CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions

Compare commits

base: CCCHH:f270ec1779daeec5b2ef2f65acc9b1332e87bd71
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:new_ccchh_router
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones
...
compare: CCCHH:de72c4c5fcbe4f8abfd1afd6316d7809fce5a2a6
Branches Tags
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:main
CCCHH:new_ccchh_router
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones

11 commits
f270ec1779 ... de72c4c5fc

Author SHA1 Message Date
Renovate
de72c4c5fc Update docker.io/pretix/standalone Docker tag to v2026.4
All checks were successful
/ Ansible Lint (pull_request) Successful in 3m7s
Details
/ Ansible Lint (push) Successful in 3m8s
Details
2026-05-18 22:16:25 +00:00
June
b0347d64bf
 		remove configuration for deleted woodpecker host
All checks were successful
/ Ansible Lint (push) Successful in 34m8s
Details
2026-05-18 20:13:48 +02:00
June
1275d50bdf
 		dooris(host): use new dooris software
All checks were successful
/ Ansible Lint (push) Successful in 3m56s
Details 
Also fix DNS record not properly working anymore.
 2026-05-18 18:00:30 +02:00
Stefan Bethke
1757c36605 Postorious needs REST API as well
All checks were successful
/ Ansible Lint (push) Successful in 8m34s
Details
2026-05-16 13:31:18 +02:00
Stefan Bethke
a76f01aea7 Move secrets to SOPS, add REST_USER
All checks were successful
/ Ansible Lint (push) Successful in 9m15s
Details
2026-05-16 13:06:19 +02:00
Renovate
cc5dfb3cf7 Update docker.io/grafana/grafana Docker tag to v13
Some checks failed
/ Ansible Lint (push) Failing after 13m15s
Details
2026-05-15 19:41:57 +02:00
jtbx
83e6f76464 deploy_systemd_journal_config(role): Disable ForwardToSyslog
Some checks failed
/ Ansible Lint (pull_request) Failing after 29m12s
Details
/ Ansible Lint (push) Successful in 41m19s
Details 
We don't want hour journalctl logs mirrored to /var/log/syslog
 2026-05-15 19:25:44 +02:00
lilly
164f784957
 		remove errornously added irz42 reverse-dns secondaries
All checks were successful
/ Ansible Lint (push) Successful in 3m0s
Details
2026-05-15 14:50:15 +02:00
lilly
637dc6b25a
 		consider ansible-pull jobs failed after 30 minutes
All checks were successful
/ Ansible Lint (pull_request) Successful in 2m27s
Details
/ Ansible Lint (push) Successful in 2m32s
Details
2026-05-13 16:53:57 +02:00
lilly
18ffa42358
 		remove actually unused reverse-dns zones
All checks were successful
/ Ansible Lint (push) Successful in 3m0s
Details
2026-05-13 15:14:37 +02:00
lilly
d2f95237a0
 		add wieskes nameservers for reverse-dns zone transfers from auth-dns 2026-05-13 15:11:29 +02:00
21 changed files with 42 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

20
inventories/chaosknoten/host_vars/auth-dns.yaml
View file

@ -40,23 +40,3 @@ knot__zones:
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ] notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
- domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"

