From 4574dbf4ba9ec144253625f67eeffdd86659ac51 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 23 May 2026 22:40:17 +0200 Subject: [PATCH 1/2] secrets(role): introduce secrets role for storing secrets Allows storage of secrets to then be referenced in other places. The motivation was storing WireGuard secrets for systemd-networkd. --- inventories/chaosknoten/hosts.yaml | 2 + inventories/external/hosts.yaml | 2 + inventories/z9/hosts.yaml | 2 + playbooks/deploy.yaml | 7 ++++ roles/secrets/README.md | 24 ++++++++++++ roles/secrets/defaults/main.yaml | 1 + roles/secrets/meta/argument_specs.yaml | 6 +++ roles/secrets/tasks/main.yaml | 53 ++++++++++++++++++++++++++ 8 files changed, 97 insertions(+) create mode 100644 roles/secrets/README.md create mode 100644 roles/secrets/defaults/main.yaml create mode 100644 roles/secrets/meta/argument_specs.yaml create mode 100644 roles/secrets/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index c737f34..1c3f84e 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -291,3 +291,5 @@ msmtp_hosts: renovate_hosts: hosts: renovate: +secrets_hosts: + hosts: diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml index 435a9bf..5d0f9d4 100644 --- a/inventories/external/hosts.yaml +++ b/inventories/external/hosts.yaml @@ -22,3 +22,5 @@ infrastructure_authorized_keys_hosts: ansible_pull_hosts: hosts: status: +secrets_hosts: + hosts: diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 1b37c59..eab3880 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -57,3 +57,5 @@ ansible_pull_hosts: light: waybackproxy: yate: +secrets_hosts: + hosts: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index ad866cc..b7ce104 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml 
@@ -6,6 +6,13 @@ tags: - base_config +- name: Ensure secrets deployment on secrets_hosts + hosts: secrets_hosts + roles: + - secrets + tags: + - secrets + - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts hosts: systemd_networkd_hosts roles: diff --git a/roles/secrets/README.md b/roles/secrets/README.md new file mode 100644 index 0000000..ec04665 --- /dev/null +++ b/roles/secrets/README.md @@ -0,0 +1,24 @@ +# Role `secrets` + +Allows storing the given secret contents in the configured files. + +## Supported Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +None. + +## Optional Arguments + +- `secrets__secrets`: List of secrets. + Defaults to the empty list (`[ ]`). +- `secrets__secrets.*.name`: (File)name for the secret (in the `/etc/ansible_secrets` directory). +- `secrets__secrets.*.content`: The secret content to store. +- `secrets__secrets.*.owner`: The owner of the secret file. + Defaults to `root`. +- `secrets__secrets.*.group`: The group of the secret file. + Defaults to `root`. +- `secrets__secrets.*.mode`: The mode of the secret file. + Defaults to `0640`. diff --git a/roles/secrets/defaults/main.yaml b/roles/secrets/defaults/main.yaml new file mode 100644 index 0000000..882d77b --- /dev/null +++ b/roles/secrets/defaults/main.yaml @@ -0,0 +1 @@ +secrets__secrets: [ ] diff --git a/roles/secrets/meta/argument_specs.yaml b/roles/secrets/meta/argument_specs.yaml new file mode 100644 index 0000000..2562138 --- /dev/null +++ b/roles/secrets/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + secrets__secrets: + type: list + required: false diff --git a/roles/secrets/tasks/main.yaml b/roles/secrets/tasks/main.yaml new file mode 100644 index 0000000..8923397 --- /dev/null +++ b/roles/secrets/tasks/main.yaml 
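Review bot: The role-level spec declares `secrets__secrets` as `type: list` with no `elements` constraint, so a list of plain strings passes this check and only fails later in the per-item `validate_argument_spec` loop in tasks/main.yaml with a less direct message. Adding `elements: dict` and `default: []` (mirroring roles/secrets/defaults/main.yaml) rejects that shape at role entry and keeps the spec and the defaults file in agreement. A `description:` on the option would also let `ansible-doc` state which item keys are expected.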
@@ -0,0 +1,53 @@
+- name: validate secret configs
+  ansible.builtin.validate_argument_spec:
+    argument_spec: "{{ required_data }}"
+    provided_arguments:
+      config: "{{ item }}"
+  loop: "{{ secrets__secrets }}"
+  loop_control:
+    label: "{{ item.name }}"
+  vars:
+    required_data:
+      config:
+        type: dict
+        required: true
+        options:
+          name:
+            type: str
+            required: true
+          content:
+            type: str
+            required: true
+          owner:
+            type: str
+            required: false
+            default: root
+          group:
+            type: str
+            required: false
+            default: root
+          mode:
+            type: str
+            required: false
+            default: "0640"
+
+- name: ensure secrets directory exists
+  ansible.builtin.file:
+    path: "/etc/ansible_secrets"
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+  become: true
+
+- name: ensure secrets are present
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: "/etc/ansible_secrets/{{ item.name }}"
+    mode: "{{ item.mode | default('0640') }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  become: true
+  loop: "{{ secrets__secrets }}"
+  loop_control:
+    label: "{{ item.name }}"
From 9ab49e8eb44d5f7a337b9748948f89c3241f02fd Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sat, 23 May 2026 20:45:44 +0000
Subject: [PATCH 2/2] Update all stable non-major dependencies

---
 .forgejo/workflows/lint.yaml | 2 +-
 inventories/chaosknoten/host_vars/netbox.yaml | 2 +-
 .../chaosknoten/acmedns/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++----
 .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +-
 resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 4 ++--
 .../chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +-
 resources/external/status/docker_compose/compose.yaml.j2 | 4 ++--
 10 files changed, 15 insertions(+), 15 deletions(-)
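Review bot: Secret values can end up in playbook output, because none of the three tasks sets `no_log: true`: the `validate secret configs` task hands the whole item to `provided_arguments`, so a validation failure or a verbose run prints `content`, and the `ensure secrets are present` task can, to my reading, show the written content in `--diff` mode even though the copy module redacts its own `content` argument. Adding `no_log: true` to both looping tasks closes this while the existing `loop_control.label` keeps the per-item output readable; `diff: false` on the copy task is the explicit variant if diff output is the specific concern. Separately, `name` is only validated as `str`, so a value containing `/` writes outside `/etc/ansible_secrets`; an `ansible.builtin.assert` with `that: item.name is match('^[^/]+$')` before the copy, or a pattern check in the spec, would pin it to a plain filename.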
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index bdd53f5..600d044 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v26.3.0 + uses: https://github.com/ansible/ansible-lint@v26.4.0 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index f28d193..7aaff28 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.5.5" +netbox__version: "v4.6.1" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 index 3fcd8c6..c68973f 100644 --- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 1f6c42f..44dfa20 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 
@@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.10.0 + image: docker.io/prom/prometheus:v3.11.3 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.31.1 + image: docker.io/prom/alertmanager:v0.32.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.8.2 + image: docker.io/prompve/prometheus-pve-exporter:3.9.0 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.7.1 + image: docker.io/grafana/loki:3.7.2 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index d239bb4..8db3526 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0 pull_policy: always restart: unless-stopped command: start --optimized diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index af1b531..cadfa54 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.20.1 + image: docker.io/binwiederhier/ntfy:v2.23.0 container_name: ntfy command: - serve 
diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index 77f1395..58dddb2 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.3.1 + image: docker.io/onlyoffice/documentserver:9.4.0 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 0bbfcb8..5a489a5 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.6.2 + image: docker.io/library/redis:8.6.3 restart: unless-stopped volumes: - redis:/data @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.7 + image: docker.io/library/nginx:1.31.1 restart: unless-stopped volumes: - public:/usr/share/nginx/html diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index b8a4cf2..11593ce 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:8.6.2 + image: docker.io/library/redis:8.6.3 ports: - "6379:6379" volumes: diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2 index 58abefa..638ebbe 100644 --- a/resources/external/status/docker_compose/compose.yaml.j2 +++ b/resources/external/status/docker_compose/compose.yaml.j2 
@@ -4,7 +4,7 @@ services: database: - image: docker.io/library/postgres:18.3 + image: docker.io/library/postgres:18.4 restart: always volumes: - ./database:/var/lib/postgresql @@ -16,7 +16,7 @@ services: - gatus gatus: - image: ghcr.io/twin/gatus:v5.35.0 + image: ghcr.io/twin/gatus:v5.36.0 restart: always ports: - "8080:8080"