fix multiple typos

docs/guides/new-chaosknoten-vm.md

@@ -1,22 +1,18 @@
 ---
-title: Create a new VM on Chaosknoten
+title: New Chaosknoten VM
+summary: How to Create a New VM on Chaosknoten
 ---
 
-!!! success "Goal"
+# New Chaosknoten VM
 
-    Create a new VM on our Chaosknoten Server with DNS Name, Firewalling and network config.
+This guide outlines the steps to take for creating a new VM (`myservice`) on Chaosknoten. It might also act as a useful reference for other environments however.
 
-## 1. Reserve an IP Address
+## IP and DNS
 
-Decide on what kind of network configuration the VM needs.
+Decide on what kind of network configuration the VM needs. In this guide we assume a public v6 and a non-public v4 in the v4-NAT network. If you have special requirements, refer to TODO for more information on the different kinds of networks available on Chaosknoten.  
-In this guide we assume a public v6 and a non-public v4 in the v4-NAT network.
-If you have special requirements, refer to TODO for more information on the different kinds of networks available on Chaosknoten.  
 
 1. Allocate a fresh [v6 in NetBox in the v4-NAT v6-network](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/).
     - The _hostname_ should be the full FQDN, like: `myservice.hosts.hamburg.ccc.de`
-
-## 2. Configure DNS
-
 2. Add a new `AAAA` record pointing to the chosen v6 to the [`hamburg.ccc.de` zone](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone).  
   It should look something like this:
   ```
@@ -27,7 +23,7 @@ If you have special requirements, refer to TODO for more information on the diff
   ansible-playbook -i inventories/chaosknoten playbooks/deploy.yaml -l auth-dns -t knot
   ```
 
-## 3. Create A VM in Proxmox
+## VM Creation
 
 Now that we have a v6, let's create a new VM on Chaosknoten.
 
@@ -53,9 +49,6 @@ Now that we have a v6, let's create a new VM on Chaosknoten.
       ```
       ssh -J chaos@router.hamburg.ccc.de chaos@myservice.hosts.hamburg.ccc.de
       ```
-
-## 4. Enter VM into NetBox
-
 4. Finally add the VM to NetBox
     1. First [add the VM itself](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
         - The _Name_ should be the hostname of the VM, so e.g. `myservice`.
@@ -70,7 +63,7 @@ Now that we have a v6, let's create a new VM on Chaosknoten.
     4. Finally assign the IP address created earlier in NetBox to the just created interface by going into the _Assignment_ section of the IP address configuration.
         - Also check _Make this the primary IP for the device/VM_ while doing so.
 
-## 5. Enroll the VM in ansible
+## Ansible
 
 Next up the VM should be added to the Ansible configuration management. While Ansible can and should be used to configure various services and configuration options, this section focuses on the basic setup to be done.
 
@@ -95,7 +88,7 @@ Next up the VM should be added to the Ansible configuration management. While An
 
 Feel free to commit at this point before continuing with further configuration.
 
-## 6. Configure the VM further for your needs
+## Further Setup
 
 With the basic configuration now done, the VM can be set up further. Here are some helpful pointers:
 
@@ -103,9 +96,4 @@ With the basic configuration now done, the VM can be set up further. Here are so
 - Secrets should be stored using SOPS, see: [SOPS: Storing Secrets](./sops-storing-secrets.md)
 - Guidance on setting up a web service can be found in the [Web Service](./web-service.md) guide.
 
