CCCHH/ansible-infra
CCCHH/ansible-infra
3
2
Fork 2
Code Issues 7 Pull requests 5 Wiki Activity Actions

Compare commits

base: CCCHH:alloy
Branches Tags
CCCHH:main
CCCHH:renovate/https-github.com-ansible-ansible-lint-26.x
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/actions-checkout-6.x
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops
..
compare: CCCHH:main
Branches Tags
CCCHH:renovate/https-github.com-ansible-ansible-lint-26.x
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/actions-checkout-6.x
CCCHH:main
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops

17 commits
alloy ... main

Author SHA1 Message Date
Renovate
c638790819 Update all stable non-major dependencies
Some checks failed
/ Ansible Lint (pull_request) Failing after 2m31s
Details
/ Ansible Lint (push) Failing after 2m5s
Details
2026-01-12 02:30:47 +00:00
June
70461c98ba
 		first run ansible_pull for router, then for all other hosts
Some checks failed
/ Ansible Lint (push) Failing after 2m13s
Details 
Do this to avoid a restarting router affecting playbook runs on other
hosts.
 2026-01-12 03:29:06 +01:00
June
968e29ccb8
 		do v6-only for internal proxy protocol communication
Some checks failed
/ Ansible Lint (push) Failing after 2m5s
Details 
Since we want to do v6-only internally, only listen on v6 for proxy
protocol.
This is also needed as we only have set_real_ip_from pointing to a v6.
 2026-01-12 03:02:09 +01:00
June
255327952e
 		ntfy(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m59s
Details
2026-01-11 03:57:11 +01:00
June
1971598e71
 		pretalx(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
Details
2026-01-11 03:23:18 +01:00
June
372f264bcb
 		ccchoir(host): move to new network and hostname 2026-01-11 03:23:14 +01:00
June
2fbb37db18
 		grafana(host): move to new network and hostname 2026-01-11 03:23:01 +01:00
June
bb30e88404
 		router(host): allowlist only certain icmpv6 types
Some checks failed
/ Ansible Lint (push) Failing after 2m14s
Details
2026-01-11 00:29:16 +01:00
June
a41b07949c
 		zammad(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m56s
Details
2026-01-11 00:22:37 +01:00
June
ff550cbd8a
 		tickets(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 2m22s
Details
2026-01-11 00:00:18 +01:00
June
49e3ecb986
 		netbox(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 2m3s
Details
2026-01-09 03:05:29 +01:00
June
a622f21b54
 		renovate(host): move to new network and hostname 2026-01-07 18:46:27 +01:00
June
40b67c6bc3
 		sunders(host): move to new network and hostname 2026-01-07 18:46:16 +01:00
June
fbd3ea5496
 		base_config: disable cloud-init ssh module to avoid hostkey regeneration
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
Details 
It should run once on first boot anyway and since it apparently runs for
every change in the Proxmox cloud init config, disable it, so it
doesn't, since it's annoying to have "random" hostkey changes.
 2026-01-07 18:09:48 +01:00
June
80ddb2efc9
 		router: enable a DHCP server for the v4-NAT network as well 
As the hosts don't really need a static v4, just do DHCP.
 2026-01-07 17:25:27 +01:00
Stefan Bethke
a328e92971 Should be compatible with trixie/13
Some checks failed
/ Ansible Lint (push) Failing after 2m5s
Details
2026-01-03 14:03:26 +01:00
Stefan Bethke
25db54b8ad Make sure pip is installed 2026-01-03 14:02:56 +01:00
41 changed files with 116 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.forgejo/workflows/lint.yaml
View file

@ -24,7 +24,7 @@ jobs:
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@v25.11.0
uses: https://github.com/ansible/ansible-lint@v25.12.2
with:
setup_python: "false"
requirements_file: "requirements.yml"

2
inventories/chaosknoten/group_vars/all.yaml
View file

@ -3,7 +3,7 @@
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/chaosknoten
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min

2
inventories/chaosknoten/host_vars/netbox.yaml
View file

@ -1,5 +1,5 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
netbox__version: "v4.4.6"
netbox__version: "v4.5.0"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true

