WIP router(host): initial config

2025-02-23 18:49:19 +01:00
11 changed files with 13 additions and 93 deletions
--- a/inventories/chaosknoten/host_vars/chaosknoten.yaml
+++ b/inventories/chaosknoten/host_vars/chaosknoten.yaml
@ -1,6 +0,0 @@
-# Used in deploy_hypervisor playbook.
-hypervisor__template_vm_config:
-  - name: STORAGE
-    value: nvme0
-  - name: BRIDGE
-    value: vmbr4
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -55,6 +55,9 @@ all:
    public-reverse-proxy:
      ansible_host: public-reverse-proxy.hamburg.ccc.de
      ansible_user: chaos
+    router:
+      ansible_host: router.hamburg.ccc.de
+      ansible_user: chaos
    wiki:
      ansible_host: wiki-intern.hamburg.ccc.de
      ansible_user: chaos
@ -81,6 +84,7 @@ base_config_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
+    router:
    tickets:
    wiki:
    zammad:
@ -161,6 +165,7 @@ infrastructure_authorized_keys_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
+    router:
    wiki:
    zammad:
 wiki_hosts:
@ -171,9 +176,3 @@ netbox_hosts:
  hosts:
    eh22-netbox:
    netbox:
-proxmox_vm_template_hosts:
-  hosts:
-    chaosknoten:
-ansible_pull_hosts:
-  hosts:
-    netbox:
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -6,11 +6,6 @@ all:
    authoritative-dns:
      ansible_host: authoritative-dns.z9.ccchh.net
      ansible_user: chaos
-    thinkcccore0:
-      ansible_host: thinkcccore0.z9.ccchh.net
-hypervisors:
-  hosts:
-    thinkcccore0:
 nginx_hosts:
  hosts:
    light:
@ -24,6 +19,3 @@ infrastructure_authorized_keys_hosts:
  hosts:
    light:
    authoritative-dns:
-proxmox_vm_template_hosts:
-  hosts:
-    thinkcccore0:
--- a/playbooks/deploy_hypervisor.yaml
+++ b/playbooks/deploy_hypervisor.yaml
@ -1,61 +0,0 @@
- name: Ensure the VM template generation is set up
-  hosts: proxmox_vm_template_hosts
-  tasks:
-    - name: Ensure dependencies are present
-      ansible.builtin.apt:
-        name:
-          - git
-          - libguestfs-tools
-      become: true
-
-    - name: Ensure /usr/local/{lib,sbin} exist
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: directory
-        owner: root
-        group: root
-        mode: "0755"
-      become: true
-      loop:
-        - "/usr/local/lib/"
-        - "/usr/local/sbin/"
-
-    - name: Ensure the pve-template-vm repo is present
-      ansible.builtin.git:
-        repo: https://git.hamburg.ccc.de/CCCHH/pve-template-vm.git
-        dest: /usr/local/lib/pve-template-vm
-        version: main
-        force: true
-        depth: 1
-        single_branch: true
-        track_submodules: true
-      become: true
-
-    # /usr/local/sbin as the script uses qm, which is also found in /usr/sbin.
-    - name: Ensure symlink to build-proxmox-template exists in /usr/local/sbin
-      ansible.builtin.file:
-        src: /usr/local/lib/pve-template-vm/build-proxmox-template
-        dest: /usr/local/sbin/build-proxmox-template
-        state: link
-        owner: root
-        group: root
-        mode: '0755'
-      become: true
-
-    # This sets up a cron job running /usr/local/sbin/build-proxmox-template using the env vars defined in hypervisor__template_vm_config.
-    - name: Ensure cron job is present for building a fresh VM template every week on Friday 04:00
-      ansible.builtin.cron:
-        name: "ansible build proxmox template"
-        cron_file: ansible_build_proxmox_template
-        minute: 0
-        hour: 4
-        weekday: 5
-        user: root
-        job: "{% if hypervisor__template_vm_config is defined and hypervisor__template_vm_config | length > 0 %}\
-              /usr/bin/env \
-              {% for item in hypervisor__template_vm_config | default([]) %}\
-              {{ item.name }}=\"{{ item.value }}\" \
-              {% endfor %}\
-              {% endif %}\
-              /usr/local/sbin/build-proxmox-template"
-      become: true
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@ -22,7 +22,7 @@

 services:
  keycloak:
-    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.1
+    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.0
    pull_policy: always
    restart: unless-stopped
    command: start --optimized
@ -46,7 +46,7 @@ services:
      - "8080:8080"

  db:
-    image: postgres:15.12
+    image: postgres:15.2
    restart: unless-stopped
    networks:
      - keycloak
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -43,7 +43,6 @@ server {

    allow 185.161.129.132/32; # z9
    allow 2a07:c480:0:100::/56; # z9
-    allow 2a07:c481:1::/48; # z9 new ipv6
    allow 213.240.180.39/32; # stbe home
    allow 2a01:170:118b::1/64; # stbe home
    deny all;
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@ -53,7 +53,6 @@ services:
    restart: unless-stopped
    environment:
      PRETALX_DATA_DIR: /data
-      PRETALX_FILE_UPLOAD_LIMIT: 1000 # MB
      PRETALX_FILESYSTEM_MEDIA: /public/media
      PRETALX_FILESYSTEM_STATIC: /public/static
      PRETALX_SITE_URL: https://pretalx.hamburg.ccc.de
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -71,7 +71,6 @@ map $host $upstream_acme_challenge_host {
    hydra.hamburg.ccc.de 172.31.17.163:31820;
    cfp.eh22.easterhegg.eu 172.31.17.157:31820;
    hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820;
-    hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:31820;
    netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:31820;
    default "";
 }
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -89,7 +89,6 @@ stream {
        hydra.hamburg.ccc.de 172.31.17.163:8443;
        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
        hub.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443;
-        hub-usercontent.eh22.easterhegg.eu eh22hub-intern.hamburg.ccc.de:8443;
        netbox.eh22.easterhegg.eu eh22-netbox-intern.hamburg.ccc.de:8443;
    }

--- a/roles/deploy_ssh_server_config/handlers/main.yaml
+++ b/roles/deploy_ssh_server_config/handlers/main.yaml
@ -1,5 +1,3 @@
- name: restart the ssh service
-  ansible.builtin.systemd:
-    name: ssh.service
-    state: restarted
+- name: reboot the system
  become: true
+  ansible.builtin.reboot:
--- a/roles/deploy_ssh_server_config/tasks/main.yaml
+++ b/roles/deploy_ssh_server_config/tasks/main.yaml
@ -12,7 +12,8 @@
        group: root
        src: sshd_config.j2
      notify:
-        - restart the ssh service
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system

    - name: deactivate short moduli
      ansible.builtin.shell:
@ -31,4 +32,5 @@
      changed_when:
        - '"ansible-changed" in result.stdout'
      notify:
-        - restart the ssh service
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system