Update all stable non-major dependencies

first run ansible_pull for router, then for all other hosts
Do this to avoid a restarting router affecting playbook runs on other hosts.
2026-01-12 02:30:47 +00:00 · 2026-01-12 03:29:06 +01:00 · 2026-01-12 03:02:09 +01:00 · 2026-01-11 03:57:11 +01:00 · 2026-01-11 03:23:18 +01:00 · 2026-01-11 03:23:14 +01:00
40 changed files with 116 additions and 84 deletions
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -24,7 +24,7 @@ jobs:
      # work in our environmnet.
      # Rather manually setup python (pip) before instead.
      - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v25.11.0
+        uses: https://github.com/ansible/ansible-lint@v25.12.2
        with:
          setup_python: "false"
          requirements_file: "requirements.yml"
--- a/inventories/chaosknoten/group_vars/all.yaml
+++ b/inventories/chaosknoten/group_vars/all.yaml
@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.4.6"
+netbox__version: "v4.5.0"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ b/inventories/chaosknoten/host_vars/router.yaml
@ -1,2 +1,4 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
 nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
 ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__timer_randomized_delay_sec: 0min
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -1,9 +1,9 @@
 all:
  hosts:
    ccchoir:
-      ansible_host: ccchoir-intern.hamburg.ccc.de
+      ansible_host: ccchoir.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    chaosknoten:
      ansible_host: chaosknoten.hamburg.ccc.de
    cloud:
@ -15,13 +15,13 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    grafana:
-      ansible_host: grafana-intern.hamburg.ccc.de
+      ansible_host: grafana.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    tickets:
-      ansible_host: tickets-intern.hamburg.ccc.de
+      ansible_host: tickets.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    keycloak:
      ansible_host: keycloak.hosts.hamburg.ccc.de
      ansible_user: chaos
@ -33,9 +33,9 @@ all:
      ansible_host: mumble.hamburg.ccc.de
      ansible_user: chaos
    netbox:
-      ansible_host: netbox-intern.hamburg.ccc.de
+      ansible_host: netbox.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    onlyoffice:
      ansible_host: onlyoffice.hosts.hamburg.ccc.de
      ansible_user: chaos
@ -45,9 +45,9 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    pretalx:
-      ansible_host: pretalx-intern.hamburg.ccc.de
+      ansible_host: pretalx.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    public-reverse-proxy:
      ansible_host: public-reverse-proxy.hamburg.ccc.de
      ansible_user: chaos
@ -59,21 +59,21 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    zammad:
-      ansible_host: zammad-intern.hamburg.ccc.de
+      ansible_host: zammad.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    ntfy:
-      ansible_host: ntfy-intern.hamburg.ccc.de
+      ansible_host: ntfy.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    sunders:
-      ansible_host: sunders-intern.hamburg.ccc.de
+      ansible_host: sunders.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    renovate:
-      ansible_host: renovate-intern.hamburg.ccc.de
+      ansible_host: renovate.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
  hosts:
    chaosknoten:
--- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
+++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
@ -43,12 +43,12 @@ server {
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@ -2,7 +2,7 @@
 services:
  prometheus:
-    image: docker.io/prom/prometheus:v3.7.3
+    image: docker.io/prom/prometheus:v3.9.1
    container_name: prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
@ -19,7 +19,7 @@ services:
      - prom_data:/prometheus
  alertmanager:
-    image: docker.io/prom/alertmanager:v0.29.0
+    image: docker.io/prom/alertmanager:v0.30.0
    container_name: alertmanager
    command:
      - '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +32,7 @@ services:
      - alertmanager_data:/alertmanager
  grafana:
-    image: docker.io/grafana/grafana:12.3.0
+    image: docker.io/grafana/grafana:12.3.1
    container_name: grafana
    ports:
      - 3000:3000
@ -46,7 +46,7 @@ services:
      - graf_data:/var/lib/grafana
  pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.5.5
+    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
    container_name: pve-exporter
    ports:
      - 9221:9221
@ -59,7 +59,7 @@ services:
      - /dev/null:/etc/prometheus/pve.yml
  loki:
-    image: docker.io/grafana/loki:3.6.0
+    image: docker.io/grafana/loki:3.6.3
    container_name: loki
    ports:
      - 13100:3100
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@ -17,7 +17,6 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:50051 ssl;
    listen 172.31.17.145:50051 ssl;
    http2 on;
@ -59,7 +58,6 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
--- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
@ -18,7 +18,6 @@ server {
    server_name metrics.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
    client_body_buffer_size 512k;
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@ -3,7 +3,6 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@ -3,7 +3,6 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -7,7 +7,6 @@ server {
    ##listen [::]:443 ssl http2;
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
@ -4,7 +4,7 @@
 services:
  onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.1.0
+    image: docker.io/onlyoffice/documentserver:9.2.1
    restart: unless-stopped
    volumes:
      - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
@ -13,7 +13,7 @@ services:
    restart: unless-stopped
  app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.3
+    image: quay.io/hedgedoc/hedgedoc:1.10.5
    environment:
      - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
      - "CMD_DOMAIN=pad.hamburg.ccc.de"
