From 0f8c0ffef9b96762618e5bd8164d8e983cc204bf Mon Sep 17 00:00:00 2001
From: ViMaSter
Date: Sat, 1 Nov 2025 21:50:01 +0100
Subject: [PATCH 001/101] fix: Replaces password in healthcheck with dynamic secret
---
 resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
index a5cfc5b..aa37f87 100644
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@@ -13,7 +13,7 @@ services:
 volumes:
 - mariadb:/var/lib/mysql
 healthcheck:
- test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"]
+ test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_camera_password }}"]
 interval: 10s
 timeout: 5s
 start_period: 30s
From 53b2f491f87c8f3dac3c8240affaf96ddb33bda0 Mon Sep 17 00:00:00 2001
From: ViMaSter
Date: Sat, 1 Nov 2025 21:53:43 +0100
Subject: [PATCH 002/101] fix: Uses root password
---
 resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
index aa37f87..fbec258 100644
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@@ -13,7 +13,7 @@ services:
 volumes:
 - mariadb:/var/lib/mysql
 healthcheck:
- test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_camera_password }}"]
+ test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"]
 interval: 10s
 timeout: 5s
 start_period: 30s
From c3f71b1f0801ddf0f1265dbf057ebf295ed73acf Mon Sep 17 00:00:00 2001
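Review bot: After this hunk and the two follow-ups (PATCH 002 on this line and the squashed PATCH 003 on the next) the MariaDB root password is still handed to the liveness probe as a command-line argument, so it is baked into the container definition and readable through `docker inspect` / `docker compose config`, and a mere "is the server up" check runs as the most privileged account. If this stack uses the official `mariadb` image, its bundled `healthcheck.sh` needs no password in the Compose file at all: `test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]` — the image tag is not visible in the hunk, so confirm the tag in use ships that script. The first hunk's `secret__sunders_db_camera_password` combined with `-uroot` would have made the probe fail; PATCH 002 already corrects that, so only the credential-exposure point remains open.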
From: ViMaSter Date: Sun, 2 Nov 2025 20:24:55 +0100 Subject: [PATCH 003/101] sunders: replace password in healthcheck with dynamic secret https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/55 Co-authored-by: ViMaSter Co-committed-by: ViMaSter --- resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index a5cfc5b..fbec258 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: volumes: - mariadb:/var/lib/mysql healthcheck: - test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"] + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"] interval: 10s timeout: 5s start_period: 30s From 8cefd07618b575ce41ddecae05890a48a62bfa0a Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 23:59:38 +0200 Subject: [PATCH 004/101] docker_compose(role): remove distribution check The distribution check isn't really needed in our setup anyway and just adds unnecessary noise. --- roles/docker_compose/README.md | 4 +--- roles/docker_compose/meta/main.yaml | 7 ------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index d3204ec..14d0107 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -7,9 +7,7 @@ A use case for the deployment of the additional configuration files is Composes ## Supported Distributions -The following distributions are supported: - -- Debian 11 +Should work on Debian-based distributions. ## Required Arguments diff --git a/roles/docker_compose/meta/main.yaml b/roles/docker_compose/meta/main.yaml index b9a6980..cb7d8e0 100644 
--- a/roles/docker_compose/meta/main.yaml +++ b/roles/docker_compose/meta/main.yaml @@ -1,10 +1,3 @@ --- dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - 11 - - 12 - role: docker From e390b7c20249b0eed56bf34ff3360f91f26958fa Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:00:58 +0200 Subject: [PATCH 005/101] docker_compose(role): remove unnecessary hosts section from README The hosts section isn't really relevant for that role, so remove it. --- roles/docker_compose/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 14d0107..7246899 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -13,10 +13,6 @@ Should work on Debian-based distributions. For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## `hosts` - -The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running. - ## Links & Resources - From 9f8d2d89cd8e17c2c23230764696410e2c9061d6 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:07:36 +0200 Subject: [PATCH 006/101] docker_compose(role): move argument documentation to README Do this to match newer roles and since reading documentation from argument_specs is quite unergonomic. --- roles/docker_compose/README.md | 9 ++++++++- roles/docker_compose/meta/argument_specs.yaml | 11 ----------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 7246899..c0a7a93 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md 
@@ -11,7 +11,14 @@ Should work on Debian-based distributions. ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`. + +## Optional Arguments + +- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`. +- `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. +- `docker_compose__configuration_files.*.name`: The name of the configuration file. +- `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. ## Links & Resources diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml index c588ba0..664496e 100644 --- a/roles/docker_compose/meta/argument_specs.yaml +++ b/roles/docker_compose/meta/argument_specs.yaml @@ -2,31 +2,20 @@ argument_specs: main: options: docker_compose__compose_file_content: - description: >- - The content of the Compose file at - `/ansible_docker_compose/compose.yaml`. type: str required: true docker_compose__env_file_content: - description: >- - The content of the .env file at - `/ansible_docker_compose/.env`. type: str required: false docker_compose__configuration_files: - description: >- - A list of configuration files to be deployed in the - `/ansible_docker_compose/configs/` directory. type: list elements: dict required: false default: [ ] options: name: - description: The name of the configuration file. type: str required: true content: - description: The content of the configuration file. type: str required: true From ae60d6fea6305f6719d33042373eea40d121e597 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 2 Nov 2025 23:13:20 +0100 Subject: [PATCH 007/101] docker_compose(role): use community.docker.docker_compose_v2 module Use the community.docker.docker_compose_v2 module as it supports proper changed handling out of the box, making the roles code more straightforward and work. Also just do a docker compose restart instead of having the custom docker compose reload script. https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html --- inventories/z9/host_vars/yate.yaml | 1 - requirements.yml | 3 ++ roles/docker_compose/defaults/main.yaml | 1 - roles/docker_compose/handlers/main.yaml | 18 +++++----- roles/docker_compose/tasks/main.yaml | 46 ++++++------------------- 5 files changed, 21 insertions(+), 48 deletions(-) diff --git a/inventories/z9/host_vars/yate.yaml b/inventories/z9/host_vars/yate.yaml index d2dc518..fecacb1 100644 --- a/inventories/z9/host_vars/yate.yaml +++ b/inventories/z9/host_vars/yate.yaml @@ -6,4 +6,3 @@ docker_compose__configuration_files: content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}" - name: regfile.conf content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}" -docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'" diff --git a/requirements.yml b/requirements.yml index e5538cc..6011bda 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,3 +6,6 @@ collections: - name: community.sops version: ">=2.2.4" source: https://galaxy.ansible.com + - name: community.docker + version: ">=5.0.0" + source: https://galaxy.ansible.com diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 1312972..76831d6 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1,2 +1 @@ docker_compose__configuration_files: [ ] -docker_compose__restart_cmd: "" 
diff --git a/roles/docker_compose/handlers/main.yaml b/roles/docker_compose/handlers/main.yaml index 49e064c..2aff0fe 100644 --- a/roles/docker_compose/handlers/main.yaml +++ b/roles/docker_compose/handlers/main.yaml @@ -1,13 +1,11 @@ - name: docker compose down - ansible.builtin.command: - cmd: /usr/bin/docker compose down - chdir: /ansible_docker_compose + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: absent become: true - changed_when: true # This is always changed. -- name: docker compose reload script - ansible.builtin.command: - cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }} - chdir: /ansible_docker_compose + +- name: docker compose restart + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: restarted become: true - changed_when: true # Mark this as always changed (for now?). - when: docker_compose__restart_cmd != "" diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index 7b01304..bea3f4f 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml @@ -59,7 +59,7 @@ state: absent become: true loop: "{{ docker_compose__config_files_to_remove.files }}" - # notify: docker compose down + notify: docker compose restart - name: make sure all given configuration files are deployed ansible.builtin.copy: 
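Review bot: The new `docker compose restart` handler (`state: restarted`) is flushed before the `docker compose up` task (the `flush_handlers` task in the following hunk), so a run that changes both a configuration file and the Compose file first restarts the still-running old containers and then has `up` recreate them — two interruptions where one would do. Notifying the restart handler only from the configuration-file tasks and letting `up` absorb Compose-file changes avoids that, but it depends on what the Compose-file deploy task outside these hunks notifies, which is not visible here. The `docker compose down` handler (`state: absent`) is kept although nothing in the visible hunks notifies it any more; if it is now unused it should be removed together with its mention in the flush task name, otherwise a comment on the handler saying who triggers it would help.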
@@ -70,45 +70,19 @@ group: root become: true loop: "{{ docker_compose__configuration_files }}" - # notify: docker compose down - notify: docker compose reload script + notify: docker compose restart -- name: Flush handlers to make "docker compose down" handler run now +- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now ansible.builtin.meta: flush_handlers -- name: docker compose ps --format json before docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose +- name: docker compose up + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: present + build: always + pull: always + remove_orphans: true become: true - changed_when: false - register: docker_compose__ps_json_before_up - -- name: docker compose up --detach --pull always --build - ansible.builtin.command: - cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans - chdir: /ansible_docker_compose - become: true - changed_when: false - # The changed for this task is tried to be determined by the "potentially - # report changed" task together with the "docker compose ps --format json - # [...]" tasks. - -- name: docker compose ps --format json after docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose - become: true - changed_when: false - register: docker_compose__ps_json_after_up - -# Doesn't work anymore. Dunno why. -# TODO: Fix -# - name: potentially report changed -# ansible.builtin.debug: -# msg: "If this reports changed, then the docker compose containers changed." -# changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort) -# != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort) - name: Make sure anacron is installed become: true 
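Review bot: `pull: always` together with `build: always` in the new `docker compose up` task makes every playbook run re-pull every image reference and redeploy whatever the tag resolves to at that moment; for any service pinned to a mutable tag this turns a routine Ansible run into an unreviewed upgrade path, and a moved or compromised upstream tag reaches production automatically without a commit in this repository. `pull: missing` (or `pull: policy` with per-service `pull_policy` in the Compose file) keeps upgrades tied to Renovate-driven version bumps; if always pulling is intentional, add a comment on the task stating that and noting the module will report `changed` whenever an upstream tag has moved. The enclosing task list starts before this hunk.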
From d690f81e3df40f85665d3c52ddc8d8f4418aebe1 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Wed, 5 Nov 2025 23:08:08 +0100
Subject: [PATCH 008/101] deploy_ssh_server_config: setup ssh pq cryptography
---
 roles/deploy_ssh_server_config/templates/sshd_config.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2
index eefafa4..307f213 100644
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@@ -17,7 +17,15 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
+
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
+KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% else %}
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% endif %}
+
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
From cffe5c2b1642c14839baf750e82d65bbe141d8fe Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 6 Nov 2025 18:25:29 +0100
Subject: [PATCH 009/101] dooris: use hostname instead of IP
---
 inventories/z9/hosts.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 9d5bb09..9f4a692 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
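Review bot: The `{% else %}` branch silently drops the hybrid post-quantum key exchange for every host that is not exactly Debian 12 or 13 — a Debian testing host, where `distribution_major_version` is typically not a plain number, or a host that later upgrades to 14 — so such machines fall back to classical-only kex with nothing flagging it, which is the opposite of what a security template should do by default. Gating on the installed OpenSSH version (gathered in a task) or at least on `ansible_facts["distribution_release"]`, with the PQ-capable line as the default and the classical-only line as the explicit exception, would fail safe; and the three branches repeat the classical suffix verbatim, which a single `{% set kex_classic = "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" %}` followed by `KexAlgorithms mlkem768x25519-sha256,{{ kex_classic }}` per branch would remove. PATCH 013 further down the page adds `sntrup761x25519-sha512` to the Debian 13 branch as well, which widens that duplication.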
@@ -4,7 +4,7 @@ all: ansible_host: authoritative-dns.z9.ccchh.net ansible_user: chaos dooris: - ansible_host: 10.31.208.201 + ansible_host: dooris.z9.ccchh.net ansible_user: chaos light: ansible_host: light.z9.ccchh.net From aeec08fce8573b0625e60f9bee4027b575933fbe Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 6 Nov 2025 21:16:36 +0100 Subject: [PATCH 010/101] remove distribution checks Signed-Off-By: june --- roles/foobazdmx/meta/main.yaml | 8 -------- roles/ola/meta/main.yaml | 8 -------- 2 files changed, 16 deletions(-) delete mode 100644 roles/foobazdmx/meta/main.yaml delete mode 100644 roles/ola/meta/main.yaml diff --git a/roles/foobazdmx/meta/main.yaml b/roles/foobazdmx/meta/main.yaml deleted file mode 100644 index 386685c..0000000 --- a/roles/foobazdmx/meta/main.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" diff --git a/roles/ola/meta/main.yaml b/roles/ola/meta/main.yaml deleted file mode 100644 index 386685c..0000000 --- a/roles/ola/meta/main.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" From 63917722ff0a9d292aa012eaa2dfcc6baf15fcae Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 6 Nov 2025 21:16:36 +0100 Subject: [PATCH 011/101] fix foobazdmx role poetry is available via apt now so we install it that way --- roles/foobazdmx/tasks/main.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/foobazdmx/tasks/main.yaml b/roles/foobazdmx/tasks/main.yaml index f6e6097..33197b5 100644 --- a/roles/foobazdmx/tasks/main.yaml +++ b/roles/foobazdmx/tasks/main.yaml 
@@ -7,11 +7,7 @@ - python3 - python3-pip - python3-setuptools - -- name: Ensure python peotry is installed - become: true - ansible.builtin.pip: - name: poetry + - python3-poetry - name: Ensure foobazdmx user exists become: true From 6fea98ffd219395e206f227d9ebb47a8e9aacae9 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Fri, 7 Nov 2025 20:09:02 +0100 Subject: [PATCH 012/101] Redirect to 39c3 instead of eh22 --- .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 40882d8..9e2ca26 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -38,11 +38,7 @@ server { location = / { #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix; - return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/; - } - - location = /hackertours/eh22/ { - return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/; + return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/; } location / { From 5f6000adcadb0be3dc917f2b5aaf55b15a7f5d9d Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 11 Nov 2025 22:47:42 +0100 Subject: [PATCH 013/101] ssh_config: also enable sntrup761x25519-sha512 for Debain 13 tldr: PQC algorithms are complex but sntrup still is not brocken --- roles/deploy_ssh_server_config/templates/sshd_config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2 index 307f213..c967502 100644 --- a/roles/deploy_ssh_server_config/templates/sshd_config.j2 +++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2 
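Review bot: Adding `python3-poetry` to the apt package list does not remove the poetry that the deleted `ansible.builtin.pip` task installed system-wide on hosts already provisioned, so those hosts end up with two installations and the pip one (typically under `/usr/local/bin`, ahead of `/usr/bin` in `PATH`) keeps being the one that runs while receiving no security updates from apt. A one-off cleanup task alongside the apt install converges existing hosts and is a no-op on fresh ones; the `ansible.builtin.apt` task that owns this package list starts above the hunk.
```yaml
- name: Remove pip-installed poetry superseded by the python3-poetry package
  become: true
  ansible.builtin.pip:
    name: poetry
    state: absent
```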
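Review bot: Removing the `location = /hackertours/eh22/` block means links to that path, which used to be redirected to the eh22 shop, now fall through to the catch-all `location /` below the hunk, so whatever the proxied application returns for that path is served instead of a redirect — likely a 404 for old material still in circulation. If the eh22 links should keep working, retain `location = /hackertours/eh22/ { return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/; }` next to the new root redirect; if the commit deliberately retires them, say so in the message. The commented-out `#return 302 https://wiki.hamburg.ccc.de/...` line survives the change; if the wiki overview is no longer the intended fallback it can go as well.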
@@ -19,7 +19,7 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
 {% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
-KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
 KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% else %}
From 80acd5fdc62366260a8d88113ed46963fe2616a7 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Tue, 11 Nov 2025 23:03:59 +0100
Subject: [PATCH 014/101] grafana: store date for up to 28 days
---
 resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index d739b2f..c5b8f2d 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -8,6 +8,7 @@ services:
 - '--config.file=/etc/prometheus/prometheus.yml'
 - '--web.enable-remote-write-receiver'
 - '--enable-feature=promql-experimental-functions'
+ - '--storage.tsdb.retention.time=28d'
 ports:
 - 9090:9090
 restart: unless-stopped
From ddab1576007b222cf9b1ff752626d7d979b47d5a Mon Sep 17 00:00:00 2001
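Review bot: Placing `sntrup761x25519-sha512` ahead of `mlkem768x25519-sha256` on the Debian 13 line does not make the server prefer it: in the SSH key-exchange negotiation the client's order decides and the server list only defines what is acceptable, so this hunk widens compatibility (clients that support sntrup761 but not ML-KEM) rather than changing preference. The commit message ("sntrup still is not brocken") suggests a preference change was intended; a short comment in the template, e.g. `{# server order is not a preference; both hybrids are offered so either PQ-capable client can negotiate one #}`, would prevent the next reader from reordering it for the wrong reason. The Debian 12 and 13 lines now differ only by the `mlkem768x25519-sha256` entry, which strengthens the case for the shared-suffix variable suggested on the PATCH 008 hunk.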
From: June Date: Tue, 18 Nov 2025 14:24:21 +0100 Subject: [PATCH 015/101] don't pin digests anymore The benefit of digest pinning isn't that great for this project really and it comes at the cost of more issues and additional renovate noise, so just don't anymore. Adjust renovate config accordingly as well. --- .forgejo/workflows/lint.yaml | 4 ++-- renovate.json | 18 ++++++++---------- .../ccchoir/docker_compose/compose.yaml.j2 | 4 ++-- .../grafana/docker_compose/compose.yaml.j2 | 18 +++++++++--------- .../keycloak/docker_compose/compose.yaml.j2 | 2 +- .../lists/docker_compose/compose.yaml | 6 +++--- .../ntfy/docker_compose/compose.yaml.j2 | 2 +- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../pad/docker_compose/compose.yaml.j2 | 4 ++-- .../pretalx/docker_compose/compose.yaml.j2 | 10 +++++----- .../tickets/docker_compose/compose.yaml.j2 | 6 +++--- .../docker_compose/compose.yaml.j2 | 2 +- 12 files changed, 38 insertions(+), 40 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index a867c13..23bf6d2 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5 - name: Install pip run: | apt update @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.9.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/renovate.json b/renovate.json index 7e604c1..711c627 100644 --- a/renovate.json +++ b/renovate.json 
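Review bot: Unpinning `actions/checkout` from a commit SHA to the floating major tag `@v5` is a different trade-off from the image unpinning the commit message argues for: the action executes inside CI with the repository checked out and whatever credentials the Forgejo runner provides, and a moved `v5` tag runs new code here without any change in this repository. If SHA pins are too noisy for the workflow, pinning to a full release tag (as the `ansible-lint@v25.9.2` line in the second hunk already does) limits exposure to a re-pushed release tag instead of every future v5 release; a one-line comment above the step saying why the workflow is exempt from digest pinning would also save the next reader from re-adding it. The `renovate.json` hunk on the following line is where the dropped `config:best-practices` preset presumably enforced action pinning before.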
@@ -1,13 +1,17 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:recommended", // Included in config:best-practices anyway, but added for clarity. - "config:best-practices", + "config:recommended", + // Parts from config:best-practices: + // https://docs.renovatebot.com/presets-config/#configbest-practices + ":configMigration", + "abandonments:recommended", + "security:minimumReleaseAgeNpm", + ":ignoreUnstable", ":disableRateLimiting", ":rebaseStalePrs", - ":label(renovate)", - "group:allDigest" + ":label(renovate)" ], "semanticCommits": "disabled", "packageRules": [ @@ -28,12 +32,6 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" - }, - // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images. - { - "matchDatasources": ["docker"], - "matchPackageNames": ["git.hamburg.ccc.de/*"], - "pinDigests": false } ], "customManagers": [ diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 index ffe491b..c2108d8 100644 --- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71 + image: docker.io/library/mariadb:11 environment: - "MARIADB_DATABASE=wordpress" - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}" @@ -17,7 +17,7 @@ services: restart: unless-stopped app: - image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4 + image: docker.io/library/wordpress:6-php8.1 environment: - "WORDPRESS_DB_HOST=database" - "WORDPRESS_DB_NAME=wordpress" 
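Review bot: With `config:best-practices` replaced by a hand-picked subset, the only release-age safeguard left is `security:minimumReleaseAgeNpm`, which applies to npm and therefore to nothing in this repository, while the Docker images that are no longer digest-pinned get no cool-down at all; a `"minimumReleaseAge"` entry in a `packageRules` rule with `"matchDatasources": ["docker"]` would give a window for a compromised or broken upstream tag to be noticed before Renovate proposes it. The `//` comments in the `extends` list rely on Renovate parsing `renovate.json` as JSON5, which works but trips plain-JSON tooling and editor validation against the declared `$schema`; renaming the file to `renovate.json5` makes the intent explicit.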
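Review bot: Dropping the `@sha256:` digests leaves `mariadb:11` and `wordpress:6-php8.1` pinned only to a major (or major+PHP) tag, and since the `docker_compose` role now runs `docker compose up` with `pull: always` (PATCH 007 above), every Ansible run will deploy whatever those tags currently resolve to, with no commit recording the upgrade; the same applies to the remaining image hunks of this patch (grafana, keycloak, lists, ntfy, onlyoffice, pad, pretalx, tickets and waybackproxy Compose files on the following lines). If digest pinning is off the table, pinning to full `major.minor.patch` tags (as most of the other stacks in this patch already do) keeps upgrades reviewable and lets Renovate drive them; the exception should then be documented in the role README so it is not read as an oversight.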
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index c5b8f2d..74d7916 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7 + image: docker.io/prom/prometheus:v3.7.2 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba + image: docker.io/prom/alertmanager:v0.28.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b + image: docker.io/grafana/grafana:12.2.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df + image: docker.io/prompve/prometheus-pve-exporter:3.5.5 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8 + image: docker.io/grafana/loki:3.5.7 container_name: loki ports: - 13100:3100 
@@ -70,7 +70,7 @@ services: - loki_data:/var/loki ntfy-alertmanager-ccchh-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh-critical volumes: - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config @@ -79,7 +79,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux-critical volumes: - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config @@ -88,7 +88,7 @@ services: restart: unless-stopped ntfy-alertmanager-ccchh: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh volumes: - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config @@ -97,7 +97,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux volumes: - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index d91a254..9fde708 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 
@@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb + image: docker.io/library/postgres:15.14 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index 8537ead..cdfd70a 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -1,7 +1,7 @@ services: mailman-core: restart: unless-stopped - image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-core hostname: mailman-core volumes: @@ -25,7 +25,7 @@ services: mailman-web: restart: unless-stopped - image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-web hostname: mailman-web depends_on: @@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a + image: docker.io/library/postgres:12-alpine volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 07e8d9e..9fe2a7a 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 
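Review bot: Independent of the digest change, the `database` service in `resources/chaosknoten/lists/docker_compose/compose.yaml` still carries a literal `POSTGRES_PASSWORD=` value in a plain, non-templated file committed to the repository (context line of the `@@ -56` hunk), whereas every other stack on this page pulls database credentials from `{{ secret__... }}` variables. That credential should be rotated and moved into the sops-managed secrets like the others, turning the file into a `.j2` template as the neighbouring stacks do; the `mailman-core` and `mailman-web` services in the hunks above presumably reference the same password and would need the same treatment.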
@@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef + image: docker.io/binwiederhier/ntfy:v2.14.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index 5c9a42a..f3444ac 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d + image: docker.io/onlyoffice/documentserver:9.1.0 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 70dc7e6..455caa3 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73 + image: quay.io/hedgedoc/hedgedoc:1.10.3 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 243a468..3de7eac 100644 
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd + image: docker.io/library/redis:8.2.2 restart: unless-stopped volumes: - redis:/data @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f + image: docker.io/library/nginx:1.29.3 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index deb9f50..6509a99 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 
@@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514 + image: docker.io/library/redis:7.4.6 ports: - "6379:6379" volumes: @@ -25,7 +25,7 @@ services: backend: pretix: - image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe + image: docker.io/pretix/standalone:2024.8 command: ["all"] ports: - "8345:80" diff --git a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 index 52d57df..b6752fa 100644 --- a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 +++ b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ services: # https://github.com/richardg867/WaybackProxy waybackproxy: - image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e + image: cttynul/waybackproxy:latest environment: DATE: 19990101 DATE_TOLERANCE: 730 From 0eaaf9227c730d0c0efe9f60381ecd38fee1d0ef Mon Sep 17 00:00:00 2001 
From: Renovate Date: Wed, 19 Nov 2025 13:30:39 +0000 Subject: [PATCH 016/101] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++---- .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 23bf6d2..d29fb6e 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.11.0 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index 0cbcd4d..fc4e23c 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,7 +1,7 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.14 +nextcloud__postgres_version: 15.15 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 60dd94a..3be8bdd 100644 
--- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.5" +netbox__version: "v4.4.6" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 74d7916..2d598f9 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2 + image: docker.io/prom/prometheus:v3.7.3 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1 + image: docker.io/prom/alertmanager:v0.29.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1 + image: docker.io/grafana/grafana:12.3.0 container_name: grafana ports: - 3000:3000 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7 + image: docker.io/grafana/loki:3.6.0 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 9fde708..a260ab1 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 
@@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14 + image: docker.io/library/postgres:15.15 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 9fe2a7a..50df05d 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0 + image: docker.io/binwiederhier/ntfy:v2.15.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 3de7eac..dda67bb 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2 + image: docker.io/library/redis:8.4.0 restart: unless-stopped volumes: - redis:/data diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 6509a99..938883b 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6 + image: docker.io/library/redis:7.4.7 ports: - "6379:6379" volumes: From df3710f0196206bbfae0996dcbc1ed7b9d8f09bf Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 2 Dec 2025 22:55:29 +0100 Subject: [PATCH 017/101] grafana: set alloy to version v1.11.3 1.12.0 is buggy --- inventories/chaosknoten/host_vars/grafana.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 2e3672e..0037fcc 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" - +alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From c39cb0e3909ca53df08e6389603cfbb77e32da2b Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 6 Dec 2025 22:11:53 +0100 Subject: [PATCH 018/101] we dont need to set a specific alloy version --- inventories/chaosknoten/host_vars/grafana.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 0037fcc..ecc942c 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,6 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From 766aa125c4da85009ae7d3023be55dbc37c47d65 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 23 Feb 2025 18:49:19 +0100 Subject: [PATCH 019/101] router(host): introduce router --- inventories/chaosknoten/hosts.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index b9e6358..e668d49 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -51,6 +51,9 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos + router: + ansible_host: router.hamburg.ccc.de + ansible_user: chaos wiki: ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos @@ -88,6 +91,7 @@ base_config_hosts: pad: pretalx: public-reverse-proxy: + router: tickets: wiki: zammad: @@ -173,6 +177,7 @@ infrastructure_authorized_keys_hosts: pad: pretalx: public-reverse-proxy: + router: wiki: zammad: ntfy: From d6ba70523cd45b95845acb49741bbaa699703994 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 20:05:02 +0200 Subject: [PATCH 020/101] systemd_networkd(role): introd. role for deploy. systemd-networkd config --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/systemd_networkd/README.md | 11 +++++++++++ roles/systemd_networkd/meta/argument_specs.yaml | 6 ++++++ roles/systemd_networkd/tasks/main.yaml | 14 ++++++++++++++ 5 files changed, 38 insertions(+) create mode 100644 roles/systemd_networkd/README.md create mode 100644 roles/systemd_networkd/meta/argument_specs.yaml create mode 100644 roles/systemd_networkd/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e668d49..51d2b56 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -98,6 +98,8 @@ base_config_hosts: ntfy: sunders: renovate: +systemd_networkd_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index d7bacac..ec7db50 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -4,6 +4,11 @@ roles: - base_config +- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts + hosts: systemd_networkd_hosts + roles: + - systemd_networkd + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: 
diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md new file mode 100644 index 0000000..3297c47 --- /dev/null +++ b/roles/systemd_networkd/README.md @@ -0,0 +1,11 @@ +# Role `systemd_networkd` + +Deploys the given systemd-networkd configuration files. + +## Support Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml new file mode 100644 index 0000000..81b046a --- /dev/null +++ b/roles/systemd_networkd/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + systemd_networkd__config_dir: + type: path + required: true diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml new file mode 100644 index 0000000..f88ed14 --- /dev/null +++ b/roles/systemd_networkd/tasks/main.yaml @@ -0,0 +1,14 @@ +- name: ensure rsync is installed + ansible.builtin.apt: + name: rsync + state: present + become: true + +- name: synchronize systemd-networkd configs + ansible.posix.synchronize: + src: "{{ systemd_networkd__config_dir }}" + dest: "/etc/systemd/network" + archive: false + recursive: true + delete: true + become: true From a9e394da063211b91f6c120dfa5a30f52aac64ad Mon Sep 17 00:00:00 2001 
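Review bot: The `ansible.posix.synchronize` task in roles/systemd_networkd/tasks/main.yaml copies the files into /etc/systemd/network but nothing reloads systemd-networkd afterwards, so a changed .network/.netdev file only takes effect at the next reboot or a manual `networkctl reload`; a handler running `networkctl reload` via `ansible.builtin.command` with `become: true`, notified from the synchronize task, would close that gap (.link files are applied by udev and may additionally need a device re-trigger — verify on a target). `delete: true` also removes every file in /etc/systemd/network that is not in `systemd_networkd__config_dir`, which is presumably intended for a fully managed router but should be stated in the role's README since it will wipe any host-local config. With `archive: false` and no `perms:`/`mode`, the files get rsync's default permissions; that is fine for the current content, but if a .netdev ever carries key material (e.g. a WireGuard `PrivateKey=`) it needs to be readable only by root and the `systemd-network` group.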
From: June Date: Sat, 20 Sep 2025 20:03:30 +0200 Subject: [PATCH 021/101] router(host): add systemd-networkd-based network config --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../router/systemd_networkd/00-net0.link | 6 ++++ .../router/systemd_networkd/00-net1.link | 6 ++++ .../router/systemd_networkd/00-net2.link | 6 ++++ .../systemd_networkd/10-net0.2-v4_nat.netdev | 7 +++++ .../10-net0.3-ci_runner.netdev | 7 +++++ .../router/systemd_networkd/20-net0.network | 12 ++++++++ .../router/systemd_networkd/20-net1.network | 14 +++++++++ .../router/systemd_networkd/20-net2.network | 14 +++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 23 +++++++++++++++ .../21-net0.3-ci_runners.network | 29 +++++++++++++++++++ 12 files changed, 126 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/router.yaml create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net0.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net1.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net2.link create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net0.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net1.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net2.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml new file mode 100644 index 0000000..b181c0a --- /dev/null +++ b/inventories/chaosknoten/host_vars/router.yaml 
@@ -0,0 +1 @@ +systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 51d2b56..d3217ab 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -100,6 +100,7 @@ base_config_hosts: renovate: systemd_networkd_hosts: hosts: + router: docker_compose_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link new file mode 100644 index 0000000..0c55d13 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net0.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:54:11:15 +Type=ether + +[Link] +Name=net0 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link new file mode 100644 index 0000000..ef04d04 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:9A:FB:34 +Type=ether + +[Link] +Name=net1 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link new file mode 100644 index 0000000..2a56f72 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net2.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:AE:C7:04 +Type=ether + +[Link] +Name=net2 diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev new file mode 100644 index 0000000..a46afb4 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=net0.2 +Kind=vlan + +[VLAN] +Id=2 + 
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev new file mode 100644 index 0000000..0cd60db --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=net0.3 +Kind=vlan + +[VLAN] +Id=3 + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network new file mode 100644 index 0000000..a32d75e --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network @@ -0,0 +1,12 @@ +[Match] +Name=net0 + +[Link] +RequiredForOnline=no + +[Network] +VLAN=net0.2 +VLAN=net0.3 + +LinkLocalAddressing=no + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network new file mode 100644 index 0000000..c8bffc1 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -0,0 +1,14 @@ +[Match] +Name=net1 + +[Network] +DNS=212.12.50.158 +IPForward=ipv4 +IPv6AcceptRA=no + +[Address] +Address=212.12.48.123/24 + +[Route] +Gateway=212.12.48.55 + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network new file mode 100644 index 0000000..b3f497d --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -0,0 +1,14 @@ +[Match] +Name=net2 + +[Network] +#DNS=212.12.50.158 +IPForward=ipv6 +IPv6AcceptRA=no + +[Address] +Address=2a00:14b0:4200:3500::130:2/112 + +[Route] +Gateway=2a00:14b0:4200:3500::130:1 + diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network new file mode 100644 index 0000000..880dd1d --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network 
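Review bot: `IPForward=ipv4` in 20-net1.network and `IPForward=ipv6` in 20-net2.network use the deprecated setting; since systemd 256 the documented settings are `IPv4Forwarding=` and `IPv6Forwarding=`, and on those versions forwarding is configured per interface rather than as a global sysctl, so enabling it only on the two WAN interfaces does not by itself enable forwarding for packets arriving on net0.2/net0.3. The role is documented for Debian-based targets without a version, so which semantics apply depends on the installed systemd; I would set `IPv4Forwarding=yes` / `IPv6Forwarding=yes` on the VLAN .network files (or globally in networkd.conf) and check the per-interface `forwarding` sysctls of the VLAN interfaces after deployment. A one-line comment in 20-net1.network noting which systemd version the setting targets would save the next reader the same investigation.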
@@ -0,0 +1,23 @@ +[Match] +Name=net0.2 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=v4-NAT + +IPMasquerade=ipv4 +IPv6SendRA=yes + +[Address] +Address=10.32.2.1/24 + +[IPv6SendRA] +UplinkInterface=net2 + +[IPv6Prefix] +Prefix=2a00:14b0:42:102::/64 +Assign=true +Token=static:::1 diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network new file mode 100644 index 0000000..6f73beb --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network @@ -0,0 +1,29 @@ +[Match] +Name=net0.3 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=ci-runners + +IPMasquerade=ipv4 +IPv6SendRA=yes + +DHCPServer=true + +[DHCPServer] +PoolOffset=100 +PoolSize=150 + +[Address] +Address=10.32.3.1/24 + +[IPv6SendRA] +UplinkInterface=net2 + +[IPv6Prefix] +Prefix=2a00:14b0:42:103::/64 +Assign=true +Token=static:::1 From d0618e382050aeabb4d50942df03d89bfb16f91a Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 21:38:39 +0200 Subject: [PATCH 022/101] nftables(role): introduce role for deploying nftables --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/nftables/README.md | 11 +++++++++++ roles/nftables/handlers/main.yaml | 5 +++++ roles/nftables/meta/argument_specs.yaml | 6 ++++++ roles/nftables/tasks/main.yaml | 15 +++++++++++++++ 6 files changed, 44 insertions(+) create mode 100644 roles/nftables/README.md create mode 100644 roles/nftables/handlers/main.yaml create mode 100644 roles/nftables/meta/argument_specs.yaml create mode 100644 roles/nftables/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index d3217ab..55ab696 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -101,6 +101,8 @@ base_config_hosts: systemd_networkd_hosts: hosts: router: +nftables_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index ec7db50..f416b91 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -9,6 +9,11 @@ roles: - systemd_networkd +- name: Ensure nftables deployment on nftables_hosts + hosts: nftables_hosts + roles: + - nftables + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/roles/nftables/README.md b/roles/nftables/README.md new file mode 100644 index 0000000..81d8871 --- /dev/null +++ b/roles/nftables/README.md @@ -0,0 +1,11 @@ +# Role `nftables` + +Deploys nftables. + +## Support Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `nftables__config`: nftables configuration to deploy. diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml new file mode 100644 index 0000000..3b72c54 --- /dev/null +++ b/roles/nftables/handlers/main.yaml @@ -0,0 +1,5 @@ +- name: Restart nftables service + ansible.builtin.systemd_service: + name: nftables + state: restarted + become: true diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml new file mode 100644 index 0000000..aa56223 --- /dev/null +++ b/roles/nftables/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + nftables__config: + type: str + required: true diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml new file mode 100644 index 0000000..46ea18d --- /dev/null +++ b/roles/nftables/tasks/main.yaml 
@@ -0,0 +1,15 @@ +- name: ensure nftables is installed + ansible.builtin.apt: + name: nftables + state: present + become: true + +- name: deploy nftables configuration + ansible.builtin.copy: + content: "{{ nftables__config }}" + dest: "/etc/nftables.conf" + mode: "0644" + owner: root + group: root + become: true + notify: Restart nftables service From 183b91b9f2d289fcbde59687f476632cef024250 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 23:34:17 +0200 Subject: [PATCH 023/101] router(host): add nftables config for basic router functionality --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../chaosknoten/router/nftables/nftables.conf | 73 +++++++++++++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 2 +- .../21-net0.3-ci_runners.network | 2 +- 5 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 resources/chaosknoten/router/nftables/nftables.conf diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index b181c0a..134d29f 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1 +1,2 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 55ab696..e592d23 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -103,6 +103,7 @@ systemd_networkd_hosts: router: nftables_hosts: hosts: + router: docker_compose_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf new file mode 100644 index 0000000..6bc6cbe --- /dev/null +++ b/resources/chaosknoten/router/nftables/nftables.conf 
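Review bot: The `ansible.builtin.copy` task writes /etc/nftables.conf and then restarts the service without validating the ruleset first; on Debian the nftables unit flushes the ruleset on stop, so a file with a syntax error leaves the router with no firewall at all after the failed restart. Add `validate: 'nft -c -f %s'` to the copy task so a broken file is rejected before it replaces the live config. Even a successful `state: restarted` (handler in roles/nftables/handlers/main.yaml, previous hunk) passes through a short window between the flush and the reload with default-accept policies; `state: reloaded` avoids that, provided the deployed config begins with `flush ruleset` so the reload replaces rather than appends. The role also never sets `enabled: true` on the unit, so unless the package enables it at install time the ruleset is absent after a reboot.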
@@ -0,0 +1,73 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Interfaces
+define if_net1_v4_wan = "net1"
+define if_net2_v6_wan = "net2"
+define if_net0_2_v4_nat = "net0.2"
+define if_net0_3_ci_runner = "net0.3"
+
+# Interface Groups
+define wan_ifs = { $if_net1_v4_wan,
+$if_net2_v6_wan }
+define lan_ifs = { $if_net0_2_v4_nat,
+$if_net0_3_ci_runner }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+ chain rpf-filter {
+ type filter hook prerouting priority mangle + 10; policy drop;
+
+ # Only allow packets if their source address is routed via their incoming interface.
+ # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+ fib saddr . mark . iif oif exists accept
+ }
+}
+
+table inet host {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ iifname "lo" accept comment "allow loopback"
+
+ ct state invalid drop
+ ct state established,related accept
+
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # Allow SSH access.
+ tcp dport 22 accept comment "allow ssh access"
+
+ # Allow DHCP server access.
+ iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
+ }
+}
+
+table ip v4nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+
+ oifname $if_net1_v4_wan masquerade
+ }
+}
+
+table inet forward {
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ ct state invalid drop
+ ct state established,related accept
+
+ # Allow internet access.
+ meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
+ meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
+ }
+}
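Review bot: The file does not start with `flush ruleset`, so loading it with `nft -f` onto a host that already has these tables (e.g. the unit's reload, or a manual re-apply) appends a second copy of every rule instead of replacing the ruleset; add `flush ruleset` right after the shebang. In the `host` input chain, `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the first header, so ICMPv6 carried behind an extension header (MLD reports use a Hop-by-Hop header) is dropped by the chain's policy; `meta l4proto ipv6-icmp accept` (and `meta l4proto icmp accept` for the v4 line) is the robust spelling. `tcp dport 22 accept` admits SSH on every interface including both WAN uplinks, which matches the router's later use as the SSH jump host, but a comment saying so, plus a `limit rate` or a `ct state new` counter, would make the exposure deliberate and observable. `$wan_ifs` is defined but not yet referenced anywhere in this file.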
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index 880dd1d..c7fd9a7 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=v4-NAT -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes [Address] diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network index 6f73beb..9caca86 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=ci-runners -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes DHCPServer=true From 66ee44366b5e08b2368b82a25c1b1b4cd0882ff5 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 14 Dec 2025 15:39:03 +0100 Subject: [PATCH 024/101] public-reverse-proxy: New IP of wiki VM --- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 4a449f5..de8ebdd 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
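Review bot: Replacing `IPMasquerade=ipv4` with a comment also removes the IPv4 forwarding that systemd-networkd enables implicitly for an interface with masquerading (the setting implies forwarding), and nothing in this commit adds it back; the nftables `masquerade` rule only rewrites packets the kernel has already decided to forward. If the router keeps forwarding it is because of `IPForward=ipv4` in 20-net1.network (outside this hunk), whose effect is global on older systemd but per-interface since 256, so this may silently stop working on an upgrade. I would add `IPv4Forwarding=yes` next to the new comment in both 21-net0.2-v4_nat.network and 21-net0.3-ci_runners.network so the intent is explicit and independent of the systemd version.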
@@ -27,8 +27,8 @@ stream { invite.hamburg.ccc.de 172.31.17.144:8443; keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; grafana.hamburg.ccc.de 172.31.17.145:8443; - wiki.ccchh.net 172.31.17.146:8443; - wiki.hamburg.ccc.de 172.31.17.146:8443; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; From 5f98dca56c258b10c58c7efced616867f56de551 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:03:36 +0100 Subject: [PATCH 025/101] router(host): expose public v6 networks Also prepare for exposing public v4 networks later. --- resources/chaosknoten/router/nftables/nftables.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6bc6cbe..6d04a4c 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -13,6 +13,8 @@ define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan } define lan_ifs = { $if_net0_2_v4_nat, $if_net0_3_ci_runner } +# define v4_exposed_ifs = { } +define v6_exposed_ifs = { $if_net0_2_v4_nat } ## Rules @@ -69,5 +71,9 @@ table inet forward { # Allow internet access. meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + + # Allow access to exposed networks from internet. + # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" } } From 8b94a49f5e3255377f349087b1e224903696329a Mon Sep 17 00:00:00 2001 
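Review bot: The new forward rule `meta nfproto ipv6 oifname $v6_exposed_ifs accept` has no `iifname` restriction, so it also accepts traffic from the other LAN VLAN (net0.3, the CI runners) into the exposed network, not only "from internet" as the comment says. If inter-VLAN access is not intended, `meta nfproto ipv6 iifname $wan_ifs oifname $v6_exposed_ifs accept` expresses the comment exactly, using the `$wan_ifs` set that the file already defines but never references, and the commented-out v4 line should get the same shape before it is enabled. Exposing a /64 wholesale also means every host in net0.2 must rely on its own host firewall for anything not meant to be reachable, which is worth a line in the comment.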
From: June Date: Tue, 16 Dec 2025 19:23:33 +0100 Subject: [PATCH 026/101] wiki(host): move to new network and internal hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e592d23..a43e940 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -55,9 +55,9 @@ all: ansible_host: router.hamburg.ccc.de ansible_user: chaos wiki: - ansible_host: wiki-intern.hamburg.ccc.de + ansible_host: wiki.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: ansible_host: zammad-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 165e166..dabf4aa 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -25,8 +25,8 @@ map $host $upstream_acme_challenge_host { pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; - wiki.ccchh.net 172.31.17.146:31820; - wiki.hamburg.ccc.de 172.31.17.146:31820; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; sunders.hamburg.ccc.de 172.31.17.170:31820; 
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index a564fc2..c393dd1 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -21,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; } diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index ccdd224..255dc0a 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From b72dee0d6d9e0cfe9c3aea5143fe8c8cfe463604 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:52:24 +0100 Subject: [PATCH 027/101] wiki(host): actually have nginx listen on v6 --- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 + resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index c393dd1..472236a 100644 
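Review bot: `set_real_ip_from 2a00:14b0:4200:3000:125::1` replaces the IPv4 proxy address with a single IPv6 one, so the proxy-protocol header is only honoured when the public reverse proxy connects from exactly that address; the upstream entries in nginx.conf and acme_challenge.conf now point at the hostname `wiki.hosts.hamburg.ccc.de`, so if that name ever resolves to an IPv4 address as well, those connections would be logged and rate-limited under the proxy's own address instead of the client's. Either keep both proxy addresses in `set_real_ip_from` or note in the comment above it that the proxy is expected to reach this host over IPv6 only. The same applies to the identical hunk in wiki.hamburg.ccc.de.conf.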
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index 255dc0a..b4eab7f 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From 5a476f21034dd48c3a6b17758be92d3dfe9f62f0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:47:44 +0100 Subject: [PATCH 028/101] cloud(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- roles/nextcloud/templates/nginx_nextcloud.conf.j2 | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index a43e940..5aa1363 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -7,9 +7,9 @@ all: chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: - ansible_host: cloud-intern.hamburg.ccc.de + ansible_host: cloud.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de eh22-wiki: ansible_host: eh22-wiki-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index dabf4aa..9fdf0fc 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -6,7 +6,7 @@ map $host $upstream_acme_challenge_host { staging.c3cat.de 172.31.17.151:31820; ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - cloud.hamburg.ccc.de 172.31.17.143:31820; + cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; grafana.hamburg.ccc.de 172.31.17.145:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index de8ebdd..84c1187 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -20,7 +20,7 @@ stream { map $ssl_preread_server_name $address { ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; - cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; + cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; id.hamburg.ccc.de 172.31.17.144:8443; 
diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 index c15a653..1beeaf3 100644 --- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 @@ -4,6 +4,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From 570600fce31e2df5fe2f11beedbe56cabffe377f Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:58:05 +0100 Subject: [PATCH 029/101] eh22-wiki(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 3 ++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 5aa1363..c18788e 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -11,9 +11,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de eh22-wiki: - ansible_host: eh22-wiki-intern.hamburg.ccc.de + ansible_host: eh22-wiki.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de grafana: ansible_host: grafana-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index d3ed959..8c801fe 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf 
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf @@ -3,11 +3,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 9fdf0fc..290dbad 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host { eh11.easterhegg.eu 172.31.17.151:31820; eh20.easterhegg.eu 172.31.17.151:31820; www.eh20.easterhegg.eu 172.31.17.151:31820; - eh22.easterhegg.eu 172.31.17.165:31820; + eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820; easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820; eh2003.hamburg.ccc.de 172.31.17.151:31820; www.eh2003.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 84c1187..076618a 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
@@ -56,7 +56,7 @@ stream { eh11.easterhegg.eu 172.31.17.151:8443; eh20.easterhegg.eu 172.31.17.151:8443; www.eh20.easterhegg.eu 172.31.17.151:8443; - eh22.easterhegg.eu 172.31.17.165:8443; + eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443; easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443; eh2003.hamburg.ccc.de 172.31.17.151:8443; www.eh2003.hamburg.ccc.de 172.31.17.151:8443; From b9add5bda3957778dba8b3b5849a82e625ce0609 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:59:15 +0100 Subject: [PATCH 030/101] cloud(host): set correct new proxy protocol reverse proxy ip --- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index fc4e23c..b6cf771 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" nextcloud__use_custom_new_user_skeleton: true nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/" -nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140 +nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1" nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de From 1ca71a053e4f554ae8e1e53bc2accbe124afe78e Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 21:12:21 +0100 Subject: [PATCH 031/101] pad(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 3 ++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) 
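Review bot: `nextcloud__proxy_protocol_reverse_proxy_ip` is the only place in this series where the trusted proxy-protocol address is a variable; the wiki, eh22-wiki, pad, keycloak and onlyoffice nginx confs hard-code the same `2a00:14b0:4200:3000:125::1` in `set_real_ip_from`. A shared inventory variable for the router's address would make a future change one edit instead of a dozen. The value is now a bare v6 literal in quotes, which is fine if the template renders it straight into `set_real_ip_from`; worth confirming no consumer of this variable expects brackets or a CIDR.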
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index c18788e..3d67707 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -41,9 +41,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pad: - ansible_host: pad-intern.hamburg.ccc.de + ansible_host: pad.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pretalx: ansible_host: pretalx-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index 53d0a0d..6c453d1 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf @@ -3,11 +3,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 290dbad..6899c57 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -21,7 +21,7 @@ map $host $upstream_acme_challenge_host { element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; onlyoffice.hamburg.ccc.de 172.31.17.147:31820; - pad.hamburg.ccc.de 172.31.17.141:31820; + pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 076618a..d884bc1 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -21,7 +21,7 @@ stream { ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; - pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; + pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; id.hamburg.ccc.de 172.31.17.144:8443; invite.hamburg.ccc.de 172.31.17.144:8443; From 366456eff8f5280b14d755aefbf8c0abda567fc0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 21:50:40 +0100 Subject: [PATCH 032/101] keycloak(host): move to new network and hostname Also just listen on port 8443 for keycloak-admin proxy protocol. --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 3 ++- .../chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 3 ++- .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 5 +++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 6 +++--- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 6 +++--- 6 files changed, 15 insertions(+), 12 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 3d67707..dfa841e 100644 --- a/inventories/chaosknoten/hosts.yaml 
+++ b/inventories/chaosknoten/hosts.yaml @@ -23,9 +23,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de keycloak: - ansible_host: keycloak-intern.hamburg.ccc.de + ansible_host: keycloak.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de lists: ansible_host: lists.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 303b052..939e1da 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -4,11 +4,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index 4a9cfe6..de1e9d6 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf 
@@ -4,11 +4,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index 2b0d919..cd56b98 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,12 +7,13 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8444 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 6899c57..4d6d4c0 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
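Review bot: With `listen 8443 ssl http2 proxy_protocol;` the keycloak-admin vhost now shares its port with id.hamburg.ccc.de and invite.hamburg.ccc.de, so the only thing selecting the admin server block is `server_name`/SNI, whereas the old 8444 gave an extra, port-level separation. That matches the stream map in the following hunk sending all three names to :8443, but any source restriction for the admin console now has to live inside this server block (outside the hunk) or in the router's firewall, and it is worth confirming one still exists. A comment on the listen line, `# Same port as id./invite.; this block is selected by server_name only.`, would record that decision.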
@@ -13,9 +13,9 @@ map $host $upstream_acme_challenge_host { hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; - id.hamburg.ccc.de 172.31.17.144:31820; - invite.hamburg.ccc.de 172.31.17.144:31820; - keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; + id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index d884bc1..de99d40 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -23,9 +23,9 @@ stream { cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; - id.hamburg.ccc.de 172.31.17.144:8443; - invite.hamburg.ccc.de 172.31.17.144:8443; - keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; + id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; + invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; + keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; grafana.hamburg.ccc.de 172.31.17.145:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; From 944c8cde8249673566e2e5bf20699e6c58a93049 Mon Sep 17 00:00:00 2001 
From: June Date: Wed, 17 Dec 2025 03:34:39 +0100 Subject: [PATCH 033/101] onlyoffice(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 4 +++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index dfa841e..1028deb 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -37,9 +37,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de onlyoffice: - ansible_host: onlyoffice-intern.hamburg.ccc.de + ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pad: ansible_host: pad.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 2471525..8a9a486 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf @@ -3,11 +3,13 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 4d6d4c0..409b5c6 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -20,7 +20,7 @@ map $host $upstream_acme_challenge_host { mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; - onlyoffice.hamburg.ccc.de 172.31.17.147:31820; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index de99d40..97e0e3c 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -29,7 +29,7 @@ stream { grafana.hamburg.ccc.de 172.31.17.145:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de 172.31.17.147:8443; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; netbox.hamburg.ccc.de 172.31.17.167:8443; From 25db54b8ad8314aeb35af0d7775e87c40a9239a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:02:56 +0100 Subject: [PATCH 034/101] Make sure pip is installed --- roles/ansible_pull/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml index 5abcd10..61a2635 100644 --- a/roles/ansible_pull/tasks/main.yaml +++ b/roles/ansible_pull/tasks/main.yaml 
@@ -3,6 +3,7 @@ - name: ensure apt dependencies are installed ansible.builtin.apt: name: + - python3-pip - virtualenv - git state: present From a328e9297102af66721951500cd90bedabb385a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:03:26 +0100 Subject: [PATCH 035/101] Should be compatible with trixie/13 --- roles/certbot/meta/main.yaml | 1 + roles/docker/meta/main.yaml | 1 + roles/dokuwiki/meta/main.yml | 1 + roles/nginx/meta/main.yaml | 1 + roles/prometheus_node_exporter/meta/main.yaml | 1 + 5 files changed, 5 insertions(+) diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml index b4a1c6f..9b678e9 100644 --- a/roles/certbot/meta/main.yaml +++ b/roles/certbot/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml index b4a1c6f..9b678e9 100644 --- a/roles/docker/meta/main.yaml +++ b/roles/docker/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml index b4a1c6f..9b678e9 100644 --- a/roles/dokuwiki/meta/main.yml +++ b/roles/dokuwiki/meta/main.yml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 02b00ac..78bb770 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml index 02b00ac..78bb770 100644 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ b/roles/prometheus_node_exporter/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" From 80ddb2efc927c894074558f0a8f13377bb934cb4 Mon Sep 17 00:00:00 2001 
From: June Date: Wed, 7 Jan 2026 17:25:27 +0100 Subject: [PATCH 036/101] router: enable a DHCP server for the v4-NAT network as well As the hosts don't really need a static v4, just do DHCP. --- resources/chaosknoten/router/nftables/nftables.conf | 2 +- .../router/systemd_networkd/21-net0.2-v4_nat.network | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6d04a4c..3375bfb 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -45,7 +45,7 @@ table inet host { tcp dport 22 accept comment "allow ssh access" # Allow DHCP server access. - iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" + iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" } } diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index c7fd9a7..b15259d 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -11,6 +11,12 @@ Description=v4-NAT # Masquerading done in nftables (nftables.conf). IPv6SendRA=yes +DHCPServer=true + +[DHCPServer] +PoolOffset=100 +PoolSize=150 + [Address] Address=10.32.2.1/24 From fbd3ea54962e7b0348c9ccb4471f493c26002322 Mon Sep 17 00:00:00 2001 
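Review bot: `PoolOffset=100` and `PoolSize=150` under `[DHCPServer]` carry no note of what they mean on `Address=10.32.2.1/24`; a comment such as `# Lease pool 10.32.2.100-10.32.2.249; .2-.99 are left free for static assignments.` saves the next reader the arithmetic. The nftables hunk opening udp/67 from `$if_net0_2_v4_nat` is consistent with `DHCPServer=true` here. There is no static lease list, so a host's v4 address can change between leases; if any host in this network still needs a stable v4, a `[DHCPServerStaticLease]` section (`MACAddress=` / `Address=`) would pin it.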
From: June Date: Wed, 7 Jan 2026 18:09:48 +0100 Subject: [PATCH 037/101] base_config: disable cloud-init ssh module to avoid hostkey regeneration It should run once on first boot anyway and since it apparently runs for every change in the Proxmox cloud init config, disable it, so it doesn't, since it's annoying to have "random" hostkey changes. --- roles/base_config/tasks/main.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/base_config/tasks/main.yaml
diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml
new file mode 100644
index 0000000..cd8affd
--- /dev/null
+++ b/roles/base_config/tasks/main.yaml
@@ -0,0 +1,13 @@
+# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
+- name: check if cloud-init config file exists
+ ansible.builtin.stat:
+ path: /etc/cloud/cloud.cfg
+ register: base_config__stat_cloud_cfg
+
+- name: ensure the cloud-init ssh module is disabled
+ ansible.builtin.replace:
+ path: /etc/cloud/cloud.cfg
+ regexp: " - ssh$"
+ replace: " #- ssh"
+ become: true
+ when: base_config__stat_cloud_cfg.stat.exists
From 40b67c6bc3cec86c72f7efe52f12b939d0db4291 Mon Sep 17 00:00:00 2001
From: June Date: Wed, 7 Jan 2026 18:46:16 +0100 Subject: [PATCH 038/101] sunders(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 1028deb..082a76a 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
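Review bot: The replace task's `regexp: " - ssh$"` assumes the `cloud_init_modules` entry is written exactly as a one-space-indented ` - ssh`; a cloud.cfg that indents it differently or has trailing whitespace is silently left alone and the host keys keep regenerating, with nothing reporting it. cloud-init has a dedicated switch for this case: a drop-in under `/etc/cloud/cloud.cfg.d/` setting `ssh_deletekeys: false` stops the ssh module from removing and regenerating host keys without editing the distro-managed cloud.cfg (which a package upgrade may replace) and leaves the rest of the module working. If the in-place edit stays, `regexp: "^(\\s*)- ssh$"` with `replace: "\\1#- ssh"` tolerates the indentation and remains idempotent, since the commented line no longer matches.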
@@ -67,9 +67,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de sunders: - ansible_host: sunders-intern.hamburg.ccc.de + ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: ansible_host: renovate-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 409b5c6..f02a657 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -29,7 +29,7 @@ map $host $upstream_acme_challenge_host { wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; - sunders.hamburg.ccc.de 172.31.17.170:31820; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 97e0e3c..90ec655 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -43,7 +43,7 @@ stream { staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de 172.31.17.148:8443; - sunders.hamburg.ccc.de 172.31.17.170:8443; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; 
diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index 04cc006..ceb9b2b 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a622f21b54461ec4db77f3496212c55389621104 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:46:27 +0100 Subject: [PATCH 039/101] renovate(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 082a76a..58b6c1a 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -71,9 +71,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: - ansible_host: renovate-intern.hamburg.ccc.de + ansible_host: renovate.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: From 49e3ecb9865ebc0de70b4757b0f2d05a7b8c3da4 Mon Sep 17 00:00:00 2001 
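Review bot: In sunders.hamburg.ccc.de.conf the `listen 8443 ssl http2 proxy_protocol;` line is replaced by `listen [::]:8443 ssl http2 proxy_protocol;` rather than kept next to it, so the vhost becomes v6-only on 8443, unlike the wiki, pad, keycloak and onlyoffice confs earlier in the series, which add the v6 listener beside the v4 one. This hunk does not touch `set_real_ip_from`, and the diffstat shows the file has only this one-line change; if it still names the v4 proxy address, the PROXY header from the v6 router is ignored and `$remote_addr` ends up as the router's address, so it is worth checking against the eh22-wiki and pad commits, which updated both lines together. If v6-only is intentional, a comment such as `# v6 only: the proxy-protocol reverse proxy reaches this host over v6.` would stop someone adding the v4 listener back. The same replace-instead-of-add appears in the netbox and tickets confs below.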
From: June Date: Fri, 9 Jan 2026 03:05:29 +0100 Subject: [PATCH 040/101] netbox(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 58b6c1a..14fe23a 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -33,9 +33,9 @@ all: ansible_host: mumble.hamburg.ccc.de ansible_user: chaos netbox: - ansible_host: netbox-intern.hamburg.ccc.de + ansible_host: netbox.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de onlyoffice: ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 5550686..533c9d2 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index f02a657..06595e3 100644 
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -19,7 +19,7 @@ map $host $upstream_acme_challenge_host { matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; - netbox.hamburg.ccc.de 172.31.17.167:31820; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 90ec655..78a91ff 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -32,7 +32,7 @@ stream { onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; - netbox.hamburg.ccc.de 172.31.17.167:8443; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443; matrix.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443; From ff550cbd8ad8cfd9be7bbc9d5f4c620172e5d90f Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:00:18 +0100 Subject: [PATCH 041/101] tickets(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 14fe23a..fab9127 100644 --- a/inventories/chaosknoten/hosts.yaml 
+++ b/inventories/chaosknoten/hosts.yaml @@ -19,9 +19,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de tickets: - ansible_host: tickets-intern.hamburg.ccc.de + ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de keycloak: ansible_host: keycloak.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 06595e3..b8b44b5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -28,7 +28,7 @@ map $host $upstream_acme_challenge_host { wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; - tickets.hamburg.ccc.de 172.31.17.148:31820; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 78a91ff..e540f13 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -42,7 +42,7 @@ stream { hamburg.ccc.de 172.31.17.151:8443; staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; - tickets.hamburg.ccc.de 172.31.17.148:8443; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; 
diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 9e2ca26..8d36244 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a41b07949cd6ffda5b334065c7b8ce362e11af16 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:22:37 +0100 Subject: [PATCH 042/101] zammad(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index fab9127..1b88df6 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -59,9 +59,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: - ansible_host: zammad-intern.hamburg.ccc.de + ansible_host: zammad.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: ansible_host: ntfy-intern.hamburg.ccc.de ansible_user: chaos 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index b8b44b5..d976089 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -30,7 +30,7 @@ map $host $upstream_acme_challenge_host { www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; - zammad.hamburg.ccc.de 172.31.17.152:31820; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; eh07.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index e540f13..c4d1fbc 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -44,7 +44,7 @@ stream { spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; - zammad.hamburg.ccc.de 172.31.17.152:8443; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; staging.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index c1f9182..5bb2435 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf 
@@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From bb30e88404d9e3d6c2325a2572b45aac10113041 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:29:16 +0100 Subject: [PATCH 043/101] router(host): allowlist only certain icmpv6 types --- .../chaosknoten/router/nftables/nftables.conf | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 3375bfb..ca62a97 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf 
@@ -39,7 +39,23 @@ table inet host {
ct state established,related accept
ip protocol icmp accept
- ip6 nexthdr icmpv6 accept
+ # ICMPv6
+ # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+ # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+ # Error messages that are essential to the establishment and maintenance of communications:
+ icmpv6 type { destination-unreachable, packet-too-big } accept
+ icmpv6 type { time-exceeded } accept
+ icmpv6 type { parameter-problem } accept
+ # Connectivity checking messages:
+ icmpv6 type { echo-request, echo-reply } accept
+ # Address Configuration and Router Selection messages:
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+ # Link-Local Multicast Receiver Notification messages:
+ icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+ # SEND Certificate Path Notification messages:
+ icmpv6 type { 148, 149 } accept
+ # Multicast Router Discovery messages:
+ icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
From 2fbb37db18c0cb3c01f00d83666524f6c5cc887e Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 11 Jan 2026 00:59:52 +0100
Subject: [PATCH 044/101] grafana(host): move to new network and hostname
---
inventories/chaosknoten/hosts.yaml | 4 ++--
.../chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +-
resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf | 2 --
.../chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf | 1 -
.../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +-
6 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 1b88df6..f72e4ac 100644
--- a/inventories/chaosknoten/hosts.yaml
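Review bot: The ND rule on the new side accepts router/neighbor solicitations and advertisements regardless of hop limit, whereas RFC 4861 requires hop limit 255 for these messages and the RFC 4890 allowlist the comment cites makes that check part of the filter; appending the match, `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 accept`, keeps off-link ND out at the firewall instead of relying only on the kernel's own hop-limit check. The MLD rule and the numeric MRD types (151–153) are likewise link-local-only messages in RFC 4890, so `ip6 saddr fe80::/10` fits the MRD rule; for MLD, reports sent before address configuration use the unspecified source and would need `::` allowed as well. The chain this hunk belongs to starts and ends outside the hunk, so what happens to the remaining ICMPv6 types (e.g. redirect) is not visible here.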
+++ b/inventories/chaosknoten/hosts.yaml @@ -15,9 +15,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de grafana: - ansible_host: grafana-intern.hamburg.ccc.de + ansible_host: grafana.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de tickets: ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index c5b68e1..a6dcdc1 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf index e2bf4a7..8a509be 100644 --- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf @@ -17,7 +17,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:50051 ssl; - listen 172.31.17.145:50051 ssl; http2 on; @@ -59,7 +58,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index 2c52523..ef2fe07 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf 
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -18,7 +18,6 @@ server { server_name metrics.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; client_body_buffer_size 512k; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index d976089..7af3beb 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -9,7 +9,7 @@ map $host $upstream_acme_challenge_host { cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; - grafana.hamburg.ccc.de 172.31.17.145:31820; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index c4d1fbc..42120db 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -26,7 +26,7 @@ stream { id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - grafana.hamburg.ccc.de 172.31.17.145:8443; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; From 372f264bcbc7de743c6cda57126395f7df906b47 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 11 Jan 2026 01:29:15 +0100 Subject: [PATCH 045/101] ccchoir(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf | 8 ++++---- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- .../chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index f72e4ac..4b8e388 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -1,9 +1,9 @@ all: hosts: ccchoir: - ansible_host: ccchoir-intern.hamburg.ccc.de + ansible_host: ccchoir.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf index ff37e48..a8d71a9 100644 --- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf +++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
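Review bot: The listen / `set_real_ip_from` / `real_ip_header proxy_protocol` stanza is now repeated verbatim in both `server` blocks of ccchoir.de.conf (this hunk and the one at line 43 that follows) and in every other vhost touched by this series, which is what let PATCH 040–044 flip `listen` without the matching `set_real_ip_from` until PATCH 048 caught up. Pulling the proxy-protocol boilerplate into one snippet referenced with `include` would turn a change of trusted proxy address into a single edit. This is a style point; the configuration as written is correct.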
@@ -43,12 +43,12 @@ server { server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 7af3beb..0c62760 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -4,8 +4,8 @@ map $host $upstream_acme_challenge_host { c3cat.de 172.31.17.151:31820; www.c3cat.de 172.31.17.151:31820; staging.c3cat.de 172.31.17.151:31820; - ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; + ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; + www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 42120db..b3f3636 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
@@ -18,8 +18,8 @@ stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
- ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
- www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
+ ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+ www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
From 1971598e71379ed967b8790353dd2ac6dc854712 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 11 Jan 2026 03:22:11 +0100
Subject: [PATCH 046/101] pretalx(host): move to new network and hostname
---
inventories/chaosknoten/hosts.yaml | 4 ++--
.../chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf | 4 ++--
.../chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf | 4 ++--
.../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++--
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 4b8e388..d5dea1c 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -45,9 +45,9 @@ all:
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
pretalx:
- ansible_host: pretalx-intern.hamburg.ccc.de
+ ansible_host: pretalx.hosts.hamburg.ccc.de
ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos
diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
index 0fa99e7..a4f5bb9 100644
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
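Review bot: The new map entries send the TLS passthrough to `ccchoir.hosts.hamburg.ccc.de:8443`, so where those connections land is now decided at runtime by the answers of the `resolver 212.12.50.158 192.76.134.90;` shown in context rather than by a fixed address, and the same applies to the ACME HTTP-01 forwarding in acme_challenge.conf. nginx's built-in resolver does not validate DNSSEC, so it is worth confirming that these two resolvers are ones the proxy host should trust for the `hosts.hamburg.ccc.de` zone, or pointing the directive at a local validating resolver. Because PATCH 048 leaves the backends listening only on `[::]:8443`, the names must resolve to AAAA records; if A records are also published, `ipv4=off` on the `resolver` directive (nginx 1.23.1 and later) stops nginx from trying the unreachable v4 address. The enclosing `map` continues outside the hunk.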
@@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf index f12067a..d66e977 100644 --- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 0c62760..71f0290 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -22,7 +22,7 @@ map $host $upstream_acme_challenge_host { netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; - pretalx.hamburg.ccc.de 172.31.17.157:31820; + pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index b3f3636..d7cd97e 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -22,7 +22,7 @@ stream { www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; - pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; + pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443; id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; @@ -90,7 +90,7 @@ stream { woodpecker.hamburg.ccc.de 172.31.17.160:8443; design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; - cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; + cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; ntfy.hamburg.ccc.de 172.31.17.149:8443; cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443; From 255327952e3b1e718e7d0e53c0c189a6e6f13052 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 11 Jan 2026 03:57:11 +0100 Subject: [PATCH 047/101] ntfy(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index d5dea1c..93c61be 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -63,9 +63,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: - ansible_host: ntfy-intern.hamburg.ccc.de + ansible_host: ntfy.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de sunders: ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf index e7d404d..ebae48d 100644 --- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf +++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf @@ -2,13 +2,13 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 71f0290..82e596a 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host { design.hamburg.ccc.de 172.31.17.162:31820; hydra.hamburg.ccc.de 172.31.17.163:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820; - ntfy.hamburg.ccc.de 172.31.17.149:31820; + ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820; cryptoparty-hamburg.de 172.31.17.151:31820; cryptoparty.hamburg.ccc.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index d7cd97e..489dda5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -91,7 +91,7 @@ stream { design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; - ntfy.hamburg.ccc.de 172.31.17.149:8443; + ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443; cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443; From 968e29ccb8fa144c7ec3ebd56d8d38adb4416397 Mon Sep 17 00:00:00 2001 
From: June Date: Mon, 12 Jan 2026 03:02:09 +0100 Subject: [PATCH 048/101] do v6-only for internal proxy protocol communication Since we want to do v6-only internally, only listen on v6 for proxy protocol. This is also needed as we only have set_real_ip_from pointing to a v6. --- resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 1 - resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 1 - resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 1 - .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 1 - resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 1 - resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 1 - resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 - resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 - resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 13 files changed, 5 insertions(+), 13 deletions(-) diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index 8c801fe..d213d61 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy 
diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index a6dcdc1..98f7f40 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf @@ -8,7 +8,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 939e1da..82ba082 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -3,7 +3,6 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index de1e9d6..ecb7e2d 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf @@ -3,7 +3,6 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy 
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index cd56b98..b2e7eec 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,7 +7,6 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 533c9d2..0c2a3be 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 8a9a486..f3e77f1 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf 
@@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index 6c453d1..cf49d23 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index ceb9b2b..185c005 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 8d36244..e93ff93 100644 
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index 472236a..d89b5b8 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index b4eab7f..5065c1d 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy 
diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index 5bb2435..b94cb5c 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From 70461c98babcddd87dd208aa4041aee5f1fa2546 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 12 Jan 2026 03:29:06 +0100 Subject: [PATCH 049/101] first run ansible_pull for router, then for all other hosts Do this to avoid a restarting router affecting playbook runs on other hosts. --- inventories/chaosknoten/group_vars/all.yaml | 2 +- inventories/chaosknoten/host_vars/router.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index b8f13d0..60349e0 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml @@ -3,7 +3,7 @@ ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git ansible_pull__inventory: inventories/chaosknoten ansible_pull__playbook: playbooks/maintenance.yaml -ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de ansible_pull__timer_randomized_delay_sec: 30min diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index 134d29f..5e9c832 100644 --- a/inventories/chaosknoten/host_vars/router.yaml 
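Review bot: The 04:30 start in group_vars/all.yaml only orders the runs after the router's if the router's 04:00 run (host_vars/router.yaml, next hunk) is finished within 30 minutes, and neither file records that dependency, so the two values can drift apart unnoticed. A comment next to the changed value would keep them together, e.g. `# 04:30 (+ up to 30min random delay): the router runs at 04:00 without delay so its restart is over before other hosts start, see host_vars/router.yaml.`, with a matching `# Run before all other hosts, see group_vars/all.yaml` above the two new lines in router.yaml.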
+++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,2 +1,4 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_randomized_delay_sec: 0min From c6387908198c477178d59ea4e798600ffb201dc8 Mon Sep 17 00:00:00 2001 From: Renovate Date: Mon, 12 Jan 2026 02:30:47 +0000 Subject: [PATCH 050/101] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 10 +++++----- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 6 +++--- .../chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index d29fb6e..b1168c9 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.11.0 + uses: https://github.com/ansible/ansible-lint@v25.12.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 3be8bdd..2c68c17 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml 
@@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.6" +netbox__version: "v4.5.0" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 2d598f9..90952ee 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.3 + image: docker.io/prom/prometheus:v3.9.1 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.29.0 + image: docker.io/prom/alertmanager:v0.30.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.3.0 + image: docker.io/grafana/grafana:12.3.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5 + image: docker.io/prompve/prometheus-pve-exporter:3.8.0 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.0 + image: docker.io/grafana/loki:3.6.3 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index f3444ac..8bc37e9 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0 + image: docker.io/onlyoffice/documentserver:9.2.1 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 455caa3..790cf95 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3 + image: quay.io/hedgedoc/hedgedoc:1.10.5 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index dda67bb..835ed50 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3 + image: docker.io/library/nginx:1.29.4 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index fbec258..1df2bca 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: db: - image: mariadb:12.0.2 + image: mariadb:12.1.2 command: --max_allowed_packet=3250585600 environment: MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" From a92e144cfcdfb0813403b2e7b649d1fdeb641722 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 00:08:57 +0100 Subject: [PATCH 051/101] base_config(role): ensure base set of admin tools is installed See: https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix --- roles/base_config/tasks/main.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml index cd8affd..7f0281e 100644 --- a/roles/base_config/tasks/main.yaml +++ b/roles/base_config/tasks/main.yaml @@ -11,3 +11,23 @@ replace: " #- ssh" become: true when: base_config__stat_cloud_cfg.stat.exists + +# Ensure a base set of admin tools is installed. +- name: ensure a base set of admin tools is installed + ansible.builtin.apt: + name: + - vim + - joe + - nano + - htop + - btop + - ripgrep + - fd-find + - tmux + - git + - curl + - rsync + - dnsutils + - usbutils + - kitty + become: true From 951ec7ebcd9ea693f4f4c40b9ca1052b4bc0abf1 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 02:25:06 +0100 Subject: [PATCH 052/101] netbox(role): fix oidc integration by no longer using is_staff is_staff got removed in 4.5.0. See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0 --- .../netbox/files/custom_pipeline_oidc_group_and_role_mapping.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py index 470f388..79bd247 100644 --- a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py +++ b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py 
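Review bot: `kitty` in the new package list installs the full GUI terminal emulator and its graphics dependencies on what are otherwise headless hosts; if the aim, as in the referenced nix admin-environment, is a working terminfo for admins connecting from kitty, `kitty-terminfo` is the package to list instead. `ansible.builtin.apt` is also called without `update_cache`, so on a host with a stale or missing package index the task can fail on the first run; `update_cache: true` together with a `cache_valid_time` keeps it cheap and idempotent. The comment above the task repeats its `name:` word for word — it could instead record the why: `# Base admin toolset, mirrored from nix-infra config/common/admin-environment.nix.`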
@@ -40,7 +40,6 @@ def remove_groups(response, user, backend, *args, **kwargs): def set_roles(response, user, backend, *args, **kwargs): # Remove Roles temporary user.is_superuser = False - user.is_staff = False try: groups = response['groups'] except KeyError: @@ -51,5 +50,4 @@ def set_roles(response, user, backend, *args, **kwargs): # Set roles is role (superuser or staff) is in groups user.is_superuser = True if 'superusers' in groups else False - user.is_staff = True if 'staff' in groups else False user.save() From 3e0fdfa8de7e0cbc97ef7d3a089c7db6b2885b92 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:43:28 +0100 Subject: [PATCH 053/101] pretalx(host): roll back to pretalx v2025.1.0 as v2025.2.2 doesn't work --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 835ed50..f61d6f7 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" From 92601ab9ea4cceb6daa8b7c36c9a202a6ae9e30b Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:48:34 +0100 Subject: [PATCH 054/101] renovate: add package rule for pretalx reclassifying major updates So that v2025.1.0 to v2025.2.2 counts as a major, not a minor, update. --- renovate.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate.json b/renovate.json index 711c627..0e2bd7f 100644 --- a/renovate.json +++ b/renovate.json 
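Review bot: With the `is_staff` assignments gone, the comment kept in the second hunk, `# Set roles is role (superuser or staff) is in groups`, still describes staff handling and was already garbled; since it now governs a single assignment, `# Grant superuser only when the 'superusers' group is in the groups claim` there and `# Reset roles before re-evaluating the groups claim` in place of `# Remove Roles temporary` would match the code. While here, `user.is_superuser = True if 'superusers' in groups else False` is simply `user.is_superuser = 'superusers' in groups`, and if the IdP ever delivered `groups` as a single string rather than a list the `in` test would become a substring match, so checking `isinstance(groups, (list, tuple))` before granting superuser is a cheap guard. The `except KeyError` branch and the lines between the two hunks are outside my view, so I cannot tell whether a missing claim saves the reset or returns early.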
@@ -32,6 +32,11 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" + }, + { + "matchDatasources": ["docker"], + "matchPackageNames": ["docker.io/pretalx/standalone"], + "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], "customManagers": [ From 428b5c70bc3d02be51283a69105cf36ce44139ff Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 14:19:57 +0100 Subject: [PATCH 055/101] pretalx(host): roll back to pretalx v2025.1.0 for celery as well --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index f61d6f7..091d113 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped From 51bbdd42a2504f0b3045349b0b08e3bb75b55fce Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 16:55:22 +0100 Subject: [PATCH 056/101] dooris(host): make certbot work --- inventories/z9/host_vars/dooris.yaml | 4 +++- resources/z9/dooris/nginx/http_handler.conf | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 resources/z9/dooris/nginx/http_handler.conf diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml index 5813e3a..8ae5287 100644 --- a/inventories/z9/host_vars/dooris.yaml +++ b/inventories/z9/host_vars/dooris.yaml 
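Review bot: The new pretalx rule's regex reads `^v(?\d+\.\d+)(?:\.(?\d+))$` in this rendering, i.e. without group names; most likely `(?<major>…)` and `(?<patch>…)` were lost when the page was extracted (the pretix rule directly above shows the same), but if the committed file really lacks them Renovate's regex versioning cannot map the captures and the rule is silently ineffective, so it is worth a look at the raw file. A `"description"` entry on the rule would also record why `2025.1` → `2025.2` is treated as a major update, which currently only the commit message explains.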
@@ -7,9 +7,11 @@ certbot__certificate_domains: - "dooris.ccchh.net" certbot__new_cert_commands: - "systemctl reload nginx.service" -certbot__http_01_port: 80 nginx__version_spec: "" +nginx__deploy_redirect_conf: false nginx__configurations: - name: dooris.ccchh.net content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}" + - name: http_handler + content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" diff --git a/resources/z9/dooris/nginx/http_handler.conf b/resources/z9/dooris/nginx/http_handler.conf new file mode 100644 index 0000000..8572664 --- /dev/null +++ b/resources/z9/dooris/nginx/http_handler.conf @@ -0,0 +1,12 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } +} From fe52127e825b27693c56dc5f0620679fe12829c0 Mon Sep 17 00:00:00 2001 
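Review bot: Removing `certbot__http_01_port: 80` lets the certbot listener fall back to the role's default, and the new http_handler.conf (next hunk) hard-codes that port as `127.0.0.1:31820`, so the two are now coupled only by convention; if the port is later changed in host_vars or the role default moves, renewals fail with a 502 that only shows up near expiry. Setting `certbot__http_01_port: 31820` explicitly here with a comment pointing at the nginx file, or templating the port into the config, would make the dependency visible. `nginx__deploy_redirect_conf: false` is presumably needed because the handler now owns `default_server` on port 80 — a one-line comment saying so would help the next reader.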
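Review bot: `return 301 https://$host$request_uri;` in a `default_server` block echoes whatever `Host` header the client sent, so a request carrying an unrelated host name is answered with a redirect to that foreign name; the impact is low, but for a catch-all it is cleaner to redirect to the name this host actually serves, `return 301 https://dooris.ccchh.net$request_uri;`, or to answer `return 444;` for unknown hosts and keep the `$host` form in a named server block. The acme-challenge `proxy_pass` should also carry a comment tying it to certbot, e.g. `# certbot's standalone http-01 listener (role default port); keep in sync with certbot__http_01_port`.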
From: June Date: Sun, 18 Jan 2026 01:26:52 +0100 Subject: [PATCH 057/101] status(host): configure external status page and uptime monitoring host --- .sops.yaml | 22 +- inventories/external/group_vars/all.sops.yaml | 210 ++++++++++++ inventories/external/group_vars/all.yaml | 16 + .../external/host_vars/status.sops.yaml | 212 ++++++++++++ inventories/external/host_vars/status.yaml | 27 ++ inventories/external/hosts.yaml | 24 ++ .../status/docker_compose/compose.yaml.j2 | 36 +++ .../config/easterhegg-websites.yaml | 303 ++++++++++++++++++ .../status/docker_compose/config/general.yaml | 25 ++ .../config/services-chaosknoten.yaml | 264 +++++++++++++++ .../status/docker_compose/config/sites.yaml | 23 ++ .../docker_compose/config/websites.yaml | 174 ++++++++++ .../external/status/nginx/http_handler.conf | 14 + .../status/nginx/status.hamburg.ccc.de.conf | 33 ++ 14 files changed, 1381 insertions(+), 2 deletions(-) create mode 100644 inventories/external/group_vars/all.sops.yaml create mode 100644 inventories/external/group_vars/all.yaml create mode 100644 inventories/external/host_vars/status.sops.yaml create mode 100644 inventories/external/host_vars/status.yaml create mode 100644 inventories/external/hosts.yaml create mode 100644 resources/external/status/docker_compose/compose.yaml.j2 create mode 100644 resources/external/status/docker_compose/config/easterhegg-websites.yaml create mode 100644 resources/external/status/docker_compose/config/general.yaml create mode 100644 resources/external/status/docker_compose/config/services-chaosknoten.yaml create mode 100644 resources/external/status/docker_compose/config/sites.yaml create mode 100644 resources/external/status/docker_compose/config/websites.yaml create mode 100644 resources/external/status/nginx/http_handler.conf create mode 100644 resources/external/status/nginx/status.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 98aaf3c..3b728e2 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -33,15 +33,25 @@ keys: - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg + external: + age: &host_external_age_keys + - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr creation_rules: - # group vars + ## group vars - path_regex: inventories/chaosknoten/group_vars/all.* key_groups: - pgp: *admin_gpg_keys age: *host_chaosknoten_age_keys - # host vars + - path_regex: inventories/external/group_vars/all.* + key_groups: + - pgp: + *admin_gpg_keys + age: + *host_external_age_keys + ## host vars + # chaosknoten hosts - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: @@ -150,6 +160,14 @@ creation_rules: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key + # external hosts + - path_regex: inventories/external/host_vars/status.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_status_ansible_pull_age_key + # z9 hosts - path_regex: inventories/z9/host_vars/dooris.* key_groups: - pgp: diff --git a/inventories/external/group_vars/all.sops.yaml b/inventories/external/group_vars/all.sops.yaml new file mode 100644 index 0000000..06eeb17 --- /dev/null +++ b/inventories/external/group_vars/all.sops.yaml 
@@ -0,0 +1,210 @@ +msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w + c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN + clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ + aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y + mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-15T21:28:28Z" + mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str] + pgp: + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I + b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY + /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu + Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/ + e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B + inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw + P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow + RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W + XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn + gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV + HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS + XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH + 
tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a + =Xw0f + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+ + U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L + eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW + TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc + OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo + b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR + 8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem + Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk + +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq + 5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb + ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS + XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7 + RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u + =k6m5 + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ + z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr + AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX + EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd + txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3 + CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX + AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt + KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf + 53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ + iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn + Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS + 
XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX + OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0 + =seAB + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ + ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7 + vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh + GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R + ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA + q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN + F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT + 968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb + Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH + RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM + WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS + XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T + X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt + =t5WG + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw + OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu + 0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD + kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg== + =8Qs3 + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2 + SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm + +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB + 
nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm + ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH + xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP + 2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv + 4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP + AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5 + fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV + J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S + XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD + QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn + =NJUn + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33 + rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU + b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB + VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6 + z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc + y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk + pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6 + DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS + 55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2 + Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS + 2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS + XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ + e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h + =gUj7 + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw + YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4 + 
W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly + m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl + AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB + QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW + fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT + XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw + Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv + v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt + zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS + XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb + YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV + =pL2f + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw + 0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin + 0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8 + KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg== + =slU2 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw + bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL + 0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp + JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw== + =1DIj + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204 + CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99 + e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R + 
6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1 + M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN + Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L + vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G + k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm + MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/ + 3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF + XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS + XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn + 96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz + =IYeC + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/external/group_vars/all.yaml b/inventories/external/group_vars/all.yaml new file mode 100644 index 0000000..80d3efc --- /dev/null +++ b/inventories/external/group_vars/all.yaml @@ -0,0 +1,16 @@ +# ansible_pull +# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml). +ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git +ansible_pull__inventory: inventories/external +ansible_pull__playbook: playbooks/maintenance.yaml +ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" +ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de +ansible_pull__timer_randomized_delay_sec: 30min + +# msmtp +# msmtp__smtp_password is defined in the all.sops.yaml. +msmtp__smtp_host: cow.hamburg.ccc.de +msmtp__smtp_port: 465 +msmtp__smtp_tls_method: smtps +msmtp__smtp_user: any@external-hosts.hamburg.ccc.de +msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de" diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml new file mode 100644 index 0000000..e300459 --- /dev/null 
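Review bot: `msmtp__smtp_user: any@external-hosts.hamburg.ccc.de` with its password in the group-level all.sops.yaml means one sending credential is shared by every host of the external inventory and decryptable by each host's age key (`host_external_age_keys` in .sops.yaml), so a compromise of any one external host exposes the mail credential for all of them; with a single host today that is acceptable, but a comment would make sure it is revisited as the group grows, e.g. `# Shared sending credential for all external hosts; switch to per-host sops files when more hosts are added.` The comment `# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).` hedges with "probably" although this very commit places it in host_vars/status.sops.yaml — `# ansible_pull__age_private_key is defined per host in host_vars/HOST.sops.yaml.` states it plainly.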
+++ b/inventories/external/host_vars/status.sops.yaml 
@@ -0,0 +1,212 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] +secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx + UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq + M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk + RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 + 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-17T23:54:35Z" + mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + pgp: + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/ + HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW + w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi + o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr + dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT + QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+ + 
97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE + dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf + j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT + B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9 + cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS + XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI + tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ= + =HCWY + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M + UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6 + KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4 + JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu + RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf + LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J + SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5 + YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD + CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF + W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q + melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS + XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e + GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74= + =v7Jf + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ + zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv + y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y + Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo + 
FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw + sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz + 8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1 + +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au + qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU + yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F + HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S + XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF + 9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4= + =l9vN + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp + +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w + +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1 + oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw + 8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx + wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26 + MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK + ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj + IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB + b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm + YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS + XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF + JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4= + =8IWz + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw + 9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM + 
0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr + 1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ + =FVIu + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz + ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F + 15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN + pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW + Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR + PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+ + 27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU + amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I + bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P + dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc + bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS + XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD + QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA= + =EPrs + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0 + RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC + Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9 + fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC + 3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9 + bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW + p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl + USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm + dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa + 
PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9 + NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS + XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n + H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo= + =0Nal + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK + ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV + Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl + IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH + i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9 + 1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq + lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG + m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi + 9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7 + N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy + FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS + XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7 + uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k= + =e4Qe + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw + 27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di + 0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h + 7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci + =68na + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw + 
oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK + 0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz + LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ + =Kpzf + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO + rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I + hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc + yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD + Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo + 2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR + yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY + YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz + WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu + 1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv + YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS + XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY + rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk= + =lbdI + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/external/host_vars/status.yaml b/inventories/external/host_vars/status.yaml new file mode 100644 index 0000000..c2c26b3 --- /dev/null +++ b/inventories/external/host_vars/status.yaml 
@@ -0,0 +1,27 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+ - name: "general.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
+ - name: "sites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
+ - name: "services-chaosknoten.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
+ - name: "websites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
+ - name: "easterhegg-websites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
+nginx__configurations:
+ - name: status.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
+ - name: http_handler
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "status.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml
new file mode 100644
index 0000000..435a9bf
--- /dev/null
+++ b/inventories/external/hosts.yaml
@@ -0,0 +1,24 @@
+all:
+ hosts:
+ status:
+ # TODO: Manually set up ufw on the host. Create a role for ufw.
+ ansible_host: status.hamburg.ccc.de
+ ansible_user: chaos
+base_config_hosts:
+ hosts:
+ status:
+docker_compose_hosts:
+ hosts:
+ status:
+nginx_hosts:
+ hosts:
+ status:
+certbot_hosts:
+ hosts:
+ status:
+infrastructure_authorized_keys_hosts:
+ hosts:
+ status:
+ansible_pull_hosts:
+ hosts:
+ status:
diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..04abf95
--- /dev/null
+++ b/resources/external/status/docker_compose/compose.yaml.j2
@@ -0,0 +1,36 @@
+# https://gatus.io/
+# https://github.com/TwiN/gatus
+# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
+
+services:
+ database:
+ image: docker.io/library/postgres:18.1
+ volumes:
+ - ./database:/var/lib/postgresql
+ environment:
+ - "POSTGRES_DB=gatus"
+ - "POSTGRES_USER=gatus"
+ - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+ networks:
+ - gatus
+
+ gatus:
+ image: ghcr.io/twin/gatus:v5.34.0
+ restart: always
+ ports:
+ - "8080:8080"
+ environment:
+ - "GATUS_CONFIG_PATH=/config"
+ - "POSTGRES_DB=gatus"
+ - "POSTGRES_USER=gatus"
+ - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+ - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
+ volumes:
+ - ./configs:/config
+ networks:
+ - gatus
+ depends_on:
+ - database
+
+networks:
+ gatus:
diff --git a/resources/external/status/docker_compose/config/easterhegg-websites.yaml b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
new file mode 100644
index 0000000..87feb4c
--- /dev/null
+++ b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
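Review bot: `ports: - "8080:8080"` publishes Gatus on every host interface, while the nginx configuration and certbot entry for status.hamburg.ccc.de in status.yaml suggest nginx is meant to front it; Docker reaches published ports through its own iptables chains rather than the host's INPUT rules, so the ufw mentioned in the hosts.yaml TODO would not close this either. Binding to loopback, `- "127.0.0.1:8080:8080"`, limits the exposure to nginx on the same host. The `database` service also has no `restart:` policy while `gatus` has `restart: always`, so after a host reboot Gatus comes back without its storage backend; `depends_on` only orders startup and does not bring the dependency back. Adding `restart: always` to `database` fixes that.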
@@ -0,0 +1,303 @@ +# Easterhegg Websites and Websites (Redirects) +# (hosted on public-web-static) +# One could probably also generate this list from the public-web-static config. +easterhegg-websites-defaults: &easterhegg_websites_defaults + group: Websites + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "12h" + send-on-resolved: true + +easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults + group: Websites (Redirects) + interval: 15m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +endpoints: + # Websites + - name: eh03.easterhegg.eu + url: "https://eh03.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: eh05.easterhegg.eu + url: "https://eh05.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: eh07.easterhegg.eu + url: "https://eh07.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh09.easterhegg.eu + url: "https://eh09.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh11.easterhegg.eu + url: "https://eh11.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh20.easterhegg.eu + url: "https://eh20.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - 
"[BODY] == pat(*EH20 - Back to root*)" + + # Websites (Redirects) + # eh03.easterhegg.eu + - name: eh2003.hamburg.ccc.de + url: "https://eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.eh2003.hamburg.ccc.de + url: "https://www.eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: easterhegg2003.hamburg.ccc.de + url: "https://easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.easterhegg2003.hamburg.ccc.de + url: "https://www.easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + # eh05.easterhegg.eu + - name: eh2005.hamburg.ccc.de + url: "https://eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.eh2005.hamburg.ccc.de + url: "https://www.eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: easterhegg2005.hamburg.ccc.de + url: "https://easterhegg2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.easterhegg2005.hamburg.ccc.de + url: "https://www.easterhegg2005.hamburg.ccc.de" + <<: 
*easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + # eh07.easterhegg.eu + - name: eh2007.hamburg.ccc.de + url: "https://eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh2007.hamburg.ccc.de + url: "https://www.eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh07.hamburg.ccc.de + url: "https://eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh07.hamburg.ccc.de + url: "https://www.eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: easterhegg2007.hamburg.ccc.de + url: "https://easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.easterhegg2007.hamburg.ccc.de + url: "https://www.easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + # eh09.easterhegg.eu + - name: eh2009.hamburg.ccc.de + url: "https://eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == 
pat(*Easterhegg 2009*)" + + - name: www.eh2009.hamburg.ccc.de + url: "https://www.eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh09.hamburg.ccc.de + url: "https://eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.eh09.hamburg.ccc.de + url: "https://www.eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: easterhegg2009.hamburg.ccc.de + url: "https://easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.easterhegg2009.hamburg.ccc.de + url: "https://www.easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + # eh11.easterhegg.eu + - name: eh2011.hamburg.ccc.de + url: "https://eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh2011.hamburg.ccc.de + url: "https://www.eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh11.hamburg.ccc.de + url: "https://eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh11.hamburg.ccc.de + url: 
"https://www.eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: easterhegg2011.hamburg.ccc.de + url: "https://easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.easterhegg2011.hamburg.ccc.de + url: "https://www.easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + # eh20.easterhegg.eu + - name: www.eh20.easterhegg.eu + url: "https://www.eh20.easterhegg.eu" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" + + - name: eh20.hamburg.ccc.de + url: "https://eh20.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml new file mode 100644 index 0000000..c67811a --- /dev/null +++ b/resources/external/status/docker_compose/config/general.yaml 
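Review bot: The eh09, eh11 and eh20 entries, together with all of their redirect entries in the second half of the hunk, write the placeholders in lower case (`[status]`, `[certificate_expiration]`), while every other entry in the file uses `[STATUS]` and `[CERTIFICATE_EXPIRATION]`, which is the spelling Gatus documents. If the lower-case form is not resolved, those conditions compare literal text instead of the response and the checks do not measure what their names claim; this is worth verifying on one endpoint, and in any case the file should use one spelling throughout, e.g. `- "[STATUS] == 200"` and `- "[CERTIFICATE_EXPIRATION] > 48h"`.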
@@ -0,0 +1,25 @@
+storage:
+ type: postgres
+ path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
+
+ui:
+ title: CCCHH Status
+ description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
+ header: CCCHH Status
+ buttons:
+ - name: Website
+ link: "https://hamburg.ccc.de"
+ - name: Git
+ link: "https://git.hamburg.ccc.de"
+ - name: Kontakt & Impressum
+ link: "https://hamburg.ccc.de/imprint/"
+ default-sort-by: group
+
+alerting:
+ matrix:
+ server-url: "https://matrix-client.matrix.org"
+ access-token: "${MATRIX_ACCESS_TOKEN}"
+ internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
+
+# A bit more than the default 5 concurrent checks should be fine.
+concurrency: 15
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
new file mode 100644
index 0000000..0792e95
--- /dev/null
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
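Review bot: `sslmode=disable` on the storage path is undocumented; it is defensible here only because the `database` service in compose.yaml.j2 publishes no ports and is reached over the compose-internal `gatus` network. A comment on that line, e.g. `# sslmode=disable: the database is only reachable on the compose-internal network`, records that precondition so a later reader neither "fixes" it nor copies it into a setup where the database is reachable from elsewhere.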
@@ -0,0 +1,264 @@ +# Services (Chaosknoten) +services-chaosknoten-defaults: &services_chaosknoten_defaults + group: Services (Chaosknoten) + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: CCCHH ID/Keycloak (main page/account console) + url: "https://id.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*JavaScript is required to use the Account Console.*)" + + - name: CCCHH ID/Keycloak (ccchh realm) + url: "https://id.hamburg.ccc.de/realms/ccchh/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].realm == ccchh" + + - name: ccchoir + url: "https://ccchoir.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*The Choir of the Chaos Computer Club*)" + + - name: Cloud (status info) + url: "https://cloud.hamburg.ccc.de/status.php" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].installed == true" + - "[BODY].maintenance == false" + + - name: Cloud (main page/login) + url: "https://cloud.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: cow (main page/login) + url: "https://cow.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*mailcow UI*)" + + - name: cow (SMTP port 25) + url: "tcp://cow.hamburg.ccc.de:25" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (SMTPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - 
"[CONNECTED] == true" + + - name: cow (SMTP with STARTTLS port 587) + url: "starttls://cow.hamburg.ccc.de:587" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAP port 143) + url: "tcp://cow.hamburg.ccc.de:143" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Design/penpot + url: "https://design.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Penpot - Design Freedom for Teams*)" + + - name: EH22 Website/Wiki + url: "https://eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + + - name: Git + url: "https://git.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Git*)" + + - name: GitLab + url: "https://gitlab.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)" + + - name: Grafana + url: "https://grafana.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: Jitsi + url: "https://jitsi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Jitsi Meet*)" + + - name: Lists + url: "https://lists.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Mailing Lists*)" + + - name: Matrix + url: 
"https://matrix.hamburg.ccc.de/_matrix/client/versions" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "has([BODY].versions) == true" + - "has([BODY].unstable_features) == true" + + - name: Mumble (tcp) + url: "tcp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Mumble (udp) + url: "udp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: NetBox + url: "https://NetBox.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*NetBox*)" + + - name: ntfy + url: "https://ntfy.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ntfy web requires JavaScript*)" + + - name: OnlyOffice + url: "https://onlyoffice.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)" + + - name: Pad + url: "https://pad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)" + + - name: Pretalx (main page) + url: "https://pretalx.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretalx*)" + + - name: Pretalx (EH22/Easterhegg 2025) + url: "https://cfp.eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + - "[BODY] == pat(*pretalx*)" + + - name: SpaceAPI + url: "https://spaceapi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + 
conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].space == CCCHH" + + - name: Surveillance under Surveillance + url: "https://sunders.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Surveillance under Surveillance*)" + + - name: Tickets/pretix + url: "https://tickets.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretix*)" + + - name: Wiki + url: "https://wiki.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Wiki*)" + + - name: Woodpecker + url: "https://woodpecker.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Woodpecker*)" + + - name: Zammad + url: "https://zammad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*zammad*)" diff --git a/resources/external/status/docker_compose/config/sites.yaml b/resources/external/status/docker_compose/config/sites.yaml new file mode 100644 index 0000000..7b0ce82 --- /dev/null +++ b/resources/external/status/docker_compose/config/sites.yaml @@ -0,0 +1,23 @@ +# Sites +sites-defaults: &sites_defaults + group: Sites + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: Chaosknoten/IRZ42 + url: "icmp://chaosknoten.hamburg.ccc.de" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" + + - name: Z9 + url: "icmp://185.161.129.129" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" 
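Review bot: The endpoint named `cow (IMAPS port 465)` checks `tls://cow.hamburg.ccc.de:465`, which is the SMTPS port already covered by `cow (SMTPS port 465)` a few entries above, so the two checks are duplicates and IMAPS is not actually monitored. Unless cow serves IMAPS on 465, which the name does not suggest, this should read `- name: cow (IMAPS port 993)` with `url: "tls://cow.hamburg.ccc.de:993"`. Minor: `https://NetBox.hamburg.ccc.de/` is the only mixed-case host in the file; the lower-case form is consistent with the rest and with what ends up in the Host header.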
diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml
new file mode 100644
index 0000000..e54337a
--- /dev/null
+++ b/resources/external/status/docker_compose/config/websites.yaml
@@ -0,0 +1,174 @@
+# Websites, Websites (Staging) and Websites (Redirects)
+# (hosted on public-web-static)
+# One could probably also generate this list from the public-web-static config.
+websites-defaults: &websites_defaults
+ group: Websites
+ interval: 1m
+ alerts:
+ - type: matrix
+ failure-threshold: 5
+ success-threshold: 2
+ minimum-reminder-interval: "6h"
+ send-on-resolved: true
+
+websites-staging-defaults: &websites_staging_defaults
+ group: Websites (Staging)
+ interval: 5m
+ alerts:
+ - type: matrix
+ failure-threshold: 3
+ success-threshold: 1
+ minimum-reminder-interval: "24h"
+ send-on-resolved: true
+
+websites-redirects-defaults: &websites_redirects_defaults
+ group: Websites (Redirects)
+ interval: 5m
+ alerts:
+ - type: matrix
+ failure-threshold: 3
+ success-threshold: 1
+ minimum-reminder-interval: "24h"
+ send-on-resolved: true
+
+endpoints:
+ # Websites
+ - name: branding-resources.hamburg.ccc.de
+ url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*file: ccchh-logo.png*)"
+
+ - name: c3cat.de
+ url: "https://c3cat.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+ - name: cryptoparty-hamburg.de
+ url: "https://cryptoparty-hamburg.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+ - name: element-admin.hamburg.ccc.de
+ url: "https://element-admin.hamburg.ccc.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Loading Element Admin*)"
+
+ - name: element.hamburg.ccc.de
+ url: "https://element.hamburg.ccc.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
+ - name: hacker.tours
+ url: "https://hacker.tours"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ # Once suites support alerting, we can also monitor the target as well.
+ - "[BODY] == pat(**)"
+
+ - name: hackertours.hamburg.ccc.de
+ url: "https://hackertours.hamburg.ccc.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ # Once suites support alerting, we can also monitor the target as well.
+ - "[BODY] == pat(**)"
+
+ - name: hamburg.ccc.de
+ url: "https://hamburg.ccc.de"
+ <<: *websites_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
+
+# Websites (Staging)
+ - name: staging.c3cat.de
+ url: "https://staging.c3cat.de"
+ <<: *websites_staging_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*c3cat.de Staging Environment*)"
+
+ - name: staging.cryptoparty-hamburg.de
+ url: "https://staging.cryptoparty-hamburg.de"
+ <<: *websites_staging_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+ - name: staging.hacker.tours
+ url: "https://staging.hacker.tours"
+ <<: *websites_staging_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*hacker.tours Staging Environment*)"
+
+ - name: staging.hackertours.hamburg.ccc.de
+ url: "https://staging.hackertours.hamburg.ccc.de"
+ <<: *websites_staging_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
+
+ - name: staging.hamburg.ccc.de
+ url: "https://staging.hamburg.ccc.de"
+ <<: *websites_staging_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
+
+# Website (Redirects)
+ - name: www.c3cat.de
+ url: "https://www.c3cat.de"
+ <<: *websites_redirects_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+ - name: cryptoparty.hamburg.ccc.de
+ url: "https://cryptoparty.hamburg.ccc.de"
+ <<: *websites_redirects_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+ - name: staging.cryptoparty.hamburg.ccc.de
+ url: "https://staging.cryptoparty.hamburg.ccc.de"
+ <<: *websites_redirects_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+ - name: www.hamburg.ccc.de
+ url: "https://www.hamburg.ccc.de"
+ <<: *websites_redirects_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
diff --git a/resources/external/status/nginx/http_handler.conf b/resources/external/status/nginx/http_handler.conf
new file mode 100644
index 0000000..c989ede
--- /dev/null
+++ b/resources/external/status/nginx/http_handler.conf
@@ -0,0 +1,14 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name status.hamburg.ccc.de;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+ }
+}
diff --git a/resources/external/status/nginx/status.hamburg.ccc.de.conf b/resources/external/status/nginx/status.hamburg.ccc.de.conf
new file mode 100644
index 0000000..510966a
--- /dev/null
+++ b/resources/external/status/nginx/status.hamburg.ccc.de.conf
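Review bot: The `[BODY] == pat(**)` condition on the hacker.tours and hackertours.hamburg.ccc.de endpoints in websites.yaml matches any body, including an empty one, so it never fails and adds nothing beyond `[STATUS] == 200`, yet it reads like a real assertion. The comment above it suggests a placeholder until suites can alert; either keep the comment and drop the condition line, or replace it with a substring those pages actually serve, as the other entries do. Separately, the section comment `# Website (Redirects)` does not match the group name `Websites (Redirects)` used in the anchor it sits under; the comment looks like the odd one out.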
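Review bot: In http_handler.conf, `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, and because this block is the `default_server` on port 80 it answers for any name that reaches this address, so a request carrying a foreign Host header is redirected to that foreign name. Redirecting to the fixed name avoids that: `return 301 https://status.hamburg.ccc.de$request_uri;` (or `https://$server_name$request_uri;`, which resolves to the `server_name` set two lines above). The acme-challenge location is unaffected by this.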
@@ -0,0 +1,33 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ server_name status.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy.
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/;
+ }
+}
From 744dc00ae5f6209481df3b1b0cd42fec4fa194f4 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sun, 18 Jan 2026 03:01:35 +0000
Subject: [PATCH 058/101] Update https://github.com/ansible/ansible-lint action to v26
---
 .forgejo/workflows/lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
index b1168c9..588d38c 100644
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
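Review bot: The comment above `ssl_trusted_certificate` in status.hamburg.ccc.de.conf says the chain file is used to verify OCSP responses, but nothing in this server block enables stapling (`ssl_stapling on;` / `ssl_stapling_verify on;`), so unless those directives are set in the global nginx configuration the `ssl_trusted_certificate` line is inert and the comment misleads. The same applies to the Mozilla-guideline header: `ssl_protocols`, `ssl_ciphers` and the `ssl_session_*` settings it refers to are not in this file, so the block either inherits them from elsewhere or runs on nginx defaults. If they are set globally, a one-line comment naming that file would save the next reader the search, e.g. `# TLS protocol/cipher/stapling settings are inherited from the global nginx.conf`; if they are not, the intermediate profile referenced in the header is not actually applied here.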
@@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.12.2 + uses: https://github.com/ansible/ansible-lint@v26.1.1 with: setup_python: "false" requirements_file: "requirements.yml" From 0b6847493cfe44d03c645efe0bf54e6b2b2941a9 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sun, 18 Jan 2026 03:30:42 +0000 Subject: [PATCH 059/101] Update actions/checkout action to v6 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 588d38c..5113e9f 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Install pip run: | apt update From d7b463ecb9a1d4cf3d13d0ad9d3c3f064c271235 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 04:53:14 +0100 Subject: [PATCH 060/101] status(host): fix token not working by using a new one --- inventories/external/host_vars/status.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index e300459..4dd3471 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml 
@@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-17T23:54:35Z" - mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + lastmodified: "2026-01-18T03:53:06Z" + mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- From d514688574e84f8da76aa357782953fce5e4cb0c Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 18 Jan 2026 19:21:33 +0100 Subject: [PATCH 061/101] systemd_networkd(role),router(host): support global config to fix forw. With the router upgrade to Debian 13 the systemd version got upgraded as well breaking the current configuration for IP forwarding. Add a variable for global systemd-networkd configuration and use that to enable IPv4 and IPv6 forwarding on the router. The systemd_networkd role could be a bit nicer: it could skip deploying (or delete) the global configuration if the variable is empty, and reload/restart systemd-networkd at appropriate times. But as is, it works for now. --- inventories/chaosknoten/host_vars/router.yaml | 1 + .../router/systemd_networkd/20-net1.network | 2 -- .../router/systemd_networkd/20-net2.network | 2 -- .../router/systemd_networkd_global_config.conf | 3 +++ roles/systemd_networkd/README.md | 5 +++++ roles/systemd_networkd/defaults/main.yaml | 1 + roles/systemd_networkd/tasks/main.yaml | 18 ++++++++++++++++++ 7 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 resources/chaosknoten/router/systemd_networkd_global_config.conf create mode 100644 roles/systemd_networkd/defaults/main.yaml diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index 5e9c832..adbc8d9 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,4 +1,5 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}" nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min 
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network index c8bffc1..5c14d8d 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net1.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -3,7 +3,6 @@ Name=net1 [Network] DNS=212.12.50.158 -IPForward=ipv4 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=212.12.48.123/24 [Route] Gateway=212.12.48.55 - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network index b3f497d..39d1f03 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net2.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -3,7 +3,6 @@ Name=net2 [Network] #DNS=212.12.50.158 -IPForward=ipv6 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=2a00:14b0:4200:3500::130:2/112 [Route] Gateway=2a00:14b0:4200:3500::130:1 - diff --git a/resources/chaosknoten/router/systemd_networkd_global_config.conf b/resources/chaosknoten/router/systemd_networkd_global_config.conf new file mode 100644 index 0000000..2d3d8a3 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd_global_config.conf @@ -0,0 +1,3 @@ +[Network] +IPv4Forwarding=true +IPv6Forwarding=true diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md index 3297c47..ac7f115 100644 --- a/roles/systemd_networkd/README.md +++ b/roles/systemd_networkd/README.md @@ -9,3 +9,8 @@ Should work on Debian-based distributions. ## Required Arguments - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. + +## Optional Arguments + +- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`). + Defaults to `` (the empty string); diff --git a/roles/systemd_networkd/defaults/main.yaml b/roles/systemd_networkd/defaults/main.yaml new file mode 100644 index 0000000..e84ed28 
--- /dev/null +++ b/roles/systemd_networkd/defaults/main.yaml @@ -0,0 +1 @@ +systemd_networkd__global_config: "" diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml index f88ed14..cc8f4d9 100644 --- a/roles/systemd_networkd/tasks/main.yaml +++ b/roles/systemd_networkd/tasks/main.yaml @@ -12,3 +12,21 @@ recursive: true delete: true become: true + +- name: ensure global systemd-networkd config directory exists + ansible.builtin.file: + path: "/etc/systemd/networkd.conf.d" + state: directory + owner: root + group: root + mode: "0755" + become: true + +- name: ensure global systemd-networkd config is deployed + ansible.builtin.copy: + content: "{{ systemd_networkd__global_config }}" + dest: "/etc/systemd/networkd.conf.d/20-ansible.conf" + mode: "0644" + owner: root + group: root + become: true From 28f80a85f33413cd0de40708623f281c93c78c76 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 19:47:19 +0100 Subject: [PATCH 062/101] status(host): Switch to nekover.se user for personal token As access token now apparently expire with matrix authentication services, use a nekover.se user where we can get a long-lived personal token. --- inventories/external/host_vars/status.sops.yaml | 6 +++--- .../external/status/docker_compose/config/general.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index 4dd3471..366b641 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml 
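Review bot: The new `ensure global systemd-networkd config is deployed` task in roles/systemd_networkd/tasks/main.yaml has no `notify`, so a changed `/etc/systemd/networkd.conf.d/20-ansible.conf` is written to disk but systemd-networkd is never restarted and the forwarding change only takes effect after a reboot or a manual restart; the commit message already acknowledges this gap. Adding `notify: restart systemd-networkd` to the copy task, with a handler in the role that calls `ansible.builtin.systemd` with `name: systemd-networkd.service` and `state: restarted`, would close it. As far as I know `networkctl reload` only re-reads the .network/.netdev files and not networkd.conf, so a restart rather than a reload is what the handler needs to do here — worth confirming on the Debian 13 systemd version in use.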
@@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-18T03:53:06Z" - mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] + lastmodified: "2026-01-18T18:40:32Z" + mac: ENC[AES256_GCM,data:7bP0fmn6TJKA8zLuXE8F47sHn1qqX33z/078KkCJx5yRSKBGyLnTeKNha8EODEBkMG0eXQ2BEQDPfNB892R5OW69xCInCa0+sEPONd3YELMvFVoM7/+avDi94X/tdJKCHVPnF/kpqnGhKlwikKlCFLIcbkfEAHJgDlze32C0QKU=,iv:1Q5dsJP2FToAYDJYWXJufHuIlXGfj93NaBWHfZ5rhHk=,tag:dFNYdMJOwUwr6/zwlRollg==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- 
diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index c67811a..0b30725 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -17,7 +17,7 @@ ui: alerting: matrix: - server-url: "https://matrix-client.matrix.org" + server-url: "https://matrix.nekover.se" access-token: "${MATRIX_ACCESS_TOKEN}" internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" From ddaa069204bb49b8d1033e42292019ce9b594da8 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:39:23 +0100 Subject: [PATCH 063/101] status(host): configure Gatus to store more results and events Also see: https://github.com/TwiN/gatus?tab=readme-ov-file#storage --- resources/external/status/docker_compose/config/general.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index 0b30725..fb1c3ed 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -1,6 +1,8 @@ storage: type: postgres path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" + maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks. + maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day. ui: title: CCCHH Status From b492472179f8f56a6f46dd0aad0fdc036e99cdde Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 12:12:30 +0100 Subject: [PATCH 064/101] Explain how to add age key for ansible pull --- ...ng_up_secrets_using_sops_for_a_new_host.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md index c88315f..df7b024 100644 --- a/docs/setting_up_secrets_using_sops_for_a_new_host.md +++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md 
@@ -2,19 +2,29 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory. -1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. - It should probably hold all admin keys. +1. Create a new age key for Ansible pull on the host. + ``` + age-keygen + ``` + Then add an entry to `keys.hosts.chaosknoten.age` +2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. + It should probably hold all admin keys plus the host entry. You can use existing creation rules as a reference. -2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. +3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. This can be accomplished with a command similar to this: ``` sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml ``` -3. With the editor now open, add the secrets you want to store. +4. With the editor now open, add the secrets you want to store. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Also note that SOPS only encrypts the values, not the keys. When now creating entries, try to adhere to the following variable naming convention: + - Make sure to put the prive age key in here under `ansible_pull__age_private_key`. - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`) - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`) -4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. +5. 
Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. + +## GPG Keys + +In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store. From 664b9115b8d4e01ae774bf33e041855ed10de585 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 13:01:52 +0100 Subject: [PATCH 065/101] Fix warning --- roles/docker/tasks/main/01_repo_setup.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/main/01_repo_setup.yaml b/roles/docker/tasks/main/01_repo_setup.yaml index aa77521..63bdb91 100644 --- a/roles/docker/tasks/main/01_repo_setup.yaml +++ b/roles/docker/tasks/main/01_repo_setup.yaml @@ -9,7 +9,7 @@ - name: Ensure Docker APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable" filename: docker state: present become: true From f887de25c521e52375ae828cab59dd6a17f3b258 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 13:26:20 +0100 Subject: [PATCH 066/101] make building and pulling configurable --- roles/docker_compose/defaults/main.yaml | 2 ++ roles/docker_compose/tasks/main.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 76831d6..621ee7b 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1 +1,3 @@ +docker_compose__build: always docker_compose__configuration_files: [ ] +docker_compose__pull: always 
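Review bot: The new `docker_compose__build` and `docker_compose__pull` variables in roles/docker_compose/defaults/main.yaml are not documented in the role's README, which already lists the role's arguments under `## Required Arguments`. An `## Optional Arguments` entry such as `- docker_compose__build: value passed to the build option of community.docker.docker_compose_v2. Defaults to always.` (and the same for `pull`) would match how the systemd_networkd README documents its optional variable in this same series. Pointing at the module documentation for the accepted values is enough; the defaults keep the previous behaviour, so existing hosts are unaffected.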
diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index bea3f4f..a706ab2 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml @@ -79,8 +79,8 @@ community.docker.docker_compose_v2: project_src: /ansible_docker_compose state: present - build: always - pull: always + build: "{{ docker_compose__build }}" + pull: "{{ docker_compose__pull }}" remove_orphans: true become: true From 0c782caee7a9e68e9b5247f681cf7222b1703ca7 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 14:03:34 +0100 Subject: [PATCH 067/101] Explain what all needs to be added for a new host --- docs/create-new-web-service-vm.md | 79 +++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 docs/create-new-web-service-vm.md diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md new file mode 100644 index 0000000..76eca21 --- /dev/null +++ b/docs/create-new-web-service-vm.md 
@@ -0,0 +1,79 @@ +# How to create all necessary entries for new (web service) VM + +Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo. + +## IP, DNS, VM + +1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. +2. Add an entry `example.hosts.hamburg.ccc.de` with that AAAA to the name server (`ns-intern`). +3. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. +4. Commit and reload the zone. +5. Create a new VM on chaosknoten, for example by cloning the Debian template 9023. Give it the name `example`. +6. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. +7. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. +8. Make sure the VM is started at boot (options). +9. Adjust any other VM parameters as needed. +10. Boot the VM. +11. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). Make sure to enter the VM ID. +12. Add an Ethernet interface to the VM; we typically use `eth0` as a name. +13. Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. + +## Ansible Basics + +As the first step, we need to make the host known to Ansible. + +1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. + 1. `keys.hosts.chaosknoten.age` needs an age public key (the private key is needed in the host-specific YAML) + 2. `creation_rules` needs an entry for the host, referencing the age key. +2. In `inventories/chaosknoten/hosts.yaml`: + 1. 
Configure basic connection info: + ``` + example: + ansible_host: example.hosts.hamburg.ccc.de + ansible_user: chaos + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ``` + You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection. + 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. + 3. In the directorry `inventories/chaosknoten/host_var/`: + 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. + 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries there should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + +## Service-specific config + +From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following. 
+ +Make `inventories/chaosknoten/host_var/example.yaml` look like this: +```yaml +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "example.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}" + +nginx__version_spec: "" +nginx__configurations: + - name: example.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}" +``` + +This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info. + +## First Ansible run + +Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts: +* `ssh chaos@example.hosts.hamburg.ccc.de` +* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de` + +Then run Ansible for `public-reverse-proxy` to add the necessary entries: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy`. + +Finally run Ansible for the new host: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example` + +# Commit your changes + +Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. + +And always `git pull` before you run Ansible so avoid reverting anything! \ No newline at end of file From cee1fe970aa629d5b2f9bf58de2a8ed18b1726c9 Mon Sep 17 00:00:00 2001 
From: Stefan Bethke Date: Sun, 25 Jan 2026 14:03:54 +0100 Subject: [PATCH 068/101] Add spaceapiccc as a replacement for erfafoo --- .sops.yaml | 7 + .../host_vars/spaceapiccc.sops.yaml | 215 ++++++++++++++++++ .../chaosknoten/host_vars/spaceapiccc.yaml | 16 ++ inventories/chaosknoten/hosts.yaml | 9 + .../nginx/acme_challenge.conf | 2 + .../public-reverse-proxy/nginx/nginx.conf | 2 + .../docker_compose/compose.yaml.j2 | 39 ++++ .../nginx/spaceapiccc.hamburg.ccc.de.conf | 42 ++++ 8 files changed, 332 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml create mode 100644 inventories/chaosknoten/host_vars/spaceapiccc.yaml create mode 100644 resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 create mode 100644 resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 3b728e2..bb83e39 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -33,6 +33,7 @@ keys: - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg + - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa external: age: &host_external_age_keys - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -160,6 +161,12 @@ creation_rules: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key + - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_spaceapiccc_ansible_pull_age_key # external hosts - path_regex: inventories/external/host_vars/status.* key_groups: 
diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml new file mode 100644 index 0000000..4f06e92 --- /dev/null +++ b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml 
@@ -0,0 +1,215 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str] +secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str] +secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str] +secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str] +sops: + age: + - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX + S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95 + YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx + TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+ + C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-25T11:18:43Z" + mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str] + pgp: + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A + wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ + xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8 + iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq + 
fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y + 9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q + /KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe + FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc + lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2 + JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi + ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU + aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o + CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1 + wWY4KUeOqk6Y + =Wm7O + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi + 457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI + df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb + FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb + rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9 + xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh + kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t + a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22 + oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv + 85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk + k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS + XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ + lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg= + =ytkN + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee + VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO + 
tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K + eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd + nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di + MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h + vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl + WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO + 3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ + wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp + oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS + XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE + RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA= + =LEoh + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z + RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg + b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO + 9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV + A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp + EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX + FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc + 4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc + xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z + wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x + 4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS + XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV + wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA= + =KudR + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw + mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5 + 0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB + iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4 + =gfNC + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje + d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf + 2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+ + UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4 + RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI + rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc + 63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2 + wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9 + S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF + xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50 + Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je + AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3 + aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA== + =7Qbv + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw + N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux + wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK + BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr + irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M + EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY + mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/ + 
TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe + xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo + Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8 + hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S + XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm + XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo= + =T4dN + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q + tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm + s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3 + Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl + z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w + jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5 + zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ + gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go + AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU + uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np + mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS + XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU + rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c= + =PbAZ + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw + ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo + 0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f + dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU + =Cbzj + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T11:17:03Z" + enc: |- 
+ -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw + fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK + 0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw + fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz + =g5Ck + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR + X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz + FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k + dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j + kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v + fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt + caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli + MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb + wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV + NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig + 6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU + aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm + oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG + xU5hdDPzz/jT + =zb8A + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml new file mode 100644 index 0000000..377b909 --- /dev/null +++ b/inventories/chaosknoten/host_vars/spaceapiccc.yaml 
@@ -0,0 +1,16 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}"
+docker_compose__build: never
+docker_compose__pull: never
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ # - "spaceapi.ccc.de" # after DNS has been adjusted
+ - "spaceapiccc.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: spaceapiccc.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 93c61be..6246119 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -74,6 +74,10 @@ all:
 ansible_host: renovate.hosts.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ spaceapiccc:
+ ansible_host: spaceapiccc.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
 hosts:
 chaosknoten:
@@ -98,6 +102,7 @@ base_config_hosts:
 ntfy:
 sunders:
 renovate:
+ spaceapiccc:
 systemd_networkd_hosts:
 hosts:
 router:
@@ -117,6 +122,7 @@ docker_compose_hosts:
 zammad:
 ntfy:
 sunders:
+ spaceapiccc:
 nextcloud_hosts:
 hosts:
 cloud:
@@ -138,6 +144,7 @@ nginx_hosts:
 zammad:
 ntfy:
 sunders:
+ spaceapiccc:
 public_reverse_proxy_hosts:
 hosts:
 public-reverse-proxy:
@@ -158,6 +165,7 @@ certbot_hosts:
 zammad:
 ntfy:
 sunders:
+ spaceapiccc:
 prometheus_node_exporter_hosts:
 hosts:
 ccchoir:
@@ -189,6 +197,7 @@ infrastructure_authorized_keys_hosts:
 ntfy:
 sunders:
 renovate:
+ spaceapiccc:
 wiki_hosts:
 hosts:
 eh22-wiki:
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 82e596a..0a6a70d 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -78,6 +78,8 @@ map $host $upstream_acme_challenge_host { cryptoparty.hamburg.ccc.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820; + spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; + spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 489dda5..2ad5dc4 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -96,6 +96,8 @@ stream { cryptoparty.hamburg.ccc.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443; + spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; + spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; } server { diff --git a/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 new file mode 100644 index 0000000..67e4b58 --- /dev/null +++ b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 
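Review bot: The two new map entries in acme_challenge.conf and the matching pair in nginx.conf point at the hostname `spaceapiccc.hosts.hamburg.ccc.de`, while every neighbouring entry uses a literal address such as `172.31.17.151`. Since these map values feed a variable-based `proxy_pass`, nginx resolves a name at request time and needs a `resolver` directive in the enclosing block; if none is configured there (not visible in this hunk), these routes fail with a "no resolver defined" error while the IP-based ones keep working. Either pin the host's management address like the other entries or confirm a resolver exists, and add a one-line comment stating which is intended, e.g. `# resolved at runtime via the stream/http resolver; keep in sync with inventories/chaosknoten/hosts.yaml`. The enclosing `map` and `stream` blocks start before the hunks.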
@@ -0,0 +1,39 @@
+---
+services:
+ frontend:
+ #build: ./frontend
+ networks:
+ spaceapi-network:
+ ipv4_address: 172.16.238.10
+ image: gidsi/spaceapi-ccc-frontend:saved_from_old_host
+ restart: always
+ expose:
+ - "80"
+ depends_on:
+ - backend
+ backend:
+ #build: ./backend
+ networks:
+ - spaceapi-network
+ image: gidsi/spaceapi-ccc-backend:saved_from_old_host
+ restart: always
+ environment:
+ SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}"
+ DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}"
+ DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}"
+ depends_on:
+ - database
+ database:
+ image: mongo:saved_from_old_host
+ networks:
+ - spaceapi-network
+ restart: always
+ volumes:
+ - ./data/database:/data/db
+
+networks:
+ spaceapi-network:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.16.238.0/24
diff --git a/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf
new file mode 100644
index 0000000..f060996
--- /dev/null
+++ b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf
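Review bot: The `database` service runs `mongo:saved_from_old_host` with no authentication configured, so every container on `spaceapi-network` — including `frontend`, which has no need for the database — can read and write it; the only protection is that the port is not published. That deserves a comment at the service, e.g. `# no auth configured: reachable only on spaceapi-network, never publish a port here`, and, if the backend's connection string allows it, credentials via the image's `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` sourced from the sops file. All three images use the mutable tag `saved_from_old_host` together with `docker_compose__pull: never`/`docker_compose__build: never` from the host_vars, so nothing in a deploy verifies what is actually running; a short comment on how these images were exported and loaded onto the host, and when the commented-out `#build:` lines are meant to take over, would help the next operator.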
@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen [::]:8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name spaceapi.ccc.de spaceapiccc.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://172.16.238.10/;
+ }
+}
From d35f1cc779b9ed4a23ddc8e376c393cf1c33f2e7 Mon Sep 17 00:00:00 2001
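Review bot: `server_name` lists `spaceapi.ccc.de`, but the three `ssl_*` paths only cover the `spaceapiccc.hamburg.ccc.de` certificate, and the host_vars hunk in this same commit deliberately keeps `spaceapi.ccc.de` out of `certbot__certificate_domains` until DNS is switched; since the public-reverse-proxy maps added here already forward that name, clients arriving for `spaceapi.ccc.de` in the meantime are served a certificate that does not match. A comment beside `server_name`, e.g. `# spaceapi.ccc.de is listed ahead of the DNS switch; the cert does not cover it yet, see certbot__certificate_domains`, would make the staged rollout explicit instead of looking like a misconfiguration. `proxy_pass http://172.16.238.10/` hard-codes the frontend's static address from compose.yaml.j2; a cross-reference comment (`# frontend's ipv4_address in docker_compose/compose.yaml.j2`) keeps the two files from drifting apart when the subnet changes.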
From: Stefan Bethke Date: Sun, 25 Jan 2026 15:31:42 +0100 Subject: [PATCH 069/101] GPG must be installed for the docker role to be able to add the repo
---
 roles/base_config/tasks/main.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml
index 7f0281e..ab737b7 100644
--- a/roles/base_config/tasks/main.yaml
+++ b/roles/base_config/tasks/main.yaml
@@ -30,4 +30,5 @@
 - dnsutils
 - usbutils
 - kitty
+ - gpg
 become: true
From c285694aaadd49374745c9749d54b2ece5c7afaa Mon Sep 17 00:00:00 2001
From: Stefan Bethke Date: Sun, 25 Jan 2026 15:47:41 +0100 Subject: [PATCH 070/101] Add age private key
---
 docs/create-new-web-service-vm.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md
index 76eca21..1f5874d 100644
--- a/docs/create-new-web-service-vm.md
+++ b/docs/create-new-web-service-vm.md
@@ -37,7 +37,8 @@ As the first step, we need to make the host known to Ansible. 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. 3. In the directorry `inventories/chaosknoten/host_var/`: 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. - 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries there should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + * Add an entry `ansible_pull__age_private_key` with the age private key you generated above. ## Service-specific config From 0939771d0812e71fad69074420223a706353ec98 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:22:44 +0100 Subject: [PATCH 071/101] public-reverse-proxy(host): add entries for cpu.ccc.de --- .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 2 ++ resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 ++ 2 files changed, 4 insertions(+) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 0a6a70d..71ae729 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -80,6 +80,8 @@ map $host $upstream_acme_challenge_host { staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820; spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; + cpuccc.hamburg.ccc.de 172.31.17.151:31820; + cpu.ccc.de 172.31.17.151:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 2ad5dc4..bdf7184 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -98,6 +98,8 @@ stream { staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443; spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; + cpuccc.hamburg.ccc.de 172.31.17.151:8443; + cpu.ccc.de 172.31.17.151:8443; } server { From 652aa32e217fe21f864d9e24d2c80ccd520776c0 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:49:39 +0100 Subject: [PATCH 072/101] docker_compose(role): document new build and pull arguments --- roles/docker_compose/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index c0a7a93..6f2c841 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md 
@@ -19,6 +19,10 @@ Should work on Debian-based distributions. - `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. - `docker_compose__configuration_files.*.name`: The name of the configuration file. - `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. +- `docker_compose__build`: Whether or not to build images before starting containers. + Defaults to `always`. +- `docker_compose__pull`: Whether or not to pull images before starting containers. + Defaults to `always`. ## Links & Resources From a5d291cea8829f7098929b3da0640c5effdc06c4 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:58:57 +0100 Subject: [PATCH 073/101] spaceapiccc(host): setup ansible-pull --- inventories/chaosknoten/hosts.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 6246119..2a95ba8 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -232,6 +232,7 @@ ansible_pull_hosts: public-reverse-proxy: zammad: ntfy: + spaceapiccc: msmtp_hosts: hosts: renovate_hosts: From 1523b15952987cc23f87a7845d480be9bf89327c Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:11:07 +0100 Subject: [PATCH 074/101] docs: improve formatting and wording a bit to make things clearer --- docs/create-new-web-service-vm.md | 55 +++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index 1f5874d..da8293b 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md 
@@ -5,36 +5,47 @@ Let's assume that you want to add a new web service `example.hamburg.ccc.de` whi ## IP, DNS, VM 1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. -2. Add an entry `example.hosts.hamburg.ccc.de` with that AAAA to the name server (`ns-intern`). -3. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. -4. Commit and reload the zone. -5. Create a new VM on chaosknoten, for example by cloning the Debian template 9023. Give it the name `example`. -6. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. -7. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. -8. Make sure the VM is started at boot (options). -9. Adjust any other VM parameters as needed. -10. Boot the VM. -11. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). Make sure to enter the VM ID. -12. Add an Ethernet interface to the VM; we typically use `eth0` as a name. -13. Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. +2. On `ns-intern`: + 1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP. + 2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. + 3. Commit and reload the zone. +3. On Chaosknoten: + 1. Create a new VM, for example by cloning the Debian template 9023. + Give it the name `example`. + 2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. + 3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. + 4. Make sure the VM is started at boot (options). + 5. Adjust any other VM parameters as needed. + 6. Boot the VM. +4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). 
+ - Make sure to enter the VM ID. + - Add an Ethernet interface to the VM; we typically use `eth0` as a name. + - Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. ## Ansible Basics As the first step, we need to make the host known to Ansible. 1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. - 1. `keys.hosts.chaosknoten.age` needs an age public key (the private key is needed in the host-specific YAML) + 1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML) 2. `creation_rules` needs an entry for the host, referencing the age key. 2. In `inventories/chaosknoten/hosts.yaml`: 1. Configure basic connection info: - ``` + ```yaml example: ansible_host: example.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ``` You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection. - 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. + 2. Add the host to the desired roles. + 1. As a minimum, you'll want the following roles: + - `base_config_hosts` + - `infrastructure_authorized_keys_hosts` + 2. For a typical web service based on Docker Compose, you'll also want: + - `docker_compose_hosts` + - `nginx_hosts` + - `certbot_hosts`. 3. In the directorry `inventories/chaosknoten/host_var/`: 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. 
Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. @@ -69,12 +80,20 @@ Before you can run Ansible successfully, you will want to make sure you can conn * `ssh chaos@example.hosts.hamburg.ccc.de` * `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de` -Then run Ansible for `public-reverse-proxy` to add the necessary entries: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy`. +Then run Ansible for `public-reverse-proxy` to add the necessary entries: -Finally run Ansible for the new host: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example` +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy +``` + +Finally run Ansible for the new host: + +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example +``` # Commit your changes Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. -And always `git pull` before you run Ansible so avoid reverting anything! \ No newline at end of file +And always `git pull` before you run Ansible so avoid reverting anything! From c6c02724487ab278aa9904483d66efb8d4872d64 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:16:38 +0100 Subject: [PATCH 075/101] docs: add section on conf. monitoring with Gatus (status.hamburg.ccc.de) --- docs/create-new-web-service-vm.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index da8293b..57a1e81 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md 
@@ -97,3 +97,16 @@ ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. And always `git pull` before you run Ansible so avoid reverting anything! + +# Monitoring + +## Gatus (`status.hamburg.ccc.de`) + +After you configured a new service or website, add it to our status and uptime monitoring. +Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents). + +After you've added some checks, the configuration can be deployed using: + +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status +``` From 8f7990acc0240123d2d488c334ba2904060ece12 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:17:28 +0100 Subject: [PATCH 076/101] docs: add ansible_pull_hosts to the desired minimum roles/groups --- docs/create-new-web-service-vm.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index 57a1e81..46ff19f 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -42,6 +42,7 @@ As the first step, we need to make the host known to Ansible. 1. As a minimum, you'll want the following roles: - `base_config_hosts` - `infrastructure_authorized_keys_hosts` + - `ansible_pull_hosts` 2. For a typical web service based on Docker Compose, you'll also want: - `docker_compose_hosts` - `nginx_hosts` From 11779ab21d742da75e4ab13e001be29ee74ccd52 Mon Sep 17 00:00:00 2001 
From: chris Date: Sun, 25 Jan 2026 21:41:20 +0100 Subject: [PATCH 077/101] grafana: get alertmanager to be more chill a bit of help to deal with alert fatigue
---
 .../docker_compose/alertmanager.yaml.j2 | 23 +++++--------------
 .../grafana/docker_compose/compose.yaml.j2 | 4 ++--
 2 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
index 51aeb63..10fb346 100644
--- a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
@@ -7,7 +7,7 @@ route:
 group_by: [ "alertname", "site", "type", "hypervisor" ]
 group_wait: 30s
 group_interval: 5m
- repeat_interval: 6h
+ repeat_interval: 26h
 routes:
 - receiver: "null"
 matchers:
@@ -16,49 +16,38 @@ route: matchers: - org = "ccchh" - severity = "critical", - repeat_interval: 18h + repeat_interval: 26h continue: true - receiver: ntfy-ccchh matchers: - org = "ccchh" - severity =~ "info|warning", - repeat_interval: 36h + repeat_interval: 52h continue: true - receiver: ntfy-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 18h + repeat_interval: 26h continue: true - receiver: email-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 36h + repeat_interval: 52h continue: true - receiver: ntfy-fux matchers: - org = "fux" - severity =~ "info|warning", - repeat_interval: 36h + repeat_interval: 52h continue: true - - receiver: ccchh-infrastructure-alerts - matchers: - - org = "ccchh" - - severity =~ "info|warning|critical" templates: - "/etc/alertmanager/templates/*.tmpl" receivers: - name: "null" - - name: "ccchh-infrastructure-alerts" - telegram_configs: - - send_resolved: true - bot_token: {{ secret__alertmanager_telegram_bot_token }} - chat_id: -1002434372415 - parse_mode: HTML - message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }} - name: "ntfy-ccchh-critical" webhook_configs: diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 90952ee..c2c312c 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.30.0 + image: docker.io/prom/alertmanager:v0.30.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.3 + image: docker.io/grafana/loki:3.6.4 container_name: loki ports: - 13100:3100 From 995dbb06e2ea547177b00566b64b4fde595456cb Mon Sep 17 00:00:00 2001 
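Review bot: Removing the `ccchh-infrastructure-alerts` Telegram receiver leaves `secret__alertmanager_telegram_bot_token` unused but, as far as this series shows, still present in the encrypted inventory and still valid on Telegram's side. The token should be revoked (BotFather, or delete the bot) and the variable dropped from the sops file so a stale credential does not linger in the inventory; the removed `chat_id` still identifies the group, which only stops mattering once the bot has left it. With this receiver gone, `org = "ccchh"` alerts now reach only the ntfy receivers, so it is worth confirming in the commit message that losing the Telegram channel for critical alerts is intended.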
From: June Date: Sun, 4 Jan 2026 19:32:42 +0100 Subject: [PATCH 078/101] wip: alloy --- roles/alloy/tasks/main.yaml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 roles/alloy/tasks/main.yaml diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml new file mode 100644 index 0000000..2bc308a --- /dev/null +++ b/roles/alloy/tasks/main.yaml @@ -0,0 +1,48 @@ +# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124 +- name: ensure alloy user exists + ansible.builtin.user: + name: alloy + system: true + append: true + create_home: false + state: present + +- name: ensure the `/etc/alloy/` config directory exists + ansible.builtin.file: + path: /etc/alloy + state: directory + mode: "0770" + owner: root + group: alloy + become: true + +- name: synchronize the additional configuration files directory, if present + when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != "" + block: + - name: ensure rsync is installed + ansible.builtin.apt: + name: rsync + become: true + + - name: synchronize the additional configuration files directory, if present + ansible.posix.synchronize: + src: "{{ alloy__additional_configs_dir }}" + dest: /etc/alloy/additional + delete: true + recursive: true + use_ssh_args: true + rsync_opts: + - "--chown=root:alloy" + become: true + +- name: delete the additional configuration files directory, if not present + when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == "" + ansible.builtin.file: + path: /etc/alloy/additional + state: absent + become: true + +- name: Setup Alloy + ansible.builtin.import_role: + name: grafana.grafana.alloy + become: true From c7d51af5b428b7b1fe065c23fbfa1d1b6bd51980 Mon Sep 17 00:00:00 2001 
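Review bot: The `ensure alloy user exists` task is the only one in this file without `become: true`; creating a system user needs root, so on hosts where `ansible_user` is unprivileged this task fails before the rest runs (if the playbook sets `become` at play level this is harmless, but the role should not depend on that). Separately, `mode: "0770"` on `/etc/alloy` makes the directory writable by the `alloy` group, i.e. the service account can replace or add configuration in the directory that holds its own remote_write credentials; the service only needs to read, so `mode: "0750"` is the right default. The rsync `--chown=root:alloy` also leaves file modes as they are in the repository checkout, so add `- "--chmod=D750,F640"` to `rsync_opts` so synced configs are not world-readable on the host.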
From: chris Date: Sun, 25 Jan 2026 20:03:13 +0100 Subject: [PATCH 079/101] rollout Alloy to replace prometheus_node_exporter With the new network we need to deploy a push based solution in order to get metrics into prometheus --- .../chaosknoten/group_vars/all.sops.yaml | 7 +- .../chaosknoten/host_vars/grafana.yaml | 42 +-------- .../chaosknoten/host_vars/ntfy.sops.yaml | 6 +- inventories/chaosknoten/host_vars/ntfy.yaml | 86 +------------------ inventories/chaosknoten/hosts.yaml | 16 ++-- playbooks/deploy.yaml | 11 +-- .../grafana/docker_compose/prometheus.yml | 35 -------- .../grafana/nginx/metrics.hamburg.ccc.de.conf | 1 - roles/alloy/defaults/main.yaml | 44 ++++++++++ roles/alloy/tasks/main.yaml | 2 + roles/prometheus_node_exporter/meta/main.yaml | 10 --- .../prometheus_node_exporter/tasks/main.yaml | 14 --- 12 files changed, 69 insertions(+), 205 deletions(-) create mode 100644 roles/alloy/defaults/main.yaml delete mode 100644 roles/prometheus_node_exporter/meta/main.yaml delete mode 100644 roles/prometheus_node_exporter/tasks/main.yaml diff --git a/inventories/chaosknoten/group_vars/all.sops.yaml b/inventories/chaosknoten/group_vars/all.sops.yaml index ebc53b7..0c5762d 100644 --- a/inventories/chaosknoten/group_vars/all.sops.yaml +++ b/inventories/chaosknoten/group_vars/all.sops.yaml @@ -1,4 +1,5 @@ msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str] +metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str] sops: age: - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 
@@ -163,8 +164,8 @@ sops: SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-13T23:45:06Z" - mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str] + lastmodified: "2026-01-25T18:06:26Z" + mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str] pgp: - created_at: "2025-10-20T19:03:07Z" enc: |- @@ -360,4 +361,4 @@ sops: -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index ecc942c..b87a198 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,16 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } +alloy_config_additional: | loki.write "default" { endpoint { url = "https://loki.hamburg.ccc.de/loki/api/v1/push" 
@@ -98,9 +89,9 @@ alloy_config: | } rule { source_labels = ["__journal__hostname"] - target_label = "host" + target_label = "instance" regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" + replacement = "${1}.hosts.hamburg.ccc.de" action = "replace" } } @@ -111,30 +102,3 @@ alloy_config: | format_as_json = true labels = {component = "loki.source.journal", org = "ccchh"} } - - logging { - level = "info" - } - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - } diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml index e860cca..1328d66 100644 --- a/inventories/chaosknoten/host_vars/ntfy.sops.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml @@ -1,5 +1,3 @@ -secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str] -secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str] secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str] ntfy: user: 
@@ -18,8 +16,8 @@ sops: bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-20T19:01:39Z" - mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str] + lastmodified: "2026-01-25T18:41:48Z" + mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str] pgp: - created_at: "2025-10-20T19:03:04Z" enc: |- diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml index cab4e76..2d68bfa 100644 --- a/inventories/chaosknoten/host_vars/ntfy.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.yaml 
@@ -15,90 +15,8 @@ nginx__configurations: - name: ntfy.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } - loki.write "default" { - endpoint { - url = "https://loki.hamburg.ccc.de/loki/api/v1/push" - basic_auth { - username = "chaos" - password = "{{ secret__loki_chaos }}" - } - } - } - - loki.relabel "journal" { - forward_to = [] - - rule { - source_labels = ["__journal__systemd_unit"] - target_label = "systemd_unit" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "instance" - } - rule { - source_labels = ["__journal__transport"] - target_label = "systemd_transport" - } - rule { - source_labels = ["__journal_syslog_identifier"] - target_label = "syslog_identifier" - } - rule { - source_labels = ["__journal_priority_keyword"] - target_label = "level" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - loki.source.journal "read_journal" { - forward_to = [loki.write.default.receiver] - relabel_rules = loki.relabel.journal.rules - format_as_json = true - labels = {component = "loki.source.journal", org = "ccchh"} - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "unix_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - 
} - +alloy_config_additional: | prometheus.scrape "ntfy_metrics" { targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}] - forward_to = [prometheus.relabel.default.receiver] + forward_to = [prometheus.relabel.chaosknoten_common.receiver] } diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 2a95ba8..5c114c9 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -166,11 +166,10 @@ certbot_hosts: ntfy: sunders: spaceapiccc: -prometheus_node_exporter_hosts: +alloy_hosts: hosts: ccchoir: eh22-wiki: - tickets: keycloak: netbox: onlyoffice: @@ -178,6 +177,15 @@ prometheus_node_exporter_hosts: pretalx: wiki: zammad: + grafana: + ntfy: + tickets: + renovate: + cloud: + public-reverse-proxy: + router: + sunders: + spaceapiccc: infrastructure_authorized_keys_hosts: hosts: ccchoir: @@ -208,10 +216,6 @@ netbox_hosts: proxmox_vm_template_hosts: hosts: chaosknoten: -alloy_hosts: - hosts: - grafana: - ntfy: ansible_pull_hosts: hosts: netbox: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index f416b91..fe0cf78 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -64,11 +64,6 @@ roles: - nginx -- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts - hosts: prometheus_node_exporter_hosts - roles: - - prometheus_node_exporter - - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors become: true @@ -83,10 +78,8 @@ - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true - tasks: - - name: Setup Alloy - ansible.builtin.include_role: - name: grafana.grafana.alloy + roles: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus.yml b/resources/chaosknoten/grafana/docker_compose/prometheus.yml index fd59034..7f94ab0 100644 
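Review bot: The ntfy host silently loses its Loki log shipping in this hunk: the removed `loki.write "default"` and `loki.source.journal "read_journal"` components are not carried over into `alloy_config_additional`, the role-provided `alloy_config_default` introduced in this patch contains only `prometheus.*` components, and `secret__loki_chaos` is deleted from `ntfy.sops.yaml`. Unless journald forwarding for ntfy is meant to stop, the `loki.*` blocks belong in `alloy_config_additional` next to `prometheus.scrape "ntfy_metrics"`, the way `grafana.yaml` keeps its `loki.write` in this same series. If dropping the logs is deliberate, say so in the commit message, since it quietly reduces what is available for incident investigation on that host.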
--- a/resources/chaosknoten/grafana/docker_compose/prometheus.yml +++ b/resources/chaosknoten/grafana/docker_compose/prometheus.yml @@ -82,41 +82,6 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: pve-exporter:9221 - - job_name: hosts - static_configs: - # Wieske Chaosknoten VMs - - labels: - org: ccchh - site: wieske - type: virtual_machine - hypervisor: chaosknoten - targets: - - netbox-intern.hamburg.ccc.de:9100 - - matrix-intern.hamburg.ccc.de:9100 - - public-web-static-intern.hamburg.ccc.de:9100 - - git-intern.hamburg.ccc.de:9100 - - forgejo-actions-runner-intern.hamburg.ccc.de:9100 - - eh22-wiki-intern.hamburg.ccc.de:9100 - - mjolnir-intern.hamburg.ccc.de:9100 - - woodpecker-intern.hamburg.ccc.de:9100 - - penpot-intern.hamburg.ccc.de:9100 - - jitsi.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - ccchoir-intern.hamburg.ccc.de:9100 - - tickets-intern.hamburg.ccc.de:9100 - - keycloak-intern.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - pad-intern.hamburg.ccc.de:9100 - - wiki-intern.hamburg.ccc.de:9100 - - zammad-intern.hamburg.ccc.de:9100 - - pretalx-intern.hamburg.ccc.de:9100 - - labels: - org: ccchh - site: wieske - type: physical_machine - targets: - - chaosknoten.hamburg.ccc.de:9100 - storage: tsdb: diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index ef2fe07..195b99d 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -9,7 +9,6 @@ server { allow 2a00:14b0:4200:3380::/64; allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing # Z9 - allow 2a07:c480:0:100::/56; allow 2a07:c481:1::/48; # fuxnoc allow 2a07:c481:0:1::/64; diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml new file mode 100644 index 0000000..92bc960 --- /dev/null 
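Review bot: Dropping `allow 2a07:c480:0:100::/56;` while leaving the `# Z9` comment above it looks contradictory with the next patch in this series, which points z9's `prometheus.remote_write` at `https://metrics.hamburg.ccc.de/api/v1/write`. If this `allow` list applies to the `/api/v1/write` location (the enclosing `server {}` block starts and ends outside the hunk, so that is not visible here), the z9 hosts will be rejected with 403 as soon as they are deployed. Either keep the prefix, or remove the now-orphaned `# Z9` comment as well if z9 is meant to reach the endpoint over another route, and verify with one push from a z9 host after deploy.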
+++ b/roles/alloy/defaults/main.yaml @@ -0,0 +1,44 @@ +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "chaosknoten_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "wieske" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.hosts.hamburg.ccc.de" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.chaosknoten_common.receiver] + } + +alloy_config_additional: "" diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml index 2bc308a..5e3cd64 100644 --- a/roles/alloy/tasks/main.yaml +++ b/roles/alloy/tasks/main.yaml @@ -45,4 +45,6 @@ - name: Setup Alloy ansible.builtin.import_role: name: grafana.grafana.alloy + vars: + alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}" become: true diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml deleted file mode 100644 index 78bb770..0000000 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" - - "12" - - "13" diff --git a/roles/prometheus_node_exporter/tasks/main.yaml b/roles/prometheus_node_exporter/tasks/main.yaml deleted file mode 100644 index c138f18..0000000 --- a/roles/prometheus_node_exporter/tasks/main.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -- name: make sure the `prometheus-node-exporter` package is installed - ansible.builtin.apt: - name: prometheus-node-exporter - state: present - allow_change_held_packages: true - update_cache: true - become: true - -- name: make sure `prometheus-node-exporter.service` is started and ansibled - ansible.builtin.systemd: - name: prometheus-node-exporter.service - state: started - enabled: true - become: true From 5693989c384646d260ad8b37f85d45aa5d5827b8 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 20:58:14 +0100 Subject: [PATCH 080/101] add alloy to the z9 hosts and some cleanup --- .sops.yaml | 4 + inventories/chaosknoten/group_vars/all.yaml | 43 +++++ inventories/z9/group_vars/all.sops.yaml | 200 ++++++++++++++++++++ inventories/z9/group_vars/all.yaml | 43 +++++ inventories/z9/hosts.yaml | 6 + roles/alloy/defaults/main.yaml | 12 +- 6 files changed, 302 insertions(+), 6 deletions(-) create mode 100644 inventories/z9/group_vars/all.sops.yaml create mode 100644 inventories/z9/group_vars/all.yaml diff --git a/.sops.yaml b/.sops.yaml index bb83e39..0b9c245 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -51,6 +51,10 @@ creation_rules: *admin_gpg_keys age: *host_external_age_keys + - path_regex: inventories/z9/group_vars/all.* + key_groups: + - pgp: + *admin_gpg_keys ## host vars # chaosknoten hosts - path_regex: inventories/chaosknoten/host_vars/cloud.* diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index 60349e0..76147d8 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml 
@@ -14,3 +14,46 @@ msmtp__smtp_port: 465 msmtp__smtp_tls_method: smtps msmtp__smtp_user: any@hosts.hamburg.ccc.de msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de" + +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "chaosknoten_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "wieske" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.hosts.hamburg.ccc.de" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.chaosknoten_common.receiver] + } diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml new file mode 100644 index 0000000..7c25351 --- /dev/null +++ b/inventories/z9/group_vars/all.sops.yaml 
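Review bot: Placing the `chaos` remote_write credential in `group_vars/all` means every alloy host in this inventory shares one basic_auth identity for `https://metrics.hamburg.ccc.de/api/v1/write`, while `instance`, `org` and `site` are set client-side by `prometheus.relabel "chaosknoten_common"`. A compromised VM can therefore push metrics under any other host's `instance` label (masking an outage or planting misleading data), and the credential cannot be revoked for a single host without rotating it everywhere. If the receiving side can be made to support it, per-host or at least per-site write credentials would contain that; short of that, a comment next to `username = "chaos"` such as `# shared write credential for all chaosknoten hosts; rotate on any host compromise` records the trade-off for whoever operates this next.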
@@ -0,0 +1,200 @@ +metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str] +sops: + lastmodified: "2026-01-25T19:52:03Z" + mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str] + pgp: + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi + sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB + 2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C + ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI + Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk + UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD + VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr + 7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG + HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8 + XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu + p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S + XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE + N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc= + =1Rdp + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z + lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8 + 3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ + OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou + orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw + 
lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc + LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe + UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3 + RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE + LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g + vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S + XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S + gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU= + =ev2Q + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA + 6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA + womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ + +/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO + PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU + 5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U + 5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK + HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/ + xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ + MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3 + hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS + XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/ + tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA= + =a2qJ + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30 + RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW + 8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW + 
n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy + f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W + E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4 + bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6 + ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1 + Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ + sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ + Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS + XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI + SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s= + =rV/a + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw + IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC + 0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn + lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ + =dGU4 + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg + WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma + vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih + t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs + j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9 + avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT + zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj + ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ + IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO + u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM + 
dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S + XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++ + zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs= + =dywj + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20 + HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE + K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u + t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3 + 36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2 + hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd + JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2 + ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM + KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7 + 4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6 + SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS + XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN + mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc= + =lIEt + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa + FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a + tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+ + ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0 + kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk + qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd + BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq + fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j + 
7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax + 6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1 + Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS + XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b + Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k= + =az/q + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw + Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q + 0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx + JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV + =2Eki + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw + 5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo + 0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0 + WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW + =S45t + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x + DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd + j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG + TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO + AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA + nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt + UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH + FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6 + 7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf + 
O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx + vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS + XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7 + XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw= + =9ri7 + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/z9/group_vars/all.yaml b/inventories/z9/group_vars/all.yaml new file mode 100644 index 0000000..9a31251 --- /dev/null +++ b/inventories/z9/group_vars/all.yaml @@ -0,0 +1,43 @@ +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "z9_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "z9" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.z9.ccchh.net" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.z9_common.receiver] + } + diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 9f4a692..f88f106 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -49,5 +49,11 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: +alloy_hosts: + hosts: + authoritative-dns: + light: + yate: + dooris: ansible_pull_hosts: hosts: diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml index 92bc960..09c99ee 100644 --- a/roles/alloy/defaults/main.yaml +++ b/roles/alloy/defaults/main.yaml 
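Review bot: This `alloy_config_default` is a near-verbatim copy of the chaosknoten one and of the role default, differing only in the relabel component name, `site = "z9"` and the `${1}.z9.ccchh.net` instance suffix; three copies of the same block will drift the first time someone changes the endpoint or adds a collector in one place. Keeping a single template in the role and exposing the varying bits as variables (for example `alloy__org`, `alloy__site`, `alloy__instance_suffix`) so each inventory sets three scalars instead of 40 lines would remove the duplication. The trailing blank line after the closing `}` is also unnecessary in a block scalar.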
@@ -4,26 +4,26 @@ alloy_config_default: | url = "https://metrics.hamburg.ccc.de/api/v1/write" basic_auth { username = "chaos" - password = "{{ metrics__chaos_password }}" + password = "chaos_password" } } } - prometheus.relabel "chaosknoten_common" { + prometheus.relabel "common" { forward_to = [prometheus.remote_write.default.receiver] rule { target_label = "org" - replacement = "ccchh" + replacement = "noorg" } rule { target_label = "site" - replacement = "wieske" + replacement = "nosite" } rule { source_labels = ["instance"] target_label = "instance" regex = "([^:]+)" - replacement = "${1}.hosts.hamburg.ccc.de" + replacement = "${1}.hosts.test" action = "replace" } } @@ -38,7 +38,7 @@ alloy_config_default: | prometheus.scrape "scrape_metrics" { targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.chaosknoten_common.receiver] + forward_to = [prometheus.relabel.common.receiver] } alloy_config_additional: "" From 6a92aa68c1846d4c3713a2f81487894ba57fcfc1 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 22:36:30 +0100 Subject: [PATCH 081/101] light: fix tls cert expiring and not renewing --- inventories/z9/host_vars/light.yaml | 14 ++++++++++- inventories/z9/hosts.yaml | 1 + resources/z9/light/nginx/http_handler.conf | 10 +++----- resources/z9/light/nginx/light.conf | 29 ++++++++++++---------- 4 files changed, 34 insertions(+), 20 deletions(-) diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml index 0336d22..0c7e11d 100644 --- a/inventories/z9/host_vars/light.yaml +++ b/inventories/z9/host_vars/light.yaml 
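Review bot: The new default `password = "chaos_password"` is a literal placeholder, so any host in an `alloy_hosts` group whose inventory does not override `alloy_config_default` will ship that string to the remote_write endpoint and only fail at runtime, not at deploy time. A comment at the head of the value, `# Placeholder config; inventories are expected to override alloy_config_default (see inventories/z9/group_vars/all.yaml)`, would make the contract explicit, and an `ansible.builtin.assert` in the role tasks checking that the deployed value differs from this default would turn the omission into a deploy-time error. The same applies to the `noorg`, `nosite` and `.hosts.test` placeholders in the relabel rules of this hunk and to the receiver rename in the second hunk. The `alloy_config_default` block starts above the hunk.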
@@ -50,10 +50,22 @@ ola__configs: content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}" - name: ola-usbserial content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}" + nginx__version_spec: "" nginx__deploy_redirect_conf: false nginx__configurations: - name: light content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}" - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}" + content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "light-werkstatt.ccchh.net" + - "light.ccchh.net" + - "light.z9.ccchh.net" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + + diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index f88f106..319f817 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -20,6 +20,7 @@ all: certbot_hosts: hosts: dooris: + light: docker_compose_hosts: hosts: dooris: diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf index d9b336c..8572664 100644 --- a/resources/z9/light/nginx/http_handler.conf +++ b/resources/z9/light/nginx/http_handler.conf @@ -1,14 +1,12 @@ server { listen 80 default_server; listen [::]:80 default_server; - server_name _; - - location /.well-known/acme-challenge/ { - autoindex on; - root /webroot-for-acme-challenge; - } location / { return 301 https://$host$request_uri; } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } } diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf index 9f70cf8..6217e04 100644 --- a/resources/z9/light/nginx/light.conf +++ b/resources/z9/light/nginx/light.conf 
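Review bot: The `http_handler` entry now reads `resources/z9/dooris/nginx/http_handler.conf`, yet the same commit rewrites `resources/z9/light/nginx/http_handler.conf` (the hunk further along this line), which after this change is no longer referenced from light.yaml; either the lookup should stay on the light file or the edit to the light file is dead. If sharing dooris's handler is intended, say so on the lookup, `# intentionally shared with dooris (same ACME challenge proxy on 31820)`, so the unreferenced light copy can be removed. The two added blank lines at the end of the file are also stray.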
@@ -1,15 +1,16 @@ # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name light-werkstatt.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem; # replace with the IP address of your resolver resolver 10.31.208.1; @@ -25,15 +26,16 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; - server_name light.z9.ccchh.net ; + server_name light.z9.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem; location / { return 307 https://light.ccchh.net$request_uri; @@ -41,8 +43,9 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name light.ccchh.net; 
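Review bot: The first and second server blocks now load separate lineages, `/etc/letsencrypt/live/light-werkstatt.ccchh.net/` and `/etc/letsencrypt/live/light.z9.ccchh.net/`, but `certbot__certificate_domains` in light.yaml lists all three names in one list. Unless the certbot role issues one certificate per listed domain (not visible here), certbot will create a single lineage named after the first domain and nginx will refuse to start on the missing `light.z9.ccchh.net` and `light.ccchh.net` paths; confirm the role's behaviour, or point all three blocks at the one lineage that the list produces. `http2 on;` needs nginx 1.25.1 or newer, which fits `nginx__version_spec: ""` pulling the latest nginx.org package but is worth a line in the commit message for anyone pinning a version. The third server block continues past the end of the last hunk.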
From 2cd0811b2965a62c9b073ac03e66edc5e30cfd83 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 22:21:25 +0100 Subject: [PATCH 082/101] Fix warning --- roles/nginx/tasks/main/02_repo_setup.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml index eaaec30..b4720c1 100644 --- a/roles/nginx/tasks/main/02_repo_setup.yaml +++ b/roles/nginx/tasks/main/02_repo_setup.yaml @@ -15,13 +15,13 @@ - name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" state: present become: true - name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" state: present become: true From c33ae36af326b2649f74424ad32364b7d9e7ea9c Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 22:21:45 +0100 Subject: [PATCH 083/101] Enable IPv6 by default --- roles/docker/files/daemon.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json index 49d4108..d55e4cb 100644 --- a/roles/docker/files/daemon.json +++ b/roles/docker/files/daemon.json 
@@ -2,5 +2,13 @@
 "log-driver": "journald",
 "log-opts": {
 "tag": "{{.Name}}"
+ },
+ "ipv6": true,
+ "ip6tables": true,
+ "fixed-cidr-v6": "fd00:1::/64",
+ "default-network-opts": {
+ "bridge": {
+ "com.docker.network.enable_ipv6":"true"
+ }
 }
 }
From 0f3cd2c70ab2a937327280adec5194402247aa2b Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Sun, 25 Jan 2026 22:40:22 +0100
Subject: [PATCH 084/101] amcedns to enable Let's Encrypt DNS-01 challenges
---
 .sops.yaml | 7 +
 .../chaosknoten/host_vars/acmedns.sops.yaml | 214 ++++++++++++++++++
 .../chaosknoten/host_vars/acmedns.yaml | 23 ++
 inventories/chaosknoten/hosts.yaml | 10 +-
 .../acmedns/docker_compose/acmedns.cfg.j2 | 27 +++
 .../acmedns/docker_compose/compose.yaml.j2 | 22 ++
 .../acmedns/docker_compose/index.html.j2 | 63 ++++++
 .../docker_compose/oauth2-proxy.cfg.j2 | 13 ++
 .../acmedns/nginx/acmedns.hamburg.ccc.de.conf | 83 +++++++
 .../nginx/acme_challenge.conf | 1 +
 .../public-reverse-proxy/nginx/nginx.conf | 1 +
 11 files changed, 463 insertions(+), 1 deletion(-)
 create mode 100644 inventories/chaosknoten/host_vars/acmedns.sops.yaml
 create mode 100644 inventories/chaosknoten/host_vars/acmedns.yaml
 create mode 100644 resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
 create mode 100644 resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
 create mode 100644 resources/chaosknoten/acmedns/docker_compose/index.html.j2
 create mode 100644 resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
 create mode 100644 resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
diff --git a/.sops.yaml b/.sops.yaml
index 0b9c245..60da9eb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
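Review bot: `"ip6tables": true` hands IPv6 rule management to Docker, so a container port published on `[::]` (as the acmedns compose file later in this series does for 53) becomes reachable over IPv6 through Docker's own chains, independent of the host's input-chain rules, exactly as the IPv4 side already behaves; hosts that rely on host nftables for IPv6 filtering should be reviewed and restrictions placed in the DOCKER-USER chain. `"fixed-cidr-v6": "fd00:1::/64"` is the same ULA prefix on every host that receives this file, which presumably relies on Docker masquerading the ULA range when ip6tables is on; that is fine but, since daemon.json cannot carry a comment, it belongs in the docker role's README together with the exposure note above.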
@@ -34,6 +34,7 @@ keys: - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa + - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv external: age: &host_external_age_keys - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -57,6 +58,12 @@ creation_rules: *admin_gpg_keys ## host vars # chaosknoten hosts + - path_regex: inventories/chaosknoten/host_vars/acmedns.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_acmedns_ansible_pull_age_key - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml new file mode 100644 index 0000000..2e728ca --- /dev/null +++ b/inventories/chaosknoten/host_vars/acmedns.sops.yaml 
@@ -0,0 +1,214 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str] +secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str] +secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str] +sops: + age: + - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV + TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr + VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC + bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW + WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-25T16:16:15Z" + mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str] + pgp: + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K + rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf + Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy + m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr + rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2 + den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM + 
GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk + xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7 + /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03 + oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV + W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU + aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L + wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV + PPvkTEc7AdD6 + =GWYV + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU + DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG + HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X + qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z + XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV + gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp + 0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT + 0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS + A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv + SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS + iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS + XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD + 2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs= + =5SxJ + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL + S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID + eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH + CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG + 
7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C + rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4 + tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD + 9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0 + DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR + V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6 + BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS + XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX + A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY= + =H3mo + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo + QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG + SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY + yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP + lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c + o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv + VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy + QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N + oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/ + WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD + RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS + XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H + Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk= + =bY3Q + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw + 5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk + 
0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx + wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr + =C2Ii + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS + LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/ + efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/ + lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R + FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt + FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/ + hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf + LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa + LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC + XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ + FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS + XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG + M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0= + =/EHL + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID + cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i + 1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx + jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7 + glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD + yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k + sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw + Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV + TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ + 
3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8 + NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS + XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ + ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw= + =WwLj + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q + rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH + DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr + k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl + NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp + 1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA + QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc + fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW + TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo + ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4 + 1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS + XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c + gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4= + =Bk3g + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w + FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE + 0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/ + Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j + =xd/t + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw + 
/rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V + 0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH + zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb + =9oyC + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J + /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I + OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd + U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e + HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V + +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI + O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl + H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu + hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ + 96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R + XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU + aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2 + 30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq + 9iHTzz6Gpajo + =bBZ5 + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml new file mode 100644 index 0000000..364aa9a --- /dev/null +++ b/inventories/chaosknoten/host_vars/acmedns.yaml 
@@ -0,0 +1,23 @@
+---
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+ - name: acmedns.cfg
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
+ - name: oauth2-proxy.cfg
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
+ - name: html/index.html
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
+docker_compose__pull: missing
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ # - "spaceapi.ccc.de" # after DNS has been adjusted
+ - "acmedns.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: acmedns.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 5c114c9..395b154 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -78,11 +78,16 @@ all:
 ansible_host: spaceapiccc.hosts.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ acmedns:
+ ansible_host: acmedns.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
 hosts:
 chaosknoten:
 base_config_hosts:
 hosts:
+ acmedns:
 ccchoir:
 cloud:
 eh22-wiki:
@@ -110,7 +115,8 @@ nftables_hosts:
 hosts:
 router:
 docker_compose_hosts:
- hosts:
+ hosts:
+ acmedns:
 ccchoir:
 grafana:
 tickets:
@@ -128,6 +134,7 @@ nextcloud_hosts:
 cloud:
 nginx_hosts:
 hosts:
+ acmedns:
 ccchoir:
 eh22-wiki:
 grafana:
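Review bot: The commented-out `# - "spaceapi.ccc.de" # after DNS has been adjusted` under `certbot__certificate_domains` looks copied from the spaceapiccc host vars and has no meaning for this host; drop it or replace it with a note that applies here. A one-line comment above that key, `# HTTPS front end only; the DNS zone auth.acmedns.hamburg.ccc.de is configured in acmedns.cfg.j2`, would also save the next reader the lookup, since the two names differ on purpose.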
@@ -150,6 +157,7 @@ public_reverse_proxy_hosts:
 public-reverse-proxy:
 certbot_hosts:
 hosts:
+ acmedns:
 ccchoir:
 eh22-wiki:
 grafana:
diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
new file mode 100644
index 0000000..4f3b49c
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
@@ -0,0 +1,27 @@
+# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
+[general]
+protocol = "both"
+domain = "auth.acmedns.hamburg.ccc.de"
+nsname = "acmedns.hosts.hamburg.ccc.de"
+nsadmin = "noc.lists.hamburg.ccc.de"
+records = [
+ "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
+ "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
+]
+
+[database]
+engine = "sqlite3"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+port = "80"
+tls = "none"
+corsorigins = [
+ "*"
+]
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"
diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..8976852
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@@ -0,0 +1,22 @@
+---
+services:
+ oauth2-proxy:
+ container_name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+ command: --config /oauth2-proxy.cfg
+ hostname: oauth2-proxy
+ volumes:
+ - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
+ restart: unless-stopped
+ ports:
+ - 4180:4180
+
+ acmedns:
+ image: docker.io/joohoi/acme-dns:latest
+ ports:
+ - "[::]:53:53"
+ - "[::]:53:53/udp"
+ - 8080:80
+ volumes:
+ - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
+ - ./data/acmedns:/var/lib/acme-dns
\ No newline at end of file
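Review bot: `records` places a CNAME and an NS record on the same owner name `auth.acmedns.hamburg.ccc.de.`, and acme-dns will additionally answer SOA for that apex; a CNAME may not coexist with other record types at a name (RFC 1034 §3.6.2, RFC 2181 §10.1), so resolvers may handle the delegation inconsistently. If the CNAME is meant to make the name resolve for HTTP, it should be an address record instead, e.g. `"auth.acmedns.hamburg.ccc.de. A <acmedns-host-ip>"` (placeholder) as in the upstream example, or live on a different label. `loglevel = "debug"` is verbose for a long-running service; consider `"info"` once the deployment is settled.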
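Review bot: `8080:80` and `4180:4180` publish the acme-dns API and oauth2-proxy on every host address, while the nginx config in this commit only ever proxies to `127.0.0.1:8080` and `127.0.0.1:4180`; on the host port `/register` is reachable without the oauth2 gate that nginx enforces, so bind both to loopback, `- 127.0.0.1:8080:80` and `- 127.0.0.1:4180:4180`, leaving only 53 public for the delegation. `docker.io/joohoi/acme-dns:latest` is unpinned while oauth2-proxy is pinned to v7.14.2, and with `docker_compose__pull: missing` the tag is fetched once and never refreshed, so pin a release tag for reproducible deploys and document the update path. The file also lacks a trailing newline.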
diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 new file mode 100644 index 0000000..02216da --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 @@ -0,0 +1,63 @@ + + +ACME DNS Register + + + +

Register an Entry in ACME DNS

+ +

This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.

+

See the ACME DNS service entry in the wiki for further details.

+ +

+ + + + + + + + + + + + + + + + + + diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 new file mode 100644 index 0000000..f11eadf --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 @@ -0,0 +1,13 @@ +reverse_proxy = true +http_address="0.0.0.0:4180" +cookie_secret="{{ secret__oidc_cookie_secret }}" +email_domains="*" + +# dex provider +oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh" +provider="oidc" +provider_display_name="CCCHH ID" +client_id="acmedns" +client_secret="{{ secret__oidc_client_secret }}" +redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback" + diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf new file mode 100644 index 0000000..b360d40 --- /dev/null +++ b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf 
@@ -0,0 +1,83 @@ +# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 +server { + # Listen on a custom port for the proxy protocol. + listen [::]:8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + server_name acmedns.hamburg.ccc.de; + + root /ansible_docker_compose/configs/html/; + + ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. 
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly + port_in_redirect off; + + location /oauth2/ { + proxy_pass http://127.0.0.1:4180; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Auth-Request-Redirect $request_uri; + # or, if you are handling multiple domains: + # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; + } + + location = /oauth2/auth { + proxy_pass http://127.0.0.1:4180; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Uri $request_uri; + # nginx auth_request includes headers but not body + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + } + + location = / { + auth_request /oauth2/auth; + error_page 401 = @oauth2_signin; + + index index.html; + } + + location = /register { + auth_request /oauth2/auth; + error_page 401 = @oauth2_signin; + + proxy_pass http://127.0.0.1:8080/register; + } + + location = /update { # no auth by proxy required + proxy_pass http://127.0.0.1:8080/update; + } + + location @oauth2_signin { + return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri; + } +} diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 71ae729..feacfa7 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -82,6 +82,7 @@ map $host $upstream_acme_challenge_host { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; cpuccc.hamburg.ccc.de 172.31.17.151:31820; cpu.ccc.de 172.31.17.151:31820; + acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820; default ""; } 
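Review bot: Only the exact-match `location = /` carries `auth_request`, and `root` is set at server level, so any other path that no location matches — `/index.html` for instance — falls through to nginx's implicit default location and is served from `/ansible_docker_compose/configs/html/` without authentication. `/register` and `/update` are handled as intended, so this exposes the static page rather than the API, but it is presumably not meant. A catch-all prefix location closes it: `location / { auth_request /oauth2/auth; error_page 401 = @oauth2_signin; }` placed after the exact-match locations. The comment on `location = /update` could also say why no proxy auth is needed there, e.g. `# acme-dns authenticates update calls itself via X-Api-User/X-Api-Key`, so the exemption is not mistaken for an omission later.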
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index bdf7184..fc62a89 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -100,6 +100,7 @@ stream { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; cpuccc.hamburg.ccc.de 172.31.17.151:8443; cpu.ccc.de 172.31.17.151:8443; + acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443; } server { From 42b23eb1817995f2fa5edef34980382aace7a84d Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 23:55:48 +0100 Subject: [PATCH 085/101] get collections from repos directly instead of using Ansible Galaxy As Ansible Galaxy is currently down, switch to using the repos directly. This avoids reliancy on Ansible Galaxy in the future as well. --- requirements.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/requirements.yml b/requirements.yml index 6011bda..8f48358 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,11 +1,13 @@ collections: - # Install a collection from Ansible Galaxy. - - name: debops.debops - version: ">=3.1.0" - source: https://galaxy.ansible.com - - name: community.sops - version: ">=2.2.4" - source: https://galaxy.ansible.com - - name: community.docker - version: ">=5.0.0" - source: https://galaxy.ansible.com + # debops.debops + - source: https://github.com/debops/debops + type: git + version: "v3.2.5" + # community.sops + - source: https://github.com/ansible-collections/community.sops + type: git + version: "2.2.7" + # community.docker + - source: https://github.com/ansible-collections/community.docker + type: git + version: "5.0.5" From ca20721f04b46d49b423d61cecd0e88fc7090e78 Mon Sep 17 00:00:00 2001 
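Review bot: `version: "v3.2.5"`, `"2.2.7"` and `"5.0.5"` pin git tags, and tags can be moved or re-pushed, so the switch to `type: git` trades the sha256 check ansible-galaxy performs on Galaxy artifacts for a mutable reference. A commit hash is accepted in `version` for git sources and is immutable; `version: "<commit sha of v3.2.5>"` with the tag kept in the adjacent comment would preserve readability. The same applies to the grafana.grafana entry added in the following patch (`version: "6.0.6"`). The rationale in the commit message (Galaxy being down) is worth carrying into the file as a comment above `collections:` so the deviation from the usual source is understood later.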
From: June Date: Sun, 25 Jan 2026 23:55:57 +0100 Subject: [PATCH 086/101] add missing grafana.grafana collection dependency --- requirements.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/requirements.yml b/requirements.yml index 8f48358..dffe9d3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,3 +11,7 @@ collections: - source: https://github.com/ansible-collections/community.docker type: git version: "5.0.5" + # grafana.grafana + - source: https://github.com/grafana/grafana-ansible-collection + type: git + version: "6.0.6" From c8edde4d113d30f3a71ea383b525e55646766c6b Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Mon, 26 Jan 2026 00:20:27 +0100 Subject: [PATCH 087/101] Pretty up --- .../acmedns/docker_compose/index.html.j2 | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 index 02216da..1170cec 100644 --- a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 +++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 @@ -4,14 +4,21 @@ @@ -24,19 +31,23 @@ th { - + - + - + - + + +

Note: there is no way to delete registrations. Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.

+