From 51cd583dff02047b2ffc35773608e39d22606365 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 20 May 2026 22:54:32 +0200
Subject: [PATCH 1/2] docs: move information on secrets and sops into docs

---
 README.md | 19 ---------------
 docs/concepts-and-configurations/secrets.md | 27 +++++++++++++++++++++
 docs/concepts-and-configurations/sops.md | 18 --------------
 docs/guides/sops-gpg-key-replacement.md | 13 ++++++++++
 4 files changed, 40 insertions(+), 37 deletions(-)
 create mode 100644 docs/concepts-and-configurations/secrets.md
 delete mode 100644 docs/concepts-and-configurations/sops.md
 create mode 100644 docs/guides/sops-gpg-key-replacement.md

diff --git a/README.md b/README.md
index 08e60f5..bd980d8 100644
--- a/README.md
+++ b/README.md
@@ -17,25 +17,6 @@ ansible-galaxy install -r requirements.yml
 ansible-galaxy role install -r requirements.yml
 ```
 
-## Secrets
-
-Generally try to avoid secrets (e.g. use SSH keys instead of passwords).
-
-Because secrets are nonetheless needed sometimes, we use [SOPS](https://github.com/getsops/sops) to securely store secrets in this repository.
-SOPS encrypts secrets according to "creation rules" which are defined in the `.sops.yaml`.
-Generally all secrets get encrypted for all GPG-keys of all members of the infrastructure team.
-Ansible then has access to the secrets with the help of the [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables), which is configured in this repository.
-A local Ansible run then uses the locally available GPG-key to decrypt the secrets.
-
-For a tutorial on how to set up SOPS for a new host, see [SOPS: New Host](./docs/guides/sops-new-host.md).
-
-### Updating SOPS files after swapping out a GPG key
-
-When a GPG key expires, it is necessary to update the config in `.sops.yaml` and then re-encrypt all files with the updated list of keys. Run this command. The will take a considerable amount of time (minutes).
-```
-find inventories -name "*.sops.*" | xargs sops updatekeys --yes
-```
-
 ## Playbook nur für einzelne Hosts ausführen
 Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:
diff --git a/docs/concepts-and-configurations/secrets.md b/docs/concepts-and-configurations/secrets.md
new file mode 100644
index 0000000..5734384
--- /dev/null
+++ b/docs/concepts-and-configurations/secrets.md
@@ -0,0 +1,27 @@
+---
+title: Secrets
+---
+
+# Secrets
+
+Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).
+However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.
+
+All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.
+Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).
+
+When running Ansible locally, then your GPG key is used for accessing the secrets.
+Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.
+
+## GPG Keys
+
+The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.
+
+## Guides
+
+See the following pages for guidance on how to use SOPS:
+
+- [SOPS: New Host](../guides/sops-new-host.md)
+- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
+- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)
diff --git a/docs/concepts-and-configurations/sops.md b/docs/concepts-and-configurations/sops.md
deleted file mode 100644
index e4519e5..0000000
--- a/docs/concepts-and-configurations/sops.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: SOPS
----
-
-# SOPS
-
-We're using [SOPS](https://github.com/getsops/sops) for secret management together with the `community.sops.sops` vars plugin for Ansible.
-
-## GPG Keys
-
-In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
-
-## Guides
-
-See the following pages for guidance on how to use SOPS:
-
-- [SOPS: New Host](../guides/sops-new-host.md)
-- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
diff --git a/docs/guides/sops-gpg-key-replacement.md b/docs/guides/sops-gpg-key-replacement.md
new file mode 100644
index 0000000..8edb5f4
--- /dev/null
+++ b/docs/guides/sops-gpg-key-replacement.md
@@ -0,0 +1,13 @@
+---
+title: "SOPS: GPG-Key Replacement"
+summary: How to Replace an Expired GPG-Key
+---
+
+# SOPS: GPG-Key Replacement
+
+- When a GPG key expires, it is necessary to update the config in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml) and then re-encrypt all files with the updated list of keys.
+ - If no new key is available, simply remove the key and re-encrypt all files to keep the repository in a working state. Whenever the relevant member provides a new key, add it again and re-encrypt for it again.
