diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index 970e2f8..dc91e90 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -40,23 +40,3 @@ knot__zones:
   - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
     notify_targets: [ "ns-intern.hamburg.ccc.de" ]
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
-  - domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
-    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
-    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
-  - domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
-    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
-    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
-  - domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
-    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
-    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
-  - domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
-    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
-    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
-  - domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
-    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
-    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 9c28d58..1cf8b4f 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.17
+nextcloud__postgres_version: 15.18
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
diff --git a/inventories/chaosknoten/host_vars/lists.sops.yaml b/inventories/chaosknoten/host_vars/lists.sops.yaml
index 76125b9..21c97c8 100644
--- a/inventories/chaosknoten/host_vars/lists.sops.yaml
+++ b/inventories/chaosknoten/host_vars/lists.sops.yaml
@@ -1,4 +1,8 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:pUFhg492OUXVIlDZ3Z9A/H0doJCuTX0zh9qLU88nz18jMzWmzXhc2kbQkk4QeSTnZ12juiTbpUFW+1cE1bOontIu5qiQgpe3c8s=,iv:bONSyFUibcszUcxBt749aiVVnqLKBuEJmfege0dGaM8=,tag:cvapTnTN62XTR6tQBSe+IQ==,type:str]
+secret__lists__hyperkitty_api_key: ENC[AES256_GCM,data:byO7x/r3E9mwxOwiK0Is+Mp+d2uRIBgNsX2YWUg20Cs=,iv:H9ufaS6JlKhkbsG5aM3owR0U10e0JNYX/s3AJagB6kY=,tag:5umAs792BwNF9bMCX69PBw==,type:str]
+secret__lists__postgres_password: ENC[AES256_GCM,data:HcH4Lyw9uuuqXGrrXkUqzg==,iv:3adzec+Wnh37LjzwMp7zhWMf9jZzI6EyUmEGS9TUYBg=,tag:8/jZrUzkcM+U3nME6+DSSA==,type:str]
+secret__lists__rest_password: ENC[AES256_GCM,data:BMCNEikejiDET0Mdlrzfcg==,iv:U5hVjM/epfzz2m/wXKhYhwFI/3zKX7XS/UMlBqwTZNk=,tag:0n79+5mP7ocY7jVQmWm+WA==,type:str]
+secret__lists__web_secret_key: ENC[AES256_GCM,data:3DntszkNw5ciwRUJJdmHTGTpjm9ZMBf9wO3MHAeiXuw=,iv:GqqjRcg0zG193Y04UYIipB8BBk/JUtGvtTCVQ4HCjDw=,tag:aY4d+CPGxMvRz8t983p9sw==,type:str]
 sops:
     age:
         - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
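Review bot: The four `secret__lists__*` entries added here correspond to credentials that this same commit removes as plaintext from resources/chaosknoten/lists/docker_compose/compose.yaml (the mailman database password, the Hyperkitty API key and the Django SECRET_KEY), and those plaintext values remain readable in repository history. Encrypting them with sops only retires the exposure if the encrypted values are newly generated; the ciphertext does not show that, and the encrypted payload sizes (16 bytes for the two passwords, 32 bytes for the API key and SECRET_KEY) happen to match the lengths of the removed plaintext values, which is at least consistent with the old values having been re-encrypted. If they were reused, rotate the database password, API key, SECRET_KEY and REST password and re-encrypt, and record it in the commit message or with a comment such as `# rotated <DATE> after removal of plaintext values from compose.yaml`.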
@@ -10,8 +14,8 @@ sops:
             THpvS29mY1BIbktZYkhCYm1NMFdLcXcKBtXXokEi1nSVA099XXNrx3w4Fr1lnLMf
             2KTuylUef8RUgHPx1wo5Q7xlYNR48GupHVQxb9VvyDTXOZEiAV7Pdw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-20T18:57:27Z"
-    mac: ENC[AES256_GCM,data:IAM6vn4rI1l6qvPWEcDJ5xoD3I8/GWOr+PmRQ0QdkVMD9Pt7cHtMhHPpYvH3e8MfDPhC2g2uwt9FHsPqpcOXpflme0aF4E9PndGi1Pzi+yh40FSBAzLT3MEQ50vZ2rifzqUe5KSrXByF1WAnZxLTMST+xIlvEZOV0gx6y0G/iHQ=,iv:15MZsyClZ+WLBZgcRSq740LgDakuHAXAb3hAQyLKVSU=,tag:7+lRz4XKKVlkSeDVs4Jy9g==,type:str]
+    lastmodified: "2026-05-16T11:00:16Z"
+    mac: ENC[AES256_GCM,data:vwQc2suUJ0KiSsYRcrvsYHNYF2c8SU58LxWoFpzTX5hSDNy8LOWJIa6Ouo8c7gk4gYB0mS/FbmgEo8LOCDvRKamfgrpZQ2wvxI7GdGRjR0LOsS8O2xZ8QZ3BK9DfEfnA5ESgzRzX6Iuc4ZBUGfAQoDDxXrnh2ogWUdYPC81T5qU=,iv:Vi74U97iZAqQ8DDW2p3ncg58l6+mxar4hC5f48AuPAQ=,tag:Jd09hXId+ogV4rB0AWS2NA==,type:str]
     pgp:
         - created_at: "2026-04-18T22:36:23Z"
           enc: |-
@@ -204,4 +208,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.2
diff --git a/inventories/chaosknoten/host_vars/lists.yaml b/inventories/chaosknoten/host_vars/lists.yaml
index 0e53178..e6680f4 100644
--- a/inventories/chaosknoten/host_vars/lists.yaml
+++ b/inventories/chaosknoten/host_vars/lists.yaml
@@ -1,4 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/compose.yaml') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/lists/docker_compose/compose.yaml.j2') }}"
 docker_compose__configuration_files:
   - name: settings_local.py
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/settings_local.py') }}"
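Review bot: Rendering `docker_compose__compose_file_content` through a template lookup means the compose file written on the lists host now carries the database password, the Hyperkitty API key and the Django SECRET_KEY in clear, and nothing in this hunk shows which owner and mode the docker_compose role applies to that file. If the role does not already restrict it, the task that writes the compose file should set an explicit owner and `mode: "0600"` (or equivalent), since the rendered file is now as sensitive as the sops-encrypted vars it is built from. A short comment on this line would help the next reader, e.g. `# rendered as a template: the written compose file contains secret__lists__* values`.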
diff --git a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index baacd63..0000000
--- a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,16 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023073001
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:122::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.
-
diff --git a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index 6972a51..0000000
--- a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:123::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index a43bc06..0000000
--- a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:124::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index b03dcc7..0000000
--- a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:125::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index 3de9e09..0000000
--- a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
- 2023073001
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:126::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
index 40d4c94..bb5c16f 100644
--- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
+++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
@@ -52,7 +52,7 @@ hmdooris-ccu A 10.31.208.202
 buba A 10.31.211.137
 buba.z9 A 10.31.211.137
 dooris AAAA 2a07:c481:1:d0::1c
-_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
+_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
 waybackproxy A 10.31.208.99
 yate A 10.31.208.12
 staubiv2 A 10.31.210.233
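Review bot: The corrected `_acme-challenge.dooris` CNAME target is now absolute, but the zone's SOA serial sits outside this hunk and no other hunk in this diff touches ccchh.net.zone, so if Knot serves the serial from the file rather than generating one, the notify targets will keep the old record with the relative target. Confirm the serial policy configured for this zone or bump the serial in the same change; that cannot be verified from here.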
diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
index 21a8d0e..a9c4851 100644
--- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
+++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
@@ -196,7 +196,6 @@ matrix-intern IN A 172.31.17.150
 ; have this for compatibility (like references in CI)
 public-web-static-intern IN AAAA 2a00:14b0:42:102::17
 git-intern IN A 172.31.17.154
-woodpecker-intern IN A 172.31.17.160
 penpot-intern IN A 172.31.17.162
 forgejo-runner-builder IN A 172.31.17.202
 renovate-forgejo IN A 172.31.17.163
@@ -275,7 +274,6 @@ matrix IN CNAME public-reverse-proxy
 mas IN CNAME public-reverse-proxy
 element-admin IN CNAME public-reverse-proxy
 netbox IN CNAME public-reverse-proxy
-woodpecker IN CNAME public-reverse-proxy
 onlyoffice IN CNAME public-reverse-proxy
 pad IN CNAME public-reverse-proxy
 pretalx IN CNAME public-reverse-proxy
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 4b5b2c0..44dfa20 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -32,7 +32,7 @@ services:
       - alertmanager_data:/alertmanager
 
   grafana:
-    image: docker.io/grafana/grafana:12.4.3
+    image: docker.io/grafana/grafana:13.0.1
     container_name: grafana
     ports:
       - 3000:3000
@@ -46,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.3
+    image: docker.io/prompve/prometheus-pve-exporter:3.9.0
     container_name: pve-exporter
     ports:
       - 9221:9221
@@ -59,7 +59,7 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
   loki:
-    image: docker.io/grafana/loki:3.7.1
+    image: docker.io/grafana/loki:3.7.2
     container_name: loki
     ports:
       - 13100:3100
diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
index 4a2bc6f..15b9b1f 100644
--- a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
+++ b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
@@ -129,7 +129,7 @@ groups:
       # General high disk read and write rate alerts.
       # Excluding: hypervisor hosts, CI hosts
       - alert: HostUnusualDiskReadRate
-        expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
+        expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
         for: 5m
         labels:
           severity: warning
@@ -137,7 +137,7 @@ groups:
           summary: Host unusual disk read rate (instance {{ $labels.instance }})
           description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
       - alert: HostUnusualDiskWriteRate
-        expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
+        expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
         for: 2m
         labels:
           severity: warning
@@ -147,7 +147,7 @@ groups:
       # CI hosts high disk read and write alerts.
       # Longer intervals to account for disk intensive CI tasks.
       - alert: CIHostUnusualDiskReadRate
-        expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
+        expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
         for: 10m
         labels:
           severity: warning
@@ -155,7 +155,7 @@ groups:
           summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }})
           description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
       - alert: VirtualHostUnusualDiskWriteRate
-        expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
+        expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
         for: 4m
         labels:
           severity: warning
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
similarity index 72%
rename from resources/chaosknoten/lists/docker_compose/compose.yaml
rename to resources/chaosknoten/lists/docker_compose/compose.yaml.j2
index fb65594..db605b5 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
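Review bot: `- alert: VirtualHostUnusualDiskWriteRate` is the write-side counterpart of `CIHostUnusualDiskReadRate` under the "CI hosts" comment, so for consistency it should be named `- alert: CIHostUnusualDiskWriteRate`; its annotations lie outside the hunk. Separately, as far as I can tell the old selector `{nodename="forgejo-actions-runner", nodename="woodpecker"}` required both equalities on the same label and could never match, so the two CI alerts in this span (this one and `CIHostUnusualDiskReadRate` in the hunk above) start matching forgejo-actions-runner for the first time with this change. Expect them to fire after deployment and check the 50 MB/s threshold and the 10m/4m durations against that host's real CI load before treating them as actionable.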
@@ -12,11 +12,13 @@ services:
     depends_on:
       - database
     environment:
-      - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
+      - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
       - DATABASE_TYPE=postgres
       - DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
-      - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
+      - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
       - MTA=postfix
+      - MAILMAN_REST_USER=restuser
+      - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
     ports:
       - "127.0.0.1:8001:8001" # API
       - "127.0.0.1:8024:8024" # LMTP - incoming emails
@@ -39,13 +41,15 @@ services:
       - ./files/templates:/opt/mailman-web/templates
     environment:
       - DATABASE_TYPE=postgres
-      - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
+      - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
       - "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
-      - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
+      - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
       - SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
-      - SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
+      - SECRET_KEY={{ secret__lists__web_secret_key }}
       - MAILMAN_ADMIN_USER=ccchh-admin
       - MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
+      - MAILMAN_REST_USER=restuser
+      - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
     ports:
       - "127.0.0.1:8000:8000" # HTTP
       - "127.0.0.1:8080:8080" # uwsgi
@@ -57,7 +61,7 @@ services:
     environment:
       - POSTGRES_DB=mailmandb
       - POSTGRES_USER=mailman
-      - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
+      - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
     image: docker.io/library/postgres:12-alpine
     volumes:
       - /opt/mailman/database:/var/lib/postgresql/data
@@ -70,5 +74,4 @@ networks:
     ipam:
       driver: default
       config:
-        -
-          - subnet: 172.19.199.0/24
+        - subnet: 172.19.199.0/24
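Review bot: The templated `HYPERKITTY_API_KEY`, `SECRET_KEY` and both `MAILMAN_REST_PASSWORD` items are left unquoted while `DATABASE_URL` and `POSTGRES_PASSWORD` are quoted; since this file is rendered as text before YAML parsing, a generated secret containing `: ` or ` #` would break the parse for the unquoted items only. Quote all templated entries the same way, e.g. `- "HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}"`, `- "SECRET_KEY={{ secret__lists__web_secret_key }}"`, `- "MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}"`, and keep in mind that inside double quotes a backslash in a secret is read as an escape, so generate secrets from a character set that excludes it. Not part of this change, but visible as context in the third hunk: `image: docker.io/library/postgres:12-alpine` pins a PostgreSQL major that reached upstream end of life in November 2024 and no longer receives security fixes, so a follow-up upgrade is worth scheduling.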
diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
index 09a71e4..cadfa54 100644
--- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
   ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.22.0
+    image: docker.io/binwiederhier/ntfy:v2.23.0
     container_name: ntfy
     command:
       - serve
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0217f66..226b21d 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.30.0
+    image: docker.io/library/nginx:1.31.0
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 93968b0..e8b8c8e 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -70,7 +70,6 @@ map $host $upstream_acme_challenge_host {
     eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820;
     hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
     staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
-    woodpecker.hamburg.ccc.de 172.31.17.160:31820;
     design.hamburg.ccc.de 172.31.17.162:31820;
     hydra.hamburg.ccc.de 172.31.17.163:31820;
     ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 843c094..0a004c9 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -91,7 +91,6 @@ stream {
     eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443;
     hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
     staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
-    woodpecker.hamburg.ccc.de 172.31.17.160:8443;
     design.hamburg.ccc.de 172.31.17.162:8443;
     hydra.hamburg.ccc.de 172.31.17.163:8443;
     cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2
index 58abefa..d7694ad 100644
--- a/resources/external/status/docker_compose/compose.yaml.j2
+++ b/resources/external/status/docker_compose/compose.yaml.j2
@@ -4,7 +4,7 @@ services:
 
   database:
-    image: docker.io/library/postgres:18.3
+    image: docker.io/library/postgres:18.4
     restart: always
     volumes:
       - ./database:/var/lib/postgresql
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
index 0ee6ef4..74991b7 100644
--- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
@@ -294,14 +294,6 @@ endpoints:
       - "[CERTIFICATE_EXPIRATION] > 48h"
       - "[BODY] == pat(*CCCHH Wiki*)"
 
-  - name: Woodpecker
-    url: "https://woodpecker.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Woodpecker*)"
-
   - name: Zammad
     url: "https://zammad.hamburg.ccc.de/"
     <<: *services_chaosknoten_defaults
diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2
index 38db85a..d16c8ad 100644
--- a/resources/z9/dooris/docker_compose/compose.yaml.j2
+++ b/resources/z9/dooris/docker_compose/compose.yaml.j2
@@ -2,21 +2,13 @@ services:
 
   dooris:
-    image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest
+    image: git.hamburg.ccc.de/ccchh/dooris:latest
     environment:
-      HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27"
-      HMDOORIS_CCUJACK_CERTIFICATE_PATH: false
-      HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
-      HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122
-      HMDOORIS_CCUJACK_USERNAME: dooris
-      HMDOORIS_CLIENT_ID: dooris
-      HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
-      HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
-      HMDOORIS_LISTEN: '0.0.0.0:3000'
-      HMDOORIS_REQUIRES_GROUP: /intern
-      HMDOORIS_URL: https://dooris.ccchh.net
-      PYTHONWARNINGS: "ignore:Unverified HTTPS request"
-      #DEBUG: true
-    ports:
-      - "127.0.0.1:3000:3000"
+      DOORIS_OPENID_ISSUER: https://id.hamburg.ccc.de/realms/ccchh/
+      DOORIS_OPENID_CLIENT_ID: dooris
+      DOORIS_OPENID_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
+      DOORIS_BASE_URL: https://dooris.ccchh.net
+      DOORIS_CCUJACK_USER: "dooris"
+      DOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
+    network_mode: host
     restart: unless-stopped
diff --git a/resources/z9/dooris/nginx/dooris.ccchh.net.conf b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
index c1ca082..efb5b1f 100644
--- a/resources/z9/dooris/nginx/dooris.ccchh.net.conf
+++ b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
@@ -32,6 +32,10 @@ server {
     proxy_set_header Connection "upgrade";
 
     location / {
-        proxy_pass http://127.0.0.1:3000/;
+        proxy_pass http://127.0.0.1:8000/;
+        # Increase size to fix nginx error: "upstream sent too big header while reading response header from upstream"
+        proxy_buffer_size 64k;
+        proxy_busy_buffers_size 64k;
+        proxy_buffers 20 4k;
     }
 }
diff --git a/roles/ansible_pull/templates/ansible-pull.service.j2 b/roles/ansible_pull/templates/ansible-pull.service.j2
index b344505..9607fc9 100644
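Review bot: `network_mode: host` replaces the explicit `ports: - "127.0.0.1:3000:3000"` mapping, so the container now shares the host's network namespace and the bind address is decided by the application rather than by compose; nothing in the new environment pins it to loopback, while the nginx change in this same commit only expects it on `127.0.0.1:8000`. If the image supports a listen-address setting, set it to loopback and state the reason for host networking in a comment; otherwise prefer keeping a loopback-only `ports:` mapping for 8000 and dropping `network_mode: host`, unless host networking is actually required to reach the CCU or to see real client addresses. The old `HMDOORIS_ALLOWED_IPS` and `HMDOORIS_REQUIRES_GROUP` have no `DOORIS_*` counterpart here, so the source-IP allowlist and the group requirement are either enforced elsewhere in the new image or dropped; either way that deserves a comment next to the environment block. Likewise no CCU-Jack URL or certificate setting appears, so how the CCU is located and whether its TLS is verified (the old config suppressed unverified-HTTPS warnings) cannot be told from this hunk, and the collapsed diff does not show whether `network_mode: host` sits at service level or was indented under `environment:`, where it would be a mere env var and nothing would reach nginx.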
--- a/roles/ansible_pull/templates/ansible-pull.service.j2
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
@@ -6,6 +6,7 @@ OnFailure=ansible-pull-failure-notify.service
 
 [Service]
 Type=oneshot
+TimeoutStartSec=30min
 Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
 ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
 ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml
diff --git a/roles/deploy_systemd_journal_config/files/10-ccchh.conf b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
index 3419fd9..eea3754 100644
--- a/roles/deploy_systemd_journal_config/files/10-ccchh.conf
+++ b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
@@ -1,3 +1,5 @@
 [Journal]
 MaxFileSec=2day
 MaxRetentionSec=2week
+
+ForwardToSyslog=no
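Review bot: `ForwardToSyslog=no` stops journald from handing messages to a local syslog daemon, so any host where log shipping (for example into the Loki instance deployed elsewhere in this repository) goes through rsyslog or a similar daemon rather than reading the journal directly loses its feed; this file is shipped by a role and presumably lands on every host that applies it, and the diff does not show how logs are collected. Confirm that collection reads from the journal, or that no syslog daemon is in use, before rolling this out, and record the motivation in the file, e.g. `# No syslog daemon in use; avoid double-writing every message` or whatever the actual reason is.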