From 0f8c0ffef9b96762618e5bd8164d8e983cc204bf Mon Sep 17 00:00:00 2001 From: ViMaSter Date: Sat, 1 Nov 2025 21:50:01 +0100 Subject: [PATCH 001/104] fix: Replaces password in healthcheck with dynamic secret --- resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index a5cfc5b8..aa37f87d 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: volumes: - mariadb:/var/lib/mysql healthcheck: - test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"] + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_camera_password }}"] interval: 10s timeout: 5s start_period: 30s From 53b2f491f87c8f3dac3c8240affaf96ddb33bda0 Mon Sep 17 00:00:00 2001 From: ViMaSter Date: Sat, 1 Nov 2025 21:53:43 +0100 Subject: [PATCH 002/104] fix: Uses root password --- resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index aa37f87d..fbec2583 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: volumes: - mariadb:/var/lib/mysql healthcheck: - test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_camera_password }}"] + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"] interval: 10s timeout: 5s start_period: 30s From c3f71b1f0801ddf0f1265dbf057ebf295ed73acf Mon Sep 17 00:00:00 2001 From: ViMaSter Date: Sun, 2 Nov 2025 20:24:55 +0100 Subject: [PATCH 003/104] sunders: replace password in healthcheck with dynamic secret https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/55 Co-authored-by: ViMaSter Co-committed-by: ViMaSter --- resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index a5cfc5b8..fbec2583 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: volumes: - mariadb:/var/lib/mysql healthcheck: - test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"] + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"] interval: 10s timeout: 5s start_period: 30s From 8cefd07618b575ce41ddecae05890a48a62bfa0a Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 23:59:38 +0200 Subject: [PATCH 004/104] docker_compose(role): remove distribution check The distribution check isn't really needed in our setup anyway and just adds unnecessary noise. --- roles/docker_compose/README.md | 4 +--- roles/docker_compose/meta/main.yaml | 7 ------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index d3204ecf..14d0107e 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -7,9 +7,7 @@ A use case for the deployment of the additional configuration files is Composes ## Supported Distributions -The following distributions are supported: - -- Debian 11 +Should work on Debian-based distributions. ## Required Arguments diff --git a/roles/docker_compose/meta/main.yaml b/roles/docker_compose/meta/main.yaml index b9a6980e..cb7d8e04 100644 --- a/roles/docker_compose/meta/main.yaml +++ b/roles/docker_compose/meta/main.yaml @@ -1,10 +1,3 @@ --- dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - 11 - - 12 - role: docker From e390b7c20249b0eed56bf34ff3360f91f26958fa Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:00:58 +0200 Subject: [PATCH 005/104] docker_compose(role): remove unnecessary hosts section from README The hosts section isn't really relevant for that role, so remove it. --- roles/docker_compose/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 14d0107e..7246899b 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -13,10 +13,6 @@ Should work on Debian-based distributions. For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## `hosts` - -The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running. - ## Links & Resources - From 9f8d2d89cd8e17c2c23230764696410e2c9061d6 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:07:36 +0200 Subject: [PATCH 006/104] docker_compose(role): move argument documentation to README Do this to match newer roles and since reading documentation from argument_specs is quite unergonomic. --- roles/docker_compose/README.md | 9 ++++++++- roles/docker_compose/meta/argument_specs.yaml | 11 ----------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 7246899b..c0a7a93d 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -11,7 +11,14 @@ Should work on Debian-based distributions. ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`. + +## Optional Arguments + +- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`. +- `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. +- `docker_compose__configuration_files.*.name`: The name of the configuration file. +- `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. ## Links & Resources diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml index c588ba00..664496e1 100644 --- a/roles/docker_compose/meta/argument_specs.yaml +++ b/roles/docker_compose/meta/argument_specs.yaml @@ -2,31 +2,20 @@ argument_specs: main: options: docker_compose__compose_file_content: - description: >- - The content of the Compose file at - `/ansible_docker_compose/compose.yaml`. type: str required: true docker_compose__env_file_content: - description: >- - The content of the .env file at - `/ansible_docker_compose/.env`. type: str required: false docker_compose__configuration_files: - description: >- - A list of configuration files to be deployed in the - `/ansible_docker_compose/configs/` directory. type: list elements: dict required: false default: [ ] options: name: - description: The name of the configuration file. type: str required: true content: - description: The content of the configuration file. type: str required: true From ae60d6fea6305f6719d33042373eea40d121e597 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 2 Nov 2025 23:13:20 +0100 Subject: [PATCH 007/104] docker_compose(role): use community.docker.docker_compose_v2 module Use the community.docker.docker_compose_v2 module as it supports proper changed handling out of the box, making the roles code more straightforward and work. Also just do a docker compose restart instead of having the custom docker compose reload script. https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html --- inventories/z9/host_vars/yate.yaml | 1 - requirements.yml | 3 ++ roles/docker_compose/defaults/main.yaml | 1 - roles/docker_compose/handlers/main.yaml | 18 +++++----- roles/docker_compose/tasks/main.yaml | 46 ++++++------------------- 5 files changed, 21 insertions(+), 48 deletions(-) diff --git a/inventories/z9/host_vars/yate.yaml b/inventories/z9/host_vars/yate.yaml index d2dc5180..fecacb1e 100644 --- a/inventories/z9/host_vars/yate.yaml +++ b/inventories/z9/host_vars/yate.yaml @@ -6,4 +6,3 @@ docker_compose__configuration_files: content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}" - name: regfile.conf content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}" -docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'" diff --git a/requirements.yml b/requirements.yml index e5538cc9..6011bdab 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,3 +6,6 @@ collections: - name: community.sops version: ">=2.2.4" source: https://galaxy.ansible.com + - name: community.docker + version: ">=5.0.0" + source: https://galaxy.ansible.com diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 13129726..76831d6c 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1,2 +1 @@ docker_compose__configuration_files: [ ] -docker_compose__restart_cmd: "" diff --git a/roles/docker_compose/handlers/main.yaml b/roles/docker_compose/handlers/main.yaml index 49e064cd..2aff0fef 100644 --- a/roles/docker_compose/handlers/main.yaml +++ b/roles/docker_compose/handlers/main.yaml @@ -1,13 +1,11 @@ - name: docker compose down - ansible.builtin.command: - cmd: /usr/bin/docker compose down - chdir: /ansible_docker_compose + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: absent become: true - changed_when: true # This is always changed. -- name: docker compose reload script - ansible.builtin.command: - cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }} - chdir: /ansible_docker_compose + +- name: docker compose restart + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: restarted become: true - changed_when: true # Mark this as always changed (for now?). - when: docker_compose__restart_cmd != "" diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index 7b013048..bea3f4fb 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml @@ -59,7 +59,7 @@ state: absent become: true loop: "{{ docker_compose__config_files_to_remove.files }}" - # notify: docker compose down + notify: docker compose restart - name: make sure all given configuration files are deployed ansible.builtin.copy: @@ -70,45 +70,19 @@ group: root become: true loop: "{{ docker_compose__configuration_files }}" - # notify: docker compose down - notify: docker compose reload script + notify: docker compose restart -- name: Flush handlers to make "docker compose down" handler run now +- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now ansible.builtin.meta: flush_handlers -- name: docker compose ps --format json before docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose +- name: docker compose up + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: present + build: always + pull: always + remove_orphans: true become: true - changed_when: false - register: docker_compose__ps_json_before_up - -- name: docker compose up --detach --pull always --build - ansible.builtin.command: - cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans - chdir: /ansible_docker_compose - become: true - changed_when: false - # The changed for this task is tried to be determined by the "potentially - # report changed" task together with the "docker compose ps --format json - # [...]" tasks. - -- name: docker compose ps --format json after docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose - become: true - changed_when: false - register: docker_compose__ps_json_after_up - -# Doesn't work anymore. Dunno why. -# TODO: Fix -# - name: potentially report changed -# ansible.builtin.debug: -# msg: "If this reports changed, then the docker compose containers changed." -# changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort) -# != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort) - name: Make sure anacron is installed become: true From d690f81e3df40f85665d3c52ddc8d8f4418aebe1 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Wed, 5 Nov 2025 23:08:08 +0100 Subject: [PATCH 008/104] deploy_ssh_server_config: setup ssh pq cryptography --- roles/deploy_ssh_server_config/templates/sshd_config.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2 index eefafa46..307f2133 100644 --- a/roles/deploy_ssh_server_config/templates/sshd_config.j2 +++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2 @@ -17,7 +17,15 @@ HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key + +{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %} +KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +{% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %} +KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +{% else %} KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +{% endif %} + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr From cffe5c2b1642c14839baf750e82d65bbe141d8fe Mon Sep 17 00:00:00 2001 From: June Date: Thu, 6 Nov 2025 18:25:29 +0100 Subject: [PATCH 009/104] dooris: use hostname instead of IP --- inventories/z9/hosts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 9d5bb09c..9f4a6920 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -4,7 +4,7 @@ all: ansible_host: authoritative-dns.z9.ccchh.net ansible_user: chaos dooris: - ansible_host: 10.31.208.201 + ansible_host: dooris.z9.ccchh.net ansible_user: chaos light: ansible_host: light.z9.ccchh.net From aeec08fce8573b0625e60f9bee4027b575933fbe Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 6 Nov 2025 21:16:36 +0100 Subject: [PATCH 010/104] remove distribution checks Signed-Off-By: june --- roles/foobazdmx/meta/main.yaml | 8 -------- roles/ola/meta/main.yaml | 8 -------- 2 files changed, 16 deletions(-) delete mode 100644 roles/foobazdmx/meta/main.yaml delete mode 100644 roles/ola/meta/main.yaml diff --git a/roles/foobazdmx/meta/main.yaml b/roles/foobazdmx/meta/main.yaml deleted file mode 100644 index 386685c3..00000000 --- a/roles/foobazdmx/meta/main.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" diff --git a/roles/ola/meta/main.yaml b/roles/ola/meta/main.yaml deleted file mode 100644 index 386685c3..00000000 --- a/roles/ola/meta/main.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" From 63917722ff0a9d292aa012eaa2dfcc6baf15fcae Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 6 Nov 2025 21:16:36 +0100 Subject: [PATCH 011/104] fix foobazdmx role poetry is available via apt now so we install it that way --- roles/foobazdmx/tasks/main.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/foobazdmx/tasks/main.yaml b/roles/foobazdmx/tasks/main.yaml index f6e60974..33197b5c 100644 --- a/roles/foobazdmx/tasks/main.yaml +++ b/roles/foobazdmx/tasks/main.yaml @@ -7,11 +7,7 @@ - python3 - python3-pip - python3-setuptools - -- name: Ensure python peotry is installed - become: true - ansible.builtin.pip: - name: poetry + - python3-poetry - name: Ensure foobazdmx user exists become: true From 6fea98ffd219395e206f227d9ebb47a8e9aacae9 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Fri, 7 Nov 2025 20:09:02 +0100 Subject: [PATCH 012/104] Redirect to 39c3 instead of eh22 --- .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 40882d8f..9e2ca26b 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -38,11 +38,7 @@ server { location = / { #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix; - return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/; - } - - location = /hackertours/eh22/ { - return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/; + return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/; } location / { From 5f6000adcadb0be3dc917f2b5aaf55b15a7f5d9d Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 11 Nov 2025 22:47:42 +0100 Subject: [PATCH 013/104] ssh_config: also enable sntrup761x25519-sha512 for Debain 13 tldr: PQC algorithms are complex but sntrup still is not brocken --- roles/deploy_ssh_server_config/templates/sshd_config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2 index 307f2133..c967502c 100644 --- a/roles/deploy_ssh_server_config/templates/sshd_config.j2 +++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2 @@ -19,7 +19,7 @@ HostKey /etc/ssh/ssh_host_ecdsa_key {% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %} -KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 {% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %} KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 {% else %} From 80acd5fdc62366260a8d88113ed46963fe2616a7 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 11 Nov 2025 23:03:59 +0100 Subject: [PATCH 014/104] grafana: store date for up to 28 days --- resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index d739b2fa..c5b8f2d6 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -8,6 +8,7 @@ services: - '--config.file=/etc/prometheus/prometheus.yml' - '--web.enable-remote-write-receiver' - '--enable-feature=promql-experimental-functions' + - '--storage.tsdb.retention.time=28d' ports: - 9090:9090 restart: unless-stopped From ddab1576007b222cf9b1ff752626d7d979b47d5a Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Nov 2025 14:24:21 +0100 Subject: [PATCH 015/104] don't pin digests anymore The benefit of digest pinning isn't that great for this project really and it comes at the cost of more issues and additional renovate noise, so just don't anymore. Adjust renovate config accordingly as well. --- .forgejo/workflows/lint.yaml | 4 ++-- renovate.json | 18 ++++++++---------- .../ccchoir/docker_compose/compose.yaml.j2 | 4 ++-- .../grafana/docker_compose/compose.yaml.j2 | 18 +++++++++--------- .../keycloak/docker_compose/compose.yaml.j2 | 2 +- .../lists/docker_compose/compose.yaml | 6 +++--- .../ntfy/docker_compose/compose.yaml.j2 | 2 +- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../pad/docker_compose/compose.yaml.j2 | 4 ++-- .../pretalx/docker_compose/compose.yaml.j2 | 10 +++++----- .../tickets/docker_compose/compose.yaml.j2 | 6 +++--- .../docker_compose/compose.yaml.j2 | 2 +- 12 files changed, 38 insertions(+), 40 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index a867c139..23bf6d2d 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5 - name: Install pip run: | apt update @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.9.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/renovate.json b/renovate.json index 7e604c1c..711c6273 100644 --- a/renovate.json +++ b/renovate.json @@ -1,13 +1,17 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:recommended", // Included in config:best-practices anyway, but added for clarity. - "config:best-practices", + "config:recommended", + // Parts from config:best-practices: + // https://docs.renovatebot.com/presets-config/#configbest-practices + ":configMigration", + "abandonments:recommended", + "security:minimumReleaseAgeNpm", + ":ignoreUnstable", ":disableRateLimiting", ":rebaseStalePrs", - ":label(renovate)", - "group:allDigest" + ":label(renovate)" ], "semanticCommits": "disabled", "packageRules": [ @@ -28,12 +32,6 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" - }, - // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images. - { - "matchDatasources": ["docker"], - "matchPackageNames": ["git.hamburg.ccc.de/*"], - "pinDigests": false } ], "customManagers": [ diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 index ffe491bd..c2108d8a 100644 --- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71 + image: docker.io/library/mariadb:11 environment: - "MARIADB_DATABASE=wordpress" - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}" @@ -17,7 +17,7 @@ services: restart: unless-stopped app: - image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4 + image: docker.io/library/wordpress:6-php8.1 environment: - "WORDPRESS_DB_HOST=database" - "WORDPRESS_DB_NAME=wordpress" diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index c5b8f2d6..74d79166 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7 + image: docker.io/prom/prometheus:v3.7.2 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba + image: docker.io/prom/alertmanager:v0.28.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b + image: docker.io/grafana/grafana:12.2.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df + image: docker.io/prompve/prometheus-pve-exporter:3.5.5 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8 + image: docker.io/grafana/loki:3.5.7 container_name: loki ports: - 13100:3100 @@ -70,7 +70,7 @@ services: - loki_data:/var/loki ntfy-alertmanager-ccchh-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh-critical volumes: - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config @@ -79,7 +79,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux-critical volumes: - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config @@ -88,7 +88,7 @@ services: restart: unless-stopped ntfy-alertmanager-ccchh: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh volumes: - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config @@ -97,7 +97,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux volumes: - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index d91a2549..9fde7083 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb + image: docker.io/library/postgres:15.14 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index 8537ead0..cdfd70a2 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -1,7 +1,7 @@ services: mailman-core: restart: unless-stopped - image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-core hostname: mailman-core volumes: @@ -25,7 +25,7 @@ services: mailman-web: restart: unless-stopped - image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-web hostname: mailman-web depends_on: @@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a + image: docker.io/library/postgres:12-alpine volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 07e8d9ec..9fe2a7a6 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef + image: docker.io/binwiederhier/ntfy:v2.14.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index 5c9a42a3..f3444ac8 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d + image: docker.io/onlyoffice/documentserver:9.1.0 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 70dc7e6a..455caa39 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73 + image: quay.io/hedgedoc/hedgedoc:1.10.3 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 243a468d..3de7eaca 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd + image: docker.io/library/redis:8.2.2 restart: unless-stopped volumes: - redis:/data @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f + image: docker.io/library/nginx:1.29.3 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index deb9f509..6509a99c 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514 + image: docker.io/library/redis:7.4.6 ports: - "6379:6379" volumes: @@ -25,7 +25,7 @@ services: backend: pretix: - image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe + image: docker.io/pretix/standalone:2024.8 command: ["all"] ports: - "8345:80" diff --git a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 index 52d57dfd..b6752faf 100644 --- a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 +++ b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ services: # https://github.com/richardg867/WaybackProxy waybackproxy: - image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e + image: cttynul/waybackproxy:latest environment: DATE: 19990101 DATE_TOLERANCE: 730 From 0eaaf9227c730d0c0efe9f60381ecd38fee1d0ef Mon Sep 17 00:00:00 2001 From: Renovate Date: Wed, 19 Nov 2025 13:30:39 +0000 Subject: [PATCH 016/104] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++---- .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 23bf6d2d..d29fb6e1 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.11.0 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index 0cbcd4d1..fc4e23c2 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,7 +1,7 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.14 +nextcloud__postgres_version: 15.15 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 60dd94ad..3be8bdde 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.5" +netbox__version: "v4.4.6" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 74d79166..2d598f96 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2 + image: docker.io/prom/prometheus:v3.7.3 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1 + image: docker.io/prom/alertmanager:v0.29.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1 + image: docker.io/grafana/grafana:12.3.0 container_name: grafana ports: - 3000:3000 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7 + image: docker.io/grafana/loki:3.6.0 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 9fde7083..a260ab11 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14 + image: docker.io/library/postgres:15.15 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 9fe2a7a6..50df05d5 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0 + image: docker.io/binwiederhier/ntfy:v2.15.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 3de7eaca..dda67bb0 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2 + image: docker.io/library/redis:8.4.0 restart: unless-stopped volumes: - redis:/data diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 6509a99c..938883b0 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6 + image: docker.io/library/redis:7.4.7 ports: - "6379:6379" volumes: From df3710f0196206bbfae0996dcbc1ed7b9d8f09bf Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 2 Dec 2025 22:55:29 +0100 Subject: [PATCH 017/104] grafana: set alloy to version v1.11.3 1.12.0 is buggy --- inventories/chaosknoten/host_vars/grafana.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 2e3672e2..0037fcc0 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" - +alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From c39cb0e3909ca53df08e6389603cfbb77e32da2b Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 6 Dec 2025 22:11:53 +0100 Subject: [PATCH 018/104] we dont need to set a specific alloy version --- inventories/chaosknoten/host_vars/grafana.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 0037fcc0..ecc942c8 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,6 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From 766aa125c4da85009ae7d3023be55dbc37c47d65 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 23 Feb 2025 18:49:19 +0100 Subject: [PATCH 019/104] router(host): introduce router --- inventories/chaosknoten/hosts.