10
inventories/chaosknoten/host_vars/lists.sops.yaml
View file

@ -1,4 +1,8 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:pUFhg492OUXVIlDZ3Z9A/H0doJCuTX0zh9qLU88nz18jMzWmzXhc2kbQkk4QeSTnZ12juiTbpUFW+1cE1bOontIu5qiQgpe3c8s=,iv:bONSyFUibcszUcxBt749aiVVnqLKBuEJmfege0dGaM8=,tag:cvapTnTN62XTR6tQBSe+IQ==,type:str] ansible_pull__age_private_key: ENC[AES256_GCM,data:pUFhg492OUXVIlDZ3Z9A/H0doJCuTX0zh9qLU88nz18jMzWmzXhc2kbQkk4QeSTnZ12juiTbpUFW+1cE1bOontIu5qiQgpe3c8s=,iv:bONSyFUibcszUcxBt749aiVVnqLKBuEJmfege0dGaM8=,tag:cvapTnTN62XTR6tQBSe+IQ==,type:str]
secret__lists__hyperkitty_api_key: ENC[AES256_GCM,data:byO7x/r3E9mwxOwiK0Is+Mp+d2uRIBgNsX2YWUg20Cs=,iv:H9ufaS6JlKhkbsG5aM3owR0U10e0JNYX/s3AJagB6kY=,tag:5umAs792BwNF9bMCX69PBw==,type:str]
secret__lists__postgres_password: ENC[AES256_GCM,data:HcH4Lyw9uuuqXGrrXkUqzg==,iv:3adzec+Wnh37LjzwMp7zhWMf9jZzI6EyUmEGS9TUYBg=,tag:8/jZrUzkcM+U3nME6+DSSA==,type:str]
secret__lists__rest_password: ENC[AES256_GCM,data:BMCNEikejiDET0Mdlrzfcg==,iv:U5hVjM/epfzz2m/wXKhYhwFI/3zKX7XS/UMlBqwTZNk=,tag:0n79+5mP7ocY7jVQmWm+WA==,type:str]
secret__lists__web_secret_key: ENC[AES256_GCM,data:3DntszkNw5ciwRUJJdmHTGTpjm9ZMBf9wO3MHAeiXuw=,iv:GqqjRcg0zG193Y04UYIipB8BBk/JUtGvtTCVQ4HCjDw=,tag:aY4d+CPGxMvRz8t983p9sw==,type:str]
sops: sops:
age: age:
- recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
@ -10,8 +14,8 @@ sops:
THpvS29mY1BIbktZYkhCYm1NMFdLcXcKBtXXokEi1nSVA099XXNrx3w4Fr1lnLMf THpvS29mY1BIbktZYkhCYm1NMFdLcXcKBtXXokEi1nSVA099XXNrx3w4Fr1lnLMf
2KTuylUef8RUgHPx1wo5Q7xlYNR48GupHVQxb9VvyDTXOZEiAV7Pdw== 2KTuylUef8RUgHPx1wo5Q7xlYNR48GupHVQxb9VvyDTXOZEiAV7Pdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-20T18:57:27Z" lastmodified: "2026-05-16T11:00:16Z"
mac: ENC[AES256_GCM,data:IAM6vn4rI1l6qvPWEcDJ5xoD3I8/GWOr+PmRQ0QdkVMD9Pt7cHtMhHPpYvH3e8MfDPhC2g2uwt9FHsPqpcOXpflme0aF4E9PndGi1Pzi+yh40FSBAzLT3MEQ50vZ2rifzqUe5KSrXByF1WAnZxLTMST+xIlvEZOV0gx6y0G/iHQ=,iv:15MZsyClZ+WLBZgcRSq740LgDakuHAXAb3hAQyLKVSU=,tag:7+lRz4XKKVlkSeDVs4Jy9g==,type:str] mac: ENC[AES256_GCM,data:vwQc2suUJ0KiSsYRcrvsYHNYF2c8SU58LxWoFpzTX5hSDNy8LOWJIa6Ouo8c7gk4gYB0mS/FbmgEo8LOCDvRKamfgrpZQ2wvxI7GdGRjR0LOsS8O2xZ8QZ3BK9DfEfnA5ESgzRzX6Iuc4ZBUGfAQoDDxXrnh2ogWUdYPC81T5qU=,iv:Vi74U97iZAqQ8DDW2p3ncg58l6+mxar4hC5f48AuPAQ=,tag:Jd09hXId+ogV4rB0AWS2NA==,type:str]
pgp: pgp:
- created_at: "2026-04-18T22:36:23Z" - created_at: "2026-04-18T22:36:23Z"
enc: |- enc: |-
@ -204,4 +208,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.12.2

2
inventories/chaosknoten/host_vars/lists.yaml
View file

@ -1,4 +1,4 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/compose.yaml') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/lists/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files: docker_compose__configuration_files:
- name: settings_local.py - name: settings_local.py
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/settings_local.py') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/lists/docker_compose/settings_local.py') }}"

16
resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
View file

@ -1,16 +0,0 @@
$TTL 7200
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2023073001
10800
3600
3600000
86400 )
IN NS auth-dns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:122::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.

15
resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
View file

@ -1,15 +0,0 @@
$TTL 7200
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS auth-dns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:123::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.

15
resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
View file

@ -1,15 +0,0 @@
$TTL 7200
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS auth-dns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:124::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.

15
resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
View file

@ -1,15 +0,0 @@
$TTL 7200
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS auth-dns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:125::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.

15
resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
View file

@ -1,15 +0,0 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023073001
10800
3600
3600000
86400 )
IN NS auth-dns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:126::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.

2
resources/chaosknoten/auth-dns/zones/ccchh.net.zone
View file

@ -52,7 +52,7 @@ hmdooris-ccu A 10.31.208.202
buba A 10.31.211.137 buba A 10.31.211.137
buba.z9 A 10.31.211.137 buba.z9 A 10.31.211.137
dooris AAAA 2a07:c481:1:d0::1c dooris AAAA 2a07:c481:1:d0::1c
_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de _acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
waybackproxy A 10.31.208.99 waybackproxy A 10.31.208.99
yate A 10.31.208.12 yate A 10.31.208.12
staubiv2 A 10.31.210.233 staubiv2 A 10.31.210.233

