CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

Compare commits

base: CCCHH:main
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops
..
compare: CCCHH:fix_ansible_lint
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops

2 commits
main ... fix_ansibl

Author SHA1 Message Date
June
385f625c10
 		ci: move Ansible Lint job to ubuntu-latest runner to make it work again
Some checks failed
/ Ansible Lint (push) Failing after 1m20s
Details 
Move Ansible Lint job to ubuntu-latest runner to make it work again.
Moving it to the ubuntu-latest runner also removes the need for manual
dependency setup.
 2025-10-22 00:42:30 +02:00
June
96ecd033c8
 		(test) disable semantic commit prefixes
Some checks failed
/ Ansible Lint (push) Failing after 50s
Details
2025-10-22 00:29:59 +02:00
137 changed files with 908 additions and 4065 deletions
Download patch file Download diff file Expand all files Collapse all files

19
.forgejo/workflows/lint.yaml
View file

@ -8,25 +8,12 @@ on:
jobs:
ansible-lint:
name: Ansible Lint
runs-on: docker
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install pip
run: |
apt update
apt install -y pip
- name: Install python jmespath
run: |
pip install jmespath
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
# Don't let it setup python as the then called setup-python action doesn't
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- uses: actions/checkout@v4
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@v26.1.1
uses: https://github.com/ansible/ansible-lint@v24.10.0
with:
setup_python: "false"
requirements_file: "requirements.yml"
env:
PIP_BREAK_SYSTEM_PACKAGES: 1

40
.sops.yaml
View file

@ -33,37 +33,15 @@ keys:
- &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
- &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
- &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
- &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
- &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
external:
age: &host_external_age_keys
- &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
creation_rules:
## group vars
# group vars
- path_regex: inventories/chaosknoten/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_chaosknoten_age_keys
- path_regex: inventories/external/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_external_age_keys
- path_regex: inventories/z9/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
## host vars
# chaosknoten hosts
- path_regex: inventories/chaosknoten/host_vars/acmedns.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_acmedns_ansible_pull_age_key
# host vars
- path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups:
- pgp:
@ -172,20 +150,6 @@ creation_rules:
*admin_gpg_keys
age:
- *host_public_reverse_proxy_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_spaceapiccc_ansible_pull_age_key
# external hosts
- path_regex: inventories/external/host_vars/status.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_status_ansible_pull_age_key
# z9 hosts
- path_regex: inventories/z9/host_vars/dooris.*
key_groups:
- pgp:

114
docs/create-new-web-service-vm.md
View file

@ -1,114 +0,0 @@
# How to create all necessary entries for new (web service) VM
Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo.
## IP, DNS, VM
1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM.
2. On `ns-intern`:
1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP.
2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone.
3. Commit and reload the zone.
3. On Chaosknoten:
1. Create a new VM, for example by cloning the Debian template 9023.
Give it the name `example`.
2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`.
3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP.
4. Make sure the VM is started at boot (options).
5. Adjust any other VM parameters as needed.
6. Boot the VM.
4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
- Make sure to enter the VM ID.
- Add an Ethernet interface to the VM; we typically use `eth0` as a name.
- Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface.
## Ansible Basics
As the first step, we need to make the host known to Ansible.
1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
2. `creation_rules` needs an entry for the host, referencing the age key.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
2. In `inventories/chaosknoten/hosts.yaml`:
1. Configure basic connection info:
```yaml
example:
ansible_host: example.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
```
You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection.
2. Add the host to the desired roles.
1. As a minimum, you'll want the following roles:
- `base_config_hosts`
- `infrastructure_authorized_keys_hosts`
- `ansible_pull_hosts`
2. For a typical web service based on Docker Compose, you'll also want:
- `docker_compose_hosts`
- `nginx_hosts`
- `certbot_hosts`.
3. In the directory `inventories/chaosknoten/host_var/`:
1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
## Service-specific config
From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following.
Make `inventories/chaosknoten/host_var/example.yaml` look like this:
```yaml
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "example.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}"
nginx__version_spec: ""
nginx__configurations:
- name: example.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}"
```
This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info.
## First Ansible run
Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts:
* `ssh chaos@example.hosts.hamburg.ccc.de`
* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de`
Then run Ansible for `public-reverse-proxy` to add the necessary entries:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
```
Finally run Ansible for the new host:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example
```
# Commit your changes
Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host.
And always `git pull` before you run Ansible so avoid reverting anything!
# Monitoring
## Gatus (`status.hamburg.ccc.de`)
After you configured a new service or website, add it to our status and uptime monitoring.
Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents).
After you've added some checks, the configuration can be deployed using:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status
```

21
docs/setting_up_secrets_using_sops_for_a_new_host.md
View file

@ -2,30 +2,19 @@
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
1. Create a new age key for Ansible pull on the host.
```
age-keygen
```
Then add an entry to `keys.hosts.chaosknoten.age`
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys.
You can use existing creation rules as a reference.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this:
```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
```
5. With the editor now open, add the secrets you want to store.
3. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.

483
inventories/chaosknoten/group_vars/all.sops.yaml
View file

@ -1,384 +1,363 @@
msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
sops:
age:
- recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2k4SUxMUEtvODVGMnY2
U1gxeWRURmIwNUhYelNUZHVGQ05rRlI3TXljClREc0hCMjlPTFBEakVuOFFjTWVu
dHNrbzVHT1d0UklRNW0zSHZCWWJpeW8KLS0tIG85S2h1aEhITUI2aVRwempOVHlr
aWFyRDdEZ2RnQjFNUmVZQnBzNGhhR1EKeYR9qIuh/f/o/qXkQV9KZcir9iPQ2IEs
X6azikmig0stguQMUQB57+Sk10MlIDQGoY3C0YcmG3dtiUoo/vKTRw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S0d6cnB5UGJEZlNKcEpD
NGQyYTNwS0E1TjZTbkdaNXlTVHFyendtT3g4Ck0xRkJhZHR2a1RJVDd3bUE5RTl6
SVZrN0NIR2VKeTl6Qk9oTUd6VDdQYlEKLS0tIE82YXFoVkQ4bk1SRTU2YTZ0eVF4
akdQTFBoY1B1aVZHSGw4bXJPZTd0MHMKnchC61XZk3cPfe7QjijW5uBlDkf2Sjc3
/Spp+9cuf9jIJvFg+h3EY7CLAMVyAK59WnODM0HvQNhreXRg8CgK2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gdfhx5hy829uqkw4nwjwlpvl7zqvljguzsnjv0dpwz5q5u7dtf6s90wndt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqazJTaVhjdkk2cStHNllr
VEhobDJIQ1NKajFNVmJ0NHFrRzJlMVVYL0M0CkVEbHFFbTZ3aU9sblNaTTR5T1hT
ZjM3TGZ0SVVkS1ZqMGZxQnh0eHhVaFkKLS0tIGs5RXFta3JJYmRZemNRQzBGbE9E
dlZqTStUVWNEWFk4RzNkSmM3dlRxU0EKR+IOa5r/mSl7jnmhEvbJqytWedRgdix6
0x0JCJe/q1l90F4IYIwd5onF5jF9DydmVnNdCbgAHF+DYrdwjwt7Uw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWW1ScXNWSEo3S1RpYitK
aEVsWklvS3Ryc2pqakpUc05mejIwWi9GaG1ZCk90UXdKVVZzdXBuTXowTURDekhM
NlJEbU5teThWaCs3R1ltUHBRMWVncGMKLS0tIGszeDJ0ekJIK2FYUW9Xdjcyc0Rl
Rlp0RXNhc1N5UXdmMG1NMkNoYkZZNkEK96GpdskKEXHK/ZQFSN+Y//wygKmnxP2b
ukFolURV7qlQVamWuDoUC/ToQtl3bU0jce/STQjGY67OwG5kecxEKw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13nm6hfz66ce4wpn89fye05mag3l3h04etvz6wj7szm3vzrdlfupqhrp3fa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmpzTFZ0MWN4TE9Bdld0
eXJXTVhVbFpmbHpVbDg3KzJTQjVoU2M5Vmg4CkY5MlBwTEsvVDlBUGp4Yy9KSEtW
M0thZncvcFhqcTluR0FRdHBlVERmWkkKLS0tIHlIZ1o3Zm5pcEJUOElKSDU3SEh5
MzQzRENjNitaNUtIUDNNM0VxVVZsVjAK8BM7kqL6Pjg8riOTti8tAH13MgD2b3jR
EPZEPzWM3vBNMQ71WYSTiljK+fdwQucQbTCZFKVHUyErCiI+7jYrXQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzlXY0FvUEtIa3BVTjUv
MzI3cE8vbVd6WWF3Q2J5RlRISW5kOU1XZEJjClFsS3VlbXZHVDlWMWZMUGwzdTFC
K0xpV3FjRGJmWThDbklNbFByLy9FTXcKLS0tIGpMYlM5S3dodTBhWDY0TjNkT0p4
WWpCdVN4cjIwMCtRZXJCR0kvWmV2TDQKeAE9hmGim0wdG7AC9Ypk1/zAOvpWEc9w
B5j3MGmJiDV5vqZ6YDJ158fkB3s3XDIohaTP0XT5Y1zEDnn0ee62zA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jtusr294t8mzar2qy857v6s329ret9s353y4kuulxwnlyy4dvpjsvyl67m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkdERkJKQnUxaXhuRk5O
cDlxOEZsM2djbk5laFVHWUNKaUNKSit0cDJ3Ck80eFYvajNId0NHdzRONktHZTBM
WENsSFZWL3JLeHNpanNBSDB0M1pselUKLS0tIGZPUTRlSW1hNjNPVnVoSEhKK1dJ
WFpiUW1QSXk4VktHNWVGemh5czZLdmsKaycC2cLTfboV5MT0W2+fWMg9JCAn4U7u
lMkTZausCp1hUlE68BXi8DuVivRif+gjVjVWsBabikQtzW8H//fFDw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cXdneDFCNUxZR2VYVXpo
RzhwNFZnYnhzOXBrTmQ5NlNhUThsbjA4ZENnCjRWVXpzb1lZcjNQeUVoY0lkZTRj
bVU1S2thNzg4T2UyaGFqdDlvLzRJVFEKLS0tIFBIMEIvaWtPU08vR1crSGxUSklx
Ujh3bDFVdktOOVdvbVNrRGEvM0ZiczgKDAvWbY515jRhcWEkZrNNmtBsSwchclVz
FvnQB3G8ZIxJliJCkOHrFokvRskCHt9KJNZogqPtGF9a5OWcKkWgNQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a27euccw8j23wec76ls8vmzp7mntfcn4v8tkyegmg8alzfhk3suqwm6vgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWnlvR1BmUlRkcXhHbklZ
d2pzRkxxZTVtOGl4YjdGOTQxbEFnRUVGdG1rCkFQMHE1VTdIR3FPeWdlSHRKRGtl
Tk9FeHNuQ1ZIRWRFN29EVWh1ZjE2RDAKLS0tIGQrWnJWcjUyZFkwQmdZazBTQmR5
cWZ1N1NHVEVqMlc5MExyZThKYTdNc28KEaFjX16Bf0MZsmMTLytDnJFPICeu808r
t53faoADnTdhYKhKQYB1Fgk7h3DBvxM36VDw6v3oC0f6B0yEx7a3hQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdkpuODFJZ2xPT3NOT3ZP
MmVuSkx1UmdwWVBEZzJQOUNodUpvUlJrSlNnCjJBT1AyNzZmNC9sZytNaGpEOUZT
Tmx3VkdRVGNHOGJkZzgrZmFmRFFFY3cKLS0tIDZONHQ3SUh1bXM0LytmYUVZSmRZ
VmEzUkRqdnUvc0s3SmRNcmpZRndvVUUKHRo25oFVNtzJlTqkQ03znzH+Ce8j2rgO
Bt/HQ2tJC/0PL67zjCr4oyxWs2RfSuswM6pGh3TXmSkUawzzyMAPTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age133wy6sxhgx3kkwxecra6xf9ey2uhnvtjpgwawwfmpvz0jpd0s5dqe385u3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVGpwdUVSbVRiVkdBREVX
ODl6bzlVNHRkTzk2UXMwNVp3K3A3V0hmdVRBCjlJenlmNDZEU2ZzMUpVYmpFdllR
NlNxaU1YYzNZdEVzdzJLTEVMWlloZUEKLS0tIDl0VnAzZUF3QWF3WXpFTjEvY3RP
T2J0Kys3WmJRZU1jRk1kUnZud3B3MlEKhgLTCcfyxOBL8X6JPlcuy+CcOlx09VP7
AZhfb8lf5JXe/4WqAMOh6s7ZrTM5JFBr8U5GQFo+syIIJeixn5SRBw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd3dwQ290Q3JCclBPbS9X
S1pnNVU5YlJjZkkzTEtuWWhlcmh6cEtMZmd3Cis2MW5henJ0dWZwNnpTcy9ia3Uz
QThPMlpBN0lkZVI3d1RqQ1pGeDkwTVkKLS0tIElGYWR6QXdkTS91cGRQVUZPZWVE
aXNhWGFQWncybG5ycTF3bGUxUEdRYlEKXMlP+iC1L+lCeFB9rnyDE6tKMNiqFAQQ
lvQKLGvZVRMk7RNR/OWb2IsZNtK3yGAgqjGpb8UwZKjUwYwgBzkklQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2NFWkdaMVFTcUxOZWl3
Z1hsK1ZvbFRjQ0swbVZlQkIvNW9LU2pZdVgwCkJHcUpTYjMyZy9qKzdIbzExcVRj
V0UrWG5yaUF1cTJnK2RDT0E3aXRkK0UKLS0tIGRqTzBsbHdBdGlMTWt2NzNOVDBp
U1NVMzBIL3ZBUUFHLytGQXk3M01UK00KZBW1DUeDpN5sstZ1LuqcpxsQcjdUJe5L
5HS4O5h0D+/p8/aOW5NPoIf0A6f4/CLVm4o287GHsxkTXeH1sDr2Ng==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0enhNVHF0eHZkTlB3bTZN
ZWJaVDc5TUkrSHFFTnJ0UE9hTEg0Tkt0OVNFClFCNTlsTUJlQ1MySkdFa2o0WGRB
VWUzbkxFTkxQMVBqTXJtNEVCb2ZPYW8KLS0tIDR6ZXdoOWNwbjdNcmtxS2FBd1Zx
dWVLVUlZWEh0UWRXTlhYV3ZTT01ZQXcKz/ughevubxHCk315eL6WV0JETo4tblck
t2b4h0kcDpFO6aPCHBSX69QOLJpBCBnKI8ZBlxgTdTDLFlScG/8HRw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs05anv4acculyap35e6vehdxw3g6ycwnvh6hsuv8u33re984zsnqfvqv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFVkbjFMY25pWHpPZEMy
Z0xsOW5NZ0cxZC9UR2RCMTBaTlNkRjJuU1dnCnRhVU9iL1lsUWpCTzdKS1RiYnMw
TWhjS29jOGNwQXU1Q0NmdjkwOHNRUFUKLS0tIFJnajRUMk9pTDVDdFI5Szd4RkV6
TnNkK1RVZnFaRGVmaFRwMnlmd3lUbEEK+CKPUsutEpo5/bHyXM7tMUUM4hka1hCV
oto6VkOSVoYnwHNzXSAei+jkfvT8dED7fUQKkZeqN3c4bUrha42BUg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MGlobGt4MG5YbXhYVWM5
SDlraHdnR0srZDF2T1FicVFGR3IvNzBhMkVFCm9Nc1JnZ2toOGUzbDZ6cTRTajc3
SVk0U2JlSStWQXFYY3htOTh2Uy80aDQKLS0tIHRkRkNwb1Q5dTZ5cDVoVXIwcmVi
MXBDdzdWZi84OXRRMUt2Mnh5QStLZWcKR/1GROkmyQWyY2GcZGplX8vYqHoeqvvX
ioWRF+QaK3GpgHOaSFybFt3r8wfeILbQ7zMs9qMARTg0kVMVvE/8pA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18qam683rva3ee3wgue7r0ey4ws4jttz4a4dpe3q8kq8lmrp97ezq2cns8d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2JBTXFaWEFmNU1PVkgz
Uk0xeWJqMkpVOW1QU05Qc3hSeFM2eHVjc2tZCjB3bjZ2ZUZFTHIxSmZUb1V6THpW
dHFXZUM3a0ZKcEZSRklqUk5jWGJkaU0KLS0tIEVxUlREKzdCMEdvZG12UlhxUW1p
TTVGVllybHUvZkhMT0x5Ty8vb3AzMG8KfuZW6Yj21NHAvfaVs2HedYgGWxUDXWiP
aZTbarB/2UzYEacoEO7CMLHDS53X15plRPbzYRWhnRkb9WkDQ/0pOw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGV1VTA3R0FsMkdKYWo5
K0VFK3VFR3Z5bmdmS2QzR0hRTWRvOEFEclgwCm9MQUZQSjZqVXJVQ3FoUTMzWjU4
Q0luVDE0RUhUNmZGSlZXYWEwNHprS2cKLS0tIHBRQnZibGkrUmU3OHNHVjcvelVF
UEtad0g0T1JZRFYxUnpiblNIV0VybE0KVCw68UXleN43Qi/MSFpyGjrbwZS/EtWw
tbfZMPLalJ52pv4cxT4nrPfipoUyX7tHxEEd2f1SDzt5RUk0TO7ojA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19rg2cuj9smv8nzxmr03azfqe69edhep53dep6kvh83paf08zv58sntm0fg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaU1FN2JEblVsK3hRNXVO
WnBISWgyYno1ZnNqeUtHV0tkcERrdzRhc3dvCmlEQXFrbmVibTVmOVQxVWFiaTdn
WUhyVjFvdHduNXpraHVldzNnLzVjYmMKLS0tIEJjODh2TGg3OUlodk1IWnltNGR5
SG1TS3l2clZOVkhyTW1INjZNc1E5V1EKCJo7uU1XbW4Z6i5ux2t323Um5TDTwTl+
mMirFUiosu62vTfd+nC3TwRyM1XwlpI54EEU27jTHMlF8oSgXeLumQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QXVVSlZ2QXA5NWN6Zllh
REQ3UE05eWkrUHdyL3FRUHJMTkE3QWtwbENnClBGdnFhT3NzWEJKM0YzT3RpS2FY
cnNaczRIRUEzSDgxejNjbTdoaERiRkEKLS0tIEdOOHdISkF0YnNpcFNKekVLYWVN
allIenQ4OFoyaEdCK1YrM0tpM0FHRjAKwrOJS9RGCHS7lcPX+eufZnEjaIvO3f73
RWThSP0d2iy/vul18hdLF8PqKE2Hy0j6lvs9qhvwI1EQa53zHAWRDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age16znyzvquuy8467gg27mdwdt8k6kcu3fjrvfm6gnl4nmqp8tuvqaspqgcet
