ci: move Ansible Lint job to ubuntu-latest runner to make it work again

Move Ansible Lint job to ubuntu-latest runner to make it work again. Moving it to the ubuntu-latest runner also removes the need for manual dependency setup.
(test) disable semantic commit prefixes
2025-10-22 00:42:30 +02:00 · 2025-10-22 00:29:59 +02:00
88 changed files with 419 additions and 846 deletions
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -8,25 +8,12 @@ on:
 jobs:
  ansible-lint:
    name: Ansible Lint
-    runs-on: docker
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install pip
        run: |
          apt update
          apt install -y pip
      - name: Install python jmespath
        run: |
          pip install jmespath
        env:
          PIP_BREAK_SYSTEM_PACKAGES: 1
      # Don't let it setup python as the then called setup-python action doesn't
      # work in our environmnet.
      # Rather manually setup python (pip) before instead.
      - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v25.12.2
+        uses: https://github.com/ansible/ansible-lint@v24.10.0
        with:
          setup_python: "false"
          requirements_file: "requirements.yml"
        env:
          PIP_BREAK_SYSTEM_PACKAGES: 1
--- a/inventories/chaosknoten/group_vars/all.yaml
+++ b/inventories/chaosknoten/group_vars/all.yaml
@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@ -1,11 +1,9 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
-# renovate: datasource=docker depName=docker.io/library/postgres
+nextcloud__postgres_version: 15.14
 nextcloud__postgres_version: 15.15
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
 nextcloud__use_custom_new_user_skeleton: true
 nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
-nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
+nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
--- a/inventories/chaosknoten/host_vars/grafana.yaml
+++ b/inventories/chaosknoten/host_vars/grafana.yaml
@ -53,6 +53,7 @@ nginx__configurations:
  - name: metrics.hamburg.ccc.de
    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
 alloy_config: |
  prometheus.remote_write "default" {
    endpoint {
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@ -1,5 +1,4 @@
-# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
+netbox__version: "v4.1.7"
 netbox__version: "v4.5.0"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ b/inventories/chaosknoten/host_vars/router.yaml
@ -1,4 +0,0 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
 nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
 ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__timer_randomized_delay_sec: 0min
--- a/inventories/chaosknoten/host_vars/sunders.sops.yaml
+++ b/inventories/chaosknoten/host_vars/sunders.sops.yaml
@ -1,7 +1,4 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:tP84jDYh2zeWjf7wqDoefm9zaeg/Q2TWUyIstOcrjYHgrZdGLk64skLuGyH5q4FxQL9QEhe9qBT+AAxxKE6fU630/M1LVOR4Sls=,iv:I9W6KxIoisJFFMtOrN5u8KgnsmuIgF9RvzWanLNGVVM=,tag:w9bhDahR4Ai4/nLLeR58lA==,type:str]
 secret__sunders_db_root_password: ENC[AES256_GCM,data:m3Xt6dOKibRflon/rWG9KmdBPHEBbqE/GIpKdFI1Di7Lpl/THxzrgx12mTK6aZnwDrM=,iv:hD/UGwo88ye9CxyTCEQ0SVon2+ipPjeA9NF2/OhYwmc=,tag:DRdQ5hvTgUO5FVae/ul7kQ==,type:str]
 secret__sunders_db_camera_password: ENC[AES256_GCM,data:tOt4ImpedgfGvRpcThPO30YyEl/bP244ruJQzAYodJIsEhFuk5LxHpPASEnsqlN6m3M=,iv:rQXBjiYWZlzeUdaqDdTlrdbSSqGaPDeZOPhUaMjgcjU=,tag:lkSlIdJWFowyPfWEjpC/Zg==,type:str]
 secret__sunders_db_camera_select_password: ENC[AES256_GCM,data:PveGcD2WmvpMc8bafGY1c45aQ2XH/ym2yj5YacauQPeZO6Xem3kaxU0kwjs0Wd26ugc=,iv:tk288L9i0lxsJbTFq5ET5IiKkJfMQwc6uKNFXILcD7o=,tag:hOIivp3mOtDNBCsKvrSrBw==,type:str]
 sops:
  age:
    - recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
@ -13,8 +10,8 @@ sops:
        S3NiK3R6UWQ5UU0xUmYwa1hqMUo5c28K4EVQwBcALc6k53CNsemfMy2s6AGO5LJf
        3U1zeFtEcsvEnUfkvFT//M7cB6pUqQF0KIq1VnnFoQF7IpvSN23lxg==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-11-01T16:32:10Z"
+  lastmodified: "2025-10-14T23:43:05Z"
-  mac: ENC[AES256_GCM,data:8Q6DBSFtzwHuVxduRlZYxlRWO0trSoesNGUR8r/dWnp9ashFBSZqVyffXb4Vq6DB5thANJ6/b3PCNsHdiAKn6Ai2UT8G0HimFjUUgNpZxo4xoNGmDhDvfdBgUL6O2pHhY+ojjguUXDYeYc99+eaxfKqZ3w+PAPaySltKm99foz8=,iv:ILOErdiWbUjk9kovXXZYcAqZFQp2Wo1Tm14sgK3niWg=,tag:Q2gT6wbQyhDXjoQEG2Lngw==,type:str]
+  mac: ENC[AES256_GCM,data:15TRSKlDhjQy3yMcFhz2Den2YorcrpJmCw0BVl10qlG8u9G7Vw/7aV/hJnZdkCz3w1ZkEbNS6DCKxCLs1Qgf2SEPaG/cRraO2mcl+YH7k4gb5LMzu81fRkbCx66B4LG+DY8fsAJeO4mxui2m0ZAHb2SNFIP4Q4vdLav3jTaiwAc=,iv:71qa6JTc+S5MLynGc27tx1WBGrpvTCSCoEv01SZnPF8=,tag:ju4WP1MK1/sWw7TAitzM0Q==,type:str]
  pgp:
    - created_at: "2025-10-15T08:45:25Z"
      enc: |-
@ -210,4 +207,4 @@ sops:
        -----END PGP MESSAGE-----
      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
  unencrypted_suffix: _unencrypted
-  version: 3.11.0
+  version: 3.10.2
--- a/inventories/chaosknoten/host_vars/sunders.yaml
+++ b/inventories/chaosknoten/host_vars/sunders.yaml
@ -1,13 +0,0 @@
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/sunders/docker_compose/compose.yaml.j2') }}"
 certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
  - "sunders.hamburg.ccc.de"
 certbot__new_cert_commands:
  - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
  - name: sunders.hamburg.ccc.de
    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf') }}"
--- a/inventories/chaosknoten/host_vars/zammad.yaml
+++ b/inventories/chaosknoten/host_vars/zammad.yaml
@ -1,5 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/zammad/docker_compose/compose.yaml') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/compose.yaml.j2') }}"
 docker_compose__env_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/zammad/docker_compose/.env.j2') }}"