2
resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
View file

@ -196,7 +196,6 @@ matrix-intern IN A 172.31.17.150
; have this for compatibility (like references in CI) ; have this for compatibility (like references in CI)
public-web-static-intern IN AAAA 2a00:14b0:42:102::17 public-web-static-intern IN AAAA 2a00:14b0:42:102::17
git-intern IN A 172.31.17.154 git-intern IN A 172.31.17.154
woodpecker-intern IN A 172.31.17.160
penpot-intern IN A 172.31.17.162 penpot-intern IN A 172.31.17.162
forgejo-runner-builder IN A 172.31.17.202 forgejo-runner-builder IN A 172.31.17.202
renovate-forgejo IN A 172.31.17.163 renovate-forgejo IN A 172.31.17.163
@ -275,7 +274,6 @@ matrix IN CNAME public-reverse-proxy
mas IN CNAME public-reverse-proxy mas IN CNAME public-reverse-proxy
element-admin IN CNAME public-reverse-proxy element-admin IN CNAME public-reverse-proxy
netbox IN CNAME public-reverse-proxy netbox IN CNAME public-reverse-proxy
woodpecker IN CNAME public-reverse-proxy
onlyoffice IN CNAME public-reverse-proxy onlyoffice IN CNAME public-reverse-proxy
pad IN CNAME public-reverse-proxy pad IN CNAME public-reverse-proxy
pretalx IN CNAME public-reverse-proxy pretalx IN CNAME public-reverse-proxy

2
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
View file

@ -32,7 +32,7 @@ services:
- alertmanager_data:/alertmanager - alertmanager_data:/alertmanager
grafana: grafana:
image: docker.io/grafana/grafana:12.4.2 image: docker.io/grafana/grafana:13.0.1
container_name: grafana container_name: grafana
ports: ports:
- 3000:3000 - 3000:3000

8
resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml
View file

@ -129,7 +129,7 @@ groups:
# General high disk read and write rate alerts. # General high disk read and write rate alerts.
# Excluding: hypervisor hosts, CI hosts # Excluding: hypervisor hosts, CI hosts
- alert: HostUnusualDiskReadRate - alert: HostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"} expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
for: 5m for: 5m
labels: labels:
severity: warning severity: warning
@ -137,7 +137,7 @@ groups:
summary: Host unusual disk read rate (instance {{ $labels.instance }}) summary: Host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}" description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: HostUnusualDiskWriteRate - alert: HostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="woodpecker", nodename!="chaosknoten"} expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+", nodename!="forgejo-actions-runner", nodename!="chaosknoten"}
for: 2m for: 2m
labels: labels:
severity: warning severity: warning
@ -147,7 +147,7 @@ groups:
# CI hosts high disk read and write alerts. # CI hosts high disk read and write alerts.
# Longer intervals to account for disk intensive CI tasks. # Longer intervals to account for disk intensive CI tasks.
- alert: CIHostUnusualDiskReadRate - alert: CIHostUnusualDiskReadRate
expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"} expr: (sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
for: 10m for: 10m
labels: labels:
severity: warning severity: warning
@ -155,7 +155,7 @@ groups:
summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }}) summary: CI host unusual disk read rate for 10 min (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}" description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}"
- alert: VirtualHostUnusualDiskWriteRate - alert: VirtualHostUnusualDiskWriteRate
expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner", nodename="woodpecker"} expr: (sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename="forgejo-actions-runner"}
for: 4m for: 4m
labels: labels:
severity: warning severity: warning

19
resources/chaosknoten/lists/docker_compose/compose.yaml → resources/chaosknoten/lists/docker_compose/compose.yaml.j2
View file

@ -12,11 +12,13 @@ services:
depends_on: depends_on:
- database - database
environment: environment:
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
- DATABASE_TYPE=postgres - DATABASE_TYPE=postgres
- DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase - DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86 - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
- MTA=postfix - MTA=postfix
- MAILMAN_REST_USER=restuser
- MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
ports: ports:
- "127.0.0.1:8001:8001" # API - "127.0.0.1:8001:8001" # API
- "127.0.0.1:8024:8024" # LMTP - incoming emails - "127.0.0.1:8024:8024" # LMTP - incoming emails
@ -39,13 +41,15 @@ services:
- ./files/templates:/opt/mailman-web/templates - ./files/templates:/opt/mailman-web/templates
environment: environment:
- DATABASE_TYPE=postgres - DATABASE_TYPE=postgres
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb - "DATABASE_URL=postgresql://mailman:{{ secret__lists__postgres_password }}@database/mailmandb"
- "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org" - "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86 - HYPERKITTY_API_KEY={{ secret__lists__hyperkitty_api_key }}
- SERVE_FROM_DOMAIN=lists.hamburg.ccc.de - SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt - SECRET_KEY={{ secret__lists__web_secret_key }}
- MAILMAN_ADMIN_USER=ccchh-admin - MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de - MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
- MAILMAN_REST_USER=restuser
- MAILMAN_REST_PASSWORD={{ secret__lists__rest_password }}
ports: ports:
- "127.0.0.1:8000:8000" # HTTP - "127.0.0.1:8000:8000" # HTTP
- "127.0.0.1:8080:8080" # uwsgi - "127.0.0.1:8080:8080" # uwsgi
@ -57,7 +61,7 @@ services:
environment: environment:
- POSTGRES_DB=mailmandb - POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman - POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - "POSTGRES_PASSWORD={{ secret__lists__postgres_password }}"
image: docker.io/library/postgres:12-alpine image: docker.io/library/postgres:12-alpine
volumes: volumes:
- /opt/mailman/database:/var/lib/postgresql/data - /opt/mailman/database:/var/lib/postgresql/data
@ -70,5 +74,4 @@ networks:
ipam: ipam:
driver: default driver: default
config: config:
- - subnet: 172.19.199.0/24
subnet: 172.19.199.0/24

