diff --git a/.sops.yaml b/.sops.yaml
index 0b9c245..60da9eb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -34,6 +34,7 @@ keys:
- &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
- &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
- &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+ - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
external:
age: &host_external_age_keys
- &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
@@ -57,6 +58,12 @@ creation_rules:
*admin_gpg_keys
## host vars
# chaosknoten hosts
+ - path_regex: inventories/chaosknoten/host_vars/acmedns.*
+ key_groups:
+ - pgp:
+ *admin_gpg_keys
+ age:
+ - *host_acmedns_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups:
- pgp:
diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml
new file mode 100644
index 0000000..2e728ca
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/acmedns.sops.yaml
@@ -0,0 +1,214 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
+secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
+secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
+sops:
+ age:
+ - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
+ TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
+ VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
+ bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
+ WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-01-25T16:16:15Z"
+ mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
+ pgp:
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
+ rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
+ Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
+ m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
+ rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
+ den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
+ GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
+ xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
+ /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
+ oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
+ W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
+ aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
+ wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
+ PPvkTEc7AdD6
+ =GWYV
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
+ DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
+ HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
+ qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
+ XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
+ gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
+ 0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
+ 0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
+ A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
+ SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
+ iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
+ XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
+ 2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
+ =5SxJ
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
+ S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
+ eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
+ CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
+ 7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
+ rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
+ tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
+ 9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
+ DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
+ V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
+ BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
+ XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
+ A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
+ =H3mo
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
+ QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
+ SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
+ yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
+ lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
+ o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
+ VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
+ QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
+ oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
+ WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
+ RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
+ XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
+ Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
+ =bY3Q
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
+ 5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
+ 0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
+ wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
+ =C2Ii
+ -----END PGP MESSAGE-----
+ fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
+ LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
+ efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
+ lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
+ FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
+ FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
+ hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
+ LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
+ LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
+ XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
+ FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
+ XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
+ M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
+ =/EHL
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
+ cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
+ 1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
+ jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
+ glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
+ yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
+ sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
+ Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
+ TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
+ 3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
+ NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
+ XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
+ ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
+ =WwLj
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
+ rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
+ DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
+ k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
+ NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
+ 1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
+ QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
+ fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
+ TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
+ ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
+ 1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
+ XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
+ gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
+ =Bk3g
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
+ FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
+ 0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
+ Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
+ =xd/t
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
+ /rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
+ 0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
+ zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
+ =9oyC
+ -----END PGP MESSAGE-----
+ fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+ - created_at: "2026-01-25T14:20:25Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
+ /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
+ OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
+ U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
+ HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
+ +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
+ O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
+ H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
+ hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
+ 96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
+ XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
+ aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
+ 30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
+ 9iHTzz6Gpajo
+ =bBZ5
+ -----END PGP MESSAGE-----
+ fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml
new file mode 100644
index 0000000..364aa9a
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/acmedns.yaml
@@ -0,0 +1,23 @@
+---
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+ - name: acmedns.cfg
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
+ - name: oauth2-proxy.cfg
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
+ - name: html/index.html
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
+docker_compose__pull: missing
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ # - "spaceapi.ccc.de" # after DNS has been adjusted
+ - "acmedns.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+ - name: acmedns.hamburg.ccc.de
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 5c114c9..395b154 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -78,11 +78,16 @@ all:
ansible_host: spaceapiccc.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ acmedns:
+ ansible_host: acmedns.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:
base_config_hosts:
hosts:
+ acmedns:
ccchoir:
cloud:
eh22-wiki:
@@ -110,7 +115,8 @@ nftables_hosts:
hosts:
router:
docker_compose_hosts:
- hosts:
+ hosts:
+ acmedns:
ccchoir:
grafana:
tickets:
@@ -128,6 +134,7 @@ nextcloud_hosts:
cloud:
nginx_hosts:
hosts:
+ acmedns:
ccchoir:
eh22-wiki:
grafana:
@@ -150,6 +157,7 @@ public_reverse_proxy_hosts:
public-reverse-proxy:
certbot_hosts:
hosts:
+ acmedns:
ccchoir:
eh22-wiki:
grafana:
diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml
index 0336d22..0c7e11d 100644
--- a/inventories/z9/host_vars/light.yaml
+++ b/inventories/z9/host_vars/light.yaml
@@ -50,10 +50,22 @@ ola__configs:
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
- name: ola-usbserial
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
+
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: light
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
- name: http_handler
- content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"
+ content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+ - "light-werkstatt.ccchh.net"
+ - "light.ccchh.net"
+ - "light.z9.ccchh.net"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
+
+
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index f88f106..319f817 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -20,6 +20,7 @@ all:
certbot_hosts:
hosts:
dooris:
+ light:
docker_compose_hosts:
hosts:
dooris:
diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
new file mode 100644
index 0000000..4f3b49c
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
@@ -0,0 +1,27 @@
+# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
+[general]
+protocol = "both"
+domain = "auth.acmedns.hamburg.ccc.de"
+nsname = "acmedns.hosts.hamburg.ccc.de"
+nsadmin = "noc.lists.hamburg.ccc.de"
+records = [
+ "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
+ "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
+]
+
+[database]
+engine = "sqlite3"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+port = "80"
+tls = "none"
+corsorigins = [
+ "*"
+]
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"
diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..8976852
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@@ -0,0 +1,22 @@
+---
+services:
+ oauth2-proxy:
+ container_name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+ command: --config /oauth2-proxy.cfg
+ hostname: oauth2-proxy
+ volumes:
+ - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
+ restart: unless-stopped
+ ports:
+ - 4180:4180
+
+ acmedns:
+ image: docker.io/joohoi/acme-dns:latest
+ ports:
+ - "[::]:53:53"
+ - "[::]:53:53/udp"
+ - 8080:80
+ volumes:
+ - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
+ - ./data/acmedns:/var/lib/acme-dns
\ No newline at end of file
diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2
new file mode 100644
index 0000000..02216da
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2
@@ -0,0 +1,63 @@
+
+
+ACME DNS Register
+
+
+
+Register an Entry in ACME DNS
+
+This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.