 docker_compose__configuration_files: [ ]
 certbot__version_spec: ""
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -1,31 +1,31 @@
 all:
  hosts:
    ccchoir:
-      ansible_host: ccchoir.hosts.hamburg.ccc.de
+      ansible_host: ccchoir-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    chaosknoten:
      ansible_host: chaosknoten.hamburg.ccc.de
    cloud:
-      ansible_host: cloud.hosts.hamburg.ccc.de
+      ansible_host: cloud-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    eh22-wiki:
-      ansible_host: eh22-wiki.hosts.hamburg.ccc.de
+      ansible_host: eh22-wiki-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    grafana:
-      ansible_host: grafana.hosts.hamburg.ccc.de
+      ansible_host: grafana-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    tickets:
-      ansible_host: tickets.hosts.hamburg.ccc.de
+      ansible_host: tickets-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    keycloak:
-      ansible_host: keycloak.hosts.hamburg.ccc.de
+      ansible_host: keycloak-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    lists:
      ansible_host: lists.hamburg.ccc.de
      ansible_user: chaos
@ -33,47 +33,44 @@ all:
      ansible_host: mumble.hamburg.ccc.de
      ansible_user: chaos
    netbox:
-      ansible_host: netbox.hosts.hamburg.ccc.de
+      ansible_host: netbox-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    onlyoffice:
-      ansible_host: onlyoffice.hosts.hamburg.ccc.de
+      ansible_host: onlyoffice-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    pad:
-      ansible_host: pad.hosts.hamburg.ccc.de
+      ansible_host: pad-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    pretalx:
-      ansible_host: pretalx.hosts.hamburg.ccc.de
+      ansible_host: pretalx-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    public-reverse-proxy:
      ansible_host: public-reverse-proxy.hamburg.ccc.de
      ansible_user: chaos
    router:
      ansible_host: router.hamburg.ccc.de
      ansible_user: chaos
    wiki:
-      ansible_host: wiki.hosts.hamburg.ccc.de
+      ansible_host: wiki-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    zammad:
-      ansible_host: zammad.hosts.hamburg.ccc.de
+      ansible_host: zammad-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    ntfy:
-      ansible_host: ntfy.hosts.hamburg.ccc.de
+      ansible_host: ntfy-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    sunders:
-      ansible_host: sunders.hosts.hamburg.ccc.de
+      ansible_host: sunders-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    renovate:
-      ansible_host: renovate.hosts.hamburg.ccc.de
+      ansible_host: renovate-intern.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 hypervisors:
  hosts:
    chaosknoten:
@ -91,19 +88,12 @@ base_config_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
    router:
    tickets:
    wiki:
    zammad:
    ntfy:
    sunders:
    renovate:
 systemd_networkd_hosts:
  hosts:
    router:
 nftables_hosts:
  hosts:
    router:
 docker_compose_hosts:
  hosts:
    ccchoir:
@ -116,7 +106,6 @@ docker_compose_hosts:
    pretalx:
    zammad:
    ntfy:
    sunders:
 nextcloud_hosts:
  hosts:
    cloud:
@ -137,7 +126,6 @@ nginx_hosts:
    wiki:
    zammad:
    ntfy:
    sunders:
 public_reverse_proxy_hosts:
  hosts:
    public-reverse-proxy:
@ -157,7 +145,6 @@ certbot_hosts:
    wiki:
    zammad:
    ntfy:
    sunders:
 prometheus_node_exporter_hosts:
  hosts:
    ccchoir:
@ -183,7 +170,6 @@ infrastructure_authorized_keys_hosts:
    pad:
    pretalx:
    public-reverse-proxy:
    router:
    wiki:
    zammad:
    ntfy:
--- a/inventories/z9/host_vars/yate.yaml
+++ b/inventories/z9/host_vars/yate.yaml
@ -6,3 +6,4 @@ docker_compose__configuration_files:
    content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
  - name: regfile.conf
    content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
 docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -4,7 +4,7 @@ all:
      ansible_host: authoritative-dns.z9.ccchh.net
      ansible_user: chaos
    dooris:
-      ansible_host: dooris.z9.ccchh.net
+      ansible_host: 10.31.208.201
      ansible_user: chaos
    light:
      ansible_host: light.z9.ccchh.net
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@ -4,16 +4,6 @@
  roles:
    - base_config
 - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
  hosts: systemd_networkd_hosts
  roles:
    - systemd_networkd
 - name: Ensure nftables deployment on nftables_hosts
  hosts: nftables_hosts
  roles:
    - nftables
 - name: Ensure deployment of infrastructure authorized keys
  hosts: infrastructure_authorized_keys_hosts
  roles:
--- a/renovate.json
+++ b/renovate.json
@ -1,17 +1,9 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
-    "config:recommended",
+    "config:recommended", // Included in config:best-practices anyway, but added for clarity.
-    // Parts from config:best-practices:
+    "config:best-practices",
-    // https://docs.renovatebot.com/presets-config/#configbest-practices
+    ":ignoreUnstable"
    ":configMigration",
    "abandonments:recommended",
    "security:minimumReleaseAgeNpm",
    ":ignoreUnstable",
    ":disableRateLimiting",
    ":rebaseStalePrs",
    ":label(renovate)"
  ],
  "semanticCommits": "disabled",
  "packageRules": [
@ -27,23 +19,6 @@
        "minor",
        "patch"
      ]
    },
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["docker.io/pretix/standalone"],
      "versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
    }
  ],
  "customManagers": [
    // Custom manager using regex for letting Renovate find dependencies in inventory variables.
