CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

Compare commits

base: CCCHH:48ad1157c6f606f19c8c623c1cad78d3e67eb955
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops
...
compare: CCCHH:4e0ac9fdc37c27638a84907a353e21db957caf38
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops

2 commits
48ad1157c6 ... 4e0ac9fdc3

Author SHA1 Message Date
Renovate
4e0ac9fdc3 Update all stable non-major dependencies
Some checks failed
/ Ansible Lint (push) Failing after 50s
Details
/ Ansible Lint (pull_request) Failing after 51s
Details
2026-01-25 11:15:52 +00:00
Stefan Bethke
b492472179 Explain how to add age key for ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 44s
Details
2026-01-25 12:12:30 +01:00
5 changed files with 21 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

20
docs/setting_up_secrets_using_sops_for_a_new_host.md
View file

@ -2,19 +2,29 @@
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys.
1. Create a new age key for Ansible pull on the host.
```
age-keygen
```
Then add an entry to `keys.hosts.chaosknoten.age`
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference.
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this:
```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
```
3. With the editor now open, add the secrets you want to store.
4. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.

2
inventories/chaosknoten/host_vars/netbox.yaml
View file

@ -1,5 +1,5 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
netbox__version: "v4.5.0"
netbox__version: "v4.5.1"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true

4
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
View file

@ -19,7 +19,7 @@ services:
- prom_data:/prometheus
alertmanager:
image: docker.io/prom/alertmanager:v0.30.0
image: docker.io/prom/alertmanager:v0.30.1
container_name: alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -59,7 +59,7 @@ services:
- /dev/null:/etc/prometheus/pve.yml
loki:
image: docker.io/grafana/loki:3.6.3
image: docker.io/grafana/loki:3.6.4
container_name: loki
ports:
- 13100:3100

2
resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
View file

@ -1,7 +1,7 @@
---
services:
ntfy:
image: docker.io/binwiederhier/ntfy:v2.15.0
image: docker.io/binwiederhier/ntfy:v2.16.0
container_name: ntfy
command:
- serve

4
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
View file

@ -33,7 +33,7 @@ services:
- pretalx_net
pretalx:
image: docker.io/pretalx/standalone:v2025.1.0
image: docker.io/pretalx/standalone:v2025.2.2
entrypoint: gunicorn
command:
- "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
- pretalx_net
celery:
image: docker.io/pretalx/standalone:v2025.1.0
image: docker.io/pretalx/standalone:v2025.2.2
command:
- taskworker
restart: unless-stopped