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index b9e6358b..e668d498 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -51,6 +51,9 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos + router: + ansible_host: router.hamburg.ccc.de + ansible_user: chaos wiki: ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos @@ -88,6 +91,7 @@ base_config_hosts: pad: pretalx: public-reverse-proxy: + router: tickets: wiki: zammad: @@ -173,6 +177,7 @@ infrastructure_authorized_keys_hosts: pad: pretalx: public-reverse-proxy: + router: wiki: zammad: ntfy: From d6ba70523cd45b95845acb49741bbaa699703994 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 20:05:02 +0200 Subject: [PATCH 020/104] systemd_networkd(role): introd. role for deploy. systemd-networkd config --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/systemd_networkd/README.md | 11 +++++++++++ roles/systemd_networkd/meta/argument_specs.yaml | 6 ++++++ roles/systemd_networkd/tasks/main.yaml | 14 ++++++++++++++ 5 files changed, 38 insertions(+) create mode 100644 roles/systemd_networkd/README.md create mode 100644 roles/systemd_networkd/meta/argument_specs.yaml create mode 100644 roles/systemd_networkd/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e668d498..51d2b562 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -98,6 +98,8 @@ base_config_hosts: ntfy: sunders: renovate: +systemd_networkd_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index d7bacac2..ec7db509 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -4,6 +4,11 @@ roles: - base_config +- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts + hosts: systemd_networkd_hosts + roles: + - systemd_networkd + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md new file mode 100644 index 00000000..3297c47e --- /dev/null +++ b/roles/systemd_networkd/README.md @@ -0,0 +1,11 @@ +# Role `systemd_networkd` + +Deploys the given systemd-networkd configuration files. + +## Support Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml new file mode 100644 index 00000000..81b046a5 --- /dev/null +++ b/roles/systemd_networkd/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + systemd_networkd__config_dir: + type: path + required: true diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml new file mode 100644 index 00000000..f88ed146 --- /dev/null +++ b/roles/systemd_networkd/tasks/main.yaml @@ -0,0 +1,14 @@ +- name: ensure rsync is installed + ansible.builtin.apt: + name: rsync + state: present + become: true + +- name: synchronize systemd-networkd configs + ansible.posix.synchronize: + src: "{{ systemd_networkd__config_dir }}" + dest: "/etc/systemd/network" + archive: false + recursive: true + delete: true + become: true From a9e394da063211b91f6c120dfa5a30f52aac64ad Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 20:03:30 +0200 Subject: [PATCH 021/104] router(host): add systemd-networkd-based network config --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../router/systemd_networkd/00-net0.link | 6 ++++ .../router/systemd_networkd/00-net1.link | 6 ++++ .../router/systemd_networkd/00-net2.link | 6 ++++ .../systemd_networkd/10-net0.2-v4_nat.netdev | 7 +++++ .../10-net0.3-ci_runner.netdev | 7 +++++ .../router/systemd_networkd/20-net0.network | 12 ++++++++ .../router/systemd_networkd/20-net1.network | 14 +++++++++ .../router/systemd_networkd/20-net2.network | 14 +++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 23 +++++++++++++++ .../21-net0.3-ci_runners.network | 29 +++++++++++++++++++ 12 files changed, 126 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/router.yaml create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net0.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net1.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net2.link create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net0.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net1.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net2.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml new file mode 100644 index 00000000..b181c0a6 --- /dev/null +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -0,0 +1 @@ +systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 51d2b562..d3217ab6 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -100,6 +100,7 @@ base_config_hosts: renovate: systemd_networkd_hosts: hosts: + router: docker_compose_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link new file mode 100644 index 00000000..0c55d133 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net0.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:54:11:15 +Type=ether + +[Link] +Name=net0 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link new file mode 100644 index 00000000..ef04d043 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:9A:FB:34 +Type=ether + +[Link] +Name=net1 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link new file mode 100644 index 00000000..2a56f728 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net2.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:AE:C7:04 +Type=ether + +[Link] +Name=net2 diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev new file mode 100644 index 00000000..a46afb49 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=net0.2 +Kind=vlan + +[VLAN] +Id=2 + diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev new file mode 100644 index 00000000..0cd60db5 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=net0.3 +Kind=vlan + +[VLAN] +Id=3 + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network new file mode 100644 index 00000000..a32d75ea --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network @@ -0,0 +1,12 @@ +[Match] +Name=net0 + +[Link] +RequiredForOnline=no + +[Network] +VLAN=net0.2 +VLAN=net0.3 + +LinkLocalAddressing=no + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network new file mode 100644 index 00000000..c8bffc1e --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -0,0 +1,14 @@ +[Match] +Name=net1 + +[Network] +DNS=212.12.50.158 +IPForward=ipv4 +IPv6AcceptRA=no + +[Address] +Address=212.12.48.123/24 + +[Route] +Gateway=212.12.48.55 + diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network new file mode 100644 index 00000000..b3f497dd --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -0,0 +1,14 @@ +[Match] +Name=net2 + +[Network] +#DNS=212.12.50.158 +IPForward=ipv6 +IPv6AcceptRA=no + +[Address] +Address=2a00:14b0:4200:3500::130:2/112 + +[Route] +Gateway=2a00:14b0:4200:3500::130:1 + diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network new file mode 100644 index 00000000..880dd1df --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -0,0 +1,23 @@ +[Match] +Name=net0.2 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=v4-NAT + +IPMasquerade=ipv4 +IPv6SendRA=yes + +[Address] +Address=10.32.2.1/24 + +[IPv6SendRA] +UplinkInterface=net2 + +[IPv6Prefix] +Prefix=2a00:14b0:42:102::/64 +Assign=true +Token=static:::1 diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network new file mode 100644 index 00000000..6f73beb2 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network @@ -0,0 +1,29 @@ +[Match] +Name=net0.3 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=ci-runners + +IPMasquerade=ipv4 +IPv6SendRA=yes + +DHCPServer=true + +[DHCPServer] +PoolOffset=100 +PoolSize=150 + +[Address] +Address=10.32.3.1/24 + +[IPv6SendRA] +UplinkInterface=net2 + +[IPv6Prefix] +Prefix=2a00:14b0:42:103::/64 +Assign=true +Token=static:::1 From d0618e382050aeabb4d50942df03d89bfb16f91a Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 21:38:39 +0200 Subject: [PATCH 022/104] nftables(role): introduce role for deploying nftables --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/nftables/README.md | 11 +++++++++++ roles/nftables/handlers/main.yaml | 5 +++++ roles/nftables/meta/argument_specs.yaml | 6 ++++++ roles/nftables/tasks/main.yaml | 15 +++++++++++++++ 6 files changed, 44 insertions(+) create mode 100644 roles/nftables/README.md create mode 100644 roles/nftables/handlers/main.yaml create mode 100644 roles/nftables/meta/argument_specs.yaml create mode 100644 roles/nftables/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index d3217ab6..55ab6967 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -101,6 +101,8 @@ base_config_hosts: systemd_networkd_hosts: hosts: router: +nftables_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index ec7db509..f416b914 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -9,6 +9,11 @@ roles: - systemd_networkd +- name: Ensure nftables deployment on nftables_hosts + hosts: nftables_hosts + roles: + - nftables + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/roles/nftables/README.md b/roles/nftables/README.md new file mode 100644 index 00000000..81d8871a --- /dev/null +++ b/roles/nftables/README.md @@ -0,0 +1,11 @@ +# Role `nftables` + +Deploys nftables. + +## Support Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `nftables__config`: nftables configuration to deploy. diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml new file mode 100644 index 00000000..3b72c54c --- /dev/null +++ b/roles/nftables/handlers/main.yaml @@ -0,0 +1,5 @@ +- name: Restart nftables service + ansible.builtin.systemd_service: + name: nftables + state: restarted + become: true diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml new file mode 100644 index 00000000..aa562239 --- /dev/null +++ b/roles/nftables/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + nftables__config: + type: str + required: true diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml new file mode 100644 index 00000000..46ea18dc --- /dev/null +++ b/roles/nftables/tasks/main.yaml @@ -0,0 +1,15 @@ +- name: ensure nftables is installed + ansible.builtin.apt: + name: nftables + state: present + become: true + +- name: deploy nftables configuration + ansible.builtin.copy: + content: "{{ nftables__config }}" + dest: "/etc/nftables.conf" + mode: "0644" + owner: root + group: root + become: true + notify: Restart nftables service From 183b91b9f2d289fcbde59687f476632cef024250 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 23:34:17 +0200 Subject: [PATCH 023/104] router(host): add nftables config for basic router functionality --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../chaosknoten/router/nftables/nftables.conf | 73 +++++++++++++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 2 +- .../21-net0.3-ci_runners.network | 2 +- 5 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 resources/chaosknoten/router/nftables/nftables.conf diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index b181c0a6..134d29f9 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1 +1,2 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 55ab6967..e592d235 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -103,6 +103,7 @@ systemd_networkd_hosts: router: nftables_hosts: hosts: + router: docker_compose_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf new file mode 100644 index 00000000..6bc6cbe3 --- /dev/null +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -0,0 +1,73 @@ +#!/usr/sbin/nft -f + +## Variables + +# Interfaces +define if_net1_v4_wan = "net1" +define if_net2_v6_wan = "net2" +define if_net0_2_v4_nat = "net0.2" +define if_net0_3_ci_runner = "net0.3" + +# Interface Groups +define wan_ifs = { $if_net1_v4_wan, + $if_net2_v6_wan } +define lan_ifs = { $if_net0_2_v4_nat, + $if_net0_3_ci_runner } + + +## Rules + +table inet reverse-path-forwarding { + chain rpf-filter { + type filter hook prerouting priority mangle + 10; policy drop; + + # Only allow packets if their source address is routed via their incoming interface. + # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100 + fib saddr . mark . iif oif exists accept + } +} + +table inet host { + chain input { + type filter hook input priority filter; policy drop; + + iifname "lo" accept comment "allow loopback" + + ct state invalid drop + ct state established,related accept + + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # Allow SSH access. + tcp dport 22 accept comment "allow ssh access" + + # Allow DHCP server access. + iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" + } +} + +table ip v4nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + + oifname $if_net1_v4_wan masquerade + } +} + +table inet forward { + chain forward { + type filter hook forward priority filter; policy drop; + + ct state invalid drop + ct state established,related accept + + # Allow internet access. + meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" + meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + } +} diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index 880dd1df..c7fd9a7e 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=v4-NAT -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes [Address] diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network index 6f73beb2..9caca86c 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=ci-runners -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes DHCPServer=true From 66ee44366b5e08b2368b82a25c1b1b4cd0882ff5 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 14 Dec 2025 15:39:03 +0100 Subject: [PATCH 024/104] public-reverse-proxy: New IP of wiki VM --- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 4a449f5b..de8ebdd9 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -27,8 +27,8 @@ stream { invite.hamburg.ccc.de 172.31.17.144:8443; keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; grafana.hamburg.ccc.de 172.31.17.145:8443; - wiki.ccchh.net 172.31.17.146:8443; - wiki.hamburg.ccc.de 172.31.17.146:8443; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; From 5f98dca56c258b10c58c7efced616867f56de551 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:03:36 +0100 Subject: [PATCH 025/104] router(host): expose public v6 networks Also prepare for exposing public v4 networks later. --- resources/chaosknoten/router/nftables/nftables.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6bc6cbe3..6d04a4c4 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -13,6 +13,8 @@ define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan } define lan_ifs = { $if_net0_2_v4_nat, $if_net0_3_ci_runner } +# define v4_exposed_ifs = { } +define v6_exposed_ifs = { $if_net0_2_v4_nat } ## Rules @@ -69,5 +71,9 @@ table inet forward { # Allow internet access. meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + + # Allow access to exposed networks from internet. + # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" } } From 8b94a49f5e3255377f349087b1e224903696329a Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:23:33 +0100 Subject: [PATCH 026/104] wiki(host): move to new network and internal hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e592d235..a43e9408 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -55,9 +55,9 @@ all: ansible_host: router.hamburg.ccc.de ansible_user: chaos wiki: - ansible_host: wiki-intern.hamburg.ccc.de + ansible_host: wiki.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: ansible_host: zammad-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 165e1664..dabf4aaf 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -25,8 +25,8 @@ map $host $upstream_acme_challenge_host { pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; - wiki.ccchh.net 172.31.17.146:31820; - wiki.hamburg.ccc.de 172.31.17.146:31820; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; sunders.hamburg.ccc.de 172.31.17.170:31820; diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index a564fc2f..c393dd12 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -21,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; } diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index ccdd2247..255dc0a6 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From b72dee0d6d9e0cfe9c3aea5143fe8c8cfe463604 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:52:24 +0100 Subject: [PATCH 027/104] wiki(host): actually have nginx listen on v6 --- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 + resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index c393dd12..472236ae 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index 255dc0a6..b4eab7ff 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From 5a476f21034dd48c3a6b17758be92d3dfe9f62f0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:47:44 +0100 Subject: [PATCH 028/104] cloud(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- roles/nextcloud/templates/nginx_nextcloud.conf.j2 | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index a43e9408..5aa1363c 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -7,9 +7,9 @@ all: chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: - ansible_host: cloud-intern.hamburg.ccc.de + ansible_host: cloud.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de eh22-wiki: ansible_host: eh22-wiki-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index dabf4aaf..9fdf0fc6 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -6,7 +6,7 @@ map $host $upstream_acme_challenge_host { staging.c3cat.de 172.31.17.151:31820; ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - cloud.hamburg.ccc.de 172.31.17.143:31820; + cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; grafana.hamburg.ccc.de 172.31.17.145:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index de8ebdd9..84c1187e 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -20,7 +20,7 @@ stream { map $ssl_preread_server_name $address { ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; - cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; + cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; id.hamburg.ccc.de 172.31.17.144:8443; diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 index c15a6539..1beeaf3f 100644 --- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 @@ -4,6 +4,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From 570600fce31e2df5fe2f11beedbe56cabffe377f Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:58:05 +0100 Subject: [PATCH 029/104] eh22-wiki(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 3 ++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 5aa1363c..c18788ec 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -11,9 +11,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de eh22-wiki: - ansible_host: eh22-wiki-intern.hamburg.ccc.de + ansible_host: eh22-wiki.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de grafana: ansible_host: grafana-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index d3ed9592..8c801fe7 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf @@ -3,11 +3,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 9fdf0fc6..290dbad1 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host { eh11.easterhegg.eu 172.31.17.151:31820; eh20.easterhegg.eu 172.31.17.151:31820; www.eh20.easterhegg.eu 172.31.17.151:31820; - eh22.easterhegg.eu 172.31.17.165:31820; + eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820; easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820; eh2003.hamburg.ccc.de 172.31.17.151:31820; www.eh2003.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 84c1187e..076618ad 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -56,7 +56,7 @@ stream { eh11.easterhegg.eu 172.31.17.151:8443; eh20.easterhegg.eu 172.31.17.151:8443; www.eh20.easterhegg.eu 172.31.17.151:8443; - eh22.easterhegg.eu 172.31.17.165:8443; + eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443; easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443; eh2003.hamburg.ccc.de 172.31.17.151:8443; www.eh2003.hamburg.ccc.de 172.31.17.151:8443; From b9add5bda3957778dba8b3b5849a82e625ce0609 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:59:15 +0100 Subject: [PATCH 030/104] cloud(host): set correct new proxy protocol reverse proxy ip --- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index fc4e23c2..b6cf7715 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" nextcloud__use_custom_new_user_skeleton: true nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/" -nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140 +nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1" nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de From 1ca71a053e4f554ae8e1e53bc2accbe124afe78e Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 21:12:21 +0100 Subject: [PATCH 031/104] pad(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 3 ++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index c18788ec..3d677074 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -41,9 +41,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pad: - ansible_host: pad-intern.hamburg.ccc.de + ansible_host: pad.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pretalx: ansible_host: pretalx-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index 53d0a0df..6c453d1b 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf @@ -3,11 +3,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 290dbad1..6899c57a 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -21,7 +21,7 @@ map $host $upstream_acme_challenge_host { element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; onlyoffice.hamburg.ccc.de 172.31.17.147:31820; - pad.hamburg.ccc.de 172.31.17.141:31820; + pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 076618ad..d884bc11 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -21,7 +21,7 @@ stream { ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; - pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; + pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; id.hamburg.ccc.de 172.31.17.144:8443; invite.hamburg.ccc.de 172.31.17.144:8443; From 366456eff8f5280b14d755aefbf8c0abda567fc0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 21:50:40 +0100 Subject: [PATCH 032/104] keycloak(host): move to new network and hostname Also just listen on port 8443 for keycloak-admin proxy protocol. --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 3 ++- .../chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 3 ++- .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 5 +++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 6 +++--- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 6 +++--- 6 files changed, 15 insertions(+), 12 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 3d677074..dfa841e7 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -23,9 +23,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de keycloak: - ansible_host: keycloak-intern.hamburg.ccc.de + ansible_host: keycloak.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de lists: ansible_host: lists.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 303b052c..939e1da5 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -4,11 +4,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index 4a9cfe65..de1e9d6f 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf @@ -4,11 +4,12 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index 2b0d919a..cd56b98f 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,12 +7,13 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8444 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 6899c57a..4d6d4c0a 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -13,9 +13,9 @@ map $host $upstream_acme_challenge_host { hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; - id.hamburg.ccc.de 172.31.17.144:31820; - invite.hamburg.ccc.de 172.31.17.144:31820; - keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; + id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index d884bc11..de99d40c 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -23,9 +23,9 @@ stream { cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; - id.hamburg.ccc.de 172.31.17.144:8443; - invite.hamburg.ccc.de 172.31.17.144:8443; - keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; + id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; + invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; + keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; grafana.hamburg.ccc.de 172.31.17.145:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; From 944c8cde8249673566e2e5bf20699e6c58a93049 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 17 Dec 2025 03:34:39 +0100 Subject: [PATCH 033/104] onlyoffice(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 4 +++- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index dfa841e7..1028deb8 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -37,9 +37,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de onlyoffice: - ansible_host: onlyoffice-intern.hamburg.ccc.de + ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pad: ansible_host: pad.