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@ -23,7 +23,7 @@ services:
      - pretalx_net
  static:
-    image: docker.io/library/nginx:1.29.3
+    image: docker.io/library/nginx:1.29.4
    restart: unless-stopped
    volumes:
      - public:/usr/share/nginx/html
@ -33,7 +33,7 @@ services:
      - pretalx_net
  pretalx:
-    image: docker.io/pretalx/standalone:v2025.1.0
+    image: docker.io/pretalx/standalone:v2025.2.2
    entrypoint: gunicorn
    command:
      - "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
      - pretalx_net
  celery:
-    image: docker.io/pretalx/standalone:v2025.1.0
+    image: docker.io/pretalx/standalone:v2025.2.2
    command:
      - taskworker
    restart: unless-stopped
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -4,12 +4,12 @@ map $host $upstream_acme_challenge_host {
    c3cat.de 172.31.17.151:31820;
    www.c3cat.de 172.31.17.151:31820;
    staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
    cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
    element.hamburg.ccc.de 172.31.17.151:31820;
    git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de 172.31.17.145:31820;
+    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
    hackertours.hamburg.ccc.de 172.31.17.151:31820;
    staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
    hamburg.ccc.de 172.31.17.151:31820;
@ -19,18 +19,18 @@ map $host $upstream_acme_challenge_host {
    matrix.hamburg.ccc.de 172.31.17.150:31820;
    mas.hamburg.ccc.de 172.31.17.150:31820;
    element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de 172.31.17.167:31820;
+    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
    onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
    pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
-    pretalx.hamburg.ccc.de 172.31.17.157:31820;
+    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
    spaceapi.hamburg.ccc.de 172.31.17.151:31820;
    staging.hamburg.ccc.de 172.31.17.151:31820;
    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
    www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de 172.31.17.148:31820;
+    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
-    sunders.hamburg.ccc.de 172.31.17.170:31820;
+    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
-    zammad.hamburg.ccc.de 172.31.17.152:31820;
+    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
    eh03.easterhegg.eu 172.31.17.151:31820;
    eh05.easterhegg.eu 172.31.17.151:31820;
    eh07.easterhegg.eu 172.31.17.151:31820;
@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
    design.hamburg.ccc.de 172.31.17.162:31820;
    hydra.hamburg.ccc.de 172.31.17.163:31820;
    cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de 172.31.17.149:31820;
+    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
    cryptoparty-hamburg.de 172.31.17.151:31820;
    cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
    staging.cryptoparty-hamburg.de 172.31.17.151:31820;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -18,21 +18,21 @@ stream {
    resolver 212.12.50.158 192.76.134.90;
    map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
+        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        grafana.hamburg.ccc.de 172.31.17.145:8443;
+        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
        onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
        hackertours.hamburg.ccc.de 172.31.17.151:8443;
        staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de 172.31.17.167:8443;
+        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
        matrix.hamburg.ccc.de 172.31.17.150:8443;
        mas.hamburg.ccc.de 172.31.17.150:8443;
        element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,9 @@ stream {
        hamburg.ccc.de 172.31.17.151:8443;
        staging.hamburg.ccc.de 172.31.17.151:8443;
        spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de 172.31.17.148:8443;
+        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
-        sunders.hamburg.ccc.de 172.31.17.170:8443;
+        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
-        zammad.hamburg.ccc.de 172.31.17.152:8443;
+        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
        c3cat.de 172.31.17.151:8443;
        www.c3cat.de 172.31.17.151:8443;
        staging.c3cat.de 172.31.17.151:8443;
@ -90,8 +90,8 @@ stream {
        woodpecker.hamburg.ccc.de 172.31.17.160:8443;
        design.hamburg.ccc.de 172.31.17.162:8443;
        hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
+        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de 172.31.17.149:8443;
+        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
        cryptoparty-hamburg.de 172.31.17.151:8443;
        cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
        staging.cryptoparty-hamburg.de 172.31.17.151:8443;
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@ -39,13 +39,29 @@ table inet host {
        ct state established,related accept
 		ip protocol icmp accept
-		ip6 nexthdr icmpv6 accept
+        # ICMPv6
        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
        # Error messages that are essential to the establishment and maintenance of communications:
        icmpv6 type { destination-unreachable, packet-too-big } accept
        icmpv6 type { time-exceeded } accept
        icmpv6 type { parameter-problem } accept
        # Connectivity checking messages:
        icmpv6 type { echo-request, echo-reply } accept
        # Address Configuration and Router Selection messages:
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
        # Link-Local Multicast Receiver Notification messages:
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        # SEND Certificate Path Notification messages:
        icmpv6 type { 148, 149 } accept
        # Multicast Router Discovery messages:
        icmpv6 type { 151, 152, 153 } accept
        # Allow SSH access.
        tcp dport 22 accept comment "allow ssh access"
