grafana: more alertmanager config

The Personal Access Token we use isn't compatible with the default
Matrix alerting provider, so use a custom alert.

.forgejo/workflows/lint.yaml

@@ -10,7 +10,7 @@ jobs:
     name: Ansible Lint
     runs-on: docker
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v6
       - name: Install pip
         run: |
           apt update
@@ -24,7 +24,7 @@ jobs:
       # work in our environmnet.
       # Rather manually setup python (pip) before instead.
       - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2
+        uses: https://github.com/ansible/ansible-lint@v26.1.1
         with:
           setup_python: "false"
           requirements_file: "requirements.yml"

.sops.yaml

@@ -33,15 +33,37 @@ keys:
         - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
         - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
         - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
+        - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+        - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+    external:
+      age: &host_external_age_keys
+        - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
 creation_rules:
-  # group vars
+  ## group vars
   - path_regex: inventories/chaosknoten/group_vars/all.*
     key_groups:
       - pgp:
           *admin_gpg_keys
         age:
           *host_chaosknoten_age_keys
-  # host vars
+  - path_regex: inventories/external/group_vars/all.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          *host_external_age_keys
+  - path_regex: inventories/z9/group_vars/all.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+  ## host vars
+  # chaosknoten hosts
+  - path_regex: inventories/chaosknoten/host_vars/acmedns.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_acmedns_ansible_pull_age_key
   - path_regex: inventories/chaosknoten/host_vars/cloud.*
     key_groups:
       - pgp:
@@ -150,6 +172,20 @@ creation_rules:
           *admin_gpg_keys
         age:
           - *host_public_reverse_proxy_ansible_pull_age_key
+  - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_spaceapiccc_ansible_pull_age_key
+  # external hosts
+  - path_regex: inventories/external/host_vars/status.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_status_ansible_pull_age_key
+  # z9 hosts
   - path_regex: inventories/z9/host_vars/dooris.*
     key_groups:
       - pgp:

docs/create-new-web-service-vm.md

@@ -0,0 +1,114 @@
+# How to create all necessary entries for new (web service) VM
+
+Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo.
+
+## IP, DNS, VM
+
+1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. 
+2. On `ns-intern`:
+   1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP.
+   2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone.
+   3. Commit and reload the zone.
+3. On Chaosknoten:
+   1. Create a new VM, for example by cloning the Debian template 9023.  
+      Give it the name `example`.
+   2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`.
+   3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP.
+   4. Make sure the VM is started at boot (options).
+   5. Adjust any other VM parameters as needed.
+   6. Boot the VM.
+4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
+    - Make sure to enter the VM ID.
+    - Add an Ethernet interface to the VM; we typically use `eth0` as a name.
+    - Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface.
+
+## Ansible Basics
+
+As the first step, we need to make the host known to Ansible.
+
+1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
+   1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
+   2. `creation_rules` needs an entry for the host, referencing the age key.
+   3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
+2. In `inventories/chaosknoten/hosts.yaml`:
+   1. Configure basic connection info:
+        ```yaml
+        example:
+            ansible_host: example.hosts.hamburg.ccc.de
+            ansible_user: chaos
+            ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+        ```
+        You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection.
+    2. Add the host to the desired roles.
+       1. As a minimum, you'll want the following roles:
+          - `base_config_hosts`
+          - `infrastructure_authorized_keys_hosts`
+          - `ansible_pull_hosts`
+       2. For a typical web service based on Docker Compose, you'll also want:
+          - `docker_compose_hosts`
+          - `nginx_hosts`
+          - `certbot_hosts`.
+ 3. In the directory `inventories/chaosknoten/host_var/`:
+    1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
+    2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
+       * Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
+
+## Service-specific config
+
+From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following.
+
+Make `inventories/chaosknoten/host_var/example.yaml` look like this:
+```yaml
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "example.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: example.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}"
+```
+
+This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info.
+
+## First Ansible run
+
+Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts:
+* `ssh chaos@example.hosts.hamburg.ccc.de`
+* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de`
+
+Then run Ansible for `public-reverse-proxy` to add the necessary entries:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
+```
+
+Finally run Ansible for the new host:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example
+```
+
+# Commit your changes
+
+Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host.
+
+And always `git pull` before you run Ansible so avoid reverting anything!
+
+# Monitoring
+
+## Gatus (`status.hamburg.ccc.de`)
+
+After you configured a new service or website, add it to our status and uptime monitoring.  
+Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents).
+
+After you've added some checks, the configuration can be deployed using:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status 
+```

docs/setting_up_secrets_using_sops_for_a_new_host.md

@@ -2,19 +2,30 @@
 
 Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
 
-1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
+1. Create a new age key for Ansible pull on the host.
-   It should probably hold all admin keys.  
+   ```
+   age-keygen
+   ```
+   Then add an entry to `keys.hosts.chaosknoten.age`
+2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
+   It should probably hold all admin keys plus the host entry.  
    You can use existing creation rules as a reference.
-2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
+3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
+4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
    The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.  
    This can be accomplished with a command similar to this:
    ```
    sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
    ```
-3. With the editor now open, add the secrets you want to store.
+5. With the editor now open, add the secrets you want to store.
    Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.  
    Also note that SOPS only encrypts the values, not the keys.  
    When now creating entries, try to adhere to the following variable naming convention:
+   - Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
    - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
    - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
-4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
+6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
+
+## GPG Keys
+
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.

inventories/chaosknoten/group_vars/all.sops.yaml

@@ -1,363 +1,384 @@
 msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
+metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
 sops:
   age:
     - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S0d6cnB5UGJEZlNKcEpD
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2k4SUxMUEtvODVGMnY2
-        NGQyYTNwS0E1TjZTbkdaNXlTVHFyendtT3g4Ck0xRkJhZHR2a1RJVDd3bUE5RTl6
+        U1gxeWRURmIwNUhYelNUZHVGQ05rRlI3TXljClREc0hCMjlPTFBEakVuOFFjTWVu
-        SVZrN0NIR2VKeTl6Qk9oTUd6VDdQYlEKLS0tIE82YXFoVkQ4bk1SRTU2YTZ0eVF4
+        dHNrbzVHT1d0UklRNW0zSHZCWWJpeW8KLS0tIG85S2h1aEhITUI2aVRwempOVHlr
-        akdQTFBoY1B1aVZHSGw4bXJPZTd0MHMKnchC61XZk3cPfe7QjijW5uBlDkf2Sjc3
+        aWFyRDdEZ2RnQjFNUmVZQnBzNGhhR1EKeYR9qIuh/f/o/qXkQV9KZcir9iPQ2IEs
-        /Spp+9cuf9jIJvFg+h3EY7CLAMVyAK59WnODM0HvQNhreXRg8CgK2g==
+        X6azikmig0stguQMUQB57+Sk10MlIDQGoY3C0YcmG3dtiUoo/vKTRw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1gdfhx5hy829uqkw4nwjwlpvl7zqvljguzsnjv0dpwz5q5u7dtf6s90wndt
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWW1ScXNWSEo3S1RpYitK
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqazJTaVhjdkk2cStHNllr
