CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions

Compare commits

base: CCCHH:main
Branches Tags
CCCHH:main
CCCHH:new_ccchh_router
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones
..
compare: CCCHH:docs-outline-style
Branches Tags
CCCHH:new_ccchh_router
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:main
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones

3 commits
main ... docs-outli

Author SHA1 Message Date
forestcat-admin
8892f9e3bb
 		clarify the usage of the document scope and the differences between concept, configuration and guide
Some checks failed
/ Ansible Lint (pull_request) Successful in 2m32s
Details
/ Ansible Lint (push) Successful in 2m32s
Details
/ build (pull_request) Has been cancelled
Details
2026-05-24 02:55:58 +02:00
forestcat-admin
b287b367e4
 		add documentation-structure
Some checks failed
/ Ansible Lint (push) Successful in 2m30s
Details
/ build (pull_request) Failing after 2m40s
Details
/ Ansible Lint (pull_request) Successful in 10m29s
Details
2026-05-24 02:29:55 +02:00
forestcat-admin
f4eecfe082
 		fix setup instructions to use uv run
Some checks failed
/ Ansible Lint (push) Successful in 2m25s
Details
/ Ansible Lint (pull_request) Successful in 2m24s
Details
/ build (pull_request) Failing after 2m41s
Details
2026-05-23 22:40:09 +02:00
14 changed files with 174 additions and 195 deletions
Download patch file Download diff file Expand all files Collapse all files

91
docs/concepts-and-configurations/documentation-structure.md
View file

@ -5,12 +5,91 @@ summary: >-
How our documentation is organized and what we do to balance ease of writing and understanding. How our documentation is organized and what we do to balance ease of writing and understanding.
--- ---
!!! info "ToDo" !!! info "Info"
This section needs updating If youre looking for a hands-on approach on how documentation is to be written you can find a [guide](../guides/writing-documentation.md) explaining the process. If youre unsure how to start you can find [templates](../guides/writing-documentation.md#3-addedit-your-markdown-file) there aswell.
- Docs should be english ## General Rules
- Guides are for step-by-step things Rules are formatting and writing decisions that apply to every document. Their goal is to provide a concise style across the whole documentation to keep the text easy to follow.
- Guides always have a "Goal" explicitly formulated
- Concepts and Configuration aim to make readers understand something in detail
- All documents written in this project should be written in **english** to maximize the compatability across readers.
- The documentation structure is intended to be followed, while not being **enforced** to keep a low entry barier for documentation authors.
- Use features like _Admonitions_ given by markdown and the theme whenever they can help by increasing the readability and outlining important parts. For instructions on how to use these theme specific features please refer down to the _MkDocs shadcn_ documentation in the References section.
## Defining a Document Scope
The scope for a document should be set to define responsibility and set boundaries to where that document applies. Especially lining out which services are affected by it. It **does not** need to be defined explicitly in the text, but should be kept in mind while writing.
!!! note "Example"
The scope for this document is aiming to convey the base concepts on how to structure concepts and configurations in this documentation. To provide high readability and a project wide concise structure that authors and readers can rely on.
We decide in this documentation between concepts, configurations and guides. Their separation should be clearified with folowing list:
- **Concept:** A concept includes an abstract definition about a specific structure while not going into implementation details.
- **Configuration:** A configuration can be a follow up of a concept, explaining the specific implementation in a given environment.
- **Guide:** A guide is a step-by-step hands-on instruction for the reader to follow along. It can reference concepts and configurations.
## Structuring Concepts
!!! note "Goal"
The goal for a concept is to provide the reader with a structured detailed explanation about an abstract concept, conveying why this concept was choosen and how it is intended to be used.
### Describing the Concept
This section is a summary to give the reader a quick overview about the concept answering following questions:
- What is this concept about?
- Why is this concept needed?
- What does this concept do?
### Explaining the Concept
This section should be an in depth explanation about the concept, explaining the concept as detailed as needed for the reader to be able to transfer it into an implementation. The usage of graphs and diagrams is advised when they can help the reader to understand the concept better.
### Referencing additional Sources
This section should include sources to other documentations, concepts and hand-on guides which the reader can look up to futher explore the defined concept.
## Structuring Configurations
!!! note "Goal"
A configuration document is intended to provide the reader with examples and best practices for configuring a specific item. It focuses on the technical implementation rather than an abstract concept.
### Describing the Configuration
This section should give the reader a quick overview which configuration files are being described.
### Providing the Configuration
Here should the author provide configuration sections or full templates. The configurations don't have to be fully complete, theyre rather a more structured view on which options are important and what to watch out for.
### Discussing Authors Thoughts
A discussion why the author choose which configuration options and what to watch out for. Best practices should be taught here. This section can also link to outside sources.
### Referencing Documentation
Here the author should provide upstream documentation which includes configuration options and further explanations why and how they are used.
## Structuring Guide
!!! note "Goal"
A guide intends to provide a hands-on approach to the reader which they can follow step-by-step to archive the guides defined goal. A good example for a guide can be found at [Writing Documentation](../guides/writing-documentation.md).
### Defining the Goal
A guide should always have a goal defined in the beginning, using the _Admonition_ for a success box is highly advised. An example for a goal box is shown below:
```markdown
!!! success "Goal"
How to setup, write its baseline documentation in ansible and deploy a service.
```
### Instructing the Reader
A guide should always have numbered instruction steps which are easy to follow. Important notices and information should written in _Admonitions_ as direct notices from the author to the reader. Dangerous steps or options should use a `danger` Admonition.
### Closing Up
A guide should be finished with steps and facts that can be checked by the reader to ensure that the guide worked as intended and all steps are completed correctly.
## References
Here you can find useful documentation regarding writing documentation:
- [MkDocs](https://www.mkdocs.org/user-guide/): This is the official mkdocs documentation, although it mostly explains configuring the mkdocs instance rather than explaining the usage.
- [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/): This is our theme for MkDocs which has its own syntax and quircks which can help writing more readable documentation

