Compare commits

100 commits

Author SHA1 Message Date
17ba7c04f2
acmdns(host): expose and monitor health endpoint 2026-02-01 23:14:15 +01:00
536eedeffc
status(host): add monitoring for ACME DNS 2026-02-01 22:44:42 +01:00
397285655b
status(host): add monitoring for spaceapi.ccc.de 2026-02-01 21:38:57 +01:00
8e75f1ad14
status(host): add monitoring for cpu.ccc.de and aliases 2026-02-01 21:30:40 +01:00
c3b20abab3
status(host): use custom alert for Matrix to make it work with PAT
The Personal Access Token we use isn't compatible with the default
Matrix alerting provider, so use a custom alert.
2026-02-01 20:49:33 +01:00
9c2fe5ea9b
public-reverse-proxy(host): remove cpuccc.hamburg.ccc.de alias 2026-01-28 15:32:29 +01:00
06ae220857 Remove spaceapiccc.hamburg.ccc.de 2026-01-27 22:35:28 +01:00
1f2a08cf15 Spell stuff correctly 2026-01-27 20:16:57 +01:00
2e5b0ab940
nginx(role): to not log IPs, just disable the access log 2026-01-27 18:18:17 +01:00
3bba747dab Configure separate server for spaceapi.ccc.de 2026-01-27 16:30:00 +01:00
b90a57ffb0 Merge branch 'main' of git.hamburg.ccc.de:CCCHH/ansible-infra 2026-01-27 16:21:20 +01:00
ad783e4a15 now in production 2026-01-27 16:21:18 +01:00
200e8019ed
public-reverse-proxy: add config for local/lokal.ccc.de
local/lokal.ccc.de points to cpu.ccc.de.
2026-01-27 15:49:38 +01:00
4f0c4bb276 Explain need to re-encrypt after adding a host 2026-01-27 09:47:01 +01:00
3abc375984 Re-encrypt for spaceapiccc 2026-01-27 09:46:47 +01:00
c8edde4d11 Pretty up 2026-01-26 00:20:27 +01:00
ca20721f04
add missing grafana.grafana collection dependency 2026-01-25 23:55:57 +01:00
42b23eb181
get collections from repos directly instead of using Ansible Galaxy
As Ansible Galaxy is currently down, switch to using the repos directly.
This avoids reliance on Ansible Galaxy in the future as well.
2026-01-25 23:55:48 +01:00
0f3cd2c70a amcedns to enable Let's Encrypt DNS-01 challenges 2026-01-25 22:41:42 +01:00
c33ae36af3 Enable IPv6 by default 2026-01-25 22:40:36 +01:00
2cd0811b29 Fix warning 2026-01-25 22:40:36 +01:00
6a92aa68c1
light: fix tls cert expiring and not renewing 2026-01-25 22:36:30 +01:00
5693989c38
add alloy to the z9 hosts and some cleanup 2026-01-25 21:44:49 +01:00
c7d51af5b4
rollout Alloy to replace prometheus_node_exporter
With the new network we need to deploy a push based solution in order to get metrics into prometheus
2026-01-25 21:44:49 +01:00
995dbb06e2
wip: alloy 2026-01-25 21:44:49 +01:00
11779ab21d
grafana: get alertmanager to be more chill
a bit of help to deal with alert fatigue
2026-01-25 21:41:20 +01:00
8f7990acc0
docs: add ansible_pull_hosts to the desired minimum roles/groups 2026-01-25 21:17:28 +01:00
c6c0272448
docs: add section on conf. monitoring with Gatus (status.hamburg.ccc.de) 2026-01-25 21:16:38 +01:00
1523b15952
docs: improve formatting and wording a bit to make things clearer 2026-01-25 21:11:07 +01:00
a5d291cea8
spaceapiccc(host): setup ansible-pull 2026-01-25 20:58:57 +01:00
652aa32e21
docker_compose(role): document new build and pull arguments 2026-01-25 20:49:39 +01:00
0939771d08
public-reverse-proxy(host): add entries for cpu.ccc.de 2026-01-25 20:22:44 +01:00
c285694aaa Add age private key 2026-01-25 15:47:41 +01:00
d35f1cc779 GPG must be installed for the docker role to be able to add the repo 2026-01-25 15:31:42 +01:00
cee1fe970a Add spaceapiccc as a replacement for erfafoo 2026-01-25 14:03:54 +01:00
0c782caee7 Explain what all needs to be added for a new host 2026-01-25 14:03:34 +01:00
f887de25c5 make building and pulling configurable 2026-01-25 13:26:20 +01:00
664b9115b8 Fix warning 2026-01-25 13:01:52 +01:00
b492472179 Explain how to add age key for ansible pull 2026-01-25 12:12:30 +01:00
ddaa069204
status(host): configure Gatus to store more results and events
Also see:
https://github.com/TwiN/gatus?tab=readme-ov-file#storage
2026-01-18 21:39:23 +01:00
28f80a85f3 status(host): Switch to nekover.se user for personal token
As access tokens now apparently expire with matrix authentication services,
use a nekover.se user where we can get a long-lived personal token.
2026-01-18 19:49:59 +01:00
d514688574
systemd_networkd(role),router(host): support global config to fix forw.
With the router upgrade to Debian 13 the systemd version got upgraded as
well breaking the current configuration for IP forwarding.
Add a variable for global systemd-networkd configuration and use that to
enable IPv4 and IPv6 forwarding on the router.

The systemd_networkd role could be a bit nicer, not deploying/deleting
the global configuration, if the variable is empty and
reloading/restarting systemd-networkd at appropriate times. But as is
works for now.
2026-01-18 19:21:33 +01:00
d7b463ecb9
status(host): fix token not working by using a new one 2026-01-18 04:54:31 +01:00
0b6847493c Update actions/checkout action to v6 2026-01-18 03:30:42 +00:00
744dc00ae5 Update https://github.com/ansible/ansible-lint action to v26 2026-01-18 03:01:35 +00:00
fe52127e82
status(host): configure external status page and uptime monitoring host 2026-01-18 01:26:52 +01:00
51bbdd42a2
dooris(host): make certbot work 2026-01-13 16:55:22 +01:00
428b5c70bc
pretalx(host): roll back to pretalx v2025.1.0 for celery as well 2026-01-13 14:19:57 +01:00
92601ab9ea
renovate: add package rule for pretalx reclassifying major updates
So that v2025.1.0 to v2025.2.2 counts as a major, not a minor, update.
2026-01-13 03:48:34 +01:00
3e0fdfa8de
pretalx(host): roll back to pretalx v2025.1.0 as v2025.2.2 doesn't work 2026-01-13 03:43:28 +01:00
951ec7ebcd
netbox(role): fix oidc integration by no longer using is_staff
is_staff got removed in 4.5.0.
See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0
2026-01-13 02:25:06 +01:00
a92e144cfc
base_config(role): ensure base set of admin tools is installed
See:
https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix
2026-01-13 00:41:06 +01:00
c638790819 Update all stable non-major dependencies 2026-01-12 02:30:47 +00:00
70461c98ba
first run ansible_pull for router, then for all other hosts
Do this to avoid a restarting router affecting playbook runs on other
hosts.
2026-01-12 03:29:06 +01:00
968e29ccb8
do v6-only for internal proxy protocol communication
Since we want to do v6-only internally, only listen on v6 for proxy
protocol.
This is also needed as we only have set_real_ip_from pointing to a v6.
2026-01-12 03:02:09 +01:00
255327952e
ntfy(host): move to new network and hostname 2026-01-11 03:57:11 +01:00
1971598e71
pretalx(host): move to new network and hostname 2026-01-11 03:23:18 +01:00
372f264bcb
ccchoir(host): move to new network and hostname 2026-01-11 03:23:14 +01:00
2fbb37db18
grafana(host): move to new network and hostname 2026-01-11 03:23:01 +01:00
bb30e88404
router(host): allowlist only certain icmpv6 types 2026-01-11 00:29:16 +01:00
a41b07949c
zammad(host): move to new network and hostname 2026-01-11 00:22:37 +01:00
ff550cbd8a
tickets(host): move to new network and hostname 2026-01-11 00:00:18 +01:00
49e3ecb986
netbox(host): move to new network and hostname 2026-01-09 03:05:29 +01:00
a622f21b54
renovate(host): move to new network and hostname 2026-01-07 18:46:27 +01:00
40b67c6bc3
sunders(host): move to new network and hostname 2026-01-07 18:46:16 +01:00
fbd3ea5496
base_config: disable cloud-init ssh module to avoid hostkey regeneration
It should run once on first boot anyway and since it apparently runs for
every change in the Proxmox cloud init config, disable it, so it
doesn't, since it's annoying to have "random" hostkey changes.
2026-01-07 18:09:48 +01:00
80ddb2efc9
router: enable a DHCP server for the v4-NAT network as well
As the hosts don't really need a static v4, just do DHCP.
2026-01-07 17:25:27 +01:00
a328e92971 Should be compatible with trixie/13 2026-01-03 14:03:26 +01:00
25db54b8ad Make sure pip is installed 2026-01-03 14:02:56 +01:00
944c8cde82
onlyoffice(host): move to new network and hostname 2025-12-17 03:34:39 +01:00
366456eff8
keycloak(host): move to new network and hostname
Also just listen on port 8443 for keycloak-admin proxy protocol.
2025-12-16 21:50:40 +01:00
1ca71a053e
pad(host): move to new network and hostname 2025-12-16 21:12:21 +01:00
b9add5bda3
cloud(host): set correct new proxy protocol reverse proxy ip 2025-12-16 20:59:15 +01:00
570600fce3
eh22-wiki(host): move to new network and hostname 2025-12-16 20:58:05 +01:00
5a476f2103
cloud(host): move to new network and hostname 2025-12-16 20:47:44 +01:00
b72dee0d6d
wiki(host): actually have nginx listen on v6 2025-12-16 19:52:24 +01:00
8b94a49f5e
wiki(host): move to new network and internal hostname 2025-12-16 19:23:33 +01:00
5f98dca56c
router(host): expose public v6 networks
Also prepare for exposing public v4 networks later.
2025-12-16 19:03:36 +01:00
66ee44366b public-reverse-proxy: New IP of wiki VM 2025-12-14 15:39:03 +01:00
183b91b9f2
router(host): add nftables config for basic router functionality 2025-12-13 22:07:38 +01:00
d0618e3820
nftables(role): introduce role for deploying nftables 2025-12-13 22:07:37 +01:00
a9e394da06
router(host): add systemd-networkd-based network config 2025-12-13 22:07:37 +01:00
d6ba70523c
systemd_networkd(role): introd. role for deploy. systemd-networkd config 2025-12-13 22:07:35 +01:00
766aa125c4
router(host): introduce router 2025-12-13 22:07:07 +01:00
c39cb0e390
we don't need to set a specific alloy version 2025-12-06 22:11:53 +01:00
df3710f019
grafana: set alloy to version v1.11.3
1.12.0 is buggy
2025-12-02 22:55:29 +01:00
0eaaf9227c Update all stable non-major dependencies 2025-11-19 13:30:39 +00:00
ddab157600
don't pin digests anymore
The benefit of digest pinning isn't that great for this project really
and it comes at the cost of more issues and additional renovate noise,
so just don't anymore.
Adjust renovate config accordingly as well.
2025-11-18 14:24:21 +01:00
80acd5fdc6
grafana: store date for up to 28 days 2025-11-11 23:03:59 +01:00
5f6000adca
ssh_config: also enable sntrup761x25519-sha512 for Debian 13
tldr: PQC algorithms are complex but sntrup still is not broken
2025-11-11 22:47:42 +01:00
6fea98ffd2 Redirect to 39c3 instead of eh22 2025-11-07 20:09:02 +01:00
63917722ff
fix foobazdmx role
poetry is available via apt now so we install it that way
2025-11-06 21:19:20 +01:00
aeec08fce8
remove distribution checks
Signed-Off-By: june
2025-11-06 21:16:42 +01:00
cffe5c2b16
dooris: use hostname instead of IP 2025-11-06 18:25:29 +01:00
d690f81e3d
deploy_ssh_server_config: setup ssh pq cryptography 2025-11-05 23:08:28 +01:00
ae60d6fea6
docker_compose(role): use community.docker.docker_compose_v2 module
Use the community.docker.docker_compose_v2 module as it supports proper
changed handling out of the box, making the roles code more
straightforward and work. Also just do a docker compose restart instead
of having the custom docker compose reload script.

https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html
2025-11-02 23:13:20 +01:00
9f8d2d89cd
docker_compose(role): move argument documentation to README
Do this to match newer roles and since reading documentation from
argument_specs is quite unergonomic.
2025-11-02 22:32:20 +01:00
e390b7c202
docker_compose(role): remove unnecessary hosts section from README
The hosts section isn't really relevant for that role, so remove it.
2025-11-02 22:32:20 +01:00
8cefd07618
docker_compose(role): remove distribution check
The distribution check isn't really needed in our setup anyway and just
adds unnecessary noise.
2025-11-02 22:32:20 +01:00
c3f71b1f08 sunders: replace password in healthcheck with dynamic secret
CCCHH/ansible-infra#55

Co-authored-by: ViMaSter <vincent@mahn.ke>
Co-committed-by: ViMaSter <vincent@mahn.ke>
2025-11-02 20:24:55 +01:00
129 changed files with 3745 additions and 741 deletions

@ -10,7 +10,7 @@ jobs:
name: Ansible Lint
runs-on: docker
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- uses: actions/checkout@v6
- name: Install pip
run: |
apt update
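
Review bot: The `uses:` line for `actions/checkout` in the `Ansible Lint` job moves from a full commit SHA (with a `# v5` comment) to the bare tag `v6`, which is a mutable ref: upstream can re-point it and this job will run different code without any diff appearing in this repository. If dropping the digest pin is a deliberate trade-off, say so in a comment next to the step; otherwise keep the `@<commit sha> # v6` form and let Renovate update the digest.
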
@ -24,7 +24,7 @@ jobs:
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2
uses: https://github.com/ansible/ansible-lint@v26.1.1
with:
setup_python: "false"
requirements_file: "requirements.yml"
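
Review bot: The ref style on the `ansible-lint` step is inconsistent with the checkout step in the same job: this one uses the exact tag `v26.1.1`, while checkout uses the floating major tag `v6`. Both are mutable, but an exact tag at least makes every update show up as a reviewable change, so pick one policy for the workflow and apply it to both `uses:` lines. While touching this block, the context comment above the step has a typo ("environmnet").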

@ -33,15 +33,37 @@ keys:
- &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
- &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
- &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
- &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
- &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
external:
age: &host_external_age_keys
- &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
creation_rules:
# group vars
## group vars
- path_regex: inventories/chaosknoten/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_chaosknoten_age_keys
# host vars
- path_regex: inventories/external/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_external_age_keys
- path_regex: inventories/z9/group_vars/all.*
key_groups:
- pgp:
*admin_gpg_keys
## host vars
# chaosknoten hosts
- path_regex: inventories/chaosknoten/host_vars/acmedns.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_acmedns_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups:
- pgp:
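
Review bot: The rule for `inventories/z9/group_vars/all.*` lists only `pgp: *admin_gpg_keys` and no `age:` recipients, while the chaosknoten and external group_vars rules directly above it both add their host age key lists. If any z9 host is meant to decrypt its group vars during ansible-pull, it will not be able to; if admin-only access is intended here, add a one-line comment on the rule so nobody "fixes" it later by adding host keys.
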
@ -150,6 +172,20 @@ creation_rules:
*admin_gpg_keys
age:
- *host_public_reverse_proxy_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_spaceapiccc_ansible_pull_age_key
# external hosts
- path_regex: inventories/external/host_vars/status.*
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_status_ansible_pull_age_key
# z9 hosts
- path_regex: inventories/z9/host_vars/dooris.*
key_groups:
- pgp:
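
Review bot: The new `path_regex` values `inventories/chaosknoten/host_vars/spaceapiccc.*` and `inventories/external/host_vars/status.*` are prefix matches with an unescaped dot, so a later file such as `host_vars/status2.sops.yaml` or `host_vars/statuspage.yaml` would match the `status` rule and be encrypted to the `status` host's age key. Since each rule is what limits which host can decrypt which secrets, consider tightening them to the exact file name, for example `host_vars/status\.sops\.yaml$`, and doing the same for the other host rules when they are next touched.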

@ -0,0 +1,114 @@
# How to create all necessary entries for new (web service) VM
Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo.
## IP, DNS, VM
1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM.
2. On `ns-intern`:
1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP.
2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone.
3. Commit and reload the zone.
3. On Chaosknoten:
1. Create a new VM, for example by cloning the Debian template 9023.
Give it the name `example`.
2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`.
3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP.
4. Make sure the VM is started at boot (options).
5. Adjust any other VM parameters as needed.
6. Boot the VM.
4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
- Make sure to enter the VM ID.
- Add an Ethernet interface to the VM; we typically use `eth0` as a name.
- Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface.
## Ansible Basics
As the first step, we need to make the host known to Ansible.
1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
2. `creation_rules` needs an entry for the host, referencing the age key.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
2. In `inventories/chaosknoten/hosts.yaml`:
1. Configure basic connection info:
```yaml
example:
ansible_host: example.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
```
You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection.
2. Add the host to the desired roles.
1. As a minimum, you'll want the following roles:
- `base_config_hosts`
- `infrastructure_authorized_keys_hosts`
- `ansible_pull_hosts`
2. For a typical web service based on Docker Compose, you'll also want:
- `docker_compose_hosts`
- `nginx_hosts`
- `certbot_hosts`.
3. In the directory `inventories/chaosknoten/host_var/`:
1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
## Service-specific config
From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following.
Make `inventories/chaosknoten/host_var/example.yaml` look like this:
```yaml
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "example.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}"
nginx__version_spec: ""
nginx__configurations:
- name: example.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}"
```
This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info.
## First Ansible run
Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts:
* `ssh chaos@example.hosts.hamburg.ccc.de`
* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de`
Then run Ansible for `public-reverse-proxy` to add the necessary entries:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
```
Finally run Ansible for the new host:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example
```
# Commit your changes
Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host.
And always `git pull` before you run Ansible so avoid reverting anything!
# Monitoring
## Gatus (`status.hamburg.ccc.de`)
After you configured a new service or website, add it to our status and uptime monitoring.
Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents).
After you've added some checks, the configuration can be deployed using:
```sh
ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status
```
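
Review bot: The paths in the "Ansible Basics" and "Service-specific config" sections do not match the repository layout or each other: the text uses `inventories/chaosknoten/host_var/` and `group_var/all.sops.yaml`, while the `.sops.yaml` creation rules match `host_vars` and `group_vars`, so files created by following these steps would not hit any creation rule. In the same step, `sops inventories/chaosknoten/host_var/example.yaml` opens the plaintext config file rather than `example.sops.yaml`, which risks secrets being typed into the unencrypted file. The nginx lookup also points at `resources/chaosknoten/spaceapiccc/nginx/...` instead of `resources/chaosknoten/example/...`, there is a stray `'` after `compose.yaml.j2`, and "manly" should be "mainly".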

@ -2,19 +2,30 @@
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys.
1. Create a new age key for Ansible pull on the host.
```
age-keygen
```
Then add an entry to `keys.hosts.chaosknoten.age`
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference.
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this:
```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
```
3. With the editor now open, add the secrets you want to store.
5. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.
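
Review bot: The example command `sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml` contradicts the sentence two lines above it, which says the file must be named `[HOSTNAME].sops.yaml` to be picked up by the vars plugin, and a `.secrets.yaml` file would also be skipped by the `find inventories -name "*.sops.*"` re-encryption command added in step 3. Change the example to `[HOSTNAME].sops.yaml` and add `external` to the inventory choices now that `inventories/external` exists. For the new `age-keygen` step, note that it prints the private key to the terminal, and say where that key should go (only into the SOPS file under `ansible_pull__age_private_key`); "manly" and "prive" are typos.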

View file

@ -1,363 +1,384 @@
msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
sops:
age:
- recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S0d6cnB5UGJEZlNKcEpD
NGQyYTNwS0E1TjZTbkdaNXlTVHFyendtT3g4Ck0xRkJhZHR2a1RJVDd3bUE5RTl6
SVZrN0NIR2VKeTl6Qk9oTUd6VDdQYlEKLS0tIE82YXFoVkQ4bk1SRTU2YTZ0eVF4
akdQTFBoY1B1aVZHSGw4bXJPZTd0MHMKnchC61XZk3cPfe7QjijW5uBlDkf2Sjc3
/Spp+9cuf9jIJvFg+h3EY7CLAMVyAK59WnODM0HvQNhreXRg8CgK2g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2k4SUxMUEtvODVGMnY2
U1gxeWRURmIwNUhYelNUZHVGQ05rRlI3TXljClREc0hCMjlPTFBEakVuOFFjTWVu
dHNrbzVHT1d0UklRNW0zSHZCWWJpeW8KLS0tIG85S2h1aEhITUI2aVRwempOVHlr
aWFyRDdEZ2RnQjFNUmVZQnBzNGhhR1EKeYR9qIuh/f/o/qXkQV9KZcir9iPQ2IEs
X6azikmig0stguQMUQB57+Sk10MlIDQGoY3C0YcmG3dtiUoo/vKTRw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gdfhx5hy829uqkw4nwjwlpvl7zqvljguzsnjv0dpwz5q5u7dtf6s90wndt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWW1ScXNWSEo3S1RpYitK
aEVsWklvS3Ryc2pqakpUc05mejIwWi9GaG1ZCk90UXdKVVZzdXBuTXowTURDekhM
NlJEbU5teThWaCs3R1ltUHBRMWVncGMKLS0tIGszeDJ0ekJIK2FYUW9Xdjcyc0Rl
Rlp0RXNhc1N5UXdmMG1NMkNoYkZZNkEK96GpdskKEXHK/ZQFSN+Y//wygKmnxP2b
ukFolURV7qlQVamWuDoUC/ToQtl3bU0jce/STQjGY67OwG5kecxEKw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqazJTaVhjdkk2cStHNllr
VEhobDJIQ1NKajFNVmJ0NHFrRzJlMVVYL0M0CkVEbHFFbTZ3aU9sblNaTTR5T1hT
ZjM3TGZ0SVVkS1ZqMGZxQnh0eHhVaFkKLS0tIGs5RXFta3JJYmRZemNRQzBGbE9E
dlZqTStUVWNEWFk4RzNkSmM3dlRxU0EKR+IOa5r/mSl7jnmhEvbJqytWedRgdix6
0x0JCJe/q1l90F4IYIwd5onF5jF9DydmVnNdCbgAHF+DYrdwjwt7Uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13nm6hfz66ce4wpn89fye05mag3l3h04etvz6wj7szm3vzrdlfupqhrp3fa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzlXY0FvUEtIa3BVTjUv
MzI3cE8vbVd6WWF3Q2J5RlRISW5kOU1XZEJjClFsS3VlbXZHVDlWMWZMUGwzdTFC
K0xpV3FjRGJmWThDbklNbFByLy9FTXcKLS0tIGpMYlM5S3dodTBhWDY0TjNkT0p4
WWpCdVN4cjIwMCtRZXJCR0kvWmV2TDQKeAE9hmGim0wdG7AC9Ypk1/zAOvpWEc9w
B5j3MGmJiDV5vqZ6YDJ158fkB3s3XDIohaTP0XT5Y1zEDnn0ee62zA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmpzTFZ0MWN4TE9Bdld0
eXJXTVhVbFpmbHpVbDg3KzJTQjVoU2M5Vmg4CkY5MlBwTEsvVDlBUGp4Yy9KSEtW
M0thZncvcFhqcTluR0FRdHBlVERmWkkKLS0tIHlIZ1o3Zm5pcEJUOElKSDU3SEh5
MzQzRENjNitaNUtIUDNNM0VxVVZsVjAK8BM7kqL6Pjg8riOTti8tAH13MgD2b3jR
EPZEPzWM3vBNMQ71WYSTiljK+fdwQucQbTCZFKVHUyErCiI+7jYrXQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jtusr294t8mzar2qy857v6s329ret9s353y4kuulxwnlyy4dvpjsvyl67m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cXdneDFCNUxZR2VYVXpo
RzhwNFZnYnhzOXBrTmQ5NlNhUThsbjA4ZENnCjRWVXpzb1lZcjNQeUVoY0lkZTRj
bVU1S2thNzg4T2UyaGFqdDlvLzRJVFEKLS0tIFBIMEIvaWtPU08vR1crSGxUSklx
Ujh3bDFVdktOOVdvbVNrRGEvM0ZiczgKDAvWbY515jRhcWEkZrNNmtBsSwchclVz
FvnQB3G8ZIxJliJCkOHrFokvRskCHt9KJNZogqPtGF9a5OWcKkWgNQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkdERkJKQnUxaXhuRk5O
cDlxOEZsM2djbk5laFVHWUNKaUNKSit0cDJ3Ck80eFYvajNId0NHdzRONktHZTBM
WENsSFZWL3JLeHNpanNBSDB0M1pselUKLS0tIGZPUTRlSW1hNjNPVnVoSEhKK1dJ
WFpiUW1QSXk4VktHNWVGemh5czZLdmsKaycC2cLTfboV5MT0W2+fWMg9JCAn4U7u
lMkTZausCp1hUlE68BXi8DuVivRif+gjVjVWsBabikQtzW8H//fFDw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a27euccw8j23wec76ls8vmzp7mntfcn4v8tkyegmg8alzfhk3suqwm6vgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdkpuODFJZ2xPT3NOT3ZP
MmVuSkx1UmdwWVBEZzJQOUNodUpvUlJrSlNnCjJBT1AyNzZmNC9sZytNaGpEOUZT
Tmx3VkdRVGNHOGJkZzgrZmFmRFFFY3cKLS0tIDZONHQ3SUh1bXM0LytmYUVZSmRZ
VmEzUkRqdnUvc0s3SmRNcmpZRndvVUUKHRo25oFVNtzJlTqkQ03znzH+Ce8j2rgO
Bt/HQ2tJC/0PL67zjCr4oyxWs2RfSuswM6pGh3TXmSkUawzzyMAPTA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWnlvR1BmUlRkcXhHbklZ
d2pzRkxxZTVtOGl4YjdGOTQxbEFnRUVGdG1rCkFQMHE1VTdIR3FPeWdlSHRKRGtl
Tk9FeHNuQ1ZIRWRFN29EVWh1ZjE2RDAKLS0tIGQrWnJWcjUyZFkwQmdZazBTQmR5
cWZ1N1NHVEVqMlc5MExyZThKYTdNc28KEaFjX16Bf0MZsmMTLytDnJFPICeu808r
t53faoADnTdhYKhKQYB1Fgk7h3DBvxM36VDw6v3oC0f6B0yEx7a3hQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age133wy6sxhgx3kkwxecra6xf9ey2uhnvtjpgwawwfmpvz0jpd0s5dqe385u3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd3dwQ290Q3JCclBPbS9X
S1pnNVU5YlJjZkkzTEtuWWhlcmh6cEtMZmd3Cis2MW5henJ0dWZwNnpTcy9ia3Uz
QThPMlpBN0lkZVI3d1RqQ1pGeDkwTVkKLS0tIElGYWR6QXdkTS91cGRQVUZPZWVE
aXNhWGFQWncybG5ycTF3bGUxUEdRYlEKXMlP+iC1L+lCeFB9rnyDE6tKMNiqFAQQ
lvQKLGvZVRMk7RNR/OWb2IsZNtK3yGAgqjGpb8UwZKjUwYwgBzkklQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVGpwdUVSbVRiVkdBREVX
ODl6bzlVNHRkTzk2UXMwNVp3K3A3V0hmdVRBCjlJenlmNDZEU2ZzMUpVYmpFdllR
NlNxaU1YYzNZdEVzdzJLTEVMWlloZUEKLS0tIDl0VnAzZUF3QWF3WXpFTjEvY3RP
T2J0Kys3WmJRZU1jRk1kUnZud3B3MlEKhgLTCcfyxOBL8X6JPlcuy+CcOlx09VP7
AZhfb8lf5JXe/4WqAMOh6s7ZrTM5JFBr8U5GQFo+syIIJeixn5SRBw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0enhNVHF0eHZkTlB3bTZN
ZWJaVDc5TUkrSHFFTnJ0UE9hTEg0Tkt0OVNFClFCNTlsTUJlQ1MySkdFa2o0WGRB
VWUzbkxFTkxQMVBqTXJtNEVCb2ZPYW8KLS0tIDR6ZXdoOWNwbjdNcmtxS2FBd1Zx
dWVLVUlZWEh0UWRXTlhYV3ZTT01ZQXcKz/ughevubxHCk315eL6WV0JETo4tblck
t2b4h0kcDpFO6aPCHBSX69QOLJpBCBnKI8ZBlxgTdTDLFlScG/8HRw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2NFWkdaMVFTcUxOZWl3
Z1hsK1ZvbFRjQ0swbVZlQkIvNW9LU2pZdVgwCkJHcUpTYjMyZy9qKzdIbzExcVRj
V0UrWG5yaUF1cTJnK2RDT0E3aXRkK0UKLS0tIGRqTzBsbHdBdGlMTWt2NzNOVDBp
U1NVMzBIL3ZBUUFHLytGQXk3M01UK00KZBW1DUeDpN5sstZ1LuqcpxsQcjdUJe5L
5HS4O5h0D+/p8/aOW5NPoIf0A6f4/CLVm4o287GHsxkTXeH1sDr2Ng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs05anv4acculyap35e6vehdxw3g6ycwnvh6hsuv8u33re984zsnqfvqv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MGlobGt4MG5YbXhYVWM5
SDlraHdnR0srZDF2T1FicVFGR3IvNzBhMkVFCm9Nc1JnZ2toOGUzbDZ6cTRTajc3
SVk0U2JlSStWQXFYY3htOTh2Uy80aDQKLS0tIHRkRkNwb1Q5dTZ5cDVoVXIwcmVi
MXBDdzdWZi84OXRRMUt2Mnh5QStLZWcKR/1GROkmyQWyY2GcZGplX8vYqHoeqvvX
ioWRF+QaK3GpgHOaSFybFt3r8wfeILbQ7zMs9qMARTg0kVMVvE/8pA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFVkbjFMY25pWHpPZEMy
Z0xsOW5NZ0cxZC9UR2RCMTBaTlNkRjJuU1dnCnRhVU9iL1lsUWpCTzdKS1RiYnMw
TWhjS29jOGNwQXU1Q0NmdjkwOHNRUFUKLS0tIFJnajRUMk9pTDVDdFI5Szd4RkV6
TnNkK1RVZnFaRGVmaFRwMnlmd3lUbEEK+CKPUsutEpo5/bHyXM7tMUUM4hka1hCV
oto6VkOSVoYnwHNzXSAei+jkfvT8dED7fUQKkZeqN3c4bUrha42BUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18qam683rva3ee3wgue7r0ey4ws4jttz4a4dpe3q8kq8lmrp97ezq2cns8d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGV1VTA3R0FsMkdKYWo5
K0VFK3VFR3Z5bmdmS2QzR0hRTWRvOEFEclgwCm9MQUZQSjZqVXJVQ3FoUTMzWjU4
Q0luVDE0RUhUNmZGSlZXYWEwNHprS2cKLS0tIHBRQnZibGkrUmU3OHNHVjcvelVF
UEtad0g0T1JZRFYxUnpiblNIV0VybE0KVCw68UXleN43Qi/MSFpyGjrbwZS/EtWw
tbfZMPLalJ52pv4cxT4nrPfipoUyX7tHxEEd2f1SDzt5RUk0TO7ojA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2JBTXFaWEFmNU1PVkgz
Uk0xeWJqMkpVOW1QU05Qc3hSeFM2eHVjc2tZCjB3bjZ2ZUZFTHIxSmZUb1V6THpW
dHFXZUM3a0ZKcEZSRklqUk5jWGJkaU0KLS0tIEVxUlREKzdCMEdvZG12UlhxUW1p
TTVGVllybHUvZkhMT0x5Ty8vb3AzMG8KfuZW6Yj21NHAvfaVs2HedYgGWxUDXWiP
aZTbarB/2UzYEacoEO7CMLHDS53X15plRPbzYRWhnRkb9WkDQ/0pOw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19rg2cuj9smv8nzxmr03azfqe69edhep53dep6kvh83paf08zv58sntm0fg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QXVVSlZ2QXA5NWN6Zllh
REQ3UE05eWkrUHdyL3FRUHJMTkE3QWtwbENnClBGdnFhT3NzWEJKM0YzT3RpS2FY
cnNaczRIRUEzSDgxejNjbTdoaERiRkEKLS0tIEdOOHdISkF0YnNpcFNKekVLYWVN
allIenQ4OFoyaEdCK1YrM0tpM0FHRjAKwrOJS9RGCHS7lcPX+eufZnEjaIvO3f73
RWThSP0d2iy/vul18hdLF8PqKE2Hy0j6lvs9qhvwI1EQa53zHAWRDg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaU1FN2JEblVsK3hRNXVO
WnBISWgyYno1ZnNqeUtHV0tkcERrdzRhc3dvCmlEQXFrbmVibTVmOVQxVWFiaTdn
WUhyVjFvdHduNXpraHVldzNnLzVjYmMKLS0tIEJjODh2TGg3OUlodk1IWnltNGR5
SG1TS3l2clZOVkhyTW1INjZNc1E5V1EKCJo7uU1XbW4Z6i5ux2t323Um5TDTwTl+
mMirFUiosu62vTfd+nC3TwRyM1XwlpI54EEU27jTHMlF8oSgXeLumQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16znyzvquuy8467gg27mdwdt8k6kcu3fjrvfm6gnl4nmqp8tuvqaspqgcet
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYmNHaUcvMitRcklkbkU3
VDRyQnhhak82d2I4MnRKMk1qdTU3bDRzdlUwCnBzSEJHZmRTazZ3Rktmc2FKaXJC
cnJiMU9oUW03Q3dlbGtTZWNtZXZqZk0KLS0tIHVTNU1QU2dRQ3JMclhqQjN1VjBK
dHgrU2EyT0FHUng2L0R6dFFZSU1kU1UK2x72pMCRGCz/cyekHrTY/vXhxACPGjYn
PxEXKoi70Dq9ox3ggknmE6JLZqMvFoudLoE2GAzvimFomYWb4e3NmQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUpzVlhFc2k3U3ZlT2JK
U3N4L0FGZE1iWGRwN0tvNEtwd3VXYTV6N1ZZCmVnYUNpY2poazVibnpQRlZ1MXFN
SmtURDFLSmJmM0pHdytjVFM0c3B3eTgKLS0tIEZidTZmS1dpZ1VFRkFpc09EaWxZ
cUVIQmVDLysrQ3pMcFIvZ0NCWExJa3cKdwTrVM7aXAi4bBHfXCWllbZIa2c4IbRW
FNS1L6tP1mop2y9d0CgmVBiBFQdNAg8yVJRPWs25W9WVFHBDuB+X8g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1azkgwrcwqhc6flj7gturptpl2uvay6pd94cam4t6yuk2n4wlnsqsj38hca
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age1wnympe3x8ce8hk87cymmt6wvccs4aes5rhhs44hq0s529v5z4g5sfyphwx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age172pk7lyc6p4ewy0f2h6pau5d5sz6z8cq66hm4u4tpzx3an496a2sljx7x5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-13T23:45:06Z"
mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str]
- recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
- recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T18:06:26Z"
mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
pgp:
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2025-10-20T19:03:07Z"
- created_at: "2026-01-27T08:41:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0

View file

@ -3,7 +3,7 @@
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/chaosknoten
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min
@ -14,3 +14,46 @@ msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps
msmtp__smtp_user: any@hosts.hamburg.ccc.de
msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de"
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ metrics__chaos_password }}"
}
}
}
prometheus.relabel "chaosknoten_common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
target_label = "site"
replacement = "wieske"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hosts.hamburg.ccc.de"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.chaosknoten_common.receiver]
}
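Review bot: `password = "{{ metrics__chaos_password }}"` in the `basic_auth` block is interpolated raw into a double-quoted Alloy string, so a password containing `"` or `\` renders an invalid config; escape it in the template or document the allowed alphabet. The variable also drops the `secret__` prefix that the per-host configs used (`secret__metrics_chaos`) and is not defined in this file, so a comment naming the encrypted vars file that provides it would help. Since `prometheus.relabel "chaosknoten_common"` rewrites `instance` in place and relabel regexes are fully anchored, `([^:]+)` leaves any `instance` value that contains a port unchanged; say whether that is intended.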

View file

@ -0,0 +1,214 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
sops:
age:
- recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T16:16:15Z"
mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
pgp:
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T14:20:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

View file

@ -0,0 +1,23 @@
---
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: acmedns.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
- name: oauth2-proxy.cfg
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
- name: html/index.html
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
docker_compose__pull: missing
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
# - "spaceapi.ccc.de" # after DNS has been adjusted
- "acmedns.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: acmedns.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"
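Review bot: The commented entry `# - "spaceapi.ccc.de" # after DNS has been adjusted` under `certbot__certificate_domains` names a domain that nothing else in this file references (every template and the nginx config are for acmedns); if it is a leftover from another host's vars, drop it so nobody later enables a certificate for the wrong host. If `docker_compose__pull: missing` means only absent images are pulled, images already on the host are never refreshed by the pull timer, which deserves a comment saying how they are meant to be updated.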

View file

@ -1,11 +1,11 @@
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
nextcloud__version: 32
# renovate: datasource=docker depName=docker.io/library/postgres
nextcloud__postgres_version: 15.14
nextcloud__postgres_version: 15.15
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
nextcloud__use_custom_new_user_skeleton: true
nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
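Review bot: `nextcloud__proxy_protocol_reverse_proxy_ip` switches address family, from `172.31.17.140` to `"2a00:14b0:4200:3000:125::1"`, in the same hunk as an unrelated Postgres patch bump. Confirm that the template consuming this value accepts an IPv6 literal and that the reverse proxy reaches this host only over IPv6, because with a single trusted address, PROXY protocol connections arriving from the old IPv4 address are no longer treated as trusted. Splitting the two changes would also make a rollback of either one cleaner.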

View file

@ -53,17 +53,7 @@ nginx__configurations:
- name: metrics.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
alloy_config: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
alloy_config_additional: |
loki.write "default" {
endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
@ -99,9 +89,9 @@ alloy_config: |
}
rule {
source_labels = ["__journal__hostname"]
target_label = "host"
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
replacement = "${1}.hosts.hamburg.ccc.de"
action = "replace"
}
}
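Review bot: Changing `target_label` from `"host"` to `"instance"` and the suffix to `.hosts.hamburg.ccc.de` renames a label on every journal stream this host ships, so saved queries, dashboards and alert rules that select on `host=` or on the old `.hamburg.ccc.de` value stop matching once this rolls out. Update them in the same change or list them in the commit message.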
@ -112,30 +102,3 @@ alloy_config: |
format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}

View file

@ -1,5 +1,5 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
netbox__version: "v4.4.5"
netbox__version: "v4.5.0"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true
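Review bot: `netbox__version` moves from `"v4.4.5"` to `"v4.5.0"`, a minor release, while `netbox__custom_pipeline_oidc_group_and_role_mapping: true` stays enabled. Note in the commit that the custom OIDC group and role mapping was checked against 4.5.0, since a regression in the login path would only surface after the unattended pull applies it.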

View file

@ -1,5 +1,3 @@
secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
ntfy:
user:
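Review bot: Deleting `secret__loki_chaos` and `secret__metrics_chaos` from this file does not retire them: the old ciphertext stays in git history and remains decryptable by every recipient it was encrypted for. If the credentials moved to a shared vars file, say so in the commit message; if they are being retired, rotate them on the Loki and metrics side.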
@ -18,8 +16,8 @@ sops:
bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-20T19:01:39Z"
mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str]
lastmodified: "2026-01-25T18:41:48Z"
mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
pgp:
- created_at: "2025-10-20T19:03:04Z"
enc: |-

View file

@ -15,90 +15,8 @@ nginx__configurations:
- name: ntfy.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
alloy_config: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ secret__metrics_chaos }}"
}
}
}
loki.write "default" {
endpoint {
url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
basic_auth {
username = "chaos"
password = "{{ secret__loki_chaos }}"
}
}
}
loki.relabel "journal" {
forward_to = []
rule {
source_labels = ["__journal__systemd_unit"]
target_label = "systemd_unit"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "instance"
}
rule {
source_labels = ["__journal__transport"]
target_label = "systemd_transport"
}
rule {
source_labels = ["__journal_syslog_identifier"]
target_label = "syslog_identifier"
}
rule {
source_labels = ["__journal_priority_keyword"]
target_label = "level"
}
rule {
source_labels = ["__journal__hostname"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
loki.source.journal "read_journal" {
forward_to = [loki.write.default.receiver]
relabel_rules = loki.relabel.journal.rules
format_as_json = true
labels = {component = "loki.source.journal", org = "ccchh"}
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.relabel "default" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
source_labels = ["instance"]
target_label = "host"
regex = "([^:]+)"
replacement = "${1}.hamburg.ccc.de"
action = "replace"
}
}
prometheus.scrape "unix_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.default.receiver]
}
alloy_config_additional: |
prometheus.scrape "ntfy_metrics" {
targets = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
forward_to = [prometheus.relabel.default.receiver]
forward_to = [prometheus.relabel.chaosknoten_common.receiver]
}
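Review bot: The removed `alloy_config` carried the `loki.write`, `loki.relabel "journal"` and `loki.source.journal` components, and the replacement `alloy_config_additional` keeps only `prometheus.scrape "ntfy_metrics"`; the shared `alloy_config_default` shown earlier in this diff defines no Loki components, so this host stops shipping its journal unless that is added elsewhere. State whether dropping log shipping for ntfy is intended. Also note that `chaosknoten_common` rewrites `instance`, so the static `instance = "ntfy"` on this target will be exported as `ntfy.hosts.hamburg.ccc.de`.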

View file

@ -0,0 +1,5 @@
systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min
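Review bot: The `ansible_pull__timer_on_calendar` and `ansible_pull__timer_randomized_delay_sec: 0min` overrides carry no comment explaining why this host runs at exactly 04:00 while the group default moves to 04:30 with a 30min window. If the intent is for the router to finish before the other hosts start pulling, write that down here, and consider that an unattended `nftables__config` change applied at that hour has nobody watching if the new ruleset cuts off management access.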

View file

@ -0,0 +1,215 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str]
secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str]
secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str]
secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str]
sops:
age:
- recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-25T11:18:43Z"
mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str]
pgp:
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=PbAZ
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw
ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo
0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f
dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU
=Cbzj
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw
fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK
0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw
fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz
=g5Ck
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-01-25T11:17:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=zb8A
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted
version: 3.11.0

@ -0,0 +1,15 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}"
docker_compose__build: never
docker_compose__pull: never
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "spaceapi.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: spaceapi.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf') }}"

@ -1,31 +1,31 @@
all:
hosts:
ccchoir:
ansible_host: ccchoir-intern.hamburg.ccc.de
ansible_host: ccchoir.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
chaosknoten:
ansible_host: chaosknoten.hamburg.ccc.de
cloud:
ansible_host: cloud-intern.hamburg.ccc.de
ansible_host: cloud.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
eh22-wiki:
ansible_host: eh22-wiki-intern.hamburg.ccc.de
ansible_host: eh22-wiki.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
grafana:
ansible_host: grafana-intern.hamburg.ccc.de
ansible_host: grafana.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
tickets:
ansible_host: tickets-intern.hamburg.ccc.de
ansible_host: tickets.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
keycloak:
ansible_host: keycloak-intern.hamburg.ccc.de
ansible_host: keycloak.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
lists:
ansible_host: lists.hamburg.ccc.de
ansible_user: chaos
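
Review bot: every host in this hunk carries its own copy of `ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de`, so the next jump-host move means touching each entry again, exactly as this change had to. Setting the argument once as a group variable for the hosts behind the router would keep the bastion in one place and rule out a missed host. It is also worth stating in the commit message or README that `router` is now the single SSH entry point for these machines.
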
@ -33,49 +33,61 @@ all:
ansible_host: mumble.hamburg.ccc.de
ansible_user: chaos
netbox:
ansible_host: netbox-intern.hamburg.ccc.de
ansible_host: netbox.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
onlyoffice:
ansible_host: onlyoffice-intern.hamburg.ccc.de
ansible_host: onlyoffice.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
pad:
ansible_host: pad-intern.hamburg.ccc.de
ansible_host: pad.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
pretalx:
ansible_host: pretalx-intern.hamburg.ccc.de
ansible_host: pretalx.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_user: chaos
router:
ansible_host: router.hamburg.ccc.de
ansible_user: chaos
wiki:
ansible_host: wiki-intern.hamburg.ccc.de
ansible_host: wiki.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
zammad:
ansible_host: zammad-intern.hamburg.ccc.de
ansible_host: zammad.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
ntfy:
ansible_host: ntfy-intern.hamburg.ccc.de
ansible_host: ntfy.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
sunders:
ansible_host: sunders-intern.hamburg.ccc.de
ansible_host: sunders.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
renovate:
ansible_host: renovate-intern.hamburg.ccc.de
ansible_host: renovate.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
spaceapiccc:
ansible_host: spaceapiccc.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
acmedns:
ansible_host: acmedns.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:
base_config_hosts:
hosts:
acmedns:
ccchoir:
cloud:
eh22-wiki:
@ -88,14 +100,23 @@ base_config_hosts:
pad:
pretalx:
public-reverse-proxy:
router:
tickets:
wiki:
zammad:
ntfy:
sunders:
renovate:
docker_compose_hosts:
spaceapiccc:
systemd_networkd_hosts:
hosts:
router:
nftables_hosts:
hosts:
router:
docker_compose_hosts:
hosts:
acmedns:
ccchoir:
grafana:
tickets:
@ -107,11 +128,13 @@ docker_compose_hosts:
zammad:
ntfy:
sunders:
spaceapiccc:
nextcloud_hosts:
hosts:
cloud:
nginx_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:
@ -128,11 +151,13 @@ nginx_hosts:
zammad:
ntfy:
sunders:
spaceapiccc:
public_reverse_proxy_hosts:
hosts:
public-reverse-proxy:
certbot_hosts:
hosts:
acmedns:
ccchoir:
eh22-wiki:
grafana:
@ -148,11 +173,11 @@ certbot_hosts:
zammad:
ntfy:
sunders:
prometheus_node_exporter_hosts:
spaceapiccc:
alloy_hosts:
hosts:
ccchoir:
eh22-wiki:
tickets:
keycloak:
netbox:
onlyoffice:
@ -160,6 +185,15 @@ prometheus_node_exporter_hosts:
pretalx:
wiki:
zammad:
grafana:
ntfy:
tickets:
renovate:
cloud:
public-reverse-proxy:
router:
sunders:
spaceapiccc:
infrastructure_authorized_keys_hosts:
hosts:
ccchoir:
@ -173,11 +207,13 @@ infrastructure_authorized_keys_hosts:
pad:
pretalx:
public-reverse-proxy:
router:
wiki:
zammad:
ntfy:
sunders:
renovate:
spaceapiccc:
wiki_hosts:
hosts:
eh22-wiki:
@ -188,10 +224,6 @@ netbox_hosts:
proxmox_vm_template_hosts:
hosts:
chaosknoten:
alloy_hosts:
hosts:
grafana:
ntfy:
ansible_pull_hosts:
hosts:
netbox:
@ -212,6 +244,7 @@ ansible_pull_hosts:
public-reverse-proxy:
zammad:
ntfy:
spaceapiccc:
msmtp_hosts:
hosts:
renovate_hosts:

@ -0,0 +1,210 @@
msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
lastmodified: "2026-01-15T21:28:28Z"
mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
pgp:
unencrypted_suffix: _unencrypted
version: 3.11.0

@ -0,0 +1,16 @@
# ansible_pull
# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
ansible_pull__inventory: inventories/external
ansible_pull__playbook: playbooks/maintenance.yaml
ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
ansible_pull__timer_randomized_delay_sec: 30min
# msmtp
# msmtp__smtp_password is defined in the all.sops.yaml.
msmtp__smtp_host: cow.hamburg.ccc.de
msmtp__smtp_port: 465
msmtp__smtp_tls_method: smtps
msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"
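
Review bot: `ansible_pull__repo_url` together with `ansible_pull__playbook: playbooks/maintenance.yaml` pins no branch or commit, so whatever the repository serves at 04:30 runs on every external host, and nothing in these variables checks who authored it. ansible-pull has `--verify-commit` for signed commits; if the `ansible_pull` role can pass extra arguments, enabling that (or pulling from a protected branch) would be a worthwhile follow-up.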

@ -0,0 +1,213 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
secret__gatus_acme_dns_update_test_x_api_key: ENC[AES256_GCM,data:rBMHvYT7g+o6Rc+edjikYT2jn4wKnkOJWOMf5Ys1zjKpsRCKEF0PZA==,iv:Tp4ELKMfhxtwaJljW4sMCVgW3KCTL89NfW2/LQTmO1Y=,tag:YMbvE0xgLTYCFXche/mvFA==,type:str]
sops:
age:
- recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
enc: |
lastmodified: "2026-02-01T21:17:51Z"
mac: ENC[AES256_GCM,data:YO5RoJnkjZeouYJa3ui/cRGLcpSzbs1Ou4D+XU9fZ6ZEc8snmLoN/e8vK91+9qigQECOc/WHHaln4ghYs6wNH+xje4ImCYL92p1RbMPvT8OoS3qu+pTF3sUfQfV/Rju61njNHA7XNAmGCxSiJQxgq2o92aoEB7qKs+AwCFEmTpE=,iv:QrRkSv4novqk3+YCnfFW59df1mvcGONTDO3zCUyXUME=,tag:oBy402SSczs3qyHhBpQqnw==,type:str]
pgp:
unencrypted_suffix: _unencrypted
version: 3.11.0

@ -0,0 +1,27 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
docker_compose__configuration_files:
- name: "general.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
- name: "sites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
- name: "services-chaosknoten.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
- name: "websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
- name: "easterhegg-websites.yaml"
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: status.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "status.hamburg.ccc.de"
certbot__new_cert_commands:
- "systemctl reload nginx.service"

inventories/external/hosts.yaml vendored Normal file
@ -0,0 +1,24 @@
all:
hosts:
status:
# TODO: Manually set up ufw on the host. Create a role for ufw.
ansible_host: status.hamburg.ccc.de
ansible_user: chaos
base_config_hosts:
hosts:
status:
docker_compose_hosts:
hosts:
status:
nginx_hosts:
hosts:
status:
certbot_hosts:
hosts:
status:
infrastructure_authorized_keys_hosts:
hosts:
status:
ansible_pull_hosts:
hosts:
status:
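
Review bot: the `# TODO: Manually set up ufw on the host` comment on `status` leaves the firewall of an externally hosted machine outside what this inventory enforces, and no group in this file applies a firewall role to it. Until the ufw role exists, document the expected rule set next to the TODO so a rebuild does not come up unfiltered. Since `status` is also in `docker_compose_hosts`, keep in mind that ports published by Docker are not filtered by ufw's default rules.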

@ -0,0 +1,200 @@
metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
sops:
lastmodified: "2026-01-25T19:52:03Z"
mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str]
pgp:
unencrypted_suffix: _unencrypted
version: 3.11.0

@ -0,0 +1,43 @@
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "{{ metrics__chaos_password }}"
}
}
}
prometheus.relabel "z9_common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "ccchh"
}
rule {
target_label = "site"
replacement = "z9"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.z9.ccchh.net"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.z9_common.receiver]
}
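
Review bot: in `prometheus.relabel "z9_common"` the `instance` rule uses `regex = "([^:]+)"`, and relabel regexes are anchored at both ends, so an `instance` value of the form host:port does not match and is forwarded without the `.z9.ccchh.net` suffix. That may be all the unix exporter scraped here ever produces, but this block is named as the default config; either extend the regex to tolerate a port or say in a comment that only port-less instances are expected. Also check that the file rendered from `password = "{{ metrics__chaos_password }}"` is readable only by root and the Alloy user, and that the secret contains no `"` or `\`, which would break the rendered string.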

@ -7,9 +7,11 @@ certbot__certificate_domains:
- "dooris.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
certbot__http_01_port: 80
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: dooris.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"

@ -50,10 +50,22 @@ ola__configs:
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
- name: ola-usbserial
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: light
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"
content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "light-werkstatt.ccchh.net"
- "light.ccchh.net"
- "light.z9.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
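
Review bot: the `http_handler` entry for light appears with two `content` lookups, one under `resources/z9/light/nginx/` and one under `resources/z9/dooris/nginx/`. If the resulting file reads the handler from the dooris directory, light's HTTP handling changes whenever the dooris file is edited; a shared path, or a comment saying the reuse is intended, would make that dependency explicit.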

@ -6,4 +6,3 @@ docker_compose__configuration_files:
content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
- name: regfile.conf
content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"

@ -4,7 +4,7 @@ all:
ansible_host: authoritative-dns.z9.ccchh.net
ansible_user: chaos
dooris:
ansible_host: 10.31.208.201
ansible_host: dooris.z9.ccchh.net
ansible_user: chaos
light:
ansible_host: light.z9.ccchh.net
@ -20,6 +20,7 @@ all:
certbot_hosts:
hosts:
dooris:
light:
docker_compose_hosts:
hosts:
dooris:
@ -49,5 +50,11 @@ ola_hosts:
proxmox_vm_template_hosts:
hosts:
thinkcccore0:
alloy_hosts:
hosts:
authoritative-dns:
light:
yate:
dooris:
ansible_pull_hosts:
hosts:

@ -4,6 +4,16 @@
roles:
- base_config
- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
hosts: systemd_networkd_hosts
roles:
- systemd_networkd
- name: Ensure nftables deployment on nftables_hosts
hosts: nftables_hosts
roles:
- nftables
- name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts
roles:
@ -54,11 +64,6 @@
roles:
- nginx
- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
hosts: prometheus_node_exporter_hosts
roles:
- prometheus_node_exporter
- name: Configure unattended upgrades for all non-hypervisors
hosts: all:!hypervisors
become: true
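
Review bot: dropping the `prometheus_node_exporter` play stops managing the exporter but does not remove it, so hosts that were in `prometheus_node_exporter_hosts` keep the package and its listening service unless something else cleans them up. A one-off removal task, or a note in the commit that it was removed by hand, would avoid an unmanaged metrics endpoint lingering next to Alloy.
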
@ -73,10 +78,8 @@
- name: Ensure Alloy is installed and Setup on alloy_hosts
hosts: alloy_hosts
become: true
tasks:
- name: Setup Alloy
ansible.builtin.include_role:
name: grafana.grafana.alloy
roles:
- alloy
- name: Ensure ansible_pull deployment on ansible_pull_hosts
hosts: ansible_pull_hosts

@ -1,13 +1,17 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended", // Included in config:best-practices anyway, but added for clarity.
"config:best-practices",
"config:recommended",
// Parts from config:best-practices:
// https://docs.renovatebot.com/presets-config/#configbest-practices
":configMigration",
"abandonments:recommended",
"security:minimumReleaseAgeNpm",
":ignoreUnstable",
":disableRateLimiting",
":rebaseStalePrs",
":label(renovate)",
"group:allDigest"
":label(renovate)"
],
"semanticCommits": "disabled",
"packageRules": [
@ -29,11 +33,10 @@
"matchPackageNames": ["docker.io/pretix/standalone"],
"versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
},
// Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images.
{
"matchDatasources": ["docker"],
"matchPackageNames": ["git.hamburg.ccc.de/*"],
"pinDigests": false
"matchPackageNames": ["docker.io/pretalx/standalone"],
"versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
}
],
"customManagers": [


@ -1,8 +1,17 @@
collections:
# Install a collection from Ansible Galaxy.
- name: debops.debops
version: ">=3.1.0"
source: https://galaxy.ansible.com
- name: community.sops
version: ">=2.2.4"
source: https://galaxy.ansible.com
# debops.debops
- source: https://github.com/debops/debops
type: git
version: "v3.2.5"
# community.sops
- source: https://github.com/ansible-collections/community.sops
type: git
version: "2.2.7"
# community.docker
- source: https://github.com/ansible-collections/community.docker
type: git
version: "5.0.5"
# grafana.grafana
- source: https://github.com/grafana/grafana-ansible-collection
type: git
version: "6.0.6"
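
Review bot: all four `type: git` entries pin `version` to a tag (`"v3.2.5"`, `"2.2.7"`, `"5.0.5"`, `"6.0.6"`), and a git tag can be moved upstream, so the install is only as stable as those tags. Setting `version` to the full commit hash each tag points at, with the tag kept in the comment line above the entry, makes the dependency immutable and keeps it readable.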


@ -0,0 +1,27 @@
# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
[general]
protocol = "both"
domain = "auth.acmedns.hamburg.ccc.de"
nsname = "acmedns.hosts.hamburg.ccc.de"
nsadmin = "noc.lists.hamburg.ccc.de"
records = [
"auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
"auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
]
[database]
engine = "sqlite3"
connection = "/var/lib/acme-dns/acme-dns.db"
[api]
ip = "0.0.0.0"
port = "80"
tls = "none"
corsorigins = [
"*"
]
[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "text"
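
Review bot: in `[api]`, `corsorigins = ["*"]` allows cross-origin requests from any site, while the register page added in this compare calls `fetch("/register")` from the same origin, so the wildcard does not appear to be needed and can be narrowed to the service's own origin. In `[logconfig]`, `loglevel = "debug"` looks like a leftover from bring-up and is worth lowering before this runs in production. `ip = "0.0.0.0"` together with `tls = "none"` is acceptable only as long as the API port is reachable solely through the TLS-terminating nginx in front of it.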


@ -0,0 +1,22 @@
---
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
- "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
restart: unless-stopped
ports:
- 4180:4180
acmedns:
image: docker.io/joohoi/acme-dns:latest
ports:
- "[::]:53:53"
- "[::]:53:53/udp"
- 8080:80
volumes:
- ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
- ./data/acmedns:/var/lib/acme-dns
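
Review bot: `- 8080:80` on `acmedns` and `- 4180:4180` on `oauth2-proxy` publish both services on every host address, but the nginx vhost in this compare only reaches them through `127.0.0.1:8080` and `127.0.0.1:4180`. A request sent straight to port 8080 reaches `/register` without passing `auth_request`, so publish them as `127.0.0.1:8080:80` and `127.0.0.1:4180:4180` unless the nftables ruleset is meant to be the only guard. In the same block, `image: docker.io/joohoi/acme-dns:latest` is unpinned while oauth2-proxy is fixed at `v7.14.2`, and `acmedns` has no `restart:` policy.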


@ -0,0 +1,74 @@
<html>
<head>
<title>ACME DNS Register</title>
<style>
table, tr, th, td {
border-collapse: collapse;
}
caption {
caption-side: bottom;
padding: 2px 4px;
}
th, td {
border: 1px solid black;
padding: 2px 4px;
}
th {
text-align: left;
}
td {
font-family: "Courier", monospace;
}
</style>
</head>
<body>
<h1>Register an Entry in ACME DNS</h1>
<p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
<p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
<p><button id="register">Register a new entry</button></p>
<table id="results" style="display: none">
<tr>
<th>Full Domain</th><td id="fulldomain">undefined</td>
</tr>
<tr>
<th>Subdomain</th><td id="subdomain">undefined</td>
</tr>
<tr>
<th>X-Api-User</th><td id="username">undefined</td>
</tr>
<tr>
<th>X-Api-Key</th><td id="password">undefined</td>
</tr>
<caption><b>Important!</b> This information will only be shown once. Please
copy or otherwise save it immediately.</caption>
</table>
<p><b>Note: there is no way to delete registrations.</b> Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.</p>
<script>
document.getElementById("register").addEventListener("click", (event) => {
const register = async () => {
const response = await fetch("/register", {
method: "POST"
});
if (!response.ok) {
console.log(response);
alert("Unable to register a new entry.");
return;
}
const registration = await response.json()
for (const key in registration) {
const e = document.getElementById(key);
if (e !== null) {
e.innerText = registration[key];
}
}
document.getElementById("results").style.display = "block";
}
register();
});
</script>
</body>
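
Review bot: the click handler on `#register` never disables the button while `fetch("/register", ...)` is in flight, so a double click creates two registrations, which the page itself says cannot be deleted, and the second response overwrites the first set of credentials on screen. Set `disabled` on the button before the request and keep it disabled after a successful response. Smaller points in the markup: `<caption>` should be the first child of `<table>` rather than follow the rows, and `style.display = "block"` on a table element should be `"table"` so the layout stays a table.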


@ -0,0 +1,13 @@
reverse_proxy = true
http_address="0.0.0.0:4180"
cookie_secret="{{ secret__oidc_cookie_secret }}"
email_domains="*"
# dex provider
oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
provider="oidc"
provider_display_name="CCCHH ID"
client_id="acmedns"
client_secret="{{ secret__oidc_client_secret }}"
redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"
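
Review bot: `email_domains="*"` with no group or role restriction means every account that can log in at the `https://id.hamburg.ccc.de/realms/ccchh` issuer may create ACME DNS registrations, which cannot be removed afterwards. If that is broader than intended, restrict access to a group, for example with oauth2-proxy's `allowed_groups` option. The `# dex provider` comment is also misleading next to `provider="oidc"` and `provider_display_name="CCCHH ID"` and should be reworded.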


@ -0,0 +1,87 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name acmedns.hamburg.ccc.de;
root /ansible_docker_compose/configs/html/;
ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
port_in_redirect off;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Auth-Request-Redirect $request_uri;
# or, if you are handling multiple domains:
# proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location = / {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
index index.html;
}
location = /register {
auth_request /oauth2/auth;
error_page 401 = @oauth2_signin;
proxy_pass http://127.0.0.1:8080/register;
}
location = /update { # no auth by proxy required
proxy_pass http://127.0.0.1:8080/update;
}
location = /health { # no auth by proxy required
proxy_pass http://127.0.0.1:8080/health;
}
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
}
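
Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` value the client sent, which contradicts the comment further down, "Assume we are the only Reverse Proxy". Send `$remote_addr` instead, as the `Forwarded` header line already does, so the backend never sees a client-supplied address. In `location = /register`, `error_page 401 = @oauth2_signin` answers the page's `fetch` POST with a 302 to the sign-in page, so an expired session does not arrive in the script as a status it checks for; returning the 401 unchanged for this one location would let the page handle it. The `listen [::]:8443 ssl http2 proxy_protocol;` line also uses the `http2` listen parameter where other vhosts in this compare use `http2 on;`.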


@ -3,7 +3,7 @@
services:
database:
image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71
image: docker.io/library/mariadb:11
environment:
- "MARIADB_DATABASE=wordpress"
- "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}"
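
Review bot: with the `@sha256:` suffix gone, `image: docker.io/library/mariadb:11` follows a floating major tag, so what gets deployed depends on when the host last pulled, and an upstream re-tag is picked up without any change in this repository. Where digests are dropped on purpose, pin at least a full version tag here, as other compose files in this compare do (for example `postgres:15.15`). The same applies to `wordpress:6-php8.1` in the next hunk.
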
@ -17,7 +17,7 @@ services:
restart: unless-stopped
app:
image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4
image: docker.io/library/wordpress:6-php8.1
environment:
- "WORDPRESS_DB_HOST=database"
- "WORDPRESS_DB_NAME=wordpress"


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
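
Review bot: `listen [::]:8443 ssl http2 proxy_protocol;` takes the place of the wildcard IPv4 listener, so this vhost is reachable over IPv6 only once merged, and `set_real_ip_from` now trusts only `2a00:14b0:4200:3000:125::1`. Confirm that the reverse proxy reaches this backend over IPv6 before rollout, because a connection still made to the old 172.31.17.x address will be refused on 8443. The proxy address is repeated literally in every vhost touched in this compare; a shared include or variable would turn the next renumbering into a one-line change.
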
@ -43,12 +43,12 @@ server {
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -7,7 +7,7 @@ route:
group_by: [ "alertname", "site", "type", "hypervisor" ]
group_wait: 30s
group_interval: 5m
repeat_interval: 6h
repeat_interval: 26h
routes:
- receiver: "null"
matchers:
@ -16,49 +16,38 @@ route:
matchers:
- org = "ccchh"
- severity = "critical",
repeat_interval: 18h
repeat_interval: 26h
continue: true
- receiver: ntfy-ccchh
matchers:
- org = "ccchh"
- severity =~ "info|warning",
repeat_interval: 36h
repeat_interval: 52h
continue: true
- receiver: ntfy-fux-critical
matchers:
- org = "fux"
- severity = "critical",
repeat_interval: 18h
repeat_interval: 26h
continue: true
- receiver: email-fux-critical
matchers:
- org = "fux"
- severity = "critical",
repeat_interval: 36h
repeat_interval: 52h
continue: true
- receiver: ntfy-fux
matchers:
- org = "fux"
- severity =~ "info|warning",
repeat_interval: 36h
repeat_interval: 52h
continue: true
- receiver: ccchh-infrastructure-alerts
matchers:
- org = "ccchh"
- severity =~ "info|warning|critical"
templates:
- "/etc/alertmanager/templates/*.tmpl"
receivers:
- name: "null"
- name: "ccchh-infrastructure-alerts"
telegram_configs:
- send_resolved: true
bot_token: {{ secret__alertmanager_telegram_bot_token }}
chat_id: -1002434372415
parse_mode: HTML
message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }}
- name: "ntfy-ccchh-critical"
webhook_configs:
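
Review bot: the `severity = "critical"` routes go from `repeat_interval: 18h` to `26h` (and the others from `36h` to `52h`), so an unresolved critical alert is repeated roughly once a day at most; add a short comment in the file giving the reason for the 26h/52h values. The hunk also shrinks from 49 to 38 lines, consistent with the `ccchh-infrastructure-alerts` route and its `telegram_configs` receiver being dropped, so check that nothing else still depends on the `alert-message.telegram.ccchh` template.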


@ -2,12 +2,13 @@
services:
prometheus:
image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7
image: docker.io/prom/prometheus:v3.9.1
container_name: prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--web.enable-remote-write-receiver'
- '--enable-feature=promql-experimental-functions'
- '--storage.tsdb.retention.time=28d'
ports:
- 9090:9090
restart: unless-stopped
@ -18,7 +19,7 @@ services:
- prom_data:/prometheus
alertmanager:
image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba
image: docker.io/prom/alertmanager:v0.30.1
container_name: alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yaml'
@ -31,7 +32,7 @@ services:
- alertmanager_data:/alertmanager
grafana:
image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b
image: docker.io/grafana/grafana:12.3.1
container_name: grafana
ports:
- 3000:3000
@ -45,7 +46,7 @@ services:
- graf_data:/var/lib/grafana
pve-exporter:
image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df
image: docker.io/prompve/prometheus-pve-exporter:3.8.0
container_name: pve-exporter
ports:
- 9221:9221
@ -58,7 +59,7 @@ services:
- /dev/null:/etc/prometheus/pve.yml
loki:
image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8
image: docker.io/grafana/loki:3.6.4
container_name: loki
ports:
- 13100:3100
@ -69,7 +70,7 @@ services:
- loki_data:/var/loki
ntfy-alertmanager-ccchh-critical:
image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
image: docker.io/xenrox/ntfy-alertmanager:0.5.0
container_name: ntfy-alertmanager-ccchh-critical
volumes:
- ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config
@ -78,7 +79,7 @@ services:
restart: unless-stopped
ntfy-alertmanager-fux-critical:
image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
image: docker.io/xenrox/ntfy-alertmanager:0.5.0
container_name: ntfy-alertmanager-fux-critical
volumes:
- ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config
@ -87,7 +88,7 @@ services:
restart: unless-stopped
ntfy-alertmanager-ccchh:
image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
image: docker.io/xenrox/ntfy-alertmanager:0.5.0
container_name: ntfy-alertmanager-ccchh
volumes:
- ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config
@ -96,7 +97,7 @@ services:
restart: unless-stopped
ntfy-alertmanager-fux:
image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
image: docker.io/xenrox/ntfy-alertmanager:0.5.0
container_name: ntfy-alertmanager-fux
volumes:
- ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config


@ -82,41 +82,6 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
org: ccchh
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
org: ccchh
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100
storage:
tsdb:
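
Review bot: removing the whole `job_name: hosts` block stops node-exporter scraping for every listed target at once, so merge this only after each of those hosts is confirmed to be delivering metrics through Alloy; a host that is missing from `alloy_hosts` goes dark without any error, and any alert rule that selects this job stops matching. For the record, the removed list contained `onlyoffice-intern.hamburg.ccc.de:9100` twice.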


@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol;
listen [::]:8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -17,7 +17,6 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:50051 ssl;
listen 172.31.17.145:50051 ssl;
http2 on;
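
Review bot: with `listen 172.31.17.145:50051 ssl;` gone, `listen [::]:50051 ssl;` is the only listener for `loki.hamburg.ccc.de` on this port, so any log shipper that still connects over IPv4 loses its endpoint. Check that every sender has working IPv6 towards this host before merging; the same applies to the `:443` listener in the next hunk.
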
@ -59,7 +58,6 @@ server {
server_name loki.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;


@ -9,7 +9,6 @@ server {
allow 2a00:14b0:4200:3380::/64;
allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
# Z9
allow 2a07:c480:0:100::/56;
allow 2a07:c481:1::/48;
# fuxnoc
allow 2a07:c481:0:1::/64;
@ -18,7 +17,6 @@ server {
server_name metrics.hamburg.ccc.de;
listen [::]:443 ssl;
listen 172.31.17.145:443 ssl;
http2 on;
client_body_buffer_size 512k;


@ -46,7 +46,7 @@ services:
- "8080:8080"
db:
image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb
image: docker.io/library/postgres:15.15
restart: unless-stopped
networks:
- keycloak


@ -3,12 +3,12 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -3,12 +3,12 @@
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -7,12 +7,12 @@ server {
##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol.
listen 8444 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
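
Review bot: this is the only vhost in the series whose port changes as well, from `listen 8444` to `listen [::]:8443`, which puts it on the same port as the other Keycloak vhosts, so it is now separated from them by `server_name` alone. The matching change of `keycloak-admin.hamburg.ccc.de` to `:8443` in the reverse proxy's stream map has to be deployed together with this one. The commented-out `##listen [::]:443 ssl http2;` line above can be removed while this block is being touched.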


@ -1,7 +1,7 @@
services:
mailman-core:
restart: unless-stopped
image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published)
image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published)
container_name: mailman-core
hostname: mailman-core
volumes:
@ -25,7 +25,7 @@ services:
mailman-web:
restart: unless-stopped
image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published)
image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published)
container_name: mailman-web
hostname: mailman-web
depends_on:
@ -56,7 +56,7 @@ services:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a
image: docker.io/library/postgres:12-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
networks:
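
Review bot: the unchanged `- POSTGRES_PASSWORD=` line in this hunk keeps a database password in plain text in the repository, while other compose files in this compare read theirs from `{{ secret__... }}` variables. Since this service block is being edited anyway, move the value into the encrypted secrets and rotate it, because the current one stays in the git history.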


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -1,7 +1,7 @@
---
services:
ntfy:
image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef
image: docker.io/binwiederhier/ntfy:v2.15.0
container_name: ntfy
command:
- serve


@ -2,13 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl proxy_protocol;
listen [::]:8443 ssl proxy_protocol;
http2 on;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -4,7 +4,7 @@
services:
onlyoffice:
image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d
image: docker.io/onlyoffice/documentserver:9.2.1
restart: unless-stopped
volumes:
- "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"


@ -2,12 +2,13 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -3,7 +3,7 @@
services:
database:
image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
image: docker.io/library/postgres:15-alpine
environment:
- "POSTGRES_USER=hedgedoc"
- "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}"
@ -13,7 +13,7 @@ services:
restart: unless-stopped
app:
image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73
image: quay.io/hedgedoc/hedgedoc:1.10.5
environment:
- "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
- "CMD_DOMAIN=pad.hamburg.ccc.de"


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -3,7 +3,7 @@
services:
database:
image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
image: docker.io/library/postgres:15-alpine
environment:
- "POSTGRES_USER=pretalx"
- "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
@ -15,7 +15,7 @@ services:
- pretalx_net
redis:
image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
image: docker.io/library/redis:8.4.0
restart: unless-stopped
volumes:
- redis:/data
@ -23,7 +23,7 @@ services:
- pretalx_net
static:
image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f
image: docker.io/library/nginx:1.29.4
restart: unless-stopped
volumes:
- public:/usr/share/nginx/html
@ -33,7 +33,7 @@ services:
- pretalx_net
pretalx:
image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
image: docker.io/pretalx/standalone:v2025.1.0
entrypoint: gunicorn
command:
- "pretalx.wsgi"
@ -78,7 +78,7 @@ services:
- pretalx_net
celery:
image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
image: docker.io/pretalx/standalone:v2025.1.0
command:
- taskworker
restart: unless-stopped


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;


@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host {
c3cat.de 172.31.17.151:31820;
www.c3cat.de 172.31.17.151:31820;
staging.c3cat.de 172.31.17.151:31820;
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de 172.31.17.143:31820;
ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
element.hamburg.ccc.de 172.31.17.151:31820;
git.hamburg.ccc.de 172.31.17.154:31820;
grafana.hamburg.ccc.de 172.31.17.145:31820;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
hackertours.hamburg.ccc.de 172.31.17.151:31820;
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
hamburg.ccc.de 172.31.17.151:31820;
id.hamburg.ccc.de 172.31.17.144:31820;
invite.hamburg.ccc.de 172.31.17.144:31820;
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
matrix.hamburg.ccc.de 172.31.17.150:31820;
mas.hamburg.ccc.de 172.31.17.150:31820;
element-admin.hamburg.ccc.de 172.31.17.151:31820;
netbox.hamburg.ccc.de 172.31.17.167:31820;
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
pad.hamburg.ccc.de 172.31.17.141:31820;
pretalx.hamburg.ccc.de 172.31.17.157:31820;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
staging.hamburg.ccc.de 172.31.17.151:31820;
wiki.ccchh.net 172.31.17.146:31820;
wiki.hamburg.ccc.de 172.31.17.146:31820;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
www.hamburg.ccc.de 172.31.17.151:31820;
tickets.hamburg.ccc.de 172.31.17.148:31820;
sunders.hamburg.ccc.de 172.31.17.170:31820;
zammad.hamburg.ccc.de 172.31.17.152:31820;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
eh03.easterhegg.eu 172.31.17.151:31820;
eh05.easterhegg.eu 172.31.17.151:31820;
eh07.easterhegg.eu 172.31.17.151:31820;
@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
eh11.easterhegg.eu 172.31.17.151:31820;
eh20.easterhegg.eu 172.31.17.151:31820;
www.eh20.easterhegg.eu 172.31.17.151:31820;
eh22.easterhegg.eu 172.31.17.165:31820;
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
eh2003.hamburg.ccc.de 172.31.17.151:31820;
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@ -73,11 +73,16 @@ map $host $upstream_acme_challenge_host {
design.hamburg.ccc.de 172.31.17.162:31820;
hydra.hamburg.ccc.de 172.31.17.163:31820;
cfp.eh22.easterhegg.eu 172.31.17.157:31820;
ntfy.hamburg.ccc.de 172.31.17.149:31820;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
cryptoparty-hamburg.de 172.31.17.151:31820;
cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
staging.cryptoparty-hamburg.de 172.31.17.151:31820;
staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
cpu.ccc.de 172.31.17.151:31820;
lokal.ccc.de 172.31.17.151:31820;
local.ccc.de 172.31.17.151:31820;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
default "";
}


@ -18,21 +18,21 @@ stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
id.hamburg.ccc.de 172.31.17.144:8443;
invite.hamburg.ccc.de 172.31.17.144:8443;
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
grafana.hamburg.ccc.de 172.31.17.145:8443;
wiki.ccchh.net 172.31.17.146:8443;
wiki.hamburg.ccc.de 172.31.17.146:8443;
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
hackertours.hamburg.ccc.de 172.31.17.151:8443;
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
netbox.hamburg.ccc.de 172.31.17.167:8443;
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
matrix.hamburg.ccc.de 172.31.17.150:8443;
mas.hamburg.ccc.de 172.31.17.150:8443;
element-admin.hamburg.ccc.de 172.31.17.151:8443;
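
Review bot: the upstreams in `map $ssl_preread_server_name $address` switch from literal addresses to `*.hosts.hamburg.ccc.de` names, so routing for these services now depends on lookups through `resolver 212.12.50.158 192.76.134.90;` at connection time. If those names fail to resolve from this host, or resolve to addresses the proxy cannot reach, all converted sites go down together, so it is worth verifying resolution from the proxy itself before merging. The map now mixes names and `172.31.17.x` literals; a comment stating which hosts are still to be migrated would make the intermediate state clear.
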
@ -42,9 +42,9 @@ stream {
hamburg.ccc.de 172.31.17.151:8443;
staging.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.hamburg.ccc.de 172.31.17.151:8443;
tickets.hamburg.ccc.de 172.31.17.148:8443;
sunders.hamburg.ccc.de 172.31.17.170:8443;
zammad.hamburg.ccc.de 172.31.17.152:8443;
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
c3cat.de 172.31.17.151:8443;
www.c3cat.de 172.31.17.151:8443;
staging.c3cat.de 172.31.17.151:8443;
@ -56,7 +56,7 @@ stream {
eh11.easterhegg.eu 172.31.17.151:8443;
eh20.easterhegg.eu 172.31.17.151:8443;
www.eh20.easterhegg.eu 172.31.17.151:8443;
eh22.easterhegg.eu 172.31.17.165:8443;
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
eh2003.hamburg.ccc.de 172.31.17.151:8443;
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@ -90,12 +90,17 @@ stream {
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
design.hamburg.ccc.de 172.31.17.162:8443;
hydra.hamburg.ccc.de 172.31.17.163:8443;
cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de 172.31.17.149:8443;
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
cryptoparty-hamburg.de 172.31.17.151:8443;
cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
staging.cryptoparty-hamburg.de 172.31.17.151:8443;
staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
cpu.ccc.de 172.31.17.151:8443;
lokal.ccc.de 172.31.17.151:8443;
local.ccc.de 172.31.17.151:8443;
acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
}
server {
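Review bot: the new entries cpu.ccc.de, lokal.ccc.de and local.ccc.de are added with the literal 172.31.17.151:8443 while the rest of this hunk moves targets to *.hosts.hamburg.ccc.de names. Use a hosts name for these as well so the map ends up with one addressing scheme, or add a comment saying why this backend stays on its IPv4 address.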

View file

@ -0,0 +1,95 @@
#!/usr/sbin/nft -f
## Variables
# Interfaces
define if_net1_v4_wan = "net1"
define if_net2_v6_wan = "net2"
define if_net0_2_v4_nat = "net0.2"
define if_net0_3_ci_runner = "net0.3"
# Interface Groups
define wan_ifs = { $if_net1_v4_wan,
$if_net2_v6_wan }
define lan_ifs = { $if_net0_2_v4_nat,
$if_net0_3_ci_runner }
# define v4_exposed_ifs = { }
define v6_exposed_ifs = { $if_net0_2_v4_nat }
## Rules
table inet reverse-path-forwarding {
chain rpf-filter {
type filter hook prerouting priority mangle + 10; policy drop;
# Only allow packets if their source address is routed via their incoming interface.
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
fib saddr . mark . iif oif exists accept
}
}
table inet host {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "allow loopback"
ct state invalid drop
ct state established,related accept
ip protocol icmp accept
# ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
# Allow DHCP server access.
iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
}
}
table ip v4nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname $if_net1_v4_wan masquerade
}
}
table inet forward {
chain forward {
type filter hook forward priority filter; policy drop;
ct state invalid drop
ct state established,related accept
# Allow internet access.
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
# Allow access to exposed networks from internet.
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
}
}
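Review bot: in the forward chain, `meta nfproto ipv6 oifname $v6_exposed_ifs accept` has no iifname, port or state restriction, and v6_exposed_ifs is net0.2, so every IPv6 packet routed towards that network is accepted, from the WAN and also from the ci-runner VLAN net0.3. If the intent is only to make net0.2 hosts reachable from the internet, add `iifname $if_net2_v6_wan` to the rule, and state in a comment that hosts on net0.2 are expected to filter for themselves. The name if_net0_2_v4_nat is also misleading for an interface that is fully exposed over IPv6.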

View file

@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:54:11:15
Type=ether
[Link]
Name=net0

View file

@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:9A:FB:34
Type=ether
[Link]
Name=net1

View file

@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:AE:C7:04
Type=ether
[Link]
Name=net2

View file

@ -0,0 +1,7 @@
[NetDev]
Name=net0.2
Kind=vlan
[VLAN]
Id=2

View file

@ -0,0 +1,7 @@
[NetDev]
Name=net0.3
Kind=vlan
[VLAN]
Id=3

View file

@ -0,0 +1,12 @@
[Match]
Name=net0
[Link]
RequiredForOnline=no
[Network]
VLAN=net0.2
VLAN=net0.3
LinkLocalAddressing=no

View file

@ -0,0 +1,12 @@
[Match]
Name=net1
[Network]
DNS=212.12.50.158
IPv6AcceptRA=no
[Address]
Address=212.12.48.123/24
[Route]
Gateway=212.12.48.55

View file

@ -0,0 +1,12 @@
[Match]
Name=net2
[Network]
#DNS=212.12.50.158
IPv6AcceptRA=no
[Address]
Address=2a00:14b0:4200:3500::130:2/112
[Route]
Gateway=2a00:14b0:4200:3500::130:1

View file

@ -0,0 +1,29 @@
[Match]
Name=net0.2
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=v4-NAT
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address]
Address=10.32.2.1/24
[IPv6SendRA]
UplinkInterface=net2
[IPv6Prefix]
Prefix=2a00:14b0:42:102::/64
Assign=true
Token=static:::1

View file

@ -0,0 +1,29 @@
[Match]
Name=net0.3
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=ci-runners
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=150
[Address]
Address=10.32.3.1/24
[IPv6SendRA]
UplinkInterface=net2
[IPv6Prefix]
Prefix=2a00:14b0:42:103::/64
Assign=true
Token=static:::1

View file

@ -0,0 +1,3 @@
[Network]
IPv4Forwarding=true
IPv6Forwarding=true

View file

@ -0,0 +1,39 @@
---
services:
frontend:
#build: ./frontend
networks:
spaceapi-network:
ipv4_address: 172.16.238.10
image: gidsi/spaceapi-ccc-frontend:saved_from_old_host
restart: always
expose:
- "80"
depends_on:
- backend
backend:
#build: ./backend
networks:
- spaceapi-network
image: gidsi/spaceapi-ccc-backend:saved_from_old_host
restart: always
environment:
SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}"
DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}"
DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}"
depends_on:
- database
database:
image: mongo:saved_from_old_host
networks:
- spaceapi-network
restart: always
volumes:
- ./data/database:/data/db
networks:
spaceapi-network:
ipam:
driver: default
config:
- subnet: 172.16.238.0/24
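Review bot: all three services reference images tagged saved_from_old_host (gidsi/spaceapi-ccc-frontend, gidsi/spaceapi-ccc-backend, mongo). If those tags exist only in the local image store of the current host, a fresh deployment of this role cannot pull them. Document next to this file how the images are exported and loaded, or push them to a registry the host can reach and reference them by digest.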

View file

@ -0,0 +1,42 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name spaceapi.ccc.de;
ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/spaceapi.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://172.16.238.10/;
}
}
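Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends $remote_addr to whatever X-Forwarded-For the client sent, so the backend receives a client-controlled value at the front of the list. The comment further down says this server is assumed to be the only reverse proxy, so setting the header to $remote_addr alone matches that assumption and is consistent with the Forwarded header set below.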

View file

@ -3,7 +3,7 @@
services:
db:
image: mariadb:12.0.2
image: mariadb:12.1.2
command: --max_allowed_packet=3250585600
environment:
MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
@ -13,7 +13,7 @@ services:
volumes:
- mariadb:/var/lib/mysql
healthcheck:
test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-prootpassword"]
test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-uroot", "-p{{ secret__sunders_db_root_password }}"]
interval: 10s
timeout: 5s
start_period: 30s
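Review bot: the healthcheck now passes the root password as `-p{{ secret__sunders_db_root_password }}`, which places it in the container's healthcheck definition and in the argument list of every probe. `mariadb-admin ping` exits 0 whenever the server answers, including when the answer is access denied, so the credentials add nothing to this check. Dropping the -uroot and -p arguments keeps the probe equivalent without exposing the secret.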

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
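Review bot: `listen [::]:8443 ssl http2 proxy_protocol;` replaces the IPv4 listener instead of adding to it, and nginx binds [::] sockets IPv6-only by default, so this server stops accepting the PROXY protocol connection over IPv4. That is only safe once the reverse proxy reaches this host over IPv6, which the switch of set_real_ip_from to 2a00:14b0:4200:3000:125::1 implies. Deploy the stream map change together with this one, or keep the `listen 8443` line alongside during the migration. The same applies to the identical hunks in the server configs further down.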

View file

@ -1,7 +1,7 @@
---
services:
database:
image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
image: docker.io/library/postgres:15-alpine
environment:
- "POSTGRES_USER=pretix"
- "POSTGRES_PASSWORD={{ secret__pretix_db_password }}"
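Review bot: the image line loses its @sha256 digest and now reads docker.io/library/postgres:15-alpine, a floating tag that moves with every 15.x release and every alpine rebuild. The same un-pinning happens for redis and pretix/standalone in the two hunks below. Keep tag plus digest so that a deployment is reproducible and a re-pushed tag cannot change what runs, or at minimum pin postgres to a full version tag.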
@ -13,7 +13,7 @@ services:
restart: unless-stopped
redis:
image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514
image: docker.io/library/redis:7.4.7
ports:
- "6379:6379"
volumes:
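Review bot: next to the changed image line, the "6379:6379" port mapping publishes Redis on every host address, and no password or bind restriction is visible in this hunk. If only the pretix container in this compose file talks to Redis, remove the mapping and let it connect over the compose network; if something on the host needs the port, limit it to "127.0.0.1:6379:6379".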
@ -25,7 +25,7 @@ services:
backend:
pretix:
image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe
image: docker.io/pretix/standalone:2024.8
command: ["all"]
ports:
- "8345:80"

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -38,11 +38,7 @@ server {
location = / {
#return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
}
location = /hackertours/eh22/ {
return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
}
location / {

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
@ -21,6 +21,6 @@ server {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 302 https://wiki.hamburg.ccc.de$request_uri;
}

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

View file

@ -2,12 +2,12 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
listen [::]:8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
set_real_ip_from 2a00:14b0:4200:3000:125::1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;

View file

@ -0,0 +1,37 @@
# https://gatus.io/
# https://github.com/TwiN/gatus
# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
services:
database:
image: docker.io/library/postgres:18.1
volumes:
- ./database:/var/lib/postgresql
environment:
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
networks:
- gatus
gatus:
image: ghcr.io/twin/gatus:v5.34.0
restart: always
ports:
- "8080:8080"
environment:
- "GATUS_CONFIG_PATH=/config"
- "POSTGRES_DB=gatus"
- "POSTGRES_USER=gatus"
- "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
- "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
- "ACME_DNS_UPDATE_TEST_X_API_KEY={{ secret__gatus_acme_dns_update_test_x_api_key }}"
volumes:
- ./configs:/config
networks:
- gatus
depends_on:
- database
networks:
gatus:
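Review bot: the gatus service has `restart: always` but the database service has no restart policy, so after a host reboot or a postgres crash the status page comes back without its storage backend. Add the same restart policy to database. Separately, "8080:8080" publishes the UI on all host addresses; bind it to the loopback address if it is only meant to be reached through the local reverse proxy.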

View file

@ -0,0 +1,305 @@
# Easterhegg Websites and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
easterhegg-websites-defaults: &easterhegg_websites_defaults
group: Websites
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "12h"
send-on-resolved: true
easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
group: Websites (Redirects)
interval: 15m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: eh03.easterhegg.eu
url: "https://eh03.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: eh05.easterhegg.eu
url: "https://eh05.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: eh07.easterhegg.eu
url: "https://eh07.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh09.easterhegg.eu
url: "https://eh09.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh11.easterhegg.eu
url: "https://eh11.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh20.easterhegg.eu
url: "https://eh20.easterhegg.eu"
<<: *easterhegg_websites_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
# Websites (Redirects)
# eh03.easterhegg.eu
- name: eh2003.hamburg.ccc.de
url: "https://eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.eh2003.hamburg.ccc.de
url: "https://www.eh2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: easterhegg2003.hamburg.ccc.de
url: "https://easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
- name: www.easterhegg2003.hamburg.ccc.de
url: "https://www.easterhegg2003.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easter(h)egg 2003*)"
# eh05.easterhegg.eu
- name: eh2005.hamburg.ccc.de
url: "https://eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.eh2005.hamburg.ccc.de
url: "https://www.eh2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: easterhegg2005.hamburg.ccc.de
url: "https://easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
- name: www.easterhegg2005.hamburg.ccc.de
url: "https://www.easterhegg2005.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
# eh07.easterhegg.eu
- name: eh2007.hamburg.ccc.de
url: "https://eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh2007.hamburg.ccc.de
url: "https://www.eh2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: eh07.hamburg.ccc.de
url: "https://eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.eh07.hamburg.ccc.de
url: "https://www.eh07.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: easterhegg2007.hamburg.ccc.de
url: "https://easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
- name: www.easterhegg2007.hamburg.ccc.de
url: "https://www.easterhegg2007.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
# eh09.easterhegg.eu
- name: eh2009.hamburg.ccc.de
url: "https://eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh2009.hamburg.ccc.de
url: "https://www.eh2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: eh09.hamburg.ccc.de
url: "https://eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.eh09.hamburg.ccc.de
url: "https://www.eh09.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: easterhegg2009.hamburg.ccc.de
url: "https://easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
- name: www.easterhegg2009.hamburg.ccc.de
url: "https://www.easterhegg2009.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2009*)"
# eh11.easterhegg.eu
- name: eh2011.hamburg.ccc.de
url: "https://eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh2011.hamburg.ccc.de
url: "https://www.eh2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: eh11.hamburg.ccc.de
url: "https://eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.eh11.hamburg.ccc.de
url: "https://www.eh11.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: easterhegg2011.hamburg.ccc.de
url: "https://easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
- name: www.easterhegg2011.hamburg.ccc.de
url: "https://www.easterhegg2011.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*Easterhegg 2011*)"
# eh20.easterhegg.eu
- name: www.eh20.easterhegg.eu
url: "https://www.eh20.easterhegg.eu"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
- name: eh20.hamburg.ccc.de
url: "https://eh20.hamburg.ccc.de"
<<: *easterhegg_websites_redirects_defaults
conditions:
- "[status] == 200"
- "[certificate_expiration] > 48h"
- "[BODY] == pat(*EH20 - Back to root*)"
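Review bot: from the eh09.easterhegg.eu endpoint onward the conditions use `[status]` and `[certificate_expiration]` in lower case, while the earlier endpoints and the other config files in this change use `[STATUS]` and `[CERTIFICATE_EXPIRATION]`. Use the upper-case form throughout so the file matches the placeholder names as Gatus documents them and a later search and replace catches every entry. The header comment already notes that this list could be generated from the public-web-static config, which would remove the inconsistency at the source.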

View file

@ -0,0 +1,38 @@
storage:
type: postgres
path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
ui:
title: CCCHH Status
description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
header: CCCHH Status
buttons:
- name: Website
link: "https://hamburg.ccc.de"
- name: Git
link: "https://git.hamburg.ccc.de"
- name: Kontakt & Impressum
link: "https://hamburg.ccc.de/imprint/"
default-sort-by: group
alerting:
# matrix:
# server-url: "https://matrix.nekover.se"
# access-token: "${MATRIX_ACCESS_TOKEN}"
# internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
custom:
url: "https://matrix.nekover.se/_matrix/client/v3/rooms/%21jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ/send/m.room.message"
method: "POST"
body: |
{
"msgtype": "m.text",
"body": "[ALERT_TRIGGERED_OR_RESOLVED]: [ENDPOINT_GROUP] - [ENDPOINT_NAME] - [ALERT_DESCRIPTION] - [RESULT_ERRORS]"
}
headers:
Authorization: "Bearer ${MATRIX_ACCESS_TOKEN}"
# A bit more than the default 5 concurrent checks should be fine.
concurrency: 15
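Review bot: storage.path builds a connection URL from `${POSTGRES_USER}:${POSTGRES_PASSWORD}@database`, so a generated password containing characters such as @, / or : changes how the URL is parsed and the connection fails. Either constrain the secret to URL-safe characters where it is generated, or percent-encode it before it is exported as POSTGRES_PASSWORD for the gatus container.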

View file

@ -0,0 +1,311 @@
# Services (Chaosknoten)
services-chaosknoten-defaults: &services_chaosknoten_defaults
group: Services (Chaosknoten)
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: ACME DNS (main page/login)
url: "https://acmedns.hamburg.ccc.de"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*OAuth2 Proxy*)"
- name: ACME DNS (health endpoint)
url: "https://acmedns.hamburg.ccc.de/health"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- name: ACME DNS (update endpoint)
url: "https://acmedns.hamburg.ccc.de/update"
<<: *services_chaosknoten_defaults
method: POST
# acme-dns validates that the value for the txt is 43 characters long.
# https://github.com/joohoi/acme-dns/blob/b7a0a8a7bcef39f6158dd596fe716594a170d362/validation.go#L34-L41
body: |
{
"subdomain": "c621ef99-3da9-4ef6-a152-3a82b9b720f8",
"txt": "________________gatus_test_________________"
}
headers:
X-Api-User: "b897048a-1526-42aa-bc24-e4dfd654b722"
X-Api-Key: "${ACME_DNS_UPDATE_TEST_X_API_KEY}"
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].txt == ________________gatus_test_________________"
- name: ACME DNS (DNS)
url: "acmedns.hosts.hamburg.ccc.de"
<<: *services_chaosknoten_defaults
dns:
query-name: "c621ef99-3da9-4ef6-a152-3a82b9b720f8.auth.acmedns.hamburg.ccc.de"
query-type: "TXT"
conditions:
- "[DNS_RCODE] == NOERROR"
# error: query type is not supported yet
# apparently TXT records aren't supported yet.
# - "[BODY] == ________________gatus_test_________________"
- name: CCCHH ID/Keycloak (main page/account console)
url: "https://id.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
- name: CCCHH ID/Keycloak (ccchh realm)
url: "https://id.hamburg.ccc.de/realms/ccchh/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].realm == ccchh"
- name: ccchoir
url: "https://ccchoir.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
- name: Cloud (status info)
url: "https://cloud.hamburg.ccc.de/status.php"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].installed == true"
- "[BODY].maintenance == false"
- name: Cloud (main page/login)
url: "https://cloud.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: cow (main page/login)
url: "https://cow.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*mailcow UI*)"
- name: cow (SMTP port 25)
url: "tcp://cow.hamburg.ccc.de:25"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (SMTP with STARTTLS port 587)
url: "starttls://cow.hamburg.ccc.de:587"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAP port 143)
url: "tcp://cow.hamburg.ccc.de:143"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: cow (IMAPS port 465)
url: "tls://cow.hamburg.ccc.de:465"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Design/penpot
url: "https://design.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
- name: EH22 Website/Wiki
url: "https://eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- name: Git
url: "https://git.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Git*)"
- name: GitLab
url: "https://gitlab.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
- name: Grafana
url: "https://grafana.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sign in to CCCHH*)"
- name: Jitsi
url: "https://jitsi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Jitsi Meet*)"
- name: Lists
url: "https://lists.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Mailing Lists*)"
- name: Matrix
url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "has([BODY].versions) == true"
- "has([BODY].unstable_features) == true"
- name: Mumble (tcp)
url: "tcp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: Mumble (udp)
url: "udp://mumble.hamburg.ccc.de:64738"
<<: *services_chaosknoten_defaults
conditions:
- "[CONNECTED] == true"
- name: NetBox
url: "https://NetBox.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*NetBox*)"
- name: ntfy
url: "https://ntfy.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ntfy web requires JavaScript*)"
- name: OnlyOffice
url: "https://onlyoffice.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
- name: Pad
url: "https://pad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
- name: Pretalx (main page)
url: "https://pretalx.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretalx*)"
- name: Pretalx (EH22/Easterhegg 2025)
url: "https://cfp.eh22.easterhegg.eu/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Easterhegg 2025*)"
- "[BODY] == pat(*pretalx*)"
- name: SpaceAPI
url: "https://spaceapi.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY].space == CCCHH"
- name: Surveillance under Surveillance
url: "https://sunders.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Surveillance under Surveillance*)"
- name: Tickets/pretix
url: "https://tickets.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*pretix*)"
- name: Wiki
url: "https://wiki.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*CCCHH Wiki*)"
- name: Woodpecker
url: "https://woodpecker.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Woodpecker*)"
- name: Zammad
url: "https://zammad.hamburg.ccc.de/"
<<: *services_chaosknoten_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*zammad*)"
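
Review bot: The NetBox endpoint's url is written as "https://NetBox.hamburg.ccc.de/" with a mixed-case hostname, unlike every other entry in this list. It resolves the same, but it reads like a search-and-replace slip and should be lowercased for consistency. Separately, single-word body patterns such as pat(*pretalx*), pat(*pretix*) and pat(*zammad*) also match a 200 maintenance or error page that merely mentions the product name; a more distinctive string, as the ntfy and OnlyOffice entries use, would make those checks more meaningful.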

View file

@ -0,0 +1,24 @@
# Sites
sites-defaults: &sites_defaults
group: Sites
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
endpoints:
- name: Chaosknoten/IRZ42
url: "icmp://chaosknoten.hamburg.ccc.de"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"
- name: Z9
url: "icmp://185.161.129.129"
<<: *sites_defaults
conditions:
- "[CONNECTED] == true"
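
Review bot: The Z9 endpoint probes the literal address "icmp://185.161.129.129" while Chaosknoten/IRZ42 uses a hostname, and nothing in the file says what sits behind that address. Add a comment naming the device, or point the check at a DNS name, so that a renumbering does not silently turn this into a probe of someone else's host. The commented-out "# - type: matrix" line in sites-defaults would also benefit from a short note on why the custom alert replaces it.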

View file

@ -0,0 +1,209 @@
# Websites, Websites (Staging) and Websites (Redirects)
# (hosted on public-web-static)
# One could probably also generate this list from the public-web-static config.
websites-defaults: &websites_defaults
group: Websites
interval: 1m
alerts:
# - type: matrix
- type: custom
failure-threshold: 5
success-threshold: 2
minimum-reminder-interval: "6h"
send-on-resolved: true
websites-staging-defaults: &websites_staging_defaults
group: Websites (Staging)
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
websites-redirects-defaults: &websites_redirects_defaults
group: Websites (Redirects)
interval: 5m
alerts:
# - type: matrix
- type: custom
failure-threshold: 3
success-threshold: 1
minimum-reminder-interval: "24h"
send-on-resolved: true
endpoints:
# Websites
- name: branding-resources.hamburg.ccc.de
url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*file: ccchh-logo.png*)"
- name: c3cat.de
url: "https://c3cat.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cpu.ccc.de
url: "https://cpu.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: cryptoparty-hamburg.de
url: "https://cryptoparty-hamburg.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: element-admin.hamburg.ccc.de
url: "https://element-admin.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Loading Element Admin*)"
- name: element.hamburg.ccc.de
url: "https://element.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
- name: hacker.tours
url: "https://hacker.tours"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
- name: hackertours.hamburg.ccc.de
url: "https://hackertours.hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
# Once suites support alerting, we can also monitor the target as well.
- "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
- name: hamburg.ccc.de
url: "https://hamburg.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
- name: spaceapi.ccc.de
url: "https://spaceapi.ccc.de"
<<: *websites_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Kein Javascript, keine Kekse.*)"
# Websites (Staging)
- name: staging.c3cat.de
url: "https://staging.c3cat.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*c3cat.de Staging Environment*)"
- name: staging.cryptoparty-hamburg.de
url: "https://staging.cryptoparty-hamburg.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: staging.hacker.tours
url: "https://staging.hacker.tours"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hacker.tours Staging Environment*)"
- name: staging.hackertours.hamburg.ccc.de
url: "https://staging.hackertours.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
- name: staging.hamburg.ccc.de
url: "https://staging.hamburg.ccc.de"
<<: *websites_staging_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
# Website (Redirects)
- name: www.c3cat.de
url: "https://www.c3cat.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Cat Ears Operation Center*)"
- name: cryptoparty.hamburg.ccc.de
url: "https://cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
- name: local.ccc.de
url: "https://local.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: lokal.ccc.de
url: "https://lokal.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
- name: staging.cryptoparty.hamburg.ccc.de
url: "https://staging.cryptoparty.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
- name: www.hamburg.ccc.de
url: "https://www.hamburg.ccc.de"
<<: *websites_redirects_defaults
conditions:
- "[STATUS] == 200"
- "[CERTIFICATE_EXPIRATION] > 48h"
- "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
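
Review bot: The entries under "# Website (Redirects)" assert "[STATUS] == 200" and the body text of the redirect target (www.c3cat.de expects "Cat Ears Operation Center", for example), so they only pass when the client follows the redirect, and they would pass just as well if the alias started serving the content itself. If the intent is to monitor the redirect, disable redirect following for this group and assert the 3xx status and the redirect target instead; as written, the status and body conditions describe the final response rather than the redirecting host. The section comment also says "Website (Redirects)" while the group is named "Websites (Redirects)".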

View file

@ -0,0 +1,14 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name status.hamburg.ccc.de;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}
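
Review bot: In the "location /" block, "return 301 https://$host$request_uri;" builds the redirect target from the request's Host header, and because this server is the default_server it answers for any Host value, so it will redirect to whatever name the client supplied. Since server_name is fixed here, prefer "return 301 https://status.hamburg.ccc.de$request_uri;".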

View file

@ -0,0 +1,33 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name status.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy.
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:8080/;
}
}
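
Review bot: "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" appends to whatever X-Forwarded-For header the client sent, which contradicts the "Assume we are the only Reverse Proxy" comment a few lines below: the backend on 127.0.0.1:8080 sees client-controlled entries at the front of the list. Set the header to $remote_addr, as the X-Real-IP and Forwarded lines already do. This new file also uses the "listen 443 ssl http2" form that another file in this same diff migrates to "http2 on;", so the two should be brought in line.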

View file

@ -0,0 +1,12 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}
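
Review bot: This port-80 server block repeats the one added for status.hamburg.ccc.de earlier in this diff line for line, minus server_name. Consider shipping it once as a shared file or template so the ACME proxy port (31820) and the redirect rule cannot drift between hosts. A one-line comment naming what listens on 127.0.0.1:31820 would also help.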

View file

@ -1,14 +1,12 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location /.well-known/acme-challenge/ {
autoindex on;
root /webroot-for-acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}
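
Review bot: The "proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;" location has no comment saying which ACME client listens on that port or when, and if nothing is bound there outside renewals every request to the path gets a 502 from nginx. Document the listener next to the directive. This reads the webroot location with "autoindex on" as the removed side of the hunk, which the 14-to-12 line count suggests; on that reading "server_name _;" goes away as well, which is fine for a default_server but worth mentioning in the commit message.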

View file

@ -1,15 +1,16 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name light-werkstatt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
# replace with the IP address of your resolver
resolver 10.31.208.1;
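
Review bot: Reading the second line of each pair as the added one, the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths for light-werkstatt.ccchh.net move from the shared /etc/letsencrypt/live/light.ccchh.net/ lineage to /etc/letsencrypt/live/light-werkstatt.ccchh.net/, so nginx fails its config test on any host where that per-name certificate has not been issued before this file is deployed. Make sure the role obtains the certificate first, or state the required ordering. The context line "# replace with the IP address of your resolver" above "resolver 10.31.208.1;" is leftover generator text and could instead say which resolver this is.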
@ -25,15 +26,16 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name light.z9.ccchh.net ;
server_name light.z9.ccchh.net;
ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
location / {
return 307 https://light.ccchh.net$request_uri;
@ -41,8 +43,9 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name light.ccchh.net;
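
Review bot: "http2 on;" is only understood by nginx 1.25.1 and later, while the header comment at the top of this file still cites nginx 1.17.7; on a host with an older package the config test fails and the reload is refused. State the minimum nginx version the role supports, and refresh or drop the generator comment so it does not suggest the file still matches that generated output.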

View file

@ -1,7 +1,7 @@
services:
# https://github.com/richardg867/WaybackProxy
waybackproxy:
image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e
image: cttynul/waybackproxy:latest
environment:
DATE: 19990101
DATE_TOLERANCE: 730
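
Review bot: Dropping the "@sha256:" digest from the waybackproxy image line leaves only the mutable "latest" tag, so every pull can bring in different, unreviewed image content, and the image is published under cttynul/ rather than the richardg867 repository linked in the comment above it. Keep the digest pin and update it deliberately, or explain in the commit message why the pin had to go. This reads the first image line as the removed side, as in the other hunks of this diff.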

View file

@ -0,0 +1,44 @@
alloy_config_default: |
prometheus.remote_write "default" {
endpoint {
url = "https://metrics.hamburg.ccc.de/api/v1/write"
basic_auth {
username = "chaos"
password = "chaos_password"
}
}
}
prometheus.relabel "common" {
forward_to = [prometheus.remote_write.default.receiver]
rule {
target_label = "org"
replacement = "noorg"
}
rule {
target_label = "site"
replacement = "nosite"
}
rule {
source_labels = ["instance"]
target_label = "instance"
regex = "([^:]+)"
replacement = "${1}.hosts.test"
action = "replace"
}
}
logging {
level = "info"
}
prometheus.exporter.unix "local_system" {
enable_collectors = ["systemd"]
}
prometheus.scrape "scrape_metrics" {
targets = prometheus.exporter.unix.local_system.targets
forward_to = [prometheus.relabel.common.receiver]
}
alloy_config_additional: ""
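
Review bot: alloy_config_default hard-codes basic_auth with username "chaos" and password "chaos_password" against the real endpoint https://metrics.hamburg.ccc.de/api/v1/write, and the relabel rules default to "noorg", "nosite" and "${1}.hosts.test". If a host applies the role without overriding the variable, Alloy starts cleanly with placeholder values and the mistake only surfaces as rejected writes or mislabelled series. Take the password from a required, vaulted variable with no default, or add an assert that the placeholders have been replaced.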

View file

@ -0,0 +1,50 @@
# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
- name: ensure alloy user exists
ansible.builtin.user:
name: alloy
system: true
append: true
create_home: false
state: present
- name: ensure the `/etc/alloy/` config directory exists
ansible.builtin.file:
path: /etc/alloy
state: directory
mode: "0770"
owner: root
group: alloy
become: true
- name: synchronize the additional configuration files directory, if present
when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
block:
- name: ensure rsync is installed
ansible.builtin.apt:
name: rsync
become: true
- name: synchronize the additional configuration files directory, if present
ansible.posix.synchronize:
src: "{{ alloy__additional_configs_dir }}"
dest: /etc/alloy/additional
delete: true
recursive: true
use_ssh_args: true
rsync_opts:
- "--chown=root:alloy"
become: true
- name: delete the additional configuration files directory, if not present
when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
ansible.builtin.file:
path: /etc/alloy/additional
state: absent
become: true
- name: Setup Alloy
ansible.builtin.import_role:
name: grafana.grafana.alloy
vars:
alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}"
become: true
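
Review bot: The /etc/alloy directory is created with mode "0770" and group alloy, which lets members of that group (presumably the Alloy service account) create, replace and delete files in the service's own configuration directory; "0750" gives read and traverse access without write. The first task, "ensure alloy user exists", is also the only state-changing task without "become: true", so it depends on the play setting become globally. The variable names mix two schemes as well (alloy__additional_configs_dir versus alloy_config_default and alloy_config_additional).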

View file

@ -3,6 +3,7 @@
- name: ensure apt dependencies are installed
ansible.builtin.apt:
name:
- python3-pip
- virtualenv
- git
state: present

View file

@ -0,0 +1,34 @@
# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
- name: check if cloud-init config file exists
ansible.builtin.stat:
path: /etc/cloud/cloud.cfg
register: base_config__stat_cloud_cfg
- name: ensure the cloud-init ssh module is disabled
ansible.builtin.replace:
path: /etc/cloud/cloud.cfg
regexp: " - ssh$"
replace: " #- ssh"
become: true
when: base_config__stat_cloud_cfg.stat.exists
# Ensure a base set of admin tools is installed.
- name: ensure a base set of admin tools is installed
ansible.builtin.apt:
name:
- vim
- joe
- nano
- htop
- btop
- ripgrep
- fd-find
- tmux
- git
- curl
- rsync
- dnsutils
- usbutils
- kitty
- gpg
become: true
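
Review bot: The package list installs "kitty", the full terminal emulator, on every host; if the aim is working terminfo for admins who SSH in from kitty, the "kitty-terminfo" package covers that without the graphical dependencies. For the cloud-init edit, the regexp " - ssh$" depends on the exact indentation used in /etc/cloud/cloud.cfg, so a comment showing the line it is meant to match would make a later mismatch easier to spot.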

View file

@ -7,3 +7,4 @@ dependencies:
major_versions:
- 11
- 12
- 13

Some files were not shown because too many files have changed in this diff.