diff --git a/.sops.yaml b/.sops.yaml
index 9121e63..5bce7ef 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -162,6 +162,21 @@ creation_rules:
 - *admin_gpg_c6ristian
 - *admin_gpg_lilly
 - *admin_gpg_langoor
+ - path_regex: inventories/z9/host_vars/dooris.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_lilly
+ - *admin_gpg_langoor
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md
index 93a9c89..c88315f 100644
--- a/docs/setting_up_secrets_using_sops_for_a_new_host.md
+++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md
@@ -2,7 +2,7 @@
 Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
-1. Add a new creation rule for the hosts `host_vars` file.
+1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
 It should probably hold all admin keys. You can use existing creation rules as a reference.
 2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
diff --git a/inventories/z9/host_vars/dooris.sops.yaml b/inventories/z9/host_vars/dooris.sops.yaml
new file mode 100644
index 0000000..b2ec161
--- /dev/null
+++ b/inventories/z9/host_vars/dooris.sops.yaml
@@ -0,0 +1,232 @@ +secret__dooris_client_secret: ENC[AES256_GCM,data:v85gIBNH4s4j36crJ+Pb2lu2cdZpwz0xndHzBKZNGKg=,iv:Rlt6R7JMcHTAAVPiTtFaxqsWD8G5B9Ab3yqItYdFR+E=,tag:dlMHaxTMx3LgOzCsTLUdzw==,type:str] +secret__dooris_ccujack_password: ENC[AES256_GCM,data:bHeftSA7eC1cSydBRumksRgw2v0=,iv:X/pfsvQPZREifGjHDGx8mVk2TDrlrRVb6MiAr01wI9o=,tag:ti//x7eDbheMG6Hsn2KBlg==,type:str] +sops: + lastmodified: "2025-05-29T13:28:08Z" + mac: ENC[AES256_GCM,data:SkqMlgJBdM+CMLE/um7m8V0ni04Xi3S9GovNsADrws6VbSWTX+50oc6HtWl+Kj2XugLfp2XpVnlzggCiq3fePsdt1af2+ZfSCue1d+dexjo5Q/gvE/olKlmn6aj5qiosUsLgu7v2bCOIb9m9WiEhlQLKx1wGiqVNQDabiLOJV6E=,iv:NUUOcXtbg+xMHqthipKpRAWLTXda8rup4aCbbP8sVEg=,tag:wyh+hrZreOyT7uQQrghb7w==,type:str] + pgp: + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAjrmnSy9HYxao+iAaOWEmTX/irINxrrA3Un+Nhna8W5ri + zokFzeCpto1iraFy2UMh6xQE1b2SEmFvGv+mCdwnPcYRR0PJ6vIulGr+sNURUe+O + fEgPJgXWxR+1FT8/Ko+9P28TlcSHSdy6bemLtQmi2wNJjkexLoiX9QB0B287I9GQ + 5wx/xW3uzA/wTheAtP1OhuLqQn5ADvzYovKFy71JIBWyxu0zVozUYi5AYKq9t3qP + eyeh4ZYbUgfD6pVF1rXuf3sr6y4TjW9XN9EmYzN1+/qcL287S0LWTAGzS0xgkvKR + QM2xIPU+MfX278G5ISxcqirbXGWpm8+WXn7wDUcpPeenffbvyL1FIqOb8QkJBYVM + Q4XxjrvTT7rTdz6u2Z8y6BuK03R6dXtqwMQ+Jn8ovrTEAr2nk57vLkOlLSoPH5qp + O//1fHSD7Rm4VPwSRahwJQ5gQ1orvpZ7wj27DrUCvG16zqtdYLvXIa8CG7Kr28dh + EpuKHD4vQJTrY6SXUfLYEYeTBjGnT0tl8kgQnffbnB46pS5ekDdE7w+S9QSzPgXt + e058viX1qAVCy1xPeyj38kRJBtHX0sgE8T50AbkKBG3+H9RY4NOIRKsPkfL3D/9K + luPXcAM8Qbmu0T99ZpyQuLFg0RosJaMNlcL+MLpqOGAU3Jj0TfYQzy+s1Vm0+lLU + ZgEJAhCUkAKxLkbSVKdt8bK8fb6Wxs245XPUZZpnnwtF2psGOgCU4JbQu2e6Uu+H + W/cLSXth85OKfrsypO5AAyDhcNw5K/63jHsOq1MUlv7qKxqS28LgmLxvH+fkTlX2 + yy2c6b4rgQ== + =i7G7 + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//UxDv3k98prigd9KUtFZsiDGlY9Vw7YDlYdUQx6kjxHnF + JfO6LvXrnpkVwYQ6Nbda5ugKm+1b+wvMO0w0xcLFJ1BTKW3prvm51ect8UiOgetx + 
go/tnUl2R42gu8D9Czge4/bQJO1pdzeDF71gSQju2k/sYGcTP2QCsxdbQziziKy2 + vMcnBCMSJFTkDjDYlCsAzDJ3Axb/1NFYdOiAeAr0V9P5SHZAxoAw6w8NgbgyUggB + Nrh9pwvUMHa7mT6TWR0wTYlseoGAGWBhDaIZOn3SW/yupJMFqOOMy7iEchnRdIPb + 4d5RKlaZxWHDeD8yMQBHmNE9hzi+lbVyCtP2ozFGhYvyrHvOQ/H/NsPT6aW6XCEj + PCVTmmWUX3ZUjOoyFtJvWI8QJWicnqYm3hZg+Q1N19MTfmSBjvP5unqu3yLJIBuR + S5olb3F9dAdMaHHtfEaXdX1jftqlupS6KenCDss+aTSIrAllM970CILNduvvEvrG + u9cIofQs0G8B4qy1SYAdMT0psh/e/lzUb2qFKy6OWnWU9Q+DEclCsjYQQYdOaFEg + Mf2diWFTsD2tVlZk3inQ5LYLb0HgOEPgOBcpz0VGqdTerCx7bN6va1cZN+TOEwzw + w28WTYEabeH13x8L2QB1hBxuyZjKb5nBBNncV5lR77o4VGeacxxxzriMD27HCavS + XAGX+omwzhH9M70XmTHANNTxuB3GM6zz0y9tHWtr6HZ9yZwHKTfRGOOmSL8+m6k2 + k3gHVlcdzac7L1VExaWTdGATzvL1CxRo6F+DPPpz5Tg7872IfGR2PZ4gB7ko + =AJfS + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAvQPy/OBTDUzdnp3SEaAva0GcJLol10vbsCKyT4KLlW3d + ByrqmPzRov/CZ8SOs8lTvqgp7qWOH60c1wwCrJTZ9WNQNfQ0C0fjl/KKhsFKelHE + JZVGfwz7cKV90ZrGFhUZF5koiT9Wetzc+kQ4SQo6xrMOjWVtwbFjJ8NjH7Se+URK + 8VbEp+dMU5ilql9rmOzx/74vmr+z4p8/LCFJmOjPbwuEFUFIO53+ytrD9JV2LbOh + W3T0kBn3kqWDnVbI+sclwc09d6C6d3cb/MppHDDggH4TMnS6coEU8On8xEsAvHco + +XH1Cdu6nYlfqF+k5G+fEfP7Rk8NE/wWJ1bX7J+gcCABvl+Y2/5TYJQvvDrEngPa + VfFujgqq+b9EvIznfYVgPqiJq222hZzesZXZGc8T4TpP3szo7GRL9d8Ivg63Y3Nz + ty7eRb/WmBnkfVa8CamjmR7Gqt5LOVSXfZksK3kXXVAtLrZ0fQIll9ug3EELCo9D + cbhhud2JLXoJZNlYh6fBlKMRWJWjIbxEETx9S8FgFIUegOyLu6ydlqAYAQTnYa/1 + kWmuwQB3xjgiY3+9Ji7BO5e7ZlRIhs837brJfZ0bbJneTGO5IRI8gpdjt+D79XlK + 72yG/7zlrNi/xbWdUtT1D6PIwq5KTltMt9D3Kp0iZF9WvzQ1hVl/lXWaI7LtaU/S + XAHVfQzc4HoskbWHsOdlQNAOks4J4eBRFkVxmWbVXgeiWJ+ATPf29PQR9Jbqlzum + AZuIGvoXqS41oy5+mOgmtKY1pKMH/cGjfXYzi9HJmQnjEt9IR+hgUx16A+tG + =PedT + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAnxFIPa1QdjcBu4yUulTP5ptMhXObVnLMLK6SmKiq/rmG + 
SD/M9fWNuROi8NodJd0TJN1L/osSSMuD9aqV0SkZPnt7NM4yood5k0N9sTDZAr0u + KRYccvv+gJACRyalZL9v4t5/YZU5uexJ0ciBSnuNk3ds0nm3Ln1Iz4BMBMR2KTiT + f2PvZMIE2PP0v0oGDYPIOSPqfoXjjUFyqp/3HI+l+bzORNT2yzl/062e3h1m7zVA + TA7zWLDVcZFA/Aa3+LACKaz45V5Lj7gUXkgJ7R+d/qg963OYTUbLSiNTgtgqnLLa + DJmc3RDcuOeHaG2AY8l/r+cf3s2TH0J6bLIAZVEBSvBvXD1wMY4nCjubUEd3nUp8 + 5GT8WyQ6f8aB8Ay4rytdtOWu8NuMIwDpT3ksT0W4XI22EeHJv66vTSvV4pfcoiSe + cdrCChfRGCpiWW52tJZ4HjkhXW61a86Vt/khhok/h8T6SWADRn3aHj52s+qNtigf + scYEmBFUA2GSmTB3gHCjwWckVGgpFmXPYaI4LE50vU2nndxkxHx17GQjSLS+9Pt2 + iTVVOqJu+mlfiXqfO7LS/NzaIDlMcYr8/JVA+hTRM0cUN6HgzC5s/486JoPbU9BX + o5i+NhNyhY5E8H4VXK48fvNUGHjpJLqC/InVM1wguxYxeHbI4YYqZkFtO/oIxwnS + XAGsRHOkwxoDL2QNQpFeJ5oeXG5WccCLbIBiuQJYh8GGE0fnIOakx5SyU0A1+TVN + Kr/n3tJosVGNCtfFvjKxYtUSxqf7yu1VeoPyD9o52XevAfE0OtEIcQ+Nyy2Z + =R48r + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAxMZNf/eTAZvHArZJDJ67u7conjEEL0BHNmY0Tq2v2vFH + SDbPrecIRGVK6eY4eQDm3OKt14pa93qPZxaGZAZCKCVDNb2lpXSvoT05sUi29X3k + 9yDDKnXsWM0zK7U9/WPeLlVVT9zKzRixlRKHJWD0567lVXmAIq3xI4/QxkVIaH/r + 9+2oISxoXnz1c3JTNwdNEoA85m+nTi1Rd44T1QuTH0fj7i1VwWgK92TMQ2V92NnY + k8JdQQmCNXoC4BeEdo4v2nCUPWxBHC3ti2Yh4BFsik9iv3WeDe5RGLwdQwrI65pd + L6C1Sp+Q0CDZuaavheC/p6pplUDAml57EFEovQSgpm+ye5j9LO0dUxdeBG2krVoi + 3Rzz+DAI2C/zAXm3FHak+UnlVsQ0D6fF8qaiozwc8FDxSJZGbUE2hywuMuosNSUE + iPxT4XW+cWCqQOTLAAbyHSS4bAcc8Q26vw9OpQ5J65JanRUgxSfKOHGJr1bNJTVx + RPs6y/KPdxArzlxmXcJ+U4OBDMQQTMZ8ntsdQgMqqYZy1IUQKQQg4+X+Wj3C9AWY + sAdgY9bLdQTo5+zP+vkY22+QGIqs6piY4e4qj772Rue65LyF5qUpe0jkNyA7NzhK + uaCingCMAyt8IMMRjGJcI6uru43QgUBYpaAWc9hBbNQ5ASHp4bbj3WemJt1k7XPS + XAEO2UMCisCNfCsKsqE/uKi/zQ0xtugh2XrTUG42xnFS4t24DVJJEC0+aXAtyvNk + B2FYqlaHnqCNyifLR2r6CGO/PysTGIBvfDwNHcfD9TylONdKOLr91s4UV2W6 + =rUnM + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAxjNhCKPP69fAQ//VPjP2gKLowb22MawLvWyvEBvPqY5snNBNHMUaNxd/e4J + XaX8Z98AYn9rSL8uzGOk4e62uNZsOCRoK+v5gwM3p4Y4qzVjFYAD4pRBYsdHEEEk + 5hu8nrB2KdHCFocWWgW5IdTXalITX5nb4MpwZkd2pg8Nnm2VRGmGmPUVcY4cA+m4 + vhwe1ExWiUmfEditK347VJib+T2nNdsrCPDzFpo9MzUhOh0k7xLlIhgCHNkF91xX + Fmlkw/lUqIOvZlfQ4YyH/e/am6803w9bP1iAtSc1KVFK8M0+ETnYgLniWlQ22UKX + bp9bRovhhoTIwz24DZYEKFyAJ1X/ovD1hl1RhAjGniGHNnGOUQrLyFVNdJS//3as + 4Ag0WbQDiOg6AdUFPq1LIPnSxHquwFc4zQNE/9FjbFL+H+bena8fXyeQYy303/j/ + ZXyTjkui1jVdEb5XEF24kIe6E7eBnyYD4h4gNVf1FF4r0vbRxdoKSxHG4ebiwPWd + o9eSkCXl8hJj0b9fC9EC+G9xtxVyc+Oyimft8UueMDnneenzGrFo0uDgJryRECKn + uAs/RpHz7af8JAkm5Bb0s5oCRpG0NZoEX71jSjcS602gT9tA1ySA/iNKbCXzmmKw + brWfOwvjotEgZJAhnUfQ4dPcu0lNoGVWbcgwBOrIj556CtdWH82Qm8igi30DhuXS + XAFstOs9MB0KTkS5SoqnRKGQYL7nB+JAN5cUCYgxyIsKdOA2a+i/Hez56Nqlaat4 + RauajOum1aFl68PgCFDHMJOYIaC8dOTo5n4xnNhMNtcrdApKifsAuqDP+sh5 + =V9/6 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//XU4i+oehBWqZYgbJufjf9hg6pkPegnYoOMO439OA79Uu + axlWSHcTB6+vRC/o3e5LW3p5R5ANb64OOGyDeW5PeH6C2+b6/xlqyPAU233tNbmv + sQX1H/4BJjuWmM+tmpjP9H1K8rWmw+6+xvVVbOFudkYyyJtNupOrUtkQIep92Kve + rrgAlOXE02+3rqIl678s1R53wjIeovFd4XNxbO8LGWVELGgvREjJrUooYuqT1DYo + unVtK/W9WFzXv2hCzXiiFLfg5HJCpUq61jiKexEDYRdMqRAHBNQim556vN2RghCD + TH2B85GH57UKMIMCQB0XXekCEM1f/P9FBjulnhwZPOU5J41pmeHL3NB6Jo3GDXSO + U1pK8NOE44dyVCIw6GB5ZPSmB+pKITu7Rhet5pFUQvEkbzbvh2ckiclL8viK/Rq9 + ntPJ/NNb4IjVs/tBtmnAM1gXvoTSc3FGH8TTDow1RTpyqixx8xao+5PE9+zKL4Wu + aRe6NMa5xVWexCM2kQ3dLPPypO1yAodlB+a611ocQc2JHsKyxhIuS4VIJeJ1TWc/ + pdPW0JbgiPR1D3xvbLy89SOANFFug3WZzqjsl/BKxs8g2NA+dWYgbzUq5axrcIWd + j8F4gNa36BmvnTwA/UEkq30wNfaEucYrSoT4vdeT9rlhXuna1/iBHg8mCxQotxPS + XAGSQDissUfuC6QmJoUY7o1eGlr/yC11zghiJQRwi8/czQnnnukv2BMQL3UMBcvq + 9by5gFOjpytXGsk94VLzsD/jg5AeQqpFU8UJwr/XAPaPaaBo1RemYQf68O8E + =3RuY + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: 
"2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//ZOAZkk8v70befbmw0wVTgb7VQam9XpcvJ8y19A+bMIDV + R464pWEoBxSh+pvj0QoG2U40YX9Loc/VbAydlWrPFCGajxxkqkOxn1sbI5QfvYnw + efGIxWaTUQYH5miWWh2ZeES49wVqosplCP4VAq1F7B//9e5i5YiKcF2s1agMIgp7 + nSnQrekNgP409CQPsYYuUGq18eiH5lz1waXBkqK9aQnTMB6dh8tf/xnLzQsdwliK + dgITB93MMYZ64CYQmhTspBsqB/eFEjZCvnn43Y2+vwwzRz8p4NlpM/U+N3xdBy97 + tmhKdNWl1zzmoqp7k8gTnJlSJibXuOJOMK7lXT3/eKfOp5tFauvHCwqq6TroE4Q/ + yqBonz7RWmBtLlqIUs0C8sqq8sCmtOFI4o04zcV/IGA98KeNa3ZkfkO/fPhnO9D9 + bwzWMrdgpQwb3lzNM0/WbNBfIjdloviDa7I2Pgrc1LM8UcFVMsCmk2eqImD74YIn + eyNkIY6FMJhrVapuYShTf0sKn8bDWxi+VYZxPGbObTe2t52/z/6XP2tnSSZ5rn2H + zn68Its9dGhZ9ILkEDBuBh3/4cJwKs94MwhOIlPwgWIl98Sr6NUricSmNMV4B/Ku + DXlPfVxbxqJhzvIFG7pADm5HbFyWgFl9QpVfomJoacsQSTE3KPPe/2SKzG2l5aPS + XAFFzACeI/226BzPJGQ12BBFPfMKcQB3Rfg20Y60s4E28AFWGhQUI5BNNLkhEELu + JiKiSt/baYpehzEDCbKAnk1xCVldeV5WfyaOako1PaApXxjKb68cdyKJtZ8+ + =D3tP + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/9HbqjtdZC+8Al972EhHn0985LiD8o398dKO4lgufq5gKd + E4EhSEr1OmeEdSvTFDo2C3UFKrhoX6mU+GG9yZfRX0R6FJUJJP2xr7F1gkL4icXb + BBbHu7MDTLzVM8oP2/y6dwzZL507t1AhcTXAzSoY7jkvjSYzLukocZfFhJ94QPQS + T+k6pjVEgDJDJ5sHWw9zfW79Wo0Sl8hpSPVOkV02VV9EmDH+9kXj8u5ZT92/3zWN + HVUGWKDDIerpGHurwDEr1B8Ql1Tk+UgPjcErt3TlKOkUaIIwcN3STP4B1XaFxhjt + u1XrFVrqI9jFYCtgt/Mf1mfEfhf18bclQjTqswxY3HUqG23T1EClu57mJsofcS3H + bqF+1Mv798C2jFz6ht31LDJllI95pCnwuxbL3Z0tm2u0oj2us9WodERIWVEwcisD + hK5Shhv03T2X1OJmAPPAoSQhYIVKBdwkautTF+J2jPRUXulzgLVG7MLowTzbX/c+ + dT4uZ/ZKM3SWVmrwN5AOcGG8PVNtkt7/Dd8uDLeNNlK9QXJK5nfxDnhlRRpOmbDA + fRnS9tLPmY+T1knwKbMO8k918FqEhjdAHdEr+C5YbEiupUY+0KpoCqaf04cWlI8W + Ei0dhZ4OrBKiIZIY5i12BXcskgjsXPRNLqkN/fYqVyR+5VjM07kSOsnpgfinF+DS + XAHL+cPJCA+k7jnyrDDxjqETeEwf0gTgWMCSWQecULBV1UPh6AjNARsKAAOrr8BJ + nynWrpIAHfsb4CP5FfYl/CnydhJB3GHfBtElrUS17v4hhl656IXMyXMeGgKz + =l5zk + -----END PGP MESSAGE----- 
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAR8zTJ9Cb4meMl7X9r47AeKuyWkK3ck+s3WfwPSv6qzQw + RCWHumJZKT8+ZhZkyfHbcvNvx5q23cPngLdJ2GDpXfkl5imFJUdrfpxJvCvBJl/n + 0lwBsBFzr+gLGVuPodabHjiAx22Fc3tjEigHTBpV2fclmM97oJDBk6vx10vWIgv6 + yWWlGWo25LvlrGc9hNX5UzCTBUwkDs3cmV2r7O/wzDEgyqs82/lzm+hnDtHcsg== + =zBp8 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAQpzleW1vX2SXQXVn6NgWQTmlMfWm3RW4OUpdxByKlkEw + lADSS3szOdQWtQ8TWUAFhDbakJ6vLgUgvNV163Onxrn9GFJXylfdSSspE+8Z6Vws + 0lYBY2g09YqA1WBhBorJAF0GZk8j+SDhLXs4YVcGbxDYr4pFbSqsJQ6M5k0Kv5W3 + MjxvKJVl0qxhhv+FF8kLicwX9avCarpSrgH8dSNH8926ZEyAm6g9JQ== + =7bUV + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2025-05-29T13:09:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAA2McI7djN679I+L/8DY9L5j+hYHdu78KkfB/HTAWtI88L + rHathJG/yW4Vao+x/SYyhcRLY9oWblqIgausLAPLQpTN8M+2ZsVS2Q0J+OWhIsfy + 889cGno22s561YU4mrutREn+XC/QL3T01bHJw7QWCQcGQ9rD6ACTkipxmDr9aLEB + AQRFCPGxKPdj5R4ZwABR/5kXAwtYtkdDIxE9Ckx9Ex8AGb0mX+4EL14Mi/uCmmZT + +h0geY7DDu6O5EP5zn2y/jT4T1vWc5N1xsHZlL6qgFA2Bdx58UQaVVBtrGos6S82 + eIbgz1F/LtteYnAdjfeWUK6FdRh4FA5oyyVb82MzrwWk77vj2eLOhY3X6UywB4EP + HoVkgUxeKaKV620RO+nCV80ZTy+rqJrq2a/MpZGD9Ra+hKOkCt0mElayCG091mlz + tygLXwgt5ID9m3V1mJQ0f4GK6w5s+t8pK/TByXM1eToqlDsyFM/iAwbmDoehSe/r + 2Dq3fuB7f3Mqxnit8xfMRK/HGV1yDFwco2y6CggU1rhwl8gm56Pd90AEx3J+gkzP + Y6hQ5lldcHlpb2oSdI+C7UjJKySuEui2FvAYRgf2u/edcCUvrYR9zHqmanS9NCR2 + +ZCgfBHoQRPWOWzuDKo5RFmheghhYDtqpp1BUHjpR+0B27h1sWeqECMzAvnLOfLU + ZgEJAhCr45YwxmaISlsPR5Z8Dr5G4sXuuciiIX7qJnDiQZBZcaPDMIUjheb69GbX + aMW5suQMmVlCPfaqJtKrBmtpSuF0DvDALuBIQIOUD60AUewlZq4OnOabdDo4nsIZ + Oo1AY3Jhcg== + =SuqK + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 
3.10.2
diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml
new file mode 100644
index 0000000..5813e3a
--- /dev/null
+++ b/inventories/z9/host_vars/dooris.yaml
@@ -0,0 +1,15 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/z9/dooris/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files: [ ]
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "dooris.ccchh.net"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+certbot__http_01_port: 80
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: dooris.ccchh.net
+ content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 13e2cc9..afe226e 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -1,29 +1,40 @@
 all:
 hosts:
- light:
- ansible_host: light.z9.ccchh.net
- ansible_user: chaos
 authoritative-dns:
 ansible_host: authoritative-dns.z9.ccchh.net
 ansible_user: chaos
+ dooris:
+ ansible_host: 10.31.208.201
+ ansible_user: chaos
+ light:
+ ansible_host: light.z9.ccchh.net
+ ansible_user: chaos
 thinkcccore0:
 ansible_host: thinkcccore0.z9.ccchh.net
+certbot_hosts:
+ hosts:
+ dooris:
+docker_compose_hosts:
+ hosts:
+ dooris:
+foobazdmx_hosts:
+ hosts:
+ light:
 hypervisors:
 hosts:
 thinkcccore0:
+infrastructure_authorized_keys_hosts:
+ hosts:
+ dooris:
+ light:
+ authoritative-dns:
 nginx_hosts:
 hosts:
+ dooris:
 light:
 ola_hosts:
 hosts:
 light:
-foobazdmx_hosts:
- hosts:
- light:
-infrastructure_authorized_keys_hosts:
- hosts:
- light:
- authoritative-dns:
 proxmox_vm_template_hosts:
 hosts:
 thinkcccore0:
diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..b18f62e
--- /dev/null
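Review bot: In the hosts.yaml hunk, `dooris` is the only host addressed by a raw IP (`ansible_host: 10.31.208.201`) while every sibling uses a `*.z9.ccchh.net` name; if a DNS record exists for the VM, `ansible_host: dooris.z9.ccchh.net` keeps the inventory consistent and lets the SSH known-hosts entry survive a readdressing. If the host deliberately has no internal name, a one-line comment above the entry saying so (`# no z9 DNS record yet, reachable only by address`) would stop the next reader from "fixing" it.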
+++ b/resources/z9/dooris/docker_compose/compose.yaml.j2
@@ -0,0 +1,22 @@
+---
+
+services:
+ dooris:
+ image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest
+ environment:
+ HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56"
+ HMDOORIS_CCUJACK_CERTIFICATE_PATH: false
+ HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
+ HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122
+ HMDOORIS_CCUJACK_USERNAME: dooris
+ HMDOORIS_CLIENT_ID: dooris
+ HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
+ HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
+ HMDOORIS_LISTEN: '0.0.0.0:3000'
+ HMDOORIS_REQUIRES_GROUP: intern
+ HMDOORIS_URL: https://dooris.ccchh.net
+ PYTHONWARNINGS: "ignore:Unverified HTTPS request"
+ #DEBUG: true
+ ports:
+ - "127.0.0.1:3000:3000"
+ restart: unless-stopped
diff --git a/resources/z9/dooris/nginx/dooris.ccchh.net.conf b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
new file mode 100644
index 0000000..0d1baba
--- /dev/null
+++ b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
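Review bot: TLS verification toward the CCU-Jack backend looks switched off — `HMDOORIS_CCUJACK_CERTIFICATE_PATH: false` together with `PYTHONWARNINGS: "ignore:Unverified HTTPS request"` suggests the requests to `https://hmdooris-ccu.ccchh.net:2122` are made without certificate validation, so `HMDOORIS_CCUJACK_PASSWORD` goes to whoever answers on that address (the exact meaning of `false` is defined by the hmdooris image, which is not in this diff). Mounting the CCU's certificate into the container and setting `HMDOORIS_CCUJACK_CERTIFICATE_PATH: /run/ccu.pem` (or similar) would pin the peer without needing a publicly trusted certificate, and the warning filter could then go. `image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest` is unpinned; a version tag or `@sha256:` digest makes the deploy reproducible and keeps an unreviewed registry push from changing what runs at the door. Also quote the boolean-looking value (`"false"`), since YAML otherwise types it as a bool and how that reaches the process is up to the compose implementation.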
@@ -0,0 +1,34 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen [::]:443 ssl http2;
+
+ server_name dooris.ccchh.net;
+
+ ssl_certificate /etc/letsencrypt/live/dooris.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dooris.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/dooris.ccchh.net/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+ proxy_intercept_errors off;
+
+ location / {
+ proxy_pass http://127.0.0.1:3000/;
+ }
+}
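Review bot: The comment above `ssl_trusted_certificate` says it is there to verify OCSP responses, but this server block never enables `ssl_stapling on;` / `ssl_stapling_verify on;`, and the other Mozilla-intermediate settings the header comment refers to (`ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers off`, `ssl_session_cache`, `ssl_session_timeout`) are absent as well; unless the nginx role supplies them at `http` level (not visible in this diff), the vhost falls back to nginx defaults and the comment misleads. Either add the two stapling directives next to `ssl_trusted_certificate` or trim the comment to what is actually configured. Separately, `listen [::]:443 ssl http2;` is IPv6-only and there is no `listen 443 ssl;` or port-80 redirect, while the inventory addresses this host by an IPv4 address; if `dooris.ccchh.net` is meant to be reachable over IPv4, add the IPv4 listener, otherwise a comment such as `# IPv6-only on purpose` would document the choice.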