move roles, files and templates dirs out of playbook dir into root dir

Because of how Ansible local relative search paths work, the global "files" and "templates" directories need to be next to the playbooks. However its not intuitive to look into the "playbooks" directory to find the files and templates for a host. Therefore move them out of the "playbooks" directory into the root directory and add symlinks so everything still works. Similarly for local roles, they also need to be next to the playbooks. So for a nicer structure, move the "roles" directory out into the root directory as well and add a symlink so everything still works. Also see: https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
2024-12-02 03:34:55 +01:00 · 2024-12-02 03:34:55 +01:00 · f16f8697c2
commit f16f8697c2
parent 2460c31e78
147 changed files with 3 additions and 0 deletions
--- a/templates/chaosknoten/configs/ccchoir/compose.yaml.j2
+++ b/templates/chaosknoten/configs/ccchoir/compose.yaml.j2
@ -0,0 +1,45 @@
+---
+# see https://github.com/hedgedoc/container/blob/master/docker-compose.yml
+
+services:
+  database:
+    image: docker.io/library/mariadb:11
+    environment:
+      - "MARIADB_DATABASE=wordpress"
+      - "MARIADB_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/ccchoir/DB_ROOT_PASSWORD", create=false, missing="error") }}"
+      - "MARIADB_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/ccchoir/DB_PASSWORD", create=false, missing="error") }}"
+      - "MARIADB_USER=wordpress"
+      - "MARIADB_AUTO_UPGRADE=yes"
+    volumes:
+      - database:/var/lib/mysql
+    networks:
+      backend:
+    restart: unless-stopped
+
+  app:
+    image: docker.io/library/wordpress:6-php8.1
+    environment:
+      - "WORDPRESS_DB_HOST=database"
+      - "WORDPRESS_DB_NAME=wordpress"
+      - "WORDPRESS_DB_USER=wordpress"
+      - "WORDPRESS_TABLE_PREFIX=wp_"
+      - "WORDPRESS_DB_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/ccchoir/DB_PASSWORD", create=false, missing="error") }}"
+    volumes:
+      - wordpress:/var/www/html/wp-content
+    ports:
+      - "127.0.0.1:3000:80"
+    networks:
+      backend:
+      frontend:
+    restart: unless-stopped
+    depends_on:
+      - database
+
+volumes:
+  database: {}
+  wordpress: {}
+
+networks:
+  backend:
+    internal: true
+  frontend:
--- a/templates/chaosknoten/configs/cloud/config.php.j2
+++ b/templates/chaosknoten/configs/cloud/config.php.j2
@ -0,0 +1,98 @@
+<?php
+$CONFIG = array (
+  'memcache.local' => '\\OC\\Memcache\\APCu',
+  'apps_paths' => 
+  array (
+    0 => 
+    array (
+      'path' => '/var/www/html/apps',
+      'url' => '/apps',
+      'writable' => false,
+    ),
+    1 => 
+    array (
+      'path' => '/var/www/html/custom_apps',
+      'url' => '/custom_apps',
+      'writable' => true,
+    ),
+  ),
+  'instanceid' => 'oc9uqhr7buka',
+  'passwordsalt' => 'SK2vmQeTEHrkkwx9K+hC1WX33lPJDs',
+  'secret' => '3dBt5THD2ehg0yWdVDAvMmsY8yLtrfk/gE560lkMqYqgh6lu',
+  'trusted_domains' => 
+  array (
+    0 => 'cloud.hamburg.ccc.de',
+  ),
+  'datadirectory' => '/var/www/html/data',
+  'dbtype' => 'mysql',
+  'version' => '25.0.9.2',
+  'overwrite.cli.url' => 'https://cloud.hamburg.ccc.de',
+  'dbname' => 'nextcloud',
+  'dbhost' => 'database',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'mysql.utf8mb4' => true,
+  'dbuser' => 'nextcloud',
+  'dbpassword' => 'TdBLMQQeKbz1zab3sySUsGxo3',
+  'installed' => true,
+  // Some Nextcloud options that might make sense here
+  'allow_user_to_change_display_name' => false,
+  'lost_password_link' => 'disabled',
+  // URL of provider. All other URLs are auto-discovered from .well-known
+  'oidc_login_provider_url' => 'https://id.ccchh.net/realms/ccchh',
+  // Client ID and secret registered with the provider
+  'oidc_login_client_id' => 'cloud',
+  'oidc_login_client_secret' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/kc-client-secret", create=false, missing="error") }}',
+  // Automatically redirect the login page to the provider
+  'oidc_login_auto_redirect' => true,
+  // Redirect to this page after logging out the user
+  //'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
+  // If set to true the user will be redirected to the
+  // logout endpoint of the OIDC provider after logout
+  // in Nextcloud. After successfull logout the OIDC
+  // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
+  'oidc_login_end_session_redirect' => true,
+  // Quota to assign if no quota is specified in the OIDC response (bytes)
+  //
+  // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
+  // zero or -1 or ''.