-        aEVsWklvS3Ryc2pqakpUc05mejIwWi9GaG1ZCk90UXdKVVZzdXBuTXowTURDekhM
+        VEhobDJIQ1NKajFNVmJ0NHFrRzJlMVVYL0M0CkVEbHFFbTZ3aU9sblNaTTR5T1hT
-        NlJEbU5teThWaCs3R1ltUHBRMWVncGMKLS0tIGszeDJ0ekJIK2FYUW9Xdjcyc0Rl
+        ZjM3TGZ0SVVkS1ZqMGZxQnh0eHhVaFkKLS0tIGs5RXFta3JJYmRZemNRQzBGbE9E
-        Rlp0RXNhc1N5UXdmMG1NMkNoYkZZNkEK96GpdskKEXHK/ZQFSN+Y//wygKmnxP2b
+        dlZqTStUVWNEWFk4RzNkSmM3dlRxU0EKR+IOa5r/mSl7jnmhEvbJqytWedRgdix6
-        ukFolURV7qlQVamWuDoUC/ToQtl3bU0jce/STQjGY67OwG5kecxEKw==
+        0x0JCJe/q1l90F4IYIwd5onF5jF9DydmVnNdCbgAHF+DYrdwjwt7Uw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age13nm6hfz66ce4wpn89fye05mag3l3h04etvz6wj7szm3vzrdlfupqhrp3fa
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzlXY0FvUEtIa3BVTjUv
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmpzTFZ0MWN4TE9Bdld0
-        MzI3cE8vbVd6WWF3Q2J5RlRISW5kOU1XZEJjClFsS3VlbXZHVDlWMWZMUGwzdTFC
+        eXJXTVhVbFpmbHpVbDg3KzJTQjVoU2M5Vmg4CkY5MlBwTEsvVDlBUGp4Yy9KSEtW
-        K0xpV3FjRGJmWThDbklNbFByLy9FTXcKLS0tIGpMYlM5S3dodTBhWDY0TjNkT0p4
+        M0thZncvcFhqcTluR0FRdHBlVERmWkkKLS0tIHlIZ1o3Zm5pcEJUOElKSDU3SEh5
-        WWpCdVN4cjIwMCtRZXJCR0kvWmV2TDQKeAE9hmGim0wdG7AC9Ypk1/zAOvpWEc9w
+        MzQzRENjNitaNUtIUDNNM0VxVVZsVjAK8BM7kqL6Pjg8riOTti8tAH13MgD2b3jR
-        B5j3MGmJiDV5vqZ6YDJ158fkB3s3XDIohaTP0XT5Y1zEDnn0ee62zA==
+        EPZEPzWM3vBNMQ71WYSTiljK+fdwQucQbTCZFKVHUyErCiI+7jYrXQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1jtusr294t8mzar2qy857v6s329ret9s353y4kuulxwnlyy4dvpjsvyl67m
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cXdneDFCNUxZR2VYVXpo
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkdERkJKQnUxaXhuRk5O
-        RzhwNFZnYnhzOXBrTmQ5NlNhUThsbjA4ZENnCjRWVXpzb1lZcjNQeUVoY0lkZTRj
+        cDlxOEZsM2djbk5laFVHWUNKaUNKSit0cDJ3Ck80eFYvajNId0NHdzRONktHZTBM
-        bVU1S2thNzg4T2UyaGFqdDlvLzRJVFEKLS0tIFBIMEIvaWtPU08vR1crSGxUSklx
+        WENsSFZWL3JLeHNpanNBSDB0M1pselUKLS0tIGZPUTRlSW1hNjNPVnVoSEhKK1dJ
-        Ujh3bDFVdktOOVdvbVNrRGEvM0ZiczgKDAvWbY515jRhcWEkZrNNmtBsSwchclVz
+        WFpiUW1QSXk4VktHNWVGemh5czZLdmsKaycC2cLTfboV5MT0W2+fWMg9JCAn4U7u
-        FvnQB3G8ZIxJliJCkOHrFokvRskCHt9KJNZogqPtGF9a5OWcKkWgNQ==
+        lMkTZausCp1hUlE68BXi8DuVivRif+gjVjVWsBabikQtzW8H//fFDw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1a27euccw8j23wec76ls8vmzp7mntfcn4v8tkyegmg8alzfhk3suqwm6vgv
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdkpuODFJZ2xPT3NOT3ZP
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWnlvR1BmUlRkcXhHbklZ
-        MmVuSkx1UmdwWVBEZzJQOUNodUpvUlJrSlNnCjJBT1AyNzZmNC9sZytNaGpEOUZT
+        d2pzRkxxZTVtOGl4YjdGOTQxbEFnRUVGdG1rCkFQMHE1VTdIR3FPeWdlSHRKRGtl
-        Tmx3VkdRVGNHOGJkZzgrZmFmRFFFY3cKLS0tIDZONHQ3SUh1bXM0LytmYUVZSmRZ
+        Tk9FeHNuQ1ZIRWRFN29EVWh1ZjE2RDAKLS0tIGQrWnJWcjUyZFkwQmdZazBTQmR5
-        VmEzUkRqdnUvc0s3SmRNcmpZRndvVUUKHRo25oFVNtzJlTqkQ03znzH+Ce8j2rgO
+        cWZ1N1NHVEVqMlc5MExyZThKYTdNc28KEaFjX16Bf0MZsmMTLytDnJFPICeu808r
-        Bt/HQ2tJC/0PL67zjCr4oyxWs2RfSuswM6pGh3TXmSkUawzzyMAPTA==
+        t53faoADnTdhYKhKQYB1Fgk7h3DBvxM36VDw6v3oC0f6B0yEx7a3hQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age133wy6sxhgx3kkwxecra6xf9ey2uhnvtjpgwawwfmpvz0jpd0s5dqe385u3
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd3dwQ290Q3JCclBPbS9X
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVGpwdUVSbVRiVkdBREVX
-        S1pnNVU5YlJjZkkzTEtuWWhlcmh6cEtMZmd3Cis2MW5henJ0dWZwNnpTcy9ia3Uz
+        ODl6bzlVNHRkTzk2UXMwNVp3K3A3V0hmdVRBCjlJenlmNDZEU2ZzMUpVYmpFdllR
-        QThPMlpBN0lkZVI3d1RqQ1pGeDkwTVkKLS0tIElGYWR6QXdkTS91cGRQVUZPZWVE
+        NlNxaU1YYzNZdEVzdzJLTEVMWlloZUEKLS0tIDl0VnAzZUF3QWF3WXpFTjEvY3RP
-        aXNhWGFQWncybG5ycTF3bGUxUEdRYlEKXMlP+iC1L+lCeFB9rnyDE6tKMNiqFAQQ
+        T2J0Kys3WmJRZU1jRk1kUnZud3B3MlEKhgLTCcfyxOBL8X6JPlcuy+CcOlx09VP7
-        lvQKLGvZVRMk7RNR/OWb2IsZNtK3yGAgqjGpb8UwZKjUwYwgBzkklQ==
+        AZhfb8lf5JXe/4WqAMOh6s7ZrTM5JFBr8U5GQFo+syIIJeixn5SRBw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0enhNVHF0eHZkTlB3bTZN
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2NFWkdaMVFTcUxOZWl3
-        ZWJaVDc5TUkrSHFFTnJ0UE9hTEg0Tkt0OVNFClFCNTlsTUJlQ1MySkdFa2o0WGRB
+        Z1hsK1ZvbFRjQ0swbVZlQkIvNW9LU2pZdVgwCkJHcUpTYjMyZy9qKzdIbzExcVRj
-        VWUzbkxFTkxQMVBqTXJtNEVCb2ZPYW8KLS0tIDR6ZXdoOWNwbjdNcmtxS2FBd1Zx
+        V0UrWG5yaUF1cTJnK2RDT0E3aXRkK0UKLS0tIGRqTzBsbHdBdGlMTWt2NzNOVDBp
-        dWVLVUlZWEh0UWRXTlhYV3ZTT01ZQXcKz/ughevubxHCk315eL6WV0JETo4tblck
+        U1NVMzBIL3ZBUUFHLytGQXk3M01UK00KZBW1DUeDpN5sstZ1LuqcpxsQcjdUJe5L
-        t2b4h0kcDpFO6aPCHBSX69QOLJpBCBnKI8ZBlxgTdTDLFlScG/8HRw==
+        5HS4O5h0D+/p8/aOW5NPoIf0A6f4/CLVm4o287GHsxkTXeH1sDr2Ng==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1sqs05anv4acculyap35e6vehdxw3g6ycwnvh6hsuv8u33re984zsnqfvqv
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MGlobGt4MG5YbXhYVWM5
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFVkbjFMY25pWHpPZEMy
-        SDlraHdnR0srZDF2T1FicVFGR3IvNzBhMkVFCm9Nc1JnZ2toOGUzbDZ6cTRTajc3
+        Z0xsOW5NZ0cxZC9UR2RCMTBaTlNkRjJuU1dnCnRhVU9iL1lsUWpCTzdKS1RiYnMw
-        SVk0U2JlSStWQXFYY3htOTh2Uy80aDQKLS0tIHRkRkNwb1Q5dTZ5cDVoVXIwcmVi
+        TWhjS29jOGNwQXU1Q0NmdjkwOHNRUFUKLS0tIFJnajRUMk9pTDVDdFI5Szd4RkV6
-        MXBDdzdWZi84OXRRMUt2Mnh5QStLZWcKR/1GROkmyQWyY2GcZGplX8vYqHoeqvvX
+        TnNkK1RVZnFaRGVmaFRwMnlmd3lUbEEK+CKPUsutEpo5/bHyXM7tMUUM4hka1hCV
-        ioWRF+QaK3GpgHOaSFybFt3r8wfeILbQ7zMs9qMARTg0kVMVvE/8pA==
+        oto6VkOSVoYnwHNzXSAei+jkfvT8dED7fUQKkZeqN3c4bUrha42BUg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age18qam683rva3ee3wgue7r0ey4ws4jttz4a4dpe3q8kq8lmrp97ezq2cns8d
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGV1VTA3R0FsMkdKYWo5
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2JBTXFaWEFmNU1PVkgz
-        K0VFK3VFR3Z5bmdmS2QzR0hRTWRvOEFEclgwCm9MQUZQSjZqVXJVQ3FoUTMzWjU4
+        Uk0xeWJqMkpVOW1QU05Qc3hSeFM2eHVjc2tZCjB3bjZ2ZUZFTHIxSmZUb1V6THpW
-        Q0luVDE0RUhUNmZGSlZXYWEwNHprS2cKLS0tIHBRQnZibGkrUmU3OHNHVjcvelVF
+        dHFXZUM3a0ZKcEZSRklqUk5jWGJkaU0KLS0tIEVxUlREKzdCMEdvZG12UlhxUW1p
-        UEtad0g0T1JZRFYxUnpiblNIV0VybE0KVCw68UXleN43Qi/MSFpyGjrbwZS/EtWw
+        TTVGVllybHUvZkhMT0x5Ty8vb3AzMG8KfuZW6Yj21NHAvfaVs2HedYgGWxUDXWiP
-        tbfZMPLalJ52pv4cxT4nrPfipoUyX7tHxEEd2f1SDzt5RUk0TO7ojA==
+        aZTbarB/2UzYEacoEO7CMLHDS53X15plRPbzYRWhnRkb9WkDQ/0pOw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age19rg2cuj9smv8nzxmr03azfqe69edhep53dep6kvh83paf08zv58sntm0fg
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QXVVSlZ2QXA5NWN6Zllh
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaU1FN2JEblVsK3hRNXVO
-        REQ3UE05eWkrUHdyL3FRUHJMTkE3QWtwbENnClBGdnFhT3NzWEJKM0YzT3RpS2FY
+        WnBISWgyYno1ZnNqeUtHV0tkcERrdzRhc3dvCmlEQXFrbmVibTVmOVQxVWFiaTdn
-        cnNaczRIRUEzSDgxejNjbTdoaERiRkEKLS0tIEdOOHdISkF0YnNpcFNKekVLYWVN
+        WUhyVjFvdHduNXpraHVldzNnLzVjYmMKLS0tIEJjODh2TGg3OUlodk1IWnltNGR5
-        allIenQ4OFoyaEdCK1YrM0tpM0FHRjAKwrOJS9RGCHS7lcPX+eufZnEjaIvO3f73
+        SG1TS3l2clZOVkhyTW1INjZNc1E5V1EKCJo7uU1XbW4Z6i5ux2t323Um5TDTwTl+
-        RWThSP0d2iy/vul18hdLF8PqKE2Hy0j6lvs9qhvwI1EQa53zHAWRDg==
+        mMirFUiosu62vTfd+nC3TwRyM1XwlpI54EEU27jTHMlF8oSgXeLumQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age16znyzvquuy8467gg27mdwdt8k6kcu3fjrvfm6gnl4nmqp8tuvqaspqgcet
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYmNHaUcvMitRcklkbkU3
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUpzVlhFc2k3U3ZlT2JK
-        VDRyQnhhak82d2I4MnRKMk1qdTU3bDRzdlUwCnBzSEJHZmRTazZ3Rktmc2FKaXJC
+        U3N4L0FGZE1iWGRwN0tvNEtwd3VXYTV6N1ZZCmVnYUNpY2poazVibnpQRlZ1MXFN
-        cnJiMU9oUW03Q3dlbGtTZWNtZXZqZk0KLS0tIHVTNU1QU2dRQ3JMclhqQjN1VjBK
+        SmtURDFLSmJmM0pHdytjVFM0c3B3eTgKLS0tIEZidTZmS1dpZ1VFRkFpc09EaWxZ
-        dHgrU2EyT0FHUng2L0R6dFFZSU1kU1UK2x72pMCRGCz/cyekHrTY/vXhxACPGjYn
+        cUVIQmVDLysrQ3pMcFIvZ0NCWExJa3cKdwTrVM7aXAi4bBHfXCWllbZIa2c4IbRW
-        PxEXKoi70Dq9ox3ggknmE6JLZqMvFoudLoE2GAzvimFomYWb4e3NmQ==
+        FNS1L6tP1mop2y9d0CgmVBiBFQdNAg8yVJRPWs25W9WVFHBDuB+X8g==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1azkgwrcwqhc6flj7gturptpl2uvay6pd94cam4t6yuk2n4wlnsqsj38hca
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMVhJOFh6TTg5RFkybnBy
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMmR1TnRFVnlnV0t0N21P
-        T3ozZ2MvZ2lCVFBvWW1jRElmNFBIUU05MkdjCnZZR0FjUUJlQXR1bnBGU3NPc2t2
+        Uk1QM2dnbEFTb2lJcUZDeW1sTDQxT3F2Q1FJCmJzdEFCQ1ZBeS9QWEZJcmJuVTJi
-        a3hKVzJZbzNWMkd3dENMUzQ3bk14YTQKLS0tIG5kSEdYS3dLcXdlOXBmWTVzNDFt
+        eEpIZUk3YmhKeFlwcE0rK0k3MUx5S3MKLS0tIEdoU2dXRitXeGlsQ1NXT1FqdmhE
-        ekdmK0Zid3A0aUNHUHhmeHp2NHFZMlEKb6116XqAHYMl7P4RFRcz0IlZfx1/buby
+        R1MwNU16K25zdytaMXFQNnhYQVZTSzAKmVjQRe0SKfwh/JoSGGihkjr0Lvx1uVnJ
-        V8y9TiECFZfWhuY3XaES99wjPw06nGszn/U29C1XtZZ0pc5Soc3dxw==
+        szOHESy/rEKiXUKVSMkBINAh2SUYIwrB4xM38Y+ZKkkXDDtZWLHulg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMVZWQlRZVnY2ZnZweW0x
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1I5cnJ6NDhvNDFsM2kx
-        VmswdHpRUjVrNytaS2lZNHdsYXM3WHVCVGlNCmJ0ME9LYjFWTkVrZ1QwOHdtempG