    {
      "customType": "regex",
      "managerFilePatterns": [
        "/^inventories/.*?_vars/.*?\\.ya?ml$/"
      ],
      "matchStrings": [
        "# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: packageName=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?\\s*.+?\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
      ]
    }
  ],
  "docker-compose": {
--- a/requirements.yml
+++ b/requirements.yml
@ -6,6 +6,3 @@ collections:
  - name: community.sops
    version: ">=2.2.4"
    source: https://galaxy.ansible.com
  - name: community.docker
    version: ">=5.0.0"
    source: https://galaxy.ansible.com
--- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
+++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
@ -43,12 +43,12 @@ server {
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@ -2,13 +2,12 @@
 services:
  prometheus:
-    image: docker.io/prom/prometheus:v3.9.1
+    image: docker.io/prom/prometheus:v3.7.1
    container_name: prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--web.enable-remote-write-receiver'
      - '--enable-feature=promql-experimental-functions'
      - '--storage.tsdb.retention.time=28d'
    ports:
      - 9090:9090
    restart: unless-stopped
@ -19,7 +18,7 @@ services:
      - prom_data:/prometheus
  alertmanager:
-    image: docker.io/prom/alertmanager:v0.30.0
+    image: docker.io/prom/alertmanager:v0.28.1
    container_name: alertmanager
    command:
      - '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -32,7 +31,7 @@ services:
      - alertmanager_data:/alertmanager
  grafana:
-    image: docker.io/grafana/grafana:12.3.1
+    image: docker.io/grafana/grafana:12.2.1
    container_name: grafana
    ports:
      - 3000:3000
@ -46,7 +45,7 @@ services:
      - graf_data:/var/lib/grafana
  pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
+    image: docker.io/prompve/prometheus-pve-exporter:3.5.5
    container_name: pve-exporter
    ports:
      - 9221:9221
@ -59,7 +58,7 @@ services:
      - /dev/null:/etc/prometheus/pve.yml
  loki:
-    image: docker.io/grafana/loki:3.6.3
+    image: docker.io/grafana/loki:3.5.7
    container_name: loki
    ports:
      - 13100:3100
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@ -17,6 +17,7 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:50051 ssl;
    listen 172.31.17.145:50051 ssl;
    http2 on;
@ -58,6 +59,7 @@ server {
    server_name loki.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
--- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
@ -18,6 +18,7 @@ server {
    server_name metrics.hamburg.ccc.de;
    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;
    client_body_buffer_size 512k;
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@ -46,7 +46,7 @@ services:
      - "8080:8080"
  db:
-    image: docker.io/library/postgres:15.15
+    image: docker.io/library/postgres:15.14
    restart: unless-stopped
    networks:
      - keycloak
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -7,12 +7,12 @@ server {
    ##listen [::]:443 ssl http2;
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8444 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@ -1,7 +1,7 @@
 ---
 services:
  ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.15.0
+    image: docker.io/binwiederhier/ntfy:v2.14.0
    container_name: ntfy
    command:
      - serve
--- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    http2 on;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
@ -4,7 +4,7 @@
 services:
  onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.2.1
+    image: docker.io/onlyoffice/documentserver:9.1.0
    restart: unless-stopped
    volumes:
      - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@ -2,13 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
@ -13,7 +13,7 @@ services:
    restart: unless-stopped
  app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.5
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
    environment:
      - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
      - "CMD_DOMAIN=pad.hamburg.ccc.de"
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@ -15,7 +15,7 @@ services:
      - pretalx_net
  redis:
-    image: docker.io/library/redis:8.4.0
+    image: docker.io/library/redis:8.2.2
    restart: unless-stopped
    volumes:
      - redis:/data
@ -23,7 +23,7 @@ services:
      - pretalx_net
  static:
-    image: docker.io/library/nginx:1.29.4
+    image: docker.io/library/nginx:1.29.2
    restart: unless-stopped
    volumes:
      - public:/usr/share/nginx/html
@ -33,7 +33,7 @@ services:
      - pretalx_net
  pretalx:
-    image: docker.io/pretalx/standalone:v2025.2.2
+    image: docker.io/pretalx/standalone:v2025.1.0
    entrypoint: gunicorn
    command:
      - "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
      - pretalx_net
  celery:
-    image: docker.io/pretalx/standalone:v2025.2.2
+    image: docker.io/pretalx/standalone:v2025.1.0
    command:
      - taskworker
    restart: unless-stopped
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -4,33 +4,32 @@ map $host $upstream_acme_challenge_host {
    c3cat.de 172.31.17.151:31820;
    www.c3cat.de 172.31.17.151:31820;
    staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
+    cloud.hamburg.ccc.de 172.31.17.143:31820;
    element.hamburg.ccc.de 172.31.17.151:31820;
    git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
+    grafana.hamburg.ccc.de 172.31.17.145:31820;
    hackertours.hamburg.ccc.de 172.31.17.151:31820;
    staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
    hamburg.ccc.de 172.31.17.151:31820;
-    id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    id.hamburg.ccc.de 172.31.17.144:31820;
-    invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    invite.hamburg.ccc.de 172.31.17.144:31820;
-    keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
    matrix.hamburg.ccc.de 172.31.17.150:31820;
    mas.hamburg.ccc.de 172.31.17.150:31820;
    element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
+    netbox.hamburg.ccc.de 172.31.17.167:31820;
-    onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
+    onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
-    pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
+    pad.hamburg.ccc.de 172.31.17.141:31820;
-    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
+    pretalx.hamburg.ccc.de 172.31.17.157:31820;
    spaceapi.hamburg.ccc.de 172.31.17.151:31820;
    staging.hamburg.ccc.de 172.31.17.151:31820;
-    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
+    wiki.ccchh.net 172.31.17.146:31820;
-    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
+    wiki.hamburg.ccc.de 172.31.17.146:31820;
    www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
+    tickets.hamburg.ccc.de 172.31.17.148:31820;
-    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
+    zammad.hamburg.ccc.de 172.31.17.152:31820;
    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
    eh03.easterhegg.eu 172.31.17.151:31820;
    eh05.easterhegg.eu 172.31.17.151:31820;
    eh07.easterhegg.eu 172.31.17.151:31820;
@ -38,7 +37,7 @@ map $host $upstream_acme_challenge_host {
    eh11.easterhegg.eu 172.31.17.151:31820;
    eh20.easterhegg.eu 172.31.17.151:31820;
    www.eh20.easterhegg.eu 172.31.17.151:31820;
-    eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
+    eh22.easterhegg.eu 172.31.17.165:31820;
    easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
    eh2003.hamburg.ccc.de 172.31.17.151:31820;
    www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@ -73,7 +72,7 @@ map $host $upstream_acme_challenge_host {
    design.hamburg.ccc.de 172.31.17.162:31820;
    hydra.hamburg.ccc.de 172.31.17.163:31820;
    cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
+    ntfy.hamburg.ccc.de 172.31.17.149:31820;
    cryptoparty-hamburg.de 172.31.17.151:31820;
    cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
    staging.cryptoparty-hamburg.de 172.31.17.151:31820;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -18,21 +18,21 @@ stream {
    resolver 212.12.50.158 192.76.134.90;
    map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
+        cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
-        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
+        pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
-        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        id.hamburg.ccc.de 172.31.17.144:8443;
-        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        invite.hamburg.ccc.de 172.31.17.144:8443;
-        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
-        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
+        grafana.hamburg.ccc.de 172.31.17.145:8443;
-        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
+        wiki.ccchh.net 172.31.17.146:8443;
-        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
+        wiki.hamburg.ccc.de 172.31.17.146:8443;
-        onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
+        onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
        hackertours.hamburg.ccc.de 172.31.17.151:8443;
        staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
+        netbox.hamburg.ccc.de 172.31.17.167:8443;
        matrix.hamburg.ccc.de 172.31.17.150:8443;
        mas.hamburg.ccc.de 172.31.17.150:8443;
        element-admin.hamburg.ccc.de 172.31.17.151:8443;
@ -42,9 +42,8 @@ stream {
        hamburg.ccc.de 172.31.17.151:8443;
        staging.hamburg.ccc.de 172.31.17.151:8443;
        spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
+        tickets.hamburg.ccc.de 172.31.17.148:8443;
-        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
+        zammad.hamburg.ccc.de 172.31.17.152:8443;
        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
        c3cat.de 172.31.17.151:8443;
        www.c3cat.de 172.31.17.151:8443;
        staging.c3cat.de 172.31.17.151:8443;
@ -56,7 +55,7 @@ stream {
        eh11.easterhegg.eu 172.31.17.151:8443;
        eh20.easterhegg.eu 172.31.17.151:8443;
        www.eh20.easterhegg.eu 172.31.17.151:8443;
-        eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
+        eh22.easterhegg.eu 172.31.17.165:8443;
        easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
        eh2003.hamburg.ccc.de 172.31.17.151:8443;
        www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@ -90,8 +89,8 @@ stream {
        woodpecker.hamburg.ccc.de 172.31.17.160:8443;
        design.hamburg.ccc.de 172.31.17.162:8443;
        hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
+        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
+        ntfy.hamburg.ccc.de 172.31.17.149:8443;
        cryptoparty-hamburg.de 172.31.17.151:8443;
        cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
        staging.cryptoparty-hamburg.de 172.31.17.151:8443;
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@ -1,95 +0,0 @@
 #!/usr/sbin/nft -f
 ## Variables
 # Interfaces
 define if_net1_v4_wan = "net1"
 define if_net2_v6_wan = "net2"
 define if_net0_2_v4_nat = "net0.2"
 define if_net0_3_ci_runner = "net0.3"
 # Interface Groups
 define wan_ifs = { $if_net1_v4_wan,
                   $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
                   $if_net0_3_ci_runner }
 # define v4_exposed_ifs = { }
 define v6_exposed_ifs = { $if_net0_2_v4_nat }
 ## Rules
 table inet reverse-path-forwarding {
    chain rpf-filter {
        type filter hook prerouting priority mangle + 10; policy drop;
