Update all stable non-major dependencies

.forgejo/workflows/lint.yaml

@@ -24,7 +24,7 @@ jobs:
       # work in our environmnet.
       # Rather manually setup python (pip) before instead.
       - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v26.3.0
+        uses: https://github.com/ansible/ansible-lint@v26.4.0
         with:
           setup_python: "false"
           requirements_file: "requirements.yml"

inventories/chaosknoten/host_vars/netbox.yaml

@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.5"
+netbox__version: "v4.5.9"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
 

resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2

@@ -2,7 +2,7 @@
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

resources/chaosknoten/grafana/docker_compose/compose.yaml.j2

@@ -2,7 +2,7 @@
 services:
 
   prometheus:
-    image: docker.io/prom/prometheus:v3.10.0
+    image: docker.io/prom/prometheus:v3.11.3
     container_name: prometheus
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
@@ -19,7 +19,7 @@ services:
       - prom_data:/prometheus
 
   alertmanager:
-    image: docker.io/prom/alertmanager:v0.31.1
+    image: docker.io/prom/alertmanager:v0.32.1
     container_name: alertmanager
     command:
       - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -32,7 +32,7 @@ services:
       - alertmanager_data:/alertmanager
 
   grafana:
-    image: docker.io/grafana/grafana:12.4.2
+    image: docker.io/grafana/grafana:12.4.3
     container_name: grafana
     ports:
       - 3000:3000
@@ -46,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.2
+    image: docker.io/prompve/prometheus-pve-exporter:3.8.3
     container_name: pve-exporter
     ports:
       - 9221:9221

resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2

@@ -22,7 +22,7 @@
 
 services:
   keycloak:
-    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0
     pull_policy: always
     restart: unless-stopped
     command: start --optimized

resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2

@@ -1,7 +1,7 @@
 ---
 services:
   ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.20.1
+    image: docker.io/binwiederhier/ntfy:v2.22.0
     container_name: ntfy
     command:
       - serve

resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2

@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.29.7
+    image: docker.io/library/nginx:1.30.0
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html

roles/base_config/meta/main.yaml

@@ -2,3 +2,4 @@
 dependencies:
   - role: deploy_ssh_server_config
   - role: deploy_systemd_journal_config
+  - role: deploy_systemd_resolved_config

roles/deploy_systemd_resolved_config/README.md

@@ -0,0 +1,21 @@
+# Role `deploy_systemd_resolved_config`
+
+A role for deploying a minimal configuration for [systemd-resolved](https://man.archlinux.org/man/systemd-resolved.8) or alternatively completely disabling it.
+
+!! Note
+If systemd-resolved is disabled, the configuration is instead rendered directly into `/etc/resolv.conf` to ensure a node does not accidentally lose name resolving capabilities.
+
+## Optional Arguments
+
+- `deploy_systemd_resolved_config__enable` (defaults to `true`) decides whether systemd-resolved should be enabled or disabled.
+
+- `deploy_systemd_resolved_config__mode` (defaults to `stub`) controls which compatibility mode is used for `/etc/resolv.conf` when systemd-resolved is enabled. See [man systemd-resolved(8)](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF).
+
+- `deploy_systemd_resolved_config__dns` is the list of primary DNS servers that will be configured. If e.g. a specific link configures other DNS servers, they will take precedence.
+
+- `deploy_systemd_resolved_config__fallback_dns` (defaults to Quad9) is the list of fallback DNS servers. If, at runtime, none of the configured primary DNS servers are reachable, these servers will be used as fallback.
+
+## Hosts
+
+This role is included as a dependency to [base_config](../base_config/) and therefore does not need to be explicitly pulled in.
+

roles/deploy_systemd_resolved_config/defaults/main.yaml

@@ -0,0 +1,9 @@
+---
+deploy_systemd_resolved_config__enable: true
+deploy_systemd_resolved_config__mode: "stub"
+deploy_systemd_resolved_config__dns: [ ]
+deploy_systemd_resolved_config__fallback_dns:
+  - "9.9.9.9"
+  - "149.112.112.112"
+  - "2620:fe::fe"
+  - "2620:fe::9"