2
inventories/chaosknoten/host_vars/router.yaml
View file

@ -1,2 +1,4 @@
systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min

36
inventories/chaosknoten/hosts.yaml
View file

@ -1,9 +1,9 @@
all:
hosts:
ccchoir:
ansible_host: ccchoir-intern.hamburg.ccc.de
ansible_host: ccchoir.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
chaosknoten:
ansible_host: chaosknoten.hamburg.ccc.de
cloud:
@ -15,13 +15,13 @@ all:
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
grafana:
ansible_host: grafana-intern.hamburg.ccc.de
ansible_host: grafana.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
tickets:
ansible_host: tickets-intern.hamburg.ccc.de
ansible_host: tickets.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
keycloak:
ansible_host: keycloak.hosts.hamburg.ccc.de
ansible_user: chaos
@ -33,9 +33,9 @@ all:
ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos
netbox:
ansible_host: netbox-intern.hamburg.ccc.de
ansible_host: netbox.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
onlyoffice:
ansible_host: onlyoffice.hosts.hamburg.ccc.de
ansible_user: chaos
@ -45,9 +45,9 @@ all:
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
pretalx:
ansible_host: pretalx-intern.hamburg.ccc.de
ansible_host: pretalx.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos
@ -59,21 +59,21 @@ all:
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
zammad:
ansible_host: zammad-intern.hamburg.ccc.de
ansible_host: zammad.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ntfy:
ansible_host: ntfy-intern.hamburg.ccc.de
ansible_host: ntfy.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
sunders:
ansible_host: sunders-intern.hamburg.ccc.de
ansible_host: sunders.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
renovate:
ansible_host: renovate-intern.hamburg.ccc.de
ansible_host: renovate.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:

8
resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -43,12 +43,12 @@ server {
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

1
resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

10
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
View file

@ -2,7 +2,7 @@
services:
prometheus:
image: docker.io/prom/prometheus:v3.7.3
image: docker.io/prom/prometheus:v3.9.1
container_name: prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
@ -19,7 +19,7 @@ services:
- prom_data:/prometheus
alertmanager:
image: docker.io/prom/alertmanager:v0.29.0
image: docker.io/prom/alertmanager:v0.30.0
container_name: alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +32,7 @@ services:
- alertmanager_data:/alertmanager
grafana:
image: docker.io/grafana/grafana:12.3.0
image: docker.io/grafana/grafana:12.3.1
container_name: grafana
ports:
- 3000:3000
@ -46,7 +46,7 @@ services:
- graf_data:/var/lib/grafana
pve-exporter:
image: docker.io/prompve/prometheus-pve-exporter:3.5.5
image: docker.io/prompve/prometheus-pve-exporter:3.8.0
container_name: pve-exporter
ports:
- 9221:9221
@ -59,7 +59,7 @@ services:
- /dev/null:/etc/prometheus/pve.yml
loki:
image: docker.io/grafana/loki:3.6.0
image: docker.io/grafana/loki:3.6.3
container_name: loki
ports:
- 13100:3100

4
resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol;
listen [::]:8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
View file

@ -17,7 +17,6 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:50051 ssl;
listen 172.31.17.145:50051 ssl;
http2 on;
@ -59,7 +58,6 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;

1
resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
View file

@ -18,7 +18,6 @@ server {
server_name metrics.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;
client_body_buffer_size 512k;

1
resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
View file

@ -3,7 +3,6 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

1
resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
View file

@ -3,7 +3,6 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

1
resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
View file

@ -7,7 +7,6 @@ server {
##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

4
resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol;
listen [::]:8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
View file

@ -4,7 +4,7 @@
services:
onlyoffice:
image: docker.io/onlyoffice/documentserver:9.1.0
image: docker.io/onlyoffice/documentserver:9.2.1
restart: unless-stopped
volumes:
- "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

1
resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

2
resources/chaosknoten/pad/docker_compose/compose.yaml.j2
View file

@ -13,7 +13,7 @@ services:
restart: unless-stopped
app:
image: quay.io/hedgedoc/hedgedoc:1.10.3
image: quay.io/hedgedoc/hedgedoc:1.10.5
environment:
- "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
- "CMD_DOMAIN=pad.hamburg.ccc.de"

1
resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

6
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
View file

@ -23,7 +23,7 @@ services:
- pretalx_net
static:
image: docker.io/library/nginx:1.29.3
image: docker.io/library/nginx:1.29.4
restart: unless-stopped
volumes:
- public:/usr/share/nginx/html
@ -33,7 +33,7 @@ services:
- pretalx_net
pretalx:
image: docker.io/pretalx/standalone:v2025.1.0
image: docker.io/pretalx/standalone:v2025.2.2
entrypoint: gunicorn
command:
- "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
- pretalx_net
celery:
image: docker.io/pretalx/standalone:v2025.1.0
image: docker.io/pretalx/standalone:v2025.2.2
command:
- taskworker
restart: unless-stopped