        # Only allow packets if their source address is routed via their incoming interface.
        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
        fib saddr . mark . iif oif exists accept
    }
 }
 table inet host {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "allow loopback"
        ct state invalid drop
        ct state established,related accept
 		ip protocol icmp accept
        # ICMPv6
        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
        # Error messages that are essential to the establishment and maintenance of communications:
        icmpv6 type { destination-unreachable, packet-too-big } accept
        icmpv6 type { time-exceeded } accept
        icmpv6 type { parameter-problem } accept
        # Connectivity checking messages:
        icmpv6 type { echo-request, echo-reply } accept
        # Address Configuration and Router Selection messages:
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
        # Link-Local Multicast Receiver Notification messages:
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        # SEND Certificate Path Notification messages:
        icmpv6 type { 148, 149 } accept
        # Multicast Router Discovery messages:
        icmpv6 type { 151, 152, 153 } accept
        # Allow SSH access.
        tcp dport 22 accept comment "allow ssh access"
        # Allow DHCP server access.
 		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
    }
 }
 table ip v4nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $if_net1_v4_wan masquerade
    }
 }
 table inet forward {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Allow internet access.
 		meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
 		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
        # Allow access to exposed networks from internet.
        # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
    }
 }
--- a/resources/chaosknoten/router/systemd_networkd/00-net0.link
+++ b/resources/chaosknoten/router/systemd_networkd/00-net0.link
@ -1,6 +0,0 @@
 [Match]
 MACAddress=BC:24:11:54:11:15
 Type=ether
 [Link]
 Name=net0
--- a/resources/chaosknoten/router/systemd_networkd/00-net1.link
+++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link
@ -1,6 +0,0 @@
 [Match]
 MACAddress=BC:24:11:9A:FB:34
 Type=ether
 [Link]
 Name=net1
--- a/resources/chaosknoten/router/systemd_networkd/00-net2.link
+++ b/resources/chaosknoten/router/systemd_networkd/00-net2.link
@ -1,6 +0,0 @@
 [Match]
 MACAddress=BC:24:11:AE:C7:04
 Type=ether
 [Link]
 Name=net2
--- a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
@ -1,7 +0,0 @@
 [NetDev]
 Name=net0.2
 Kind=vlan
 [VLAN]
 Id=2
--- a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
@ -1,7 +0,0 @@
 [NetDev]
 Name=net0.3
 Kind=vlan
 [VLAN]
 Id=3
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@ -1,12 +0,0 @@
 [Match]
 Name=net0
 [Link]
 RequiredForOnline=no
 [Network]
 VLAN=net0.2
 VLAN=net0.3
 LinkLocalAddressing=no
--- a/resources/chaosknoten/router/systemd_networkd/20-net1.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network
@ -1,14 +0,0 @@
 [Match]
 Name=net1
 [Network]
 DNS=212.12.50.158
 IPForward=ipv4
 IPv6AcceptRA=no
 [Address]
 Address=212.12.48.123/24
 [Route]
 Gateway=212.12.48.55
--- a/resources/chaosknoten/router/systemd_networkd/20-net2.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network
@ -1,14 +0,0 @@
 [Match]
 Name=net2
 [Network]
 #DNS=212.12.50.158
 IPForward=ipv6
 IPv6AcceptRA=no
 [Address]
 Address=2a00:14b0:4200:3500::130:2/112
 [Route]
 Gateway=2a00:14b0:4200:3500::130:1
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
@ -1,29 +0,0 @@
 [Match]
 Name=net0.2
 Type=vlan
 [Link]
 RequiredForOnline=no
 [Network]
 Description=v4-NAT
 # Masquerading done in nftables (nftables.conf).
 IPv6SendRA=yes
 DHCPServer=true
 [DHCPServer]
 PoolOffset=100
 PoolSize=150
 [Address]
 Address=10.32.2.1/24
 [IPv6SendRA]
 UplinkInterface=net2
 [IPv6Prefix]
 Prefix=2a00:14b0:42:102::/64
 Assign=true
 Token=static:::1
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
@ -1,29 +0,0 @@
 [Match]
 Name=net0.3
 Type=vlan
 [Link]
 RequiredForOnline=no
 [Network]
 Description=ci-runners
 # Masquerading done in nftables (nftables.conf).
 IPv6SendRA=yes
 DHCPServer=true
 [DHCPServer]
 PoolOffset=100
 PoolSize=150
 [Address]
 Address=10.32.3.1/24
 [IPv6SendRA]
 UplinkInterface=net2
 [IPv6Prefix]
 Prefix=2a00:14b0:42:103::/64
 Assign=true
 Token=static:::1
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@ -1,57 +0,0 @@
 # Source:
 # https://git.hamburg.ccc.de/CCCHH/sunders/src/branch/main/docker-compose.yml
 services:
  db:
    image: mariadb:12.1.2
    command: --max_allowed_packet=3250585600
    environment:
      MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
      MYSQL_DATABASE: camera
      MYSQL_USER: camera
      MYSQL_PASSWORD: "{{ secret__sunders_db_camera_password }}"
    volumes:
        - mariadb:/var/lib/mysql
    healthcheck:
      test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"]
      interval: 10s
      timeout: 5s
      start_period: 30s
      retries: 5
  web:
    image: git.hamburg.ccc.de/ccchh/sunders/web:latest
    environment:
      MYSQL_HOST: db
      MYSQL_DB: camera
      CAMERA_SELECT_USER: camera_select
      CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}"
      DEFAULT_ZOOM: 12
      DEFAULT_LAT: 0
      DEFAULT_LON: 0
      DEFAULT_LANGUAGE: en
      IMPRESSUM_URL: https://hamburg.ccc.de/imprint/
    ports:
      - "8080:80"
    depends_on:
      data_handler:
        condition: service_started
  data_handler:
    image: git.hamburg.ccc.de/ccchh/sunders/data_handler:latest
    environment:
      MYSQL_HOST: db
      MYSQL_DB: camera
      MYSQL_USER: root
      MYSQL_PASSWORD: "{{ secret__sunders_db_root_password }}"
      CAMERA_USER: camera
      CAMERA_USER_PASSWORD: "{{ secret__sunders_db_camera_password }}"
      CAMERA_SELECT_USER: camera_select
      CAMERA_SELECT_USER_PASSWORD: "{{ secret__sunders_db_camera_select_password }}"
    depends_on:
      db:
        condition: service_healthy
        restart: true
 volumes:
  mariadb:
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@ -1,42 +0,0 @@
 # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
    server_name sunders.hamburg.ccc.de;
    ssl_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sunders.hamburg.ccc.de/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/sunders.hamburg.ccc.de/chain.pem;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Port 443;
