reorganize (config) files and templates into one "resources" dir

This groups the files and templates for each host together and therefore
makes it easier to see all the (config) files for a host.

Also clean up incorrect, unused docker_compose config for mumble and
clean up unused engelsystem configs.

resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2

@@ -0,0 +1,124 @@
+## Secrets:
+#
+# Secrets should be provided via the relevant `x_secrets.env` files to the
+# containers. Options to be set are documented by commented out environment
+# variables.
+#
+## Links & Resources:
+#
+# https://www.keycloak.org/
+# https://www.keycloak.org/documentation
+# https://www.keycloak.org/getting-started/getting-started-docker
+# https://www.keycloak.org/server/configuration
+# https://www.keycloak.org/server/containers
+# https://www.keycloak.org/server/configuration-production
+# https://www.keycloak.org/server/db
+# https://hub.docker.com/_/postgres
+# https://github.com/docker-library/docs/blob/master/postgres/README.md
+# https://www.keycloak.org/server/hostname
+# https://www.keycloak.org/server/reverseproxy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+# https://www.keycloak.org/server/all-config
+
+services:
+  keycloak:
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.0
+    pull_policy: always
+    restart: unless-stopped
+    command: start --optimized
+    depends_on:
+      - db
+    networks:
+      - keycloak
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
+      KC_DB: postgres
+      KC_DB_URL_HOST: db
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
+      KC_HOSTNAME: https://id.hamburg.ccc.de
+      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: false
+      KC_HOSTNAME_ADMIN: https://keycloak-admin.hamburg.ccc.de
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
+    ports:
+      - "8080:8080"
+
+  db:
+    image: postgres:15.2
+    restart: unless-stopped
+    networks:
+      - keycloak
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
+      POSTGRES_DB: keycloak
+
+  id-invite-web:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: web
+    restart: unless-stopped
+    networks:
+      - web
+      - email
+      - keycloak
+    ports:
+      - 3000:3000
+    environment:
+      - "APP_EMAIL_BASE_URI=http://id-invite-email:3000"
+      - "APP_KEYCLOAK_BASE_URI=http://id-invite-keycloak:3000"
+      - "BOTTLE_HOST=0.0.0.0"
+      - "BOTTLE_URL_SCHEME=https"
+      - "IDINVITE_INVITE_REQUIRES_GROUP=id_invite"
+      - "IDINVITE_URL=https://invite.hamburg.ccc.de"
+      - "IDINVITE_KEYCLOAK_NAME=CCCHH ID"
+      - "IDINVITE_VALID_HOURS=50"
+      - "IDINVITE_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_TOKEN_SECRET", create=false, missing="error") }}"
+      - "IDINVITE_DISCOVERY_URL=https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration"
+      - "IDINVITE_CLIENT_ID=id-invite"
+      - "IDINVITE_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_CLIENT_SECRET", create=false, missing="error") }}"
+      - "MAIL_FROM=no-reply@hamburg.ccc.de"
+      - "BOTTLE_HOST=0.0.0.0"
+
+  id-invite-email:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: email
+    restart: unless-stopped
+    networks:
+      - email
+      - web
+    environment:
+      - "BOTTLE_HOST=0.0.0.0"
+      - "IDINVITE_KEYCLOAK_NAME=CCCHH ID"
+      - "MAIL_FROM=no-reply@id.hamburg.ccc.de"
+      - "SMTP_HOSTNAME=cow.hamburg.ccc.de"
+      - "SMTP_USERNAME=no-reply@id.hamburg.ccc.de"
+      - "SMTP_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/NO_REPLY_SMTP", create=false, missing="error") }}"
+
+  id-invite-keycloak:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: keycloak
+    restart: unless-stopped
+    networks:
+      - keycloak
+    environment:
+      - "BOTTLE_HOST=0.0.0.0"
+      - "IDINVITE_CLIENT_ID=id-invite"
+      - "IDINVITE_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_CLIENT_SECRET", create=false, missing="error") }}"
+      - "KEYCLOAK_API_URL=http://keycloak:8080"
+      - "KEYCLOAK_API_USERNAME=id-invite"
+      - "KEYCLOAK_API_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_ADMIN_PASSWORD", create=false, missing="error") }}"
+      - "KEYCLOAK_API_REALM=ccchh"
+      - 'KEYCLOAK_GROUPS=["user"]'
+
+
+
+networks:
+  keycloak:
+    external: false
+  web:
+  email:
+    external: false

resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf

@@ -0,0 +1,69 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 172.31.17.140;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name id.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/id.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+    # The error seemed to occur after logging in and out and in. Maybe related
+    # to Keycloak logout settings, but probably not.
+    # See:
+    # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+    # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+    proxy_buffer_size 128k;
+    proxy_buffers 8 128k;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    # Redirect a user opening any not set location on id.hamburg.ccc.de to the account management page.
+    location ^~ / {
+        return 307 https://id.hamburg.ccc.de/realms/ccchh/account/;
+    }
+
+    location /js/ {
+        proxy_pass http://127.0.0.1:8080/js/;
+    }
+
+    location /realms/ {
+        proxy_pass http://127.0.0.1:8080/realms/;
+    }
+
+    location /resources/ {
+        proxy_pass http://127.0.0.1:8080/resources/;
+    }
+
+    location /robots.txt {
+        proxy_pass http://127.0.0.1:8080/robots.txt;
+    }
+}

resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf

@@ -0,0 +1,54 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 172.31.17.140;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name invite.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/invite.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/invite.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/invite.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+    # The error seemed to occur after logging in and out and in. Maybe related
+    # to Keycloak logout settings, but probably not.
+    # See:
+    # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+    # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+    proxy_buffer_size 128k;
+    proxy_buffers 8 128k;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    # Redirect a user opening any not set location on invite.hamburg.ccc.de to the account management page.
+
+    location / {
+        proxy_pass http://127.0.0.1:3000/;
+    }
+}

resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf

@@ -0,0 +1,73 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+    # Disable this for now.
+    #listen 443 ssl http2;
+    ##listen [::]:443 ssl http2;
+
+    # Listen on a custom port for the proxy protocol.
+    listen 8444 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 172.31.17.140;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name keycloak-admin.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    allow 185.161.129.132/32; # z9
+    allow 2a07:c480:0:100::/56; # z9
+    allow 213.240.180.39/32; # stbe home
+    allow 2a01:170:118b::1/64; # stbe home
+    deny all;
+
+    location ^~ / {
+        return 307 https://keycloak-admin.hamburg.ccc.de/admin/master/console/;
+    }
+
+    location /js/ {
+        proxy_pass http://127.0.0.1:8080/js/;
+    }
+
+    location /realms/ {
+        proxy_pass http://127.0.0.1:8080/realms/;
+    }
+
+    location /resources/ {
+        proxy_pass http://127.0.0.1:8080/resources/;
+    }
+
+    location /robots.txt {
+        proxy_pass http://127.0.0.1:8080/robots.txt;
+    }
+
+    location /admin/ {
+        proxy_pass http://127.0.0.1:8080/admin/;
+    }
+}