98 commits

Author	SHA1	Message	Date
June	6b19f69135	renovate(role): add cleanup service and timer for renovate volume ... With time the volume seems to just keeps growing with cache data, so clean it up once a day.	2026-05-19 00:23:26 +02:00
jtbx	83e6f76464	deploy_systemd_journal_config(role): Disable ForwardToSyslog ... We don't want hour journalctl logs mirrored to /var/log/syslog	2026-05-15 19:25:44 +02:00
lilly	637dc6b25a	consider ansible-pull jobs failed after 30 minutes	2026-05-13 16:53:57 +02:00
lilly	bc4df9a3f4	fix ansible-lint warnings of knot role	2026-05-07 23:45:48 +02:00
lilly	50beedbc62	configure metric scraping from knot on auth-dns	2026-05-06 15:51:38 +02:00
lilly	5283d2da95	improve knot roles reloading behavior ... With this change, the nameserver is not restarted on configuration updates but only reloaded instead.	2026-05-06 14:33:04 +02:00
June	3aa146d723	nftables(role): reload instead of restart ... This should make the role more robust against misconfigurations.	2026-05-06 14:19:38 +02:00
lilly	fa021fb737	migrate dns zone ccchh.net. to new auth-dns server	2026-05-06 12:12:54 +02:00
lilly	416ca85b11	rename auth_dns -> knot role	2026-05-06 11:52:33 +02:00
lilly	8c1553c707	fix role name auth-dns -> auth_dns	2026-05-06 11:47:10 +02:00
lilly	6fa2d65db2	enable auth-dns role to actually configure useful zones	2026-05-06 11:47:10 +02:00
lilly	fa94d59df6	add barebones knot config ... This configuration does not yet do much but it provisions a knot server that runs.	2026-05-06 11:47:10 +02:00
lilly	d880eb8677	fix systemd-resolved not being installed ... closes #88	2026-05-03 16:50:45 +02:00
lilly	c304a1c82a	add README.md to deploy_systemd_resolved_config role	2026-05-02 01:01:23 +02:00
lilly	58ced1a85e	add capability to disable systemd-resolved to base_config role	2026-05-01 00:16:43 +02:00
lilly	0330c6b6ca	reduce ansible grafana log verbosity by using loop_control labels	2026-04-24 15:32:43 +02:00
June	8bf6dfbefb	certbot(role): support DNS-01 certs using acme-dns ... Introduce new configuration structure called certbot__certs, which allows for different challenge types per cert with the first challenge type supported being dns-01-acme-dns.	2026-03-31 16:48:00 +02:00
June	2b5f261cd3	docker(role): move automatic cleanup of unused Docker data here ... Move the automatic cleanup of unused Docker data to the docker role from the docker_compose role, so that hosts, which only use Docker (like renovate) also have an automatic cleanup set up. Also use a systemd timer instead of cron.	2026-03-06 21:09:47 +01:00
June	fee18bd349	certbot(role): allow empty list of certificate domains ... Also explicitly document that they are used with the HTTP-01 challenge. This is in preparation for adding a new option with DNS-01 challenge support.	2026-03-05 14:37:17 +01:00
June	3820a97584	certbot(role): move arguments documentation into README ... Do this to match how it's done in newer roles.	2026-03-05 14:37:17 +01:00
June	711f2f1c64	certbot(role): don't use certbot__version_spec anymore as its not used	2026-03-01 20:08:49 +01:00
Stefan Bethke	08101ccef1	Fix permission	2026-02-22 18:37:01 +01:00
Stefan Bethke	d26fbf2577	Allow syncing an arbitrary set of files to the target	2026-02-22 18:21:47 +01:00
June	7b8dab07b6	distribution_check(role): remove role as it's not really needed ... As the roles are used internally only anyway, we don't need to specify compatbilities like this and don't properly use it anyway.	2026-02-09 17:49:49 +01:00
June	2e5b0ab940	nginx(role): to not log IPs, just disable the access log	2026-01-27 18:18:17 +01:00
Stefan Bethke	c33ae36af3	Enable IPv6 by default	2026-01-25 22:40:36 +01:00
Stefan Bethke	2cd0811b29	Fix warning	2026-01-25 22:40:36 +01:00