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUpzVlhFc2k3U3ZlT2JK
U3N4L0FGZE1iWGRwN0tvNEtwd3VXYTV6N1ZZCmVnYUNpY2poazVibnpQRlZ1MXFN
SmtURDFLSmJmM0pHdytjVFM0c3B3eTgKLS0tIEZidTZmS1dpZ1VFRkFpc09EaWxZ
cUVIQmVDLysrQ3pMcFIvZ0NCWExJa3cKdwTrVM7aXAi4bBHfXCWllbZIa2c4IbRW
FNS1L6tP1mop2y9d0CgmVBiBFQdNAg8yVJRPWs25W9WVFHBDuB+X8g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYmNHaUcvMitRcklkbkU3
VDRyQnhhak82d2I4MnRKMk1qdTU3bDRzdlUwCnBzSEJHZmRTazZ3Rktmc2FKaXJC
cnJiMU9oUW03Q3dlbGtTZWNtZXZqZk0KLS0tIHVTNU1QU2dRQ3JMclhqQjN1VjBK
dHgrU2EyT0FHUng2L0R6dFFZSU1kU1UK2x72pMCRGCz/cyekHrTY/vXhxACPGjYn
PxEXKoi70Dq9ox3ggknmE6JLZqMvFoudLoE2GAzvimFomYWb4e3NmQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1azkgwrcwqhc6flj7gturptpl2uvay6pd94cam4t6yuk2n4wlnsqsj38hca
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMmR1TnRFVnlnV0t0N21P
Uk1QM2dnbEFTb2lJcUZDeW1sTDQxT3F2Q1FJCmJzdEFCQ1ZBeS9QWEZJcmJuVTJi
eEpIZUk3YmhKeFlwcE0rK0k3MUx5S3MKLS0tIEdoU2dXRitXeGlsQ1NXT1FqdmhE
R1MwNU16K25zdytaMXFQNnhYQVZTSzAKmVjQRe0SKfwh/JoSGGihkjr0Lvx1uVnJ
szOHESy/rEKiXUKVSMkBINAh2SUYIwrB4xM38Y+ZKkkXDDtZWLHulg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMVhJOFh6TTg5RFkybnBy
T3ozZ2MvZ2lCVFBvWW1jRElmNFBIUU05MkdjCnZZR0FjUUJlQXR1bnBGU3NPc2t2
a3hKVzJZbzNWMkd3dENMUzQ3bk14YTQKLS0tIG5kSEdYS3dLcXdlOXBmWTVzNDFt
ekdmK0Zid3A0aUNHUHhmeHp2NHFZMlEKb6116XqAHYMl7P4RFRcz0IlZfx1/buby
V8y9TiECFZfWhuY3XaES99wjPw06nGszn/U29C1XtZZ0pc5Soc3dxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1I5cnJ6NDhvNDFsM2kx
aHEwdmJSc3ZQcGc5OXJOMVB0L1JFSlpiUGxFCmtNbW1NUVpEQVdLTkNOd0daMDEx
ZTdGVlB1T0M4K0t2VHZYSzBNNUJLVUEKLS0tIDMrVEE1Q3IxaHNTUHNTcGo4UTFX
WGo2TVdLS1F5RHNVTWgxbzdZSGV3Z0EKkOZfXMbUeJG62xn0SvqjtCKIkZDIzc7O
qSTGJYgl02Edp8smm4x1L9QF2CQYF93ZIjn4q12CyJy2ojBgxNTZNA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMVZWQlRZVnY2ZnZweW0x
VmswdHpRUjVrNytaS2lZNHdsYXM3WHVCVGlNCmJ0ME9LYjFWTkVrZ1QwOHdtempG
dEJ4NGpPcHZabGxJdFJNNStxTm9nREEKLS0tIFB5NkZnZTZjL29YRlZVZEJJOHNu
ejRmc0V5RzVwY3BtVGpIY3lqVGt3SGMKvSFU/FZw3CeOrkbVKqz9Nsfmw/DU/obE
6bIs15L7m9hOzqj8PeQYv09NO83WCfYj4cjh+Jsdtlvtz8Fz7yt2eA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wnympe3x8ce8hk87cymmt6wvccs4aes5rhhs44hq0s529v5z4g5sfyphwx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZWZmTDRYYUloL3I1QkZ1
dnIyRVJSV2ZoaERCc1Z2Z21VYkkxb0F5SURNCmlFcjlPM1VibjQ0TkFNdEhqL0l5
eDlHOHdlTnMyb2JPUlMxRlZqTkhWNzAKLS0tIHI0cytiaXVpK2FqcW1XOVpneTR5
VDI2WFhud0hpRDRMTTlwMHV2T3RSekUKKi52AcUoATCmUo/+FIVeEEh0sTCjIGy+
gl/Ud0Nmuarz5T2HqGxJDBoH2MSfjpwhTkW2z0JW5Dah6MRtNetHZg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUVhSY2JnZUFjS1lySGlC
MUdVdTF1S2xLdDlVODk3Qm1FZ0RxQTdkQ3pnCmFPYVg1dDN0amtoOUdKQWFRNVJS
ZkhCM3VFbUc5RHJHS1ZJbit1N05OLzgKLS0tIEhCMmRFN3hLNDFlTkpzUWYvR2R3
Y0RZSHZrbnJ1SEc3aCszeG5tTkNvNlEK4pUz8bk/tDKYIxu6dCG/DTk8OtTTYJaL
qKNNZ1COhPtVTCHaIbRSPWu8MqFy9+9nf7Hoc9fEE8aM+Yohs4sySw==
-----END AGE ENCRYPTED FILE-----
- recipient: age172pk7lyc6p4ewy0f2h6pau5d5sz6z8cq66hm4u4tpzx3an496a2sljx7x5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWdMQXMvUHI3YVNqa3hn
QTF1V3lDZHB0ekVIcUVURUFGeURWaE92U0dVCjl5WnQ4Q0hGWGVhSnVqSXdIM3Qr
eTBWcW9MRDdsZzY0S1puTmt6bk5BVDAKLS0tIDlNaHF4VUt0YzMrVEtIaXhtMkh0
d1BJZHNOakIrejNHWXBkT2JnMDE2TlEKgFgEPOc7lgUvi/gBJi4qX8mJQQ0Lb+0J
oKgia+lWN+f0dMoQApxtH0R1vvrQB1CyKmYRgvYfEv1z2yibftxFJA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUERGWmwvRW5tQzJleExq
VXhmQ0dkMFJuWEwzbHlGMTNudE9UbUwrNEc0CmdMK0hCb0h3NjRuSVZRNEFwYlVl
L3VnTnpad2tJL0dCamVrT082ZmUxWUEKLS0tIGJFbG5ZU0Q2b0xQNFNjT3NBTE9I
Z2MwSm95Vy9XUDkrWDZMZUEvY3VHcDQKJanzV+qzgfuBpNzHLl2DS1GvXLV+UEKa
wD/2s/EkL4RR4F9mV/9+1vwFTNw6Lc8T8ezzxl3/Iu+VpziFgx8ypg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWDBLRXVXUVVQNkZzVDZp
cjNaNzNseUxFZ3JDTkF3RjZ2Q0FnN09Ub0Y4CkpsaHl4VGtCRDBiaTc5cDErcUM3
eXYyK0tGdFVhblo0eUhHVkJWbERVakUKLS0tIHpmektqRjBHZDdDd0hEbWYvWnFr
S3BoWW9QYytMZ3RJSld2R0h0dXlZeEUKcifFwdLTAse4HxN48X/iErdi3evc/Hbt
dRgCkzWjb0Qc1DEPLm9MLHZqugcm1y0XStdWHCMIwXuh2fcoDUv0mQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVXdkSHNOSHZmZ3pLWC9B
emc2S0NpenVZSW5GMWZha2ovS1VsbGs5OGhBCmZIWDBDaGVYMDhHRDR0bFgzbDN1
MlBnOW43Ky9PV0VwZ3VlekJPa2xwMTAKLS0tIGNEVUVkbWIwVmFzaS9vdGhPU2s4
a09LaU05VnVBa3ZGcUNMdFFZRXdaYkkKp1TYQXMSlZoGWgfSK9s4WXFu9xG7VFXP
3O+FYTXTRTVVnZCPE5V0P0/v3H/BRgdbM2yuIiXTtmz69J8DNjFaNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWGpORGVrclo5N2ZTSUxE
WFBYUVRjRlFyVFFXTFIwUDJNR04zYXgwSnprCitVT0JidGp1OEdXdm16WGY5am9R
djkxckJEUFpzbHNNZnhqb20rbzBTZEUKLS0tIFpheWIrMkpWalJNS3ZJMVhVNGJC
dzFuYXBGMTNRVHRrb2wxTlMyZ0FJWGMKnEtMyof3DN+9rIWRCYn4y0SLpIJbDEbN
iXmjwiEtlPIKZjQ34r54g1tsJd5b4fulRFYd6lqTzxtjYYFXDa76BQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUJ3cTNUZGp6Q29wTEgx
UjQ1RU1uSHREVEhwZGtmbUV0azJEQmtGbG1jCkQxbGZhSmRXTE1uUURaSUhZTlNF
U2loMmR5ZExXS2Y4eTBybGFsNFp0WGsKLS0tIHJjRDhDelB5N1BvbHFydW84ak1Z
YndpUERJbDJSZlBLQWdnVXpUU3dLdUEKQYddtnDd4U7bkjBeMnCQuYVddCCApnzQ
L/LgjBXfUav5ipWWUjW/loZJiHBsxrG5NkCYEyf72WMyDusd8mCN+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWkw2NmJjdzdPbnBhNURh
SFRBTVhUanpvdFVNLzFWak52bWVJZnV1NHlzCk1SQzA4M3YwZHZIOG82d2lCUE4x
dDVWMUNuTW8xdVlkRG5RSnVJUFI2Z0UKLS0tIE9nOXA0LzgrenJKQ21xZ0o2M2hr
R3puc1ZOVFJ5Sm5qTks5M0JTbW9yZkkKv20552DPjujiVyr4a4KvTUN4pW8Sh7zA
Yxh4nx5mXAwfL4JxIwbvggy4AE3kbc2P3P9qUrRjQ4Iha2X11+fSCA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOei9SYzNGMjAyUVJGYlJy
QlFBVnV0cDN1TmI4VEt3aGNtbWtvZHJFcXg0CkltM1V4UVp1THFrZEswOEZUUTJy
WVVPUDU2emNabFBDek9jMkhScUh4cjQKLS0tIGgrSytmcTZkbTJuUVE3Snp2RERn
SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn
mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0hYeG5hTWxtVFlTaUpY
V3lOMUJUNDZxRUhtMnFjK2IyTW9NZ3ZvNTBVCmVHVnFQTGMyd2JIZjZYSmtjZnZ1
THBMZW55RTZSR2IrSVd1NWppR0k5UFUKLS0tIEkxRlBsWHFxTlQ2S0xUQ293cHlU
ZUhwMUJCVmgyZmlVbDRtV2YxUW95Q2sK8JtVLO86dkYtrxMzXY3mj+S19+S2jIzV
MjAkijrdhz9XyEPNsZo38liiO0vwXUVpzmX9xcTTArzWvs/LHYDzQQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRXpCQUJxZ1JBWnZkZHRM
ejdtdkdqMzNMY1BvOWVuVlZuOXR5YS9UeFMwCjhtYTIyMnhBVm1CT25mRytkdm04
ZWg5TGllazVDZEpXNHQvZzUwclFEbTgKLS0tIGxDSDhJcVMvUlg3VkV6YTE2SE4v
QnBqalBlY2FqY3lsWEF4elVzamp5elkKaVNJrQ4wNJt0FrQ8PMz0R9VAhk4zIAri
QTojz+1HuRMZyDr5wmXz2Jg39yZsBsm4ZmaXSEGw5y/XHeg0ud0DAg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T18:06:26Z"
mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
lastmodified: "2025-10-13T23:45:06Z"
mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str]
pgp:
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ//SuDQLIlXIx+E1BfvxQFL4c8TmxEWat2nXHE5CHyuQ9bH
esOqdKYtnBMP1iRwQzAi9jVnNUtctCurMK5Lwr093BRHDLhpWqBErBz8FuoTFXGE
7WP8ylzno9OUjhhsg9sTrUAxghzU7r3Nr5alypnE3KsEprtEiAKqqqWhaGyMCK+G
v3shSx4XmB/MItuHM0BRI80M0uqRn5aQME0KpgTTD5/wsH6NKcPHEiNJTqc2I8K/
0dfqa9Hr0WcxooX+UwH/owfzHEkTFWP/3SHqz16osLzO9KOsqw3M4QIoeZwBpAOf
+aICTHV3nsbClQ8hQ0XI6xrOqwXYo7SXtx4uNVJdqBO5zfhSGx1yI2OAY258XQ+d
As9k4e/oHkzs72qOwCRa2OShDWA0oEWIJ1DZY85yaTyl3qMZJuOweR7lg3eXzITI
y4uYAWDfJBXdAOnFgkxQBgb5KSfm3GXQh4Gtu+yfoYqaAibjyJleOPIJFMcwb0yb
Y0gr5NflTZooJy2zMZg0u1Ndhike/BdMRQMiTZf8HXk3iiyNXCYTCqnIZRfzZGdy
C9Fur0KAOM1h8x6dqXGctMhy1sOmbI6LRyz5feejtE55qHIn9fkyR5wDObsIeiZd
OuT6josorB43aotD/XSDwGU8ZeYrUZ9zlwszGASHoji/kI1yXRMCPuNVax86v1HU
ZgEJAhAWCZPbbgU8qPifr7naCkxmR2TxtkOJ3Pq/JOeqxMqXXjdGa86A/+1baGdc
3z3ygenp34mYIGi4vSCqz7rApU8PHdlpCw2N94buR9/OFN1wHiIoYtVfT79mJsoK
yKswIQ1CXQ==
=yexT
hQIMAxK/JaB2/SdtAQ//QVwiv+sO4ibaxO8UMPFnMnLuNfaTJ+Nry109XkTwLkvp
+6I2TW9nAhL+M6cWBcWTJIm8Q9/EAKu0jFrmsmlJg1g7am2DcARoyDTXA2W7RM8x
kSshBHJxCjQn15cwWpMcGboKJDnn5uGqfdf1rbFLiJxWlFlIstO8Bia9YF2qSYXe
z/w5PQot7GDKa9AFC77I/I0k6hJduVX3jC88N0GZZO7oz017yit24QyOwTSaQtmO
J0NgoyC6uN50buRJ6cXbONwU1rOGYvMBc+I7mZrEBho8RbQObkNy8ndQpDbpMqSy
/FVECVfhAo1KOGsTSS/i8z+maBcFNnia2+hbOZTpq1gCJ7sgE/pJG9CKWltD8U0G
DkgO086x2xuuXGAksJpeiRelbjM4C3ScvFuQu0p+pbsG+0f2pNnkCm3Fi9zFYpqo
xzlOKxwwcBRpy76jWIQbVRodnaN8thinT/ySIfuIisfn8TgM6O0IA83jJEMy/CBc
QGwWiLFWOED864OOV4kFTBO2rGAi0rLPBoAfWPCpP/z5vpRHICCg35i+Y/Mg9tDJ
ToFbH/Q8ZpWaN3kM2J6wNKY58/AoVutODbJkC3ZydLA+m++fKsD122Sk4er335Ev
MH2txLTAcBXq6CAUTIYvEb1vSurIxh4vbgC1lN/Sg/b1p5IWKYmOx3onq0kUa7PS
XgFmbb6fq6VVS8GOD4bMCDheVGAwYG1z/1utYoiLcuyp3YKAWtwGB3WdawglzRWt
ceLfKBRuHl+CnMyMjdTNcRq9ATpupHPniCaoYMRpNy7GuLGHXgRybqxnqSySj0E=
=68mZ
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/8CBUEfUOkvYlMChlGuHKv4CzbEqUrr0aKDbECK/8qGyqE
UQeZPMnVvwFL/l5lU1dky2PIqFDebd274h19CfLIcBGZZPwzg/XNJcYcEqeTN640
H2ze2Uz/tA79BSfo9Z+W0NfAnzsOZ+I0pPCIqSN1tmMNCNy/m4SxEc8wye5FdV6e
YLu0dTatwMG6jsK/PYYoAapNO1CRUDvQHHF8jsAmYlL6eYoYbuikrp5JEyk7Jcmc
5OyW49fTAaxmFYF6hjLnORI/WqdF9nTztfFAoH5eU+uzd3Exmunzw+hsZXdbDTWb
6YJ7uqwVTxziKwpB7lOxca1B/axYyvLYHNoV6A3Eu9/0ceUcjjLwtcBBAn43UAd6
eEwNr3RJ3LY3G6o1QD6tYPXNhY7J8vxb/MKGo7SzB5+Z3TItd1wUlnHDY7kfUtW0
hk1R8gug6mV4YEQtgPW3CPOGPsquN6zvxuRPcVqkNyN8+H3q3n0hg8i0xVr3ZyHB
G6pSNoQLaJ+x0oFhIgzy3Ndf6AH8MNxzh8Se5gLIhKQCN41wm1ZTguOgcklKdAAX
s0QlHXGsJLtev3HeZOfuR6D87rN9HNAaGqPxuKuoZWQBcxzOnsXSGsjJLJUN5bpt
RSy2UPlsV2iP9cE2/PTx7cQ3HWHIAjNNz65aJQQnfEM6uog85JRGoY8x6rns6xvS
XAHHUsw6hc0xHxgBE8nkVJfU+ynqtk27n+A9h/EaAFvuyHE00yRPM2cJwcSapOuI
gXSLjIoiRfbVNxFCgTFEA4KN6B/eqmOyiEoUhEhHXmwzb65bMB7puGbb7jET
=e4QR
hQIMA6EyPtWBEI+2ARAAgWVVIYSzPJeeRYdO7SHudkxO1miNVhEaTa6ArJXhvj9X
f7Onb+kPRJ2H45O06+k4QUBN//Jl2wsAayHGvGKb9NmlO1wT8cd8yAe4AllebcTA
FGBhWpgD1f8RNyhU6s9YQEmUMFFuze3Frkf5pF36KmSO9Kb0yXNgQebURbUKIwt7
W6KVBdlh9+y/8liH78X+QXFMneb8RA50mFvkSp4NxPyHGLV/S74jKaMv28q70ukC
3ExtiLu22ACzA3jdn+BGTh/0bp/WRRYEt1TBmt3HFnVcKDkdgxOub2cwYug6YeYt
dvA61xnK0mmkt39WfR3wFtmrnMQywJn0r9cRZZwdjfuuKzWmkDGKoaiX4oXcq8hl
GJsljraNnRdSZsYCWKeQwM9VnQdTumZZpeyzH99AgbPanNEocLNG3s3WB1MOTBMC
SdktojCvHSKg2HBykxApLY1wUOLiYdVGNuTjNyTg8lo8IlNgeEEIa/8MxtPN1U57
GDPXDvE9oJy3SvP7Tf0j4KVC7B30UYhb/jwqsG2wzjGKw3JMYucDX2JjgoTEXFxj
YqGDr+4/Vfd8bEadcQ8XJnoeCr/cUykflqO7EJnXt7kigQ8P5Jo+Vwu7oRFFlxRW
H9YZV0dOeVi3ux5Tw8ft5BRtYym7k0GP5ypQFzSSTeTTUa6QnZMWPssHMHQ+8xbS
XgEARDjMMwp6cl8adFfGJnuQmTC8pGCzOPLEhPY00t3Paz/WYvEwhioS6Lz2IsrF
QMgw8d2RrOZPJAAv9wq2ztTKk07aFxrQ8WYT9gscYPEgIpPmMUFR4nJ/fzSeiZ0=
=1N3o
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAw43j5wveIlxO0Pi4ayjy6RxnIvB1cy4A3X3rIdbL0TVI
lBJfO4ErBitBtWy4F5MQDL5UmKnSvamG0G3Uo1z/PzAob2Fyb8nBM0P/jOcWB8KP
Lzv0IM2cQ308HrYsUSpxRBAApc1JWX7PAZgRBhvvm7KW3vLFOgm+aMEHAjLYxFNN
zlrWFhe8kLNZFMHr8GnWv4XhwHgicaXfP+hJQs4gHnKsZ1je3dhurgHRdu0PBu8b
QUHd+PB8S3dt4dacHGlMdqRRl61jj+ufYqQAVgPfj3m5bvDanJqQNXQubFDMW6kp
j6U/rYY0GwZ+r2xFHBr10zbx4TR+bxMQMqJ/YA+PZGVT7Y1S2rwLLdmMg66ENKQn
Hbk/rMibXTUab/uc17STBsOAdLam313WpTaa7kfqFZhqaiTARlmULtdPWyRBvOvi
PB+NrFI7hboakG8kOaiitdfD/NUanz/p1RKGBPkpL7GZE6B63SHxTKtLm/A141nI
9cPNeXNZWhkSZv/2akQ9ea91yBMeIuiydFJnBuZR6ygqvC+ShhAUV5Ag7h8AAlTi
2gDoZZvGqsXjRO7FtR82SSaWk+buzVbDtLRdzHiPPgIaDkLtVfXabqEhw2bqaP8/
UeH2gZW6MPuO4AWYRgpvQX0XOYJqA2RNsxO83HF3EjvvbUeJhz84iC+OD790ElPS
XAHizPVvoinf9dfxckUvFm1RUA5V7xwlHUh2a0Zj4mBkxFAJqGzOINAkg6UAV4sh
K9zPafVtVO/SiBdnR8JApH+rb7kXwal/jAOHJYjPtz2JRGeCrFz8YJR9lkaa
=jeRO
hQIMAz5uSgHG2iMJARAAl+0vmB2+PBg2aAZHZ1Fa9r/4zByhvLrjZ+5yWWcyf7fS
T/1Q2VbnDFvUwsEdbDs2RJYVejGxs5cyIge2ptn/9rnp1aMTu+FG1uQrY3lhGP6L
vpyDZWa2e1+bapttkrBBe79TZGZ4ABv+FCqHqWiH2HJ3V6ELXaooNhTrtlURCDqT
Cqgs8gH1qdVgISI9kvsxS8uGa58assuM/WW2+jATIoxBzUG9iHTugr75HWJw8xb7
R4Xbtfpev5exXicbbAvO8b3scnBU3Y1OUERo7xPxxskVSCu8q2gDtyeckOY9SN0i
V4sr+bUBfvPChlfoIq9kifZPo4Pv2yP8EhH6D5pVRqO/aiBYr9l0XtxDaHB+d1Dj
Q2f7azUuM5MDRotUM8mhn09hd61haag4R6dVAOq3mL9rxXLj8sdHS4A4ufkjn+dc
PI/Q93gL+sFy9N0wgCvHZEhY1QoKssSBCu03q2ZVlLFuYfcXWEIQU3XpbzyCmAA6
VkCvwXEA8xRs2ClrBpMOj7wRKzYoS3ATc3nFx0XL5pL74rUE68yiRlsZLccRB+9/
nJSY72QzR9FFUhFFv0/DxUFs4OVCUzLwQVVUT+Wi8EZen0aY4zFG1u59F6E03Pre
wC9TIxDCR5MY6/SGgYPep5qheeYVdXw7a0TQWrwXpaTPSj7tm2FFQES5DRkVNN3S
XgEMoELXGpBjzixYKSsQ0/yT5qX9v7vjrZ/a3EuXtkdh7MAfMbRV+YDl2hlN9IJM
vpAo/V/vH1AyWqBL0oQ00xZzNvxi4RiPk0KPZg2zH1C4aokELI7i8D4Dz3L83Tc=
=LofD
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAuuTaQOJdkhaTei934YczQbjX1g7cX4yWuxS4BHQ0+Jw+
MtZnUUYcjVY4hErlm+w9/iwr/ua6lvsTigHHy8IKiz7F/xuG3qAoQwIR4+bNP730
En1EYlczxFw4Xaa2WIayaRy4M34W5zvdDuUwN5SW0XDahcmmut/9WGRmz0K8chGp
8opG1KldRY4ynOgXcB00x8w2NnQ5kjisyk+zjtTNas1E9c4m2MJlvrGHy4ffVg9X
ID9/66wXr3nimAlaYvHmVW75hd2+MfWyqtrLccThPrB2aNPs2mN1xH2TODX4gEP6
pFHyyrAsjK9zP7M195pXw+WE3QnBPgbW2/zmCbPHwPGgP6ljLsDjo1SDXWsxZ6vt
88bCECCJCrurkP00HJdnbXd+dXddNMXfYLT15aQvta1nYPp8UmVahCN/QyaNthkN
rclV1jmr0sEtG44p4R0SV3yIsATCnFGmr/4pbI/r+aEakIVIPEK6GM/69o/6kW8b
7KGEc4riDefZn93jNEGmC4oqotSPLaLlaNg86gWazRrMUBu9hJ2QFpeqSX5Vl5uG
XnIokcaWjZmDgZgDOFa5inQBDfT/7wTJ7mGnLpt6Lnibnp/ATvIYBEI4zakHAJpz
0qWN89fpS4senq2bZJ2WZYfpLvHpspchxMhmNfjalQaEVdqPfEqQCImJv4h7VlfS
XAFGcZB2DSkd1fIxKcOB6XMDEbxGfBAVZq+k7Qw1oBdCa1Wi8uBoVS6QHLEUccbO
01Ptf7jWdTYgujdxRvyYSYS9YY4z0nR2GmFzynCB/oCylEwmsBR2ie8J1Ew4
=Gjvk
hQIMAw5vwmoEJHQ1AQ/+Pr/ATDoZJGDuIOTI2RgXFefWN0/iz3KeI8n/8F9/1vkY
1G/Bs0X9NkuzT6A/oIjBDa3630DMMvfdbY5Gclqrdwobft9dqhP05naf7BujX2DY
oL2SbTnfB06NUPiSsZ9aE/2yyzvnZjAxRczXZCi9DmhBhaXicILiJpJMUReldGtB
zbGtRzMUojwXqc1Fi52mXvn8XVTgrD//jX1IOUnpXmaFKa7zJCHe7Qfl0P7LMCw/
vTDAXSazVFqvgyASPPHgVFw9oFdJ9Na02ML4jynRnIIra9WoBe+9+aPoaNG5WePP
Lqxmaj3uz5Uh2S4Lr8Qr+n7swjPUlYkZKSRY0WDfhoi+aCC1ejtysZaAwH32+CQA
sbnh4m+/qnEiNZlgy2vS/6yQKMAQ6HnLkBfkXYTseI4egVw2X7byMFpmAlqo1pwl
kr4cKaYGYDBT7/fDDrB8AAdXUq+guABm+8UO4GHvvSCzWY+8ie2/wrTSB4O9rLnQ
WQABESou4c/w2hKordim25w1UWWPhiX6TdumBjtep/SPNMrVNShn8s+G8uh+eAwQ
blNH7H6EwHW1b7gvSmKrlczW5/TXsi5URl+cuel0C5/ckdWej+jIIbfCPd+D3BbH
pFkQWZR0vFpvUZcUfU5kSTUz8N6jh/nGvOuOKZ07645ZFAKHjxE1JqjhqcJEqDDS
XgFphkUBFPhmz2FJdIQvfkyl6/CCj+MUfNLsB1hZAd4GRxcBPFyLB1rAkB0kV1QY
RdIXX5ahmk6JmtkwJsO+m5aAWu0ft5xpsX3jJKqAyoVWcRO/3kER8b1K9IL57nA=
=I4Bv
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAgd5EW7q2vIPAOqEzhHiEI5O0WzrC59UqNnagUK8u5T4w
e6e9sEaNfzsZE3Ep61sWLZkDDddE1RqF8riVaBRHjFzpj4mNptePNQCCDJSU8jYf
0lwBJmRslhasFEdMhQjqJVWLyVeG+z45mcfkXT0VFkBWWs/RDchgiYQjXxi+tMXy
iIUKjmu2bb3Cr3KTEglA9P69aVkDtdDvol5LflkzlB925aDev6arSnqFuoZIcQ==
=xwmU
hF4DerEtaFuTeewSAQdA3oIk2sfUn8ZzJf8T1xFQ/gSWqIoOXZvpAf8R88A5+2ow
kM6YFiCCShgt2qGZi1k9xNxoRO1aRmSdEqdwMHAwpFRtEr+tOcE1pq0o1HQUzqqR
0l4BUDcJXeyrY44ufOXKRVd9J9LuwSf0GHfvSzGxCfFGQVKAtRx69TUwyo25Xwdb
mN/mmVecb+atPqdB5uMSvsMC2Tw+F313Y+uvgjK6B54iK9wjTiudD1TvzrTeaOPY
=QmFT
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//bv/NiT6dblP4GWghe9w9O4u/cwF9rF5x35lNaXUesu5a
b7mz1DkK2xzAIPFXpp2EhX4iRj6cQmEIDN4IrknsiKD18tMA6pqv5/1RA4DrjAWm
hlURDAJy3Q3kA92pgDcCOhIJu5gKFMUVUL6xG8TeNOr48VCw5LgmnxZ/6PuTJ9hm
L0r+OnWfUKZGxKPev5/N6hIWCGKuCpZ44IyPVHU48CK8+yJWRwK2Fb8WAy775RVz
NhTxD+IqQuHZlXnYy/6WunlkEmuV/G4bUzByjG0Uun9J9COaaLC+8OFVVm3MMD/l
R7JbZlXigj80IHPGybB+FVNu8rUk3JbGo9tOux1H21CTdd0Hmi4YtritLKpt37tK
I8lYNCFgfWOTcllRFB582BomMSObeDjffG4tASqtZ7lFYAA1tHO3akM7iQGWnsxE
oES2Ibp/bP+tKCh9BnXKzHbSlIiv6g/4AIALRyyLskM/LH1FP6Xwc2wAsck/DfOK
ApQRNpkqn0dnGCb8ZIDeT1EWlc2ZSzkP+X3yy71wX0TBZOs26n6crIAjR3LUiHt9
UzT09TAHk2Si3dSBcRr54Xitjg/f4lfKhQv9hV0tG1qFdITYjv6JFqihtBUEnNiT
BR5udNvLMKw5KOergEUl2EGPWlXDK9LsjI9vzWq9ZOS4cNWAR0zwTjC3LK7BNBLS