    # This is https in any case.
    proxy_set_header X-Forwarded-Proto https;
    # Hide the X-Forwarded header.
    proxy_hide_header X-Forwarded;
    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
    # is transparent).
    # Also provide "_hidden" for by, since it's not relevant.
    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
    location / {
        proxy_pass http://127.0.0.1:8080/;
    }
 }
--- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
@ -13,7 +13,7 @@ services:
    restart: unless-stopped
  redis:
-    image: docker.io/library/redis:7.4.7
+    image: docker.io/library/redis:7.4.6
    ports:
      - "6379:6379"
    volumes:
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
@ -38,7 +38,11 @@ server {
    location = / {
        #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
-        return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
+        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
    }
    location = /hackertours/eh22/ {
        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
    }
    location / {
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
@ -21,6 +21,6 @@ server {
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
-
+    
    return 302 https://wiki.hamburg.ccc.de$request_uri;
 }
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/zammad/docker_compose/.env.j2
+++ b/resources/chaosknoten/zammad/docker_compose/.env.j2
@ -1,4 +0,0 @@
 POSTGRES_PASS={{ secret__zammad_db_password }}
 POSTGRES_VERSION=15-alpine
 REDIS_VERSION=7-alpine
 NGINX_SERVER_SCHEME=https
--- a/resources/chaosknoten/zammad/docker_compose/compose.yaml
+++ b/resources/chaosknoten/zammad/docker_compose/compose.yaml
@ -1,149 +0,0 @@
 ---
 version: "3.8"
 # Taken from: https://github.com/zammad/zammad-docker-compose/blob/master/docker-compose.yml
 # Version: v14.1.1
 # Update from new tag by replacing all content.
 # Configuration should be done in the .env.j2.
 x-shared:
  zammad-service: &zammad-service
    environment: &zammad-environment
      MEMCACHE_SERVERS: ${MEMCACHE_SERVERS:-zammad-memcached:11211}
      POSTGRESQL_DB: ${POSTGRES_DB:-zammad_production}
      POSTGRESQL_HOST: ${POSTGRES_HOST:-zammad-postgresql}
      POSTGRESQL_USER: ${POSTGRES_USER:-zammad}
      POSTGRESQL_PASS: ${POSTGRES_PASS:-zammad}
      POSTGRESQL_PORT: ${POSTGRES_PORT:-5432}
      POSTGRESQL_OPTIONS: ${POSTGRESQL_OPTIONS:-?pool=50}
      POSTGRESQL_DB_CREATE:
      REDIS_URL: ${REDIS_URL:-redis://zammad-redis:6379}
      S3_URL:
      # Backup settings
      BACKUP_DIR: "${BACKUP_DIR:-/var/tmp/zammad}"
      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
      HOLD_DAYS: "${HOLD_DAYS:-10}"
      TZ: "${TZ:-Europe/Berlin}"
      # Allow passing in these variables via .env:
      AUTOWIZARD_JSON:
      AUTOWIZARD_RELATIVE_PATH:
      ELASTICSEARCH_ENABLED:
      ELASTICSEARCH_SCHEMA:
      ELASTICSEARCH_HOST:
      ELASTICSEARCH_PORT:
      ELASTICSEARCH_USER:
      ELASTICSEARCH_PASS:
      ELASTICSEARCH_NAMESPACE:
      ELASTICSEARCH_REINDEX:
      NGINX_PORT:
      NGINX_CLIENT_MAX_BODY_SIZE:
      NGINX_SERVER_NAME:
      NGINX_SERVER_SCHEME:
      RAILS_TRUSTED_PROXIES:
      ZAMMAD_HTTP_TYPE:
      ZAMMAD_FQDN:
      ZAMMAD_WEB_CONCURRENCY:
      ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS:
      ZAMMAD_PROCESS_SCHEDULED_JOBS_WORKERS:
      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
      # ZAMMAD_SESSION_JOBS_CONCURRENT is deprecated, please use ZAMMAD_PROCESS_SESSIONS_JOBS_WORKERS instead.
      ZAMMAD_SESSION_JOBS_CONCURRENT:
      # Variables used by ngingx-proxy container for reverse proxy creations
      # for docs refer to https://github.com/nginx-proxy/nginx-proxy
      VIRTUAL_HOST:
      VIRTUAL_PORT:
      # Variables used by acme-companion for retrieval of LetsEncrypt certificate
      # for docs refer to https://github.com/nginx-proxy/acme-companion
      LETSENCRYPT_HOST:
      LETSENCRYPT_EMAIL:
    image: ${IMAGE_REPO:-ghcr.io/zammad/zammad}:${VERSION:-6.5.2}
    restart: ${RESTART:-always}
    volumes:
      - zammad-storage:/opt/zammad/storage
    depends_on:
      - zammad-memcached
      - zammad-postgresql
      - zammad-redis
 services:
  zammad-backup:
    <<: *zammad-service
    command: ["zammad-backup"]
    volumes:
      - zammad-backup:/var/tmp/zammad
      - zammad-storage:/opt/zammad/storage:ro
    user: 0:0
  zammad-elasticsearch:
    image: elasticsearch:${ELASTICSEARCH_VERSION:-8.19.4}
    restart: ${RESTART:-always}
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
    environment:
      discovery.type: single-node
      xpack.security.enabled: 'false'
      ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
  zammad-init:
    <<: *zammad-service
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    restart: on-failure
    user: 0:0
  zammad-memcached:
    command: memcached -m 256M
    image: memcached:${MEMCACHE_VERSION:-1.6.39-alpine}
    restart: ${RESTART:-always}
  zammad-nginx:
    <<: *zammad-service
    command: ["zammad-nginx"]
    expose:
      - "${NGINX_PORT:-8080}"
    ports:
      - "${NGINX_EXPOSE_PORT:-8080}:${NGINX_PORT:-8080}"
    depends_on:
      - zammad-railsserver
  zammad-postgresql:
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-zammad_production}
      POSTGRES_USER: ${POSTGRES_USER:-zammad}
      POSTGRES_PASSWORD: ${POSTGRES_PASS:-zammad}
    image: postgres:${POSTGRES_VERSION:-17.6-alpine}
    restart: ${RESTART:-always}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
  zammad-railsserver:
    <<: *zammad-service
    command: ["zammad-railsserver"]
  zammad-redis:
    image: redis:${REDIS_VERSION:-7.4.5-alpine}
    restart: ${RESTART:-always}
    volumes:
      - redis-data:/data
  zammad-scheduler:
    <<: *zammad-service
    command: ["zammad-scheduler"]
  zammad-websocket:
    <<: *zammad-service
    command: ["zammad-websocket"]
 volumes:
  elasticsearch-data:
    driver: local
  postgresql-data:
    driver: local
  redis-data:
    driver: local
  zammad-backup:
    driver: local
  zammad-storage:
    driver: local
--- a/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/zammad/docker_compose/compose.yaml.j2
@ -0,0 +1,162 @@
 ---
 {#
 https://github.com/zammad/zammad-docker-compose
 Docker Compose does not allow defining variables in the compose file (only in .env files), so we use Jinja variables instead
 see https://github.com/zammad/zammad-docker-compose/blob/master/.env
