From 0788fde69dd514a9e891ac00d493eaea01b7d78a Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 5 Mar 2026 20:23:36 +0100
Subject: [PATCH 1/2] only allow sops encryption of *.sops.* files
---
.sops.yaml | 60 +++++++++++++++++++++++++++---------------------------
1 file changed, 30 insertions(+), 30 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c659d62..fcb0b45 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -43,170 +43,170 @@ keys:
creation_rules:
## group vars
- - path_regex: inventories/chaosknoten/group_vars/all.*
+ - path_regex: "inventories/chaosknoten/group_vars/.+\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_chaosknoten_age_keys
- - path_regex: inventories/external/group_vars/all.*
+ - path_regex: "inventories/external/group_vars/.+\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_external_age_keys
- - path_regex: inventories/z9/group_vars/all.*
+ - path_regex: "inventories/z9/group_vars/.+\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
## host vars
# chaosknoten hosts
- - path_regex: inventories/chaosknoten/host_vars/acmedns.*
+ - path_regex: "inventories/chaosknoten/host_vars/acmedns\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_acmedns_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/cloud.*
+ - path_regex: "inventories/chaosknoten/host_vars/cloud\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_cloud_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/keycloak.*
+ - path_regex: "inventories/chaosknoten/host_vars/keycloak\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_keycloak_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/grafana.*
+ - path_regex: "inventories/chaosknoten/host_vars/grafana\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_grafana_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/pad.*
+ - path_regex: "inventories/chaosknoten/host_vars/pad\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_pad_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/ccchoir.*
+ - path_regex: "inventories/chaosknoten/host_vars/ccchoir\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_ccchoir_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/pretalx.*
+ - path_regex: "inventories/chaosknoten/host_vars/pretalx\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_pretalx_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/netbox.*
+ - path_regex: "inventories/chaosknoten/host_vars/netbox\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_netbox_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/tickets.*
+ - path_regex: "inventories/chaosknoten/host_vars/tickets\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_tickets_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/onlyoffice.*
+ - path_regex: "inventories/chaosknoten/host_vars/onlyoffice\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_onlyoffice_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/zammad.*
+ - path_regex: "inventories/chaosknoten/host_vars/zammad\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_zammad_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/ntfy.*
+ - path_regex: "inventories/chaosknoten/host_vars/ntfy\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_ntfy_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/eh22-wiki.*
+ - path_regex: "inventories/chaosknoten/host_vars/eh22-wiki\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_eh22_wiki_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/sunders.*
+ - path_regex: "inventories/chaosknoten/host_vars/sunders\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_sunders_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/wiki.*
+ - path_regex: "inventories/chaosknoten/host_vars/wiki\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_wiki_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/renovate.*
+ - path_regex: "inventories/chaosknoten/host_vars/renovate\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_renovate_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/lists.*
+ - path_regex: "inventories/chaosknoten/host_vars/lists\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_lists_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/mumble.*
+ - path_regex: "inventories/chaosknoten/host_vars/mumble\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_mumble_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/public-reverse-proxy.*
+ - path_regex: "inventories/chaosknoten/host_vars/public-reverse-proxy\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_public_reverse_proxy_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
+ - path_regex: "inventories/chaosknoten/host_vars/spaceapiccc\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_spaceapiccc_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/mjolnir.*
+ - path_regex: "inventories/chaosknoten/host_vars/mjolnir\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_mjolnir_ansible_pull_age_key
# external hosts
- - path_regex: inventories/external/host_vars/status.*
+ - path_regex: "inventories/external/host_vars/status\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_status_ansible_pull_age_key
# z9 hosts
- - path_regex: inventories/z9/host_vars/dooris.*
+ - path_regex: "inventories/z9/host_vars/dooris\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
- - path_regex: inventories/z9/host_vars/yate.*
+ - path_regex: "inventories/z9/host_vars/yate\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
# general
- - key_groups:
- - pgp:
- *admin_gpg_keys
+ - path_regex: ".+\\.sops\\..+"
+ key_groups:
+ - pgp: *admin_gpg_keys
stores:
yaml:
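Review bot: The three group_vars rules (`inventories/chaosknoten/group_vars/.+\\.sops\\..+` and the external and z9 equivalents) widen the match from `all.*` to every sops-marked file under group_vars, so a future group file such as a constructed `group_vars/webservers.sops.yaml` would be encrypted to the full host age key set — a scope change the subject line does not mention. If only the `all` group is meant to be host-readable, `"inventories/chaosknoten/group_vars/all\\.sops\\..+"` keeps the old scope while still requiring the `.sops.` marker. SOPS applies the first creation rule whose `path_regex` matches and the match is unanchored, so a leading `^` on each pattern would also keep the host-specific rules from matching an inventory tree copied under another directory. The `stores:` mapping continues past the end of the hunk.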
From c47f7eeee2d69d2a4bd5531d95070e422c7b073d Mon Sep 17 00:00:00 2001
From: Renovate
Date: Fri, 6 Mar 2026 19:31:00 +0000
Subject: [PATCH 2/2] Update docker.io/library/postgres Docker tag to v18
---
inventories/chaosknoten/host_vars/cloud.yaml | 2 +-
resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +-
resources/chaosknoten/lists/docker_compose/compose.yaml | 2 +-
resources/chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +-
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +-
resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index b6cf771..0a1d845 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
nextcloud__version: 32
# renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.15
+nextcloud__postgres_version: 18.3
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
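Review bot: `nextcloud__postgres_version: 18.3` is a major-version jump from 15.15, and the postgres image does not migrate an existing cluster in place: a data directory initialised by PostgreSQL 15 will make the 18 container refuse to start until `pg_upgrade` or a dump/restore has been performed. The same applies to the `image: docker.io/library/postgres:18…` lines in the keycloak, lists (12 → 18), pad, pretalx and tickets compose files in this patch. Merging the Renovate bump as-is therefore needs a coordinated upgrade step per service, or Renovate should be configured to hold the major until one is planned.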
diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
index a260ab1..ee22a40 100644
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@@ -46,7 +46,7 @@ services:
- "8080:8080"
db:
- image: docker.io/library/postgres:15.15
+ image: docker.io/library/postgres:18.3
restart: unless-stopped
networks:
- keycloak
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml
index fb65594..65248bb 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml
@@ -58,7 +58,7 @@ services:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
- image: docker.io/library/postgres:12-alpine
+ image: docker.io/library/postgres:18-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
networks:
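Review bot: `POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz` on the context line directly above the bumped image is a plaintext database credential committed to the repository, unlike the sibling compose templates in this patch that render `{{ secret__… }}` variables; the new image line leaves it in place. This file carries no `.sops.` marker, so the SOPS creation rules from the first patch do not cover it either. Moving the value into a sops-encrypted host var, rendering it through a `compose.yaml.j2` as the other services do, and rotating the exposed password would close the gap.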
diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
index 790cf95..e13191a 100644
--- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
services:
database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
environment:
- "POSTGRES_USER=hedgedoc"
- "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}"
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 091d113..2f6f990 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
services:
database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
environment:
- "POSTGRES_USER=pretalx"
- "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
index 938883b..3d35c0b 100644
--- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
---
services:
database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
environment:
- "POSTGRES_USER=pretix"
- "POSTGRES_PASSWORD={{ secret__pretix_db_password }}"