From d2f95237a098abcb47525a4f0f2db5363f215023 Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 13 May 2026 15:11:23 +0200
Subject: [PATCH 01/11] add wieskes nameservers for reverse-dns zone transfers
from auth-dns
---
inventories/chaosknoten/host_vars/auth-dns.yaml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index 970e2f8..badd093 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -7,6 +7,12 @@ knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
knot__remotes:
- id: ns-intern.hamburg.ccc.de
address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
+ - id: p-dns.irz42.net
+ address: [ "192.76.134.30", "2a00:14b0:4200:8600::30" ]
+ - id: s-dns.irz42.net
+ address: [ "212.12.50.130", "2a00:14b0:4200:3280::130" ]
+ - id: k-dns.irz42.net
+ address: [ "212.12.54.252", "2a00:14b0:4200:3600::252" ]
knot__catalog_zones:
- domain: "hamburg.ccc.de.catalog."
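Review bot: The three irz42.net entries are added as remotes here and as notify targets in the second hunk, but nothing in either hunk grants them transfer access to the zone although the subject says "zone transfers"; if the knot role expresses that through a separate ACL variable, that part is missing (hedged, since the rest of auth-dns.yaml is not visible). A NOTIFY to a secondary that is not allowed to AXFR produces a refused transfer rather than a replicated zone. Patch 04 of this series removes these entries again as erroneous, so if the series is squashed before merge both commits could be dropped together.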
@@ -38,7 +44,7 @@ knot__zones:
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}"
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de", "p-dns.irz42.net", "s-dns.irz42.net", "k-dns.irz42.net" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
From 18ffa42358029d9135c35b36d35ea0de7f29a01c Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 13 May 2026 15:11:23 +0200
Subject: [PATCH 02/11] remove actually unused reverse-dns zones
---
.../chaosknoten/host_vars/auth-dns.yaml | 20 -------------------
....0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone | 16 ---------------
....0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone | 15 --------------
....0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone | 15 --------------
....0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone | 15 --------------
....0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone | 15 --------------
6 files changed, 96 deletions(-)
delete mode 100644 resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
delete mode 100644 resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
delete mode 100644 resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
delete mode 100644 resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
delete mode 100644 resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index badd093..3efb85d 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -46,23 +46,3 @@ knot__zones:
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de", "p-dns.irz42.net", "s-dns.irz42.net", "k-dns.irz42.net" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
- - domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
- - domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
- - domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
- - domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
-
- - domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de" ]
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
diff --git a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index baacd63..0000000
--- a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,16 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023073001
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:122::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.
-
diff --git a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index 6972a51..0000000
--- a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:123::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index a43bc06..0000000
--- a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:124::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index b03dcc7..0000000
--- a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
- 2023072900
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:125::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
deleted file mode 100644
index 3de9e09..0000000
--- a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-$TTL 7200
-
-@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
- 2023073001
- 10800
- 3600
- 3600000
- 86400 )
-
- IN NS auth-dns.hamburg.ccc.de.
- IN NS ns.vie.ccc.de.
-
-; 2a00:14b0:4200:3000:126::1
-
-1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.
From 637dc6b25a7f1ed496a73b71d83e0b9a827f2a74 Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 13 May 2026 16:53:57 +0200
Subject: [PATCH 03/11] consider ansible-pull jobs failed after 30 minutes
---
roles/ansible_pull/templates/ansible-pull.service.j2 | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/ansible_pull/templates/ansible-pull.service.j2 b/roles/ansible_pull/templates/ansible-pull.service.j2
index b344505..9607fc9 100644
--- a/roles/ansible_pull/templates/ansible-pull.service.j2
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
@@ -6,6 +6,7 @@ OnFailure=ansible-pull-failure-notify.service
[Service]
Type=oneshot
+TimeoutStartSec=30min
Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml
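Review bot: The new `TimeoutStartSec=30min` carries no explanation, and the reason is non-obvious: for `Type=oneshot` units systemd disables the start timeout by default, so without this line a hung pull (a stuck git clone or galaxy install in the ExecStartPre lines below) would never fail and the OnFailure unit named above the hunk would never run. A comment such as `# oneshot units have no start timeout by default; fail hung runs after 30min so OnFailure fires` above the line would record that. The remainder of the [Service] section lies outside the hunk.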
From 164f78495735ad3085e1d74aa733fee6d2ac0597 Mon Sep 17 00:00:00 2001
From: lilly
Date: Fri, 15 May 2026 14:48:38 +0200
Subject: [PATCH 04/11] remove errornously added irz42 reverse-dns secondaries
---
inventories/chaosknoten/host_vars/auth-dns.yaml | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index 3efb85d..dc91e90 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -7,12 +7,6 @@ knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
knot__remotes:
- id: ns-intern.hamburg.ccc.de
address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
- - id: p-dns.irz42.net
- address: [ "192.76.134.30", "2a00:14b0:4200:8600::30" ]
- - id: s-dns.irz42.net
- address: [ "212.12.50.130", "2a00:14b0:4200:3280::130" ]
- - id: k-dns.irz42.net
- address: [ "212.12.54.252", "2a00:14b0:4200:3600::252" ]
knot__catalog_zones:
- domain: "hamburg.ccc.de.catalog."
@@ -44,5 +38,5 @@ knot__zones:
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}"
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "p-dns.irz42.net", "s-dns.irz42.net", "k-dns.irz42.net" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
From 83e6f764648abff411746bdf899b8e2ef5dda17b Mon Sep 17 00:00:00 2001
From: jtbx
Date: Fri, 15 May 2026 19:25:44 +0200
Subject: [PATCH 05/11] deploy_systemd_journal_config(role): Disable
ForwardToSyslog
We don't want our journalctl logs mirrored to /var/log/syslog
---
roles/deploy_systemd_journal_config/files/10-ccchh.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/roles/deploy_systemd_journal_config/files/10-ccchh.conf b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
index 3419fd9..eea3754 100644
--- a/roles/deploy_systemd_journal_config/files/10-ccchh.conf
+++ b/roles/deploy_systemd_journal_config/files/10-ccchh.conf
@@ -1,3 +1,5 @@
[Journal]
MaxFileSec=2day
MaxRetentionSec=2week
+
+ForwardToSyslog=no
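Review bot: Disabling ForwardToSyslog stops journald from feeding the local syslog socket, so anything on these hosts that reads /var/log/syslog or /var/log/auth.log (rsyslog-based shipping, fail2ban-style tools) goes quiet without any error; the hunk does not show whether such consumers exist, so that should be confirmed before rollout. Combined with the `MaxRetentionSec=2week` line above, the journal then becomes the only local record of authentication events and is bounded to two weeks, which is short for incident investigation unless logs are shipped elsewhere. A comment above the new line, e.g. `# Keep logs in the journal only; do not duplicate them into /var/log/syslog`, would record the intent from the commit message in the file itself.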
From cc5dfb3cf703b3819838cb980d03fdb29efc4888 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sun, 10 May 2026 01:16:09 +0000
Subject: [PATCH 06/11] Update docker.io/grafana/grafana Docker tag to v13
---
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 8c38500..1f6c42f 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -32,7 +32,7 @@ services:
- alertmanager_data:/alertmanager
grafana:
- image: docker.io/grafana/grafana:12.4.2
+ image: docker.io/grafana/grafana:13.0.1
container_name: grafana
ports:
- 3000:3000
From a76f01aea7fba1aec8fe6e639a82d6799562ef14 Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Sat, 16 May 2026 13:06:19 +0200
Subject: [PATCH 07/11] Move secrets to SOPS, add REST_USER
---
.../chaosknoten/host_vars/lists.sops.yaml | 10 +++++++---
inventories/chaosknoten/host_vars/lists.yaml | 2 +-
.../{compose.yaml => compose.yaml.j2} | 17 +++++++++--------
3 files changed, 17 insertions(+), 12 deletions(-)
rename resources/chaosknoten/lists/docker_compose/{compose.yaml => compose.yaml.j2} (75%)
diff --git a/inventories/chaosknoten/host_vars/lists.sops.yaml b/inventories/chaosknoten/host_vars/lists.sops.yaml
index 76125b9..21c97c8 100644
--- a/inventories/chaosknoten/host_vars/lists.sops.yaml
+++ b/inventories/chaosknoten/host_vars/lists.sops.yaml
@@ -1,4 +1,8 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:pUFhg492OUXVIlDZ3Z9A/H0doJCuTX0zh9qLU88nz18jMzWmzXhc2kbQkk4QeSTnZ12juiTbpUFW+1cE1bOontIu5qiQgpe3c8s=,iv:bONSyFUibcszUcxBt749aiVVnqLKBuEJmfege0dGaM8=,tag:cvapTnTN62XTR6tQBSe+IQ==,type:str]
+secret__lists__hyperkitty_api_key: ENC[AES256_GCM,data:byO7x/r3E9mwxOwiK0Is+Mp+d2uRIBgNsX2YWUg20Cs=,iv:H9ufaS6JlKhkbsG5aM3owR0U10e0JNYX/s3AJagB6kY=,tag:5umAs792BwNF9bMCX69PBw==,type:str]
+secret__lists__postgres_password: ENC[AES256_GCM,data:HcH4Lyw9uuuqXGrrXkUqzg==,iv:3adzec+Wnh37LjzwMp7zhWMf9jZzI6EyUmEGS9TUYBg=,tag:8/jZrUzkcM+U3nME6+DSSA==,type:str]
+secret__lists__rest_password: ENC[AES256_GCM,data:BMCNEikejiDET0Mdlrzfcg==,iv:U5hVjM/epfzz2m/wXKhYhwFI/3zKX7XS/UMlBqwTZNk=,tag:0n79+5mP7ocY7jVQmWm+WA==,type:str]
+secret__lists__web_secret_key: ENC[AES256_GCM,data:3DntszkNw5ciwRUJJdmHTGTpjm9ZMBf9wO3MHAeiXuw=,iv:GqqjRcg0zG193Y04UYIipB8BBk/JUtGvtTCVQ4HCjDw=,tag:aY4d+CPGxMvRz8t983p9sw==,type:str]
sops:
age:
- recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
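Review bot: The four new `secret__lists__*` entries cannot be inspected here, but the plaintext database password, Hyperkitty API key and Django SECRET_KEY that this same commit removes from compose.yaml remain readable in the repository history, so moving them into SOPS only helps if the encrypted values are newly generated. If they are the old values, rotate them (the Postgres role password, the Hyperkitty key used by both services, and SECRET_KEY, which invalidates existing Django sessions) and say so in the commit message. Treating the previously committed values as exposed is the safe default.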
@@ -10,8 +14,8 @@ sops:
THpvS29mY1BIbktZYkhCYm1NMFdLcXcKBtXXokEi1nSVA099XXNrx3w4Fr1lnLMf
2KTuylUef8RUgHPx1wo5Q7xlYNR48GupHVQxb9VvyDTXOZEiAV7Pdw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-20T18:57:27Z"
- mac: ENC[AES256_GCM,data:IAM6vn4rI1l6qvPWEcDJ5xoD3I8/GWOr+PmRQ0QdkVMD9Pt7cHtMhHPpYvH3e8MfDPhC2g2uwt9FHsPqpcOXpflme0aF4E9PndGi1Pzi+yh40FSBAzLT3MEQ50vZ2rifzqUe5KSrXByF1WAnZxLTMST+xIlvEZOV0gx6y0G/iHQ=,iv:15MZsyClZ+WLBZgcRSq740LgDakuHAXAb3hAQyLKVSU=,tag:7+lRz4XKKVlkSeDVs4Jy9g==,type:str]
+ lastmodified: "2026-05-16T11:00:16Z"
+ mac: ENC[AES256_GCM,data:vwQc2suUJ0KiSsYRcrvsYHNYF2c8SU58LxWoFpzTX5hSDNy8LOWJIa6Ouo8c7gk4gYB0mS/FbmgEo8LOCDvRKamfgrpZQ2wvxI7GdGRjR0LOsS8O2xZ8QZ3BK9DfEfnA5ESgzRzX6Iuc4ZBUGfAQoDDxXrnh2ogWUdYPC81T5qU=,iv:Vi74U97iZAqQ8DDW2p3ncg58l6+mxar4hC5f48AuPAQ=,tag:Jd09hXId+ogV4rB0AWS2NA==,type:str]
pgp:
- created_at: "2026-04-18T22:36:23Z"
enc: |-
@@ -204,4 +208,4 @@ sops:
-----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.2
diff --git a/inventories/chaosknoten/host_vars/lists.yaml b/inventories/chaosknoten/host_vars/lists.yaml
index 0e53178..e6680f4 100644
--- a/inventories/chaosknoten/host_vars/lists.yaml
+++ b/inventories/chaosknoten/host_vars/lists.yaml
@@ -1,4 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/compose.yaml') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/lists/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: settings_local.py
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/settings_local.py') }}"
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
similarity index 75%
rename from resources/chaosknoten/lists/docker_compose/compose.yaml
rename to resources/chaosknoten/lists/docker_compose/compose.yaml.j2
index fb65594..11ea8a4 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
@@ -12,11 +12,13 @@ services:
depends_on:
- database
environment:
- - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
+ - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
- DATABASE_TYPE=postgres
- DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
+ - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
- MTA=postfix
+ - MAILMAN_REST_USER=restuser
+ - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
ports:
- "127.0.0.1:8001:8001" # API
- "127.0.0.1:8024:8024" # LMTP - incoming emails
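Review bot: Quoting of the templated values is inconsistent within the hunk: `DATABASE_URL` is wrapped in double quotes, but `HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}` and `MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}` are plain scalars, so after rendering a secret containing ` #` or `: ` would be truncated or mis-parsed by the YAML loader; quote them the same way, e.g. `- "HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}"`. The same applies to `HYPERKITTY_API_KEY` and `SECRET_KEY` in the second hunk of this file and to the two REST lines patch 08 adds to mailman-web. Because the password is embedded in `DATABASE_URL`, a generated value containing URL-reserved characters (`@`, `/`, `%`) would also break the URL; `{{ secret__lists__postgres_password | urlencode }}` guards against that, as long as the plain `POSTGRES_PASSWORD` line in the third hunk keeps the unencoded value.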
@@ -39,11 +41,11 @@ services:
- ./files/templates:/opt/mailman-web/templates
environment:
- DATABASE_TYPE=postgres
- - DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
+ - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
- "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- - HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
+ - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
- SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- - SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
+ - SECRET_KEY={{ secret__lists__web_secret_key }}
- MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
ports:
@@ -57,7 +59,7 @@ services:
environment:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
+ - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
image: docker.io/library/postgres:12-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
@@ -70,5 +72,4 @@ networks:
ipam:
driver: default
config:
- -
- subnet: 172.19.199.0/24
+ - subnet: 172.19.199.0/24
From 1757c366059fcae5e4e70553c1283d24ff41a3d5 Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Sat, 16 May 2026 13:31:18 +0200
Subject: [PATCH 08/11] Postorious needs REST API as well
---
resources/chaosknoten/lists/docker_compose/compose.yaml.j2 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2 b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
index 11ea8a4..db605b5 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
@@ -48,6 +48,8 @@ services:
- SECRET_KEY={{ secret__lists__web_secret_key }}
- MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
+ - MAILMAN_REST_USER=restuser
+ - MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
ports:
- "127.0.0.1:8000:8000" # HTTP
- "127.0.0.1:8080:8080" # uwsgi
From 1275d50bdffbf5419a20241d39c4615b882d8ceb Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 18 May 2026 18:00:30 +0200
Subject: [PATCH 09/11] dooris(host): use new dooris software
Also fix the DNS record that was no longer working properly.
---
.../chaosknoten/auth-dns/zones/ccchh.net.zone | 2 +-
.../z9/dooris/docker_compose/compose.yaml.j2 | 24 +++++++------------
.../z9/dooris/nginx/dooris.ccchh.net.conf | 6 ++++-
3 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
index 40d4c94..bb5c16f 100644
--- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
+++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
@@ -52,7 +52,7 @@ hmdooris-ccu A 10.31.208.202
buba A 10.31.211.137
buba.z9 A 10.31.211.137
dooris AAAA 2a07:c481:1:d0::1c
-_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
+_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
waybackproxy A 10.31.208.99
yate A 10.31.208.12
staubiv2 A 10.31.210.233
diff --git a/resources/z9/dooris/docker_compose/compose.yaml.j2 b/resources/z9/dooris/docker_compose/compose.yaml.j2
index 38db85a..d16c8ad 100644
--- a/resources/z9/dooris/docker_compose/compose.yaml.j2
+++ b/resources/z9/dooris/docker_compose/compose.yaml.j2
@@ -2,21 +2,13 @@
services:
dooris:
- image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest
+ image: git.hamburg.ccc.de/ccchh/dooris:latest
environment:
- HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27"
- HMDOORIS_CCUJACK_CERTIFICATE_PATH: false
- HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
- HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122
- HMDOORIS_CCUJACK_USERNAME: dooris
- HMDOORIS_CLIENT_ID: dooris
- HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
- HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
- HMDOORIS_LISTEN: '0.0.0.0:3000'
- HMDOORIS_REQUIRES_GROUP: /intern
- HMDOORIS_URL: https://dooris.ccchh.net
- PYTHONWARNINGS: "ignore:Unverified HTTPS request"
- #DEBUG: true
- ports:
- - "127.0.0.1:3000:3000"
+ DOORIS_OPENID_ISSUER: https://id.hamburg.ccc.de/realms/ccchh/
+ DOORIS_OPENID_CLIENT_ID: dooris
+ DOORIS_OPENID_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
+ DOORIS_BASE_URL: https://dooris.ccchh.net
+ DOORIS_CCUJACK_USER: "dooris"
+ DOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
+ network_mode: host
restart: unless-stopped
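Review bot: `network_mode: host` replaces the previous `127.0.0.1:3000:3000` port publication, so the container now shares the host's network namespace and whatever address the new dooris image binds (the nginx hunk proxies to 127.0.0.1:8000) is reachable on every host interface unless the application itself binds to loopback; if host networking is only needed to reach the CCU or for IPv6, a bridge network with `ports: ["127.0.0.1:8000:8000"]` keeps the nginx front as the only entry point. The dropped `HMDOORIS_ALLOWED_IPS` and `HMDOORIS_REQUIRES_GROUP` settings have no visible counterpart among the new `DOORIS_*` variables, so it is worth confirming that the source-network and `/intern` group restrictions are now enforced by the new software or the OpenID client rather than silently gone. A one-line comment above `network_mode: host` stating why it is required would help the next reader.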
diff --git a/resources/z9/dooris/nginx/dooris.ccchh.net.conf b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
index c1ca082..efb5b1f 100644
--- a/resources/z9/dooris/nginx/dooris.ccchh.net.conf
+++ b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
@@ -32,6 +32,10 @@ server {
proxy_set_header Connection "upgrade";
location / {
- proxy_pass http://127.0.0.1:3000/;
+ proxy_pass http://127.0.0.1:8000/;
+ # Increase size to fix nginx error: "upstream sent too big header while reading response header from upstream"
+ proxy_buffer_size 64k;
+ proxy_busy_buffers_size 64k;
+ proxy_buffers 20 4k;
}
}
From b0347d64bf9603c9bce1a05ef5e145ed9bb7d6a6 Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 18 May 2026 20:13:48 +0200
Subject: [PATCH 10/11] remove configuration for deleted woodpecker host
---
resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 2 --
.../grafana/docker_compose/prometheus_alerts.rules.yaml | 8 ++++----
.../public-reverse-proxy/nginx/acme_challenge.conf | 1 -
.../chaosknoten/public-reverse-proxy/nginx/nginx.conf | 1 -
.../docker_compose/config/services-chaosknoten.yaml | 8 --------
5 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
index 21a8d0e..a9c4851 100644
--- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
+++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
@@ -196,7 +196,6 @@ matrix-intern IN A 172.31.17.150
; have this for compatibility (like references in CI)
public-web-static-intern IN AAAA 2a00:14b0:42:102::17
git-intern IN A 172.31.17.154
-woodpecker-intern IN A 172.31.17.160
penpot-intern IN A 172.31.17.162
forgejo-runner-builder IN A 172.31.17.202
renovate-forgejo IN A 172.31.17.163
@@ -275,7 +274,6 @@ matrix IN CNAME public-reverse-proxy
mas IN CNAME public-reverse-proxy
element-admin IN CNAME public-reverse-proxy
netbox IN CNAME public-reverse-proxy
-woodpecker IN CNAME public-reverse-proxy
onlyoffice IN CNAME public-reverse-proxy
pad IN CNAME public-reverse-proxy
pretalx IN CNAME public-reverse-proxy
diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
index 4a2bc6f..15b9b1f 100644
--- a/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
+++ b/resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
@@ -129,7 +129,7 @@ groups:
# General high disk read and write rate alerts.
# Excluding: hypervisor hosts, CI hosts
- alert: HostUnusualDiskReadRate
- expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
+ expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
for: 5m
labels:
severity: warning
@@ -137,7 +137,7 @@ groups:
summary: Host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: HostUnusualDiskWriteRate
- expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"}
+ expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
for: 2m
labels:
severity: warning
@@ -147,7 +147,7 @@ groups:
# CI hosts high disk read and write alerts.
# Longer intervals to account for disk intensive CI tasks.
- alert: CIHostUnusualDiskReadRate
- expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
+ expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
for: 10m
labels:
severity: warning
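Review bot: Beyond dropping the woodpecker host, the new selector on the CIHostUnusualDiskReadRate expr changes the alert's behaviour: the old `node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}` ANDs two equality matchers on the same label and therefore matched no series, so this alert (and VirtualHostUnusualDiskWriteRate in the next hunk) could never fire; with the single matcher both become live for the forgejo runner for the first time. The 10m/4m windows and the 50 MB/s threshold should be sanity-checked against that host's real CI load, since a newly active rule is a common source of alert noise. This is worth a sentence in the commit message as well.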
@@ -155,7 +155,7 @@ groups:
summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: VirtualHostUnusualDiskWriteRate
- expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"}
+ expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
for: 4m
labels:
severity: warning
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 93968b0..e8b8c8e 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -70,7 +70,6 @@ map $host $upstream_acme_challenge_host {
eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820;
hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
- woodpecker.hamburg.ccc.de 172.31.17.160:31820;
design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 843c094..0a004c9 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -91,7 +91,6 @@ stream {
eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443;
hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
- woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
index 0ee6ef4..74991b7 100644
--- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
@@ -294,14 +294,6 @@ endpoints:
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Wiki*)"
- - name: Woodpecker
- url: "https://woodpecker.hamburg.ccc.de/"
- <<: *services_chaosknoten_defaults
- conditions:
- - "[STATUS] == 200"
- - "[CERTIFICATE_EXPIRATION] > 48h"
- - "[BODY] == pat(*Woodpecker*)"
-
- name: Zammad
url: "https://zammad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
From 56f57d85ac0ff68fdd1ae1164ee09ba864670834 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Mon, 18 May 2026 22:16:29 +0000
Subject: [PATCH 11/11] Update docker.io/library/postgres Docker tag to v18
---
inventories/chaosknoten/host_vars/cloud.yaml | 2 +-
resources/chaosknoten/lists/docker_compose/compose.yaml.j2 | 2 +-
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 9c28d58..765a86b 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
nextcloud__version: 32
# renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.17
+nextcloud__postgres_version: 18.4
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2 b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
index db605b5..58d1ed5 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml.j2
@@ -62,7 +62,7 @@ services:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
- image: docker.io/library/postgres:12-alpine
+ image: docker.io/library/postgres:18-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
networks:
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..091bd44 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
services:
database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
environment:
- "POSTGRES_USER=pretalx"
- "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"