+        aHEwdmJSc3ZQcGc5OXJOMVB0L1JFSlpiUGxFCmtNbW1NUVpEQVdLTkNOd0daMDEx
-        dEJ4NGpPcHZabGxJdFJNNStxTm9nREEKLS0tIFB5NkZnZTZjL29YRlZVZEJJOHNu
+        ZTdGVlB1T0M4K0t2VHZYSzBNNUJLVUEKLS0tIDMrVEE1Q3IxaHNTUHNTcGo4UTFX
-        ejRmc0V5RzVwY3BtVGpIY3lqVGt3SGMKvSFU/FZw3CeOrkbVKqz9Nsfmw/DU/obE
+        WGo2TVdLS1F5RHNVTWgxbzdZSGV3Z0EKkOZfXMbUeJG62xn0SvqjtCKIkZDIzc7O
-        6bIs15L7m9hOzqj8PeQYv09NO83WCfYj4cjh+Jsdtlvtz8Fz7yt2eA==
+        qSTGJYgl02Edp8smm4x1L9QF2CQYF93ZIjn4q12CyJy2ojBgxNTZNA==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1wnympe3x8ce8hk87cymmt6wvccs4aes5rhhs44hq0s529v5z4g5sfyphwx
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUVhSY2JnZUFjS1lySGlC
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZWZmTDRYYUloL3I1QkZ1
-        MUdVdTF1S2xLdDlVODk3Qm1FZ0RxQTdkQ3pnCmFPYVg1dDN0amtoOUdKQWFRNVJS
+        dnIyRVJSV2ZoaERCc1Z2Z21VYkkxb0F5SURNCmlFcjlPM1VibjQ0TkFNdEhqL0l5
-        ZkhCM3VFbUc5RHJHS1ZJbit1N05OLzgKLS0tIEhCMmRFN3hLNDFlTkpzUWYvR2R3
+        eDlHOHdlTnMyb2JPUlMxRlZqTkhWNzAKLS0tIHI0cytiaXVpK2FqcW1XOVpneTR5
-        Y0RZSHZrbnJ1SEc3aCszeG5tTkNvNlEK4pUz8bk/tDKYIxu6dCG/DTk8OtTTYJaL
+        VDI2WFhud0hpRDRMTTlwMHV2T3RSekUKKi52AcUoATCmUo/+FIVeEEh0sTCjIGy+
-        qKNNZ1COhPtVTCHaIbRSPWu8MqFy9+9nf7Hoc9fEE8aM+Yohs4sySw==
+        gl/Ud0Nmuarz5T2HqGxJDBoH2MSfjpwhTkW2z0JW5Dah6MRtNetHZg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age172pk7lyc6p4ewy0f2h6pau5d5sz6z8cq66hm4u4tpzx3an496a2sljx7x5
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUERGWmwvRW5tQzJleExq
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWdMQXMvUHI3YVNqa3hn
-        VXhmQ0dkMFJuWEwzbHlGMTNudE9UbUwrNEc0CmdMK0hCb0h3NjRuSVZRNEFwYlVl
+        QTF1V3lDZHB0ekVIcUVURUFGeURWaE92U0dVCjl5WnQ4Q0hGWGVhSnVqSXdIM3Qr
-        L3VnTnpad2tJL0dCamVrT082ZmUxWUEKLS0tIGJFbG5ZU0Q2b0xQNFNjT3NBTE9I
+        eTBWcW9MRDdsZzY0S1puTmt6bk5BVDAKLS0tIDlNaHF4VUt0YzMrVEtIaXhtMkh0
-        Z2MwSm95Vy9XUDkrWDZMZUEvY3VHcDQKJanzV+qzgfuBpNzHLl2DS1GvXLV+UEKa
+        d1BJZHNOakIrejNHWXBkT2JnMDE2TlEKgFgEPOc7lgUvi/gBJi4qX8mJQQ0Lb+0J
-        wD/2s/EkL4RR4F9mV/9+1vwFTNw6Lc8T8ezzxl3/Iu+VpziFgx8ypg==
+        oKgia+lWN+f0dMoQApxtH0R1vvrQB1CyKmYRgvYfEv1z2yibftxFJA==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVXdkSHNOSHZmZ3pLWC9B
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWDBLRXVXUVVQNkZzVDZp
-        emc2S0NpenVZSW5GMWZha2ovS1VsbGs5OGhBCmZIWDBDaGVYMDhHRDR0bFgzbDN1
+        cjNaNzNseUxFZ3JDTkF3RjZ2Q0FnN09Ub0Y4CkpsaHl4VGtCRDBiaTc5cDErcUM3
-        MlBnOW43Ky9PV0VwZ3VlekJPa2xwMTAKLS0tIGNEVUVkbWIwVmFzaS9vdGhPU2s4
+        eXYyK0tGdFVhblo0eUhHVkJWbERVakUKLS0tIHpmektqRjBHZDdDd0hEbWYvWnFr
-        a09LaU05VnVBa3ZGcUNMdFFZRXdaYkkKp1TYQXMSlZoGWgfSK9s4WXFu9xG7VFXP
+        S3BoWW9QYytMZ3RJSld2R0h0dXlZeEUKcifFwdLTAse4HxN48X/iErdi3evc/Hbt
-        3O+FYTXTRTVVnZCPE5V0P0/v3H/BRgdbM2yuIiXTtmz69J8DNjFaNA==
+        dRgCkzWjb0Qc1DEPLm9MLHZqugcm1y0XStdWHCMIwXuh2fcoDUv0mQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUJ3cTNUZGp6Q29wTEgx
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWGpORGVrclo5N2ZTSUxE
-        UjQ1RU1uSHREVEhwZGtmbUV0azJEQmtGbG1jCkQxbGZhSmRXTE1uUURaSUhZTlNF
+        WFBYUVRjRlFyVFFXTFIwUDJNR04zYXgwSnprCitVT0JidGp1OEdXdm16WGY5am9R
-        U2loMmR5ZExXS2Y4eTBybGFsNFp0WGsKLS0tIHJjRDhDelB5N1BvbHFydW84ak1Z
+        djkxckJEUFpzbHNNZnhqb20rbzBTZEUKLS0tIFpheWIrMkpWalJNS3ZJMVhVNGJC
-        YndpUERJbDJSZlBLQWdnVXpUU3dLdUEKQYddtnDd4U7bkjBeMnCQuYVddCCApnzQ
+        dzFuYXBGMTNRVHRrb2wxTlMyZ0FJWGMKnEtMyof3DN+9rIWRCYn4y0SLpIJbDEbN
-        L/LgjBXfUav5ipWWUjW/loZJiHBsxrG5NkCYEyf72WMyDusd8mCN+A==
+        iXmjwiEtlPIKZjQ34r54g1tsJd5b4fulRFYd6lqTzxtjYYFXDa76BQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOei9SYzNGMjAyUVJGYlJy
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWkw2NmJjdzdPbnBhNURh
-        QlFBVnV0cDN1TmI4VEt3aGNtbWtvZHJFcXg0CkltM1V4UVp1THFrZEswOEZUUTJy
+        SFRBTVhUanpvdFVNLzFWak52bWVJZnV1NHlzCk1SQzA4M3YwZHZIOG82d2lCUE4x
-        WVVPUDU2emNabFBDek9jMkhScUh4cjQKLS0tIGgrSytmcTZkbTJuUVE3Snp2RERn
+        dDVWMUNuTW8xdVlkRG5RSnVJUFI2Z0UKLS0tIE9nOXA0LzgrenJKQ21xZ0o2M2hr
-        SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn
+        R3puc1ZOVFJ5Sm5qTks5M0JTbW9yZkkKv20552DPjujiVyr4a4KvTUN4pW8Sh7zA
-        mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA==
+        Yxh4nx5mXAwfL4JxIwbvggy4AE3kbc2P3P9qUrRjQ4Iha2X11+fSCA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-10-13T23:45:06Z"
+    - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
-  mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str]
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0hYeG5hTWxtVFlTaUpY
+        V3lOMUJUNDZxRUhtMnFjK2IyTW9NZ3ZvNTBVCmVHVnFQTGMyd2JIZjZYSmtjZnZ1
+        THBMZW55RTZSR2IrSVd1NWppR0k5UFUKLS0tIEkxRlBsWHFxTlQ2S0xUQ293cHlU
+        ZUhwMUJCVmgyZmlVbDRtV2YxUW95Q2sK8JtVLO86dkYtrxMzXY3mj+S19+S2jIzV
+        MjAkijrdhz9XyEPNsZo38liiO0vwXUVpzmX9xcTTArzWvs/LHYDzQQ==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRXpCQUJxZ1JBWnZkZHRM
+        ejdtdkdqMzNMY1BvOWVuVlZuOXR5YS9UeFMwCjhtYTIyMnhBVm1CT25mRytkdm04
+        ZWg5TGllazVDZEpXNHQvZzUwclFEbTgKLS0tIGxDSDhJcVMvUlg3VkV6YTE2SE4v
+        QnBqalBlY2FqY3lsWEF4elVzamp5elkKaVNJrQ4wNJt0FrQ8PMz0R9VAhk4zIAri
+        QTojz+1HuRMZyDr5wmXz2Jg39yZsBsm4ZmaXSEGw5y/XHeg0ud0DAg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T18:06:26Z"
+  mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
   pgp:
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxK/JaB2/SdtAQ//QVwiv+sO4ibaxO8UMPFnMnLuNfaTJ+Nry109XkTwLkvp
+        hQIMAxK/JaB2/SdtAQ//SuDQLIlXIx+E1BfvxQFL4c8TmxEWat2nXHE5CHyuQ9bH
-        +6I2TW9nAhL+M6cWBcWTJIm8Q9/EAKu0jFrmsmlJg1g7am2DcARoyDTXA2W7RM8x
+        esOqdKYtnBMP1iRwQzAi9jVnNUtctCurMK5Lwr093BRHDLhpWqBErBz8FuoTFXGE
-        kSshBHJxCjQn15cwWpMcGboKJDnn5uGqfdf1rbFLiJxWlFlIstO8Bia9YF2qSYXe
+        7WP8ylzno9OUjhhsg9sTrUAxghzU7r3Nr5alypnE3KsEprtEiAKqqqWhaGyMCK+G
-        z/w5PQot7GDKa9AFC77I/I0k6hJduVX3jC88N0GZZO7oz017yit24QyOwTSaQtmO
+        v3shSx4XmB/MItuHM0BRI80M0uqRn5aQME0KpgTTD5/wsH6NKcPHEiNJTqc2I8K/
-        J0NgoyC6uN50buRJ6cXbONwU1rOGYvMBc+I7mZrEBho8RbQObkNy8ndQpDbpMqSy
+        0dfqa9Hr0WcxooX+UwH/owfzHEkTFWP/3SHqz16osLzO9KOsqw3M4QIoeZwBpAOf
-        /FVECVfhAo1KOGsTSS/i8z+maBcFNnia2+hbOZTpq1gCJ7sgE/pJG9CKWltD8U0G
+        +aICTHV3nsbClQ8hQ0XI6xrOqwXYo7SXtx4uNVJdqBO5zfhSGx1yI2OAY258XQ+d
-        DkgO086x2xuuXGAksJpeiRelbjM4C3ScvFuQu0p+pbsG+0f2pNnkCm3Fi9zFYpqo
+        As9k4e/oHkzs72qOwCRa2OShDWA0oEWIJ1DZY85yaTyl3qMZJuOweR7lg3eXzITI
-        xzlOKxwwcBRpy76jWIQbVRodnaN8thinT/ySIfuIisfn8TgM6O0IA83jJEMy/CBc
+        y4uYAWDfJBXdAOnFgkxQBgb5KSfm3GXQh4Gtu+yfoYqaAibjyJleOPIJFMcwb0yb
-        QGwWiLFWOED864OOV4kFTBO2rGAi0rLPBoAfWPCpP/z5vpRHICCg35i+Y/Mg9tDJ
+        Y0gr5NflTZooJy2zMZg0u1Ndhike/BdMRQMiTZf8HXk3iiyNXCYTCqnIZRfzZGdy
-        ToFbH/Q8ZpWaN3kM2J6wNKY58/AoVutODbJkC3ZydLA+m++fKsD122Sk4er335Ev
+        C9Fur0KAOM1h8x6dqXGctMhy1sOmbI6LRyz5feejtE55qHIn9fkyR5wDObsIeiZd
-        MH2txLTAcBXq6CAUTIYvEb1vSurIxh4vbgC1lN/Sg/b1p5IWKYmOx3onq0kUa7PS
+        OuT6josorB43aotD/XSDwGU8ZeYrUZ9zlwszGASHoji/kI1yXRMCPuNVax86v1HU
-        XgFmbb6fq6VVS8GOD4bMCDheVGAwYG1z/1utYoiLcuyp3YKAWtwGB3WdawglzRWt
+        ZgEJAhAWCZPbbgU8qPifr7naCkxmR2TxtkOJ3Pq/JOeqxMqXXjdGa86A/+1baGdc
-        ceLfKBRuHl+CnMyMjdTNcRq9ATpupHPniCaoYMRpNy7GuLGHXgRybqxnqSySj0E=
+        3z3ygenp34mYIGi4vSCqz7rApU8PHdlpCw2N94buR9/OFN1wHiIoYtVfT79mJsoK
-        =68mZ
+        yKswIQ1CXQ==
+        =yexT
         -----END PGP MESSAGE-----
       fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA6EyPtWBEI+2ARAAgWVVIYSzPJeeRYdO7SHudkxO1miNVhEaTa6ArJXhvj9X
+        hQIMA6EyPtWBEI+2AQ/8CBUEfUOkvYlMChlGuHKv4CzbEqUrr0aKDbECK/8qGyqE
-        f7Onb+kPRJ2H45O06+k4QUBN//Jl2wsAayHGvGKb9NmlO1wT8cd8yAe4AllebcTA
+        UQeZPMnVvwFL/l5lU1dky2PIqFDebd274h19CfLIcBGZZPwzg/XNJcYcEqeTN640
-        FGBhWpgD1f8RNyhU6s9YQEmUMFFuze3Frkf5pF36KmSO9Kb0yXNgQebURbUKIwt7
+        H2ze2Uz/tA79BSfo9Z+W0NfAnzsOZ+I0pPCIqSN1tmMNCNy/m4SxEc8wye5FdV6e
-        W6KVBdlh9+y/8liH78X+QXFMneb8RA50mFvkSp4NxPyHGLV/S74jKaMv28q70ukC
+        YLu0dTatwMG6jsK/PYYoAapNO1CRUDvQHHF8jsAmYlL6eYoYbuikrp5JEyk7Jcmc
-        3ExtiLu22ACzA3jdn+BGTh/0bp/WRRYEt1TBmt3HFnVcKDkdgxOub2cwYug6YeYt
+        5OyW49fTAaxmFYF6hjLnORI/WqdF9nTztfFAoH5eU+uzd3Exmunzw+hsZXdbDTWb
-        dvA61xnK0mmkt39WfR3wFtmrnMQywJn0r9cRZZwdjfuuKzWmkDGKoaiX4oXcq8hl
+        6YJ7uqwVTxziKwpB7lOxca1B/axYyvLYHNoV6A3Eu9/0ceUcjjLwtcBBAn43UAd6
-        GJsljraNnRdSZsYCWKeQwM9VnQdTumZZpeyzH99AgbPanNEocLNG3s3WB1MOTBMC
+        eEwNr3RJ3LY3G6o1QD6tYPXNhY7J8vxb/MKGo7SzB5+Z3TItd1wUlnHDY7kfUtW0
-        SdktojCvHSKg2HBykxApLY1wUOLiYdVGNuTjNyTg8lo8IlNgeEEIa/8MxtPN1U57
+        hk1R8gug6mV4YEQtgPW3CPOGPsquN6zvxuRPcVqkNyN8+H3q3n0hg8i0xVr3ZyHB
-        GDPXDvE9oJy3SvP7Tf0j4KVC7B30UYhb/jwqsG2wzjGKw3JMYucDX2JjgoTEXFxj
+        G6pSNoQLaJ+x0oFhIgzy3Ndf6AH8MNxzh8Se5gLIhKQCN41wm1ZTguOgcklKdAAX
-        YqGDr+4/Vfd8bEadcQ8XJnoeCr/cUykflqO7EJnXt7kigQ8P5Jo+Vwu7oRFFlxRW
+        s0QlHXGsJLtev3HeZOfuR6D87rN9HNAaGqPxuKuoZWQBcxzOnsXSGsjJLJUN5bpt
-        H9YZV0dOeVi3ux5Tw8ft5BRtYym7k0GP5ypQFzSSTeTTUa6QnZMWPssHMHQ+8xbS