XAEBjZUJhvPKpa/f8oMGcZ18HP/m4M5MEKCrCbQkk+bYDy5zBjU3I3hqN2MpnGb6
UMGEx2tgHxuksdjSaDb1nTNfsanTC5UgqFAfsn5QAiBxQmeXRnjFpj2a4pc0
=R+3P
hQIMAxjNhCKPP69fAQ//QqFgN/hbCgpEB/KyJ+5uc8Nmi1FLWFBEPhnstvIlGx34
rPkmO+mLxa39ikwNg2bAwFxDRdwFREj/5lcdEPaKMgyxNxngS4PSs7TtHroNvyXk
jEsNsyanhaajctcBJNSEcDWNFItTn2gLGmHOuribULXBdixI3sXCjrrDKceNs5YS
XUIw4SIl4NS2nCUQcFlMqVlKOiw5d5aNfPND0UzFI2CFGo1740F/G9wugOIzsLwP
C69o2JZDmsvs7rwgfWYbS5prxD0hHzXrjuHnONyPD9NdtIRVU0jDEPrcmxJfbj4D
nzkTqeEyNmcIGnVhCCM0ysk54e/VxI6Xl3upp8qgz21h0vBu88liJFeQo+uegNsa
ozLyvzsFSdbxbIzcqnXxMurWIoDZW59d0AsitmACez1PFHXmC4KEH28bxFNek0/u
hpxFiPRvr4hxPouCTSx1pP7HnDGUfJtNOu4BLigO9hjU2K628WBkZt95L4wprBIm
kgt/st3Bk96EC6bWLtn4n6Zb6l7+mdv+6qg1XBzbLFDxcu+L62qtd4j7BjI3ckGY
hO5tkGroSyRdOkqw9IJ7KoDyk90IE4Q0xy/XM5dqAXQz59sPhIOPBxje1FursyaV
RY7tZARigq/JEWwwTLlbOYPd3XGdbw6N5LfDZoXe2Lz+isHsxL2cAqJ+wgYgfb3S
XgEIk9UCAztF21PD6IC4E4OkK1ARhpwIGwdluazSGzYeTqKEB2g7N9iowAlp+bcG
aZ2DU/R6XYdU5jch6fiU0zz421Li5gngNwg3FOVdZzhdrSiWdjRUFCJEbituyvs=
=Msjh
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ//dfpU2ARKiqEam2TD2QF79ujIPoofrJXX+Rf9zwe9TBNC
rZCZLdWLECZzJcE1R/VHM1Np3AFPmze8FZ4onGBgI0Go2vwCrrYtBe6AomAlzXho
WXABvr56Eoe1ZmzDHZLPeGs6j2OfsQmq5UYDXOLEPZ6T32jA2f4dvI/k0UEFEbsb
Oi3gbmpQgiub4WDE8Czy2o9Jmcsxwq4NhmnGxx+ogXO3rS8jYQjaBG3P5mz8oA3R
P5zauE4sZ56WzT2z8rD6NPuNuMc5Dv8OMISQey+WfR9ysco7288v4qr2hMgJF+uc
uDQtH8ZFsRXwknyKFaph+KLkmvDBzSKoGiRtcaACzK1WWDbowN+KYcLsCf2WE76T
VJPWzZn0tjjyIWWaDLEqrKWuezXajMxW64zSjDje3oqIlJf41Sqr3yVtBI+Willn
m0iW883quAICS4ECaaY85+N5vwtaRntlYEGdYUm3k11Io4erEl1qw1fMplD0/E+P
I1jA790vOS9PDYzdK8nvGrEoGURW+Y3/q+fSKMBsfHATBCBSGRL6G/SHFvlDBLhK
ivJOOeQ2Hw4G7h0GGgQAEGk47EijL0j0+eEYDDvw8DQjVuUe9dWNr0K2qmBfm7p7
7ERZuLn2BPkk++h3IMTQL/OnaEgX+dIbGiekw5a26mVi3BB1t0Di8q6gtmThlTbS
XAHBzItP/jn8txvNRSHHZN5AvuU3TMyaEjFmhYf59x5vBa047U9WyTqGuwNj1IQR
oLJNQXb/qo4Lo1gd397zTecG2KDhHl/ael8SlZsaLkG5Lp/V7LGr9J2FX4Xe
=76+h
hQIMA1Hthzn+T1OoARAAlYlRUFLenIg5rQuMsq6Qd/3V1L+EomZcDTeVWUlvNBhJ
wdh58x2OqaXRbujPT7ekJY1xDg3S541yG+7al5eR3Sv4zcE5ZgNoM/rY/Ik4hnWr
03+a/jIRQxoFeIVKAhAMcj9hxjBUCaQeNwvfYRrkWRC2fKAe9X26oTRlk0oEobMI
5EZTi558D8ZVxIlK+LCBk5jGFepGkts0FlPjzH0+S43FLtFOqRVV5UGGahbUZ6aq
mF8ULy6+V0LxIqOaDYRwfUhX+BvPdCiBRf14yhkMIWKDpDa3lVuKWAzSF/CKk2z6
lO12dlpI3+50zwEuG5hyei0UlMPV9rR7nLL4kG7cjIaJKCeXtbgt6Qf9Ml3uAF+t
xBjsQmnPstsBJZlj3cBlo+U6RKktkfeiU2Fg2OGUxf+iER6rBfGwBiPLME6RPiXc
26RiEMMyIMqzgaM+2I0GL/cMEcsYj3OR/Q3q34EIFFTQXjz7dsWFjuRIELg3lxB2
hNJfn8JnDYsP/yw7GMZM9TQCHOcLL2+vzh/GhIy6kBEeI6DSbnMR92REezSUclHi
g1292f8mDidAmb7aVFkMPnVkTFrriKiXDMO7Lh6qkIWmnGfcecsLONGif2olW9e4
/PZb4d44UrHdG7FIn+iuTqWcwkIY0AuOZg0eDa6qi0pcePPG1IaGnF34R8amkYHS
XgFP1eurU9GajS2HDU5Ghd4KMFncCiibP5xA22inFdGwHK0Rc0JH5LbOwWugU/yC
5a60wP3Sg7LIxYriI4a4kpmKpqE7+ZhfuqQ10wC3eCXmca5bkqIOFd91X7gfnFc=
=m//a
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAhGXnruY2sbbMVeOpJKn0MfDowextWNPVlhRAcltNO6Pk
PUWbX3IOs2ardDbxPJ8QeVPG0QoLAVGwLqbfOulAvRXWoA/NSm+EpW96ofqTNA+P
CK9/ZHcef9wv4DK6kJ2Rkyu2rotToMYi9Hxpr7joOVIsI9ewb8s6SSa5S4qAAw/G
Y7mH8XMFqwZBKzmWP/9kXxACwas6vlx61s4F0cj0XCcAzmU9fKORydljrcc6hNI9
MRRS7j63it0fckq2v7IBQDgJyuNsLvZD6bZ1P/rdZUUqjTSOIQyb5yT6am1T+DvY
0ClubdaXhEaQplSL2D0VUEqZmTY7Cmw0yiDBgmyhU5zqjc4MHlJ8S2gssGySWTRo
tR+yEFgemtuIiUVFTJN9Set40968hAlN4jYPOqxjC6U7oC6YLah8nXRJasEN3lEg
9+fdaCAIQPfK6U/C4j8tEZ1sCXfxaZfaVGpHWrArcxN4L2nei2hT136yLkrIuo4j
vfDTBK77Rpwfc6bmg1Nf94ed7XWn9ZQgVvPKPANvvyhXmflE/wVxg2atofzCIe5i
1IXX/YHn6MiixqaSbHnzCAaqVQuJKC3b/EO8b3GZJfCcBHZratAQVZq1emnaK0id
35OwtOXKOagvk8YoIPY1vCVDvVrrT1RK2XGrRfnwoC2plg4cNws1aUhENEDt4NjS
XAE9IcqCFTz5RXO6A7/Q03Ge2GEXrXmI39CTT4gTzy6USEDUiniE7PRudm/2dY8c
ZA+AvTFrEdoGK1b/snAvw8dGTFv9lwQqkBr0JDqwD9SGQPIXD6CIUKioxQ78
=KPcz
hQIMA46L6MuPqfJqARAAlOnbIDuRQI95foLsmVkTz3iBPoAGWP4T+BmwRXbBzchI
xnb2bVuSp2XS8ndofmqwPVfIA/XzQeS6+R1wE8z7IxBZEr25Oe+l/vnz/iIHfoMy
LpJYqP4dAMf/VLQ0h2X/WfN0QYkxbBEHj4vwR8NIjYxb1iygIcZuBEl28/ZqNAAs
0CogIZpD057gX+SUdnL4HmpZJu1VcduOxEQq+4TBZELPw7yQ+obCtalncubnXGOh
COyjN4DkMeLNyZ5B8JKnsCCEzssn6/gI3nNzR8gTozvVdiPqmItix/lWgNZlxxnD
yxHtqs+RRxQrZxMBrVo7Z/2hNm15rT2XmpOYvs6eIKn0NILs46erKSFHi5Vbgu0f
rNshtzt8zwPsrGS2gyMauXBq4vB11hXMuOS1zgi9gA/mIzGbLLPl8JYVKjpZdRXj
BelPHOpEVEI+6Rk02+QuEGjN5XJnnLOshEt7Gg+be6APCpDsf9KhoxIPeG1e1MV0
W5yfykmCC4E059Q7jJp7npNzAk8Xnk6zkScUT1zibXi+DYcaN3sSKqB7UgmjpqJ6
vBn17pmhJYCa7CwlJif9abliw6mHt5qN8Xrg2064I3cPwJpzOSaTI/G+kl73Wn4Q
x4G2l2XTHAMnvAoL7I4r2F0I1MpmDiubj4BnKp3/C2YhICDOpsCE7e6ceuYI4HHS
XgHNkVi8iHF/02oV2nLDAfPASomsCTDQYRE6/dLbt4d38BaGJ6iIIcNMxGbUByMj
nAEWtH7+8crR42yJp/OxVPLlXLHKoDEd0IydLpFl9dnsaYAqdPYUqCQ8merJlPg=
=5z9a
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAagtCn66tLHM3wXjb8nCEH8nh0g5pKSTzcx/re43tLCYw
IbatYjkYoqBofEDr0m4QHTyN7JAtq11Yk106M9zkktUHUPG0H/NG7TKOK65OC1U1
0lwBA0l+mdaX06nBkQE8xzXafXcJYJkTp0RvXrzZkXb6K0NBuQwcXO3A0xcJMIZ9
A3tWaza1HnUdtlUj3vj/0ykrYaUywLL4rdVgu5FunOMbg0QQV8zy2Kn1dNh6Jg==
=wy66
hF4DQrf1tCqiJxoSAQdATdhehHCg+P5ryd+GcDKRDMHgwv5c88CHXI+L/6meUSEw
EXNK49Y4NeLrDllZuDdS8Xd/U3BJtdw/Ef744lhv/CvSCEIBOVu0n7hsHZ6E+MQd
0l4BFNDMgxj51IVlf/vNyWKHrcf3iYLLJdDL31sSHiRk/zTElaM2W3s2zujSOgiB
cveF2p4/0TZ1lt+kzSWPdKZ7gixngC1vKtb1uok7sAzStAM3wdvpBjvouti/yduQ
=Nvpr
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAuK7fsRq3IfaTb8M+wFYeMoAGK7pbIPnuC/i9GAVmaHIw
7iTd9Gh7qjZ4Z7BNvD9cH+MMoeKNYEI4iIgzyZBSwADiCwq+GOeeN752uTFzvysY
0lYBs4Ny83rYbSQU5eaA0VNrc2blc9D+3gc0NB1czac9pUsJ6w4P6vb8TdtrzvlS
zAUSYYWaU2aX1dI8274dFmHmF9o+9/kPsJLSTqkLUFaV8cje170cVQ==
=4Es4
hF4DzAGzViGx4qcSAQdAVM1+fV0H62T2slKovp8/rIF6CBYl28z6hbbAyixUQFYw
0qeyMu6ujpCHiSx9xps+FHYONtfEcjxpZHPk4C9fP6h3D+l4xnfGtzVXo7t1budp
0lgBJZCP7JuE7omAuo00L3hjTSaYpa6UWE8cZEbwkOGsm47m1xzMlEzSExBZ61wj
dKkSNVFLd7z/5SlKFgFJgbgwuAl7umjDVQjItyrqRNnhuPBUmZbYBEEJ
=Xu7e
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-27T08:41:15Z"
- created_at: "2025-10-20T19:03:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAAypV2oZNd7o5dKeu+croXx4IgcbjGPl+jM4v4EwIa8kQ3
mqRDXYjz4XdFqoCO5Q7sALx06a3V/Gg3VBhxEmPwYtWIBOaEBjIuFy1TieVNCIz7
xZlDKUsUFVCMiaF7geRPvN1QMhP37HbKZEWWL3Dtp6d+9W8N3jjFS7qv+26nlhyT
QUtMc4wXYXsfuX+wI+Edb3Ibe2tN6s6rK03XiR456TG4Q5XlT0yuWfLA+uF4WMSe
9HmPmggwbZgTjagnzkf8/mLwROqFm+KDpCR0vfTGTW+XZOZxS19A3VRM4oCoPCqm
78t2XkLjoddqL/baJLdSsoFjrHh74+eYTvaBAorOXowfc/MTzXGTHlth9r2/HjJ2
9gXiQATn9fl7sxdRko4mKOn0ff0DhoC4gGgfxopUs2v/bu9dj5VTsyAe5TqGNnHU
Oeo1AaboJfWFRlQhsCT3Fpowuc8kRgHalVbARZqTtdRRZHNuf+ob5BYJq1SDFJiN
vxg01gUsqzcvcfZSc1IpLr0vF7tdSvmrKE4nq6GgkJEhHm6wwNftobjSxTYQPO3l
mXI7wghCU4G03zVhbIAwsUvdZ9K6K3ylUOf1MOkVEy78N5rR63FVzqpibPsTQCnc
myhdrYX8fN3GG/QlXF8NwNPFFwOW57577YQJ1d/K0ksiOEWKBzJlBgOu6Z99i8bU
ZgEJAhAZ128S/PPndkywgDN8PEvtH2tRvwt+tS+gMI3o2WiPltT28KmWJv9PoG/s
9ZAp6mtI6UDoc8yDVuy5BfTH+MuG0IpJLjkqZkY8XSuRD4zAXYIj+a2xHNuWOMhq
8471dLH2IQ==
=UCus
hQIMA2pVdGTIrZI+AQ//R6I646qRFql6ouszDIf24Jc1HU49sWK00jfEgfDAMXVX
FcHyARVKbjq+4Luzf0ut/KrHaGC17iEcohvfaWVds/j8fOA40RWXXG5wkiqmrXQ9
xgPpV418jCpLhrE85W5emNVH8a0sX746sulslm5NhCBbYsKgmvWB0NW/kSmPBAD7
xnx6ZysaDEt2kgFy+GhCBMjm+WUOEypF1xoH8YlOO8rtJPVwTX3QPkgEYxrEtloJ
T7cScRPJo66y5ne1E4FKFUApH5cDlD4et9/TpJKR76y1hml+geCM9S7oOD1LmHIM
PxQFfNVL8/RWUSxNtkA+4ixlERitMbW3x4rqq864m1MnZEyYGOiUgF4uU8t7VruJ
bE+qbqOdy+HROi5vBgB7NZ3S1k7iBweGll7xcEfRHWd+lIunezzb/V/lJoShuSBL
WEetGEijGGDLPwTWG2ZSGQQsrPZH0VoA2rRS/aZ75Bau3ctIFAEPuNLS2+AnSh1C
hWMCXsGu3JVwq53TS0Lg5scquaXWPcuEQPJ6ZEmQOGfq+zjJKCp0Wq3W1GqkMAR+
9WFvAeh8/fLFTuDnqGLqHoeO9YQ3AK8uraMRf+hVco7RjXOAYks1JvbGDCijlUhv
pUrmkELbYnZgnVvAy/uwpYhVdJkQq4Hev+ELFFfTjcX5i3lO9V9iZJ2UUrXj5cnS
XgEBs+srIKZqr9mNQlfc6t3+JfaRtRPs5ozaSgJIJx+K9x2e7Guci+ZSAoEP7kn6
163uoxaZiP3W7vW/fVe8IDnPsPAc2FuvI0MbpDlEmUcoHWU/s3aY6foYtwg+w0I=
=/9CT
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.10.2

45
inventories/chaosknoten/group_vars/all.yaml
View file

@ -3,7 +3,7 @@
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/chaosknoten
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min
@ -14,46 +14,3 @@ msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps
msmtp__smtp_user: any@hosts.hamburg.ccc.de
msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de"
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ metrics__chaos_password }}"
}
}
}
prometheus.relabel "chaosknoten_common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
target_label = "site"
replacement = "wieske"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hosts.hamburg.ccc.de"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.chaosknoten_common.receiver]
}

214
inventories/chaosknoten/host_vars/acmedns.sops.yaml
View file

@ -1,214 +0,0 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
sops:
age:
- recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T16:16:15Z"
mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
pgp:
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
/63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
PPvkTEc7AdD6
=GWYV
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
=5SxJ
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
=H3mo
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
=bY3Q
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
=C2Ii
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
=/EHL
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
=WwLj
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
=Bk3g
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
=xd/t
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
/rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
=9oyC
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
/KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
+t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
9iHTzz6Gpajo
=bBZ5
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

23
inventories/chaosknoten/host_vars/acmedns.yaml
View file

@ -1,23 +0,0 @@
---
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: acmedns.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
- name: oauth2-proxy.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
- name: html/index.html
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
docker_compose__pull: missing
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
# - "spaceapi.ccc.de" # after DNS has been adjusted
- "acmedns.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: acmedns.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"

6
inventories/chaosknoten/host_vars/cloud.yaml
View file

@ -1,11 +1,9 @@
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
nextcloud__version: 32
# renovate: datasource=docker depName=docker.io/library/postgres
nextcloud__postgres_version: 15.15
nextcloud__postgres_version: 15.14
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
nextcloud__use_custom_new_user_skeleton: true
nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de

43
inventories/chaosknoten/host_vars/grafana.yaml
View file

@ -53,7 +53,17 @@ nginx__configurations:
- name: metrics.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
alloy_config_additional: |
alloy_config: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
loki.write "default" {
endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
@ -89,9 +99,9 @@ alloy_config_additional: |
}
rule {
source_labels = ["__journal__hostname"]
target_label = "instance"
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hosts.hamburg.ccc.de"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
@ -102,3 +112,30 @@ alloy_config_additional: |
format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}

3
inventories/chaosknoten/host_vars/netbox.yaml
View file

@ -1,5 +1,4 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
netbox__version: "v4.5.0"
netbox__version: "v4.1.7"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true

6
inventories/chaosknoten/host_vars/ntfy.sops.yaml
View file

@ -1,3 +1,5 @@
secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
ntfy:
user:
@ -16,8 +18,8 @@ sops:
bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T18:41:48Z"
mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
lastmodified: "2025-10-20T19:01:39Z"
mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str]
pgp:
- created_at: "2025-10-20T19:03:04Z"
enc: |-

86
inventories/chaosknoten/host_vars/ntfy.yaml
View file

@ -15,8 +15,90 @@ nginx__configurations:
- name: ntfy.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
alloy_config_additional: |
alloy_config: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
loki.write "default" {
endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
basic_auth {
username = "chaos"
password = "{{ secret__loki_chaos }}"
}
}
}
loki.relabel "journal" {
forward_to = []
rule {
source_labels = ["__journal__systemd_unit"]
target_label = "systemd_unit"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "instance"
}
rule {
source_labels = ["__journal__transport"]
target_label = "systemd_transport"
}
rule {
source_labels = ["__journal_syslog_identifier"]
target_label = "syslog_identifier"
}
rule {
source_labels = ["__journal_priority_keyword"]
target_label = "level"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
loki.source.journal "read_journal" {
forward_to = [loki.write.default.receiver]
relabel_rules = loki.relabel.journal.rules
format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"}
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "unix_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}
prometheus.scrape "ntfy_metrics" {
targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
forward_to = [prometheus.relabel.chaosknoten_common.receiver]
forward_to = [prometheus.relabel.default.receiver]
}

5
inventories/chaosknoten/host_vars/router.yaml
View file

@ -1,5 +0,0 @@
systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min

215
inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml
View file

@ -1,215 +0,0 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str]
secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str]
secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str]
secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str]
sops:
age:
- recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX
S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95
YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx
TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+
C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T11:18:43Z"
mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str]
pgp:
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A
wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ
xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8
iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq
fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y
9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q
/KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe
FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc
lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2
JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi
ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU
aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o
CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1
wWY4KUeOqk6Y
=Wm7O
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi
457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI
df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb
FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb
rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9
xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh
kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t
a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22
oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv
85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk
k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS
XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ
lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg=
=ytkN
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee
VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO
tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K
eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd
nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di
MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h
vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl
WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO
3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ
wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp
oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS
XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE
RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA=
=LEoh
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z
RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg
b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO
9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV
A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp
EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX
FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc
4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc
xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z
wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x
4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS
XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV
wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA=
=KudR
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw
mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5
0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB
iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4
=gfNC
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje
d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf
2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+
UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4
RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI
rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc
63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2
wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9
S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF
xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50
Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je
AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3
aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA==
=7Qbv
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw
N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux
wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK
BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr
irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M
EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY
mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/
TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe
xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo
Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8
hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S
XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm
XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo=
=T4dN
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q
tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm
s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3
Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl
z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w
jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5
zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ
gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go
AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU
uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np
mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS
XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU
rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c=
=PbAZ
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw
ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo
0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f
dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU
=Cbzj
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw
fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK
0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw
fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz
=g5Ck
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR
X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz
FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k
dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j
kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v
fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt
caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli
MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb
wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV
NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig
6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU
aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm
oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG
xU5hdDPzz/jT
=zb8A
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

15
inventories/chaosknoten/host_vars/spaceapiccc.yaml
View file

@ -1,15 +0,0 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}"
docker_compose__build: never
docker_compose__pull: never
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "spaceapi.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: spaceapi.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf') }}"

9
inventories/chaosknoten/host_vars/sunders.sops.yaml
View file

@ -1,7 +1,4 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:tP84jDYh2zeWjf7wqDoefm9zaeg/Q2TWUyIstOcrjYHgrZdGLk64skLuGyH5q4FxQL9QEhe9qBT+AAxxKE6fU630/M1LVOR4Sls=,iv:I9W6KxIoisJFFMtOrN5u8KgnsmuIgF9RvzWanLNGVVM=,tag:w9bhDahR4Ai4/nLLeR58lA==,type:str]
secret__sunders_db_root_password: ENC[AES256_GCM,data:m3Xt6dOKibRflon/rWG9KmdBPHEBbqE/GIpKdFI1Di7Lpl/THxzrgx12mTK6aZnwDrM=,iv:hD/UGwo88ye9CxyTCEQ0SVon2+ipPjeA9NF2/OhYwmc=,tag:DRdQ5hvTgUO5FVae/ul7kQ==,type:str]
secret__sunders_db_camera_password: ENC[AES256_GCM,data:tOt4ImpedgfGvRpcThPO30YyEl/bP244ruJQzAYodJIsEhFuk5LxHpPASEnsqlN6m3M=,iv:rQXBjiYWZlzeUdaqDdTlrdbSSqGaPDeZOPhUaMjgcjU=,tag:lkSlIdJWFowyPfWEjpC/Zg==,type:str]
secret__sunders_db_camera_select_password: ENC[AES256_GCM,data:PveGcD2WmvpMc8bafGY1c45aQ2XH/ym2yj5YacauQPeZO6Xem3kaxU0kwjs0Wd26ugc=,iv:tk288L9i0lxsJbTFq5ET5IiKkJfMQwc6uKNFXILcD7o=,tag:hOIivp3mOtDNBCsKvrSrBw==,type:str]
sops:
age:
- recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
@ -13,8 +10,8 @@ sops:
S3NiK3R6UWQ5UU0xUmYwa1hqMUo5c28K4EVQwBcALc6k53CNsemfMy2s6AGO5LJf
3U1zeFtEcsvEnUfkvFT//M7cB6pUqQF0KIq1VnnFoQF7IpvSN23lxg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-01T16:32:10Z"
mac: ENC[AES256_GCM,data:8Q6DBSFtzwHuVxduRlZYxlRWO0trSoesNGUR8r/dWnp9ashFBSZqVyffXb4Vq6DB5thANJ6/b3PCNsHdiAKn6Ai2UT8G0HimFjUUgNpZxo4xoNGmDhDvfdBgUL6O2pHhY+ojjguUXDYeYc99+eaxfKqZ3w+PAPaySltKm99foz8=,iv:ILOErdiWbUjk9kovXXZYcAqZFQp2Wo1Tm14sgK3niWg=,tag:Q2gT6wbQyhDXjoQEG2Lngw==,type:str]
lastmodified: "2025-10-14T23:43:05Z"
mac: ENC[AES256_GCM,data:15TRSKlDhjQy3yMcFhz2Den2YorcrpJmCw0BVl10qlG8u9G7Vw/7aV/hJnZdkCz3w1ZkEbNS6DCKxCLs1Qgf2SEPaG/cRraO2mcl+YH7k4gb5LMzu81fRkbCx66B4LG+DY8fsAJeO4mxui2m0ZAHb2SNFIP4Q4vdLav3jTaiwAc=,iv:71qa6JTc+S5MLynGc27tx1WBGrpvTCSCoEv01SZnPF8=,tag:ju4WP1MK1/sWw7TAitzM0Q==,type:str]
pgp:
- created_at: "2025-10-15T08:45:25Z"
enc: |-
@ -210,4 +207,4 @@ sops:
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.10.2

13
inventories/chaosknoten/host_vars/sunders.yaml
View file

@ -1,13 +0,0 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/sunders/docker_compose/compose.yaml.j2') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "sunders.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: sunders.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf') }}"

3
inventories/chaosknoten/host_vars/zammad.yaml
View file

@ -1,5 +1,4 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/zammad/docker_compose/compose.yaml') }}"
docker_compose__env_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/.env.j2') }}"
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files: [ ]
certbot__version_spec: ""

110
inventories/chaosknoten/hosts.yaml
View file

@ -1,31 +1,31 @@
all:
hosts:
ccchoir:
ansible_host: ccchoir.hosts.hamburg.ccc.de
ansible_host: ccchoir-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
chaosknoten:
ansible_host: chaosknoten.hamburg.ccc.de
cloud:
ansible_host: cloud.hosts.hamburg.ccc.de
ansible_host: cloud-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
eh22-wiki:
ansible_host: eh22-wiki.hosts.hamburg.ccc.de
ansible_host: eh22-wiki-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
grafana:
ansible_host: grafana.hosts.hamburg.ccc.de
ansible_host: grafana-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
tickets:
ansible_host: tickets.hosts.hamburg.ccc.de
ansible_host: tickets-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
keycloak:
ansible_host: keycloak.hosts.hamburg.ccc.de
ansible_host: keycloak-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
lists:
ansible_host: lists.hamburg.ccc.de
ansible_user: chaos
@ -33,61 +33,49 @@ all:
ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos
netbox:
ansible_host: netbox.hosts.hamburg.ccc.de
ansible_host: netbox-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
onlyoffice:
ansible_host: onlyoffice.hosts.hamburg.ccc.de
ansible_host: onlyoffice-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
pad:
ansible_host: pad.hosts.hamburg.ccc.de
ansible_host: pad-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
pretalx:
ansible_host: pretalx.hosts.hamburg.ccc.de
ansible_host: pretalx-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos
router:
ansible_host: router.hamburg.ccc.de
ansible_user: chaos
wiki:
ansible_host: wiki.hosts.hamburg.ccc.de
ansible_host: wiki-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
zammad:
ansible_host: zammad.hosts.hamburg.ccc.de
ansible_host: zammad-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ntfy:
ansible_host: ntfy.hosts.hamburg.ccc.de
ansible_host: ntfy-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
sunders:
ansible_host: sunders.hosts.hamburg.ccc.de
ansible_host: sunders-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
renovate:
ansible_host: renovate.hosts.hamburg.ccc.de
ansible_host: renovate-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
spaceapiccc:
ansible_host: spaceapiccc.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
acmedns:
ansible_host: acmedns.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:
base_config_hosts:
hosts:
acmedns:
ccchoir:
cloud:
eh22-wiki:
@ -100,23 +88,14 @@ base_config_hosts:
pad:
pretalx:
public-reverse-proxy:
router:
tickets:
wiki:
zammad:
ntfy:
sunders:
renovate:
spaceapiccc:
systemd_networkd_hosts:
hosts:
router:
nftables_hosts:
hosts:
router:
docker_compose_hosts:
hosts:
acmedns:
hosts:
ccchoir:
grafana:
tickets:
@ -127,14 +106,11 @@ docker_compose_hosts:
pretalx:
zammad:
ntfy:
sunders:
spaceapiccc:
nextcloud_hosts:
hosts:
cloud:
nginx_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:
@ -150,14 +126,11 @@ nginx_hosts:
wiki:
zammad:
ntfy:
sunders:
spaceapiccc:
public_reverse_proxy_hosts:
hosts:
public-reverse-proxy:
certbot_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:
@ -172,12 +145,11 @@ certbot_hosts:
wiki:
zammad:
ntfy:
sunders:
spaceapiccc:
alloy_hosts:
prometheus_node_exporter_hosts:
hosts:
ccchoir:
eh22-wiki:
tickets:
keycloak:
netbox:
onlyoffice:
@ -185,15 +157,6 @@ alloy_hosts:
pretalx:
wiki:
zammad:
grafana:
ntfy:
tickets:
renovate:
cloud:
public-reverse-proxy:
router:
sunders:
spaceapiccc:
infrastructure_authorized_keys_hosts:
hosts:
ccchoir:
@ -207,13 +170,11 @@ infrastructure_authorized_keys_hosts:
pad:
pretalx:
public-reverse-proxy:
router:
wiki:
zammad:
ntfy:
sunders:
renovate:
spaceapiccc:
wiki_hosts:
hosts:
eh22-wiki:
@ -224,6 +185,10 @@ netbox_hosts:
proxmox_vm_template_hosts:
hosts:
chaosknoten:
alloy_hosts:
hosts:
grafana:
ntfy:
ansible_pull_hosts:
hosts:
netbox:
@ -244,7 +209,6 @@ ansible_pull_hosts:
public-reverse-proxy:
zammad:
ntfy:
spaceapiccc:
msmtp_hosts:
hosts:
renovate_hosts:

210
inventories/external/group_vars/all.sops.yaml vendored
View file

@ -1,210 +0,0 @@
msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w
c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN
clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ
aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y
mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-15T21:28:28Z"
mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
pgp:
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I
b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY
/fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu
Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/
e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B
inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw
P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow
RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W
XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn
gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV
HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS
XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH
tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a
=Xw0f
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+
U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L
eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW
TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc
OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo
b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR
8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem
Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk
+PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq
5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb
ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS
XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7
RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u
=k6m5
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ
z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr
AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX
EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd
txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3
CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX
AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt
KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf
53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ
iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn
Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS
XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX
OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0
=seAB
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ
ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7
vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh
GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R
ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA
q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN
F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT
968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb
Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH
RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM
WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS
XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T
X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt
=t5WG
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw
OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu
0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD
kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg==
=8Qs3
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2
SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm
+0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB
nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm
ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH
xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP
2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv
4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP
AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5
fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV
J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S
XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD
QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn
=NJUn
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33
rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU
b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB
VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6
z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc
y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk
pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6
DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS
55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2
Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS
2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS
XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ
e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h
=gUj7
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw
YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4
W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly
m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl
AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB
QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW
fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT
XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw
Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv
v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt
zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS
XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb
YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV
=pL2f
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw
0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin
0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8
KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg==
=slU2
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw
bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL
0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp
JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw==
=1DIj
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-15T21:28:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204
CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99
e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R
6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1
M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN
Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L
vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G
k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm
MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/
3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF
XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS
XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn
96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz
=IYeC
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

16
inventories/external/group_vars/all.yaml vendored
View file

@ -1,16 +0,0 @@
# ansible_pull
# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/external
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min
# msmtp
# msmtp__smtp_password is defined in the all.sops.yaml.
msmtp__smtp_host: cow.hamburg.ccc.de
msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps
msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"

213
inventories/external/host_vars/status.sops.yaml vendored
View file

@ -1,213 +0,0 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
secret__gatus_acme_dns_update_test_x_api_key: ENC[AES256_GCM,data:rBMHvYT7g+o6Rc+edjikYT2jn4wKnkOJWOMf5Ys1zjKpsRCKEF0PZA==,iv:Tp4ELKMfhxtwaJljW4sMCVgW3KCTL89NfW2/LQTmO1Y=,tag:YMbvE0xgLTYCFXche/mvFA==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx
UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq
M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk
RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2
13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-01T21:17:51Z"
mac: ENC[AES256_GCM,data:YO5RoJnkjZeouYJa3ui/cRGLcpSzbs1Ou4D+XU9fZ6ZEc8snmLoN/e8vK91+9qigQECOc/WHHaln4ghYs6wNH+xje4ImCYL92p1RbMPvT8OoS3qu+pTF3sUfQfV/Rju61njNHA7XNAmGCxSiJQxgq2o92aoEB7qKs+AwCFEmTpE=,iv:QrRkSv4novqk3+YCnfFW59df1mvcGONTDO3zCUyXUME=,tag:oBy402SSczs3qyHhBpQqnw==,type:str]
pgp:
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/
HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW
w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi
o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr
dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT
QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+
97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE
dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf
j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT
B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9
cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS
XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI
tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ=
=HCWY
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M
UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6
KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4
JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu
RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf
LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J
SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5
YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD
CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF
W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q
melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS
XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e
GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74=
=v7Jf
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ
zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv
y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y
Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo
FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw
sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz
8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1
+b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au
qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU
yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F
HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S
XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF
9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4=
=l9vN
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp
+ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w
+lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1
oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw
8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx
wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26
MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK
ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj
IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB
b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm
YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS
XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF
JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4=
=8IWz
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw
9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM
0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr
1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ
=FVIu
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz
ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F
15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN
pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW
Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR
PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+
27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU
amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I
bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P
dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc
bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS
XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD
QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA=
=EPrs
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0
RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC
Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9
fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC
3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9
bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW
p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl
USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm
dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa
PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9
NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS
XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n
H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo=
=0Nal
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK
ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV
Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl
IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH
i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9
1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq
lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG
m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi
9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7
N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy
FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS
XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7
uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k=
=e4Qe
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw
27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di
0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h
7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci
=68na
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw
oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK
0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz
LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ
=Kpzf
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-15T21:23:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO
rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I
hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc
yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD
Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo
2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR
yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY
YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz
WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu
1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv
YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS
XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY
rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk=
=lbdI
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

27
inventories/external/host_vars/status.yaml vendored
View file

@ -1,27 +0,0 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: "general.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
- name: "sites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
- name: "services-chaosknoten.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
- name: "websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
- name: "easterhegg-websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: status.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "status.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"

24
inventories/external/hosts.yaml vendored
View file

@ -1,24 +0,0 @@
all:
hosts:
status:
# TODO: Manually set up ufw on the host. Create a role for ufw.
ansible_host: status.hamburg.ccc.de
ansible_user: chaos
base_config_hosts:
hosts:
status:
docker_compose_hosts:
hosts:
status:
nginx_hosts:
hosts:
status:
certbot_hosts:
hosts:
status:
infrastructure_authorized_keys_hosts:
hosts:
status:
ansible_pull_hosts:
hosts:
status:

200
inventories/z9/group_vars/all.sops.yaml
View file

@ -1,200 +0,0 @@
metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
sops:
lastmodified: "2026-01-25T19:52:03Z"
mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str]
pgp:
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi
sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB
2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C
ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI
Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk
UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD
VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr
7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG
HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8
XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu
p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S
XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE
N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc=
=1Rdp
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z
lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8
3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ
OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou
orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw
lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc
LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe
UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3
RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE
LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g
vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S
XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S
gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU=
=ev2Q
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA
6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA
womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ
+/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO
PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU
5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U
5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK
HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/
xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ
MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3
hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS
XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/
tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA=
=a2qJ
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30
RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW
8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW
n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy
f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W
E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4
bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6
ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1
Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ
sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ
Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS
XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI
SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s=
=rV/a
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw
IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC
0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn
lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ
=dGU4
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg
WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma
vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih
t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs
j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9
avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT
zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj
ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ
IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO
u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM
dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S
XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++
zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs=
=dywj
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20
HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE
K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u
t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3
36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2
hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd
JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2
ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM
KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7
4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6
SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS
XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN
mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc=
=lIEt
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa
FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a
tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+
ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0
kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk
qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd
BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq
fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j
7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax
6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1
Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS
XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b
Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k=
=az/q
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw
Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q
0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx
JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV
=2Eki
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw
5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo
0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0
WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW
=S45t
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T19:51:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x
DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd
j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG
TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO
AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA
nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt
UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH
FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6
7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf
O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx
vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS
XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7
XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw=
=9ri7
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

43
inventories/z9/group_vars/all.yaml
View file

@ -1,43 +0,0 @@
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ metrics__chaos_password }}"
}
}
}
prometheus.relabel "z9_common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
target_label = "site"
replacement = "z9"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.z9.ccchh.net"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.z9_common.receiver]
}

4
inventories/z9/host_vars/dooris.yaml
View file

@ -7,11 +7,9 @@ certbot__certificate_domains:
- "dooris.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
certbot__http_01_port: 80
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: dooris.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"

14
inventories/z9/host_vars/light.yaml
View file

@ -50,22 +50,10 @@ ola__configs:
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
- name: ola-usbserial
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: light
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "light-werkstatt.ccchh.net"
- "light.ccchh.net"
- "light.z9.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"

1
inventories/z9/host_vars/yate.yaml
View file

@ -6,3 +6,4 @@ docker_compose__configuration_files:
content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
- name: regfile.conf
content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"

9
inventories/z9/hosts.yaml
View file

@ -4,7 +4,7 @@ all:
ansible_host: authoritative-dns.z9.ccchh.net
ansible_user: chaos
dooris:
ansible_host: dooris.z9.ccchh.net
ansible_host: 10.31.208.201
ansible_user: chaos
light:
ansible_host: light.z9.ccchh.net
@ -20,7 +20,6 @@ all:
certbot_hosts:
hosts:
dooris:
light:
docker_compose_hosts:
hosts:
dooris:
@ -50,11 +49,5 @@ ola_hosts:
proxmox_vm_template_hosts:
hosts:
thinkcccore0:
alloy_hosts:
hosts:
authoritative-dns:
light:
yate:
dooris:
ansible_pull_hosts:
hosts:

21
playbooks/deploy.yaml
View file

@ -4,16 +4,6 @@
roles:
- base_config
- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
hosts: systemd_networkd_hosts
roles:
- systemd_networkd
- name: Ensure nftables deployment on nftables_hosts
hosts: nftables_hosts
roles:
- nftables
- name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts
roles:
@ -64,6 +54,11 @@
roles:
- nginx
- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
hosts: prometheus_node_exporter_hosts
roles:
- prometheus_node_exporter
- name: Configure unattended upgrades for all non-hypervisors
hosts: all:!hypervisors
become: true
@ -78,8 +73,10 @@
- name: Ensure Alloy is installed and Setup on alloy_hosts
hosts: alloy_hosts
become: true
roles:
- alloy
tasks:
- name: Setup Alloy
ansible.builtin.include_role:
name: grafana.grafana.alloy
- name: Ensure ansible_pull deployment on ansible_pull_hosts
hosts: ansible_pull_hosts

36
renovate.json
View file

@ -1,17 +1,9 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
// Parts from config:best-practices:
// https://docs.renovatebot.com/presets-config/#configbest-practices
":configMigration",
"abandonments:recommended",
"security:minimumReleaseAgeNpm",
":ignoreUnstable",
":disableRateLimiting",
":rebaseStalePrs",
":label(renovate)"
"config:recommended", // Included in config:best-practices anyway, but added for clarity.
"config:best-practices",
":ignoreUnstable"
],
"semanticCommits": "disabled",
"packageRules": [
@ -27,28 +19,6 @@
"minor",
"patch"
]
},
{
"matchDatasources": ["docker"],
"matchPackageNames": ["docker.io/pretix/standalone"],
"versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
},
{
"matchDatasources": ["docker"],
"matchPackageNames": ["docker.io/pretalx/standalone"],
"versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
}
],
"customManagers": [
// Custom manager using regex for letting Renovate find dependencies in inventory variables.
{
"customType": "regex",
"managerFilePatterns": [
"/^inventories/.*?_vars/.*?\\.ya?ml$/"
],
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: packageName=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?\\s*.+?\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
]
}
],
"docker-compose": {

23
requirements.yml
View file

@ -1,17 +1,8 @@
collections:
# debops.debops
- source: https://github.com/debops/debops
type: git
version: "v3.2.5"
# community.sops
- source: https://github.com/ansible-collections/community.sops
type: git
version: "2.2.7"
# community.docker
- source: https://github.com/ansible-collections/community.docker
type: git
version: "5.0.5"
# grafana.grafana
- source: https://github.com/grafana/grafana-ansible-collection
type: git
version: "6.0.6"
# Install a collection from Ansible Galaxy.
- name: debops.debops
version: ">=3.1.0"
source: https://galaxy.ansible.com
- name: community.sops
version: ">=2.2.4"
source: https://galaxy.ansible.com

27
resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
View file

@ -1,27 +0,0 @@
# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
[general]
protocol = "both"
domain = "auth.acmedns.hamburg.ccc.de"
nsname = "acmedns.hosts.hamburg.ccc.de"
nsadmin = "noc.lists.hamburg.ccc.de"
records = [
"auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
"auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
]
[database]
engine = "sqlite3"
connection = "/var/lib/acme-dns/acme-dns.db"
[api]
ip = "0.0.0.0"
port = "80"
tls = "none"
corsorigins = [
"*"
]
[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "text"

22
resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
View file

@ -1,22 +0,0 @@
---
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
- "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
restart: unless-stopped
ports:
- 4180:4180
acmedns:
image: docker.io/joohoi/acme-dns:latest
ports:
- "[::]:53:53"
- "[::]:53:53/udp"
- 8080:80
volumes:
- ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
- ./data/acmedns:/var/lib/acme-dns

74
resources/chaosknoten/acmedns/docker_compose/index.html.j2
View file

@ -1,74 +0,0 @@
<html>
<head>
<title>ACME DNS Register</title>
<style>
table, tr, th, td {
border-collapse: collapse;
}
caption {
caption-side: bottom;
padding: 2px 4px;
}
th, td {
border: 1px solid black;
padding: 2px 4px;
}
th {
text-align: left;
}
td {
font-family: "Courier", monospace;
}
</style>
</head>
<body>
<h1>Register an Entry in ACME DNS</h1>
<p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
<p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
<p><button id="register">Register a new entry</button></p>
<table id="results" style="display: none">
<tr>
<th>Full Domain</th><td id="fulldomain">undefined</td>
</tr>
<tr>
<th>Subdomain</th><td id="subdomain">undefined</td>
</tr>
<tr>
<th>X-Api-User</th><td id="username">undefined</td>
</tr>
<tr>
<th>X-Api-Key</th><td id="password">undefined</td>
</tr>
<caption><b>Important!</b> This information will only be shown once. Please
copy or otherwise save it immediately.</caption>
</table>
<p><b>Note: there is no way to delete registrations.</b> Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.</p>
<script>
document.getElementById("register").addEventListener("click", (event) => {
const register = async () => {
const response = await fetch("/register", {
method: "POST"
});
if (!response.ok) {
console.log(response);
alert("Unable to register a new entry.");
return;
}
const registration = await response.json()
for (const key in registration) {
const e = document.getElementById(key);
if (e !== null) {
e.innerText = registration[key];
}
}
document.getElementById("results").style.display = "block";
}
register();
});
</script>
</body>

13
resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
View file

@ -1,13 +0,0 @@
reverse_proxy = true
http_address="0.0.0.0:4180"
cookie_secret="{{ secret__oidc_cookie_secret }}"
email_domains="*"
# dex provider
oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
provider="oidc"
provider_display_name="CCCHH ID"
client_id="acmedns"
client_secret="{{ secret__oidc_client_secret }}"
redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"

87
resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
View file

@ -1,87 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name acmedns.hamburg.ccc.de;
root /ansible_docker_compose/configs/html/;
ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
port_in_redirect off;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Auth-Request-Redirect $request_uri;
# or, if you are handling multiple domains:
# proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location = / {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
index index.html;
}
location = /register {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
proxy_pass http://127.0.0.1:8080/register;
}
location = /update { # no auth by proxy required
proxy_pass http://127.0.0.1:8080/update;
}
location = /health { # no auth by proxy required
proxy_pass http://127.0.0.1:8080/health;
}
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
}

8
resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -43,12 +43,12 @@ server {
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

23
resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
View file

@ -7,7 +7,7 @@ route:
group_by: [ "alertname", "site", "type", "hypervisor" ]
group_wait: 30s
group_interval: 5m
repeat_interval: 26h
repeat_interval: 6h
routes:
- receiver: "null"
matchers:
@ -16,38 +16,49 @@ route:
matchers:
- org = "ccchh"
- severity = "critical",
repeat_interval: 26h
repeat_interval: 18h
continue: true
- receiver: ntfy-ccchh
matchers:
- org = "ccchh"
- severity =~ "info|warning",
repeat_interval: 52h
repeat_interval: 36h
continue: true
- receiver: ntfy-fux-critical
matchers:
- org = "fux"
- severity = "critical",
repeat_interval: 26h
repeat_interval: 18h
continue: true
- receiver: email-fux-critical
matchers:
- org = "fux"
- severity = "critical",
repeat_interval: 52h
repeat_interval: 36h
continue: true
- receiver: ntfy-fux
matchers:
- org = "fux"
- severity =~ "info|warning",
repeat_interval: 52h
repeat_interval: 36h
continue: true
- receiver: ccchh-infrastructure-alerts
matchers:
- org = "ccchh"
- severity =~ "info|warning|critical"
templates:
- "/etc/alertmanager/templates/*.tmpl"
receivers:
- name: "null"
- name: "ccchh-infrastructure-alerts"
telegram_configs:
- send_resolved: true
bot_token: {{ secret__alertmanager_telegram_bot_token }}
chat_id: -1002434372415
parse_mode: HTML
message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }}
- name: "ntfy-ccchh-critical"
webhook_configs:

11
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
View file

@ -2,13 +2,12 @@
services:
prometheus:
image: docker.io/prom/prometheus:v3.9.1
image: docker.io/prom/prometheus:v3.7.1
container_name: prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--web.enable-remote-write-receiver'
- '--enable-feature=promql-experimental-functions'
- '--storage.tsdb.retention.time=28d'
ports:
- 9090:9090
restart: unless-stopped
@ -19,7 +18,7 @@ services:
- prom_data:/prometheus
alertmanager:
image: docker.io/prom/alertmanager:v0.30.1
image: docker.io/prom/alertmanager:v0.28.1
container_name: alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +31,7 @@ services:
- alertmanager_data:/alertmanager
grafana:
image: docker.io/grafana/grafana:12.3.1
image: docker.io/grafana/grafana:12.2.1
container_name: grafana
ports:
- 3000:3000
@ -46,7 +45,7 @@ services:
- graf_data:/var/lib/grafana
pve-exporter:
image: docker.io/prompve/prometheus-pve-exporter:3.8.0
image: docker.io/prompve/prometheus-pve-exporter:3.5.5
container_name: pve-exporter
ports:
- 9221:9221
@ -59,7 +58,7 @@ services:
- /dev/null:/etc/prometheus/pve.yml
loki:
image: docker.io/grafana/loki:3.6.4
image: docker.io/grafana/loki:3.5.7
container_name: loki
ports:
- 13100:3100

35
resources/chaosknoten/grafana/docker_compose/prometheus.yml
View file

@ -82,6 +82,41 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
org: ccchh
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
org: ccchh
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100
storage:
tsdb:

4
resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
View file

@ -17,6 +17,7 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:50051 ssl;
listen 172.31.17.145:50051 ssl;
http2 on;
@ -58,6 +59,7 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;

2
resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
View file

@ -9,6 +9,7 @@ server {
allow 2a00:14b0:4200:3380::/64;
allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
# Z9
allow 2a07:c480:0:100::/56;
allow 2a07:c481:1::/48;
# fuxnoc
allow 2a07:c481:0:1::/64;
@ -17,6 +18,7 @@ server {
server_name metrics.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;
client_body_buffer_size 512k;

2
resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
View file

@ -46,7 +46,7 @@ services:
- "8080:8080"
db:
image: docker.io/library/postgres:15.15
image: docker.io/library/postgres:15.14
restart: unless-stopped
networks:
- keycloak

4
resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
View file

@ -3,12 +3,12 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
View file

@ -3,12 +3,12 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
View file

@ -7,12 +7,12 @@ server {
##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8444 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
View file

@ -1,7 +1,7 @@
---
services:
ntfy:
image: docker.io/binwiederhier/ntfy:v2.15.0
image: docker.io/binwiederhier/ntfy:v2.14.0
container_name: ntfy
command:
- serve

4
resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
View file

@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
View file

@ -4,7 +4,7 @@
services:
onlyoffice:
image: docker.io/onlyoffice/documentserver:9.2.1
image: docker.io/onlyoffice/documentserver:9.1.0
restart: unless-stopped
volumes:
- "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

5
resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
View file

@ -2,13 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

2
resources/chaosknoten/pad/docker_compose/compose.yaml.j2
View file

@ -13,7 +13,7 @@ services:
restart: unless-stopped
app:
image: quay.io/hedgedoc/hedgedoc:1.10.5
image: quay.io/hedgedoc/hedgedoc:1.10.3
environment:
- "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
- "CMD_DOMAIN=pad.hamburg.ccc.de"

4
resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
View file

@ -15,7 +15,7 @@ services:
- pretalx_net
redis:
image: docker.io/library/redis:8.4.0
image: docker.io/library/redis:8.2.2
restart: unless-stopped
volumes:
- redis:/data
@ -23,7 +23,7 @@ services:
- pretalx_net
static:
image: docker.io/library/nginx:1.29.4
image: docker.io/library/nginx:1.29.2
restart: unless-stopped
volumes:
- public:/usr/share/nginx/html

4
resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

40
resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
View file

@ -4,33 +4,32 @@ map $host $upstream_acme_challenge_host {
c3cat.de 172.31.17.151:31820;
www.c3cat.de 172.31.17.151:31820;
staging.c3cat.de 172.31.17.151:31820;
ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de 172.31.17.143:31820;
element.hamburg.ccc.de 172.31.17.151:31820;
git.hamburg.ccc.de 172.31.17.154:31820;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
grafana.hamburg.ccc.de 172.31.17.145:31820;
hackertours.hamburg.ccc.de 172.31.17.151:31820;
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
hamburg.ccc.de 172.31.17.151:31820;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
id.hamburg.ccc.de 172.31.17.144:31820;
invite.hamburg.ccc.de 172.31.17.144:31820;
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
matrix.hamburg.ccc.de 172.31.17.150:31820;
mas.hamburg.ccc.de 172.31.17.150:31820;
element-admin.hamburg.ccc.de 172.31.17.151:31820;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
netbox.hamburg.ccc.de 172.31.17.167:31820;
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
pad.hamburg.ccc.de 172.31.17.141:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820;
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
staging.hamburg.ccc.de 172.31.17.151:31820;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
wiki.ccchh.net 172.31.17.146:31820;
wiki.hamburg.ccc.de 172.31.17.146:31820;
www.hamburg.ccc.de 172.31.17.151:31820;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
tickets.hamburg.ccc.de 172.31.17.148:31820;
zammad.hamburg.ccc.de 172.31.17.152:31820;
eh03.easterhegg.eu 172.31.17.151:31820;
eh05.easterhegg.eu 172.31.17.151:31820;
eh07.easterhegg.eu 172.31.17.151:31820;
@ -38,7 +37,7 @@ map $host $upstream_acme_challenge_host {
eh11.easterhegg.eu 172.31.17.151:31820;
eh20.easterhegg.eu 172.31.17.151:31820;
www.eh20.easterhegg.eu 172.31.17.151:31820;
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
eh22.easterhegg.eu 172.31.17.165:31820;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
eh2003.hamburg.ccc.de 172.31.17.151:31820;
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@ -73,16 +72,11 @@ map $host $upstream_acme_challenge_host {
design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820;
cfp.eh22.easterhegg.eu 172.31.17.157:31820;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
ntfy.hamburg.ccc.de 172.31.17.149:31820;
cryptoparty-hamburg.de 172.31.17.151:31820;
cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
staging.cryptoparty-hamburg.de 172.31.17.151:31820;
staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
cpu.ccc.de 172.31.17.151:31820;
lokal.ccc.de 172.31.17.151:31820;
local.ccc.de 172.31.17.151:31820;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
default "";
}

42
resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
View file

@ -18,21 +18,21 @@ stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
id.hamburg.ccc.de 172.31.17.144:8443;
invite.hamburg.ccc.de 172.31.17.144:8443;
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
grafana.hamburg.ccc.de 172.31.17.145:8443;
wiki.ccchh.net 172.31.17.146:8443;
wiki.hamburg.ccc.de 172.31.17.146:8443;
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
netbox.hamburg.ccc.de 172.31.17.167:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443;
mas.hamburg.ccc.de 172.31.17.150:8443;
element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,8 @@ stream {
hamburg.ccc.de 172.31.17.151:8443;
staging.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.hamburg.ccc.de 172.31.17.151:8443;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
tickets.hamburg.ccc.de 172.31.17.148:8443;
zammad.hamburg.ccc.de 172.31.17.152:8443;
c3cat.de 172.31.17.151:8443;
www.c3cat.de 172.31.17.151:8443;
staging.c3cat.de 172.31.17.151:8443;
@ -56,7 +55,7 @@ stream {
eh11.easterhegg.eu 172.31.17.151:8443;
eh20.easterhegg.eu 172.31.17.151:8443;
www.eh20.easterhegg.eu 172.31.17.151:8443;
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
eh22.easterhegg.eu 172.31.17.165:8443;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
eh2003.hamburg.ccc.de 172.31.17.151:8443;
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@ -90,17 +89,12 @@ stream {
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de 172.31.17.149:8443;
cryptoparty-hamburg.de 172.31.17.151:8443;
cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
staging.cryptoparty-hamburg.de 172.31.17.151:8443;
staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
cpu.ccc.de 172.31.17.151:8443;
lokal.ccc.de 172.31.17.151:8443;
local.ccc.de 172.31.17.151:8443;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
}
server {

95
resources/chaosknoten/router/nftables/nftables.conf
View file

@ -1,95 +0,0 @@
#!/usr/sbin/nft -f
## Variables
# Interfaces
define if_net1_v4_wan = "net1"
define if_net2_v6_wan = "net2"
define if_net0_2_v4_nat = "net0.2"
define if_net0_3_ci_runner = "net0.3"
# Interface Groups
define wan_ifs = { $if_net1_v4_wan,
$if_net2_v6_wan }
define lan_ifs = { $if_net0_2_v4_nat,
$if_net0_3_ci_runner }
# define v4_exposed_ifs = { }
define v6_exposed_ifs = { $if_net0_2_v4_nat }
## Rules
table inet reverse-path-forwarding {
chain rpf-filter {
type filter hook prerouting priority mangle + 10; policy drop;