roles/deploy_systemd_resolved_config/handlers/main.yaml

@@ -0,0 +1,7 @@
+---
+- name: "reload systemd-resolved"
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  ansible.builtin.systemd:
+    name: "systemd-resolved.service"
+    state: "restarted"

roles/deploy_systemd_resolved_config/meta/argument_specs.yaml

@@ -0,0 +1,21 @@
+---
+argument_specs:
+  main:
+    options:
+      deploy_systemd_resolved_config__enable:
+        description: "Whether systemd-resolved should be enabled or disabled"
+        type: bool
+        required: false
+      deploy_systemd_resolved_config__mode:
+        description: "Which /etc/resolv.conf compatibility mode should be configured"
+        type: str
+        required: false
+        choices: [ "stub", "static-stub", "passthru", "extern" ]
+      deploy_systemd_resolved_config__dns:
+        description: "A list of DNS servers that will be configured as default dns servers"
+        type: list
+        required: false
+      deploy_systemd_resolved_config__fallback_dns:
+        description: "A list of fallback DNS servers that will be configured"
+        type: list
+        required: false

roles/deploy_systemd_resolved_config/tasks/disable.yaml

@@ -0,0 +1,25 @@
+---
+- name: Ensure /etc/resolv.conf is a plain file
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  ansible.builtin.file:
+    path: "/etc/resolv.conf"
+    state: file
+
+- name: Write nameserver config directly into /etc/resolv.conf
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  ansible.builtin.template:
+    src: "resolv.conf.j2"
+    dest: "/etc/resolv.conf"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Disable systemd-resolved
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  ansible.builtin.systemd:
+    name: "systemd-resolved.service"
+    state: stopped
+    enabled: false

roles/deploy_systemd_resolved_config/tasks/enable.yaml

@@ -0,0 +1,36 @@
+---
+- name: Deploy systemd-resolved config
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  notify: "reload systemd-resolved"
+  ansible.builtin.template:
+    src: resolved.conf.j2
+    dest: /etc/systemd/resolved.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Make /etc/resolv.conf points to systemd-resolved
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  when: deploy_systemd_resolved_config__mode != "extern"
+  ansible.builtin.file: # noqa: jinja
+    path: /etc/resolv.conf
+    state: link
+    force: true
+    src: >-
+      {%- if deploy_systemd_resolved_config__mode == "stub" -%}
+      /run/systemd/resolve/stub-resolv.conf
+      {%- elif deploy_systemd_resolved_config__mode == "static-stub" -%}
+      /usr/lib/systemd/resolv.conf
+      {%- elif deploy_systemd_resolved_config__mode == "passthru" -%}
+      /run/systemd/resolve/resolv.conf
+      {%- endif -%}
+
+- name: Ensure systemd-resolved is running and enabled
+  tags: [ "deploy_systemd_resolved_config" ]
+  become: true
+  ansible.builtin.systemd:
+    name: systemd-resolved.service
+    state: started
+    enabled: true

roles/deploy_systemd_resolved_config/tasks/main.yaml

@@ -0,0 +1,10 @@
+---
+- name: Include enable.yaml
+  tags: [ "deploy_systemd_resolved_config" ]
+  ansible.builtin.include_tasks: enable.yaml
+  when: deploy_systemd_resolved_config__enable
+
+- name: Include disable.yaml
+  tags: [ "deploy_systemd_resolved_config" ]
+  ansible.builtin.include_tasks: disable.yaml
+  when: not deploy_systemd_resolved_config__enable

roles/deploy_systemd_resolved_config/templates/resolv.conf.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+{% for i in deploy_systemd_resolved_config__dns %}
+nameserver {{ i }}
+{% endfor %}
+
+{% for i in deploy_systemd_resolved_config__fallback_dns %}
+nameserver {{ i }}
+{% endfor %}
+
+options edns0

roles/deploy_systemd_resolved_config/templates/resolved.conf.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+# Since the config supports drop-in files,
+# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS={{ deploy_systemd_resolved_config__dns | join(" ") }}
+FallbackDNS={{ deploy_systemd_resolved_config__fallback_dns | join(" ") }}
+