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 24715254..8a9a486a 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf @@ -3,11 +3,13 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 4d6d4c0a..409b5c60 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -20,7 +20,7 @@ map $host $upstream_acme_challenge_host { mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; - onlyoffice.hamburg.ccc.de 172.31.17.147:31820; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index de99d40c..97e0e3c9 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -29,7 +29,7 @@ stream { grafana.hamburg.ccc.de 172.31.17.145:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de 172.31.17.147:8443; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; netbox.hamburg.ccc.de 172.31.17.167:8443; From 25db54b8ad8314aeb35af0d7775e87c40a9239a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:02:56 +0100 Subject: [PATCH 034/104] Make sure pip is installed --- roles/ansible_pull/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml index 5abcd10e..61a2635f 100644 --- a/roles/ansible_pull/tasks/main.yaml +++ b/roles/ansible_pull/tasks/main.yaml @@ -3,6 +3,7 @@ - name: ensure apt dependencies are installed ansible.builtin.apt: name: + - python3-pip - virtualenv - git state: present From a328e9297102af66721951500cd90bedabb385a5 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 3 Jan 2026 14:03:26 +0100 Subject: [PATCH 035/104] Should be compatible with trixie/13 --- roles/certbot/meta/main.yaml | 1 + roles/docker/meta/main.yaml | 1 + roles/dokuwiki/meta/main.yml | 1 + roles/nginx/meta/main.yaml | 1 + roles/prometheus_node_exporter/meta/main.yaml | 1 + 5 files changed, 5 insertions(+) diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml index b4a1c6f7..9b678e9f 100644 --- a/roles/certbot/meta/main.yaml +++ b/roles/certbot/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml index b4a1c6f7..9b678e9f 100644 --- a/roles/docker/meta/main.yaml +++ b/roles/docker/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml index b4a1c6f7..9b678e9f 100644 --- a/roles/dokuwiki/meta/main.yml +++ b/roles/dokuwiki/meta/main.yml @@ -7,3 +7,4 @@ dependencies: major_versions: - 11 - 12 + - 13 diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 02b00ac3..78bb7705 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml index 02b00ac3..78bb7705 100644 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ b/roles/prometheus_node_exporter/meta/main.yaml @@ -7,3 +7,4 @@ dependencies: major_versions: - "11" - "12" + - "13" From 80ddb2efc927c894074558f0a8f13377bb934cb4 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 17:25:27 +0100 Subject: [PATCH 036/104] router: enable a DHCP server for the v4-NAT network as well As the hosts don't really need a static v4, just do DHCP. --- resources/chaosknoten/router/nftables/nftables.conf | 2 +- .../router/systemd_networkd/21-net0.2-v4_nat.network | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6d04a4c4..3375bfba 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -45,7 +45,7 @@ table inet host { tcp dport 22 accept comment "allow ssh access" # Allow DHCP server access. - iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" + iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" } } diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index c7fd9a7e..b15259d6 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -11,6 +11,12 @@ Description=v4-NAT # Masquerading done in nftables (nftables.conf). IPv6SendRA=yes +DHCPServer=true + +[DHCPServer] +PoolOffset=100 +PoolSize=150 + [Address] Address=10.32.2.1/24 From fbd3ea54962e7b0348c9ccb4471f493c26002322 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:09:48 +0100 Subject: [PATCH 037/104] base_config: disable cloud-init ssh module to avoid hostkey regeneration It should run once on first boot anyway and since it apparently runs for every change in the Proxmox cloud init config, disable it, so it doesn't, since it's annoying to have "random" hostkey changes. --- roles/base_config/tasks/main.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/base_config/tasks/main.yaml diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml new file mode 100644 index 00000000..cd8affd8 --- /dev/null +++ b/roles/base_config/tasks/main.yaml @@ -0,0 +1,13 @@ +# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason. +- name: check if cloud-init config file exists + ansible.builtin.stat: + path: /etc/cloud/cloud.cfg + register: base_config__stat_cloud_cfg + +- name: ensure the cloud-init ssh module is disabled + ansible.builtin.replace: + path: /etc/cloud/cloud.cfg + regexp: " - ssh$" + replace: " #- ssh" + become: true + when: base_config__stat_cloud_cfg.stat.exists From 40b67c6bc3cec86c72f7efe52f12b939d0db4291 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:46:16 +0100 Subject: [PATCH 038/104] sunders(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1028deb8..082a76af 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -67,9 +67,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de sunders: - ansible_host: sunders-intern.hamburg.ccc.de + ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: ansible_host: renovate-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 409b5c60..f02a6579 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -29,7 +29,7 @@ map $host $upstream_acme_challenge_host { wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; - sunders.hamburg.ccc.de 172.31.17.170:31820; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 97e0e3c9..90ec655e 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -43,7 +43,7 @@ stream { staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de 172.31.17.148:8443; - sunders.hamburg.ccc.de 172.31.17.170:8443; + sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index 04cc006c..ceb9b2b7 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a622f21b54461ec4db77f3496212c55389621104 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 18:46:27 +0100 Subject: [PATCH 039/104] renovate(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 082a76af..58b6c1a8 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -71,9 +71,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de renovate: - ansible_host: renovate-intern.hamburg.ccc.de + ansible_host: renovate.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: From 49e3ecb9865ebc0de70b4757b0f2d05a7b8c3da4 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 9 Jan 2026 03:05:29 +0100 Subject: [PATCH 040/104] netbox(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 58b6c1a8..14fe23ae 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -33,9 +33,9 @@ all: ansible_host: mumble.hamburg.ccc.de ansible_user: chaos netbox: - ansible_host: netbox-intern.hamburg.ccc.de + ansible_host: netbox.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de onlyoffice: ansible_host: onlyoffice.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 55506866..533c9d21 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index f02a6579..06595e3f 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -19,7 +19,7 @@ map $host $upstream_acme_challenge_host { matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; - netbox.hamburg.ccc.de 172.31.17.167:31820; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 90ec655e..78a91ff2 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -32,7 +32,7 @@ stream { onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; - netbox.hamburg.ccc.de 172.31.17.167:8443; + netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443; matrix.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443; From ff550cbd8ad8cfd9be7bbc9d5f4c620172e5d90f Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:00:18 +0100 Subject: [PATCH 041/104] tickets(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 14fe23ae..fab91277 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -19,9 +19,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de tickets: - ansible_host: tickets-intern.hamburg.ccc.de + ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de keycloak: ansible_host: keycloak.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 06595e3f..b8b44b5d 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -28,7 +28,7 @@ map $host $upstream_acme_challenge_host { wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; - tickets.hamburg.ccc.de 172.31.17.148:31820; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; zammad.hamburg.ccc.de 172.31.17.152:31820; eh03.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 78a91ff2..e540f134 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -42,7 +42,7 @@ stream { hamburg.ccc.de 172.31.17.151:8443; staging.hamburg.ccc.de 172.31.17.151:8443; spaceapi.hamburg.ccc.de 172.31.17.151:8443; - tickets.hamburg.ccc.de 172.31.17.148:8443; + tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; zammad.hamburg.ccc.de 172.31.17.152:8443; c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 9e2ca26b..8d36244c 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From a41b07949cd6ffda5b334065c7b8ce362e11af16 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:22:37 +0100 Subject: [PATCH 042/104] zammad(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index fab91277..1b88df6c 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -59,9 +59,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: - ansible_host: zammad-intern.hamburg.ccc.de + ansible_host: zammad.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: ansible_host: ntfy-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index b8b44b5d..d9760890 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -30,7 +30,7 @@ map $host $upstream_acme_challenge_host { www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820; - zammad.hamburg.ccc.de 172.31.17.152:31820; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820; eh03.easterhegg.eu 172.31.17.151:31820; eh05.easterhegg.eu 172.31.17.151:31820; eh07.easterhegg.eu 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index e540f134..c4d1fbcd 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -44,7 +44,7 @@ stream { spaceapi.hamburg.ccc.de 172.31.17.151:8443; tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443; sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443; - zammad.hamburg.ccc.de 172.31.17.152:8443; + zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443; c3cat.de 172.31.17.151:8443; www.c3cat.de 172.31.17.151:8443; staging.c3cat.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index c1f91827..5bb24352 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From bb30e88404d9e3d6c2325a2572b45aac10113041 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:29:16 +0100 Subject: [PATCH 043/104] router(host): allowlist only certain icmpv6 types --- .../chaosknoten/router/nftables/nftables.conf | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 3375bfba..ca62a972 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -39,7 +39,23 @@ table inet host { ct state established,related accept ip protocol icmp accept - ip6 nexthdr icmpv6 accept + # ICMPv6 + # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24 + # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped" + # Error messages that are essential to the establishment and maintenance of communications: + icmpv6 type { destination-unreachable, packet-too-big } accept + icmpv6 type { time-exceeded } accept + icmpv6 type { parameter-problem } accept + # Connectivity checking messages: + icmpv6 type { echo-request, echo-reply } accept + # Address Configuration and Router Selection messages: + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept + # Link-Local Multicast Receiver Notification messages: + icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept + # SEND Certificate Path Notification messages: + icmpv6 type { 148, 149 } accept + # Multicast Router Discovery messages: + icmpv6 type { 151, 152, 153 } accept # Allow SSH access. tcp dport 22 accept comment "allow ssh access" From 2fbb37db18c0cb3c01f00d83666524f6c5cc887e Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 00:59:52 +0100 Subject: [PATCH 044/104] grafana(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf | 2 -- .../chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf | 1 - .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 6 files changed, 5 insertions(+), 8 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1b88df6c..f72e4aca 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -15,9 +15,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de grafana: - ansible_host: grafana-intern.hamburg.ccc.de + ansible_host: grafana.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de tickets: ansible_host: tickets.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index c5b68e1a..a6dcdc1e 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf @@ -2,7 +2,7 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf index e2bf4a78..8a509bee 100644 --- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf @@ -17,7 +17,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:50051 ssl; - listen 172.31.17.145:50051 ssl; http2 on; @@ -59,7 +58,6 @@ server { server_name loki.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index 2c525239..ef2fe079 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -18,7 +18,6 @@ server { server_name metrics.hamburg.ccc.de; listen [::]:443 ssl; - listen 172.31.17.145:443 ssl; http2 on; client_body_buffer_size 512k; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index d9760890..7af3beb0 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -9,7 +9,7 @@ map $host $upstream_acme_challenge_host { cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; - grafana.hamburg.ccc.de 172.31.17.145:31820; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index c4d1fbcd..42120db7 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -26,7 +26,7 @@ stream { id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - grafana.hamburg.ccc.de 172.31.17.145:8443; + grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; From 372f264bcbc7de743c6cda57126395f7df906b47 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 01:29:15 +0100 Subject: [PATCH 045/104] ccchoir(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf | 8 ++++---- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- .../chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index f72e4aca..4b8e3881 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -1,9 +1,9 @@ all: hosts: ccchoir: - ansible_host: ccchoir-intern.hamburg.ccc.de + ansible_host: ccchoir.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf index ff37e487..a8d71a99 100644 --- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf +++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -43,12 +43,12 @@ server { server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 7af3beb0..0c627603 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -4,8 +4,8 @@ map $host $upstream_acme_challenge_host { c3cat.de 172.31.17.151:31820; www.c3cat.de 172.31.17.151:31820; staging.c3cat.de 172.31.17.151:31820; - ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; + ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; + www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 42120db7..b3f36366 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -18,8 +18,8 @@ stream { resolver 212.12.50.158 192.76.134.90; map $ssl_preread_server_name $address { - ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; - www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; + www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; From 1971598e71379ed967b8790353dd2ac6dc854712 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 03:22:11 +0100 Subject: [PATCH 046/104] pretalx(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf | 4 ++-- .../chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 4b8e3881..d5dea1c5 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -45,9 +45,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de pretalx: - ansible_host: pretalx-intern.hamburg.ccc.de + ansible_host: pretalx.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf index 0fa99e7f..a4f5bb93 100644 --- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf index f12067ab..d66e9770 100644 --- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf @@ -2,12 +2,12 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 0c627603..71f0290e 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -22,7 +22,7 @@ map $host $upstream_acme_challenge_host { netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820; onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; - pretalx.hamburg.ccc.de 172.31.17.157:31820; + pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index b3f36366..d7cd97ea 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -22,7 +22,7 @@ stream { www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; - pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; + pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443; id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; @@ -90,7 +90,7 @@ stream { woodpecker.hamburg.ccc.de 172.31.17.160:8443; design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; - cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443; + cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; ntfy.hamburg.ccc.de 172.31.17.149:8443; cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443; From 255327952e3b1e718e7d0e53c0c189a6e6f13052 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 11 Jan 2026 03:57:11 +0100 Subject: [PATCH 047/104] ntfy(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index d5dea1c5..93c61be8 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -63,9 +63,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ntfy: - ansible_host: ntfy-intern.hamburg.ccc.de + ansible_host: ntfy.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de sunders: ansible_host: sunders.hosts.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf index e7d404da..ebae48d1 100644 --- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf +++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf @@ -2,13 +2,13 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; http2 on; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 71f0290e..82e596aa 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host { design.hamburg.ccc.de 172.31.17.162:31820; hydra.hamburg.ccc.de 172.31.17.163:31820; cfp.eh22.easterhegg.eu 172.31.17.157:31820; - ntfy.hamburg.ccc.de 172.31.17.149:31820; + ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820; cryptoparty-hamburg.de 172.31.17.151:31820; cryptoparty.hamburg.ccc.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index d7cd97ea..489dda55 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -91,7 +91,7 @@ stream { design.hamburg.ccc.de 172.31.17.162:8443; hydra.hamburg.ccc.de 172.31.17.163:8443; cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443; - ntfy.hamburg.ccc.de 172.31.17.149:8443; + ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443; cryptoparty-hamburg.de 172.31.17.151:8443; cryptoparty.hamburg.ccc.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443; From 968e29ccb8fa144c7ec3ebd56d8d38adb4416397 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 12 Jan 2026 03:02:09 +0100 Subject: [PATCH 048/104] do v6-only for internal proxy protocol communication Since we want to do v6-only internally, only listen on v6 for proxy protocol. This is also needed as we only have set_real_ip_from pointing to a v6. --- resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 1 - resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 1 - resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 1 - .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 1 - resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf | 2 +- .../chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 1 - resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 1 - resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 2 +- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 - resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 - resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf | 2 +- 13 files changed, 5 insertions(+), 13 deletions(-) diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index 8c801fe7..d213d615 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf index a6dcdc1e..98f7f40b 100644 --- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf @@ -8,7 +8,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 939e1da5..82ba082d 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -3,7 +3,6 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index de1e9d6f..ecb7e2d4 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf @@ -3,7 +3,6 @@ # Also see: https://www.keycloak.org/server/reverseproxy server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index cd56b98f..b2e7eece 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,7 +7,6 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf index 533c9d21..0c2a3be0 100644 --- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf +++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 8a9a486a..f3e77f17 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index 6c453d1b..cf49d232 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf index ceb9b2b7..185c005a 100644 --- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf +++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf index 8d36244c..e93ff935 100644 --- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf +++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index 472236ae..d89b5b88 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index b4eab7ff..5065c1d7 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -2,7 +2,6 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf index 5bb24352..b94cb5c2 100644 --- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From 70461c98babcddd87dd208aa4041aee5f1fa2546 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 12 Jan 2026 03:29:06 +0100 Subject: [PATCH 049/104] first run ansible_pull for router, then for all other hosts Do this to avoid a restarting router affecting playbook runs on other hosts. --- inventories/chaosknoten/group_vars/all.yaml | 2 +- inventories/chaosknoten/host_vars/router.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index b8f13d0a..60349e08 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml @@ -3,7 +3,7 @@ ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git ansible_pull__inventory: inventories/chaosknoten ansible_pull__playbook: playbooks/maintenance.yaml -ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de ansible_pull__timer_randomized_delay_sec: 30min diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index 134d29f9..5e9c8325 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,2 +1,4 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_randomized_delay_sec: 0min From c6387908198c477178d59ea4e798600ffb201dc8 Mon Sep 17 00:00:00 2001 From: Renovate Date: Mon, 12 Jan 2026 02:30:47 +0000 Subject: [PATCH 050/104] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 10 +++++----- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pad/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 6 +++--- .../chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index d29fb6e1..b1168c9c 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.11.0 + uses: https://github.com/ansible/ansible-lint@v25.12.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 3be8bdde..2c68c171 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.6" +netbox__version: "v4.5.0" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 2d598f96..90952ee8 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.3 + image: docker.io/prom/prometheus:v3.9.1 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.29.0 + image: docker.io/prom/alertmanager:v0.30.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.3.0 + image: docker.io/grafana/grafana:12.3.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5 + image: docker.io/prompve/prometheus-pve-exporter:3.8.0 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.0 + image: docker.io/grafana/loki:3.6.3 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index f3444ac8..8bc37e93 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0 + image: docker.io/onlyoffice/documentserver:9.2.1 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 455caa39..790cf952 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3 + image: quay.io/hedgedoc/hedgedoc:1.10.5 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index dda67bb0..835ed501 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3 + image: docker.io/library/nginx:1.29.4 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0 + image: docker.io/pretalx/standalone:v2025.2.2 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index fbec2583..1df2bcae 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: db: - image: mariadb:12.0.2 + image: mariadb:12.1.2 command: --max_allowed_packet=3250585600 environment: MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}" From a92e144cfcdfb0813403b2e7b649d1fdeb641722 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 00:08:57 +0100 Subject: [PATCH 051/104] base_config(role): ensure base set of admin tools is installed See: https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix --- roles/base_config/tasks/main.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml index cd8affd8..7f0281eb 100644 --- a/roles/base_config/tasks/main.yaml +++ b/roles/base_config/tasks/main.yaml @@ -11,3 +11,23 @@ replace: " #- ssh" become: true when: base_config__stat_cloud_cfg.stat.exists + +# Ensure a base set of admin tools is installed. +- name: ensure a base set of admin tools is installed + ansible.builtin.apt: + name: + - vim + - joe + - nano + - htop + - btop + - ripgrep + - fd-find + - tmux + - git + - curl + - rsync + - dnsutils + - usbutils + - kitty + become: true From 951ec7ebcd9ea693f4f4c40b9ca1052b4bc0abf1 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 02:25:06 +0100 Subject: [PATCH 052/104] netbox(role): fix oidc integration by no longer using is_staff is_staff got removed in 4.5.0. See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0 --- .../netbox/files/custom_pipeline_oidc_group_and_role_mapping.