From 72d8f940a9f68a14f5cceff7a03db32e8bf90595 Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 27 Jan 2026 15:00:56 +0000 Subject: [PATCH 1/4] Update docker.io/library/postgres Docker tag to v18 --- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/lists/docker_compose/compose.yaml | 2 +- resources/chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index b6cf771..1164730 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,7 +1,7 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.15 +nextcloud__postgres_version: 18.1 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index a260ab1..562df5c 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.15 + image: docker.io/library/postgres:18.1 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index cdfd70a..7050a8b 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine + image: docker.io/library/postgres:18-alpine volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 790cf95..e13191a 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 091d113..2f6f990 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 938883b..3d35c0b 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" From ad783e4a15d0d635ad69fc2bfd069506c1d4aff3 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Tue, 27 Jan 2026 16:21:18 +0100 Subject: [PATCH 2/4] now in production --- inventories/chaosknoten/host_vars/spaceapiccc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml index 377b909..d8b0242 100644 --- a/inventories/chaosknoten/host_vars/spaceapiccc.yaml +++ b/inventories/chaosknoten/host_vars/spaceapiccc.yaml @@ -5,7 +5,7 @@ docker_compose__pull: never certbot__version_spec: "" certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__certificate_domains: - # - "spaceapi.ccc.de" # after DNS has been adjusted + - "spaceapi.ccc.de" # after DNS has been adjusted - "spaceapiccc.hamburg.ccc.de" certbot__new_cert_commands: - "systemctl reload nginx.service" From 3bba747dab80851b120afe8855221de96f74371c Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Tue, 27 Jan 2026 16:30:00 +0100 Subject: [PATCH 3/4] Configure seperate server for spaceapi.ccc.de --- .../chaosknoten/host_vars/spaceapiccc.yaml | 2 +- .../nginx/spaceapiccc.hamburg.ccc.de.conf | 43 ++++++++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml index d8b0242..baf5065 100644 --- a/inventories/chaosknoten/host_vars/spaceapiccc.yaml +++ b/inventories/chaosknoten/host_vars/spaceapiccc.yaml @@ -5,7 +5,7 @@ docker_compose__pull: never certbot__version_spec: "" certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__certificate_domains: - - "spaceapi.ccc.de" # after DNS has been adjusted + - "spaceapi.ccc.de" - "spaceapiccc.hamburg.ccc.de" certbot__new_cert_commands: - "systemctl reload nginx.service" diff --git a/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf index f060996..9b74c0c 100644 --- a/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf +++ b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf @@ -12,7 +12,7 @@ server { # header. real_ip_header proxy_protocol; - server_name spaceapi.ccc.de spaceapiccc.hamburg.ccc.de; + server_name spaceapi.ccc.de; ssl_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/privkey.pem; @@ -40,3 +40,44 @@ server { proxy_pass http://172.16.238.10/; } } + +server { + # Listen on a custom port for the proxy protocol. + listen [::]:8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + server_name spaceapi.ccc.de; + + ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + + location / { + proxy_pass http://172.16.238.10/; + } +} From 9b8972f2fabcc96acc29a5631b0ef06744f277b6 Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 27 Jan 2026 15:31:02 +0000 Subject: [PATCH 4/4] Update docker.io/library/postgres Docker tag to v18 --- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/lists/docker_compose/compose.yaml | 2 +- resources/chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index b6cf771..1164730 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,7 +1,7 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.15 +nextcloud__postgres_version: 18.1 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index a260ab1..562df5c 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.15 + image: docker.io/library/postgres:18.1 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index cdfd70a..7050a8b 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine + image: docker.io/library/postgres:18-alpine volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 790cf95..e13191a 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 091d113..2f6f990 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 938883b..3d35c0b 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine + image: docker.io/library/postgres:18-alpine environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}"