wip: alloy

2026-01-04 19:32:42 +01:00
41 changed files with 132 additions and 116 deletions
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -24,7 +24,7 @@ jobs:
      # work in our environmnet.
      # Rather manually setup python (pip) before instead.
      - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v25.12.2
+        uses: https://github.com/ansible/ansible-lint@v25.11.0
        with:
          setup_python: "false"
          requirements_file: "requirements.yml"
--- a/inventories/chaosknoten/group_vars/all.yaml
+++ b/inventories/chaosknoten/group_vars/all.yaml
@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.0"
+netbox__version: "v4.4.6"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ b/inventories/chaosknoten/host_vars/router.yaml
@ -1,4 +1,2 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
 nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
 ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__timer_randomized_delay_sec: 0min
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -1,9 +1,9 @@
 all:
  hosts:
    ccchoir:
-      ansible_host: ccchoir.hosts.hamburg.ccc.de
+      ansible_host: ccchoir-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    chaosknoten:
      ansible_host: chaosknoten.hamburg.ccc.de
    cloud:
@ -15,13 +15,13 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    grafana:
-      ansible_host: grafana.hosts.hamburg.ccc.de
+      ansible_host: grafana-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    tickets:
-      ansible_host: tickets.hosts.hamburg.ccc.de
+      ansible_host: tickets-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    keycloak:
      ansible_host: keycloak.hosts.hamburg.ccc.de
      ansible_user: chaos
@ -33,9 +33,9 @@ all:
      ansible_host: mumble.hamburg.ccc.de
      ansible_user: chaos
    netbox:
-      ansible_host: netbox.hosts.hamburg.ccc.de
+      ansible_host: netbox-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    onlyoffice:
      ansible_host: onlyoffice.hosts.hamburg.ccc.de
      ansible_user: chaos
@ -45,9 +45,9 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    pretalx:
-      ansible_host: pretalx.hosts.hamburg.ccc.de
+      ansible_host: pretalx-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    public-reverse-proxy:
      ansible_host: public-reverse-proxy.hamburg.ccc.de
      ansible_user: chaos
@ -59,21 +59,21 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    zammad:
-      ansible_host: zammad.hosts.hamburg.ccc.de
+      ansible_host: zammad-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    ntfy:
-      ansible_host: ntfy.hosts.hamburg.ccc.de
+      ansible_host: ntfy-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    sunders:
-      ansible_host: sunders.hosts.hamburg.ccc.de
+      ansible_host: sunders-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    renovate:
-      ansible_host: renovate.hosts.hamburg.ccc.de
+      ansible_host: renovate-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 hypervisors:
  hosts:
    chaosknoten:
--- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
+++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
@ -43,12 +43,12 @@ server {
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@ -2,7 +2,7 @@
 services:
  prometheus:
-    image: docker.io/prom/prometheus:v3.9.1
+    image: docker.io/prom/prometheus:v3.7.3
    container_name: prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
@ -19,7 +19,7 @@ services:
      - prom_data:/prometheus
  alertmanager:
-    image: docker.io/prom/alertmanager:v0.30.0
+    image: docker.io/prom/alertmanager:v0.29.0
    container_name: alertmanager
    command:
      - '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +32,7 @@ services:
      - alertmanager_data:/alertmanager
  grafana:
-    image: docker.io/grafana/grafana:12.3.1
+    image: docker.io/grafana/grafana:12.3.0
    container_name: grafana
    ports:
      - 3000:3000
@ -46,7 +46,7 @@ services:
      - graf_data:/var/lib/grafana
  pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
+    image: docker.io/prompve/prometheus-pve-exporter:3.5.5
    container_name: pve-exporter
    ports:
      - 9221:9221
@ -59,7 +59,7 @@ services:
      - /dev/null:/etc/prometheus/pve.yml
  loki:
-    image: docker.io/grafana/loki:3.6.3
+    image: docker.io/grafana/loki:3.6.0
    container_name: loki
    ports:
      - 13100:3100
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@ -17,6 +17,7 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:50051 ssl;
    listen 172.31.17.145:50051 ssl;
    http2 on;
@ -58,6 +59,7 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
--- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
@ -18,6 +18,7 @@ server {
    server_name metrics.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
    client_body_buffer_size 512k;
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@ -3,6 +3,7 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@ -3,6 +3,7 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -7,6 +7,7 @@ server {
    ##listen [::]:443 ssl http2;
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
@ -4,7 +4,7 @@
 services:
  onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.2.1
+    image: docker.io/onlyoffice/documentserver:9.1.0
    restart: unless-stopped
    volumes:
      - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
@ -13,7 +13,7 @@ services:
    restart: unless-stopped
  app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.5
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
    environment:
      - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
      - "CMD_DOMAIN=pad.hamburg.ccc.de"
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@ -23,7 +23,7 @@ services:
      - pretalx_net
  static:
-    image: docker.io/library/nginx:1.29.4
+    image: docker.io/library/nginx:1.29.3
    restart: unless-stopped
    volumes:
      - public:/usr/share/nginx/html
@ -33,7 +33,7 @@ services:
      - pretalx_net
  pretalx:
-    image: docker.io/pretalx/standalone:v2025.2.2
+    image: docker.io/pretalx/standalone:v2025.1.0
    entrypoint: gunicorn
    command:
      - "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
      - pretalx_net
  celery:
-    image: docker.io/pretalx/standalone:v2025.2.2
+    image: docker.io/pretalx/standalone:v2025.1.0
    command:
      - taskworker
    restart: unless-stopped
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -4,12 +4,12 @@ map $host $upstream_acme_challenge_host {
    c3cat.de 172.31.17.151:31820;
    www.c3cat.de 172.31.17.151:31820;
    staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
    cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
    element.hamburg.ccc.de 172.31.17.151:31820;
    git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
+    grafana.hamburg.ccc.de 172.31.17.145:31820;
    hackertours.hamburg.ccc.de 172.31.17.151:31820;
    staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
    hamburg.ccc.de 172.31.17.151:31820;
@ -19,18 +19,18 @@ map $host $upstream_acme_challenge_host {
    matrix.hamburg.ccc.de 172.31.17.150:31820;
    mas.hamburg.ccc.de 172.31.17.150:31820;
    element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
+    netbox.hamburg.ccc.de 172.31.17.167:31820;
    onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
    pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
-    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
+    pretalx.hamburg.ccc.de 172.31.17.157:31820;
    spaceapi.hamburg.ccc.de 172.31.17.151:31820;
    staging.hamburg.ccc.de 172.31.17.151:31820;
    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
    www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
+    tickets.hamburg.ccc.de 172.31.17.148:31820;
-    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
+    sunders.hamburg.ccc.de 172.31.17.170:31820;
-    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
+    zammad.hamburg.ccc.de 172.31.17.152:31820;
    eh03.easterhegg.eu 172.31.17.151:31820;
    eh05.easterhegg.eu 172.31.17.151:31820;
    eh07.easterhegg.eu 172.31.17.151:31820;
@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
    design.hamburg.ccc.de 172.31.17.162:31820;
    hydra.hamburg.ccc.de 172.31.17.163:31820;
    cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
+    ntfy.hamburg.ccc.de 172.31.17.149:31820;
    cryptoparty-hamburg.de 172.31.17.151:31820;
    cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
    staging.cryptoparty-hamburg.de 172.31.17.151:31820;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -18,21 +18,21 @@ stream {
    resolver 212.12.50.158 192.76.134.90;
    map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
+        grafana.hamburg.ccc.de 172.31.17.145:8443;
        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
        onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
        hackertours.hamburg.ccc.de 172.31.17.151:8443;
        staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
+        netbox.hamburg.ccc.de 172.31.17.167:8443;
        matrix.hamburg.ccc.de 172.31.17.150:8443;
        mas.hamburg.ccc.de 172.31.17.150:8443;
        element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,9 @@ stream {
        hamburg.ccc.de 172.31.17.151:8443;
        staging.hamburg.ccc.de 172.31.17.151:8443;
        spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
+        tickets.hamburg.ccc.de 172.31.17.148:8443;
-        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
+        sunders.hamburg.ccc.de 172.31.17.170:8443;
-        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
+        zammad.hamburg.ccc.de 172.31.17.152:8443;
        c3cat.de 172.31.17.151:8443;
        www.c3cat.de 172.31.17.151:8443;
        staging.c3cat.de 172.31.17.151:8443;
@ -90,8 +90,8 @@ stream {
        woodpecker.hamburg.ccc.de 172.31.17.160:8443;
        design.hamburg.ccc.de 172.31.17.162:8443;
        hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
+        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
+        ntfy.hamburg.ccc.de 172.31.17.149:8443;
        cryptoparty-hamburg.de 172.31.17.151:8443;
        cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
        staging.cryptoparty-hamburg.de 172.31.17.151:8443;
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@ -39,29 +39,13 @@ table inet host {
        ct state established,related accept
 		ip protocol icmp accept
-        # ICMPv6
+		ip6 nexthdr icmpv6 accept
        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
        # Error messages that are essential to the establishment and maintenance of communications:
        icmpv6 type { destination-unreachable, packet-too-big } accept
        icmpv6 type { time-exceeded } accept
        icmpv6 type { parameter-problem } accept
        # Connectivity checking messages:
        icmpv6 type { echo-request, echo-reply } accept
        # Address Configuration and Router Selection messages:
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
        # Link-Local Multicast Receiver Notification messages:
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        # SEND Certificate Path Notification messages:
