Compare commits


32 commits

Author SHA1 Message Date
5e23b86b95
rollout Alloy to replace prometheus_node_exporter
Some checks failed
/ Ansible Lint (push) Failing after 46s
With the new network we need to deploy a push based solution in order to get metrics into prometheus
2026-01-25 20:03:13 +01:00
41d943a532
wip: alloy
2026-01-23 21:37:23 +01:00
ddaa069204
status(host): configure Gatus to store more results and events
All checks were successful
/ Ansible Lint (push) Successful in 1m52s
Also see:
https://github.com/TwiN/gatus?tab=readme-ov-file#storage
2026-01-18 21:39:23 +01:00
fi
28f80a85f3 status(host): Switch to nekover.se user for personal token
All checks were successful
/ Ansible Lint (push) Successful in 1m53s
As access tokens now apparently expire with matrix authentication services,
use a nekover.se user where we can get a long-lived personal token.
2026-01-18 19:49:59 +01:00
d514688574
systemd_networkd(role),router(host): support global config to fix forw.
All checks were successful
/ Ansible Lint (push) Successful in 1m58s
With the router upgrade to Debian 13 the systemd version got upgraded as
well breaking the current configuration for IP forwarding.
Add a variable for global systemd-networkd configuration and use that to
enable IPv4 and IPv6 forwarding on the router.

The systemd_networkd role could be a bit nicer, not deploying/deleting
the global configuration if the variable is empty and
reloading/restarting systemd-networkd at appropriate times. But as is,
it works for now.
2026-01-18 19:21:33 +01:00
d7b463ecb9
status(host): fix token not working by using a new one
All checks were successful
/ Ansible Lint (push) Successful in 1m59s
2026-01-18 04:54:31 +01:00
0b6847493c Update actions/checkout action to v6
All checks were successful
/ Ansible Lint (pull_request) Successful in 2m22s
/ Ansible Lint (push) Successful in 1m52s
2026-01-18 03:30:42 +00:00
744dc00ae5 Update https://github.com/ansible/ansible-lint action to v26
All checks were successful
/ Ansible Lint (pull_request) Successful in 2m26s
/ Ansible Lint (push) Successful in 1m57s
2026-01-18 03:01:35 +00:00
fe52127e82
status(host): configure external status page and uptime monitoring host
Some checks failed
/ Ansible Lint (push) Failing after 2m0s
2026-01-18 01:26:52 +01:00
51bbdd42a2
dooris(host): make certbot work
Some checks failed
/ Ansible Lint (push) Failing after 2m6s
2026-01-13 16:55:22 +01:00
428b5c70bc
pretalx(host): roll back to pretalx v2025.1.0 for celery as well
2026-01-13 14:19:57 +01:00
92601ab9ea
renovate: add package rule for pretalx reclassifying major updates
Some checks failed
/ Ansible Lint (push) Failing after 2m8s
So that v2025.1.0 to v2025.2.2 counts as a major, not a minor, update.
2026-01-13 03:48:34 +01:00
3e0fdfa8de
pretalx(host): roll back to pretalx v2025.1.0 as v2025.2.2 doesn't work
Some checks failed
/ Ansible Lint (push) Failing after 1m56s
2026-01-13 03:43:28 +01:00
951ec7ebcd
netbox(role): fix oidc integration by no longer using is_staff
Some checks failed
/ Ansible Lint (push) Failing after 1m56s
is_staff got removed in 4.5.0.
See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0
2026-01-13 02:25:06 +01:00
a92e144cfc
base_config(role): ensure base set of admin tools is installed
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
See:
https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix
2026-01-13 00:41:06 +01:00
c638790819 Update all stable non-major dependencies
Some checks failed
/ Ansible Lint (pull_request) Failing after 2m31s
/ Ansible Lint (push) Failing after 2m5s
2026-01-12 02:30:47 +00:00
70461c98ba
first run ansible_pull for router, then for all other hosts
Some checks failed
/ Ansible Lint (push) Failing after 2m13s
Do this to avoid a restarting router affecting playbook runs on other
hosts.
2026-01-12 03:29:06 +01:00
968e29ccb8
do v6-only for internal proxy protocol communication
Some checks failed
/ Ansible Lint (push) Failing after 2m5s
Since we want to do v6-only internally, only listen on v6 for proxy
protocol.
This is also needed as we only have set_real_ip_from pointing to a v6.
2026-01-12 03:02:09 +01:00
255327952e
ntfy(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m59s
2026-01-11 03:57:11 +01:00
1971598e71
pretalx(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
2026-01-11 03:23:18 +01:00
372f264bcb
ccchoir(host): move to new network and hostname
2026-01-11 03:23:14 +01:00
2fbb37db18
grafana(host): move to new network and hostname
2026-01-11 03:23:01 +01:00
bb30e88404
router(host): allowlist only certain icmpv6 types
Some checks failed
/ Ansible Lint (push) Failing after 2m14s
2026-01-11 00:29:16 +01:00
a41b07949c
zammad(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 1m56s
2026-01-11 00:22:37 +01:00
ff550cbd8a
tickets(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 2m22s
2026-01-11 00:00:18 +01:00
49e3ecb986
netbox(host): move to new network and hostname
Some checks failed
/ Ansible Lint (push) Failing after 2m3s
2026-01-09 03:05:29 +01:00
a622f21b54
renovate(host): move to new network and hostname
2026-01-07 18:46:27 +01:00
40b67c6bc3
sunders(host): move to new network and hostname
2026-01-07 18:46:16 +01:00
fbd3ea5496
base_config: disable cloud-init ssh module to avoid hostkey regeneration
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
It should run once on first boot anyway, and since it apparently runs for
every change in the Proxmox cloud-init config, disable it so it
doesn't, since it's annoying to have "random" hostkey changes.
2026-01-07 18:09:48 +01:00
80ddb2efc9
router: enable a DHCP server for the v4-NAT network as well
As the hosts don't really need a static v4, just do DHCP.
2026-01-07 17:25:27 +01:00
a328e92971 Should be compatible with trixie/13
Some checks failed
/ Ansible Lint (push) Failing after 2m5s
2026-01-03 14:03:26 +01:00
25db54b8ad Make sure pip is installed
2026-01-03 14:02:56 +01:00
73 changed files with 1633 additions and 296 deletions

View file

@ -10,7 +10,7 @@ jobs:
name: Ansible Lint name: Ansible Lint
runs-on: docker runs-on: docker
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v6
- name: Install pip - name: Install pip
run: | run: |
apt update apt update
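Review bot: `uses: actions/checkout@v6` pins the action to a mutable tag, so the workflow runs whatever the `v6` tag points at on the day of the run. Since Renovate already manages this line (it authored the bump), pinning to the full commit SHA with the version in a trailing comment keeps the CI run reproducible without giving up automated updates.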
@ -24,7 +24,7 @@ jobs:
# work in our environmnet. # work in our environmnet.
# Rather manually setup python (pip) before instead. # Rather manually setup python (pip) before instead.
- name: Run ansible-lint - name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@v25.11.0 uses: https://github.com/ansible/ansible-lint@v26.1.1
with: with:
setup_python: "false" setup_python: "false"
requirements_file: "requirements.yml" requirements_file: "requirements.yml"
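Review bot: `uses: https://github.com/ansible/ansible-lint@v26.1.1` is a major-version bump of the linter, again pinned by tag rather than by commit SHA; a SHA pin with the version as a trailing comment would make lint results reproducible across runs. While this file is open, the unchanged context comment `# work in our environmnet.` has a typo (`environment`).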

View file

@ -33,15 +33,25 @@ keys:
- &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
- &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
- &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
external:
age: &host_external_age_keys
- &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
creation_rules: creation_rules:
# group vars ## group vars
- path_regex: inventories/chaosknoten/group_vars/all.* - path_regex: inventories/chaosknoten/group_vars/all.*
key_groups: key_groups:
- pgp: - pgp:
*admin_gpg_keys *admin_gpg_keys
age: age:
*host_chaosknoten_age_keys *host_chaosknoten_age_keys
# host vars - path_regex: inventories/external/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_external_age_keys
## host vars
# chaosknoten hosts
- path_regex: inventories/chaosknoten/host_vars/cloud.* - path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups: key_groups:
- pgp: - pgp:
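Review bot: the new `path_regex: inventories/external/group_vars/all.*` rule encrypts the external group secrets to `*host_external_age_keys`, and that anchor currently holds only `host_status_ansible_pull_age_key`. Every further external host will need its age key appended to the anchor and the group file re-keyed (`sops updatekeys`), otherwise that host's ansible-pull cannot read `msmtp__smtp_password`; a comment next to the anchor saying so would save the next person the debugging round.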
@ -150,6 +160,14 @@ creation_rules:
*admin_gpg_keys *admin_gpg_keys
age: age:
- *host_public_reverse_proxy_ansible_pull_age_key - *host_public_reverse_proxy_ansible_pull_age_key
# external hosts
- path_regex: inventories/external/host_vars/status.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_status_ansible_pull_age_key
# z9 hosts
- path_regex: inventories/z9/host_vars/dooris.* - path_regex: inventories/z9/host_vars/dooris.*
key_groups: key_groups:
- pgp: - pgp:

View file

@ -1,4 +1,5 @@
msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str] msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
sops: sops:
age: age:
- recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
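Review bot: `metrics__chaos_password` is added to the chaosknoten group vars file, which `.sops.yaml` encrypts to `*host_chaosknoten_age_keys`, i.e. the ansible-pull key of every chaosknoten host. One shared remote_write credential readable by all hosts means a compromise of any single VM yields a credential valid for writing metrics under any other host's `instance` label, which is a metric-integrity risk for alerting. If per-host credentials are not practical, at least document the rotation procedure, since rotating this value now touches every host's run.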
@ -163,8 +164,8 @@ sops:
SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn
mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA== mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-13T23:45:06Z" lastmodified: "2026-01-25T18:06:26Z"
mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str] mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
pgp: pgp:
- created_at: "2025-10-20T19:03:07Z" - created_at: "2025-10-20T19:03:07Z"
enc: |- enc: |-
@ -360,4 +361,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0

View file

@ -3,7 +3,7 @@
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/chaosknoten ansible_pull__inventory: inventories/chaosknoten
ansible_pull__playbook: playbooks/maintenance.yaml ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min ansible_pull__timer_randomized_delay_sec: 30min
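Review bot: the move of `ansible_pull__timer_on_calendar` to 04:30 only makes sense together with the router's 04:00 run and its `0min` randomized delay (the router is meant to finish before the other hosts start, per the commit message in this range). A comment here naming that dependency would stop the two values from drifting apart later, and the 30-minute gap is worth checking against how long a router run that restarts systemd-networkd actually takes.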

View file

@ -53,16 +53,7 @@ nginx__configurations:
- name: metrics.hamburg.ccc.de - name: metrics.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
alloy_config: | alloy_config_additional: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
loki.write "default" { loki.write "default" {
endpoint { endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push" url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
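Review bot: renaming `alloy_config` to `alloy_config_additional` and dropping the `prometheus.remote_write "default"` block here means the metrics endpoint and its credentials now come from the role's common config, while the `loki.write "default"` output stays host-local in this file. The two outputs are now configured in two different places; a one-line comment at the top of the additional config stating which components the common config provides and which this file must define would make that contract visible.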
@ -98,9 +89,9 @@ alloy_config: |
} }
rule { rule {
source_labels = ["__journal__hostname"] source_labels = ["__journal__hostname"]
target_label = "host" target_label = "instance"
regex = "([^:]+)" regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de" replacement = "${1}.hosts.hamburg.ccc.de"
action = "replace" action = "replace"
} }
} }
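Review bot: the journal relabel rule now writes the FQDN into `instance` instead of `host`, and the suffix changes from `.hamburg.ccc.de` to `.hosts.hamburg.ccc.de`. Any Grafana dashboard, Loki query or alert rule that filters on `host=` or on the old suffix will silently return nothing after this lands; checking those before rollout is cheaper than debugging empty panels later.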
@ -111,30 +102,3 @@ alloy_config: |
format_as_json = true format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"} labels = {component = "loki.source.journal", org = "ccchh"}
} }
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}
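Review bot: removing `prometheus.exporter.unix "local_system"`, `prometheus.relabel "default"` and `prometheus.scrape "scrape_metrics"` from the host file is only safe if the common config defines equivalents and nothing that remains in the additional configs still references `prometheus.relabel.default.receiver`. The ntfy host vars in the same change switch to `prometheus.relabel.chaosknoten_common.receiver`, so a grep of the remaining additional configs for the old component name is the quick check.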

View file

@ -1,5 +1,5 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
netbox__version: "v4.4.6" netbox__version: "v4.5.0"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true netbox__custom_pipeline_oidc_group_and_role_mapping: true
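Review bot: bumping `netbox__version` to `v4.5.0` removes the `is_staff` flag the custom OIDC pipeline relied on (per the commit message and the linked 4.5.0 release notes), so this bump and the pipeline fix in the netbox role must roll out in the same run; applying the version bump alone leaves the OIDC integration in the broken state that role change fixes.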

View file

@ -1,5 +1,3 @@
secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str] secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
ntfy: ntfy:
user: user:
@ -18,8 +16,8 @@ sops:
bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw== sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-20T19:01:39Z" lastmodified: "2026-01-25T18:41:48Z"
mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str] mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
pgp: pgp:
- created_at: "2025-10-20T19:03:04Z" - created_at: "2025-10-20T19:03:04Z"
enc: |- enc: |-

View file

@ -15,90 +15,8 @@ nginx__configurations:
- name: ntfy.hamburg.ccc.de - name: ntfy.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
alloy_config: | alloy_config_additional: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
loki.write "default" {
endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
basic_auth {
username = "chaos"
password = "{{ secret__loki_chaos }}"
}
}
}
loki.relabel "journal" {
forward_to = []
rule {
source_labels = ["__journal__systemd_unit"]
target_label = "systemd_unit"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "instance"
}
rule {
source_labels = ["__journal__transport"]
target_label = "systemd_transport"
}
rule {
source_labels = ["__journal_syslog_identifier"]
target_label = "syslog_identifier"
}
rule {
source_labels = ["__journal_priority_keyword"]
target_label = "level"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
loki.source.journal "read_journal" {
forward_to = [loki.write.default.receiver]
relabel_rules = loki.relabel.journal.rules
format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"}
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "unix_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}
prometheus.scrape "ntfy_metrics" { prometheus.scrape "ntfy_metrics" {
targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}] targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
forward_to = [prometheus.relabel.default.receiver] forward_to = [prometheus.relabel.chaosknoten_common.receiver]
} }
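Review bot: `forward_to = [prometheus.relabel.chaosknoten_common.receiver]` references a component this file no longer defines, and the target keeps a hard-coded `instance = "ntfy"`. If the common relabel rule rewrites `instance` the way the grafana file's journal rule now does (`${1}.hosts.hamburg.ccc.de`), the resulting label becomes `ntfy.hosts.hamburg.ccc.de`; otherwise it stays the bare `ntfy` and will not line up with the node metrics from the same host. Worth confirming the final label in Prometheus after rollout. Keeping the scrape on `localhost:9586` is the right choice, since the exporter stays loopback-only.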

View file

@ -1,2 +1,5 @@
systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min
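Review bot: `systemd_networkd__global_config` enables IP forwarding through the global networkd.conf, which applies to every interface on the router; the filtering boundary therefore sits entirely in `nftables__config`, so the forward chain there should carry a drop policy with explicit accepts (the ICMPv6 allowlist commit in this range suggests that is already the pattern). Setting `ansible_pull__timer_randomized_delay_sec: 0min` removes the jitter on purpose so the other hosts can start after the router, but it also means every router run starts at exactly 04:00; a comment stating that intent would keep someone from "fixing" it back to a randomized delay.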

View file

@ -1,9 +1,9 @@
all: all:
hosts: hosts:
ccchoir: ccchoir:
ansible_host: ccchoir-intern.hamburg.ccc.de ansible_host: ccchoir.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
chaosknoten: chaosknoten:
ansible_host: chaosknoten.hamburg.ccc.de ansible_host: chaosknoten.hamburg.ccc.de
cloud: cloud:
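Review bot: every `-J ssh://chaos@public-reverse-proxy.hamburg.ccc.de` in this inventory becomes `-J ssh://chaos@router.hamburg.ccc.de`, which makes the router the single SSH jump host for the internal network on top of its routing and firewall role. That is a reasonable consolidation, but the router's sshd exposure and its place in `infrastructure_authorized_keys_hosts` now deserve the scrutiny a dedicated bastion would get, and the jump-host access on public-reverse-proxy (the `chaos` user's authorized keys and any forwarding it allows) can be withdrawn once no host depends on it any more.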
@ -15,13 +15,13 @@ all:
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
grafana: grafana:
ansible_host: grafana-intern.hamburg.ccc.de ansible_host: grafana.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
tickets: tickets:
ansible_host: tickets-intern.hamburg.ccc.de ansible_host: tickets.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
keycloak: keycloak:
ansible_host: keycloak.hosts.hamburg.ccc.de ansible_host: keycloak.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
@ -33,9 +33,9 @@ all:
ansible_host: mumble.hamburg.ccc.de ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
netbox: netbox:
ansible_host: netbox-intern.hamburg.ccc.de ansible_host: netbox.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
onlyoffice: onlyoffice:
ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_host: onlyoffice.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
@ -45,9 +45,9 @@ all:
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
pretalx: pretalx:
ansible_host: pretalx-intern.hamburg.ccc.de ansible_host: pretalx.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
public-reverse-proxy: public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
@ -59,21 +59,21 @@ all:
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
zammad: zammad:
ansible_host: zammad-intern.hamburg.ccc.de ansible_host: zammad.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ntfy: ntfy:
ansible_host: ntfy-intern.hamburg.ccc.de ansible_host: ntfy.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
sunders: sunders:
ansible_host: sunders-intern.hamburg.ccc.de ansible_host: sunders.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
renovate: renovate:
ansible_host: renovate-intern.hamburg.ccc.de ansible_host: renovate.hosts.hamburg.ccc.de
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors: hypervisors:
hosts: hosts:
chaosknoten: chaosknoten:
@ -158,11 +158,10 @@ certbot_hosts:
zammad: zammad:
ntfy: ntfy:
sunders: sunders:
prometheus_node_exporter_hosts: alloy_hosts:
hosts: hosts:
ccchoir: ccchoir:
eh22-wiki: eh22-wiki:
tickets:
keycloak: keycloak:
netbox: netbox:
onlyoffice: onlyoffice:
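Review bot: renaming the group `prometheus_node_exporter_hosts` to `alloy_hosts` stops applying whatever role the old group selected, but Ansible will not uninstall or stop `prometheus_node_exporter` on those hosts just because the group disappeared; without an explicit removal task the old exporter keeps running and listening on every host that moved. Also note that `tickets:` is dropped here and re-added in the later hunk of this file, so the net membership change is an addition, not a removal.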
@ -170,6 +169,14 @@ prometheus_node_exporter_hosts:
pretalx: pretalx:
wiki: wiki:
zammad: zammad:
grafana:
ntfy:
tickets:
renovate:
cloud:
public-reverse-proxy:
router:
sunders:
infrastructure_authorized_keys_hosts: infrastructure_authorized_keys_hosts:
hosts: hosts:
ccchoir: ccchoir:
@ -199,10 +206,6 @@ netbox_hosts:
proxmox_vm_template_hosts: proxmox_vm_template_hosts:
hosts: hosts:
chaosknoten: chaosknoten:
alloy_hosts:
hosts:
grafana:
ntfy:
ansible_pull_hosts: ansible_pull_hosts:
hosts: hosts:
netbox: netbox:

View file

@ -0,0 +1,210 @@
msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w
c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN
clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ
aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y
mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-15T21:28:28Z"
mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
pgp:
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Xw0f
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=k6m5
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=seAB
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=t5WG
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw
OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu
0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD
kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg==
=8Qs3
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=NJUn
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=gUj7
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw
YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4
W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly
m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl
AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB
QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW
fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT
XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw
Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv
v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt
zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS
XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb
YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV
=pL2f
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw
0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin
0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8
KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg==
=slU2
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw
bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL
0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp
JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw==
=1DIj
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=IYeC
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

View file

@ -0,0 +1,16 @@
# ansible_pull
# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/external
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min
# msmtp
# msmtp__smtp_password is defined in the all.sops.yaml.
msmtp__smtp_host: cow.hamburg.ccc.de
msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps
msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"
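Review bot: `msmtp__smtp_user: any@external-hosts.hamburg.ccc.de` is one SMTP identity shared by every external host, and the `From:` is built from `inventory_hostname`, a value the pulling host itself controls. That is fine for failure notifications to a list, but the mail server side should restrict what this account may send as (a fixed envelope sender or sender rewriting) so an external host cannot originate mail as an internal sender. The comment that `ansible_pull__age_private_key` lives in each host's sops file is good; the matching `.sops.yaml` rule keys it to that host's age key only.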

View file

@ -0,0 +1,212 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx
UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq
M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk
RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2
13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-18T18:40:32Z"
mac: ENC[AES256_GCM,data:7bP0fmn6TJKA8zLuXE8F47sHn1qqX33z/078KkCJx5yRSKBGyLnTeKNha8EODEBkMG0eXQ2BEQDPfNB892R5OW69xCInCa0+sEPONd3YELMvFVoM7/+avDi94X/tdJKCHVPnF/kpqnGhKlwikKlCFLIcbkfEAHJgDlze32C0QKU=,iv:1Q5dsJP2FToAYDJYWXJufHuIlXGfj93NaBWHfZ5rhHk=,tag:dFNYdMJOwUwr6/zwlRollg==,type:str]
pgp:
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=HCWY
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=v7Jf
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=l9vN
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=8IWz
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw
9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM
0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr
1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ
=FVIu
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=EPrs
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=0Nal
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=e4Qe
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw
27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di
0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h
7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci
=68na
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw
oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK
0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz
LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ
=Kpzf
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=lbdI
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0
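Review bot: this secrets file is decryptable by one age recipient plus eleven PGP keys (the `fp:` entries), and each of those keys is a full decryption principal for the status host's secrets; check the list against the `.sops.yaml` creation rule for this path and confirm every fingerprint still belongs to an active operator, since a stale key in the recipient list is easy to miss once it is in the file. `unencrypted_suffix: _unencrypted` is the sops default, so nothing in the file is intentionally plaintext unless a key is named with that suffix.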

View file

@ -0,0 +1,27 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: "general.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
- name: "sites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
- name: "services-chaosknoten.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
- name: "websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
- name: "easterhegg-websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: status.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "status.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
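Review bot: `nginx__version_spec: ""` and `certbot__version_spec: ""` leave both packages unpinned, and this host is also in `ansible_pull_hosts` (see the inventory hunk), so any apt upgrade is applied unattended on the next pull; if that is the repo convention, fine, otherwise pin a version spec. Also note that with `nginx__deploy_redirect_conf: false` the role's default port-80 handling is not deployed, so `resources/external/status/nginx/http_handler.conf` must serve `/.well-known/acme-challenge/` itself or certbot's HTTP-01 renewals will fail.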

24
inventories/external/hosts.yaml vendored Normal file
View file

@ -0,0 +1,24 @@
all:
hosts:
status:
# TODO: Manually set up ufw on the host. Create a role for ufw.
ansible_host: status.hamburg.ccc.de
ansible_user: chaos
base_config_hosts:
hosts:
status:
docker_compose_hosts:
hosts:
status:
nginx_hosts:
hosts:
status:
certbot_hosts:
hosts:
status:
infrastructure_authorized_keys_hosts:
hosts:
status:
ansible_pull_hosts:
hosts:
status:
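Review bot: the `# TODO: Manually set up ufw on the host` comment means this publicly named host (`ansible_host: status.hamburg.ccc.de`) currently has no managed host firewall, and because it is also in `docker_compose_hosts`, a plain ufw setup will not cover it anyway: Docker inserts its own rules ahead of ufw's chains, so ports published by compose are reachable regardless of ufw's INPUT policy. When the ufw role is written, either bind published ports to loopback in the compose file or filter in the DOCKER-USER chain, and track the TODO as an issue rather than an inventory comment.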

View file

@ -7,9 +7,11 @@ certbot__certificate_domains:
- "dooris.ccchh.net" - "dooris.ccchh.net"
certbot__new_cert_commands: certbot__new_cert_commands:
- "systemctl reload nginx.service" - "systemctl reload nginx.service"
certbot__http_01_port: 80
nginx__version_spec: "" nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations: nginx__configurations:
- name: dooris.ccchh.net - name: dooris.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}" content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
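Review bot: `certbot__http_01_port: 80` together with a new nginx `http_handler` conf on the same host looks like a port-80 bind conflict at renewal time, unless `http_handler.conf` proxies `/.well-known/acme-challenge/` to a standalone certbot listening elsewhere or certbot is run with the webroot plugin; please confirm which, because `nginx__deploy_redirect_conf: false` also removes the role's default redirect/ACME server block that used to own port 80.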

View file

@ -64,11 +64,6 @@
roles: roles:
- nginx - nginx
- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
hosts: prometheus_node_exporter_hosts
roles:
- prometheus_node_exporter
- name: Configure unattended upgrades for all non-hypervisors - name: Configure unattended upgrades for all non-hypervisors
hosts: all:!hypervisors hosts: all:!hypervisors
become: true become: true
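Review bot: deleting the play does not remove anything from the targets: every former member of `prometheus_node_exporter_hosts` keeps the node_exporter package and service, still listening on the `:9100` endpoints that the `prometheus.yml` hunk in this same commit stops scraping, and node_exporter has no authentication by default. Add a one-off cleanup play (package `state: absent`, service stopped and disabled) or document the manual removal so an unscraped, unauthenticated metrics port does not linger on twenty-odd VMs.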
@ -83,10 +78,8 @@
- name: Ensure Alloy is installed and Setup on alloy_hosts - name: Ensure Alloy is installed and Setup on alloy_hosts
hosts: alloy_hosts hosts: alloy_hosts
become: true become: true
tasks: roles:
- name: Setup Alloy - alloy
ansible.builtin.include_role:
name: grafana.grafana.alloy
- name: Ensure ansible_pull deployment on ansible_pull_hosts - name: Ensure ansible_pull deployment on ansible_pull_hosts
hosts: ansible_pull_hosts hosts: ansible_pull_hosts

View file

@ -32,6 +32,11 @@
"matchDatasources": ["docker"], "matchDatasources": ["docker"],
"matchPackageNames": ["docker.io/pretix/standalone"], "matchPackageNames": ["docker.io/pretix/standalone"],
"versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$" "versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
},
{
"matchDatasources": ["docker"],
"matchPackageNames": ["docker.io/pretalx/standalone"],
"versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
} }
], ],
"customManagers": [ "customManagers": [

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
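Review bot: with only `listen [::]:8443 ssl http2 proxy_protocol;` left and nginx's default `ipv6only=on`, this vhost no longer accepts IPv4 at all, and `set_real_ip_from` now trusts only `2a00:14b0:4200:3000:125::1`; that is consistent for the proxy-protocol path, but the listener still accepts a PROXY header from any source (realip just ignores it for untrusted peers), so make sure the host firewall restricts :8443 to that frontend address, otherwise clients can bypass the proxy entirely. The same listen/realip pair is repeated verbatim in every proxied vhost touched by this commit; moving it into one `include`d snippet would stop the copies drifting apart the next time the proxy address changes.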
@ -43,12 +43,12 @@ server {
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -2,7 +2,7 @@
services: services:
prometheus: prometheus:
image: docker.io/prom/prometheus:v3.7.3 image: docker.io/prom/prometheus:v3.9.1
container_name: prometheus container_name: prometheus
command: command:
- '--config.file=/etc/prometheus/prometheus.yml' - '--config.file=/etc/prometheus/prometheus.yml'
@ -19,7 +19,7 @@ services:
- prom_data:/prometheus - prom_data:/prometheus
alertmanager: alertmanager:
image: docker.io/prom/alertmanager:v0.29.0 image: docker.io/prom/alertmanager:v0.30.0
container_name: alertmanager container_name: alertmanager
command: command:
- '--config.file=/etc/alertmanager/alertmanager.yaml' - '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +32,7 @@ services:
- alertmanager_data:/alertmanager - alertmanager_data:/alertmanager
grafana: grafana:
image: docker.io/grafana/grafana:12.3.0 image: docker.io/grafana/grafana:12.3.1
container_name: grafana container_name: grafana
ports: ports:
- 3000:3000 - 3000:3000
@ -46,7 +46,7 @@ services:
- graf_data:/var/lib/grafana - graf_data:/var/lib/grafana
pve-exporter: pve-exporter:
image: docker.io/prompve/prometheus-pve-exporter:3.5.5 image: docker.io/prompve/prometheus-pve-exporter:3.8.0
container_name: pve-exporter container_name: pve-exporter
ports: ports:
- 9221:9221 - 9221:9221
@ -59,7 +59,7 @@ services:
- /dev/null:/etc/prometheus/pve.yml - /dev/null:/etc/prometheus/pve.yml
loki: loki:
image: docker.io/grafana/loki:3.6.0 image: docker.io/grafana/loki:3.6.3
container_name: loki container_name: loki
ports: ports:
- 13100:3100 - 13100:3100

View file

@ -82,41 +82,6 @@ scrape_configs:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: pve-exporter:9221 replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
org: ccchh
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
org: ccchh
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100
storage: storage:
tsdb: tsdb:
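Review bot: dropping the `hosts` job also drops the `org`, `site`, `type` and `hypervisor` labels that its `static_configs` attached, and the `job="hosts"` / `instance="...:9100"` label values; any alert rule or Grafana panel selecting on those now silently matches nothing. Make sure the Alloy side sets equivalent labels on remote_write (or add `metric_relabel_configs` on the receiving end) before this lands, and note the removed block listed `onlyoffice-intern.hamburg.ccc.de:9100` twice, so the Alloy target list should be checked for the same duplicate.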

View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol; listen [::]:8443 ssl proxy_protocol;
http2 on; http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -17,7 +17,6 @@ server {
server_name loki.hamburg.ccc.de; server_name loki.hamburg.ccc.de;
listen [::]:50051 ssl; listen [::]:50051 ssl;
listen 172.31.17.145:50051 ssl;
http2 on; http2 on;
@ -59,7 +58,6 @@ server {
server_name loki.hamburg.ccc.de; server_name loki.hamburg.ccc.de;
listen [::]:443 ssl; listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on; http2 on;
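Review bot: after removing `listen 172.31.17.145:50051 ssl;` and `listen 172.31.17.145:443 ssl;` only the `[::]` listeners remain, and with nginx's default `ipv6only=on` there is no IPv4 socket at all; any log shipper still reaching loki.hamburg.ccc.de through an A record or the 172.31.17.145 address gets connection refused. Remove the A record in the same change, or add `ipv6only=off` to the `[::]` listeners if dual-stack is still wanted during the migration.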

View file

@ -9,7 +9,6 @@ server {
allow 2a00:14b0:4200:3380::/64; allow 2a00:14b0:4200:3380::/64;
allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
# Z9 # Z9
allow 2a07:c480:0:100::/56;
allow 2a07:c481:1::/48; allow 2a07:c481:1::/48;
# fuxnoc # fuxnoc
allow 2a07:c481:0:1::/64; allow 2a07:c481:0:1::/64;
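Review bot: removing `allow 2a07:c480:0:100::/56` leaves only `2a07:c481:1::/48` under the `# Z9` comment; if any Z9 host still pushes metrics from the 2a07:c480:0:100::/56 prefix it will now receive 403 from this server block. Confirm the prefix change is intentional (and that the comment above the remaining line still describes it) rather than a leftover from the address renumbering elsewhere in this commit.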
@ -18,7 +17,6 @@ server {
server_name metrics.hamburg.ccc.de; server_name metrics.hamburg.ccc.de;
listen [::]:443 ssl; listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on; http2 on;
client_body_buffer_size 512k; client_body_buffer_size 512k;

View file

@ -3,7 +3,6 @@
# Also see: https://www.keycloak.org/server/reverseproxy # Also see: https://www.keycloak.org/server/reverseproxy
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -3,7 +3,6 @@
# Also see: https://www.keycloak.org/server/reverseproxy # Also see: https://www.keycloak.org/server/reverseproxy
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -7,7 +7,6 @@ server {
##listen [::]:443 ssl http2; ##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol; listen [::]:8443 ssl proxy_protocol;
http2 on; http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -4,7 +4,7 @@
services: services:
onlyoffice: onlyoffice:
image: docker.io/onlyoffice/documentserver:9.1.0 image: docker.io/onlyoffice/documentserver:9.2.1
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -13,7 +13,7 @@ services:
restart: unless-stopped restart: unless-stopped
app: app:
image: quay.io/hedgedoc/hedgedoc:1.10.3 image: quay.io/hedgedoc/hedgedoc:1.10.5
environment: environment:
- "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
- "CMD_DOMAIN=pad.hamburg.ccc.de" - "CMD_DOMAIN=pad.hamburg.ccc.de"

View file

@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

View file

@ -23,7 +23,7 @@ services:
- pretalx_net - pretalx_net
static: static:
image: docker.io/library/nginx:1.29.3 image: docker.io/library/nginx:1.29.4
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- public:/usr/share/nginx/html - public:/usr/share/nginx/html

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;

View file

@ -4,12 +4,12 @@ map $host $upstream_acme_challenge_host {
c3cat.de 172.31.17.151:31820; c3cat.de 172.31.17.151:31820;
www.c3cat.de 172.31.17.151:31820; www.c3cat.de 172.31.17.151:31820;
staging.c3cat.de 172.31.17.151:31820; staging.c3cat.de 172.31.17.151:31820;
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
element.hamburg.ccc.de 172.31.17.151:31820; element.hamburg.ccc.de 172.31.17.151:31820;
git.hamburg.ccc.de 172.31.17.154:31820; git.hamburg.ccc.de 172.31.17.154:31820;
grafana.hamburg.ccc.de 172.31.17.145:31820; grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
hackertours.hamburg.ccc.de 172.31.17.151:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820;
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820;
@ -19,18 +19,18 @@ map $host $upstream_acme_challenge_host {
matrix.hamburg.ccc.de 172.31.17.150:31820; matrix.hamburg.ccc.de 172.31.17.150:31820;
mas.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820;
element-admin.hamburg.ccc.de 172.31.17.151:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820;
netbox.hamburg.ccc.de 172.31.17.167:31820; netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820; pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
spaceapi.hamburg.ccc.de 172.31.17.151:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820;
staging.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
www.hamburg.ccc.de 172.31.17.151:31820; www.hamburg.ccc.de 172.31.17.151:31820;
tickets.hamburg.ccc.de 172.31.17.148:31820; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
sunders.hamburg.ccc.de 172.31.17.170:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
zammad.hamburg.ccc.de 172.31.17.152:31820; zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
eh03.easterhegg.eu 172.31.17.151:31820; eh03.easterhegg.eu 172.31.17.151:31820;
eh05.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820;
eh07.easterhegg.eu 172.31.17.151:31820; eh07.easterhegg.eu 172.31.17.151:31820;
@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
design.hamburg.ccc.de 172.31.17.162:31820; design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820; hydra.hamburg.ccc.de 172.31.17.163:31820;
cfp.eh22.easterhegg.eu 172.31.17.157:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820;
ntfy.hamburg.ccc.de 172.31.17.149:31820; ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
cryptoparty-hamburg.de 172.31.17.151:31820; cryptoparty-hamburg.de 172.31.17.151:31820;
cryptoparty.hamburg.ccc.de 172.31.17.151:31820; cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
staging.cryptoparty-hamburg.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820;
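Review bot: `cfp.eh22.easterhegg.eu` still maps to `172.31.17.157:31820` while `pretalx.hamburg.ccc.de` in the same map moved from `172.31.17.157:31820` to `pretalx.hosts.hamburg.ccc.de:31820` and the stream map moves `cfp.eh22.easterhegg.eu` to `pretalx.hosts.hamburg.ccc.de:8443`; once the pretalx host drops its IPv4 listener like the other hosts in this commit, the HTTP-01 challenge for cfp.eh22 will fail while the TLS passthrough keeps working, which is the kind of breakage only noticed at renewal. Also, because the map values are now hostnames used as a variable upstream, the `http` context needs a `resolver` directive (the `stream` block has one, this file does not show it) or nginx will refuse the config with "no resolver defined".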

View file

@ -18,21 +18,21 @@ stream {
resolver 212.12.50.158 192.76.134.90; resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
grafana.hamburg.ccc.de 172.31.17.145:8443; grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.167:8443; netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443; matrix.hamburg.ccc.de 172.31.17.150:8443;
mas.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443;
element-admin.hamburg.ccc.de 172.31.17.151:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,9 @@ stream {
hamburg.ccc.de 172.31.17.151:8443; hamburg.ccc.de 172.31.17.151:8443;
staging.hamburg.ccc.de 172.31.17.151:8443; staging.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443;
tickets.hamburg.ccc.de 172.31.17.148:8443; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
sunders.hamburg.ccc.de 172.31.17.170:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
zammad.hamburg.ccc.de 172.31.17.152:8443; zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
c3cat.de 172.31.17.151:8443; c3cat.de 172.31.17.151:8443;
www.c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443;
staging.c3cat.de 172.31.17.151:8443; staging.c3cat.de 172.31.17.151:8443;
@ -90,8 +90,8 @@ stream {
woodpecker.hamburg.ccc.de 172.31.17.160:8443; woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443; design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443; hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de 172.31.17.149:8443; ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty-hamburg.de 172.31.17.151:8443;
cryptoparty.hamburg.ccc.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
staging.cryptoparty-hamburg.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443;
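Review bot: TLS passthrough now depends on runtime DNS via `resolver 212.12.50.158 192.76.134.90` for every `.hosts.hamburg.ccc.de` entry, so a resolver outage or a poisoned answer (the resolver line has no `valid=` and the lookups are plain UDP) directly changes where client TLS sessions are routed; consider pinning `valid=` to a sane TTL and, if the resolvers are reachable over the internal network, restricting which interface they are queried from. The remaining literal `172.31.17.15x` entries are still on the old IPv4 network, so the migration is only half done here and the two maps (ACME and stream) should be kept in lockstep, e.g. generated from one list.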

View file

@ -39,13 +39,29 @@ table inet host {
ct state established,related accept ct state established,related accept
ip protocol icmp accept ip protocol icmp accept
ip6 nexthdr icmpv6 accept # ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access. # Allow SSH access.
tcp dport 22 accept comment "allow ssh access" tcp dport 22 accept comment "allow ssh access"
# Allow DHCP server access. # Allow DHCP server access.
iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
} }
} }
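Review bot: the RFC 4890 allowlist is a good replacement for the blanket `ip6 nexthdr icmpv6 accept`, but the Neighbor Discovery line (`nd-router-solicit`, `nd-router-advert`, `nd-neighbor-solicit`, `nd-neighbor-advert`, ...) accepts those types from any hop limit, whereas RFC 4890 section 4.3.1 recommends only accepting ND with hop limit 255, which is what makes them unforgeable from off-link; `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept` keeps the same functionality while rejecting forwarded RAs. The DHCP rule widening to `{ $if_net0_2_v4_nat, $if_net0_3_ci_runner }` matches the new `DHCPServer=true` on the v4-NAT link, so that part is consistent.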

View file

@ -3,7 +3,6 @@ Name=net1
[Network] [Network]
DNS=212.12.50.158 DNS=212.12.50.158
IPForward=ipv4
IPv6AcceptRA=no IPv6AcceptRA=no
[Address] [Address]
@ -11,4 +10,3 @@ Address=212.12.48.123/24
[Route] [Route]
Gateway=212.12.48.55 Gateway=212.12.48.55

View file

@ -3,7 +3,6 @@ Name=net2
[Network] [Network]
#DNS=212.12.50.158 #DNS=212.12.50.158
IPForward=ipv6
IPv6AcceptRA=no IPv6AcceptRA=no
[Address] [Address]
@ -11,4 +10,3 @@ Address=2a00:14b0:4200:3500::130:2/112
[Route] [Route]
Gateway=2a00:14b0:4200:3500::130:1 Gateway=2a00:14b0:4200:3500::130:1
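Review bot: same as net1, but for IPv6: dropping `IPForward=ipv6` means nothing in this file says the IPv6 uplink forwards. `IPv6Forwarding=yes` in `[Network]` is the per-link replacement on systemd 256+; if the global toggle is the deliberate choice, a one-line comment here pointing at networkd.conf will stop someone re-adding a per-link directive later.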


@ -11,6 +11,12 @@ Description=v4-NAT
# Masquerading done in nftables (nftables.conf). # Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address] [Address]
Address=10.32.2.1/24 Address=10.32.2.1/24
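Review bot: `PoolOffset=100` with `PoolSize=150` on `10.32.2.1/24` hands out 10.32.2.100 through 10.32.2.249; a comment stating that range would help the next reader. The lease options the server emits (DNS, NTP, lease time) are left at networkd defaults in this hunk, so set `EmitDNS=` and `DNS=` explicitly if clients on the NAT segment are supposed to use a specific resolver rather than whatever the defaults supply.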


@ -0,0 +1,3 @@
[Network]
IPv4Forwarding=true
IPv6Forwarding=true
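Review bot: `IPv4Forwarding=true` and `IPv6Forwarding=true` in the global `[Network]` section enable forwarding on every interface of the host, not just net1/net2 as the removed per-link `IPForward=` lines did. That is the right fix for a router, but a comment in this file saying so, and noting that the nftables forward chain is now the only thing deciding which interfaces may forward to which, would make the security boundary explicit.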


@ -3,7 +3,7 @@
services: services:
db: db:
image: mariadb:12.0.2 image: mariadb:12.1.2
command: --max_allowed_packet=3250585600 command: --max_allowed_packet=3250585600
environment: environment:
MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
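Review bot: replacing `listen 8443 ssl http2 proxy_protocol;` with `listen [::]:8443 ssl http2 proxy_protocol;` makes this vhost IPv6-only, because nginx binds `[::]` with `ipv6only=on` by default. That matches `set_real_ip_from` now trusting only the IPv6 proxy address, but any frontend still reaching this backend over IPv4 will be refused; the unchanged `staging.cryptoparty-hamburg.de 172.31.17.151:8443;` map entry at the top of this compare should be checked if 172.31.17.151 is this host. Separately, `http2` as a `listen` parameter is deprecated since nginx 1.25.1 in favour of a standalone `http2 on;`.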


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
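Review bot: `set_real_ip_from 2a00:14b0:4200:3000:125::1;` trusts exactly one address for the PROXY protocol header, which is the right scope (a wider prefix would let any host inside it assert arbitrary client addresses via the header). Since this vhost now only binds `[::]:8443`, verify that the proxy really connects from that global address and not from a link-local or temporary one; if it does not, `$remote_addr` silently stays the proxy's address and every access log and rate limit downstream sees one client.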


@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
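Review bot: with the IPv4 `listen 8443 ssl http2 proxy_protocol;` line removed and only `listen [::]:8443 ssl http2 proxy_protocol;` left, this vhost no longer accepts IPv4 connections at all (`[::]` binds with `ipv6only=on` by default). If that is intended, the frontend map entry for this name must point at the IPv6 address; if IPv4 reachability from the proxy is still needed, keep both `listen` lines or set `ipv6only=off` on the remaining one.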


@ -2,7 +2,6 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
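Review bot: the remaining `listen [::]:8443 ssl http2 proxy_protocol;` line still carries `http2` as a `listen` parameter, which nginx deprecated in 1.25.1 (`http2 on;` in the `server` block is the replacement); since this series touches every proxy-protocol vhost anyway, it is a cheap moment to switch them all at once. As with the other vhosts, dropping the IPv4 `listen` makes this one IPv6-only.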


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server { server {
# Listen on a custom port for the proxy protocol. # Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140; set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
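Review bot: because this listener accepts the PROXY protocol, anything that can open a TCP connection to port 8443 can present a header naming any client address; `set_real_ip_from` limits which peer's header is believed, but the port itself should only be reachable from the proxy at `2a00:14b0:4200:3000:125::1` (host firewall or upstream ACL), otherwise a direct connection still bypasses the trusted-proxy path and hits the TLS vhost without realip applied.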


@ -0,0 +1,36 @@
# https://gatus.io/
# https://github.com/TwiN/gatus
# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
services:
database:
image: docker.io/library/postgres:18.1
volumes:
- ./database:/var/lib/postgresql
environment:
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
networks:
- gatus
gatus:
image: ghcr.io/twin/gatus:v5.34.0
restart: always
ports:
- "8080:8080"
environment:
- "GATUS_CONFIG_PATH=/config"
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
- "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
volumes:
- ./configs:/config
networks:
- gatus
depends_on:
- database
networks:
gatus:
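Review bot: `ports: - "8080:8080"` publishes Gatus on every host address, while the nginx vhost in this compare proxies to `127.0.0.1:8080`; bind it as `"127.0.0.1:8080:8080"` so the TLS proxy is the only way in (published container ports are implemented by the container engine's own NAT rules and are not necessarily covered by the host's nftables input chain). Two smaller points: `database` has no `restart:` policy while `gatus` has `restart: always`, and `depends_on` only orders start-up, so a `healthcheck` (`pg_isready -U gatus`) with `condition: service_healthy` avoids Gatus failing its first connection to a Postgres that is still initialising.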


@ -0,0 +1,303 @@
# Easterhegg Websites and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
easterhegg-websites-defaults: &easterhegg_websites_defaults
group: Websites
interval: 5m
alerts:
- type: matrix
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "12h"
send-on-resolved: true
easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
group: Websites (Redirects)
interval: 15m
alerts:
- type: matrix
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: eh03.easterhegg.eu
url: "https://eh03.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: eh05.easterhegg.eu
url: "https://eh05.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: eh07.easterhegg.eu
url: "https://eh07.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh09.easterhegg.eu
url: "https://eh09.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh11.easterhegg.eu
url: "https://eh11.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh20.easterhegg.eu
url: "https://eh20.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
# Websites (Redirects)
# eh03.easterhegg.eu
- name: eh2003.hamburg.ccc.de
url: "https://eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.eh2003.hamburg.ccc.de
url: "https://www.eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: easterhegg2003.hamburg.ccc.de
url: "https://easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.easterhegg2003.hamburg.ccc.de
url: "https://www.easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
# eh05.easterhegg.eu
- name: eh2005.hamburg.ccc.de
url: "https://eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.eh2005.hamburg.ccc.de
url: "https://www.eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: easterhegg2005.hamburg.ccc.de
url: "https://easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.easterhegg2005.hamburg.ccc.de
url: "https://www.easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
# eh07.easterhegg.eu
- name: eh2007.hamburg.ccc.de
url: "https://eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh2007.hamburg.ccc.de
url: "https://www.eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh07.hamburg.ccc.de
url: "https://eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh07.hamburg.ccc.de
url: "https://www.eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: easterhegg2007.hamburg.ccc.de
url: "https://easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.easterhegg2007.hamburg.ccc.de
url: "https://www.easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
# eh09.easterhegg.eu
- name: eh2009.hamburg.ccc.de
url: "https://eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh2009.hamburg.ccc.de
url: "https://www.eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh09.hamburg.ccc.de
url: "https://eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh09.hamburg.ccc.de
url: "https://www.eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: easterhegg2009.hamburg.ccc.de
url: "https://easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.easterhegg2009.hamburg.ccc.de
url: "https://www.easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
# eh11.easterhegg.eu
- name: eh2011.hamburg.ccc.de
url: "https://eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh2011.hamburg.ccc.de
url: "https://www.eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh11.hamburg.ccc.de
url: "https://eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh11.hamburg.ccc.de
url: "https://www.eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: easterhegg2011.hamburg.ccc.de
url: "https://easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.easterhegg2011.hamburg.ccc.de
url: "https://www.easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
# eh20.easterhegg.eu
- name: www.eh20.easterhegg.eu
url: "https://www.eh20.easterhegg.eu"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
- name: eh20.hamburg.ccc.de
url: "https://eh20.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
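Review bot: the eh09, eh11 and eh20 entries and their redirect counterparts write the placeholders as `[status]` and `[certificate_expiration]`, while every other entry uses `[STATUS]` and `[CERTIFICATE_EXPIRATION]`; Gatus documents the uppercase form, so normalise these to uppercase rather than relying on lenient parsing. For the redirect group, `[STATUS] == 200` plus a `[BODY]` pattern means the check follows the redirect and validates the target page, which is fine, but a comment saying that the redirect itself is not asserted (a site serving the content directly would pass too) would make the intent clear.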


@ -0,0 +1,27 @@
storage:
type: postgres
path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
ui:
title: CCCHH Status
description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
header: CCCHH Status
buttons:
- name: Website
link: "https://hamburg.ccc.de"
- name: Git
link: "https://git.hamburg.ccc.de"
- name: Kontakt & Impressum
link: "https://hamburg.ccc.de/imprint/"
default-sort-by: group
alerting:
matrix:
server-url: "https://matrix.nekover.se"
access-token: "${MATRIX_ACCESS_TOKEN}"
internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
# A bit more than the default 5 concurrent checks should be fine.
concurrency: 15
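Review bot: `sslmode=disable` in the Postgres DSN is acceptable only because `database` is reachable solely over the compose-internal `gatus` network; a comment next to `path:` saying so prevents the DSN being copied into a deployment where the database sits on a shared network. The comments on `maximum-number-of-results` and `maximum-number-of-events` should read "Default is 100" / "Default is 50". The access token correctly comes from `${MATRIX_ACCESS_TOKEN}` rather than the file; the room id is hard-coded but is not a secret, so that is fine.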


@ -0,0 +1,264 @@
# Services (Chaosknoten)
services-chaosknoten-defaults: &services_chaosknoten_defaults
group: Services (Chaosknoten)
interval: 1m
alerts:
- type: matrix
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: CCCHH ID/Keycloak (main page/account console)
url: "https://id.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
- name: CCCHH ID/Keycloak (ccchh realm)
url: "https://id.hamburg.ccc.de/realms/ccchh/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].realm == ccchh"
- name: ccchoir
url: "https://ccchoir.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
- name: Cloud (status info)
url: "https://cloud.hamburg.ccc.de/status.php"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].installed == true"
- "[BODY].maintenance == false"
- name: Cloud (main page/login)
url: "https://cloud.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: cow (main page/login)
url: "https://cow.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*mailcow UI*)"
- name: cow (SMTP port 25)
url: "tcp://cow.hamburg.ccc.de:25"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTP with STARTTLS port 587)
url: "starttls://cow.hamburg.ccc.de:587"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAP port 143)
url: "tcp://cow.hamburg.ccc.de:143"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Design/penpot
url: "https://design.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
- name: EH22 Website/Wiki
url: "https://eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- name: Git
url: "https://git.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Git*)"
- name: GitLab
url: "https://gitlab.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
- name: Grafana
url: "https://grafana.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: Jitsi
url: "https://jitsi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Jitsi Meet*)"
- name: Lists
url: "https://lists.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Mailing Lists*)"
- name: Matrix
url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "has([BODY].versions) == true"
- "has([BODY].unstable_features) == true"
- name: Mumble (tcp)
url: "tcp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Mumble (udp)
url: "udp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: NetBox
url: "https://NetBox.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*NetBox*)"
- name: ntfy
url: "https://ntfy.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ntfy web requires JavaScript*)"
- name: OnlyOffice
url: "https://onlyoffice.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
- name: Pad
url: "https://pad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
- name: Pretalx (main page)
url: "https://pretalx.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretalx*)"
- name: Pretalx (EH22/Easterhegg 2025)
url: "https://cfp.eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- "[BODY] == pat(*pretalx*)"
- name: SpaceAPI
url: "https://spaceapi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].space == CCCHH"
- name: Surveillance under Surveillance
url: "https://sunders.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Surveillance under Surveillance*)"
- name: Tickets/pretix
url: "https://tickets.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretix*)"
- name: Wiki
url: "https://wiki.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Wiki*)"
- name: Woodpecker
url: "https://woodpecker.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Woodpecker*)"
- name: Zammad
url: "https://zammad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*zammad*)"
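Review bot: `cow (IMAPS port 465)` with `url: "tls://cow.hamburg.ccc.de:465"` duplicates the SMTPS check above it; IMAPS is port 993, so this entry should most likely be `tls://cow.hamburg.ccc.de:993` with the name adjusted, otherwise an IMAPS outage is never noticed. Minor: `https://NetBox.hamburg.ccc.de/` mixes case in the hostname; lower-case it for consistency with the other URLs.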


@ -0,0 +1,23 @@
# Sites
sites-defaults: &sites_defaults
group: Sites
interval: 1m
alerts:
- type: matrix
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: Chaosknoten/IRZ42
url: "icmp://chaosknoten.hamburg.ccc.de"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"
- name: Z9
url: "icmp://185.161.129.129"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"
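Review bot: `icmp://` checks need the Gatus process to open ICMP sockets, and the compose file in this compare grants the `gatus` container no extra capability; verify on the host that both endpoints report CONNECTED rather than failing on socket permission (unprivileged ping inside a container depends on the kernel's `ping_group_range` sysctl). Also Z9 is checked by raw IP (`185.161.129.129`) while Chaosknoten uses a DNS name; if the point is to keep the site check independent of DNS, say so in a comment, otherwise use the hostname for consistency.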


@ -0,0 +1,174 @@
# Websites, Websites (Staging) and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
websites-defaults: &websites_defaults
group: Websites
interval: 1m
alerts:
- type: matrix
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
websites-staging-defaults: &websites_staging_defaults
group: Websites (Staging)
interval: 5m
alerts:
- type: matrix
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
websites-redirects-defaults: &websites_redirects_defaults
group: Websites (Redirects)
interval: 5m
alerts:
- type: matrix
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: branding-resources.hamburg.ccc.de
url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*file: ccchh-logo.png*)"
- name: c3cat.de
url: "https://c3cat.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cryptoparty-hamburg.de
url: "https://cryptoparty-hamburg.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: element-admin.hamburg.ccc.de
url: "https://element-admin.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Loading Element Admin*)"
- name: element.hamburg.ccc.de
url: "https://element.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
- name: hacker.tours
url: "https://hacker.tours"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
- name: hackertours.hamburg.ccc.de
url: "https://hackertours.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
- name: hamburg.ccc.de
url: "https://hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
# Websites (Staging)
- name: staging.c3cat.de
url: "https://staging.c3cat.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*c3cat.de Staging Environment*)"
- name: staging.cryptoparty-hamburg.de
url: "https://staging.cryptoparty-hamburg.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: staging.hacker.tours
url: "https://staging.hacker.tours"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hacker.tours Staging Environment*)"
- name: staging.hackertours.hamburg.ccc.de
url: "https://staging.hackertours.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
- name: staging.hamburg.ccc.de
url: "https://staging.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
# Website (Redirects)
- name: www.c3cat.de
url: "https://www.c3cat.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cryptoparty.hamburg.ccc.de
url: "https://cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: staging.cryptoparty.hamburg.ccc.de
url: "https://staging.cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: www.hamburg.ccc.de
url: "https://www.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
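Review bot: the section comment `# Website (Redirects)` should read `# Websites (Redirects)` to match the group name in `websites_redirects_defaults` and the header comment of the file. The two `<meta http-equiv=\"refresh\" ...>` conditions hard-code the language redirect target URL, so a legitimate change to that redirect will alert as an outage; that may be the intent, but the existing `# Once suites support alerting` comment is the place to say it.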


@ -0,0 +1,14 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name status.hamburg.ccc.de;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}
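Review bot: `return 301 https://$host$request_uri;` on a `default_server` reflects whatever Host header the client sent into the Location header; since this block has a fixed `server_name status.hamburg.ccc.de;`, redirect to `https://$server_name$request_uri` instead so a request with a foreign Host value is not bounced off-site. The ACME location proxying to `127.0.0.1:31820` is fine as long as it stays before any catch-all `location /` ordering concerns; here the prefix match is more specific, so it wins.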


@ -0,0 +1,33 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name status.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy.
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:8080/;
}
}
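Review bot: the comment above `ssl_trusted_certificate` talks about verifying OCSP responses, but the hunk has no `ssl_stapling on;` / `ssl_stapling_verify on;` (the Mozilla generator emits both next to it); if stapling lives in a shared include that is fine, otherwise `ssl_trusted_certificate` is dead configuration here. `http2` on the `listen` lines is deprecated since nginx 1.25.1 (`http2 on;` replaces it). Also note that `add_header Strict-Transport-Security ... always;` is inherited by `location /` only because that block sets no `add_header` of its own; a comment warning that adding any `add_header` inside the location silently drops HSTS is worth the line.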


@ -0,0 +1,12 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}
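Review bot: this redirect block has no `server_name`, so `$host` in `return 301 https://$host$request_uri;` is entirely client-controlled on a `default_server`. Either add the intended `server_name` and redirect to `$server_name`, or keep `$host` deliberately and document that this catch-all is meant to send every name to its HTTPS counterpart; as written, a request with an arbitrary Host header gets a 301 to that arbitrary host.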


@ -0,0 +1,44 @@
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ metrics__chaos_password }}"
}
}
}
prometheus.relabel "chaosknoten_common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
target_label = "site"
replacement = "wieske"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hosts.hamburg.ccc.de"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.chaosknoten_common.receiver]
}
alloy_config_additional: ""
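Review bot: every host pushes with the same `basic_auth` identity (`chaos` / `metrics__chaos_password`), so one compromised host can write series under any `instance` label and rotating the secret touches the whole fleet; per-host (or at least per-site) remote_write credentials would bound both. The `instance` relabel (`regex = "([^:]+)"`, `replacement = "${1}.hosts.hamburg.ccc.de"`) assumes the exporter target is `host:port` and that the short name lives under that domain; state that in a comment. The `org`/`site` rules hard-code `wieske`, and `alloy_config_additional` is appended rather than merged, so a host at another site needs a second relabel stage to override `site`, which is easy to miss.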


@ -45,4 +45,6 @@
- name: Setup Alloy - name: Setup Alloy
ansible.builtin.import_role: ansible.builtin.import_role:
name: grafana.grafana.alloy name: grafana.grafana.alloy
vars:
alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}"
become: true become: true
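Review bot: `alloy_config_default ~ alloy_config_additional` concatenates with no separator; it only works because the `|` block scalar keeps its trailing newline, so switching the default to `|-` later would glue the first additional line onto the last default line. Join the two parts with an explicit newline in the expression so the boundary does not depend on YAML chomping.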


@ -3,6 +3,7 @@
- name: ensure apt dependencies are installed - name: ensure apt dependencies are installed
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- python3-pip
- virtualenv - virtualenv
- git - git
state: present state: present


@ -0,0 +1,33 @@
# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
- name: check if cloud-init config file exists
ansible.builtin.stat:
path: /etc/cloud/cloud.cfg
register: base_config__stat_cloud_cfg
- name: ensure the cloud-init ssh module is disabled
ansible.builtin.replace:
path: /etc/cloud/cloud.cfg
regexp: " - ssh$"
replace: " #- ssh"
become: true
when: base_config__stat_cloud_cfg.stat.exists
# Ensure a base set of admin tools is installed.
- name: ensure a base set of admin tools is installed
ansible.builtin.apt:
name:
- vim
- joe
- nano
- htop
- btop
- ripgrep
- fd-find
- tmux
- git
- curl
- rsync
- dnsutils
- usbutils
- kitty
become: true
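Review bot: `- kitty` in the admin-tools list installs the full kitty terminal emulator with its GUI and OpenGL dependencies on every server; what a remote host needs for `TERM=xterm-kitty` sessions is only `kitty-terminfo`. Separately, the `ansible.builtin.replace` on `/etc/cloud/cloud.cfg` edits a package-owned conffile, so a cloud-init upgrade that ships a new `cloud.cfg` runs into dpkg's conffile prompt and may leave the module re-enabled; the documented knob for the stated goal (not regenerating host keys) is `ssh_deletekeys: false` in a drop-in under `/etc/cloud/cloud.cfg.d/`, which survives upgrades and needs no `stat` guard. If the in-place edit stays, it is at least idempotent, since `#- ssh` no longer matches ` - ssh$`.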

View file

@ -7,3 +7,4 @@ dependencies:
major_versions: major_versions:
- 11 - 11
- 12 - 12
- 13
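Review bot: `- 13` is added unquoted here and in the two following meta files, while the other role in this compare lists `- "13"` as a string next to `- "11"` and `- "12"`; `ansible_distribution_major_version` is a string, so whether the integer form matches depends entirely on how `distribution_check` compares. Pick one form across all roles, preferably the quoted one, so the support list cannot fail on a type mismatch.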

View file

@ -7,3 +7,4 @@ dependencies:
major_versions: major_versions:
- 11 - 11
- 12 - 12
- 13

View file

@ -7,3 +7,4 @@ dependencies:
major_versions: major_versions:
- 11 - 11
- 12 - 12
- 13

View file

@ -40,7 +40,6 @@ def remove_groups(response, user, backend, *args, **kwargs):
def set_roles(response, user, backend, *args, **kwargs): def set_roles(response, user, backend, *args, **kwargs):
# Remove Roles temporary # Remove Roles temporary
user.is_superuser = False user.is_superuser = False
user.is_staff = False
try: try:
groups = response['groups'] groups = response['groups']
except KeyError: except KeyError:
@ -51,5 +50,4 @@ def set_roles(response, user, backend, *args, **kwargs):
# Set roles is role (superuser or staff) is in groups # Set roles is role (superuser or staff) is in groups
user.is_superuser = True if 'superusers' in groups else False user.is_superuser = True if 'superusers' in groups else False
user.is_staff = True if 'staff' in groups else False
user.save() user.save()
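Review bot: dropping both `user.is_staff` assignments means the SSO pipeline no longer revokes staff, so a user removed from the `staff` group keeps admin access until someone clears the flag by hand, and a user promoted via the `superusers` group still cannot log into the Django admin, because the admin requires `is_staff` in addition to `is_superuser`. If staff is now meant to be managed elsewhere, say so in a comment and update the stale `# Set roles is role (superuser or staff) is in groups` line, which still claims staff is handled here; otherwise keep `user.is_staff = True if 'staff' in groups else False`.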

View file

@ -7,3 +7,4 @@ dependencies:
major_versions: major_versions:
- "11" - "11"
- "12" - "12"
- "13"

View file

@ -1,9 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"
- "12"

View file

@ -1,14 +0,0 @@
- name: make sure the `prometheus-node-exporter` package is installed
ansible.builtin.apt:
name: prometheus-node-exporter
state: present
allow_change_held_packages: true
update_cache: true
become: true
- name: make sure `prometheus-node-exporter.service` is started and ansibled
ansible.builtin.systemd:
name: prometheus-node-exporter.service
state: started
enabled: true
become: true
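Review bot: deleting the install and enable tasks does not undo them on hosts that were already provisioned; nothing in this compare stops or removes `prometheus-node-exporter`, so after the Alloy rollout those hosts run both exporters, with the old one still enabled at boot and still listening on its port. Add a transitional task to the Alloy rollout (`ansible.builtin.systemd` with `state: stopped` and `enabled: false`, followed by `ansible.builtin.apt` with `state: absent`), or document the manual cleanup.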

View file

@ -9,3 +9,8 @@ Should work on Debian-based distributions.
## Required Arguments ## Required Arguments
- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
## Optional Arguments
- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`).
Defaults to `` (the empty string);
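Review bot: the new optional-argument entry ends with a stray semicolon (`Defaults to `` (the empty string);`) where a period belongs, and it should say where the content lands, namely `/etc/systemd/networkd.conf.d/20-ansible.conf`, and that the empty default still produces an empty drop-in, since the tasks deploy the file unconditionally.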

View file

@ -0,0 +1 @@
systemd_networkd__global_config: ""

View file

@ -12,3 +12,21 @@
recursive: true recursive: true
delete: true delete: true
become: true become: true
- name: ensure global systemd-networkd config directory exists
ansible.builtin.file:
path: "/etc/systemd/networkd.conf.d"
state: directory
owner: root
group: root
mode: "0755"
become: true
- name: ensure global systemd-networkd config is deployed
ansible.builtin.copy:
content: "{{ systemd_networkd__global_config }}"
dest: "/etc/systemd/networkd.conf.d/20-ansible.conf"
mode: "0644"
owner: root
group: root
become: true
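Review bot: the `ansible.builtin.copy` task has no `notify`, so a changed global config (for example the forwarding switches the router commit mentions) is written but not applied until something else restarts `systemd-networkd`; add a handler that restarts the service on change. Also guard both tasks with `when: systemd_networkd__global_config | length > 0` and add an `absent` counterpart, so the empty default does not leave a zero-byte `20-ansible.conf` behind. `mode: "0644"` is fine for `networkd.conf` drop-ins, which hold no secrets.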