# Only allow packets if their source address is routed via their incoming interface.
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
fib saddr . mark . iif oif exists accept
}
}
table inet host {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "allow loopback"
ct state invalid drop
ct state established,related accept
ip protocol icmp accept
# ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
# Allow DHCP server access.
iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
}
}
table ip v4nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname $if_net1_v4_wan masquerade
}
}
table inet forward {
chain forward {
type filter hook forward priority filter; policy drop;
ct state invalid drop
ct state established,related accept
# Allow internet access.
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
# Allow access to exposed networks from internet.
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
}
}

6
resources/chaosknoten/router/systemd_networkd/00-net0.link
View file

@ -1,6 +0,0 @@
[Match]
MACAddress=BC:24:11:54:11:15
Type=ether
[Link]
Name=net0

6
resources/chaosknoten/router/systemd_networkd/00-net1.link
View file

@ -1,6 +0,0 @@
[Match]
MACAddress=BC:24:11:9A:FB:34
Type=ether
[Link]
Name=net1

6
resources/chaosknoten/router/systemd_networkd/00-net2.link
View file

@ -1,6 +0,0 @@
[Match]
MACAddress=BC:24:11:AE:C7:04
Type=ether
[Link]
Name=net2

7
resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
View file

@ -1,7 +0,0 @@
[NetDev]
Name=net0.2
Kind=vlan
[VLAN]
Id=2

7
resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
View file

@ -1,7 +0,0 @@
[NetDev]
Name=net0.3
Kind=vlan
[VLAN]
Id=3

12
resources/chaosknoten/router/systemd_networkd/20-net0.network
View file

@ -1,12 +0,0 @@
[Match]
Name=net0
[Link]
RequiredForOnline=no
[Network]
VLAN=net0.2
VLAN=net0.3
LinkLocalAddressing=no

12
resources/chaosknoten/router/systemd_networkd/20-net1.network
View file

@ -1,12 +0,0 @@
[Match]
Name=net1
[Network]
DNS=212.12.50.158
IPv6AcceptRA=no
[Address]
Address=212.12.48.123/24
[Route]
Gateway=212.12.48.55

12
resources/chaosknoten/router/systemd_networkd/20-net2.network
View file

@ -1,12 +0,0 @@
[Match]
Name=net2
[Network]
#DNS=212.12.50.158
IPv6AcceptRA=no
[Address]
Address=2a00:14b0:4200:3500::130:2/112
[Route]
Gateway=2a00:14b0:4200:3500::130:1

29
resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
View file

@ -1,29 +0,0 @@
[Match]
Name=net0.2
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=v4-NAT
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address]
Address=10.32.2.1/24
[IPv6SendRA]
UplinkInterface=net2
[IPv6Prefix]
Prefix=2a00:14b0:42:102::/64
Assign=true
Token=static:::1

29
resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
View file

@ -1,29 +0,0 @@
[Match]
Name=net0.3
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=ci-runners
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address]
Address=10.32.3.1/24
[IPv6SendRA]
UplinkInterface=net2
[IPv6Prefix]
Prefix=2a00:14b0:42:103::/64
Assign=true
Token=static:::1

3
resources/chaosknoten/router/systemd_networkd_global_config.conf
View file

@ -1,3 +0,0 @@
[Network]
IPv4Forwarding=true
IPv6Forwarding=true

39
resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2
View file

@ -1,39 +0,0 @@
---
services:
frontend:
#build: ./frontend
networks:
spaceapi-network:
ipv4_address: 172.16.238.10
image: gidsi/spaceapi-ccc-frontend:saved_from_old_host
restart: always
expose:
- "80"
depends_on:
- backend
backend:
#build: ./backend
networks:
- spaceapi-network
image: gidsi/spaceapi-ccc-backend:saved_from_old_host
restart: always
environment:
SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}"
DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}"
DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}"
depends_on:
- database
database:
image: mongo:saved_from_old_host
networks:
- spaceapi-network
restart: always
volumes:
- ./data/database:/data/db
networks:
spaceapi-network:
ipam:
driver: default
config:
- subnet: 172.16.238.0/24

42
resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf
View file

@ -1,42 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name spaceapi.ccc.de;
ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/spaceapi.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://172.16.238.10/;
}
}

57
resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
View file

@ -1,57 +0,0 @@
# Source:
# https://git.hamburg.ccc.de/CCCHH/sunders/src/branch/main/docker-compose.yml
services:
db:
image: mariadb:12.1.2
command: --max_allowed_packet=3250585600
environment:
MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
MYSQL_DATABASE: camera
MYSQL_USER: camera
MYSQL_PASSWORD: "{{ secret__sunders_db_camera_password }}"
volumes:
- mariadb:/var/lib/mysql
healthcheck:
test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"]
interval: 10s
timeout: 5s
start_period: 30s
retries: 5
web:
image: git.hamburg.ccc.de/ccchh/sunders/web:latest
environment:
MYSQL_HOST: db
MYSQL_DB: camera
CAMERA_SELECT_USER: camera_select
CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}"
DEFAULT_ZOOM: 12
DEFAULT_LAT: 0
DEFAULT_LON: 0
DEFAULT_LANGUAGE: en
IMPRESSUM_URL: https://hamburg.ccc.de/imprint/
ports:
- "8080:80"
depends_on:
data_handler:
condition: service_started
data_handler:
image: git.hamburg.ccc.de/ccchh/sunders/data_handler:latest
environment:
MYSQL_HOST: db
MYSQL_DB: camera
MYSQL_USER: root
MYSQL_PASSWORD: "{{ secret__sunders_db_root_password }}"
CAMERA_USER: camera
CAMERA_USER_PASSWORD: "{{ secret__sunders_db_camera_password }}"
CAMERA_SELECT_USER: camera_select
CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}"
depends_on:
db:
condition: service_healthy
restart: true
volumes:
mariadb:

42
resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
View file

@ -1,42 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name sunders.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sunders.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:8080/;
}
}

2
resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
View file

@ -13,7 +13,7 @@ services:
restart: unless-stopped
redis:
image: docker.io/library/redis:7.4.7
image: docker.io/library/redis:7.4.6
ports:
- "6379:6379"
volumes:

10
resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -38,7 +38,11 @@ server {
location = / {
#return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
}
location = /hackertours/eh22/ {
return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
}
location / {

6
resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -21,6 +21,6 @@ server {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 302 https://wiki.hamburg.ccc.de$request_uri;
}

4
resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

4
resources/chaosknoten/zammad/docker_compose/.env.j2
View file

@ -1,4 +0,0 @@
POSTGRES_PASS={{ secret__zammad_db_password }}
POSTGRES_VERSION=15-alpine
REDIS_VERSION=7-alpine
NGINX_SERVER_SCHEME=https

149
resources/chaosknoten/zammad/docker_compose/compose.yaml
View file

@ -1,149 +0,0 @@
---
version: "3.8"
# Taken from: https://github.com/zammad/zammad-docker-compose/blob/master/docker-compose.yml
# Version: v14.1.1
# Update from new tag by replacing all content.
# Configuration should be done in the .env.j2.
x-shared:
zammad-service: &zammad-service
environment: &zammad-environment
MEMCACHE_SERVERS: ${MEMCACHE_SERVERS:-zammad-memcached:11211}
POSTGRESQL_DB: ${POSTGRES_DB:-zammad_production}
POSTGRESQL_HOST: ${POSTGRES_HOST:-zammad-postgresql}
POSTGRESQL_USER: ${POSTGRES_USER:-zammad}
POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad}
POSTGRESQL_PORT: ${POSTGRES_PORT:-5432}
POSTGRESQL_OPTIONS: ${POSTGRESQL_OPTIONS:-?pool=50}
POSTGRESQL_DB_CREATE:
REDIS_URL: ${REDIS_URL:-redis://zammad-redis:6379}
S3_URL:
# Backup settings
BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}"
BACKUP_TIME: "${BACKUP_TIME:-03:00}"
HOLD_DAYS: "${HOLD_DAYS:-10}"
TZ: "${TZ:-Europe/Berlin}"
# Allow passing in these variables via .env:
AUTOWIZARD_JSON:
AUTOWIZARD_RELATIVE_PATH:
ELASTICSEARCH_ENABLED:
ELASTICSEARCH_SCHEMA:
ELASTICSEARCH_HOST:
ELASTICSEARCH_PORT:
ELASTICSEARCH_USER:
ELASTICSEARCH_PASS:
ELASTICSEARCH_NAMESPACE:
ELASTICSEARCH_REINDEX:
NGINX_PORT:
NGINX_CLIENT_MAX_BODY_SIZE:
NGINX_SERVER_NAME:
NGINX_SERVER_SCHEME:
RAILS_TRUSTED_PROXIES:
ZAMMAD_HTTP_TYPE:
ZAMMAD_FQDN:
ZAMMAD_WEB_CONCURRENCY:
ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS:
ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS:
ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
# ZAMMAD_SESSION_JOBS_CONCURRENT is deprecated, please use ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS instead.