+  'oidc_login_default_quota' => '1000000000',
+  // Login button text
+  'oidc_login_button_text' => 'Log in via id.ccchh.net',
+  // Hide the NextCloud password change form.
+  'oidc_login_hide_password_form' => false,
+  // Use ID Token instead of UserInfo
+  'oidc_login_use_id_token' => false,
+  'oidc_login_attributes' => array (
+        'id' => 'preferred_username',
+        'name' => 'name',
+        'mail' => 'email',
+        'quota' => 'ownCloudQuota',
+        'home' => 'homeDirectory',
+        'ldap_uid' => 'uid',
+        'groups' => 'ownCloudGroups',
+        'login_filter' => 'realm_access_roles',
+        'photoURL' => 'picture',
+        'is_admin' => 'ownCloudAdmin',
+  ),
+  // Default group to add users to (optional, defaults to nothing)
+  //'oidc_login_default_group' => 'oidc',
+  'oidc_login_filter_allowed_values' => null,
+  // Set OpenID Connect scope
+  'oidc_login_scope' => 'openid profile',
+  // The `id` attribute in `oidc_login_attributes` must return the
+  // "Internal Username" (see expert settings in LDAP integration)
+  'oidc_login_proxy_ldap' => false,
+  // Fallback to direct login if login from OIDC fails
+  // Note that no error message will be displayed if enabled
+  'oidc_login_disable_registration' => false,
+  //'oidc_login_redir_fallback' => false,
+  // If you get your groups from the oidc_login_attributes, you might want
+  // to create them if they are not already existing, Default is `false`.
+  'oidc_create_groups' => true,
+  // Enable use of WebDAV via OIDC bearer token.
+  'oidc_login_webdav_enabled' => true,
+  // Enable authentication with user/password for DAV clients that do not
+  // support token authentication (e.g. DAVx⁵)
+  'oidc_login_password_authentication' => false,
+);
--- a/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2
+++ b/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2
@ -0,0 +1,17 @@
+<?php
+$CONFIG = array (
+    'default_phone_region' => 'DE',
+    'hide_login_form' => true,
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => 'cow.hamburg.ccc.de',
+    'mail_smtpport' => 465,
+    'mail_smtpsecure' => 'ssl',
+    'mail_smtpauth' => true,
+    'mail_smtpauthtype' => 'LOGIN',
+    'mail_smtpname' => 'no-reply@cloud.hamburg.ccc.de',
+    'mail_from_address' => 'no-reply',
+    'mail_domain' => 'cloud.hamburg.ccc.de',
+    'mail_smtppassword' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/smtp_password", create=false, missing="error") }}',
+    'mail_smtpdebug' => true,
+    'maintenance_window_start' => 1,
+);
--- a/templates/chaosknoten/configs/engelsystem/compose.yaml.j2
+++ b/templates/chaosknoten/configs/engelsystem/compose.yaml.j2
@ -0,0 +1,55 @@
+---
+services:
+  es_server:
+    image: es_server
+    restart: unless-stopped
+    build:
+      context: /home/chaos/engelsystem
+      dockerfile: /home/chaos/engelsystem/docker/Dockerfile
+    environment:
+      MYSQL_HOST: es_database
+      MYSQL_USER: engelsystem
+      MYSQL_PASSWORD: engelsystem
+      MYSQL_DATABASE: engelsystem
+      APP_NAME: CCCamp2023 Alternative Engelsystem
+      APP_URL: https://aes.ccchh.net
+      CONTACT_EMAIL: mailto:aes@hamburg.ccc.de
+      GOODIE_TYPE: none
+      ENABLE_VOUCHER: false
+      MAIL_DRIVER: smtp
+      MAIL_FROM_ADDRESS: aes@send-only-mail.ccchh.net
+      MAIL_HOST: send-only-mailserver.ccchh.net
+      MAIL_PORT: 465
+      MAIL_ENCRYPTION: tls
+      MAIL_USERNAME: aes
+      MAIL_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/engelsystem/MAIL_PASSWORD", create=false, missing="error") }}
+    ports:
+      - "5080:80"
+    networks:
+      - database
+      - internet
+    depends_on:
