CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 0
Code Issues2 Pull requests Wiki Activity Actions

move roles, files and templates dirs out of playbook dir into root dir

Browse source 
Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the "playbooks" directory to find
the files and templates for a host.
Therefore move them out of the "playbooks" directory into the root
directory and add symlinks so everything still works.

Similarly for local roles, they also need to be next to the playbooks.
So for a nicer structure, move the "roles" directory out into the root
directory as well and add a symlink so everything still works.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
This commit is contained in:
June 2024-12-02 03:34:55 +01:00
parent 2460c31e78
commit f16f8697c2
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
147 changed files with 3 additions and 0 deletions
playbooks
files
chaosknoten
cloud/new_user_skeleton_directory
Photos
augenohrenkatze.jpgccclubhajs.jpg
README.md
configs
ccchoir/nginx
ccchoir.de.conf
grafana
docker_compose
alertmanager_alert_templates.tmplgrafana-datasource.ymlgrafana.ini.exampleprometheus.ymlprometheus_alerts.rules.yaml
nginx
grafana.hamburg.ccc.de.conf
keycloak/nginx
id.hamburg.ccc.de.confinvite.hamburg.ccc.de.confkeycloak-admin.hamburg.ccc.de.conf
lists
compose
compose.yaml
nginx
lists.c3lingo.org.conflists.hamburg.ccc.de.conf
mumble/nginx
mumble.hamburg.ccc.de.conf
onlyoffice/nginx
onlyoffice.hamburg.ccc.de.conf
pad/nginx
pad.hamburg.ccc.de.conf
pretalx/nginx
pretalx.hamburg.ccc.de.conf
public-reverse-proxy/nginx
acme_challenge.confnginx.conf
tickets/nginx
tickets.hamburg.ccc.de.conf
wiki/nginx
wiki.ccchh.net.confwiki.hamburg.ccc.de.conf
zammad/nginx
zammad.hamburg.ccc.de.conf
z9/configs/light
nginx
http_handler.conflight.conf
ola
ola-artnet.confola-dummy.confola-e131.confola-espnet.confola-ftdidmx.confola-gpio.confola-karate.confola-kinet.confola-milinst.confola-opendmx.confola-openpixelcontrol.confola-osc.confola-pathport.confola-port.confola-renard.confola-sandnet.confola-server.confola-shownet.confola-spi.confola-stageprofi.confola-uartdmx.confola-universe.confola-usbdmx.confola-usbserial.conf
roles
add_apt_repository
meta
argument_specs.yaml
tasks
main.yaml
apt_update_and_upgrade
README.md
handlers
main.yaml
tasks
main.yaml
certbot
README.md
defaults
main.yaml
meta
argument_specs.yamlmain.yaml
tasks
main.yaml
main
cert.yamlcerts.yamlinstall.yamlnew_cert_commands.yaml
templates
renewal_deploy_hook_commands.sh.j2
deploy_ssh_server_config
README.md
docs
Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_configDebian_12_cloud_2023-07-25_default_etc_ssh_sshd_config
handlers
main.yaml
tasks
main.yaml
templates
sshd_config.j2
distribution_check
README.md
meta
argument_specs.yaml
tasks
main.yaml
docker
README.md
meta
main.yaml
tasks
main.yaml
main
01_repo_setup.yaml02_docker_install.yaml
docker_compose
README.md
defaults
main.yaml
handlers
main.yaml
meta
argument_specs.yamlmain.yaml
tasks
main.yaml
dokuwiki
README.md
defaults
main.yml
files
mime.local.conf
handlers
main.yml
meta
main.yml
tasks
main.yml
templates
php-fpm-dokuwiki.conf
foobazdmx
defaults
main.yaml
handlers
main.yaml
meta
argument_specs.yamlmain.yaml
Show more

1
playbooks/files Symbolic link
View file

@ -0,0 +1 @@
../files

BIN
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/augenohrenkatze.jpg
View file

Binary file not shown.
Side by side

Before

(image error) Size: 9.7 KiB

BIN
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/ccclubhajs.jpg
View file

Binary file not shown.
Side by side

Before

(image error) Size: 1,007 KiB

10
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/README.md
View file

@ -1,10 +0,0 @@
# CCCHH Nextcloud
Willkommen auf der CCCHH Nextcloud Instanz.
Hier kannst du Dateien ablegen und teilen, Termine verwalten und vieles mehr.
Weitere Infos:
- <https://wiki.ccchh.net/infrastructure:services:cloud>
- <https://docs.nextcloud.com/server/latest/user_manual/de/>

83
playbooks/files/chaosknoten/configs/ccchoir/nginx/ccchoir.de.conf
View file

@ -1,83 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name ccchoir.de;
ssl_certificate /etc/letsencrypt/live/ccchoir.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ccchoir.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/ccchoir.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:3000/;
}
}
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name www.ccchoir.de;
ssl_certificate /etc/letsencrypt/live/www.ccchoir.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ccchoir.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/www.ccchoir.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:3000/;
}
}

35
playbooks/files/chaosknoten/configs/grafana/docker_compose/alertmanager_alert_templates.tmpl
View file

@ -1,35 +0,0 @@
{{/*
Links & Resources
- https://prometheus.io/blog/2016/03/03/custom-alertmanager-templates/
- https://prometheus.io/docs/alerting/latest/notifications/
- https://gist.github.com/jidckii/5ac5f8f20368b56de72af70222509b7b
*/}}
{{ define "alert-item.telegram.ccchh.internal" }}
<b>[{{ .Labels.alertname }}] {{ .Labels.nodename }}</b>
{{- if .Annotations.summary }}
<i>Summary</i>: {{ .Annotations.summary }}
{{- end }}
{{- if .Annotations.description }}
<i>Description</i>: {{ .Annotations.description }}
{{- end }}
<i>Labels</i>:
{{ range .Labels.SortedPairs -}}
• <i>{{ .Name }}</i>: <code>{{ .Value }}</code>
{{ end }}
{{- end }}
{{ define "alert-message.telegram.ccchh" }}
{{- if .Alerts.Firing }}
<u>🔥{{ len .Alerts.Firing }} Alert(/s) Firing 🔥</u>
{{ range .Alerts.Firing -}}
{{ template "alert-item.telegram.ccchh.internal" . }}
{{- end }}
{{- end }}
{{- if .Alerts.Resolved }}
<u>✅{{ len .Alerts.Resolved }} Alert(/s) Resolved ✅</u>
{{ range .Alerts.Resolved -}}
{{ template "alert-item.telegram.ccchh.internal" . }}
{{- end }}
{{- end }}
{{- end }}

9
playbooks/files/chaosknoten/configs/grafana/docker_compose/grafana-datasource.yml
View file

@ -1,9 +0,0 @@
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus:9090
isDefault: true
access: proxy
editable: true

1623
playbooks/files/chaosknoten/configs/grafana/docker_compose/grafana.ini.example
View file

File diff suppressed because it is too large Load diff

114
playbooks/files/chaosknoten/configs/grafana/docker_compose/prometheus.yml
View file

@ -1,114 +0,0 @@
global:
scrape_interval: 15s
scrape_timeout: 10s
evaluation_interval: 15s
alerting:
alertmanagers:
- scheme: http
timeout: 10s
static_configs:
- targets:
- "alertmanager:9093"
rule_files:
- "/etc/prometheus/rules/*.rules.yaml"
scrape_configs:
- job_name: prometheus
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- localhost:9090
- job_name: alertmanager
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- alertmanager:9093
- job_name: c3lingo
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /mumblestats/metrics
scheme: https
static_configs:
- targets:
- mumble.c3lingo.org:443
- job_name: mumble
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: https
static_configs:
- targets:
- mumble.hamburg.ccc.de:443
- job_name: opnsense-ccchh
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- 185.161.129.132:9100
- job_name: jitsi
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- jitsi.hamburg.ccc.de:9888 # Jitsi Video Bridge
- job_name: 'pve'
static_configs:
- targets:
- 212.12.48.126 # chaosknoten
metrics_path: /pve
params:
module: [ default ]
cluster: [ '1' ]
node: [ '1' ]
relabel_configs:
- source_labels: [ __address__ ]
target_label: __param_target
- source_labels: [ __param_target ]
target_label: instance
- target_label: __address__
replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- nix-box-june-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100

583
playbooks/files/chaosknoten/configs/grafana/docker_compose/prometheus_alerts.rules.yaml
View file

