan5x6vUJd + s4O57hxZPrRXrps08zEiTC+uI8/Wl+5VvoSfllOAqwaohJpEOzt2A74aBz3cit9T + yBwHb8nhaZ17RYZ8DJtGyeekMlgM7vj6IGWUbxb38C+kJlY/15MDIKKWEApZ2/m2 + VXwUR0aJcqD/oLFOnQO/fKTQM6QGnrgAQFF8Z6X2pZqIU9W6vxNHTGEzt6cn3igS + 0Wvp0hRQEkfyYx94xPGm36/GM4Zqhz+W2YRo+z121/OO5PWBtMxLUT39/PKBDROw + BU/QLPl+l2nnLg80KQqcUw60HUXZIpR1p6KEQrmK7+jrDPIx45S1NI1RmNiMEv6y + h35boU1/0YymYKkt6nFyz/GvqD4qviCLimz6/21a606TaIx8LqZaLmZ3YdXk7yqD + XcHweJ1EBbhHkLYYCZsG4tNfJj9hBgVimOjjiCnr0lkzxKAPGdVghmPdwFLlYXIO + V+tAi9KKPK6SRdVBuCpzHZyg6JLiFGmUsmL/piSY5hXrvv8p4oQp/TI4S4Yblv7S + XgHt0Xy2jfYFUPedR0BMta5TqvaNjDh1qxAZepzbWRwiDjHiQ4gsAvjytUmiceIf + 
KJDhKQqUuaNYt7cBsNF9PgtSkD/ZuF4oTRFVqM6tr/JroxjSrGjg39T6lNtGo8o= + =v83W + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdASHcTIysPla95JELBmv3+guJ1Ehx4VGq/zp8NFcU/nG8w + +o04dzI96ZV58cNGG0GZOpoq83q0XbspKpnzMnJyNtlbsMpVXhVZgrneUYY4EwnB + 0l4BNnrT5pIFX8+6dP7EytxWU2s1UTppVYgwELpWnWItZk+W0EgiK5f3V+x28nh6 + psaXJSFsGOJaBJsitMv/GDyyOu7y+PKSKooY12GujdK4cgu5SZbzeq3iYcKAyQ8a + =TEyd + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdA/Y9Zxvac8WQmVo0KgX7LTs9c8GgtxOEMMUJ8QxP7RREw + NHIIMCpoidBtkB0RrLvObu23W4HO8/j4zrKV3dBmi3Z/6cdxbLMp3Kl6OK68UcCS + 0lgBLF455STDbzpSuZA7fMgeexxpB6rctYJt1EbVZ4Gq5CMdXEilccr+wsAqA19N + NFrV1QL5nlk9/qxU6X4DUaLcJP3/MAUga3ODsBq/5goVMjyQddDpprQZ + =p6Oh + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2025-06-01T21:41:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ//YkQT0gnE4CS9iPm7kB9H6zQ6655S3vspQ/ftbVkjDgbG + XUlCIZOqBWcY2M+JDCSHknUsj44F8Y3COlC8c2nSKO9sFDheaDPiSMqtJxXjbuee + gdpbvc9pjsnIdWP2HDgOTsAtX+/qjh4OACWVjqaJI6H+mDA2EaOpt/cp00G41v7e + XwTbvGgeW0nwxwPSS1UzHr5oVjwBlKdZXVqjuZT3tzi+YzqbSfQ1uWwWpS8flVDL + yCPTaD9OpYPq16ztNJoviF6+6eyTwQVfmJHq/3DlZrmhIIcd0wsx6HOt2g4RjW4d + T1mAuHkGkAbxcEU5TiHzIBMCAEHEH2s4TCs7VtdG2pdjm/Fq7oz2aIsVdwI7dg/k + wbOGoWDvbY8YqiWD1o6RDyhDySCkuewwsi58UTDFTC7V7CJWnTapMLcqenoNOzUJ + E+aM/kH8zHdTXpqpOeYwtKWX4FqE6UHYJkWhI7F4KzhyQ57N+98PRoPEfXoukjjb + JsBWBuJg0pwNrz7aRurCMvYpW29AXuL8WbceUxwZgB0P6ztGKdnU8NLhOZj2DkE/ + OLz28t9HtpbAfOZ1cxMrNp0log0hJFXD7g4cRX2F/zWuVKuWn0vUvhQot2GuAuw8 + DRG0DJGSQEHhyNjtNuLufGR6FETeC2CNnpeXxXZhqik1kXwSB/AompaKZbjJGb3S + XgHkuxjOS/a9iREdy+vW/evtGnh1uMUa5/phMU3VGKiCp5ozfuwaQ5gvVMrE80b9 + loGh0l/S66CyIOO1eXBlqkH5FxsMcvVAHB1u8uEZ3T9Y9yh0ontnc3LDWUpPxls= + =2DaK + -----END PGP MESSAGE----- + fp: 
878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml
new file mode 100644
index 0000000..96cb530
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/ntfy.yaml
@@ -0,0 +1,16 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+ - name: server.yml
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/ntfy/docker_compose/server.yaml') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "ntfy.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: ntfy.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 2450ca8..74684ba 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -59,6 +59,10 @@ all:
 ansible_host: zammad-intern.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ntfy:
+ ansible_host: 172.31.17.149
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 hypervisors:
 hosts:
 chaosknoten:
@@ -79,6 +83,7 @@ base_config_hosts:
 tickets:
 wiki:
 zammad:
+ ntfy:
 docker_compose_hosts:
 hosts:
 ccchoir:
@@ -90,6 +95,7 @@ docker_compose_hosts:
 pad:
 pretalx:
 zammad:
+ ntfy:
 nextcloud_hosts:
 hosts:
 cloud:
@@ -109,6 +115,7 @@ nginx_hosts:
 public-reverse-proxy:
 wiki:
 zammad:
+ ntfy:
 public_reverse_proxy_hosts:
 hosts:
 public-reverse-proxy:
@@ -127,6 +134,7 @@ certbot_hosts:
 pretalx:
 wiki:
 zammad:
+ ntfy:
 prometheus_node_exporter_hosts:
 hosts:
 ccchoir:
@@ -154,6 +162,7 @@ infrastructure_authorized_keys_hosts:
 public-reverse-proxy:
 wiki:
 zammad:
+ ntfy:
 wiki_hosts:
 hosts:
 eh22-wiki:
diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..818e17d
--- /dev/null
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@@ -0,0 +1,23 @@
+---
+services:
+ ntfy:
+ image: binwiederhier/ntfy
+ container_name: ntfy
+ command:
+ - serve
+ volumes:
+ - ntfy_cache:/var/cache/ntfy
+ - ntfy_var:/var/lib/ntfy
+ - ./configs/server.yml:/etc/ntfy/server.yml
+ ports:
+ - 2586:2586
+ healthcheck: # optional: remember to adapt the host:port to your environment
+ test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:2586/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
+ interval: 60s
+ timeout: 10s
+ retries: 3
+ start_period: 40s
+ restart: unless-stopped
+volumes:
+ ntfy_cache: {}
+ ntfy_var: {}
diff --git a/resources/chaosknoten/ntfy/docker_compose/server.yaml b/resources/chaosknoten/ntfy/docker_compose/server.yaml
new file mode 100644
index 0000000..a58e931
--- /dev/null
+++ b/resources/chaosknoten/ntfy/docker_compose/server.yaml
@@ -0,0 +1,9 @@
+base-url: "https://ntfy.hamburg.ccc.de"
+default-host: "https://ntfy.hamburg.ccc.de"
+listen-http: ":2586"
+behind-proxy: true
+keepalive-interval: "45s"
+cache-file: "/var/cache/ntfy/cache.db"
+attachment-cache-dir: "/var/cache/ntfy/attachments"
+auth-default-access: "deny-all"
+auth-file: "/var/lib/ntfy/user.db"
diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
new file mode 100644
index 0000000..b98a07e
--- /dev/null
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
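Review bot: In inventories/chaosknoten/hosts.yaml, `ntfy` is added to `certbot_hosts` directly above `prometheus_node_exporter_hosts`, but no hunk adds it to that group, so the new host would apparently be deployed without node-exporter monitoring. If that is not intentional, add `ntfy:` under the `hosts:` of `prometheus_node_exporter_hosts`. The group's member list lies outside the hunks, so this is inferred from the hunk offsets rather than seen directly.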
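Review bot: In compose.yaml.j2 the mapping `- 2586:2586` publishes the ntfy HTTP port on every host interface, although the host's nginx only ever proxies to `127.0.0.1:2586`. Any client that can reach 172.31.17.149:2586 directly would skip TLS and the nginx access rules, and because server.yaml sets `behind-proxy: true`, such a client's own forwarding headers would presumably be trusted for visitor identification. Bind the port to loopback and quote it: `- "127.0.0.1:2586:2586"`. The image line also carries no tag, so every pull follows whatever the registry currently serves; pin it, e.g. `image: binwiederhier/ntfy:<pinned-version>` or a digest.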
@@ -0,0 +1,64 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl proxy_protocol;
+ http2 on;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name ntfy.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/ntfy.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ntfy.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/ntfy.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https; + + proxy_set_header Upgrade $http_upgrade; + + location / { + proxy_pass http://127.0.0.1:2586; + proxy_buffering off; + proxy_request_buffering off; + proxy_redirect off; + client_max_body_size 0; # Stream request body to backend + } + + location /settings { + allow ::1/128; + allow 127.0.0.1/32; + # Wieske + allow 172.31.17.128/25; + allow 212.12.51.128/28; + allow 2a00:14b0:42:100::/56; #Neues v6 gerouted via neuem Router + allow 2a00:14b0:4200:3000::/64; #Bei Wieske + allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing + # Z9 + allow 185.161.129.132/32; # z9 + allow 2a07:c480:0:100::/56; + allow 2a07:c481:1::/48; + + proxy_pass http://127.0.0.1:2586; + proxy_buffering off; + proxy_request_buffering off; + proxy_redirect off; + client_max_body_size 0; # Stream request body to backend + } +} diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 992161c..1b998fc 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -70,6 +70,7 @@ map $host $upstream_acme_challenge_host { design.hamburg.ccc.de 172.31.17.162:31820; hydra.hamburg.ccc.de 172.31.17.163:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820; + ntfy.hamburg.ccc.de 172.31.17.149:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index a97d0a2..37f62a1 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -88,6 +88,7 @@ stream { design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; + ntfy.hamburg.ccc.de 172.31.17.149:8443; } server {
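Review bot: In ntfy.hamburg.ccc.de.conf the `location /settings` block lists `allow` entries but never ends with `deny all;`, and nginx admits any address that matches no access rule, so the allow list restricts nothing as written. Add `deny all;` after `allow 2a07:c481:1::/48;`. Separately, `proxy_set_header Upgrade $http_upgrade;` is set without `proxy_http_version 1.1;` and `proxy_set_header Connection "upgrade";`, so WebSocket upgrades through this server block will probably not complete. The comment above `ssl_trusted_certificate` mentions OCSP verification, yet no `ssl_stapling` directive appears in the file; either enable it or drop the comment.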