+      - es_database
+    extra_hosts:
+      - "send-only-mailserver.ccchh.net:185.161.129.132"
+
+  es_database:
+    image: mariadb:10.2
+    restart: unless-stopped
+    environment:
+      MYSQL_DATABASE: engelsystem
+      MYSQL_USER: engelsystem
+      MYSQL_PASSWORD: engelsystem
+      MYSQL_RANDOM_ROOT_PASSWORD: 1
+      MYSQL_INITDB_SKIP_TZINFO: "yes"
+    volumes:
+      - db:/var/lib/mysql
+    networks:
+      - database
+volumes:
+  db: {}
+
+networks:
+  database:
+    internal: true
+  internet:
--- a/templates/chaosknoten/configs/grafana/compose.yaml.j2
+++ b/templates/chaosknoten/configs/grafana/compose.yaml.j2
@ -0,0 +1,61 @@
+---
+services:
+
+  prometheus:
+    image: prom/prometheus
+    container_name: prometheus
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+    ports:
+      - 9090:9090
+    restart: unless-stopped
+    volumes:
+      - ./configs/prometheus.yml:/etc/prometheus/prometheus.yml
+      - ./configs/prometheus_alerts.rules.yaml:/etc/prometheus/rules/alerts.rules.yaml
+      - prom_data:/prometheus
+  
+  alertmanager:
+    image: prom/alertmanager
+    container_name: alertmanager
+    command:
+      - '--config.file=/etc/alertmanager/alertmanager.yaml'
+    ports:
+      - 9093:9093
+    restart: unless-stopped
+    volumes:
+      - ./configs/alertmanager.yaml:/etc/alertmanager/alertmanager.yaml
+      - ./configs/alertmanager_alert_templates.tmpl:/etc/alertmanager/templates/alert_templates.tmpl
+      - alertmanager_data:/alertmanager
+
+  grafana:
+    image: grafana/grafana
+    container_name: grafana
+    ports:
+      - 3000:3000
+    restart: unless-stopped
+    environment:
+      - GF_SECURITY_ADMIN_USER=admin
+      - "GF_SECURITY_ADMIN_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/GF_SECURITY_ADMIN_PASSWORD", create=false, missing="error") }}"
+    volumes:
+      - ./configs/grafana.ini:/etc/grafana/grafana.ini
+      - ./configs/grafana-datasource.yml:/etc/grafana/provisioning/datasources/datasource.yml
+      - graf_data:/var/lib/grafana
+
+  pve-exporter:
+    image: prompve/prometheus-pve-exporter
+    container_name: pve-exporter
+    ports:
+      - 9221:9221
+    restart: unless-stopped
+    environment:
+      - PVE_USER=grafana@pve
+      - "PVE_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/prometheus-exporter", create=false, missing="error") }}"
+      - PVE_VERIFY_SSL=false
+    volumes:
+      - /dev/null:/etc/prometheus/pve.yml
+
+
+volumes:
+  graf_data: {}
+  prom_data: {}
+  alertmanager_data: {}
--- a/templates/chaosknoten/configs/grafana/docker_compose/alertmanager.yaml.j2
+++ b/templates/chaosknoten/configs/grafana/docker_compose/alertmanager.yaml.j2
@ -0,0 +1,40 @@
+# Links & References:
+# - https://prometheus.io/docs/alerting/latest/configuration/
+# - https://github.com/prometheus/alertmanager/blob/48a99764a1fc9279fc828de83e7a03ae2219abc7/doc/examples/simple.yml
+
+route:
+  group_by: ["alertname", "site", "type", "hypervisor"]
+
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 3h
+
+  receiver: ccchh-infrastructure-alerts
+
+
+{# Disable these for now, but might be interesting in the future.
+# Inhibition rules allow to mute a set of alerts given that another alert is
+# firing.
+# We use this to mute any warning-level notifications if the same alert is
+# already critical.
+inhibit_rules:
+  - source_matchers: [severity="critical"]
+    target_matchers: [severity="warning"]
+    # Apply inhibition if the alertname is the same.
+    # CAUTION:
+    #   If all label names listed in `equal` are missing
+    #   from both the source and target alerts,
+    #   the inhibition rule will apply!