32
docs/guides/create-a-new-vm-on-chaosknoten.md → docs/guides/new-chaosknoten-vm.md
View file

@ -1,22 +1,18 @@
--- ---
title: Create a new VM on Chaosknoten title: New Chaosknoten VM
summary: How to Create a New VM on Chaosknoten
--- ---
!!! success "Goal" # New Chaosknoten VM
Create a new VM on our Chaosknoten Server with DNS Name, Firewalling and network config. This guide outlines the steps to take for creating a new VM (`myservice`) on Chaosknoten. It might also act as a useful reference for other environments however.
## 1. Reserve an IP Address ## IP and DNS
Decide on what kind of network configuration the VM needs. Decide on what kind of network configuration the VM needs. In this guide we assume a public v6 and a non-public v4 in the v4-NAT network. If you have special requirements, refer to TODO for more information on the different kinds of networks available on Chaosknoten.
In this guide we assume a public v6 and a non-public v4 in the v4-NAT network.
If you have special requirements, refer to TODO for more information on the different kinds of networks available on Chaosknoten.
1. Allocate a fresh [v6 in NetBox in the v4-NAT v6-network](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). 1. Allocate a fresh [v6 in NetBox in the v4-NAT v6-network](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/).
- The _hostname_ should be the full FQDN, like: `myservice.hosts.hamburg.ccc.de` - The _hostname_ should be the full FQDN, like: `myservice.hosts.hamburg.ccc.de`
## 2. Configure DNS
2. Add a new `AAAA` record pointing to the chosen v6 to the [`hamburg.ccc.de` zone](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone). 2. Add a new `AAAA` record pointing to the chosen v6 to the [`hamburg.ccc.de` zone](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone).
It should look something like this: It should look something like this:
``` ```
@ -27,7 +23,7 @@ If you have special requirements, refer to TODO for more information on the diff
ansible-playbook -i inventories/chaosknoten playbooks/deploy.yaml -l auth-dns -t knot ansible-playbook -i inventories/chaosknoten playbooks/deploy.yaml -l auth-dns -t knot
``` ```
## 3. Create A VM in Proxmox ## VM Creation
Now that we have a v6, let's create a new VM on Chaosknoten. Now that we have a v6, let's create a new VM on Chaosknoten.
@ -53,9 +49,6 @@ Now that we have a v6, let's create a new VM on Chaosknoten.
``` ```
ssh -J chaos@router.hamburg.ccc.de chaos@myservice.hosts.hamburg.ccc.de ssh -J chaos@router.hamburg.ccc.de chaos@myservice.hosts.hamburg.ccc.de
``` ```
## 4. Enter VM into NetBox
4. Finally add the VM to NetBox 4. Finally add the VM to NetBox
1. First [add the VM itself](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). 1. First [add the VM itself](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
- The _Name_ should be the hostname of the VM, so e.g. `myservice`. - The _Name_ should be the hostname of the VM, so e.g. `myservice`.
@ -70,7 +63,7 @@ Now that we have a v6, let's create a new VM on Chaosknoten.
4. Finally assign the IP address created earlier in NetBox to the just created interface by going into the _Assignment_ section of the IP address configuration. 4. Finally assign the IP address created earlier in NetBox to the just created interface by going into the _Assignment_ section of the IP address configuration.
- Also check _Make this the primary IP for the device/VM_ while doing so. - Also check _Make this the primary IP for the device/VM_ while doing so.
## 5. Enroll the VM in ansible ## Ansible
Next up the VM should be added to the Ansible configuration management. While Ansible can and should be used to configure various services and configuration options, this section focuses on the basic setup to be done. Next up the VM should be added to the Ansible configuration management. While Ansible can and should be used to configure various services and configuration options, this section focuses on the basic setup to be done.
@ -95,7 +88,7 @@ Next up the VM should be added to the Ansible configuration management. While An
Feel free to commit at this point before continuing with further configuration. Feel free to commit at this point before continuing with further configuration.
## 6. Configure the VM further for your needs ## Further Setup
With the basic configuration now done, the VM can be set up further. Here are some helpful pointers: With the basic configuration now done, the VM can be set up further. Here are some helpful pointers:
@ -103,9 +96,4 @@ With the basic configuration now done, the VM can be set up further. Here are so
- Secrets should be stored using SOPS, see: [SOPS: Storing Secrets](./sops-storing-secrets.md) - Secrets should be stored using SOPS, see: [SOPS: Storing Secrets](./sops-storing-secrets.md)
- Guidance on setting up a web service can be found in the [Web Service](./web-service.md) guide. - Guidance on setting up a web service can be found in the [Web Service](./web-service.md) guide.
Afterward you should also take care of setting up monitoring for the newly configured service, see: [Monitor a new service with Gatus](./monitor-a-new-service-with-gatus.md). Afterward you should also take care of setting up monitoring for the newly configured service, see: [Monitoring: Gatus](./monitoring-gatus.md)
## Closing Up
This section is optional but if there's any way for the reader to verify their goal has been achieved, you should mention it here.