+See the ACME DNS service entry in the wiki for further details.
+
+Register a new entry
+
+
+
+ Full Domain foo
+
+
+ Sub Domain foo
+
+
+ Username foo
+
+
+ Password foo
+
+
+
+
+
diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
new file mode 100644
index 0000000..f11eadf
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
@@ -0,0 +1,13 @@
+reverse_proxy = true
+http_address="0.0.0.0:4180"
+cookie_secret="{{ secret__oidc_cookie_secret }}"
+email_domains="*"
+
+# dex provider
+oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
+provider="oidc"
+provider_display_name="CCCHH ID"
+client_id="acmedns"
+client_secret="{{ secret__oidc_client_secret }}"
+redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"
+
diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
new file mode 100644
index 0000000..b360d40
--- /dev/null
+++ b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
@@ -0,0 +1,83 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen [::]:8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ server_name acmedns.hamburg.ccc.de;
+
+ root /ansible_docker_compose/configs/html/;
+
+ ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+ proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
+ port_in_redirect off;
+
+ location /oauth2/ {
+ proxy_pass http://127.0.0.1:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+ # or, if you are handling multiple domains:
+ # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ }
+
+ location = /oauth2/auth {
+ proxy_pass http://127.0.0.1:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ }
+
+ location = / {
+ auth_request /oauth2/auth;
+ error_page 401 = @oauth2_signin;
+
+ index index.html;
+ }
+
+ location = /register {
+ auth_request /oauth2/auth;
+ error_page 401 = @oauth2_signin;
+
+ proxy_pass http://127.0.0.1:8080/register;
+ }
+
+ location = /update { # no auth by proxy required
+ proxy_pass http://127.0.0.1:8080/update;
+ }
+
+ location @oauth2_signin {
+ return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
+ }
+}
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 71ae729..feacfa7 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -82,6 +82,7 @@ map $host $upstream_acme_challenge_host {
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
cpuccc.hamburg.ccc.de 172.31.17.151:31820;
cpu.ccc.de 172.31.17.151:31820;
+ acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
default "";
}
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index bdf7184..fc62a89 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -100,6 +100,7 @@ stream {
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
cpuccc.hamburg.ccc.de 172.31.17.151:8443;
cpu.ccc.de 172.31.17.151:8443;
+ acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
}
server {
diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf
index d9b336c..8572664 100644
--- a/resources/z9/light/nginx/http_handler.conf
+++ b/resources/z9/light/nginx/http_handler.conf
@@ -1,14 +1,12 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
- server_name _;
-
- location /.well-known/acme-challenge/ {
- autoindex on;
- root /webroot-for-acme-challenge;
- }
location / {
return 301 https://$host$request_uri;
}
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+ }
}
diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf
index 9f70cf8..6217e04 100644
--- a/resources/z9/light/nginx/light.conf
+++ b/resources/z9/light/nginx/light.conf
@@ -1,15 +1,16 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
server_name light-werkstatt.ccchh.net;
- ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
@@ -25,15 +26,16 @@ server {
}
server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
- server_name light.z9.ccchh.net ;
+ server_name light.z9.ccchh.net;
- ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
@@ -41,8 +43,9 @@ server {
}
server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
server_name light.ccchh.net;
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
index 49d4108..d55e4cb 100644
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@@ -2,5 +2,13 @@
"log-driver": "journald",
"log-opts": {
"tag": "{{.Name}}"
+ },
+ "ipv6": true,
+ "ip6tables": true,
+ "fixed-cidr-v6": "fd00:1::/64",
+ "default-network-opts": {
+ "bridge": {
+ "com.docker.network.enable_ipv6":"true"
+ }
}
}
diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml
index eaaec30..b4720c1 100644
--- a/roles/nginx/tasks/main/02_repo_setup.yaml
+++ b/roles/nginx/tasks/main/02_repo_setup.yaml
@@ -15,13 +15,13 @@
- name: Ensure NGINX APT repository is added
ansible.builtin.apt_repository:
- repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+ repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
state: present
become: true
- name: Ensure NGINX APT source repository is added
ansible.builtin.apt_repository:
- repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+ repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
state: present
become: true