@ -1,583 +0,0 @@
# Links & Resources:
# - https://samber.github.io/awesome-prometheus-alerts/rules
groups:
- name: node-exporter
rules:
- alert: HostOutOfMemory
expr: (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host out of memory (instance {{ $labels.instance }})
description: "Node memory is filling up (< 10% left)\n VALUE = {{ $value }}"
- alert: HostMemoryUnderMemoryPressure
expr: (rate(node_vmstat_pgmajfault[1m]) > 1000) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host memory under memory pressure (instance {{ $labels.instance }})
description: "The node is under heavy memory pressure. High rate of major page faults\n VALUE = {{ $value }}"
# You may want to increase the alert manager 'repeat_interval' for this type of alert to daily or weekly
- alert: HostMemoryIsUnderutilized
expr: (100 - (avg_over_time(node_memory_MemAvailable_bytes[30m]) / node_memory_MemTotal_bytes * 100) < 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 1w
labels:
severity: info
annotations:
summary: Host Memory is underutilized (instance {{ $labels.instance }})
description: "Node memory is < 10% for 1 week. Consider reducing memory space. (instance {{ $labels.instance }})\n VALUE = {{ $value }}"
- alert: HostUnusualNetworkThroughputIn
expr: (sum by (instance) (rate(node_network_receive_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput in (instance {{ $labels.instance }})
description: "Host network interfaces are probably receiving too much data (> 100 MB/s)\n VALUE = {{ $value }}"
- alert: HostUnusualNetworkThroughputOut
expr: (sum by (instance) (rate(node_network_transmit_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput out (instance {{ $labels.instance }})
description: "Host network interfaces are probably sending too much data (> 100 MB/s)\n VALUE = {{ $value }}"
# Have different disk read and write rate alerts for VMs and physical machines.
- alert: VirtualHostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{ype="virtual_machine", nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker"}
for: 5m
labels:
severity: warning
annotations:
summary: Virtual host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: VirtualHostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{type="virtual_machine", nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker"}
for: 2m
labels:
severity: warning
annotations:
summary: Virtual host unusual disk write rate (instance {{ $labels.instance }})
description: "Disk is probably writing too much data (> 50 MB/s)\n VALUE = {{ $value }}"
# Some VMs are expected to have high Read / Write rates z.B. CI servers
- alert: VirtualHostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{ype="virtual_machine", nodename="forgejo-actions-runner", nodename="woodpecker"}
for: 10m
labels:
severity: warning
annotations:
summary: Virtual host unusual disk read rate for 10 min (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: VirtualHostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{type="virtual_machine", nodename="forgejo-actions-runner", nodename="woodpecker"}
for: 4m
labels:
severity: warning
annotations:
summary: Virtual host unusual disk write rate for 4 min (instance {{ $labels.instance }})
description: "Disk is probably writing too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: PhysicalHostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{type="physical_machine", nodename=~".+"}
for: 20m
labels:
severity: warning
annotations:
summary: Physical host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 100 MB/s)\n VALUE = {{ $value }}"
- alert: PhysicalHostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{type="physical_machine", nodename=~".+"}
for: 15m
labels:
severity: warning
annotations:
summary: Physical host unusual disk write rate (instance {{ $labels.instance }})
description: "Disk is probably writing too much data (> 100 MB/s)\n VALUE = {{ $value }}"
# Please add ignored mountpoints in node_exporter parameters like
# "--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/)".
# Same rule using "node_filesystem_free_bytes" will fire when disk fills for non-root users.
- alert: HostOutOfDiskSpace
expr: ((node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host out of disk space (instance {{ $labels.instance }})
description: "Disk is almost full (< 10% left)\n VALUE = {{ $value }}"
# Please add ignored mountpoints in node_exporter parameters like
# "--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/)".
# Same rule using "node_filesystem_free_bytes" will fire when disk fills for non-root users.
- alert: HostDiskWillFillIn24Hours
expr: ((node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) predict_linear(node_filesystem_avail_bytes{fstype!~"tmpfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host disk will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of space within the next 24 hours at current write rate\n VALUE = {{ $value }}"
- alert: HostOutOfInodes
expr: (node_filesystem_files_free{fstype!="msdosfs"} / node_filesystem_files{fstype!="msdosfs"} * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host out of inodes (instance {{ $labels.instance }})
description: "Disk is almost running out of available inodes (< 10% left)\n VALUE = {{ $value }}"
- alert: HostInodesWillFillIn24Hours
expr: (node_filesystem_files_free{fstype!="msdosfs"} / node_filesystem_files{fstype!="msdosfs"} * 100 < 10 and predict_linear(node_filesystem_files_free{fstype!="msdosfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly{fstype!="msdosfs"} == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host inodes will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of inodes within the next 24 hours at current write rate\n VALUE = {{ $value }}"
- alert: HostFilesystemDeviceError
expr: node_filesystem_device_error == 1
for: 2m
labels:
severity: critical
annotations:
summary: Host filesystem device error (instance {{ $labels.instance }})
description: "{{ $labels.instance }}: Device error with the {{ $labels.mountpoint }} filesystem\n VALUE = {{ $value }}"
- alert: HostUnusualDiskReadLatency
expr: (rate(node_disk_read_time_seconds_total[1m]) / rate(node_disk_reads_completed_total[1m]) > 0.1 and rate(node_disk_reads_completed_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk read latency (instance {{ $labels.instance }})
description: "Disk latency is growing (read operations > 100ms)\n VALUE = {{ $value }}"
- alert: HostUnusualDiskWriteLatency
expr: (rate(node_disk_write_time_seconds_total[1m]) / rate(node_disk_writes_completed_total[1m]) > 0.1 and rate(node_disk_writes_completed_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk write latency (instance {{ $labels.instance }})
description: "Disk latency is growing (write operations > 100ms)\n VALUE = {{ $value }}"
- alert: HostHighCpuLoad
expr: (sum by (instance) (avg by (mode, instance) (rate(node_cpu_seconds_total{mode!="idle"}[2m]))) > 0.8) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 10m
labels:
severity: warning
annotations:
summary: Host high CPU load (instance {{ $labels.instance }})
description: "CPU load is > 80%\n VALUE = {{ $value }}"
# We might want to introduce that later, tho maybe excluding hosts with one core, if possible and only for VMs?
# # You may want to increase the alert manager 'repeat_interval' for this type of alert to daily or weekly
# - alert: HostCpuIsUnderutilized
# expr: (100 - (rate(node_cpu_seconds_total{mode="idle"}[30m]) * 100) < 20) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
# for: 1w
# labels:
# severity: info
# annotations:
# summary: Host CPU is underutilized (instance {{ $labels.instance }})
# description: "CPU load is < 20% for 1 week. Consider reducing the number of CPUs.\n VALUE = {{ $value }}"
- alert: HostCpuStealNoisyNeighbor
expr: (avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU steal noisy neighbor (instance {{ $labels.instance }})
description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ $value }}"
- alert: HostCpuHighIowait
expr: (avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m])) * 100 > 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU high iowait (instance {{ $labels.instance }})
description: "CPU iowait > 10%. A high iowait means that you are disk or network bound.\n VALUE = {{ $value }}"
# Have different disk IO alerts for VMs and physical machines and for physical machines different ones for hard and other disks.
- alert: PhysicalHostUnusualHardDiskIo
expr: (rate(node_disk_io_time_seconds_total{device=~"s.+"}[1m]) > 0.75) * on(instance) group_left (nodename) node_uname_info{type="physical_machine", nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Physical host unusual hard disk IO (instance {{ $labels.instance }})
description: "Time spent in IO is too high on {{ $labels.instance }}. Check storage for issues.\n VALUE = {{ $value }}"
- alert: PhysicalHostUnusualOtherDiskIo
expr: (rate(node_disk_io_time_seconds_total{device!~"s.+"}[1m]) > 0.5) * on(instance) group_left (nodename) node_uname_info{type="physical_machine", nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Physical host unusual other (non-hard) disk IO (instance {{ $labels.instance }})
description: "Time spent in IO is too high on {{ $labels.instance }}. Check storage for issues.\n VALUE = {{ $value }}"
- alert: VirtualHostUnusualDiskIo
expr: (rate(node_disk_io_time_seconds_total[1m]) > 0.5) * on(instance) group_left (nodename) node_uname_info{type="virtual_machine", nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Virtual host unusual disk IO (instance {{ $labels.instance }})
description: "Time spent in IO is too high on {{ $labels.instance }}. Check storage for issues.\n VALUE = {{ $value }}"
# # x2 context switches is an arbitrary number.
# # The alert threshold depends on the nature of the application.
# # Please read: https://github.com/samber/awesome-prometheus-alerts/issues/58
# - alert: HostContextSwitchingHigh
# expr: (rate(node_context_switches_total[15m])/count without(mode,cpu) (node_cpu_seconds_total{mode="idle"})) / (rate(node_context_switches_total[1d])/count without(mode,cpu) (node_cpu_seconds_total{mode="idle"})) > 2
# for: 0m
# labels:
# severity: warning
# annotations:
# summary: Host context switching high (instance {{ $labels.instance }})
# description: "Context switching is growing on the node (twice the daily average during the last 15m)\n VALUE = {{ $value }}"
- alert: HostSwapIsFillingUp
expr: ((1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes)) * 100 > 80) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host swap is filling up (instance {{ $labels.instance }})
description: "Swap is filling up (>80%)\n VALUE = {{ $value }}"
- alert: HostSystemdServiceCrashed
expr: (node_systemd_unit_state{state="failed"} == 1) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: warning
annotations:
summary: Host systemd service crashed (instance {{ $labels.instance }})
description: "systemd service crashed\n VALUE = {{ $value }}"
- alert: HostPhysicalComponentTooHot
expr: ((node_hwmon_temp_celsius * ignoring(label) group_left(instance, job, node, sensor) node_hwmon_sensor_label{label!="tctl"} > 75)) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Host physical component too hot (instance {{ $labels.instance }})
description: "Physical hardware component too hot\n VALUE = {{ $value }}"
- alert: HostNodeOvertemperatureAlarm
expr: ((node_hwmon_temp_crit_alarm_celsius == 1) or (node_hwmon_temp_alarm == 1)) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: critical
annotations:
summary: Host node overtemperature alarm (instance {{ $labels.instance }})
description: "Physical node temperature alarm triggered\n VALUE = {{ $value }}"
- alert: HostRaidArrayGotInactive
expr: (node_md_state{state="inactive"} > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: critical
annotations:
summary: Host RAID array got inactive (instance {{ $labels.instance }})
description: "RAID array {{ $labels.device }} is in a degraded state due to one or more disk failures. The number of spare drives is insufficient to fix the issue automatically.\n VALUE = {{ $value }}"
- alert: HostRaidDiskFailure
expr: (node_md_disks{state="failed"} > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host RAID disk failure (instance {{ $labels.instance }})