2
docs/guides/writing-documentation.md
View file

@ -38,7 +38,7 @@ Once you have cloned the repository, you can just edit a file in the [`docs/`](h
```shell ```shell
uv venv uv venv
uv pip install -r docs_requirements.txt uv pip install -r docs_requirements.txt
mkdocs serve uv run mkdocs serve
``` ```
When adding new content, you can use one of the templates below to get started: When adding new content, you can use one of the templates below to get started:

2
inventories/chaosknoten/hosts.yaml
View file

@ -291,5 +291,3 @@ msmtp_hosts:
renovate_hosts: renovate_hosts:
hosts: hosts:
renovate: renovate:
secrets_hosts:
hosts:

2
inventories/external/hosts.yaml vendored
View file

@ -22,5 +22,3 @@ infrastructure_authorized_keys_hosts:
ansible_pull_hosts: ansible_pull_hosts:
hosts: hosts:
status: status:
secrets_hosts:
hosts:

8
inventories/z9/group_vars/all.sops.yaml
View file

@ -1,5 +1,5 @@
metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str] metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str] msmtp__smtp_password: ENC[AES256_GCM,data:NlA0aN2SeP4Tl3G1Qg0v/SAicY8p6ZMdQPihGfFTohAmajNvteFJ19ELPezwTz7hia0oU7lwo3DfKuu92WMIKA==,iv:s44piFZZrF6ZYmkGqsBFjTUNiHc4IhBXJATRPETsAI8=,tag:Sj0Q/Y4hT4Hs1JxVOO/8xQ==,type:str]
sops: sops:
age: age:
- recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
@ -38,8 +38,8 @@ sops:
cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr
MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg== MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-23T22:10:20Z" lastmodified: "2026-03-30T19:28:25Z"
mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str] mac: ENC[AES256_GCM,data:IGai2CmOI46XHekSSpLgQxEGw9zIf7Z10K8eQyi0rJGha5ZOjz9jP1VIhC9m6LjRxOKJuEPV2NvBACC5tBUCGwW1Ym31spcROjjtCzyqRF8E7R02oNMIQ32Byb9ij56/Trl5UOBOML+WOdeaq8r74kEfIyZBCx/tfGENuTlBqd4=,iv:Gjzb/IW6WcRL3c4ShOH46cVed4duTs1BFygYnGd4d4Y=,tag:DZAH6tA92mFP5Yo9b4kmkg==,type:str]
pgp: pgp:
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-20T02:08:49Z"
enc: |- enc: |-
@ -212,4 +212,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.1