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py index 470f388d..79bd247a 100644 --- a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py +++ b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py @@ -40,7 +40,6 @@ def remove_groups(response, user, backend, *args, **kwargs): def set_roles(response, user, backend, *args, **kwargs): # Remove Roles temporary user.is_superuser = False - user.is_staff = False try: groups = response['groups'] except KeyError: @@ -51,5 +50,4 @@ def set_roles(response, user, backend, *args, **kwargs): # Set roles is role (superuser or staff) is in groups user.is_superuser = True if 'superusers' in groups else False - user.is_staff = True if 'staff' in groups else False user.save() From 3e0fdfa8de7e0cbc97ef7d3a089c7db6b2885b92 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:43:28 +0100 Subject: [PATCH 053/104] pretalx(host): roll back to pretalx v2025.1.0 as v2025.2.2 doesn't work --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 835ed501..f61d6f72 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" From 92601ab9ea4cceb6daa8b7c36c9a202a6ae9e30b Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 03:48:34 +0100 Subject: [PATCH 054/104] renovate: add package rule for pretalx reclassifying major updates So that v2025.1.0 to v2025.2.2 counts as a major, not a minor, update. --- renovate.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate.json b/renovate.json index 711c6273..0e2bd7fb 100644 --- a/renovate.json +++ b/renovate.json @@ -32,6 +32,11 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" + }, + { + "matchDatasources": ["docker"], + "matchPackageNames": ["docker.io/pretalx/standalone"], + "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$" } ], "customManagers": [ From 428b5c70bc3d02be51283a69105cf36ce44139ff Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 14:19:57 +0100 Subject: [PATCH 055/104] pretalx(host): roll back to pretalx v2025.1.0 for celery as well --- resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index f61d6f72..091d1133 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.2.2 + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped From 51bbdd42a2504f0b3045349b0b08e3bb75b55fce Mon Sep 17 00:00:00 2001 From: June Date: Tue, 13 Jan 2026 16:55:22 +0100 Subject: [PATCH 056/104] dooris(host): make certbot work --- inventories/z9/host_vars/dooris.yaml | 4 +++- resources/z9/dooris/nginx/http_handler.conf | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 resources/z9/dooris/nginx/http_handler.conf diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml index 5813e3a5..8ae5287f 100644 --- a/inventories/z9/host_vars/dooris.yaml +++ b/inventories/z9/host_vars/dooris.yaml @@ -7,9 +7,11 @@ certbot__certificate_domains: - "dooris.ccchh.net" certbot__new_cert_commands: - "systemctl reload nginx.service" -certbot__http_01_port: 80 nginx__version_spec: "" +nginx__deploy_redirect_conf: false nginx__configurations: - name: dooris.ccchh.net content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}" + - name: http_handler + content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" diff --git a/resources/z9/dooris/nginx/http_handler.conf b/resources/z9/dooris/nginx/http_handler.conf new file mode 100644 index 00000000..8572664d --- /dev/null +++ b/resources/z9/dooris/nginx/http_handler.conf @@ -0,0 +1,12 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } +} From fe52127e825b27693c56dc5f0620679fe12829c0 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 01:26:52 +0100 Subject: [PATCH 057/104] status(host): configure external status page and uptime monitoring host --- .sops.yaml | 22 +- inventories/external/group_vars/all.sops.yaml | 210 ++++++++++++ inventories/external/group_vars/all.yaml | 16 + .../external/host_vars/status.sops.yaml | 212 ++++++++++++ inventories/external/host_vars/status.yaml | 27 ++ inventories/external/hosts.yaml | 24 ++ .../status/docker_compose/compose.yaml.j2 | 36 +++ .../config/easterhegg-websites.yaml | 303 ++++++++++++++++++ .../status/docker_compose/config/general.yaml | 25 ++ .../config/services-chaosknoten.yaml | 264 +++++++++++++++ .../status/docker_compose/config/sites.yaml | 23 ++ .../docker_compose/config/websites.yaml | 174 ++++++++++ .../external/status/nginx/http_handler.conf | 14 + .../status/nginx/status.hamburg.ccc.de.conf | 33 ++ 14 files changed, 1381 insertions(+), 2 deletions(-) create mode 100644 inventories/external/group_vars/all.sops.yaml create mode 100644 inventories/external/group_vars/all.yaml create mode 100644 inventories/external/host_vars/status.sops.yaml create mode 100644 inventories/external/host_vars/status.yaml create mode 100644 inventories/external/hosts.yaml create mode 100644 resources/external/status/docker_compose/compose.yaml.j2 create mode 100644 resources/external/status/docker_compose/config/easterhegg-websites.yaml create mode 100644 resources/external/status/docker_compose/config/general.yaml create mode 100644 resources/external/status/docker_compose/config/services-chaosknoten.yaml create mode 100644 resources/external/status/docker_compose/config/sites.yaml create mode 100644 resources/external/status/docker_compose/config/websites.yaml create mode 100644 resources/external/status/nginx/http_handler.conf create mode 100644 resources/external/status/nginx/status.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 98aaf3cd..3b728e2d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -33,15 +33,25 @@ keys: - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg + external: + age: &host_external_age_keys + - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr creation_rules: - # group vars + ## group vars - path_regex: inventories/chaosknoten/group_vars/all.* key_groups: - pgp: *admin_gpg_keys age: *host_chaosknoten_age_keys - # host vars + - path_regex: inventories/external/group_vars/all.* + key_groups: + - pgp: + *admin_gpg_keys + age: + *host_external_age_keys + ## host vars + # chaosknoten hosts - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: @@ -150,6 +160,14 @@ creation_rules: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key + # external hosts + - path_regex: inventories/external/host_vars/status.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_status_ansible_pull_age_key + # z9 hosts - path_regex: inventories/z9/host_vars/dooris.* key_groups: - pgp: diff --git a/inventories/external/group_vars/all.sops.yaml b/inventories/external/group_vars/all.sops.yaml new file mode 100644 index 00000000..06eeb17c --- /dev/null +++ b/inventories/external/group_vars/all.sops.yaml @@ -0,0 +1,210 @@ +msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w + c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN + clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ + aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y + mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-15T21:28:28Z" + mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str] + pgp: + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I + b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY + /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu + Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/ + e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B + inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw + P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow + RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W + XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn + gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV + HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS + XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH + tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a + =Xw0f + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+ + U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L + eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW + TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc + OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo + b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR + 8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem + Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk + +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq + 5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb + ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS + XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7 + RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u + =k6m5 + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ + z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr + AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX + EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd + txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3 + CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX + AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt + KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf + 53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ + iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn + Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS + XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX + OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0 + =seAB + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ + ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7 + vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh + GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R + ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA + q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN + F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT + 968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb + Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH + RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM + WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS + XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T + X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt + =t5WG + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw + OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu + 0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD + kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg== + =8Qs3 + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2 + SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm + +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB + nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm + ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH + xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP + 2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv + 4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP + AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5 + fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV + J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S + XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD + QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn + =NJUn + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33 + rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU + b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB + VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6 + z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc + y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk + pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6 + DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS + 55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2 + Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS + 2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS + XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ + e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h + =gUj7 + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw + YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4 + W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly + m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl + AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB + QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW + fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT + XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw + Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv + v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt + zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS + XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb + YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV + =pL2f + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw + 0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin + 0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8 + KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg== + =slU2 + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw + bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL + 0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp + JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw== + =1DIj + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:28:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204 + CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99 + e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R + 6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1 + M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN + Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L + vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G + k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm + MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/ + 3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF + XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS + XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn + 96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz + =IYeC + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/external/group_vars/all.yaml b/inventories/external/group_vars/all.yaml new file mode 100644 index 00000000..80d3efc2 --- /dev/null +++ b/inventories/external/group_vars/all.yaml @@ -0,0 +1,16 @@ +# ansible_pull +# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml). +ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git +ansible_pull__inventory: inventories/external +ansible_pull__playbook: playbooks/maintenance.yaml +ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin" +ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de +ansible_pull__timer_randomized_delay_sec: 30min + +# msmtp +# msmtp__smtp_password is defined in the all.sops.yaml. +msmtp__smtp_host: cow.hamburg.ccc.de +msmtp__smtp_port: 465 +msmtp__smtp_tls_method: smtps +msmtp__smtp_user: any@external-hosts.hamburg.ccc.de +msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de" diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml new file mode 100644 index 00000000..e3004595 --- /dev/null +++ b/inventories/external/host_vars/status.sops.yaml @@ -0,0 +1,212 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] +secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +sops: + age: + - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx + UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq + M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk + RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 + 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-17T23:54:35Z" + mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + pgp: + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/ + HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW + w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi + o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr + dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT + QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+ + 97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE + dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf + j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT + B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9 + cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS + XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI + tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ= + =HCWY + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M + UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6 + KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4 + JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu + RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf + LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J + SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5 + YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD + CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF + W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q + melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS + XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e + GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74= + =v7Jf + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ + zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv + y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y + Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo + FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw + sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz + 8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1 + +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au + qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU + yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F + HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S + XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF + 9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4= + =l9vN + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp + +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w + +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1 + oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw + 8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx + wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26 + MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK + ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj + IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB + b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm + YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS + XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF + JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4= + =8IWz + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw + 9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM + 0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr + 1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ + =FVIu + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz + ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F + 15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN + pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW + Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR + PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+ + 27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU + amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I + bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P + dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc + bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS + XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD + QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA= + =EPrs + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0 + RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC + Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9 + fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC + 3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9 + bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW + p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl + USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm + dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa + PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9 + NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS + XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n + H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo= + =0Nal + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK + ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV + Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl + IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH + i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9 + 1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq + lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG + m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi + 9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7 + N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy + FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS + XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7 + uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k= + =e4Qe + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw + 27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di + 0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h + 7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci + =68na + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw + oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK + 0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz + LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ + =Kpzf + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-15T21:23:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO + rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I + hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc + yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD + Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo + 2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR + yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY + YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz + WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu + 1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv + YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS + XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY + rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk= + =lbdI + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/external/host_vars/status.yaml b/inventories/external/host_vars/status.yaml new file mode 100644 index 00000000..c2c26b30 --- /dev/null +++ b/inventories/external/host_vars/status.yaml @@ -0,0 +1,27 @@ +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}" +docker_compose__configuration_files: + - name: "general.yaml" + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}" + - name: "sites.yaml" + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}" + - name: "services-chaosknoten.yaml" + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}" + - name: "websites.yaml" + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}" + - name: "easterhegg-websites.yaml" + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}" + +nginx__version_spec: "" +nginx__deploy_redirect_conf: false +nginx__configurations: + - name: status.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}" + - name: http_handler + content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}" + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "status.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml new file mode 100644 index 00000000..435a9bf8 --- /dev/null +++ b/inventories/external/hosts.yaml @@ -0,0 +1,24 @@ +all: + hosts: + status: + # TODO: Manually set up ufw on the host. Create a role for ufw. + ansible_host: status.hamburg.ccc.de + ansible_user: chaos +base_config_hosts: + hosts: + status: +docker_compose_hosts: + hosts: + status: +nginx_hosts: + hosts: + status: +certbot_hosts: + hosts: + status: +infrastructure_authorized_keys_hosts: + hosts: + status: +ansible_pull_hosts: + hosts: + status: diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2 new file mode 100644 index 00000000..04abf953 --- /dev/null +++ b/resources/external/status/docker_compose/compose.yaml.j2 @@ -0,0 +1,36 @@ +# https://gatus.io/ +# https://github.com/TwiN/gatus +# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml + +services: + database: + image: docker.io/library/postgres:18.1 + volumes: + - ./database:/var/lib/postgresql + environment: + - "POSTGRES_DB=gatus" + - "POSTGRES_USER=gatus" + - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}" + networks: + - gatus + + gatus: + image: ghcr.io/twin/gatus:v5.34.0 + restart: always + ports: + - "8080:8080" + environment: + - "GATUS_CONFIG_PATH=/config" + - "POSTGRES_DB=gatus" + - "POSTGRES_USER=gatus" + - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}" + - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}" + volumes: + - ./configs:/config + networks: + - gatus + depends_on: + - database + +networks: + gatus: diff --git a/resources/external/status/docker_compose/config/easterhegg-websites.yaml b/resources/external/status/docker_compose/config/easterhegg-websites.yaml new file mode 100644 index 00000000..87feb4c0 --- /dev/null +++ b/resources/external/status/docker_compose/config/easterhegg-websites.yaml @@ -0,0 +1,303 @@ +# Easterhegg Websites and Websites (Redirects) +# (hosted on public-web-static) +# One could probably also generate this list from the public-web-static config. +easterhegg-websites-defaults: &easterhegg_websites_defaults + group: Websites + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "12h" + send-on-resolved: true + +easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults + group: Websites (Redirects) + interval: 15m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +endpoints: + # Websites + - name: eh03.easterhegg.eu + url: "https://eh03.