+        RSy2UPlsV2iP9cE2/PTx7cQ3HWHIAjNNz65aJQQnfEM6uog85JRGoY8x6rns6xvS
-        XgEARDjMMwp6cl8adFfGJnuQmTC8pGCzOPLEhPY00t3Paz/WYvEwhioS6Lz2IsrF
+        XAHHUsw6hc0xHxgBE8nkVJfU+ynqtk27n+A9h/EaAFvuyHE00yRPM2cJwcSapOuI
-        QMgw8d2RrOZPJAAv9wq2ztTKk07aFxrQ8WYT9gscYPEgIpPmMUFR4nJ/fzSeiZ0=
+        gXSLjIoiRfbVNxFCgTFEA4KN6B/eqmOyiEoUhEhHXmwzb65bMB7puGbb7jET
-        =1N3o
+        =e4QR
         -----END PGP MESSAGE-----
       fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAz5uSgHG2iMJARAAl+0vmB2+PBg2aAZHZ1Fa9r/4zByhvLrjZ+5yWWcyf7fS
+        hQIMAz5uSgHG2iMJARAAw43j5wveIlxO0Pi4ayjy6RxnIvB1cy4A3X3rIdbL0TVI
-        T/1Q2VbnDFvUwsEdbDs2RJYVejGxs5cyIge2ptn/9rnp1aMTu+FG1uQrY3lhGP6L
+        lBJfO4ErBitBtWy4F5MQDL5UmKnSvamG0G3Uo1z/PzAob2Fyb8nBM0P/jOcWB8KP
-        vpyDZWa2e1+bapttkrBBe79TZGZ4ABv+FCqHqWiH2HJ3V6ELXaooNhTrtlURCDqT
+        Lzv0IM2cQ308HrYsUSpxRBAApc1JWX7PAZgRBhvvm7KW3vLFOgm+aMEHAjLYxFNN
-        Cqgs8gH1qdVgISI9kvsxS8uGa58assuM/WW2+jATIoxBzUG9iHTugr75HWJw8xb7
+        zlrWFhe8kLNZFMHr8GnWv4XhwHgicaXfP+hJQs4gHnKsZ1je3dhurgHRdu0PBu8b
-        R4Xbtfpev5exXicbbAvO8b3scnBU3Y1OUERo7xPxxskVSCu8q2gDtyeckOY9SN0i
+        QUHd+PB8S3dt4dacHGlMdqRRl61jj+ufYqQAVgPfj3m5bvDanJqQNXQubFDMW6kp
-        V4sr+bUBfvPChlfoIq9kifZPo4Pv2yP8EhH6D5pVRqO/aiBYr9l0XtxDaHB+d1Dj
+        j6U/rYY0GwZ+r2xFHBr10zbx4TR+bxMQMqJ/YA+PZGVT7Y1S2rwLLdmMg66ENKQn
-        Q2f7azUuM5MDRotUM8mhn09hd61haag4R6dVAOq3mL9rxXLj8sdHS4A4ufkjn+dc
+        Hbk/rMibXTUab/uc17STBsOAdLam313WpTaa7kfqFZhqaiTARlmULtdPWyRBvOvi
-        PI/Q93gL+sFy9N0wgCvHZEhY1QoKssSBCu03q2ZVlLFuYfcXWEIQU3XpbzyCmAA6
+        PB+NrFI7hboakG8kOaiitdfD/NUanz/p1RKGBPkpL7GZE6B63SHxTKtLm/A141nI
-        VkCvwXEA8xRs2ClrBpMOj7wRKzYoS3ATc3nFx0XL5pL74rUE68yiRlsZLccRB+9/
+        9cPNeXNZWhkSZv/2akQ9ea91yBMeIuiydFJnBuZR6ygqvC+ShhAUV5Ag7h8AAlTi
-        nJSY72QzR9FFUhFFv0/DxUFs4OVCUzLwQVVUT+Wi8EZen0aY4zFG1u59F6E03Pre
+        2gDoZZvGqsXjRO7FtR82SSaWk+buzVbDtLRdzHiPPgIaDkLtVfXabqEhw2bqaP8/
-        wC9TIxDCR5MY6/SGgYPep5qheeYVdXw7a0TQWrwXpaTPSj7tm2FFQES5DRkVNN3S
+        UeH2gZW6MPuO4AWYRgpvQX0XOYJqA2RNsxO83HF3EjvvbUeJhz84iC+OD790ElPS
-        XgEMoELXGpBjzixYKSsQ0/yT5qX9v7vjrZ/a3EuXtkdh7MAfMbRV+YDl2hlN9IJM
+        XAHizPVvoinf9dfxckUvFm1RUA5V7xwlHUh2a0Zj4mBkxFAJqGzOINAkg6UAV4sh
-        vpAo/V/vH1AyWqBL0oQ00xZzNvxi4RiPk0KPZg2zH1C4aokELI7i8D4Dz3L83Tc=
+        K9zPafVtVO/SiBdnR8JApH+rb7kXwal/jAOHJYjPtz2JRGeCrFz8YJR9lkaa
-        =LofD
+        =jeRO
         -----END PGP MESSAGE-----
       fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAw5vwmoEJHQ1AQ/+Pr/ATDoZJGDuIOTI2RgXFefWN0/iz3KeI8n/8F9/1vkY
+        hQIMAw5vwmoEJHQ1ARAAuuTaQOJdkhaTei934YczQbjX1g7cX4yWuxS4BHQ0+Jw+
-        1G/Bs0X9NkuzT6A/oIjBDa3630DMMvfdbY5Gclqrdwobft9dqhP05naf7BujX2DY
+        MtZnUUYcjVY4hErlm+w9/iwr/ua6lvsTigHHy8IKiz7F/xuG3qAoQwIR4+bNP730
-        oL2SbTnfB06NUPiSsZ9aE/2yyzvnZjAxRczXZCi9DmhBhaXicILiJpJMUReldGtB
+        En1EYlczxFw4Xaa2WIayaRy4M34W5zvdDuUwN5SW0XDahcmmut/9WGRmz0K8chGp
-        zbGtRzMUojwXqc1Fi52mXvn8XVTgrD//jX1IOUnpXmaFKa7zJCHe7Qfl0P7LMCw/
+        8opG1KldRY4ynOgXcB00x8w2NnQ5kjisyk+zjtTNas1E9c4m2MJlvrGHy4ffVg9X
-        vTDAXSazVFqvgyASPPHgVFw9oFdJ9Na02ML4jynRnIIra9WoBe+9+aPoaNG5WePP
+        ID9/66wXr3nimAlaYvHmVW75hd2+MfWyqtrLccThPrB2aNPs2mN1xH2TODX4gEP6
-        Lqxmaj3uz5Uh2S4Lr8Qr+n7swjPUlYkZKSRY0WDfhoi+aCC1ejtysZaAwH32+CQA
+        pFHyyrAsjK9zP7M195pXw+WE3QnBPgbW2/zmCbPHwPGgP6ljLsDjo1SDXWsxZ6vt
-        sbnh4m+/qnEiNZlgy2vS/6yQKMAQ6HnLkBfkXYTseI4egVw2X7byMFpmAlqo1pwl
+        88bCECCJCrurkP00HJdnbXd+dXddNMXfYLT15aQvta1nYPp8UmVahCN/QyaNthkN
-        kr4cKaYGYDBT7/fDDrB8AAdXUq+guABm+8UO4GHvvSCzWY+8ie2/wrTSB4O9rLnQ
+        rclV1jmr0sEtG44p4R0SV3yIsATCnFGmr/4pbI/r+aEakIVIPEK6GM/69o/6kW8b
-        WQABESou4c/w2hKordim25w1UWWPhiX6TdumBjtep/SPNMrVNShn8s+G8uh+eAwQ
+        7KGEc4riDefZn93jNEGmC4oqotSPLaLlaNg86gWazRrMUBu9hJ2QFpeqSX5Vl5uG
-        blNH7H6EwHW1b7gvSmKrlczW5/TXsi5URl+cuel0C5/ckdWej+jIIbfCPd+D3BbH
+        XnIokcaWjZmDgZgDOFa5inQBDfT/7wTJ7mGnLpt6Lnibnp/ATvIYBEI4zakHAJpz
-        pFkQWZR0vFpvUZcUfU5kSTUz8N6jh/nGvOuOKZ07645ZFAKHjxE1JqjhqcJEqDDS
+        0qWN89fpS4senq2bZJ2WZYfpLvHpspchxMhmNfjalQaEVdqPfEqQCImJv4h7VlfS
-        XgFphkUBFPhmz2FJdIQvfkyl6/CCj+MUfNLsB1hZAd4GRxcBPFyLB1rAkB0kV1QY
+        XAFGcZB2DSkd1fIxKcOB6XMDEbxGfBAVZq+k7Qw1oBdCa1Wi8uBoVS6QHLEUccbO
-        RdIXX5ahmk6JmtkwJsO+m5aAWu0ft5xpsX3jJKqAyoVWcRO/3kER8b1K9IL57nA=
+        01Ptf7jWdTYgujdxRvyYSYS9YY4z0nR2GmFzynCB/oCylEwmsBR2ie8J1Ew4
-        =I4Bv
+        =Gjvk
         -----END PGP MESSAGE-----
       fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DerEtaFuTeewSAQdA3oIk2sfUn8ZzJf8T1xFQ/gSWqIoOXZvpAf8R88A5+2ow
+        hF4DerEtaFuTeewSAQdAgd5EW7q2vIPAOqEzhHiEI5O0WzrC59UqNnagUK8u5T4w
-        kM6YFiCCShgt2qGZi1k9xNxoRO1aRmSdEqdwMHAwpFRtEr+tOcE1pq0o1HQUzqqR
+        e6e9sEaNfzsZE3Ep61sWLZkDDddE1RqF8riVaBRHjFzpj4mNptePNQCCDJSU8jYf
-        0l4BUDcJXeyrY44ufOXKRVd9J9LuwSf0GHfvSzGxCfFGQVKAtRx69TUwyo25Xwdb
+        0lwBJmRslhasFEdMhQjqJVWLyVeG+z45mcfkXT0VFkBWWs/RDchgiYQjXxi+tMXy
-        mN/mmVecb+atPqdB5uMSvsMC2Tw+F313Y+uvgjK6B54iK9wjTiudD1TvzrTeaOPY
+        iIUKjmu2bb3Cr3KTEglA9P69aVkDtdDvol5LflkzlB925aDev6arSnqFuoZIcQ==
-        =QmFT
+        =xwmU
         -----END PGP MESSAGE-----
       fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxjNhCKPP69fAQ//QqFgN/hbCgpEB/KyJ+5uc8Nmi1FLWFBEPhnstvIlGx34
+        hQIMAxjNhCKPP69fAQ//bv/NiT6dblP4GWghe9w9O4u/cwF9rF5x35lNaXUesu5a
-        rPkmO+mLxa39ikwNg2bAwFxDRdwFREj/5lcdEPaKMgyxNxngS4PSs7TtHroNvyXk
+        b7mz1DkK2xzAIPFXpp2EhX4iRj6cQmEIDN4IrknsiKD18tMA6pqv5/1RA4DrjAWm
-        jEsNsyanhaajctcBJNSEcDWNFItTn2gLGmHOuribULXBdixI3sXCjrrDKceNs5YS
+        hlURDAJy3Q3kA92pgDcCOhIJu5gKFMUVUL6xG8TeNOr48VCw5LgmnxZ/6PuTJ9hm
-        XUIw4SIl4NS2nCUQcFlMqVlKOiw5d5aNfPND0UzFI2CFGo1740F/G9wugOIzsLwP
+        L0r+OnWfUKZGxKPev5/N6hIWCGKuCpZ44IyPVHU48CK8+yJWRwK2Fb8WAy775RVz
-        C69o2JZDmsvs7rwgfWYbS5prxD0hHzXrjuHnONyPD9NdtIRVU0jDEPrcmxJfbj4D
+        NhTxD+IqQuHZlXnYy/6WunlkEmuV/G4bUzByjG0Uun9J9COaaLC+8OFVVm3MMD/l
-        nzkTqeEyNmcIGnVhCCM0ysk54e/VxI6Xl3upp8qgz21h0vBu88liJFeQo+uegNsa
+        R7JbZlXigj80IHPGybB+FVNu8rUk3JbGo9tOux1H21CTdd0Hmi4YtritLKpt37tK
-        ozLyvzsFSdbxbIzcqnXxMurWIoDZW59d0AsitmACez1PFHXmC4KEH28bxFNek0/u
+        I8lYNCFgfWOTcllRFB582BomMSObeDjffG4tASqtZ7lFYAA1tHO3akM7iQGWnsxE
-        hpxFiPRvr4hxPouCTSx1pP7HnDGUfJtNOu4BLigO9hjU2K628WBkZt95L4wprBIm
+        oES2Ibp/bP+tKCh9BnXKzHbSlIiv6g/4AIALRyyLskM/LH1FP6Xwc2wAsck/DfOK
-        kgt/st3Bk96EC6bWLtn4n6Zb6l7+mdv+6qg1XBzbLFDxcu+L62qtd4j7BjI3ckGY
+        ApQRNpkqn0dnGCb8ZIDeT1EWlc2ZSzkP+X3yy71wX0TBZOs26n6crIAjR3LUiHt9
-        hO5tkGroSyRdOkqw9IJ7KoDyk90IE4Q0xy/XM5dqAXQz59sPhIOPBxje1FursyaV
+        UzT09TAHk2Si3dSBcRr54Xitjg/f4lfKhQv9hV0tG1qFdITYjv6JFqihtBUEnNiT
-        RY7tZARigq/JEWwwTLlbOYPd3XGdbw6N5LfDZoXe2Lz+isHsxL2cAqJ+wgYgfb3S
+        BR5udNvLMKw5KOergEUl2EGPWlXDK9LsjI9vzWq9ZOS4cNWAR0zwTjC3LK7BNBLS
-        XgEIk9UCAztF21PD6IC4E4OkK1ARhpwIGwdluazSGzYeTqKEB2g7N9iowAlp+bcG
+        XAEBjZUJhvPKpa/f8oMGcZ18HP/m4M5MEKCrCbQkk+bYDy5zBjU3I3hqN2MpnGb6
-        aZ2DU/R6XYdU5jch6fiU0zz421Li5gngNwg3FOVdZzhdrSiWdjRUFCJEbituyvs=
+        UMGEx2tgHxuksdjSaDb1nTNfsanTC5UgqFAfsn5QAiBxQmeXRnjFpj2a4pc0
-        =Msjh
+        =R+3P
         -----END PGP MESSAGE-----
       fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA1Hthzn+T1OoARAAlYlRUFLenIg5rQuMsq6Qd/3V1L+EomZcDTeVWUlvNBhJ
+        hQIMA1Hthzn+T1OoAQ//dfpU2ARKiqEam2TD2QF79ujIPoofrJXX+Rf9zwe9TBNC
-        wdh58x2OqaXRbujPT7ekJY1xDg3S541yG+7al5eR3Sv4zcE5ZgNoM/rY/Ik4hnWr
+        rZCZLdWLECZzJcE1R/VHM1Np3AFPmze8FZ4onGBgI0Go2vwCrrYtBe6AomAlzXho
-        03+a/jIRQxoFeIVKAhAMcj9hxjBUCaQeNwvfYRrkWRC2fKAe9X26oTRlk0oEobMI
+        WXABvr56Eoe1ZmzDHZLPeGs6j2OfsQmq5UYDXOLEPZ6T32jA2f4dvI/k0UEFEbsb
-        5EZTi558D8ZVxIlK+LCBk5jGFepGkts0FlPjzH0+S43FLtFOqRVV5UGGahbUZ6aq
+        Oi3gbmpQgiub4WDE8Czy2o9Jmcsxwq4NhmnGxx+ogXO3rS8jYQjaBG3P5mz8oA3R
-        mF8ULy6+V0LxIqOaDYRwfUhX+BvPdCiBRf14yhkMIWKDpDa3lVuKWAzSF/CKk2z6
+        P5zauE4sZ56WzT2z8rD6NPuNuMc5Dv8OMISQey+WfR9ysco7288v4qr2hMgJF+uc
-        lO12dlpI3+50zwEuG5hyei0UlMPV9rR7nLL4kG7cjIaJKCeXtbgt6Qf9Ml3uAF+t
+        uDQtH8ZFsRXwknyKFaph+KLkmvDBzSKoGiRtcaACzK1WWDbowN+KYcLsCf2WE76T
-        xBjsQmnPstsBJZlj3cBlo+U6RKktkfeiU2Fg2OGUxf+iER6rBfGwBiPLME6RPiXc
+        VJPWzZn0tjjyIWWaDLEqrKWuezXajMxW64zSjDje3oqIlJf41Sqr3yVtBI+Willn
-        26RiEMMyIMqzgaM+2I0GL/cMEcsYj3OR/Q3q34EIFFTQXjz7dsWFjuRIELg3lxB2
+        m0iW883quAICS4ECaaY85+N5vwtaRntlYEGdYUm3k11Io4erEl1qw1fMplD0/E+P
-        hNJfn8JnDYsP/yw7GMZM9TQCHOcLL2+vzh/GhIy6kBEeI6DSbnMR92REezSUclHi
+        I1jA790vOS9PDYzdK8nvGrEoGURW+Y3/q+fSKMBsfHATBCBSGRL6G/SHFvlDBLhK
-        g1292f8mDidAmb7aVFkMPnVkTFrriKiXDMO7Lh6qkIWmnGfcecsLONGif2olW9e4
+        ivJOOeQ2Hw4G7h0GGgQAEGk47EijL0j0+eEYDDvw8DQjVuUe9dWNr0K2qmBfm7p7
-        /PZb4d44UrHdG7FIn+iuTqWcwkIY0AuOZg0eDa6qi0pcePPG1IaGnF34R8amkYHS
+        7ERZuLn2BPkk++h3IMTQL/OnaEgX+dIbGiekw5a26mVi3BB1t0Di8q6gtmThlTbS
-        XgFP1eurU9GajS2HDU5Ghd4KMFncCiibP5xA22inFdGwHK0Rc0JH5LbOwWugU/yC
+        XAHBzItP/jn8txvNRSHHZN5AvuU3TMyaEjFmhYf59x5vBa047U9WyTqGuwNj1IQR
