Update all stable non-major dependencies

.forgejo/workflows/lint.yaml

@@ -24,7 +24,7 @@ jobs:
       # work in our environmnet.
       # Rather manually setup python (pip) before instead.
       - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v26.3.0
+        uses: https://github.com/ansible/ansible-lint@v26.4.0
         with:
           setup_python: "false"
           requirements_file: "requirements.yml"

README.md

@@ -17,25 +17,6 @@ ansible-galaxy install -r requirements.yml
 ansible-galaxy role install -r requirements.yml
 ```
 
-## Secrets
-
-Generally try to avoid secrets (e.g. use SSH keys instead of passwords).
-
-Because secrets are nonetheless needed sometimes, we use [SOPS](https://github.com/getsops/sops) to securely store secrets in this repository.  
-SOPS encrypts secrets according to "creation rules" which are defined in the `.sops.yaml`.
-Generally all secrets get encrypted for all GPG-keys of all members of the infrastructure team.  
-Ansible then has access to the secrets with the help of the [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables), which is configured in this repository.
-A local Ansible run then uses the locally available GPG-key to decrypt the secrets.
-
-For a tutorial on how to set up SOPS for a new host, see [SOPS: New Host](./docs/guides/sops-new-host.md).
-
-### Updating SOPS files after swapping out a GPG key
-
-When a GPG key expires, it is necessary to update the config in `.sops.yaml` and then re-encrypt all files with the updated list of keys. Run this command. The will take a considerable amount of time (minutes).
-```
-find inventories -name "*.sops.*" | xargs sops updatekeys --yes
-```
-
 ## Playbook nur für einzelne Hosts ausführen
 
 Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:

docs/concepts-and-configurations/secrets.md

@@ -0,0 +1,27 @@
+---
+title: Secrets
+---
+
+# Secrets
+
+Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).  
+However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.
+
+All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.  
+Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).
+
+When running Ansible locally, then your GPG key is used for accessing the secrets.  
+Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.
+
+## GPG Keys
+
+The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).  
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.
+
+## Guides
+
+See the following pages for guidance on how to use SOPS:
+
+- [SOPS: New Host](../guides/sops-new-host.md)
+- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
+- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)

docs/concepts-and-configurations/sops.md

@@ -1,18 +0,0 @@
----
-title: SOPS
----
-
-# SOPS
-
-We're using [SOPS](https://github.com/getsops/sops) for secret management together with the `community.sops.sops` vars plugin for Ansible.
-
-## GPG Keys
-
-In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
-
-## Guides
-
-See the following pages for guidance on how to use SOPS:
-
-- [SOPS: New Host](../guides/sops-new-host.md)
-- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)

docs/guides/sops-gpg-key-replacement.md

@@ -0,0 +1,13 @@
+---
+title: "SOPS: GPG-Key Replacement"
+summary: How to Replace an Expired GPG-Key
+---
+
+# SOPS: GPG-Key Replacement
+
+- When a GPG key expires, it is necessary to update the config in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml) and then re-encrypt all files with the updated list of keys.
+    - If no new key is available, simply remove the key and re-encrypt all files to keep the repository in a working state. Whenever the relevant member provides a new key, add it again and re-encrypt for it again.
+- The re-encryption can be achieved by running the following command (which could take a considerable amount of time):
+  ```bash
+  find inventories -name "*.sops.*" | xargs sops updatekeys --yes
+  ```

inventories/chaosknoten/host_vars/netbox.yaml

@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.5"
+netbox__version: "v4.6.1"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
 

resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2

@@ -2,7 +2,7 @@
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

resources/chaosknoten/grafana/docker_compose/compose.yaml.j2

@@ -2,7 +2,7 @@
 services:
 
   prometheus:
-    image: docker.io/prom/prometheus:v3.10.0
+    image: docker.io/prom/prometheus:v3.11.3
     container_name: prometheus
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
@@ -19,7 +19,7 @@ services:
       - prom_data:/prometheus
 
   alertmanager:
-    image: docker.io/prom/alertmanager:v0.31.1
+    image: docker.io/prom/alertmanager:v0.32.1
     container_name: alertmanager
     command:
       - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -46,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.2
+    image: docker.io/prompve/prometheus-pve-exporter:3.9.0
     container_name: pve-exporter
     ports:
       - 9221:9221
@@ -59,7 +59,7 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
   loki:
-    image: docker.io/grafana/loki:3.7.1
+    image: docker.io/grafana/loki:3.7.2
     container_name: loki
     ports:
       - 13100:3100

resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2

@@ -22,7 +22,7 @@
 
 services:
   keycloak:
-    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0
     pull_policy: always
     restart: unless-stopped
     command: start --optimized

resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2

@@ -1,7 +1,7 @@
 ---
 services:
   ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.20.1
+    image: docker.io/binwiederhier/ntfy:v2.23.0
     container_name: ntfy
     command:
       - serve

resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2

@@ -4,7 +4,7 @@
 
 services:
   onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.3.1
+    image: docker.io/onlyoffice/documentserver:9.4.0
     restart: unless-stopped
     volumes:
       - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2

@@ -15,7 +15,7 @@ services:
       - pretalx_net
 
   redis:
-    image: docker.io/library/redis:8.6.2
+    image: docker.io/library/redis:8.6.3
     restart: unless-stopped
     volumes:
       - redis:/data
@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.29.7
+    image: docker.io/library/nginx:1.31.0
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html

resources/chaosknoten/tickets/docker_compose/compose.yaml.j2

@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   redis:
-    image: docker.io/library/redis:8.6.2
+    image: docker.io/library/redis:8.6.3
     ports:
       - "6379:6379"
     volumes:

resources/external/status/docker_compose/compose.yaml.j2

@@ -4,7 +4,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:18.3
+    image: docker.io/library/postgres:18.4
     restart: always
     volumes:
       - ./database:/var/lib/postgresql
@@ -16,7 +16,7 @@ services:
       - gatus
 
   gatus:
-    image: ghcr.io/twin/gatus:v5.35.0
+    image: ghcr.io/twin/gatus:v5.36.0
     restart: always
     ports:
       - "8080:8080"