diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 5113e9f..d29fb6e 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v5 - name: Install pip run: | apt update @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v26.1.1 + uses: https://github.com/ansible/ansible-lint@v25.11.0 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/.sops.yaml b/.sops.yaml index 60da9eb..98aaf3c 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -33,37 +33,15 @@ keys: - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg - - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa - - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv - external: - age: &host_external_age_keys - - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr creation_rules: - ## group vars + # group vars - path_regex: inventories/chaosknoten/group_vars/all.* key_groups: - pgp: *admin_gpg_keys age: *host_chaosknoten_age_keys - - path_regex: inventories/external/group_vars/all.* - key_groups: - - pgp: - *admin_gpg_keys - age: - *host_external_age_keys - - path_regex: inventories/z9/group_vars/all.* - key_groups: - - pgp: - *admin_gpg_keys - ## host vars - # chaosknoten hosts - - path_regex: inventories/chaosknoten/host_vars/acmedns.* - key_groups: - - pgp: - *admin_gpg_keys - age: - - *host_acmedns_ansible_pull_age_key + # host vars - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: @@ -172,20 +150,6 @@ creation_rules: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.* - key_groups: - - pgp: - *admin_gpg_keys - age: - - *host_spaceapiccc_ansible_pull_age_key - # external hosts - - path_regex: inventories/external/host_vars/status.* - key_groups: - - pgp: - *admin_gpg_keys - age: - - *host_status_ansible_pull_age_key - # z9 hosts - path_regex: inventories/z9/host_vars/dooris.* key_groups: - pgp: diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md deleted file mode 100644 index f6ccf4a..0000000 
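Review bot: Removing `host_spaceapiccc_ansible_pull_age_key`, `host_acmedns_ansible_pull_age_key` and the `external` key group here only changes which recipients later `sops updatekeys` runs encrypt to; it does not revoke anything those keys could already decrypt. In the `all.sops.yaml` hunk further down this page the two matching recipient stanzas are dropped while the `msmtp__smtp_password` ciphertext remains an unchanged context line, which suggests the data key was re-wrapped rather than rotated. If the removal is meant as revocation, run `sops --rotate --in-place` on the affected files and change the underlying secrets as well. The deleted rules for `inventories/external/...` and `inventories/z9/group_vars/all.*` (and, in the second hunk, `external/host_vars/status.*`) also leave those paths without a creation rule unless a catch-all sits outside the hunks. If those files are gone, say so in a comment such as `# inventories/external and z9 group_vars no longer hold SOPS files`; otherwise keep the rules.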
--- a/docs/create-new-web-service-vm.md
+++ /dev/null
@@ -1,114 +0,0 @@ -# How to create all necessary entries for new (web service) VM - -Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo. - -## IP, DNS, VM - -1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. -2. On `ns-intern`: - 1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP. - 2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. - 3. Commit and reload the zone. -3. On Chaosknoten: - 1. Create a new VM, for example by cloning the Debian template 9023. - Give it the name `example`. - 2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. - 3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. - 4. Make sure the VM is started at boot (options). - 5. Adjust any other VM parameters as needed. - 6. Boot the VM. -4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). - - Make sure to enter the VM ID. - - Add an Ethernet interface to the VM; we typically use `eth0` as a name. - - Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. - -## Ansible Basics - -As the first step, we need to make the host known to Ansible. - -1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. - 1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML) - 2. `creation_rules` needs an entry for the host, referencing the age key. - 3. 
Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` -2. In `inventories/chaosknoten/hosts.yaml`: - 1. Configure basic connection info: - ```yaml - example: - ansible_host: example.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - ``` - You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection. - 2. Add the host to the desired roles. - 1. As a minimum, you'll want the following roles: - - `base_config_hosts` - - `infrastructure_authorized_keys_hosts` - - `ansible_pull_hosts` - 2. For a typical web service based on Docker Compose, you'll also want: - - `docker_compose_hosts` - - `nginx_hosts` - - `certbot_hosts`. - 3. In the directory `inventories/chaosknoten/host_var/`: - 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. - 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. - * Add an entry `ansible_pull__age_private_key` with the age private key you generated above. - -## Service-specific config - -From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following. 
- -Make `inventories/chaosknoten/host_var/example.yaml` look like this: -```yaml -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "example.hamburg.ccc.de" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}" - -nginx__version_spec: "" -nginx__configurations: - - name: example.hamburg.ccc.de - content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}" -``` - -This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info. - -## First Ansible run - -Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts: -* `ssh chaos@example.hosts.hamburg.ccc.de` -* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de` - -Then run Ansible for `public-reverse-proxy` to add the necessary entries: - -```sh -ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy -``` - -Finally run Ansible for the new host: - -```sh -ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example -``` - -# Commit your changes - -Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. - -And always `git pull` before you run Ansible so avoid reverting anything! 
- -# Monitoring - -## Gatus (`status.hamburg.ccc.de`) - -After you configured a new service or website, add it to our status and uptime monitoring. -Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents). - -After you've added some checks, the configuration can be deployed using: - -```sh -ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status -``` diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md index aaed515..c88315f 100644 --- a/docs/setting_up_secrets_using_sops_for_a_new_host.md +++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md 
@@ -2,30 +2,19 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory. -1. Create a new age key for Ansible pull on the host. - ``` - age-keygen - ``` - Then add an entry to `keys.hosts.chaosknoten.age` -2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. - It should probably hold all admin keys plus the host entry. +1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. + It should probably hold all admin keys. You can use existing creation rules as a reference. -3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` -4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. +2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. This can be accomplished with a command similar to this: ``` sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml ``` -5. With the editor now open, add the secrets you want to store. +3. With the editor now open, add the secrets you want to store. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Also note that SOPS only encrypts the values, not the keys. When now creating entries, try to adhere to the following variable naming convention: - - Make sure to put the prive age key in here under `ansible_pull__age_private_key`. - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`) - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. 
`netbox__db_password: secret_value`) -6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. - -## GPG Keys - -In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store. +4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. diff --git a/inventories/chaosknoten/group_vars/all.sops.yaml b/inventories/chaosknoten/group_vars/all.sops.yaml index 2350f12..ebc53b7 100644 --- a/inventories/chaosknoten/group_vars/all.sops.yaml +++ b/inventories/chaosknoten/group_vars/all.sops.yaml 
@@ -1,384 +1,363 @@ msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str] -metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str] sops: age: - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2k4SUxMUEtvODVGMnY2 - U1gxeWRURmIwNUhYelNUZHVGQ05rRlI3TXljClREc0hCMjlPTFBEakVuOFFjTWVu - dHNrbzVHT1d0UklRNW0zSHZCWWJpeW8KLS0tIG85S2h1aEhITUI2aVRwempOVHlr - aWFyRDdEZ2RnQjFNUmVZQnBzNGhhR1EKeYR9qIuh/f/o/qXkQV9KZcir9iPQ2IEs - X6azikmig0stguQMUQB57+Sk10MlIDQGoY3C0YcmG3dtiUoo/vKTRw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S0d6cnB5UGJEZlNKcEpD + NGQyYTNwS0E1TjZTbkdaNXlTVHFyendtT3g4Ck0xRkJhZHR2a1RJVDd3bUE5RTl6 + SVZrN0NIR2VKeTl6Qk9oTUd6VDdQYlEKLS0tIE82YXFoVkQ4bk1SRTU2YTZ0eVF4 + akdQTFBoY1B1aVZHSGw4bXJPZTd0MHMKnchC61XZk3cPfe7QjijW5uBlDkf2Sjc3 + /Spp+9cuf9jIJvFg+h3EY7CLAMVyAK59WnODM0HvQNhreXRg8CgK2g== -----END AGE ENCRYPTED FILE----- - recipient: age1gdfhx5hy829uqkw4nwjwlpvl7zqvljguzsnjv0dpwz5q5u7dtf6s90wndt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqazJTaVhjdkk2cStHNllr - VEhobDJIQ1NKajFNVmJ0NHFrRzJlMVVYL0M0CkVEbHFFbTZ3aU9sblNaTTR5T1hT - ZjM3TGZ0SVVkS1ZqMGZxQnh0eHhVaFkKLS0tIGs5RXFta3JJYmRZemNRQzBGbE9E - dlZqTStUVWNEWFk4RzNkSmM3dlRxU0EKR+IOa5r/mSl7jnmhEvbJqytWedRgdix6 - 0x0JCJe/q1l90F4IYIwd5onF5jF9DydmVnNdCbgAHF+DYrdwjwt7Uw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWW1ScXNWSEo3S1RpYitK + aEVsWklvS3Ryc2pqakpUc05mejIwWi9GaG1ZCk90UXdKVVZzdXBuTXowTURDekhM + NlJEbU5teThWaCs3R1ltUHBRMWVncGMKLS0tIGszeDJ0ekJIK2FYUW9Xdjcyc0Rl + Rlp0RXNhc1N5UXdmMG1NMkNoYkZZNkEK96GpdskKEXHK/ZQFSN+Y//wygKmnxP2b + ukFolURV7qlQVamWuDoUC/ToQtl3bU0jce/STQjGY67OwG5kecxEKw== 
-----END AGE ENCRYPTED FILE----- - recipient: age13nm6hfz66ce4wpn89fye05mag3l3h04etvz6wj7szm3vzrdlfupqhrp3fa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmpzTFZ0MWN4TE9Bdld0 - eXJXTVhVbFpmbHpVbDg3KzJTQjVoU2M5Vmg4CkY5MlBwTEsvVDlBUGp4Yy9KSEtW - M0thZncvcFhqcTluR0FRdHBlVERmWkkKLS0tIHlIZ1o3Zm5pcEJUOElKSDU3SEh5 - MzQzRENjNitaNUtIUDNNM0VxVVZsVjAK8BM7kqL6Pjg8riOTti8tAH13MgD2b3jR - EPZEPzWM3vBNMQ71WYSTiljK+fdwQucQbTCZFKVHUyErCiI+7jYrXQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzlXY0FvUEtIa3BVTjUv + MzI3cE8vbVd6WWF3Q2J5RlRISW5kOU1XZEJjClFsS3VlbXZHVDlWMWZMUGwzdTFC + K0xpV3FjRGJmWThDbklNbFByLy9FTXcKLS0tIGpMYlM5S3dodTBhWDY0TjNkT0p4 + WWpCdVN4cjIwMCtRZXJCR0kvWmV2TDQKeAE9hmGim0wdG7AC9Ypk1/zAOvpWEc9w + B5j3MGmJiDV5vqZ6YDJ158fkB3s3XDIohaTP0XT5Y1zEDnn0ee62zA== -----END AGE ENCRYPTED FILE----- - recipient: age1jtusr294t8mzar2qy857v6s329ret9s353y4kuulxwnlyy4dvpjsvyl67m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkdERkJKQnUxaXhuRk5O - cDlxOEZsM2djbk5laFVHWUNKaUNKSit0cDJ3Ck80eFYvajNId0NHdzRONktHZTBM - WENsSFZWL3JLeHNpanNBSDB0M1pselUKLS0tIGZPUTRlSW1hNjNPVnVoSEhKK1dJ - WFpiUW1QSXk4VktHNWVGemh5czZLdmsKaycC2cLTfboV5MT0W2+fWMg9JCAn4U7u - lMkTZausCp1hUlE68BXi8DuVivRif+gjVjVWsBabikQtzW8H//fFDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cXdneDFCNUxZR2VYVXpo + RzhwNFZnYnhzOXBrTmQ5NlNhUThsbjA4ZENnCjRWVXpzb1lZcjNQeUVoY0lkZTRj + bVU1S2thNzg4T2UyaGFqdDlvLzRJVFEKLS0tIFBIMEIvaWtPU08vR1crSGxUSklx + Ujh3bDFVdktOOVdvbVNrRGEvM0ZiczgKDAvWbY515jRhcWEkZrNNmtBsSwchclVz + FvnQB3G8ZIxJliJCkOHrFokvRskCHt9KJNZogqPtGF9a5OWcKkWgNQ== -----END AGE ENCRYPTED FILE----- - recipient: age1a27euccw8j23wec76ls8vmzp7mntfcn4v8tkyegmg8alzfhk3suqwm6vgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWnlvR1BmUlRkcXhHbklZ - d2pzRkxxZTVtOGl4YjdGOTQxbEFnRUVGdG1rCkFQMHE1VTdIR3FPeWdlSHRKRGtl - Tk9FeHNuQ1ZIRWRFN29EVWh1ZjE2RDAKLS0tIGQrWnJWcjUyZFkwQmdZazBTQmR5 - 
cWZ1N1NHVEVqMlc5MExyZThKYTdNc28KEaFjX16Bf0MZsmMTLytDnJFPICeu808r - t53faoADnTdhYKhKQYB1Fgk7h3DBvxM36VDw6v3oC0f6B0yEx7a3hQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdkpuODFJZ2xPT3NOT3ZP + MmVuSkx1UmdwWVBEZzJQOUNodUpvUlJrSlNnCjJBT1AyNzZmNC9sZytNaGpEOUZT + Tmx3VkdRVGNHOGJkZzgrZmFmRFFFY3cKLS0tIDZONHQ3SUh1bXM0LytmYUVZSmRZ + VmEzUkRqdnUvc0s3SmRNcmpZRndvVUUKHRo25oFVNtzJlTqkQ03znzH+Ce8j2rgO + Bt/HQ2tJC/0PL67zjCr4oyxWs2RfSuswM6pGh3TXmSkUawzzyMAPTA== -----END AGE ENCRYPTED FILE----- - recipient: age133wy6sxhgx3kkwxecra6xf9ey2uhnvtjpgwawwfmpvz0jpd0s5dqe385u3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVGpwdUVSbVRiVkdBREVX - ODl6bzlVNHRkTzk2UXMwNVp3K3A3V0hmdVRBCjlJenlmNDZEU2ZzMUpVYmpFdllR - NlNxaU1YYzNZdEVzdzJLTEVMWlloZUEKLS0tIDl0VnAzZUF3QWF3WXpFTjEvY3RP - T2J0Kys3WmJRZU1jRk1kUnZud3B3MlEKhgLTCcfyxOBL8X6JPlcuy+CcOlx09VP7 - AZhfb8lf5JXe/4WqAMOh6s7ZrTM5JFBr8U5GQFo+syIIJeixn5SRBw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd3dwQ290Q3JCclBPbS9X + S1pnNVU5YlJjZkkzTEtuWWhlcmh6cEtMZmd3Cis2MW5henJ0dWZwNnpTcy9ia3Uz + QThPMlpBN0lkZVI3d1RqQ1pGeDkwTVkKLS0tIElGYWR6QXdkTS91cGRQVUZPZWVE + aXNhWGFQWncybG5ycTF3bGUxUEdRYlEKXMlP+iC1L+lCeFB9rnyDE6tKMNiqFAQQ + lvQKLGvZVRMk7RNR/OWb2IsZNtK3yGAgqjGpb8UwZKjUwYwgBzkklQ== -----END AGE ENCRYPTED FILE----- - recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2NFWkdaMVFTcUxOZWl3 - Z1hsK1ZvbFRjQ0swbVZlQkIvNW9LU2pZdVgwCkJHcUpTYjMyZy9qKzdIbzExcVRj - V0UrWG5yaUF1cTJnK2RDT0E3aXRkK0UKLS0tIGRqTzBsbHdBdGlMTWt2NzNOVDBp - U1NVMzBIL3ZBUUFHLytGQXk3M01UK00KZBW1DUeDpN5sstZ1LuqcpxsQcjdUJe5L - 5HS4O5h0D+/p8/aOW5NPoIf0A6f4/CLVm4o287GHsxkTXeH1sDr2Ng== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0enhNVHF0eHZkTlB3bTZN + ZWJaVDc5TUkrSHFFTnJ0UE9hTEg0Tkt0OVNFClFCNTlsTUJlQ1MySkdFa2o0WGRB + VWUzbkxFTkxQMVBqTXJtNEVCb2ZPYW8KLS0tIDR6ZXdoOWNwbjdNcmtxS2FBd1Zx + 
dWVLVUlZWEh0UWRXTlhYV3ZTT01ZQXcKz/ughevubxHCk315eL6WV0JETo4tblck + t2b4h0kcDpFO6aPCHBSX69QOLJpBCBnKI8ZBlxgTdTDLFlScG/8HRw== -----END AGE ENCRYPTED FILE----- - recipient: age1sqs05anv4acculyap35e6vehdxw3g6ycwnvh6hsuv8u33re984zsnqfvqv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFVkbjFMY25pWHpPZEMy - Z0xsOW5NZ0cxZC9UR2RCMTBaTlNkRjJuU1dnCnRhVU9iL1lsUWpCTzdKS1RiYnMw - TWhjS29jOGNwQXU1Q0NmdjkwOHNRUFUKLS0tIFJnajRUMk9pTDVDdFI5Szd4RkV6 - TnNkK1RVZnFaRGVmaFRwMnlmd3lUbEEK+CKPUsutEpo5/bHyXM7tMUUM4hka1hCV - oto6VkOSVoYnwHNzXSAei+jkfvT8dED7fUQKkZeqN3c4bUrha42BUg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MGlobGt4MG5YbXhYVWM5 + SDlraHdnR0srZDF2T1FicVFGR3IvNzBhMkVFCm9Nc1JnZ2toOGUzbDZ6cTRTajc3 + SVk0U2JlSStWQXFYY3htOTh2Uy80aDQKLS0tIHRkRkNwb1Q5dTZ5cDVoVXIwcmVi + MXBDdzdWZi84OXRRMUt2Mnh5QStLZWcKR/1GROkmyQWyY2GcZGplX8vYqHoeqvvX + ioWRF+QaK3GpgHOaSFybFt3r8wfeILbQ7zMs9qMARTg0kVMVvE/8pA== -----END AGE ENCRYPTED FILE----- - recipient: age18qam683rva3ee3wgue7r0ey4ws4jttz4a4dpe3q8kq8lmrp97ezq2cns8d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2JBTXFaWEFmNU1PVkgz - Uk0xeWJqMkpVOW1QU05Qc3hSeFM2eHVjc2tZCjB3bjZ2ZUZFTHIxSmZUb1V6THpW - dHFXZUM3a0ZKcEZSRklqUk5jWGJkaU0KLS0tIEVxUlREKzdCMEdvZG12UlhxUW1p - TTVGVllybHUvZkhMT0x5Ty8vb3AzMG8KfuZW6Yj21NHAvfaVs2HedYgGWxUDXWiP - aZTbarB/2UzYEacoEO7CMLHDS53X15plRPbzYRWhnRkb9WkDQ/0pOw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGV1VTA3R0FsMkdKYWo5 + K0VFK3VFR3Z5bmdmS2QzR0hRTWRvOEFEclgwCm9MQUZQSjZqVXJVQ3FoUTMzWjU4 + Q0luVDE0RUhUNmZGSlZXYWEwNHprS2cKLS0tIHBRQnZibGkrUmU3OHNHVjcvelVF + UEtad0g0T1JZRFYxUnpiblNIV0VybE0KVCw68UXleN43Qi/MSFpyGjrbwZS/EtWw + tbfZMPLalJ52pv4cxT4nrPfipoUyX7tHxEEd2f1SDzt5RUk0TO7ojA== -----END AGE ENCRYPTED FILE----- - recipient: age19rg2cuj9smv8nzxmr03azfqe69edhep53dep6kvh83paf08zv58sntm0fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaU1FN2JEblVsK3hRNXVO - 
WnBISWgyYno1ZnNqeUtHV0tkcERrdzRhc3dvCmlEQXFrbmVibTVmOVQxVWFiaTdn - WUhyVjFvdHduNXpraHVldzNnLzVjYmMKLS0tIEJjODh2TGg3OUlodk1IWnltNGR5 - SG1TS3l2clZOVkhyTW1INjZNc1E5V1EKCJo7uU1XbW4Z6i5ux2t323Um5TDTwTl+ - mMirFUiosu62vTfd+nC3TwRyM1XwlpI54EEU27jTHMlF8oSgXeLumQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QXVVSlZ2QXA5NWN6Zllh + REQ3UE05eWkrUHdyL3FRUHJMTkE3QWtwbENnClBGdnFhT3NzWEJKM0YzT3RpS2FY + cnNaczRIRUEzSDgxejNjbTdoaERiRkEKLS0tIEdOOHdISkF0YnNpcFNKekVLYWVN + allIenQ4OFoyaEdCK1YrM0tpM0FHRjAKwrOJS9RGCHS7lcPX+eufZnEjaIvO3f73 + RWThSP0d2iy/vul18hdLF8PqKE2Hy0j6lvs9qhvwI1EQa53zHAWRDg== -----END AGE ENCRYPTED FILE----- - recipient: age16znyzvquuy8467gg27mdwdt8k6kcu3fjrvfm6gnl4nmqp8tuvqaspqgcet enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUpzVlhFc2k3U3ZlT2JK - U3N4L0FGZE1iWGRwN0tvNEtwd3VXYTV6N1ZZCmVnYUNpY2poazVibnpQRlZ1MXFN - SmtURDFLSmJmM0pHdytjVFM0c3B3eTgKLS0tIEZidTZmS1dpZ1VFRkFpc09EaWxZ - cUVIQmVDLysrQ3pMcFIvZ0NCWExJa3cKdwTrVM7aXAi4bBHfXCWllbZIa2c4IbRW - FNS1L6tP1mop2y9d0CgmVBiBFQdNAg8yVJRPWs25W9WVFHBDuB+X8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYmNHaUcvMitRcklkbkU3 + VDRyQnhhak82d2I4MnRKMk1qdTU3bDRzdlUwCnBzSEJHZmRTazZ3Rktmc2FKaXJC + cnJiMU9oUW03Q3dlbGtTZWNtZXZqZk0KLS0tIHVTNU1QU2dRQ3JMclhqQjN1VjBK + dHgrU2EyT0FHUng2L0R6dFFZSU1kU1UK2x72pMCRGCz/cyekHrTY/vXhxACPGjYn + PxEXKoi70Dq9ox3ggknmE6JLZqMvFoudLoE2GAzvimFomYWb4e3NmQ== -----END AGE ENCRYPTED FILE----- - recipient: age1azkgwrcwqhc6flj7gturptpl2uvay6pd94cam4t6yuk2n4wlnsqsj38hca enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMmR1TnRFVnlnV0t0N21P - Uk1QM2dnbEFTb2lJcUZDeW1sTDQxT3F2Q1FJCmJzdEFCQ1ZBeS9QWEZJcmJuVTJi - eEpIZUk3YmhKeFlwcE0rK0k3MUx5S3MKLS0tIEdoU2dXRitXeGlsQ1NXT1FqdmhE - R1MwNU16K25zdytaMXFQNnhYQVZTSzAKmVjQRe0SKfwh/JoSGGihkjr0Lvx1uVnJ - szOHESy/rEKiXUKVSMkBINAh2SUYIwrB4xM38Y+ZKkkXDDtZWLHulg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMVhJOFh6TTg5RFkybnBy + 
T3ozZ2MvZ2lCVFBvWW1jRElmNFBIUU05MkdjCnZZR0FjUUJlQXR1bnBGU3NPc2t2 + a3hKVzJZbzNWMkd3dENMUzQ3bk14YTQKLS0tIG5kSEdYS3dLcXdlOXBmWTVzNDFt + ekdmK0Zid3A0aUNHUHhmeHp2NHFZMlEKb6116XqAHYMl7P4RFRcz0IlZfx1/buby + V8y9TiECFZfWhuY3XaES99wjPw06nGszn/U29C1XtZZ0pc5Soc3dxw== -----END AGE ENCRYPTED FILE----- - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1I5cnJ6NDhvNDFsM2kx - aHEwdmJSc3ZQcGc5OXJOMVB0L1JFSlpiUGxFCmtNbW1NUVpEQVdLTkNOd0daMDEx - ZTdGVlB1T0M4K0t2VHZYSzBNNUJLVUEKLS0tIDMrVEE1Q3IxaHNTUHNTcGo4UTFX - WGo2TVdLS1F5RHNVTWgxbzdZSGV3Z0EKkOZfXMbUeJG62xn0SvqjtCKIkZDIzc7O - qSTGJYgl02Edp8smm4x1L9QF2CQYF93ZIjn4q12CyJy2ojBgxNTZNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMVZWQlRZVnY2ZnZweW0x + VmswdHpRUjVrNytaS2lZNHdsYXM3WHVCVGlNCmJ0ME9LYjFWTkVrZ1QwOHdtempG + dEJ4NGpPcHZabGxJdFJNNStxTm9nREEKLS0tIFB5NkZnZTZjL29YRlZVZEJJOHNu + ejRmc0V5RzVwY3BtVGpIY3lqVGt3SGMKvSFU/FZw3CeOrkbVKqz9Nsfmw/DU/obE + 6bIs15L7m9hOzqj8PeQYv09NO83WCfYj4cjh+Jsdtlvtz8Fz7yt2eA== -----END AGE ENCRYPTED FILE----- - recipient: age1wnympe3x8ce8hk87cymmt6wvccs4aes5rhhs44hq0s529v5z4g5sfyphwx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZWZmTDRYYUloL3I1QkZ1 - dnIyRVJSV2ZoaERCc1Z2Z21VYkkxb0F5SURNCmlFcjlPM1VibjQ0TkFNdEhqL0l5 - eDlHOHdlTnMyb2JPUlMxRlZqTkhWNzAKLS0tIHI0cytiaXVpK2FqcW1XOVpneTR5 - VDI2WFhud0hpRDRMTTlwMHV2T3RSekUKKi52AcUoATCmUo/+FIVeEEh0sTCjIGy+ - gl/Ud0Nmuarz5T2HqGxJDBoH2MSfjpwhTkW2z0JW5Dah6MRtNetHZg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUVhSY2JnZUFjS1lySGlC + MUdVdTF1S2xLdDlVODk3Qm1FZ0RxQTdkQ3pnCmFPYVg1dDN0amtoOUdKQWFRNVJS + ZkhCM3VFbUc5RHJHS1ZJbit1N05OLzgKLS0tIEhCMmRFN3hLNDFlTkpzUWYvR2R3 + Y0RZSHZrbnJ1SEc3aCszeG5tTkNvNlEK4pUz8bk/tDKYIxu6dCG/DTk8OtTTYJaL + qKNNZ1COhPtVTCHaIbRSPWu8MqFy9+9nf7Hoc9fEE8aM+Yohs4sySw== -----END AGE ENCRYPTED FILE----- - recipient: age172pk7lyc6p4ewy0f2h6pau5d5sz6z8cq66hm4u4tpzx3an496a2sljx7x5 enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWdMQXMvUHI3YVNqa3hn - QTF1V3lDZHB0ekVIcUVURUFGeURWaE92U0dVCjl5WnQ4Q0hGWGVhSnVqSXdIM3Qr - eTBWcW9MRDdsZzY0S1puTmt6bk5BVDAKLS0tIDlNaHF4VUt0YzMrVEtIaXhtMkh0 - d1BJZHNOakIrejNHWXBkT2JnMDE2TlEKgFgEPOc7lgUvi/gBJi4qX8mJQQ0Lb+0J - oKgia+lWN+f0dMoQApxtH0R1vvrQB1CyKmYRgvYfEv1z2yibftxFJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUERGWmwvRW5tQzJleExq + VXhmQ0dkMFJuWEwzbHlGMTNudE9UbUwrNEc0CmdMK0hCb0h3NjRuSVZRNEFwYlVl + L3VnTnpad2tJL0dCamVrT082ZmUxWUEKLS0tIGJFbG5ZU0Q2b0xQNFNjT3NBTE9I + Z2MwSm95Vy9XUDkrWDZMZUEvY3VHcDQKJanzV+qzgfuBpNzHLl2DS1GvXLV+UEKa + wD/2s/EkL4RR4F9mV/9+1vwFTNw6Lc8T8ezzxl3/Iu+VpziFgx8ypg== -----END AGE ENCRYPTED FILE----- - recipient: age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWDBLRXVXUVVQNkZzVDZp - cjNaNzNseUxFZ3JDTkF3RjZ2Q0FnN09Ub0Y4CkpsaHl4VGtCRDBiaTc5cDErcUM3 - eXYyK0tGdFVhblo0eUhHVkJWbERVakUKLS0tIHpmektqRjBHZDdDd0hEbWYvWnFr - S3BoWW9QYytMZ3RJSld2R0h0dXlZeEUKcifFwdLTAse4HxN48X/iErdi3evc/Hbt - dRgCkzWjb0Qc1DEPLm9MLHZqugcm1y0XStdWHCMIwXuh2fcoDUv0mQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVXdkSHNOSHZmZ3pLWC9B + emc2S0NpenVZSW5GMWZha2ovS1VsbGs5OGhBCmZIWDBDaGVYMDhHRDR0bFgzbDN1 + MlBnOW43Ky9PV0VwZ3VlekJPa2xwMTAKLS0tIGNEVUVkbWIwVmFzaS9vdGhPU2s4 + a09LaU05VnVBa3ZGcUNMdFFZRXdaYkkKp1TYQXMSlZoGWgfSK9s4WXFu9xG7VFXP + 3O+FYTXTRTVVnZCPE5V0P0/v3H/BRgdbM2yuIiXTtmz69J8DNjFaNA== -----END AGE ENCRYPTED FILE----- - recipient: age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWGpORGVrclo5N2ZTSUxE - WFBYUVRjRlFyVFFXTFIwUDJNR04zYXgwSnprCitVT0JidGp1OEdXdm16WGY5am9R - djkxckJEUFpzbHNNZnhqb20rbzBTZEUKLS0tIFpheWIrMkpWalJNS3ZJMVhVNGJC - dzFuYXBGMTNRVHRrb2wxTlMyZ0FJWGMKnEtMyof3DN+9rIWRCYn4y0SLpIJbDEbN - iXmjwiEtlPIKZjQ34r54g1tsJd5b4fulRFYd6lqTzxtjYYFXDa76BQ== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUJ3cTNUZGp6Q29wTEgx + UjQ1RU1uSHREVEhwZGtmbUV0azJEQmtGbG1jCkQxbGZhSmRXTE1uUURaSUhZTlNF + U2loMmR5ZExXS2Y4eTBybGFsNFp0WGsKLS0tIHJjRDhDelB5N1BvbHFydW84ak1Z + YndpUERJbDJSZlBLQWdnVXpUU3dLdUEKQYddtnDd4U7bkjBeMnCQuYVddCCApnzQ + L/LgjBXfUav5ipWWUjW/loZJiHBsxrG5NkCYEyf72WMyDusd8mCN+A== -----END AGE ENCRYPTED FILE----- - recipient: age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWkw2NmJjdzdPbnBhNURh - SFRBTVhUanpvdFVNLzFWak52bWVJZnV1NHlzCk1SQzA4M3YwZHZIOG82d2lCUE4x - dDVWMUNuTW8xdVlkRG5RSnVJUFI2Z0UKLS0tIE9nOXA0LzgrenJKQ21xZ0o2M2hr - R3puc1ZOVFJ5Sm5qTks5M0JTbW9yZkkKv20552DPjujiVyr4a4KvTUN4pW8Sh7zA - Yxh4nx5mXAwfL4JxIwbvggy4AE3kbc2P3P9qUrRjQ4Iha2X11+fSCA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOei9SYzNGMjAyUVJGYlJy + QlFBVnV0cDN1TmI4VEt3aGNtbWtvZHJFcXg0CkltM1V4UVp1THFrZEswOEZUUTJy + WVVPUDU2emNabFBDek9jMkhScUh4cjQKLS0tIGgrSytmcTZkbTJuUVE3Snp2RERn + SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn + mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA== -----END AGE ENCRYPTED FILE----- - - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0hYeG5hTWxtVFlTaUpY - V3lOMUJUNDZxRUhtMnFjK2IyTW9NZ3ZvNTBVCmVHVnFQTGMyd2JIZjZYSmtjZnZ1 - THBMZW55RTZSR2IrSVd1NWppR0k5UFUKLS0tIEkxRlBsWHFxTlQ2S0xUQ293cHlU - ZUhwMUJCVmgyZmlVbDRtV2YxUW95Q2sK8JtVLO86dkYtrxMzXY3mj+S19+S2jIzV - MjAkijrdhz9XyEPNsZo38liiO0vwXUVpzmX9xcTTArzWvs/LHYDzQQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRXpCQUJxZ1JBWnZkZHRM - ejdtdkdqMzNMY1BvOWVuVlZuOXR5YS9UeFMwCjhtYTIyMnhBVm1CT25mRytkdm04 - ZWg5TGllazVDZEpXNHQvZzUwclFEbTgKLS0tIGxDSDhJcVMvUlg3VkV6YTE2SE4v - 
QnBqalBlY2FqY3lsWEF4elVzamp5elkKaVNJrQ4wNJt0FrQ8PMz0R9VAhk4zIAri - QTojz+1HuRMZyDr5wmXz2Jg39yZsBsm4ZmaXSEGw5y/XHeg0ud0DAg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-25T18:06:26Z" - mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str] + lastmodified: "2025-10-13T23:45:06Z" + mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str] pgp: - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//SuDQLIlXIx+E1BfvxQFL4c8TmxEWat2nXHE5CHyuQ9bH - esOqdKYtnBMP1iRwQzAi9jVnNUtctCurMK5Lwr093BRHDLhpWqBErBz8FuoTFXGE - 7WP8ylzno9OUjhhsg9sTrUAxghzU7r3Nr5alypnE3KsEprtEiAKqqqWhaGyMCK+G - v3shSx4XmB/MItuHM0BRI80M0uqRn5aQME0KpgTTD5/wsH6NKcPHEiNJTqc2I8K/ - 0dfqa9Hr0WcxooX+UwH/owfzHEkTFWP/3SHqz16osLzO9KOsqw3M4QIoeZwBpAOf - +aICTHV3nsbClQ8hQ0XI6xrOqwXYo7SXtx4uNVJdqBO5zfhSGx1yI2OAY258XQ+d - As9k4e/oHkzs72qOwCRa2OShDWA0oEWIJ1DZY85yaTyl3qMZJuOweR7lg3eXzITI - y4uYAWDfJBXdAOnFgkxQBgb5KSfm3GXQh4Gtu+yfoYqaAibjyJleOPIJFMcwb0yb - Y0gr5NflTZooJy2zMZg0u1Ndhike/BdMRQMiTZf8HXk3iiyNXCYTCqnIZRfzZGdy - C9Fur0KAOM1h8x6dqXGctMhy1sOmbI6LRyz5feejtE55qHIn9fkyR5wDObsIeiZd - OuT6josorB43aotD/XSDwGU8ZeYrUZ9zlwszGASHoji/kI1yXRMCPuNVax86v1HU - ZgEJAhAWCZPbbgU8qPifr7naCkxmR2TxtkOJ3Pq/JOeqxMqXXjdGa86A/+1baGdc - 3z3ygenp34mYIGi4vSCqz7rApU8PHdlpCw2N94buR9/OFN1wHiIoYtVfT79mJsoK - yKswIQ1CXQ== - =yexT + hQIMAxK/JaB2/SdtAQ//QVwiv+sO4ibaxO8UMPFnMnLuNfaTJ+Nry109XkTwLkvp + +6I2TW9nAhL+M6cWBcWTJIm8Q9/EAKu0jFrmsmlJg1g7am2DcARoyDTXA2W7RM8x + 
kSshBHJxCjQn15cwWpMcGboKJDnn5uGqfdf1rbFLiJxWlFlIstO8Bia9YF2qSYXe + z/w5PQot7GDKa9AFC77I/I0k6hJduVX3jC88N0GZZO7oz017yit24QyOwTSaQtmO + J0NgoyC6uN50buRJ6cXbONwU1rOGYvMBc+I7mZrEBho8RbQObkNy8ndQpDbpMqSy + /FVECVfhAo1KOGsTSS/i8z+maBcFNnia2+hbOZTpq1gCJ7sgE/pJG9CKWltD8U0G + DkgO086x2xuuXGAksJpeiRelbjM4C3ScvFuQu0p+pbsG+0f2pNnkCm3Fi9zFYpqo + xzlOKxwwcBRpy76jWIQbVRodnaN8thinT/ySIfuIisfn8TgM6O0IA83jJEMy/CBc + QGwWiLFWOED864OOV4kFTBO2rGAi0rLPBoAfWPCpP/z5vpRHICCg35i+Y/Mg9tDJ + ToFbH/Q8ZpWaN3kM2J6wNKY58/AoVutODbJkC3ZydLA+m++fKsD122Sk4er335Ev + MH2txLTAcBXq6CAUTIYvEb1vSurIxh4vbgC1lN/Sg/b1p5IWKYmOx3onq0kUa7PS + XgFmbb6fq6VVS8GOD4bMCDheVGAwYG1z/1utYoiLcuyp3YKAWtwGB3WdawglzRWt + ceLfKBRuHl+CnMyMjdTNcRq9ATpupHPniCaoYMRpNy7GuLGHXgRybqxnqSySj0E= + =68mZ -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA6EyPtWBEI+2AQ/8CBUEfUOkvYlMChlGuHKv4CzbEqUrr0aKDbECK/8qGyqE - UQeZPMnVvwFL/l5lU1dky2PIqFDebd274h19CfLIcBGZZPwzg/XNJcYcEqeTN640 - H2ze2Uz/tA79BSfo9Z+W0NfAnzsOZ+I0pPCIqSN1tmMNCNy/m4SxEc8wye5FdV6e - YLu0dTatwMG6jsK/PYYoAapNO1CRUDvQHHF8jsAmYlL6eYoYbuikrp5JEyk7Jcmc - 5OyW49fTAaxmFYF6hjLnORI/WqdF9nTztfFAoH5eU+uzd3Exmunzw+hsZXdbDTWb - 6YJ7uqwVTxziKwpB7lOxca1B/axYyvLYHNoV6A3Eu9/0ceUcjjLwtcBBAn43UAd6 - eEwNr3RJ3LY3G6o1QD6tYPXNhY7J8vxb/MKGo7SzB5+Z3TItd1wUlnHDY7kfUtW0 - hk1R8gug6mV4YEQtgPW3CPOGPsquN6zvxuRPcVqkNyN8+H3q3n0hg8i0xVr3ZyHB - G6pSNoQLaJ+x0oFhIgzy3Ndf6AH8MNxzh8Se5gLIhKQCN41wm1ZTguOgcklKdAAX - s0QlHXGsJLtev3HeZOfuR6D87rN9HNAaGqPxuKuoZWQBcxzOnsXSGsjJLJUN5bpt - RSy2UPlsV2iP9cE2/PTx7cQ3HWHIAjNNz65aJQQnfEM6uog85JRGoY8x6rns6xvS - XAHHUsw6hc0xHxgBE8nkVJfU+ynqtk27n+A9h/EaAFvuyHE00yRPM2cJwcSapOuI - gXSLjIoiRfbVNxFCgTFEA4KN6B/eqmOyiEoUhEhHXmwzb65bMB7puGbb7jET - =e4QR + hQIMA6EyPtWBEI+2ARAAgWVVIYSzPJeeRYdO7SHudkxO1miNVhEaTa6ArJXhvj9X + f7Onb+kPRJ2H45O06+k4QUBN//Jl2wsAayHGvGKb9NmlO1wT8cd8yAe4AllebcTA + 
FGBhWpgD1f8RNyhU6s9YQEmUMFFuze3Frkf5pF36KmSO9Kb0yXNgQebURbUKIwt7 + W6KVBdlh9+y/8liH78X+QXFMneb8RA50mFvkSp4NxPyHGLV/S74jKaMv28q70ukC + 3ExtiLu22ACzA3jdn+BGTh/0bp/WRRYEt1TBmt3HFnVcKDkdgxOub2cwYug6YeYt + dvA61xnK0mmkt39WfR3wFtmrnMQywJn0r9cRZZwdjfuuKzWmkDGKoaiX4oXcq8hl + GJsljraNnRdSZsYCWKeQwM9VnQdTumZZpeyzH99AgbPanNEocLNG3s3WB1MOTBMC + SdktojCvHSKg2HBykxApLY1wUOLiYdVGNuTjNyTg8lo8IlNgeEEIa/8MxtPN1U57 + GDPXDvE9oJy3SvP7Tf0j4KVC7B30UYhb/jwqsG2wzjGKw3JMYucDX2JjgoTEXFxj + YqGDr+4/Vfd8bEadcQ8XJnoeCr/cUykflqO7EJnXt7kigQ8P5Jo+Vwu7oRFFlxRW + H9YZV0dOeVi3ux5Tw8ft5BRtYym7k0GP5ypQFzSSTeTTUa6QnZMWPssHMHQ+8xbS + XgEARDjMMwp6cl8adFfGJnuQmTC8pGCzOPLEhPY00t3Paz/WYvEwhioS6Lz2IsrF + QMgw8d2RrOZPJAAv9wq2ztTKk07aFxrQ8WYT9gscYPEgIpPmMUFR4nJ/fzSeiZ0= + =1N3o -----END PGP MESSAGE----- fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJARAAw43j5wveIlxO0Pi4ayjy6RxnIvB1cy4A3X3rIdbL0TVI - lBJfO4ErBitBtWy4F5MQDL5UmKnSvamG0G3Uo1z/PzAob2Fyb8nBM0P/jOcWB8KP - Lzv0IM2cQ308HrYsUSpxRBAApc1JWX7PAZgRBhvvm7KW3vLFOgm+aMEHAjLYxFNN - zlrWFhe8kLNZFMHr8GnWv4XhwHgicaXfP+hJQs4gHnKsZ1je3dhurgHRdu0PBu8b - QUHd+PB8S3dt4dacHGlMdqRRl61jj+ufYqQAVgPfj3m5bvDanJqQNXQubFDMW6kp - j6U/rYY0GwZ+r2xFHBr10zbx4TR+bxMQMqJ/YA+PZGVT7Y1S2rwLLdmMg66ENKQn - Hbk/rMibXTUab/uc17STBsOAdLam313WpTaa7kfqFZhqaiTARlmULtdPWyRBvOvi - PB+NrFI7hboakG8kOaiitdfD/NUanz/p1RKGBPkpL7GZE6B63SHxTKtLm/A141nI - 9cPNeXNZWhkSZv/2akQ9ea91yBMeIuiydFJnBuZR6ygqvC+ShhAUV5Ag7h8AAlTi - 2gDoZZvGqsXjRO7FtR82SSaWk+buzVbDtLRdzHiPPgIaDkLtVfXabqEhw2bqaP8/ - UeH2gZW6MPuO4AWYRgpvQX0XOYJqA2RNsxO83HF3EjvvbUeJhz84iC+OD790ElPS - XAHizPVvoinf9dfxckUvFm1RUA5V7xwlHUh2a0Zj4mBkxFAJqGzOINAkg6UAV4sh - K9zPafVtVO/SiBdnR8JApH+rb7kXwal/jAOHJYjPtz2JRGeCrFz8YJR9lkaa - =jeRO + hQIMAz5uSgHG2iMJARAAl+0vmB2+PBg2aAZHZ1Fa9r/4zByhvLrjZ+5yWWcyf7fS + T/1Q2VbnDFvUwsEdbDs2RJYVejGxs5cyIge2ptn/9rnp1aMTu+FG1uQrY3lhGP6L + 
vpyDZWa2e1+bapttkrBBe79TZGZ4ABv+FCqHqWiH2HJ3V6ELXaooNhTrtlURCDqT + Cqgs8gH1qdVgISI9kvsxS8uGa58assuM/WW2+jATIoxBzUG9iHTugr75HWJw8xb7 + R4Xbtfpev5exXicbbAvO8b3scnBU3Y1OUERo7xPxxskVSCu8q2gDtyeckOY9SN0i + V4sr+bUBfvPChlfoIq9kifZPo4Pv2yP8EhH6D5pVRqO/aiBYr9l0XtxDaHB+d1Dj + Q2f7azUuM5MDRotUM8mhn09hd61haag4R6dVAOq3mL9rxXLj8sdHS4A4ufkjn+dc + PI/Q93gL+sFy9N0wgCvHZEhY1QoKssSBCu03q2ZVlLFuYfcXWEIQU3XpbzyCmAA6 + VkCvwXEA8xRs2ClrBpMOj7wRKzYoS3ATc3nFx0XL5pL74rUE68yiRlsZLccRB+9/ + nJSY72QzR9FFUhFFv0/DxUFs4OVCUzLwQVVUT+Wi8EZen0aY4zFG1u59F6E03Pre + wC9TIxDCR5MY6/SGgYPep5qheeYVdXw7a0TQWrwXpaTPSj7tm2FFQES5DRkVNN3S + XgEMoELXGpBjzixYKSsQ0/yT5qX9v7vjrZ/a3EuXtkdh7MAfMbRV+YDl2hlN9IJM + vpAo/V/vH1AyWqBL0oQ00xZzNvxi4RiPk0KPZg2zH1C4aokELI7i8D4Dz3L83Tc= + =LofD -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAw5vwmoEJHQ1ARAAuuTaQOJdkhaTei934YczQbjX1g7cX4yWuxS4BHQ0+Jw+ - MtZnUUYcjVY4hErlm+w9/iwr/ua6lvsTigHHy8IKiz7F/xuG3qAoQwIR4+bNP730 - En1EYlczxFw4Xaa2WIayaRy4M34W5zvdDuUwN5SW0XDahcmmut/9WGRmz0K8chGp - 8opG1KldRY4ynOgXcB00x8w2NnQ5kjisyk+zjtTNas1E9c4m2MJlvrGHy4ffVg9X - ID9/66wXr3nimAlaYvHmVW75hd2+MfWyqtrLccThPrB2aNPs2mN1xH2TODX4gEP6 - pFHyyrAsjK9zP7M195pXw+WE3QnBPgbW2/zmCbPHwPGgP6ljLsDjo1SDXWsxZ6vt - 88bCECCJCrurkP00HJdnbXd+dXddNMXfYLT15aQvta1nYPp8UmVahCN/QyaNthkN - rclV1jmr0sEtG44p4R0SV3yIsATCnFGmr/4pbI/r+aEakIVIPEK6GM/69o/6kW8b - 7KGEc4riDefZn93jNEGmC4oqotSPLaLlaNg86gWazRrMUBu9hJ2QFpeqSX5Vl5uG - XnIokcaWjZmDgZgDOFa5inQBDfT/7wTJ7mGnLpt6Lnibnp/ATvIYBEI4zakHAJpz - 0qWN89fpS4senq2bZJ2WZYfpLvHpspchxMhmNfjalQaEVdqPfEqQCImJv4h7VlfS - XAFGcZB2DSkd1fIxKcOB6XMDEbxGfBAVZq+k7Qw1oBdCa1Wi8uBoVS6QHLEUccbO - 01Ptf7jWdTYgujdxRvyYSYS9YY4z0nR2GmFzynCB/oCylEwmsBR2ie8J1Ew4 - =Gjvk + hQIMAw5vwmoEJHQ1AQ/+Pr/ATDoZJGDuIOTI2RgXFefWN0/iz3KeI8n/8F9/1vkY + 1G/Bs0X9NkuzT6A/oIjBDa3630DMMvfdbY5Gclqrdwobft9dqhP05naf7BujX2DY + 
oL2SbTnfB06NUPiSsZ9aE/2yyzvnZjAxRczXZCi9DmhBhaXicILiJpJMUReldGtB + zbGtRzMUojwXqc1Fi52mXvn8XVTgrD//jX1IOUnpXmaFKa7zJCHe7Qfl0P7LMCw/ + vTDAXSazVFqvgyASPPHgVFw9oFdJ9Na02ML4jynRnIIra9WoBe+9+aPoaNG5WePP + Lqxmaj3uz5Uh2S4Lr8Qr+n7swjPUlYkZKSRY0WDfhoi+aCC1ejtysZaAwH32+CQA + sbnh4m+/qnEiNZlgy2vS/6yQKMAQ6HnLkBfkXYTseI4egVw2X7byMFpmAlqo1pwl + kr4cKaYGYDBT7/fDDrB8AAdXUq+guABm+8UO4GHvvSCzWY+8ie2/wrTSB4O9rLnQ + WQABESou4c/w2hKordim25w1UWWPhiX6TdumBjtep/SPNMrVNShn8s+G8uh+eAwQ + blNH7H6EwHW1b7gvSmKrlczW5/TXsi5URl+cuel0C5/ckdWej+jIIbfCPd+D3BbH + pFkQWZR0vFpvUZcUfU5kSTUz8N6jh/nGvOuOKZ07645ZFAKHjxE1JqjhqcJEqDDS + XgFphkUBFPhmz2FJdIQvfkyl6/CCj+MUfNLsB1hZAd4GRxcBPFyLB1rAkB0kV1QY + RdIXX5ahmk6JmtkwJsO+m5aAWu0ft5xpsX3jJKqAyoVWcRO/3kER8b1K9IL57nA= + =I4Bv -----END PGP MESSAGE----- fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdAgd5EW7q2vIPAOqEzhHiEI5O0WzrC59UqNnagUK8u5T4w - e6e9sEaNfzsZE3Ep61sWLZkDDddE1RqF8riVaBRHjFzpj4mNptePNQCCDJSU8jYf - 0lwBJmRslhasFEdMhQjqJVWLyVeG+z45mcfkXT0VFkBWWs/RDchgiYQjXxi+tMXy - iIUKjmu2bb3Cr3KTEglA9P69aVkDtdDvol5LflkzlB925aDev6arSnqFuoZIcQ== - =xwmU + hF4DerEtaFuTeewSAQdA3oIk2sfUn8ZzJf8T1xFQ/gSWqIoOXZvpAf8R88A5+2ow + kM6YFiCCShgt2qGZi1k9xNxoRO1aRmSdEqdwMHAwpFRtEr+tOcE1pq0o1HQUzqqR + 0l4BUDcJXeyrY44ufOXKRVd9J9LuwSf0GHfvSzGxCfFGQVKAtRx69TUwyo25Xwdb + mN/mmVecb+atPqdB5uMSvsMC2Tw+F313Y+uvgjK6B54iK9wjTiudD1TvzrTeaOPY + =QmFT -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fAQ//bv/NiT6dblP4GWghe9w9O4u/cwF9rF5x35lNaXUesu5a - b7mz1DkK2xzAIPFXpp2EhX4iRj6cQmEIDN4IrknsiKD18tMA6pqv5/1RA4DrjAWm - hlURDAJy3Q3kA92pgDcCOhIJu5gKFMUVUL6xG8TeNOr48VCw5LgmnxZ/6PuTJ9hm - L0r+OnWfUKZGxKPev5/N6hIWCGKuCpZ44IyPVHU48CK8+yJWRwK2Fb8WAy775RVz - NhTxD+IqQuHZlXnYy/6WunlkEmuV/G4bUzByjG0Uun9J9COaaLC+8OFVVm3MMD/l 
- R7JbZlXigj80IHPGybB+FVNu8rUk3JbGo9tOux1H21CTdd0Hmi4YtritLKpt37tK - I8lYNCFgfWOTcllRFB582BomMSObeDjffG4tASqtZ7lFYAA1tHO3akM7iQGWnsxE - oES2Ibp/bP+tKCh9BnXKzHbSlIiv6g/4AIALRyyLskM/LH1FP6Xwc2wAsck/DfOK - ApQRNpkqn0dnGCb8ZIDeT1EWlc2ZSzkP+X3yy71wX0TBZOs26n6crIAjR3LUiHt9 - UzT09TAHk2Si3dSBcRr54Xitjg/f4lfKhQv9hV0tG1qFdITYjv6JFqihtBUEnNiT - BR5udNvLMKw5KOergEUl2EGPWlXDK9LsjI9vzWq9ZOS4cNWAR0zwTjC3LK7BNBLS - XAEBjZUJhvPKpa/f8oMGcZ18HP/m4M5MEKCrCbQkk+bYDy5zBjU3I3hqN2MpnGb6 - UMGEx2tgHxuksdjSaDb1nTNfsanTC5UgqFAfsn5QAiBxQmeXRnjFpj2a4pc0 - =R+3P + hQIMAxjNhCKPP69fAQ//QqFgN/hbCgpEB/KyJ+5uc8Nmi1FLWFBEPhnstvIlGx34 + rPkmO+mLxa39ikwNg2bAwFxDRdwFREj/5lcdEPaKMgyxNxngS4PSs7TtHroNvyXk + jEsNsyanhaajctcBJNSEcDWNFItTn2gLGmHOuribULXBdixI3sXCjrrDKceNs5YS + XUIw4SIl4NS2nCUQcFlMqVlKOiw5d5aNfPND0UzFI2CFGo1740F/G9wugOIzsLwP + C69o2JZDmsvs7rwgfWYbS5prxD0hHzXrjuHnONyPD9NdtIRVU0jDEPrcmxJfbj4D + nzkTqeEyNmcIGnVhCCM0ysk54e/VxI6Xl3upp8qgz21h0vBu88liJFeQo+uegNsa + ozLyvzsFSdbxbIzcqnXxMurWIoDZW59d0AsitmACez1PFHXmC4KEH28bxFNek0/u + hpxFiPRvr4hxPouCTSx1pP7HnDGUfJtNOu4BLigO9hjU2K628WBkZt95L4wprBIm + kgt/st3Bk96EC6bWLtn4n6Zb6l7+mdv+6qg1XBzbLFDxcu+L62qtd4j7BjI3ckGY + hO5tkGroSyRdOkqw9IJ7KoDyk90IE4Q0xy/XM5dqAXQz59sPhIOPBxje1FursyaV + RY7tZARigq/JEWwwTLlbOYPd3XGdbw6N5LfDZoXe2Lz+isHsxL2cAqJ+wgYgfb3S + XgEIk9UCAztF21PD6IC4E4OkK1ARhpwIGwdluazSGzYeTqKEB2g7N9iowAlp+bcG + aZ2DU/R6XYdU5jch6fiU0zz421Li5gngNwg3FOVdZzhdrSiWdjRUFCJEbituyvs= + =Msjh -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA1Hthzn+T1OoAQ//dfpU2ARKiqEam2TD2QF79ujIPoofrJXX+Rf9zwe9TBNC - rZCZLdWLECZzJcE1R/VHM1Np3AFPmze8FZ4onGBgI0Go2vwCrrYtBe6AomAlzXho - WXABvr56Eoe1ZmzDHZLPeGs6j2OfsQmq5UYDXOLEPZ6T32jA2f4dvI/k0UEFEbsb - Oi3gbmpQgiub4WDE8Czy2o9Jmcsxwq4NhmnGxx+ogXO3rS8jYQjaBG3P5mz8oA3R - P5zauE4sZ56WzT2z8rD6NPuNuMc5Dv8OMISQey+WfR9ysco7288v4qr2hMgJF+uc - 
uDQtH8ZFsRXwknyKFaph+KLkmvDBzSKoGiRtcaACzK1WWDbowN+KYcLsCf2WE76T - VJPWzZn0tjjyIWWaDLEqrKWuezXajMxW64zSjDje3oqIlJf41Sqr3yVtBI+Willn - m0iW883quAICS4ECaaY85+N5vwtaRntlYEGdYUm3k11Io4erEl1qw1fMplD0/E+P - I1jA790vOS9PDYzdK8nvGrEoGURW+Y3/q+fSKMBsfHATBCBSGRL6G/SHFvlDBLhK - ivJOOeQ2Hw4G7h0GGgQAEGk47EijL0j0+eEYDDvw8DQjVuUe9dWNr0K2qmBfm7p7 - 7ERZuLn2BPkk++h3IMTQL/OnaEgX+dIbGiekw5a26mVi3BB1t0Di8q6gtmThlTbS - XAHBzItP/jn8txvNRSHHZN5AvuU3TMyaEjFmhYf59x5vBa047U9WyTqGuwNj1IQR - oLJNQXb/qo4Lo1gd397zTecG2KDhHl/ael8SlZsaLkG5Lp/V7LGr9J2FX4Xe - =76+h + hQIMA1Hthzn+T1OoARAAlYlRUFLenIg5rQuMsq6Qd/3V1L+EomZcDTeVWUlvNBhJ + wdh58x2OqaXRbujPT7ekJY1xDg3S541yG+7al5eR3Sv4zcE5ZgNoM/rY/Ik4hnWr + 03+a/jIRQxoFeIVKAhAMcj9hxjBUCaQeNwvfYRrkWRC2fKAe9X26oTRlk0oEobMI + 5EZTi558D8ZVxIlK+LCBk5jGFepGkts0FlPjzH0+S43FLtFOqRVV5UGGahbUZ6aq + mF8ULy6+V0LxIqOaDYRwfUhX+BvPdCiBRf14yhkMIWKDpDa3lVuKWAzSF/CKk2z6 + lO12dlpI3+50zwEuG5hyei0UlMPV9rR7nLL4kG7cjIaJKCeXtbgt6Qf9Ml3uAF+t + xBjsQmnPstsBJZlj3cBlo+U6RKktkfeiU2Fg2OGUxf+iER6rBfGwBiPLME6RPiXc + 26RiEMMyIMqzgaM+2I0GL/cMEcsYj3OR/Q3q34EIFFTQXjz7dsWFjuRIELg3lxB2 + hNJfn8JnDYsP/yw7GMZM9TQCHOcLL2+vzh/GhIy6kBEeI6DSbnMR92REezSUclHi + g1292f8mDidAmb7aVFkMPnVkTFrriKiXDMO7Lh6qkIWmnGfcecsLONGif2olW9e4 + /PZb4d44UrHdG7FIn+iuTqWcwkIY0AuOZg0eDa6qi0pcePPG1IaGnF34R8amkYHS + XgFP1eurU9GajS2HDU5Ghd4KMFncCiibP5xA22inFdGwHK0Rc0JH5LbOwWugU/yC + 5a60wP3Sg7LIxYriI4a4kpmKpqE7+ZhfuqQ10wC3eCXmca5bkqIOFd91X7gfnFc= + =m//a -----END PGP MESSAGE----- fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqARAAhGXnruY2sbbMVeOpJKn0MfDowextWNPVlhRAcltNO6Pk - PUWbX3IOs2ardDbxPJ8QeVPG0QoLAVGwLqbfOulAvRXWoA/NSm+EpW96ofqTNA+P - CK9/ZHcef9wv4DK6kJ2Rkyu2rotToMYi9Hxpr7joOVIsI9ewb8s6SSa5S4qAAw/G - Y7mH8XMFqwZBKzmWP/9kXxACwas6vlx61s4F0cj0XCcAzmU9fKORydljrcc6hNI9 - MRRS7j63it0fckq2v7IBQDgJyuNsLvZD6bZ1P/rdZUUqjTSOIQyb5yT6am1T+DvY - 
0ClubdaXhEaQplSL2D0VUEqZmTY7Cmw0yiDBgmyhU5zqjc4MHlJ8S2gssGySWTRo - tR+yEFgemtuIiUVFTJN9Set40968hAlN4jYPOqxjC6U7oC6YLah8nXRJasEN3lEg - 9+fdaCAIQPfK6U/C4j8tEZ1sCXfxaZfaVGpHWrArcxN4L2nei2hT136yLkrIuo4j - vfDTBK77Rpwfc6bmg1Nf94ed7XWn9ZQgVvPKPANvvyhXmflE/wVxg2atofzCIe5i - 1IXX/YHn6MiixqaSbHnzCAaqVQuJKC3b/EO8b3GZJfCcBHZratAQVZq1emnaK0id - 35OwtOXKOagvk8YoIPY1vCVDvVrrT1RK2XGrRfnwoC2plg4cNws1aUhENEDt4NjS - XAE9IcqCFTz5RXO6A7/Q03Ge2GEXrXmI39CTT4gTzy6USEDUiniE7PRudm/2dY8c - ZA+AvTFrEdoGK1b/snAvw8dGTFv9lwQqkBr0JDqwD9SGQPIXD6CIUKioxQ78 - =KPcz + hQIMA46L6MuPqfJqARAAlOnbIDuRQI95foLsmVkTz3iBPoAGWP4T+BmwRXbBzchI + xnb2bVuSp2XS8ndofmqwPVfIA/XzQeS6+R1wE8z7IxBZEr25Oe+l/vnz/iIHfoMy + LpJYqP4dAMf/VLQ0h2X/WfN0QYkxbBEHj4vwR8NIjYxb1iygIcZuBEl28/ZqNAAs + 0CogIZpD057gX+SUdnL4HmpZJu1VcduOxEQq+4TBZELPw7yQ+obCtalncubnXGOh + COyjN4DkMeLNyZ5B8JKnsCCEzssn6/gI3nNzR8gTozvVdiPqmItix/lWgNZlxxnD + yxHtqs+RRxQrZxMBrVo7Z/2hNm15rT2XmpOYvs6eIKn0NILs46erKSFHi5Vbgu0f + rNshtzt8zwPsrGS2gyMauXBq4vB11hXMuOS1zgi9gA/mIzGbLLPl8JYVKjpZdRXj + BelPHOpEVEI+6Rk02+QuEGjN5XJnnLOshEt7Gg+be6APCpDsf9KhoxIPeG1e1MV0 + W5yfykmCC4E059Q7jJp7npNzAk8Xnk6zkScUT1zibXi+DYcaN3sSKqB7UgmjpqJ6 + vBn17pmhJYCa7CwlJif9abliw6mHt5qN8Xrg2064I3cPwJpzOSaTI/G+kl73Wn4Q + x4G2l2XTHAMnvAoL7I4r2F0I1MpmDiubj4BnKp3/C2YhICDOpsCE7e6ceuYI4HHS + XgHNkVi8iHF/02oV2nLDAfPASomsCTDQYRE6/dLbt4d38BaGJ6iIIcNMxGbUByMj + nAEWtH7+8crR42yJp/OxVPLlXLHKoDEd0IydLpFl9dnsaYAqdPYUqCQ8merJlPg= + =5z9a -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdAagtCn66tLHM3wXjb8nCEH8nh0g5pKSTzcx/re43tLCYw - IbatYjkYoqBofEDr0m4QHTyN7JAtq11Yk106M9zkktUHUPG0H/NG7TKOK65OC1U1 - 0lwBA0l+mdaX06nBkQE8xzXafXcJYJkTp0RvXrzZkXb6K0NBuQwcXO3A0xcJMIZ9 - A3tWaza1HnUdtlUj3vj/0ykrYaUywLL4rdVgu5FunOMbg0QQV8zy2Kn1dNh6Jg== - =wy66 + hF4DQrf1tCqiJxoSAQdATdhehHCg+P5ryd+GcDKRDMHgwv5c88CHXI+L/6meUSEw + 
EXNK49Y4NeLrDllZuDdS8Xd/U3BJtdw/Ef744lhv/CvSCEIBOVu0n7hsHZ6E+MQd + 0l4BFNDMgxj51IVlf/vNyWKHrcf3iYLLJdDL31sSHiRk/zTElaM2W3s2zujSOgiB + cveF2p4/0TZ1lt+kzSWPdKZ7gixngC1vKtb1uok7sAzStAM3wdvpBjvouti/yduQ + =Nvpr -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdAuK7fsRq3IfaTb8M+wFYeMoAGK7pbIPnuC/i9GAVmaHIw - 7iTd9Gh7qjZ4Z7BNvD9cH+MMoeKNYEI4iIgzyZBSwADiCwq+GOeeN752uTFzvysY - 0lYBs4Ny83rYbSQU5eaA0VNrc2blc9D+3gc0NB1czac9pUsJ6w4P6vb8TdtrzvlS - zAUSYYWaU2aX1dI8274dFmHmF9o+9/kPsJLSTqkLUFaV8cje170cVQ== - =4Es4 + hF4DzAGzViGx4qcSAQdAVM1+fV0H62T2slKovp8/rIF6CBYl28z6hbbAyixUQFYw + 0qeyMu6ujpCHiSx9xps+FHYONtfEcjxpZHPk4C9fP6h3D+l4xnfGtzVXo7t1budp + 0lgBJZCP7JuE7omAuo00L3hjTSaYpa6UWE8cZEbwkOGsm47m1xzMlEzSExBZ61wj + dKkSNVFLd7z/5SlKFgFJgbgwuAl7umjDVQjItyrqRNnhuPBUmZbYBEEJ + =Xu7e -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-27T08:41:15Z" + - created_at: "2025-10-20T19:03:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+ARAAypV2oZNd7o5dKeu+croXx4IgcbjGPl+jM4v4EwIa8kQ3 - mqRDXYjz4XdFqoCO5Q7sALx06a3V/Gg3VBhxEmPwYtWIBOaEBjIuFy1TieVNCIz7 - xZlDKUsUFVCMiaF7geRPvN1QMhP37HbKZEWWL3Dtp6d+9W8N3jjFS7qv+26nlhyT - QUtMc4wXYXsfuX+wI+Edb3Ibe2tN6s6rK03XiR456TG4Q5XlT0yuWfLA+uF4WMSe - 9HmPmggwbZgTjagnzkf8/mLwROqFm+KDpCR0vfTGTW+XZOZxS19A3VRM4oCoPCqm - 78t2XkLjoddqL/baJLdSsoFjrHh74+eYTvaBAorOXowfc/MTzXGTHlth9r2/HjJ2 - 9gXiQATn9fl7sxdRko4mKOn0ff0DhoC4gGgfxopUs2v/bu9dj5VTsyAe5TqGNnHU - Oeo1AaboJfWFRlQhsCT3Fpowuc8kRgHalVbARZqTtdRRZHNuf+ob5BYJq1SDFJiN - vxg01gUsqzcvcfZSc1IpLr0vF7tdSvmrKE4nq6GgkJEhHm6wwNftobjSxTYQPO3l - mXI7wghCU4G03zVhbIAwsUvdZ9K6K3ylUOf1MOkVEy78N5rR63FVzqpibPsTQCnc - myhdrYX8fN3GG/QlXF8NwNPFFwOW57577YQJ1d/K0ksiOEWKBzJlBgOu6Z99i8bU - ZgEJAhAZ128S/PPndkywgDN8PEvtH2tRvwt+tS+gMI3o2WiPltT28KmWJv9PoG/s - 9ZAp6mtI6UDoc8yDVuy5BfTH+MuG0IpJLjkqZkY8XSuRD4zAXYIj+a2xHNuWOMhq - 8471dLH2IQ== 
- =UCus + hQIMA2pVdGTIrZI+AQ//R6I646qRFql6ouszDIf24Jc1HU49sWK00jfEgfDAMXVX + FcHyARVKbjq+4Luzf0ut/KrHaGC17iEcohvfaWVds/j8fOA40RWXXG5wkiqmrXQ9 + xgPpV418jCpLhrE85W5emNVH8a0sX746sulslm5NhCBbYsKgmvWB0NW/kSmPBAD7 + xnx6ZysaDEt2kgFy+GhCBMjm+WUOEypF1xoH8YlOO8rtJPVwTX3QPkgEYxrEtloJ + T7cScRPJo66y5ne1E4FKFUApH5cDlD4et9/TpJKR76y1hml+geCM9S7oOD1LmHIM + PxQFfNVL8/RWUSxNtkA+4ixlERitMbW3x4rqq864m1MnZEyYGOiUgF4uU8t7VruJ + bE+qbqOdy+HROi5vBgB7NZ3S1k7iBweGll7xcEfRHWd+lIunezzb/V/lJoShuSBL + WEetGEijGGDLPwTWG2ZSGQQsrPZH0VoA2rRS/aZ75Bau3ctIFAEPuNLS2+AnSh1C + hWMCXsGu3JVwq53TS0Lg5scquaXWPcuEQPJ6ZEmQOGfq+zjJKCp0Wq3W1GqkMAR+ + 9WFvAeh8/fLFTuDnqGLqHoeO9YQ3AK8uraMRf+hVco7RjXOAYks1JvbGDCijlUhv + pUrmkELbYnZgnVvAy/uwpYhVdJkQq4Hev+ELFFfTjcX5i3lO9V9iZJ2UUrXj5cnS + XgEBs+srIKZqr9mNQlfc6t3+JfaRtRPs5ozaSgJIJx+K9x2e7Guci+ZSAoEP7kn6 + 163uoxaZiP3W7vW/fVe8IDnPsPAc2FuvI0MbpDlEmUcoHWU/s3aY6foYtwg+w0I= + =/9CT -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.10.2 diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index 76147d8..b8f13d0 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml @@ -3,7 +3,7 @@ ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git ansible_pull__inventory: inventories/chaosknoten ansible_pull__playbook: playbooks/maintenance.yaml -ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de ansible_pull__timer_randomized_delay_sec: 30min 
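Review bot: In inventories/chaosknoten/group_vars/all.yaml the new default `ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"` has no comment explaining the schedule. The router.yaml hunk later in this diff drops the router's own `04:00:00` / `0min` override, so with the 30min randomized delay every host, including the router, now pulls inside the same 04:00–04:30 window. If the earlier offset existed so that the router applies its network and nftables configuration before the other hosts fetch the repository, that ordering is gone; this is inferred, as the roles are not visible here. I would add a comment above the line, e.g. `# all hosts incl. router pull between 04:00 and 04:30 (randomized delay); no ordering between hosts is assumed`.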
@@ -14,46 +14,3 @@ msmtp__smtp_port: 465 msmtp__smtp_tls_method: smtps msmtp__smtp_user: any@hosts.hamburg.ccc.de msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de" - -alloy_config_default: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ metrics__chaos_password }}" - } - } - } - - prometheus.relabel "chaosknoten_common" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - target_label = "site" - replacement = "wieske" - } - rule { - source_labels = ["instance"] - target_label = "instance" - regex = "([^:]+)" - replacement = "${1}.hosts.hamburg.ccc.de" - action = "replace" - } - } - - logging { - level = "info" - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.chaosknoten_common.receiver] - } diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml deleted file mode 100644 index 2e728ca..0000000 --- a/inventories/chaosknoten/host_vars/acmedns.sops.yaml +++ /dev/null 
@@ -1,214 +0,0 @@ -ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str] -secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str] -secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str] -sops: - age: - - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV - TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr - VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC - bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW - WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-25T16:16:15Z" - mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str] - pgp: - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K - rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf - Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy - m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr - rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2 - den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM - 
GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk - xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7 - /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03 - oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV - W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU - aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L - wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV - PPvkTEc7AdD6 - =GWYV - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU - DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG - HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X - qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z - XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV - gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp - 0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT - 0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS - A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv - SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS - iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS - XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD - 2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs= - =5SxJ - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL - S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID - eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH - CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG - 
7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C - rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4 - tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD - 9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0 - DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR - V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6 - BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS - XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX - A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY= - =H3mo - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo - QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG - SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY - yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP - lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c - o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv - VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy - QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N - oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/ - WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD - RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS - XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H - Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk= - =bY3Q - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw - 5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk - 
0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx - wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr - =C2Ii - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS - LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/ - efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/ - lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R - FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt - FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/ - hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf - LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa - LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC - XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ - FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS - XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG - M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0= - =/EHL - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID - cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i - 1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx - jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7 - glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD - yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k - sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw - Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV - TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ - 
3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8 - NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS - XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ - ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw= - =WwLj - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q - rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH - DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr - k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl - NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp - 1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA - QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc - fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW - TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo - ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4 - 1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS - XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c - gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4= - =Bk3g - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w - FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE - 0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/ - Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j - =xd/t - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw - 
/rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V - 0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH - zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb - =9oyC - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J - /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I - OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd - U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e - HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V - +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI - O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl - H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu - hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ - 96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R - XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU - aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2 - 30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq - 9iHTzz6Gpajo - =bBZ5 - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml deleted file mode 100644 index 364aa9a..0000000 --- a/inventories/chaosknoten/host_vars/acmedns.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}" -docker_compose__configuration_files: - - name: acmedns.cfg - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}" - - name: oauth2-proxy.cfg - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}" - - name: html/index.html - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}" -docker_compose__pull: missing - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - # - "spaceapi.ccc.de" # after DNS has been adjusted - - "acmedns.hamburg.ccc.de" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - -nginx__version_spec: "" -nginx__configurations: - - name: acmedns.hamburg.ccc.de - content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index b6cf771..fc4e23c 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" nextcloud__use_custom_new_user_skeleton: true nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/" -nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1" +nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de 
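Review bot: In inventories/chaosknoten/host_vars/cloud.yaml the change of `nextcloud__proxy_protocol_reverse_proxy_ip` to `172.31.17.140` carries no comment saying which host that address belongs to. Judging by the variable name (the role is not visible), this is the peer whose PROXY protocol headers are trusted. A PROXY protocol header lets the sender state any client address, so the value has to be exactly the source address the reverse proxy connects from, and the listener should not be reachable by other hosts in that private range. Otherwise the client addresses that Nextcloud logs and rate-limits on can be wrong or forged. I would document it and quote the scalar like the value it replaces: `# source address of the reverse proxy; only this peer may send PROXY protocol headers` above `nextcloud__proxy_protocol_reverse_proxy_ip: "172.31.17.140"`.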
diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index b87a198..ecc942c 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,16 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_config_additional: | +alloy_config: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ secret__metrics_chaos }}" + } + } + } loki.write "default" { endpoint { url = "https://loki.hamburg.ccc.de/loki/api/v1/push" @@ -89,9 +98,9 @@ alloy_config_additional: | } rule { source_labels = ["__journal__hostname"] - target_label = "instance" + target_label = "host" regex = "([^:]+)" - replacement = "${1}.hosts.hamburg.ccc.de" + replacement = "${1}.hamburg.ccc.de" action = "replace" } } @@ -102,3 +111,30 @@ alloy_config_additional: | format_as_json = true labels = {component = "loki.source.journal", org = "ccchh"} } + + logging { + level = "info" + } + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.relabel "default" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + source_labels = ["instance"] + target_label = "host" + regex = "([^:]+)" + replacement = "${1}.hamburg.ccc.de" + action = "replace" + } + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.default.receiver] + } diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 2c68c17..3be8bdd 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml 
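Review bot: The first grafana.yaml hunk writes the remote-write credential into the Alloy configuration as `password = "{{ secret__metrics_chaos }}"`, so the rendered file holds the password in clear text, and a secret containing `"` or `\` would break or alter the parsed config. Alloy's `basic_auth` block also accepts `password_file`, which keeps the value out of the main config: `password_file = "<PATH_TO_SECRET_FILE>"` (placeholder path; the role that renders and installs the file is not visible here, so its file mode cannot be checked either). The same pattern is added in the ntfy.yaml hunk for `secret__metrics_chaos` and `secret__loki_chaos`. grafana.sops.yaml is not part of the visible diff, so confirm that `secret__metrics_chaos` is defined for this host.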
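Review bot: The relabel rules in the second and third grafana.yaml hunks change the label schema without a comment. The per-host label moves from `instance` to `host`, the suffix from `.hosts.hamburg.ccc.de` to `.hamburg.ccc.de`, and the new `prometheus.relabel "default"` has no `site` rule, unlike the `chaosknoten_common` block removed from group_vars/all.yaml. Alert rules, dashboards and log queries that select on the old labels would stop matching silently; those are not visible here, so this needs checking rather than being a confirmed break. I would document the schema next to the rules, e.g. `// labels: org="ccchh", host="<name>.hamburg.ccc.de"; keep alert rules and dashboards in sync`. The ntfy.yaml hunk adds the same rules.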
@@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.5.0" +netbox__version: "v4.4.6" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml index 1328d66..e860cca 100644 --- a/inventories/chaosknoten/host_vars/ntfy.sops.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml @@ -1,3 +1,5 @@ +secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str] +secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str] secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str] ntfy: user: 
@@ -16,8 +18,8 @@ sops: bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-25T18:41:48Z" - mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str] + lastmodified: "2025-10-20T19:01:39Z" + mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str] pgp: - created_at: "2025-10-20T19:03:04Z" enc: |- diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml index 2d68bfa..cab4e76 100644 --- a/inventories/chaosknoten/host_vars/ntfy.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.yaml 
@@ -15,8 +15,90 @@ nginx__configurations: - name: ntfy.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}" -alloy_config_additional: | +alloy_config: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ secret__metrics_chaos }}" + } + } + } + loki.write "default" { + endpoint { + url = "https://loki.hamburg.ccc.de/loki/api/v1/push" + basic_auth { + username = "chaos" + password = "{{ secret__loki_chaos }}" + } + } + } + + loki.relabel "journal" { + forward_to = [] + + rule { + source_labels = ["__journal__systemd_unit"] + target_label = "systemd_unit" + } + rule { + source_labels = ["__journal__hostname"] + target_label = "instance" + } + rule { + source_labels = ["__journal__transport"] + target_label = "systemd_transport" + } + rule { + source_labels = ["__journal_syslog_identifier"] + target_label = "syslog_identifier" + } + rule { + source_labels = ["__journal_priority_keyword"] + target_label = "level" + } + rule { + source_labels = ["__journal__hostname"] + target_label = "host" + regex = "([^:]+)" + replacement = "${1}.hamburg.ccc.de" + action = "replace" + } + } + + loki.source.journal "read_journal" { + forward_to = [loki.write.default.receiver] + relabel_rules = loki.relabel.journal.rules + format_as_json = true + labels = {component = "loki.source.journal", org = "ccchh"} + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.relabel "default" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + source_labels = ["instance"] + target_label = "host" + regex = "([^:]+)" + replacement = "${1}.hamburg.ccc.de" + action = "replace" + } + } + + prometheus.scrape "unix_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = 
[prometheus.relabel.default.receiver] + } + prometheus.scrape "ntfy_metrics" { targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}] - forward_to = [prometheus.relabel.chaosknoten_common.receiver] + forward_to = [prometheus.relabel.default.receiver] } diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index adbc8d9..134d29f 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,5 +1,2 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' -systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}" nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" -ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" -ansible_pull__timer_randomized_delay_sec: 0min diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml deleted file mode 100644 index 4f06e92..0000000 --- a/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml +++ /dev/null 
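Review bot: Both `basic_auth` blocks in the new `alloy_config` template the decrypted secret straight into a quoted string (`password = "{{ secret__metrics_chaos }}"`, likewise `secret__loki_chaos`), so the plaintext lands in the rendered Alloy config and a value containing `"` or `\` would break the block. Alloy's `basic_auth` also takes `password_file`, e.g. `password_file = "<root-only file deployed by the role>"`, which keeps the credential out of the main config; if the inline form stays, the role should write the config with a restrictive mode, which this hunk does not show. Both endpoints log in as the same `chaos` user, so if that account is shared between hosts the `instance` and `host` labels set by the relabel rules are only client-asserted; per-host credentials would let the receiving side tell hosts apart.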
@@ -1,215 +0,0 @@ -ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str] -secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str] -secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str] -secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str] -sops: - age: - - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX - S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95 - YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx - TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+ - C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-25T11:18:43Z" - mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str] - pgp: - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A - wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ - xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8 - iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq - 
fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y - 9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q - /KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe - FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc - lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2 - JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi - ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU - aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o - CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1 - wWY4KUeOqk6Y - =Wm7O - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi - 457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI - df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb - FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb - rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9 - xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh - kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t - a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22 - oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv - 85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk - k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS - XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ - lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg= - =ytkN - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee - VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO - 
tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K - eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd - nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di - MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h - vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl - WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO - 3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ - wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp - oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS - XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE - RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA= - =LEoh - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z - RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg - b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO - 9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV - A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp - EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX - FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc - 4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc - xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z - wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x - 4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS - XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV - wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA= - =KudR - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw - mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5 - 0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB - iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4 - =gfNC - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje - d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf - 2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+ - UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4 - RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI - rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc - 63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2 - wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9 - S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF - xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50 - Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je - AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3 - aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA== - =7Qbv - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw - N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux - wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK - BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr - irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M - EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY - mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/ - 
TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe - xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo - Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8 - hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S - XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm - XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo= - =T4dN - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q - tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm - s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3 - Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl - z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w - jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5 - zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ - gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go - AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU - uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np - mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS - XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU - rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c= - =PbAZ - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw - ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo - 0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f - dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU - =Cbzj - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-25T11:17:03Z" - enc: |- 
- -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw - fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK - 0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw - fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz - =g5Ck - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-25T11:17:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR - X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz - FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k - dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j - kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v - fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt - caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli - MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb - wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV - NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig - 6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU - aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm - oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG - xU5hdDPzz/jT - =zb8A - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml deleted file mode 100644 index 3689be7..0000000 --- a/inventories/chaosknoten/host_vars/spaceapiccc.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}" -docker_compose__build: never -docker_compose__pull: never - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "spaceapi.ccc.de" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - -nginx__version_spec: "" -nginx__configurations: - - name: spaceapi.ccc.de - content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 395b154..e592d23 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -1,31 +1,31 @@ all: hosts: ccchoir: - ansible_host: ccchoir.hosts.hamburg.ccc.de + ansible_host: ccchoir-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: - ansible_host: cloud.hosts.hamburg.ccc.de + ansible_host: cloud-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de eh22-wiki: - ansible_host: eh22-wiki.hosts.hamburg.ccc.de + ansible_host: eh22-wiki-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de grafana: - ansible_host: grafana.hosts.hamburg.ccc.de + ansible_host: grafana-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de tickets: - ansible_host: tickets.hosts.hamburg.ccc.de + ansible_host: tickets-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de keycloak: - ansible_host: keycloak.hosts.hamburg.ccc.de + ansible_host: keycloak-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de lists: ansible_host: lists.hamburg.ccc.de ansible_user: chaos 
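Review bot: Every changed `ansible_ssh_common_args` line now jumps through `public-reverse-proxy.hamburg.ccc.de`, which by its name is the internet-facing proxy, so that host becomes the single SSH path to all `-intern` hosts; the same change repeats in the `@@ -33,21` and `@@ -55,39` hunks. `-J` keeps authentication end-to-end, but the proxy must be able to reach port 22 on every internal host, so a compromise of the web-facing service gains that reach too. I would record the decision in the inventory, e.g. `# -intern hosts are only reachable via ProxyJump through public-reverse-proxy`, and set the jump argument once on a child group's `vars:` instead of per host so a later change of bastion is a one-line edit. The `all:` mapping continues outside the hunk.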
@@ -33,21 +33,21 @@ all: ansible_host: mumble.hamburg.ccc.de ansible_user: chaos netbox: - ansible_host: netbox.hosts.hamburg.ccc.de + ansible_host: netbox-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de onlyoffice: - ansible_host: onlyoffice.hosts.hamburg.ccc.de + ansible_host: onlyoffice-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pad: - ansible_host: pad.hosts.hamburg.ccc.de + ansible_host: pad-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pretalx: - ansible_host: pretalx.hosts.hamburg.ccc.de + ansible_host: pretalx-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos 
@@ -55,39 +55,30 @@ all: ansible_host: router.hamburg.ccc.de ansible_user: chaos wiki: - ansible_host: wiki.hosts.hamburg.ccc.de + ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de zammad: - ansible_host: zammad.hosts.hamburg.ccc.de + ansible_host: zammad-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ntfy: - ansible_host: ntfy.hosts.hamburg.ccc.de + ansible_host: ntfy-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de sunders: - ansible_host: sunders.hosts.hamburg.ccc.de + ansible_host: sunders-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de renovate: - ansible_host: renovate.hosts.hamburg.ccc.de + ansible_host: renovate-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - spaceapiccc: - ansible_host: spaceapiccc.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - acmedns: - ansible_host: acmedns.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de hypervisors: hosts: chaosknoten: base_config_hosts: hosts: - acmedns: ccchoir: cloud: eh22-wiki: @@ -107,7 +98,6 @@ base_config_hosts: ntfy: sunders: renovate: - spaceapiccc: systemd_networkd_hosts: hosts: router: 
@@ -115,8 +105,7 @@ nftables_hosts: hosts: router: docker_compose_hosts: - hosts: - acmedns: + hosts: ccchoir: grafana: tickets: @@ -128,13 +117,11 @@ docker_compose_hosts: zammad: ntfy: sunders: - spaceapiccc: nextcloud_hosts: hosts: cloud: nginx_hosts: hosts: - acmedns: ccchoir: eh22-wiki: grafana: @@ -151,13 +138,11 @@ nginx_hosts: zammad: ntfy: sunders: - spaceapiccc: public_reverse_proxy_hosts: hosts: public-reverse-proxy: certbot_hosts: hosts: - acmedns: ccchoir: eh22-wiki: grafana: @@ -173,11 +158,11 @@ certbot_hosts: zammad: ntfy: sunders: - spaceapiccc: -alloy_hosts: +prometheus_node_exporter_hosts: hosts: ccchoir: eh22-wiki: + tickets: keycloak: netbox: onlyoffice: @@ -185,15 +170,6 @@ alloy_hosts: pretalx: wiki: zammad: - grafana: - ntfy: - tickets: - renovate: - cloud: - public-reverse-proxy: - router: - sunders: - spaceapiccc: infrastructure_authorized_keys_hosts: hosts: ccchoir: @@ -213,7 +189,6 @@ infrastructure_authorized_keys_hosts: ntfy: sunders: renovate: - spaceapiccc: wiki_hosts: hosts: eh22-wiki: @@ -224,6 +199,10 @@ netbox_hosts: proxmox_vm_template_hosts: hosts: chaosknoten: +alloy_hosts: + hosts: + grafana: + ntfy: ansible_pull_hosts: hosts: netbox: @@ -244,7 +223,6 @@ ansible_pull_hosts: public-reverse-proxy: zammad: ntfy: - spaceapiccc: msmtp_hosts: hosts: renovate_hosts: diff --git a/inventories/external/group_vars/all.sops.yaml b/inventories/external/group_vars/all.sops.yaml deleted file mode 100644 index 06eeb17..0000000 --- a/inventories/external/group_vars/all.sops.yaml +++ /dev/null 
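Review bot: After the `@@ -173,11` and `@@ -185,15` hunks the renamed `prometheus_node_exporter_hosts` group no longer lists `public-reverse-proxy` or `router` (nor `cloud`, `sunders`, `renovate`), and the new `alloy_hosts` group in `@@ -224,6` holds only `grafana` and `ntfy`, so as far as these hunks show, journal logs leave just two hosts. Since `public-reverse-proxy` is the SSH jump host in this inventory, its sshd log is the one most worth having off-box; I would add `public-reverse-proxy:` and `router:` under `alloy_hosts`, each of which would then need an `alloy_config` like the one in `ntfy.yaml`. Group membership between the hunks is not visible, so this is worth confirming against the full file.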
@@ -1,210 +0,0 @@ -msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str] -sops: - age: - - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w - c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN - clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ - aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y - mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-15T21:28:28Z" - mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str] - pgp: - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I - b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY - /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu - Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/ - e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B - inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw - P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow - RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W - XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn - gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV - HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS - XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH - 
tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a - =Xw0f - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+ - U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L - eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW - TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc - OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo - b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR - 8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem - Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk - +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq - 5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb - ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS - XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7 - RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u - =k6m5 - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ - z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr - AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX - EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd - txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3 - CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX - AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt - KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf - 53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ - iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn - Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS - 
XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX - OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0 - =seAB - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ - ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7 - vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh - GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R - ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA - q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN - F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT - 968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb - Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH - RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM - WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS - XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T - X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt - =t5WG - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw - OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu - 0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD - kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg== - =8Qs3 - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2 - SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm - +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB - 
nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm - ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH - xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP - 2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv - 4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP - AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5 - fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV - J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S - XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD - QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn - =NJUn - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33 - rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU - b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB - VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6 - z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc - y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk - pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6 - DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS - 55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2 - Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS - 2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS - XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ - e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h - =gUj7 - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw - YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4 - 
W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly - m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl - AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB - QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW - fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT - XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw - Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv - v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt - zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS - XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb - YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV - =pL2f - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw - 0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin - 0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8 - KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg== - =slU2 - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw - bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL - 0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp - JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw== - =1DIj - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-15T21:28:06Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204 - CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99 - e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R - 
6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1 - M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN - Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L - vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G - k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm - MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/ - 3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF - XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS - XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn - 96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz - =IYeC - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/external/group_vars/all.yaml b/inventories/external/group_vars/all.yaml deleted file mode 100644 index 80d3efc..0000000 --- a/inventories/external/group_vars/all.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# ansible_pull -# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml). -ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git -ansible_pull__inventory: inventories/external -ansible_pull__playbook: playbooks/maintenance.yaml -ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" -ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de -ansible_pull__timer_randomized_delay_sec: 30min - -# msmtp -# msmtp__smtp_password is defined in the all.sops.yaml. -msmtp__smtp_host: cow.hamburg.ccc.de -msmtp__smtp_port: 465 -msmtp__smtp_tls_method: smtps -msmtp__smtp_user: any@external-hosts.hamburg.ccc.de -msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de" diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml deleted file mode 100644 index a67b8a1..0000000 
--- a/inventories/external/host_vars/status.sops.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] -secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str] -secret__gatus_acme_dns_update_test_x_api_key: ENC[AES256_GCM,data:rBMHvYT7g+o6Rc+edjikYT2jn4wKnkOJWOMf5Ys1zjKpsRCKEF0PZA==,iv:Tp4ELKMfhxtwaJljW4sMCVgW3KCTL89NfW2/LQTmO1Y=,tag:YMbvE0xgLTYCFXche/mvFA==,type:str] -sops: - age: - - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx - UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq - M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk - RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 - 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-01T21:17:51Z" - mac: ENC[AES256_GCM,data:YO5RoJnkjZeouYJa3ui/cRGLcpSzbs1Ou4D+XU9fZ6ZEc8snmLoN/e8vK91+9qigQECOc/WHHaln4ghYs6wNH+xje4ImCYL92p1RbMPvT8OoS3qu+pTF3sUfQfV/Rju61njNHA7XNAmGCxSiJQxgq2o92aoEB7qKs+AwCFEmTpE=,iv:QrRkSv4novqk3+YCnfFW59df1mvcGONTDO3zCUyXUME=,tag:oBy402SSczs3qyHhBpQqnw==,type:str] - pgp: - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/ - HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW - w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi 
- o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr - dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT - QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+ - 97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE - dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf - j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT - B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9 - cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS - XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI - tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ= - =HCWY - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M - UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6 - KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4 - JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu - RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf - LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J - SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5 - YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD - CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF - W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q - melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS - XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e - GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74= - =v7Jf - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ - 
zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv - y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y - Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo - FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw - sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz - 8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1 - +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au - qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU - yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F - HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S - XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF - 9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4= - =l9vN - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp - +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w - +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1 - oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw - 8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx - wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26 - MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK - ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj - IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB - b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm - YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS - XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF - JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4= - =8IWz - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- 
- - hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw - 9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM - 0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr - 1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ - =FVIu - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz - ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F - 15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN - pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW - Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR - PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+ - 27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU - amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I - bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P - dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc - bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS - XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD - QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA= - =EPrs - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0 - RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC - Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9 - fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC - 3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9 - bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW - p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl - 
USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm - dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa - PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9 - NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS - XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n - H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo= - =0Nal - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK - ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV - Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl - IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH - i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9 - 1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq - lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG - m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi - 9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7 - N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy - FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS - XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7 - uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k= - =e4Qe - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw - 27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di - 0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h - 7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci - =68na - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-15T21:23:56Z" - enc: |- 
- -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw - oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK - 0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz - LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ - =Kpzf - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-15T21:23:56Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO - rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I - hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc - yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD - Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo - 2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR - yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY - YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz - WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu - 1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv - YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS - XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY - rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk= - =lbdI - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/external/host_vars/status.yaml b/inventories/external/host_vars/status.yaml deleted file mode 100644 index c2c26b3..0000000 --- a/inventories/external/host_vars/status.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}" -docker_compose__configuration_files: - - name: "general.yaml" - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}" - - name: "sites.yaml" - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}" - - name: "services-chaosknoten.yaml" - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}" - - name: "websites.yaml" - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}" - - name: "easterhegg-websites.yaml" - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}" - -nginx__version_spec: "" -nginx__deploy_redirect_conf: false -nginx__configurations: - - name: status.hamburg.ccc.de - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}" - - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}" - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "status.hamburg.ccc.de" -certbot__new_cert_commands: - - "systemctl reload nginx.service" diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml deleted file mode 100644 index 435a9bf..0000000 --- a/inventories/external/hosts.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -all: - hosts: - status: - # TODO: Manually set up ufw on the host. Create a role for ufw. - ansible_host: status.hamburg.ccc.de - ansible_user: chaos -base_config_hosts: - hosts: - status: -docker_compose_hosts: - hosts: - status: -nginx_hosts: - hosts: - status: -certbot_hosts: - hosts: - status: -infrastructure_authorized_keys_hosts: - hosts: - status: -ansible_pull_hosts: - hosts: - status: diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml deleted file mode 100644 index 7c25351..0000000 --- a/inventories/z9/group_vars/all.sops.yaml +++ /dev/null 
@@ -1,200 +0,0 @@ -metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str] -sops: - lastmodified: "2026-01-25T19:52:03Z" - mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str] - pgp: - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi - sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB - 2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C - ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI - Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk - UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD - VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr - 7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG - HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8 - XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu - p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S - XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE - N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc= - =1Rdp - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z - lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8 - 3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ - OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou - orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw - 
lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc - LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe - UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3 - RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE - LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g - vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S - XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S - gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU= - =ev2Q - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA - 6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA - womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ - +/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO - PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU - 5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U - 5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK - HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/ - xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ - MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3 - hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS - XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/ - tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA= - =a2qJ - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30 - RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW - 8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW - 
n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy - f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W - E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4 - bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6 - ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1 - Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ - sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ - Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS - XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI - SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s= - =rV/a - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw - IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC - 0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn - lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ - =dGU4 - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg - WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma - vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih - t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs - j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9 - avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT - zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj - ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ - IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO - u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM - 
dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S - XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++ - zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs= - =dywj - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20 - HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE - K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u - t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3 - 36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2 - hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd - JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2 - ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM - KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7 - 4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6 - SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS - XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN - mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc= - =lIEt - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa - FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a - tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+ - ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0 - kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk - qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd - BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq - fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j - 
7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax - 6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1 - Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS - XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b - Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k= - =az/q - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw - Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q - 0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx - JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV - =2Eki - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw - 5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo - 0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0 - WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW - =S45t - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-25T19:51:13Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x - DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd - j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG - TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO - AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA - nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt - UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH - FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6 - 7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf - 
O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx - vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS - XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7 - XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw= - =9ri7 - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/z9/group_vars/all.yaml b/inventories/z9/group_vars/all.yaml deleted file mode 100644 index 9a31251..0000000 --- a/inventories/z9/group_vars/all.yaml +++ /dev/null @@ -1,43 +0,0 @@ -alloy_config_default: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ metrics__chaos_password }}" - } - } - } - - prometheus.relabel "z9_common" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - target_label = "site" - replacement = "z9" - } - rule { - source_labels = ["instance"] - target_label = "instance" - regex = "([^:]+)" - replacement = "${1}.z9.ccchh.net" - action = "replace" - } - } - - logging { - level = "info" - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.z9_common.receiver] - } - diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml index 8ae5287..5813e3a 100644 --- a/inventories/z9/host_vars/dooris.yaml +++ b/inventories/z9/host_vars/dooris.yaml 
@@ -7,11 +7,9 @@ certbot__certificate_domains: - "dooris.ccchh.net" certbot__new_cert_commands: - "systemctl reload nginx.service" +certbot__http_01_port: 80 nginx__version_spec: "" -nginx__deploy_redirect_conf: false nginx__configurations: - name: dooris.ccchh.net content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}" - - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml index 0c7e11d..0336d22 100644 --- a/inventories/z9/host_vars/light.yaml +++ b/inventories/z9/host_vars/light.yaml @@ -50,22 +50,10 @@ ola__configs: content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}" - name: ola-usbserial content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}" - nginx__version_spec: "" nginx__deploy_redirect_conf: false nginx__configurations: - name: light content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}" - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "light-werkstatt.ccchh.net" - - "light.ccchh.net" - - "light.z9.ccchh.net" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - - + content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}" diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 319f817..9f4a692 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -20,7 +20,6 @@ all: certbot_hosts: hosts: dooris: - light: docker_compose_hosts: hosts: dooris: 
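Review bot: `certbot__http_01_port: 80` in inventories/z9/host_vars/dooris.yaml is added in the same hunk that drops `nginx__deploy_redirect_conf: false` and the `http_handler` configuration, so two services may now want port 80 on dooris. The role defaults are not visible in this diff; if the nginx role's default redirect configuration listens on port 80, certbot's HTTP-01 listener could fail to bind, and that would typically only show up when a renewal fails and the certificate expires. Either keep `nginx__deploy_redirect_conf: false`, or state above the new variable which service owns the port, for example `# certbot answers HTTP-01 on :80 itself; nginx must not bind :80 on this host`. The certbot variable block starts above the hunk, so settings outside the visible lines may already cover this.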
@@ -50,11 +49,5 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: -alloy_hosts: - hosts: - authoritative-dns: - light: - yate: - dooris: ansible_pull_hosts: hosts: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index fe0cf78..f416b91 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -64,6 +64,11 @@ roles: - nginx +- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts + hosts: prometheus_node_exporter_hosts + roles: + - prometheus_node_exporter + - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors become: true @@ -78,8 +83,10 @@ - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true - roles: - - alloy + tasks: + - name: Setup Alloy + ansible.builtin.include_role: + name: grafana.grafana.alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts diff --git a/renovate.json b/renovate.json index 0e2bd7f..711c627 100644 --- a/renovate.json +++ b/renovate.json @@ -32,11 +32,6 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" - }, - { - "matchDatasources": ["docker"], - "matchPackageNames": ["docker.io/pretalx/standalone"], - "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], "customManagers": [ diff --git a/requirements.yml b/requirements.yml index dffe9d3..6011bda 100644 --- a/requirements.yml +++ b/requirements.yml 
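Review bot: The Alloy play in playbooks/deploy.yaml (hunk `@@ -78,8 +83,10 @@`) now includes `grafana.grafana.alloy`, but the requirements.yml hunk of this same commit removes the `grafana.grafana` collection entry. On a freshly provisioned controller or pull host the role would therefore not resolve unless the collection is installed some other way. Keep the dependency declared with a fixed version, e.g. `- name: grafana.grafana`, `version: "6.0.6"`, `source: https://galaxy.ansible.com` (6.0.6 is the version the removed entry carried). Moving from `roles:` to `ansible.builtin.include_role` also means a missing role is reported only when the play reaches that task rather than when the playbook is parsed, so a one-line comment saying why the dynamic include is wanted would help the next reader.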
@@ -1,17 +1,11 @@ collections: - # debops.debops - - source: https://github.com/debops/debops - type: git - version: "v3.2.5" - # community.sops - - source: https://github.com/ansible-collections/community.sops - type: git - version: "2.2.7" - # community.docker - - source: https://github.com/ansible-collections/community.docker - type: git - version: "5.0.5" - # grafana.grafana - - source: https://github.com/grafana/grafana-ansible-collection - type: git - version: "6.0.6" + # Install a collection from Ansible Galaxy. + - name: debops.debops + version: ">=3.1.0" + source: https://galaxy.ansible.com + - name: community.sops + version: ">=2.2.4" + source: https://galaxy.ansible.com + - name: community.docker + version: ">=5.0.0" + source: https://galaxy.ansible.com diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 deleted file mode 100644 index 4f3b49c..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration -[general] -protocol = "both" -domain = "auth.acmedns.hamburg.ccc.de" -nsname = "acmedns.hosts.hamburg.ccc.de" -nsadmin = "noc.lists.hamburg.ccc.de" -records = [ - "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.", - "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.", -] - -[database] -engine = "sqlite3" -connection = "/var/lib/acme-dns/acme-dns.db" - -[api] -ip = "0.0.0.0" -port = "80" -tls = "none" -corsorigins = [ - "*" -] - -[logconfig] -loglevel = "debug" -logtype = "stdout" -logformat = "text" diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 deleted file mode 100644 index 8976852..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 +++ /dev/null 
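Review bot: The new requirements.yml replaces exact versions with open-ended ranges (`">=3.1.0"`, `">=2.2.4"`, `">=5.0.0"`), so each `ansible-galaxy collection install` resolves to whatever is newest on Galaxy at that moment. Two runs of the same commit can then execute different collection code, and a broken or tampered upstream release would reach the hosts (including the code that handles the sops-encrypted secrets) without any reviewable change in this repository. Pin each entry to an exact version, e.g. `version: "3.2.5"` for debops.debops, `version: "2.2.7"` for community.sops and `version: "5.0.5"` for community.docker (the values the removed entries carried), and let the existing Renovate setup propose the bumps. The added comment `# Install a collection from Ansible Galaxy.` could instead say that versions are pinned on purpose and how they get updated.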
@@ -1,22 +0,0 @@ ---- -services: - oauth2-proxy: - container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 - command: --config /oauth2-proxy.cfg - hostname: oauth2-proxy - volumes: - - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg" - restart: unless-stopped - ports: - - 4180:4180 - - acmedns: - image: docker.io/joohoi/acme-dns:latest - ports: - - "[::]:53:53" - - "[::]:53:53/udp" - - 8080:80 - volumes: - - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro - - ./data/acmedns:/var/lib/acme-dns \ No newline at end of file diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 deleted file mode 100644 index 1170cec..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 +++ /dev/null @@ -1,74 +0,0 @@ - - -ACME DNS Register - - - -

Register an Entry in ACME DNS

- -

This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.

-

See the ACME DNS service entry in the wiki for further details.

- -

- - - - - - - - - - - - - - - - - -

Note: there is no way to delete registrations. Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.

- - - diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 deleted file mode 100644 index f11eadf..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 +++ /dev/null @@ -1,13 +0,0 @@ -reverse_proxy = true -http_address="0.0.0.0:4180" -cookie_secret="{{ secret__oidc_cookie_secret }}" -email_domains="*" - -# dex provider -oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh" -provider="oidc" -provider_display_name="CCCHH ID" -client_id="acmedns" -client_secret="{{ secret__oidc_client_secret }}" -redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback" - diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf deleted file mode 100644 index dd78d8c..0000000 --- a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf +++ /dev/null 
@@ -1,87 +0,0 @@ -# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 -server { - # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - server_name acmedns.hamburg.ccc.de; - - root /ansible_docker_compose/configs/html/; - - ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem; - # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; - # Hide the X-Forwarded header. - proxy_hide_header X-Forwarded; - # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that - # is transparent). - # Also provide "_hidden" for by, since it's not relevant. 
- proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; - proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly - port_in_redirect off; - - location /oauth2/ { - proxy_pass http://127.0.0.1:4180; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Auth-Request-Redirect $request_uri; - # or, if you are handling multiple domains: - # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; - } - - location = /oauth2/auth { - proxy_pass http://127.0.0.1:4180; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Uri $request_uri; - # nginx auth_request includes headers but not body - proxy_set_header Content-Length ""; - proxy_pass_request_body off; - } - - location = / { - auth_request /oauth2/auth; - error_page 401 = @oauth2_signin; - - index index.html; - } - - location = /register { - auth_request /oauth2/auth; - error_page 401 = @oauth2_signin; - - proxy_pass http://127.0.0.1:8080/register; - } - - location = /update { # no auth by proxy required - proxy_pass http://127.0.0.1:8080/update; - } - - location = /health { # no auth by proxy required - proxy_pass http://127.0.0.1:8080/health; - } - - location @oauth2_signin { - return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri; - } -} diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf index a8d71a9..ff37e48 100644 --- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf +++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf 
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -43,12 +43,12 @@ server { server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index d213d61..d3ed959 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf 
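Review bot: Nothing in this hunk limits who may connect to `listen 8443 ssl http2 proxy_protocol;`, because `set_real_ip_from 172.31.17.140;` only decides whose PROXY header rewrites `$remote_addr`. The listener has no address, so it binds every IPv4 address of the host, and the IPv6 listener is dropped. An `allow`/`deny` pair in the server block would not help, since the access module sees the address after the realip substitution; the restriction has to sit in the host's packet filter, which this diff does not show. I would record that next to the directive, e.g. `# Port 8443 must only be reachable from the proxy (172.31.17.140); enforced in the host firewall.` The same two lines recur in the second server block of this file and in the eh22-wiki, grafana, keycloak (id, invite, keycloak-admin on 8444), netbox, ntfy, onlyoffice, pad and pretalx configs; each of those server blocks continues outside its hunk.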
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 index 10fb346..51aeb63 100644 --- a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 @@ -7,7 +7,7 @@ route: group_by: [ "alertname", "site", "type", "hypervisor" ] group_wait: 30s group_interval: 5m - repeat_interval: 26h + repeat_interval: 6h routes: - receiver: "null" matchers: 
@@ -16,38 +16,49 @@ route: matchers: - org = "ccchh" - severity = "critical", - repeat_interval: 26h + repeat_interval: 18h continue: true - receiver: ntfy-ccchh matchers: - org = "ccchh" - severity =~ "info|warning", - repeat_interval: 52h + repeat_interval: 36h continue: true - receiver: ntfy-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 26h + repeat_interval: 18h continue: true - receiver: email-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 52h + repeat_interval: 36h continue: true - receiver: ntfy-fux matchers: - org = "fux" - severity =~ "info|warning", - repeat_interval: 52h + repeat_interval: 36h continue: true + - receiver: ccchh-infrastructure-alerts + matchers: + - org = "ccchh" + - severity =~ "info|warning|critical" templates: - "/etc/alertmanager/templates/*.tmpl" receivers: - name: "null" + - name: "ccchh-infrastructure-alerts" + telegram_configs: + - send_resolved: true + bot_token: {{ secret__alertmanager_telegram_bot_token }} + chat_id: -1002434372415 + parse_mode: HTML + message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }} - name: "ntfy-ccchh-critical" webhook_configs: diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index c2c312c..2d598f9 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.9.1 + image: docker.io/prom/prometheus:v3.7.3 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.30.1 + image: docker.io/prom/alertmanager:v0.29.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' 
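Review bot: In the new `ccchh-infrastructure-alerts` receiver, the templated secret is rendered as a plain YAML scalar, so an empty or oddly shaped value changes its type or breaks parsing after Jinja has run. Quote it: `bot_token: "{{ secret__alertmanager_telegram_bot_token }}"`. Alertmanager's `telegram_configs` also accepts `bot_token_file`, which would keep the token out of the rendered alertmanager.yaml and out of anything that dumps the config; whether the compose setup can mount such a file is not visible here. The new route has no `repeat_interval` of its own, so it inherits the top-level `6h` while its sibling routes use 18h and 36h; if that is intended, a short comment on the route would say so.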
@@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.3.1 + image: docker.io/grafana/grafana:12.3.0 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.8.0 + image: docker.io/prompve/prometheus-pve-exporter:3.5.5 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.4 + image: docker.io/grafana/loki:3.6.0 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus.yml b/resources/chaosknoten/grafana/docker_compose/prometheus.yml index 7f94ab0..fd59034 100644 --- a/resources/chaosknoten/grafana/docker_compose/prometheus.yml +++ b/resources/chaosknoten/grafana/docker_compose/prometheus.yml 
@@ -82,6 +82,41 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: pve-exporter:9221 + - job_name: hosts + static_configs: + # Wieske Chaosknoten VMs + - labels: + org: ccchh + site: wieske + type: virtual_machine + hypervisor: chaosknoten + targets: + - netbox-intern.hamburg.ccc.de:9100 + - matrix-intern.hamburg.ccc.de:9100 + - public-web-static-intern.hamburg.ccc.de:9100 + - git-intern.hamburg.ccc.de:9100 + - forgejo-actions-runner-intern.hamburg.ccc.de:9100 + - eh22-wiki-intern.hamburg.ccc.de:9100 + - mjolnir-intern.hamburg.ccc.de:9100 + - woodpecker-intern.hamburg.ccc.de:9100 + - penpot-intern.hamburg.ccc.de:9100 + - jitsi.hamburg.ccc.de:9100 + - onlyoffice-intern.hamburg.ccc.de:9100 + - ccchoir-intern.hamburg.ccc.de:9100 + - tickets-intern.hamburg.ccc.de:9100 + - keycloak-intern.hamburg.ccc.de:9100 + - onlyoffice-intern.hamburg.ccc.de:9100 + - pad-intern.hamburg.ccc.de:9100 + - wiki-intern.hamburg.ccc.de:9100 + - zammad-intern.hamburg.ccc.de:9100 + - pretalx-intern.hamburg.ccc.de:9100 + - labels: + org: ccchh + site: wieske + type: physical_machine + targets: + - chaosknoten.hamburg.ccc.de:9100 + storage: tsdb: diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index 98f7f40..c5b68e1 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf 
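Review bot: `onlyoffice-intern.hamburg.ccc.de:9100` appears twice in the `targets` list of the new `hosts` job; the second entry should be dropped. `jitsi.hamburg.ccc.de:9100` is the only target that is not an `-intern` name, so the node exporter there is presumably scraped over the public address. If that is intended, a comment such as `# no -intern record; port 9100 is filtered to the Prometheus host` would document it, and it is worth confirming that port 9100 on that host is not reachable from elsewhere. All targets are scraped over plain HTTP as far as this hunk shows.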
@@ -2,13 +2,13 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf index 8a509be..e2bf4a7 100644 --- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf @@ -17,6 +17,7 @@ server { server_name loki.hamburg.ccc.de; listen [::]:50051 ssl; + listen 172.31.17.145:50051 ssl; http2 on; @@ -58,6 +59,7 @@ server { server_name loki.hamburg.ccc.de; listen [::]:443 ssl; + listen 172.31.17.145:443 ssl; http2 on; diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index 195b99d..2c52523 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -9,6 +9,7 @@ server { allow 2a00:14b0:4200:3380::/64; allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing # Z9 + allow 2a07:c480:0:100::/56; allow 2a07:c481:1::/48; # fuxnoc allow 2a07:c481:0:1::/64; @@ -17,6 +18,7 @@ server { server_name metrics.hamburg.ccc.de; listen [::]:443 ssl; + listen 172.31.17.145:443 ssl; http2 on; client_body_buffer_size 512k; 
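Review bot: In metrics.hamburg.ccc.de.conf the added `listen 172.31.17.145:443 ssl;` opens the server on IPv4, but every `allow` entry visible in that hunk, including the new `allow 2a07:c480:0:100::/56;`, is an IPv6 prefix. The server block starts and ends outside the hunk, so whether a `deny all;` follows cannot be seen from here. If it does, IPv4 clients are always refused and the listener serves nobody; if it does not, the metrics endpoint is open to anything that can reach that address. I would add an explicit IPv4 entry for the intended sources, `allow <ipv4-source-prefix>;`, and confirm the list ends in `deny all;`. The two loki.hamburg.ccc.de.conf hunks add the same kind of IPv4 listener and deserve the same check.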
diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 82ba082..303b052 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -3,12 +3,12 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index ecb7e2d..4a9cfe6 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf @@ -3,12 +3,12 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index b2e7eec..2b0d919 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,12 +7,12 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8444 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 0c2a3be..5550686 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf index ebae48d..e7d404d 100644 --- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf +++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf @@ -2,13 +2,13 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index 8bc37e9..f3444ac 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.2.1 + image: docker.io/onlyoffice/documentserver:9.1.0 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index f3e77f1..2471525 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf 
@@ -2,13 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 790cf95..455caa3 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.5 + image: quay.io/hedgedoc/hedgedoc:1.10.3 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index cf49d23..53d0a0d 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf 
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 091d113..dda67bb 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.4 + image: docker.io/library/nginx:1.29.3 restart: unless-stopped volumes: - public:/usr/share/nginx/html diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf index a4f5bb9..0fa99e7 100644 --- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf 
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf index d66e977..f12067a 100644 --- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index c5ef0ea..165e166 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host { c3cat.de 172.31.17.151:31820; www.c3cat.de 172.31.17.151:31820; staging.c3cat.de 172.31.17.151:31820; - ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; - www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; - cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; + ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; + www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; + cloud.hamburg.ccc.de 172.31.17.143:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; - grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820; + grafana.hamburg.ccc.de 172.31.17.145:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; - id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; - invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; - keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + id.hamburg.ccc.de 172.31.17.144:31820; + invite.hamburg.ccc.de 172.31.17.144:31820; + keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; - netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; - onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; - pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; - pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820; + netbox.hamburg.ccc.de 172.31.17.167:31820; + onlyoffice.hamburg.ccc.de 172.31.17.147:31820; + pad.hamburg.ccc.de 172.31.17.141:31820; + pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; - wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; - wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; + wiki.ccchh.net 172.31.17.146:31820; + wiki.hamburg.ccc.de 172.31.17.146:31820; www.hamburg.ccc.de 172.31.17.151:31820; - 
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; - sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; - zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820; + tickets.hamburg.ccc.de 172.31.17.148:31820; + sunders.hamburg.ccc.de 172.31.17.170:31820; + zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; eh07.easterhegg.eu 172.31.17.151:31820; @@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host { eh11.easterhegg.eu 172.31.17.151:31820; eh20.easterhegg.eu 172.31.17.151:31820; www.eh20.easterhegg.eu 172.31.17.151:31820; - eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820; + eh22.easterhegg.eu 172.31.17.165:31820; easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820; eh2003.hamburg.ccc.de 172.31.17.151:31820; www.eh2003.hamburg.ccc.de 172.31.17.151:31820; @@ -73,16 +73,11 @@ map $host $upstream_acme_challenge_host { design.hamburg.ccc.de 172.31.17.162:31820; hydra.hamburg.ccc.de 172.31.17.163:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820; - ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820; + ntfy.hamburg.ccc.de 172.31.17.149:31820; cryptoparty-hamburg.de 172.31.17.151:31820; cryptoparty.hamburg.ccc.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820; - spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; - cpu.ccc.de 172.31.17.151:31820; - lokal.ccc.de 172.31.17.151:31820; - local.ccc.de 172.31.17.151:31820; - acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index a8b27fc..4a449f5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
@@ -18,21 +18,21 @@ stream { resolver 212.12.50.158 192.76.134.90; map $ssl_preread_server_name $address { - ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; - www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; - cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; - pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; - pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443; - id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443; - wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; - wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; + ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; + pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; + pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; + id.hamburg.ccc.de 172.31.17.144:8443; + invite.hamburg.ccc.de 172.31.17.144:8443; + keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; + grafana.hamburg.ccc.de 172.31.17.145:8443; + wiki.ccchh.net 172.31.17.146:8443; + wiki.hamburg.ccc.de 172.31.17.146:8443; + onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; - netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443; + netbox.hamburg.ccc.de 172.31.17.167:8443; matrix.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443; 
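Review bot: The `$address` map now mixes literal addresses (`172.31.17.144:8443`) with hostnames (`ccchoir-intern`, `cloud-intern`, `pad-intern` and `pretalx-intern.hamburg.ccc.de:8443`). The hostname entries are looked up at connection time through the `resolver 212.12.50.158 192.76.134.90;` line above, so the upstream that receives the TLS stream for those names depends on that DNS answer, while the others do not. acme_challenge.conf in this commit maps `cloud.hamburg.ccc.de` and `pad.hamburg.ccc.de` to literal addresses instead, so the two maps can drift apart. I would pick one form for both maps and note the choice in a comment above the map, e.g. `# upstreams are literal addresses on purpose; do not depend on DNS here`. The map block continues outside this hunk.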
@@ -42,9 +42,9 @@ stream { hamburg.ccc.de 172.31.17.151:8443; staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; - tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; - sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; - zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443; + tickets.hamburg.ccc.de 172.31.17.148:8443; + sunders.hamburg.ccc.de 172.31.17.170:8443; + zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; staging.c3cat.de 172.31.17.151:8443; @@ -56,7 +56,7 @@ stream { eh11.easterhegg.eu 172.31.17.151:8443; eh20.easterhegg.eu 172.31.17.151:8443; www.eh20.easterhegg.eu 172.31.17.151:8443; - eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443; + eh22.easterhegg.eu 172.31.17.165:8443; easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443; eh2003.hamburg.ccc.de 172.31.17.151:8443; www.eh2003.hamburg.ccc.de 172.31.17.151:8443; @@ -90,17 +90,12 @@ stream { woodpecker.hamburg.ccc.de 172.31.17.160:8443; design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; - cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; - ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443; + cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; + ntfy.hamburg.ccc.de 172.31.17.149:8443; cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443; - spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; - cpu.ccc.de 172.31.17.151:8443; - lokal.ccc.de 172.31.17.151:8443; - local.ccc.de 172.31.17.151:8443; - acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443; } server { diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index ca62a97..8d30852 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf 
+++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -7,14 +7,20 @@ define if_net1_v4_wan = "net1" define if_net2_v6_wan = "net2" define if_net0_2_v4_nat = "net0.2" define if_net0_3_ci_runner = "net0.3" +define if_net0_4_v4_nat_legacy = "net0.4" +define if_net0_5_public = "net0.5" # Interface Groups define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan } define lan_ifs = { $if_net0_2_v4_nat, - $if_net0_3_ci_runner } -# define v4_exposed_ifs = { } -define v6_exposed_ifs = { $if_net0_2_v4_nat } + $if_net0_3_ci_runner, + $if_net0_4_v4_nat_legacy, + $if_net0_5_public } +define v4_exposed_ifs = { $if_net0_5_public } +define v6_exposed_ifs = { $if_net0_2_v4_nat, + $if_net0_4_v4_nat_legacy, + $if_net0_5_public } ## Rules 
@@ -39,29 +45,13 @@ table inet host { ct state established,related accept ip protocol icmp accept - # ICMPv6 - # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24 - # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped" - # Error messages that are essential to the establishment and maintenance of communications: - icmpv6 type { destination-unreachable, packet-too-big } accept - icmpv6 type { time-exceeded } accept - icmpv6 type { parameter-problem } accept - # Connectivity checking messages: - icmpv6 type { echo-request, echo-reply } accept - # Address Configuration and Router Selection messages: - icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept - # Link-Local Multicast Receiver Notification messages: - icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept - # SEND Certificate Path Notification messages: - icmpv6 type { 148, 149 } accept - # Multicast Router Discovery messages: - icmpv6 type { 151, 152, 153 } accept + ip6 nexthdr icmpv6 accept # Allow SSH access. tcp dport 22 accept comment "allow ssh access" # Allow DHCP server access. - iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" + iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" } } 
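Review bot: `ip6 nexthdr icmpv6 accept` accepts every ICMPv6 type in what looks like the host input chain, including redirect (137) and node information query (139), for which RFC 4890 asks for an explicit policy. `ip6 nexthdr` also tests only the first next-header field, so an ICMPv6 packet behind an extension header does not match this rule at all. I would keep a type allowlist and match the protocol with `meta l4proto ipv6-icmp`, for example `meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`. The chain begins outside this hunk, so its policy and hook are not visible.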
@@ -85,11 +75,10 @@ table inet forward { ct state established,related accept # Allow internet access. - meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" - meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + iifname $lan_ifs oifname $wan_ifs accept comment "allow internet access" # Allow access to exposed networks from internet. - # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" } } diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link index ef04d04..9489f17 100644 --- a/resources/chaosknoten/router/systemd_networkd/00-net1.link +++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link @@ -1,5 +1,6 @@ [Match] -MACAddress=BC:24:11:9A:FB:34 +# Stolen from turing to make 212.12.48.122 work. +MACAddress=0E:A4:E3:97:16:92 Type=ether [Link] diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev new file mode 100644 index 0000000..5cb68ed --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=net0.4 +Kind=vlan + +[VLAN] +Id=4 diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev new file mode 100644 index 0000000..be3c9d9 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=net0.5 +Kind=vlan + +[VLAN] +Id=5 
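Review bot: In the `table inet forward` hunk, the newly enabled `meta nfproto ipv4 oifname $v4_exposed_ifs accept` matches on the output interface only, so it also accepts traffic arriving from other VLANs such as `$if_net0_3_ci_runner`, not just "from internet" as the comment above it says. If only WAN-originated traffic is meant, constrain it with `meta nfproto ipv4 iifname $wan_ifs oifname $v4_exposed_ifs accept` and do the same for the v6 rule; if inter-VLAN access is intended, reword the comment. The merged `iifname $lan_ifs oifname $wan_ifs accept` also drops the per-family pinning to net1 and net2, so which uplink a packet may leave through now depends on the routing table alone. The chain starts outside the hunk, so this assumes its policy drops unmatched traffic.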
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network index a32d75e..59897cf 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net0.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network @@ -7,6 +7,7 @@ RequiredForOnline=no [Network] VLAN=net0.2 VLAN=net0.3 +VLAN=net0.4 +VLAN=net0.5 LinkLocalAddressing=no - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network index 5c14d8d..5789ef6 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net1.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -3,10 +3,13 @@ Name=net1 [Network] DNS=212.12.50.158 +IPForward=ipv4 IPv6AcceptRA=no - -[Address] +# v4 taken from turing for routing public v4 range and turing-compat for v4-NAT-legacy network. +# Also just the v4 for other purposes as well. +Address=212.12.48.122/24 Address=212.12.48.123/24 - -[Route] +# v6 for turing-compat for v4-NAT-legacy network routed v6. +Address=2a00:14b0:4200:3000:122::1 Gateway=212.12.48.55 +Gateway=2a00:14b0:4200:3000::1 diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network index 39d1f03..b3f497d 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net2.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -3,6 +3,7 @@ Name=net2 [Network] #DNS=212.12.50.158 +IPForward=ipv6 IPv6AcceptRA=no [Address] @@ -10,3 +11,4 @@ Address=2a00:14b0:4200:3500::130:2/112 [Route] Gateway=2a00:14b0:4200:3500::130:1 + diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index b15259d..c7fd9a7 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network 
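Review bot: In 20-net1.network, `Address=2a00:14b0:4200:3000:122::1` has no prefix length, unlike the two IPv4 addresses next to it. As far as I know, networkd then falls back to a legacy default instead of the prefix the upstream network uses, which changes what the router treats as on-link on its WAN side. Write it out as `Address=2a00:14b0:4200:3000:122::1/<prefixlen>` with the real value. The new comment block would also be clearer if it named which address serves which purpose on the line directly above each `Address=`.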
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -11,12 +11,6 @@ Description=v4-NAT # Masquerading done in nftables (nftables.conf). IPv6SendRA=yes -DHCPServer=true - -[DHCPServer] -PoolOffset=100 -PoolSize=150 - [Address] Address=10.32.2.1/24 diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network new file mode 100644 index 0000000..dd63a73 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network @@ -0,0 +1,23 @@ +[Match] +Name=net0.4 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=v4-NAT-legacy + +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=yes + +[Address] +Address=172.31.17.129/25 + +[IPv6SendRA] +UplinkInterface=net1 + +[IPv6Prefix] +Prefix=2a00:14b0:f000:23::/64 +Assign=true +Token=static:::1 diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network new file mode 100644 index 0000000..d49eb60 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network @@ -0,0 +1,22 @@ +[Match] +Name=net0.5 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=public + +IPv6SendRA=yes + +[Address] +Address=212.12.50.209/29 + +[IPv6SendRA] +UplinkInterface=net2 + +[IPv6Prefix] +Prefix=2a00:14b0:42:105::/64 +Assign=true +Token=static:::1 diff --git a/resources/chaosknoten/router/systemd_networkd_global_config.conf b/resources/chaosknoten/router/systemd_networkd_global_config.conf deleted file mode 100644 index 2d3d8a3..0000000 --- a/resources/chaosknoten/router/systemd_networkd_global_config.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Network] -IPv4Forwarding=true -IPv6Forwarding=true 
diff --git a/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 deleted file mode 100644 index 67e4b58..0000000 --- a/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 +++ /dev/null @@ -1,39 +0,0 @@ ---- -services: - frontend: - #build: ./frontend - networks: - spaceapi-network: - ipv4_address: 172.16.238.10 - image: gidsi/spaceapi-ccc-frontend:saved_from_old_host - restart: always - expose: - - "80" - depends_on: - - backend - backend: - #build: ./backend - networks: - - spaceapi-network - image: gidsi/spaceapi-ccc-backend:saved_from_old_host - restart: always - environment: - SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}" - DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}" - DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}" - depends_on: - - database - database: - image: mongo:saved_from_old_host - networks: - - spaceapi-network - restart: always - volumes: - - ./data/database:/data/db - -networks: - spaceapi-network: - ipam: - driver: default - config: - - subnet: 172.16.238.0/24 diff --git a/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf b/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf deleted file mode 100644 index 8904f5d..0000000 --- a/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf +++ /dev/null 
@@ -1,42 +0,0 @@ -# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 -server { - # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - server_name spaceapi.ccc.de; - - ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem; - # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/spaceapi.ccc.de/chain.pem; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; - # Hide the X-Forwarded header. - proxy_hide_header X-Forwarded; - # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that - # is transparent). - # Also provide "_hidden" for by, since it's not relevant. - proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; - - location / { - proxy_pass http://172.16.238.10/; - } -} 
diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index 1df2bca..fbec258 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: db: - image: mariadb:12.1.2 + image: mariadb:12.0.2 command: --max_allowed_packet=3250585600 environment: MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index 185c005..04cc006 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index e93ff93..9e2ca26 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf 
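Review bot: `set_real_ip_from 172.31.17.140` in sunders.hamburg.ccc.de.conf hard-codes the trusted PROXY-protocol sender, and the same literal is repeated in the tickets, wiki.ccchh.net, wiki.hamburg.ccc.de and zammad hunks of this diff. The directive only limits whose header rewrites `$remote_addr`; the `listen 8443 ssl http2 proxy_protocol` socket itself still accepts connections from any peer that can reach it, and the address appears to lie in the v4-NAT-legacy range added in 21-net0.4-v4_nat_legacy.network. Restrict port 8443 to that source in the host firewall and record the dependency in the comment, e.g. `# trusted PROXY-protocol sender; port 8443 must only be reachable from this address`. Moving the two directives into one shared include would keep the five vhosts from drifting apart on the next address change. The server block continues outside the hunk.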
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index d89b5b8..a564fc2 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -21,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; } diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index 5065c1d..ccdd224 100644 
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index b94cb5c..c1f9182 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2 deleted file mode 100644 index ae5681b..0000000 
--- a/resources/external/status/docker_compose/compose.yaml.j2 +++ /dev/null @@ -1,37 +0,0 @@ -# https://gatus.io/ -# https://github.com/TwiN/gatus -# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml - -services: - database: - image: docker.io/library/postgres:18.1 - volumes: - - ./database:/var/lib/postgresql - environment: - - "POSTGRES_DB=gatus" - - "POSTGRES_USER=gatus" - - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}" - networks: - - gatus - - gatus: - image: ghcr.io/twin/gatus:v5.34.0 - restart: always - ports: - - "8080:8080" - environment: - - "GATUS_CONFIG_PATH=/config" - - "POSTGRES_DB=gatus" - - "POSTGRES_USER=gatus" - - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}" - - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}" - - "ACME_DNS_UPDATE_TEST_X_API_KEY={{ secret__gatus_acme_dns_update_test_x_api_key }}" - volumes: - - ./configs:/config - networks: - - gatus - depends_on: - - database - -networks: - gatus: diff --git a/resources/external/status/docker_compose/config/easterhegg-websites.yaml b/resources/external/status/docker_compose/config/easterhegg-websites.yaml deleted file mode 100644 index 97ba482..0000000 --- a/resources/external/status/docker_compose/config/easterhegg-websites.yaml +++ /dev/null 
@@ -1,305 +0,0 @@ -# Easterhegg Websites and Websites (Redirects) -# (hosted on public-web-static) -# One could probably also generate this list from the public-web-static config. -easterhegg-websites-defaults: &easterhegg_websites_defaults - group: Websites - interval: 5m - alerts: - # - type: matrix - - type: custom - failure-threshold: 3 - success-threshold: 1 - minimum-reminder-interval: "12h" - send-on-resolved: true - -easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults - group: Websites (Redirects) - interval: 15m - alerts: - # - type: matrix - - type: custom - failure-threshold: 3 - success-threshold: 1 - minimum-reminder-interval: "24h" - send-on-resolved: true - -endpoints: - # Websites - - name: eh03.easterhegg.eu - url: "https://eh03.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easter(h)egg 2003*)" - - - name: eh05.easterhegg.eu - url: "https://eh05.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" - - - name: eh07.easterhegg.eu - url: "https://eh07.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: eh09.easterhegg.eu - url: "https://eh09.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: eh11.easterhegg.eu - url: "https://eh11.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - - name: eh20.easterhegg.eu - url: "https://eh20.easterhegg.eu" - <<: *easterhegg_websites_defaults - conditions: - - "[status] == 200" - - 
"[certificate_expiration] > 48h" - - "[BODY] == pat(*EH20 - Back to root*)" - - # Websites (Redirects) - # eh03.easterhegg.eu - - name: eh2003.hamburg.ccc.de - url: "https://eh2003.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easter(h)egg 2003*)" - - - name: www.eh2003.hamburg.ccc.de - url: "https://www.eh2003.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easter(h)egg 2003*)" - - - name: easterhegg2003.hamburg.ccc.de - url: "https://easterhegg2003.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easter(h)egg 2003*)" - - - name: www.easterhegg2003.hamburg.ccc.de - url: "https://www.easterhegg2003.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easter(h)egg 2003*)" - - # eh05.easterhegg.eu - - name: eh2005.hamburg.ccc.de - url: "https://eh2005.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" - - - name: www.eh2005.hamburg.ccc.de - url: "https://www.eh2005.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" - - - name: easterhegg2005.hamburg.ccc.de - url: "https://easterhegg2005.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" - - - name: www.easterhegg2005.hamburg.ccc.de - url: 
"https://www.easterhegg2005.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" - - # eh07.easterhegg.eu - - name: eh2007.hamburg.ccc.de - url: "https://eh2007.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: www.eh2007.hamburg.ccc.de - url: "https://www.eh2007.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: eh07.hamburg.ccc.de - url: "https://eh07.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: www.eh07.hamburg.ccc.de - url: "https://www.eh07.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: easterhegg2007.hamburg.ccc.de - url: "https://easterhegg2007.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - - name: www.easterhegg2007.hamburg.ccc.de - url: "https://www.easterhegg2007.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" - - # eh09.easterhegg.eu - - name: eh2009.hamburg.ccc.de - url: "https://eh2009.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - 
- "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: www.eh2009.hamburg.ccc.de - url: "https://www.eh2009.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: eh09.hamburg.ccc.de - url: "https://eh09.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: www.eh09.hamburg.ccc.de - url: "https://www.eh09.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: easterhegg2009.hamburg.ccc.de - url: "https://easterhegg2009.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - - name: www.easterhegg2009.hamburg.ccc.de - url: "https://www.easterhegg2009.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2009*)" - - # eh11.easterhegg.eu - - name: eh2011.hamburg.ccc.de - url: "https://eh2011.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - - name: www.eh2011.hamburg.ccc.de - url: "https://www.eh2011.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - - name: eh11.hamburg.ccc.de - url: "https://eh11.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - 
- - name: www.eh11.hamburg.ccc.de - url: "https://www.eh11.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - - name: easterhegg2011.hamburg.ccc.de - url: "https://easterhegg2011.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - - name: www.easterhegg2011.hamburg.ccc.de - url: "https://www.easterhegg2011.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*Easterhegg 2011*)" - - # eh20.easterhegg.eu - - name: www.eh20.easterhegg.eu - url: "https://www.eh20.easterhegg.eu" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*EH20 - Back to root*)" - - - name: eh20.hamburg.ccc.de - url: "https://eh20.hamburg.ccc.de" - <<: *easterhegg_websites_redirects_defaults - conditions: - - "[status] == 200" - - "[certificate_expiration] > 48h" - - "[BODY] == pat(*EH20 - Back to root*)" diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml deleted file mode 100644 index 53c620d..0000000 --- a/resources/external/status/docker_compose/config/general.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -storage: - type: postgres - path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" - maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks. - maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day. - -ui: - title: CCCHH Status - description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus. - header: CCCHH Status - buttons: - - name: Website - link: "https://hamburg.ccc.de" - - name: Git - link: "https://git.hamburg.ccc.de" - - name: Kontakt & Impressum - link: "https://hamburg.ccc.de/imprint/" - default-sort-by: group - -alerting: - # matrix: - # server-url: "https://matrix.nekover.se" - # access-token: "${MATRIX_ACCESS_TOKEN}" - # internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" - custom: - url: "https://matrix.nekover.se/_matrix/client/v3/rooms/%21jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ/send/m.room.message" - method: "POST" - body: | - { - "msgtype": "m.text", - "body": "[ALERT_TRIGGERED_OR_RESOLVED]: [ENDPOINT_GROUP] - [ENDPOINT_NAME] - [ALERT_DESCRIPTION] - [RESULT_ERRORS]" - } - headers: - Authorization: "Bearer ${MATRIX_ACCESS_TOKEN}" - - -# A bit more than the default 5 concurrent checks should be fine. -concurrency: 15 diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml deleted file mode 100644 index 2c7d59f..0000000 --- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml +++ /dev/null 
@@ -1,311 +0,0 @@ -# Services (Chaosknoten) -services-chaosknoten-defaults: &services_chaosknoten_defaults - group: Services (Chaosknoten) - interval: 1m - alerts: - # - type: matrix - - type: custom - failure-threshold: 5 - success-threshold: 2 - minimum-reminder-interval: "6h" - send-on-resolved: true - -endpoints: - - name: ACME DNS (main page/login) - url: "https://acmedns.hamburg.ccc.de" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*OAuth2 Proxy*)" - - - name: ACME DNS (health endpoint) - url: "https://acmedns.hamburg.ccc.de/health" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - - name: ACME DNS (update endpoint) - url: "https://acmedns.hamburg.ccc.de/update" - <<: *services_chaosknoten_defaults - method: POST - # acme-dns validates that the value for the txt is 43 characters long. - # https://github.com/joohoi/acme-dns/blob/b7a0a8a7bcef39f6158dd596fe716594a170d362/validation.go#L34-L41 - body: | - { - "subdomain": "c621ef99-3da9-4ef6-a152-3a82b9b720f8", - "txt": "________________gatus_test_________________" - } - headers: - X-Api-User: "b897048a-1526-42aa-bc24-e4dfd654b722" - X-Api-Key: "${ACME_DNS_UPDATE_TEST_X_API_KEY}" - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY].txt == ________________gatus_test_________________" - - - name: ACME DNS (DNS) - url: "acmedns.hosts.hamburg.ccc.de" - <<: *services_chaosknoten_defaults - dns: - query-name: "c621ef99-3da9-4ef6-a152-3a82b9b720f8.auth.acmedns.hamburg.ccc.de" - query-type: "TXT" - conditions: - - "[DNS_RCODE] == NOERROR" - # error: query type is not supported yet - # apparently TXT records aren't supported yet. 
- # - "[BODY] == ________________gatus_test_________________" - - - name: CCCHH ID/Keycloak (main page/account console) - url: "https://id.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*JavaScript is required to use the Account Console.*)" - - - name: CCCHH ID/Keycloak (ccchh realm) - url: "https://id.hamburg.ccc.de/realms/ccchh/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY].realm == ccchh" - - - name: ccchoir - url: "https://ccchoir.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*The Choir of the Chaos Computer Club*)" - - - name: Cloud (status info) - url: "https://cloud.hamburg.ccc.de/status.php" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY].installed == true" - - "[BODY].maintenance == false" - - - name: Cloud (main page/login) - url: "https://cloud.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Sign in to CCCHH*)" - - - name: cow (main page/login) - url: "https://cow.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*mailcow UI*)" - - - name: cow (SMTP port 25) - url: "tcp://cow.hamburg.ccc.de:25" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: cow (SMTPS port 465) - url: "tls://cow.hamburg.ccc.de:465" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: cow (SMTP with STARTTLS port 587) - url: "starttls://cow.hamburg.ccc.de:587" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: cow (IMAP port 143) - url: 
"tcp://cow.hamburg.ccc.de:143" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: cow (IMAPS port 465) - url: "tls://cow.hamburg.ccc.de:465" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: Design/penpot - url: "https://design.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Penpot - Design Freedom for Teams*)" - - - name: EH22 Website/Wiki - url: "https://eh22.easterhegg.eu/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2025*)" - - - name: Git - url: "https://git.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*CCCHH Git*)" - - - name: GitLab - url: "https://gitlab.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)" - - - name: Grafana - url: "https://grafana.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Sign in to CCCHH*)" - - - name: Jitsi - url: "https://jitsi.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Jitsi Meet*)" - - - name: Lists - url: "https://lists.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Mailing Lists*)" - - - name: Matrix - url: "https://matrix.hamburg.ccc.de/_matrix/client/versions" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "has([BODY].versions) == true" - - 
"has([BODY].unstable_features) == true" - - - name: Mumble (tcp) - url: "tcp://mumble.hamburg.ccc.de:64738" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: Mumble (udp) - url: "udp://mumble.hamburg.ccc.de:64738" - <<: *services_chaosknoten_defaults - conditions: - - "[CONNECTED] == true" - - - name: NetBox - url: "https://NetBox.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*NetBox*)" - - - name: ntfy - url: "https://ntfy.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*ntfy web requires JavaScript*)" - - - name: OnlyOffice - url: "https://onlyoffice.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)" - - - name: Pad - url: "https://pad.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)" - - - name: Pretalx (main page) - url: "https://pretalx.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*pretalx*)" - - - name: Pretalx (EH22/Easterhegg 2025) - url: "https://cfp.eh22.easterhegg.eu/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Easterhegg 2025*)" - - "[BODY] == pat(*pretalx*)" - - - name: SpaceAPI - url: "https://spaceapi.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY].space == CCCHH" - - - name: Surveillance under Surveillance - url: "https://sunders.hamburg.ccc.de/" - <<: 
*services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Surveillance under Surveillance*)" - - - name: Tickets/pretix - url: "https://tickets.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*pretix*)" - - - name: Wiki - url: "https://wiki.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*CCCHH Wiki*)" - - - name: Woodpecker - url: "https://woodpecker.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Woodpecker*)" - - - name: Zammad - url: "https://zammad.hamburg.ccc.de/" - <<: *services_chaosknoten_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*zammad*)" diff --git a/resources/external/status/docker_compose/config/sites.yaml b/resources/external/status/docker_compose/config/sites.yaml deleted file mode 100644 index a3444a6..0000000 --- a/resources/external/status/docker_compose/config/sites.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Sites -sites-defaults: &sites_defaults - group: Sites - interval: 1m - alerts: - # - type: matrix - - type: custom - failure-threshold: 5 - success-threshold: 2 - minimum-reminder-interval: "6h" - send-on-resolved: true - -endpoints: - - name: Chaosknoten/IRZ42 - url: "icmp://chaosknoten.hamburg.ccc.de" - <<: *sites_defaults - conditions: - - "[CONNECTED] == true" - - - name: Z9 - url: "icmp://185.161.129.129" - <<: *sites_defaults - conditions: - - "[CONNECTED] == true" diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml deleted file mode 100644 index 964a866..0000000 
--- a/resources/external/status/docker_compose/config/websites.yaml
+++ /dev/null
@@ -1,209 +0,0 @@ -# Websites, Websites (Staging) and Websites (Redirects) -# (hosted on public-web-static) -# One could probably also generate this list from the public-web-static config. -websites-defaults: &websites_defaults - group: Websites - interval: 1m - alerts: - # - type: matrix - - type: custom - failure-threshold: 5 - success-threshold: 2 - minimum-reminder-interval: "6h" - send-on-resolved: true - -websites-staging-defaults: &websites_staging_defaults - group: Websites (Staging) - interval: 5m - alerts: - # - type: matrix - - type: custom - failure-threshold: 3 - success-threshold: 1 - minimum-reminder-interval: "24h" - send-on-resolved: true - -websites-redirects-defaults: &websites_redirects_defaults - group: Websites (Redirects) - interval: 5m - alerts: - # - type: matrix - - type: custom - failure-threshold: 3 - success-threshold: 1 - minimum-reminder-interval: "24h" - send-on-resolved: true - -endpoints: - # Websites - - name: branding-resources.hamburg.ccc.de - url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*file: ccchh-logo.png*)" - - - name: c3cat.de - url: "https://c3cat.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Cat Ears Operation Center*)" - - - name: cpu.ccc.de - url: "https://cpu.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)" - - - name: cryptoparty-hamburg.de - url: "https://cryptoparty-hamburg.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" - - - name: element-admin.hamburg.ccc.de - url: "https://element-admin.hamburg.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - 
"[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Loading Element Admin*)" - - - name: element.hamburg.ccc.de - url: "https://element.hamburg.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)" - - - name: hacker.tours - url: "https://hacker.tours" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - # Once suites support alerting, we can also monitor the target as well. - - "[BODY] == pat(**)" - - - name: hackertours.hamburg.ccc.de - url: "https://hackertours.hamburg.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - # Once suites support alerting, we can also monitor the target as well. - - "[BODY] == pat(**)" - - - name: hamburg.ccc.de - url: "https://hamburg.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" - - - name: spaceapi.ccc.de - url: "https://spaceapi.ccc.de" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Kein Javascript, keine Kekse.*)" - -# Websites (Staging) - - name: staging.c3cat.de - url: "https://staging.c3cat.de" - <<: *websites_staging_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*c3cat.de Staging Environment*)" - - - name: staging.cryptoparty-hamburg.de - url: "https://staging.cryptoparty-hamburg.de" - <<: *websites_staging_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" - - - name: staging.hacker.tours - url: "https://staging.hacker.tours" - <<: *websites_staging_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] 
== pat(*hacker.tours Staging Environment*)" - - - name: staging.hackertours.hamburg.ccc.de - url: "https://staging.hackertours.hamburg.ccc.de" - <<: *websites_staging_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)" - - - name: staging.hamburg.ccc.de - url: "https://staging.hamburg.ccc.de" - <<: *websites_staging_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)" - -# Website (Redirects) - - name: www.c3cat.de - url: "https://www.c3cat.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Cat Ears Operation Center*)" - - - name: cryptoparty.hamburg.ccc.de - url: "https://cryptoparty.hamburg.ccc.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" - - - name: local.ccc.de - url: "https://local.ccc.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)" - - - name: lokal.ccc.de - url: "https://lokal.ccc.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)" - - - name: staging.cryptoparty.hamburg.ccc.de - url: "https://staging.cryptoparty.hamburg.ccc.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" - - - name: www.hamburg.ccc.de - url: "https://www.hamburg.ccc.de" - <<: *websites_redirects_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt 
Hamburg.*)" diff --git a/resources/external/status/nginx/http_handler.conf b/resources/external/status/nginx/http_handler.conf deleted file mode 100644 index c989ede..0000000 --- a/resources/external/status/nginx/http_handler.conf +++ /dev/null @@ -1,14 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name status.hamburg.ccc.de; - - location / { - return 301 https://$host$request_uri; - } - - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; - } -} diff --git a/resources/external/status/nginx/status.hamburg.ccc.de.conf b/resources/external/status/nginx/status.hamburg.ccc.de.conf deleted file mode 100644 index 510966a..0000000 --- a/resources/external/status/nginx/status.hamburg.ccc.de.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - server_name status.hamburg.ccc.de; - - ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem; - # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; - # Hide the X-Forwarded header. - proxy_hide_header X-Forwarded; - # Assume we are the only Reverse Proxy. - # Also provide "_hidden" for by, since it's not relevant. - proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; - - location / { - proxy_pass http://127.0.0.1:8080/; - } -} diff --git a/resources/z9/dooris/nginx/http_handler.conf b/resources/z9/dooris/nginx/http_handler.conf deleted file mode 100644 index 8572664..0000000 --- a/resources/z9/dooris/nginx/http_handler.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - location / { - return 301 https://$host$request_uri; - } - - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; - } -} 
diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf index 8572664..d9b336c 100644 --- a/resources/z9/light/nginx/http_handler.conf +++ b/resources/z9/light/nginx/http_handler.conf @@ -1,12 +1,14 @@ server { listen 80 default_server; listen [::]:80 default_server; + server_name _; + + location /.well-known/acme-challenge/ { + autoindex on; + root /webroot-for-acme-challenge; + } location / { return 301 https://$host$request_uri; } - - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; - } } diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf index 6217e04..9f70cf8 100644 --- a/resources/z9/light/nginx/light.conf +++ b/resources/z9/light/nginx/light.conf @@ -1,16 +1,15 @@ # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name light-werkstatt.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; # replace with the IP address of your resolver resolver 10.31.208.1; 
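Review bot: `autoindex on;` in the new `/.well-known/acme-challenge/` location of `http_handler.conf` enables directory listings for the challenge webroot over plain HTTP, which HTTP-01 validation does not need because the CA requests the exact token path. Anything that ends up under `/webroot-for-acme-challenge/.well-known/acme-challenge/` becomes enumerable by whoever can reach port 80. I would drop the directive (or write `autoindex off;`) and keep only `root /webroot-for-acme-challenge;`. The added `server_name _;` next to `default_server` is redundant but harmless.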
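Review bot: The `light-werkstatt.ccchh.net` server block in `light.conf` now loads its certificate from `/etc/letsencrypt/live/light.ccchh.net/`, so that lineage has to list `light-werkstatt.ccchh.net` as a subject alternative name or clients will get a hostname mismatch; the same holds for the `light.z9.ccchh.net` block in the next hunk. The certbot configuration is not part of this diff, so this may already be the case, but a comment above the `ssl_certificate` lines such as `# shared certificate, SANs: light.ccchh.net, light.z9.ccchh.net, light-werkstatt.ccchh.net` would make the dependency visible. Separately, the `http2` parameter of `listen` is deprecated since nginx 1.25.1 in favour of the `http2 on;` directive, so `listen 443 ssl http2;` in all three hunks of this file will log a warning on newer packages.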
@@ -26,16 +25,15 @@ server { } server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name light.z9.ccchh.net; + server_name light.z9.ccchh.net ; - ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; location / { return 307 https://light.ccchh.net$request_uri; @@ -43,9 +41,8 @@ server { } server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name light.ccchh.net; diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml deleted file mode 100644 index 09c99ee..0000000 --- a/roles/alloy/defaults/main.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -alloy_config_default: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "chaos_password" - } - } - } - - prometheus.relabel "common" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "noorg" - } - rule { - target_label = "site" - replacement = "nosite" - } - rule { - source_labels = ["instance"] - target_label = "instance" - regex = "([^:]+)" - replacement = "${1}.hosts.test" - action = "replace" - } - } - - logging { - level = "info" - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.common.receiver] - } - -alloy_config_additional: "" diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml deleted file mode 100644 index 5e3cd64..0000000 --- a/roles/alloy/tasks/main.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124 -- name: ensure alloy user exists - ansible.builtin.user: - name: alloy - system: true - append: true - create_home: false - state: present - -- name: ensure the `/etc/alloy/` config directory exists - ansible.builtin.file: - path: /etc/alloy - state: directory - mode: "0770" - owner: root - group: alloy - become: true - -- name: synchronize the additional configuration files directory, if present - when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != "" - block: - - name: ensure rsync is installed - ansible.builtin.apt: - name: rsync - become: true - - - name: synchronize the additional configuration files directory, if present - ansible.posix.synchronize: - src: "{{ alloy__additional_configs_dir }}" - dest: /etc/alloy/additional - delete: true - recursive: true - use_ssh_args: true - rsync_opts: - - "--chown=root:alloy" - become: true - -- name: delete the additional configuration files directory, if not present - when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == "" - ansible.builtin.file: - path: /etc/alloy/additional - state: absent - become: true - -- name: Setup Alloy - ansible.builtin.import_role: - name: grafana.grafana.alloy - vars: - alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}" - become: true diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml index 61a2635..5abcd10 100644 --- a/roles/ansible_pull/tasks/main.yaml +++ b/roles/ansible_pull/tasks/main.yaml @@ -3,7 +3,6 @@ - name: ensure apt dependencies are installed ansible.builtin.apt: name: - - python3-pip - virtualenv - git state: present diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml deleted file mode 100644 index ab737b7..0000000 --- a/roles/base_config/tasks/main.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason. -- name: check if cloud-init config file exists - ansible.builtin.stat: - path: /etc/cloud/cloud.cfg - register: base_config__stat_cloud_cfg - -- name: ensure the cloud-init ssh module is disabled - ansible.builtin.replace: - path: /etc/cloud/cloud.cfg - regexp: " - ssh$" - replace: " #- ssh" - become: true - when: base_config__stat_cloud_cfg.stat.exists - -# Ensure a base set of admin tools is installed. -- name: ensure a base set of admin tools is installed - ansible.builtin.apt: - name: - - vim - - joe - - nano - - htop - - btop - - ripgrep - - fd-find - - tmux - - git - - curl - - rsync - - dnsutils - - usbutils - - kitty - - gpg - become: true diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml index 9b678e9..b4a1c6f 100644 --- a/roles/certbot/meta/main.yaml +++ b/roles/certbot/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json index d55e4cb..49d4108 100644 --- a/roles/docker/files/daemon.json +++ b/roles/docker/files/daemon.json @@ -2,13 +2,5 @@ "log-driver": "journald", "log-opts": { "tag": "{{.Name}}" - }, - "ipv6": true, - "ip6tables": true, - "fixed-cidr-v6": "fd00:1::/64", - "default-network-opts": { - "bridge": { - "com.docker.network.enable_ipv6":"true" - } } } diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml index 9b678e9..b4a1c6f 100644 --- a/roles/docker/meta/main.yaml +++ b/roles/docker/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/docker/tasks/main/01_repo_setup.yaml b/roles/docker/tasks/main/01_repo_setup.yaml index 63bdb91..aa77521 100644 --- a/roles/docker/tasks/main/01_repo_setup.yaml +++ b/roles/docker/tasks/main/01_repo_setup.yaml 
@@ -9,7 +9,7 @@ - name: Ensure Docker APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" filename: docker state: present become: true diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 6f2c841..c0a7a93 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -19,10 +19,6 @@ Should work on Debian-based distributions. - `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. - `docker_compose__configuration_files.*.name`: The name of the configuration file. - `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. -- `docker_compose__build`: Whether or not to build images before starting containers. - Defaults to `always`. -- `docker_compose__pull`: Whether or not to pull images before starting containers. - Defaults to `always`. ## Links & Resources diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 621ee7b..76831d6 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1,3 +1 @@ -docker_compose__build: always docker_compose__configuration_files: [ ] -docker_compose__pull: always diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index a706ab2..bea3f4f 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml 
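Review bot: The `repo:` line of the Docker APT repository task now takes the release name from the injected top-level variable `ansible_distribution_release`, which only exists while `inject_facts_as_vars` is enabled; recent ansible-core releases deprecate relying on that default, as far as I know. `{{ ansible_facts['distribution_release'] }}` resolves the same value independently of that setting and avoids a playbook variable of the same name shadowing the fact. The two `repo:` lines in `roles/nginx/tasks/main/02_repo_setup.yaml` further down have the same dependency.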
@@ -79,8 +79,8 @@ community.docker.docker_compose_v2: project_src: /ansible_docker_compose state: present - build: "{{ docker_compose__build }}" - pull: "{{ docker_compose__pull }}" + build: always + pull: always remove_orphans: true become: true diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml index 9b678e9..b4a1c6f 100644 --- a/roles/dokuwiki/meta/main.yml +++ b/roles/dokuwiki/meta/main.yml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py index 79bd247..470f388 100644 --- a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py +++ b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py @@ -40,6 +40,7 @@ def remove_groups(response, user, backend, *args, **kwargs): def set_roles(response, user, backend, *args, **kwargs): # Remove Roles temporary user.is_superuser = False + user.is_staff = False try: groups = response['groups'] except KeyError: @@ -50,4 +51,5 @@ def set_roles(response, user, backend, *args, **kwargs): # Set roles is role (superuser or staff) is in groups user.is_superuser = True if 'superusers' in groups else False + user.is_staff = True if 'staff' in groups else False user.save() diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 index 1beeaf3..c15a653 100644 --- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 @@ -4,7 +4,6 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/roles/nginx/files/logging.conf b/roles/nginx/files/logging.conf index 3a399a6..304996f 100644 
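Review bot: `'staff' in groups` on the added last assignment of `set_roles` derives an admin flag from the OIDC `groups` claim without checking its type; if the provider ever delivers the claim as a single string instead of a list, `in` becomes a substring test and any group name that merely contains `staff` would set `is_staff`. The existing `superusers` test beside it behaves the same way. A guard such as `if not isinstance(groups, (list, tuple, set)): groups = []` before the two assignments closes that, and the assignment reads more simply as `user.is_staff = 'staff' in groups`. `set_roles` starts and ends outside both hunks, and its `except KeyError:` branch is not visible, so it is worth confirming that this branch saves the user after the first hunk resets both flags to `False`; otherwise a login without a `groups` claim may keep its earlier privileges.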
--- a/roles/nginx/files/logging.conf +++ b/roles/nginx/files/logging.conf @@ -1,2 +1,2 @@ error_log syslog:server=unix:/run/systemd/journal/dev-log,nohostname,severity=warn debug; -access_log off; +access_log syslog:server=unix:/run/systemd/journal/dev-log,nohostname,severity=info main; diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 78bb770..02b00ac 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - "11" - "12" - - "13" diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml index b4720c1..eaaec30 100644 --- a/roles/nginx/tasks/main/02_repo_setup.yaml +++ b/roles/nginx/tasks/main/02_repo_setup.yaml @@ -15,13 +15,13 @@ - name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml new file mode 100644 index 0000000..02b00ac --- /dev/null +++ b/roles/prometheus_node_exporter/meta/main.yaml @@ -0,0 +1,9 @@ +--- +dependencies: + - role: distribution_check + vars: + distribution_check__distribution_support_spec: + - name: Debian + major_versions: + - "11" + - "12" 
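Review bot: The new `access_log` line in `logging.conf` refers to the log format `main`, which has to be declared with `log_format main ...;` in the `http` context before this file is included, otherwise the configuration test fails on an unknown log format; that declaration is not visible in this diff. With access logging switched on, client addresses and full request URIs, query strings included, now reach the journal, so journald retention and read access to the journal become part of this change. I would state that above the line, for example `# access logs go to journald; they contain client IPs and request URIs`.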
diff --git a/roles/prometheus_node_exporter/tasks/main.yaml b/roles/prometheus_node_exporter/tasks/main.yaml new file mode 100644 index 0000000..c138f18 --- /dev/null +++ b/roles/prometheus_node_exporter/tasks/main.yaml @@ -0,0 +1,14 @@ +- name: make sure the `prometheus-node-exporter` package is installed + ansible.builtin.apt: + name: prometheus-node-exporter + state: present + allow_change_held_packages: true + update_cache: true + become: true + +- name: make sure `prometheus-node-exporter.service` is started and ansibled + ansible.builtin.systemd: + name: prometheus-node-exporter.service + state: started + enabled: true + become: true diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md index ac7f115..3297c47 100644 --- a/roles/systemd_networkd/README.md +++ b/roles/systemd_networkd/README.md @@ -9,8 +9,3 @@ Should work on Debian-based distributions. ## Required Arguments - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. - -## Optional Arguments - -- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`). - Defaults to `` (the empty string); diff --git a/roles/systemd_networkd/defaults/main.yaml b/roles/systemd_networkd/defaults/main.yaml deleted file mode 100644 index e84ed28..0000000 --- a/roles/systemd_networkd/defaults/main.yaml +++ /dev/null @@ -1 +0,0 @@ -systemd_networkd__global_config: "" diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml index cc8f4d9..f88ed14 100644 --- a/roles/systemd_networkd/tasks/main.yaml +++ b/roles/systemd_networkd/tasks/main.yaml 
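Review bot: Nothing in the new `prometheus_node_exporter` tasks limits who can reach the exporter: the Debian `prometheus-node-exporter` package listens on all interfaces on port 9100 by default, as far as I know, and serves host metrics without authentication. If hosts with this role are reachable from untrusted networks, the role should also set a listen address or ship a firewall rule; the diff shows neither. `allow_change_held_packages: true` lets the install task override an `apt-mark hold` an admin placed on the package, which looks unintended together with `state: present`. The second task name reads `started and ansibled`, presumably meant as `started and enabled`.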
@@ -12,21 +12,3 @@ recursive: true delete: true become: true - -- name: ensure global systemd-networkd config directory exists - ansible.builtin.file: - path: "/etc/systemd/networkd.conf.d" - state: directory - owner: root - group: root - mode: "0755" - become: true - -- name: ensure global systemd-networkd config is deployed - ansible.builtin.copy: - content: "{{ systemd_networkd__global_config }}" - dest: "/etc/systemd/networkd.conf.d/20-ansible.conf" - mode: "0644" - owner: root - group: root - become: true