4
inventories/z9/group_vars/all.yaml
View file

@ -12,8 +12,8 @@ ansible_pull__timer_randomized_delay_sec: 30min
msmtp__smtp_host: cow.hamburg.ccc.de msmtp__smtp_host: cow.hamburg.ccc.de
msmtp__smtp_port: 465 msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps msmtp__smtp_tls_method: smtps
msmtp__smtp_user: machine@ccchh.net msmtp__smtp_user: any@hosts.z9.ccchh.net
msmtp__smtp_from: "{{ inventory_hostname }}@cchh.net" msmtp__smtp_from: "{{ inventory_hostname }}@hosts.z9.ccchh.net"
alloy_config_default: | alloy_config_default: |
prometheus.remote_write "default" { prometheus.remote_write "default" {

2
inventories/z9/hosts.yaml
View file

@ -57,5 +57,3 @@ ansible_pull_hosts:
light: light:
waybackproxy: waybackproxy:
yate: yate:
secrets_hosts:
hosts:

7
playbooks/deploy.yaml
View file

@ -6,13 +6,6 @@
tags: tags:
- base_config - base_config
- name: Ensure secrets deployment on secrets_hosts
hosts: secrets_hosts
roles:
- secrets
tags:
- secrets
- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
hosts: systemd_networkd_hosts hosts: systemd_networkd_hosts
roles: roles:

127
resources/chaosknoten/auth-dns/zones/ccchh.net.zone
View file

@ -1,64 +1,73 @@
$TTL 60 ; 1 minutes $ORIGIN .
@ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. ( $TTL 900 ; 15 minutes
1 ; serial (overwritten by knot automatically) ccchh.net IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2026042801 ; serial
86400 ; refresh (1 day) 86400 ; refresh (1 day)
7200 ; retry (2 hours) 7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours) 3600000 ; expire (5 weeks 6 days 16 hours)
60 ; minimum/negative ttl (1 minute) 7200 ; minimum (2 hours)
) )
NS auth-dns.hamburg.ccc.de.
NS ns.vie.ccc.de.
@ NS auth-dns.hamburg.ccc.de. $ORIGIN ccchh.net.
@ NS ns.vie.ccc.de. aes A 212.12.48.125
club-assistant AAAA 2a07:c481:1:d0::a
;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
; club-assistant.z9 AAAA 2a07:c481:1:d0::a
; Network-Infrastructure ;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
; esphome AAAA 2a07:c481:1:d0::66
rt-wan A 185.161.129.134 esphome.z9 AAAA 2a07:c481:1:d0::66
AAAA 2a07:c481::1:2 zigbee2mqtt A 185.161.129.132
sw-rack-1 A 10.89.213.2 light AAAA 2a07:c481:1:d0::16
AAAA 2a07:c481:1:36::2 _acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
sw-rack-2-poe A 10.89.213.3 light.z9 AAAA 2a07:c481:1:d0::16
AAAA 2a07:c481:1:36::3 _acme-challenge.light.z9 CNAME 3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
sw-main-1 A 10.89.213.4 light-werkstatt AAAA 2a07:c481:1:d0::16
AAAA 2a07:c481:1:36::4 _acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
sw-main-2 A 10.89.213.5 mailserver-endpoint A 82.165.121.46
AAAA 2a07:c481:1:36::5 ns1 A 185.161.129.133
sw-shop-1 A 10.89.213.6 send-only-mail MX 10 send-only-mailserver
AAAA 2a07:c481:1:36::6 TXT "v=spf1 mx -all"
sw-shop-2-poe A 10.89.213.7 send-only-mailserver A 82.165.121.46
AAAA 2a07:c481:1:36::7 send-only-mailserver-access A 185.161.129.132
sw-shop-3-poe A 10.89.213.8 thinkcccore0 AAAA 2a07:c481:1:f2::3
AAAA 2a07:c481:1:36::8 thinkcccore0.z9 AAAA 2a07:c481:1:f2::3
pve01 A 10.89.213.11 thinkcccore1 AAAA 2a07:c481:1:f2::4
AAAA 2a07:c481:1:36::11 thinkcccore1.z9 AAAA 2a07:c481:1:f2::4
pve02 A 10.89.213.12 opnsense AAAA 2a07:c481:1:f2::1
AAAA 2a07:c481:1:36::12 opnsense.z9 AAAA 2a07:c481:1:f2::1
pve03 A 10.89.213.13 pbs AAAA 2a07:c481:1:f2::4
AAAA 2a07:c481:1:36::13 thinkcccore2 AAAA 2a07:c481:1:f2::5
pve04 A 10.89.213.14 thinkcccore2.z9 AAAA 2a07:c481:1:f2::5
AAAA 2a07:c481:1:36::14 thinkcccore3 AAAA 2a07:c481:1:f2::6
pbs A 10.89.213.15 thinkcccore3.z9 AAAA 2a07:c481:1:f2::6
AAAA 2a07:c481:1:36::15 miniscccore0 AAAA 2a07:c481:1:f2::9
unifi A 10.89.213.21 miniscccore0.z9 AAAA 2a07:c481:1:f2::9
uptime-kuma A 185.161.129.132
status AAAA 2a07:c481:1:ce::a
; status.z9 AAAA 2a07:c481:1:ce::a
; Club-Services wiki A 212.12.48.125
; hmdooris-ccu A 10.31.208.202
xr18 A 172.31.200.21 buba A 10.31.211.137
buba.z9 A 10.31.211.137
;club-assistant AAAA 2a07:c481:1:d0::a dooris AAAA 2a07:c481:1:d0::1c
;;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de _acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.
;esphome AAAA 2a07:c481:1:d0::66 waybackproxy A 10.31.208.99
;zigbee2mqtt A 185.161.129.132 yate A 10.31.208.12
;light AAAA 2a07:c481:1:d0::16 staubiv2 A 10.31.210.233
;_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de. staubiv2.z9 A 10.31.210.233
;light-werkstatt AAAA 2a07:c481:1:d0::16 ; Mail: hosts.z9.ccchh.net
;_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de. hosts.z9 MX 10 cow.hamburg.ccc.de
;hmdooris-ccu A 10.31.208.202 TXT "v=spf1 mx -all"
;buba A 10.31.211.137 dkim._domainkey.hosts.z9 TXT ("v=DKIM1;k=rsa;t=s;s=email;"
;dooris AAAA 2a07:c481:1:d0::1c "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
;_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de. "5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
;yate A 10.31.208.12 "ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
;staubiv2 A 10.31.210.233 "i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
"2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
"KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
"xV/P/KlSnQIDAQAB")
$ORIGIN send-only-mail.ccchh.net.
_dmarc TXT "v=DMARC1;p=quarantine;"
key._domainkey TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"