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: eh05.easterhegg.eu + url: "https://eh05.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: eh07.easterhegg.eu + url: "https://eh07.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh09.easterhegg.eu + url: "https://eh09.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh11.easterhegg.eu + url: "https://eh11.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh20.easterhegg.eu + url: "https://eh20.easterhegg.eu" + <<: *easterhegg_websites_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" + + # Websites (Redirects) + # eh03.easterhegg.eu + - name: eh2003.hamburg.ccc.de + url: "https://eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.eh2003.hamburg.ccc.de + url: "https://www.eh2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: easterhegg2003.hamburg.ccc.de + url: "https://easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + - name: www.easterhegg2003.hamburg.ccc.de + url: "https://www.easterhegg2003.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easter(h)egg 2003*)" + + # eh05.easterhegg.eu + - name: eh2005.hamburg.ccc.de + url: "https://eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.eh2005.hamburg.ccc.de + url: "https://www.eh2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: easterhegg2005.hamburg.ccc.de + url: "https://easterhegg2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + - name: www.easterhegg2005.hamburg.ccc.de + url: "https://www.easterhegg2005.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)" + + # eh07.easterhegg.eu + - name: eh2007.hamburg.ccc.de + url: "https://eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh2007.hamburg.ccc.de + url: "https://www.eh2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: eh07.hamburg.ccc.de + url: "https://eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.eh07.hamburg.ccc.de + url: "https://www.eh07.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: easterhegg2007.hamburg.ccc.de + url: "https://easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + - name: www.easterhegg2007.hamburg.ccc.de + url: "https://www.easterhegg2007.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)" + + # eh09.easterhegg.eu + - name: eh2009.hamburg.ccc.de + url: "https://eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.eh2009.hamburg.ccc.de + url: "https://www.eh2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: eh09.hamburg.ccc.de + url: "https://eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.eh09.hamburg.ccc.de + url: "https://www.eh09.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: easterhegg2009.hamburg.ccc.de + url: "https://easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + - name: www.easterhegg2009.hamburg.ccc.de + url: "https://www.easterhegg2009.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2009*)" + + # eh11.easterhegg.eu + - name: eh2011.hamburg.ccc.de + url: "https://eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh2011.hamburg.ccc.de + url: "https://www.eh2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: eh11.hamburg.ccc.de + url: "https://eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.eh11.hamburg.ccc.de + url: "https://www.eh11.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: easterhegg2011.hamburg.ccc.de + url: "https://easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + - name: www.easterhegg2011.hamburg.ccc.de + url: "https://www.easterhegg2011.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*Easterhegg 2011*)" + + # eh20.easterhegg.eu + - name: www.eh20.easterhegg.eu + url: "https://www.eh20.easterhegg.eu" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" + + - name: eh20.hamburg.ccc.de + url: "https://eh20.hamburg.ccc.de" + <<: *easterhegg_websites_redirects_defaults + conditions: + - "[status] == 200" + - "[certificate_expiration] > 48h" + - "[BODY] == pat(*EH20 - Back to root*)" diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml new file mode 100644 index 00000000..c67811a3 --- /dev/null +++ b/resources/external/status/docker_compose/config/general.yaml @@ -0,0 +1,25 @@ +storage: + type: postgres + path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" + +ui: + title: CCCHH Status + description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus. + header: CCCHH Status + buttons: + - name: Website + link: "https://hamburg.ccc.de" + - name: Git + link: "https://git.hamburg.ccc.de" + - name: Kontakt & Impressum + link: "https://hamburg.ccc.de/imprint/" + default-sort-by: group + +alerting: + matrix: + server-url: "https://matrix-client.matrix.org" + access-token: "${MATRIX_ACCESS_TOKEN}" + internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" + +# A bit more than the default 5 concurrent checks should be fine. +concurrency: 15 diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml new file mode 100644 index 00000000..0792e951 --- /dev/null +++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml @@ -0,0 +1,264 @@ +# Services (Chaosknoten) +services-chaosknoten-defaults: &services_chaosknoten_defaults + group: Services (Chaosknoten) + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: CCCHH ID/Keycloak (main page/account console) + url: "https://id.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*JavaScript is required to use the Account Console.*)" + + - name: CCCHH ID/Keycloak (ccchh realm) + url: "https://id.hamburg.ccc.de/realms/ccchh/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].realm == ccchh" + + - name: ccchoir + url: "https://ccchoir.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*The Choir of the Chaos Computer Club*)" + + - name: Cloud (status info) + url: "https://cloud.hamburg.ccc.de/status.php" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].installed == true" + - "[BODY].maintenance == false" + + - name: Cloud (main page/login) + url: "https://cloud.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: cow (main page/login) + url: "https://cow.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*mailcow UI*)" + + - name: cow (SMTP port 25) + url: "tcp://cow.hamburg.ccc.de:25" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (SMTPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (SMTP with STARTTLS port 587) + url: "starttls://cow.hamburg.ccc.de:587" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAP port 143) + url: "tcp://cow.hamburg.ccc.de:143" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: cow (IMAPS port 465) + url: "tls://cow.hamburg.ccc.de:465" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Design/penpot + url: "https://design.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Penpot - Design Freedom for Teams*)" + + - name: EH22 Website/Wiki + url: "https://eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + + - name: Git + url: "https://git.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Git*)" + + - name: GitLab + url: "https://gitlab.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)" + + - name: Grafana + url: "https://grafana.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sign in to CCCHH*)" + + - name: Jitsi + url: "https://jitsi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Jitsi Meet*)" + + - name: Lists + url: "https://lists.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Mailing Lists*)" + + - name: Matrix + url: "https://matrix.hamburg.ccc.de/_matrix/client/versions" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "has([BODY].versions) == true" + - "has([BODY].unstable_features) == true" + + - name: Mumble (tcp) + url: "tcp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: Mumble (udp) + url: "udp://mumble.hamburg.ccc.de:64738" + <<: *services_chaosknoten_defaults + conditions: + - "[CONNECTED] == true" + + - name: NetBox + url: "https://NetBox.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*NetBox*)" + + - name: ntfy + url: "https://ntfy.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ntfy web requires JavaScript*)" + + - name: OnlyOffice + url: "https://onlyoffice.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)" + + - name: Pad + url: "https://pad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)" + + - name: Pretalx (main page) + url: "https://pretalx.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretalx*)" + + - name: Pretalx (EH22/Easterhegg 2025) + url: "https://cfp.eh22.easterhegg.eu/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Easterhegg 2025*)" + - "[BODY] == pat(*pretalx*)" + + - name: SpaceAPI + url: "https://spaceapi.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY].space == CCCHH" + + - name: Surveillance under Surveillance + url: "https://sunders.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Surveillance under Surveillance*)" + + - name: Tickets/pretix + url: "https://tickets.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*pretix*)" + + - name: Wiki + url: "https://wiki.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*CCCHH Wiki*)" + + - name: Woodpecker + url: "https://woodpecker.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Woodpecker*)" + + - name: Zammad + url: "https://zammad.hamburg.ccc.de/" + <<: *services_chaosknoten_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*zammad*)" diff --git a/resources/external/status/docker_compose/config/sites.yaml b/resources/external/status/docker_compose/config/sites.yaml new file mode 100644 index 00000000..7b0ce828 --- /dev/null +++ b/resources/external/status/docker_compose/config/sites.yaml @@ -0,0 +1,23 @@ +# Sites +sites-defaults: &sites_defaults + group: Sites + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +endpoints: + - name: Chaosknoten/IRZ42 + url: "icmp://chaosknoten.hamburg.ccc.de" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" + + - name: Z9 + url: "icmp://185.161.129.129" + <<: *sites_defaults + conditions: + - "[CONNECTED] == true" diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml new file mode 100644 index 00000000..e54337a3 --- /dev/null +++ b/resources/external/status/docker_compose/config/websites.yaml @@ -0,0 +1,174 @@ +# Websites, Websites (Staging) and Websites (Redirects) +# (hosted on public-web-static) +# One could probably also generate this list from the public-web-static config. +websites-defaults: &websites_defaults + group: Websites + interval: 1m + alerts: + - type: matrix + failure-threshold: 5 + success-threshold: 2 + minimum-reminder-interval: "6h" + send-on-resolved: true + +websites-staging-defaults: &websites_staging_defaults + group: Websites (Staging) + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +websites-redirects-defaults: &websites_redirects_defaults + group: Websites (Redirects) + interval: 5m + alerts: + - type: matrix + failure-threshold: 3 + success-threshold: 1 + minimum-reminder-interval: "24h" + send-on-resolved: true + +endpoints: + # Websites + - name: branding-resources.hamburg.ccc.de + url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*file: ccchh-logo.png*)" + + - name: c3cat.de + url: "https://c3cat.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Cat Ears Operation Center*)" + + - name: cryptoparty-hamburg.de + url: "https://cryptoparty-hamburg.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" + + - name: element-admin.hamburg.ccc.de + url: "https://element-admin.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Loading Element Admin*)" + + - name: element.hamburg.ccc.de + url: "https://element.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)" + + - name: hacker.tours + url: "https://hacker.tours" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + # Once suites support alerting, we can also monitor the target as well. + - "[BODY] == pat(**)" + + - name: hackertours.hamburg.ccc.de + url: "https://hackertours.hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + # Once suites support alerting, we can also monitor the target as well. + - "[BODY] == pat(**)" + + - name: hamburg.ccc.de + url: "https://hamburg.ccc.de" + <<: *websites_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" + +# Websites (Staging) + - name: staging.c3cat.de + url: "https://staging.c3cat.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*c3cat.de Staging Environment*)" + + - name: staging.cryptoparty-hamburg.de + url: "https://staging.cryptoparty-hamburg.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" + + - name: staging.hacker.tours + url: "https://staging.hacker.tours" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hacker.tours Staging Environment*)" + + - name: staging.hackertours.hamburg.ccc.de + url: "https://staging.hackertours.hamburg.ccc.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)" + + - name: staging.hamburg.ccc.de + url: "https://staging.hamburg.ccc.de" + <<: *websites_staging_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)" + +# Website (Redirects) + - name: www.c3cat.de + url: "https://www.c3cat.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Cat Ears Operation Center*)" + + - name: cryptoparty.hamburg.ccc.de + url: "https://cryptoparty.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" + + - name: staging.cryptoparty.hamburg.ccc.de + url: "https://staging.cryptoparty.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)" + + - name: www.hamburg.ccc.de + url: "https://www.hamburg.ccc.de" + <<: *websites_redirects_defaults + conditions: + - "[STATUS] == 200" + - "[CERTIFICATE_EXPIRATION] > 48h" + - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" diff --git a/resources/external/status/nginx/http_handler.conf b/resources/external/status/nginx/http_handler.conf new file mode 100644 index 00000000..c989edee --- /dev/null +++ b/resources/external/status/nginx/http_handler.conf @@ -0,0 +1,14 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name status.hamburg.ccc.de; + + location / { + return 301 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } +} diff --git a/resources/external/status/nginx/status.hamburg.ccc.de.conf b/resources/external/status/nginx/status.hamburg.ccc.de.conf new file mode 100644 index 00000000..510966a8 --- /dev/null +++ b/resources/external/status/nginx/status.hamburg.ccc.de.conf @@ -0,0 +1,33 @@ +# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + server_name status.hamburg.ccc.de; + + ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy. + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + + location / { + proxy_pass http://127.0.0.1:8080/; + } +} From 744dc00ae5f6209481df3b1b0cd42fec4fa194f4 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sun, 18 Jan 2026 03:01:35 +0000 Subject: [PATCH 058/104] Update https://github.com/ansible/ansible-lint action to v26 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index b1168c9c..588d38c9 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.12.2 + uses: https://github.com/ansible/ansible-lint@v26.1.1 with: setup_python: "false" requirements_file: "requirements.yml" From 0b6847493cfe44d03c645efe0bf54e6b2b2941a9 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sun, 18 Jan 2026 03:30:42 +0000 Subject: [PATCH 059/104] Update actions/checkout action to v6 --- .forgejo/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 588d38c9..5113e9fb 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Install pip run: | apt update From d7b463ecb9a1d4cf3d13d0ad9d3c3f064c271235 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 04:53:14 +0100 Subject: [PATCH 060/104] status(host): fix token not working by using a new one --- inventories/external/host_vars/status.sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index e3004595..4dd3471c 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml @@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:wp6C2E/LM3grawu8oW5CZZU0Y2+3qnuEbcKmgZr16e8P1KG/v2kfxRQ=,iv:S96oyGg6hI2Co7PJ8BFtrzZag82PTfp2IyIgTbxfdiM=,tag:JROk5PdoaMzXq1qXGgaH7g==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-17T23:54:35Z" - mac: ENC[AES256_GCM,data:K/uLPclyRgFOMhSxPpFOiH1fQF0EQHKUNnqI/LW0o6+ON07r+UWv9mXaT2M7xUNhgHkv4lVu/qfLAKXZUVGlDga5ufH3A6xbcArqtQ5oyPoE5HX0nbcU4QF1f8JyYLVKCQdI0pBQkLU2cpAFHrGVLI/8+RY/uqrtNee9f7fd4cM=,iv:WRfTSWo4cfJOvjQqeSrSUCOstCf0FggTv2W4eGRcTF8=,tag:GE9cLzmJZt3F11BZd82HFA==,type:str] + lastmodified: "2026-01-18T03:53:06Z" + mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- From d514688574e84f8da76aa357782953fce5e4cb0c Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 19:21:33 +0100 Subject: [PATCH 061/104] systemd_networkd(role),router(host): support global config to fix forw. With the router upgrade to Debian 13 the systemd version got upgraded as well breaking the current configuration for IP forwarding. Add a variable for global systemd-networkd configuration and use that to enable IPv4 and IPv6 forwarding on the router. The systemd_networkd role could be a bit nicer, not deploying/deleting the global configuration, if the variable is empty and reloading/restarting systemd-networkd at appropriate times. But as is works for now. --- inventories/chaosknoten/host_vars/router.yaml | 1 + .../router/systemd_networkd/20-net1.network | 2 -- .../router/systemd_networkd/20-net2.network | 2 -- .../router/systemd_networkd_global_config.conf | 3 +++ roles/systemd_networkd/README.md | 5 +++++ roles/systemd_networkd/defaults/main.yaml | 1 + roles/systemd_networkd/tasks/main.yaml | 18 ++++++++++++++++++ 7 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 resources/chaosknoten/router/systemd_networkd_global_config.conf create mode 100644 roles/systemd_networkd/defaults/main.yaml diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml index 5e9c8325..adbc8d95 100644 --- a/inventories/chaosknoten/host_vars/router.yaml +++ b/inventories/chaosknoten/host_vars/router.yaml @@ -1,4 +1,5 @@ systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}" nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network index c8bffc1e..5c14d8d8 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net1.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network @@ -3,7 +3,6 @@ Name=net1 [Network] DNS=212.12.50.158 -IPForward=ipv4 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=212.12.48.123/24 [Route] Gateway=212.12.48.55 - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network index b3f497dd..39d1f03f 100644 --- a/resources/chaosknoten/router/systemd_networkd/20-net2.network +++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network @@ -3,7 +3,6 @@ Name=net2 [Network] #DNS=212.12.50.158 -IPForward=ipv6 IPv6AcceptRA=no [Address] @@ -11,4 +10,3 @@ Address=2a00:14b0:4200:3500::130:2/112 [Route] Gateway=2a00:14b0:4200:3500::130:1 - diff --git a/resources/chaosknoten/router/systemd_networkd_global_config.conf b/resources/chaosknoten/router/systemd_networkd_global_config.conf new file mode 100644 index 00000000..2d3d8a34 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd_global_config.conf @@ -0,0 +1,3 @@ +[Network] +IPv4Forwarding=true +IPv6Forwarding=true diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md index 3297c47e..ac7f115d 100644 --- a/roles/systemd_networkd/README.md +++ b/roles/systemd_networkd/README.md @@ -9,3 +9,8 @@ Should work on Debian-based distributions. ## Required Arguments - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. + +## Optional Arguments + +- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`). + Defaults to `` (the empty string); diff --git a/roles/systemd_networkd/defaults/main.yaml b/roles/systemd_networkd/defaults/main.yaml new file mode 100644 index 00000000..e84ed280 --- /dev/null +++ b/roles/systemd_networkd/defaults/main.yaml @@ -0,0 +1 @@ +systemd_networkd__global_config: "" diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml index f88ed146..cc8f4d9b 100644 --- a/roles/systemd_networkd/tasks/main.yaml +++ b/roles/systemd_networkd/tasks/main.yaml @@ -12,3 +12,21 @@ recursive: true delete: true become: true + +- name: ensure global systemd-networkd config directory exists + ansible.builtin.file: + path: "/etc/systemd/networkd.conf.d" + state: directory + owner: root + group: root + mode: "0755" + become: true + +- name: ensure global systemd-networkd config is deployed + ansible.builtin.copy: + content: "{{ systemd_networkd__global_config }}" + dest: "/etc/systemd/networkd.conf.d/20-ansible.conf" + mode: "0644" + owner: root + group: root + become: true From 28f80a85f33413cd0de40708623f281c93c78c76 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 19:47:19 +0100 Subject: [PATCH 062/104] status(host): Switch to nekover.se user for personal token As access token now apparently expire with matrix authentication services, use a nekover.se user where we can get a long-lived personal token. --- inventories/external/host_vars/status.sops.yaml | 6 +++--- .../external/status/docker_compose/config/general.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml index 4dd3471c..366b6410 100644 --- a/inventories/external/host_vars/status.sops.yaml +++ b/inventories/external/host_vars/status.sops.yaml @@ -1,6 +1,6 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str] secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str] -secret__gatus_matrix_access_token: ENC[AES256_GCM,data:4qfXOyp+wAyYKw+KslCvE+6GxxdVfykkHJQUvaYBAebvdHlkRtIlyaI=,iv:axS2IRonJpZR2eanFBfc/LWc7Uhc2bi9eQAebsobtPc=,tag:TkaVZLgJzDz1UHDcDfsJ2A==,type:str] +secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str] sops: age: - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -12,8 +12,8 @@ sops: RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2 13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-18T03:53:06Z" - mac: ENC[AES256_GCM,data:yCgEtVm+HZfCL2sYg1+2cePBXg5xKoPX/fXln5NLLRJu5hUnsMOTa1VT41rAc6jJKFwbE4GWECkvjwfFReVjplwSJ4jvaY5usWvKjDLG7c8wPqgogR2vRNwxkI9aHU2VtBh7ArjCfmbY9++uWx577OPEdzUmup0TLlHxP68ueAw=,iv:YJjrm1HxCOakgm3c0JhlFfAb/MVi/ykQ1oeomeyQBus=,tag:UFFR6Fy9smzgzOef3NZlOA==,type:str] + lastmodified: "2026-01-18T18:40:32Z" + mac: ENC[AES256_GCM,data:7bP0fmn6TJKA8zLuXE8F47sHn1qqX33z/078KkCJx5yRSKBGyLnTeKNha8EODEBkMG0eXQ2BEQDPfNB892R5OW69xCInCa0+sEPONd3YELMvFVoM7/+avDi94X/tdJKCHVPnF/kpqnGhKlwikKlCFLIcbkfEAHJgDlze32C0QKU=,iv:1Q5dsJP2FToAYDJYWXJufHuIlXGfj93NaBWHfZ5rhHk=,tag:dFNYdMJOwUwr6/zwlRollg==,type:str] pgp: - created_at: "2026-01-15T21:23:56Z" enc: |- diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index c67811a3..0b30725d 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -17,7 +17,7 @@ ui: alerting: matrix: - server-url: "https://matrix-client.matrix.org" + server-url: "https://matrix.nekover.se" access-token: "${MATRIX_ACCESS_TOKEN}" internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ" From ddaa069204bb49b8d1033e42292019ce9b594da8 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:39:23 +0100 Subject: [PATCH 063/104] status(host): configure Gatus to store more results and events Also see: https://github.com/TwiN/gatus?tab=readme-ov-file#storage --- resources/external/status/docker_compose/config/general.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml index 0b30725d..fb1c3ed0 100644 --- a/resources/external/status/docker_compose/config/general.yaml +++ b/resources/external/status/docker_compose/config/general.yaml @@ -1,6 +1,8 @@ storage: type: postgres path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable" + maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks. + maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day. ui: title: CCCHH Status From b492472179f8f56a6f46dd0aad0fdc036e99cdde Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 12:12:30 +0100 Subject: [PATCH 064/104] Explain how to add age key for ansible pull --- ...ng_up_secrets_using_sops_for_a_new_host.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md index c88315f9..df7b0247 100644 --- a/docs/setting_up_secrets_using_sops_for_a_new_host.md +++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md @@ -2,19 +2,29 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory. -1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. - It should probably hold all admin keys. +1. Create a new age key for Ansible pull on the host. + ``` + age-keygen + ``` + Then add an entry to `keys.hosts.chaosknoten.age` +2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. + It should probably hold all admin keys plus the host entry. You can use existing creation rules as a reference. -2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. +3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. This can be accomplished with a command similar to this: ``` sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml ``` -3. With the editor now open, add the secrets you want to store. +4. With the editor now open, add the secrets you want to store. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Also note that SOPS only encrypts the values, not the keys. When now creating entries, try to adhere to the following variable naming convention: + - Make sure to put the prive age key in here under `ansible_pull__age_private_key`. - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`) - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`) -4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. +5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. + +## GPG Keys + +In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store. From 664b9115b8d4e01ae774bf33e041855ed10de585 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 13:01:52 +0100 Subject: [PATCH 065/104] Fix warning --- roles/docker/tasks/main/01_repo_setup.