 #}
 {%- set ELASTICSEARCH_VERSION = "8.19.4" | quote -%}
 {%- set IMAGE_REPO = "ghcr.io/zammad/zammad" | quote -%}
 {%- set MEMCACHE_SERVERS = "zammad-memcached:11211" | quote -%}
 {%- set MEMCACHE_VERSION = "1.6-alpine" | quote -%}
 {%- set POSTGRES_DB = "zammad_production" | quote -%}
 {%- set POSTGRES_HOST = "zammad-postgresql" | quote -%}
 {%- set POSTGRES_USER = "zammad" | quote -%}
 {%- set POSTGRES_PASS = secret__zammad_db_password | quote -%}
 {%- set POSTGRES_PORT = "5432" | quote -%}
 {%- set POSTGRES_VERSION = "15-alpine" | quote -%}
 {%- set REDIS_URL = "redis://zammad-redis:6379" | quote -%}
 {%- set REDIS_VERSION = "7-alpine" | quote -%}
 {%- set RESTART = "always" | quote -%}
 {%- set VERSION = "6" | quote -%}
 x-shared:
  zammad-service: &zammad-service
    environment: &zammad-environment
      MEMCACHE_SERVERS: {{ MEMCACHE_SERVERS }}
      POSTGRESQL_DB: {{ POSTGRES_DB }}
      POSTGRESQL_HOST: {{ POSTGRES_HOST }}
      POSTGRESQL_USER: {{ POSTGRES_USER }}
      POSTGRESQL_PASS: {{ POSTGRES_PASS }}
      POSTGRESQL_PORT: {{ POSTGRES_PORT }}
      REDIS_URL: {{ REDIS_URL }}
      # Allow passing in these variables via .env:
      AUTOWIZARD_JSON:
      AUTOWIZARD_RELATIVE_PATH:
      ELASTICSEARCH_ENABLED:
      ELASTICSEARCH_HOST:
      ELASTICSEARCH_PORT:
      ELASTICSEARCH_SCHEMA:
      ELASTICSEARCH_NAMESPACE:
      ELASTICSEARCH_REINDEX:
      ELASTICSEARCH_SSL_VERIFY:
      NGINX_PORT:
      NGINX_SERVER_NAME:
      NGINX_SERVER_SCHEME: https
      POSTGRESQL_DB_CREATE:
      POSTGRESQL_OPTIONS:
      RAILS_TRUSTED_PROXIES:
      ZAMMAD_WEB_CONCURRENCY:
      ZAMMAD_SESSION_JOBS:
      ZAMMAD_PROCESS_SCHEDULED:
      ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
    image: {{ IMAGE_REPO }}:{{ VERSION }}
    restart: {{ RESTART }}
    volumes:
      - zammad-storage:/opt/zammad/storage
      - zammad-var:/opt/zammad/var
    depends_on:
      - zammad-memcached
      - zammad-postgresql
      - zammad-redis
 services:
  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
      - zammad-postgresql
    entrypoint: /usr/local/bin/backup.sh
    environment:
      <<: *zammad-environment
      BACKUP_TIME: "03:00"
      HOLD_DAYS: "10"
      TZ: Europe/Berlin
    image: postgres:{{ POSTGRES_VERSION }}
    restart: {{ RESTART }}
    volumes:
      - zammad-backup:/var/tmp/zammad
      - zammad-storage:/opt/zammad/storage:ro
      - zammad-var:/opt/zammad/var:ro
      - ./scripts/backup.sh:/usr/local/bin/backup.sh:ro
  zammad-elasticsearch:
    image: elasticsearch:{{ ELASTICSEARCH_VERSION }}
    restart: {{ RESTART }}
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
    environment:
      discovery.type: single-node
      xpack.security.enabled: 'false'
      ES_JAVA_OPTS: ${ELASTICSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}
  zammad-init:
    <<: *zammad-service
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    restart: on-failure
    user: 0:0
    volumes:
      - zammad-storage:/opt/zammad/storage
      - zammad-var:/opt/zammad/var
  zammad-memcached:
    command: memcached -m 256M
    image: memcached:{{ MEMCACHE_VERSION }}
    restart: {{ RESTART }}
  zammad-nginx:
    <<: *zammad-service
    command: ["zammad-nginx"]
    expose:
      - "8080"
    ports:
      - "8080:8080"
    depends_on:
      - zammad-railsserver
    volumes:
      - zammad-var:/opt/zammad/var:ro # required for the zammad-ready check file
  zammad-postgresql:
    environment:
      POSTGRES_DB: {{ POSTGRES_DB }}
      POSTGRES_USER: {{ POSTGRES_USER }}
      POSTGRES_PASSWORD: {{ POSTGRES_PASS }}
    image: postgres:{{ POSTGRES_VERSION }}
    restart: {{ RESTART }}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
  zammad-railsserver:
    <<: *zammad-service
    command: ["zammad-railsserver"]
  zammad-redis:
    image: redis:{{ REDIS_VERSION }}
    restart: {{ RESTART }}
    volumes:
      - redis-data:/data
  zammad-scheduler:
    <<: *zammad-service
    command: ["zammad-scheduler"]
    volumes:
      - /ansible_docker_compose/zammad-scheduler-database.yml:/opt/zammad/config/database.yml # workaround for connection pool issue
  zammad-websocket:
    <<: *zammad-service
    command: ["zammad-websocket"]
 volumes:
  elasticsearch-data:
    driver: local
  postgresql-data:
    driver: local
  redis-data:
    driver: local
  zammad-backup:
    driver: local
  zammad-storage:
    driver: local
  zammad-var:
    driver: local
--- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
    # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/z9/yate/docker_compose/compose.yaml.j2
+++ b/resources/z9/yate/docker_compose/compose.yaml.j2
@ -17,4 +17,4 @@ services:
      - ./configs/accfile.conf:/opt/yate/etc/yate/accfile.conf
      - ./configs/regexroute.conf:/opt/yate/etc/yate/regexroute.conf
      - ./configs/regfile.conf:/opt/yate/etc/yate/regfile.conf
-      - ./lib-yate:/var/lib/yate
+      - ./lib-yate:/var/lib/yate
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@ -3,7 +3,6 @@
    - name: ensure apt dependencies are installed
      ansible.builtin.apt:
        name:
          - python3-pip
          - virtualenv
          - git
        state: present
--- a/roles/base_config/tasks/main.yaml
+++ b/roles/base_config/tasks/main.yaml
@ -1,13 +0,0 @@
 # Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
 - name: check if cloud-init config file exists
  ansible.builtin.stat:
    path: /etc/cloud/cloud.cfg
  register: base_config__stat_cloud_cfg
 - name: ensure the cloud-init ssh module is disabled
  ansible.builtin.replace:
    path: /etc/cloud/cloud.cfg
    regexp: " - ssh$"
    replace: " #- ssh"
  become: true
  when: base_config__stat_cloud_cfg.stat.exists
--- a/roles/certbot/meta/main.yaml
+++ b/roles/certbot/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@ -17,15 +17,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 {% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
 KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
 KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% else %}
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% endif %}
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
--- a/roles/docker/meta/main.yaml
+++ b/roles/docker/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/docker_compose/README.md
+++ b/roles/docker_compose/README.md
@ -1,24 +1,23 @@
 # Role `docker_compose`
 A role for deploying a Docker-Compose-based application.
