Update docker.io/library/postgres Docker tag to v18

README.md

@@ -27,7 +27,7 @@ Generally all secrets get encrypted for all GPG-keys of all members of the infra
 Ansible then has access to the secrets with the help of the [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables), which is configured in this repository.
 A local Ansible run then uses the locally available GPG-key to decrypt the secrets.
 
-For a tutorial on how to set up secrets using SOPS for a new host, see [Setting Up Secrets Using SOPS for a New Host](./docs/setting_up_secrets_using_sops_for_a_new_host.md).
+For a tutorial on how to set up SOPS for a new host, see [SOPS: New Host](./docs/guides/sops-new-host.md).
 
 ### Updating SOPS files after swapping out a GPG key
 

docs/concepts-and-configurations/sops.md

@@ -0,0 +1,18 @@
+---
+title: SOPS
+---
+
+# SOPS
+
+We're using [SOPS](https://github.com/getsops/sops) for secret management together with the `community.sops.sops` vars plugin for Ansible.
+
+## GPG Keys
+
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
+
+## Guides
+
+See the following pages for guidance on how to use SOPS:
+
+- [SOPS: New Host](../guides/sops-new-host.md)
+- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)

docs/guides/create-new-web-service-vm.md

@@ -57,7 +57,7 @@ As the first step, we need to make the host known to Ansible.
 
 ## Ansible-Pull Configuration
 
-Since you added your host to the `ansible_pull_hosts`, you also need to follow [Setting Up Secrets Using SOPS for a New Host](/docs/setting_up_secrets_using_sops_for_a_new_host.md) before continuing.
+Since you added your host to the `ansible_pull_hosts`, you also need to follow [SOPS: New Host](./sops-new-host.md) before continuing.
 
 ## Service-specific config
 

docs/guides/setting_up_secrets_using_sops_for_a_new_host.md

@@ -1,33 +0,0 @@
-# Setting Up Secrets Using SOPS for a New Host
-
-Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
-
-1. Create a new age key for Ansible pull on the host.
-   ```
-   age-keygen
-   ```
-   Then add the public key part under `keys.hosts.chaosknoten.age` in [.sops.yaml](../.sops.yaml).
-2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
-   It should probably hold all admin keys plus the host entry you just added.
-   You can use existing creation rules as a reference.
-3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`.
-
-   If GPG yells at you, follow the instructions in our [password-store](https://git.hamburg.ccc.de/CCCHH/password-store).
-4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
-   The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.  
-   This can be accomplished with a command similar to this:
-   ```
-   sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].sops.yaml
-   ```
-5. With the editor now open, add the secrets you want to store.
-   Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.  
-   Also note that SOPS only encrypts the values, not the keys.  
-   When now creating entries, try to adhere to the following variable naming convention:
-   - Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
-   - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
-   - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
-6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
-
-## GPG Keys
-
-In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.

docs/guides/sops-new-host.md

@@ -0,0 +1,58 @@
+---
+title: "SOPS: New Host"
+summary: How to Setup SOPS for a New Host
+---
+
+# SOPS: New Host
+
+The following outlines the steps to take for setting up [SOPS](../concepts-and-configurations/sops.md) for a new host (`myservice`).  
+Every host needs a SOPS configuration as every host should be set up to run ansible-pull.
+
+1. Create a new age key for ansible-pull for the host:
+   ```
+   age-keygen
+   ```
+2. Add the public key part to the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml) under:
+   ```yaml
+   keys:
+    # ...
+    hosts:
+      chaosknoten:
+        age: &host_chaosknoten_age_keys
+          # ...
+          - &host_myservice_ansible_pull_age_key <age public key here>
+   ```
+   You can use the existing configuration as guidance.  
+   For VMs not on Chaosknoten, choose the appropriate section.
+3. Add a new creation rule for the hosts `host_vars` file to the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).  
+   It should most likely hold all admin keys plus the host entry you just added and look something like this:
+   ```yaml
+   creation_rules:
+    # ...
+    ## host vars
+    # chaosknoten hosts
+    # ...
+    - path_regex: "inventories/chaosknoten/host_vars/myservice\\.sops\\..+"
+      key_groups:
+        - pgp:
+            *admin_gpg_keys
+          age:
+            - *host_myservice_ansible_pull_age_key
+   ```  
+   You can use existing creation rules as a reference.  
+   For VMs not on Chaosknoten, choose the appropriate section.
+4. Re-encrypt for the newly added key (mainly `group_vars/all.sops.yaml`):
+   ```bash
+   find inventories -name "*.sops.*" | xargs sops updatekeys --yes
+   ```
+   If GPG yells at you, follow the instructions in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
+5. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. The name of the file should be of the format `<hostname>.sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.  
+   For this example the following command accomplishes this:
+   ```
+   sops inventories/chaosknoten/host_vars/myservice.sops.yaml
+   ```
+    - With the editor now open, delete the example content and add the previously generated age private key like this:
+      ```yaml
+      ansible_pull__age_private_key: <age private key here>
+      ```
+      Note that SOPS only encrypts the values, not the keys.  

docs/guides/sops-storing-secrets.md

@@ -0,0 +1,29 @@
+---
+title: "SOPS: Storing Secrets"
+summary: How to Store Secrets Using SOPS
+---
+
+# SOPS: Storing Secrets
+
+Some guidance on how to store secrets using [SOPS](../concepts-and-configurations/sops.md). For a guide on how to setup SOPS for a new host, see [SOPS: New Host](./sops-new-host.md).
+
+1. For storing host-specific secrets, open the host-specific SOPS file:
+   ```
+   sops inventories/<chaosknoten/z9/...>/host_vars/<hostname>.sops.yaml
+   ```
+   For inventory-wide secrets, open the inventories `all` group SOPS file:
+   ```
+   sops inventories/<chaosknoten/z9/...>/group_vars/all.sops.yaml
+   ```
+2. Now the secrets can be added to the opened file. Because we're using the `community.sops.sops` vars plugin, the stored secrets will then be exposed as Ansible variables.  
+   Note that SOPS only encrypts the values, not the keys.  
+   When creating entries, try to adhere to the following variable naming conventions:
+    - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar, e.g.:
+      ```yaml
+      secret__netbox_secret_key: secret_value
+      ```
+    - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable, e.g.:
+      ```yaml
+      netbox__db_password: secret_value
+      ```
+3. After closing the editor, the secrets are stored. In Ansible they are exposed as variables and can simply be used like any other variable.

inventories/chaosknoten/host_vars/cloud.yaml

@@ -1,7 +1,7 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.17
+nextcloud__postgres_version: 18.4
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"

resources/chaosknoten/lists/docker_compose/compose.yaml.j2

@@ -62,7 +62,7 @@ services:
       - POSTGRES_DB=mailmandb
       - POSTGRES_USER=mailman
       - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
-    image: docker.io/library/postgres:12-alpine
+    image: docker.io/library/postgres:18-alpine
     volumes:
       - /opt/mailman/database:/var/lib/postgresql/data
     networks:

resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine
+    image: docker.io/library/postgres:18-alpine
     environment:
       - "POSTGRES_USER=pretalx"
       - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"