From 98972e39c4e7ce319aadef0e8758fb35bcbef138 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 22 Feb 2025 22:56:40 +0100 Subject: [PATCH 01/10] keycloak(host): update to 26.1 & postgres to 15.12 --- resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 9509654..231f581 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.0 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.1 pull_policy: always restart: unless-stopped command: start --optimized @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: postgres:15.2 + image: postgres:15.12 restart: unless-stopped networks: - keycloak From 614eebadba380604be4908c8de9c69af35dec466 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 23 Feb 2025 18:49:19 +0100 Subject: [PATCH 02/10] WIP router(host): initial config --- inventories/chaosknoten/hosts.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index cae283d..c164b0b 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -55,6 +55,9 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos + router: + ansible_host: router.hamburg.ccc.de + ansible_user: chaos wiki: ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos @@ -81,6 +84,7 @@ base_config_hosts: pad: pretalx: public-reverse-proxy: + router: tickets: wiki: zammad: @@ -161,6 +165,7 @@ infrastructure_authorized_keys_hosts: pad: pretalx: public-reverse-proxy: + router: wiki: zammad: wiki_hosts: 
From ca16e3d55fe86ba054d8f114c8d4858ebf3a793a Mon Sep 17 00:00:00 2001 From: June Date: Sun, 23 Feb 2025 22:41:06 +0100 Subject: [PATCH 03/10] dep._hypervisor(playb.): introduce play for setting up vm template gen. --- .../chaosknoten/host_vars/chaosknoten.yaml | 6 +++ inventories/chaosknoten/hosts.yaml | 3 ++ playbooks/deploy_hypervisor.yaml | 54 +++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/chaosknoten.yaml create mode 100644 playbooks/deploy_hypervisor.yaml diff --git a/inventories/chaosknoten/host_vars/chaosknoten.yaml b/inventories/chaosknoten/host_vars/chaosknoten.yaml new file mode 100644 index 0000000..1c8fa93 --- /dev/null +++ b/inventories/chaosknoten/host_vars/chaosknoten.yaml @@ -0,0 +1,6 @@ +# Used in deploy_hypervisor playbook. +hypervisor__template_vm_config: + - name: STORAGE + value: nvme0 + - name: BRIDGE + value: vmbr4 diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index cae283d..1f5b31b 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -171,3 +171,6 @@ netbox_hosts: hosts: eh22-netbox: netbox: +proxmox_vm_template_hosts: + hosts: + chaosknoten: diff --git a/playbooks/deploy_hypervisor.yaml b/playbooks/deploy_hypervisor.yaml new file mode 100644 index 0000000..0739d35 --- /dev/null +++ b/playbooks/deploy_hypervisor.yaml 
@@ -0,0 +1,54 @@ +- name: Ensure the VM template generation is set up + hosts: proxmox_vm_template_hosts + tasks: + - name: Ensure /usr/local/{lib,sbin} exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + become: true + loop: + - "/usr/local/lib/" + - "/usr/local/sbin/" + + - name: Ensure the pve-template-vm repo is present + ansible.builtin.git: + repo: https://git.hamburg.ccc.de/CCCHH/pve-template-vm.git + dest: /usr/local/lib/pve-template-vm + version: main + force: true + depth: 1 + single_branch: true + track_submodules: true + become: true + + # /usr/local/sbin as the script uses qm, which is also found in /usr/sbin. + - name: Ensure symlink to build-proxmox-template exists in /usr/local/sbin + ansible.builtin.file: + src: /usr/local/lib/pve-template-vm/build-proxmox-template + dest: /usr/local/sbin/build-proxmox-template + state: link + owner: root + group: root + mode: '0755' + become: true + + # This sets up a cron job running /usr/local/sbin/build-proxmox-template using the env vars defined in hypervisor__template_vm_config. + - name: Ensure cron job is present for building a fresh VM template every week on Friday 04:00 + ansible.builtin.cron: + name: "ansible build proxmox template" + cron_file: ansible_build_proxmox_template + minute: 0 + hour: 4 + weekday: 5 + user: root + job: "{% if hypervisor__template_vm_config is defined and hypervisor__template_vm_config | length > 0 %}\ + /usr/bin/env \ + {% for item in hypervisor__template_vm_config | default([]) %}\ + {{ item.name }}=\"{{ item.value }}\" \ + {% endfor %}\ + {% endif %}\ + /usr/local/sbin/build-proxmox-template" + become: true From fd13e5341b6285480b956ec784b61dd5bf2715e8 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 23 Feb 2025 23:23:51 +0100 Subject: [PATCH 04/10] add thinkcccore0 to inventory and enable VM template gen. setup on it --- inventories/z9/hosts.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) 
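Review bot: The git task checks out `version: main` with `force: true`, so every Ansible run moves the script that the root cron job later executes to whatever the branch tip holds, and any local change on the hypervisor is discarded without notice; pinning `version: "<PINNED_TAG_OR_COMMIT>"` (placeholder for a reviewed tag or commit) makes the root-executed code change only when the pin is deliberately bumped. The cron `job` splices each `item.value` into a shell command inside `\"…\"`, so a value containing `"`, `$` or backticks would be interpreted by the shell; writing `{{ item.name }}={{ item.value | quote }} \` hands each value to the shell as one quoted word. The two `mode` values are quoted inconsistently (`"0755"` on the directory task, `'0755'` on the symlink task), and on the symlink task `owner`/`group`/`mode` presumably apply to the link target rather than the link under the module's default `follow`, which is worth a short comment if intended. The play is new in full, so nothing is cut off by the hunk.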
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 0dde922..74428f3 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -6,6 +6,12 @@ all: authoritative-dns: ansible_host: authoritative-dns.z9.ccchh.net ansible_user: chaos + thinkcccore0: + ansible_host: thinkcccore0.z9.ccchh.net + ansible_user: june +hypervisors: + hosts: + thinkcccore0: nginx_hosts: hosts: light: @@ -19,3 +25,6 @@ infrastructure_authorized_keys_hosts: hosts: light: authoritative-dns: +proxmox_vm_template_hosts: + hosts: + thinkcccore0: From 41ba73d7c36cf791e372cc212c8587db3bcdd607 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 23 Feb 2025 23:26:36 +0100 Subject: [PATCH 05/10] dep._hyperv.(playb.): add deps step to vm template generation setup play --- playbooks/deploy_hypervisor.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/playbooks/deploy_hypervisor.yaml b/playbooks/deploy_hypervisor.yaml index 0739d35..4d3200f 100644 --- a/playbooks/deploy_hypervisor.yaml +++ b/playbooks/deploy_hypervisor.yaml @@ -1,6 +1,13 @@ - name: Ensure the VM template generation is set up hosts: proxmox_vm_template_hosts tasks: + - name: Ensure dependencies are present + ansible.builtin.apt: + name: + - git + - libguestfs-tools + become: true + - name: Ensure /usr/local/{lib,sbin} exist ansible.builtin.file: path: "{{ item }}" From 6b80f5b52a23cca4fa24ebf20d054b30a7427a36 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 23 Feb 2025 23:51:58 +0100 Subject: [PATCH 06/10] fix accidentally added personalized ansible_user by removing it --- inventories/z9/hosts.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 74428f3..13e2cc9 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -8,7 +8,6 @@ all: ansible_user: chaos thinkcccore0: ansible_host: thinkcccore0.z9.ccchh.net - ansible_user: june hypervisors: hosts: thinkcccore0: 
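Review bot: The new apt task in `@@ -1,6 +1,13 @@` of playbooks/deploy_hypervisor.yaml installs `git` and `libguestfs-tools` without refreshing the package index, so on a freshly provisioned host or one with a stale cache the install can fail or select an outdated candidate; adding `update_cache: true` and `cache_valid_time: 3600` next to `name:` avoids that while keeping repeat runs cheap. `state` is left at its default of present, which is fine but could be made explicit for readers. The directory task that ends the hunk continues outside it.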
From 77e1d3bc3e4f8d35517ee476dfb8c4b075bda61f Mon Sep 17 00:00:00 2001 From: c6ristian Date: Wed, 26 Feb 2025 23:47:20 +0100 Subject: [PATCH 07/10] keycloak: allow access form new IPv6 subnet at z9 --- .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index 372715d..2b0d919 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -43,6 +43,7 @@ server { allow 185.161.129.132/32; # z9 allow 2a07:c480:0:100::/56; # z9 + allow 2a07:c481:1::/48; # z9 new ipv6 allow 213.240.180.39/32; # stbe home allow 2a01:170:118b::1/64; # stbe home deny all; From 811b5832da0b2fc3fd70786c6776a100b321ef22 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Wed, 16 Apr 2025 16:27:02 +0200 Subject: [PATCH 08/10] Incread file upload limit to 1G (from 10MB) --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index b210098..20dbd9c 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -53,6 +53,7 @@ services: restart: unless-stopped environment: PRETALX_DATA_DIR: /data + PRETALX_FILE_UPLOAD_LIMIT: 1000 # MB PRETALX_FILESYSTEM_MEDIA: /public/media PRETALX_FILESYSTEM_STATIC: /public/static PRETALX_SITE_URL: https://pretalx.hamburg.ccc.de From 9c57fca87635e69b918098ec825c85ad6d8b5ccf Mon Sep 17 00:00:00 2001 
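Review bot: The added `allow 2a07:c481:1::/48;` admits an entire /48 to the Keycloak admin vhost, noticeably wider than the neighbouring z9 entry `allow 2a07:c480:0:100::/56;` and the /32 host allows around it; if only part of the new prefix belongs to z9, narrowing it to that range keeps the admin console's allow list as tight as the rest. The trailing comment could also record the origin of the range, e.g. `# z9 new ipv6, <ALLOCATION_REFERENCE placeholder>`, so the next reviewer can check it. The server block continues outside the hunk on both sides.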
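Review bot: `PRETALX_FILE_UPLOAD_LIMIT: 1000 # MB` carries its unit only in a comment that is dropped at parse time, while the commit title speaks of 1G; the intent is clearer as `PRETALX_FILE_UPLOAD_LIMIT: "1000"  # MB, raised from 10 MB`, which also passes the value to the container as a string rather than relying on the compose tool's int-to-string conversion. Raising the application limit to roughly 1 GB only takes effect if whatever terminates the HTTP request in front of pretalx (presumably an nginx with a `client_max_body_size`) accepts bodies of that size; that setting is not part of this commit and is worth checking. The environment mapping continues outside the hunk.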
From: Stefan Bethke Date: Wed, 16 Apr 2025 16:27:21 +0200 Subject: [PATCH 09/10] Also supply a dmoain for user content --- .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 1 + resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 4e0e8e3..e2b89d9 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -71,6 +71,7 @@ map $host $upstream_acme_challenge_host { hydra.hamburg.ccc.de 172.31.17.163:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820; hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820; + hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820; netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 4a7f84c..6560b75 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -89,6 +89,7 @@ stream { hydra.hamburg.ccc.de 172.31.17.163:8443; cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443; + hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443; netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:8443; } From 3548c1f4d6763b2a2f53201603a9d1917a7951a8 Mon Sep 17 00:00:00 2001 
From: June Date: Fri, 25 Apr 2025 02:01:29 +0200 Subject: [PATCH 10/10] restart ssh service instead of rebooting as this should be fine Active connections should survive a restart of the service and testing also didn't show any issues. --- inventories/chaosknoten/hosts.yaml | 3 +++ roles/deploy_ssh_server_config/handlers/main.yaml | 6 ++++-- roles/deploy_ssh_server_config/tasks/main.yaml | 6 ++---- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1f5b31b..92185ed 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -174,3 +174,6 @@ netbox_hosts: proxmox_vm_template_hosts: hosts: chaosknoten: +ansible_pull_hosts: + hosts: + netbox: diff --git a/roles/deploy_ssh_server_config/handlers/main.yaml b/roles/deploy_ssh_server_config/handlers/main.yaml index 001bbe4..721a348 100644 --- a/roles/deploy_ssh_server_config/handlers/main.yaml +++ b/roles/deploy_ssh_server_config/handlers/main.yaml @@ -1,3 +1,5 @@ -- name: reboot the system +- name: restart the ssh service + ansible.builtin.systemd: + name: ssh.service + state: restarted become: true - ansible.builtin.reboot: diff --git a/roles/deploy_ssh_server_config/tasks/main.yaml b/roles/deploy_ssh_server_config/tasks/main.yaml index f5d00f5..4350790 100644 --- a/roles/deploy_ssh_server_config/tasks/main.yaml +++ b/roles/deploy_ssh_server_config/tasks/main.yaml @@ -12,8 +12,7 @@ group: root src: sshd_config.j2 notify: - # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection. - - reboot the system + - restart the ssh service - name: deactivate short moduli ansible.builtin.shell: 
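Review bot: With the handler now restarting sshd in place instead of rebooting, a template that renders an invalid sshd_config is written and then restarted into a daemon that fails to start, locking operators out until console access is available; the template task that notifies `restart the ssh service` (its head lies above hunk `@@ -12,8 +12,7 @@` of roles/deploy_ssh_server_config/tasks/main.yaml) should carry `validate: /usr/sbin/sshd -t -f %s` so a broken config is rejected before the handler fires. The handler in roles/deploy_ssh_server_config/handlers/main.yaml looks correct as written; `state: reloaded` would be the less disruptive choice if the unit defines a reload action, but a restart is acceptable given the reasoning in the commit message.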
@@ -32,5 +31,4 @@ changed_when: - '"ansible-changed" in result.stdout' notify: - # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection. - - reboot the system + - restart the ssh service