-It deploys the given Compose file, an optional `.env` file, as well as configuration files to the specified hosts and makes sure all services are up-to-date and running.
+It deploys the given Compose file as well as configuration files to the specified hosts and makes sure all services are up-to-date and running.
-The Compose file gets deployed to `/ansible_docker_compose/compose.yaml`, the `.env` file to `/ansible_docker_compose/.env` and the configuration files get deployed into the `/ansible_docker_compose/configs/` directory.
+The Compose file gets deployed to `/ansible_docker_compose/compose.yaml` and the configuration files get deployed into the `/ansible_docker_compose/configs/` directory.
 A use case for the deployment of the additional configuration files is Composes top-level element `configs` in conjunction with the `configs` option for services.
 ## Supported Distributions
-Should work on Debian-based distributions.
+The following distributions are supported:
 - Debian 11
 ## Required Arguments
- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`.
+For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
-## Optional Arguments
+## `hosts`
- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`.
+The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running.
 - `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory.
 - `docker_compose__configuration_files.*.name`: The name of the configuration file.
 - `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file.
 ## Links & Resources
--- a/roles/docker_compose/defaults/main.yaml
+++ b/roles/docker_compose/defaults/main.yaml
@ -1 +1,2 @@
 docker_compose__configuration_files: [ ]
 docker_compose__restart_cmd: ""
--- a/roles/docker_compose/handlers/main.yaml
+++ b/roles/docker_compose/handlers/main.yaml
@ -1,11 +1,13 @@
 - name: docker compose down
-  community.docker.docker_compose_v2:
+  ansible.builtin.command:
-    project_src: /ansible_docker_compose
+    cmd: /usr/bin/docker compose down
-    state: absent
+    chdir: /ansible_docker_compose
  become: true
-
+  changed_when: true  # This is always changed.
- name: docker compose restart
+- name: docker compose reload script
-  community.docker.docker_compose_v2:
+  ansible.builtin.command:
-    project_src: /ansible_docker_compose
+    cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }}
-    state: restarted
+    chdir: /ansible_docker_compose
  become: true
  changed_when: true  # Mark this as always changed (for now?).
  when: docker_compose__restart_cmd != ""
--- a/roles/docker_compose/meta/argument_specs.yaml
+++ b/roles/docker_compose/meta/argument_specs.yaml
@ -2,20 +2,25 @@ argument_specs:
  main:
    options:
      docker_compose__compose_file_content:
        description: >-
          The content of the Compose file at
          `/ansible_docker_compose/compose.yaml`.
        type: str
        required: true
      docker_compose__env_file_content:
        type: str
        required: false
      docker_compose__configuration_files:
        description: >-
          A list of configuration files to be deployed in the
          `/ansible_docker_compose/configs/` directory.
        type: list
        elements: dict
        required: false
        default: [ ]
        options:
          name:
            description: The name of the configuration file.
            type: str
            required: true
          content:
            description: The content of the configuration file.
            type: str
            required: true
--- a/roles/docker_compose/meta/main.yaml
+++ b/roles/docker_compose/meta/main.yaml
@ -1,3 +1,10 @@
 ---
 dependencies:
  - role: distribution_check
    vars:
      distribution_check__distribution_support_spec:
        - name: Debian
          major_versions:
            - 11
            - 12
  - role: docker
--- a/roles/docker_compose/tasks/main.yaml
+++ b/roles/docker_compose/tasks/main.yaml
@ -17,17 +17,6 @@
  become: true
  notify: docker compose down
 - name: deploy the .env file
  ansible.builtin.copy:
    content: "{{ docker_compose__env_file_content }}"
    dest: /ansible_docker_compose/.env
    mode: "0644"
    owner: root
    group: root
  become: true
  when: docker_compose__env_file_content is defined
  notify: docker compose down
 - name: make sure the `/ansible_docker_compose/configs` directory exists
  ansible.builtin.file:
    path: /ansible_docker_compose/configs
@ -59,7 +48,7 @@
    state: absent
  become: true
  loop: "{{ docker_compose__config_files_to_remove.files }}"
-  notify: docker compose restart
+  # notify: docker compose down
 - name: make sure all given configuration files are deployed
  ansible.builtin.copy:
@ -70,19 +59,45 @@
    group: root
  become: true
  loop: "{{ docker_compose__configuration_files }}"
-  notify: docker compose restart
+  # notify: docker compose down
  notify: docker compose reload script
- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now
+- name: Flush handlers to make "docker compose down" handler run now
  ansible.builtin.meta: flush_handlers
- name: docker compose up
+- name: docker compose ps --format json before docker compose up
-  community.docker.docker_compose_v2:
+  ansible.builtin.command:
-    project_src: /ansible_docker_compose
+    cmd: /usr/bin/docker compose ps --format json
-    state: present
+    chdir: /ansible_docker_compose
    build: always
    pull: always
    remove_orphans: true
  become: true
  changed_when: false
  register: docker_compose__ps_json_before_up
 - name: docker compose up --detach --pull always --build
  ansible.builtin.command:
    cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans
    chdir: /ansible_docker_compose
  become: true
  changed_when: false
  # The changed for this task is tried to be determined by the "potentially
  # report changed" task together with the "docker compose ps --format json
  # [...]" tasks.
 - name: docker compose ps --format json after docker compose up
  ansible.builtin.command:
    cmd: /usr/bin/docker compose ps --format json
    chdir: /ansible_docker_compose
  become: true
  changed_when: false
  register: docker_compose__ps_json_after_up
 # Doesn't work anymore. Dunno why.
 # TODO: Fix
 # - name: potentially report changed
 #   ansible.builtin.debug:
 #     msg: "If this reports changed, then the docker compose containers changed."
 #   changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort)
 #                 != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort)
 - name: Make sure anacron is installed
  become: true
--- a/roles/dokuwiki/meta/main.yml
+++ b/roles/dokuwiki/meta/main.yml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - 11
            - 12
            - 13
--- a/roles/foobazdmx/meta/main.yaml
+++ b/roles/foobazdmx/meta/main.yaml
@ -0,0 +1,8 @@
 ---
 dependencies:
  - role: distribution_check
    vars:
      distribution_check__distribution_support_spec:
        - name: Debian
          major_versions:
            - "11"
--- a/roles/foobazdmx/tasks/main.yaml
+++ b/roles/foobazdmx/tasks/main.yaml
@ -7,7 +7,11 @@
      - python3
      - python3-pip
      - python3-setuptools
-      - python3-poetry
+
 - name: Ensure python peotry is installed
  become: true
  ansible.builtin.pip:
    name: poetry
 - name: Ensure foobazdmx user exists
  become: true
--- a/roles/netbox/handlers/main.yaml
+++ b/roles/netbox/handlers/main.yaml
@ -14,3 +14,11 @@
  loop:
    - "netbox.service"
    - "netbox-rq.service"
 - name: Ensure netbox housekeeping timer is set up and up-to-date
  ansible.builtin.systemd_service:
    daemon_reload: true
    name: "netbox-housekeeping.timer"
    enabled: true
    state: restarted
  become: true
--- a/roles/netbox/tasks/main.yaml
+++ b/roles/netbox/tasks/main.yaml
@ -108,3 +108,17 @@
    - "netbox.service"
    - "netbox-rq.service"
  notify: Ensure netbox systemd services are set up and up-to-date
 - name: Ensure provided housekeeping systemd service and timer are copied
  ansible.builtin.copy:
    remote_src: true
    src: "/opt/netbox/contrib/{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    mode: "0644"
    owner: root
    group: root
  become: true
  loop:
    - "netbox-housekeeping.service"
    - "netbox-housekeeping.timer"
  notify: Ensure netbox housekeeping timer is set up and up-to-date
--- a/roles/nextcloud/templates/compose.yaml.j2
+++ b/roles/nextcloud/templates/compose.yaml.j2
@ -32,9 +32,9 @@ services:
      OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
      OVERWRITEHOST: "{{ nextcloud__fqdn }}"
      OVERWRITEPROTOCOL: "https"
-
+    
  db:
-    image: docker.io/library/postgres:{{ nextcloud__postgres_version }}
+    image: postgres:{{ nextcloud__postgres_version }}
    restart: unless-stopped
    #ports:
    #  - 127.0.0.1:5432:5432
@ -48,7 +48,7 @@ services:
      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
  redis:
-    image: docker.io/library/redis:alpine
+    image: redis:alpine
    restart: unless-stopped
    networks:
      - nextcloud
--- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@ -4,7 +4,6 @@
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
--- a/roles/nftables/README.md
+++ b/roles/nftables/README.md
@ -1,11 +0,0 @@
 # Role `nftables`
 Deploys nftables.
 ## Support Distributions
 Should work on Debian-based distributions.
 ## Required Arguments
 - `nftables__config`: nftables configuration to deploy.
--- a/roles/nftables/handlers/main.yaml
+++ b/roles/nftables/handlers/main.yaml
@ -1,5 +0,0 @@
 - name: Restart nftables service
  ansible.builtin.systemd_service:
    name: nftables
    state: restarted
  become: true
--- a/roles/nftables/meta/argument_specs.yaml
+++ b/roles/nftables/meta/argument_specs.yaml
@ -1,6 +0,0 @@
 argument_specs:
  main:
    options:
      nftables__config:
        type: str
        required: true
--- a/roles/nftables/tasks/main.yaml
+++ b/roles/nftables/tasks/main.yaml
@ -1,15 +0,0 @@
 - name: ensure nftables is installed
  ansible.builtin.apt:
    name: nftables
    state: present
  become: true
 - name: deploy nftables configuration
  ansible.builtin.copy:
    content: "{{ nftables__config }}"
    dest: "/etc/nftables.conf"
    mode: "0644"
    owner: root
    group: root
  become: true
  notify: Restart nftables service
--- a/roles/nginx/meta/main.yaml
+++ b/roles/nginx/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"
--- a/roles/ola/meta/main.yaml
+++ b/roles/ola/meta/main.yaml
@ -0,0 +1,8 @@
 ---
 dependencies:
  - role: distribution_check
    vars:
      distribution_check__distribution_support_spec:
        - name: Debian
          major_versions:
            - "11"
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ b/roles/prometheus_node_exporter/meta/main.yaml
@ -7,4 +7,3 @@ dependencies:
          major_versions:
            - "11"
            - "12"
            - "13"
--- a/roles/renovate/files/renovate.service
+++ b/roles/renovate/files/renovate.service
@ -6,8 +6,5 @@ Wants=network-online.target
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/docker run --rm \
    --pull=always \
    -v "/etc/renovate/config.js:/usr/src/app/config.js" \
-    --mount "type=volume,src=renovate,dst=/tmp/renovate" \
+    renovate/renovate
    --env "RENOVATE_BASE_DIR=/tmp/renovate" \
    docker.io/renovate/renovate:latest
--- a/roles/systemd_networkd/README.md
+++ b/roles/systemd_networkd/README.md
@ -1,11 +0,0 @@
 # Role `systemd_networkd`
 Deploys the given systemd-networkd configuration files.
 ## Support Distributions
 Should work on Debian-based distributions.
 ## Required Arguments
 - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
--- a/roles/systemd_networkd/meta/argument_specs.yaml
+++ b/roles/systemd_networkd/meta/argument_specs.yaml
@ -1,6 +0,0 @@
 argument_specs:
  main:
    options:
      systemd_networkd__config_dir:
        type: path
        required: true
--- a/roles/systemd_networkd/tasks/main.yaml
+++ b/roles/systemd_networkd/tasks/main.yaml
@ -1,14 +0,0 @@
 - name: ensure rsync is installed
  ansible.builtin.apt:
    name: rsync
    state: present
  become: true
 - name: synchronize systemd-networkd configs
  ansible.posix.synchronize:
    src: "{{ systemd_networkd__config_dir }}"
    dest: "/etc/systemd/network"
    archive: false
    recursive: true
    delete: true
  become: true
Author	SHA1	Message	Date
June	385f625c10	ci: move Ansible Lint job to ubuntu-latest runner to make it work again Some checks failed / Ansible Lint (push) Failing after 1m20s Details Move Ansible Lint job to ubuntu-latest runner to make it work again. Moving it to the ubuntu-latest runner also removes the need for manual dependency setup.	2025-10-22 00:42:30 +02:00
June	96ecd033c8	(test) disable semantic commit prefixes Some checks failed / Ansible Lint (push) Failing after 50s Details	2025-10-22 00:29:59 +02:00
`@ -1 +1,2 @@`
	`docker_compose__configuration_files: [ ]`	`docker_compose__configuration_files: [ ]`
		`docker_compose__restart_cmd: ""`