-Afterward you should also take care of setting up monitoring for the newly configured service, see: [Monitor a new service with Gatus](./monitor-a-new-service-with-gatus.md).
+Afterward you should also take care of setting up monitoring for the newly configured service, see: [Monitoring: Gatus](./monitoring-gatus.md)
-
-## Closing Up
-
-This section is optional but if there's any way for the reader to verify their goal has been achieved, you should mention it here.
-

inventories/chaosknoten/hosts.yaml

@@ -291,5 +291,3 @@ msmtp_hosts:
 renovate_hosts:
   hosts:
     renovate:
-secrets_hosts:
-  hosts:

inventories/external/hosts.yaml

@@ -22,5 +22,3 @@ infrastructure_authorized_keys_hosts:
 ansible_pull_hosts:
   hosts:
     status:
-secrets_hosts:
-  hosts:

inventories/z9/group_vars/all.sops.yaml

@@ -1,5 +1,5 @@
 metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
-msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str]
+msmtp__smtp_password: ENC[AES256_GCM,data:NlA0aN2SeP4Tl3G1Qg0v/SAicY8p6ZMdQPihGfFTohAmajNvteFJ19ELPezwTz7hia0oU7lwo3DfKuu92WMIKA==,iv:s44piFZZrF6ZYmkGqsBFjTUNiHc4IhBXJATRPETsAI8=,tag:Sj0Q/Y4hT4Hs1JxVOO/8xQ==,type:str]
 sops:
   age:
     - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
@@ -38,8 +38,8 @@ sops:
         cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr
         MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-05-23T22:10:20Z"
+  lastmodified: "2026-03-30T19:28:25Z"
-  mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str]
+  mac: ENC[AES256_GCM,data:IGai2CmOI46XHekSSpLgQxEGw9zIf7Z10K8eQyi0rJGha5ZOjz9jP1VIhC9m6LjRxOKJuEPV2NvBACC5tBUCGwW1Ym31spcROjjtCzyqRF8E7R02oNMIQ32Byb9ij56/Trl5UOBOML+WOdeaq8r74kEfIyZBCx/tfGENuTlBqd4=,iv:Gjzb/IW6WcRL3c4ShOH46cVed4duTs1BFygYnGd4d4Y=,tag:DZAH6tA92mFP5Yo9b4kmkg==,type:str]
   pgp:
     - created_at: "2026-05-20T02:08:49Z"
       enc: |-
@@ -212,4 +212,4 @@ sops:
         -----END PGP MESSAGE-----
       fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
   unencrypted_suffix: _unencrypted
-  version: 3.12.2
+  version: 3.12.1

inventories/z9/group_vars/all.yaml

@@ -12,8 +12,8 @@ ansible_pull__timer_randomized_delay_sec: 30min
 msmtp__smtp_host: cow.hamburg.ccc.de
 msmtp__smtp_port: 465
 msmtp__smtp_tls_method: smtps
-msmtp__smtp_user: machine@ccchh.net
+msmtp__smtp_user: any@hosts.z9.ccchh.net
-msmtp__smtp_from: "{{ inventory_hostname }}@cchh.net"
+msmtp__smtp_from: "{{ inventory_hostname }}@hosts.z9.ccchh.net"
 
 alloy_config_default: |
   prometheus.remote_write "default" {

inventories/z9/hosts.yaml

@@ -57,5 +57,3 @@ ansible_pull_hosts:
     light:
     waybackproxy:
     yate:
-secrets_hosts:
-  hosts:

playbooks/deploy.yaml

@@ -6,13 +6,6 @@
   tags:
     - base_config
 
-- name: Ensure secrets deployment on secrets_hosts
-  hosts: secrets_hosts
-  roles:
-    - secrets
-  tags:
-    - secrets
-
 - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
   hosts: systemd_networkd_hosts
   roles:

resources/chaosknoten/auth-dns/zones/ccchh.net.zone

@@ -1,64 +1,73 @@
-$TTL 60	; 1 minutes
+$ORIGIN .
-@ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+$TTL 900	; 15 minutes
-    1          ; serial (overwritten by knot automatically)
+ccchh.net		IN SOA	auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
-    86400      ; refresh (1 day)
+				2026042801 ; serial
-    7200       ; retry (2 hours)
+				86400      ; refresh (1 day)
-    3600000    ; expire (5 weeks 6 days 16 hours)
+				7200       ; retry (2 hours)
-    60         ; minimum/negative ttl (1 minute)
+				3600000    ; expire (5 weeks 6 days 16 hours)
-  )
+				7200       ; minimum (2 hours)
+				)
+            NS  auth-dns.hamburg.ccc.de.
+			NS	ns.vie.ccc.de.
 
