keycloak: allow access form new IPv6 subnet at z9

fix accidentally added personalized ansible_user by removing it
dep._hyperv.(playb.): add deps step to vm template generation setup play
2025-02-26 23:48:19 +01:00 · 2025-02-23 23:51:58 +01:00 · 2025-02-23 23:26:36 +01:00 · 2025-02-23 23:23:51 +01:00 · 2025-02-23 22:42:58 +01:00 · 2025-02-22 23:17:36 +01:00
6 changed files with 81 additions and 7 deletions
--- a/inventories/chaosknoten/host_vars/chaosknoten.yaml
+++ b/inventories/chaosknoten/host_vars/chaosknoten.yaml
@ -0,0 +1,6 @@
+# Used in deploy_hypervisor playbook.
+hypervisor__template_vm_config:
+  - name: STORAGE
+    value: nvme0
+  - name: BRIDGE
+    value: vmbr4
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -55,9 +55,6 @@ all:
    public-reverse-proxy:
      ansible_host: public-reverse-proxy.hamburg.ccc.de
      ansible_user: chaos
-    router:
-      ansible_host: router.hamburg.ccc.de
-      ansible_user: chaos
    wiki:
      ansible_host: wiki-intern.hamburg.ccc.de
      ansible_user: chaos
@ -84,7 +81,6 @@ base_config_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
-    router:
    tickets:
    wiki:
    zammad:
@ -165,7 +161,6 @@ infrastructure_authorized_keys_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
-    router:
    wiki:
    zammad:
 wiki_hosts:
@ -176,3 +171,6 @@ netbox_hosts:
  hosts:
    eh22-netbox:
    netbox:
+proxmox_vm_template_hosts:
+  hosts:
+    chaosknoten:
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -6,6 +6,11 @@ all:
    authoritative-dns:
      ansible_host: authoritative-dns.z9.ccchh.net
      ansible_user: chaos
+    thinkcccore0:
+      ansible_host: thinkcccore0.z9.ccchh.net
+hypervisors:
+  hosts:
+    thinkcccore0:
 nginx_hosts:
  hosts:
    light:
@ -19,3 +24,6 @@ infrastructure_authorized_keys_hosts:
  hosts:
    light:
    authoritative-dns:
+proxmox_vm_template_hosts:
+  hosts:
+    thinkcccore0:
--- a/playbooks/deploy_hypervisor.yaml
+++ b/playbooks/deploy_hypervisor.yaml
@ -0,0 +1,61 @@
+- name: Ensure the VM template generation is set up
+  hosts: proxmox_vm_template_hosts
+  tasks:
+    - name: Ensure dependencies are present
+      ansible.builtin.apt:
+        name:
+          - git
+          - libguestfs-tools
+      become: true
+
+    - name: Ensure /usr/local/{lib,sbin} exist
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+      loop:
+        - "/usr/local/lib/"
+        - "/usr/local/sbin/"
+
+    - name: Ensure the pve-template-vm repo is present
+      ansible.builtin.git:
+        repo: https://git.hamburg.ccc.de/CCCHH/pve-template-vm.git
+        dest: /usr/local/lib/pve-template-vm
+        version: main
+        force: true
+        depth: 1
+        single_branch: true
+        track_submodules: true
+      become: true
+
+    # /usr/local/sbin as the script uses qm, which is also found in /usr/sbin.
+    - name: Ensure symlink to build-proxmox-template exists in /usr/local/sbin
+      ansible.builtin.file:
+        src: /usr/local/lib/pve-template-vm/build-proxmox-template
+        dest: /usr/local/sbin/build-proxmox-template
+        state: link
+        owner: root
+        group: root
+        mode: '0755'
+      become: true
+
+    # This sets up a cron job running /usr/local/sbin/build-proxmox-template using the env vars defined in hypervisor__template_vm_config.
+    - name: Ensure cron job is present for building a fresh VM template every week on Friday 04:00
+      ansible.builtin.cron:
+        name: "ansible build proxmox template"
+        cron_file: ansible_build_proxmox_template
+        minute: 0
+        hour: 4
+        weekday: 5
+        user: root
+        job: "{% if hypervisor__template_vm_config is defined and hypervisor__template_vm_config | length > 0 %}\
+              /usr/bin/env \
+              {% for item in hypervisor__template_vm_config | default([]) %}\
+              {{ item.name }}=\"{{ item.value }}\" \
+              {% endfor %}\
+              {% endif %}\
+              /usr/local/sbin/build-proxmox-template"
+      become: true
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@ -22,7 +22,7 @@

 services:
  keycloak:
-    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.0
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.1
    pull_policy: always
    restart: unless-stopped
    command: start --optimized
@ -46,7 +46,7 @@ services:
      - "8080:8080"

  db:
-    image: postgres:15.2
+    image: postgres:15.12
    restart: unless-stopped
    networks:
      - keycloak
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -43,6 +43,7 @@ server {

    allow 185.161.129.132/32; # z9
    allow 2a07:c480:0:100::/56; # z9
+    allow 2a07:c481:1::/48; # z9 new ipv6
    allow 213.240.180.39/32; # stbe home
    allow 2a01:170:118b::1/64; # stbe home
    deny all;
Author	SHA1	Message	Date
c6ristian	77e1d3bc3e	keycloak: allow access form new IPv6 subnet at z9	2025-02-26 23:48:19 +01:00
June	6b80f5b52a	fix accidentally added personalized ansible_user by removing it	2025-02-23 23:51:58 +01:00
June	41ba73d7c3	dep._hyperv.(playb.): add deps step to vm template generation setup play	2025-02-23 23:26:36 +01:00
June	fd13e5341b	add thinkcccore0 to inventory and enable VM template gen. setup on it	2025-02-23 23:23:51 +01:00
June	ca16e3d55f	dep._hypervisor(playb.): introduce play for setting up vm template gen.	2025-02-23 22:42:58 +01:00
c6ristian	98972e39c4	keycloak(host): update to 26.1 & postgres to 15.12	2025-02-22 23:17:36 +01:00