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/main/01_repo_setup.yaml b/roles/docker/tasks/main/01_repo_setup.yaml index aa775212..63bdb918 100644 --- a/roles/docker/tasks/main/01_repo_setup.yaml +++ b/roles/docker/tasks/main/01_repo_setup.yaml @@ -9,7 +9,7 @@ - name: Ensure Docker APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable" filename: docker state: present become: true From f887de25c521e52375ae828cab59dd6a17f3b258 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 13:26:20 +0100 Subject: [PATCH 066/104] make building and pulling configurable --- roles/docker_compose/defaults/main.yaml | 2 ++ roles/docker_compose/tasks/main.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 76831d6c..621ee7b3 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1 +1,3 @@ +docker_compose__build: always docker_compose__configuration_files: [ ] +docker_compose__pull: always diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index bea3f4fb..a706ab23 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml @@ -79,8 +79,8 @@ community.docker.docker_compose_v2: project_src: /ansible_docker_compose state: present - build: always - pull: always + build: "{{ docker_compose__build }}" + pull: "{{ docker_compose__pull }}" remove_orphans: true become: true From 0c782caee7a9e68e9b5247f681cf7222b1703ca7 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 14:03:34 +0100 Subject: [PATCH 067/104] Explain what all needs to be added for a new host --- docs/create-new-web-service-vm.md | 79 +++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 docs/create-new-web-service-vm.md diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md new file mode 100644 index 00000000..76eca216 --- /dev/null +++ b/docs/create-new-web-service-vm.md @@ -0,0 +1,79 @@ +# How to create all necessary entries for new (web service) VM + +Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo. + +## IP, DNS, VM + +1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. +2. Add an entry `example.hosts.hamburg.ccc.de` with that AAAA to the name server (`ns-intern`). +3. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. +4. Commit and reload the zone. +5. Create a new VM on chaosknoten, for example by cloning the Debian template 9023. Give it the name `example`. +6. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. +7. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. +8. Make sure the VM is started at boot (options). +9. Adjust any other VM parameters as needed. +10. Boot the VM. +11. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). Make sure to enter the VM ID. +12. Add an Ethernet interface to the VM; we typically use `eth0` as a name. +13. Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. + +## Ansible Basics + +As the first step, we need to make the host known to Ansible. + +1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. + 1. `keys.hosts.chaosknoten.age` needs an age public key (the private key is needed in the host-specific YAML) + 2. `creation_rules` needs an entry for the host, referencing the age key. +2. In `inventories/chaosknoten/hosts.yaml`: + 1. Configure basic connection info: + ``` + example: + ansible_host: example.hosts.hamburg.ccc.de + ansible_user: chaos + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ``` + You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection. + 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. + 3. In the directorry `inventories/chaosknoten/host_var/`: + 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. + 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries there should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + +## Service-specific config + +From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following. + +Make `inventories/chaosknoten/host_var/example.yaml` look like this: +```yaml +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "example.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}" + +nginx__version_spec: "" +nginx__configurations: + - name: example.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}" +``` + +This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info. + +## First Ansible run + +Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts: +* `ssh chaos@example.hosts.hamburg.ccc.de` +* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de` + +Then run Ansible for `public-reverse-proxy` to add the necessary entries: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy`. + +Finally run Ansible for the new host: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example` + +# Commit your changes + +Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. + +And always `git pull` before you run Ansible so avoid reverting anything! \ No newline at end of file From cee1fe970aa629d5b2f9bf58de2a8ed18b1726c9 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 14:03:54 +0100 Subject: [PATCH 068/104] Add spaceapiccc as a replacement for erfafoo --- .sops.yaml | 7 + .../host_vars/spaceapiccc.sops.yaml | 215 ++++++++++++++++++ .../chaosknoten/host_vars/spaceapiccc.yaml | 16 ++ inventories/chaosknoten/hosts.yaml | 9 + .../nginx/acme_challenge.conf | 2 + .../public-reverse-proxy/nginx/nginx.conf | 2 + .../docker_compose/compose.yaml.j2 | 39 ++++ .../nginx/spaceapiccc.hamburg.ccc.de.conf | 42 ++++ 8 files changed, 332 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml create mode 100644 inventories/chaosknoten/host_vars/spaceapiccc.yaml create mode 100644 resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 create mode 100644 resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 3b728e2d..bb83e394 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -33,6 +33,7 @@ keys: - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg + - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa external: age: &host_external_age_keys - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -160,6 +161,12 @@ creation_rules: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key + - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_spaceapiccc_ansible_pull_age_key # external hosts - path_regex: inventories/external/host_vars/status.* key_groups: diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml new file mode 100644 index 00000000..4f06e92a --- /dev/null +++ b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml @@ -0,0 +1,215 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str] +secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str] +secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str] +secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str] +sops: + age: + - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX + S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95 + YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx + TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+ + C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-25T11:18:43Z" + mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str] + pgp: + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A + wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ + xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8 + iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq + fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y + 9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q + /KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe + FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc + lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2 + JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi + ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU + aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o + CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1 + wWY4KUeOqk6Y + =Wm7O + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi + 457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI + df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb + FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb + rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9 + xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh + kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t + a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22 + oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv + 85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk + k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS + XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ + lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg= + =ytkN + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee + VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO + tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K + eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd + nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di + MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h + vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl + WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO + 3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ + wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp + oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS + XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE + RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA= + =LEoh + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z + RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg + b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO + 9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV + A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp + EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX + FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc + 4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc + xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z + wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x + 4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS + XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV + wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA= + =KudR + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw + mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5 + 0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB + iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4 + =gfNC + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje + d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf + 2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+ + UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4 + RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI + rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc + 63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2 + wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9 + S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF + xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50 + Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je + AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3 + aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA== + =7Qbv + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw + N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux + wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK + BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr + irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M + EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY + mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/ + TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe + xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo + Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8 + hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S + XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm + XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo= + =T4dN + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q + tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm + s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3 + Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl + z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w + jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5 + zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ + gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go + AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU + uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np + mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS + XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU + rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c= + =PbAZ + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw + ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo + 0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f + dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU + =Cbzj + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw + fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK + 0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw + fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz + =g5Ck + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T11:17:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR + X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz + FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k + dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j + kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v + fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt + caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli + MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb + wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV + NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig + 6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU + aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm + oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG + xU5hdDPzz/jT + =zb8A + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml new file mode 100644 index 00000000..377b9097 --- /dev/null +++ b/inventories/chaosknoten/host_vars/spaceapiccc.yaml @@ -0,0 +1,16 @@ +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}" +docker_compose__build: never +docker_compose__pull: never + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + # - "spaceapi.ccc.de" # after DNS has been adjusted + - "spaceapiccc.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + +nginx__version_spec: "" +nginx__configurations: + - name: spaceapiccc.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 93c61be8..62461192 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -74,6 +74,10 @@ all: ansible_host: renovate.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + spaceapiccc: + ansible_host: spaceapiccc.hosts.hamburg.ccc.de + ansible_user: chaos + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: @@ -98,6 +102,7 @@ base_config_hosts: ntfy: sunders: renovate: + spaceapiccc: systemd_networkd_hosts: hosts: router: @@ -117,6 +122,7 @@ docker_compose_hosts: zammad: ntfy: sunders: + spaceapiccc: nextcloud_hosts: hosts: cloud: @@ -138,6 +144,7 @@ nginx_hosts: zammad: ntfy: sunders: + spaceapiccc: public_reverse_proxy_hosts: hosts: public-reverse-proxy: @@ -158,6 +165,7 @@ certbot_hosts: zammad: ntfy: sunders: + spaceapiccc: prometheus_node_exporter_hosts: hosts: ccchoir: @@ -189,6 +197,7 @@ infrastructure_authorized_keys_hosts: ntfy: sunders: renovate: + spaceapiccc: wiki_hosts: hosts: eh22-wiki: diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 82e596aa..0a6a70dd 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -78,6 +78,8 @@ map $host $upstream_acme_challenge_host { cryptoparty.hamburg.ccc.de 172.31.17.151:31820; staging.cryptoparty-hamburg.de 172.31.17.151:31820; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820; + spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; + spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 489dda55..2ad5dc4d 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -96,6 +96,8 @@ stream { cryptoparty.hamburg.ccc.de 172.31.17.151:8443; staging.cryptoparty-hamburg.de 172.31.17.151:8443; staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443; + spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; + spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; } server { diff --git a/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 new file mode 100644 index 00000000..67e4b581 --- /dev/null +++ b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 @@ -0,0 +1,39 @@ +--- +services: + frontend: + #build: ./frontend + networks: + spaceapi-network: + ipv4_address: 172.16.238.10 + image: gidsi/spaceapi-ccc-frontend:saved_from_old_host + restart: always + expose: + - "80" + depends_on: + - backend + backend: + #build: ./backend + networks: + - spaceapi-network + image: gidsi/spaceapi-ccc-backend:saved_from_old_host + restart: always + environment: + SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}" + DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}" + DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}" + depends_on: + - database + database: + image: mongo:saved_from_old_host + networks: + - spaceapi-network + restart: always + volumes: + - ./data/database:/data/db + +networks: + spaceapi-network: + ipam: + driver: default + config: + - subnet: 172.16.238.0/24 diff --git a/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf new file mode 100644 index 00000000..f060996a --- /dev/null +++ b/resources/chaosknoten/spaceapiccc/nginx/spaceapiccc.hamburg.ccc.de.conf @@ -0,0 +1,42 @@ +# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 +server { + # Listen on a custom port for the proxy protocol. + listen [::]:8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + server_name spaceapi.ccc.de spaceapiccc.hamburg.ccc.de; + + ssl_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/spaceapiccc.hamburg.ccc.de/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + + location / { + proxy_pass http://172.16.238.10/; + } +} From d35f1cc779b9ed4a23ddc8e376c393cf1c33f2e7 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 15:31:42 +0100 Subject: [PATCH 069/104] GPG must be installed for the docker role to be able to add the repo --- roles/base_config/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml index 7f0281eb..ab737b76 100644 --- a/roles/base_config/tasks/main.yaml +++ b/roles/base_config/tasks/main.yaml @@ -30,4 +30,5 @@ - dnsutils - usbutils - kitty + - gpg become: true From c285694aaadd49374745c9749d54b2ece5c7afaa Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 15:47:41 +0100 Subject: [PATCH 070/104] Add age private key --- docs/create-new-web-service-vm.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index 76eca216..1f5874d7 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -37,7 +37,8 @@ As the first step, we need to make the host known to Ansible. 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. 3. In the directorry `inventories/chaosknoten/host_var/`: 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. - 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries there should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. + * Add an entry `ansible_pull__age_private_key` with the age private key you generated above. ## Service-specific config From 0939771d0812e71fad69074420223a706353ec98 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:22:44 +0100 Subject: [PATCH 071/104] public-reverse-proxy(host): add entries for cpu.ccc.de --- .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 2 ++ resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 ++ 2 files changed, 4 insertions(+) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 0a6a70dd..71ae7292 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -80,6 +80,8 @@ map $host $upstream_acme_challenge_host { staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820; spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; + cpuccc.hamburg.ccc.de 172.31.17.151:31820; + cpu.ccc.de 172.31.17.151:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 2ad5dc4d..bdf71846 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -98,6 +98,8 @@ stream { staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443; spaceapiccc.hamburg.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; + cpuccc.hamburg.ccc.de 172.31.17.151:8443; + cpu.ccc.de 172.31.17.151:8443; } server { From 652aa32e217fe21f864d9e24d2c80ccd520776c0 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:49:39 +0100 Subject: [PATCH 072/104] docker_compose(role): document new build and pull arguments --- roles/docker_compose/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index c0a7a93d..6f2c8413 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -19,6 +19,10 @@ Should work on Debian-based distributions. - `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. - `docker_compose__configuration_files.*.name`: The name of the configuration file. - `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. +- `docker_compose__build`: Whether or not to build images before starting containers. + Defaults to `always`. +- `docker_compose__pull`: Whether or not to pull images before starting containers. + Defaults to `always`. ## Links & Resources From a5d291cea8829f7098929b3da0640c5effdc06c4 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:58:57 +0100 Subject: [PATCH 073/104] spaceapiccc(host): setup ansible-pull --- inventories/chaosknoten/hosts.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 62461192..2a95ba87 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -232,6 +232,7 @@ ansible_pull_hosts: public-reverse-proxy: zammad: ntfy: + spaceapiccc: msmtp_hosts: hosts: renovate_hosts: From 1523b15952987cc23f87a7845d480be9bf89327c Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:11:07 +0100 Subject: [PATCH 074/104] docs: improve formatting and wording a bit to make things clearer --- docs/create-new-web-service-vm.md | 55 +++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index 1f5874d7..da8293bc 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -5,36 +5,47 @@ Let's assume that you want to add a new web service `example.hamburg.ccc.de` whi ## IP, DNS, VM 1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. -2. Add an entry `example.hosts.hamburg.ccc.de` with that AAAA to the name server (`ns-intern`). -3. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. -4. Commit and reload the zone. -5. Create a new VM on chaosknoten, for example by cloning the Debian template 9023. Give it the name `example`. -6. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. -7. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. -8. Make sure the VM is started at boot (options). -9. Adjust any other VM parameters as needed. -10. Boot the VM. -11. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). Make sure to enter the VM ID. -12. Add an Ethernet interface to the VM; we typically use `eth0` as a name. -13. Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. +2. On `ns-intern`: + 1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP. + 2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone. + 3. Commit and reload the zone. +3. On Chaosknoten: + 1. Create a new VM, for example by cloning the Debian template 9023. + Give it the name `example`. + 2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. + 3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. + 4. Make sure the VM is started at boot (options). + 5. Adjust any other VM parameters as needed. + 6. Boot the VM. +4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/). + - Make sure to enter the VM ID. + - Add an Ethernet interface to the VM; we typically use `eth0` as a name. + - Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface. ## Ansible Basics As the first step, we need to make the host known to Ansible. 1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. - 1. `keys.hosts.chaosknoten.age` needs an age public key (the private key is needed in the host-specific YAML) + 1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML) 2. `creation_rules` needs an entry for the host, referencing the age key. 2. In `inventories/chaosknoten/hosts.yaml`: 1. Configure basic connection info: - ``` + ```yaml example: ansible_host: example.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de ``` You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection. - 2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`. + 2. Add the host to the desired roles. + 1. As a minimum, you'll want the following roles: + - `base_config_hosts` + - `infrastructure_authorized_keys_hosts` + 2. For a typical web service based on Docker Compose, you'll also want: + - `docker_compose_hosts` + - `nginx_hosts` + - `certbot_hosts`. 