1
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -70,7 +70,6 @@ map $host $upstream_acme_challenge_host {
eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820;
hacker.tours public-web-static.hosts.hamburg.ccc.de:31820; hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820; staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:31820;
woodpecker.hamburg.ccc.de 172.31.17.160:31820;
design.hamburg.ccc.de 172.31.17.162:31820; design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820; hydra.hamburg.ccc.de 172.31.17.163:31820;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820; ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;

1
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -91,7 +91,6 @@ stream {
eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; eh20.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443;
hacker.tours public-web-static.hosts.hamburg.ccc.de:8443; hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443; staging.hacker.tours public-web-static.hosts.hamburg.ccc.de:8443;
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443; design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443; hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;

2
resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
View file

@ -25,7 +25,7 @@ services:
backend: backend:
pretix: pretix:
image: docker.io/pretix/standalone:2026.3 image: docker.io/pretix/standalone:2026.4
command: ["all"] command: ["all"]
ports: ports:
- "8345:80" - "8345:80"

8
resources/external/status/docker_compose/config/services-chaosknoten.yaml vendored
View file

@ -294,14 +294,6 @@ endpoints:
- "[CERTIFICATE_EXPIRATION] > 48h" - "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Wiki*)" - "[BODY] == pat(*CCCHH Wiki*)"
- name: Woodpecker
url: "https://woodpecker.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Woodpecker*)"
- name: Zammad - name: Zammad
url: "https://zammad.hamburg.ccc.de/" url: "https://zammad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults <<: *services_chaosknoten_defaults

24
resources/z9/dooris/docker_compose/compose.yaml.j2
View file

@ -2,21 +2,13 @@
services: services:
dooris: dooris:
image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest image: git.hamburg.ccc.de/ccchh/dooris:latest
environment: environment:
HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56 172.31.200.0/23 172.31.202.0/27" DOORIS_OPENID_ISSUER: https://id.hamburg.ccc.de/realms/ccchh/
HMDOORIS_CCUJACK_CERTIFICATE_PATH: false DOORIS_OPENID_CLIENT_ID: dooris
HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}" DOORIS_OPENID_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122 DOORIS_BASE_URL: https://dooris.ccchh.net
HMDOORIS_CCUJACK_USERNAME: dooris DOORIS_CCUJACK_USER: "dooris"
HMDOORIS_CLIENT_ID: dooris DOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}" network_mode: host
HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
HMDOORIS_LISTEN: '0.0.0.0:3000'
HMDOORIS_REQUIRES_GROUP: /intern
HMDOORIS_URL: https://dooris.ccchh.net
PYTHONWARNINGS: "ignore:Unverified HTTPS request"
#DEBUG: true
ports:
- "127.0.0.1:3000:3000"
restart: unless-stopped restart: unless-stopped

6
resources/z9/dooris/nginx/dooris.ccchh.net.conf
View file

@ -32,6 +32,10 @@ server {
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
location / { location / {
proxy_pass http://127.0.0.1:3000/; proxy_pass http://127.0.0.1:8000/;
# Increase size to fix nginx error: "upstream sent too big header while reading response header from upstream"
proxy_buffer_size 64k;
proxy_busy_buffers_size 64k;
proxy_buffers 20 4k;
} }
} }

1
roles/ansible_pull/templates/ansible-pull.service.j2
View file

@ -6,6 +6,7 @@ OnFailure=ansible-pull-failure-notify.service
[Service] [Service]
Type=oneshot Type=oneshot
TimeoutStartSec=30min
Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key" Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi' ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml

2
roles/deploy_systemd_journal_config/files/10-ccchh.conf
View file

@ -1,3 +1,5 @@
[Journal] [Journal]
MaxFileSec=2day MaxFileSec=2day
MaxRetentionSec=2week MaxRetentionSec=2week
ForwardToSyslog=no