From abcd622757245466faa4f658329c5060686d1710 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Sat, 11 Apr 2026 02:36:44 +0200 Subject: [PATCH 1/2] light(host): move to dns-01-acme-dns --- inventories/z9/host_vars/light.sops.yaml | 9 ++++++--- inventories/z9/host_vars/light.yaml | 23 +++++++++++++++++++---- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/inventories/z9/host_vars/light.sops.yaml b/inventories/z9/host_vars/light.sops.yaml index 02cf01f..2ce8807 100644 --- a/inventories/z9/host_vars/light.sops.yaml +++ b/inventories/z9/host_vars/light.sops.yaml @@ -1,4 +1,7 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:VEGxr8C7RlEhyQhf+to/OrbfPPKkyL7iUU1yDXGAzmmPCQ4VftK71eiyN7OS6pG8J89Mj4Sy/dcY4SUX+rTl/q1csZMn9t4NBN8=,iv:JcrdyFLX5srZfRj9SA+RXf+CRZi5GEcApgyYsHoHTGE=,tag:xdJ4GmK3afZDkXmkrriStg==,type:str] +secret__acme_dns_api_key_light_ccchh_net: ENC[AES256_GCM,data:SLUNVJQ4Nkos+tYH0l9ndJI8mrfZFC9i/qQqkcHgfLaNjL1tFuAFfQ==,iv:cc7DsiqzMlc2lh3D63cElMQcOeYT7oNxmRy7irSr9/s=,tag:dBnTAJXvgWlmq5vVGxrykw==,type:str] +secret__acme_dns_api_key_light_z9_ccchh_net: ENC[AES256_GCM,data:m6+Sk533qTRfhrwv7U2RydJh/j7KjJKHiEetyzgvJV1dgWXmE5AhYA==,iv:lAGv4vfxA+DQfwaHiDp3NMel0tjmZl96nKUAN8QGFe4=,tag:h0wM/F9E4dIy+NYLIVUpxg==,type:str] +secret__acme_dns_api_key_light_werkstatt_ccchh_net: ENC[AES256_GCM,data:zJ9hQo1jmQ5+d0oU+CD+cQh89HshPpguZCak7Nfjdb2bygUXJrEIIw==,iv:y+FSB/k5LixKJOm9egWsjhByQAdv7TfJHvv3job2oYg=,tag:CmuUqnCI3V/aOOUitzYT9Q==,type:str] sops: age: - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q 
@@ -10,8 +13,8 @@ sops: SHgzd0IvZjJBamZFcHczNm1FN1Q1TzAKDgId6bAykxsgXAeBWXd6Dyxiiyh0gIb/ Q6MHNtagsA5OrUtc7xEInVt8CYT8czI/Lr9pHzmx5bQPlDf8NkW0lA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-30T18:56:30Z" - mac: ENC[AES256_GCM,data:XQJwF0MuaNoNssD3QvcDrlz+W7cccDdBaY82i6Qae7zBOQKlxLRJ7FteaDQEmQ7Yb1xBczpS+wBLgKNy5WbwIm8GELX1Hs91Y/SUguCnSualWhSVw9HW42T4oP9OEv2DC2aiJYHampSOgjmWgbPqawCU9xfsnP7RFGajQNNmRWU=,iv:O+A6tGFLhS4AVjLQ25eEjUfERPG2PnzgczZ0wczf7UY=,tag:yjFBjKtSE6vu9JMY9DQ0UA==,type:str] + lastmodified: "2026-04-11T01:24:10Z" + mac: ENC[AES256_GCM,data:D7qAgDZX8B0oNdZovHE74sSZI5X3qd8oDPHWl13Q2ohLnp9vJsFxrKntXxeeHASzQceDv2RQ1exwq7ZPor62sLFx+xO1Dc0Awpq1eoclDlHPyKlvT3pgkcB8IxDO/FuO+7hg/bJkmTHhbHTiHLGQDWN2sQev309Eka86lQyCzIQ=,iv:OBCobeUp+GwdDQhrNtTJhiRVMxRJafq5g1rhMoEFhjc=,tag:OSAWMn2NPZnVKcRX+eJf+Q==,type:str] pgp: - created_at: "2026-03-30T19:01:24Z" enc: |- @@ -213,4 +216,4 @@ sops: -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted - version: 3.12.1 + version: 3.12.2 diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml index a5957e2..c14515d 100644 --- a/inventories/z9/host_vars/light.yaml +++ b/inventories/z9/host_vars/light.yaml 
@@ -60,9 +60,24 @@ nginx__configurations: content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" certbot__acme_account_email_address: le-admin@hamburg.ccc.de -certbot__certificate_domains: - - "light-werkstatt.ccchh.net" - - "light.ccchh.net" - - "light.z9.ccchh.net" +certbot__certs: + - commonName: "light.ccchh.net" + challengeType: "dns-01-acme-dns" + dns_01_acme_dns: + subdomain: "e59f55ee-9013-469d-a146-a159721b6fea" + apiUser: "33e96ec7-1f98-4f70-92be-85a42dabd211" + apiKey: "{{ secret__acme_dns_api_key_light_ccchh_net }}" + - commonName: "light.z9.ccchh.net" + challengeType: "dns-01-acme-dns" + dns_01_acme_dns: + subdomain: "3bc9e7ce-03dd-4533-a059-b5d38407eaa5" + apiUser: "c3b00882-ca2a-4d11-9ebd-fccfb8618b75" + apiKey: "{{ secret__acme_dns_api_key_light_z9_ccchh_net }}" + - commonName: "light-werkstatt.ccchh.net" + challengeType: "dns-01-acme-dns" + dns_01_acme_dns: + subdomain: "f408acc0-d9f5-4525-bb01-28938e3bb7d0" + apiUser: "a030e419-6ed8-43ee-8425-a451b457f83a" + apiKey: "{{ secret__acme_dns_api_key_light_werkstatt_ccchh_net }}" certbot__new_cert_commands: - "systemctl reload nginx.service" From d27ac9b4e09a8dfd7bfeb08de4197038b19df999 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sat, 11 Apr 2026 02:46:07 +0000 Subject: [PATCH 2/2] Update docker.io/pretalx/standalone Docker tag to v2025.2.3 --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 0bbfcb8..78dba42 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.3 entrypoint: gunicorn command: - "pretalx.wsgi" 
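Review bot: The new `certbot__certs` entries in inventories/z9/host_vars/light.yaml carry no comment tying each `dns_01_acme_dns.subdomain` to the DNS delegation it depends on. dns-01 through acme-dns only validates when `_acme-challenge.<commonName>` is a CNAME to that subdomain on the acme-dns server, and nothing in this hunk records or checks that. I would add above the list `# each commonName needs _acme-challenge.<name> CNAME -> <subdomain>.<ACME_DNS_ZONE placeholder>; apiKey values live in light.sops.yaml`. Keeping `apiUser` in plaintext with only `apiKey` in sops is workable, but each pair can set the challenge TXT record for its name, so it is worth confirming that the acme-dns registrations restrict updates by source address (`allowfrom`), which is not visible here. The old `certbot__certificate_domains` list becomes three separate cert entries, so any nginx certificate paths presumably need checking against the new names.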
@@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.3 command: - taskworker restart: unless-stopped