        icmpv6 type { 148, 149 } accept
        # Multicast Router Discovery messages:
        icmpv6 type { 151, 152, 153 } accept
        # Allow SSH access.
        tcp dport 22 accept comment "allow ssh access"
        # Allow DHCP server access.
-		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
+		iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
    }
 }
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
@ -11,12 +11,6 @@ Description=v4-NAT
 # Masquerading done in nftables (nftables.conf).
 IPv6SendRA=yes
 DHCPServer=true
 [DHCPServer]
 PoolOffset=100
 PoolSize=150
 [Address]
 Address=10.32.2.1/24
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@ -3,7 +3,7 @@
 services:
  db:
-    image: mariadb:12.1.2
+    image: mariadb:12.0.2
    command: --max_allowed_packet=3250585600
    environment:
      MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
--- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/roles/alloy/tasks/main.yaml
+++ b/roles/alloy/tasks/main.yaml
@ -0,0 +1,48 @@
 # https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
 - name: ensure alloy user exists
  ansible.builtin.user:
    name: alloy
    system: true
    append: true
    create_home: false
    state: present
 - name: ensure the `/etc/alloy/` config directory exists
  ansible.builtin.file:
    path: /etc/alloy
    state: directory
    mode: "0770"
    owner: root
    group: alloy
  become: true
 - name: synchronize the additional configuration files directory, if present
  when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
  block:
    - name: ensure rsync is installed
      ansible.builtin.apt:
        name: rsync
      become: true
    - name: synchronize the additional configuration files directory, if present
      ansible.posix.synchronize:
        src: "{{ alloy__additional_configs_dir }}"
        dest: /etc/alloy/additional
        delete: true
        recursive: true
        use_ssh_args: true
        rsync_opts:
          - "--chown=root:alloy"
      become: true
 - name: delete the additional configuration files directory, if not present
  when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
  ansible.builtin.file:
    path: /etc/alloy/additional
    state: absent
  become: true
 - name: Setup Alloy
  ansible.builtin.import_role:
    name: grafana.grafana.alloy
  become: true
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@ -3,7 +3,6 @@
    - name: ensure apt dependencies are installed
      ansible.builtin.apt:
        name:
          - python3-pip
          - virtualenv
          - git
        state: present
--- a/roles/base_config/tasks/main.yaml
+++ b/roles/base_config/tasks/main.yaml
@ -1,13 +0,0 @@
 # Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
 - name: check if cloud-init config file exists
  ansible.builtin.stat:
    path: /etc/cloud/cloud.cfg
  register: base_config__stat_cloud_cfg
 - name: ensure the cloud-init ssh module is disabled
  ansible.builtin.replace:
    path: /etc/cloud/cloud.cfg
    regexp: " - ssh$"
    replace: " #- ssh"
  become: true
  when: base_config__stat_cloud_cfg.stat.exists
--- a/roles/certbot/meta/main.yaml
+++ b/roles/certbot/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/docker/meta/main.yaml
+++ b/roles/docker/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/dokuwiki/meta/main.yml
+++ b/roles/dokuwiki/meta/main.yml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/nginx/meta/main.yaml
+++ b/roles/nginx/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ b/roles/prometheus_node_exporter/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"