+    equal: [alertname, cluster, service] #}
+
+templates:
+  - "/etc/alertmanager/templates/*.tmpl"
+
+receivers:
+  - name: "ccchh-infrastructure-alerts"
+    telegram_configs:
+      - send_resolved: true
+        bot_token: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/alertmanager_telegram_bot_token", create=false, missing="error") }}
+        chat_id: -1002434372415
+        parse_mode: HTML
+        message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }}
--- a/templates/chaosknoten/configs/grafana/docker_compose/grafana.ini
+++ b/templates/chaosknoten/configs/grafana/docker_compose/grafana.ini
@ -0,0 +1,25 @@
+[server]
+root_url = https://grafana.hamburg.ccc.de
+
+[auth]
+disable_login_form = true
+
+# https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
+[auth.generic_oauth]
+enabled = true
+auto_login = true
+name = id.hamburg.ccc.de
+allow_sign_up = true
+client_id = grafana
+client_secret = {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/KEYCLOAK_SECRET", create=false, missing="error") }}
+scopes = openid email profile offline_access roles
+email_attribute_path = email
+login_attribute_path = username
+name_attribute_path = full_name
+auth_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth
+token_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token
+api_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/userinfo
+signout_redirect_url = https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/logout
+role_attribute_path = "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
+allow_assign_grafana_admin = true
+use_refresh_token = true
--- a/templates/chaosknoten/configs/keycloak/compose.yaml.j2
+++ b/templates/chaosknoten/configs/keycloak/compose.yaml.j2
@ -0,0 +1,124 @@
+## Secrets:
+#
+# Secrets should be provided via the relevant `x_secrets.env` files to the
+# containers. Options to be set are documented by commented out environment
+# variables.
+#
+## Links & Resources:
+#
+# https://www.keycloak.org/
+# https://www.keycloak.org/documentation
+# https://www.keycloak.org/getting-started/getting-started-docker
+# https://www.keycloak.org/server/configuration
+# https://www.keycloak.org/server/containers
+# https://www.keycloak.org/server/configuration-production
+# https://www.keycloak.org/server/db
+# https://hub.docker.com/_/postgres
+# https://github.com/docker-library/docs/blob/master/postgres/README.md
+# https://www.keycloak.org/server/hostname
+# https://www.keycloak.org/server/reverseproxy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+# https://www.keycloak.org/server/all-config
+
+services:
+  keycloak:
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.0
+    pull_policy: always
+    restart: unless-stopped
+    command: start --optimized
+    depends_on:
+      - db
+    networks:
+      - keycloak
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
+      KC_DB: postgres
+      KC_DB_URL_HOST: db
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
+      KC_HOSTNAME: https://id.hamburg.ccc.de
+      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: false
+      KC_HOSTNAME_ADMIN: https://keycloak-admin.hamburg.ccc.de
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
+    ports:
+      - "8080:8080"
+
+  db:
+    image: postgres:15.2
+    restart: unless-stopped
+    networks:
+      - keycloak
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
+      POSTGRES_DB: keycloak
+
+  id-invite-web:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: web
+    restart: unless-stopped
+    networks:
+      - web
+      - email
+      - keycloak
+    ports:
+      - 3000:3000
+    environment:
+      - "APP_EMAIL_BASE_URI=http://id-invite-email:3000"
+      - "APP_KEYCLOAK_BASE_URI=http://id-invite-keycloak:3000"
+      - "BOTTLE_HOST=0.0.0.0"
+      - "BOTTLE_URL_SCHEME=https"
+      - "IDINVITE_INVITE_REQUIRES_GROUP=id_invite"
+      - "IDINVITE_URL=https://invite.hamburg.ccc.de"