-        5a60wP3Sg7LIxYriI4a4kpmKpqE7+ZhfuqQ10wC3eCXmca5bkqIOFd91X7gfnFc=
+        oLJNQXb/qo4Lo1gd397zTecG2KDhHl/ael8SlZsaLkG5Lp/V7LGr9J2FX4Xe
-        =m//a
+        =76+h
         -----END PGP MESSAGE-----
       fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA46L6MuPqfJqARAAlOnbIDuRQI95foLsmVkTz3iBPoAGWP4T+BmwRXbBzchI
+        hQIMA46L6MuPqfJqARAAhGXnruY2sbbMVeOpJKn0MfDowextWNPVlhRAcltNO6Pk
-        xnb2bVuSp2XS8ndofmqwPVfIA/XzQeS6+R1wE8z7IxBZEr25Oe+l/vnz/iIHfoMy
+        PUWbX3IOs2ardDbxPJ8QeVPG0QoLAVGwLqbfOulAvRXWoA/NSm+EpW96ofqTNA+P
-        LpJYqP4dAMf/VLQ0h2X/WfN0QYkxbBEHj4vwR8NIjYxb1iygIcZuBEl28/ZqNAAs
+        CK9/ZHcef9wv4DK6kJ2Rkyu2rotToMYi9Hxpr7joOVIsI9ewb8s6SSa5S4qAAw/G
-        0CogIZpD057gX+SUdnL4HmpZJu1VcduOxEQq+4TBZELPw7yQ+obCtalncubnXGOh
+        Y7mH8XMFqwZBKzmWP/9kXxACwas6vlx61s4F0cj0XCcAzmU9fKORydljrcc6hNI9
-        COyjN4DkMeLNyZ5B8JKnsCCEzssn6/gI3nNzR8gTozvVdiPqmItix/lWgNZlxxnD
+        MRRS7j63it0fckq2v7IBQDgJyuNsLvZD6bZ1P/rdZUUqjTSOIQyb5yT6am1T+DvY
-        yxHtqs+RRxQrZxMBrVo7Z/2hNm15rT2XmpOYvs6eIKn0NILs46erKSFHi5Vbgu0f
+        0ClubdaXhEaQplSL2D0VUEqZmTY7Cmw0yiDBgmyhU5zqjc4MHlJ8S2gssGySWTRo
-        rNshtzt8zwPsrGS2gyMauXBq4vB11hXMuOS1zgi9gA/mIzGbLLPl8JYVKjpZdRXj
+        tR+yEFgemtuIiUVFTJN9Set40968hAlN4jYPOqxjC6U7oC6YLah8nXRJasEN3lEg
-        BelPHOpEVEI+6Rk02+QuEGjN5XJnnLOshEt7Gg+be6APCpDsf9KhoxIPeG1e1MV0
+        9+fdaCAIQPfK6U/C4j8tEZ1sCXfxaZfaVGpHWrArcxN4L2nei2hT136yLkrIuo4j
-        W5yfykmCC4E059Q7jJp7npNzAk8Xnk6zkScUT1zibXi+DYcaN3sSKqB7UgmjpqJ6
+        vfDTBK77Rpwfc6bmg1Nf94ed7XWn9ZQgVvPKPANvvyhXmflE/wVxg2atofzCIe5i
-        vBn17pmhJYCa7CwlJif9abliw6mHt5qN8Xrg2064I3cPwJpzOSaTI/G+kl73Wn4Q
+        1IXX/YHn6MiixqaSbHnzCAaqVQuJKC3b/EO8b3GZJfCcBHZratAQVZq1emnaK0id
-        x4G2l2XTHAMnvAoL7I4r2F0I1MpmDiubj4BnKp3/C2YhICDOpsCE7e6ceuYI4HHS
+        35OwtOXKOagvk8YoIPY1vCVDvVrrT1RK2XGrRfnwoC2plg4cNws1aUhENEDt4NjS
-        XgHNkVi8iHF/02oV2nLDAfPASomsCTDQYRE6/dLbt4d38BaGJ6iIIcNMxGbUByMj
+        XAE9IcqCFTz5RXO6A7/Q03Ge2GEXrXmI39CTT4gTzy6USEDUiniE7PRudm/2dY8c
-        nAEWtH7+8crR42yJp/OxVPLlXLHKoDEd0IydLpFl9dnsaYAqdPYUqCQ8merJlPg=
+        ZA+AvTFrEdoGK1b/snAvw8dGTFv9lwQqkBr0JDqwD9SGQPIXD6CIUKioxQ78
-        =5z9a
+        =KPcz
         -----END PGP MESSAGE-----
       fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DQrf1tCqiJxoSAQdATdhehHCg+P5ryd+GcDKRDMHgwv5c88CHXI+L/6meUSEw
+        hF4DQrf1tCqiJxoSAQdAagtCn66tLHM3wXjb8nCEH8nh0g5pKSTzcx/re43tLCYw
-        EXNK49Y4NeLrDllZuDdS8Xd/U3BJtdw/Ef744lhv/CvSCEIBOVu0n7hsHZ6E+MQd
+        IbatYjkYoqBofEDr0m4QHTyN7JAtq11Yk106M9zkktUHUPG0H/NG7TKOK65OC1U1
-        0l4BFNDMgxj51IVlf/vNyWKHrcf3iYLLJdDL31sSHiRk/zTElaM2W3s2zujSOgiB
+        0lwBA0l+mdaX06nBkQE8xzXafXcJYJkTp0RvXrzZkXb6K0NBuQwcXO3A0xcJMIZ9
-        cveF2p4/0TZ1lt+kzSWPdKZ7gixngC1vKtb1uok7sAzStAM3wdvpBjvouti/yduQ
+        A3tWaza1HnUdtlUj3vj/0ykrYaUywLL4rdVgu5FunOMbg0QQV8zy2Kn1dNh6Jg==
-        =Nvpr
+        =wy66
         -----END PGP MESSAGE-----
       fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DzAGzViGx4qcSAQdAVM1+fV0H62T2slKovp8/rIF6CBYl28z6hbbAyixUQFYw
+        hF4DzAGzViGx4qcSAQdAuK7fsRq3IfaTb8M+wFYeMoAGK7pbIPnuC/i9GAVmaHIw
-        0qeyMu6ujpCHiSx9xps+FHYONtfEcjxpZHPk4C9fP6h3D+l4xnfGtzVXo7t1budp
+        7iTd9Gh7qjZ4Z7BNvD9cH+MMoeKNYEI4iIgzyZBSwADiCwq+GOeeN752uTFzvysY
-        0lgBJZCP7JuE7omAuo00L3hjTSaYpa6UWE8cZEbwkOGsm47m1xzMlEzSExBZ61wj
+        0lYBs4Ny83rYbSQU5eaA0VNrc2blc9D+3gc0NB1czac9pUsJ6w4P6vb8TdtrzvlS
-        dKkSNVFLd7z/5SlKFgFJgbgwuAl7umjDVQjItyrqRNnhuPBUmZbYBEEJ
+        zAUSYYWaU2aX1dI8274dFmHmF9o+9/kPsJLSTqkLUFaV8cje170cVQ==
-        =Xu7e
+        =4Es4
         -----END PGP MESSAGE-----
       fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA2pVdGTIrZI+AQ//R6I646qRFql6ouszDIf24Jc1HU49sWK00jfEgfDAMXVX
+        hQIMA2pVdGTIrZI+ARAAypV2oZNd7o5dKeu+croXx4IgcbjGPl+jM4v4EwIa8kQ3
-        FcHyARVKbjq+4Luzf0ut/KrHaGC17iEcohvfaWVds/j8fOA40RWXXG5wkiqmrXQ9
+        mqRDXYjz4XdFqoCO5Q7sALx06a3V/Gg3VBhxEmPwYtWIBOaEBjIuFy1TieVNCIz7
-        xgPpV418jCpLhrE85W5emNVH8a0sX746sulslm5NhCBbYsKgmvWB0NW/kSmPBAD7
+        xZlDKUsUFVCMiaF7geRPvN1QMhP37HbKZEWWL3Dtp6d+9W8N3jjFS7qv+26nlhyT
-        xnx6ZysaDEt2kgFy+GhCBMjm+WUOEypF1xoH8YlOO8rtJPVwTX3QPkgEYxrEtloJ
+        QUtMc4wXYXsfuX+wI+Edb3Ibe2tN6s6rK03XiR456TG4Q5XlT0yuWfLA+uF4WMSe
-        T7cScRPJo66y5ne1E4FKFUApH5cDlD4et9/TpJKR76y1hml+geCM9S7oOD1LmHIM
+        9HmPmggwbZgTjagnzkf8/mLwROqFm+KDpCR0vfTGTW+XZOZxS19A3VRM4oCoPCqm
-        PxQFfNVL8/RWUSxNtkA+4ixlERitMbW3x4rqq864m1MnZEyYGOiUgF4uU8t7VruJ
+        78t2XkLjoddqL/baJLdSsoFjrHh74+eYTvaBAorOXowfc/MTzXGTHlth9r2/HjJ2
-        bE+qbqOdy+HROi5vBgB7NZ3S1k7iBweGll7xcEfRHWd+lIunezzb/V/lJoShuSBL
+        9gXiQATn9fl7sxdRko4mKOn0ff0DhoC4gGgfxopUs2v/bu9dj5VTsyAe5TqGNnHU
-        WEetGEijGGDLPwTWG2ZSGQQsrPZH0VoA2rRS/aZ75Bau3ctIFAEPuNLS2+AnSh1C
+        Oeo1AaboJfWFRlQhsCT3Fpowuc8kRgHalVbARZqTtdRRZHNuf+ob5BYJq1SDFJiN
-        hWMCXsGu3JVwq53TS0Lg5scquaXWPcuEQPJ6ZEmQOGfq+zjJKCp0Wq3W1GqkMAR+
+        vxg01gUsqzcvcfZSc1IpLr0vF7tdSvmrKE4nq6GgkJEhHm6wwNftobjSxTYQPO3l
-        9WFvAeh8/fLFTuDnqGLqHoeO9YQ3AK8uraMRf+hVco7RjXOAYks1JvbGDCijlUhv
+        mXI7wghCU4G03zVhbIAwsUvdZ9K6K3ylUOf1MOkVEy78N5rR63FVzqpibPsTQCnc
-        pUrmkELbYnZgnVvAy/uwpYhVdJkQq4Hev+ELFFfTjcX5i3lO9V9iZJ2UUrXj5cnS
+        myhdrYX8fN3GG/QlXF8NwNPFFwOW57577YQJ1d/K0ksiOEWKBzJlBgOu6Z99i8bU
-        XgEBs+srIKZqr9mNQlfc6t3+JfaRtRPs5ozaSgJIJx+K9x2e7Guci+ZSAoEP7kn6
+        ZgEJAhAZ128S/PPndkywgDN8PEvtH2tRvwt+tS+gMI3o2WiPltT28KmWJv9PoG/s
-        163uoxaZiP3W7vW/fVe8IDnPsPAc2FuvI0MbpDlEmUcoHWU/s3aY6foYtwg+w0I=
+        9ZAp6mtI6UDoc8yDVuy5BfTH+MuG0IpJLjkqZkY8XSuRD4zAXYIj+a2xHNuWOMhq
-        =/9CT
+        8471dLH2IQ==
+        =UCus
         -----END PGP MESSAGE-----
       fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
   unencrypted_suffix: _unencrypted
-  version: 3.10.2
+  version: 3.11.0

inventories/chaosknoten/group_vars/all.yaml

@@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
 
@@ -14,3 +14,46 @@ msmtp__smtp_port: 465
 msmtp__smtp_tls_method: smtps
 msmtp__smtp_user: any@hosts.hamburg.ccc.de
 msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de"
+
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ metrics__chaos_password }}"
+      }
+    }
+  }
+
+  prometheus.relabel "chaosknoten_common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      target_label = "site"
+      replacement = "wieske"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.hosts.hamburg.ccc.de"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.chaosknoten_common.receiver]
+  }

inventories/chaosknoten/host_vars/acmedns.sops.yaml

@@ -0,0 +1,214 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
+secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
+secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
+sops:
+  age:
+    - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
+        TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
+        VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
+        bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
+        WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T16:16:15Z"
+  mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
+  pgp:
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
+        rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
+        Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
+        m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
+        rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
+        den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
+        GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
+        xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
+        /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
+        oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
+        W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
+        aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
+        wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
+        PPvkTEc7AdD6
+        =GWYV
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
+        DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
+        HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
+        qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
+        XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
+        gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
+        0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
+        0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
+        A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
+        SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
+        iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
+        XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
+        2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
+        =5SxJ
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
+        S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