description: "At least one device in RAID array on {{ $labels.instance }} failed. Array {{ $labels.md_device }} needs attention and possibly a disk swap\n VALUE = {{ $value }}"
- alert: HostKernelVersionDeviations
expr: (count(sum(label_replace(node_uname_info, "kernel", "$1", "release", "([0-9]+.[0-9]+.[0-9]+).*")) by (kernel)) > 1) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 6h
labels:
severity: warning
annotations:
summary: Host kernel version deviations (instance {{ $labels.instance }})
description: "Different kernel versions are running\n VALUE = {{ $value }}"
- alert: HostOomKillDetected
expr: (increase(node_vmstat_oom_kill[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: warning
annotations:
summary: Host OOM kill detected (instance {{ $labels.instance }})
description: "OOM kill detected\n VALUE = {{ $value }}"
- alert: HostEdacCorrectableErrorsDetected
expr: (increase(node_edac_correctable_errors_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: info
annotations:
summary: Host EDAC Correctable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} correctable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}"
- alert: HostEdacUncorrectableErrorsDetected
expr: (node_edac_uncorrectable_errors_total > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 0m
labels:
severity: warning
annotations:
summary: Host EDAC Uncorrectable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} uncorrectable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}"
- alert: HostNetworkReceiveErrors
expr: (rate(node_network_receive_errs_total[2m]) / rate(node_network_receive_packets_total[2m]) > 0.01) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Receive Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} receive errors in the last two minutes.\n VALUE = {{ $value }}"
- alert: HostNetworkTransmitErrors
expr: (rate(node_network_transmit_errs_total[2m]) / rate(node_network_transmit_packets_total[2m]) > 0.01) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Transmit Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} transmit errors in the last two minutes.\n VALUE = {{ $value }}"
- alert: HostNetworkBondDegraded
expr: ((node_bonding_active - node_bonding_slaves) != 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Bond Degraded (instance {{ $labels.instance }})
description: "Bond \"{{ $labels.device }}\" degraded on \"{{ $labels.instance }}\".\n VALUE = {{ $value }}"
- alert: HostConntrackLimit
expr: (node_nf_conntrack_entries / node_nf_conntrack_entries_limit > 0.8) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 5m
labels:
severity: warning
annotations:
summary: Host conntrack limit (instance {{ $labels.instance }})
description: "The number of conntrack is approaching limit\n VALUE = {{ $value }}"
- alert: HostClockSkew
expr: ((node_timex_offset_seconds > 0.05 and deriv(node_timex_offset_seconds[5m]) >= 0) or (node_timex_offset_seconds < -0.05 and deriv(node_timex_offset_seconds[5m]) <= 0)) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 10m
labels:
severity: warning
annotations:
summary: Host clock skew (instance {{ $labels.instance }})
description: "Clock skew detected. Clock is out of sync. Ensure NTP is configured correctly on this host.\n VALUE = {{ $value }}"
- alert: HostClockNotSynchronising
expr: (min_over_time(node_timex_sync_status[1m]) == 0 and node_timex_maxerror_seconds >= 16) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 2m
labels:
severity: warning
annotations:
summary: Host clock not synchronising (instance {{ $labels.instance }})
description: "Clock not synchronising. Ensure NTP is configured on this host.\n VALUE = {{ $value }}"
- alert: HostRequiresReboot
expr: (node_reboot_required > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
for: 4h
labels:
severity: info
annotations:
summary: Host requires reboot (instance {{ $labels.instance }})
description: "{{ $labels.instance }} requires a reboot.\n VALUE = {{ $value }}"
- name: prometheus
rules:
- alert: PrometheusJobMissing
expr: absent(up{job="prometheus"})
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus job missing (instance {{ $labels.instance }})
description: "A Prometheus job has disappeared\n VALUE = {{ $value }}"
- alert: PrometheusTargetMissing
expr: up == 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus target missing (instance {{ $labels.instance }})
description: "A Prometheus target has disappeared. An exporter might be crashed.\n VALUE = {{ $value }}"
- alert: PrometheusAllTargetsMissing
expr: sum by (job) (up) == 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus all targets missing (instance {{ $labels.instance }})
description: "A Prometheus job does not have living target anymore.\n VALUE = {{ $value }}"
- alert: PrometheusConfigurationReloadFailure
expr: prometheus_config_last_reload_successful != 1
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus configuration reload failure (instance {{ $labels.instance }})
description: "Prometheus configuration reload error\n VALUE = {{ $value }}"
- alert: PrometheusTooManyRestarts
expr: changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager"}[15m]) > 2
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus too many restarts (instance {{ $labels.instance }})
description: "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.\n VALUE = {{ $value }}"
- alert: PrometheusAlertmanagerJobMissing
expr: absent(up{job="alertmanager"})
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus AlertManager job missing (instance {{ $labels.instance }})
description: "A Prometheus AlertManager job has disappeared\n VALUE = {{ $value }}"
- alert: PrometheusAlertmanagerConfigurationReloadFailure
expr: alertmanager_config_last_reload_successful != 1
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus AlertManager configuration reload failure (instance {{ $labels.instance }})
description: "AlertManager configuration reload error\n VALUE = {{ $value }}"
- alert: PrometheusAlertmanagerConfigNotSynced
expr: count(count_values("config_hash", alertmanager_config_hash)) > 1
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus AlertManager config not synced (instance {{ $labels.instance }})
description: "Configurations of AlertManager cluster instances are out of sync\n VALUE = {{ $value }}"
# For testing.
# - alert: PrometheusAlertmanagerE2eDeadManSwitch
# expr: vector(1)
# for: 0m
# labels:
# severity: critical
# annotations:
# summary: Prometheus AlertManager E2E dead man switch (instance {{ $labels.instance }})
# description: "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.\n VALUE = {{ $value }}"
- alert: PrometheusNotConnectedToAlertmanager
expr: prometheus_notifications_alertmanagers_discovered < 1
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus not connected to alertmanager (instance {{ $labels.instance }})
description: "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}"
- alert: PrometheusRuleEvaluationFailures
expr: increase(prometheus_rule_evaluation_failures_total[3m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus rule evaluation failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}"
- alert: PrometheusTemplateTextExpansionFailures
expr: increase(prometheus_template_text_expansion_failures_total[3m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus template text expansion failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}"
- alert: PrometheusRuleEvaluationSlow
expr: prometheus_rule_group_last_duration_seconds > prometheus_rule_group_interval_seconds
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus rule evaluation slow (instance {{ $labels.instance }})
description: "Prometheus rule evaluation took more time than the scheduled interval. It indicates a slower storage backend access or too complex query.\n VALUE = {{ $value }}"
- alert: PrometheusNotificationsBacklog
expr: min_over_time(prometheus_notifications_queue_length[10m]) > 0
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus notifications backlog (instance {{ $labels.instance }})
description: "The Prometheus notification queue has not been empty for 10 minutes\n VALUE = {{ $value }}"
- alert: PrometheusAlertmanagerNotificationFailing
expr: rate(alertmanager_notifications_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus AlertManager notification failing (instance {{ $labels.instance }})
description: "Alertmanager is failing sending notifications\n VALUE = {{ $value }}"
- alert: PrometheusTargetEmpty
expr: prometheus_sd_discovered_targets == 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus target empty (instance {{ $labels.instance }})
description: "Prometheus has no target in service discovery\n VALUE = {{ $value }}"
- alert: PrometheusTargetScrapingSlow
expr: prometheus_target_interval_length_seconds{quantile="0.9"} / on (interval, instance, job) prometheus_target_interval_length_seconds{quantile="0.5"} > 1.05
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus target scraping slow (instance {{ $labels.instance }})
description: "Prometheus is scraping exporters slowly since it exceeded the requested interval time. Your Prometheus server is under-provisioned.\n VALUE = {{ $value }}"
- alert: PrometheusLargeScrape
expr: increase(prometheus_target_scrapes_exceeded_sample_limit_total[10m]) > 10
for: 5m
labels:
severity: warning
annotations:
summary: Prometheus large scrape (instance {{ $labels.instance }})
description: "Prometheus has many scrapes that exceed the sample limit\n VALUE = {{ $value }}"
- alert: PrometheusTargetScrapeDuplicate
expr: increase(prometheus_target_scrapes_sample_duplicate_timestamp_total[5m]) > 0
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus target scrape duplicate (instance {{ $labels.instance }})
description: "Prometheus has many samples rejected due to duplicate timestamps but different values\n VALUE = {{ $value }}"
- alert: PrometheusTsdbCheckpointCreationFailures
expr: increase(prometheus_tsdb_checkpoint_creations_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB checkpoint creation failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} checkpoint creation failures\n VALUE = {{ $value }}"
- alert: PrometheusTsdbCheckpointDeletionFailures
expr: increase(prometheus_tsdb_checkpoint_deletions_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB checkpoint deletion failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} checkpoint deletion failures\n VALUE = {{ $value }}"
- alert: PrometheusTsdbCompactionsFailed
expr: increase(prometheus_tsdb_compactions_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB compactions failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB compactions failures\n VALUE = {{ $value }}"
- alert: PrometheusTsdbHeadTruncationsFailed
expr: increase(prometheus_tsdb_head_truncations_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB head truncations failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB head truncation failures\n VALUE = {{ $value }}"
- alert: PrometheusTsdbReloadFailures
expr: increase(prometheus_tsdb_reloads_failures_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB reload failures (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB reload failures\n VALUE = {{ $value }}"
- alert: PrometheusTsdbWalCorruptions
expr: increase(prometheus_tsdb_wal_corruptions_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB WAL corruptions (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB WAL corruptions\n VALUE = {{ $value }}"
- alert: PrometheusTsdbWalTruncationsFailed
expr: increase(prometheus_tsdb_wal_truncations_failed_total[1m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: Prometheus TSDB WAL truncations failed (instance {{ $labels.instance }})
description: "Prometheus encountered {{ $value }} TSDB WAL truncation failures\n VALUE = {{ $value }}"
- alert: PrometheusTimeseriesCardinality
expr: label_replace(count by(__name__) ({__name__=~".+"}), "name", "$1", "__name__", "(.+)") > 10000
for: 0m
labels:
severity: warning
annotations:
summary: Prometheus timeseries cardinality (instance {{ $labels.instance }})
description: "The \"{{ $labels.name }}\" timeseries cardinality is getting very high: {{ $value }}\n VALUE = {{ $value }}"