+      - "IDINVITE_KEYCLOAK_NAME=CCCHH ID"
+      - "IDINVITE_VALID_HOURS=50"
+      - "IDINVITE_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_TOKEN_SECRET", create=false, missing="error") }}"
+      - "IDINVITE_DISCOVERY_URL=https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration"
+      - "IDINVITE_CLIENT_ID=id-invite"
+      - "IDINVITE_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_CLIENT_SECRET", create=false, missing="error") }}"
+      - "MAIL_FROM=no-reply@hamburg.ccc.de"
+      - "BOTTLE_HOST=0.0.0.0"
+
+  id-invite-email:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: email
+    restart: unless-stopped
+    networks:
+      - email
+      - web
+    environment:
+      - "BOTTLE_HOST=0.0.0.0"
+      - "IDINVITE_KEYCLOAK_NAME=CCCHH ID"
+      - "MAIL_FROM=no-reply@id.hamburg.ccc.de"
+      - "SMTP_HOSTNAME=cow.hamburg.ccc.de"
+      - "SMTP_USERNAME=no-reply@id.hamburg.ccc.de"
+      - "SMTP_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/NO_REPLY_SMTP", create=false, missing="error") }}"
+
+  id-invite-keycloak:
+    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
+    command: keycloak
+    restart: unless-stopped
+    networks:
+      - keycloak
+    environment:
+      - "BOTTLE_HOST=0.0.0.0"
+      - "IDINVITE_CLIENT_ID=id-invite"
+      - "IDINVITE_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_CLIENT_SECRET", create=false, missing="error") }}"
+      - "KEYCLOAK_API_URL=http://keycloak:8080"
+      - "KEYCLOAK_API_USERNAME=id-invite"
+      - "KEYCLOAK_API_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_ADMIN_PASSWORD", create=false, missing="error") }}"
+      - "KEYCLOAK_API_REALM=ccchh"
+      - 'KEYCLOAK_GROUPS=["user"]'
+
+
+
+networks:
+  keycloak:
+    external: false
+  web:
+  email:
+    external: false
--- a/templates/chaosknoten/configs/onlyoffice/compose.yaml.j2
+++ b/templates/chaosknoten/configs/onlyoffice/compose.yaml.j2
@ -0,0 +1,17 @@
+## Links & Resources
+#
+# https://helpcenter.onlyoffice.com/installation/docs-community-install-docker.aspx
+
+services:
+  onlyoffice:
+    image: onlyoffice/documentserver:latest
+    restart: unless-stopped
+    volumes:
+      - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
+      - "./onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data"
+      - "./onlyoffice/DocumentServer/lib:/var/lib/onlyoffice"
+      - "./onlyoffice/DocumentServer/db:/var/lib/postgresql"
+    ports:
+      - "8080:80"
+    environment:
+      JWT_SECRET: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/onlyoffice/JWT_SECRET", create=false, missing="error") }}
--- a/templates/chaosknoten/configs/pad/compose.yaml.j2
+++ b/templates/chaosknoten/configs/pad/compose.yaml.j2
@ -0,0 +1,67 @@
+---
+# see https://github.com/hedgedoc/container/blob/master/docker-compose.yml
+
+services:
+  database:
+    image: docker.io/library/postgres:15-alpine
+    environment:
+      - "POSTGRES_USER=hedgedoc"
+      - "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
+      - "POSTGRES_DB=hedgedoc"
+    volumes:
+      - database:/var/lib/postgresql/data
+    restart: unless-stopped
+
+  app:
+    #image: quay.io/hedgedoc/hedgedoc:1.9.9
+    image: quay.io/hedgedoc/hedgedoc:latest
+    environment:
+      - "CMD_DB_URL=postgres://hedgedoc:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}@database:5432/hedgedoc"
+      - "CMD_DOMAIN=pad.hamburg.ccc.de"
+      - "CMD_PROTOCOL_USESSL=true"
+      - "CMD_HSTS_ENABLE=false"
+      - "CMD_URL_ADDPORT=false"
+      - "CMD_ALLOW_FREEURL=true"
+      - "CMD_ALLOW_EMAIL_REGISTER=false"
+      - "CMD_ALLOW_ANONYMOUS=false"
+      - "CMD_ALLOW_ANONYMOUS_EDITS=true"
+      - "CMD_ALLOW_ANONYMOUS_VIEWS=true"
+      - "CMD_DEFAULT_PERMISSION=limited"
+      - "CMD_EMAIL=false"
+      - "CMD_OAUTH2_USER_PROFILE_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/userinfo"
+      - "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username"
