From 78a6be6f5d6fdf0d992a50f766ab4d605a8aa70f Mon Sep 17 00:00:00 2001 From: June Date: Wed, 22 Oct 2025 00:47:05 +0200 Subject: [PATCH 01/32] renovate: disable semantic commits --- renovate.json | 1 + 1 file changed, 1 insertion(+) diff --git a/renovate.json b/renovate.json index 1766469..9e6fe64 100644 --- a/renovate.json +++ b/renovate.json @@ -5,6 +5,7 @@ "config:best-practices", ":ignoreUnstable" ], + "semanticCommits": "disabled", "packageRules": [ // Create a package rule for grouping all stable non-major dependency updates together. // A combination of/inspired by: From d0d517d97dd32aa1644006bdaab101808de3257f Mon Sep 17 00:00:00 2001 From: June Date: Wed, 22 Oct 2025 16:42:02 +0200 Subject: [PATCH 02/32] renovate: add custom package rule for pretix calendar versioning Add custom package rule accounting for pretix calendar versioning to not have Renovate classify month updates as minor version updates, but major version updates instead. --- renovate.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate.json b/renovate.json index 9e6fe64..9cd0c82 100644 --- a/renovate.json +++ b/renovate.json @@ -19,6 +19,11 @@ "minor", "patch" ] + }, + { + "matchDatasources": ["docker"], + "matchPackageNames": ["docker.io/pretix/standalone"], + "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], "docker-compose": { From 8f612d1d9c80d88c957802b1417209e7410f9f51 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 22 Oct 2025 19:42:20 +0200 Subject: [PATCH 03/32] renovate: add persistent volume for base (and therefore cache) dir --- roles/renovate/files/renovate.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/renovate/files/renovate.service b/roles/renovate/files/renovate.service index ca9f7ed..6cb8f16 100644 --- a/roles/renovate/files/renovate.service +++ b/roles/renovate/files/renovate.service 
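Review bot: The regex versioning added for `docker.io/pretix/standalone` makes the patch component mandatory — the trailing group `(?:\.(?<patch>\d+))$` carries no `?` — while the only pretix reference in this series, `docker.io/pretix/standalone:2024.8` in the tickets compose file, has just two components, so that tag would not parse under the scheme and Renovate would likely skip the dependency as an invalid version instead of treating month bumps as major (the group names also appear to be missing here, which may be an extraction artefact). Making the patch group optional covers both shapes: `"versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<patch>\\d+))?$"`. Worth confirming against a Renovate dry run before relying on it.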
@@ -7,4 +7,6 @@ Wants=network-online.target Type=oneshot ExecStart=/usr/bin/docker run --rm \ -v "/etc/renovate/config.js:/usr/src/app/config.js" \ + --mount "type=volume,src=renovate,dst=/tmp/renovate" \ + --env "RENOVATE_BASE_DIR=/tmp/renovate" \ renovate/renovate From a60946b3b8b84641a1192862e65be4c0f6790ad4 Mon Sep 17 00:00:00 2001 From: Renovate Date: Wed, 22 Oct 2025 21:50:08 +0000 Subject: [PATCH 04/32] Update https://github.com/ansible/ansible-lint action to v25 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 1002532..3b09d8b 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v24.10.0 + uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2 with: setup_python: "false" requirements_file: "requirements.yml" From 2f8897751b646fc26c44ddf32a06f8bbc1500629 Mon Sep 17 00:00:00 2001 From: Renovate Date: Thu, 23 Oct 2025 12:15:38 +0000 Subject: [PATCH 05/32] Pin dependencies --- .forgejo/workflows/lint.yaml | 2 +- .../ccchoir/docker_compose/compose.yaml.j2 | 4 ++-- .../grafana/docker_compose/compose.yaml.j2 | 18 +++++++++--------- .../keycloak/docker_compose/compose.yaml.j2 | 10 +++++----- .../lists/docker_compose/compose.yaml | 6 +++--- .../ntfy/docker_compose/compose.yaml.j2 | 2 +- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../pad/docker_compose/compose.yaml.j2 | 6 +++--- .../pretalx/docker_compose/compose.yaml.j2 | 10 +++++----- .../tickets/docker_compose/compose.yaml.j2 | 6 +++--- .../z9/dooris/docker_compose/compose.yaml.j2 | 2 +- .../docker_compose/compose.yaml.j2 | 2 +- .../z9/yate/docker_compose/compose.yaml.j2 | 2 +- 13 files changed, 36 insertions(+), 36 deletions(-) 
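Review bot: The `ExecStart` in this unit still runs `renovate/renovate` with no tag or digest, so every run pulls whatever the registry currently serves, and this is the one container that holds the forge credentials from `config.js` and, after this change, a persistent clone/cache volume — the highest-value image on the host to pin. Pin it the way PATCH 05 pins the compose images, e.g. `renovate/renovate:<version>@sha256:<digest>`, and let a Renovate custom manager over this unit file keep it current. Also, I believe recent renovate images run as a non-root user; a freshly created named volume is root-owned, so `RENOVATE_BASE_DIR=/tmp/renovate` may not be writable on the first run — confirm that run succeeds or pre-create the volume with matching ownership.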
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 3b09d8b..a0fd1d8 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Install pip run: | apt update diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 index c2108d8..4c9d491 100644 --- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/mariadb:11 + image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71 environment: - "MARIADB_DATABASE=wordpress" - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}" @@ -17,7 +17,7 @@ services: restart: unless-stopped app: - image: docker.io/library/wordpress:6-php8.1 + image: docker.io/library/wordpress:6-php8.1@sha256:d93a391bc1ba9d2db3e53c8c8421a88d6beadb7b654235ba83ccf9ea93ecdcd5 environment: - "WORDPRESS_DB_HOST=database" - "WORDPRESS_DB_NAME=wordpress" diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 228382b..436669a 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.1 + image: docker.io/prom/prometheus:v3.7.1@sha256:ff7e389acbe064a4823212a500393d40a28a8f362e4b05cbf6742a9a3ef736b2 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' 
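Review bot: Pinning `docker.io/library/wordpress:6-php8.1` by digest in the ccchoir compose file freezes the PHP series as well as the WordPress one: Renovate will keep refreshing the digest but never move off `php8.1`, and as far as I recall PHP 8.1 leaves security support at the end of 2025, so digest updates will stop carrying PHP fixes shortly after this lands. Consider tracking a currently supported series the WordPress image publishes (e.g. `6-php8.3`) or adding a package rule that surfaces the tag itself for periodic review.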
@@ -18,7 +18,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1 + image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -31,7 +31,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1 + image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b container_name: grafana ports: - 3000:3000 @@ -45,7 +45,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5 + image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df container_name: pve-exporter ports: - 9221:9221 @@ -58,7 +58,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7 + image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8 container_name: loki ports: - 13100:3100 @@ -69,7 +69,7 @@ services: - loki_data:/var/loki ntfy-alertmanager-ccchh-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0 + image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b container_name: ntfy-alertmanager-ccchh-critical volumes: - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config @@ -78,7 +78,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0 + image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b container_name: ntfy-alertmanager-fux-critical volumes: - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config 
@@ -87,7 +87,7 @@ services: restart: unless-stopped ntfy-alertmanager-ccchh: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0 + image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b container_name: ntfy-alertmanager-ccchh volumes: - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config @@ -96,7 +96,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0 + image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b container_name: ntfy-alertmanager-fux volumes: - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 9fde708..398d814 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4@sha256:65d65fa0e858a608fd3e7d16ecfd7a5ced2fba4ab22a8fd3b86f3742ecec0a83 pull_policy: always restart: unless-stopped command: start --optimized @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14 + image: docker.io/library/postgres:15.14@sha256:9541969afa16d1ac724e16d1cf3c26ddd0c5bae5dd1c230118a7f5b9c14cde1f restart: unless-stopped networks: - keycloak @@ -58,7 +58,7 @@ services: POSTGRES_DB: keycloak id-invite-web: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a command: web restart: unless-stopped networks: 
@@ -84,7 +84,7 @@ services: - "BOTTLE_HOST=0.0.0.0" id-invite-email: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a command: email restart: unless-stopped networks: @@ -99,7 +99,7 @@ services: - "SMTP_PASSWORD={{ secret__id_no_reply_smtp }}" id-invite-keycloak: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a command: keycloak restart: unless-stopped networks: diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index cdfd70a..8537ead 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -1,7 +1,7 @@ services: mailman-core: restart: unless-stopped - image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published) container_name: mailman-core hostname: mailman-core volumes: @@ -25,7 +25,7 @@ services: mailman-web: restart: unless-stopped - image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published) container_name: mailman-web hostname: mailman-web depends_on: 
@@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine + image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 9fe2a7a..07e8d9e 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0 + image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef container_name: ntfy command: - serve diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index f3444ac..5c9a42a 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0 + image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 455caa3..014b8af 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 
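Review bot: The context around the new `postgres:12-alpine@sha256:…` line in the lists compose file shows `POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz` committed in clear text in a non-templated `compose.yaml`, unlike the other hosts in this series which render `{{ secret__… }}` values; the digest pin does not change that, but this is a good moment to rename the file to `compose.yaml.j2`, take the password from a secret variable, and rotate it since it is already in history. Separately, PostgreSQL 12 has been end-of-life since November 2024, so pinning its digest locks in a release that receives no further fixes; check which major the `mailman-core`/`mailman-web` 0.5 images support and plan the upgrade alongside a dump/restore.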
@@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3 + image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" @@ -46,7 +46,7 @@ services: - database hedgedoc-expire: - image: git.hamburg.ccc.de/ccchh/hedgedoc-expire/hedgedoc-expire:latest + image: git.hamburg.ccc.de/ccchh/hedgedoc-expire/hedgedoc-expire:latest@sha256:9be261712a8ee57ff89068c3926a8c5d7c96ff80aa629f98eec239786c6158b1 # command: "emailcheck" command: "cron" environment: diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 7b733cb..66f6172 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2 + image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd restart: unless-stopped volumes: - redis:/data 
@@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.2 + image: docker.io/library/nginx:1.29.2@sha256:029d4461bd98f124e531380505ceea2072418fdf28752aa73b7b273ba3048903 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 6509a99..057da55 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6 + image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514 ports: - "6379:6379" volumes: @@ -25,7 +25,7 @@ services: backend: pretix: - image: docker.io/pretix/standalone:2024.8 + image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe command: ["all"] ports: - "8345:80" 
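Review bot: Next to the new `redis:7.4.6@sha256:…` line, the tickets compose file publishes `"6379:6379"` on the host, and nothing in the hunk configures `requirepass` or restricts the bind address; unless a host firewall covers it, that exposes an unauthenticated Redis — which pretix uses for sessions and its task queue — to the network. If only pretix on the same compose network needs it, drop the `ports:` entry; if a host-side client genuinely needs it, bind to loopback with `- "127.0.0.1:6379:6379"`. The pretalx `redis` service in the hunks above has no `ports:` block and is the pattern to follow.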
diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2 index 38db85a..b722aa7 100644 --- a/resources/z9/dooris/docker_compose/compose.yaml.j2 +++ b/resources/z9/dooris/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: dooris: - image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest + image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest@sha256:a895989b0955936cbe0641de0309bcb343a9da9c2c8d6184d906a66bf1151303 environment: HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27" HMDOORIS_CCUJACK_CERTIFICATE_PATH: false diff --git a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 index b6752fa..52d57df 100644 --- a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 +++ b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ services: # https://github.com/richardg867/WaybackProxy waybackproxy: - image: cttynul/waybackproxy:latest + image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e environment: DATE: 19990101 DATE_TOLERANCE: 730 diff --git a/resources/z9/yate/docker_compose/compose.yaml.j2 b/resources/z9/yate/docker_compose/compose.yaml.j2 index e3d6614..c39afa4 100644 --- a/resources/z9/yate/docker_compose/compose.yaml.j2 +++ b/resources/z9/yate/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: yate: - image: git.hamburg.ccc.de/ccchh/yate-image/yate-image:latest + image: git.hamburg.ccc.de/ccchh/yate-image/yate-image:latest@sha256:66f77d63dc52c9aeb09481e48b9d62f5f95439f86eab3766fce94daea7b2e26a # command: # - sh # - "-c" From a13d23c7eafd03bb2f2d7b4d87243f4fab583fad Mon Sep 17 00:00:00 2001 From: Renovate Date: Thu, 23 Oct 2025 13:45:41 +0000 Subject: [PATCH 06/32] Update actions/checkout action to v5 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index a0fd1d8..a867c13 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install pip run: | apt update From b2961c5664aeecef4d90ed5b6c2f4fb2602d41ec Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 18:59:58 +0200 Subject: [PATCH 07/32] renovate: disable rate-limiting --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 9cd0c82..2975de6 100644 --- a/renovate.json +++ b/renovate.json @@ -3,7 +3,8 @@ "extends": [ "config:recommended", // Included in config:best-practices anyway, but added for clarity. "config:best-practices", - ":ignoreUnstable" + ":ignoreUnstable", + ":disableRateLimiting" ], "semanticCommits": "disabled", "packageRules": [ From 658a50d19bdce7d8c66e06d95c98b8ee40542fc0 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 19:18:04 +0200 Subject: [PATCH 08/32] renovate: use rebase stale PRs preset to rebase once base branch updated Use this configuration to always have the fast-forward option. https://docs.renovatebot.com/presets-default/#rebasestaleprs --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 2975de6..56d20ff 100644 --- a/renovate.json +++ b/renovate.json @@ -4,7 +4,8 @@ "config:recommended", // Included in config:best-practices anyway, but added for clarity. "config:best-practices", ":ignoreUnstable", - ":disableRateLimiting" + ":disableRateLimiting", + ":rebaseStalePrs" ], "semanticCommits": "disabled", "packageRules": [ From 37cedb1ad0954b63a4d6509286897ce5639778a5 Mon Sep 17 00:00:00 2001 
From: June Date: Fri, 24 Oct 2025 19:28:49 +0200 Subject: [PATCH 09/32] renovate: label all PRs with the "renovate" label --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 56d20ff..13774e4 100644 --- a/renovate.json +++ b/renovate.json @@ -5,7 +5,8 @@ "config:best-practices", ":ignoreUnstable", ":disableRateLimiting", - ":rebaseStalePrs" + ":rebaseStalePrs", + ":label(renovate)" ], "semanticCommits": "disabled", "packageRules": [ From 839a9b2c0a8e0213aa4ac88a4ecabe0230d777e7 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 19:59:35 +0200 Subject: [PATCH 10/32] renovate: group all digest updates together https://docs.renovatebot.com/presets-group/#groupalldigest --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 13774e4..f72babb 100644 --- a/renovate.json +++ b/renovate.json @@ -6,7 +6,8 @@ ":ignoreUnstable", ":disableRateLimiting", ":rebaseStalePrs", - ":label(renovate)" + ":label(renovate)", + "group:allDigest" ], "semanticCommits": "disabled", "packageRules": [ From 3840553f9d2231d2c36d5a44dee63f252c63f956 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 22:05:54 +0200 Subject: [PATCH 11/32] docker_compose(role): add support for deploying optional .env file This is needed for situations, where one wants to use a vendor-provided compose file and configure it using environment variables. Like for example: https://github.com/zammad/zammad-docker-compose --- roles/docker_compose/README.md | 4 ++-- roles/docker_compose/meta/argument_specs.yaml | 6 ++++++ roles/docker_compose/tasks/main.yaml | 11 +++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index d407a62..d3204ec 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md 
@@ -1,8 +1,8 @@ # Role `docker_compose` A role for deploying a Docker-Compose-based application. -It deploys the given Compose file as well as configuration files to the specified hosts and makes sure all services are up-to-date and running. -The Compose file gets deployed to `/ansible_docker_compose/compose.yaml` and the configuration files get deployed into the `/ansible_docker_compose/configs/` directory. +It deploys the given Compose file, an optional `.env` file, as well as configuration files to the specified hosts and makes sure all services are up-to-date and running. +The Compose file gets deployed to `/ansible_docker_compose/compose.yaml`, the `.env` file to `/ansible_docker_compose/.env` and the configuration files get deployed into the `/ansible_docker_compose/configs/` directory. A use case for the deployment of the additional configuration files is Composes top-level element `configs` in conjunction with the `configs` option for services. ## Supported Distributions diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml index 81ce504..c588ba0 100644 --- a/roles/docker_compose/meta/argument_specs.yaml +++ b/roles/docker_compose/meta/argument_specs.yaml @@ -7,6 +7,12 @@ argument_specs: `/ansible_docker_compose/compose.yaml`. type: str required: true + docker_compose__env_file_content: + description: >- + The content of the .env file at + `/ansible_docker_compose/.env`. + type: str + required: false docker_compose__configuration_files: description: >- A list of configuration files to be deployed in the diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index af7f717..7b01304 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml 
@@ -17,6 +17,17 @@ become: true notify: docker compose down +- name: deploy the .env file + ansible.builtin.copy: + content: "{{ docker_compose__env_file_content }}" + dest: /ansible_docker_compose/.env + mode: "0644" + owner: root + group: root + become: true + when: docker_compose__env_file_content is defined + notify: docker compose down + - name: make sure the `/ansible_docker_compose/configs` directory exists ansible.builtin.file: path: /ansible_docker_compose/configs From 747e5b2d4c1d3286fc4636180000b0d7bef2f658 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 22:15:48 +0200 Subject: [PATCH 12/32] zammad(host): change to .env configuration Align the compose.yaml to upstreams v11.2.0 version. This is a first step to hopefully then just use the upstreams version directly and not vendor it. --- inventories/chaosknoten/host_vars/zammad.yaml | 3 +- .../chaosknoten/zammad/docker_compose/.env.j2 | 15 +++++ .../{compose.yaml.j2 => compose.yaml} | 67 +++++++------------ 3 files changed, 42 insertions(+), 43 deletions(-) create mode 100644 resources/chaosknoten/zammad/docker_compose/.env.j2 rename resources/chaosknoten/zammad/docker_compose/{compose.yaml.j2 => compose.yaml} (61%) diff --git a/inventories/chaosknoten/host_vars/zammad.yaml b/inventories/chaosknoten/host_vars/zammad.yaml index 88ad99c..65ea352 100644 --- a/inventories/chaosknoten/host_vars/zammad.yaml +++ b/inventories/chaosknoten/host_vars/zammad.yaml @@ -1,4 +1,5 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/compose.yaml.j2') }}" +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/zammad/docker_compose/compose.yaml') }}" +docker_compose__env_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/.env.j2') }}" docker_compose__configuration_files: [ ] certbot__version_spec: "" 
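Review bot: The new `deploy the .env file` task writes the rendered environment with `mode: "0644"`, but the only content this series feeds it (`resources/chaosknoten/zammad/docker_compose/.env.j2`) carries `POSTGRES_PASS={{ secret__zammad_db_password }}`, so the database password becomes readable by every local account on the host; `mode: "0600"` is enough, since the file is root-owned and Compose is invoked with privileges. Because the secret arrives via `content:`, a run with `--diff` or a task failure prints the whole file into the Ansible output — add `no_log: true` to the task (accepting that it hides error detail as well). Also, when `docker_compose__env_file_content` is later undefined the task is merely skipped, so a stale `.env` from an earlier run would stay in place; a companion `ansible.builtin.file` task with `state: absent` for the undefined case would let the role converge.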
diff --git a/resources/chaosknoten/zammad/docker_compose/.env.j2 b/resources/chaosknoten/zammad/docker_compose/.env.j2 new file mode 100644 index 0000000..85a848b --- /dev/null +++ b/resources/chaosknoten/zammad/docker_compose/.env.j2 @@ -0,0 +1,15 @@ +ELASTICSEARCH_VERSION=8.19.4 +IMAGE_REPO=ghcr.io/zammad/zammad +MEMCACHE_SERVERS=zammad-memcached:11211 +MEMCACHE_VERSION=1.6-alpine +POSTGRES_DB=zammad_production +POSTGRES_PASS={{ secret__zammad_db_password }} +POSTGRES_USER=zammad +POSTGRES_HOST=zammad-postgresql +POSTGRES_PORT=5432 +POSTGRES_VERSION=15-alpine +REDIS_URL=redis://zammad-redis:6379 +REDIS_VERSION=7-alpine +RESTART=always +VERSION=6 +NGINX_SERVER_SCHEME=https diff --git a/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/zammad/docker_compose/compose.yaml similarity index 61% rename from resources/chaosknoten/zammad/docker_compose/compose.yaml.j2 rename to resources/chaosknoten/zammad/docker_compose/compose.yaml index ab1ed85..55446e1 100644 --- a/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/zammad/docker_compose/compose.yaml 
@@ -1,33 +1,16 @@ --- -{# -https://github.com/zammad/zammad-docker-compose -Docker Compose does not allow defining variables in the compose file (only in .env files), so we use Jinja variables instead -see https://github.com/zammad/zammad-docker-compose/blob/master/.env -#} -{%- set ELASTICSEARCH_VERSION = "8.19.4" | quote -%} -{%- set IMAGE_REPO = "ghcr.io/zammad/zammad" | quote -%} -{%- set MEMCACHE_SERVERS = "zammad-memcached:11211" | quote -%} -{%- set MEMCACHE_VERSION = "1.6-alpine" | quote -%} -{%- set POSTGRES_DB = "zammad_production" | quote -%} -{%- set POSTGRES_HOST = "zammad-postgresql" | quote -%} -{%- set POSTGRES_USER = "zammad" | quote -%} -{%- set POSTGRES_PASS = secret__zammad_db_password | quote -%} -{%- set POSTGRES_PORT = "5432" | quote -%} -{%- set POSTGRES_VERSION = "15-alpine" | quote -%} -{%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%} -{%- set REDIS_VERSION = "7-alpine" | quote -%} -{%- set RESTART = "always" | quote -%} -{%- set VERSION = "6" | quote -%} +version: '3.8' + x-shared: zammad-service: &zammad-service environment: &zammad-environment - MEMCACHE_SERVERS: {{ MEMCACHE_SERVERS }} - POSTGRESQL_DB: {{ POSTGRES_DB }} - POSTGRESQL_HOST: {{ POSTGRES_HOST }} - POSTGRESQL_USER: {{ POSTGRES_USER }} - POSTGRESQL_PASS: {{ POSTGRES_PASS }} - POSTGRESQL_PORT: {{ POSTGRES_PORT }} - REDIS_URL: {{ REDIS_URL }} + MEMCACHE_SERVERS: ${MEMCACHE_SERVERS} + POSTGRESQL_DB: ${POSTGRES_DB} + POSTGRESQL_HOST: ${POSTGRES_HOST} + POSTGRESQL_USER: ${POSTGRES_USER} + POSTGRESQL_PASS: ${POSTGRES_PASS} + POSTGRESQL_PORT: ${POSTGRES_PORT} + REDIS_URL: ${REDIS_URL} # Allow passing in these variables via .env: AUTOWIZARD_JSON: AUTOWIZARD_RELATIVE_PATH: @@ -40,7 +23,7 @@ x-shared: ELASTICSEARCH_SSL_VERIFY: NGINX_PORT: NGINX_SERVER_NAME: - NGINX_SERVER_SCHEME: https + NGINX_SERVER_SCHEME: POSTGRESQL_DB_CREATE: POSTGRESQL_OPTIONS: RAILS_TRUSTED_PROXIES: 
@@ -48,8 +31,8 @@ x-shared: ZAMMAD_SESSION_JOBS: ZAMMAD_PROCESS_SCHEDULED: ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS: - image: {{ IMAGE_REPO }}:{{ VERSION }} - restart: {{ RESTART }} + image: ${IMAGE_REPO}:${VERSION} + restart: ${RESTART} volumes: - zammad-storage:/opt/zammad/storage - zammad-var:/opt/zammad/var @@ -71,8 +54,8 @@ services: BACKUP_TIME: "03:00" HOLD_DAYS: "10" TZ: Europe/Berlin - image: postgres:{{ POSTGRES_VERSION }} - restart: {{ RESTART }} + image: postgres:${POSTGRES_VERSION} + restart: ${RESTART} volumes: - zammad-backup:/var/tmp/zammad - zammad-storage:/opt/zammad/storage:ro @@ -80,8 +63,8 @@ services: - ./scripts/backup.sh:/usr/local/bin/backup.sh:ro zammad-elasticsearch: - image: elasticsearch:{{ ELASTICSEARCH_VERSION }} - restart: {{ RESTART }} + image: elasticsearch:${ELASTICSEARCH_VERSION} + restart: ${RESTART} volumes: - elasticsearch-data:/usr/share/elasticsearch/data environment: @@ -102,8 +85,8 @@ services: zammad-memcached: command: memcached -m 256M - image: memcached:{{ MEMCACHE_VERSION }} - restart: {{ RESTART }} + image: memcached:${MEMCACHE_VERSION} + restart: ${RESTART} zammad-nginx: <<: *zammad-service @@ -119,11 +102,11 @@ services: zammad-postgresql: environment: - POSTGRES_DB: {{ POSTGRES_DB }} - POSTGRES_USER: {{ POSTGRES_USER }} - POSTGRES_PASSWORD: {{ POSTGRES_PASS }} - image: postgres:{{ POSTGRES_VERSION }} - restart: {{ RESTART }} + POSTGRES_DB: ${POSTGRES_DB} + POSTGRES_USER: ${POSTGRES_USER} + POSTGRES_PASSWORD: ${POSTGRES_PASS} + image: postgres:${POSTGRES_VERSION} + restart: ${RESTART} volumes: - postgresql-data:/var/lib/postgresql/data @@ -132,8 +115,8 @@ services: command: ["zammad-railsserver"] zammad-redis: - image: redis:{{ REDIS_VERSION }} - restart: {{ RESTART }} + image: redis:${REDIS_VERSION} + restart: ${RESTART} volumes: - redis-data:/data From df32e1cac87262bdda6f4aaa24816e6b4f8e110f Mon Sep 17 00:00:00 2001 
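Review bot: Every `image:` in these hunks now reads `postgres:${POSTGRES_VERSION}`, `redis:${REDIS_VERSION}`, `elasticsearch:${ELASTICSEARCH_VERSION}` and so on, with the values living in a separate `.env.j2`; as far as I know Renovate's `docker-compose` manager does not expand Compose variables or read `.env`, so these images drop out of the digest pinning and update PRs that PATCH 05 of this series introduced for every other host, and they also lose the explicit `docker.io/library/` registry prefix used elsewhere. If the goal is to track upstream's file verbatim, add a `customManagers` regex entry over `resources/chaosknoten/zammad/docker_compose/.env.j2` that maps each `*_VERSION=` line to the matching `docker` depName so tag and digest updates keep flowing. Otherwise Zammad's Postgres, Redis, Elasticsearch and Zammad images will only move when someone edits the file by hand.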
From: June Date: Fri, 24 Oct 2025 22:57:03 +0200 Subject: [PATCH 13/32] zammad(host): move to latest upstream compose file version (v14.1.1) It hopefully fixes bugs we had in the past, so removing the workarounds and it also comes with default values now, so removing all variables set to those defaults. --- .../chaosknoten/zammad/docker_compose/.env.j2 | 11 -- .../zammad/docker_compose/compose.yaml | 110 +++++++++--------- 2 files changed, 57 insertions(+), 64 deletions(-) diff --git a/resources/chaosknoten/zammad/docker_compose/.env.j2 b/resources/chaosknoten/zammad/docker_compose/.env.j2 index 85a848b..adeeb48 100644 --- a/resources/chaosknoten/zammad/docker_compose/.env.j2 +++ b/resources/chaosknoten/zammad/docker_compose/.env.j2 @@ -1,15 +1,4 @@ -ELASTICSEARCH_VERSION=8.19.4 -IMAGE_REPO=ghcr.io/zammad/zammad -MEMCACHE_SERVERS=zammad-memcached:11211 -MEMCACHE_VERSION=1.6-alpine -POSTGRES_DB=zammad_production POSTGRES_PASS={{ secret__zammad_db_password }} -POSTGRES_USER=zammad -POSTGRES_HOST=zammad-postgresql -POSTGRES_PORT=5432 POSTGRES_VERSION=15-alpine -REDIS_URL=redis://zammad-redis:6379 REDIS_VERSION=7-alpine -RESTART=always -VERSION=6 NGINX_SERVER_SCHEME=https diff --git a/resources/chaosknoten/zammad/docker_compose/compose.yaml b/resources/chaosknoten/zammad/docker_compose/compose.yaml index 55446e1..66192da 100644 --- a/resources/chaosknoten/zammad/docker_compose/compose.yaml +++ b/resources/chaosknoten/zammad/docker_compose/compose.yaml 
@@ -1,70 +1,83 @@ --- -version: '3.8' +version: "3.8" + +# Taken from: https://github.com/zammad/zammad-docker-compose/blob/master/docker-compose.yml +# Version: v14.1.1 +# Update from new tag by replacing all content. +# Configuration should be done in the .env.j2. x-shared: zammad-service: &zammad-service environment: &zammad-environment - MEMCACHE_SERVERS: ${MEMCACHE_SERVERS} - POSTGRESQL_DB: ${POSTGRES_DB} - POSTGRESQL_HOST: ${POSTGRES_HOST} - POSTGRESQL_USER: ${POSTGRES_USER} - POSTGRESQL_PASS: ${POSTGRES_PASS} - POSTGRESQL_PORT: ${POSTGRES_PORT} - REDIS_URL: ${REDIS_URL} + MEMCACHE_SERVERS: ${MEMCACHE_SERVERS:-zammad-memcached:11211} + POSTGRESQL_DB: ${POSTGRES_DB:-zammad_production} + POSTGRESQL_HOST: ${POSTGRES_HOST:-zammad-postgresql} + POSTGRESQL_USER: ${POSTGRES_USER:-zammad} + POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad} + POSTGRESQL_PORT: ${POSTGRES_PORT:-5432} + POSTGRESQL_OPTIONS: ${POSTGRESQL_OPTIONS:-?pool=50} + POSTGRESQL_DB_CREATE: + REDIS_URL: ${REDIS_URL:-redis://zammad-redis:6379} + S3_URL: + # Backup settings + BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}" + BACKUP_TIME: "${BACKUP_TIME:-03:00}" + HOLD_DAYS: "${HOLD_DAYS:-10}" + TZ: "${TZ:-Europe/Berlin}" # Allow passing in these variables via .env: AUTOWIZARD_JSON: AUTOWIZARD_RELATIVE_PATH: ELASTICSEARCH_ENABLED: + ELASTICSEARCH_SCHEMA: ELASTICSEARCH_HOST: ELASTICSEARCH_PORT: - ELASTICSEARCH_SCHEMA: + ELASTICSEARCH_USER: + ELASTICSEARCH_PASS: ELASTICSEARCH_NAMESPACE: ELASTICSEARCH_REINDEX: - ELASTICSEARCH_SSL_VERIFY: NGINX_PORT: + NGINX_CLIENT_MAX_BODY_SIZE: NGINX_SERVER_NAME: NGINX_SERVER_SCHEME: - POSTGRESQL_DB_CREATE: - POSTGRESQL_OPTIONS: RAILS_TRUSTED_PROXIES: + ZAMMAD_HTTP_TYPE: + ZAMMAD_FQDN: ZAMMAD_WEB_CONCURRENCY: - ZAMMAD_SESSION_JOBS: - ZAMMAD_PROCESS_SCHEDULED: + ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS: + ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS: ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS: - image: ${IMAGE_REPO}:${VERSION} - restart: ${RESTART} + # ZAMMAD_SESSION_JOBS_CONCURRENT is deprecated, 
please use ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS instead. + ZAMMAD_SESSION_JOBS_CONCURRENT: + # Variables used by ngingx-proxy container for reverse proxy creations + # for docs refer to https://github.com/nginx-proxy/nginx-proxy + VIRTUAL_HOST: + VIRTUAL_PORT: + # Variables used by acme-companion for retrieval of LetsEncrypt certificate + # for docs refer to https://github.com/nginx-proxy/acme-companion + LETSENCRYPT_HOST: + LETSENCRYPT_EMAIL: + + image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-6.5.2} + restart: ${RESTART:-always} volumes: - zammad-storage:/opt/zammad/storage - - zammad-var:/opt/zammad/var depends_on: - zammad-memcached - zammad-postgresql - zammad-redis services: - zammad-backup: + <<: *zammad-service command: ["zammad-backup"] - depends_on: - - zammad-railsserver - - zammad-postgresql - entrypoint: /usr/local/bin/backup.sh - environment: - <<: *zammad-environment - BACKUP_TIME: "03:00" - HOLD_DAYS: "10" - TZ: Europe/Berlin - image: postgres:${POSTGRES_VERSION} - restart: ${RESTART} volumes: - zammad-backup:/var/tmp/zammad - zammad-storage:/opt/zammad/storage:ro - - zammad-var:/opt/zammad/var:ro - - ./scripts/backup.sh:/usr/local/bin/backup.sh:ro + user: 0:0 zammad-elasticsearch: - image: elasticsearch:${ELASTICSEARCH_VERSION} - restart: ${RESTART} + image: elasticsearch:${ELASTICSEARCH_VERSION:-8.19.4} + restart: ${RESTART:-always} volumes: - elasticsearch-data:/usr/share/elasticsearch/data environment: 
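Review bot: `POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad}` in the shared environment falls back to a fixed, publicly known password whenever `POSTGRES_PASS` is unset, and the `zammad-postgresql` service in the next hunk (`@@ -79,34 +92,29 @@`) does the same with `POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad}`, so a missing or mis-rendered `.env` brings the database up with that password instead of failing. Compose's `${POSTGRES_PASS:?POSTGRES_PASS must be set in .env}` form aborts the deployment instead; applying it on both lines keeps the upstream defaults for everything else. Since the header says the file is refreshed by replacing all content, record that deviation in the header comment so it is not lost on the next sync.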
@@ -79,34 +92,29 @@ services: - zammad-postgresql restart: on-failure user: 0:0 - volumes: - - zammad-storage:/opt/zammad/storage - - zammad-var:/opt/zammad/var zammad-memcached: command: memcached -m 256M - image: memcached:${MEMCACHE_VERSION} - restart: ${RESTART} + image: memcached:${MEMCACHE_VERSION:-1.6.39-alpine} + restart: ${RESTART:-always} zammad-nginx: <<: *zammad-service command: ["zammad-nginx"] expose: - - "8080" + - "${NGINX_PORT:-8080}" ports: - - "8080:8080" + - "${NGINX_EXPOSE_PORT:-8080}:${NGINX_PORT:-8080}" depends_on: - zammad-railsserver - volumes: - - zammad-var:/opt/zammad/var:ro # required for the zammad-ready check file zammad-postgresql: environment: - POSTGRES_DB: ${POSTGRES_DB} - POSTGRES_USER: ${POSTGRES_USER} - POSTGRES_PASSWORD: ${POSTGRES_PASS} - image: postgres:${POSTGRES_VERSION} - restart: ${RESTART} + POSTGRES_DB: ${POSTGRES_DB:-zammad_production} + POSTGRES_USER: ${POSTGRES_USER:-zammad} + POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad} + image: postgres:${POSTGRES_VERSION:-17.6-alpine} + restart: ${RESTART:-always} volumes: - postgresql-data:/var/lib/postgresql/data @@ -115,16 +123,14 @@ services: command: ["zammad-railsserver"] zammad-redis: - image: redis:${REDIS_VERSION} - restart: ${RESTART} + image: redis:${REDIS_VERSION:-7.4.5-alpine} + restart: ${RESTART:-always} volumes: - redis-data:/data zammad-scheduler: <<: *zammad-service command: ["zammad-scheduler"] - volumes: - - /ansible_docker_compose/zammad-scheduler-database.yml:/opt/zammad/config/database.yml # workaround for connection pool issue zammad-websocket: <<: *zammad-service @@ -141,5 +147,3 @@ volumes: driver: local zammad-storage: driver: local - zammad-var: - driver: local From 01890fecbdcd98628b6b375fff78fe4d3d99a6f6 Mon Sep 17 00:00:00 2001 
From: Renovate Date: Wed, 29 Oct 2025 00:30:36 +0000 Subject: [PATCH 14/32] Update all digest updates --- resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 4 ++-- resources/chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 index 4c9d491..ffe491b 100644 --- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 @@ -17,7 +17,7 @@ services: restart: unless-stopped app: - image: docker.io/library/wordpress:6-php8.1@sha256:d93a391bc1ba9d2db3e53c8c8421a88d6beadb7b654235ba83ccf9ea93ecdcd5 + image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4 environment: - "WORDPRESS_DB_HOST=database" - "WORDPRESS_DB_NAME=wordpress" diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 398d814..92a6afb 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4@sha256:65d65fa0e858a608fd3e7d16ecfd7a5ced2fba4ab22a8fd3b86f3742ecec0a83 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4@sha256:06bfa760dfa40bd3d4305a67ce02e9dc70113151f09820a3bc6c75f5f7ece855 pull_policy: always restart: unless-stopped command: start --optimized 
@@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14@sha256:9541969afa16d1ac724e16d1cf3c26ddd0c5bae5dd1c230118a7f5b9c14cde1f + image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 014b8af..5513381 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 + image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 66f6172..081aa2a 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 + image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 057da55..deb9f50 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 
@@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine@sha256:2e50ad404aead120409575d21758230cc295aec52dfa05ece9b4d0429bc38636 + image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" From a03ed9a362603dd8102ecff4c044c94c56d520a6 Mon Sep 17 00:00:00 2001 From: Renovate Date: Wed, 29 Oct 2025 23:45:38 +0000 Subject: [PATCH 15/32] Update all stable non-major dependencies --- resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 436669a..d739b2f 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.1@sha256:ff7e389acbe064a4823212a500393d40a28a8f362e4b05cbf6742a9a3ef736b2 + image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 081aa2a..243a468 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 
@@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.2@sha256:029d4461bd98f124e531380505ceea2072418fdf28752aa73b7b273ba3048903 + image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f restart: unless-stopped volumes: - public:/usr/share/nginx/html From a979fccd12de1bcd1c2ea8c7eb11e7e379101a89 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 30 Oct 2025 04:47:10 +0100 Subject: [PATCH 16/32] renovate: add custom regex manager for inventory vars dependencies Inspiration taken from/documentation: https://docs.renovatebot.com/presets-customManagers/#custommanagersdockerfileversions https://docs.renovatebot.com/modules/manager/regex/ --- renovate.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/renovate.json b/renovate.json index f72babb..9dc45bf 100644 --- a/renovate.json +++ b/renovate.json @@ -30,6 +30,18 @@ "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], + "customManagers": [ + // Custom manager using regex for letting Renovate find dependencies in inventory variables. + { + "customType": "regex", + "managerFilePatterns": [ + "/^inventories/.*?_vars/.*?\\.ya?ml$/" + ], + "matchStrings": [ + "# renovate: datasource=(?[a-zA-Z0-9-._]+?) depName=(?[^\\s]+?)(?: packageName=(?[^\\s]+?))?(?: versioning=(?[^\\s]+?))?\\s*.+?\\s*:\\s*[\"']?(?.+?)[\"']?\\s" + ] + } + ], "docker-compose": { "managerFilePatterns": [ "/(^|/)(?:docker-)?compose[^/]*\\.ya?ml.j2$/" From 83fd86897796e66e1ea59a188efbb582c83fb7ae Mon Sep 17 00:00:00 2001 From: June Date: Thu, 30 Oct 2025 04:49:44 +0100 Subject: [PATCH 17/32] docker(role): use full image sources --- roles/nextcloud/templates/compose.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nextcloud/templates/compose.yaml.j2 b/roles/nextcloud/templates/compose.yaml.j2 index 4644d8b..9e28735 100644 --- a/roles/nextcloud/templates/compose.yaml.j2 +++ b/roles/nextcloud/templates/compose.yaml.j2 
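Review bot: The capture groups in the new `matchStrings` pattern appear without names here (`(?[a-zA-Z0-9-._]+?)`, `(?[^\\s]+?)`), which as written is not a valid regex; the `versioning` regex above it and the `From:` headers show the same angle-bracket stripping, so this is presumably a rendering artefact and the file carries `(?<datasource>…)`, `(?<depName>…)`, `(?<packageName>…)`, `(?<versioning>…)` and `(?<currentValue>…)`. Worth confirming against the repository copy, since a pattern Renovate cannot compile simply yields no dependencies for the matched inventory files.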
@@ -32,9 +32,9 @@ services: OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/" OVERWRITEHOST: "{{ nextcloud__fqdn }}" OVERWRITEPROTOCOL: "https" - + db: - image: postgres:{{ nextcloud__postgres_version }} + image: docker.io/library/postgres:{{ nextcloud__postgres_version }} restart: unless-stopped #ports: # - 127.0.0.1:5432:5432 @@ -48,7 +48,7 @@ services: POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}" redis: - image: redis:alpine + image: docker.io/library/redis:alpine restart: unless-stopped networks: - nextcloud From f7918e7b6ff92529ba8cc7de02b3e217a1dcb32b Mon Sep 17 00:00:00 2001 From: June Date: Thu, 30 Oct 2025 05:01:02 +0100 Subject: [PATCH 18/32] add renovate comment for custom regex matcher to inventory version vars --- inventories/chaosknoten/host_vars/cloud.yaml | 2 ++ inventories/chaosknoten/host_vars/netbox.yaml | 1 + 2 files changed, 3 insertions(+) diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index 35fb162..0cbcd4d 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,4 +1,6 @@ +# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 +# renovate: datasource=docker depName=docker.io/library/postgres nextcloud__postgres_version: 15.14 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 4726885..fb99f0e 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,3 +1,4 @@ +# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox netbox__version: "v4.1.7" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true 
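Review bot: `image: docker.io/library/redis:alpine` in the second hunk of `roles/nextcloud/templates/compose.yaml.j2` now has a full registry path but still no version component, so the docker-compose manager has nothing to track and each pull may move across Redis major versions without a reviewed change. A major tag such as `docker.io/library/redis:7-alpine` (the tag the zammad `.env.j2` in this series uses) gives Renovate a value to bump and digest-pin while keeping the alpine variant.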
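Review bot: The renovate comment in `inventories/chaosknoten/host_vars/cloud.yaml` now hands `nextcloud__postgres_version: 15.14` to Renovate, but the value is an unquoted YAML float, so a future bump to a version ending in zero (e.g. `15.10`) would load as `15.1` and render `docker.io/library/postgres:15.1` in the nextcloud compose template. Quote it as `nextcloud__postgres_version: "15.14"` (and `nextcloud__version: "32"` for the same reason), matching the already quoted `netbox__version` in the sibling hunk; the custom manager's value pattern already allows optional quotes around the value.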
From 23ea6669065fc73237297182de672a0e9119a10c Mon Sep 17 00:00:00 2001 From: June Date: Thu, 30 Oct 2025 05:13:23 +0100 Subject: [PATCH 19/32] renovate(role): always pull and use full image source Ensure we're always running the latest Renovate version. --- roles/renovate/files/renovate.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/renovate/files/renovate.service b/roles/renovate/files/renovate.service index 6cb8f16..52e64f5 100644 --- a/roles/renovate/files/renovate.service +++ b/roles/renovate/files/renovate.service @@ -6,7 +6,8 @@ Wants=network-online.target [Service] Type=oneshot ExecStart=/usr/bin/docker run --rm \ + --pull=always \ -v "/etc/renovate/config.js:/usr/src/app/config.js" \ --mount "type=volume,src=renovate,dst=/tmp/renovate" \ --env "RENOVATE_BASE_DIR=/tmp/renovate" \ - renovate/renovate + docker.io/renovate/renovate:latest From ea5b4b8d69bad8c14102daf01699a0b18763bf3c Mon Sep 17 00:00:00 2001 From: Renovate Date: Thu, 30 Oct 2025 04:17:13 +0000 Subject: [PATCH 20/32] Update dependency netbox to v4.4.5 --- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index fb99f0e..60dd94a 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.1.7" +netbox__version: "v4.4.5" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true From 0f4fb68c97c22a3913cc45cb2f52f6cfa467d8da Mon Sep 17 00:00:00 2001 
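Review bot: `docker.io/renovate/renovate:latest` combined with `--pull=always` means every timer run executes whatever the upstream `latest` tag pointed to moments earlier, and this container runs with the forge credentials the mounted `config.js` presumably holds, so an upstream regression or a compromised tag lands directly in a process that can push branches and open pull requests. If always-current is the goal, tracking a major-version tag (where the image publishes one) or a digest reference that a custom manager bumps through a commit keeps the auto-update while leaving a reviewable, revertible trail. At minimum the trade-off deserves a line in the unit, e.g. `# latest + --pull=always: image changes are applied without review`.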
From: June Date: Thu, 30 Oct 2025 05:25:26 +0100 Subject: [PATCH 21/32] netbox(role): don't try to deploy removed housekeeping service and timer https://github.com/netbox-community/netbox/releases/tag/v4.4.0 https://github.com/netbox-community/netbox/issues/18349 --- roles/netbox/handlers/main.yaml | 8 -------- roles/netbox/tasks/main.yaml | 14 -------------- 2 files changed, 22 deletions(-) diff --git a/roles/netbox/handlers/main.yaml b/roles/netbox/handlers/main.yaml index fd7eb62..427569a 100644 --- a/roles/netbox/handlers/main.yaml +++ b/roles/netbox/handlers/main.yaml @@ -14,11 +14,3 @@ loop: - "netbox.service" - "netbox-rq.service" - -- name: Ensure netbox housekeeping timer is set up and up-to-date - ansible.builtin.systemd_service: - daemon_reload: true - name: "netbox-housekeeping.timer" - enabled: true - state: restarted - become: true diff --git a/roles/netbox/tasks/main.yaml b/roles/netbox/tasks/main.yaml index dffa746..87f249e 100644 --- a/roles/netbox/tasks/main.yaml +++ b/roles/netbox/tasks/main.yaml @@ -108,17 +108,3 @@ - "netbox.service" - "netbox-rq.service" notify: Ensure netbox systemd services are set up and up-to-date - -- name: Ensure provided housekeeping systemd service and timer are copied - ansible.builtin.copy: - remote_src: true - src: "/opt/netbox/contrib/{{ item }}" - dest: "/etc/systemd/system/{{ item }}" - mode: "0644" - owner: root - group: root - become: true - loop: - - "netbox-housekeeping.service" - - "netbox-housekeeping.timer" - notify: Ensure netbox housekeeping timer is set up and up-to-date From a11ccaf16ca77cdb93d05a07ce7bf3e54f87220b Mon Sep 17 00:00:00 2001 
From: June Date: Thu, 30 Oct 2025 05:50:42 +0100 Subject: [PATCH 22/32] disable digest pinning for our images, since Forgejo cleans them up Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images. While generally resulting in undeployable config, with ansible-pull the breakage is especially noticeable. --- renovate.json | 6 ++++++ .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 8 ++++---- resources/chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- resources/z9/dooris/docker_compose/compose.yaml.j2 | 2 +- resources/z9/yate/docker_compose/compose.yaml.j2 | 4 ++-- 5 files changed, 14 insertions(+), 8 deletions(-) diff --git a/renovate.json b/renovate.json index 9dc45bf..7e604c1 100644 --- a/renovate.json +++ b/renovate.json @@ -28,6 +28,12 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" + }, + // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images. + { + "matchDatasources": ["docker"], + "matchPackageNames": ["git.hamburg.ccc.de/*"], + "pinDigests": false } ], "customManagers": [ diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 92a6afb..d91a254 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4@sha256:06bfa760dfa40bd3d4305a67ce02e9dc70113151f09820a3bc6c75f5f7ece855 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4 pull_policy: always restart: unless-stopped command: start --optimized 
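Review bot: `"matchPackageNames": ["git.hamburg.ccc.de/*"]` depends on how Renovate's glob matching treats `/`; if it follows minimatch semantics where `*` stops at a path separator, multi-segment names such as `git.hamburg.ccc.de/ccchh/oci-images/keycloak` would not match and the digests removed by hand in this commit would be re-added on the next run. `git.hamburg.ccc.de/**` matches under either interpretation, so that spelling is the safer one; a dry run against the keycloak compose file would confirm. Dropping the digests also means the keycloak service's `pull_policy: always` now re-resolves the mutable `26.4` tag on every start, which is the trade-off the commit accepts — a registry retention rule that keeps referenced digests would allow pinning to return later.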
@@ -58,7 +58,7 @@ services: POSTGRES_DB: keycloak id-invite-web: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest command: web restart: unless-stopped networks: @@ -84,7 +84,7 @@ services: - "BOTTLE_HOST=0.0.0.0" id-invite-email: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest command: email restart: unless-stopped networks: @@ -99,7 +99,7 @@ services: - "SMTP_PASSWORD={{ secret__id_no_reply_smtp }}" id-invite-keycloak: - image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest@sha256:ba011f410bc1d2e112135857c236412f65b727f15197dbea1fffd955e0487a6a + image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest command: keycloak restart: unless-stopped networks: diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 5513381..70dc7e6 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - database hedgedoc-expire: - image: git.hamburg.ccc.de/ccchh/hedgedoc-expire/hedgedoc-expire:latest@sha256:9be261712a8ee57ff89068c3926a8c5d7c96ff80aa629f98eec239786c6158b1 + image: git.hamburg.ccc.de/ccchh/hedgedoc-expire/hedgedoc-expire:latest # command: "emailcheck" command: "cron" environment: diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2 index b722aa7..38db85a 100644 --- a/resources/z9/dooris/docker_compose/compose.yaml.j2 +++ b/resources/z9/dooris/docker_compose/compose.yaml.j2 
@@ -2,7 +2,7 @@ services: dooris: - image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest@sha256:a895989b0955936cbe0641de0309bcb343a9da9c2c8d6184d906a66bf1151303 + image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest environment: HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27" HMDOORIS_CCUJACK_CERTIFICATE_PATH: false diff --git a/resources/z9/yate/docker_compose/compose.yaml.j2 b/resources/z9/yate/docker_compose/compose.yaml.j2 index c39afa4..562b318 100644 --- a/resources/z9/yate/docker_compose/compose.yaml.j2 +++ b/resources/z9/yate/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: yate: - image: git.hamburg.ccc.de/ccchh/yate-image/yate-image:latest@sha256:66f77d63dc52c9aeb09481e48b9d62f5f95439f86eab3766fce94daea7b2e26a + image: git.hamburg.ccc.de/ccchh/yate-image/yate-image:latest # command: # - sh # - "-c" @@ -17,4 +17,4 @@ services: - ./configs/accfile.conf:/opt/yate/etc/yate/accfile.conf - ./configs/regexroute.conf:/opt/yate/etc/yate/regexroute.conf - ./configs/regfile.conf:/opt/yate/etc/yate/regfile.conf - - ./lib-yate:/var/lib/yate \ No newline at end of file + - ./lib-yate:/var/lib/yate From dc6c7cbfb78de0e66205030d19233ccd2647688e Mon Sep 17 00:00:00 2001 
From: June Date: Sat, 1 Nov 2025 17:53:08 +0100 Subject: [PATCH 23/32] sunders(host): deploy sunders using docker compose https://git.hamburg.ccc.de/CCCHH/sunders --- .../chaosknoten/host_vars/sunders.sops.yaml | 9 ++- .../chaosknoten/host_vars/sunders.yaml | 13 +++++ inventories/chaosknoten/hosts.yaml | 3 + .../nginx/acme_challenge.conf | 1 + .../public-reverse-proxy/nginx/nginx.conf | 1 + .../sunders/docker_compose/compose.yaml.j2 | 57 +++++++++++++++++++ .../sunders/nginx/sunders.hamburg.ccc.de.conf | 42 ++++++++++++++ 7 files changed, 123 insertions(+), 3 deletions(-) create mode 100644 inventories/chaosknoten/host_vars/sunders.yaml create mode 100644 resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 create mode 100644 resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf diff --git a/inventories/chaosknoten/host_vars/sunders.sops.yaml b/inventories/chaosknoten/host_vars/sunders.sops.yaml index 98b3917..559bc80 100644 --- a/inventories/chaosknoten/host_vars/sunders.sops.yaml +++ b/inventories/chaosknoten/host_vars/sunders.sops.yaml 
@@ -1,4 +1,7 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:tP84jDYh2zeWjf7wqDoefm9zaeg/Q2TWUyIstOcrjYHgrZdGLk64skLuGyH5q4FxQL9QEhe9qBT+AAxxKE6fU630/M1LVOR4Sls=,iv:I9W6KxIoisJFFMtOrN5u8KgnsmuIgF9RvzWanLNGVVM=,tag:w9bhDahR4Ai4/nLLeR58lA==,type:str] +secret__sunders_db_root_password: ENC[AES256_GCM,data:m3Xt6dOKibRflon/rWG9KmdBPHEBbqE/GIpKdFI1Di7Lpl/THxzrgx12mTK6aZnwDrM=,iv:hD/UGwo88ye9CxyTCEQ0SVon2+ipPjeA9NF2/OhYwmc=,tag:DRdQ5hvTgUO5FVae/ul7kQ==,type:str] +secret__sunders_db_camera_password: ENC[AES256_GCM,data:tOt4ImpedgfGvRpcThPO30YyEl/bP244ruJQzAYodJIsEhFuk5LxHpPASEnsqlN6m3M=,iv:rQXBjiYWZlzeUdaqDdTlrdbSSqGaPDeZOPhUaMjgcjU=,tag:lkSlIdJWFowyPfWEjpC/Zg==,type:str] +secret__sunders_db_camera_select_password: ENC[AES256_GCM,data:PveGcD2WmvpMc8bafGY1c45aQ2XH/ym2yj5YacauQPeZO6Xem3kaxU0kwjs0Wd26ugc=,iv:tk288L9i0lxsJbTFq5ET5IiKkJfMQwc6uKNFXILcD7o=,tag:hOIivp3mOtDNBCsKvrSrBw==,type:str] sops: age: - recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd @@ -10,8 +13,8 @@ sops: S3NiK3R6UWQ5UU0xUmYwa1hqMUo5c28K4EVQwBcALc6k53CNsemfMy2s6AGO5LJf 3U1zeFtEcsvEnUfkvFT//M7cB6pUqQF0KIq1VnnFoQF7IpvSN23lxg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-14T23:43:05Z" - mac: ENC[AES256_GCM,data:15TRSKlDhjQy3yMcFhz2Den2YorcrpJmCw0BVl10qlG8u9G7Vw/7aV/hJnZdkCz3w1ZkEbNS6DCKxCLs1Qgf2SEPaG/cRraO2mcl+YH7k4gb5LMzu81fRkbCx66B4LG+DY8fsAJeO4mxui2m0ZAHb2SNFIP4Q4vdLav3jTaiwAc=,iv:71qa6JTc+S5MLynGc27tx1WBGrpvTCSCoEv01SZnPF8=,tag:ju4WP1MK1/sWw7TAitzM0Q==,type:str] + lastmodified: "2025-11-01T16:32:10Z" + mac: ENC[AES256_GCM,data:8Q6DBSFtzwHuVxduRlZYxlRWO0trSoesNGUR8r/dWnp9ashFBSZqVyffXb4Vq6DB5thANJ6/b3PCNsHdiAKn6Ai2UT8G0HimFjUUgNpZxo4xoNGmDhDvfdBgUL6O2pHhY+ojjguUXDYeYc99+eaxfKqZ3w+PAPaySltKm99foz8=,iv:ILOErdiWbUjk9kovXXZYcAqZFQp2Wo1Tm14sgK3niWg=,tag:Q2gT6wbQyhDXjoQEG2Lngw==,type:str] pgp: - created_at: "2025-10-15T08:45:25Z" enc: |- 
@@ -207,4 +210,4 @@ sops: -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/sunders.yaml b/inventories/chaosknoten/host_vars/sunders.yaml new file mode 100644 index 0000000..b3d50d8 --- /dev/null +++ b/inventories/chaosknoten/host_vars/sunders.yaml @@ -0,0 +1,13 @@ +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/sunders/docker_compose/compose.yaml.j2') }}" + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "sunders.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + +nginx__version_spec: "" +nginx__configurations: + - name: sunders.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1f1445c..b9e6358 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -106,6 +106,7 @@ docker_compose_hosts: pretalx: zammad: ntfy: + sunders: nextcloud_hosts: hosts: cloud: @@ -126,6 +127,7 @@ nginx_hosts: wiki: zammad: ntfy: + sunders: public_reverse_proxy_hosts: hosts: public-reverse-proxy: @@ -145,6 +147,7 @@ certbot_hosts: wiki: zammad: ntfy: + sunders: prometheus_node_exporter_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 790ca77..165e166 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -29,6 +29,7 @@ map $host $upstream_acme_challenge_host { wiki.hamburg.ccc.de 172.31.17.146:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; + sunders.hamburg.ccc.de 172.31.17.170:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 87b5408..4a449f5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -43,6 +43,7 @@ stream { staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de 172.31.17.148:8443; + sunders.hamburg.ccc.de 172.31.17.170:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 new file mode 100644 index 0000000..a5cfc5b --- /dev/null +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 
@@ -0,0 +1,57 @@ +# Source: +# https://git.hamburg.ccc.de/CCCHH/sunders/src/branch/main/docker-compose.yml + +services: + db: + image: mariadb:12.0.2 + command: --max_allowed_packet=3250585600 + environment: + MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" + MYSQL_DATABASE: camera + MYSQL_USER: camera + MYSQL_PASSWORD: "{{ secret__sunders_db_camera_password }}" + volumes: + - mariadb:/var/lib/mysql + healthcheck: + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"] + interval: 10s + timeout: 5s + start_period: 30s + retries: 5 + + web: + image: git.hamburg.ccc.de/ccchh/sunders/web:latest + environment: + MYSQL_HOST: db + MYSQL_DB: camera + CAMERA_SELECT_USER: camera_select + CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}" + DEFAULT_ZOOM: 12 + DEFAULT_LAT: 0 + DEFAULT_LON: 0 + DEFAULT_LANGUAGE: en + IMPRESSUM_URL: https://hamburg.ccc.de/imprint/ + ports: + - "8080:80" + depends_on: + data_handler: + condition: service_started + + data_handler: + image: git.hamburg.ccc.de/ccchh/sunders/data_handler:latest + environment: + MYSQL_HOST: db + MYSQL_DB: camera + MYSQL_USER: root + MYSQL_PASSWORD: "{{ secret__sunders_db_root_password }}" + CAMERA_USER: camera + CAMERA_USER_PASSWORD: "{{ secret__sunders_db_camera_password }}" + CAMERA_SELECT_USER: camera_select + CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}" + depends_on: + db: + condition: service_healthy + restart: true + +volumes: + mariadb: diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf new file mode 100644 index 0000000..04cc006 --- /dev/null +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf 
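Review bot: `ports: - "8080:80"` on the `web` service publishes the container on every host interface, while the accompanying nginx vhost only ever proxies to `127.0.0.1:8080`, so the plain-HTTP endpoint is reachable directly on the host's other addresses, bypassing TLS and the HSTS and forwarding headers the proxy sets. Binding it as `- "127.0.0.1:8080:80"` keeps the proxy as the only path in. Separately, `image: mariadb:12.0.2` is the one reference in this series without a registry prefix; `docker.io/library/mariadb:12.0.2` follows the convention the earlier "use full image sources" commit introduces.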
@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name sunders.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/sunders.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/;
+ }
+}
From c3f71b1f0801ddf0f1265dbf057ebf295ed73acf Mon Sep 17 00:00:00 2001
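Review bot: The header comment announces a Mozilla intermediate configuration, but this `server` block contains no `ssl_protocols`, `ssl_ciphers`, `ssl_session_*` or `ssl_stapling` directives, and the comment above `ssl_trusted_certificate` talks about verifying OCSP responses, which only happens if stapling is switched on elsewhere; presumably all of that is inherited from the shared `http` context, and a comment such as `# TLS protocol, cipher and stapling settings are inherited from the http context.` above `ssl_certificate` would make that explicit for the next vhost copied from this file. `listen 8443 ssl http2 proxy_protocol;` uses the `http2` listen parameter that nginx deprecated in 1.25.1 in favour of a separate `http2 on;` directive; harmless on older builds, but worth switching once the target nginx allows it. `set_real_ip_from 172.31.17.140` trusts exactly one PROXY-protocol sender, which only holds if port 8443 is not reachable from anywhere else — if a host firewall or the compose network enforces that, a short comment saying so would document the assumption behind `$remote_addr` in `X-Real-IP` and `Forwarded`.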
From: ViMaSter
Date: Sun, 2 Nov 2025 20:24:55 +0100
Subject: [PATCH 24/32] sunders: replace password in healthcheck with dynamic secret https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/55 Co-authored-by: ViMaSter Co-committed-by: ViMaSter
---
 resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
index a5cfc5b..fbec258 100644
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@@ -13,7 +13,7 @@ services:
 volumes:
 - mariadb:/var/lib/mysql
 healthcheck:
- test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"]
+ test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"]
 interval: 10s
 timeout: 5s
 start_period: 30s
From 8cefd07618b575ce41ddecae05890a48a62bfa0a Mon Sep 17 00:00:00 2001
From: June
Date: Fri, 24 Oct 2025 23:59:38 +0200
Subject: [PATCH 25/32] docker_compose(role): remove distribution check The distribution check isn't really needed in our setup anyway and just adds unnecessary noise.
---
 roles/docker_compose/README.md | 4 +---
 roles/docker_compose/meta/main.yaml | 7 -------
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md
index d3204ec..14d0107 100644
--- a/roles/docker_compose/README.md
+++ b/roles/docker_compose/README.md
@@ -7,9 +7,7 @@ A use case for the deployment of the additional configuration files is Composes
 
 ## Supported Distributions
 
-The following distributions are supported:
-
-- Debian 11
+Should work on Debian-based distributions.
 
 ## Required Arguments
 
diff --git a/roles/docker_compose/meta/main.yaml b/roles/docker_compose/meta/main.yaml
index b9a6980..cb7d8e0 100644
--- a/roles/docker_compose/meta/main.yaml
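Review bot: Templating the root secret into `test: [..., "-p{{ secret__sunders_db_root_password }}"]` fixes the `rootpassword` mismatch, but it renders the secret a second time into the compose file and, via the healthcheck definition, into `docker inspect` output and the healthcheck log, and a secret containing `"` or `\` would break the flow sequence. The container already has `MYSQL_ROOT_PASSWORD` in its environment, so the check can read it from there without repeating it: `test: ["CMD-SHELL", "mariadb-admin ping -h localhost -uroot -p\"$$MYSQL_ROOT_PASSWORD\""]` (the doubled `$$` stops Compose from interpolating the variable from the host environment at parse time). As far as I recall the official mariadb image also ships a `healthcheck.sh` (`--connect --innodb_initialized`) that needs no credentials on the command line at all, which would be the cleaner choice if it works with this image version.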
+++ b/roles/docker_compose/meta/main.yaml
@@ -1,10 +1,3 @@
 ---
 dependencies:
- - role: distribution_check
- vars:
- distribution_check__distribution_support_spec:
- - name: Debian
- major_versions:
- - 11
- - 12
 - role: docker
From e390b7c20249b0eed56bf34ff3360f91f26958fa Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 25 Oct 2025 00:00:58 +0200
Subject: [PATCH 26/32] docker_compose(role): remove unnecessary hosts section from README The hosts section isn't really relevant for that role, so remove it.
---
 roles/docker_compose/README.md | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md
index 14d0107..7246899 100644
--- a/roles/docker_compose/README.md
+++ b/roles/docker_compose/README.md
@@ -13,10 +13,6 @@ Should work on Debian-based distributions.
 
 For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
 
-## `hosts`
-
-The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running.
-
 ## Links & Resources
 
 -
From 9f8d2d89cd8e17c2c23230764696410e2c9061d6 Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 25 Oct 2025 00:07:36 +0200
Subject: [PATCH 27/32] docker_compose(role): move argument documentation to README Do this to match newer roles and since reading documentation from argument_specs is quite unergonomic.
---
 roles/docker_compose/README.md | 9 ++++++++-
 roles/docker_compose/meta/argument_specs.yaml | 11 -----------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md
index 7246899..c0a7a93 100644
--- a/roles/docker_compose/README.md
+++ b/roles/docker_compose/README.md
@@ -11,7 +11,14 @@ Should work on Debian-based distributions.
 
 ## Required Arguments
 
-For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
+- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`.
+
+## Optional Arguments
+
+- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`.
+- `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory.
+- `docker_compose__configuration_files.*.name`: The name of the configuration file.
+- `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file.
 
 ## Links & Resources
 
diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml
index c588ba0..664496e 100644
--- a/roles/docker_compose/meta/argument_specs.yaml
+++ b/roles/docker_compose/meta/argument_specs.yaml
@@ -2,31 +2,20 @@ argument_specs:
 main:
 options:
 docker_compose__compose_file_content:
- description: >-
- The content of the Compose file at
- `/ansible_docker_compose/compose.yaml`.
 type: str
 required: true
 docker_compose__env_file_content:
- description: >-
- The content of the .env file at
- `/ansible_docker_compose/.env`.
 type: str
 required: false
 docker_compose__configuration_files:
- description: >-
- A list of configuration files to be deployed in the
- `/ansible_docker_compose/configs/` directory.
 type: list
 elements: dict
 required: false
 default: [ ]
 options:
 name:
- description: The name of the configuration file.
 type: str
 required: true
 content:
- description: The content of the configuration file.
 type: str
 required: true
From ae60d6fea6305f6719d33042373eea40d121e597 Mon Sep 17 00:00:00 2001
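Review bot: Dropping every `description:` from `argument_specs.yaml` leaves `ansible-doc -t role docker_compose` (and editors that read the spec) with nothing to show for the options, even though the spec still validates them. A one-line pointer per option, e.g. `description: Documented in README.md.`, keeps that output useful while the prose lives in the README as this change intends. The README entry for `docker_compose__configuration_files.*.name` could also state that it is a bare file name placed under `/ansible_docker_compose/configs/`, since the value ends up in a path.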
From: June
Date: Sun, 2 Nov 2025 23:13:20 +0100
Subject: [PATCH 28/32] docker_compose(role): use community.docker.docker_compose_v2 module Use the community.docker.docker_compose_v2 module as it supports proper changed handling out of the box, making the roles code more straightforward and work. Also just do a docker compose restart instead of having the custom docker compose reload script. https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html
---
 inventories/z9/host_vars/yate.yaml | 1 -
 requirements.yml | 3 ++
 roles/docker_compose/defaults/main.yaml | 1 -
 roles/docker_compose/handlers/main.yaml | 18 +++++-----
 roles/docker_compose/tasks/main.yaml | 46 ++++++-------------------
 5 files changed, 21 insertions(+), 48 deletions(-)
diff --git a/inventories/z9/host_vars/yate.yaml b/inventories/z9/host_vars/yate.yaml
index d2dc518..fecacb1 100644
--- a/inventories/z9/host_vars/yate.yaml
+++ b/inventories/z9/host_vars/yate.yaml
@@ -6,4 +6,3 @@ docker_compose__configuration_files:
 content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
 - name: regfile.conf
 content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
-docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"
diff --git a/requirements.yml b/requirements.yml
index e5538cc..6011bda 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -6,3 +6,6 @@ collections:
 - name: community.sops
 version: ">=2.2.4"
 source: https://galaxy.ansible.com
+ - name: community.docker
+ version: ">=5.0.0"
+ source: https://galaxy.ansible.com
diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml
index 1312972..76831d6 100644
--- a/roles/docker_compose/defaults/main.yaml
+++ b/roles/docker_compose/defaults/main.yaml
@@ -1,2 +1 @@
 docker_compose__configuration_files: [ ]
-docker_compose__restart_cmd: ""
diff --git a/roles/docker_compose/handlers/main.yaml b/roles/docker_compose/handlers/main.yaml
index 49e064c..2aff0fe 100644
--- a/roles/docker_compose/handlers/main.yaml
+++ b/roles/docker_compose/handlers/main.yaml
@@ -1,13 +1,11 @@
 - name: docker compose down
- ansible.builtin.command:
- cmd: /usr/bin/docker compose down
- chdir: /ansible_docker_compose
+ community.docker.docker_compose_v2:
+ project_src: /ansible_docker_compose
+ state: absent
 become: true
- changed_when: true # This is always changed.
-- name: docker compose reload script
- ansible.builtin.command:
- cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }}
- chdir: /ansible_docker_compose
+
+- name: docker compose restart
+ community.docker.docker_compose_v2:
+ project_src: /ansible_docker_compose
+ state: restarted
 become: true
- changed_when: true # Mark this as always changed (for now?).
- when: docker_compose__restart_cmd != ""
diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml
index 7b01304..bea3f4f 100644
--- a/roles/docker_compose/tasks/main.yaml
+++ b/roles/docker_compose/tasks/main.yaml
@@ -59,7 +59,7 @@
 state: absent
 become: true
 loop: "{{ docker_compose__config_files_to_remove.files }}"
- # notify: docker compose down
+ notify: docker compose restart
 
 - name: make sure all given configuration files are deployed
 ansible.builtin.copy:
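Review bot: After this change nothing in the visible hunks notifies the `docker compose down` handler any more — both the stale-config removal task here and the deploy task in the following hunk now use `notify: docker compose restart` — yet the handler stays and the flush task's name still advertises it. If no task outside these hunks notifies it, drop the handler (and shorten the flush task's name) so the role does not keep an unused `state: absent` path that takes the whole stack down if someone wires it up later; if something does notify it, a comment on the handler naming that task would save the next reader the search. `project_src: /ansible_docker_compose` is now spelled out literally in both handlers and again in the `docker compose up` task of the next hunk; a role variable such as `docker_compose__project_src` would keep the three from drifting apart.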
@@ -70,45 +70,19 @@
 group: root
 become: true
 loop: "{{ docker_compose__configuration_files }}"
- # notify: docker compose down
- notify: docker compose reload script
+ notify: docker compose restart
 
-- name: Flush handlers to make "docker compose down" handler run now
+- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now
 ansible.builtin.meta: flush_handlers
 
-- name: docker compose ps --format json before docker compose up
- ansible.builtin.command:
- cmd: /usr/bin/docker compose ps --format json
- chdir: /ansible_docker_compose
+- name: docker compose up
+ community.docker.docker_compose_v2:
+ project_src: /ansible_docker_compose
+ state: present
+ build: always
+ pull: always
+ remove_orphans: true
 become: true
- changed_when: false
- register: docker_compose__ps_json_before_up
-
-- name: docker compose up --detach --pull always --build
- ansible.builtin.command:
- cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans
- chdir: /ansible_docker_compose
- become: true
- changed_when: false
- # The changed for this task is tried to be determined by the "potentially
- # report changed" task together with the "docker compose ps --format json
- # [...]" tasks.
-
-- name: docker compose ps --format json after docker compose up
- ansible.builtin.command:
- cmd: /usr/bin/docker compose ps --format json
- chdir: /ansible_docker_compose
- become: true
- changed_when: false
- register: docker_compose__ps_json_after_up
-
-# Doesn't work anymore. Dunno why.
-# TODO: Fix
-# - name: potentially report changed
-# ansible.builtin.debug:
-# msg: "If this reports changed, then the docker compose containers changed."
-# changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort)
-# != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort)
 
 - name: Make sure anacron is installed
 become: true
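Review bot: `pull: always` combined with `build: always` makes every run of the role a deployment of whatever the referenced image tags resolve to at that moment; for mutable tags such as the `:latest` sunders images earlier in this series that is an unreviewed image update on each Ansible run, and a registry outage fails the play even though the stack is already up. This mirrors the old `--pull always --build` command, so it may well be intended, but then a comment above the task would stop the next reader from treating it as an oversight, e.g. `# Every run pulls and builds the newest images; pin tags or digests in the Compose file to control what gets deployed.`. If it is not intended, the module's `pull: missing` keeps image updates an explicit step. Note also that the `docker compose restart` handler is flushed before this task pulls, so a changed Compose file restarts the old containers first and `up` recreates them right after; that is only a second bounce, not a defect, but worth knowing when reading the play output.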
From d690f81e3df40f85665d3c52ddc8d8f4418aebe1 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Wed, 5 Nov 2025 23:08:08 +0100
Subject: [PATCH 29/32] deploy_ssh_server_config: setup ssh pq cryptography
---
 roles/deploy_ssh_server_config/templates/sshd_config.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2
index eefafa4..307f213 100644
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@@ -17,7 +17,15 @@
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 
+
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
+KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% else %}
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% endif %}
+
 
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
From cffe5c2b1642c14839baf750e82d65bbe141d8fe Mon Sep 17 00:00:00 2001
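Review bot: The Debian 12 branch lists `sntrup761x25519-sha512` without the `@openssh.com` suffix; Debian 12 ships OpenSSH 9.2, which as far as I know registers this exchange only as `sntrup761x25519-sha512@openssh.com` (the unsuffixed alias arrived in a later OpenSSH release), so sshd would reject the rendered file with a bad `KexAlgorithms` error and a restart could leave the host unreachable. Use `KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256` in the `== "12"` branch, and confirm the accepted spelling with `ssh -Q kex` on a Debian 12 host before rolling out. The template task that deploys this file (outside this hunk) should also run `validate: /usr/sbin/sshd -t -f %s` so any future algorithm typo fails the play instead of the daemon. The Debian 13 branch is fine: OpenSSH 10 knows `mlkem768x25519-sha256` and already prefers it by default.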
@@ -4,7 +4,7 @@ all:
 ansible_host: authoritative-dns.z9.ccchh.net
 ansible_user: chaos
 dooris:
- ansible_host: 10.31.208.201
+ ansible_host: dooris.z9.ccchh.net
 ansible_user: chaos
 light:
 ansible_host: light.z9.ccchh.net
From aeec08fce8573b0625e60f9bee4027b575933fbe Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 6 Nov 2025 21:16:36 +0100
Subject: [PATCH 31/32] remove distribution checks Signed-Off-By: june
---
 roles/foobazdmx/meta/main.yaml | 8 --------
 roles/ola/meta/main.yaml | 8 --------
 2 files changed, 16 deletions(-)
 delete mode 100644 roles/foobazdmx/meta/main.yaml
 delete mode 100644 roles/ola/meta/main.yaml
diff --git a/roles/foobazdmx/meta/main.yaml b/roles/foobazdmx/meta/main.yaml
deleted file mode 100644
index 386685c..0000000
--- a/roles/foobazdmx/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
- - role: distribution_check
- vars:
- distribution_check__distribution_support_spec:
- - name: Debian
- major_versions:
- - "11"
diff --git a/roles/ola/meta/main.yaml b/roles/ola/meta/main.yaml
deleted file mode 100644
index 386685c..0000000
--- a/roles/ola/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
- - role: distribution_check
- vars:
- distribution_check__distribution_support_spec:
- - name: Debian
- major_versions:
- - "11"
From 63917722ff0a9d292aa012eaa2dfcc6baf15fcae Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 6 Nov 2025 21:16:36 +0100
Subject: [PATCH 32/32] fix foobazdmx role poetry is available via apt now so we install it that way
---
 roles/foobazdmx/tasks/main.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/roles/foobazdmx/tasks/main.yaml b/roles/foobazdmx/tasks/main.yaml
index f6e6097..33197b5 100644
--- a/roles/foobazdmx/tasks/main.yaml
+++ b/roles/foobazdmx/tasks/main.yaml
@@ -7,11 +7,7 @@
 - python3
 - python3-pip
 - python3-setuptools
-
-- name: Ensure python peotry is installed
- become: true
- ansible.builtin.pip:
- name: poetry
+ - python3-poetry
 
- name: Ensure foobazdmx user exists
 become: true
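Review bot: With poetry now coming from apt as `python3-poetry`, the `python3-pip` entry right above it looks like a leftover from the removed `ansible.builtin.pip` task; if nothing else in this role installs through pip (the rest of the task file is outside this hunk), dropping it shrinks the host's footprint and removes the temptation to pip-install into the system interpreter, which Debian 12 and later refuse anyway (PEP 668 "externally managed environment" — most likely the reason the old task stopped working). `python3-setuptools` may be in the same situation and is worth checking at the same time.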