+- The re-encryption can be achieved by running the following command (which could take a considerable amount of time):
+ ```bash
+ find inventories -name "*.sops.*" | xargs sops updatekeys --yes
+ ```

From 2d17176c4e914c3d889b14f5b3b48e5a89f09639 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Wed, 20 May 2026 21:00:58 +0000
Subject: [PATCH 2/2] Update all stable non-major dependencies

---
 .forgejo/workflows/lint.yaml | 2 +-
 inventories/chaosknoten/host_vars/netbox.yaml | 2 +-
 .../chaosknoten/acmedns/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++----
 .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +-
 resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 | 2 +-
 .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 4 ++--
 .../chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +-
 resources/external/status/docker_compose/compose.yaml.j2 | 4 ++--
 10 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
index bdd53f5..600d044 100644
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@@ -24,7 +24,7 @@ jobs:
 # work in our environmnet.
 # Rather manually setup python (pip) before instead.
 - name: Run ansible-lint
- uses: https://github.com/ansible/ansible-lint@v26.3.0
+ uses: https://github.com/ansible/ansible-lint@v26.4.0
 with:
 setup_python: "false"
 requirements_file: "requirements.yml"
diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml
index f28d193..7aaff28 100644
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.5"
+netbox__version: "v4.6.1"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
index 3fcd8c6..c68973f 100644
--- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@@ -2,7 +2,7 @@ services:
 oauth2-proxy:
 container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
 volumes:
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 1f6c42f..44dfa20 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -2,7 +2,7 @@ services:
 prometheus:
- image: docker.io/prom/prometheus:v3.10.0
+ image: docker.io/prom/prometheus:v3.11.3
 container_name: prometheus
 command:
 - '--config.file=/etc/prometheus/prometheus.yml'
@@ -19,7 +19,7 @@ services:
 - prom_data:/prometheus
 alertmanager:
- image: docker.io/prom/alertmanager:v0.31.1
+ image: docker.io/prom/alertmanager:v0.32.1
 container_name: alertmanager
 command:
 - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -46,7 +46,7 @@ services:
 - graf_data:/var/lib/grafana
 pve-exporter:
- image: docker.io/prompve/prometheus-pve-exporter:3.8.2
+ image: docker.io/prompve/prometheus-pve-exporter:3.9.0
 container_name: pve-exporter
 ports:
 - 9221:9221
@@ -59,7 +59,7 @@ services:
 - /dev/null:/etc/prometheus/pve.yml
 loki:
- image: docker.io/grafana/loki:3.7.1
+ image: docker.io/grafana/loki:3.7.2
 container_name: loki
 ports:
 - 13100:3100
diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
index d239bb4..8db3526 100644
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@@ -22,7 +22,7 @@ services:
 keycloak:
- image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7
+ image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0
 pull_policy: always
 restart: unless-stopped
 command: start --optimized
diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
index af1b531..cadfa54 100644
--- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
 ntfy:
- image: docker.io/binwiederhier/ntfy:v2.20.1
+ image: docker.io/binwiederhier/ntfy:v2.23.0
 container_name: ntfy
 command:
 - serve
diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
index 77f1395..58dddb2 100644
--- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
@@ -4,7 +4,7 @@ services:
 onlyoffice:
- image: docker.io/onlyoffice/documentserver:9.3.1
+ image: docker.io/onlyoffice/documentserver:9.4.0
 restart: unless-stopped
 volumes:
 - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..226b21d 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -15,7 +15,7 @@ services:
 - pretalx_net
 redis:
- image: docker.io/library/redis:8.6.2
+ image: docker.io/library/redis:8.6.3
 restart: unless-stopped
 volumes:
 - redis:/data
@@ -23,7 +23,7 @@ services:
 - pretalx_net
 static:
- image: docker.io/library/nginx:1.29.7
+ image: docker.io/library/nginx:1.31.0
 restart: unless-stopped
 volumes:
 - public:/usr/share/nginx/html
diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
index b8a4cf2..11593ce 100644
--- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
@@ -13,7 +13,7 @@ services:
 restart: unless-stopped
 redis:
- image: docker.io/library/redis:8.6.2
+ image: docker.io/library/redis:8.6.3
 ports:
 - "6379:6379"
 volumes:
diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2
index 58abefa..638ebbe 100644
--- a/resources/external/status/docker_compose/compose.yaml.j2
+++ b/resources/external/status/docker_compose/compose.yaml.j2
@@ -4,7 +4,7 @@ services:
 database:
- image: docker.io/library/postgres:18.3
+ image: docker.io/library/postgres:18.4
 restart: always
 volumes:
 - ./database:/var/lib/postgresql
@@ -16,7 +16,7 @@ services:
 - gatus
 gatus:
- image: ghcr.io/twin/gatus:v5.35.0
+ image: ghcr.io/twin/gatus:v5.36.0
 restart: always
 ports:
 - "8080:8080"