diff --git a/.sops.yaml b/.sops.yaml index 60da9eb..0b9c245 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -34,7 +34,6 @@ keys: - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa - - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv external: age: &host_external_age_keys - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -58,12 +57,6 @@ creation_rules: *admin_gpg_keys ## host vars # chaosknoten hosts - - path_regex: inventories/chaosknoten/host_vars/acmedns.* - key_groups: - - pgp: - *admin_gpg_keys - age: - - *host_acmedns_ansible_pull_age_key - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml deleted file mode 100644 index 2e728ca..0000000 --- a/inventories/chaosknoten/host_vars/acmedns.sops.yaml +++ /dev/null 
@@ -1,214 +0,0 @@ -ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str] -secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str] -secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str] -sops: - age: - - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV - TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr - VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC - bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW - WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-25T16:16:15Z" - mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str] - pgp: - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K - rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf - Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy - m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr - rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2 - den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM - 
GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk - xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7 - /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03 - oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV - W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU - aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L - wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV - PPvkTEc7AdD6 - =GWYV - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU - DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG - HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X - qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z - XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV - gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp - 0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT - 0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS - A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv - SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS - iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS - XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD - 2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs= - =5SxJ - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL - S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID - eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH - CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG - 
7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C - rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4 - tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD - 9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0 - DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR - V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6 - BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS - XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX - A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY= - =H3mo - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo - QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG - SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY - yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP - lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c - o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv - VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy - QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N - oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/ - WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD - RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS - XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H - Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk= - =bY3Q - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw - 5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk - 
0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx - wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr - =C2Ii - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS - LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/ - efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/ - lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R - FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt - FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/ - hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf - LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa - LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC - XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ - FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS - XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG - M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0= - =/EHL - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID - cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i - 1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx - jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7 - glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD - yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k - sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw - Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV - TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ - 
3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8 - NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS - XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ - ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw= - =WwLj - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q - rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH - DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr - k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl - NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp - 1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA - QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc - fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW - TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo - ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4 - 1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS - XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c - gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4= - =Bk3g - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w - FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE - 0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/ - Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j - =xd/t - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw - 
/rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V - 0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH - zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb - =9oyC - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-01-25T14:20:25Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J - /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I - OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd - U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e - HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V - +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI - O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl - H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu - hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ - 96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R - XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU - aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2 - 30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq - 9iHTzz6Gpajo - =bBZ5 - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml deleted file mode 100644 index 364aa9a..0000000 --- a/inventories/chaosknoten/host_vars/acmedns.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}" -docker_compose__configuration_files: - - name: acmedns.cfg - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}" - - name: oauth2-proxy.cfg - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}" - - name: html/index.html - content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}" -docker_compose__pull: missing - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - # - "spaceapi.ccc.de" # after DNS has been adjusted - - "acmedns.hamburg.ccc.de" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - -nginx__version_spec: "" -nginx__configurations: - - name: acmedns.hamburg.ccc.de - content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 395b154..5c114c9 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -78,16 +78,11 @@ all: ansible_host: spaceapiccc.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - acmedns: - ansible_host: acmedns.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: base_config_hosts: hosts: - acmedns: ccchoir: cloud: eh22-wiki: @@ -115,8 +110,7 @@ nftables_hosts: hosts: router: docker_compose_hosts: - hosts: - acmedns: + hosts: ccchoir: grafana: tickets: @@ -134,7 +128,6 @@ nextcloud_hosts: cloud: nginx_hosts: hosts: - acmedns: ccchoir: eh22-wiki: grafana: 
@@ -157,7 +150,6 @@ public_reverse_proxy_hosts: public-reverse-proxy: certbot_hosts: hosts: - acmedns: ccchoir: eh22-wiki: grafana: diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml index 0c7e11d..0336d22 100644 --- a/inventories/z9/host_vars/light.yaml +++ b/inventories/z9/host_vars/light.yaml @@ -50,22 +50,10 @@ ola__configs: content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}" - name: ola-usbserial content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}" - nginx__version_spec: "" nginx__deploy_redirect_conf: false nginx__configurations: - name: light content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}" - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" - -certbot__version_spec: "" -certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "light-werkstatt.ccchh.net" - - "light.ccchh.net" - - "light.z9.ccchh.net" -certbot__new_cert_commands: - - "systemctl reload nginx.service" - - + content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}" diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 319f817..f88f106 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -20,7 +20,6 @@ all: certbot_hosts: hosts: dooris: - light: docker_compose_hosts: hosts: dooris: diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 deleted file mode 100644 index 4f3b49c..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 +++ /dev/null 
@@ -1,27 +0,0 @@ -# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration -[general] -protocol = "both" -domain = "auth.acmedns.hamburg.ccc.de" -nsname = "acmedns.hosts.hamburg.ccc.de" -nsadmin = "noc.lists.hamburg.ccc.de" -records = [ - "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.", - "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.", -] - -[database] -engine = "sqlite3" -connection = "/var/lib/acme-dns/acme-dns.db" - -[api] -ip = "0.0.0.0" -port = "80" -tls = "none" -corsorigins = [ - "*" -] - -[logconfig] -loglevel = "debug" -logtype = "stdout" -logformat = "text" diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 deleted file mode 100644 index 8976852..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 +++ /dev/null @@ -1,22 +0,0 @@ ---- -services: - oauth2-proxy: - container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 - command: --config /oauth2-proxy.cfg - hostname: oauth2-proxy - volumes: - - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg" - restart: unless-stopped - ports: - - 4180:4180 - - acmedns: - image: docker.io/joohoi/acme-dns:latest - ports: - - "[::]:53:53" - - "[::]:53:53/udp" - - 8080:80 - volumes: - - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro - - ./data/acmedns:/var/lib/acme-dns \ No newline at end of file diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 deleted file mode 100644 index 02216da..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 +++ /dev/null @@ -1,63 +0,0 @@ - - -ACME DNS Register - - - -

Register an Entry in ACME DNS

- -

This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.

-

See the ACME DNS service entry in the wiki for further details.

- -

- - - - - - - - - - - - - - - - - - diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 deleted file mode 100644 index f11eadf..0000000 --- a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 +++ /dev/null @@ -1,13 +0,0 @@ -reverse_proxy = true -http_address="0.0.0.0:4180" -cookie_secret="{{ secret__oidc_cookie_secret }}" -email_domains="*" - -# dex provider -oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh" -provider="oidc" -provider_display_name="CCCHH ID" -client_id="acmedns" -client_secret="{{ secret__oidc_client_secret }}" -redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback" - diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf deleted file mode 100644 index b360d40..0000000 --- a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf +++ /dev/null 
@@ -1,83 +0,0 @@ -# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration -# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 -server { - # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - server_name acmedns.hamburg.ccc.de; - - root /ansible_docker_compose/configs/html/; - - ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem; - # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; - # Hide the X-Forwarded header. - proxy_hide_header X-Forwarded; - # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that - # is transparent). - # Also provide "_hidden" for by, since it's not relevant. 
- proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; - proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly - port_in_redirect off; - - location /oauth2/ { - proxy_pass http://127.0.0.1:4180; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Auth-Request-Redirect $request_uri; - # or, if you are handling multiple domains: - # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; - } - - location = /oauth2/auth { - proxy_pass http://127.0.0.1:4180; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Uri $request_uri; - # nginx auth_request includes headers but not body - proxy_set_header Content-Length ""; - proxy_pass_request_body off; - } - - location = / { - auth_request /oauth2/auth; - error_page 401 = @oauth2_signin; - - index index.html; - } - - location = /register { - auth_request /oauth2/auth; - error_page 401 = @oauth2_signin; - - proxy_pass http://127.0.0.1:8080/register; - } - - location = /update { # no auth by proxy required - proxy_pass http://127.0.0.1:8080/update; - } - - location @oauth2_signin { - return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri; - } -} diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index feacfa7..71ae729 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -82,7 +82,6 @@ map $host $upstream_acme_challenge_host { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; cpuccc.hamburg.ccc.de 172.31.17.151:31820; cpu.ccc.de 172.31.17.151:31820; - acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820; default ""; } 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index fc62a89..bdf7184 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -100,7 +100,6 @@ stream { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; cpuccc.hamburg.ccc.de 172.31.17.151:8443; cpu.ccc.de 172.31.17.151:8443; - acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443; } server { diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf index 8572664..d9b336c 100644 --- a/resources/z9/light/nginx/http_handler.conf +++ b/resources/z9/light/nginx/http_handler.conf @@ -1,12 +1,14 @@ server { listen 80 default_server; listen [::]:80 default_server; + server_name _; + + location /.well-known/acme-challenge/ { + autoindex on; + root /webroot-for-acme-challenge; + } location / { return 301 https://$host$request_uri; } - - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; - } } diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf index 6217e04..9f70cf8 100644 --- a/resources/z9/light/nginx/light.conf +++ b/resources/z9/light/nginx/light.conf 
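Review bot: `autoindex on;` in the new `/.well-known/acme-challenge/` location of http_handler.conf enables directory listings for the challenge webroot, which an ACME client never needs; serving the token files is enough, so the location should be just `root /webroot-for-acme-challenge;` followed by `try_files $uri =404;` so that missing tokens are answered explicitly instead of with a listing. Nothing in this commit shows what writes into `/webroot-for-acme-challenge` now that the old `proxy_pass http://127.0.0.1:31820/...` hand-off is gone and `light` leaves `certbot_hosts` in the z9 hosts.yaml hunk, so a one-line comment above the location naming the tool that owns that directory would spare the next reader from guessing. The `return 301 https://$host$request_uri;` catch-all is unchanged from the old file.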
@@ -1,16 +1,15 @@ # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name light-werkstatt.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; # replace with the IP address of your resolver resolver 10.31.208.1; @@ -26,16 +25,15 @@ server { } server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name light.z9.ccchh.net; + server_name light.z9.ccchh.net ; - ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; location / { return 307 https://light.ccchh.net$request_uri; @@ -43,9 +41,8 @@ server { } server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name light.ccchh.net; 
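Review bot: The `light-werkstatt.ccchh.net` server block now loads `/etc/letsencrypt/live/light.ccchh.net/` instead of its own lineage, and the second hunk does the same for `light.z9.ccchh.net`; the removed `certbot__certificate_domains` in light.yaml show the old lineage was issued for all three names, whereas nothing in this diff shows how the `light.ccchh.net` lineage is issued or that it carries the two alias names as SANs. If it does not, clients for those names fail the TLS handshake with a name mismatch before the `return 307 https://light.ccchh.net$request_uri;` redirect can run, so either confirm the SANs or keep the per-name lineages. Replacing `http2 on;` with the `listen ... http2` parameter reverts to a form nginx deprecated in 1.25.1; if that is deliberate for the installed nginx version, a comment such as `# listen-level http2: nginx on this host predates the http2 directive` would stop someone from flipping it back, and `server_name light.z9.ccchh.net ;` in the second hunk has a stray space before the semicolon. Both server blocks close outside their hunks.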
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json index d55e4cb..49d4108 100644 --- a/roles/docker/files/daemon.json +++ b/roles/docker/files/daemon.json @@ -2,13 +2,5 @@ "log-driver": "journald", "log-opts": { "tag": "{{.Name}}" - }, - "ipv6": true, - "ip6tables": true, - "fixed-cidr-v6": "fd00:1::/64", - "default-network-opts": { - "bridge": { - "com.docker.network.enable_ipv6":"true" - } } } diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml index b4720c1..eaaec30 100644 --- a/roles/nginx/tasks/main/02_repo_setup.yaml +++ b/roles/nginx/tasks/main/02_repo_setup.yaml @@ -15,13 +15,13 @@ - name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true
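Review bot: Both `repo` lines in 02_repo_setup.yaml drop the `ansible_facts['distribution_release']` lookup for the bare `ansible_distribution_release` variable, which only exists when Ansible injects facts as top-level variables (`inject_facts_as_vars`, on by default but not the form Ansible documents as preferred), so the task fails with an undefined variable on any controller that has turned that off, while the `ansible_facts` form works either way. If the change works around facts arriving under a different name on some host, a comment on the task saying so would explain the choice; otherwise keeping `{{ ansible_facts['distribution_release'] }}` is the safer form. The hunk's leading context lines may start outside what is visible here.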