diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index dc91e90..970e2f8 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -40,3 +40,23 @@ knot__zones:
 - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
 notify_targets: [ "ns-intern.hamburg.ccc.de" ]
 content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
diff --git a/inventories/chaosknoten/host_vars/lists.sops.yaml b/inventories/chaosknoten/host_vars/lists.sops.yaml
index 21c97c8..76125b9 100644
--- a/inventories/chaosknoten/host_vars/lists.sops.yaml +++ b/inventories/chaosknoten/host_vars/lists.sops.yaml @@ -1,8 +1,4 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:pUFhg492OUXVIlDZ3Z9A/H0doJCuTX0zh9qLU88nz18jMzWmzXhc2kbQkk4QeSTnZ12juiTbpUFW+1cE1bOontIu5qiQgpe3c8s=,iv:bONSyFUibcszUcxBt749aiVVnqLKBuEJmfege0dGaM8=,tag:cvapTnTN62XTR6tQBSe+IQ==,type:str] -secret__lists__hyperkitty_api_key: ENC[AES256_GCM,data:byO7x/r3E9mwxOwiK0Is+Mp+d2uRIBgNsX2YWUg20Cs=,iv:H9ufaS6JlKhkbsG5aM3owR0U10e0JNYX/s3AJagB6kY=,tag:5umAs792BwNF9bMCX69PBw==,type:str] -secret__lists__postgres_password: ENC[AES256_GCM,data:HcH4Lyw9uuuqXGrrXkUqzg==,iv:3adzec+Wnh37LjzwMp7zhWMf9jZzI6EyUmEGS9TUYBg=,tag:8/jZrUzkcM+U3nME6+DSSA==,type:str] -secret__lists__rest_password: ENC[AES256_GCM,data:BMCNEikejiDET0Mdlrzfcg==,iv:U5hVjM/epfzz2m/wXKhYhwFI/3zKX7XS/UMlBqwTZNk=,tag:0n79+5mP7ocY7jVQmWm+WA==,type:str] -secret__lists__web_secret_key: ENC[AES256_GCM,data:3DntszkNw5ciwRUJJdmHTGTpjm9ZMBf9wO3MHAeiXuw=,iv:GqqjRcg0zG193Y04UYIipB8BBk/JUtGvtTCVQ4HCjDw=,tag:aY4d+CPGxMvRz8t983p9sw==,type:str] sops: age: - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq 
@@ -14,8 +10,8 @@ sops: THpvS29mY1BIbktZYkhCYm1NMFdLcXcKBtXXokEi1nSVA099XXNrx3w4Fr1lnLMf 2KTuylUef8RUgHPx1wo5Q7xlYNR48GupHVQxb9VvyDTXOZEiAV7Pdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-16T11:00:16Z" - mac: ENC[AES256_GCM,data:vwQc2suUJ0KiSsYRcrvsYHNYF2c8SU58LxWoFpzTX5hSDNy8LOWJIa6Ouo8c7gk4gYB0mS/FbmgEo8LOCDvRKamfgrpZQ2wvxI7GdGRjR0LOsS8O2xZ8QZ3BK9DfEfnA5ESgzRzX6Iuc4ZBUGfAQoDDxXrnh2ogWUdYPC81T5qU=,iv:Vi74U97iZAqQ8DDW2p3ncg58l6+mxar4hC5f48AuPAQ=,tag:Jd09hXId+ogV4rB0AWS2NA==,type:str] + lastmodified: "2025-10-20T18:57:27Z" + mac: ENC[AES256_GCM,data:IAM6vn4rI1l6qvPWEcDJ5xoD3I8/GWOr+PmRQ0QdkVMD9Pt7cHtMhHPpYvH3e8MfDPhC2g2uwt9FHsPqpcOXpflme0aF4E9PndGi1Pzi+yh40FSBAzLT3MEQ50vZ2rifzqUe5KSrXByF1WAnZxLTMST+xIlvEZOV0gx6y0G/iHQ=,iv:15MZsyClZ+WLBZgcRSq740LgDakuHAXAb3hAQyLKVSU=,tag:7+lRz4XKKVlkSeDVs4Jy9g==,type:str] pgp: - created_at: "2026-04-18T22:36:23Z" enc: |- @@ -208,4 +204,4 @@ sops: -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted - version: 3.12.2 + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/lists.yaml b/inventories/chaosknoten/host_vars/lists.yaml index e6680f4..0e53178 100644 --- a/inventories/chaosknoten/host_vars/lists.yaml +++ b/inventories/chaosknoten/host_vars/lists.yaml @@ -1,4 +1,4 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/lists/docker_compose/compose.yaml.j2') }}" +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/compose.yaml') }}" docker_compose__configuration_files: - name: settings_local.py content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/settings_local.py') }}" diff --git a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone new file mode 100644 index 0000000..baacd63 
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,16 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023073001
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:122::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.
+
diff --git a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..6972a51
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:123::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..a43bc06
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:124::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..b03dcc7
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:125::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..3de9e09
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
+ 2023073001
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:126::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
index bb5c16f..40d4c94 100644
--- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
+++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
@@ -52,7 +52,7 @@ hmdooris-ccu A 10.31.208.202
 buba A 10.31.211.137
 buba.z9 A 10.31.211.137
 dooris AAAA 2a07:c481:1:d0::1c
-_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
+_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
 waybackproxy A 10.31.208.99
 yate A 10.31.208.12
 staubiv2 A 10.31.210.233
diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
index a9c4851..21a8d0e 100644
--- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
+++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
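Review bot: The SOA record of the new 6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa zone names `ns.hamburg.ccc.de.` as primary and `haegar.ccc.de.` as contact, while the four sibling reverse zones added in this commit use `auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de.` and the NS set of this zone lists only auth-dns and ns.vie. If the difference is not intentional, align the line to `@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (` so the advertised primary matches the server that actually holds the zone. If it is intentional, a short `;` comment above the SOA saying why would keep the next editor from "fixing" it.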
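Review bot: The new `_acme-challenge.dooris` CNAME target has lost its trailing dot, so it is now a relative name and will be completed with the zone origin (presumably `ccchh.net.`) instead of pointing at the acme-dns host under hamburg.ccc.de. DNS-01 validation for dooris would then look up a name that does not exist and certificate renewal would fail, most likely unnoticed until the current certificate expires. Keep the fully qualified form: `_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.`.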
@@ -196,6 +196,7 @@ matrix-intern IN A 172.31.17.150
 ; have this for compatibility (like references in CI)
 public-web-static-intern IN AAAA 2a00:14b0:42:102::17
 git-intern IN A 172.31.17.154
+woodpecker-intern IN A 172.31.17.160
 penpot-intern IN A 172.31.17.162
 forgejo-runner-builder IN A 172.31.17.202
 renovate-forgejo IN A 172.31.17.163
@@ -274,6 +275,7 @@ matrix IN CNAME public-reverse-proxy
 mas IN CNAME public-reverse-proxy
 element-admin IN CNAME public-reverse-proxy
 netbox IN CNAME public-reverse-proxy
+woodpecker IN CNAME public-reverse-proxy
 onlyoffice IN CNAME public-reverse-proxy
 pad IN CNAME public-reverse-proxy
 pretalx IN CNAME public-reverse-proxy
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 1f6c42f..8c38500 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -32,7 +32,7 @@ services:
 - alertmanager_data:/alertmanager
 grafana:
- image: docker.io/grafana/grafana:13.0.1
+ image: docker.io/grafana/grafana:12.4.2
 container_name: grafana
 ports:
 - 3000:3000
diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
index 15b9b1f..4a2bc6f 100644
--- a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
+++ b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
@@ -129,7 +129,7 @@ groups:
 # General high disk read and write rate alerts.
 # Excluding: hypervisor hosts, CI hosts
 - alert: HostUnusualDiskReadRate
- expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
+ expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
 for: 5m
 labels:
 severity: warning
@@ -137,7 +137,7 @@ groups:
 summary: Host unusual disk read rate (instance {{ $labels.instance }})
 description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
 - alert: HostUnusualDiskWriteRate
- expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
+ expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
 for: 2m
 labels:
 severity: warning
@@ -147,7 +147,7 @@ groups:
 # CI hosts high disk read and write alerts.
 # Longer intervals to account for disk intensive CI tasks.
 - alert: CIHostUnusualDiskReadRate
- expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
+ expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
 for: 10m
 labels:
 severity: warning
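Review bot: The new selector in `CIHostUnusualDiskReadRate` can never match: `node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}` combines two equality matchers on the same label with AND, so the join returns no series and the alert stops firing for the Forgejo runner as well as for the new host. Use a regex matcher instead, `node_uname_info{nodename=~"forgejo-actions-runner|woodpecker"}`. The same selector is added to `VirtualHostUnusualDiskWriteRate` in the following hunk and needs the same change. Because the two general alerts above now exclude both hosts, neither CI host is covered by any disk-rate alert until this is corrected.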
@@ -155,7 +155,7 @@ groups:
 summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }})
 description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
 - alert: VirtualHostUnusualDiskWriteRate
- expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
+ expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
 for: 4m
 labels:
 severity: warning
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2 b/resources/chaosknoten/lists/docker_compose/compose.yaml
similarity index 72%
rename from resources/chaosknoten/lists/docker_compose/compose.yaml.j2
rename to resources/chaosknoten/lists/docker_compose/compose.yaml
index db605b5..fb65594 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml
@@ -12,13 +12,11 @@ services:
 depends_on:
 - database
 environment:
- - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
+ - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
 - DATABASE_TYPE=postgres
 - DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
+ - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
 - MTA=postfix
- - MAILMAN_REST_USER=restuser
- - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
 ports:
 - "127.0.0.1:8001:8001" # API
 - "127.0.0.1:8024:8024" # LMTP - incoming emails
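Review bot: The database password and the Hyperkitty API key are committed here as clear-text literals, and the `@@ -41,15 +39,13 @@` and `@@ -61,7 +57,7 @@` hunks do the same for the Django `SECRET_KEY` and `POSTGRES_PASSWORD`, while `lists.sops.yaml` drops the encrypted `secret__lists__*` entries and `lists.yaml` switches the lookup from `ansible.builtin.template` to `ansible.builtin.file`. Anyone with read access to the repository or its history can now read these credentials. Keep the file a template and reference the SOPS-managed variables, e.g. `- "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"`, and rotate the values that were exposed, since they stay in git history after a fix. The `MAILMAN_REST_USER` and `MAILMAN_REST_PASSWORD` entries are removed as well; presumably the containers then fall back to the images' built-in REST credentials, which should be confirmed.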
@@ -41,15 +39,13 @@ services:
 - ./files/templates:/opt/mailman-web/templates
 environment:
 - DATABASE_TYPE=postgres
- - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
+ - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
 - "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
+ - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
 - SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- - SECRET_KEY={{ secret__lists__web_secret_key }}
+ - SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
 - MAILMAN_ADMIN_USER=ccchh-admin
 - MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
- - MAILMAN_REST_USER=restuser
- - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
 ports:
 - "127.0.0.1:8000:8000" # HTTP
 - "127.0.0.1:8080:8080" # uwsgi
@@ -61,7 +57,7 @@ services:
 environment:
 - POSTGRES_DB=mailmandb
 - POSTGRES_USER=mailman
- - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
+ - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
 image: docker.io/library/postgres:12-alpine
 volumes:
 - /opt/mailman/database:/var/lib/postgresql/data
@@ -74,4 +70,5 @@ networks:
 ipam:
 driver: default
 config:
- - subnet: 172.19.199.0/24
+ -
+ subnet: 172.19.199.0/24
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index e8b8c8e..93968b0 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -70,6 +70,7 @@ map $host $upstream_acme_challenge_host {
 eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820;
 hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
 staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
+ woodpecker.hamburg.ccc.de 172.31.17.160:31820;
 design.hamburg.ccc.de 172.31.17.162:31820;
 hydra.hamburg.ccc.de 172.31.17.163:31820;
 ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 0a004c9..843c094 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -91,6 +91,7 @@ stream {
 eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443;
 hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
 staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
+ woodpecker.hamburg.ccc.de 172.31.17.160:8443;
 design.hamburg.ccc.de 172.31.17.162:8443;
 hydra.hamburg.ccc.de 172.31.17.163:8443;
 cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
index 74991b7..0ee6ef4 100644
--- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
@@ -294,6 +294,14 @@ endpoints:
 - "[CERTIFICATE_EXPIRATION] > 48h"
 - "[BODY] == pat(*CCCHH Wiki*)"
+ - name: Woodpecker
+ url: "https://woodpecker.hamburg.ccc.de/"
+ <<: *services_chaosknoten_defaults
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 48h"
+ - "[BODY] == pat(*Woodpecker*)"
+
 - name: Zammad
 url: "https://zammad.hamburg.ccc.de/"
 <<: *services_chaosknoten_defaults
diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2
index d16c8ad..38db85a 100644
--- a/resources/z9/dooris/docker_compose/compose.yaml.j2
+++ b/resources/z9/dooris/docker_compose/compose.yaml.j2
@@ -2,13 +2,21 @@
 services:
 dooris:
- image: git.hamburg.ccc.de/ccchh/dooris:latest
+ image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest
 environment:
- DOORIS_OPENID_ISSUER: https://id.hamburg.ccc.de/realms/ccchh/
- DOORIS_OPENID_CLIENT_ID: dooris
- DOORIS_OPENID_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
- DOORIS_BASE_URL: https://dooris.ccchh.net
- DOORIS_CCUJACK_USER: "dooris"
- DOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
- network_mode: host
+ HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27"
+ HMDOORIS_CCUJACK_CERTIFICATE_PATH: false
+ HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
+ HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122
+ HMDOORIS_CCUJACK_USERNAME: dooris
+ HMDOORIS_CLIENT_ID: dooris
+ HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
+ HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
+ HMDOORIS_LISTEN: '0.0.0.0:3000'
+ HMDOORIS_REQUIRES_GROUP: /intern
+ HMDOORIS_URL: https://dooris.ccchh.net
+ PYTHONWARNINGS: "ignore:Unverified HTTPS request"
+ #DEBUG: true
+ ports:
+ - "127.0.0.1:3000:3000"
 restart: unless-stopped
diff --git a/resources/z9/dooris/nginx/dooris.ccchh.net.conf b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
index efb5b1f..c1ca082 100644
--- a/resources/z9/dooris/nginx/dooris.ccchh.net.conf
+++ b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
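Review bot: TLS certificate verification towards the CCU appears to be switched off in the new `environment` block: `HMDOORIS_CCUJACK_CERTIFICATE_PATH: false` together with `PYTHONWARNINGS: "ignore:Unverified HTTPS request"` suggests that requests to `https://hmdooris-ccu.ccchh.net:2122` are sent without checking the peer and that the resulting warning is hidden. For a door controller this means `HMDOORIS_CCUJACK_PASSWORD` is sent to whichever host answers under that name. If the image supports it, mount the CCU's certificate into the container, point `HMDOORIS_CCUJACK_CERTIFICATE_PATH` at that file and drop the `PYTHONWARNINGS` line. Independently, write the value as a string (`"false"`), because Compose expects environment values in mapping form to be strings, numbers or null. Pinning the image to a version tag or digest instead of `:latest` would also make it clear which build is controlling the door.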
@@ -32,10 +32,6 @@ server {
 proxy_set_header Connection "upgrade";
 location / {
- proxy_pass http://127.0.0.1:8000/;
- # Increase size to fix nginx error: "upstream sent too big header while reading response header from upstream"
- proxy_buffer_size 64k;
- proxy_busy_buffers_size 64k;
- proxy_buffers 20 4k;
+ proxy_pass http://127.0.0.1:3000/;
 }
 }
diff --git a/roles/ansible_pull/templates/ansible-pull.service.j2 b/roles/ansible_pull/templates/ansible-pull.service.j2
index 9607fc9..b344505 100644
--- a/roles/ansible_pull/templates/ansible-pull.service.j2
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
@@ -6,7 +6,6 @@ OnFailure=ansible-pull-failure-notify.service
 [Service]
 Type=oneshot
-TimeoutStartSec=30min
 Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
 ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
 ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml
diff --git a/roles/deploy_systemd_journal_config/files/10-ccchh.conf b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
index eea3754..3419fd9 100644
--- a/roles/deploy_systemd_journal_config/files/10-ccchh.conf
+++ b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
@@ -1,5 +1,3 @@
 [Journal]
 MaxFileSec=2day
 MaxRetentionSec=2week
-
-ForwardToSyslog=no