-@ NS auth-dns.hamburg.ccc.de.
+$ORIGIN ccchh.net.
-@ NS ns.vie.ccc.de.
+aes			A	212.12.48.125
-
+club-assistant		AAAA	2a07:c481:1:d0::a
-
+;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
-;
+club-assistant.z9	AAAA	2a07:c481:1:d0::a
-; Network-Infrastructure
+;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
-;
+esphome			AAAA	2a07:c481:1:d0::66
-rt-wan         A    185.161.129.134
+esphome.z9		AAAA	2a07:c481:1:d0::66
-               AAAA 2a07:c481::1:2
+zigbee2mqtt		A	185.161.129.132
-sw-rack-1      A    10.89.213.2
+light			AAAA	2a07:c481:1:d0::16
-               AAAA 2a07:c481:1:36::2
+_acme-challenge.light	CNAME	e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
-sw-rack-2-poe  A    10.89.213.3
+light.z9		AAAA	2a07:c481:1:d0::16
-               AAAA 2a07:c481:1:36::3
+_acme-challenge.light.z9 CNAME	3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
-sw-main-1      A    10.89.213.4
+light-werkstatt		AAAA	2a07:c481:1:d0::16
-               AAAA 2a07:c481:1:36::4
+_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
-sw-main-2      A    10.89.213.5
+mailserver-endpoint	A	82.165.121.46
-               AAAA 2a07:c481:1:36::5
+ns1			A	185.161.129.133
-sw-shop-1      A    10.89.213.6
+send-only-mail		MX	10 send-only-mailserver
-               AAAA 2a07:c481:1:36::6
+			TXT	"v=spf1 mx -all"
-sw-shop-2-poe  A    10.89.213.7
+send-only-mailserver	A	82.165.121.46
-               AAAA 2a07:c481:1:36::7
+send-only-mailserver-access A	185.161.129.132
-sw-shop-3-poe  A    10.89.213.8
+thinkcccore0		AAAA	2a07:c481:1:f2::3
-               AAAA 2a07:c481:1:36::8
+thinkcccore0.z9		AAAA	2a07:c481:1:f2::3
-pve01          A    10.89.213.11
+thinkcccore1		AAAA	2a07:c481:1:f2::4
-               AAAA 2a07:c481:1:36::11
+thinkcccore1.z9		AAAA	2a07:c481:1:f2::4
-pve02          A    10.89.213.12
+opnsense		AAAA	2a07:c481:1:f2::1
-               AAAA 2a07:c481:1:36::12
+opnsense.z9		AAAA	2a07:c481:1:f2::1
-pve03          A    10.89.213.13
+pbs			AAAA	2a07:c481:1:f2::4
-               AAAA 2a07:c481:1:36::13
+thinkcccore2		AAAA	2a07:c481:1:f2::5
-pve04          A    10.89.213.14
+thinkcccore2.z9		AAAA	2a07:c481:1:f2::5
-               AAAA 2a07:c481:1:36::14
+thinkcccore3		AAAA	2a07:c481:1:f2::6
-pbs            A    10.89.213.15
+thinkcccore3.z9		AAAA	2a07:c481:1:f2::6
-               AAAA 2a07:c481:1:36::15
+miniscccore0		AAAA	2a07:c481:1:f2::9
-unifi          A    10.89.213.21
+miniscccore0.z9		AAAA	2a07:c481:1:f2::9
-
+uptime-kuma		A	185.161.129.132
-
+status			AAAA	2a07:c481:1:ce::a
-;
+status.z9		AAAA	2a07:c481:1:ce::a
-; Club-Services
+wiki			A	212.12.48.125
-;
+hmdooris-ccu		A	10.31.208.202
-xr18           A    172.31.200.21
+buba			A	10.31.211.137
-
+buba.z9			A	10.31.211.137
-;club-assistant                  AAAA  2a07:c481:1:d0::a
+dooris			AAAA	2a07:c481:1:d0::1c
-;;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
+_acme-challenge.dooris	CNAME	37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
-;esphome                         AAAA  2a07:c481:1:d0::66
+waybackproxy		A	10.31.208.99
-;zigbee2mqtt                     A     185.161.129.132
+yate			A	10.31.208.12
-;light                           AAAA  2a07:c481:1:d0::16
+staubiv2		A	10.31.210.233
-;_acme-challenge.light           CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
+staubiv2.z9		A	10.31.210.233
-;light-werkstatt                 AAAA  2a07:c481:1:d0::16
+; Mail: hosts.z9.ccchh.net
-;_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
+hosts.z9			MX	10 cow.hamburg.ccc.de
-;hmdooris-ccu                    A     10.31.208.202
+				TXT	"v=spf1 mx -all"
-;buba                            A     10.31.211.137
+dkim._domainkey.hosts.z9	TXT	("v=DKIM1;k=rsa;t=s;s=email;"
-;dooris                          AAAA  2a07:c481:1:d0::1c
+	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
-;_acme-challenge.dooris          CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
+	"5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
-;yate                            A     10.31.208.12
+	"ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
-;staubiv2                        A     10.31.210.233
+	"i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
+	"2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
+	"KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
+	"xV/P/KlSnQIDAQAB")
+$ORIGIN send-only-mail.ccchh.net.
+_dmarc			TXT	"v=DMARC1;p=quarantine;"
+key._domainkey		TXT	"v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"