+        eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
+        CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
+        7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
+        rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
+        tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
+        9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
+        DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
+        V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
+        BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
+        XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
+        A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
+        =H3mo
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
+        QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
+        SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
+        yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
+        lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
+        o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
+        VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
+        QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
+        oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
+        WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
+        RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
+        XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
+        Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
+        =bY3Q
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
+        5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
+        0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
+        wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
+        =C2Ii
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
+        LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
+        efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
+        lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
+        FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
+        FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
+        hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
+        LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
+        LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
+        XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
+        FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
+        XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
+        M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
+        =/EHL
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
+        cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
+        1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
+        jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
+        glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
+        yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
+        sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
+        Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
+        TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
+        3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
+        NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
+        XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
+        ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
+        =WwLj
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
+        rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
+        DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
+        k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
+        NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
+        1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
+        QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
+        fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
+        TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
+        ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
+        1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
+        XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
+        gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
+        =Bk3g
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
+        FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
+        0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
+        Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
+        =xd/t
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
+        /rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
+        0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
+        zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
+        =9oyC
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
+        /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
+        OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
+        U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
+        HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
+        +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
+        O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
+        H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
+        hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
+        96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
+        XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
+        aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
+        30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
+        9iHTzz6Gpajo
+        =bBZ5
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0

inventories/chaosknoten/host_vars/acmedns.yaml

@@ -0,0 +1,23 @@
+---
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+  - name: acmedns.cfg
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
+  - name: oauth2-proxy.cfg
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
+  - name: html/index.html
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
+docker_compose__pull: missing
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  # - "spaceapi.ccc.de" # after DNS has been adjusted
+  - "acmedns.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: acmedns.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"

inventories/chaosknoten/host_vars/cloud.yaml

@@ -1,11 +1,11 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.14
+nextcloud__postgres_version: 15.15
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
 nextcloud__use_custom_new_user_skeleton: true
 nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
-nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
+nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de

inventories/chaosknoten/host_vars/grafana.yaml

@@ -53,17 +53,7 @@ nginx__configurations:
   - name: metrics.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
 
-
+alloy_config_additional: |
-alloy_config: |
-  prometheus.remote_write "default" {
-    endpoint {
-      url = "https://metrics.hamburg.ccc.de/api/v1/write"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__metrics_chaos }}"
-      }
-    }
-  }
   loki.write "default" {
     endpoint {
       url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
@@ -99,9 +89,9 @@ alloy_config: |
     }
     rule {
       source_labels = ["__journal__hostname"]
-      target_label = "host"
+      target_label = "instance"
       regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
+      replacement = "${1}.hosts.hamburg.ccc.de"
       action = "replace"
     }
   }
@@ -112,30 +102,3 @@ alloy_config: |
     format_as_json = true
     labels        = {component = "loki.source.journal", org = "ccchh"}
   }
-
-  logging {
-    level = "info"
-  }
-  prometheus.exporter.unix "local_system" {
-    enable_collectors = ["systemd"]
-  }
-
-  prometheus.relabel "default" {
-    forward_to = [prometheus.remote_write.default.receiver]
-    rule {
-      target_label = "org"
-      replacement = "ccchh"
-    }
-    rule {
-      source_labels = ["instance"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  prometheus.scrape "scrape_metrics" {
-    targets           = prometheus.exporter.unix.local_system.targets
-    forward_to        = [prometheus.relabel.default.receiver]
-  }

inventories/chaosknoten/host_vars/netbox.yaml

@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.4.5"
+netbox__version: "v4.5.0"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
 

inventories/chaosknoten/host_vars/ntfy.sops.yaml

@@ -1,5 +1,3 @@
-secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
-secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
 secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
 ntfy:
   user:
@@ -18,8 +16,8 @@ sops:
         bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
         sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-10-20T19:01:39Z"
+  lastmodified: "2026-01-25T18:41:48Z"