+      - "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name"
+      - "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email"
+      - "CMD_OAUTH2_TOKEN_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"
+      - "CMD_OAUTH2_AUTHORIZATION_URL=https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"
+      - "CMD_OAUTH2_CLIENT_ID=pad"
+      - "CMD_OAUTH2_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/KC_SECRET", create=false, missing="error") }}"
+      - "CMD_OAUTH2_PROVIDERNAME=Keycloak"
+      - "CMD_OAUTH2_SCOPE=openid email profile"
+    volumes:
+      - uploads:/hedgedoc/public/uploads
+    ports:
+      - "127.0.0.1:3000:3000"
+    restart: unless-stopped
+    depends_on:
+      - database
+
+  hedgedoc-expire:
+    image: git.hamburg.ccc.de/ccchh/hedgedoc-expire/hedgedoc-expire:latest
+    # command: "emailcheck"
+    command: "cron"
+    environment:
+      - "POSTGRES_HOSTNAME=database"
+      - "POSTGRES_USERNAME=hedgedoc"
+      - "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
+      - "SMTP_FROM=pad@hamburg.ccc.de"
+      - "SMTP_HOSTNAME=cow.hamburg.ccc.de"
+      - "SMTP_USERNAME=pad@hamburg.ccc.de"
+      - "SMTP_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/smtp_password", create=false, missing="error") }}"
+      - "URL=https://pad.hamburg.ccc.de"
+    depends_on:
+      - database
+
+volumes:
+  database: {}
+  uploads: {}
--- a/templates/chaosknoten/configs/pretalx/compose.yaml.j2
+++ b/templates/chaosknoten/configs/pretalx/compose.yaml.j2
@ -0,0 +1,106 @@
+---
+# see https://github.com/pretalx/pretalx-docker/blob/main/docker-compose.yml
+
+services:
+  database:
+    image: docker.io/library/postgres:15-alpine
+    environment:
+      - "POSTGRES_USER=pretalx"
+      - "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pretalx/DB_PASSWORD", create=false, missing="error") }}"
+      - "POSTGRES_DB=pretalx"
+    volumes:
+      - database:/var/lib/postgresql/data
+    restart: unless-stopped
+
+  redis:
+    image: redis:latest
+    restart: unless-stopped
+    volumes: 
+      - redis:/data
+  
+  static:
+    image: docker.io/library/nginx
+    restart: unless-stopped
+    volumes:
+      - public:/usr/share/nginx/html
+    ports:
+      - 8081:80
+
+  pretalx:
+    image: pretalx/standalone:latest
+    entrypoint: gunicorn
+    command:
+      - "pretalx.wsgi"
+      - "--name"
+      - "pretalx"
+      - "--workers"
+      - "4"
+      - "--max-requests"
+      - "1200"
+      - "--max-requests-jitter"
+      - "50"
+      - "--log-level=info"
+      - "--bind=0.0.0.0:8080"
+    ports:
+      - 8080:8080
+    restart: unless-stopped
+    environment:
+      PRETALX_DATA_DIR: /data
+      PRETALX_FILESYSTEM_MEDIA: /public/media
+      PRETALX_FILESYSTEM_STATIC: /public/static
+      PRETALX_SITE_URL: https://pretalx.hamburg.ccc.de
+      PRETALX_DB_TYPE: postgresql
+      PRETALX_DB_NAME: pretalx
+      PRETALX_DB_USER: pretalx
+      PRETALX_DB_PASS: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pretalx/DB_PASSWORD", create=false, missing="error") }}"
+      PRETALX_DB_HOST: database
+      PRETALX_MAIL_FROM: "pretalx@hamburg.ccc.de"
+      PRETALX_MAIL_HOST: "cow-intern.hamburg.ccc.de"
+      PRETALX_CELERY_BACKEND: redis://redis/1
+      PRETALX_CELERY_BROKER: redis://redis/2
+      PRETALX_REDIS: redis://redis/3
+      PRETALX_REDIS_SESSIONS: "True"
+      # PRETALX_LOGGING_EMAIL: noc@hamburg.ccc.de
+      PRETALX_LANGUAGE_CODE: de
+      PRETALX_TIME_ZONE: Europe/Berlin
+    volumes:
+      - pretalx:/data    
+      - public:/public
+
+  celery:
+    image: pretalx/standalone:latest
+    command:
+      - taskworker
+    restart: unless-stopped
+    environment:
+      PRETALX_DATA_DIR: /data
+      PRETALX_FILESYSTEM_MEDIA: /public/media
+      PRETALX_FILESYSTEM_STATIC: /public/static
+      PRETALX_SITE_URL: https://pretalx.hamburg.ccc.de
+      PRETALX_DB_TYPE: postgresql
