From 25db54b8ad8314aeb35af0d7775e87c40a9239a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:02:56 +0100 Subject: [PATCH 01/33] Make sure pip is installed --- roles/ansible_pull/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml index 5abcd10..61a2635 100644 --- a/roles/ansible_pull/tasks/main.yaml +++ b/roles/ansible_pull/tasks/main.yaml @@ -3,6 +3,7 @@ - name: ensure apt dependencies are installed ansible.builtin.apt: name: + - python3-pip - virtualenv - git state: present From a328e9297102af66721951500cd90bedabb385a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:03:26 +0100 Subject: [PATCH 02/33] Should be compatible with trixie/13 --- roles/certbot/meta/main.yaml | 1 + roles/docker/meta/main.yaml | 1 + roles/dokuwiki/meta/main.yml | 1 + roles/nginx/meta/main.yaml | 1 + roles/prometheus_node_exporter/meta/main.yaml | 1 + 5 files changed, 5 insertions(+) diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml index b4a1c6f..9b678e9 100644 --- a/roles/certbot/meta/main.yaml +++ b/roles/certbot/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml index b4a1c6f..9b678e9 100644 --- a/roles/docker/meta/main.yaml +++ b/roles/docker/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml index b4a1c6f..9b678e9 100644 --- a/roles/dokuwiki/meta/main.yml +++ b/roles/dokuwiki/meta/main.yml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 02b00ac..78bb770 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" 
diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml index 02b00ac..78bb770 100644 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ b/roles/prometheus_node_exporter/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" From bb79d128198a2cf7b5a05b317aefedb7673b8b64 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Jan 2026 19:32:42 +0100 Subject: [PATCH 03/33] wip: alloy --- roles/alloy/tasks/main.yaml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 roles/alloy/tasks/main.yaml diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml new file mode 100644 index 0000000..2bc308a --- /dev/null +++ b/roles/alloy/tasks/main.yaml 
@@ -0,0 +1,48 @@ +# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124 +- name: ensure alloy user exists + ansible.builtin.user: + name: alloy + system: true + append: true + create_home: false + state: present + +- name: ensure the `/etc/alloy/` config directory exists + ansible.builtin.file: + path: /etc/alloy + state: directory + mode: "0770" + owner: root + group: alloy + become: true + +- name: synchronize the additional configuration files directory, if present + when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != "" + block: + - name: ensure rsync is installed + ansible.builtin.apt: + name: rsync + become: true + + - name: synchronize the additional configuration files directory, if present + ansible.posix.synchronize: + src: "{{ alloy__additional_configs_dir }}" + dest: /etc/alloy/additional + delete: true + recursive: true + use_ssh_args: true + rsync_opts: + - "--chown=root:alloy" + become: true + +- name: delete the additional configuration files directory, if not present + when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == "" + ansible.builtin.file: + path: /etc/alloy/additional + state: absent + become: true + +- name: Setup Alloy + ansible.builtin.import_role: + name: grafana.grafana.alloy + become: true From 80ddb2efc927c894074558f0a8f13377bb934cb4 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 17:25:27 +0100 Subject: [PATCH 04/33] router: enable a DHCP server for the v4-NAT network as well As the hosts don't really need a static v4, just do DHCP. --- resources/chaosknoten/router/nftables/nftables.conf | 2 +- .../router/systemd_networkd/21-net0.2-v4_nat.network | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6d04a4c..3375bfb 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf 
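Review bot: The `ensure alloy user exists` task at the top of the new file is the only task in the role without `become: true`, so unless the calling play escalates globally the useradd fails for the non-root `chaos` login the inventory uses; `append: true` is also a no-op there because no `groups` are given. Separately, `/etc/alloy` is created `0770` root:alloy, which lets the alloy service account (presumably the user the collector runs as) rewrite its own configuration including the synchronized `additional/` tree, so a compromised collector could repoint log/metric shipping or add pipeline stages. Prefer `mode: "0750"` with root-owned, group-readable files, and add `--chmod=D750,F640` next to `--chown=root:alloy` in `rsync_opts` so control-node file modes (and any credentials inside the additional configs) do not land world-readable on the host.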
+++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -45,7 +45,7 @@ table inet host { tcp dport 22 accept comment "allow ssh access" # Allow DHCP server access. - iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" + iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" } } diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index c7fd9a7..b15259d 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -11,6 +11,12 @@ Description=v4-NAT # Masquerading done in nftables (nftables.conf). IPv6SendRA=yes +DHCPServer=true + +[DHCPServer] +PoolOffset=100 +PoolSize=150 + [Address] Address=10.32.2.1/24 From fbd3ea54962e7b0348c9ccb4471f493c26002322 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:09:48 +0100 Subject: [PATCH 05/33] base_config: disable cloud-init ssh module to avoid hostkey regeneration It should run once on first boot anyway and since it apparently runs for every change in the Proxmox cloud init config, disable it, so it doesn't, since it's annoying to have "random" hostkey changes. --- roles/base_config/tasks/main.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/base_config/tasks/main.yaml diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml new file mode 100644 index 0000000..cd8affd --- /dev/null +++ b/roles/base_config/tasks/main.yaml 
@@ -0,0 +1,13 @@ +# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason. +- name: check if cloud-init config file exists + ansible.builtin.stat: + path: /etc/cloud/cloud.cfg + register: base_config__stat_cloud_cfg + +- name: ensure the cloud-init ssh module is disabled + ansible.builtin.replace: + path: /etc/cloud/cloud.cfg + regexp: " - ssh$" + replace: " #- ssh" + become: true + when: base_config__stat_cloud_cfg.stat.exists From 40b67c6bc3cec86c72f7efe52f12b939d0db4291 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:46:16 +0100 Subject: [PATCH 06/33] sunders(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1028deb..082a76a 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -67,9 +67,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de sunders: - ansible_host: sunders-intern.hamburg.ccc.de + ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: ansible_host: renovate-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 409b5c6..f02a657 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
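Review bot: Commenting out `- ssh` in the packaged `/etc/cloud/cloud.cfg` disables the whole module, which also handles authorized-key deployment for the default user, and it leaves a local edit in a conffile that a later cloud-init package upgrade may prompt about or revert. cloud-init documents a narrower knob for exactly this problem: a drop-in such as `/etc/cloud/cloud.cfg.d/99-keep-hostkeys.cfg` containing `ssh_deletekeys: false` keeps the module but stops it from removing and regenerating host keys when the instance-id changes. Whichever variant stays, this role must only run on already-booted instances and never be baked into a template, since a clone that never runs the ssh module would ship the template's host keys; a comment such as `# Only apply to booted instances: a template with this change would clone identical host keys.` above the replace task would record that constraint.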
@@ -29,7 +29,7 @@ map $host $upstream_acme_challenge_host { wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; - sunders.hamburg.ccc.de 172.31.17.170:31820; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 97e0e3c..90ec655 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -43,7 +43,7 @@ stream { staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de 172.31.17.148:8443; - sunders.hamburg.ccc.de 172.31.17.170:8443; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index 04cc006..ceb9b2b 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a622f21b54461ec4db77f3496212c55389621104 Mon Sep 17 00:00:00 2001 
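Review bot: Switching sunders to `listen [::]:8443` means the proxy-protocol connection from public-reverse-proxy now arrives over IPv6, but the `set_real_ip_from` directive that follows the realip comment block (just outside this hunk, in the same `server` block) is not touched; if it still names the proxy's old `172.31.17.140` address, as the ccchoir and pretalx configs in this series did, the realip module will no longer trust the PROXY header and `$remote_addr` silently becomes the proxy's own address for logs, rate limits and any IP-based allowlists. Update it in the same change, e.g. `set_real_ip_from 2a00:14b0:4200:3000:125::1;`, or the host is blind to real client addresses. The enclosing `server` block continues beyond the hunk.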
From: June Date: Wed, 7 Jan 2026 18:46:27 +0100 Subject: [PATCH 07/33] renovate(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 082a76a..58b6c1a 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -71,9 +71,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: - ansible_host: renovate-intern.hamburg.ccc.de + ansible_host: renovate.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: From 49e3ecb9865ebc0de70b4757b0f2d05a7b8c3da4 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 9 Jan 2026 03:05:29 +0100 Subject: [PATCH 08/33] netbox(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 58b6c1a..14fe23a 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -33,9 +33,9 @@ all: ansible_host: mumble.hamburg.ccc.de ansible_user: chaos netbox: - ansible_host: netbox-intern.hamburg.ccc.de + ansible_host: netbox.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de onlyoffice: ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_user: chaos 
diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 5550686..533c9d2 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index f02a657..06595e3 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -19,7 +19,7 @@ map $host $upstream_acme_challenge_host { matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; - netbox.hamburg.ccc.de 172.31.17.167:31820; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 90ec655..78a91ff 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
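Review bot: The netbox `listen [::]:8443` change moves the proxy-protocol traffic to IPv6 without updating the `set_real_ip_from` line that sits right after the realip comment (outside this hunk, same `server` block); if that line still holds the proxy's old IPv4 address, nginx stops trusting the PROXY header and every request is logged and rate-limited as coming from the reverse proxy itself. The proxy's IPv6 address used elsewhere in this series is `2a00:14b0:4200:3000:125::1`, so the directive should become `set_real_ip_from 2a00:14b0:4200:3000:125::1;` in the same commit. The `server` block extends past the hunk.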
@@ -32,7 +32,7 @@ stream { onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; - netbox.hamburg.ccc.de 172.31.17.167:8443; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443; matrix.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443; From ff550cbd8ad8cfd9be7bbc9d5f4c620172e5d90f Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:00:18 +0100 Subject: [PATCH 09/33] tickets(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 14fe23a..fab9127 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -19,9 +19,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de tickets: - ansible_host: tickets-intern.hamburg.ccc.de + ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de keycloak: ansible_host: keycloak.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 06595e3..b8b44b5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -28,7 +28,7 @@ map $host $upstream_acme_challenge_host { wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; - tickets.hamburg.ccc.de 172.31.17.148:31820; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 78a91ff..e540f13 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -42,7 +42,7 @@ stream { hamburg.ccc.de 172.31.17.151:8443; staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; - tickets.hamburg.ccc.de 172.31.17.148:8443; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 9e2ca26..8d36244 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a41b07949cd6ffda5b334065c7b8ce362e11af16 Mon Sep 17 00:00:00 2001 
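Review bot: For tickets the hunk only replaces the `listen` line, yet the trust anchor for the proxy protocol, `set_real_ip_from`, lives a few lines further down in the same `server` block and is left as is; with connections now coming in over `[::]:8443` a stale IPv4 entry there would make the realip module ignore the PROXY header, so `$remote_addr` would be the proxy rather than the visitor for the ticket shop's logs and any abuse controls. Pair this change with `set_real_ip_from 2a00:14b0:4200:3000:125::1;` (the proxy address this series uses for ccchoir and pretalx) unless that was already done elsewhere. The `server` block starts before and ends after the hunk.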
From: June Date: Sun, 11 Jan 2026 00:22:37 +0100 Subject: [PATCH 10/33] zammad(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index fab9127..1b88df6 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -59,9 +59,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: - ansible_host: zammad-intern.hamburg.ccc.de + ansible_host: zammad.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: ansible_host: ntfy-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index b8b44b5..d976089 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -30,7 +30,7 @@ map $host $upstream_acme_challenge_host { www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; - zammad.hamburg.ccc.de 172.31.17.152:31820; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; eh07.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index e540f13..c4d1fbc 100644 
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -44,7 +44,7 @@ stream { spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; - zammad.hamburg.ccc.de 172.31.17.152:8443; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; staging.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index c1f9182..5bb2435 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From bb30e88404d9e3d6c2325a2572b45aac10113041 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:29:16 +0100 Subject: [PATCH 11/33] router(host): allowlist only certain icmpv6 types --- .../chaosknoten/router/nftables/nftables.conf | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 3375bfb..ca62a97 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf 
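Review bot: Same gap as the other host moves in this series: zammad now listens on `[::]:8443` only, but the `set_real_ip_from` directive that follows the realip comment block in this `server` block is outside the hunk and not updated, so if it still names `172.31.17.140` the PROXY header is no longer honoured and Zammad sees the reverse proxy's address for every request (audit trail, login throttling, IP-based rules). Change it to the proxy's IPv6 address in the same commit, `set_real_ip_from 2a00:14b0:4200:3000:125::1;`, or note where that is already handled. The `server` block continues beyond the hunk.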
@@ -39,7 +39,23 @@ table inet host { ct state established,related accept ip protocol icmp accept - ip6 nexthdr icmpv6 accept + # ICMPv6 + # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24 + # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped" + # Error messages that are essential to the establishment and maintenance of communications: + icmpv6 type { destination-unreachable, packet-too-big } accept + icmpv6 type { time-exceeded } accept + icmpv6 type { parameter-problem } accept + # Connectivity checking messages: + icmpv6 type { echo-request, echo-reply } accept + # Address Configuration and Router Selection messages: + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept + # Link-Local Multicast Receiver Notification messages: + icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept + # SEND Certificate Path Notification messages: + icmpv6 type { 148, 149 } accept + # Multicast Router Discovery messages: + icmpv6 type { 151, 152, 153 } accept # Allow SSH access. tcp dport 22 accept comment "allow ssh access" From 2fbb37db18c0cb3c01f00d83666524f6c5cc887e Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:59:52 +0100 Subject: [PATCH 12/33] grafana(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf | 2 -- .../chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf | 1 - .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 6 files changed, 5 insertions(+), 8 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1b88df6..f72e4ac 100644 --- a/inventories/chaosknoten/hosts.yaml 
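Review bot: The new allowlist accepts `nd-router-advert` (and the other ND types) from every interface, so a VM on the v4-NAT or ci-runner segments can send Router Advertisements at the router itself; whether the kernel acts on them depends on `IPv6AcceptRA=`/`accept_ra` settings not visible here, but on a box that is the RA source for those links it is safer to scope RA acceptance to the uplink, e.g. `iifname $if_uplink icmpv6 type nd-router-advert accept` (substituting whatever the uplink variable is called in this file). RFC 4890 also recommends rate-limiting rather than unconditionally accepting echo requests: `icmpv6 type echo-request limit rate 10/second accept`. Note that `ip protocol icmp accept` just above the new block still admits every IPv4 ICMP type, so the two address families are now filtered inconsistently; the chain this belongs to starts before the hunk.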
+++ b/inventories/chaosknoten/hosts.yaml @@ -15,9 +15,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de grafana: - ansible_host: grafana-intern.hamburg.ccc.de + ansible_host: grafana.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de tickets: ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index c5b68e1..a6dcdc1 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf index e2bf4a7..8a509be 100644 --- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf @@ -17,7 +17,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:50051 ssl; - listen 172.31.17.145:50051 ssl; http2 on; @@ -59,7 +58,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index 2c52523..ef2fe07 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf 
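Review bot: In grafana.hamburg.ccc.de.conf the hunk changes only the `listen` directive to `[::]:8443`; the `set_real_ip_from` line that the realip comment introduces is outside the hunk and, if it still carries the proxy's old IPv4 address, Grafana will record and rate-limit logins by the reverse proxy's address instead of the client's. Update it alongside, e.g. `set_real_ip_from 2a00:14b0:4200:3000:125::1;`, matching the proxy address used for ccchoir and pretalx in this series. The `server` block extends past the hunk.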
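Review bot: Removing `listen 172.31.17.145:50051 ssl;` and the `:443` IPv4 listener from loki.hamburg.ccc.de.conf (and the matching one in metrics.hamburg.ccc.de.conf) leaves no IPv4 listener behind, so any shipper or scraper on a host that has not yet moved to the new network, of which several still appear as `172.31.17.x` upstreams in the reverse-proxy maps in this series, will stop delivering logs and metrics with no error visible on the Grafana side. That is a silent telemetry gap; either keep an IPv4 listener on the host's new address until the last client migrates, or add an alert on absent scrape targets and stalled log streams before merging. Both `server` blocks extend beyond their hunks.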
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -18,7 +18,6 @@ server { server_name metrics.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; client_body_buffer_size 512k; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index d976089..7af3beb 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -9,7 +9,7 @@ map $host $upstream_acme_challenge_host { cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; - grafana.hamburg.ccc.de 172.31.17.145:31820; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index c4d1fbc..42120db 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -26,7 +26,7 @@ stream { id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - grafana.hamburg.ccc.de 172.31.17.145:8443; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; From 372f264bcbc7de743c6cda57126395f7df906b47 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 11 Jan 2026 01:29:15 +0100 Subject: [PATCH 13/33] ccchoir(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf | 8 ++++---- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- .../chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index f72e4ac..4b8e388 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -1,9 +1,9 @@ all: hosts: ccchoir: - ansible_host: ccchoir-intern.hamburg.ccc.de + ansible_host: ccchoir.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf index ff37e48..a8d71a9 100644 --- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf +++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
@@ -43,12 +43,12 @@ server { server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 7af3beb..0c62760 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -4,8 +4,8 @@ map $host $upstream_acme_challenge_host { c3cat.de 172.31.17.151:31820; www.c3cat.de 172.31.17.151:31820; staging.c3cat.de 172.31.17.151:31820; - ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; + ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; + www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 42120db..b3f3636 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
@@ -18,8 +18,8 @@ stream { resolver 212.12.50.158 192.76.134.90; map $ssl_preread_server_name $address { - ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; - www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; + www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; From 1971598e71379ed967b8790353dd2ac6dc854712 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 03:22:11 +0100 Subject: [PATCH 14/33] pretalx(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf | 4 ++-- .../chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 4b8e388..d5dea1c 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -45,9 +45,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pretalx: - ansible_host: pretalx-intern.hamburg.ccc.de + ansible_host: pretalx.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf index 0fa99e7..a4f5bb9 100644 --- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf 
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
index f12067a..d66e977 100644
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 0c62760..71f0290 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -22,7 +22,7 @@ map $host $upstream_acme_challenge_host {
 netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
 onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
 pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
- pretalx.hamburg.ccc.de 172.31.17.157:31820;
+ pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
 spaceapi.hamburg.ccc.de 172.31.17.151:31820;
 staging.hamburg.ccc.de 172.31.17.151:31820;
 wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index b3f3636..d7cd97e 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -22,7 +22,7 @@ stream {
 www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
 cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
 pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
- pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
+ pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
 id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
 invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
 keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
@@ -90,7 +90,7 @@ stream {
 woodpecker.hamburg.ccc.de 172.31.17.160:8443;
 design.hamburg.ccc.de 172.31.17.162:8443;
 hydra.hamburg.ccc.de 172.31.17.163:8443;
- cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
+ cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
 ntfy.hamburg.ccc.de 172.31.17.149:8443;
 cryptoparty-hamburg.de 172.31.17.151:8443;
 cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
From 255327952e3b1e718e7d0e53c0c189a6e6f13052 Mon Sep 17 00:00:00 2001
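Review bot: Only the `pretalx.hamburg.ccc.de` entry of the ACME map is repointed to `pretalx.hosts.hamburg.ccc.de:31820`, while the stream map in the following `nginx.conf` hunk also repoints `cfp.eh22.easterhegg.eu`; the ACME entry for that name stays at `172.31.17.157:31820`, the very address this hunk removes for pretalx (it is still visible as context in patch 15's `acme_challenge.conf` hunk). Once the old address is gone, HTTP-01 renewals for `cfp.eh22.easterhegg.eu` will be routed to nothing at the proxy. The fix is `cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:31820;` in the same map.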
From: June Date: Sun, 11 Jan 2026 03:57:11 +0100 Subject: [PATCH 15/33] ntfy(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index d5dea1c..93c61be 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -63,9 +63,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: - ansible_host: ntfy-intern.hamburg.ccc.de + ansible_host: ntfy.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de sunders: ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf index e7d404d..ebae48d 100644 --- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf +++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf @@ -2,13 +2,13 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 71f0290..82e596a 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
 design.hamburg.ccc.de 172.31.17.162:31820;
 hydra.hamburg.ccc.de 172.31.17.163:31820;
 cfp.eh22.easterhegg.eu 172.31.17.157:31820;
- ntfy.hamburg.ccc.de 172.31.17.149:31820;
+ ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
 cryptoparty-hamburg.de 172.31.17.151:31820;
 cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
 staging.cryptoparty-hamburg.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index d7cd97e..489dda5 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -91,7 +91,7 @@ stream {
 design.hamburg.ccc.de 172.31.17.162:8443;
 hydra.hamburg.ccc.de 172.31.17.163:8443;
 cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
- ntfy.hamburg.ccc.de 172.31.17.149:8443;
+ ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
 cryptoparty-hamburg.de 172.31.17.151:8443;
 cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
 staging.cryptoparty-hamburg.de 172.31.17.151:8443;
From 968e29ccb8fa144c7ec3ebd56d8d38adb4416397 Mon Sep 17 00:00:00 2001
From: June Date: Mon, 12 Jan 2026 03:02:09 +0100 Subject: [PATCH 16/33] do v6-only for internal proxy protocol communication Since we want to do v6-only internally, only listen on v6 for proxy protocol. This is also needed as we only have set_real_ip_from pointing to a v6. --- resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 1 - resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 1 - resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 1 - .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 1 - resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 1 - resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 1 - resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 - resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 - resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 13 files changed, 5 insertions(+), 13 deletions(-) diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index 8c801fe..d213d61 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy 
diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
index a6dcdc1..98f7f40 100644
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@@ -8,7 +8,7 @@ server {
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
index 939e1da..82ba082 100644
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@@ -3,7 +3,6 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
index de1e9d6..ecb7e2d 100644
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@@ -3,7 +3,6 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
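Review bot: This `set_real_ip_from` change trusts only the proxy's IPv6 address, but the `listen` lines of `grafana.hamburg.ccc.de.conf` are outside the hunk and, unlike the other files in this commit, no IPv4 `listen 8443` line is removed here — so it is worth confirming the file already listens on `[::]:8443` only, otherwise PROXY-protocol connections arriving over IPv4 would come from an untrusted source, the realip module would ignore their header, and `$remote_addr` would stay the proxy's own address. The same applies to the `netbox`, `sunders`, `tickets` and `zammad` hunks of this commit. A short comment above the directive, such as `# Only the v6-only internal proxy is allowed to set the client address.`, would record why a single address is trusted.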
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index cd56b98..b2e7eec 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,7 +7,6 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 533c9d2..0c2a3be 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 8a9a486..f3e77f1 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf 
@@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
index 6c453d1..cf49d23 100644
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
index ceb9b2b..185c005 100644
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@@ -7,7 +7,7 @@ server {
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
index 8d36244..e93ff93 100644
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@@ -7,7 +7,7 @@ server {
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
index 472236a..d89b5b8 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
index b4eab7f..5065c1d 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@@ -2,7 +2,6 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
 listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index 5bb2435..b94cb5c 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From 70461c98babcddd87dd208aa4041aee5f1fa2546 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 12 Jan 2026 03:29:06 +0100 Subject: [PATCH 17/33] first run ansible_pull for router, then for all other hosts Do this to avoid a restarting router affecting playbook runs on other hosts. --- inventories/chaosknoten/group_vars/all.yaml | 2 +- inventories/chaosknoten/host_vars/router.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index b8f13d0..60349e0 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml @@ -3,7 +3,7 @@ ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git ansible_pull__inventory: inventories/chaosknoten ansible_pull__playbook: playbooks/maintenance.yaml -ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de ansible_pull__timer_randomized_delay_sec: 30min diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index 134d29f..5e9c832 100644 --- a/inventories/chaosknoten/host_vars/router.yaml 
+++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,2 +1,4 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_randomized_delay_sec: 0min From c6387908198c477178d59ea4e798600ffb201dc8 Mon Sep 17 00:00:00 2001 From: Renovate Date: Mon, 12 Jan 2026 02:30:47 +0000 Subject: [PATCH 18/33] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 10 +++++----- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 6 +++--- .../chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index d29fb6e..b1168c9 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.11.0 + uses: https://github.com/ansible/ansible-lint@v25.12.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 3be8bdd..2c68c17 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml 
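Review bot: The reason for the router-specific `ansible_pull__timer_on_calendar` and `ansible_pull__timer_randomized_delay_sec: 0min` lives only in the commit message; a comment above the two new lines, such as `# Run before all other hosts (group default 04:30 plus 30min jitter) so a router restart does not disturb their runs.`, would keep the intent next to the values. The ordering rests on timing alone: a router run that takes longer than 30 minutes would still overlap the fleet window that the `04:30:00` change in `group_vars/all.yaml` opens, so the gap is a best-effort separation rather than a dependency.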
@@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.6" +netbox__version: "v4.5.0" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 2d598f9..90952ee 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.3 + image: docker.io/prom/prometheus:v3.9.1 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.29.0 + image: docker.io/prom/alertmanager:v0.30.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.3.0 + image: docker.io/grafana/grafana:12.3.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5 + image: docker.io/prompve/prometheus-pve-exporter:3.8.0 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.0 + image: docker.io/grafana/loki:3.6.3 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index f3444ac..8bc37e9 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0 + image: docker.io/onlyoffice/documentserver:9.2.1 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 455caa3..790cf95 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3 + image: quay.io/hedgedoc/hedgedoc:1.10.5 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index dda67bb..835ed50 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3 + image: docker.io/library/nginx:1.29.4 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index fbec258..1df2bca 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: db: - image: mariadb:12.0.2 + image: mariadb:12.1.2 command: --max_allowed_packet=3250585600 environment: MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" From a92e144cfcdfb0813403b2e7b649d1fdeb641722 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 00:08:57 +0100 Subject: [PATCH 19/33] base_config(role): ensure base set of admin tools is installed See: https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix --- roles/base_config/tasks/main.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml index cd8affd..7f0281e 100644 --- a/roles/base_config/tasks/main.yaml +++ b/roles/base_config/tasks/main.yaml @@ -11,3 +11,23 @@ replace: " #- ssh" become: true when: base_config__stat_cloud_cfg.stat.exists + +# Ensure a base set of admin tools is installed. +- name: ensure a base set of admin tools is installed + ansible.builtin.apt: + name: + - vim + - joe + - nano + - htop + - btop + - ripgrep + - fd-find + - tmux + - git + - curl + - rsync + - dnsutils + - usbutils + - kitty + become: true From 951ec7ebcd9ea693f4f4c40b9ca1052b4bc0abf1 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 02:25:06 +0100 Subject: [PATCH 20/33] netbox(role): fix oidc integration by no longer using is_staff is_staff got removed in 4.5.0. See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0 --- .../netbox/files/custom_pipeline_oidc_group_and_role_mapping.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py index 470f388..79bd247 100644 --- a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py +++ b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py 
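Review bot: `kitty` in the new admin-tools list pulls a full GUI terminal emulator and its graphics stack onto hosts that are otherwise headless servers; if the goal is only that admins connecting from kitty get working terminfo, the `kitty-terminfo` package provides that without the desktop footprint. To my knowledge `btop` is also not packaged in every Debian release still in use, so the task may fail on older hosts — worth confirming against the oldest release this role is applied to, or guarding the entry. An explicit `state: present` under `ansible.builtin.apt` would make the intent visible instead of relying on the module default.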
@@ -40,7 +40,6 @@ def remove_groups(response, user, backend, *args, **kwargs): def set_roles(response, user, backend, *args, **kwargs): # Remove Roles temporary user.is_superuser = False - user.is_staff = False try: groups = response['groups'] except KeyError: @@ -51,5 +50,4 @@ def set_roles(response, user, backend, *args, **kwargs): # Set roles is role (superuser or staff) is in groups user.is_superuser = True if 'superusers' in groups else False - user.is_staff = True if 'staff' in groups else False user.save() From 3e0fdfa8de7e0cbc97ef7d3a089c7db6b2885b92 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:43:28 +0100 Subject: [PATCH 21/33] pretalx(host): roll back to pretalx v2025.1.0 as v2025.2.2 doesn't work --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 835ed50..f61d6f7 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" From 92601ab9ea4cceb6daa8b7c36c9a202a6ae9e30b Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:48:34 +0100 Subject: [PATCH 22/33] renovate: add package rule for pretalx reclassifying major updates So that v2025.1.0 to v2025.2.2 counts as a major, not a minor, update. --- renovate.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate.json b/renovate.json index 711c627..0e2bd7f 100644 --- a/renovate.json +++ b/renovate.json 
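Review bot: The comment `# Set roles is role (superuser or staff) is in groups` above the kept `user.is_superuser` assignment still speaks of staff after this commit removes all `is_staff` handling, and reads "is role" where "if role" is meant; I would change it to `# Grant superuser only if the 'superusers' group is present in the OIDC response.` While there, `user.is_superuser = True if 'superusers' in groups else False` is the same as `user.is_superuser = 'superusers' in groups`. `set_roles` begins outside both hunks, as does the `except KeyError` branch that decides what happens when the response carries no groups.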
@@ -32,6 +32,11 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" + }, + { + "matchDatasources": ["docker"], + "matchPackageNames": ["docker.io/pretalx/standalone"], + "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], "customManagers": [ From 428b5c70bc3d02be51283a69105cf36ce44139ff Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 14:19:57 +0100 Subject: [PATCH 23/33] pretalx(host): roll back to pretalx v2025.1.0 for celery as well --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index f61d6f7..091d113 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped From 51bbdd42a2504f0b3045349b0b08e3bb75b55fce Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 16:55:22 +0100 Subject: [PATCH 24/33] dooris(host): make certbot work --- inventories/z9/host_vars/dooris.yaml | 4 +++- resources/z9/dooris/nginx/http_handler.conf | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 resources/z9/dooris/nginx/http_handler.conf diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml index 5813e3a..8ae5287 100644 --- a/inventories/z9/host_vars/dooris.yaml +++ b/inventories/z9/host_vars/dooris.yaml 
@@ -7,9 +7,11 @@ certbot__certificate_domains: - "dooris.ccchh.net" certbot__new_cert_commands: - "systemctl reload nginx.service" -certbot__http_01_port: 80 nginx__version_spec: "" +nginx__deploy_redirect_conf: false nginx__configurations: - name: dooris.ccchh.net content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}" + - name: http_handler + content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" diff --git a/resources/z9/dooris/nginx/http_handler.conf b/resources/z9/dooris/nginx/http_handler.conf new file mode 100644 index 0000000..8572664 --- /dev/null +++ b/resources/z9/dooris/nginx/http_handler.conf @@ -0,0 +1,12 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } +} From fe52127e825b27693c56dc5f0620679fe12829c0 Mon Sep 17 00:00:00 2001 
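Review bot: `return 301 https://$host$request_uri;` in the new `default_server` block redirects to whatever Host header the client supplied, which on a catch-all vhost is the classic open-redirect shape; since this host serves the single name `dooris.ccchh.net` (see `certbot__certificate_domains` in the same commit), redirecting to it explicitly, `return 301 https://dooris.ccchh.net$request_uri;`, or setting `server_name dooris.ccchh.net;` and using `$server_name`, closes that. The removal of `certbot__http_01_port: 80` together with the proxy to `127.0.0.1:31820` relies on the certbot role now defaulting to that port — worth confirming, as the host_vars no longer state it. A one-line comment above the `/.well-known/acme-challenge/` location naming the listener it forwards to would help the next reader.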
From: June Date: Sun, 18 Jan 2026 01:26:52 +0100 Subject: [PATCH 25/33] status(host): configure external status page and uptime monitoring host --- .sops.yaml | 22 +- inventories/external/group_vars/all.sops.yaml | 210 ++++++++++++ inventories/external/group_vars/all.yaml | 16 + .../external/host_vars/status.sops.yaml | 212 ++++++++++++ inventories/external/host_vars/status.yaml | 27 ++ inventories/external/hosts.yaml | 24 ++ .../status/docker_compose/compose.yaml.j2 | 36 +++ .../config/easterhegg-websites.yaml | 303 ++++++++++++++++++ .../status/docker_compose/config/general.yaml | 25 ++ .../config/services-chaosknoten.yaml | 264 +++++++++++++++ .../status/docker_compose/config/sites.yaml | 23 ++ .../docker_compose/config/websites.yaml | 174 ++++++++++ .../external/status/nginx/http_handler.conf | 14 + .../status/nginx/status.hamburg.ccc.de.conf | 33 ++ 14 files changed, 1381 insertions(+), 2 deletions(-) create mode 100644 inventories/external/group_vars/all.sops.yaml create mode 100644 inventories/external/group_vars/all.yaml create mode 100644 inventories/external/host_vars/status.sops.yaml create mode 100644 inventories/external/host_vars/status.yaml create mode 100644 inventories/external/hosts.yaml create mode 100644 resources/external/status/docker_compose/compose.yaml.j2 create mode 100644 resources/external/status/docker_compose/config/easterhegg-websites.yaml create mode 100644 resources/external/status/docker_compose/config/general.yaml create mode 100644 resources/external/status/docker_compose/config/services-chaosknoten.yaml create mode 100644 resources/external/status/docker_compose/config/sites.yaml create mode 100644 resources/external/status/docker_compose/config/websites.yaml create mode 100644 resources/external/status/nginx/http_handler.conf create mode 100644 resources/external/status/nginx/status.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 98aaf3c..3b728e2 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -33,15 +33,25 @@ keys:
 - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
 - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
 - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
+ external:
+ age: &host_external_age_keys
+ - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
 creation_rules:
- # group vars
+ ## group vars
 - path_regex: inventories/chaosknoten/group_vars/all.*
 key_groups:
 - pgp:
 *admin_gpg_keys
 age:
 *host_chaosknoten_age_keys
- # host vars
+ - path_regex: inventories/external/group_vars/all.*
+ key_groups:
+ - pgp:
+ *admin_gpg_keys
+ age:
+ *host_external_age_keys
+ ## host vars
+ # chaosknoten hosts
 - path_regex: inventories/chaosknoten/host_vars/cloud.*
 key_groups:
 - pgp:
@@ -150,6 +160,14 @@ creation_rules:
 *admin_gpg_keys
 age:
 - *host_public_reverse_proxy_ansible_pull_age_key
+ # external hosts
+ - path_regex: inventories/external/host_vars/status.*
+ key_groups:
+ - pgp:
+ *admin_gpg_keys
+ age:
+ - *host_status_ansible_pull_age_key
+ # z9 hosts
 - path_regex: inventories/z9/host_vars/dooris.*
 key_groups:
 - pgp:
diff --git a/inventories/external/group_vars/all.sops.yaml b/inventories/external/group_vars/all.sops.yaml
new file mode 100644
index 0000000..06eeb17
--- /dev/null
+++ b/inventories/external/group_vars/all.sops.yaml
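Review bot: The new `external:` stanza should carry a comment on `age: &host_external_age_keys` stating that every key in this list can decrypt all of `inventories/external/group_vars/*.sops.yaml`, because the group-vars creation rule added in the same hunk hands the whole list to sops. The group file created in this commit holds `msmtp__smtp_password`, so appending a second external host's key here also gives that host the shared SMTP credential; something like `# every key listed here can read the external group_vars secrets (currently the msmtp password)` makes that consequence visible at the point where keys get added. The chaosknoten list above has the same property, but that is pre-existing.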
@@ -0,0 +1,210 @@ +msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w + c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN + clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ + aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y + mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-15T21:28:28Z" + mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str] + pgp: + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I + b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY + /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu + Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/ + e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B + inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw + P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow + RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W + XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn + gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV + HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS + XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH + 
tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a + =Xw0f + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+ + U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L + eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW + TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc + OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo + b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR + 8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem + Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk + +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq + 5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb + ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS + XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7 + RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u + =k6m5 + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ + z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr + AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX + EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd + txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3 + CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX + AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt + KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf + 53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ + iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn + Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS + 
XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX + OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0 + =seAB + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ + ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7 + vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh + GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R + ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA + q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN + F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT + 968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb + Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH + RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM + WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS + XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T + X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt + =t5WG + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw + OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu + 0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD + kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg== + =8Qs3 + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2 + SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm + +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB + 
nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm + ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH + xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP + 2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv + 4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP + AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5 + fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV + J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S + XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD + QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn + =NJUn + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33 + rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU + b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB + VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6 + z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc + y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk + pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6 + DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS + 55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2 + Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS + 2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS + XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ + e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h + =gUj7 + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw + YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4 + 
W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly + m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl + AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB + QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW + fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT + XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw + Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv + v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt + zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS + XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb + YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV + =pL2f + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw + 0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin + 0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8 + KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg== + =slU2 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw + bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL + 0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp + JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw== + =1DIj + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204 + CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99 + e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R + 
6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1 + M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN + Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L + vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G + k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm + MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/ + 3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF + XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS + XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn + 96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz + =IYeC + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0
diff --git a/inventories/external/group_vars/all.yaml b/inventories/external/group_vars/all.yaml
new file mode 100644
index 0000000..80d3efc
--- /dev/null
+++ b/inventories/external/group_vars/all.yaml
@@ -0,0 +1,16 @@
+# ansible_pull
+# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
+ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
+ansible_pull__inventory: inventories/external
+ansible_pull__playbook: playbooks/maintenance.yaml
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
+ansible_pull__timer_randomized_delay_sec: 30min
+
+# msmtp
+# msmtp__smtp_password is defined in the all.sops.yaml.
+msmtp__smtp_host: cow.hamburg.ccc.de
+msmtp__smtp_port: 465
+msmtp__smtp_tls_method: smtps
+msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
+msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"
diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml
new file mode 100644
index 0000000..e300459
--- /dev/null
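Review bot: `ansible_pull__timer_randomized_delay_sec: 30min` pairs a `_sec` suffix with a systemd time-span value; if the role drops it verbatim into a `RandomizedDelaySec=` line that parses fine, but if it expects a plain number of seconds the timer unit will be rejected on the host. Writing `1800` is valid under both readings, or the comment block above the key could state which form the role expects. The role's timer template is not part of this diff, so this is a question rather than a confirmed defect.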
+++ b/inventories/external/host_vars/status.sops.yaml 
@@ -0,0 +1,212 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] +secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx + UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq + M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk + RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 + 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-17T23:54:35Z" + mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + pgp: + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/ + HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW + w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi + o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr + dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT + QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+ + 
97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE + dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf + j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT + B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9 + cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS + XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI + tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ= + =HCWY + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M + UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6 + KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4 + JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu + RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf + LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J + SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5 + YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD + CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF + W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q + melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS + XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e + GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74= + =v7Jf + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ + zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv + y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y + Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo + 
FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw + sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz + 8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1 + +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au + qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU + yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F + HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S + XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF + 9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4= + =l9vN + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp + +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w + +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1 + oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw + 8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx + wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26 + MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK + ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj + IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB + b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm + YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS + XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF + JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4= + =8IWz + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw + 9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM + 
0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr + 1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ + =FVIu + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz + ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F + 15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN + pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW + Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR + PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+ + 27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU + amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I + bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P + dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc + bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS + XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD + QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA= + =EPrs + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0 + RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC + Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9 + fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC + 3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9 + bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW + p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl + USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm + dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa + 
PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9 + NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS + XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n + H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo= + =0Nal + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK + ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV + Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl + IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH + i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9 + 1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq + lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG + m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi + 9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7 + N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy + FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS + XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7 + uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k= + =e4Qe + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw + 27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di + 0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h + 7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci + =68na + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw + 
oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK + 0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz + LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ + =Kpzf + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO + rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I + hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc + yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD + Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo + 2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR + yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY + YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz + WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu + 1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv + YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS + XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY + rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk= + =lbdI + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/external/host_vars/status.yaml b/inventories/external/host_vars/status.yaml new file mode 100644 index 0000000..c2c26b3 --- /dev/null +++ b/inventories/external/host_vars/status.yaml 
@@ -0,0 +1,27 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+ - name: "general.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
+ - name: "sites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
+ - name: "services-chaosknoten.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
+ - name: "websites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
+ - name: "easterhegg-websites.yaml"
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
+nginx__configurations:
+ - name: status.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
+ - name: http_handler
+ content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "status.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml
new file mode 100644
index 0000000..435a9bf
--- /dev/null
+++ b/inventories/external/hosts.yaml
@@ -0,0 +1,24 @@
+all:
+ hosts:
+ status:
+ # TODO: Manually set up ufw on the host. Create a role for ufw.
+ ansible_host: status.hamburg.ccc.de
+ ansible_user: chaos
+base_config_hosts:
+ hosts:
+ status:
+docker_compose_hosts:
+ hosts:
+ status:
+nginx_hosts:
+ hosts:
+ status:
+certbot_hosts:
+ hosts:
+ status:
+infrastructure_authorized_keys_hosts:
+ hosts:
+ status:
+ansible_pull_hosts:
+ hosts:
+ status:
diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..04abf95
--- /dev/null
+++ b/resources/external/status/docker_compose/compose.yaml.j2
@@ -0,0 +1,36 @@
+# https://gatus.io/
+# https://github.com/TwiN/gatus
+# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
+
+services:
+ database:
+ image: docker.io/library/postgres:18.1
+ volumes:
+ - ./database:/var/lib/postgresql
+ environment:
+ - "POSTGRES_DB=gatus"
+ - "POSTGRES_USER=gatus"
+ - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+ networks:
+ - gatus
+
+ gatus:
+ image: ghcr.io/twin/gatus:v5.34.0
+ restart: always
+ ports:
+ - "8080:8080"
+ environment:
+ - "GATUS_CONFIG_PATH=/config"
+ - "POSTGRES_DB=gatus"
+ - "POSTGRES_USER=gatus"
+ - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+ - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
+ volumes:
+ - ./configs:/config
+ networks:
+ - gatus
+ depends_on:
+ - database
+
+networks:
+ gatus:
diff --git a/resources/external/status/docker_compose/config/easterhegg-websites.yaml b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
new file mode 100644
index 0000000..87feb4c
--- /dev/null
+++ b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
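Review bot: `ports: - "8080:8080"` on the gatus service publishes the container on every host interface, and Docker programs its own iptables NAT/FORWARD rules for published ports that are not governed by ufw's INPUT policy, so the `# TODO: Manually set up ufw on the host` in hosts.yaml will not close this port once ufw is in place. Since nginx on the same host fronts the status page (certbot and the nginx vhost for status.hamburg.ccc.de are wired in status.yaml, though the vhost body is not in this hunk), bind the published port to loopback, `- "127.0.0.1:8080:8080"`, so the TLS vhost remains the only public entry point. Separately, `restart: always` is set on gatus but not on database, so after a host reboot the database container stays down while gatus comes back and fails its connection; add `restart: always` to the database service as well.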
@@ -0,0 +1,303 @@ +# Easterhegg Websites and Websites (Redirects) +# (hosted on public-web-static) +# One could probably also generate this list from the public-web-static config. +easterhegg-websites-defaults: &easterhegg_websites_defaults + group: Websites + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "12h" + send-on-resolved: true + +easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults + group: Websites (Redirects) + interval: 15m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +endpoints: + # Websites + - name: eh03.easterhegg.eu + url: "https://eh03.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: eh05.easterhegg.eu + url: "https://eh05.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: eh07.easterhegg.eu + url: "https://eh07.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh09.easterhegg.eu + url: "https://eh09.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh11.easterhegg.eu + url: "https://eh11.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh20.easterhegg.eu + url: "https://eh20.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - 
"[BODY] == pat(*EH20 - Back to root*)" + + # Websites (Redirects) + # eh03.easterhegg.eu + - name: eh2003.hamburg.ccc.de + url: "https://eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.eh2003.hamburg.ccc.de + url: "https://www.eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: easterhegg2003.hamburg.ccc.de + url: "https://easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.easterhegg2003.hamburg.ccc.de + url: "https://www.easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + # eh05.easterhegg.eu + - name: eh2005.hamburg.ccc.de + url: "https://eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.eh2005.hamburg.ccc.de + url: "https://www.eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: easterhegg2005.hamburg.ccc.de + url: "https://easterhegg2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.easterhegg2005.hamburg.ccc.de + url: "https://www.easterhegg2005.hamburg.ccc.de" + <<: 
*easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + # eh07.easterhegg.eu + - name: eh2007.hamburg.ccc.de + url: "https://eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh2007.hamburg.ccc.de + url: "https://www.eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh07.hamburg.ccc.de + url: "https://eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh07.hamburg.ccc.de + url: "https://www.eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: easterhegg2007.hamburg.ccc.de + url: "https://easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.easterhegg2007.hamburg.ccc.de + url: "https://www.easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + # eh09.easterhegg.eu + - name: eh2009.hamburg.ccc.de + url: "https://eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == 
pat(*Easterhegg 2009*)" + + - name: www.eh2009.hamburg.ccc.de + url: "https://www.eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh09.hamburg.ccc.de + url: "https://eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.eh09.hamburg.ccc.de + url: "https://www.eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: easterhegg2009.hamburg.ccc.de + url: "https://easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.easterhegg2009.hamburg.ccc.de + url: "https://www.easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + # eh11.easterhegg.eu + - name: eh2011.hamburg.ccc.de + url: "https://eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh2011.hamburg.ccc.de + url: "https://www.eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh11.hamburg.ccc.de + url: "https://eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh11.hamburg.ccc.de + url: 
"https://www.eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: easterhegg2011.hamburg.ccc.de + url: "https://easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.easterhegg2011.hamburg.ccc.de + url: "https://www.easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + # eh20.easterhegg.eu + - name: www.eh20.easterhegg.eu + url: "https://www.eh20.easterhegg.eu" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" + + - name: eh20.hamburg.ccc.de + url: "https://eh20.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml new file mode 100644 index 0000000..c67811a --- /dev/null +++ b/resources/external/status/docker_compose/config/general.yaml 
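Review bot: The eh09, eh11 and eh20 endpoints and all of their redirect entries write the placeholders as `[status]` and `[certificate_expiration]`, while every other entry in this file uses `[STATUS]` and `[CERTIFICATE_EXPIRATION]`. Gatus appears to upper-case placeholders before resolving them, so this is presumably cosmetic, but a placeholder that is not recognised degrades to a literal string comparison and shows up as a permanently failing endpoint rather than a config error, so normalising to the upper-case form used elsewhere, `- "[STATUS] == 200"` / `- "[CERTIFICATE_EXPIRATION] > 48h"`, removes the doubt. A one-line comment on the two defaults anchors explaining why the redirect group checks every 15m with a 24h reminder while the main group checks every 5m would also help the next editor keep the groups consistent.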
@@ -0,0 +1,25 @@ +storage: + type: postgres + path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" + +ui: + title: CCCHH Status + description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus. + header: CCCHH Status + buttons: + - name: Website + link: "https://hamburg.ccc.de" + - name: Git + link: "https://git.hamburg.ccc.de" + - name: Kontakt & Impressum + link: "https://hamburg.ccc.de/imprint/" + default-sort-by: group + +alerting: + matrix: + server-url: "https://matrix-client.matrix.org" + access-token: "${MATRIX_ACCESS_TOKEN}" + internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" + +# A bit more than the default 5 concurrent checks should be fine. +concurrency: 15 diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml new file mode 100644 index 0000000..0792e95 --- /dev/null +++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml 
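Review bot: `sslmode=disable` in `storage.path` turns off TLS to Postgres; that is acceptable only because the `database` service in this commit's compose file has no published ports and is reachable solely on the compose-internal `gatus` network, and nothing in the file says so. A comment on that line, e.g. `# sslmode=disable: the database is only reachable on the compose-internal network; revisit if it is ever moved off-host`, records the assumption for whoever next touches the storage block. The Matrix `internal-room-id` is a room identifier rather than a secret, so keeping it in clear text next to the `${MATRIX_ACCESS_TOKEN}` reference is fine.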
@@ -0,0 +1,264 @@ +# Services (Chaosknoten) +services-chaosknoten-defaults: &services_chaosknoten_defaults + group: Services (Chaosknoten) + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: CCCHH ID/Keycloak (main page/account console) + url: "https://id.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*JavaScript is required to use the Account Console.*)" + + - name: CCCHH ID/Keycloak (ccchh realm) + url: "https://id.hamburg.ccc.de/realms/ccchh/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].realm == ccchh" + + - name: ccchoir + url: "https://ccchoir.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*The Choir of the Chaos Computer Club*)" + + - name: Cloud (status info) + url: "https://cloud.hamburg.ccc.de/status.php" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].installed == true" + - "[BODY].maintenance == false" + + - name: Cloud (main page/login) + url: "https://cloud.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: cow (main page/login) + url: "https://cow.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*mailcow UI*)" + + - name: cow (SMTP port 25) + url: "tcp://cow.hamburg.ccc.de:25" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (SMTPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - 
"[CONNECTED] == true" + + - name: cow (SMTP with STARTTLS port 587) + url: "starttls://cow.hamburg.ccc.de:587" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAP port 143) + url: "tcp://cow.hamburg.ccc.de:143" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Design/penpot + url: "https://design.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Penpot - Design Freedom for Teams*)" + + - name: EH22 Website/Wiki + url: "https://eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + + - name: Git + url: "https://git.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Git*)" + + - name: GitLab + url: "https://gitlab.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)" + + - name: Grafana + url: "https://grafana.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: Jitsi + url: "https://jitsi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Jitsi Meet*)" + + - name: Lists + url: "https://lists.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Mailing Lists*)" + + - name: Matrix + url: 
"https://matrix.hamburg.ccc.de/_matrix/client/versions" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "has([BODY].versions) == true" + - "has([BODY].unstable_features) == true" + + - name: Mumble (tcp) + url: "tcp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Mumble (udp) + url: "udp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: NetBox + url: "https://NetBox.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*NetBox*)" + + - name: ntfy + url: "https://ntfy.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ntfy web requires JavaScript*)" + + - name: OnlyOffice + url: "https://onlyoffice.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)" + + - name: Pad + url: "https://pad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)" + + - name: Pretalx (main page) + url: "https://pretalx.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretalx*)" + + - name: Pretalx (EH22/Easterhegg 2025) + url: "https://cfp.eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + - "[BODY] == pat(*pretalx*)" + + - name: SpaceAPI + url: "https://spaceapi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + 
conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].space == CCCHH" + + - name: Surveillance under Surveillance + url: "https://sunders.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Surveillance under Surveillance*)" + + - name: Tickets/pretix + url: "https://tickets.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretix*)" + + - name: Wiki + url: "https://wiki.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Wiki*)" + + - name: Woodpecker + url: "https://woodpecker.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Woodpecker*)" + + - name: Zammad + url: "https://zammad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*zammad*)" diff --git a/resources/external/status/docker_compose/config/sites.yaml b/resources/external/status/docker_compose/config/sites.yaml new file mode 100644 index 0000000..7b0ce82 --- /dev/null +++ b/resources/external/status/docker_compose/config/sites.yaml @@ -0,0 +1,23 @@ +# Sites +sites-defaults: &sites_defaults + group: Sites + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: Chaosknoten/IRZ42 + url: "icmp://chaosknoten.hamburg.ccc.de" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" + + - name: Z9 + url: "icmp://185.161.129.129" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" 
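Review bot: The `cow (IMAPS port 465)` endpoint targets `tls://cow.hamburg.ccc.de:465`, the same address as the `cow (SMTPS port 465)` check two entries above it; IMAPS conventionally listens on 993, so as written the IMAPS listener is never monitored and an outage there goes unnoticed. Change it to `- name: cow (IMAPS port 993)` / `url: "tls://cow.hamburg.ccc.de:993"`. The `tls://` and `starttls://` mail checks also assert only `[CONNECTED] == true`; if Gatus exposes `[CERTIFICATE_EXPIRATION]` for those schemes (I believe it does), adding `- "[CERTIFICATE_EXPIRATION] > 48h"` would catch an expiring mail certificate, which the HTTPS check against the mailcow UI does not necessarily cover. In the same hunk, `https://NetBox.hamburg.ccc.de/` mixes case in the hostname where the rest of the file is lowercase.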
diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml new file mode 100644 index 0000000..e54337a --- /dev/null +++ b/resources/external/status/docker_compose/config/websites.yaml 
@@ -0,0 +1,174 @@ +# Websites, Websites (Staging) and Websites (Redirects) +# (hosted on public-web-static) +# One could probably also generate this list from the public-web-static config. +websites-defaults: &websites_defaults + group: Websites + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +websites-staging-defaults: &websites_staging_defaults + group: Websites (Staging) + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +websites-redirects-defaults: &websites_redirects_defaults + group: Websites (Redirects) + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +endpoints: + # Websites + - name: branding-resources.hamburg.ccc.de + url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*file: ccchh-logo.png*)" + + - name: c3cat.de + url: "https://c3cat.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Cat Ears Operation Center*)" + + - name: cryptoparty-hamburg.de + url: "https://cryptoparty-hamburg.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" + + - name: element-admin.hamburg.ccc.de + url: "https://element-admin.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Loading Element Admin*)" + + - name: element.hamburg.ccc.de + url: "https://element.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == 
pat(*Sorry, Element requires JavaScript to be enabled.*)" + + - name: hacker.tours + url: "https://hacker.tours" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + # Once suites support alerting, we can also monitor the target as well. + - "[BODY] == pat(**)" + + - name: hackertours.hamburg.ccc.de + url: "https://hackertours.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + # Once suites support alerting, we can also monitor the target as well. + - "[BODY] == pat(**)" + + - name: hamburg.ccc.de + url: "https://hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" + +# Websites (Staging) + - name: staging.c3cat.de + url: "https://staging.c3cat.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*c3cat.de Staging Environment*)" + + - name: staging.cryptoparty-hamburg.de + url: "https://staging.cryptoparty-hamburg.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" + + - name: staging.hacker.tours + url: "https://staging.hacker.tours" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hacker.tours Staging Environment*)" + + - name: staging.hackertours.hamburg.ccc.de + url: "https://staging.hackertours.hamburg.ccc.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)" + + - name: staging.hamburg.ccc.de + url: "https://staging.hamburg.ccc.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - 
"[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)" + +# Website (Redirects) + - name: www.c3cat.de + url: "https://www.c3cat.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Cat Ears Operation Center*)" + + - name: cryptoparty.hamburg.ccc.de + url: "https://cryptoparty.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" + + - name: staging.cryptoparty.hamburg.ccc.de + url: "https://staging.cryptoparty.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" + + - name: www.hamburg.ccc.de + url: "https://www.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" diff --git a/resources/external/status/nginx/http_handler.conf b/resources/external/status/nginx/http_handler.conf new file mode 100644 index 0000000..c989ede --- /dev/null +++ b/resources/external/status/nginx/http_handler.conf @@ -0,0 +1,14 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name status.hamburg.ccc.de; + + location / { + return 301 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } +} diff --git a/resources/external/status/nginx/status.hamburg.ccc.de.conf b/resources/external/status/nginx/status.hamburg.ccc.de.conf new file mode 100644 index 0000000..510966a --- /dev/null +++ b/resources/external/status/nginx/status.hamburg.ccc.de.conf 
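Review bot: The section comments `# Websites (Staging)` and `# Website (Redirects)` sit at column 0 inside the `endpoints` list, while `# Websites` at the top of the list is indented to the item level; YAML accepts either, but the flush-left ones read as if the list had ended. Indent them like the first one, and `# Website (Redirects)` should presumably read `# Websites (Redirects)` to match the group name defined in `websites-redirects-defaults` above. The `pat(**)` conditions on the hacker.tours entries are explained by their comments, so no change there.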
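Review bot: `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, and because this block is the `default_server` for port 80 it answers for any Host value, so a request carrying a foreign Host is bounced to that foreign name. Since `server_name status.hamburg.ccc.de;` is fixed, `return 301 https://status.hamburg.ccc.de$request_uri;` (or `$server_name` in place of the literal) keeps the redirect pinned to the site. That also matches the HTTPS vhost in this commit, which already assumes a single fixed name in its `Forwarded` header.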
@@ -0,0 +1,33 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ server_name status.hamburg.ccc.de;
+
+ ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy.
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/;
+ }
+}
From 744dc00ae5f6209481df3b1b0cd42fec4fa194f4 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sun, 18 Jan 2026 03:01:35 +0000
Subject: [PATCH 26/33] Update https://github.com/ansible/ansible-lint action to v26
---
 .forgejo/workflows/lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
index b1168c9..588d38c 100644
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
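Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For the client sent, while the `Forwarded` header a few lines below is built from `$remote_addr` under the stated assumption that this is the only reverse proxy; under that assumption `proxy_set_header X-Forwarded-For $remote_addr;` is the consistent choice and stops a client from prepending an address of its choosing that Gatus or its logs might record as the origin. `ssl_trusted_certificate` is only consulted for OCSP stapling and no `ssl_stapling on;` is set, so that directive and its comment are inert (and Let's Encrypt has, to my knowledge, wound down OCSP, so stapling is not worth adding either). The header comment claims the Mozilla intermediate profile, but `ssl_protocols`, `ssl_ciphers` and the session settings are absent, so the effective TLS policy is whatever the nginx role's global configuration or the build defaults provide; if the role does not set them, a comment saying where they come from would stop the next reader trusting this header. `listen 443 ssl http2` is the pre-1.25.1 spelling; newer nginx, presumably including what Debian 13 ships, wants a separate `http2 on;`.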
@@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.12.2 + uses: https://github.com/ansible/ansible-lint@v26.1.1 with: setup_python: "false" requirements_file: "requirements.yml" From 0b6847493cfe44d03c645efe0bf54e6b2b2941a9 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sun, 18 Jan 2026 03:30:42 +0000 Subject: [PATCH 27/33] Update actions/checkout action to v6 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 588d38c..5113e9f 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Install pip run: | apt update From d7b463ecb9a1d4cf3d13d0ad9d3c3f064c271235 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 04:53:14 +0100 Subject: [PATCH 28/33] status(host): fix token not working by using a new one --- inventories/external/host_vars/status.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index e300459..4dd3471 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml 
@@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-17T23:54:35Z" - mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + lastmodified: "2026-01-18T03:53:06Z" + mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- From d514688574e84f8da76aa357782953fce5e4cb0c Mon Sep 17 00:00:00 2001 
From: June
Date: Sun, 18 Jan 2026 19:21:33 +0100
Subject: [PATCH 29/33] systemd_networkd(role),router(host): support global config to fix forw.
With the router upgrade to Debian 13 the systemd version got upgraded as well breaking the current configuration for IP forwarding. Add a variable for global systemd-networkd configuration and use that to enable IPv4 and IPv6 forwarding on the router. The systemd_networkd role could be a bit nicer, not deploying/deleting the global configuration, if the variable is empty and reloading/restarting systemd-networkd at appropriate times. But as is works for now.
---
 inventories/chaosknoten/host_vars/router.yaml | 1 +
 .../router/systemd_networkd/20-net1.network | 2 --
 .../router/systemd_networkd/20-net2.network | 2 --
 .../router/systemd_networkd_global_config.conf | 3 +++
 roles/systemd_networkd/README.md | 5 +++++
 roles/systemd_networkd/defaults/main.yaml | 1 +
 roles/systemd_networkd/tasks/main.yaml | 18 ++++++++++++++++++
 7 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 resources/chaosknoten/router/systemd_networkd_global_config.conf
 create mode 100644 roles/systemd_networkd/defaults/main.yaml
diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml
index 5e9c832..adbc8d9 100644
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ b/inventories/chaosknoten/host_vars/router.yaml
@@ -1,4 +1,5 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
 nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
 ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__timer_randomized_delay_sec: 0min
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network index c8bffc1..5c14d8d 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net1.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -3,7 +3,6 @@ Name=net1 [Network] DNS=212.12.50.158 -IPForward=ipv4 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=212.12.48.123/24 [Route] Gateway=212.12.48.55 - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network index b3f497d..39d1f03 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net2.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -3,7 +3,6 @@ Name=net2 [Network] #DNS=212.12.50.158 -IPForward=ipv6 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=2a00:14b0:4200:3500::130:2/112 [Route] Gateway=2a00:14b0:4200:3500::130:1 - diff --git a/resources/chaosknoten/router/systemd_networkd_global_config.conf b/resources/chaosknoten/router/systemd_networkd_global_config.conf new file mode 100644 index 0000000..2d3d8a3 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd_global_config.conf @@ -0,0 +1,3 @@ +[Network] +IPv4Forwarding=true +IPv6Forwarding=true diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md index 3297c47..ac7f115 100644 --- a/roles/systemd_networkd/README.md +++ b/roles/systemd_networkd/README.md @@ -9,3 +9,8 @@ Should work on Debian-based distributions. ## Required Arguments - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. + +## Optional Arguments + +- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`). + Defaults to `` (the empty string); diff --git a/roles/systemd_networkd/defaults/main.yaml b/roles/systemd_networkd/defaults/main.yaml new file mode 100644 index 0000000..e84ed28 
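Review bot: `IPv4Forwarding=true` and `IPv6Forwarding=true` in the global `[Network]` section of the new systemd_networkd_global_config.conf enable forwarding for every link, whereas the settings removed in the 20-net1.network and 20-net2.network hunks of this commit forwarded only IPv4 on net1 and only IPv6 on net2. On a router that is presumably intended, but it means the nftables ruleset referenced from router.yaml is now the only thing deciding what is forwarded between which links and families, so its forward-chain policy and rules are worth re-checking against both families on all interfaces. A one-line comment at the top of the file, e.g. `# Global: enables forwarding on all links for both families; what may be forwarded is decided by nftables`, would make that dependency visible where the setting lives.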
--- /dev/null +++ b/roles/systemd_networkd/defaults/main.yaml @@ -0,0 +1 @@ +systemd_networkd__global_config: "" diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml index f88ed14..cc8f4d9 100644 --- a/roles/systemd_networkd/tasks/main.yaml +++ b/roles/systemd_networkd/tasks/main.yaml @@ -12,3 +12,21 @@ recursive: true delete: true become: true + +- name: ensure global systemd-networkd config directory exists + ansible.builtin.file: + path: "/etc/systemd/networkd.conf.d" + state: directory + owner: root + group: root + mode: "0755" + become: true + +- name: ensure global systemd-networkd config is deployed + ansible.builtin.copy: + content: "{{ systemd_networkd__global_config }}" + dest: "/etc/systemd/networkd.conf.d/20-ansible.conf" + mode: "0644" + owner: root + group: root + become: true From 28f80a85f33413cd0de40708623f281c93c78c76 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 19:47:19 +0100 Subject: [PATCH 30/33] status(host): Switch to nekover.se user for personal token As access token now apparently expire with matrix authentication services, use a nekover.se user where we can get a long-lived personal token. --- inventories/external/host_vars/status.sops.yaml | 6 +++--- .../external/status/docker_compose/config/general.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index 4dd3471..366b641 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml 
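Review bot: The task `ensure global systemd-networkd config is deployed` writes `/etc/systemd/networkd.conf.d/20-ansible.conf` unconditionally and nothing restarts systemd-networkd afterwards, so the forwarding change in this commit does not take effect until a manual restart or reboot, and hosts that keep the default `""` from defaults/main.yaml receive an empty drop-in; the commit message acknowledges both. Adding `notify: restart systemd-networkd` to the copy task together with a handler that restarts the `systemd-networkd` unit closes the first gap (as far as I know, global networkd.conf drop-ins are read at start, so a restart rather than a `networkctl reload` is needed); guarding the copy with `when: systemd_networkd__global_config | length > 0` and pairing it with a `state: absent` task for the empty case closes the second. The earlier tasks of this file, including the one the hunk's context lines belong to, are outside the hunk.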
@@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-18T03:53:06Z" - mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] + lastmodified: "2026-01-18T18:40:32Z" + mac: ENC[AES256_GCM,data:7bP0fmn6TJKA8zLuXE8F47sHn1qqX33z/078KkCJx5yRSKBGyLnTeKNha8EODEBkMG0eXQ2BEQDPfNB892R5OW69xCInCa0+sEPONd3YELMvFVoM7/+avDi94X/tdJKCHVPnF/kpqnGhKlwikKlCFLIcbkfEAHJgDlze32C0QKU=,iv:1Q5dsJP2FToAYDJYWXJufHuIlXGfj93NaBWHfZ5rhHk=,tag:dFNYdMJOwUwr6/zwlRollg==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- 
diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index c67811a..0b30725 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -17,7 +17,7 @@ ui: alerting: matrix: - server-url: "https://matrix-client.matrix.org" + server-url: "https://matrix.nekover.se" access-token: "${MATRIX_ACCESS_TOKEN}" internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" From ddaa069204bb49b8d1033e42292019ce9b594da8 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:39:23 +0100 Subject: [PATCH 31/33] status(host): configure Gatus to store more results and events Also see: https://github.com/TwiN/gatus?tab=readme-ov-file#storage --- resources/external/status/docker_compose/config/general.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index 0b30725..fb1c3ed 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -1,6 +1,8 @@ storage: type: postgres path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" + maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks. + maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day. ui: title: CCCHH Status From 41d943a532186868f556a6ad026b38a5bb455731 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Jan 2026 19:32:42 +0100 Subject: [PATCH 32/33] wip: alloy --- roles/alloy/tasks/main.yaml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 roles/alloy/tasks/main.yaml 
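Review bot: The trailing comments on the two new storage keys read awkwardly ("Default are 100") and push both lines well past the usual line-length limit. Placing them above the keys as `# Default is 100; 240 covers 4h of 1m-interval checks.` and `# Default is 50; 1000 should cover a year at ~3 events a day.` keeps the values readable and the lines short.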
diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml
new file mode 100644
index 0000000..2bc308a
--- /dev/null
+++ b/roles/alloy/tasks/main.yaml
@@ -0,0 +1,48 @@
+# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
+- name: ensure alloy user exists
+ ansible.builtin.user:
+ name: alloy
+ system: true
+ append: true
+ create_home: false
+ state: present
+
+- name: ensure the `/etc/alloy/` config directory exists
+ ansible.builtin.file:
+ path: /etc/alloy
+ state: directory
+ mode: "0770"
+ owner: root
+ group: alloy
+ become: true
+
+- name: synchronize the additional configuration files directory, if present
+ when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
+ block:
+ - name: ensure rsync is installed
+ ansible.builtin.apt:
+ name: rsync
+ become: true
+
+ - name: synchronize the additional configuration files directory, if present
+ ansible.posix.synchronize:
+ src: "{{ alloy__additional_configs_dir }}"
+ dest: /etc/alloy/additional
+ delete: true
+ recursive: true
+ use_ssh_args: true
+ rsync_opts:
+ - "--chown=root:alloy"
+ become: true
+
+- name: delete the additional configuration files directory, if not present
+ when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
+ ansible.builtin.file:
+ path: /etc/alloy/additional
+ state: absent
+ become: true
+
+- name: Setup Alloy
+ ansible.builtin.import_role:
+ name: grafana.grafana.alloy
+ become: true
From 5e23b86b95db573093a4e3c363160e814c63f8ae Mon Sep 17 00:00:00 2001
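Review bot: The `ensure alloy user exists` task has no `become: true` although every other task in this file has one, so creating the system account fails unless the connection user is already root. `append: true` without a `groups:` list is a no-op and can be dropped. The synchronize task chowns the tree to `root:alloy` but keeps the source files' modes, so anything with credentials in the additional config directory can end up world-readable under `/etc/alloy/additional`; adding `- "--chmod=Du=rwx,Dg=rx,Do=,Fu=rw,Fg=r,Fo="` to `rsync_opts` pins directories to 0750 and files to 0640 regardless of how they are checked out on the controller.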
From: chris Date: Sun, 25 Jan 2026 20:03:13 +0100 Subject: [PATCH 33/33] rollout Alloy to replace prometheus_node_exporter With the new network we need to deploy a push based solution in order to get metrics into prometheus --- .../chaosknoten/group_vars/all.sops.yaml | 7 +- .../chaosknoten/host_vars/grafana.yaml | 42 +-------- .../chaosknoten/host_vars/ntfy.sops.yaml | 6 +- inventories/chaosknoten/host_vars/ntfy.yaml | 86 +------------------ inventories/chaosknoten/hosts.yaml | 15 ++-- playbooks/deploy.yaml | 11 +-- .../grafana/docker_compose/prometheus.yml | 35 -------- .../grafana/nginx/metrics.hamburg.ccc.de.conf | 1 - roles/alloy/defaults/main.yaml | 44 ++++++++++ roles/alloy/tasks/main.yaml | 2 + roles/prometheus_node_exporter/meta/main.yaml | 10 --- .../prometheus_node_exporter/tasks/main.yaml | 14 --- 12 files changed, 68 insertions(+), 205 deletions(-) create mode 100644 roles/alloy/defaults/main.yaml delete mode 100644 roles/prometheus_node_exporter/meta/main.yaml delete mode 100644 roles/prometheus_node_exporter/tasks/main.yaml diff --git a/inventories/chaosknoten/group_vars/all.sops.yaml b/inventories/chaosknoten/group_vars/all.sops.yaml index ebc53b7..0c5762d 100644 --- a/inventories/chaosknoten/group_vars/all.sops.yaml +++ b/inventories/chaosknoten/group_vars/all.sops.yaml @@ -1,4 +1,5 @@ msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str] +metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str] sops: age: - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 
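Review bot: `metrics__chaos_password` is added to `group_vars/all.sops.yaml`, so the shared write credential for metrics.hamburg.ccc.de is in scope for every host in the inventory, not only `alloy_hosts` — presumably including `ansible_pull_hosts`, which decrypt the inventory themselves. A sops file under `group_vars/alloy_hosts/` would limit it to the hosts that actually push. The single `chaos` account is also shared by all of them, so a compromised VM can write series under any `instance` label; per-host (or at least per-site) basic-auth users would make writes attributable and revocable individually.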
@@ -163,8 +164,8 @@ sops: SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-13T23:45:06Z" - mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str] + lastmodified: "2026-01-25T18:06:26Z" + mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str] pgp: - created_at: "2025-10-20T19:03:07Z" enc: |- @@ -360,4 +361,4 @@ sops: -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index ecc942c..b87a198 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,16 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } +alloy_config_additional: | loki.write "default" { endpoint { url = "https://loki.hamburg.ccc.de/loki/api/v1/push" 
@@ -98,9 +89,9 @@ alloy_config: | } rule { source_labels = ["__journal__hostname"] - target_label = "host" + target_label = "instance" regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" + replacement = "${1}.hosts.hamburg.ccc.de" action = "replace" } } @@ -111,30 +102,3 @@ alloy_config: | format_as_json = true labels = {component = "loki.source.journal", org = "ccchh"} } - - logging { - level = "info" - } - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - } diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml index e860cca..1328d66 100644 --- a/inventories/chaosknoten/host_vars/ntfy.sops.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml @@ -1,5 +1,3 @@ -secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str] -secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str] secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str] ntfy: user: 
@@ -18,8 +16,8 @@ sops: bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-20T19:01:39Z" - mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str] + lastmodified: "2026-01-25T18:41:48Z" + mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str] pgp: - created_at: "2025-10-20T19:03:04Z" enc: |- diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml index cab4e76..2d68bfa 100644 --- a/inventories/chaosknoten/host_vars/ntfy.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.yaml 
@@ -15,90 +15,8 @@ nginx__configurations: - name: ntfy.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } - loki.write "default" { - endpoint { - url = "https://loki.hamburg.ccc.de/loki/api/v1/push" - basic_auth { - username = "chaos" - password = "{{ secret__loki_chaos }}" - } - } - } - - loki.relabel "journal" { - forward_to = [] - - rule { - source_labels = ["__journal__systemd_unit"] - target_label = "systemd_unit" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "instance" - } - rule { - source_labels = ["__journal__transport"] - target_label = "systemd_transport" - } - rule { - source_labels = ["__journal_syslog_identifier"] - target_label = "syslog_identifier" - } - rule { - source_labels = ["__journal_priority_keyword"] - target_label = "level" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - loki.source.journal "read_journal" { - forward_to = [loki.write.default.receiver] - relabel_rules = loki.relabel.journal.rules - format_as_json = true - labels = {component = "loki.source.journal", org = "ccchh"} - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "unix_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - 
} - +alloy_config_additional: | prometheus.scrape "ntfy_metrics" { targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}] - forward_to = [prometheus.relabel.default.receiver] + forward_to = [prometheus.relabel.chaosknoten_common.receiver] } diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 93c61be..1251806 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -158,11 +158,10 @@ certbot_hosts: zammad: ntfy: sunders: -prometheus_node_exporter_hosts: +alloy_hosts: hosts: ccchoir: eh22-wiki: - tickets: keycloak: netbox: onlyoffice: @@ -170,6 +169,14 @@ prometheus_node_exporter_hosts: pretalx: wiki: zammad: + grafana: + ntfy: + tickets: + renovate: + cloud: + public-reverse-proxy: + router: + sunders: infrastructure_authorized_keys_hosts: hosts: ccchoir: @@ -199,10 +206,6 @@ netbox_hosts: proxmox_vm_template_hosts: hosts: chaosknoten: -alloy_hosts: - hosts: - grafana: - ntfy: ansible_pull_hosts: hosts: netbox: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index f416b91..fe0cf78 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -64,11 +64,6 @@ roles: - nginx -- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts - hosts: prometheus_node_exporter_hosts - roles: - - prometheus_node_exporter - - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors become: true @@ -83,10 +78,8 @@ - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true - tasks: - - name: Setup Alloy - ansible.builtin.include_role: - name: grafana.grafana.alloy + roles: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus.yml b/resources/chaosknoten/grafana/docker_compose/prometheus.yml index fd59034..7f94ab0 100644 
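Review bot: Along with the node-exporter pipeline, the removed `alloy_config` of the ntfy host also held `loki.write "default"`, `loki.relabel "journal"` and `loki.source.journal "read_journal"`, and the new `alloy_config_default` introduced in roles/alloy/defaults/main.yaml in this patch has no loki components, so journal shipping from ntfy stops with this change while the grafana host keeps its loki section. If that is intended, the commit message should say so and the removal of `secret__loki_chaos` from ntfy.sops.yaml is consistent; if not, the loki blocks need to move into `alloy_config_additional` here and the secret needs to stay.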
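Review bot: Removing the `prometheus_node_exporter` play (first hunk of this file) and deleting the role only stops managing the exporter; nothing uninstalls `prometheus-node-exporter` or stops its service on the former `prometheus_node_exporter_hosts`, so those hosts keep an unauthenticated listener on :9100 that Prometheus no longer scrapes. Since the group was renamed rather than replaced, every former member is now in `alloy_hosts`, so a removal task in the alloy role (or a one-off play) closes that gap.
```yaml
- name: ensure the legacy prometheus-node-exporter is removed
  ansible.builtin.apt:
    name: prometheus-node-exporter
    state: absent
    purge: true
  become: true
```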
--- a/resources/chaosknoten/grafana/docker_compose/prometheus.yml +++ b/resources/chaosknoten/grafana/docker_compose/prometheus.yml @@ -82,41 +82,6 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: pve-exporter:9221 - - job_name: hosts - static_configs: - # Wieske Chaosknoten VMs - - labels: - org: ccchh - site: wieske - type: virtual_machine - hypervisor: chaosknoten - targets: - - netbox-intern.hamburg.ccc.de:9100 - - matrix-intern.hamburg.ccc.de:9100 - - public-web-static-intern.hamburg.ccc.de:9100 - - git-intern.hamburg.ccc.de:9100 - - forgejo-actions-runner-intern.hamburg.ccc.de:9100 - - eh22-wiki-intern.hamburg.ccc.de:9100 - - mjolnir-intern.hamburg.ccc.de:9100 - - woodpecker-intern.hamburg.ccc.de:9100 - - penpot-intern.hamburg.ccc.de:9100 - - jitsi.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - ccchoir-intern.hamburg.ccc.de:9100 - - tickets-intern.hamburg.ccc.de:9100 - - keycloak-intern.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - pad-intern.hamburg.ccc.de:9100 - - wiki-intern.hamburg.ccc.de:9100 - - zammad-intern.hamburg.ccc.de:9100 - - pretalx-intern.hamburg.ccc.de:9100 - - labels: - org: ccchh - site: wieske - type: physical_machine - targets: - - chaosknoten.hamburg.ccc.de:9100 - storage: tsdb: diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index ef2fe07..195b99d 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -9,7 +9,6 @@ server { allow 2a00:14b0:4200:3380::/64; allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing # Z9 - allow 2a07:c480:0:100::/56; allow 2a07:c481:1::/48; # fuxnoc allow 2a07:c481:0:1::/64; diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml new file mode 100644 index 0000000..92bc960 --- /dev/null 
+++ b/roles/alloy/defaults/main.yaml @@ -0,0 +1,44 @@ +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "chaosknoten_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "wieske" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.hosts.hamburg.ccc.de" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.chaosknoten_common.receiver] + } + +alloy_config_additional: "" diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml index 2bc308a..5e3cd64 100644 --- a/roles/alloy/tasks/main.yaml +++ b/roles/alloy/tasks/main.yaml @@ -45,4 +45,6 @@ - name: Setup Alloy ansible.builtin.import_role: name: grafana.grafana.alloy + vars: + alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}" become: true diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml deleted file mode 100644 index 78bb770..0000000 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" - - "12" - - "13" diff --git a/roles/prometheus_node_exporter/tasks/main.yaml b/roles/prometheus_node_exporter/tasks/main.yaml deleted file mode 100644 index c138f18..0000000 --- a/roles/prometheus_node_exporter/tasks/main.yaml +++ /dev/null 
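Review bot: `alloy_config_default` hard-codes `replacement = "wieske"` for the `site` label, and drops the `type`/`hypervisor` labels the old static scrape config set, although `alloy_hosts` now also contains `router`, `public-reverse-proxy`, `cloud` and `sunders`, which may not all sit at that site; dashboards or alert rules keyed on those labels are not visible here. Making it a role variable — `alloy__site: wieske` in defaults and `replacement = "{{ alloy__site }}"` in the rule — keeps the current default and lets host_vars override it. The rendered config also carries `metrics__chaos_password` in clear text, so the file mode the grafana.grafana.alloy role gives the rendered config file matters — worth verifying it is not world-readable.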
@@ -1,14 +0,0 @@
-- name: make sure the `prometheus-node-exporter` package is installed
- ansible.builtin.apt:
- name: prometheus-node-exporter
- state: present
- allow_change_held_packages: true
- update_cache: true
- become: true
-
-- name: make sure `prometheus-node-exporter.service` is started and ansibled
- ansible.builtin.systemd:
- name: prometheus-node-exporter.service
- state: started
- enabled: true
- become: true