Ansible Playbooks and related configuration for CCCHH infrastructure https://infra-docs.hamburg.ccc.de/

CCCHH Ansible Repository

The following devices and servers are managed by this Ansible repository:

  • Various VMs on the ThinkCCCluster
  • Various VMs on the Chaosknoten

Host-specific configuration files live under resources/ and are loaded for each host via a host_vars file in the inventory.

Galaxy collections and roles

For some aspects we use collections and roles from Ansible Galaxy. These are vendored in this repo under ansible_collections and galaxy-roles respectively.

To update our vendored copies, run the following (and review the resulting diff before committing, since it pulls third-party code into the repo):

ansible-galaxy install -r requirements.yml
ansible-galaxy role install -r requirements.yml

Secrets

Generally try to avoid secrets (e.g. use SSH keys instead of passwords).

Because secrets are nonetheless needed sometimes, we use SOPS to securely store secrets in this repository.
SOPS encrypts secrets according to "creation rules" defined in .sops.yaml. Generally all secrets get encrypted for the GPG keys of all members of the infrastructure team.
Ansible then reads the secrets through the community.sops.sops vars plugin, which is configured in this repository. A local Ansible run uses the locally available GPG key to decrypt them, so anyone who wants to deploy needs their own key listed in .sops.yaml and the affected files re-encrypted for it.

For a tutorial on how to set up SOPS for a new host, see SOPS: New Host.

Updating SOPS files after swapping out a GPG key

When a GPG key expires or is replaced, update the key list in .sops.yaml and then re-encrypt all files with the updated list of keys; editing .sops.yaml alone does not touch files that are already encrypted. You need one of the still-valid keys available locally, because sops has to decrypt each file's data key before re-wrapping it for the new recipient list. Run the following command; it takes a considerable amount of time (minutes). Keep in mind that the previous ciphertext stays in the git history, so if a key was compromised rather than merely expired, rotate the secrets themselves as well.

find inventories -name "*.sops.*" | xargs sops updatekeys --yes
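The following is an added example, not code from the ansible-ccchh repository. It wraps the rotation step above in POSIX shell and adds the check a practitioner wants afterwards: counting how many files still list a given fingerprint as a recipient, which also serves the Secrets section's point that a key only helps once the files are actually encrypted for it. Assumed: the repo's convention that encrypted files are named *.sops.* and live under inventories/ (the same pattern the find command above uses), and a sops binary on PATH for the rotate step only. The file written by write_sample_sops_file is a constructed sample that only mimics the metadata layout sops produces; its ciphertext and PGP payloads are dummies.

```shell
#!/bin/sh
# Added example, not part of the ansible-ccchh repository. Helpers around the
# SOPS key rotation described above. Assumes the repo's naming convention
# (encrypted files are named *.sops.* and kept under inventories/) and, for
# the rotate step only, a sops binary on PATH.
set -eu

# List every SOPS-encrypted file below DIR, one per line, in a stable order.
list_sops_files() {
    find "$1" -type f -name '*.sops.*' | LC_ALL=C sort
}

# Re-encrypt the data key of every SOPS file below DIR for the recipients
# currently listed in .sops.yaml. NUL-separated names survive odd file names,
# and one sops invocation per file (-n1) means a file that fails, e.g. because
# none of your local keys can decrypt it, is reported on its own and xargs
# exits non-zero (123) instead of hiding the failure inside one batch call.
update_keys_all() {
    find "$1" -type f -name '*.sops.*' -print0 | xargs -0 -r -n1 sops updatekeys --yes
}

# Count the files below DIR whose sops metadata still names FINGERPRINT as a
# PGP recipient. sops records each recipient in the trailing "sops:" block as
# "fp: <40 uppercase hex digits>", so a literal grep is enough to audit whether
# a removed or expired key is really gone after update_keys_all has run.
count_files_for_fingerprint() {
    dir=$1
    fp=$2
    find "$dir" -type f -name '*.sops.*' -exec grep -l -F "fp: $fp" {} + | wc -l | tr -d ' '
}

# Write a constructed sops-style host_vars file to PATH, "encrypted" for the
# two given fingerprints. Ciphertext and PGP payloads are dummies that only
# mimic the layout sops produces; use it to try the audit offline.
write_sample_sops_file() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
db_password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    pgp:
        - created_at: "2026-05-20T00:00:00Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            dummy
            -----END PGP MESSAGE-----
          fp: $2
        - created_at: "2026-05-20T00:00:00Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            dummy
            -----END PGP MESSAGE-----
          fp: $3
    version: 3.9.0
EOF
}

# Usage: sh rotate.sh rotate [DIR]            -> re-encrypt everything
#        sh rotate.sh audit [DIR] FINGERPRINT  -> files still listing the key
case "${1:-}" in
    rotate) update_keys_all "${2:-inventories}" ;;
    audit)  count_files_for_fingerprint "${2:-inventories}" "$3" ;;
    *)      ;;
esac
```

After a rotation, `audit inventories <old fingerprint>` should print 0; any other number points at files that sops could not re-encrypt, typically because they are not covered by a creation rule in .sops.yaml or because no local key could decrypt them.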

Running the playbook for individual hosts only

A few of the hosts share the same name across inventories, which makes it a bit harder to run the playbook for just one of them, e.g. public-reverse-proxy. Combining --inventory and --limit does the trick (append --list-hosts first to see which hosts the selection matches without running anything):

ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy

License

This CCCHH ansible-ccchh repository is licensed under the MIT License.
custom_pipeline_oidc_group_and_role_mapping.py is licensed under the Creative Commons: CC BY-SA 4.0 license.