4
resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

18
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -4,12 +4,12 @@ map $host $upstream_acme_challenge_host {
c3cat.de 172.31.17.151:31820;
www.c3cat.de 172.31.17.151:31820;
staging.c3cat.de 172.31.17.151:31820;
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
element.hamburg.ccc.de 172.31.17.151:31820;
git.hamburg.ccc.de 172.31.17.154:31820;
grafana.hamburg.ccc.de 172.31.17.145:31820;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
hackertours.hamburg.ccc.de 172.31.17.151:31820;
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
hamburg.ccc.de 172.31.17.151:31820;
@ -19,18 +19,18 @@ map $host $upstream_acme_challenge_host {
matrix.hamburg.ccc.de 172.31.17.150:31820;
mas.hamburg.ccc.de 172.31.17.150:31820;
element-admin.hamburg.ccc.de 172.31.17.151:31820;
netbox.hamburg.ccc.de 172.31.17.167:31820;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
staging.hamburg.ccc.de 172.31.17.151:31820;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
www.hamburg.ccc.de 172.31.17.151:31820;
tickets.hamburg.ccc.de 172.31.17.148:31820;
sunders.hamburg.ccc.de 172.31.17.170:31820;
zammad.hamburg.ccc.de 172.31.17.152:31820;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
eh03.easterhegg.eu 172.31.17.151:31820;
eh05.easterhegg.eu 172.31.17.151:31820;
eh07.easterhegg.eu 172.31.17.151:31820;
@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820;
cfp.eh22.easterhegg.eu 172.31.17.157:31820;
ntfy.hamburg.ccc.de 172.31.17.149:31820;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
cryptoparty-hamburg.de 172.31.17.151:31820;
cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
staging.cryptoparty-hamburg.de 172.31.17.151:31820;

20
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -18,21 +18,21 @@ stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
grafana.hamburg.ccc.de 172.31.17.145:8443;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.167:8443;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443;
mas.hamburg.ccc.de 172.31.17.150:8443;
element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,9 @@ stream {
hamburg.ccc.de 172.31.17.151:8443;
staging.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.hamburg.ccc.de 172.31.17.151:8443;
tickets.hamburg.ccc.de 172.31.17.148:8443;
sunders.hamburg.ccc.de 172.31.17.170:8443;
zammad.hamburg.ccc.de 172.31.17.152:8443;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
c3cat.de 172.31.17.151:8443;
www.c3cat.de 172.31.17.151:8443;
staging.c3cat.de 172.31.17.151:8443;
@ -90,8 +90,8 @@ stream {
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de 172.31.17.149:8443;
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
cryptoparty-hamburg.de 172.31.17.151:8443;
cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
staging.cryptoparty-hamburg.de 172.31.17.151:8443;

20
resources/chaosknoten/router/nftables/nftables.conf
View file

@ -39,13 +39,29 @@ table inet host {
ct state established,related accept
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
# Allow DHCP server access.
iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
}
}

6
resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
View file

@ -11,6 +11,12 @@ Description=v4-NAT
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address]
Address=10.32.2.1/24

2
resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
View file

@ -3,7 +3,7 @@
services:
db:
image: mariadb:12.0.2
image: mariadb:12.1.2
command: --max_allowed_packet=3250585600
environment:
MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"

4
resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

1
resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

1
resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

4
resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

48
roles/alloy/tasks/main.yaml
View file

@ -1,48 +0,0 @@
# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
- name: ensure alloy user exists
ansible.builtin.user:
name: alloy
system: true
append: true
create_home: false
state: present
- name: ensure the `/etc/alloy/` config directory exists
ansible.builtin.file:
path: /etc/alloy
state: directory
mode: "0770"
owner: root
group: alloy
become: true
- name: synchronize the additional configuration files directory, if present
when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
block:
- name: ensure rsync is installed
ansible.builtin.apt:
name: rsync
become: true
- name: synchronize the additional configuration files directory, if present
ansible.posix.synchronize:
src: "{{ alloy__additional_configs_dir }}"
dest: /etc/alloy/additional
delete: true
recursive: true
use_ssh_args: true
rsync_opts:
- "--chown=root:alloy"
become: true
- name: delete the additional configuration files directory, if not present
when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
ansible.builtin.file:
path: /etc/alloy/additional
state: absent
become: true
- name: Setup Alloy
ansible.builtin.import_role:
name: grafana.grafana.alloy
become: true

1
roles/ansible_pull/tasks/main.yaml
View file

@ -3,6 +3,7 @@
- name: ensure apt dependencies are installed
ansible.builtin.apt:
name:
- python3-pip
- virtualenv
- git
state: present

13
roles/base_config/tasks/main.yaml Normal file
View file

@ -0,0 +1,13 @@
# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
- name: check if cloud-init config file exists
ansible.builtin.stat:
path: /etc/cloud/cloud.cfg
register: base_config__stat_cloud_cfg
- name: ensure the cloud-init ssh module is disabled
ansible.builtin.replace:
path: /etc/cloud/cloud.cfg
regexp: " - ssh$"
replace: " #- ssh"
become: true
when: base_config__stat_cloud_cfg.stat.exists

1
roles/certbot/meta/main.yaml
View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- 11
- 12
- 13

1
roles/docker/meta/main.yaml
View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- 11
- 12
- 13

1
roles/dokuwiki/meta/main.yml
View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- 11
- 12
- 13

1
roles/nginx/meta/main.yaml
View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- "11"
- "12"
- "13"

1
roles/prometheus_node_exporter/meta/main.yaml
View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- "11"
- "12"
- "13"