Update all stable non-major dependencies

amcedns to enable Let's Encrypt DNS-01 challenges
Enable IPv6 by default
2026-01-25 21:45:52 +00:00 · 2026-01-25 22:41:42 +01:00 · 2026-01-25 22:40:36 +01:00 · 2026-01-25 22:40:36 +01:00 · 2026-01-25 22:36:30 +01:00
17 changed files with 507 additions and 23 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -34,6 +34,7 @@ keys:
        - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
        - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
        - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
        - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
    external:
      age: &host_external_age_keys
        - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
@ -57,6 +58,12 @@ creation_rules:
          *admin_gpg_keys
  ## host vars
  # chaosknoten hosts
  - path_regex: inventories/chaosknoten/host_vars/acmedns.*
    key_groups:
      - pgp:
          *admin_gpg_keys
        age:
          - *host_acmedns_ansible_pull_age_key
  - path_regex: inventories/chaosknoten/host_vars/cloud.*
    key_groups:
      - pgp:
--- a/inventories/chaosknoten/host_vars/acmedns.sops.yaml
+++ b/inventories/chaosknoten/host_vars/acmedns.sops.yaml
@ -0,0 +1,214 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
 secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
 secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
 sops:
  age:
    - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
        TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
        VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
        bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
        WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2026-01-25T16:16:15Z"
  mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
  pgp:
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
        rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
        Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
        m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
        rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
        den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
        GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
        xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
        /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
        oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
        W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
        aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
        wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
        PPvkTEc7AdD6
        =GWYV
        -----END PGP MESSAGE-----
      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
        DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
        HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
        qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
        XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
        gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
        0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
        0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
        A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
        SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
        iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
        XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
        2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
        =5SxJ
        -----END PGP MESSAGE-----
      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
        S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
        eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
        CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
        7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
        rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
        tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
        9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
        DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
        V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
        BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
        XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
        A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
        =H3mo
        -----END PGP MESSAGE-----
      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
        QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
        SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
        yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
        lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
        o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
        VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
        QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
        oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
        WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
        RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
        XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
        Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
        =bY3Q
        -----END PGP MESSAGE-----
      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
        5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
        0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
        wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
        =C2Ii
        -----END PGP MESSAGE-----
      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
        LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
        efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
        lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
        FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
        FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
        hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
        LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
        LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
        XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
        FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
        XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
        M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
        =/EHL
        -----END PGP MESSAGE-----
      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
        cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
        1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
        jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
        glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
        yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
        sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
        Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
        TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
        3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
        NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
        XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
        ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
        =WwLj
        -----END PGP MESSAGE-----
      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
        rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
        DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
        k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
        NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
        1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
        QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
        fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
        TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
        ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
        1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
        XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
        gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
        =Bk3g
        -----END PGP MESSAGE-----
      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
        FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
        0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
        Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
        =xd/t
        -----END PGP MESSAGE-----
      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
        /rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
        0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
        zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
        =9oyC
        -----END PGP MESSAGE-----
      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
    - created_at: "2026-01-25T14:20:25Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
        /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
        OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
        U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
        HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
        +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
        O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
        H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
        hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
        96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
        XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
        aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
        30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
        9iHTzz6Gpajo
        =bBZ5
        -----END PGP MESSAGE-----
      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
  unencrypted_suffix: _unencrypted
  version: 3.11.0
--- a/inventories/chaosknoten/host_vars/acmedns.yaml
+++ b/inventories/chaosknoten/host_vars/acmedns.yaml
@ -0,0 +1,23 @@
 ---
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
 docker_compose__configuration_files:
  - name: acmedns.cfg
    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
  - name: oauth2-proxy.cfg
    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
  - name: html/index.html
    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
 docker_compose__pull: missing
 certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
  # - "spaceapi.ccc.de" # after DNS has been adjusted
  - "acmedns.hamburg.ccc.de"
 certbot__new_cert_commands:
  - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
  - name: acmedns.hamburg.ccc.de
    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -78,11 +78,16 @@ all:
      ansible_host: spaceapiccc.hosts.hamburg.ccc.de
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    acmedns:
      ansible_host: acmedns.hosts.hamburg.ccc.de
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
  hosts:
    chaosknoten:
 base_config_hosts:
  hosts:
    acmedns:
    ccchoir:
    cloud:
    eh22-wiki:
@ -110,7 +115,8 @@ nftables_hosts:
  hosts:
    router:
 docker_compose_hosts:
-  hosts:
+  hosts: 
    acmedns:
    ccchoir:
    grafana:
    tickets:
@ -128,6 +134,7 @@ nextcloud_hosts:
    cloud:
 nginx_hosts:
  hosts:
    acmedns:
    ccchoir:
    eh22-wiki:
    grafana:
@ -150,6 +157,7 @@ public_reverse_proxy_hosts:
    public-reverse-proxy:
 certbot_hosts:
  hosts:
    acmedns:
    ccchoir:
    eh22-wiki:
    grafana:
--- a/inventories/z9/host_vars/light.yaml
+++ b/inventories/z9/host_vars/light.yaml
@ -50,10 +50,22 @@ ola__configs:
    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
  - name: ola-usbserial
    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
 nginx__version_spec: ""
 nginx__deploy_redirect_conf: false
 nginx__configurations:
  - name: light
    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
  - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"
+    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
 certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
  - "light-werkstatt.ccchh.net"
  - "light.ccchh.net"
  - "light.z9.ccchh.net"
 certbot__new_cert_commands:
  - "systemctl reload nginx.service"
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -20,6 +20,7 @@ all:
 certbot_hosts:
  hosts:
    dooris:
    light:
 docker_compose_hosts:
  hosts:
    dooris:
--- a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
@ -0,0 +1,27 @@
 # https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
 [general]
 protocol = "both"
 domain = "auth.acmedns.hamburg.ccc.de"
 nsname = "acmedns.hosts.hamburg.ccc.de"
 nsadmin = "noc.lists.hamburg.ccc.de"
 records = [
    "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
    "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
 ]
 [database]
 engine = "sqlite3"
 connection = "/var/lib/acme-dns/acme-dns.db"
 [api]
 ip = "0.0.0.0"
 port = "80"
 tls = "none"
 corsorigins = [
    "*"
 ]
 [logconfig]
 loglevel = "debug"
 logtype = "stdout"
 logformat = "text"
--- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@ -0,0 +1,22 @@
 ---
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
      - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
    restart: unless-stopped
    ports:
      - 4180:4180
  acmedns:
    image: docker.io/joohoi/acme-dns:latest
    ports:
      - "[::]:53:53"
      - "[::]:53:53/udp"
      - 8080:80
    volumes:
      - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
      - ./data/acmedns:/var/lib/acme-dns
--- a/resources/chaosknoten/acmedns/docker_compose/index.html.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2
@ -0,0 +1,63 @@
 <html>
 <head>
 <title>ACME DNS Register</title>
 <style>
 table, tr, th, td {
    border-collapse: collapse;
    border: 1px solid black;
 }
 th, td {
    padding: 2px 4px;
 }
 th {
    text-align: left;
 }
 </style>
 </head>
 <body>
 <h1>Register an Entry in ACME DNS</h1>
 <p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
 <p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
 <p><button id="register">Register a new entry</button></p>
 <table id="results" style="display: none">
 <tr>
    <th>Full Domain</th><td id="fulldomain">foo</td>
 </tr>
 <tr>
    <th>Sub Domain</th><td id="subdomain">foo</td>
 </tr>
 <tr>
    <th>Username</th><td id="username">foo</td>
 </tr>
 <tr>
    <th>Password</th><td id="password">foo</td>
 </tr>
 </table>
 <script>
 document.getElementById("register").addEventListener("click", (event) => {
    const register = async () => {
        const response = await fetch("/register", {
            method: "POST"
        });
        if (!response.ok) {
            console.log(response);
            alert("Unable to register a new entry.");
            return;
        }
        const registration = await response.json()
        for (const key in registration) {
            const e = document.getElementById(key);
            if (e !== null) {
                e.innerText = registration[key];
            }
        }
        document.getElementById("results").style.display = "block";
    }
    register();
 });
 </script>
 </body>
--- a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
@ -0,0 +1,13 @@
 reverse_proxy = true
 http_address="0.0.0.0:4180"
 cookie_secret="{{ secret__oidc_cookie_secret }}"
 email_domains="*"
 # dex provider
 oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
 provider="oidc"
 provider_display_name="CCCHH ID"
 client_id="acmedns"
 client_secret="{{ secret__oidc_client_secret }}"
 redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"
--- a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
@ -0,0 +1,83 @@
 # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
    server_name acmedns.hamburg.ccc.de;
    root /ansible_docker_compose/configs/html/;
    ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Port 443;
    # This is https in any case.
    proxy_set_header X-Forwarded-Proto https;
    # Hide the X-Forwarded header.
    proxy_hide_header X-Forwarded;