3. In the directorry `inventories/chaosknoten/host_var/`: 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. @@ -69,12 +80,20 @@ Before you can run Ansible successfully, you will want to make sure you can conn * `ssh chaos@example.hosts.hamburg.ccc.de` * `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de` -Then run Ansible for `public-reverse-proxy` to add the necessary entries: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy`. +Then run Ansible for `public-reverse-proxy` to add the necessary entries: -Finally run Ansible for the new host: `ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example` +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy +``` + +Finally run Ansible for the new host: + +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example +``` # Commit your changes Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. -And always `git pull` before you run Ansible so avoid reverting anything! \ No newline at end of file +And always `git pull` before you run Ansible so avoid reverting anything! From c6c02724487ab278aa9904483d66efb8d4872d64 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:16:38 +0100 Subject: [PATCH 075/104] docs: add section on conf. monitoring with Gatus (status.hamburg.ccc.de) --- docs/create-new-web-service-vm.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index da8293bc..57a1e81c 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -97,3 +97,16 @@ ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host. And always `git pull` before you run Ansible so avoid reverting anything! + +# Monitoring + +## Gatus (`status.hamburg.ccc.de`) + +After you configured a new service or website, add it to our status and uptime monitoring. +Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents). + +After you've added some checks, the configuration can be deployed using: + +```sh +ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status +``` From 8f7990acc0240123d2d488c334ba2904060ece12 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 21:17:28 +0100 Subject: [PATCH 076/104] docs: add ansible_pull_hosts to the desired minimum roles/groups --- docs/create-new-web-service-vm.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index 57a1e81c..46ff19f1 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -42,6 +42,7 @@ As the first step, we need to make the host known to Ansible. 1. As a minimum, you'll want the following roles: - `base_config_hosts` - `infrastructure_authorized_keys_hosts` + - `ansible_pull_hosts` 2. For a typical web service based on Docker Compose, you'll also want: - `docker_compose_hosts` - `nginx_hosts` From 11779ab21d742da75e4ab13e001be29ee74ccd52 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 21:41:20 +0100 Subject: [PATCH 077/104] grafana: get alertmanager to be more chill a bit of help to deal with alert fatigue --- .../docker_compose/alertmanager.yaml.j2 | 23 +++++-------------- .../grafana/docker_compose/compose.yaml.j2 | 4 ++-- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 index 51aeb63e..10fb3463 100644 --- a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 @@ -7,7 +7,7 @@ route: group_by: [ "alertname", "site", "type", "hypervisor" ] group_wait: 30s group_interval: 5m - repeat_interval: 6h + repeat_interval: 26h routes: - receiver: "null" matchers: @@ -16,49 +16,38 @@ route: matchers: - org = "ccchh" - severity = "critical", - repeat_interval: 18h + repeat_interval: 26h continue: true - receiver: ntfy-ccchh matchers: - org = "ccchh" - severity =~ "info|warning", - repeat_interval: 36h + repeat_interval: 52h continue: true - receiver: ntfy-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 18h + repeat_interval: 26h continue: true - receiver: email-fux-critical matchers: - org = "fux" - severity = "critical", - repeat_interval: 36h + repeat_interval: 52h continue: true - receiver: ntfy-fux matchers: - org = "fux" - severity =~ "info|warning", - repeat_interval: 36h + repeat_interval: 52h continue: true - - receiver: ccchh-infrastructure-alerts - matchers: - - org = "ccchh" - - severity =~ "info|warning|critical" templates: - "/etc/alertmanager/templates/*.tmpl" receivers: - name: "null" - - name: "ccchh-infrastructure-alerts" - telegram_configs: - - send_resolved: true - bot_token: {{ secret__alertmanager_telegram_bot_token }} - chat_id: -1002434372415 - parse_mode: HTML - message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }} - name: "ntfy-ccchh-critical" webhook_configs: diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 90952ee8..c2c312c2 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.30.0 + image: docker.io/prom/alertmanager:v0.30.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.3 + image: docker.io/grafana/loki:3.6.4 container_name: loki ports: - 13100:3100 From 995dbb06e2ea547177b00566b64b4fde595456cb Mon Sep 17 00:00:00 2001 From: June Date: Sun, 4 Jan 2026 19:32:42 +0100 Subject: [PATCH 078/104] wip: alloy --- roles/alloy/tasks/main.yaml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 roles/alloy/tasks/main.yaml diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml new file mode 100644 index 00000000..2bc308ac --- /dev/null +++ b/roles/alloy/tasks/main.yaml @@ -0,0 +1,48 @@ +# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124 +- name: ensure alloy user exists + ansible.builtin.user: + name: alloy + system: true + append: true + create_home: false + state: present + +- name: ensure the `/etc/alloy/` config directory exists + ansible.builtin.file: + path: /etc/alloy + state: directory + mode: "0770" + owner: root + group: alloy + become: true + +- name: synchronize the additional configuration files directory, if present + when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != "" + block: + - name: ensure rsync is installed + ansible.builtin.apt: + name: rsync + become: true + + - name: synchronize the additional configuration files directory, if present + ansible.posix.synchronize: + src: "{{ alloy__additional_configs_dir }}" + dest: /etc/alloy/additional + delete: true + recursive: true + use_ssh_args: true + rsync_opts: + - "--chown=root:alloy" + become: true + +- name: delete the additional configuration files directory, if not present + when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == "" + ansible.builtin.file: + path: /etc/alloy/additional + state: absent + become: true + +- name: Setup Alloy + ansible.builtin.import_role: + name: grafana.grafana.alloy + become: true From c7d51af5b428b7b1fe065c23fbfa1d1b6bd51980 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 20:03:13 +0100 Subject: [PATCH 079/104] rollout Alloy to replace prometheus_node_exporter With the new network we need to deploy a push based solution in order to get metrics into prometheus --- .../chaosknoten/group_vars/all.sops.yaml | 7 +- .../chaosknoten/host_vars/grafana.yaml | 42 +-------- .../chaosknoten/host_vars/ntfy.sops.yaml | 6 +- inventories/chaosknoten/host_vars/ntfy.yaml | 86 +------------------ inventories/chaosknoten/hosts.yaml | 16 ++-- playbooks/deploy.yaml | 11 +-- .../grafana/docker_compose/prometheus.yml | 35 -------- .../grafana/nginx/metrics.hamburg.ccc.de.conf | 1 - roles/alloy/defaults/main.yaml | 44 ++++++++++ roles/alloy/tasks/main.yaml | 2 + roles/prometheus_node_exporter/meta/main.yaml | 10 --- .../prometheus_node_exporter/tasks/main.yaml | 14 --- 12 files changed, 69 insertions(+), 205 deletions(-) create mode 100644 roles/alloy/defaults/main.yaml delete mode 100644 roles/prometheus_node_exporter/meta/main.yaml delete mode 100644 roles/prometheus_node_exporter/tasks/main.yaml diff --git a/inventories/chaosknoten/group_vars/all.sops.yaml b/inventories/chaosknoten/group_vars/all.sops.yaml index ebc53b75..0c5762de 100644 --- a/inventories/chaosknoten/group_vars/all.sops.yaml +++ b/inventories/chaosknoten/group_vars/all.sops.yaml @@ -1,4 +1,5 @@ msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str] +metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str] sops: age: - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 @@ -163,8 +164,8 @@ sops: SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-13T23:45:06Z" - mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str] + lastmodified: "2026-01-25T18:06:26Z" + mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str] pgp: - created_at: "2025-10-20T19:03:07Z" enc: |- @@ -360,4 +361,4 @@ sops: -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index ecc942c8..b87a1989 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,16 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } +alloy_config_additional: | loki.write "default" { endpoint { url = "https://loki.hamburg.ccc.de/loki/api/v1/push" @@ -98,9 +89,9 @@ alloy_config: | } rule { source_labels = ["__journal__hostname"] - target_label = "host" + target_label = "instance" regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" + replacement = "${1}.hosts.hamburg.ccc.de" action = "replace" } } @@ -111,30 +102,3 @@ alloy_config: | format_as_json = true labels = {component = "loki.source.journal", org = "ccchh"} } - - logging { - level = "info" - } - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "scrape_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - } diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml index e860cca5..1328d664 100644 --- a/inventories/chaosknoten/host_vars/ntfy.sops.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml @@ -1,5 +1,3 @@ -secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str] -secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str] secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str] ntfy: user: @@ -18,8 +16,8 @@ sops: bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-20T19:01:39Z" - mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str] + lastmodified: "2026-01-25T18:41:48Z" + mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str] pgp: - created_at: "2025-10-20T19:03:04Z" enc: |- diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml index cab4e761..2d68bfaa 100644 --- a/inventories/chaosknoten/host_vars/ntfy.yaml +++ b/inventories/chaosknoten/host_vars/ntfy.yaml @@ -15,90 +15,8 @@ nginx__configurations: - name: ntfy.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}" -alloy_config: | - prometheus.remote_write "default" { - endpoint { - url = "https://metrics.hamburg.ccc.de/api/v1/write" - basic_auth { - username = "chaos" - password = "{{ secret__metrics_chaos }}" - } - } - } - loki.write "default" { - endpoint { - url = "https://loki.hamburg.ccc.de/loki/api/v1/push" - basic_auth { - username = "chaos" - password = "{{ secret__loki_chaos }}" - } - } - } - - loki.relabel "journal" { - forward_to = [] - - rule { - source_labels = ["__journal__systemd_unit"] - target_label = "systemd_unit" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "instance" - } - rule { - source_labels = ["__journal__transport"] - target_label = "systemd_transport" - } - rule { - source_labels = ["__journal_syslog_identifier"] - target_label = "syslog_identifier" - } - rule { - source_labels = ["__journal_priority_keyword"] - target_label = "level" - } - rule { - source_labels = ["__journal__hostname"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - loki.source.journal "read_journal" { - forward_to = [loki.write.default.receiver] - relabel_rules = loki.relabel.journal.rules - format_as_json = true - labels = {component = "loki.source.journal", org = "ccchh"} - } - - prometheus.exporter.unix "local_system" { - enable_collectors = ["systemd"] - } - - prometheus.relabel "default" { - forward_to = [prometheus.remote_write.default.receiver] - rule { - target_label = "org" - replacement = "ccchh" - } - rule { - source_labels = ["instance"] - target_label = "host" - regex = "([^:]+)" - replacement = "${1}.hamburg.ccc.de" - action = "replace" - } - } - - prometheus.scrape "unix_metrics" { - targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.default.receiver] - } - +alloy_config_additional: | prometheus.scrape "ntfy_metrics" { targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}] - forward_to = [prometheus.relabel.default.receiver] + forward_to = [prometheus.relabel.chaosknoten_common.receiver] } diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 2a95ba87..5c114c9f 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -166,11 +166,10 @@ certbot_hosts: ntfy: sunders: spaceapiccc: -prometheus_node_exporter_hosts: +alloy_hosts: hosts: ccchoir: eh22-wiki: - tickets: keycloak: netbox: onlyoffice: @@ -178,6 +177,15 @@ prometheus_node_exporter_hosts: pretalx: wiki: zammad: + grafana: + ntfy: + tickets: + renovate: + cloud: + public-reverse-proxy: + router: + sunders: + spaceapiccc: infrastructure_authorized_keys_hosts: hosts: ccchoir: @@ -208,10 +216,6 @@ netbox_hosts: proxmox_vm_template_hosts: hosts: chaosknoten: -alloy_hosts: - hosts: - grafana: - ntfy: ansible_pull_hosts: hosts: netbox: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index f416b914..fe0cf78e 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -64,11 +64,6 @@ roles: - nginx -- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts - hosts: prometheus_node_exporter_hosts - roles: - - prometheus_node_exporter - - name: Configure unattended upgrades for all non-hypervisors hosts: all:!hypervisors become: true @@ -83,10 +78,8 @@ - name: Ensure Alloy is installed and Setup on alloy_hosts hosts: alloy_hosts become: true - tasks: - - name: Setup Alloy - ansible.builtin.include_role: - name: grafana.grafana.alloy + roles: + - alloy - name: Ensure ansible_pull deployment on ansible_pull_hosts hosts: ansible_pull_hosts diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus.yml b/resources/chaosknoten/grafana/docker_compose/prometheus.yml index fd59034a..7f94ab04 100644 --- a/resources/chaosknoten/grafana/docker_compose/prometheus.yml +++ b/resources/chaosknoten/grafana/docker_compose/prometheus.yml @@ -82,41 +82,6 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: pve-exporter:9221 - - job_name: hosts - static_configs: - # Wieske Chaosknoten VMs - - labels: - org: ccchh - site: wieske - type: virtual_machine - hypervisor: chaosknoten - targets: - - netbox-intern.hamburg.ccc.de:9100 - - matrix-intern.hamburg.ccc.de:9100 - - public-web-static-intern.hamburg.ccc.de:9100 - - git-intern.hamburg.ccc.de:9100 - - forgejo-actions-runner-intern.hamburg.ccc.de:9100 - - eh22-wiki-intern.hamburg.ccc.de:9100 - - mjolnir-intern.hamburg.ccc.de:9100 - - woodpecker-intern.hamburg.ccc.de:9100 - - penpot-intern.hamburg.ccc.de:9100 - - jitsi.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - ccchoir-intern.hamburg.ccc.de:9100 - - tickets-intern.hamburg.ccc.de:9100 - - keycloak-intern.hamburg.ccc.de:9100 - - onlyoffice-intern.hamburg.ccc.de:9100 - - pad-intern.hamburg.ccc.de:9100 - - wiki-intern.hamburg.ccc.de:9100 - - zammad-intern.hamburg.ccc.de:9100 - - pretalx-intern.hamburg.ccc.de:9100 - - labels: - org: ccchh - site: wieske - type: physical_machine - targets: - - chaosknoten.hamburg.ccc.de:9100 - storage: tsdb: diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf index ef2fe079..195b99dc 100644 --- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf +++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf @@ -9,7 +9,6 @@ server { allow 2a00:14b0:4200:3380::/64; allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing # Z9 - allow 2a07:c480:0:100::/56; allow 2a07:c481:1::/48; # fuxnoc allow 2a07:c481:0:1::/64; diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml new file mode 100644 index 00000000..92bc960f --- /dev/null +++ b/roles/alloy/defaults/main.yaml @@ -0,0 +1,44 @@ +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "chaosknoten_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "wieske" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.hosts.hamburg.ccc.de" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.chaosknoten_common.receiver] + } + +alloy_config_additional: "" diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml index 2bc308ac..5e3cd64c 100644 --- a/roles/alloy/tasks/main.yaml +++ b/roles/alloy/tasks/main.yaml @@ -45,4 +45,6 @@ - name: Setup Alloy ansible.builtin.import_role: name: grafana.grafana.alloy + vars: + alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}" become: true diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml deleted file mode 100644 index 78bb7705..00000000 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - "11" - - "12" - - "13" diff --git a/roles/prometheus_node_exporter/tasks/main.yaml b/roles/prometheus_node_exporter/tasks/main.yaml deleted file mode 100644 index c138f18e..00000000 --- a/roles/prometheus_node_exporter/tasks/main.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- name: make sure the `prometheus-node-exporter` package is installed - ansible.builtin.apt: - name: prometheus-node-exporter - state: present - allow_change_held_packages: true - update_cache: true - become: true - -- name: make sure `prometheus-node-exporter.service` is started and ansibled - ansible.builtin.systemd: - name: prometheus-node-exporter.service - state: started - enabled: true - become: true From 5693989c384646d260ad8b37f85d45aa5d5827b8 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 20:58:14 +0100 Subject: [PATCH 080/104] add alloy to the z9 hosts and some cleanup --- .sops.yaml | 4 + inventories/chaosknoten/group_vars/all.yaml | 43 +++++ inventories/z9/group_vars/all.sops.yaml | 200 ++++++++++++++++++++ inventories/z9/group_vars/all.yaml | 43 +++++ inventories/z9/hosts.yaml | 6 + roles/alloy/defaults/main.yaml | 12 +- 6 files changed, 302 insertions(+), 6 deletions(-) create mode 100644 inventories/z9/group_vars/all.sops.yaml create mode 100644 inventories/z9/group_vars/all.yaml diff --git a/.sops.yaml b/.sops.yaml index bb83e394..0b9c2459 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -51,6 +51,10 @@ creation_rules: *admin_gpg_keys age: *host_external_age_keys + - path_regex: inventories/z9/group_vars/all.* + key_groups: + - pgp: + *admin_gpg_keys ## host vars # chaosknoten hosts - path_regex: inventories/chaosknoten/host_vars/cloud.* diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml index 60349e08..76147d88 100644 --- a/inventories/chaosknoten/group_vars/all.yaml +++ b/inventories/chaosknoten/group_vars/all.yaml @@ -14,3 +14,46 @@ msmtp__smtp_port: 465 msmtp__smtp_tls_method: smtps msmtp__smtp_user: any@hosts.hamburg.ccc.de msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de" + +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "chaosknoten_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "wieske" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.hosts.hamburg.ccc.de" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.chaosknoten_common.receiver] + } diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml new file mode 100644 index 00000000..7c25351b --- /dev/null +++ b/inventories/z9/group_vars/all.sops.yaml @@ -0,0 +1,200 @@ +metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str] +sops: + lastmodified: "2026-01-25T19:52:03Z" + mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str] + pgp: + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi + sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB + 2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C + ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI + Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk + UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD + VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr + 7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG + HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8 + XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu + p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S + XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE + N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc= + =1Rdp + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z + lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8 + 3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ + OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou + orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw + lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc + LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe + UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3 + RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE + LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g + vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S + XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S + gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU= + =ev2Q + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA + 6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA + womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ + +/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO + PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU + 5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U + 5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK + HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/ + xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ + MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3 + hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS + XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/ + tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA= + =a2qJ + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30 + RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW + 8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW + n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy + f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W + E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4 + bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6 + ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1 + Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ + sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ + Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS + XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI + SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s= + =rV/a + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw + IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC + 0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn + lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ + =dGU4 + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg + WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma + vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih + t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs + j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9 + avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT + zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj + ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ + IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO + u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM + dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S + XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++ + zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs= + =dywj + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20 + HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE + K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u + t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3 + 36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2 + hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd + JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2 + ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM + KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7 + 4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6 + SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS + XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN + mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc= + =lIEt + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa + FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a + tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+ + ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0 + kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk + qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd + BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq + fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j + 7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax + 6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1 + Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS + XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b + Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k= + =az/q + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw + Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q + 0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx + JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV + =2Eki + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw + 5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo + 0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0 + WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW + =S45t + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T19:51:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x + DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd + j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG + TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO + AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA + nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt + UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH + FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6 + 7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf + O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx + vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS + XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7 + XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw= + =9ri7 + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/z9/group_vars/all.yaml b/inventories/z9/group_vars/all.yaml new file mode 100644 index 00000000..9a312517 --- /dev/null +++ b/inventories/z9/group_vars/all.yaml @@ -0,0 +1,43 @@ +alloy_config_default: | + prometheus.remote_write "default" { + endpoint { + url = "https://metrics.hamburg.ccc.de/api/v1/write" + basic_auth { + username = "chaos" + password = "{{ metrics__chaos_password }}" + } + } + } + + prometheus.relabel "z9_common" { + forward_to = [prometheus.remote_write.default.receiver] + rule { + target_label = "org" + replacement = "ccchh" + } + rule { + target_label = "site" + replacement = "z9" + } + rule { + source_labels = ["instance"] + target_label = "instance" + regex = "([^:]+)" + replacement = "${1}.z9.ccchh.net" + action = "replace" + } + } + + logging { + level = "info" + } + + prometheus.exporter.unix "local_system" { + enable_collectors = ["systemd"] + } + + prometheus.scrape "scrape_metrics" { + targets = prometheus.exporter.unix.local_system.targets + forward_to = [prometheus.relabel.z9_common.receiver] + } + diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 9f4a6920..f88f1061 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -49,5 +49,11 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: +alloy_hosts: + hosts: + authoritative-dns: + light: + yate: + dooris: ansible_pull_hosts: hosts: diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml index 92bc960f..09c99ee4 100644 --- a/roles/alloy/defaults/main.yaml +++ b/roles/alloy/defaults/main.yaml @@ -4,26 +4,26 @@ alloy_config_default: | url = "https://metrics.hamburg.ccc.de/api/v1/write" basic_auth { username = "chaos" - password = "{{ metrics__chaos_password }}" + password = "chaos_password" } } } - prometheus.relabel "chaosknoten_common" { + prometheus.relabel "common" { forward_to = [prometheus.remote_write.default.receiver] rule { target_label = "org" - replacement = "ccchh" + replacement = "noorg" } rule { target_label = "site" - replacement = "wieske" + replacement = "nosite" } rule { source_labels = ["instance"] target_label = "instance" regex = "([^:]+)" - replacement = "${1}.hosts.hamburg.ccc.de" + replacement = "${1}.hosts.test" action = "replace" } } @@ -38,7 +38,7 @@ alloy_config_default: | prometheus.scrape "scrape_metrics" { targets = prometheus.exporter.unix.local_system.targets - forward_to = [prometheus.relabel.chaosknoten_common.receiver] + forward_to = [prometheus.relabel.common.receiver] } alloy_config_additional: "" From 6a92aa68c1846d4c3713a2f81487894ba57fcfc1 Mon Sep 17 00:00:00 2001 From: chris Date: Sun, 25 Jan 2026 22:36:30 +0100 Subject: [PATCH 081/104] light: fix tls cert expiring and not renewing --- inventories/z9/host_vars/light.yaml | 14 ++++++++++- inventories/z9/hosts.yaml | 1 + resources/z9/light/nginx/http_handler.conf | 10 +++----- resources/z9/light/nginx/light.conf | 29 ++++++++++++---------- 4 files changed, 34 insertions(+), 20 deletions(-) diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml index 0336d220..0c7e11d7 100644 --- a/inventories/z9/host_vars/light.yaml +++ b/inventories/z9/host_vars/light.yaml @@ -50,10 +50,22 @@ ola__configs: content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}" - name: ola-usbserial content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}" + nginx__version_spec: "" nginx__deploy_redirect_conf: false nginx__configurations: - name: light content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}" - name: http_handler - content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}" + content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}" + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + - "light-werkstatt.ccchh.net" + - "light.ccchh.net" + - "light.z9.ccchh.net" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + + diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index f88f1061..319f8175 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -20,6 +20,7 @@ all: certbot_hosts: hosts: dooris: + light: docker_compose_hosts: hosts: dooris: diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf index d9b336c5..8572664d 100644 --- a/resources/z9/light/nginx/http_handler.conf +++ b/resources/z9/light/nginx/http_handler.conf @@ -1,14 +1,12 @@ server { listen 80 default_server; listen [::]:80 default_server; - server_name _; - - location /.well-known/acme-challenge/ { - autoindex on; - root /webroot-for-acme-challenge; - } location / { return 301 https://$host$request_uri; } + + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/; + } } diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf index 9f70cf87..6217e045 100644 --- a/resources/z9/light/nginx/light.conf +++ b/resources/z9/light/nginx/light.conf @@ -1,15 +1,16 @@ # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name light-werkstatt.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem; # replace with the IP address of your resolver resolver 10.31.208.1; @@ -25,15 +26,16 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; - server_name light.z9.ccchh.net ; + server_name light.z9.ccchh.net; - ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem; # verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem; location / { return 307 https://light.ccchh.net$request_uri; @@ -41,8 +43,9 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name light.ccchh.net; From 2cd0811b2965a62c9b073ac03e66edc5e30cfd83 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 22:21:25 +0100 Subject: [PATCH 082/104] Fix warning --- roles/nginx/tasks/main/02_repo_setup.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml index eaaec30e..b4720c14 100644 --- a/roles/nginx/tasks/main/02_repo_setup.yaml +++ b/roles/nginx/tasks/main/02_repo_setup.yaml @@ -15,13 +15,13 @@ - name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" state: present become: true - name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx" state: present become: true From c33ae36af326b2649f74424ad32364b7d9e7ea9c Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 22:21:45 +0100 Subject: [PATCH 083/104] Enable IPv6 by default --- roles/docker/files/daemon.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json index 49d41083..d55e4cb4 100644 --- a/roles/docker/files/daemon.json +++ b/roles/docker/files/daemon.json @@ -2,5 +2,13 @@ "log-driver": "journald", "log-opts": { "tag": "{{.Name}}" + }, + "ipv6": true, + "ip6tables": true, + "fixed-cidr-v6": "fd00:1::/64", + "default-network-opts": { + "bridge": { + "com.docker.network.enable_ipv6":"true" + } } } From 0f3cd2c70ab2a937327280adec5194402247aa2b Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sun, 25 Jan 2026 22:40:22 +0100 Subject: [PATCH 084/104] amcedns to enable Let's Encrypt DNS-01 challenges --- .sops.yaml | 7 + .../chaosknoten/host_vars/acmedns.sops.yaml | 214 ++++++++++++++++++ .../chaosknoten/host_vars/acmedns.yaml | 23 ++ inventories/chaosknoten/hosts.yaml | 10 +- .../acmedns/docker_compose/acmedns.cfg.j2 | 27 +++ .../acmedns/docker_compose/compose.yaml.j2 | 22 ++ .../acmedns/docker_compose/index.html.j2 | 63 ++++++ .../docker_compose/oauth2-proxy.cfg.j2 | 13 ++ .../acmedns/nginx/acmedns.hamburg.ccc.de.conf | 83 +++++++ .../nginx/acme_challenge.conf | 1 + .../public-reverse-proxy/nginx/nginx.conf | 1 + 11 files changed, 463 insertions(+), 1 deletion(-) create mode 100644 inventories/chaosknoten/host_vars/acmedns.sops.yaml create mode 100644 inventories/chaosknoten/host_vars/acmedns.yaml create mode 100644 resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 create mode 100644 resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 create mode 100644 resources/chaosknoten/acmedns/docker_compose/index.html.j2 create mode 100644 resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 create mode 100644 resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf diff --git a/.sops.yaml b/.sops.yaml index 0b9c2459..60da9eb9 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -34,6 +34,7 @@ keys: - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa + - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv external: age: &host_external_age_keys - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr @@ -57,6 +58,12 @@ creation_rules: *admin_gpg_keys ## host vars # chaosknoten hosts + - path_regex: inventories/chaosknoten/host_vars/acmedns.* + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_acmedns_ansible_pull_age_key - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: - pgp: diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml new file mode 100644 index 00000000..2e728ca5 --- /dev/null +++ b/inventories/chaosknoten/host_vars/acmedns.sops.yaml @@ -0,0 +1,214 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str] +secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str] +secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str] +sops: + age: + - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV + TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr + VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC + bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW + WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-25T16:16:15Z" + mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str] + pgp: + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K + rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf + Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy + m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr + rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2 + den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM + GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk + xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7 + /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03 + oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV + W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU + aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L + wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV + PPvkTEc7AdD6 + =GWYV + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU + DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG + HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X + qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z + XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV + gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp + 0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT + 0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS + A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv + SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS + iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS + XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD + 2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs= + =5SxJ + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL + S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID + eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH + CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG + 7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C + rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4 + tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD + 9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0 + DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR + V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6 + BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS + XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX + A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY= + =H3mo + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo + QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG + SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY + yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP + lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c + o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv + VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy + QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N + oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/ + WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD + RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS + XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H + Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk= + =bY3Q + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw + 5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk + 0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx + wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr + =C2Ii + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS + LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/ + efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/ + lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R + FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt + FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/ + hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf + LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa + LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC + XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ + FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS + XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG + M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0= + =/EHL + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID + cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i + 1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx + jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7 + glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD + yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k + sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw + Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV + TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ + 3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8 + NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS + XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ + ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw= + =WwLj + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q + rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH + DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr + k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl + NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp + 1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA + QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc + fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW + TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo + ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4 + 1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS + XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c + gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4= + =Bk3g + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w + FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE + 0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/ + Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j + =xd/t + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw + /rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V + 0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH + zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb + =9oyC + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-01-25T14:20:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J + /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I + OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd + U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e + HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V + +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI + O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl + H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu + hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ + 96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R + XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU + aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2 + 30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq + 9iHTzz6Gpajo + =bBZ5 + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml new file mode 100644 index 00000000..364aa9af --- /dev/null +++ b/inventories/chaosknoten/host_vars/acmedns.yaml @@ -0,0 +1,23 @@ +--- +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}" +docker_compose__configuration_files: + - name: acmedns.cfg + content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}" + - name: oauth2-proxy.cfg + content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}" + - name: html/index.html + content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}" +docker_compose__pull: missing + +certbot__version_spec: "" +certbot__acme_account_email_address: le-admin@hamburg.ccc.de +certbot__certificate_domains: + # - "spaceapi.ccc.de" # after DNS has been adjusted + - "acmedns.hamburg.ccc.de" +certbot__new_cert_commands: + - "systemctl reload nginx.service" + +nginx__version_spec: "" +nginx__configurations: + - name: acmedns.hamburg.ccc.de + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 5c114c9f..395b154f 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -78,11 +78,16 @@ all: ansible_host: spaceapiccc.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + acmedns: + ansible_host: acmedns.hosts.hamburg.ccc.de + ansible_user: chaos + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de hypervisors: hosts: chaosknoten: base_config_hosts: hosts: + acmedns: ccchoir: cloud: eh22-wiki: @@ -110,7 +115,8 @@ nftables_hosts: hosts: router: docker_compose_hosts: - hosts: + hosts: + acmedns: ccchoir: grafana: tickets: @@ -128,6 +134,7 @@ nextcloud_hosts: cloud: nginx_hosts: hosts: + acmedns: ccchoir: eh22-wiki: grafana: @@ -150,6 +157,7 @@ public_reverse_proxy_hosts: public-reverse-proxy: certbot_hosts: hosts: + acmedns: ccchoir: eh22-wiki: grafana: diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 new file mode 100644 index 00000000..4f3b49c5 --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 @@ -0,0 +1,27 @@ +# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration +[general] +protocol = "both" +domain = "auth.acmedns.hamburg.ccc.de" +nsname = "acmedns.hosts.hamburg.ccc.de" +nsadmin = "noc.lists.hamburg.ccc.de" +records = [ + "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.", + "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.", +] + +[database] +engine = "sqlite3" +connection = "/var/lib/acme-dns/acme-dns.db" + +[api] +ip = "0.0.0.0" +port = "80" +tls = "none" +corsorigins = [ + "*" +] + +[logconfig] +loglevel = "debug" +logtype = "stdout" +logformat = "text" diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 new file mode 100644 index 00000000..89768523 --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 @@ -0,0 +1,22 @@ +--- +services: + oauth2-proxy: + container_name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + command: --config /oauth2-proxy.cfg + hostname: oauth2-proxy + volumes: + - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg" + restart: unless-stopped + ports: + - 4180:4180 + + acmedns: + image: docker.io/joohoi/acme-dns:latest + ports: + - "[::]:53:53" + - "[::]:53:53/udp" + - 8080:80 + volumes: + - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro + - ./data/acmedns:/var/lib/acme-dns \ No newline at end of file diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 new file mode 100644 index 00000000..02216da4 --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 @@ -0,0 +1,63 @@ + + +ACME DNS Register + + + +

Register an Entry in ACME DNS

+ +

This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.

+

See the ACME DNS service entry in the wiki for further details.

+ +

+ + + + + + + + + + + + + + + + + + diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 new file mode 100644 index 00000000..f11eadf5 --- /dev/null +++ b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 @@ -0,0 +1,13 @@ +reverse_proxy = true +http_address="0.0.0.0:4180" +cookie_secret="{{ secret__oidc_cookie_secret }}" +email_domains="*" + +# dex provider +oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh" +provider="oidc" +provider_display_name="CCCHH ID" +client_id="acmedns" +client_secret="{{ secret__oidc_client_secret }}" +redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback" + diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf new file mode 100644 index 00000000..b360d40e --- /dev/null +++ b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf @@ -0,0 +1,83 @@ +# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 +server { + # Listen on a custom port for the proxy protocol. + listen [::]:8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 2a00:14b0:4200:3000:125::1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + server_name acmedns.hamburg.ccc.de; + + root /ansible_docker_compose/configs/html/; + + ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly + port_in_redirect off; + + location /oauth2/ { + proxy_pass http://127.0.0.1:4180; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Auth-Request-Redirect $request_uri; + # or, if you are handling multiple domains: + # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; + } + + location = /oauth2/auth { + proxy_pass http://127.0.0.1:4180; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Uri $request_uri; + # nginx auth_request includes headers but not body + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + } + + location = / { + auth_request /oauth2/auth; + error_page 401 = @oauth2_signin; + + index index.html; + } + + location = /register { + auth_request /oauth2/auth; + error_page 401 = @oauth2_signin; + + proxy_pass http://127.0.0.1:8080/register; + } + + location = /update { # no auth by proxy required + proxy_pass http://127.0.0.1:8080/update; + } + + location @oauth2_signin { + return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri; + } +} diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 71ae7292..feacfa7e 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -82,6 +82,7 @@ map $host $upstream_acme_challenge_host { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820; cpuccc.hamburg.ccc.de 172.31.17.151:31820; cpu.ccc.de 172.31.17.151:31820; + acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index bdf71846..fc62a892 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -100,6 +100,7 @@ stream { spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443; cpuccc.hamburg.ccc.de 172.31.17.151:8443; cpu.ccc.de 172.31.17.151:8443; + acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443; } server { From 42b23eb1817995f2fa5edef34980382aace7a84d Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 23:55:48 +0100 Subject: [PATCH 085/104] get collections from repos directly instead of using Ansible Galaxy As Ansible Galaxy is currently down, switch to using the repos directly. This avoids reliancy on Ansible Galaxy in the future as well. --- requirements.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/requirements.yml b/requirements.yml index 6011bdab..8f483589 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,11 +1,13 @@ collections: - # Install a collection from Ansible Galaxy. - - name: debops.debops - version: ">=3.1.0" - source: https://galaxy.ansible.com - - name: community.sops - version: ">=2.2.4" - source: https://galaxy.ansible.com - - name: community.docker - version: ">=5.0.0" - source: https://galaxy.ansible.com + # debops.debops + - source: https://github.com/debops/debops + type: git + version: "v3.2.5" + # community.sops + - source: https://github.com/ansible-collections/community.sops + type: git + version: "2.2.7" + # community.docker + - source: https://github.com/ansible-collections/community.docker + type: git + version: "5.0.5" From ca20721f04b46d49b423d61cecd0e88fc7090e78 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 23:55:57 +0100 Subject: [PATCH 086/104] add missing grafana.grafana collection dependency --- requirements.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/requirements.yml b/requirements.yml index 8f483589..dffe9d35 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,3 +11,7 @@ collections: - source: https://github.com/ansible-collections/community.docker type: git version: "5.0.5" + # grafana.grafana + - source: https://github.com/grafana/grafana-ansible-collection + type: git + version: "6.0.6" From c8edde4d113d30f3a71ea383b525e55646766c6b Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Mon, 26 Jan 2026 00:20:27 +0100 Subject: [PATCH 087/104] Pretty up --- .../acmedns/docker_compose/index.html.j2 | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 index 02216da4..1170cec7 100644 --- a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 +++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2 @@ -4,14 +4,21 @@ @@ -24,19 +31,23 @@ th { - + - + - + - + + +

Note: there is no way to delete registrations. Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.

+