-  mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str]
+  mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
   pgp:
     - created_at: "2025-10-20T19:03:04Z"
       enc: |-

inventories/chaosknoten/host_vars/ntfy.yaml

@@ -15,90 +15,8 @@ nginx__configurations:
   - name: ntfy.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
 
-alloy_config: |
+alloy_config_additional: |
-  prometheus.remote_write "default" {
-    endpoint {
-      url = "https://metrics.hamburg.ccc.de/api/v1/write"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__metrics_chaos }}"
-      }
-    }
-  }
-  loki.write "default" {
-    endpoint {
-      url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__loki_chaos }}"
-      }
-    }
-  }
-
-  loki.relabel "journal" {
-    forward_to = []
-
-    rule {
-      source_labels = ["__journal__systemd_unit"]
-      target_label  = "systemd_unit"
-    }
-    rule {
-      source_labels = ["__journal__hostname"]
-      target_label = "instance"
-    }
-    rule {
-      source_labels = ["__journal__transport"]
-      target_label = "systemd_transport"
-    }
-    rule {
-      source_labels = ["__journal_syslog_identifier"]
-      target_label = "syslog_identifier"
-    }
-    rule {
-      source_labels = ["__journal_priority_keyword"]
-      target_label  = "level"
-    }
-    rule {
-      source_labels = ["__journal__hostname"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  loki.source.journal "read_journal"  {
-    forward_to    = [loki.write.default.receiver]
-    relabel_rules = loki.relabel.journal.rules
-    format_as_json = true
-    labels        = {component = "loki.source.journal", org = "ccchh"}
-  }
-
-  prometheus.exporter.unix "local_system" {
-    enable_collectors = ["systemd"]
-  }
-
-  prometheus.relabel "default" {
-    forward_to = [prometheus.remote_write.default.receiver]
-    rule {
-      target_label = "org"
-      replacement = "ccchh"
-    }
-    rule {
-      source_labels = ["instance"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  prometheus.scrape "unix_metrics" {
-    targets           = prometheus.exporter.unix.local_system.targets
-    forward_to        = [prometheus.relabel.default.receiver]
-  }
-
   prometheus.scrape "ntfy_metrics" {
     targets     = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
-    forward_to  = [prometheus.relabel.default.receiver]
+    forward_to  = [prometheus.relabel.chaosknoten_common.receiver]
   }

inventories/chaosknoten/host_vars/router.yaml

@@ -0,0 +1,5 @@
+systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 0min

inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml

@@ -0,0 +1,215 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str]
+secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str]
+secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str]
+secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str]
+sops:
+  age:
+    - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX
+        S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95
+        YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx
+        TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+
+        C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T11:18:43Z"
+  mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str]
+  pgp:
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A
+        wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ
+        xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8
+        iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq
+        fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y
+        9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q
+        /KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe
+        FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc
+        lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2
+        JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi
+        ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU
+        aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o
+        CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1
+        wWY4KUeOqk6Y
+        =Wm7O
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi
+        457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI
+        df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb
+        FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb
+        rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9
+        xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh
+        kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t
+        a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22
+        oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv
+        85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk
+        k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS
+        XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ
+        lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg=
+        =ytkN
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee
+        VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO
+        tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K
+        eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd
+        nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di
+        MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h
+        vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl
+        WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO
+        3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ
+        wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp
+        oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS
+        XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE
+        RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA=
+        =LEoh
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z
+        RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg
+        b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO
+        9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV
+        A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp
+        EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX
+        FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc
+        4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc
+        xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z
+        wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x
+        4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS
+        XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV
+        wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA=
+        =KudR
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw
+        mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5
+        0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB
+        iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4
+        =gfNC
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje
+        d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf
+        2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+
+        UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4
+        RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI
+        rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc
+        63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2
+        wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9
+        S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF
+        xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50
+        Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je
+        AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3
+        aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA==
+        =7Qbv
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw
+        N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux
+        wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK
+        BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr
+        irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M
+        EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY
+        mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/
+        TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe
+        xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo
+        Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8
+        hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S
+        XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm
+        XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo=
+        =T4dN
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q
+        tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm
+        s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3
+        Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl
+        z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w