+      PRETALX_DB_NAME: pretalx
+      PRETALX_DB_USER: pretalx
+      PRETALX_DB_PASS: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pretalx/DB_PASSWORD", create=false, missing="error") }}"
+      PRETALX_DB_HOST: database
+      PRETALX_MAIL_FROM: "pretalx@hamburg.ccc.de"
+      PRETALX_MAIL_HOST: "cow.hamburg.ccc.de"
+      PRETALX_MAIL_PORT: 587
+      PRETALX_MAIL_USER: pretalx@hamburg.ccc.de
+      PRETALX_MAIL_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pretalx/PRETALX_MAIL_PASSWORD", create=false, missing="error") }}"
+      PRETALX_MAIL_TLS: "true"
+      PRETALX_CELERY_BACKEND: redis://redis/1
+      PRETALX_CELERY_BROKER: redis://redis/2
+      PRETALX_REDIS: redis://redis/3
+      PRETALX_REDIS_SESSIONS: "True"
+      # PRETALX_LOGGING_EMAIL: noc@hamburg.ccc.de
+      PRETALX_LANGUAGE_CODE: de
+      PRETALX_TIME_ZONE: Europe/Berlin
+    volumes:
+      - pretalx:/data    
+      - public:/public
+
+volumes:
+  database: {}
+  redis: {}
+  pretalx: {}
+  public: {}
--- a/templates/chaosknoten/configs/tickets/compose.yaml.j2
+++ b/templates/chaosknoten/configs/tickets/compose.yaml.j2
@ -0,0 +1,48 @@
+---
+services:
+  database:
+    image: docker.io/library/postgres:15-alpine
+    environment:
+      - "POSTGRES_USER=pretix"
+      - "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/tickets/DB_PASSWORD", create=false, missing="error") }}"
+      - "POSTGRES_DB=pretix"
+    volumes:
+      - database:/var/lib/postgresql/data
+    networks:
+      backend:
+    restart: unless-stopped
+  
+  redis:
+    image: docker.io/library/redis:7
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis:/rdata
+    # run redis-server, save a snapshot every 60 seconds if there has been at least 1 write
+    command: ["redis-server", "--save", "60", "1"]
+    restart: unless-stopped
+    networks:
+      backend:
+
+  pretix:
+    image: docker.io/pretix/standalone:2024.8
+    command: ["all"]
+    ports:
+      - "8345:80"
+    volumes:
+      - ./configs/pretix.cfg:/etc/pretix/pretix.cfg
+      - pretix:/data
+    restart: unless-stopped
+    networks:
+      backend:
+      frontend:
+
+volumes:
+  database: {}
+  pretix: {}
+  redis: {}
+
+networks:
+  backend:
+    internal: true
+  frontend:
--- a/templates/chaosknoten/configs/tickets/pretix.cfg.j2
+++ b/templates/chaosknoten/configs/tickets/pretix.cfg.j2
@ -0,0 +1,26 @@
+[pretix]
+instance_name=CCCHH Tickets
+url=https://tickets.hamburg.ccc.de
+currency=EUR
+datadir=/data
+trust_x_forwarded_for=on
+trust_x_forwarded_proto=on
+
+[database]
+backend=postgresql
+name=pretix
+user=pretix
+password={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/tickets/DB_PASSWORD", create=false, missing="error") }}
+host=database
+
+[mail]
+from=tickets@hamburg.ccc.de
+host=cow-intern.hamburg.ccc.de
+
+[redis]
+location=redis://redis/0
+sessions=true
+
+[celery]
+backend=redis://redis/0
+broker=redis://redis/1
--- a/templates/chaosknoten/configs/zammad/compose.yaml.j2
+++ b/templates/chaosknoten/configs/zammad/compose.yaml.j2
@ -0,0 +1,158 @@
+---
+{#
+https://github.com/zammad/zammad-docker-compose
+Docker Compose does not allow defining variables in the compose file (only in .env files), so we use Jinja variables instead
+see https://github.com/zammad/zammad-docker-compose/blob/master/.env
+#}
+{%- set ELASTICSEARCH_VERSION = "8" | quote -%}
+{%- set IMAGE_REPO = "ghcr.io/zammad/zammad" | quote -%}
+{%- set MEMCACHE_SERVERS = "zammad-memcached:11211" | quote -%}
+{%- set MEMCACHE_VERSION = "1.6-alpine" | quote -%}
+{%- set POSTGRES_DB = "zammad_production" | quote -%}
+{%- set POSTGRES_HOST = "zammad-postgresql" | quote -%}
+{%- set POSTGRES_USER = "zammad" | quote -%}
+{%- set POSTGRES_PASS = lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/zammad/DB_PASSWORD", create=false, missing="error") | quote -%}
+{%- set POSTGRES_PORT = "5432" | quote -%}
+{%- set POSTGRES_VERSION = "15-alpine" | quote -%}