ZAMMAD_SESSION_JOBS_CONCURRENT:
# Variables used by ngingx-proxy container for reverse proxy creations
# for docs refer to https://github.com/nginx-proxy/nginx-proxy
VIRTUAL_HOST:
VIRTUAL_PORT:
# Variables used by acme-companion for retrieval of LetsEncrypt certificate
# for docs refer to https://github.com/nginx-proxy/acme-companion
LETSENCRYPT_HOST:
LETSENCRYPT_EMAIL:
image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-6.5.2}
restart: ${RESTART:-always}
volumes:
- zammad-storage:/opt/zammad/storage
depends_on:
- zammad-memcached
- zammad-postgresql
- zammad-redis
services:
zammad-backup:
<<: *zammad-service
command: ["zammad-backup"]
volumes:
- zammad-backup:/var/tmp/zammad
- zammad-storage:/opt/zammad/storage:ro
user: 0:0
zammad-elasticsearch:
image: elasticsearch:${ELASTICSEARCH_VERSION:-8.19.4}
restart: ${RESTART:-always}
volumes:
- elasticsearch-data:/usr/share/elasticsearch/data
environment:
discovery.type: single-node
xpack.security.enabled: 'false'
ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
zammad-init:
<<: *zammad-service
command: ["zammad-init"]
depends_on:
- zammad-postgresql
restart: on-failure
user: 0:0
zammad-memcached:
command: memcached -m 256M
image: memcached:${MEMCACHE_VERSION:-1.6.39-alpine}
restart: ${RESTART:-always}
zammad-nginx:
<<: *zammad-service
command: ["zammad-nginx"]
expose:
- "${NGINX_PORT:-8080}"
ports:
- "${NGINX_EXPOSE_PORT:-8080}:${NGINX_PORT:-8080}"
depends_on:
- zammad-railsserver
zammad-postgresql:
environment:
POSTGRES_DB: ${POSTGRES_DB:-zammad_production}
POSTGRES_USER: ${POSTGRES_USER:-zammad}
POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad}
image: postgres:${POSTGRES_VERSION:-17.6-alpine}
restart: ${RESTART:-always}
volumes:
- postgresql-data:/var/lib/postgresql/data
zammad-railsserver:
<<: *zammad-service
command: ["zammad-railsserver"]
zammad-redis:
image: redis:${REDIS_VERSION:-7.4.5-alpine}
restart: ${RESTART:-always}
volumes:
- redis-data:/data
zammad-scheduler:
<<: *zammad-service
command: ["zammad-scheduler"]
zammad-websocket:
<<: *zammad-service
command: ["zammad-websocket"]
volumes:
elasticsearch-data:
driver: local
postgresql-data:
driver: local
redis-data:
driver: local
zammad-backup:
driver: local
zammad-storage:
driver: local

162
resources/chaosknoten/zammad/docker_compose/compose.yaml.j2 Normal file
View file

@ -0,0 +1,162 @@
---
{#
https://github.com/zammad/zammad-docker-compose
Docker Compose does not allow defining variables in the compose file (only in .env files), so we use Jinja variables instead
see https://github.com/zammad/zammad-docker-compose/blob/master/.env
#}
{%- set ELASTICSEARCH_VERSION = "8.19.4" | quote -%}
{%- set IMAGE_REPO = "ghcr.io/zammad/zammad" | quote -%}
{%- set MEMCACHE_SERVERS = "zammad-memcached:11211" | quote -%}
{%- set MEMCACHE_VERSION = "1.6-alpine" | quote -%}
{%- set POSTGRES_DB = "zammad_production" | quote -%}
{%- set POSTGRES_HOST = "zammad-postgresql" | quote -%}
{%- set POSTGRES_USER = "zammad" | quote -%}
{%- set POSTGRES_PASS = secret__zammad_db_password | quote -%}
{%- set POSTGRES_PORT = "5432" | quote -%}
{%- set POSTGRES_VERSION = "15-alpine" | quote -%}
{%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%}
{%- set REDIS_VERSION = "7-alpine" | quote -%}
{%- set RESTART = "always" | quote -%}
{%- set VERSION = "6" | quote -%}
x-shared:
zammad-service: &zammad-service
environment: &zammad-environment
MEMCACHE_SERVERS: {{ MEMCACHE_SERVERS }}
POSTGRESQL_DB: {{ POSTGRES_DB }}
POSTGRESQL_HOST: {{ POSTGRES_HOST }}
POSTGRESQL_USER: {{ POSTGRES_USER }}
POSTGRESQL_PASS: {{ POSTGRES_PASS }}
POSTGRESQL_PORT: {{ POSTGRES_PORT }}
REDIS_URL: {{ REDIS_URL }}
# Allow passing in these variables via .env:
AUTOWIZARD_JSON:
AUTOWIZARD_RELATIVE_PATH:
ELASTICSEARCH_ENABLED:
ELASTICSEARCH_HOST:
ELASTICSEARCH_PORT:
ELASTICSEARCH_SCHEMA:
ELASTICSEARCH_NAMESPACE:
ELASTICSEARCH_REINDEX:
ELASTICSEARCH_SSL_VERIFY:
NGINX_PORT:
NGINX_SERVER_NAME:
NGINX_SERVER_SCHEME: https
POSTGRESQL_DB_CREATE:
POSTGRESQL_OPTIONS:
RAILS_TRUSTED_PROXIES:
ZAMMAD_WEB_CONCURRENCY:
ZAMMAD_SESSION_JOBS:
ZAMMAD_PROCESS_SCHEDULED:
ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
image: {{ IMAGE_REPO }}:{{ VERSION }}
restart: {{ RESTART }}
volumes:
- zammad-storage:/opt/zammad/storage
- zammad-var:/opt/zammad/var
depends_on:
- zammad-memcached
- zammad-postgresql
- zammad-redis
services:
zammad-backup:
command: ["zammad-backup"]
depends_on:
- zammad-railsserver
- zammad-postgresql
entrypoint: /usr/local/bin/backup.sh
environment:
<<: *zammad-environment
BACKUP_TIME: "03:00"
HOLD_DAYS: "10"
TZ: Europe/Berlin
image: postgres:{{ POSTGRES_VERSION }}
restart: {{ RESTART }}
volumes:
- zammad-backup:/var/tmp/zammad
- zammad-storage:/opt/zammad/storage:ro
- zammad-var:/opt/zammad/var:ro
- ./scripts/backup.sh:/usr/local/bin/backup.sh:ro
zammad-elasticsearch:
image: elasticsearch:{{ ELASTICSEARCH_VERSION }}
restart: {{ RESTART }}
volumes:
- elasticsearch-data:/usr/share/elasticsearch/data
environment:
discovery.type: single-node
xpack.security.enabled: 'false'
ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
zammad-init:
<<: *zammad-service
command: ["zammad-init"]
depends_on:
- zammad-postgresql
restart: on-failure
user: 0:0
volumes:
- zammad-storage:/opt/zammad/storage
- zammad-var:/opt/zammad/var
zammad-memcached:
command: memcached -m 256M
image: memcached:{{ MEMCACHE_VERSION }}
restart: {{ RESTART }}
zammad-nginx:
<<: *zammad-service
command: ["zammad-nginx"]
expose:
- "8080"
ports:
- "8080:8080"
depends_on:
- zammad-railsserver
volumes:
- zammad-var:/opt/zammad/var:ro # required for the zammad-ready check file
zammad-postgresql:
environment:
POSTGRES_DB: {{ POSTGRES_DB }}
POSTGRES_USER: {{ POSTGRES_USER }}
POSTGRES_PASSWORD: {{ POSTGRES_PASS }}
image: postgres:{{ POSTGRES_VERSION }}
restart: {{ RESTART }}
volumes:
- postgresql-data:/var/lib/postgresql/data
zammad-railsserver:
<<: *zammad-service
command: ["zammad-railsserver"]
zammad-redis:
image: redis:{{ REDIS_VERSION }}
restart: {{ RESTART }}
volumes:
- redis-data:/data
zammad-scheduler:
<<: *zammad-service
command: ["zammad-scheduler"]
volumes:
- /ansible_docker_compose/zammad-scheduler-database.yml:/opt/zammad/config/database.yml # workaround for connection pool issue
zammad-websocket:
<<: *zammad-service
command: ["zammad-websocket"]
volumes:
elasticsearch-data:
driver: local
postgresql-data:
driver: local
redis-data:
driver: local
zammad-backup:
driver: local
zammad-storage:
driver: local
zammad-var:
driver: local

4
resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

37
resources/external/status/docker_compose/compose.yaml.j2 vendored
View file

@ -1,37 +0,0 @@
# https://gatus.io/
# https://github.com/TwiN/gatus
# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
services:
database:
image: docker.io/library/postgres:18.1
volumes:
- ./database:/var/lib/postgresql
environment:
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
networks:
- gatus
gatus:
image: ghcr.io/twin/gatus:v5.34.0
restart: always
ports:
- "8080:8080"
environment:
- "GATUS_CONFIG_PATH=/config"
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
- "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
- "ACME_DNS_UPDATE_TEST_X_API_KEY={{ secret__gatus_acme_dns_update_test_x_api_key }}"
volumes:
- ./configs:/config
networks:
- gatus
depends_on:
- database
networks:
gatus:

305
resources/external/status/docker_compose/config/easterhegg-websites.yaml vendored
View file

@ -1,305 +0,0 @@
# Easterhegg Websites and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
easterhegg-websites-defaults: &easterhegg_websites_defaults
group: Websites
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "12h"
send-on-resolved: true
easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
group: Websites (Redirects)
interval: 15m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: eh03.easterhegg.eu
url: "https://eh03.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: eh05.easterhegg.eu
url: "https://eh05.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: eh07.easterhegg.eu
url: "https://eh07.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh09.easterhegg.eu
url: "https://eh09.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh11.easterhegg.eu
url: "https://eh11.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh20.easterhegg.eu
url: "https://eh20.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
# Websites (Redirects)
# eh03.easterhegg.eu
- name: eh2003.hamburg.ccc.de
url: "https://eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.eh2003.hamburg.ccc.de
url: "https://www.eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: easterhegg2003.hamburg.ccc.de
url: "https://easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.easterhegg2003.hamburg.ccc.de
url: "https://www.easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
# eh05.easterhegg.eu
- name: eh2005.hamburg.ccc.de
url: "https://eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.eh2005.hamburg.ccc.de
url: "https://www.eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: easterhegg2005.hamburg.ccc.de
url: "https://easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.easterhegg2005.hamburg.ccc.de
url: "https://www.easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
# eh07.easterhegg.eu
- name: eh2007.hamburg.ccc.de
url: "https://eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh2007.hamburg.ccc.de
url: "https://www.eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh07.hamburg.ccc.de
url: "https://eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh07.hamburg.ccc.de
url: "https://www.eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: easterhegg2007.hamburg.ccc.de
url: "https://easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.easterhegg2007.hamburg.ccc.de
url: "https://www.easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
# eh09.easterhegg.eu
- name: eh2009.hamburg.ccc.de
url: "https://eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh2009.hamburg.ccc.de
url: "https://www.eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh09.hamburg.ccc.de
url: "https://eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh09.hamburg.ccc.de
url: "https://www.eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: easterhegg2009.hamburg.ccc.de
url: "https://easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.easterhegg2009.hamburg.ccc.de
url: "https://www.easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
# eh11.easterhegg.eu
- name: eh2011.hamburg.ccc.de
url: "https://eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh2011.hamburg.ccc.de
url: "https://www.eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh11.hamburg.ccc.de
url: "https://eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh11.hamburg.ccc.de
url: "https://www.eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: easterhegg2011.hamburg.ccc.de
url: "https://easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.easterhegg2011.hamburg.ccc.de
url: "https://www.easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
# eh20.easterhegg.eu
- name: www.eh20.easterhegg.eu
url: "https://www.eh20.easterhegg.eu"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
- name: eh20.hamburg.ccc.de
url: "https://eh20.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"

38
resources/external/status/docker_compose/config/general.yaml vendored
View file

@ -1,38 +0,0 @@
storage:
type: postgres
path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
ui:
title: CCCHH Status
description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
header: CCCHH Status
buttons:
- name: Website
link: "https://hamburg.ccc.de"
- name: Git
link: "https://git.hamburg.ccc.de"
- name: Kontakt & Impressum
link: "https://hamburg.ccc.de/imprint/"
default-sort-by: group
alerting:
# matrix:
# server-url: "https://matrix.nekover.se"
# access-token: "${MATRIX_ACCESS_TOKEN}"
# internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
custom:
url: "https://matrix.nekover.se/_matrix/client/v3/rooms/%21jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ/send/m.room.message"
method: "POST"
body: |
{
"msgtype": "m.text",
"body": "[ALERT_TRIGGERED_OR_RESOLVED]: [ENDPOINT_GROUP] - [ENDPOINT_NAME] - [ALERT_DESCRIPTION] - [RESULT_ERRORS]"
}
headers:
Authorization: "Bearer ${MATRIX_ACCESS_TOKEN}"
# A bit more than the default 5 concurrent checks should be fine.
concurrency: 15

311
resources/external/status/docker_compose/config/services-chaosknoten.yaml vendored
View file

@ -1,311 +0,0 @@
# Services (Chaosknoten)
services-chaosknoten-defaults: &services_chaosknoten_defaults
group: Services (Chaosknoten)
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: ACME DNS (main page/login)
url: "https://acmedns.hamburg.ccc.de"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*OAuth2 Proxy*)"
- name: ACME DNS (health endpoint)
url: "https://acmedns.hamburg.ccc.de/health"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- name: ACME DNS (update endpoint)
url: "https://acmedns.hamburg.ccc.de/update"
<<: *services_chaosknoten_defaults
method: POST
# acme-dns validates that the value for the txt is 43 characters long.
# https://github.com/joohoi/acme-dns/blob/b7a0a8a7bcef39f6158dd596fe716594a170d362/validation.go#L34-L41
body: |
{
"subdomain": "c621ef99-3da9-4ef6-a152-3a82b9b720f8",
"txt": "________________gatus_test_________________"
}
headers:
X-Api-User: "b897048a-1526-42aa-bc24-e4dfd654b722"
X-Api-Key: "${ACME_DNS_UPDATE_TEST_X_API_KEY}"
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].txt == ________________gatus_test_________________"
- name: ACME DNS (DNS)
url: "acmedns.hosts.hamburg.ccc.de"
<<: *services_chaosknoten_defaults
dns:
query-name: "c621ef99-3da9-4ef6-a152-3a82b9b720f8.auth.acmedns.hamburg.ccc.de"
query-type: "TXT"
conditions:
- "[DNS_RCODE] == NOERROR"
# error: query type is not supported yet
# apparently TXT records aren't supported yet.
# - "[BODY] == ________________gatus_test_________________"
- name: CCCHH ID/Keycloak (main page/account console)
url: "https://id.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
- name: CCCHH ID/Keycloak (ccchh realm)
url: "https://id.hamburg.ccc.de/realms/ccchh/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].realm == ccchh"
- name: ccchoir
url: "https://ccchoir.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
- name: Cloud (status info)
url: "https://cloud.hamburg.ccc.de/status.php"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].installed == true"
- "[BODY].maintenance == false"
- name: Cloud (main page/login)
url: "https://cloud.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: cow (main page/login)
url: "https://cow.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*mailcow UI*)"
- name: cow (SMTP port 25)
url: "tcp://cow.hamburg.ccc.de:25"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTP with STARTTLS port 587)
url: "starttls://cow.hamburg.ccc.de:587"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAP port 143)
url: "tcp://cow.hamburg.ccc.de:143"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Design/penpot
url: "https://design.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
- name: EH22 Website/Wiki
url: "https://eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- name: Git
url: "https://git.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Git*)"
- name: GitLab
url: "https://gitlab.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
- name: Grafana
url: "https://grafana.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: Jitsi
url: "https://jitsi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Jitsi Meet*)"
- name: Lists
url: "https://lists.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Mailing Lists*)"
- name: Matrix
url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "has([BODY].versions) == true"
- "has([BODY].unstable_features) == true"
- name: Mumble (tcp)
url: "tcp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Mumble (udp)
url: "udp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: NetBox
url: "https://NetBox.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*NetBox*)"
- name: ntfy
url: "https://ntfy.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ntfy web requires JavaScript*)"
- name: OnlyOffice
url: "https://onlyoffice.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
- name: Pad
url: "https://pad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
- name: Pretalx (main page)
url: "https://pretalx.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretalx*)"
- name: Pretalx (EH22/Easterhegg 2025)
url: "https://cfp.eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- "[BODY] == pat(*pretalx*)"
- name: SpaceAPI
url: "https://spaceapi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].space == CCCHH"
- name: Surveillance under Surveillance
url: "https://sunders.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Surveillance under Surveillance*)"
- name: Tickets/pretix
url: "https://tickets.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretix*)"
- name: Wiki
url: "https://wiki.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Wiki*)"
- name: Woodpecker
url: "https://woodpecker.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Woodpecker*)"
- name: Zammad
url: "https://zammad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*zammad*)"

24
resources/external/status/docker_compose/config/sites.yaml vendored
View file

@ -1,24 +0,0 @@
# Sites
sites-defaults: &sites_defaults
group: Sites
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: Chaosknoten/IRZ42
url: "icmp://chaosknoten.hamburg.ccc.de"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"
- name: Z9
url: "icmp://185.161.129.129"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"

209
resources/external/status/docker_compose/config/websites.yaml vendored
View file

@ -1,209 +0,0 @@
# Websites, Websites (Staging) and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
websites-defaults: &websites_defaults
group: Websites
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
websites-staging-defaults: &websites_staging_defaults
group: Websites (Staging)
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
websites-redirects-defaults: &websites_redirects_defaults
group: Websites (Redirects)
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: branding-resources.hamburg.ccc.de
url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*file: ccchh-logo.png*)"
- name: c3cat.de
url: "https://c3cat.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cpu.ccc.de
url: "https://cpu.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: cryptoparty-hamburg.de
url: "https://cryptoparty-hamburg.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: element-admin.hamburg.ccc.de
url: "https://element-admin.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Loading Element Admin*)"
- name: element.hamburg.ccc.de
url: "https://element.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
- name: hacker.tours
url: "https://hacker.tours"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
- name: hackertours.hamburg.ccc.de
url: "https://hackertours.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
- name: hamburg.ccc.de
url: "https://hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
- name: spaceapi.ccc.de
url: "https://spaceapi.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Kein Javascript, keine Kekse.*)"
# Websites (Staging)
- name: staging.c3cat.de
url: "https://staging.c3cat.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*c3cat.de Staging Environment*)"
- name: staging.cryptoparty-hamburg.de
url: "https://staging.cryptoparty-hamburg.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: staging.hacker.tours
url: "https://staging.hacker.tours"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hacker.tours Staging Environment*)"
- name: staging.hackertours.hamburg.ccc.de
url: "https://staging.hackertours.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
- name: staging.hamburg.ccc.de
url: "https://staging.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
# Website (Redirects)
- name: www.c3cat.de
url: "https://www.c3cat.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cryptoparty.hamburg.ccc.de
url: "https://cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: local.ccc.de
url: "https://local.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: lokal.ccc.de
url: "https://lokal.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: staging.cryptoparty.hamburg.ccc.de
url: "https://staging.cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: www.hamburg.ccc.de
url: "https://www.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"

14
resources/external/status/nginx/http_handler.conf vendored
View file

@ -1,14 +0,0 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name status.hamburg.ccc.de;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}

33
resources/external/status/nginx/status.hamburg.ccc.de.conf vendored
View file

@ -1,33 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name status.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy.
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:8080/;
}
}

12
resources/z9/dooris/nginx/http_handler.conf
View file

@ -1,12 +0,0 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}

10
resources/z9/light/nginx/http_handler.conf
View file

@ -1,12 +1,14 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location /.well-known/acme-challenge/ {
autoindex on;
root /webroot-for-acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}

29
resources/z9/light/nginx/light.conf
View file

@ -1,16 +1,15 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
@ -26,16 +25,15 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.z9.ccchh.net;
server_name light.z9.ccchh.net ;
ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
@ -43,9 +41,8 @@ server {
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name light.ccchh.net;

2
resources/z9/yate/docker_compose/compose.yaml.j2
View file

@ -17,4 +17,4 @@ services:
- ./configs/accfile.conf:/opt/yate/etc/yate/accfile.conf
- ./configs/regexroute.conf:/opt/yate/etc/yate/regexroute.conf
- ./configs/regfile.conf:/opt/yate/etc/yate/regfile.conf
- ./lib-yate:/var/lib/yate
- ./lib-yate:/var/lib/yate

44
roles/alloy/defaults/main.yaml
View file

@ -1,44 +0,0 @@
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "chaos_password"
}
}
}
prometheus.relabel "common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "noorg"
}
rule {
target_label = "site"
replacement = "nosite"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hosts.test"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.common.receiver]
}
alloy_config_additional: ""

Some files were not shown because too many files have changed in this diff Show more