chris	5693989c38	add alloy to the z9 hosts and some cleanup	2026-01-25 21:44:49 +01:00
chris	c7d51af5b4	rollout Alloy to replace prometheus_node_exporter ... With the new network we need to deploy a push based solution in order to get metrics into prometheus	2026-01-25 21:44:49 +01:00
June	995dbb06e2	wip: alloy	2026-01-25 21:44:49 +01:00
June	652aa32e21	docker_compose(role): document new build and pull arguments	2026-01-25 20:49:39 +01:00
Stefan Bethke	d35f1cc779	GPG must be installed for the docker role to be able to add the repo	2026-01-25 15:31:42 +01:00
Stefan Bethke	f887de25c5	make building and pulling configurable	2026-01-25 13:26:20 +01:00
Stefan Bethke	664b9115b8	Fix warning	2026-01-25 13:01:52 +01:00
June	d514688574	systemd_networkd(role),router(host): support global config to fix forw. ... With the router upgrade to Debian 13 the systemd version got upgraded as well breaking the current configuration for IP forwarding. Add a variable for global systemd-networkd configuration and use that to enable IPv4 and IPv6 forwarding on the router. The systemd_networkd role could be a bit nicer, not deploying/deleting the global configuration, if the variable is empty and reloading/restarting systemd-networkd at appropriate times. But as is works for now.	2026-01-18 19:21:33 +01:00
June	951ec7ebcd	netbox(role): fix oidc integration by no longer using is_staff ... is_staff got removed in 4.5.0. See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0	2026-01-13 02:25:06 +01:00
June	a92e144cfc	base_config(role): ensure base set of admin tools is installed ... See: https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix	2026-01-13 00:41:06 +01:00
June	fbd3ea5496	base_config: disable cloud-init ssh module to avoid hostkey regeneration ... It should run once on first boot anyway and since it apparently runs for every change in the Proxmox cloud init config, disable it, so it doesn't, since it's annoying to have "random" hostkey changes.	2026-01-07 18:09:48 +01:00
Stefan Bethke	a328e92971	Should be compatible with trixie/13	2026-01-03 14:03:26 +01:00
Stefan Bethke	25db54b8ad	Make sure pip is installed	2026-01-03 14:02:56 +01:00
June	5a476f2103	cloud(host): move to new network and hostname	2025-12-16 20:47:44 +01:00
June	d0618e3820	nftables(role): introduce role for deploying nftables	2025-12-13 22:07:37 +01:00
June	d6ba70523c	systemd_networkd(role): introd. role for deploy. systemd-networkd config	2025-12-13 22:07:35 +01:00
c6ristian	5f6000adca	ssh_config: also enable sntrup761x25519-sha512 for Debain 13 ... tldr: PQC algorithms are complex but sntrup still is not brocken	2025-11-11 22:47:42 +01:00
lilly	63917722ff	fix foobazdmx role ... poetry is available via apt now so we install it that way	2025-11-06 21:19:20 +01:00
lilly	aeec08fce8	remove distribution checks ... Signed-Off-By: june	2025-11-06 21:16:42 +01:00
c6ristian	d690f81e3d	deploy_ssh_server_config: setup ssh pq cryptography	2025-11-05 23:08:28 +01:00
June	ae60d6fea6	docker_compose(role): use community.docker.docker_compose_v2 module ... Use the community.docker.docker_compose_v2 module as it supports proper changed handling out of the box, making the roles code more straightforward and work. Also just do a docker compose restart instead of having the custom docker compose reload script. https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html	2025-11-02 23:13:20 +01:00
June	9f8d2d89cd	docker_compose(role): move argument documentation to README ... Do this to match newer roles and since reading documentation from argument_specs is quite unergonomic.	2025-11-02 22:32:20 +01:00
June	e390b7c202	docker_compose(role): remove unnecessary hosts section from README ... The hosts section isn't really relevant for that role, so remove it.	2025-11-02 22:32:20 +01:00