+{%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%}
+{%- set REDIS_VERSION = "7-alpine" | quote -%}
+{%- set RESTART = "always" | quote -%}
+{%- set VERSION = "6" | quote -%}
+x-shared:
+  zammad-service: &zammad-service
+    environment: &zammad-environment
+      MEMCACHE_SERVERS: {{ MEMCACHE_SERVERS }}
+      POSTGRESQL_DB: {{ POSTGRES_DB }}
+      POSTGRESQL_HOST: {{ POSTGRES_HOST }}
+      POSTGRESQL_USER: {{ POSTGRES_USER }}
+      POSTGRESQL_PASS: {{ POSTGRES_PASS }}
+      POSTGRESQL_PORT: {{ POSTGRES_PORT }}
+      REDIS_URL: {{ REDIS_URL }}
+      # Allow passing in these variables via .env:
+      AUTOWIZARD_JSON:
+      AUTOWIZARD_RELATIVE_PATH:
+      ELASTICSEARCH_ENABLED:
+      ELASTICSEARCH_HOST:
+      ELASTICSEARCH_PORT:
+      ELASTICSEARCH_SCHEMA:
+      ELASTICSEARCH_NAMESPACE:
+      ELASTICSEARCH_REINDEX:
+      ELASTICSEARCH_SSL_VERIFY:
+      NGINX_PORT:
+      NGINX_SERVER_NAME:
+      NGINX_SERVER_SCHEME: https
+      POSTGRESQL_DB_CREATE:
+      POSTGRESQL_OPTIONS:
+      RAILS_TRUSTED_PROXIES:
+      ZAMMAD_WEB_CONCURRENCY:
+      ZAMMAD_SESSION_JOBS:
+      ZAMMAD_PROCESS_SCHEDULED:
+      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
+    image: {{ IMAGE_REPO }}:{{ VERSION }}
+    restart: {{ RESTART }}
+    volumes:
+      - zammad-storage:/opt/zammad/storage
+      - zammad-var:/opt/zammad/var
+    depends_on:
+      - zammad-memcached
+      - zammad-postgresql
+      - zammad-redis
+
+services:
+
+  zammad-backup:
+    command: ["zammad-backup"]
+    depends_on:
+      - zammad-railsserver
+      - zammad-postgresql
+    entrypoint: /usr/local/bin/backup.sh
+    environment:
+      <<: *zammad-environment
+      BACKUP_TIME: "03:00"
+      HOLD_DAYS: "10"
+      TZ: Europe/Berlin
+    image: postgres:{{ POSTGRES_VERSION }}
+    restart: {{ RESTART }}
+    volumes:
+      - zammad-backup:/var/tmp/zammad
+      - zammad-storage:/opt/zammad/storage:ro
+      - zammad-var:/opt/zammad/var:ro
+      - ./scripts/backup.sh:/usr/local/bin/backup.sh:ro
+
+  zammad-elasticsearch:
+    image: bitnami/elasticsearch:{{ ELASTICSEARCH_VERSION }}
+    restart: {{ RESTART }}
+    volumes:
+      - elasticsearch-data:/bitnami/elasticsearch/data
+
+  zammad-init:
+    <<: *zammad-service
+    command: ["zammad-init"]
+    depends_on:
+      - zammad-postgresql
+    restart: on-failure
+    user: 0:0
+    volumes:
+      - zammad-storage:/opt/zammad/storage
+      - zammad-var:/opt/zammad/var
+
+  zammad-memcached:
+    command: memcached -m 256M
+    image: memcached:{{ MEMCACHE_VERSION }}
+    restart: {{ RESTART }}
+
+  zammad-nginx:
+    <<: *zammad-service
+    command: ["zammad-nginx"]
+    expose:
+      - "8080"
+    ports:
+      - "8080:8080"
+    depends_on:
+      - zammad-railsserver
+    volumes:
+      - zammad-var:/opt/zammad/var:ro # required for the zammad-ready check file
+
+  zammad-postgresql:
+    environment:
+      POSTGRES_DB: {{ POSTGRES_DB }}
+      POSTGRES_USER: {{ POSTGRES_USER }}
+      POSTGRES_PASSWORD: {{ POSTGRES_PASS }}
+    image: postgres:{{ POSTGRES_VERSION }}
+    restart: {{ RESTART }}
+    volumes:
+      - postgresql-data:/var/lib/postgresql/data
+
+  zammad-railsserver:
+    <<: *zammad-service
+    command: ["zammad-railsserver"]
+
+  zammad-redis:
+    image: redis:{{ REDIS_VERSION }}
+    restart: {{ RESTART }}
+    volumes:
+      - redis-data:/data
+
+  zammad-scheduler:
+    <<: *zammad-service
+    command: ["zammad-scheduler"]
+    volumes:
+      - /ansible_docker_compose/zammad-scheduler-database.yml:/opt/zammad/config/database.yml # workaround for connection pool issue
+
+  zammad-websocket:
+    <<: *zammad-service
+    command: ["zammad-websocket"]
+
+volumes:
+  elasticsearch-data:
+    driver: local
+  postgresql-data:
+    driver: local
+  redis-data:
+    driver: local
+  zammad-backup:
+    driver: local
+  zammad-storage:
+    driver: local
+  zammad-var:
+    driver: local