43
playbooks/files/chaosknoten/configs/grafana/nginx/grafana.hamburg.ccc.de.conf
View file

@ -1,43 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name grafana.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/grafana.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grafana.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/grafana.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:3000/;
}
}

69
playbooks/files/chaosknoten/configs/keycloak/nginx/id.hamburg.ccc.de.conf
View file

@ -1,69 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name id.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/id.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/id.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
# The error seemed to occur after logging in and out and in. Maybe related
# to Keycloak logout settings, but probably not.
# See:
# https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
# Redirect a user opening any not set location on id.hamburg.ccc.de to the account management page.
location ^~ / {
return 307 https://id.hamburg.ccc.de/realms/ccchh/account/;
}
location /js/ {
proxy_pass http://127.0.0.1:8080/js/;
}
location /realms/ {
proxy_pass http://127.0.0.1:8080/realms/;
}
location /resources/ {
proxy_pass http://127.0.0.1:8080/resources/;
}
location /robots.txt {
proxy_pass http://127.0.0.1:8080/robots.txt;
}
}

54
playbooks/files/chaosknoten/configs/keycloak/nginx/invite.hamburg.ccc.de.conf
View file

@ -1,54 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name invite.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/invite.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/invite.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/invite.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
# The error seemed to occur after logging in and out and in. Maybe related
# to Keycloak logout settings, but probably not.
# See:
# https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
# Redirect a user opening any not set location on invite.hamburg.ccc.de to the account management page.
location / {
proxy_pass http://127.0.0.1:3000/;
}
}

73
playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
View file

@ -1,73 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Disable this for now.
#listen 443 ssl http2;
##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol.
listen 8444 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name keycloak-admin.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/keycloak-admin.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
allow 185.161.129.132/32; # z9
allow 2a07:c480:0:100::/56; # z9
allow 213.240.180.39/32; # stbe home
allow 2a01:170:118b::1/64; # stbe home
deny all;
location ^~ / {
return 307 https://keycloak-admin.hamburg.ccc.de/admin/master/console/;
}
location /js/ {
proxy_pass http://127.0.0.1:8080/js/;
}
location /realms/ {
proxy_pass http://127.0.0.1:8080/realms/;
}
location /resources/ {
proxy_pass http://127.0.0.1:8080/resources/;
}
location /robots.txt {
proxy_pass http://127.0.0.1:8080/robots.txt;
}
location /admin/ {
proxy_pass http://127.0.0.1:8080/admin/;
}
}

72
playbooks/files/chaosknoten/configs/lists/compose/compose.yaml
View file

@ -1,72 +0,0 @@
services:
mailman-core:
restart: unless-stopped
image: maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published)
container_name: mailman-core
hostname: mailman-core
volumes:
- /opt/mailman/core:/opt/mailman/
stop_grace_period: 30s
links:
- database:database
depends_on:
- database
environment:
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- DATABASE_TYPE=postgres
- DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- MTA=postfix
ports:
- "127.0.0.1:8001:8001" # API
- "127.0.0.1:8024:8024" # LMTP - incoming emails
networks:
mailman:
mailman-web:
restart: unless-stopped
image: maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published)
container_name: mailman-web
hostname: mailman-web
depends_on:
- database
links:
- mailman-core:mailman-core
- database:database
volumes:
- /opt/mailman/web:/opt/mailman-web-data
environment:
- DATABASE_TYPE=postgres
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
- MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
ports:
- "127.0.0.1:8000:8000" # HTTP
- "127.0.0.1:8080:8080" # uwsgi
networks:
mailman:
database:
restart: unless-stopped
environment:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
image: postgres:12-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
networks:
mailman:
networks:
mailman:
driver: bridge
ipam:
driver: default
config:
-
subnet: 172.19.199.0/24

26
playbooks/files/chaosknoten/configs/lists/nginx/lists.c3lingo.org.conf
View file

@ -1,26 +0,0 @@
server {
root /var/www/html;
server_name lists.c3lingo.org; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/lists.c3lingo.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/lists.c3lingo.org/privkey.pem; # managed by Certbot
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/lists.c3lingo.org/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
location /static {
alias /opt/mailman/web/static;
autoindex off;
}
location / {
uwsgi_pass localhost:8080;
include uwsgi_params;
uwsgi_read_timeout 300;
}
}

26
playbooks/files/chaosknoten/configs/lists/nginx/lists.hamburg.ccc.de.conf
View file

@ -1,26 +0,0 @@
server {
root /var/www/html;
server_name lists.hamburg.ccc.de; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/lists.hamburg.ccc.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/lists.hamburg.ccc.de/privkey.pem; # managed by Certbot
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/lists.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
location /static {
alias /opt/mailman/web/static;
autoindex off;
}
location / {
uwsgi_pass localhost:8080;
include uwsgi_params;
uwsgi_read_timeout 300;
}
}

28
playbooks/files/chaosknoten/configs/mumble/nginx/mumble.hamburg.ccc.de.conf
View file

@ -1,28 +0,0 @@
server {
root /var/www/html;
server_name mumble.hamburg.ccc.de; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mumble.hamburg.ccc.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mumble.hamburg.ccc.de/privkey.pem; # managed by Certbot
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/mumble.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
location /static {
alias /opt/mailman/web/static;
autoindex off;
}
location / {
return 302 https://wiki.hamburg.ccc.de/infrastructure:services:mumble;
}
location /metrics {
proxy_pass http://127.0.0.1:9123/;
}
}

37
playbooks/files/chaosknoten/configs/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
View file

@ -1,37 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name onlyoffice.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/onlyoffice.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/onlyoffice.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/onlyoffice.hamburg.ccc.de/chain.pem;
# replace with the IP address of your resolver
resolver 1.1.1.1;
location / {
proxy_set_header Host $host;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_pass http://127.0.0.1:8080/;
}
}

42
playbooks/files/chaosknoten/configs/pad/nginx/pad.hamburg.ccc.de.conf
View file

@ -1,42 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name pad.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pad.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:3000/;
}
}

50
playbooks/files/chaosknoten/configs/pretalx/nginx/pretalx.hamburg.ccc.de.conf
View file

@ -1,50 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name pretalx.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/pretalx.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pretalx.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/pretalx.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location /media {
proxy_pass http://127.0.0.1:8081/media/;
}
location /static {
proxy_pass http://127.0.0.1:8081/static/;
}
location / {
proxy_pass http://127.0.0.1:8080/;
}
}

94
playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -1,94 +0,0 @@
# Keep this sorted alphabetically, please!
map $host $upstream_acme_challenge_host {
branding-resources.hamburg.ccc.de 172.31.17.151:31820;
c3cat.de 172.31.17.151:31820;
www.c3cat.de 172.31.17.151:31820;
staging.c3cat.de 172.31.17.151:31820;
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de 172.31.17.143:31820;
element.hamburg.ccc.de 172.31.17.151:31820;
git.hamburg.ccc.de 172.31.17.154:31820;
grafana.hamburg.ccc.de 172.31.17.145:31820;
hackertours.hamburg.ccc.de 172.31.17.151:31820;
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
hamburg.ccc.de 172.31.17.151:31820;
id.hamburg.ccc.de 172.31.17.144:31820;
invite.hamburg.ccc.de 172.31.17.144:31820;
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
matrix.hamburg.ccc.de 172.31.17.150:31820;
netbox.hamburg.ccc.de 172.31.17.149:31820;
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
pad.hamburg.ccc.de 172.31.17.141:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820;
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
staging.hamburg.ccc.de 172.31.17.151:31820;
wiki.ccchh.net 172.31.17.146:31820;
wiki.hamburg.ccc.de 172.31.17.146:31820;
www.hamburg.ccc.de 172.31.17.151:31820;
tickets.hamburg.ccc.de 172.31.17.148:31820;
zammad.hamburg.ccc.de 172.31.17.152:31820;
eh03.easterhegg.eu 172.31.17.151:31820;
eh05.easterhegg.eu 172.31.17.151:31820;
eh07.easterhegg.eu 172.31.17.151:31820;
eh09.easterhegg.eu 172.31.17.151:31820;
eh11.easterhegg.eu 172.31.17.151:31820;
eh20.easterhegg.eu 172.31.17.151:31820;
www.eh20.easterhegg.eu 172.31.17.151:31820;
eh22.easterhegg.eu 172.31.17.159:31820;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
eh2003.hamburg.ccc.de 172.31.17.151:31820;
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
easterhegg2003.hamburg.ccc.de 172.31.17.151:31820;
www.easterhegg2003.hamburg.ccc.de 172.31.17.151:31820;
eh2005.hamburg.ccc.de 172.31.17.151:31820;
www.eh2005.hamburg.ccc.de 172.31.17.151:31820;
easterhegg2005.hamburg.ccc.de 172.31.17.151:31820;
www.easterhegg2005.hamburg.ccc.de 172.31.17.151:31820;
eh2007.hamburg.ccc.de 172.31.17.151:31820;
www.eh2007.hamburg.ccc.de 172.31.17.151:31820;
eh07.hamburg.ccc.de 172.31.17.151:31820;
www.eh07.hamburg.ccc.de 172.31.17.151:31820;
easterhegg2007.hamburg.ccc.de 172.31.17.151:31820;
www.easterhegg2007.hamburg.ccc.de 172.31.17.151:31820;
eh2009.hamburg.ccc.de 172.31.17.151:31820;
www.eh2009.hamburg.ccc.de 172.31.17.151:31820;
eh09.hamburg.ccc.de 172.31.17.151:31820;
www.eh09.hamburg.ccc.de 172.31.17.151:31820;
easterhegg2009.hamburg.ccc.de 172.31.17.151:31820;
www.easterhegg2009.hamburg.ccc.de 172.31.17.151:31820;
eh2011.hamburg.ccc.de 172.31.17.151:31820;
www.eh2011.hamburg.ccc.de 172.31.17.151:31820;
eh11.hamburg.ccc.de 172.31.17.151:31820;
www.eh11.hamburg.ccc.de 172.31.17.151:31820;
easterhegg2011.hamburg.ccc.de 172.31.17.151:31820;
www.easterhegg2011.hamburg.ccc.de 172.31.17.151:31820;
eh20.hamburg.ccc.de 172.31.17.151:31820;
hacker.tours 172.31.17.151:31820;
staging.hacker.tours 172.31.17.151:31820;
woodpecker.hamburg.ccc.de 172.31.17.160:31820;
design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820;
default "";
}
server {
listen 80 default_server;
resolver 212.12.50.158 192.76.134.90;
location /.well-known/acme-challenge/ {
proxy_pass http://$upstream_acme_challenge_host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is http in any case.
proxy_set_header X-Forwarded-Proto http;
}
# Better safe than sorry.
# Don't do a permanent redirect to avoid acme challenge pain (even tho 443
# still should work).
location / {
return 307 https://$host$request_uri;
}
}

