From c3f71b1f0801ddf0f1265dbf057ebf295ed73acf Mon Sep 17 00:00:00 2001 From: ViMaSter Date: Sun, 2 Nov 2025 20:24:55 +0100 Subject: [PATCH 01/31] sunders: replace password in healthcheck with dynamic secret https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/55 Co-authored-by: ViMaSter Co-committed-by: ViMaSter --- resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 index a5cfc5b..fbec258 100644 --- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: volumes: - mariadb:/var/lib/mysql healthcheck: - test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"] + test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"] interval: 10s timeout: 5s start_period: 30s From 8cefd07618b575ce41ddecae05890a48a62bfa0a Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Oct 2025 23:59:38 +0200 Subject: [PATCH 02/31] docker_compose(role): remove distribution check The distribution check isn't really needed in our setup anyway and just adds unnecessary noise. --- roles/docker_compose/README.md | 4 +--- roles/docker_compose/meta/main.yaml | 7 ------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index d3204ec..14d0107 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -7,9 +7,7 @@ A use case for the deployment of the additional configuration files is Composes ## Supported Distributions -The following distributions are supported: - -- Debian 11 +Should work on Debian-based distributions. ## Required Arguments 
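Review bot: The templated root password is now part of the healthcheck argv, so it is readable from the container's process list during every probe and from `docker inspect` of the container config, which widens where `secret__sunders_db_root_password` shows up compared with the environment the service is presumably already started with. If this is the official mariadb image, its bundled `healthcheck.sh --connect --innodb_initialized` probes without putting the password on the command line; otherwise feeding it through `MYSQL_PWD` from the container's environment keeps it out of argv. A secret containing `"` or `\` would also break the double-quoted YAML scalar on this line; rendering the element as `{{ ('-p' ~ secret__sunders_db_root_password) | to_json }}` stays valid for any value.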
diff --git a/roles/docker_compose/meta/main.yaml b/roles/docker_compose/meta/main.yaml index b9a6980..cb7d8e0 100644 --- a/roles/docker_compose/meta/main.yaml +++ b/roles/docker_compose/meta/main.yaml @@ -1,10 +1,3 @@ --- dependencies: - - role: distribution_check - vars: - distribution_check__distribution_support_spec: - - name: Debian - major_versions: - - 11 - - 12 - role: docker From e390b7c20249b0eed56bf34ff3360f91f26958fa Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:00:58 +0200 Subject: [PATCH 03/31] docker_compose(role): remove unnecessary hosts section from README The hosts section isn't really relevant for that role, so remove it. --- roles/docker_compose/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 14d0107..7246899 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md @@ -13,10 +13,6 @@ Should work on Debian-based distributions. For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## `hosts` - -The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running. - ## Links & Resources - From 9f8d2d89cd8e17c2c23230764696410e2c9061d6 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 25 Oct 2025 00:07:36 +0200 Subject: [PATCH 04/31] docker_compose(role): move argument documentation to README Do this to match newer roles and since reading documentation from argument_specs is quite unergonomic. --- roles/docker_compose/README.md | 9 ++++++++- roles/docker_compose/meta/argument_specs.yaml | 11 ----------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md index 7246899..c0a7a93 100644 --- a/roles/docker_compose/README.md +++ b/roles/docker_compose/README.md 
@@ -11,7 +11,14 @@ Should work on Debian-based distributions. ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`. + +## Optional Arguments + +- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`. +- `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory. +- `docker_compose__configuration_files.*.name`: The name of the configuration file. +- `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file. ## Links & Resources diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml index c588ba0..664496e 100644 --- a/roles/docker_compose/meta/argument_specs.yaml +++ b/roles/docker_compose/meta/argument_specs.yaml @@ -2,31 +2,20 @@ argument_specs: main: options: docker_compose__compose_file_content: - description: >- - The content of the Compose file at - `/ansible_docker_compose/compose.yaml`. type: str required: true docker_compose__env_file_content: - description: >- - The content of the .env file at - `/ansible_docker_compose/.env`. type: str required: false docker_compose__configuration_files: - description: >- - A list of configuration files to be deployed in the - `/ansible_docker_compose/configs/` directory. type: list elements: dict required: false default: [ ] options: name: - description: The name of the configuration file. type: str required: true content: - description: The content of the configuration file. type: str required: true From ae60d6fea6305f6719d33042373eea40d121e597 Mon Sep 17 00:00:00 2001 
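Review bot: The README entry for `docker_compose__configuration_files.*.name` does not say whether the value may contain a directory component, yet the file is written below `/ansible_docker_compose/configs/`, so a name such as `../x` would presumably land outside that directory (the copy task is not in this hunk, so this is inferred). State the contract, e.g. `- `docker_compose__configuration_files.*.name`: The file name (no directory separators) of the configuration file inside the configs directory.`, and, if the role does not already do so, reject names containing `/` where the files are deployed.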
From: June Date: Sun, 2 Nov 2025 23:13:20 +0100 Subject: [PATCH 05/31] docker_compose(role): use community.docker.docker_compose_v2 module Use the community.docker.docker_compose_v2 module as it supports proper changed handling out of the box, making the roles code more straightforward and work. Also just do a docker compose restart instead of having the custom docker compose reload script. https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html --- inventories/z9/host_vars/yate.yaml | 1 - requirements.yml | 3 ++ roles/docker_compose/defaults/main.yaml | 1 - roles/docker_compose/handlers/main.yaml | 18 +++++----- roles/docker_compose/tasks/main.yaml | 46 ++++++------------------- 5 files changed, 21 insertions(+), 48 deletions(-) diff --git a/inventories/z9/host_vars/yate.yaml b/inventories/z9/host_vars/yate.yaml index d2dc518..fecacb1 100644 --- a/inventories/z9/host_vars/yate.yaml +++ b/inventories/z9/host_vars/yate.yaml @@ -6,4 +6,3 @@ docker_compose__configuration_files: content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}" - name: regfile.conf content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}" -docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'" diff --git a/requirements.yml b/requirements.yml index e5538cc..6011bda 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,3 +6,6 @@ collections: - name: community.sops version: ">=2.2.4" source: https://galaxy.ansible.com + - name: community.docker + version: ">=5.0.0" + source: https://galaxy.ansible.com diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml index 1312972..76831d6 100644 --- a/roles/docker_compose/defaults/main.yaml +++ b/roles/docker_compose/defaults/main.yaml @@ -1,2 +1 @@ docker_compose__configuration_files: [ ] -docker_compose__restart_cmd: "" 
diff --git a/roles/docker_compose/handlers/main.yaml b/roles/docker_compose/handlers/main.yaml index 49e064c..2aff0fe 100644 --- a/roles/docker_compose/handlers/main.yaml +++ b/roles/docker_compose/handlers/main.yaml @@ -1,13 +1,11 @@ - name: docker compose down - ansible.builtin.command: - cmd: /usr/bin/docker compose down - chdir: /ansible_docker_compose + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: absent become: true - changed_when: true # This is always changed. -- name: docker compose reload script - ansible.builtin.command: - cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }} - chdir: /ansible_docker_compose + +- name: docker compose restart + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: restarted become: true - changed_when: true # Mark this as always changed (for now?). - when: docker_compose__restart_cmd != "" diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml index 7b01304..bea3f4f 100644 --- a/roles/docker_compose/tasks/main.yaml +++ b/roles/docker_compose/tasks/main.yaml @@ -59,7 +59,7 @@ state: absent become: true loop: "{{ docker_compose__config_files_to_remove.files }}" - # notify: docker compose down + notify: docker compose restart - name: make sure all given configuration files are deployed ansible.builtin.copy: 
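Review bot: The new `docker compose restart` handler runs unconditionally, whereas the reload handler it replaces was skipped whenever `docker_compose__restart_cmd` was empty, so every host now gets a `restart` of all services in the project when any configuration file is added or removed, not only the services that read that file. That is a sensible default but belongs in the role's README next to `docker_compose__configuration_files`, e.g. `Changes to these files trigger a restart of all services in the project before the compose file is applied.` A comment on the handler itself would also help: as far as I know `state: restarted` restarts the running containers without recreating them, so a change that needs a new container (image, environment) is picked up by the following `docker compose up`, not by this handler.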
@@ -70,45 +70,19 @@ group: root become: true loop: "{{ docker_compose__configuration_files }}" - # notify: docker compose down - notify: docker compose reload script + notify: docker compose restart -- name: Flush handlers to make "docker compose down" handler run now +- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now ansible.builtin.meta: flush_handlers -- name: docker compose ps --format json before docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose +- name: docker compose up + community.docker.docker_compose_v2: + project_src: /ansible_docker_compose + state: present + build: always + pull: always + remove_orphans: true become: true - changed_when: false - register: docker_compose__ps_json_before_up - -- name: docker compose up --detach --pull always --build - ansible.builtin.command: - cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans - chdir: /ansible_docker_compose - become: true - changed_when: false - # The changed for this task is tried to be determined by the "potentially - # report changed" task together with the "docker compose ps --format json - # [...]" tasks. - -- name: docker compose ps --format json after docker compose up - ansible.builtin.command: - cmd: /usr/bin/docker compose ps --format json - chdir: /ansible_docker_compose - become: true - changed_when: false - register: docker_compose__ps_json_after_up - -# Doesn't work anymore. Dunno why. -# TODO: Fix -# - name: potentially report changed -# ansible.builtin.debug: -# msg: "If this reports changed, then the docker compose containers changed." -# changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort) -# != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort) - name: Make sure anacron is installed become: true 
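Review bot: `pull: always` together with `build: always` makes every playbook run fetch whatever currently sits behind each image tag, and since a later patch in this series drops digest pinning, the `changed` reported by this task becomes the only record that a deployment silently moved to a new upstream build. If that is the intended policy, say so in a comment on the task (`# pull/build always: each run adopts the newest image behind the tag`); if not, `pull: missing` keeps hosts on the already-present image until the tag in the compose file is bumped by renovate.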
From d690f81e3df40f85665d3c52ddc8d8f4418aebe1 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Wed, 5 Nov 2025 23:08:08 +0100
Subject: [PATCH 06/31] deploy_ssh_server_config: setup ssh pq cryptography
---
 roles/deploy_ssh_server_config/templates/sshd_config.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2
index eefafa4..307f213 100644
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@@ -17,7 +17,15 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
+
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
+KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% else %}
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% endif %}
+
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
From cffe5c2b1642c14839baf750e82d65bbe141d8fe Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 6 Nov 2025 18:25:29 +0100
Subject: [PATCH 07/31] dooris: use hostname instead of IP
---
 inventories/z9/hosts.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 9d5bb09..9f4a692 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
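Review bot: The Debian 12 branch may not load: bookworm ships OpenSSH 9.2, and as far as I recall the unsuffixed `sntrup761x25519-sha512` name only arrived in 9.9 (earlier releases know it as `sntrup761x25519-sha512@openssh.com`), and an unknown name makes sshd reject the whole `KexAlgorithms` line and refuse its config — check with `sshd -T` on a bookworm host before rollout, and ideally have the role run `sshd -t` before restarting so a bad render cannot lock everyone out. The branches also compare `distribution_major_version` for equality, so Debian 14 and derivatives fall into the `{% else %}` branch with no post-quantum exchange at all; `ansible_facts["distribution_major_version"] | int >= 13` would make the stronger list the default. The same structure is kept by the later patch 11 hunk to this file, which prepends `sntrup761x25519-sha512` to the Debian 13 branch.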
@@ -4,7 +4,7 @@ all:
 ansible_host: authoritative-dns.z9.ccchh.net
 ansible_user: chaos
 dooris:
- ansible_host: 10.31.208.201
+ ansible_host: dooris.z9.ccchh.net
 ansible_user: chaos
 light:
 ansible_host: light.z9.ccchh.net
From aeec08fce8573b0625e60f9bee4027b575933fbe Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 6 Nov 2025 21:16:36 +0100
Subject: [PATCH 08/31] remove distribution checks
Signed-Off-By: june
---
 roles/foobazdmx/meta/main.yaml | 8 --------
 roles/ola/meta/main.yaml | 8 --------
 2 files changed, 16 deletions(-)
 delete mode 100644 roles/foobazdmx/meta/main.yaml
 delete mode 100644 roles/ola/meta/main.yaml
diff --git a/roles/foobazdmx/meta/main.yaml b/roles/foobazdmx/meta/main.yaml
deleted file mode 100644
index 386685c..0000000
--- a/roles/foobazdmx/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
- - role: distribution_check
- vars:
- distribution_check__distribution_support_spec:
- - name: Debian
- major_versions:
- - "11"
diff --git a/roles/ola/meta/main.yaml b/roles/ola/meta/main.yaml
deleted file mode 100644
index 386685c..0000000
--- a/roles/ola/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
- - role: distribution_check
- vars:
- distribution_check__distribution_support_spec:
- - name: Debian
- major_versions:
- - "11"
From 63917722ff0a9d292aa012eaa2dfcc6baf15fcae Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 6 Nov 2025 21:16:36 +0100
Subject: [PATCH 09/31] fix foobazdmx role
poetry is available via apt now so we install it that way
---
 roles/foobazdmx/tasks/main.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/roles/foobazdmx/tasks/main.yaml b/roles/foobazdmx/tasks/main.yaml
index f6e6097..33197b5 100644
--- a/roles/foobazdmx/tasks/main.yaml
+++ b/roles/foobazdmx/tasks/main.yaml
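Review bot: Switching `ansible_host` from the IP to `dooris.z9.ccchh.net` changes the key under which the controller's known_hosts entry is looked up, so the first run against this host will prompt for, or under strict host key checking fail on, an unknown host key. Record the existing key under the new name beforehand (for example `ssh-keyscan dooris.z9.ccchh.net`, comparing the fingerprint with the one already stored for the IP) rather than relaxing host key checking for that run.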
@@ -7,11 +7,7 @@
 - python3
 - python3-pip
 - python3-setuptools
-
-- name: Ensure python peotry is installed
- become: true
- ansible.builtin.pip:
- name: poetry
+ - python3-poetry
 - name: Ensure foobazdmx user exists
 become: true
From 6fea98ffd219395e206f227d9ebb47a8e9aacae9 Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Fri, 7 Nov 2025 20:09:02 +0100
Subject: [PATCH 10/31] Redirect to 39c3 instead of eh22
---
 .../chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
index 40882d8..9e2ca26 100644
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@@ -38,11 +38,7 @@ server {
 location = / {
 #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
- return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
- }
-
- location = /hackertours/eh22/ {
- return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
+ return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
 }
 location / {
From 5f6000adcadb0be3dc917f2b5aaf55b15a7f5d9d Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Tue, 11 Nov 2025 22:47:42 +0100
Subject: [PATCH 11/31] ssh_config: also enable sntrup761x25519-sha512 for Debain 13
tldr: PQC algorithms are complex but sntrup still is not brocken
---
 roles/deploy_ssh_server_config/templates/sshd_config.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2
index 307f213..c967502 100644
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@@ -19,7 +19,7 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
 {% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
-KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
 KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 {% else %}
From 80acd5fdc62366260a8d88113ed46963fe2616a7 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Tue, 11 Nov 2025 23:03:59 +0100
Subject: [PATCH 12/31] grafana: store date for up to 28 days
---
 resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index d739b2f..c5b8f2d 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -8,6 +8,7 @@ services:
 - '--config.file=/etc/prometheus/prometheus.yml'
 - '--web.enable-remote-write-receiver'
 - '--enable-feature=promql-experimental-functions'
+ - '--storage.tsdb.retention.time=28d'
 ports:
 - 9090:9090
 restart: unless-stopped
From ddab1576007b222cf9b1ff752626d7d979b47d5a Mon Sep 17 00:00:00 2001
From: June Date: Tue, 18 Nov 2025 14:24:21 +0100 Subject: [PATCH 13/31] don't pin digests anymore The benefit of digest pinning isn't that great for this project really and it comes at the cost of more issues and additional renovate noise, so just don't anymore. Adjust renovate config accordingly as well. --- .forgejo/workflows/lint.yaml | 4 ++-- renovate.json | 18 ++++++++---------- .../ccchoir/docker_compose/compose.yaml.j2 | 4 ++-- .../grafana/docker_compose/compose.yaml.j2 | 18 +++++++++--------- .../keycloak/docker_compose/compose.yaml.j2 | 2 +- .../lists/docker_compose/compose.yaml | 6 +++--- .../ntfy/docker_compose/compose.yaml.j2 | 2 +- .../onlyoffice/docker_compose/compose.yaml.j2 | 2 +- .../pad/docker_compose/compose.yaml.j2 | 4 ++-- .../pretalx/docker_compose/compose.yaml.j2 | 10 +++++----- .../tickets/docker_compose/compose.yaml.j2 | 6 +++--- .../docker_compose/compose.yaml.j2 | 2 +- 12 files changed, 38 insertions(+), 40 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index a867c13..23bf6d2 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -10,7 +10,7 @@ jobs: name: Ansible Lint runs-on: docker steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5 - name: Install pip run: | apt update @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.9.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/renovate.json b/renovate.json index 7e604c1..711c627 100644 --- a/renovate.json +++ b/renovate.json 
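Review bot: `actions/checkout@v5` is a floating major tag that upstream moves on every release, so once the digest is gone the workflow's checkout step is no longer determined by this repository at all, unlike the ansible-lint step a few lines down, which keeps an exact release tag. If digests are out for noise reasons, an exact tag (`actions/checkout@<exact v5 release>`, whichever release the old digest resolved to) keeps the action reproducible and lets renovate bump it like the others.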
@@ -1,13 +1,17 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:recommended", // Included in config:best-practices anyway, but added for clarity. - "config:best-practices", + "config:recommended", + // Parts from config:best-practices: + // https://docs.renovatebot.com/presets-config/#configbest-practices + ":configMigration", + "abandonments:recommended", + "security:minimumReleaseAgeNpm", + ":ignoreUnstable", ":disableRateLimiting", ":rebaseStalePrs", - ":label(renovate)", - "group:allDigest" + ":label(renovate)" ], "semanticCommits": "disabled", "packageRules": [ @@ -28,12 +32,6 @@ "matchDatasources": ["docker"], "matchPackageNames": ["docker.io/pretix/standalone"], "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$" - }, - // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images. - { - "matchDatasources": ["docker"], - "matchPackageNames": ["git.hamburg.ccc.de/*"], - "pinDigests": false } ], "customManagers": [ diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 index ffe491b..c2108d8 100644 --- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71 + image: docker.io/library/mariadb:11 environment: - "MARIADB_DATABASE=wordpress" - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}" @@ -17,7 +17,7 @@ services: restart: unless-stopped app: - image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4 + image: docker.io/library/wordpress:6-php8.1 environment: - "WORDPRESS_DB_HOST=database" - "WORDPRESS_DB_NAME=wordpress" 
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index c5b8f2d..74d7916 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7 + image: docker.io/prom/prometheus:v3.7.2 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba + image: docker.io/prom/alertmanager:v0.28.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b + image: docker.io/grafana/grafana:12.2.1 container_name: grafana ports: - 3000:3000 @@ -46,7 +46,7 @@ services: - graf_data:/var/lib/grafana pve-exporter: - image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df + image: docker.io/prompve/prometheus-pve-exporter:3.5.5 container_name: pve-exporter ports: - 9221:9221 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8 + image: docker.io/grafana/loki:3.5.7 container_name: loki ports: - 13100:3100 
@@ -70,7 +70,7 @@ services: - loki_data:/var/loki ntfy-alertmanager-ccchh-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh-critical volumes: - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config @@ -79,7 +79,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux-critical: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux-critical volumes: - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config @@ -88,7 +88,7 @@ services: restart: unless-stopped ntfy-alertmanager-ccchh: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-ccchh volumes: - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config @@ -97,7 +97,7 @@ services: restart: unless-stopped ntfy-alertmanager-fux: - image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b + image: docker.io/xenrox/ntfy-alertmanager:0.5.0 container_name: ntfy-alertmanager-fux volumes: - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index d91a254..9fde708 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 
@@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb + image: docker.io/library/postgres:15.14 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml index 8537ead..cdfd70a 100644 --- a/resources/chaosknoten/lists/docker_compose/compose.yaml +++ b/resources/chaosknoten/lists/docker_compose/compose.yaml @@ -1,7 +1,7 @@ services: mailman-core: restart: unless-stopped - image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-core hostname: mailman-core volumes: @@ -25,7 +25,7 @@ services: mailman-web: restart: unless-stopped - image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published) + image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published) container_name: mailman-web hostname: mailman-web depends_on: @@ -56,7 +56,7 @@ services: - POSTGRES_DB=mailmandb - POSTGRES_USER=mailman - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz - image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a + image: docker.io/library/postgres:12-alpine volumes: - /opt/mailman/database:/var/lib/postgresql/data networks: diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 07e8d9e..9fe2a7a 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 
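Review bot: The mailman lines keep `# Use a specific version tag` next to `0.5`, which after this change is a floating minor tag and the only thing identifying the image, so the comment now oversells the pin; either reference a full patch version or reword it to `# pinned to a minor tag; latest is not published`. Unrelated to this change but visible in the context lines: `POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz` sits in clear in `compose.yaml`, while the other compose templates in this series take database passwords from `secret__*` variables — worth moving to the same mechanism and rotating the value.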
@@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef + image: docker.io/binwiederhier/ntfy:v2.14.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 index 5c9a42a..f3444ac 100644 --- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 @@ -4,7 +4,7 @@ services: onlyoffice: - image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d + image: docker.io/onlyoffice/documentserver:9.1.0 restart: unless-stopped volumes: - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice" diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 index 70dc7e6..455caa3 100644 --- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=hedgedoc" - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped app: - image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73 + image: quay.io/hedgedoc/hedgedoc:1.10.3 environment: - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc" - "CMD_DOMAIN=pad.hamburg.ccc.de" diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 243a468..3de7eac 100644 
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -3,7 +3,7 @@ services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretalx" - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}" @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd + image: docker.io/library/redis:8.2.2 restart: unless-stopped volumes: - redis:/data @@ -23,7 +23,7 @@ services: - pretalx_net static: - image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f + image: docker.io/library/nginx:1.29.3 restart: unless-stopped volumes: - public:/usr/share/nginx/html @@ -33,7 +33,7 @@ services: - pretalx_net pretalx: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 entrypoint: gunicorn command: - "pretalx.wsgi" @@ -78,7 +78,7 @@ services: - pretalx_net celery: - image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e + image: docker.io/pretalx/standalone:v2025.1.0 command: - taskworker restart: unless-stopped diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index deb9f50..6509a99 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 
@@ -1,7 +1,7 @@ --- services: database: - image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950 + image: docker.io/library/postgres:15-alpine environment: - "POSTGRES_USER=pretix" - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}" @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514 + image: docker.io/library/redis:7.4.6 ports: - "6379:6379" volumes: @@ -25,7 +25,7 @@ services: backend: pretix: - image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe + image: docker.io/pretix/standalone:2024.8 command: ["all"] ports: - "8345:80" diff --git a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 index 52d57df..b6752fa 100644 --- a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 +++ b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ services: # https://github.com/richardg867/WaybackProxy waybackproxy: - image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e + image: cttynul/waybackproxy:latest environment: DATE: 19990101 DATE_TOLERANCE: 730 From 0eaaf9227c730d0c0efe9f60381ecd38fee1d0ef Mon Sep 17 00:00:00 2001 
From: Renovate Date: Wed, 19 Nov 2025 13:30:39 +0000 Subject: [PATCH 14/31] Update all stable non-major dependencies --- .forgejo/workflows/lint.yaml | 2 +- inventories/chaosknoten/host_vars/cloud.yaml | 2 +- inventories/chaosknoten/host_vars/netbox.yaml | 2 +- .../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++---- .../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +- .../chaosknoten/tickets/docker_compose/compose.yaml.j2 | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index 23bf6d2..d29fb6e 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.9.2 + uses: https://github.com/ansible/ansible-lint@v25.11.0 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index 0cbcd4d..fc4e23c 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,7 +1,7 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.14 +nextcloud__postgres_version: 15.15 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 60dd94a..3be8bdd 100644 
--- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.5" +netbox__version: "v4.4.6" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 74d7916..2d598f9 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.2 + image: docker.io/prom/prometheus:v3.7.3 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.28.1 + image: docker.io/prom/alertmanager:v0.29.0 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.2.1 + image: docker.io/grafana/grafana:12.3.0 container_name: grafana ports: - 3000:3000 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.5.7 + image: docker.io/grafana/loki:3.6.0 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index 9fde708..a260ab1 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 
@@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.14 + image: docker.io/library/postgres:15.15 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 9fe2a7a..50df05d 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.14.0 + image: docker.io/binwiederhier/ntfy:v2.15.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index 3de7eac..dda67bb 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.2.2 + image: docker.io/library/redis:8.4.0 restart: unless-stopped volumes: - redis:/data diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 index 6509a99..938883b 100644 --- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 @@ -13,7 +13,7 @@ services: restart: unless-stopped redis: - image: docker.io/library/redis:7.4.6 + image: docker.io/library/redis:7.4.7 ports: - "6379:6379" volumes: From df3710f0196206bbfae0996dcbc1ed7b9d8f09bf Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 2 Dec 2025 22:55:29 +0100 Subject: [PATCH 15/31] grafana: set alloy to version v1.11.3 1.12.0 is buggy --- inventories/chaosknoten/host_vars/grafana.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 2e3672e..0037fcc 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" - +alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From c39cb0e3909ca53df08e6389603cfbb77e32da2b Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 6 Dec 2025 22:11:53 +0100 Subject: [PATCH 16/31] we dont need to set a specific alloy version --- inventories/chaosknoten/host_vars/grafana.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index 0037fcc..ecc942c 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml @@ -53,7 +53,6 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" -alloy_version: "1.11.3" alloy_config: | prometheus.remote_write "default" { endpoint { From 766aa125c4da85009ae7d3023be55dbc37c47d65 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 23 Feb 2025 18:49:19 +0100 Subject: [PATCH 17/31] router(host): introduce router --- inventories/chaosknoten/hosts.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index b9e6358..e668d49 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -51,6 +51,9 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos + router: + ansible_host: router.hamburg.ccc.de + ansible_user: chaos wiki: ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos @@ -88,6 +91,7 @@ base_config_hosts: pad: pretalx: public-reverse-proxy: + router: tickets: wiki: zammad: @@ -173,6 +177,7 @@ infrastructure_authorized_keys_hosts: pad: pretalx: public-reverse-proxy: + router: wiki: zammad: ntfy: From d6ba70523cd45b95845acb49741bbaa699703994 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 20:05:02 +0200 Subject: [PATCH 18/31] systemd_networkd(role): introd. role for deploy. systemd-networkd config --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/systemd_networkd/README.md | 11 +++++++++++ roles/systemd_networkd/meta/argument_specs.yaml | 6 ++++++ roles/systemd_networkd/tasks/main.yaml | 14 ++++++++++++++ 5 files changed, 38 insertions(+) create mode 100644 roles/systemd_networkd/README.md create mode 100644 roles/systemd_networkd/meta/argument_specs.yaml create mode 100644 roles/systemd_networkd/tasks/main.yaml diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e668d49..51d2b56 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -98,6 +98,8 @@ base_config_hosts: ntfy: sunders: renovate: +systemd_networkd_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index d7bacac..ec7db50 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -4,6 +4,11 @@ roles: - base_config +- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts + hosts: systemd_networkd_hosts + roles: + - systemd_networkd + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: 
diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md
new file mode 100644
index 0000000..3297c47
--- /dev/null
+++ b/roles/systemd_networkd/README.md
@@ -0,0 +1,11 @@
+# Role `systemd_networkd`
+
+Deploys the given systemd-networkd configuration files.
+
+## Support Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml
new file mode 100644
index 0000000..81b046a
--- /dev/null
+++ b/roles/systemd_networkd/meta/argument_specs.yaml
@@ -0,0 +1,6 @@
+argument_specs:
+ main:
+ options:
+ systemd_networkd__config_dir:
+ type: path
+ required: true
diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml
new file mode 100644
index 0000000..f88ed14
--- /dev/null
+++ b/roles/systemd_networkd/tasks/main.yaml
@@ -0,0 +1,14 @@
+- name: ensure rsync is installed
+ ansible.builtin.apt:
+ name: rsync
+ state: present
+ become: true
+
+- name: synchronize systemd-networkd configs
+ ansible.posix.synchronize:
+ src: "{{ systemd_networkd__config_dir }}"
+ dest: "/etc/systemd/network"
+ archive: false
+ recursive: true
+ delete: true
+ become: true
From a9e394da063211b91f6c120dfa5a30f52aac64ad Mon Sep 17 00:00:00 2001
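Review bot: The synchronize task in `tasks/main.yaml` writes into `/etc/systemd/network` with `delete: true`, but nothing tells systemd-networkd about the result: the task has no `notify` and the role ships no handler (the diffstat lists none), so changed `.network`/`.netdev` files only take effect at the next reboot or a manual `networkctl reload`, and `.link` files additionally need udev to re-process the interface. I'd add a handler that runs `networkctl reload` and `notify` it from this task, and state in the README that `delete: true` removes any networkd config on the host that is not present in `systemd_networkd__config_dir`. With `archive: false` and no `perms:`/`owner:`, the mode and ownership of the copied files depend on rsync defaults and the remote umask; if a `.netdev` ever carries key material, set them explicitly.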
From: June Date: Sat, 20 Sep 2025 20:03:30 +0200 Subject: [PATCH 19/31] router(host): add systemd-networkd-based network config --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../router/systemd_networkd/00-net0.link | 6 ++++ .../router/systemd_networkd/00-net1.link | 6 ++++ .../router/systemd_networkd/00-net2.link | 6 ++++ .../systemd_networkd/10-net0.2-v4_nat.netdev | 7 +++++ .../10-net0.3-ci_runner.netdev | 7 +++++ .../router/systemd_networkd/20-net0.network | 12 ++++++++ .../router/systemd_networkd/20-net1.network | 14 +++++++++ .../router/systemd_networkd/20-net2.network | 14 +++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 23 +++++++++++++++ .../21-net0.3-ci_runners.network | 29 +++++++++++++++++++ 12 files changed, 126 insertions(+) create mode 100644 inventories/chaosknoten/host_vars/router.yaml create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net0.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net1.link create mode 100644 resources/chaosknoten/router/systemd_networkd/00-net2.link create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net0.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net1.network create mode 100644 resources/chaosknoten/router/systemd_networkd/20-net2.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network create mode 100644 resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml new file mode 100644 index 0000000..b181c0a --- /dev/null +++ b/inventories/chaosknoten/host_vars/router.yaml 
@@ -0,0 +1 @@ +systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 51d2b56..d3217ab 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -100,6 +100,7 @@ base_config_hosts: renovate: systemd_networkd_hosts: hosts: + router: docker_compose_hosts: hosts: ccchoir: diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link new file mode 100644 index 0000000..0c55d13 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net0.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:54:11:15 +Type=ether + +[Link] +Name=net0 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link new file mode 100644 index 0000000..ef04d04 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:9A:FB:34 +Type=ether + +[Link] +Name=net1 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link new file mode 100644 index 0000000..2a56f72 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/00-net2.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:AE:C7:04 +Type=ether + +[Link] +Name=net2 diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev new file mode 100644 index 0000000..a46afb4 --- /dev/null +++ b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=net0.2 +Kind=vlan + +[VLAN] +Id=2 + 
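Review bot: The trailing slash in `'resources/chaosknoten/router/systemd_networkd/'` is load-bearing and undocumented: `ansible.posix.synchronize` hands the path to rsync, where `dir/` means "the contents of dir", while `dir` would create `/etc/systemd/network/systemd_networkd/` on the router and, combined with the role's `delete: true`, remove the real config files next to it. A comment on the line, e.g. `# Trailing slash required: rsync copies the directory contents, not the directory itself.`, or a sentence in the role README, would stop it being "cleaned up" later.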
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
new file mode 100644
index 0000000..0cd60db
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=net0.3
+Kind=vlan
+
+[VLAN]
+Id=3
+
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
new file mode 100644
index 0000000..a32d75e
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@@ -0,0 +1,12 @@
+[Match]
+Name=net0
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=net0.2
+VLAN=net0.3
+
+LinkLocalAddressing=no
+
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network
new file mode 100644
index 0000000..c8bffc1
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network
@@ -0,0 +1,14 @@
+[Match]
+Name=net1
+
+[Network]
+DNS=212.12.50.158
+IPForward=ipv4
+IPv6AcceptRA=no
+
+[Address]
+Address=212.12.48.123/24
+
+[Route]
+Gateway=212.12.48.55
+
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network
new file mode 100644
index 0000000..b3f497d
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network
@@ -0,0 +1,14 @@
+[Match]
+Name=net2
+
+[Network]
+#DNS=212.12.50.158
+IPForward=ipv6
+IPv6AcceptRA=no
+
+[Address]
+Address=2a00:14b0:4200:3500::130:2/112
+
+[Route]
+Gateway=2a00:14b0:4200:3500::130:1
+
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
new file mode 100644
index 0000000..880dd1d
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
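Review bot: `IPForward=ipv4` in `20-net1.network` and `IPForward=ipv6` in `20-net2.network` are host-wide sysctl switches, not per-link ones: setting either turns forwarding on for every interface of the router, so nothing in these files limits which links may forward and the nftables forward chain added later in this series is the only thing constraining it. On systemd 256 and newer `IPForward=` is also deprecated in favour of `IPv4Forwarding=`/`IPv6Forwarding=` (per-link in `.network`, global in `networkd.conf`); I can't tell the router's systemd version from the hunk. A one-line comment above each setting, e.g. `# Host-wide sysctl, not per-link; forwarding policy is enforced in nftables.`, would save the next reader the detour.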
@@ -0,0 +1,23 @@
+[Match]
+Name=net0.2
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=v4-NAT
+
+IPMasquerade=ipv4
+IPv6SendRA=yes
+
+[Address]
+Address=10.32.2.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:102::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
new file mode 100644
index 0000000..6f73beb
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
@@ -0,0 +1,29 @@
+[Match]
+Name=net0.3
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=ci-runners
+
+IPMasquerade=ipv4
+IPv6SendRA=yes
+
+DHCPServer=true
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=150
+
+[Address]
+Address=10.32.3.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:103::/64
+Assign=true
+Token=static:::1
From d0618e382050aeabb4d50942df03d89bfb16f91a Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 21:38:39 +0200 Subject: [PATCH 20/31] nftables(role): introduce role for deploying nftables --- inventories/chaosknoten/hosts.yaml | 2 ++ playbooks/deploy.yaml | 5 +++++ roles/nftables/README.md | 11 +++++++++++ roles/nftables/handlers/main.yaml | 5 +++++ roles/nftables/meta/argument_specs.yaml | 6 ++++++ roles/nftables/tasks/main.yaml | 15 +++++++++++++++ 6 files changed, 44 insertions(+) create mode 100644 roles/nftables/README.md create mode 100644 roles/nftables/handlers/main.yaml create mode 100644 roles/nftables/meta/argument_specs.yaml create mode 100644 roles/nftables/tasks/main.yaml
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index d3217ab..55ab696 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
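Review bot: Neither `21-net0.2-v4_nat.network` nor `21-net0.3-ci_runners.network` sets `IPv6AcceptRA=no`, while the uplink files `20-net1.network` and `20-net2.network` do. These two VLANs are exactly the segments where the router itself sends RAs, and the ci_runners VLAN carries untrusted workloads; systemd-networkd's default for RA reception depends on whether forwarding is enabled, so it is worth stating explicitly that the router must never learn a default route or prefix from a neighbour on these links. Add `IPv6AcceptRA=no` under `[Network]` in both files, mirroring the uplinks.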
@@ -101,6 +101,8 @@ base_config_hosts: systemd_networkd_hosts: hosts: router: +nftables_hosts: + hosts: docker_compose_hosts: hosts: ccchoir: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index ec7db50..f416b91 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -9,6 +9,11 @@ roles: - systemd_networkd +- name: Ensure nftables deployment on nftables_hosts + hosts: nftables_hosts + roles: + - nftables + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/roles/nftables/README.md b/roles/nftables/README.md new file mode 100644 index 0000000..81d8871 --- /dev/null +++ b/roles/nftables/README.md @@ -0,0 +1,11 @@ +# Role `nftables` + +Deploys nftables. + +## Support Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `nftables__config`: nftables configuration to deploy. diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml new file mode 100644 index 0000000..3b72c54 --- /dev/null +++ b/roles/nftables/handlers/main.yaml @@ -0,0 +1,5 @@ +- name: Restart nftables service + ansible.builtin.systemd_service: + name: nftables + state: restarted + become: true diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml new file mode 100644 index 0000000..aa56223 --- /dev/null +++ b/roles/nftables/meta/argument_specs.yaml @@ -0,0 +1,6 @@ +argument_specs: + main: + options: + nftables__config: + type: str + required: true diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml new file mode 100644 index 0000000..46ea18d --- /dev/null +++ b/roles/nftables/tasks/main.yaml 
@@ -0,0 +1,15 @@
+- name: ensure nftables is installed
+ ansible.builtin.apt:
+ name: nftables
+ state: present
+ become: true
+
+- name: deploy nftables configuration
+ ansible.builtin.copy:
+ content: "{{ nftables__config }}"
+ dest: "/etc/nftables.conf"
+ mode: "0644"
+ owner: root
+ group: root
+ become: true
+ notify: Restart nftables service
From 183b91b9f2d289fcbde59687f476632cef024250 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 20 Sep 2025 23:34:17 +0200 Subject: [PATCH 21/31] router(host): add nftables config for basic router functionality --- inventories/chaosknoten/host_vars/router.yaml | 1 + inventories/chaosknoten/hosts.yaml | 1 + .../chaosknoten/router/nftables/nftables.conf | 73 +++++++++++++++++++ .../systemd_networkd/21-net0.2-v4_nat.network | 2 +- .../21-net0.3-ci_runners.network | 2 +- 5 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 resources/chaosknoten/router/nftables/nftables.conf
diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml
index b181c0a..134d29f 100644
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ b/inventories/chaosknoten/host_vars/router.yaml
@@ -1 +1,2 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 55ab696..e592d23 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -103,6 +103,7 @@ systemd_networkd_hosts:
 router:
 nftables_hosts:
 hosts:
+ router:
 docker_compose_hosts:
 hosts:
 ccchoir:
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
new file mode 100644
index 0000000..6bc6cbe
--- /dev/null
+++ b/resources/chaosknoten/router/nftables/nftables.conf
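Review bot: The copy task in `tasks/main.yaml` writes `/etc/nftables.conf` without validation and the handler in `handlers/main.yaml` (previous hunk) restarts the unit; Debian's `nftables.service` runs `nft flush ruleset` in `ExecStop`, so a ruleset with a syntax error is first flushed and then fails to load, leaving the router with no firewall while forwarding stays enabled. Add `validate: "/usr/sbin/nft -c -f %s"` to the copy task so a broken file is rejected before it reaches disk, and prefer `state: reloaded` over `restarted` (the unit's `ExecReload` re-runs `nft -f`, so the old ruleset stays in place until the new one loads). Nothing in the role enables the service, so unless it is already enabled on the host the ruleset is not loaded at boot; an `ansible.builtin.systemd_service` task with `enabled: true` and `state: started` would close that gap.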
@@ -0,0 +1,73 @@ +#!/usr/sbin/nft -f + +## Variables + +# Interfaces +define if_net1_v4_wan = "net1" +define if_net2_v6_wan = "net2" +define if_net0_2_v4_nat = "net0.2" +define if_net0_3_ci_runner = "net0.3" + +# Interface Groups +define wan_ifs = { $if_net1_v4_wan, + $if_net2_v6_wan } +define lan_ifs = { $if_net0_2_v4_nat, + $if_net0_3_ci_runner } + + +## Rules + +table inet reverse-path-forwarding { + chain rpf-filter { + type filter hook prerouting priority mangle + 10; policy drop; + + # Only allow packets if their source address is routed via their incoming interface. + # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100 + fib saddr . mark . iif oif exists accept + } +} + +table inet host { + chain input { + type filter hook input priority filter; policy drop; + + iifname "lo" accept comment "allow loopback" + + ct state invalid drop + ct state established,related accept + + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # Allow SSH access. + tcp dport 22 accept comment "allow ssh access" + + # Allow DHCP server access. + iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" + } +} + +table ip v4nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + + oifname $if_net1_v4_wan masquerade + } +} + +table inet forward { + chain forward { + type filter hook forward priority filter; policy drop; + + ct state invalid drop + ct state established,related accept + + # Allow internet access. + meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" + meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + } +} 
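Review bot: The ruleset has no `flush ruleset` before the first `table` declaration, so `nft -f /etc/nftables.conf` is not idempotent: applied on top of an already loaded ruleset (a `systemctl reload nftables`, or a manual re-apply) it appends every rule a second time and leaves rules that were removed from the file in place. Debian's default `/etc/nftables.conf` starts with `flush ruleset` for this reason; add it right after the shebang, keeping in mind that it also clears tables created by anything else on the host (nothing of the kind is visible in this series). Separately, `tcp dport 22 accept` in the `host` input chain carries no `iifname`, so SSH is reachable on both WAN links; that matches the router's later use as a jump host in this series, but a comment such as `# Intentionally reachable from WAN: this host is the SSH jump host.` would stop it being read as an oversight.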
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network index 880dd1d..c7fd9a7 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=v4-NAT -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes [Address] diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network index 6f73beb..9caca86 100644 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network +++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network @@ -8,7 +8,7 @@ RequiredForOnline=no [Network] Description=ci-runners -IPMasquerade=ipv4 +# Masquerading done in nftables (nftables.conf). IPv6SendRA=yes DHCPServer=true From 66ee44366b5e08b2368b82a25c1b1b4cd0882ff5 Mon Sep 17 00:00:00 2001 From: jtbx Date: Sun, 14 Dec 2025 15:39:03 +0100 Subject: [PATCH 22/31] public-reverse-proxy: New IP of wiki VM --- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 4a449f5..de8ebdd 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf 
@@ -27,8 +27,8 @@ stream { invite.hamburg.ccc.de 172.31.17.144:8443; keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; grafana.hamburg.ccc.de 172.31.17.145:8443; - wiki.ccchh.net 172.31.17.146:8443; - wiki.hamburg.ccc.de 172.31.17.146:8443; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; From 5f98dca56c258b10c58c7efced616867f56de551 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:03:36 +0100 Subject: [PATCH 23/31] router(host): expose public v6 networks Also prepare for exposing public v4 networks later. --- resources/chaosknoten/router/nftables/nftables.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf index 6bc6cbe..6d04a4c 100644 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ b/resources/chaosknoten/router/nftables/nftables.conf @@ -13,6 +13,8 @@ define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan } define lan_ifs = { $if_net0_2_v4_nat, $if_net0_3_ci_runner } +# define v4_exposed_ifs = { } +define v6_exposed_ifs = { $if_net0_2_v4_nat } ## Rules @@ -69,5 +71,9 @@ table inet forward { # Allow internet access. meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + + # Allow access to exposed networks from internet. + # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" } } From 8b94a49f5e3255377f349087b1e224903696329a Mon Sep 17 00:00:00 2001 
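Review bot: The new `meta nfproto ipv6 oifname $v6_exposed_ifs accept` matches on the output interface only, so it admits more than Internet traffic: any forwarded IPv6 packet destined for `net0.2` is accepted regardless of where it came in, including traffic from `net0.3`, the ci_runners VLAN, which the existing lan-to-wan rules otherwise keep isolated from the other VLAN. If exposure to the Internet alone is intended, pin the source: `meta nfproto ipv6 iifname $if_net2_v6_wan oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"`; the commented-out v4 rule in the same hunk should get `iifname $if_net1_v4_wan` for the same reason when it is enabled. The `define v6_exposed_ifs` hunk above would also benefit from a comment saying that exposed networks get every port reachable, so per-host firewalls become the only port-level control.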
From: June Date: Tue, 16 Dec 2025 19:23:33 +0100 Subject: [PATCH 24/31] wiki(host): move to new network and internal hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 4 ++-- resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e592d23..a43e940 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -55,9 +55,9 @@ all: ansible_host: router.hamburg.ccc.de ansible_user: chaos wiki: - ansible_host: wiki-intern.hamburg.ccc.de + ansible_host: wiki.hosts.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de zammad: ansible_host: zammad-intern.hamburg.ccc.de ansible_user: chaos diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 165e166..dabf4aa 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -25,8 +25,8 @@ map $host $upstream_acme_challenge_host { pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; - wiki.ccchh.net 172.31.17.146:31820; - wiki.hamburg.ccc.de 172.31.17.146:31820; + wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; + wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; sunders.hamburg.ccc.de 172.31.17.170:31820; 
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index a564fc2..c393dd1 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; @@ -21,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; } diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index ccdd224..255dc0a 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -7,7 +7,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; + set_real_ip_from 2a00:14b0:4200:3000:125::1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; From b72dee0d6d9e0cfe9c3aea5143fe8c8cfe463604 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 19:52:24 +0100 Subject: [PATCH 25/31] wiki(host): actually have nginx listen on v6 --- resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf | 1 + resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index c393dd1..472236a 100644 
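Review bot: `set_real_ip_from` now trusts exactly one IPv6 address for the PROXY-protocol header, which is the safe direction (a forged header from any other source is ignored), but the listener itself (`listen 8443 ssl http2 proxy_protocol`, visible in the next patch's context) accepts connections from anyone who can reach the port. If the wiki VM's new address lies in one of the VLANs that PATCH 23 of this series exposes to the Internet over IPv6 — the hunk does not show the VM's address, so this is inferred — then 8443 and the ACME port 31820 become directly reachable rather than only via the reverse proxy; a host-level or router rule limiting those ports to `2a00:14b0:4200:3000:125::1` would restore that property. The same applies to the `wiki.hamburg.ccc.de.conf` hunk below; a comment on each `set_real_ip_from` line naming the host behind that address, e.g. `# public-reverse-proxy (IPv6): the only trusted PROXY-protocol source`, would also help.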
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index 255dc0a..b4eab7f 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -3,6 +3,7 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; + listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. From 5a476f21034dd48c3a6b17758be92d3dfe9f62f0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Dec 2025 20:47:44 +0100 Subject: [PATCH 26/31] cloud(host): move to new network and hostname --- inventories/chaosknoten/hosts.yaml | 4 ++-- .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +- roles/nextcloud/templates/nginx_nextcloud.conf.j2 | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index a43e940..5aa1363 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -7,9 +7,9 @@ all:
 chaosknoten:
 ansible_host: chaosknoten.hamburg.ccc.de
 cloud:
- ansible_host: cloud-intern.hamburg.ccc.de
+ ansible_host: cloud.hosts.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 eh22-wiki:
 ansible_host: eh22-wiki-intern.hamburg.ccc.de
 ansible_user: chaos
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index dabf4aa..9fdf0fc 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -6,7 +6,7 @@ map $host $upstream_acme_challenge_host {
 staging.c3cat.de 172.31.17.151:31820;
 ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
 www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
- cloud.hamburg.ccc.de 172.31.17.143:31820;
+ cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
 element.hamburg.ccc.de 172.31.17.151:31820;
 git.hamburg.ccc.de 172.31.17.154:31820;
 grafana.hamburg.ccc.de 172.31.17.145:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index de8ebdd..84c1187 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -20,7 +20,7 @@ stream {
 map $ssl_preread_server_name $address {
 ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
 www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
- cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
+ cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
 pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
 pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
 id.hamburg.ccc.de 172.31.17.144:8443;
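Review bot: `ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de` switches the SSH jump to a new host, and nothing in the inventory pins that host's key, so the first run after the move accepts whatever key router.hamburg.ccc.de presents unless the operator's known_hosts already holds it — presumably the jump host's key is verified the same way as the target's. It would be worth recording the router's fingerprint next to the inventory or pointing the jump at a repo-managed known_hosts, e.g. `ansible_ssh_common_args: -o UserKnownHostsFile=<path to managed known_hosts> -J ssh://chaos@router.hamburg.ccc.de`. The same jump-host switch is made in the hosts.yaml hunks for eh22-wiki, pad, keycloak and onlyoffice, while other hosts in the visible context still point at public-reverse-proxy.hamburg.ccc.de, so both jump hosts need to be trusted during the migration.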
diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
index c15a653..1beeaf3 100644
--- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@@ -4,6 +4,7 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
From 570600fce31e2df5fe2f11beedbe56cabffe377f Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Dec 2025 20:58:05 +0100
Subject: [PATCH 27/31] eh22-wiki(host): move to new network and hostname
---
 inventories/chaosknoten/hosts.yaml | 4 ++--
 resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf | 3 ++-
 .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
 resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 5aa1363..c18788e 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -11,9 +11,9 @@ all:
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 eh22-wiki:
- ansible_host: eh22-wiki-intern.hamburg.ccc.de
+ ansible_host: eh22-wiki.hosts.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 grafana:
 ansible_host: grafana-intern.hamburg.ccc.de
 ansible_user: chaos
diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
index d3ed959..8c801fe 100644
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
@@ -3,11 +3,12 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 9fdf0fc..290dbad 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
 eh11.easterhegg.eu 172.31.17.151:31820;
 eh20.easterhegg.eu 172.31.17.151:31820;
 www.eh20.easterhegg.eu 172.31.17.151:31820;
- eh22.easterhegg.eu 172.31.17.165:31820;
+ eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
 eh2003.hamburg.ccc.de 172.31.17.151:31820;
 www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 84c1187..076618a 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -56,7 +56,7 @@ stream {
 eh11.easterhegg.eu 172.31.17.151:8443;
 eh20.easterhegg.eu 172.31.17.151:8443;
 www.eh20.easterhegg.eu 172.31.17.151:8443;
- eh22.easterhegg.eu 172.31.17.165:8443;
+ eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
 eh2003.hamburg.ccc.de 172.31.17.151:8443;
 www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
From b9add5bda3957778dba8b3b5849a82e625ce0609 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Dec 2025 20:59:15 +0100
Subject: [PATCH 28/31] cloud(host): set correct new proxy protocol reverse proxy ip
---
 inventories/chaosknoten/host_vars/cloud.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index fc4e23c..b6cf771 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
 nextcloud__use_custom_new_user_skeleton: true
 nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
-nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
+nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
From 1ca71a053e4f554ae8e1e53bc2accbe124afe78e Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Dec 2025 21:12:21 +0100
Subject: [PATCH 29/31] pad(host): move to new network and hostname
---
 inventories/chaosknoten/hosts.yaml | 4 ++--
 resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf | 3 ++-
 .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
 resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index c18788e..3d67707 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -41,9 +41,9 @@ all:
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 pad:
- ansible_host: pad-intern.hamburg.ccc.de
+ ansible_host: pad.hosts.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 pretalx:
 ansible_host: pretalx-intern.hamburg.ccc.de
 ansible_user: chaos
diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
index 53d0a0d..6c453d1 100644
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@@ -3,11 +3,12 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 290dbad..6899c57 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -21,7 +21,7 @@ map $host $upstream_acme_challenge_host {
 element-admin.hamburg.ccc.de 172.31.17.151:31820;
 netbox.hamburg.ccc.de 172.31.17.167:31820;
 onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
- pad.hamburg.ccc.de 172.31.17.141:31820;
+ pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
 pretalx.hamburg.ccc.de 172.31.17.157:31820;
 spaceapi.hamburg.ccc.de 172.31.17.151:31820;
 staging.hamburg.ccc.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 076618a..d884bc1 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -21,7 +21,7 @@ stream {
 ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
 www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
 cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
- pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
+ pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
 pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
 id.hamburg.ccc.de 172.31.17.144:8443;
 invite.hamburg.ccc.de 172.31.17.144:8443;
From 366456eff8f5280b14d755aefbf8c0abda567fc0 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 16 Dec 2025 21:50:40 +0100
Subject: [PATCH 30/31] keycloak(host): move to new network and hostname
Also just listen on port 8443 for keycloak-admin proxy protocol.
---
 inventories/chaosknoten/hosts.yaml | 4 ++--
 resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf | 3 ++-
 .../chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf | 3 ++-
 .../keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf | 5 +++--
 .../public-reverse-proxy/nginx/acme_challenge.conf | 6 +++---
 resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 6 +++---
 6 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 3d67707..dfa841e 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -23,9 +23,9 @@ all:
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 keycloak:
- ansible_host: keycloak-intern.hamburg.ccc.de
+ ansible_host: keycloak.hosts.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 lists:
 ansible_host: lists.hamburg.ccc.de
 ansible_user: chaos
diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
index 303b052..939e1da 100644
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@@ -4,11 +4,12 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
index 4a9cfe6..de1e9d6 100644
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@@ -4,11 +4,12 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
index 2b0d919..cd56b98 100644
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@@ -7,12 +7,13 @@ server {
 ##listen [::]:443 ssl http2;
 # Listen on a custom port for the proxy protocol.
- listen 8444 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 6899c57..4d6d4c0 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
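Review bot: Moving keycloak-admin.hamburg.ccc.de from `listen 8444` onto the shared 8443 listeners removes the only network-level separation between the admin vhost and the public id/invite vhosts; which server block answers a connection now depends entirely on SNI and `server_name`, both outside this hunk. Please confirm the admin block is not the `default_server` on 8443 and carries its own access restriction (an `allow`/`deny` list, a client-certificate requirement, or equivalent), because the stream map in nginx.conf only picks the backend by `$ssl_preread_server_name` and cannot enforce that distinction once every hostname lands on the same port. A comment above the new listen lines would record the decision for the next reader, e.g. `# Shares 8443 with id/invite; admin access is gated by server_name plus the restrictions in this block, not by port.` — adjusted to whatever actually gates it.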
@@ -13,9 +13,9 @@ map $host $upstream_acme_challenge_host {
 hackertours.hamburg.ccc.de 172.31.17.151:31820;
 staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
 hamburg.ccc.de 172.31.17.151:31820;
- id.hamburg.ccc.de 172.31.17.144:31820;
- invite.hamburg.ccc.de 172.31.17.144:31820;
- keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
+ id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+ invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+ keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
 matrix.hamburg.ccc.de 172.31.17.150:31820;
 mas.hamburg.ccc.de 172.31.17.150:31820;
 element-admin.hamburg.ccc.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index d884bc1..de99d40 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -23,9 +23,9 @@ stream {
 cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
 pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
 pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
- id.hamburg.ccc.de 172.31.17.144:8443;
- invite.hamburg.ccc.de 172.31.17.144:8443;
- keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
+ id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+ invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+ keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
 grafana.hamburg.ccc.de 172.31.17.145:8443;
 wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
 wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
From 944c8cde8249673566e2e5bf20699e6c58a93049 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 17 Dec 2025 03:34:39 +0100
Subject: [PATCH 31/31] onlyoffice(host): move to new network and hostname
---
 inventories/chaosknoten/hosts.yaml | 4 ++--
 .../onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf | 4 +++-
 .../public-reverse-proxy/nginx/acme_challenge.conf | 2 +-
 resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index dfa841e..1028deb 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -37,9 +37,9 @@ all:
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 onlyoffice:
- ansible_host: onlyoffice-intern.hamburg.ccc.de
+ ansible_host: onlyoffice.hosts.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 pad:
 ansible_host: pad.hosts.hamburg.ccc.de
 ansible_user: chaos
diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
index 2471525..8a9a486 100644
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@@ -3,11 +3,13 @@ server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
+ listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
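Review bot: The extra empty `+` line after `set_real_ip_from` in onlyoffice.hamburg.ccc.de.conf splits the `# First set …` / `# Then tell …` comment pair that every other host in this series keeps contiguous, and is why this file's diffstat reads `4 +++-` where pad, eh22-wiki and the keycloak vhosts read `3 ++-`. Dropping the blank line keeps the realip blocks across resources/chaosknoten/*/nginx/ byte-for-byte alike, which is what makes the next trusted-proxy address change a safe search-and-replace instead of a per-file review.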
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 4d6d4c0..409b5c6 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -20,7 +20,7 @@ map $host $upstream_acme_challenge_host { mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; - onlyoffice.hamburg.ccc.de 172.31.17.147:31820; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index de99d40..97e0e3c 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -29,7 +29,7 @@ stream { grafana.hamburg.ccc.de 172.31.17.145:8443; wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de 172.31.17.147:8443; + onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; netbox.hamburg.ccc.de 172.31.17.167:8443;