From de7098556eb132c53ff0d9b1d30b39c2a84997c1 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 21:15:45 +0200 Subject: [PATCH 01/13] add configuration for infra-docs and infra-docs staging --- resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 2 ++ .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 2 ++ resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone index a9c4851..8c30fb4 100644 --- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone @@ -287,6 +287,8 @@ spaceapiccc IN CNAME public-reverse-proxy acmedns IN CNAME public-reverse-proxy cpuccc IN CNAME public-reverse-proxy did IN CNAME public-reverse-proxy +infra-docs IN CNAME public-reverse-proxy +staging.infra-docs IN CNAME public-reverse-proxy auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index e8b8c8e..304072b 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -85,6 +85,8 @@ map $host $upstream_acme_challenge_host { diday.org public-web-static.hosts.hamburg.ccc.de:31820; docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; + infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; + staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 0a004c9..5e89aa9 100644 
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -108,6 +108,8 @@ stream { *.staging.diday.org public-web-static.hosts.hamburg.ccc.de:8443; docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; + infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; + staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; } server { From 621a8151b4ac9e506b9414568b5bac6ec68bb178 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 23:09:43 +0200 Subject: [PATCH 02/13] docs: add mkdocs config and CI for building infra-docs website Heavily inspired by: https://forgejo.c3voc.de/voc/av-docs --- .forgejo/workflows/cleanup-docs.yaml | 24 +++++++++ .forgejo/workflows/deploy-docs.yaml | 75 ++++++++++++++++++++++++++++ docs_requirements.txt | 2 + mkdocs.yml | 19 +++++++ 4 files changed, 120 insertions(+) create mode 100644 .forgejo/workflows/cleanup-docs.yaml create mode 100644 .forgejo/workflows/deploy-docs.yaml create mode 100644 docs_requirements.txt create mode 100644 mkdocs.yml diff --git a/.forgejo/workflows/cleanup-docs.yaml b/.forgejo/workflows/cleanup-docs.yaml new file mode 100644 index 0000000..df56258 --- /dev/null +++ b/.forgejo/workflows/cleanup-docs.yaml 
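Review bot: The new `staging.infra-docs.hamburg.ccc.de` entry forwards SNI to the same static-web backend as everything else, and the deploy workflow later in this series publishes every pull request's build under `/pr<N>/` on that name, so whoever can open a PR can serve arbitrary HTML and JavaScript from a `hamburg.ccc.de` origin. This block is TLS passthrough, so the controls belong on the backend vhost, but this is the place to note them: have the staging vhost send `X-Robots-Tag: noindex` and a restrictive `Content-Security-Policy`, and confirm no service sets cookies with `Domain=hamburg.ccc.de`, which PR-authored scripts on this subdomain could read. The `map` and the enclosing `stream {}` block both continue outside the hunk.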
@@ -0,0 +1,24 @@ +on: + pull_request: + types: + - closed + +jobs: + cleanup-staging: + runs-on: docker + container: + image: code.forgejo.org/oci/node:22-bookworm + steps: + - name: Pipeline info PR + run: | + echo "Run triggered by ${{ github.event_name }} (${{ github.event.action }}) on ref ${{ github.ref_name }}" + + - name: Staging Deployment - Prepare keys + run: | + echo "${{ secrets.SSH_DEPLOY_KEY }}" > deploykey.priv + chmod 400 deploykey.priv + echo "${{ vars.SSH_KNOWN_HOSTS }}" > ./known_hosts + + - name: Staging Deployment - Remove PR from staging + run: | + ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts' infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de -t "rm -r /var/www/staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/" diff --git a/.forgejo/workflows/deploy-docs.yaml b/.forgejo/workflows/deploy-docs.yaml new file mode 100644 index 0000000..537d983 --- /dev/null +++ b/.forgejo/workflows/deploy-docs.yaml 
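Review bot: The final step runs `ssh … -t "rm -r …"` with the deploy key, which shows `infra-docs-deploy` accepts arbitrary commands, so a leaked `SSH_DEPLOY_KEY` (or a workflow edited on a PR branch, if this instance gives PR-triggered runs secrets) can delete or overwrite anything that account can write, including the production docroot used elsewhere in this series. Restrict the key server-side in `authorized_keys` with `restrict,command="…"` pointing at a wrapper that only accepts removing `/var/www/staging.infra-docs.hamburg.ccc.de/pr<N>/` or rsyncing into it, and drop `-t`, which forces a pseudo-terminal for a non-interactive command. `echo "${{ secrets.SSH_DEPLOY_KEY }}" > deploykey.priv` followed by `chmod 400` leaves the key world-readable under the default umask for a moment; put `umask 077` before it. `github.event.pull_request.number` is numeric, so its interpolation into the remote command is not itself injectable.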
@@ -0,0 +1,75 @@ +on: + push: + branches: + - main + pull_request: + +env: + TZ: Europe/Berlin + +jobs: + build: + runs-on: docker + container: + image: docker.io/library/python:3.14-trixie + steps: + - name: Pipeline info + run: | + echo "Run triggered by ${{ github.event_name }} (${{ github.event.action }}) on ref ${{ github.ref_name }}" + + - name: Install packages + run: | + apt update + apt -y install nodejs git rsync openssh-client + pip install --upgrade pip + + - uses: actions/checkout@v6 + + - name: Install Python packages + run: | + pip install -r docs_requirements.txt + + - name: Build website - prod + if: github.event_name != 'pull_request' + run: | + mkdocs build + + - name: Build website - staging + if: github.event_name == 'pull_request' + run: | + sed -i "s#site_url: https://infra-docs.hamburg.ccc.de#site_url: https://staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/#" mkdocs.yml + mkdocs build + + - name: Deploy - Prepare keys + run: | + echo "${{ secrets.SSH_DEPLOY_KEY }}" > deploykey.priv + chmod 400 deploykey.priv + echo "${{ vars.SSH_KNOWN_HOSTS }}" > ./known_hosts + + - name: Deploy - Upload PR to staging + if: github.event_name == 'pull_request' + run: | + echo "Deploying to staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}" + rsync -v -r --delete -e "ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts'" site/ infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de:/var/www/staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/ + + - name: Deploy - Add comment to PR with staging URL + if: github.event_name == 'pull_request' && github.event.action == 'opened' + run: | + curl \ + -X POST \ + ${{ github.event.pull_request.base.repo.url }}/issues/${{ github.event.pull_request.number }}/comments \ + -H "Content-Type: application/json" \ + -H "Authorization: token $FORGEJO_TOKEN" \ + --data '{ "body": "You can view your changes at 
https://staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/" }' + + - name: Deploy - Upload to prod + if: github.event_name != 'pull_request' + run: | + rsync -v -r --delete -e "ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts'" site/ infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de:/var/www/infra-docs.hamburg.ccc.de/ + + - uses: actions/upload-artifact@v3 + if: github.event_name == 'pull_request' + with: + name: docs-build + path: site/ + retention-days: 3 diff --git a/docs_requirements.txt b/docs_requirements.txt new file mode 100644 index 0000000..f6167f1 --- /dev/null +++ b/docs_requirements.txt @@ -0,0 +1,2 @@ +mkdocs +mkdocs-shadcn diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..c258e2e --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,19 @@ +site_name: CCCHH Infrastructure Documentation +site_url: https://infra-docs.hamburg.ccc.de +repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra +copyright: MIT +markdown_extensions: + - smarty + - admonition + - attr_list + +theme: + name: shadcn + show_title: true + show_stargazers: false + pygments_style: + light: shadcn-light + dark: github-dark + icon: oui:documentation + topbar_sections: false + show_datetime: false From c838939641f64a6ce31212197e2c21ad0b336b1e Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 21:53:38 +0200 Subject: [PATCH 03/13] docs: add index page --- docs/index.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/index.md diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..e390c5e --- /dev/null +++ b/docs/index.md @@ -0,0 +1,3 @@ +# CCCHH Infrastructure Documentation + +Home for CCCHH infrastructure documentation. From 73e77bde703ce52026e19edd56d482e89afa46ba Mon Sep 17 00:00:00 2001 
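Review bot: On `pull_request` runs this single job checks out the PR, runs `pip install -r docs_requirements.txt` and `mkdocs build` — both driven by files the PR controls, and mkdocs plugins and hooks are arbitrary Python — and then writes `secrets.SSH_DEPLOY_KEY` to disk, so the `if: github.event_name != 'pull_request'` gate protects only the prod rsync step, not the key that performs it. Whether PR-triggered runs receive secrets on this Forgejo instance is not visible here, but if they do, anyone who can open a PR can take the key for `/var/www/infra-docs.hamburg.ccc.de/`. Split the workflow into a `build` job with no secrets that uploads `site/` as an artifact and a `deploy` job that downloads it and holds the key, and give staging its own key restricted server-side (for example `restrict,command="rrsync /var/www/staging.infra-docs.hamburg.ccc.de"` in `authorized_keys`) so it cannot reach the prod docroot. Separately, the PR-comment step uses `$FORGEJO_TOKEN` but nothing in the workflow sets it, so `curl` sends an empty `Authorization` header and, lacking `--fail`, the resulting 401 does not fail the job; add an `env:` entry on that step that sets `FORGEJO_TOKEN` from a secret, plus `--fail`. `actions/checkout@v6` and `actions/upload-artifact@v3` are mutable tags; pin them to commit SHAs.
```yaml
jobs:
  build:
    runs-on: docker
    container:
      image: docker.io/library/python:3.14-trixie
    steps:
      # … unchanged: pipeline info, apt/pip install, checkout, prod/staging mkdocs build …
      - uses: actions/upload-artifact@v3
        with:
          name: docs-build
          path: site/
          retention-days: 3

  deploy:
    needs: build
    runs-on: docker
    container:
      image: docker.io/library/python:3.14-trixie
    steps:
      - run: apt update && apt -y install rsync openssh-client
      - uses: actions/download-artifact@v3
        with:
          name: docs-build
          path: site/
      # … unchanged: prepare keys, rsync to staging / prod, PR comment (with FORGEJO_TOKEN set via env:) …
```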
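Review bot: `mkdocs` and `mkdocs-shadcn` are unpinned, and the workflow that installs them (deploy-docs.yaml in this same patch) runs in a job that also holds the deploy key, so a compromised or typosquatted release of either package, or of anything they depend on, executes with access to the production docroot. Pin exact versions with hashes and install with `pip install --require-hashes -r docs_requirements.txt`; `pip-compile --generate-hashes` produces such a file, and the Renovate role this repository deploys suggests Renovate is available to keep it current.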
From: June Date: Mon, 18 May 2026 18:14:51 +0200 Subject: [PATCH 04/13] tag plays in playbooks (instead of tasks in roles) --- playbooks/deploy.yaml | 43 +++++++++++++++++++ playbooks/maintenance.yaml | 6 +++ .../handlers/main.yaml | 1 - .../tasks/disable.yaml | 3 -- .../tasks/enable.yaml | 4 -- .../tasks/main.yaml | 2 - roles/knot/handlers/main.yaml | 3 -- roles/knot/tasks/01-install.yaml | 1 - roles/knot/tasks/02-configure.yaml | 4 -- roles/knot/tasks/03-configure-exporter.yaml | 2 - 10 files changed, 49 insertions(+), 20 deletions(-) diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index a3b047b..ad866cc 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml 
@@ -3,69 +3,98 @@ hosts: base_config_hosts roles: - base_config + tags: + - base_config - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts hosts: systemd_networkd_hosts roles: - systemd_networkd + tags: + - systemd_networkd - name: Ensure nftables deployment on nftables_hosts hosts: nftables_hosts roles: - nftables + tags: + - nftables - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: - infrastructure_authorized_keys + tags: + - infrastructure_authorized_keys - name: Ensure Nextcloud config hosts: nextcloud_hosts roles: - nextcloud + tags: + - nextcloud - name: Ensure ola deployment on ola_hosts hosts: ola_hosts roles: - ola + tags: + - ola - name: Ensure foobazdmx deployment on foobazdmx_hosts hosts: foobazdmx_hosts roles: - foobazdmx + tags: + - foobazdmx - name: Ensure Dokuwiki config hosts: wiki_hosts roles: - dokuwiki + tags: + - dokuwiki - name: Ensure NetBox deployment on netbox_hosts hosts: netbox_hosts roles: - netbox + tags: + - netbox - name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs hosts: nginx_hosts:&public_reverse_proxy_hosts roles: - nginx + tags: + - nginx + - public_reverse_proxy - name: Ensure certbot and certificate deployment on certbot_hosts hosts: certbot_hosts roles: - certbot + tags: + - certbot - name: Ensure OnlyOffice custom fonts ansible.builtin.import_playbook: onlyoffice_fonts.yaml + tags: + - onlyoffice_fonts - name: Ensure Docker Compose deployment on docker_compose_hosts hosts: docker_compose_hosts roles: - docker_compose + tags: + - docker_compose - name: Ensure NGINX deployment on nginx_hosts hosts: nginx_hosts:!public_reverse_proxy_hosts roles: - nginx + tags: + - nginx - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors 
@@ -77,32 +106,46 @@ - "o=${distro_id},n=${distro_codename}" - "o=Docker,n=${distro_codename}" - "o=nginx,n=${distro_codename}" + tags: + - unattended_upgrades - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true roles: - alloy + tags: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts roles: - ansible_pull + tags: + - ansible_pull - name: Ensure msmtp is setup on msmtp_hosts hosts: msmtp_hosts roles: - msmtp + tags: + - msmtp - name: Ensure Renovate is setup on renovate_hosts hosts: renovate_hosts roles: - renovate + tags: + - renovate - name: Run ensure_eh22_styleguide_dir Playbook ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml + tags: + - eh22_styleguide_dir - name: Setup authoritative dns servers hosts: auth-dns roles: - knot + tags: + - knot diff --git a/playbooks/maintenance.yaml b/playbooks/maintenance.yaml index c912a53..9fe3886 100644 --- a/playbooks/maintenance.yaml +++ b/playbooks/maintenance.yaml @@ -1,5 +1,7 @@ - name: Ensure NGINX repo setup and nginx install on relevant hosts hosts: nginx_hosts:nextcloud_hosts + tags: + - nextcloud_nginx tasks: - name: Ensure NGINX repo is setup ansible.builtin.include_role: @@ -13,6 +15,8 @@ - name: Ensure Docker repo setup and package install on relevant hosts hosts: docker_compose_hosts:nextcloud_hosts + tags: + - nextcloud_docker tasks: - name: Ensure Docker repo is setup ansible.builtin.include_role: @@ -28,6 +32,8 @@ hosts: all:!hypervisors roles: - apt_update_and_upgrade + tags: + - apt_update_and_upgrade - name: Run deploy Playbook ansible.builtin.import_playbook: deploy.yaml diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml index b40760b..05b7521 100644 --- a/roles/deploy_systemd_resolved_config/handlers/main.yaml +++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml 
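Review bot: The knot play at the end of the hunk is tagged `knot`, but the tag it replaces in the role (removed later in this patch) was `auth-dns`, so any existing invocation, cron entry or ansible-pull command using `--tags auth-dns` now silently selects no play; keep the old name as an alias, `tags: [knot, auth-dns]`, at least for a transition period. The same patch strips `deploy_systemd_resolved_config` from that role's tasks and handlers while no play in this hunk gains an equivalent tag, so if that role is pulled in by another role it is now reachable only through the including play's tag — worth stating in the commit message, which currently only says "tag plays in playbooks". Whether anything depends on those two old tags is inferred from their existence, not visible here.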
@@ -1,6 +1,5 @@ --- - name: "reload systemd-resolved" - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service" diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml index 9092116..afa646a 100644 --- a/roles/deploy_systemd_resolved_config/tasks/disable.yaml +++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml @@ -1,13 +1,11 @@ --- - name: Ensure /etc/resolv.conf is a plain file - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.file: path: "/etc/resolv.conf" state: file - name: Write nameserver config directly into /etc/resolv.conf - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.template: src: "resolv.conf.j2" @@ -17,7 +15,6 @@ mode: u=rw,g=r,o=r - name: Disable systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: "systemd-resolved.service" diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml index 9a7438e..2659c32 100644 --- a/roles/deploy_systemd_resolved_config/tasks/enable.yaml +++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml @@ -1,13 +1,11 @@ --- - name: Ensure systemd-resolved is installed - tags: [ "deploy_systemd_resolved_config" ] become: true when: ansible_facts["distribution"] == "Debian" ansible.builtin.package: name: [ "systemd-resolved" ] - name: Deploy systemd-resolved config - tags: [ "deploy_systemd_resolved_config" ] become: true notify: "reload systemd-resolved" ansible.builtin.template: @@ -18,7 +16,6 @@ mode: u=rw,g=r,o=r - name: Make /etc/resolv.conf points to systemd-resolved - tags: [ "deploy_systemd_resolved_config" ] become: true when: deploy_systemd_resolved_config__mode != "extern" ansible.builtin.file: # noqa: jinja 
@@ -35,7 +32,6 @@ {%- endif -%} - name: Ensure systemd-resolved is running and enabled - tags: [ "deploy_systemd_resolved_config" ] become: true ansible.builtin.systemd: name: systemd-resolved.service diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml index 00bc293..00558dc 100644 --- a/roles/deploy_systemd_resolved_config/tasks/main.yaml +++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml @@ -1,10 +1,8 @@ --- - name: Include enable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: enable.yaml when: deploy_systemd_resolved_config__enable - name: Include disable.yaml - tags: [ "deploy_systemd_resolved_config" ] ansible.builtin.include_tasks: disable.yaml when: not deploy_systemd_resolved_config__enable diff --git a/roles/knot/handlers/main.yaml b/roles/knot/handlers/main.yaml index 38fce75..feb3ceb 100644 --- a/roles/knot/handlers/main.yaml +++ b/roles/knot/handlers/main.yaml @@ -1,19 +1,16 @@ --- - name: reload knot - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot.service state: reloaded - name: netplan apply - tags: [ auth-dns ] become: true changed_when: true ansible.builtin.command: "netplan apply" - name: restart knot-exporter - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service diff --git a/roles/knot/tasks/01-install.yaml b/roles/knot/tasks/01-install.yaml index 0a269d6..8a5feed 100644 --- a/roles/knot/tasks/01-install.yaml +++ b/roles/knot/tasks/01-install.yaml @@ -1,6 +1,5 @@ --- - name: Install knot - tags: [ auth-dns ] become: true ansible.builtin.package: name: diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml index 2b0b0fa..a2a8e55 100644 --- a/roles/knot/tasks/02-configure.yaml +++ b/roles/knot/tasks/02-configure.yaml 
@@ -1,6 +1,5 @@ --- - name: Ensure required directories exist - tags: [ auth-dns ] become: true loop: [ "/etc/knot", "/etc/knot/zones" ] ansible.builtin.file: @@ -11,7 +10,6 @@ mode: u=rwx,g=rx,o= - name: Deploy knot configuration file - tags: [ auth-dns ] become: true notify: reload knot ansible.builtin.template: @@ -22,7 +20,6 @@ mode: u=rw,g=r,o= - name: Deploy configured zones - tags: [ auth-dns ] become: true notify: reload knot loop: "{{ knot__zones }}" @@ -42,7 +39,6 @@ # this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one. # so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled - name: Disable IPv6 SLAAC - tags: [ auth-dns ] become: true notify: netplan apply ansible.builtin.template: diff --git a/roles/knot/tasks/03-configure-exporter.yaml b/roles/knot/tasks/03-configure-exporter.yaml index 4254acb..8077ecd 100644 --- a/roles/knot/tasks/03-configure-exporter.yaml +++ b/roles/knot/tasks/03-configure-exporter.yaml @@ -1,5 +1,4 @@ - name: Deploy knot-exporter systemd unit - tags: [ auth-dns ] become: true register: knot_deploy_service_file notify: restart knot-exporter @@ -11,7 +10,6 @@ mode: u=rw,g=r,o=r - name: Ensure knot-exporter is running and enabled - tags: [ auth-dns ] become: true ansible.builtin.systemd: name: knot-exporter.service From 5c5ea5aeef010c6ff42bbbe5080987eaf2c234d3 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 19 May 2026 01:11:34 +0200 Subject: [PATCH 05/13] docs: fix code blocks overflowing and add syntax highlighting Without these options code blocks would overflow. See: https://github.com/asiffer/mkdocs-shadcn/issues/57 And it also provides nice syntax highlighting. --- docs_requirements.txt | 1 + mkdocs.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/docs_requirements.txt b/docs_requirements.txt index f6167f1..ddabb05 100644 --- a/docs_requirements.txt 
+++ b/docs_requirements.txt @@ -1,2 +1,3 @@ mkdocs mkdocs-shadcn +pygments diff --git a/mkdocs.yml b/mkdocs.yml index c258e2e..5a8af7b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -6,6 +6,7 @@ markdown_extensions: - smarty - admonition - attr_list + - codehilite theme: name: shadcn From 6bb09901a04be03371bf936686e92dc9e8913eda Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 10:58:40 +0200 Subject: [PATCH 06/13] add ns.vie.ccc.de. as direct secondary for authoritative DNS zones --- inventories/chaosknoten/host_vars/auth-dns.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index dc91e90..9191e8b 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml 
@@ -7,36 +7,39 @@ knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1" knot__remotes: - id: ns-intern.hamburg.ccc.de address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ] + - id: ns.vie.ccc.de + address: [ "2a02:1b8:10:31::228", "146.255.57.228" ] knot__catalog_zones: - domain: "hamburg.ccc.de.catalog." + notify_targets: [ "ns.vie.ccc.de" ] knot__zones: - domain: "hh.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}" - domain: "ccchh.net." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}" - domain: "hamburg.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}" - domain: "eh20.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}" - domain: "eh22.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}" - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." 
- notify_targets: [ "ns-intern.hamburg.ccc.de" ] + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" From 3541c68357d2e8367714b414a9ac6d828670ba2b Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 11:01:51 +0200 Subject: [PATCH 07/13] disable dnssec for catalog zones on auth-dns Catalog zones are not real zones in the DNS hierarchy and don't have a parent zone. Therefore they will never have a valid DNSSEC delegation so we should skip signing those zones. --- roles/knot/templates/knot.conf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2 index c661e25..45a0f8d 100644 --- a/roles/knot/templates/knot.conf.j2 +++ b/roles/knot/templates/knot.conf.j2 @@ -67,8 +67,7 @@ template: # template for automatically created special zones - id: catalog catalog-role: generate - dnssec-signing: on - dnssec-policy: default + dnssec-signing: off # define zones on this server From 55d1279c3ead8327b4bcdc62967834add3725ed9 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 19 May 2026 14:16:50 +0200 Subject: [PATCH 08/13] status(host): add check for diday.org --- .../external/status/docker_compose/config/websites.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml index 78426f6..7ac34a2 100644 --- a/resources/external/status/docker_compose/config/websites.yaml +++ b/resources/external/status/docker_compose/config/websites.yaml 
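Review bot: The new `ns.vie.ccc.de` remote carries only `address` and no `key`, and it becomes a notify target for every zone plus the catalog, so unless `knot.conf.j2` (not in this hunk) binds TSIG to remotes some other way, that secondary's AXFR/IXFR requests are authorized by source address alone — including for the catalog zone, which decides which zones it serves at all. If the role's remote schema allows it, add a per-secondary TSIG key (`key: ns.vie.ccc.de` on the remote and on the matching ACL) and share it out of band. The commit calls this a "direct secondary", but the hunk only changes notify targets; check that the `NS` sets in the zone files list `ns.vie.ccc.de.` before relying on it publicly.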
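Review bot: `dnssec-signing: off` on the `catalog` template is the right choice for a generated catalog (there is no parent to hold a DS), but it makes the catalog zone's integrity depend entirely on how it reaches secondaries: a forged or tampered catalog would add or remove zones from what they serve, with nothing to validate against. Keep the catalog behind `acl` entries that require a TSIG key and do not expose it to ordinary queries, and say so inline, e.g. `# unsigned by design: no parent/DS for a catalog zone; integrity relies on TSIG-authenticated transfers`. The `template:` list this entry belongs to starts before the hunk.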
@@ -76,6 +76,14 @@ endpoints: - "[CERTIFICATE_EXPIRATION] > 48h" - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" + - name: diday.org + url: "https://diday.org" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*DIDay*)" + - name: element-admin.hamburg.ccc.de url: "https://element-admin.hamburg.ccc.de" <<: *websites_defaults From dcd454011f877931c07c76af211ad9c28662a79a Mon Sep 17 00:00:00 2001 From: June Date: Tue, 19 May 2026 14:27:54 +0200 Subject: [PATCH 09/13] status(host): add checks for auth-dns --- .../config/services-chaosknoten.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml index 74991b7..ab426bc 100644 --- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml +++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml @@ -57,6 +57,33 @@ endpoints: # apparently TXT records aren't supported yet. # - "[BODY] == ________________gatus_test_________________" + - name: auth-dns (hamburg.ccc.de) + url: "auth-dns.hamburg.ccc.de" + <<: *services_chaosknoten_defaults + dns: + query-name: "hamburg.ccc.de" + query-type: "A" + conditions: + - "[DNS_RCODE] == NOERROR" + + - name: auth-dns (eh22.easterhegg.eu) + url: "auth-dns.hamburg.ccc.de" + <<: *services_chaosknoten_defaults + dns: + query-name: "eh22.easterhegg.eu" + query-type: "A" + conditions: + - "[DNS_RCODE] == NOERROR" + + - name: auth-dns (club-assistant.ccchh.net) + url: "auth-dns.hamburg.ccc.de" + <<: *services_chaosknoten_defaults + dns: + query-name: "club-assistant.ccchh.net" + query-type: "AAAA" + conditions: + - "[DNS_RCODE] == NOERROR" + - name: CCCHH ID/Keycloak (main page/account console) url: "https://id.hamburg.ccc.de/" <<: *services_chaosknoten_defaults 
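Review bot: All three `auth-dns` checks assert only `[DNS_RCODE] == NOERROR`, which also passes for a name that has lost its A/AAAA records (NOERROR with an empty answer) and for a server answering from stale data, so the checks would stay green through most of the failures they are meant to catch. The comment above the hunk says only TXT is unsupported for `[BODY]`, so for A/AAAA queries add the expected answer, e.g. `- "[BODY] == <expected address>"`, or at least `- "[BODY] != \"\""` if the addresses are not stable enough to pin. Gatus has no condition for the AA flag, so authoritativeness itself cannot be asserted here; that is a limitation worth noting in a comment.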
From 75bfa61fbcc62459092b496c5a6cccf8b2ee311a Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 21:15:45 +0200 Subject: [PATCH 10/13] add configuration for infra-docs and infra-docs staging --- resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 2 ++ .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 2 ++ resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone index a9c4851..8c30fb4 100644 --- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone @@ -287,6 +287,8 @@ spaceapiccc IN CNAME public-reverse-proxy acmedns IN CNAME public-reverse-proxy cpuccc IN CNAME public-reverse-proxy did IN CNAME public-reverse-proxy +infra-docs IN CNAME public-reverse-proxy +staging.infra-docs IN CNAME public-reverse-proxy auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index e8b8c8e..304072b 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -85,6 +85,8 @@ map $host $upstream_acme_challenge_host { diday.org public-web-static.hosts.hamburg.ccc.de:31820; docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; + infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; + staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 0a004c9..5e89aa9 100644 
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -108,6 +108,8 @@ stream { *.staging.diday.org public-web-static.hosts.hamburg.ccc.de:8443; docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; + infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; + staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; } server { From 843c6da2c31e622efa167cb6b787970a3624fa8c Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 23:09:43 +0200 Subject: [PATCH 11/13] docs: add mkdocs config and CI for building infra-docs website Heavily inspired by: https://forgejo.c3voc.de/voc/av-docs --- .forgejo/workflows/cleanup-docs.yaml | 24 +++++++++ .forgejo/workflows/deploy-docs.yaml | 75 ++++++++++++++++++++++++++++ docs_requirements.txt | 2 + mkdocs.yml | 19 +++++++ 4 files changed, 120 insertions(+) create mode 100644 .forgejo/workflows/cleanup-docs.yaml create mode 100644 .forgejo/workflows/deploy-docs.yaml create mode 100644 docs_requirements.txt create mode 100644 mkdocs.yml diff --git a/.forgejo/workflows/cleanup-docs.yaml b/.forgejo/workflows/cleanup-docs.yaml new file mode 100644 index 0000000..df56258 --- /dev/null +++ b/.forgejo/workflows/cleanup-docs.yaml 
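Review bot: PATCH 10/13 through 13/13 are byte-for-byte re-sends of PATCH 01, 02, 03 and 05 (same blob ids, e.g. `index a9c4851..8c30fb4` and `index 0a004c9..5e89aa9` here), so applying the series in order fails at this point: the context after `did IN CNAME` no longer matches once the first copy has added the `infra-docs` lines, and the later `new file mode` patches collide with files that already exist. Drop patches 10–13 from the series, or rebase and re-send as a v2; nothing in them is new relative to the earlier copies, and the review notes on those apply unchanged.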
@@ -0,0 +1,24 @@ +on: + pull_request: + types: + - closed + +jobs: + cleanup-staging: + runs-on: docker + container: + image: code.forgejo.org/oci/node:22-bookworm + steps: + - name: Pipeline info PR + run: | + echo "Run triggered by ${{ github.event_name }} (${{ github.event.action }}) on ref ${{ github.ref_name }}" + + - name: Staging Deployment - Prepare keys + run: | + echo "${{ secrets.SSH_DEPLOY_KEY }}" > deploykey.priv + chmod 400 deploykey.priv + echo "${{ vars.SSH_KNOWN_HOSTS }}" > ./known_hosts + + - name: Staging Deployment - Remove PR from staging + run: | + ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts' infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de -t "rm -r /var/www/staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/" diff --git a/.forgejo/workflows/deploy-docs.yaml b/.forgejo/workflows/deploy-docs.yaml new file mode 100644 index 0000000..537d983 --- /dev/null +++ b/.forgejo/workflows/deploy-docs.yaml 
@@ -0,0 +1,75 @@ +on: + push: + branches: + - main + pull_request: + +env: + TZ: Europe/Berlin + +jobs: + build: + runs-on: docker + container: + image: docker.io/library/python:3.14-trixie + steps: + - name: Pipeline info + run: | + echo "Run triggered by ${{ github.event_name }} (${{ github.event.action }}) on ref ${{ github.ref_name }}" + + - name: Install packages + run: | + apt update + apt -y install nodejs git rsync openssh-client + pip install --upgrade pip + + - uses: actions/checkout@v6 + + - name: Install Python packages + run: | + pip install -r docs_requirements.txt + + - name: Build website - prod + if: github.event_name != 'pull_request' + run: | + mkdocs build + + - name: Build website - staging + if: github.event_name == 'pull_request' + run: | + sed -i "s#site_url: https://infra-docs.hamburg.ccc.de#site_url: https://staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/#" mkdocs.yml + mkdocs build + + - name: Deploy - Prepare keys + run: | + echo "${{ secrets.SSH_DEPLOY_KEY }}" > deploykey.priv + chmod 400 deploykey.priv + echo "${{ vars.SSH_KNOWN_HOSTS }}" > ./known_hosts + + - name: Deploy - Upload PR to staging + if: github.event_name == 'pull_request' + run: | + echo "Deploying to staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}" + rsync -v -r --delete -e "ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts'" site/ infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de:/var/www/staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/ + + - name: Deploy - Add comment to PR with staging URL + if: github.event_name == 'pull_request' && github.event.action == 'opened' + run: | + curl \ + -X POST \ + ${{ github.event.pull_request.base.repo.url }}/issues/${{ github.event.pull_request.number }}/comments \ + -H "Content-Type: application/json" \ + -H "Authorization: token $FORGEJO_TOKEN" \ + --data '{ "body": "You can view your changes at 
https://staging.infra-docs.hamburg.ccc.de/pr${{ github.event.pull_request.number }}/" }' + + - name: Deploy - Upload to prod + if: github.event_name != 'pull_request' + run: | + rsync -v -r --delete -e "ssh -i deploykey.priv -o 'UserKnownHostsFile ./known_hosts'" site/ infra-docs-deploy@public-web-static.hosts.hamburg.ccc.de:/var/www/infra-docs.hamburg.ccc.de/ + + - uses: actions/upload-artifact@v3 + if: github.event_name == 'pull_request' + with: + name: docs-build + path: site/ + retention-days: 3 diff --git a/docs_requirements.txt b/docs_requirements.txt new file mode 100644 index 0000000..f6167f1 --- /dev/null +++ b/docs_requirements.txt @@ -0,0 +1,2 @@ +mkdocs +mkdocs-shadcn diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..c258e2e --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,19 @@ +site_name: CCCHH Infrastructure Documentation +site_url: https://infra-docs.hamburg.ccc.de +repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra +copyright: MIT +markdown_extensions: + - smarty + - admonition + - attr_list + +theme: + name: shadcn + show_title: true + show_stargazers: false + pygments_style: + light: shadcn-light + dark: github-dark + icon: oui:documentation + topbar_sections: false + show_datetime: false From 3680de107d07a13184fdbec9db7b8039f5f38724 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 21:53:38 +0200 Subject: [PATCH 12/13] docs: add index page --- docs/index.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/index.md diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..e390c5e --- /dev/null +++ b/docs/index.md @@ -0,0 +1,3 @@ +# CCCHH Infrastructure Documentation + +Home for CCCHH infrastructure documentation. From 063ed3b46a870a45fcd9a15635181c945140b551 Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 19 May 2026 01:11:34 +0200 Subject: [PATCH 13/13] docs: fix code blocks overflowing and add syntax highlighting Without these options code blocks would overflow. See: https://github.com/asiffer/mkdocs-shadcn/issues/57 And it also provides nice syntax highlighting. --- docs_requirements.txt | 1 + mkdocs.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/docs_requirements.txt b/docs_requirements.txt index f6167f1..ddabb05 100644 --- a/docs_requirements.txt +++ b/docs_requirements.txt @@ -1,2 +1,3 @@ mkdocs mkdocs-shadcn +pygments diff --git a/mkdocs.yml b/mkdocs.yml index c258e2e..5a8af7b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -6,6 +6,7 @@ markdown_extensions: - smarty - admonition - attr_list + - codehilite theme: name: shadcn