128
playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf
View file

@ -1,128 +0,0 @@
# This config is based on the standard `nginx.conf` shipping with the stable
# nginx package from the NGINX mirrors as of 2023-01.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
id.hamburg.ccc.de 172.31.17.144:8443;
invite.hamburg.ccc.de 172.31.17.144:8443;
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
grafana.hamburg.ccc.de 172.31.17.145:8443;
wiki.ccchh.net 172.31.17.146:8443;
wiki.hamburg.ccc.de 172.31.17.146:8443;
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.149:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443;
element.hamburg.ccc.de 172.31.17.151:8443;
branding-resources.hamburg.ccc.de 172.31.17.151:8443;
www.hamburg.ccc.de 172.31.17.151:8443;
hamburg.ccc.de 172.31.17.151:8443;
staging.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.hamburg.ccc.de 172.31.17.151:8443;
tickets.hamburg.ccc.de 172.31.17.148:8443;
zammad.hamburg.ccc.de 172.31.17.152:8443;
c3cat.de 172.31.17.151:8443;
www.c3cat.de 172.31.17.151:8443;
staging.c3cat.de 172.31.17.151:8443;
git.hamburg.ccc.de 172.31.17.154:8443;
eh03.easterhegg.eu 172.31.17.151:8443;
eh05.easterhegg.eu 172.31.17.151:8443;
eh07.easterhegg.eu 172.31.17.151:8443;
eh09.easterhegg.eu 172.31.17.151:8443;
eh11.easterhegg.eu 172.31.17.151:8443;
eh20.easterhegg.eu 172.31.17.151:8443;
www.eh20.easterhegg.eu 172.31.17.151:8443;
eh22.easterhegg.eu 172.31.17.159:8443;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
eh2003.hamburg.ccc.de 172.31.17.151:8443;
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
easterhegg2003.hamburg.ccc.de 172.31.17.151:8443;
www.easterhegg2003.hamburg.ccc.de 172.31.17.151:8443;
eh2005.hamburg.ccc.de 172.31.17.151:8443;
www.eh2005.hamburg.ccc.de 172.31.17.151:8443;
easterhegg2005.hamburg.ccc.de 172.31.17.151:8443;
www.easterhegg2005.hamburg.ccc.de 172.31.17.151:8443;
eh2007.hamburg.ccc.de 172.31.17.151:8443;
www.eh2007.hamburg.ccc.de 172.31.17.151:8443;
eh07.hamburg.ccc.de 172.31.17.151:8443;
www.eh07.hamburg.ccc.de 172.31.17.151:8443;
easterhegg2007.hamburg.ccc.de 172.31.17.151:8443;
www.easterhegg2007.hamburg.ccc.de 172.31.17.151:8443;
eh2009.hamburg.ccc.de 172.31.17.151:8443;
www.eh2009.hamburg.ccc.de 172.31.17.151:8443;
eh09.hamburg.ccc.de 172.31.17.151:8443;
www.eh09.hamburg.ccc.de 172.31.17.151:8443;
easterhegg2009.hamburg.ccc.de 172.31.17.151:8443;
www.easterhegg2009.hamburg.ccc.de 172.31.17.151:8443;
eh2011.hamburg.ccc.de 172.31.17.151:8443;
www.eh2011.hamburg.ccc.de 172.31.17.151:8443;
eh11.hamburg.ccc.de 172.31.17.151:8443;
www.eh11.hamburg.ccc.de 172.31.17.151:8443;
easterhegg2011.hamburg.ccc.de 172.31.17.151:8443;
www.easterhegg2011.hamburg.ccc.de 172.31.17.151:8443;
eh20.hamburg.ccc.de 172.31.17.151:8443;
hacker.tours 172.31.17.151:8443;
staging.hacker.tours 172.31.17.151:8443;
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443;
}
server {
listen 0.0.0.0:443;
listen [::]:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
server {
listen 0.0.0.0:8448;
listen [::]:8448;
proxy_pass 172.31.17.150:8448;
ssl_preread on;
proxy_protocol on;
}
}
# Still have the default http block, so the `acme_challenge.conf` works.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

48
playbooks/files/chaosknoten/configs/tickets/nginx/tickets.hamburg.ccc.de.conf
View file

@ -1,48 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name tickets.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/tickets.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tickets.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/tickets.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location = / {
#return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
return 302 https://tickets.hamburg.ccc.de/hackertours/38c3/;
}
location / {
proxy_pass http://127.0.0.1:8345/;
}
}

26
playbooks/files/chaosknoten/configs/wiki/nginx/wiki.ccchh.net.conf
View file

@ -1,26 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name wiki.ccchh.net;
ssl_certificate /etc/letsencrypt/live/wiki.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/wiki.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 302 https://wiki.hamburg.ccc.de$request_uri;
}

85
playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
View file

@ -1,85 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name wiki.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/wiki.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/wiki.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# Maximum file upload size is 20MB - change accordingly if needed
# See: https://www.dokuwiki.org/faq:uploadsize
client_max_body_size 20M;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
root /var/www/dokuwiki;
index doku.php;
#Remember to comment the below out when you're installing, and uncomment it when done.
location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; }
#Support for X-Accel-Redirect
location ~ ^/data/ { internal ; }
location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ {
expires 365d;
}
location / { try_files $uri $uri/ @dokuwiki; }
location @dokuwiki {
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
try_files $uri $uri/ /doku.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:/var/run/php/php-fpm-dokuwiki.sock;
}
### Wiki-Migration redirects:
# Redirect MediaWikis Main_Page.
location = /Main_Page {
return 302 https://$host;
}
location /ChaosVPN {
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
location ~ /EH(07|09|11) {
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
location /Easter {
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
}

51
playbooks/files/chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf
View file

@ -1,51 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name zammad.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/zammad.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zammad.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/zammad.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
proxy_read_timeout 86400;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header CLIENT_IP $remote_addr;
location ~/(ticket/zoom/.*) {
return 302 https://zammad.hamburg.ccc.de/#$1;
}
location / {
proxy_pass http://127.0.0.1:8080/;
}
}

14
playbooks/files/z9/configs/light/nginx/http_handler.conf
View file

@ -1,14 +0,0 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location /.well-known/acme-challenge/ {
autoindex on;
root /webroot-for-acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}

65
playbooks/files/z9/configs/light/nginx/light.conf
View file

@ -1,65 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.z9.ccchh.net ;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
}
}

10
playbooks/files/z9/configs/light/ola/ola-artnet.conf
View file

@ -1,10 +0,0 @@
always_broadcast = false
enabled = true
ip =
long_name = OLA - ArtNet node
net = 0
output_ports = 4
short_name = OLA - ArtNet node
subnet = 0
use_limited_broadcast = false
use_loopback = false

9
playbooks/files/z9/configs/light/ola/ola-dummy.conf
View file

@ -1,9 +0,0 @@
ack_timer_count = 0
advanced_dimmer_count = 1
dimmer_count = 1
dimmer_subdevice_count = 4
dummy_device_count = 1
enabled = false
moving_light_count = 1
network_device_count = 1
sensor_device_count = 1

10
playbooks/files/z9/configs/light/ola/ola-e131.conf
View file

@ -1,10 +0,0 @@
cid = 4ff3f64a-e2de-43e5-847f-d4daad6cb63b
draft_discovery = false
dscp = 0
enabled = false
ignore_preview = true
input_ports = 5
ip =
output_ports = 5
prepend_hostname = true
revision = 0.46

3
playbooks/files/z9/configs/light/ola/ola-espnet.conf
View file

@ -1,3 +0,0 @@
enabled = false
ip =
name = ola-EspNet

2
playbooks/files/z9/configs/light/ola/ola-ftdidmx.conf
View file

@ -1,2 +0,0 @@
enabled = true
frequency = 30

5
playbooks/files/z9/configs/light/ola/ola-gpio.conf
View file

@ -1,5 +0,0 @@
enabled = false
gpio_pins =
gpio_slot_offset = 1
gpio_turn_off = 127
gpio_turn_on = 128

2
playbooks/files/z9/configs/light/ola/ola-karate.conf
View file

@ -1,2 +0,0 @@
device = /dev/kldmx0
enabled = false

2
playbooks/files/z9/configs/light/ola/ola-kinet.conf
View file

@ -1,2 +0,0 @@
enabled = false
power_supply =

2
playbooks/files/z9/configs/light/ola/ola-milinst.conf
View file

@ -1,2 +0,0 @@
device =
enabled = false

2
playbooks/files/z9/configs/light/ola/ola-opendmx.conf
View file

@ -1,2 +0,0 @@
device = /dev/dmx0
enabled = false

1
playbooks/files/z9/configs/light/ola/ola-openpixelcontrol.conf
View file

@ -1 +0,0 @@
enabled = false

19
playbooks/files/z9/configs/light/ola/ola-osc.conf
View file

@ -1,19 +0,0 @@
enabled = false
input_ports = 5
output_ports = 5
port_0_address = /dmx/universe/%d
port_0_output_format = blob
port_0_targets =
port_1_address = /dmx/universe/%d
port_1_output_format = blob
port_1_targets =
port_2_address = /dmx/universe/%d
port_2_output_format = blob
port_2_targets =
port_3_address = /dmx/universe/%d
port_3_output_format = blob
port_3_targets =
port_4_address = /dmx/universe/%d
port_4_output_format = blob
port_4_targets =
udp_listen_port = 7770

5
playbooks/files/z9/configs/light/ola/ola-pathport.conf
View file

@ -1,5 +0,0 @@
dscp = 0
enabled = false
ip =
name = ola-Pathport
node-id = 672065429