        # Allow DHCP server access.
-		iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
+		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
    }
 }
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
@ -11,6 +11,12 @@ Description=v4-NAT
 # Masquerading done in nftables (nftables.conf).
 IPv6SendRA=yes
 DHCPServer=true
 [DHCPServer]
 PoolOffset=100
 PoolSize=150
 [Address]
 Address=10.32.2.1/24
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@ -3,7 +3,7 @@
 services:
  db:
-    image: mariadb:12.0.2
+    image: mariadb:12.1.2
    command: --max_allowed_packet=3250585600
    environment:
      MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@ -3,6 +3,7 @@
    - name: ensure apt dependencies are installed
      ansible.builtin.apt:
        name:
          - python3-pip
          - virtualenv
          - git
        state: present
--- a/roles/base_config/tasks/main.yaml
+++ b/roles/base_config/tasks/main.yaml
@ -0,0 +1,13 @@
 # Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
 - name: check if cloud-init config file exists
  ansible.builtin.stat:
    path: /etc/cloud/cloud.cfg
  register: base_config__stat_cloud_cfg
 - name: ensure the cloud-init ssh module is disabled
  ansible.builtin.replace:
    path: /etc/cloud/cloud.cfg
    regexp: " - ssh$"
    replace: " #- ssh"
  become: true
  when: base_config__stat_cloud_cfg.stat.exists
--- a/roles/certbot/meta/main.yaml
+++ b/roles/certbot/meta/main.yaml
@ -7,3 +7,4 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/docker/meta/main.yaml
+++ b/roles/docker/meta/main.yaml
@ -7,3 +7,4 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/dokuwiki/meta/main.yml
+++ b/roles/dokuwiki/meta/main.yml
@ -7,3 +7,4 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/nginx/meta/main.yaml
+++ b/roles/nginx/meta/main.yaml
@ -7,3 +7,4 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ b/roles/prometheus_node_exporter/meta/main.yaml
@ -7,3 +7,4 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"
Author	SHA1	Message	Date
Renovate	c638790819	Update all stable non-major dependencies Some checks failed / Ansible Lint (pull_request) Failing after 2m31s Details / Ansible Lint (push) Failing after 2m5s Details	2026-01-12 02:30:47 +00:00
June	70461c98ba	first run ansible_pull for router, then for all other hosts Some checks failed / Ansible Lint (push) Failing after 2m13s Details Do this to avoid a restarting router affecting playbook runs on other hosts.	2026-01-12 03:29:06 +01:00
June	968e29ccb8	do v6-only for internal proxy protocol communication Some checks failed / Ansible Lint (push) Failing after 2m5s Details Since we want to do v6-only internally, only listen on v6 for proxy protocol. This is also needed as we only have set_real_ip_from pointing to a v6.	2026-01-12 03:02:09 +01:00
June	255327952e	ntfy(host): move to new network and hostname Some checks failed / Ansible Lint (push) Failing after 1m59s Details	2026-01-11 03:57:11 +01:00
June	1971598e71	pretalx(host): move to new network and hostname Some checks failed / Ansible Lint (push) Failing after 1m55s Details	2026-01-11 03:23:18 +01:00
June	372f264bcb	ccchoir(host): move to new network and hostname	2026-01-11 03:23:14 +01:00
June	2fbb37db18	grafana(host): move to new network and hostname	2026-01-11 03:23:01 +01:00
June	bb30e88404	router(host): allowlist only certain icmpv6 types Some checks failed / Ansible Lint (push) Failing after 2m14s Details	2026-01-11 00:29:16 +01:00
June	a41b07949c	zammad(host): move to new network and hostname Some checks failed / Ansible Lint (push) Failing after 1m56s Details	2026-01-11 00:22:37 +01:00
June	ff550cbd8a	tickets(host): move to new network and hostname Some checks failed / Ansible Lint (push) Failing after 2m22s Details	2026-01-11 00:00:18 +01:00
June	49e3ecb986	netbox(host): move to new network and hostname Some checks failed / Ansible Lint (push) Failing after 2m3s Details	2026-01-09 03:05:29 +01:00
June	a622f21b54	renovate(host): move to new network and hostname	2026-01-07 18:46:27 +01:00
June	40b67c6bc3	sunders(host): move to new network and hostname	2026-01-07 18:46:16 +01:00
June	fbd3ea5496	base_config: disable cloud-init ssh module to avoid hostkey regeneration Some checks failed / Ansible Lint (push) Failing after 1m55s Details It should run once on first boot anyway and since it apparently runs for every change in the Proxmox cloud init config, disable it, so it doesn't, since it's annoying to have "random" hostkey changes.	2026-01-07 18:09:48 +01:00
June	80ddb2efc9	router: enable a DHCP server for the v4-NAT network as well As the hosts don't really need a static v4, just do DHCP.	2026-01-07 17:25:27 +01:00
Stefan Bethke	a328e92971	Should be compatible with trixie/13 Some checks failed / Ansible Lint (push) Failing after 2m5s Details	2026-01-03 14:03:26 +01:00
Stefan Bethke	25db54b8ad	Make sure pip is installed	2026-01-03 14:02:56 +01:00