From a943b152f27ea9f25bd0c88dff3a34054d41fbf7 Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 3 May 2025 23:26:58 +0200
Subject: [PATCH 1/2] zammad(host): move secrets to SOPS
---
 .sops.yaml | 15 ++
 .../zammad/docker_compose/compose.yaml.j2 | 2 +-
 resources/chaosknoten/zammad/secrets.yaml | 236 ++++++++++++++++++
 3 files changed, 252 insertions(+), 1 deletion(-)
 create mode 100644 resources/chaosknoten/zammad/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 2852493..49bd543 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -147,6 +147,21 @@ creation_rules:
 - *admin_gpg_c6ristian
 - *admin_gpg_lilly
 - *admin_gpg_langoor
+ - path_regex: resources/chaosknoten/zammad/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_lilly
+ - *admin_gpg_langoor
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2
index 8d345de..8ea5265 100644
--- a/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2
@@ -11,7 +11,7 @@ see https://github.com/zammad/zammad-docker-compose/blob/master/.env
 {%- set POSTGRES_DB = "zammad_production" | quote -%}
 {%- set POSTGRES_HOST = "zammad-postgresql" | quote -%}
 {%- set POSTGRES_USER = "zammad" | quote -%}
-{%- set POSTGRES_PASS = lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/zammad/DB_PASSWORD", create=false, missing="error") | quote -%}
+{%- set POSTGRES_PASS = lookup("community.sops.sops", "resources/chaosknoten/zammad/secrets.yaml", extract="['DB_PASSWORD']") | quote -%}
 {%- set POSTGRES_PORT = "5432" | quote -%}
 {%- set POSTGRES_VERSION = "15-alpine" | quote -%}
 {%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%}
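Review bot: The new rule's `path_regex` is unanchored, and as far as I know sops applies it as a regex search and uses the first rule that matches, so the pattern also matches any deeper path containing that substring and the rule only takes effect if no rule above line 147 (outside this hunk) already matches the zammad files; `- path_regex: ^resources/chaosknoten/zammad/.*` at least pins it to the repository-relative prefix. The twelve recipients are the same admin anchors that open the catch-all rule directly below it; if that rule's full list (its tail is outside the hunk) is identical, the new rule adds nothing but a second list to keep in sync when a key is rotated or an admin leaves. In that case either drop the rule or let both rules alias one shared key list, the way the file already aliases the individual fingerprints.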
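Review bot: The replacement lookup drops the explicit `create=false, missing="error"` guard and nothing in the template now records where the password comes from or that the pass entry is obsolete. As far as I know `community.sops.sops` fails by default when the file is missing or cannot be decrypted, so the failure mode is preserved, but a header note such as `{# DB_PASSWORD is read from resources/chaosknoten/zammad/secrets.yaml (SOPS); edit it with sops, not pass #}` would save operators a search. The pass entry `noc/vm-secrets/chaosknoten/zammad/DB_PASSWORD` is no longer referenced after this change, so retiring it avoids two diverging copies of the password. The `{%- set -%}` block continues outside the hunk.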
diff --git a/resources/chaosknoten/zammad/secrets.yaml b/resources/chaosknoten/zammad/secrets.yaml
new file mode 100644
index 0000000..79b9dc7
--- /dev/null
+++ b/resources/chaosknoten/zammad/secrets.yaml
@@ -0,0 +1,236 @@ +DB_PASSWORD: ENC[AES256_GCM,data:ytb/AQ8UP47KTdUHI5RVZejZBW1vVI7v,iv:AIYEngDj4BHgXnz+pF45Z40EwJSsibVdCeF2IdVvmZE=,tag:dlBva94ytOeuzW71flhTaA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-05-03T21:25:46Z" + mac: ENC[AES256_GCM,data:SO6TcvQJNQ3cAAy3yr2S4/PkQm33jLie/MEiLVhWRajfVD0BTyEMG5RJT6eMN/2AW8HxMBs9Dgz2aOWosL3tXWsxp5PY9ZaCg1rlz7UPPp1lsoQLB03LYAl6Ez674WqTmUrb+SjNvbxi66diYBXZj0b1zawMD0J0EMifKqOzJiE=,iv:WTr2qtfazMonEG4hxcE1KNCdq/GtQinMVHXwT5A7yxQ=,tag:c1wBDOXeHwmHF+J5GXIlmA==,type:str] + pgp: + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//SahMO2M35vCWkHxIHLDO0hiap+RBvab+H35B+6rHsBBA + q3hyXieM1uW1OFKNegRPifazytyUVYi7DP+t0vUqXo/CY8BqmjM19ChOvaAPlif2 + DApPJvV3sYLbUdkYBx0sdpTiWHXmRP0JXtcvQxRMgOuRt+EhWoEnSsf1joMVhR4x + aGRmOiZhw4ZMI0GhxlVmonb/B0Bo6/3GIScVY9AzJIcmDqDd8DP7SEsYUxFzBfST + KAW2cJBn6rT1OtB97odr5Ir2TkS4H36euSNew/8caHGlKgcnewgF+zpIvjeWUimk + cUybZ2UssmBtfWHsypAMg7pKFO/OmV57OWqi8zKYNeLwXeFQvHB1265oJN4szyFJ + raCAB02Y1r4E5S3wSeqhjE7lvj37/JTjr5VXmz0tASPpgdcLKyik/qTSMQVLs2gY + nUjVnPbpakQ/9cFCElWEhFDwALZjsAef/+mqmA8h9Z84X9gi+EAwee/9uT4Mu/0H + 1xKdlAjo0ubkhTbxDf/Zp4RGEQ3ERffj5mtL/DxuBp2jvQ/feljJtO3Lo93Skbti + 7s+kOblHH0bBS+/YNP8yQUFZ0V0Jpvn52RMOKiMlrnlbmI2u9x478uF7cT6iQ8xf + HlIIGZHJ+dGU10sxmflp3TiSRAOyy5YJOFiBYl08QHREqPoEfn20hWIaf8avJHLU + aAEJAhA3M6o9TmOuAV9+n8lrZr+WcRQDovlZmyGb8/mjqupcW7QTsmdjIGFi8ttT + VgwJVseKZsTC0dyYNRroBUMyxEhtvsMkoAf6i5t9hr0XcaWQkacd4oYpkFIS+cDk + GGZyXPivuky7 + =Tw63 + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//QEj1kGg89Sim6kcAyZR6qi7yU9NIsQUUgNxTD4Dn+AS7 + w5rKd3ympVFVO3oQTJNLmxssJGyC1mgB9dqBulAPjKepnyHa/EolpGq69mPlO8pH + CFxSSz/rxj5h5vojyWE8VhDQtMeKKGMYwwqREkHkOMIvgoXPvcwwiLVDkRMkf7ss + xewqL5dlBkmHCHYE3gIE6BrGNoQEZ6vO19P+13KDgHxZN7RfXrQDLYEb8Rse/X24 + 
lsQxlaJr1fNsHzEPHkfZzWx0IFLJIPCwLJa7iY96Ku2qZOo+WkGhUiDHo/m9Ru04 + iwEVzucWHCYt3kKKq3kEyR57jOwzONUAuWl4otO0U3a3+dbHAkEqzU7WcnS2UOy2 + ajYmAq/j6kn74zCw+FV9tT1S+6WDHW95jXIPr3zKqRSL8V4UK0jc87Nb06w3yRCz + f8C2lrzH7iQFajDDuJ/vUI5g2NR10FafOdI83XlWkpd8i33nF7eoMZTagAFLw0C8 + OPr32i0Ppdz/fAedkYqqRys1tryQGiq3PeumxQTQQj9OKlkYlPIWLsQkSgRNQrc7 + EuIkm0YT4zpGzcoiQT586GDVsOiEb5yMmOjLqB8BHrSEUQwHL1cZvbGUooFqWX7K + iljdQ9RneaZH7REdJcN9+y15vd17pz8y1e8rd3mh2PGGkoVHyspklYvykzCDoNrS + XgHjMWrj/QCDI+GB02fql1ZFHodIbFPseWNlf3XVW8/lu2m3FDNYEsJCsBeK5OLW + Oti/DyVz2cNdescNEfH0W8OJ2f3C+R07l9FU1x8hjifjd+xURu9z+xrGdHwCYVQ= + =v+tQ + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//SwMT8P0+0S2zrf3/ActFB3m3BRUn93t2MdnAYQZRjil4 + nhcw7JpMjxD7Qe3klNHdeBK8DxXlr9ou9KvdnVWr4vdnzTdAiSiM9n5AHOCoRnT0 + rz4A4tTide2kGjmU4nWICAivr1YQqt9c/2D3BL4NAHTy0d4DK88jUe9wcoo8MnPW + nKk2LUr6DCR3+/3d9OJrWNlWrCmmSRfgpbmsGOV+TlKO7EaDTjc3Iz+T9zOaFXVj + /8VLyksQ6OtYnpOsniOsAb0GxiAGoeXayDvIijqesQ6AUf5HDGMcWCQcqMzITYWe + RNKceYd1MU5iSmqbCQ23WVCHMvgwqQJ1hRj9Rj3E4j5QVFzwniwmEK5XIOhvkL8Z + McrJ47zYi+QRx9xyhqczv0W2oX4aLZFW3dJtbpNzUMUmgDYZ+d16Iu3AxsMuOx4D + HovgP8+fy41+VgQvlGJE1pez/xo6muP6TMR8zD/s/eFnZop18bBK2OYW8yd/kp/B + AY9mpq6dDs4IuUBlo5c0YPIfWMWhh4GlaEsbggB/AUsrbJfYMX1MlLiHALAN0+xo + swRp0pPm+7mZmv7LnQCzNUM4rjGhJfzljjFmi+RwSS2h6bXbNqiedRbJbfrYWsCh + P9Ww4PhI9+kKb2PcNa7Ibzd5Ac3RpN1tMVsVzHOa0WhDCR+TkI9wnsGtHPi3CJbS + XgENsQcISscNzddDkTkI5fGogQohsQAQY4UfZDA5QuyFaNLihaWCr9OpUqFMXu+A + tSkVmHBVdYT8jIxO5YHYRieSxE0SEmYJf6+Ckxf2TWMJxWxsvwHgekI+kPR1Byc= + =VkXh + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//Uxtqgh64BFkNnCxUvaU0dvhrwuhAfrI2QAgX7Gghky7M + QwY5/HGBs34wCHlIJqV6E8AdXN0VyzhBiKiryaqTSECDXZbFsb+q0VhxWTs4T/G5 + 
oCvlvOC6rM7XT6puTsIiqjb4YO/8aVbkQCcE3QlwWxQP9DAk6I/Xxc+hTKStiYeC + uqON51LEtE1/pqfmf/K4j5kPLBuRYf5IUaBp5WVs9MMbf/vyN235odT8Z29Nz5kq + DidBkSq7A9Y64rncvvZ4+U3L0HTFcfyiTNOYPL1W45OgPFN4hRU047u/JjP1/vU+ + dLwWNwyYqq7KmEsRu8vi1p636KDios6MDo4n0Ma74APpM/3c8GEVeuz+rY6RoHbK + FzZ9Eswe5otqmfhfLqBGNYW9+RNu3nUD6U45ES5YqNOH9yk4OqrObVMrUh97IpF8 + 876cL+RDqI+KhnW1sgpJ5x+v7XrS12/LnjArBUJtHEsTxDWoAFHuVKJdr895M8+U + 1rMKOzhREbklNNgF33T4ysk6IE7PhGAJn8Wta2B7GfpBGBnzGdi6fvbuf+RtlZi4 + 86LkFNI7iOvVV4uiG02yqxlLsCYt6ww6MZuGLREsNeHLuQkrVfF9aVw/+++3PJan + tIYl/WSLQ2sAjj6uxoXkBciidqFhtlD+4hvRky3enrYW09EeBOZY+4sE16ALCnHS + XgEz/69zcjJK5d3yEdcYeoHRMFVH6haEc48kg3WKlOKQ2HrPS9rKRGSwG8CC4a75 + iw1OBZGFeaacydhq5XzU7QFlRXx7n8oi9zBHKPb0ND8zm13LQF4oTHogkZInmm0= + =Ks/U + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ/+MJYZ6RlUXXfn3JFBUMOFMOCR3QYKYyYxFi++34qdw6FP + 56KibbYsAs2yLksHy3XdgFgw9ki3AOFK7zb2Urs36/S/lofK592u+bKK+EYqVwIK + YdDynzaxA46WlRx8zMufEjyUBimAppOwePeaNPeI5+ElsYT+IBYB59xNEDHx0Gql + SzQVj326qkp3J3vYnoV8Srt7MvU+21ysT7eXSFrYP6d7imG4Mc9CuO9Rf4ZzovY3 + ZcIHGGg5B5/34eeVGfAFw+LfSTAcicidXDjSs9baG9jmoZYiJjF/qw4+mYRJ7Cox + CFQmeitar/tAAS8Q/wU9//a4dSupreAIRkA6V6/OsoWli2wY+1fL3TnHeTjskeh+ + BYCTuWqjAXqk/VEHkzgxqEbmJr9wHrUl5BWnaF+Ic1i3Udmm9UdFx6jgja3IbJpy + TlofZx7EhEd2VR29AF4HQV7vjeno+wp8mKJMtaG1gCpxAlaBvpJX8lsH/oDpuYMK + HhFNiI/ytFd5rGsthIImzUqe5eqAnl2+JNS5vxY26JU06uN1kPcPifeV9DqJ86OC + EfwFs3mHAIdiyn2LfA9ESCiqMEBv7NsyIFEve02y+hJZ+G/6x0Ob//AfrhgTOmSt + 2QRA0WMhavJpn3gcnO3OHoHqYzckI315ZLglgPYqP+8Uc8fx6RpA6vXaj7l9aaLS + XgGrtCK2C5MJQX8pMYhOhNWCDcXspLlAJMNFLnBh7ngujttyLCbufx3h37evh8DY + 4PZ70A4TjPbyiHvQWYhVGmYTdS3TmoE5eY0vlmIHABYvKflkdYp9JPLeqqPLxQE= + =Aw8A + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAxjNhCKPP69fAQ/8DmSZ5hZ04QC8G4G2P2xsTg+hb6Cu+v2leOwhRNhYQtPa + 9fa8e5Hd7lhLfdDSfABmWZTW34lyzj2MEi4ZFMaNU7zk/iBTfFFWZkOuaSTLHD0J + D28PROIEOVZIjUSqQ1iGT/jRP2fCEsSWexkGJyOrXKUsVi5kSdK8XygG/Hx9uiS5 + JoyjKMgPRNCqjvZdF12Qr+0QrM57CPE8fTy9MauN6M7CTiktQw9bdVc5hjNf4AZt + 8OCwNJLrAiB85iPVrUYO3nxmRETH092N1aw2HPv7/cOCst9jyUAQq3AEFpiaK+PD + 4uM+A+bkX3fOaCpNe1ePAnG/hV/456ZkNW3cR1tkRXXcXROFg4hOdZ2b3Rn4X35Z + xAHahfyOor15vAbmeAUo0ebdaAICmSoYT+JuLEdaE9hRBOfQkehRMvp2qHhYSe7X + 8j/cQP6M9lSPKYy1wATj3ALmLMvab3CCv9Amu3F4JtJLH3bgyWtMhiPWwxgnFRTm + OQgf6mXzRgJnnBJwtwdauSIxD758NyvqJgRq87dsrnUi8rp3fRq34jMVAWnrKVBz + kL4DMfr06mCMFLEG8B4Im4jfy0W3oVCrRrFgfB3HoiTbrnKOdYJ5e+XvlFxgXQ52 + h0WaRnPDQK1kx75nJlF72vr0ZgTWogm0OQUadxU+LiaQkQrcBkTmpjyz16l46O/S + XgGXzsbwjXq3hMptCN2tD65Ryzra1BGLBPyF39UOj6xNaUcfB0Aht/huvTaWUE1x + up3gAnVub2M7PpamJMqAe4vucIuS11+VflWV/zlUFkaqhhlghTEeR7mEt3/1cCU= + =6lrH + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+PbfW/BhAzQ88YgicYVYeqw784T1C2EPbUeBRLJWbKyCL + LXm/coGFBpzebUk26spFK151jWOgUfyFeMqYTAKPntV2w+L/sBsuN+hJ12egIKGi + 5vdwosq+dgo4jPg86kohepmfh4obv3QQ1P9ESmu3UswTCsn7WnRKLscVcPAFd2Wl + m0EaonTQbpW6zPLUJXd+/UnTsj1PrYijazDjUEcfoj5UwQ7vXfzoeNqvkpMzQxFT + mCm4hL4iV0E5av/8eP3jYFxz7S13MPvyN9M5I0lCDAYENrQDvDbaKWCYGNRsG07E + TULw0TXwvP5KtEORR7OAPGlon+1JQ7AM4RpTvsql+dEYq8t6pFrMw12TAKsCR3e/ + vmx12aX6eiBxZfcV/l9ykl+ypNE/YcKMjJxrDo/jeypXrHhEieuT+Otxe5OMh6+o + D1tydz4GKNJVsL97hlAKizs+h7Kg1KLucXVpWWUyowldzHOWA8ffh7uoM5pDk4wO + cYY4ROhy92n9njAzuAJfotTT2Jo/3J9vizlwFEr7F/sHEACIMgU8yJ+yqBiZK+G+ + Dx735M17sWTbPaV7s+fKwGD213c9lNCqLCqMd0udB2cpItKH6leIQ3wkMOCs384a + qs5/zxVorCvMul2iB74mEw3KcbwEuQDS9sJ3G6zXTV05hgx19/qM4IJX0WxkhjPS + XgHiuGDuve1w8W3sfT51/I4YsGonYwQe4lfRgQie7efzySidP85lwcfYcjhhaeqy + /Ly0kISbmO/AkJ/94TRIw39TePjP34tcYJ7B51ZyIyyJqE9LD7U5Cg/zK5KVqSw= + =Pqms + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - 
created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAmHTz9QCo5nl2Mv5vK+yDYrbVgfgWXqD8s0sinylq4f4K + r4U1b8cxGfmsbm+Y3MgvOLja4mHrzAaHdGo4rZWrnGKuhgQ0DNzi3ScDZ3mkTSyS + Nn62K65zjG/JaqS9M2tXyjuSq648jy3o/PnZnMY24H4hpw73EvxLudYyz1DaXQoJ + lhi/k4Nv+cGyVxCXzBklMJ0KW+VPIKQqf6TxqBRrQzPG1BNIWul9S0YJ5hZKvxqj + eEHPetDiQNjAJ9tPsVqXMe+TH3otz0shks5j9PzRGklwcHQjIwZrSwd6Ajs4Y24N + DTqAWH6ZosGERCe7Qp9YInTQ67J3VubYqtzpqDPKsu59+c5CYrhZooPHFOSt4WmD + bfGVdyogsXAfRVq8eAa3ShRVTYN21eUH+qQfwmo8Vw6GKSeeXiBclP20gJvmasKS + ifCLzEV9rhnE4YB2z7wUwOfJL3CFcnd96UqpGvQH6cAJmrKPN9U9pEWRVueMYhnp + ZE2NGu3spAFdEcCtd2Yh+nrAMklLMClvqtyp/HA6jg5pVDNcckBUXs2a/9uc0MNJ + 3RfrWaTuBRa9iEFJ6LHrjdWkRCMg6b2VrjVdrC6OwaV4vUQhc+VFNJGvkZ684K8l + olNX1efLZuVLVCEt9s8CQWktZDkm8hXEc+JLgZa+y7/o+Q2L+ILz2uuFp8nET9LS + XgFJ6Ktg3HSq8d8OYDmmKViYvqc8sazpt9RZybbQWxofCPP9Jum2AtxXsV8EvpIJ + uGMaJTCrwcIzlGXi+kic5EJJ9mR0woJNTMFLJgmm7CnfCQP9OsPb8IYNzvWK9zg= + =jmjo + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/8D9QO1hysKECDBPWs+vuWeaYp6nJL3WyoehsD+5NcUgu5 + n7k6gWdb6qdnX22pG2Y1sXVUbLHpBwGPFmV8yYEz/Wvilu6XbagWOaidIJg4n//t + nIEUXun7592rod636coaLdHF2xrFsh3e1RaTmFI4loOhDKZiiQtnGkFKcaukBJrM + cZwmuJNCT34RAodzWQI1zYbMKz0RSgALVBTcr1uVcdNfU/QCaqt7zYw75NnaTV/i + n5EsKAFcva5H//9lYHSzh38zOpz7eika4q9pBR6AwQ+4qmQEJE2x6cqqKVBAxpJO + aKBvWxxD6xZ5euoKYVdNnESaSrDXbBwJjcaWELhf9zGjJ9lh02rrdNyeRYkoBIGm + Fgc35S7TG0jK0KnNO/Cx0lOSwKZVdS/wAn4G7UFBAi9wvN5dgW/4+5YJ3FvIP+JQ + +WtlhbVuRnytjBoMPXdmhtlMifPqcCCe9tfWzeDshRFkYZYj7fCYahb1RMayckSE + mzL09qD/1NWpvCxahd8klOom3i8UZUsF7/f+MvL/qDDrOQNYUkZZlyXMxK6PtHxD + 8EllsS7LSKEjyOVKUZARaAVa+4xNRPoekgPGb87c33KcaDTHpAdnR4+OAsdrZqdH + m7uDUmFwBl9oUuOSDH5/SzYDwCmzji4fF+RB3y2rN++iMHaoW0cdfrMFJLNh0p/S + XgHytHnTUNQHpcO9DvDOJ/k6CMKEy8pqHsJtA6w4qjDBvxp2+MZvLtaiu0+cdIdn + Pv4/vMcPQ487w1Bai/RSPpFT/mvul2cx+rvGAvSBOJdJ36IqS77XS7q98oqsLXg= + =iE5q + 
-----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAplgn1U9MWtBhmrJn4nWktxeHY59U0ksE1XliNX8mr0Mw + 3xD0QuwfaohrhdgX3La+4/OY582zxkSwEP8Jw/JoBOSuEx+HBUreKKPuxO9uHzig + 0l4BPz6xZxRAI202Qajo1H9z32HbS95b05bBUapW50sUAAmNUhXW79guW7PjPeE4 + 1baTqk/BaJEreZshjwlJ92GXqrdbWmsYPRKKMSa1NoZu/uVQYvGXPvtmtE387OAs + =gwSv + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdApLDqh0CvSd674B/iVxpxBih7clT+mIDyINRGECvxBBgw + Afw8LvDzNDt1SX/xWNqZTYiJOQMq4V5HfSkSMt9mPPbSP9sT0OAHNN2dW/wZh2ZQ + 0lgBl47uynaVtrGVFU6ztl1YspN5OirXNIV/QqQIui/iaeeEdY8M/O7Blw2riktx + swLDw0o3UQTa76cCcBY0bLv0Vv8zdjKTSP5nBhMDS0pNxkKCuTqXCYkr + =VCUK + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2025-05-03T21:25:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAiYsQ5CFabAY1WYopL7Q14NoAdQmo41mCMK7VwObHTwRP + 7fIc2ug1UvunZsHSnC+IX6L9FXR8SUqFg4P9sWRPnnId/lI23zkBDCYuwCy2F/qa + e/GEh4Eha3OSd/ljZADddAIn+mjb6nc2YU/DvLg60h3A317RZassGavSFxYdPmKi + mfGVdnM8d4fnBIVaaUBjMVgiiTZnp1JGsaSewGkAie5qbhsqM4DT/se2RoNHmRjk + hZw8UNi2gPm27er9q3iBvEe/TKr6diA/ELWzNBXZS9uhOqKAlUKsHMNx9t/aLGXV + zSuyM0KuIMX61isHPXvKv1majyjGJ52UIfoUJ29FL9XmRbW2AUjmJnJ0AF8tpUrC + 6mqrzKTouOdmAdLmlPnZKlzt32AzkAlg97u1tllWUJstYndl2IwJ69BMaDhQVVgp + 6LkxUw5gmgCyj6hjDNjX98IhacGMYBhjjJ39Z+3AGlhuAegN91MGaE3TIrPjmx/H + KAXEC5Wv/yp5ezz2FtY41e5selMKcMgn8OuOvdyQZ0wWfqebLd3LMRis3hV04a8u + FzfkGo1jG5FWJQj0Nlc9mdgh6mLO43LKdq3Y6P/2pJ/Xdh3/tm1vzY3VOxtuelBO + NcB3lYB8ukouKH8yx3LvnB0oD3EsQC0/Uq8HUx4B75Mi7xnG2uo0sR05ALTLMePU + aAEJAhCqABkvXA7TWGsj9ohR+1d+6A47/6drox/KI/axPWoSFb/9SfPoSQR8U1Rp + NNrUA9GRUEFAsAzU7PaUYL5ZjF7uHN0MbZL7XI1X7qWz8I6qVYtuJAjBTdaKen3N + pRg6v53Ytj/L + =yFV4 + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + 
unencrypted_suffix: _unencrypted
+ version: 3.9.4
From 08e6feec2538555737eb6e2675869dc6c7bb1f06 Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 3 May 2025 23:33:51 +0200
Subject: [PATCH 2/2] eh22-netbox: remove eh22-netbox as its being decommissioned
---
 .../chaosknoten/host_vars/eh22-netbox.yaml | 16 ----
 inventories/chaosknoten/hosts.yaml | 10 ----
 .../eh22-netbox/netbox/configuration.py.j2 | 60 -------------------
 .../nginx/netbox.eh22.easterhegg.eu.conf | 48 ---------------
 .../nginx/acme_challenge.conf | 1 -
 .../public-reverse-proxy/nginx/nginx.conf | 1 -
 6 files changed, 136 deletions(-)
 delete mode 100644 inventories/chaosknoten/host_vars/eh22-netbox.yaml
 delete mode 100644 resources/chaosknoten/eh22-netbox/netbox/configuration.py.j2
 delete mode 100644 resources/chaosknoten/eh22-netbox/nginx/netbox.eh22.easterhegg.eu.conf
diff --git a/inventories/chaosknoten/host_vars/eh22-netbox.yaml b/inventories/chaosknoten/host_vars/eh22-netbox.yaml
deleted file mode 100644
index 56ba344..0000000
--- a/inventories/chaosknoten/host_vars/eh22-netbox.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-netbox__version: "v4.1.7"
-netbox__db_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/eh22-netbox/DATABASE_PASSWORD', create=false, missing='error') }}"
-netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/eh22-netbox/netbox/configuration.py.j2') }}"
-netbox__custom_pipeline_oidc_group_and_role_mapping: true
-
-nginx__version_spec: ""
-nginx__configurations:
- - name: netbox.eh22.easterhegg.eu
- content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/eh22-netbox/nginx/netbox.eh22.easterhegg.eu.conf') }}"
-
-certbot__version_spec: ""
-certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
-certbot__certificate_domains:
- - "netbox.eh22.easterhegg.eu"
-certbot__new_cert_commands:
- - "systemctl reload nginx.service"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index ed0d042..2450ca8 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -10,10 +10,6 @@ all:
 ansible_host: cloud-intern.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
- eh22-netbox:
- ansible_host: eh22-netbox-intern.hamburg.ccc.de
- ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 eh22-wiki:
 ansible_host: eh22-wiki-intern.hamburg.ccc.de
 ansible_user: chaos
@@ -70,7 +66,6 @@ base_config_hosts:
 hosts:
 ccchoir:
 cloud:
- eh22-netbox:
 eh22-wiki:
 grafana:
 keycloak:
@@ -101,7 +96,6 @@ nextcloud_hosts:
 nginx_hosts:
 hosts:
 ccchoir:
- eh22-netbox:
 eh22-wiki:
 grafana:
 tickets:
@@ -121,7 +115,6 @@ public_reverse_proxy_hosts:
 certbot_hosts:
 hosts:
 ccchoir:
- eh22-netbox:
 eh22-wiki:
 grafana:
 tickets:
@@ -137,7 +130,6 @@ certbot_hosts:
 prometheus_node_exporter_hosts:
 hosts:
 ccchoir:
- eh22-netbox:
 eh22-wiki:
 tickets:
 keycloak:
@@ -150,7 +142,6 @@ prometheus_node_exporter_hosts:
 infrastructure_authorized_keys_hosts:
 hosts:
 ccchoir:
- eh22-netbox:
 eh22-wiki:
 grafana:
 tickets:
@@ -169,7 +160,6 @@ wiki_hosts:
 wiki:
 netbox_hosts:
 hosts:
- eh22-netbox:
 netbox:
 proxmox_vm_template_hosts:
 hosts:
diff --git a/resources/chaosknoten/eh22-netbox/netbox/configuration.py.j2 b/resources/chaosknoten/eh22-netbox/netbox/configuration.py.j2
deleted file mode 100644
index 56995ca..0000000
--- a/resources/chaosknoten/eh22-netbox/netbox/configuration.py.j2
+++ /dev/null
@@ -1,60 +0,0 @@
-ALLOWED_HOSTS = [ "netbox.eh22.easterhegg.eu" ]
-DATABASE = {
- "HOST": "localhost",
- "NAME": "netbox",
- "USER": "netbox",
- "PASSWORD": "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/eh22-netbox/DATABASE_PASSWORD', create=false, missing='error') }}",
-}
-REDIS = {
- "tasks": {
- "HOST": "localhost",
- "PORT": 6379,
- "USERNAME": "",
- "PASSWORD": "",
- "DATABASE": 0,
- "SSL": False,
- },
- "caching": {
- "HOST": "localhost",
- "PORT": 6379,
- "USERNAME": "",
- "PASSWORD": "",
- "DATABASE": 1,
- "SSL": False,
- },
-}
-SECRET_KEY = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/eh22-netbox/SECRET_KEY', create=false, missing='error') }}"
-SESSION_COOKIE_SECURE = True
-
-# CCCHH ID (Keycloak) integration.
-# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
-# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
-REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"
-SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = (
- "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"
-)
-SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = (
- "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"
-)
-SOCIAL_AUTH_KEYCLOAK_KEY = "eh22-netbox"
-SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"
-SOCIAL_AUTH_KEYCLOAK_SECRET = "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/eh22-netbox/SOCIAL_AUTH_KEYCLOAK_SECRET', create=false, missing='error') }}"
-# Use custom OIDC group and role 
mapping pipeline functions added in via
-# netbox__custom_pipeline_oidc_group_and_role_mapping.
-# The default pipeline this is based on can be found here:
-# https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py
-SOCIAL_AUTH_PIPELINE = [
- "social_core.pipeline.social_auth.social_details",
- "social_core.pipeline.social_auth.social_uid",
- "social_core.pipeline.social_auth.social_user",
- "social_core.pipeline.user.get_username",
- "social_core.pipeline.user.create_user",
- "social_core.pipeline.social_auth.associate_user",
- "netbox.authentication.user_default_groups_handler",
- "social_core.pipeline.social_auth.load_extra_data",
- "social_core.pipeline.user.user_details",
- # Custom OIDC group and role mapping functions.
- "netbox.custom_pipeline_oidc_mapping.add_groups",
- "netbox.custom_pipeline_oidc_mapping.remove_groups",
- "netbox.custom_pipeline_oidc_mapping.set_roles",
-]
diff --git a/resources/chaosknoten/eh22-netbox/nginx/netbox.eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-netbox/nginx/netbox.eh22.easterhegg.eu.conf
deleted file mode 100644
index 6c9d458..0000000
--- a/resources/chaosknoten/eh22-netbox/nginx/netbox.eh22.easterhegg.eu.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
-server {
- # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
-
- server_name netbox.eh22.easterhegg.eu;
-
- ssl_certificate /etc/letsencrypt/live/netbox.eh22.easterhegg.eu/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/netbox.eh22.easterhegg.eu/privkey.pem;
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/netbox.eh22.easterhegg.eu/chain.pem;
-
- # HSTS (ngx_http_headers_module is required) (63072000 seconds)
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Port 443;
- # This is https in any case.
- proxy_set_header X-Forwarded-Proto https;
- # Hide the X-Forwarded header.
- proxy_hide_header X-Forwarded;
- # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
- # is transparent).
- # Also provide "_hidden" for by, since it's not relevant.
- proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
-
- client_max_body_size 25m;
-
- location /static/ {
- alias /opt/netbox/netbox/static/;
- }
-
- location / {
- proxy_pass http://127.0.0.1:8001;
- }
-}
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index e2b89d9..319347b 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -72,7 +72,6 @@ map $host $upstream_acme_challenge_host {
 cfp.eh22.easterhegg.eu 172.31.17.157:31820;
 hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820;
 hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820;
- netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:31820;
 default "";
 }
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 6560b75..e732052 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -90,7 +90,6 @@ stream {
 cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
 hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443;
 hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443;
- netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:8443;
 }
 server {