60
playbooks/files/z9/configs/light/ola/ola-port.conf
View file

@ -1,60 +0,0 @@
11-1-I-0_priority_mode = 0
11-1-I-0_priority_value = 100
11-1-I-1_priority_mode = 0
11-1-I-1_priority_value = 100
11-1-I-2_priority_mode = 0
11-1-I-2_priority_value = 100
11-1-I-3_priority_mode = 0
11-1-I-3_priority_value = 100
11-1-I-4_priority_mode = 0
11-1-I-4_priority_value = 100
11-1-O-0_priority_mode = 0
11-1-O-0_priority_value = 100
11-1-O-1_priority_mode = 0
11-1-O-1_priority_value = 100
11-1-O-2_priority_mode = 0
11-1-O-2_priority_value = 100
11-1-O-3_priority_mode = 0
11-1-O-3_priority_value = 100
11-1-O-4_priority_mode = 0
11-1-O-4_priority_value = 100
13-A60300JF-O-1 = 1
14-1-I-0_priority_value = 100
14-1-I-1_priority_value = 100
14-1-I-2_priority_value = 100
14-1-I-3_priority_value = 100
14-1-I-4_priority_value = 100
2-1-I-0 = 1
2-1-I-0_priority_value = 100
2-1-I-1_priority_value = 100
2-1-I-2_priority_value = 100
2-1-I-3_priority_value = 100
3-1-I-0_priority_value = 100
3-1-I-1_priority_value = 100
3-1-I-2_priority_value = 100
3-1-I-3_priority_value = 100
3-1-I-4_priority_value = 100
3-1-I-5_priority_value = 100
3-1-I-6_priority_value = 100
3-1-I-7_priority_value = 100
4-1-I-0_priority_value = 100
4-1-I-1_priority_value = 100
4-1-I-2_priority_value = 100
4-1-I-3_priority_value = 100
4-1-I-4_priority_value = 100
7-1-I-0_priority_value = 100
7-1-I-1_priority_value = 100
7-1-I-2_priority_value = 100
7-1-I-3_priority_value = 100
7-1-I-4_priority_value = 100
7-1-I-5_priority_value = 100
7-1-I-6_priority_value = 100
7-1-I-7_priority_value = 100
9-1-I-0_priority_value = 100
9-1-I-1_priority_value = 100
9-1-I-2_priority_value = 100
9-1-I-3_priority_value = 100
9-1-I-4_priority_value = 100
9-1-I-5_priority_value = 100
9-1-I-6_priority_value = 100
9-1-I-7_priority_value = 100

2
playbooks/files/z9/configs/light/ola/ola-renard.conf
View file

@ -1,2 +0,0 @@
device =
enabled = false

3
playbooks/files/z9/configs/light/ola/ola-sandnet.conf
View file

@ -1,3 +0,0 @@
enabled = false
ip =
name = ola-SandNet

1
playbooks/files/z9/configs/light/ola/ola-server.conf
View file

@ -1 +0,0 @@
instance-name = OLA Server

3
playbooks/files/z9/configs/light/ola/ola-shownet.conf
View file

@ -1,3 +0,0 @@
enabled = false
ip =
name = ola-ShowNet

3
playbooks/files/z9/configs/light/ola/ola-spi.conf
View file

@ -1,3 +0,0 @@
base_uid = 7a70:00000100
device_prefix = spidev
enabled = false

2
playbooks/files/z9/configs/light/ola/ola-stageprofi.conf
View file

@ -1,2 +0,0 @@
device = /dev/ttyUSB0
enabled = false

2
playbooks/files/z9/configs/light/ola/ola-uartdmx.conf
View file

@ -1,2 +0,0 @@
device = /dev/ttyACM0
enabled = false

2
playbooks/files/z9/configs/light/ola/ola-universe.conf
View file

@ -1,2 +0,0 @@
uni_1_merge = LTP
uni_1_name = Universe 1

2
playbooks/files/z9/configs/light/ola/ola-usbdmx.conf
View file

@ -1,2 +0,0 @@
enabled = false
libusb_debug_level = 0

8
playbooks/files/z9/configs/light/ola/ola-usbserial.conf
View file

@ -1,8 +0,0 @@
device_dir = /dev
device_prefix = ttyUSB
device_prefix = cu.usbserial-
device_prefix = ttyU
enabled = false
pro_fps_limit = 190
tri_use_raw_rdm = false
ultra_fps_limit = 40

1
playbooks/roles Symbolic link
View file

@ -0,0 +1 @@
../roles

25
playbooks/roles/add_apt_repository/meta/argument_specs.yaml
View file

@ -1,25 +0,0 @@
---
argument_specs:
main:
short_description: Add a 3rd party apt repository to the system
options:
add_apt_repository__https_repo:
description: The repository URL uses HTTPS
required: true
type: bool
add_apt_repository__keyring_url:
description: URL to the repository's keyring
required: false
type: str
add_apt_repository__keyring_path:
description: Path where to store the keyring
required: false
type: str
add_apt_repository__repo:
description: The apt source line
required: true
type: str
add_apt_repository__filename:
description: Filename in /etc/apt/sources.list.d/
required: true
type: str

33
playbooks/roles/add_apt_repository/tasks/main.yaml
View file

@ -1,33 +0,0 @@
---
- name: Check OS family
ansible.builtin.fail:
msg: "Can only add apt repositories on Debian-based systems!"
when: ansible_facts.os_family != "Debian"
- name: Install required apt packages for adding an apt repository
become: true
ansible.builtin.apt:
name:
- ca-certificates
- gnupg
- name: Install apt-transport-https if https repository
become: true
ansible.builtin.apt:
name: apt-transport-https
when: add_apt_repository__https_repo
- name: Add repository signing key to keychain
become: true
when: add_apt_repository__keyring_url is defined and add_apt_repository__keyring_path is defined
ansible.builtin.apt_key:
url: "{{ add_apt_repository__keyring_url }}"
keyring: "{{ add_apt_repository__keyring_path }}"
state: present
- name: Add repository and update cache
become: true
ansible.builtin.apt_repository:
repo: "{{ add_apt_repository__repo }}"
filename: "{{ add_apt_repository__filename }}"
update_cache: true

11
playbooks/roles/apt_update_and_upgrade/README.md
View file

@ -1,11 +0,0 @@
# Role `apt_update_and_upgrade`
This role does an `apt-get update`, `apt-get dist-upgrade` and a potential reboot (if packages got upgraded) on the specified hosts.
## `hosts`
The `hosts` for this role need to be the VMs, which should be updated and upgraded.
## Required Variables
This role doesn't have any required variables.

3
playbooks/roles/apt_update_and_upgrade/handlers/main.yaml
View file

@ -1,3 +0,0 @@
- name: reboot the system
become: true
ansible.builtin.reboot:

13
playbooks/roles/apt_update_and_upgrade/tasks/main.yaml
View file

@ -1,13 +0,0 @@
- name: update, upgrade and potentially reboot
become: true
block:
- name: apt-get update
ansible.builtin.apt:
update-cache: true
- name: apt-get dist-upgrade
ansible.builtin.apt:
upgrade: dist
register: apt_update_and_upgrade__upgrade_result
notify:
- reboot the system

15
playbooks/roles/certbot/README.md
View file

@ -1,15 +0,0 @@
# Role `certbot`
A role for deploying Certbot and setting up certificates using it.
Note: This role doesn't take care of deleting certificates.
Also see the following documentation for a full How-to on how to get certificates using this role in the context of our infra: <https://wiki.ccchh.net/infrastructure:zertifikate>.
## Required Arguments
For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
## `hosts`
The `hosts` for this role need to be the machines on which you want to make sure Certbot is deployed and given certificates are set up.

2
playbooks/roles/certbot/defaults/main.yaml
View file

@ -1,2 +0,0 @@
certbot__http_01_port: 31820
certbot__new_cert_commands: [ ]

36
playbooks/roles/certbot/meta/argument_specs.yaml
View file

@ -1,36 +0,0 @@
argument_specs:
main:
options:
certbot__version_spec:
description: >-
The version specification to use for installing the `certbot` package.
The provided version specification will be used like the following:
`cerbot={{ certbot__version_spec }}*`. This makes it possible to e.g.
specify until a minor version (like `1.3.`) and then have patch
versions be installed automatically (like `1.3.1` and so on).
type: str
required: true
certbot__acme_account_email_address:
description: The E-Mail address to give to certbot for the ACME account.
type: str
required: true
certbot__certificate_domains:
description: The domains for which to obtain a certificate.
type: list
elements: str
required: true
certbot__http_01_port:
description: |
The port number the bot listens on. Must be 80 if directly exposed to the internet.
Default is 31820 for the public-reverse-proxy setup.
type: str
required: false
default: 31820
certbot__new_cert_commands:
description: >-
A list of commands to execute after getting a new certificate.
Will be added into a bash script.
type: list
elements: str
required: false
default: [ ]

9
playbooks/roles/certbot/meta/main.yaml
View file

@ -1,9 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- 11
- 12

11
playbooks/roles/certbot/tasks/main.yaml
View file

@ -1,11 +0,0 @@
- name: ensure certbot installation
ansible.builtin.import_tasks:
file: main/install.yaml
- name: ensure new cert commands
ansible.builtin.import_tasks:
file: main/new_cert_commands.yaml
- name: ensure certificates
ansible.builtin.import_tasks:
file: main/certs.yaml

24
playbooks/roles/certbot/tasks/main/cert.yaml
View file

@ -1,24 +0,0 @@
- name: get expiry date before
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
ignore_errors: true
become: true
changed_when: false
register: certbot__cert_expiry_before
- name: obtain the certificate using certbot
ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
become: true
changed_when: false
- name: get expiry date after
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
become: true
changed_when: false
register: certbot__cert_expiry_after
# Doesn't work anymore. Dunno why.
# TODO: Fix
# - name: potentially report changed
# ansible.builtin.debug:
# msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
# changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout

4
playbooks/roles/certbot/tasks/main/certs.yaml
View file

@ -1,4 +0,0 @@
- name: obtain certificates
loop: "{{ certbot__certificate_domains }}"
ansible.builtin.include_tasks:
file: main/cert.yaml

19
playbooks/roles/certbot/tasks/main/install.yaml
View file

@ -1,19 +0,0 @@
- name: make sure the `openssl` package is installed
ansible.builtin.apt:
name: openssl
state: present
become: true
- name: make sure the `certbot` package is installed
ansible.builtin.apt:
name: certbot={{ certbot__version_spec }}*
state: present
allow_change_held_packages: true
update_cache: true
become: true
- name: apt-mark hold `certbot`
ansible.builtin.dpkg_selections:
name: certbot
selection: hold
become: true

17
playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
View file

@ -1,17 +0,0 @@
- name: ensure existence of renewal deploy hooks directory
ansible.builtin.file:
path: /etc/letsencrypt/renewal-hooks/deploy
state: directory
owner: root
group: root
mode: "0755"
become: true
- name: ensure renewal deploy hook commands
ansible.builtin.template:
src: renewal_deploy_hook_commands.sh.j2
dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
owner: root
group: root
mode: "0770"
become: true

4
playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2
View file

@ -1,4 +0,0 @@
#!/bin/bash
{% for command in certbot__new_cert_commands %}
{{ command }}
{% endfor %}

17
playbooks/roles/deploy_ssh_server_config/README.md
View file

@ -1,17 +0,0 @@
# Role `deploy_ssh_server_config`
This role deploys an SSH server config on the specified hosts.
## `hosts`
The `hosts` for this role need to be the machines, for which you want to deploy an SSH server config.
## Required Variables
This role doesn't have nay required variables.
## Links & Resources
- <https://infosec.mozilla.org/guidelines/openssh>
- Also see [Debian 11 cloud 2023-04-21 default /etc/ssh/sshd_config](docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config).
- Also see [Debian 12 cloud 2023-07-25 default /etc/ssh/sshd_config](docs/Debian_12_cloud_2023-07-25_default_etc_ssh_sshd_config).

