From 5f98dca56c258b10c58c7efced616867f56de551 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 16 Dec 2025 19:03:36 +0100
Subject: [PATCH 1/2] router(host): expose public v6 networks

Also prepare for exposing public v4 networks later.
---
 resources/chaosknoten/router/nftables/nftables.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
index 6bc6cbe..6d04a4c 100644
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@@ -13,6 +13,8 @@ define wan_ifs = { $if_net1_v4_wan,
                    $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
                    $if_net0_3_ci_runner }
+# define v4_exposed_ifs = { }
+define v6_exposed_ifs = { $if_net0_2_v4_nat }
 
 
 ## Rules
@@ -69,5 +71,9 @@ table inet forward {
         # Allow internet access.
 		meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
 		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
+
+        # Allow access to exposed networks from internet.
+        # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
     }
 }

From 8b94a49f5e3255377f349087b1e224903696329a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 16 Dec 2025 19:23:33 +0100
Subject: [PATCH 2/2] wiki(host): move to new network and internal hostname

---
 inventories/chaosknoten/hosts.yaml                            | 4 ++--
 .../public-reverse-proxy/nginx/acme_challenge.conf            | 4 ++--
 resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf          | 4 ++--
 resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf     | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index e592d23..a43e940 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -55,9 +55,9 @@ all:
       ansible_host: router.hamburg.ccc.de
       ansible_user: chaos
     wiki:
-      ansible_host: wiki-intern.hamburg.ccc.de
+      ansible_host: wiki.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     zammad:
       ansible_host: zammad-intern.hamburg.ccc.de
       ansible_user: chaos
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 165e166..dabf4aa 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -25,8 +25,8 @@ map $host $upstream_acme_challenge_host {
     pretalx.hamburg.ccc.de 172.31.17.157:31820;
     spaceapi.hamburg.ccc.de 172.31.17.151:31820;
     staging.hamburg.ccc.de 172.31.17.151:31820;
-    wiki.ccchh.net 172.31.17.146:31820;
-    wiki.hamburg.ccc.de 172.31.17.146:31820;
+    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
+    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
     www.hamburg.ccc.de 172.31.17.151:31820;
     tickets.hamburg.ccc.de 172.31.17.148:31820;
     sunders.hamburg.ccc.de 172.31.17.170:31820;
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
index a564fc2..c393dd1 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@@ -7,7 +7,7 @@ server {
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -21,6 +21,6 @@ server {
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
-    
+
     return 302 https://wiki.hamburg.ccc.de$request_uri;
 }
diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
index ccdd224..255dc0a 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@@ -7,7 +7,7 @@ server {
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;