roles/secrets/README.md

@@ -1,24 +0,0 @@
-# Role `secrets`
-
-Allows storing the given secret contents in the configured files.
-
-## Supported Distributions
-
-Should work on Debian-based distributions.
-
-## Required Arguments
-
-None.
-
-## Optional Arguments
-
-- `secrets__secrets`: List of secrets.
-  Defaults to the empty list (`[ ]`).
-- `secrets__secrets.*.name`: (File)name for the secret (in the `/etc/ansible_secrets` directory).
-- `secrets__secrets.*.content`: The secret content to store.
-- `secrets__secrets.*.owner`: The owner of the secret file.
-  Defaults to `root`.
-- `secrets__secrets.*.group`: The group of the secret file.
-  Defaults to `root`.
-- `secrets__secrets.*.mode`: The mode of the secret file.
-  Defaults to `0640`.

roles/secrets/defaults/main.yaml

@@ -1 +0,0 @@
-secrets__secrets: [ ]

roles/secrets/meta/argument_specs.yaml

@@ -1,6 +0,0 @@
-argument_specs:
-  main:
-    options:
-      secrets__secrets:
-        type: list
-        required: false

roles/secrets/tasks/main.yaml

@@ -1,53 +0,0 @@
-- name: validate secret configs
-  ansible.builtin.validate_argument_spec:
-    argument_spec: "{{ required_data }}"
-    provided_arguments:
-      config: "{{ item }}"
-  loop: "{{ secrets__secrets }}"
-  loop_control:
-    label: "{{ item.name }}"
-  vars:
-    required_data:
-      config:
-        type: dict
-        required: true
-        options:
-          name:
-            type: str
-            required: true
-          content:
-            type: str
-            required: true
-          owner:
-            type: str
-            required: false
-            default: root
-          group:
-            type: str
-            required: false
-            default: root
-          mode:
-            type: str
-            required: false
-            default: "0640"
-
-- name: ensure secrets directory exists
-  ansible.builtin.file:
-    path: "/etc/ansible_secrets"
-    state: directory
-    owner: root
-    group: root
-    mode: "0750"
-  become: true
-
-- name: ensure secrets are present
-  ansible.builtin.copy:
-    content: "{{ item.content }}"
-    dest: "/etc/ansible_secrets/{{ item.name }}"
-    mode: "{{ item.mode | default('0640') }}"
-    owner: "{{ item.owner | default('root') }}"
-    group: "{{ item.group | default('root') }}"
-  become: true
-  loop: "{{ secrets__secrets }}"
-  loop_control:
-    label: "{{ item.name }}"