124
playbooks/roles/deploy_ssh_server_config/docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config
View file

@ -1,124 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
ClientAliveInterval 120

123
playbooks/roles/deploy_ssh_server_config/docs/Debian_12_cloud_2023-07-25_default_etc_ssh_sshd_config
View file

@ -1,123 +0,0 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
ClientAliveInterval 120

3
playbooks/roles/deploy_ssh_server_config/handlers/main.yaml
View file

@ -1,3 +0,0 @@
- name: reboot the system
become: true
ansible.builtin.reboot:

36
playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
View file

@ -1,36 +0,0 @@
# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
- name: deploy SSH server config
become: true
block:
- name: deploy `sshd_config`
ansible.builtin.template:
force: true
dest: /etc/ssh/sshd_config
mode: "0644"
owner: root
group: root
src: sshd_config.j2
notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
- name: deactivate short moduli
ansible.builtin.shell:
executable: /bin/bash
cmd: |
set -eo pipefail
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
rm /etc/ssh/moduli.tmp
else
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
echo "ansible-changed: changed /etc/ssh/moduli"
fi
register: result
changed_when:
- '"ansible-changed" in result.stdout'
notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system

97
playbooks/roles/deploy_ssh_server_config/templates/sshd_config.j2
View file

@ -1,97 +0,0 @@
# This is the sshd server system-wide configuration file deployed and managed by
# Ansible.
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
# information.
# This config doesn't set all options and leaves some to the sshd defaults.
# The sshd defaults should be alright, so this config is only really setting
# options in cases where we want to intentionally have an option a certain way
# for some reason or another. For example for hardening, improved loggin, etc.
## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
## guidelines.
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
## Authentication Settings.
# Require only "publickey" for authentication.
# From Mozillas Modern guidelines.
AuthenticationMethods publickey
# Enable "PubkeyAuthentication" accordingly.
PubkeyAuthentication yes
# Don't do the other authentication types.
PasswordAuthentication no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
KbdInteractiveAuthentication no
{% else %}
ChallengeResponseAuthentication no
{% endif %}
KerberosAuthentication no
GSSAPIAuthentication no
# Don't allow root login.
PermitRootLogin no
{# If on Debian 12, use the new keyword (KbdInteractiveAuthentication instead of ChallengeResponseAuthentication). #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
# Set this to "yes", but have "PasswordAuthentication" and
# "KbdInteractiveAuthentication" set to "no", to have account and session checks
# run.
{% else %}
# Set this to "yes", but have "PasswordAuthentication" and
# "ChallengeResponseAuthentication" set to "no", to have account and session
# checks run.
{% endif %}
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
# information.
UsePAM yes
## Miscellaneous Settings.
# X11 forwarding shouldn't be needed.
X11Forwarding no
# Printing this isn't needed.
PrintMotd no
# Print time and date of last login, since that's nice.
PrintLastLog yes
# Disable general environment processing.
PermitUserEnvironment no
# Allow client to pass locale environment variables.
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
AcceptEnv LANG LC_*
# Request response from client after 120 seconds of no communication.
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
ClientAliveInterval 120
## Logging
# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
# This is needed for a clear audit track.
# From Mozillas Modern guidelines.
LogLevel VERBOSE
# Enable the sftp subsystem and log properly.
# From Mozillas Modern guidelines and
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

13
playbooks/roles/distribution_check/README.md
View file

@ -1,13 +0,0 @@
# Role `distribution_check`
This role checks if the distribution of the hosts is supported (part of the provided distribution support spec.) and fails if it's not.
If a hosts distribution and either an accompanying distribution version, major version or release is supported, the role doesn't fail for the host in question.
## Required Arguments
For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
## `hosts`
The `hosts` for this role need to be the machines for which you want to make sure their distribution is supported.

28
playbooks/roles/distribution_check/meta/argument_specs.yaml
View file

@ -1,28 +0,0 @@
argument_specs:
main:
options:
distribution_check__distribution_support_spec:
description: A spec specifying the supported distribution.
type: list
elements: dict
required: true
options:
name:
description: The name of the supported distribution.
type: str
required: true
versions:
description: The supported versions of the supported distribution.
type: list
elements: str
required: false
major_versions:
description: The supported major versions of the supported distribution.
type: list
elements: str
required: false
releases:
description: The supported releases of the supported distribution.
type: list
elements: str
required: false

53
playbooks/roles/distribution_check/tasks/main.yaml
View file

@ -1,53 +0,0 @@
- name: set fact holding list of supported distribution names
ansible.builtin.set_fact:
distribution_check__supported_distribution_names: "{{ distribution_check__distribution_support_spec
| community.general.json_query('[].name') }}"
- name: fail on unsupported distribution (name)
ansible.builtin.fail:
msg: The hosts distribution (name) isn't supported.
when: ansible_facts['distribution'] not in distribution_check__supported_distribution_names
- name: set facts for holding lists of supported distribution versions, major versions and releases
block:
- name: set fact holding list of supported distribution versions
ansible.builtin.set_fact:
distribution_check__supported_distribution_versions: "{{ distribution_check__distribution_support_spec
| community.general.json_query(distribution_check__supported_distribution_versions_query) }}"
vars:
distribution_check__supported_distribution_versions_query: "[?name=='{{ ansible_facts['distribution'] }}'].versions | [].to_string(@)"
- name: set fact holding list of supported distribution major versions
ansible.builtin.set_fact:
distribution_check__supported_distribution_major_versions: "{{ distribution_check__distribution_support_spec
| community.general.json_query(distribution_check__supported_distribution_major_versions_query) }}"
vars:
distribution_check__supported_distribution_major_versions_query: "[?name=='{{ ansible_facts['distribution'] }}'].major_versions | [].to_string(@)"
- name: set fact holding list of supported distribution releases
ansible.builtin.set_fact:
distribution_check__supported_distribution_releases: "{{ distribution_check__distribution_support_spec
| community.general.json_query(distribution_check__supported_distribution_releases_query) }}"
vars:
distribution_check__supported_distribution_releases_query: "[?name=='{{ ansible_facts['distribution'] }}'].releases | [].to_string(@)"
- name: check for distribution version, major version and release support
block:
- name: set fact on whether the distribution version is supported
ansible.builtin.set_fact:
distribution_check__distribution_version_supported: "{{ ansible_facts['distribution_version'] in distribution_check__supported_distribution_versions }}"
- name: set fact on whether the distribution major version is supported
ansible.builtin.set_fact:
distribution_check__distribution_major_version_supported: "{{ ansible_facts['distribution_major_version'] in distribution_check__supported_distribution_major_versions }}" # noqa: yaml[line-length]
- name: set fact on whether the distribution release is supported
ansible.builtin.set_fact:
distribution_check__distribution_release_supported: "{{ ansible_facts['distribution_release'] in distribution_check__supported_distribution_releases }}"
- name: fail, if neither the distributions version, major version or release is supported
ansible.builtin.fail:
msg: Neither the hosts distribution version, major version or release is supported.
when: not (distribution_check__distribution_version_supported
or distribution_check__distribution_major_version_supported
or distribution_check__distribution_release_supported)

27
playbooks/roles/docker/README.md
View file

@ -1,27 +0,0 @@
# Role `docker`
Makes sure Docker Engine and other related packages are installed from the Docker repos on the specified hosts.
For details see: [`tasks/main/02_docker_install.yaml`](./tasks/main/02_docker_install.yaml).
## Supported Distributions
The following distributions are supported:
- Debian 11
## Required Arguments
None.
## Updates
This role doesn't handle updates.
However it uses the system package manager for installing Docker Engine and the other related packages, so when you're making sure the system packages are up-to-date, you're handling updates for the packages installed by this role as well.
## `hosts`
The `hosts` for this role need to be the machines for which you want to make sure Docker Engine and other related packages are installed from the Docker repos.
## Links & Resources
- <https://docs.docker.com/engine/install/debian/>

9
playbooks/roles/docker/meta/main.yaml
View file

@ -1,9 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- 11
- 12

7
playbooks/roles/docker/tasks/main.yaml
View file

@ -1,7 +0,0 @@
- name: make sure the Docker repo is setup
ansible.builtin.import_tasks:
file: main/01_repo_setup.yaml
- name: make sure Docker Engine and other related packages are installed
ansible.builtin.import_tasks:
file: main/02_docker_install.yaml

15
playbooks/roles/docker/tasks/main/01_repo_setup.yaml
View file

@ -1,15 +0,0 @@
- name: make sure Dockers GPG key is added
ansible.builtin.get_url:
url: https://download.docker.com/linux/debian/gpg
dest: /etc/apt/trusted.gpg.d/docker.asc
mode: "0644"
owner: root
group: root
become: true
- name: make sure Dockers APT repository is added
ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
filename: docker
state: present
become: true

11
playbooks/roles/docker/tasks/main/02_docker_install.yaml
View file

@ -1,11 +0,0 @@
- name: make sure Docker Engine and other related packages are installed
ansible.builtin.apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update_cache: true
become: true

34
playbooks/roles/docker_compose/README.md
View file

@ -1,34 +0,0 @@
# Role `docker_compose`
A role for deploying a Docker-Compose-based application.
It deploys the given Compose file as well as configuration files to the specified hosts and makes sure all services are up-to-date and running.
The Compose file gets deployed to `/ansible_docker_compose/compose.yaml` and the configuration files get deployed into the `/ansible_docker_compose/configs/` directory.
A use case for the deployment of the additional configuration files is Composes top-level element `configs` in conjunction with the `configs` option for services.
## Supported Distributions
The following distributions are supported:
- Debian 11
## Required Arguments
For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
## `hosts`
The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running.
## Links & Resources
- <https://docs.docker.com/compose/>
- <https://docs.docker.com/compose/compose-v2/>
- <https://docs.docker.com/compose/production/>
- <https://docs.docker.com/compose/startup-order/>
- <https://docs.docker.com/compose/compose-file/>
- <https://docs.docker.com/compose/compose-file/03-compose-file/>
- <https://docs.docker.com/compose/compose-file/08-configs/>
- <https://docs.docker.com/compose/compose-file/05-services/#configs>
- <https://docs.docker.com/engine/reference/commandline/compose_up/>
- <https://docs.docker.com/engine/reference/commandline/compose_ps/>
- <https://docs.docker.com/engine/reference/commandline/compose_down/>

1
playbooks/roles/docker_compose/defaults/main.yaml
View file

@ -1 +0,0 @@
docker_compose__configuration_files: [ ]

6
playbooks/roles/docker_compose/handlers/main.yaml
View file

@ -1,6 +0,0 @@
- name: docker compose down
ansible.builtin.command:
cmd: /usr/bin/docker compose down
chdir: /ansible_docker_compose
become: true
changed_when: true # This is always changed.

