Update docker.io/library/postgres Docker tag to v18

secrets(role): introduce secrets role for storing secrets
Allows storage of secrets to then be referenced in other places. The motivation was storing WireGuard secrets for systemd-networkd.
2026-05-23 20:45:53 +00:00 · 2026-05-23 22:40:17 +02:00
11 changed files with 100 additions and 3 deletions
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@ -1,7 +1,7 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 33
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.18
+nextcloud__postgres_version: 18.4
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -291,3 +291,5 @@ msmtp_hosts:
 renovate_hosts:
  hosts:
    renovate:
 secrets_hosts:
  hosts:
--- a/inventories/external/hosts.yaml
+++ b/inventories/external/hosts.yaml
@ -22,3 +22,5 @@ infrastructure_authorized_keys_hosts:
 ansible_pull_hosts:
  hosts:
    status:
 secrets_hosts:
  hosts:
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -57,3 +57,5 @@ ansible_pull_hosts:
    light:
    waybackproxy:
    yate:
 secrets_hosts:
  hosts:
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@ -6,6 +6,13 @@
  tags:
    - base_config
 - name: Ensure secrets deployment on secrets_hosts
  hosts: secrets_hosts
  roles:
    - secrets
  tags:
    - secrets
 - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
  hosts: systemd_networkd_hosts
  roles:
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
@ -62,7 +62,7 @@ services:
      - POSTGRES_DB=mailmandb
      - POSTGRES_USER=mailman
      - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
-    image: docker.io/library/postgres:12-alpine
+    image: docker.io/library/postgres:18-alpine
    volumes:
      - /opt/mailman/database:/var/lib/postgresql/data
    networks:
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@ -3,7 +3,7 @@
 services:
  database:
-    image: docker.io/library/postgres:15-alpine
+    image: docker.io/library/postgres:18-alpine
    environment:
      - "POSTGRES_USER=pretalx"
      - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
--- a/roles/secrets/README.md
+++ b/roles/secrets/README.md
@ -0,0 +1,24 @@
 # Role `secrets`
 Allows storing the given secret contents in the configured files.
 ## Supported Distributions
 Should work on Debian-based distributions.
 ## Required Arguments
 None.
 ## Optional Arguments
 - `secrets__secrets`: List of secrets.
  Defaults to the empty list (`[ ]`).
 - `secrets__secrets.*.name`: (File)name for the secret (in the `/etc/ansible_secrets` directory).
 - `secrets__secrets.*.content`: The secret content to store.
 - `secrets__secrets.*.owner`: The owner of the secret file.
  Defaults to `root`.
 - `secrets__secrets.*.group`: The group of the secret file.
  Defaults to `root`.
 - `secrets__secrets.*.mode`: The mode of the secret file.
  Defaults to `0640`.
--- a/roles/secrets/defaults/main.yaml
+++ b/roles/secrets/defaults/main.yaml
@ -0,0 +1 @@
 secrets__secrets: [ ]
--- a/roles/secrets/meta/argument_specs.yaml
+++ b/roles/secrets/meta/argument_specs.yaml
@ -0,0 +1,6 @@
 argument_specs:
  main:
    options:
      secrets__secrets:
        type: list
        required: false
--- a/roles/secrets/tasks/main.yaml
+++ b/roles/secrets/tasks/main.yaml
@ -0,0 +1,53 @@
 - name: validate secret configs
  ansible.builtin.validate_argument_spec:
    argument_spec: "{{ required_data }}"
    provided_arguments:
      config: "{{ item }}"
  loop: "{{ secrets__secrets }}"
  loop_control:
    label: "{{ item.name }}"
  vars:
    required_data:
      config:
        type: dict
        required: true
        options:
          name:
            type: str
            required: true
          content:
            type: str
            required: true
          owner:
            type: str
            required: false
            default: root
          group:
            type: str
            required: false
            default: root
          mode:
            type: str
            required: false
            default: "0640"
 - name: ensure secrets directory exists
  ansible.builtin.file:
    path: "/etc/ansible_secrets"
    state: directory
    owner: root
    group: root
    mode: "0750"
  become: true
 - name: ensure secrets are present
  ansible.builtin.copy:
    content: "{{ item.content }}"
    dest: "/etc/ansible_secrets/{{ item.name }}"
    mode: "{{ item.mode | default('0640') }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
  become: true
  loop: "{{ secrets__secrets }}"
  loop_control:
    label: "{{ item.name }}"
Author	SHA1	Message	Date
Renovate	4c0b3c9812	Update docker.io/library/postgres Docker tag to v18 Some checks failed / Ansible Lint (push) Successful in 2m37s Details / build (pull_request) Failing after 2m42s Details / Ansible Lint (pull_request) Successful in 2m22s Details	2026-05-23 20:45:53 +00:00
June	4574dbf4ba	secrets(role): introduce secrets role for storing secrets Some checks failed / Ansible Lint (push) Successful in 2m18s Details / build (push) Failing after 2m40s Details Allows storage of secrets to then be referenced in other places. The motivation was storing WireGuard secrets for systemd-networkd.	2026-05-23 22:40:17 +02:00