24
roles/secrets/README.md
View file

@ -1,24 +0,0 @@
# Role `secrets`
Allows storing the given secret contents in the configured files.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
None.
## Optional Arguments
- `secrets__secrets`: List of secrets.
Defaults to the empty list (`[ ]`).
- `secrets__secrets.*.name`: (File)name for the secret (in the `/etc/ansible_secrets` directory).
- `secrets__secrets.*.content`: The secret content to store.
- `secrets__secrets.*.owner`: The owner of the secret file.
Defaults to `root`.
- `secrets__secrets.*.group`: The group of the secret file.
Defaults to `root`.
- `secrets__secrets.*.mode`: The mode of the secret file.
Defaults to `0640`.

1
roles/secrets/defaults/main.yaml
View file

@ -1 +0,0 @@
secrets__secrets: [ ]

6
roles/secrets/meta/argument_specs.yaml
View file

@ -1,6 +0,0 @@
argument_specs:
main:
options:
secrets__secrets:
type: list
required: false

53
roles/secrets/tasks/main.yaml
View file

@ -1,53 +0,0 @@
- name: validate secret configs
ansible.builtin.validate_argument_spec:
argument_spec: "{{ required_data }}"
provided_arguments:
config: "{{ item }}"
loop: "{{ secrets__secrets }}"
loop_control:
label: "{{ item.name }}"
vars:
required_data:
config:
type: dict
required: true
options:
name:
type: str
required: true
content:
type: str
required: true
owner:
type: str
required: false
default: root
group:
type: str
required: false
default: root
mode:
type: str
required: false
default: "0640"
- name: ensure secrets directory exists
ansible.builtin.file:
path: "/etc/ansible_secrets"
state: directory
owner: root
group: root
mode: "0750"
become: true
- name: ensure secrets are present
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "/etc/ansible_secrets/{{ item.name }}"
mode: "{{ item.mode | default('0640') }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
become: true
loop: "{{ secrets__secrets }}"
loop_control:
label: "{{ item.name }}"