26
playbooks/roles/docker_compose/meta/argument_specs.yaml
View file

@ -1,26 +0,0 @@
argument_specs:
main:
options:
docker_compose__compose_file_content:
description: >-
The content of the Compose file at
`/ansible_docker_compose/compose.yaml`.
type: str
required: true
docker_compose__configuration_files:
description: >-
A list of configuration files to be deployed in the
`/ansible_docker_compose/configs/` directory.
type: list
elements: dict
required: false
default: [ ]
options:
name:
description: The name of the configuration file.
type: str
required: true
content:
description: The content of the configuration file.
type: str
required: true

10
playbooks/roles/docker_compose/meta/main.yaml
View file

@ -1,10 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- 11
- 12
- role: docker

121
playbooks/roles/docker_compose/tasks/main.yaml
View file

@ -1,121 +0,0 @@
- name: make sure the `/ansible_docker_compose` directory exists
ansible.builtin.file:
path: /ansible_docker_compose
state: directory
mode: "0755"
owner: root
group: root
become: true
- name: deploy the Compose file
ansible.builtin.copy:
content: "{{ docker_compose__compose_file_content }}"
dest: /ansible_docker_compose/compose.yaml
mode: "0644"
owner: root
group: root
become: true
notify: docker compose down
- name: make sure the `/ansible_docker_compose/configs` directory exists
ansible.builtin.file:
path: /ansible_docker_compose/configs
state: directory
mode: "0755"
owner: root
group: root
become: true
- name: set `docker_compose__config_files_to_exist` fact initially to an empty list
ansible.builtin.set_fact:
docker_compose__config_files_to_exist: [ ]
- name: add names from `docker_compose__configuration_files` to `docker_compose__config_files_to_exist` fact
ansible.builtin.set_fact:
docker_compose__config_files_to_exist: "{{ docker_compose__config_files_to_exist + [ item.name ] }}" # noqa: jinja[spacing]
loop: "{{ docker_compose__configuration_files }}"
- name: find configuration files to remove
ansible.builtin.find:
paths: /ansible_docker_compose/configs/
recurse: false
excludes: "{{ docker_compose__config_files_to_exist }}"
register: docker_compose__config_files_to_remove
- name: remove all configuration files, which should be removed
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
become: true
loop: "{{ docker_compose__config_files_to_remove.files }}"
# notify: docker compose down
- name: make sure all given configuration files are deployed
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "/ansible_docker_compose/configs/{{ item.name }}"
mode: "0644"
owner: root
group: root
become: true
loop: "{{ docker_compose__configuration_files }}"
# notify: docker compose down
- name: Flush handlers to make "docker compose down" handler run now
ansible.builtin.meta: flush_handlers
- name: docker compose ps --format json before docker compose up
ansible.builtin.command:
cmd: /usr/bin/docker compose ps --format json
chdir: /ansible_docker_compose
become: true
changed_when: false
register: docker_compose__ps_json_before_up
- name: docker compose up --detach --pull always --build
ansible.builtin.command:
cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans
chdir: /ansible_docker_compose
become: true
changed_when: false
# The changed for this task is tried to be determined by the "potentially
# report changed" task together with the "docker compose ps --format json
# [...]" tasks.
- name: docker compose ps --format json after docker compose up
ansible.builtin.command:
cmd: /usr/bin/docker compose ps --format json
chdir: /ansible_docker_compose
become: true
changed_when: false
register: docker_compose__ps_json_after_up
# Doesn't work anymore. Dunno why.
# TODO: Fix
# - name: potentially report changed
# ansible.builtin.debug:
# msg: "If this reports changed, then the docker compose containers changed."
# changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort)
# != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort)
- name: Make sure anacron is installed
become: true
ansible.builtin.package:
name: anacron
state: present
- name: Install automatic update cron job
become: true
ansible.builtin.cron:
name: 'docker compose auto update'
minute: "0"
hour: "5"
job: "cd /ansible_docker_compose; docker compose pull && docker compose up -d"
- name: Install automatic cleanup cron job
become: true
ansible.builtin.cron:
name: 'docker compose auto update'
minute: "23"
hour: "4"
job: "docker system prune -a -f"

49
playbooks/roles/dokuwiki/README.md
View file

@ -1,49 +0,0 @@
# Role `dokuwiki`
Makes sure that all required packages for a [DokuWiki](https://www.dokuwiki.org/dokuwiki) powered by php-fpm are installed.
The DokuWiki tarball has to be unpacked to `/var/www/dokuwiki` (see variable below) manually afterwards.
Please download it from https://download.dokuwiki.org.
## Supported Distributions
The following distributions are supported:
- Debian 11
## Required Arguments
None.
## Optional Argument
- `dokuwiki__installpath`: Where your DokiWiki lives, default `/var/www/dokuwiki`
- `dokuwiki__php_version`: Your PHP version, default `7.4`
- `dokuwiki__php_user`: User of your php-fpm process, default `www-data`
- `dokuwiki__nginx_user`: User of your nginx process, default `nginx`
## nginx Configuration
This role does not configure your nginx server.
Please take a look at https://www.dokuwiki.org/install:nginx for a starting point.
This role expects to work with our `nginx` role, which installs nginx from nginx's repo instead of Debian's package.
This means, that nginx will not run as the `www-data`, which is used by php-fpm.
So your `server` directive in the nginx configuration needs to use:
```conf
root /var/www/dokuwiki;
[...]
location ~ \.php$ {
[...]
fastcgi_pass unix:/var/run/php/php-fpm-dokuwiki.sock;
}
```
## Updates
This role doesn't handle updates.
Please use the updater from Dokuwiki's admin interface to install updates.

5
playbooks/roles/dokuwiki/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
dokuwiki__installpath: "/var/www/dokuwiki"
dokuwiki__php_version: "7.4"
dokuwiki__php_user: "www-data"
dokuwiki__nginx_user: "nginx"

5
playbooks/roles/dokuwiki/files/mime.local.conf
View file

@ -1,5 +0,0 @@
# See here: https://www.dokuwiki.org/mime
# Allow stl files.
stl !model/stl
asc application/pgp-keys

5
playbooks/roles/dokuwiki/handlers/main.yml
View file

@ -1,5 +0,0 @@
- name: Restart php-fpm
become: true
ansible.builtin.systemd:
name: "php{{ dokuwiki__php_version }}-fpm.service"
state: restarted

8
playbooks/roles/dokuwiki/meta/main.yml
View file

@ -1,8 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
versions:
- 11

44
playbooks/roles/dokuwiki/tasks/main.yml
View file

@ -1,44 +0,0 @@
- name: Install php-fpm
become: true
ansible.builtin.apt:
name:
- php-fpm
- php-xml
- php-mbstring
- php-zip
- php-intl
- php-gd
- php-sqlite3
diff: false
- name: Ensure `php-fpm` is enabled
become: true
ansible.builtin.systemd:
service: "php{{ dokuwiki__php_version }}-fpm.service"
enabled: true
- name: Create custom php-fpm pool
become: true
ansible.builtin.template:
src: "{{ role_path }}/templates/php-fpm-dokuwiki.conf"
dest: "/etc/php/{{ dokuwiki__php_version }}/fpm/pool.d/dokuwiki.conf"
mode: "0755"
notify: Restart php-fpm
- name: Create `/var/www` directory
become: true
ansible.builtin.file:
path: /var/www
state: directory
owner: "{{ dokuwiki__nginx_user }}"
group: "{{ dokuwiki__nginx_user }}"
mode: "0755"
- name: Allow more mime types to be uploaded
become: true
ansible.builtin.copy:
src: mime.local.conf
dest: /var/www/dokuwiki/conf/mime.local.conf
owner: root
group: root
mode: "0644"

15
playbooks/roles/dokuwiki/templates/php-fpm-dokuwiki.conf
View file

@ -1,15 +0,0 @@
[dokuwiki]
user = {{ dokuwiki__php_user }}
group = {{ dokuwiki__php_user }}
listen = /var/run/php/php-fpm-dokuwiki.sock
listen.owner = {{ dokuwiki__nginx_user }}
listen.group = {{ dokuwiki__nginx_user }}
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = on
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.process_idle_timeout = 10s

1
playbooks/roles/foobazdmx/defaults/main.yaml
View file

@ -1 +0,0 @@
foobazdmx_version: main

6
playbooks/roles/foobazdmx/handlers/main.yaml
View file

@ -1,6 +0,0 @@
- name: Restart foobazdmx
become: true
ansible.builtin.systemd:
service: foobazdmx.service
state: restarted
daemon-reload: true

16
playbooks/roles/foobazdmx/meta/argument_specs.yaml
View file

@ -1,16 +0,0 @@
---
argument_specs:
main:
options:
foobazdmx_version:
description: git branch, tag, or commit to check out from the foobazdmx repo
type: str
default: main
foobazdmx_repo_url:
description: git repo to pull foobazdmx from
type: str
required: true
foobazdmx__art_net_host:
description: IP oder hostname of the Art-Net server
type: str
required: true

8
playbooks/roles/foobazdmx/meta/main.yaml
View file

@ -1,8 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"

Some files were not shown because too many files have changed in this diff Show more