From 57d2a94990459ff045820d436f6aabfb87fb0084 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Wed, 10 Jun 2026 16:17:18 +0200
Subject: [PATCH 1/3] dns: fix syntax error in diday.org zone

---
 resources/chaosknoten/auth-dns/zones/diday.org.zone | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/resources/chaosknoten/auth-dns/zones/diday.org.zone b/resources/chaosknoten/auth-dns/zones/diday.org.zone
index 2aeefcf..bf93208 100644
--- a/resources/chaosknoten/auth-dns/zones/diday.org.zone
+++ b/resources/chaosknoten/auth-dns/zones/diday.org.zone
@@ -1,4 +1,4 @@
-$TTL 3600  ; 1 minutes
+$TTL 3600
 @ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
     1          ; serial (overwritten by knot automatically)
     10800      ; refresh
@@ -27,8 +27,7 @@ diday.org.                    TXT     "google-site-verification=pJq0LANnNJlkIflK
 diday.org.                    MX      10 cow.hamburg.ccc.de.
 diday.org.                    TXT     "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all"
 _dmarc.diday.org.             TXT     "v=DMARC1; p=none"
-dkim._domainkey.diday.org.    TXT     "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBjR5oNm7eDeMXmQF6Izx1A17+vBHNapHlV2Rlj3N4Cjo9kSn0y8rlrqkASUKszDgToGrh1vkHhtYN6EE5QS5iVVSnXcWPiHnBzrxK4OmhVZZtrgGsM17pq9udAEEapc371dQQsL3WhXOvilGGSIQ9u5VDlc+y/ApXi79J6DHSf66t0JUU1e8vLn8ZI8hcXe3nsHXqbW4ot24rk8EvaugsK40jbhqxZ+BrJTBq/iP8w5RsF6KdYjTaqPfr/D4dbvUU6fc8jLyy3OWZgSkkOmv7m0UdbOm2Kk6c+1hNjQJZVEhQrpGrpAcjE37/v8ZNbQMgaasiugH6ElnKb13ZQIDAQAB
-"
+dkim._domainkey.diday.org.    TXT     "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBjR5oNm7eDeMXmQF6Izx1A17+vBHNapHlV2Rlj3N4Cjo9kSn0y8rlrqkASUKszDgToGrh1vkHhtYN6EE5QS5iVVSnXcWPiHnBzrxK4OmhVZZtrgGsM17pq9udAEEapc371dQQsL3WhXOvilGGSIQ9u5VDlc+y/ApXi79J6DHSf66t0JUU1e8vLn8ZI8hcXe3nsHXqbW4ot24rk8EvaugsK40jbhqxZ+BrJTBq/iP8w5RsF6KdYjTaqPfr/D4dbvUU6fc8jLyy3OWZgSkkOmv7m0UdbOm2Kk6c+1hNjQJZVEhQrpGrpAcjE37/v8ZNbQMgaasiugH6ElnKb13ZQIDAQAB"
 
 events.diday.org.     A       91.98.167.209
 events.diday.org.     AAAA    2a01:4f8:c2c:44b::1

From 5973de0959242cc5832c361616c5848d002aa6f8 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Wed, 10 Jun 2026 16:17:18 +0200
Subject: [PATCH 2/3] dns: validate zone files before apply in knot role

---
 roles/knot/tasks/02-configure.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
index a2a8e55..e79143f 100644
--- a/roles/knot/tasks/02-configure.yaml
+++ b/roles/knot/tasks/02-configure.yaml
@@ -33,6 +33,7 @@
     owner: knot
     group: knot
     mode: u=rw,g=r
+    validate: "kzonecheck -v -o '{{ item.domain }}' %s"
 
 # this seems weird but hear me out:
 # if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements

From b47145454617ba3881bf87cce932e92b09961f0e Mon Sep 17 00:00:00 2001
From: Renovate <no-reply@git.hamburg.ccc.de>
Date: Wed, 10 Jun 2026 14:31:28 +0000
Subject: [PATCH 3/3] Update docker.io/library/postgres Docker tag to v18

---
 inventories/chaosknoten/host_vars/cloud.yaml                 | 2 +-
 resources/chaosknoten/lists/docker_compose/compose.yaml.j2   | 2 +-
 resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 19aca7b..7d0ee89 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 33
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.18
+nextcloud__postgres_version: 18.4
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2 b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
index db605b5..58d1ed5 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
@@ -62,7 +62,7 @@ services:
       - POSTGRES_DB=mailmandb
       - POSTGRES_USER=mailman
       - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
-    image: docker.io/library/postgres:12-alpine
+    image: docker.io/library/postgres:18-alpine
     volumes:
       - /opt/mailman/database:/var/lib/postgresql/data
     networks:
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..091bd44 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine
+    image: docker.io/library/postgres:18-alpine
     environment:
       - "POSTGRES_USER=pretalx"
       - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"