    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
    # is transparent).
    # Also provide "_hidden" for by, since it's not relevant.
    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
    proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
    port_in_redirect off;
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }
    location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-Uri  $request_uri;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
    }
    location = / {
        auth_request /oauth2/auth;
        error_page 401 = @oauth2_signin;
        index index.html;
    }
    location = /register {
        auth_request /oauth2/auth;
        error_page 401 = @oauth2_signin;
        proxy_pass http://127.0.0.1:8080/register;
    }
    location = /update { # no auth by proxy required
        proxy_pass http://127.0.0.1:8080/update;
    }
    location @oauth2_signin {
        return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
    }
 }
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -82,6 +82,7 @@ map $host $upstream_acme_challenge_host {
    spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
    cpuccc.hamburg.ccc.de 172.31.17.151:31820;
    cpu.ccc.de 172.31.17.151:31820;
    acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
    default "";
 }
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -100,6 +100,7 @@ stream {
        spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
        cpuccc.hamburg.ccc.de 172.31.17.151:8443;
        cpu.ccc.de 172.31.17.151:8443;
        acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
    }
    server {
--- a/resources/z9/light/nginx/http_handler.conf
+++ b/resources/z9/light/nginx/http_handler.conf
@ -1,14 +1,12 @@
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location /.well-known/acme-challenge/ {
        autoindex on;
        root /webroot-for-acme-challenge;
    }
    location / {
        return 301 https://$host$request_uri;
    }
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
    }
 }
--- a/resources/z9/light/nginx/light.conf
+++ b/resources/z9/light/nginx/light.conf
@ -1,15 +1,16 @@
 # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    http2 on;
    server_name light-werkstatt.ccchh.net;
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
    # replace with the IP address of your resolver
    resolver 10.31.208.1;
@ -25,15 +26,16 @@ server {
 }
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    http2 on;
-    server_name light.z9.ccchh.net ;
+    server_name light.z9.ccchh.net;
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
    location / {
        return 307 https://light.ccchh.net$request_uri;
@ -41,8 +43,9 @@ server {
 }
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    http2 on;
    server_name light.ccchh.net;
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@ -2,5 +2,13 @@
    "log-driver": "journald",
    "log-opts": {
        "tag": "{{.Name}}"
    },
    "ipv6": true,
    "ip6tables": true,
    "fixed-cidr-v6": "fd00:1::/64",
    "default-network-opts": {
        "bridge": {
            "com.docker.network.enable_ipv6":"true"
        }
    }
 }
--- a/roles/nginx/tasks/main/02_repo_setup.yaml
+++ b/roles/nginx/tasks/main/02_repo_setup.yaml
@ -15,13 +15,13 @@
 - name: Ensure NGINX APT repository is added
  ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
    state: present
  become: true
 - name: Ensure NGINX APT source repository is added
  ansible.builtin.apt_repository:
-    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
    state: present
  become: true
Author	SHA1	Message	Date
Renovate	3a2a68e789	Update all stable non-major dependencies Some checks failed / Ansible Lint (push) Failing after 44s Details / Ansible Lint (pull_request) Failing after 44s Details	2026-01-25 21:45:52 +00:00
Stefan Bethke	0f3cd2c70a	amcedns to enable Let's Encrypt DNS-01 challenges Some checks failed / Ansible Lint (push) Failing after 38s Details	2026-01-25 22:41:42 +01:00
Stefan Bethke	c33ae36af3	Enable IPv6 by default	2026-01-25 22:40:36 +01:00
Stefan Bethke	2cd0811b29	Fix warning	2026-01-25 22:40:36 +01:00
chris	6a92aa68c1	light: fix tls cert expiring and not renewing Some checks failed / Ansible Lint (push) Failing after 39s Details	2026-01-25 22:36:30 +01:00