+        jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5
+        zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ
+        gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go
+        AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU
+        uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np
+        mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS
+        XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU
+        rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c=
+        =PbAZ
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw
+        ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo
+        0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f
+        dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU
+        =Cbzj
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw
+        fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK
+        0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw
+        fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz
+        =g5Ck
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR
+        X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz
+        FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k
+        dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j
+        kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v
+        fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt
+        caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli
+        MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb
+        wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV
+        NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig
+        6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU
+        aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm
+        oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG
+        xU5hdDPzz/jT
+        =zb8A
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0

inventories/chaosknoten/host_vars/spaceapiccc.yaml

@@ -0,0 +1,15 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}"
+docker_compose__build: never
+docker_compose__pull: never
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "spaceapi.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: spaceapi.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf') }}"

inventories/chaosknoten/hosts.yaml

@@ -1,31 +1,31 @@
 all:
   hosts:
     ccchoir:
-      ansible_host: ccchoir-intern.hamburg.ccc.de
+      ansible_host: ccchoir.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     chaosknoten:
       ansible_host: chaosknoten.hamburg.ccc.de
     cloud:
-      ansible_host: cloud-intern.hamburg.ccc.de
+      ansible_host: cloud.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     eh22-wiki:
-      ansible_host: eh22-wiki-intern.hamburg.ccc.de
+      ansible_host: eh22-wiki.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     grafana:
-      ansible_host: grafana-intern.hamburg.ccc.de
+      ansible_host: grafana.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     tickets:
-      ansible_host: tickets-intern.hamburg.ccc.de
+      ansible_host: tickets.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     keycloak:
-      ansible_host: keycloak-intern.hamburg.ccc.de
+      ansible_host: keycloak.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     lists:
       ansible_host: lists.hamburg.ccc.de
       ansible_user: chaos
@@ -33,49 +33,61 @@ all:
       ansible_host: mumble.hamburg.ccc.de
       ansible_user: chaos
     netbox:
-      ansible_host: netbox-intern.hamburg.ccc.de
+      ansible_host: netbox.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     onlyoffice:
-      ansible_host: onlyoffice-intern.hamburg.ccc.de
+      ansible_host: onlyoffice.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     pad:
-      ansible_host: pad-intern.hamburg.ccc.de
+      ansible_host: pad.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     pretalx:
-      ansible_host: pretalx-intern.hamburg.ccc.de
+      ansible_host: pretalx.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     public-reverse-proxy:
       ansible_host: public-reverse-proxy.hamburg.ccc.de
       ansible_user: chaos
+    router:
+      ansible_host: router.hamburg.ccc.de
+      ansible_user: chaos
     wiki:
-      ansible_host: wiki-intern.hamburg.ccc.de
+      ansible_host: wiki.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     zammad:
-      ansible_host: zammad-intern.hamburg.ccc.de
+      ansible_host: zammad.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     ntfy:
-      ansible_host: ntfy-intern.hamburg.ccc.de
+      ansible_host: ntfy.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     sunders:
-      ansible_host: sunders-intern.hamburg.ccc.de
+      ansible_host: sunders.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     renovate:
-      ansible_host: renovate-intern.hamburg.ccc.de
+      ansible_host: renovate.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+    spaceapiccc:
+      ansible_host: spaceapiccc.hosts.hamburg.ccc.de
+      ansible_user: chaos
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+    acmedns:
+      ansible_host: acmedns.hosts.hamburg.ccc.de
+      ansible_user: chaos
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
   hosts:
     chaosknoten:
 base_config_hosts:
   hosts:
+    acmedns:
     ccchoir:
     cloud:
     eh22-wiki:
@@ -88,14 +100,23 @@ base_config_hosts:
     pad:
     pretalx:
     public-reverse-proxy:
+    router:
     tickets:
     wiki:
     zammad:
     ntfy:
     sunders:
     renovate:
-docker_compose_hosts:
+    spaceapiccc:
+systemd_networkd_hosts:
   hosts:
+    router:
+nftables_hosts:
+  hosts:
+    router:
+docker_compose_hosts:
+  hosts: 
+    acmedns:
     ccchoir:
     grafana:
     tickets:
@@ -107,11 +128,13 @@ docker_compose_hosts:
     zammad:
     ntfy:
     sunders:
+    spaceapiccc:
 nextcloud_hosts:
   hosts:
     cloud:
 nginx_hosts:
   hosts:
+    acmedns:
     ccchoir:
     eh22-wiki:
     grafana:
@@ -128,11 +151,13 @@ nginx_hosts:
     zammad:
     ntfy:
     sunders:
+    spaceapiccc:
 public_reverse_proxy_hosts:
   hosts:
     public-reverse-proxy:
 certbot_hosts:
   hosts:
+    acmedns:
     ccchoir:
     eh22-wiki:
     grafana:
@@ -148,11 +173,11 @@ certbot_hosts:
     zammad:
     ntfy:
     sunders:
-prometheus_node_exporter_hosts:
+    spaceapiccc:
+alloy_hosts:
   hosts:
     ccchoir:
     eh22-wiki:
-    tickets:
     keycloak:
     netbox:
     onlyoffice:
@@ -160,6 +185,15 @@ prometheus_node_exporter_hosts:
     pretalx:
     wiki:
     zammad:
+    grafana:
+    ntfy:
+    tickets:
+    renovate:
+    cloud:
+    public-reverse-proxy:
+    router:
+    sunders:
+    spaceapiccc:
 infrastructure_authorized_keys_hosts:
   hosts:
     ccchoir:
@@ -173,11 +207,13 @@ infrastructure_authorized_keys_hosts:
     pad:
     pretalx:
     public-reverse-proxy:
+    router:
     wiki:
     zammad:
     ntfy:
     sunders:
     renovate:
+    spaceapiccc:
 wiki_hosts:
   hosts:
     eh22-wiki:
@@ -188,10 +224,6 @@ netbox_hosts:
 proxmox_vm_template_hosts:
   hosts:
     chaosknoten:
-alloy_hosts:
-  hosts:
-    grafana:
-    ntfy:
 ansible_pull_hosts:
   hosts:
     netbox:
@@ -212,6 +244,7 @@ ansible_pull_hosts:
     public-reverse-proxy:
     zammad:
     ntfy:
+    spaceapiccc:
 msmtp_hosts:
   hosts:
 renovate_hosts:

inventories/external/group_vars/all.sops.yaml

@@ -0,0 +1,210 @@
+msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
+sops:
+  age:
+    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w
+        c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN
+        clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ
+        aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y
+        mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-15T21:28:28Z"
+  mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
+  pgp:
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I
+        b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY
+        /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu
+        Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/
+        e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B
+        inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw
+        P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow
+        RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W
+        XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn
+        gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV
+        HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS
+        XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH
+        tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a
+        =Xw0f
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+
+        U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L
+        eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW
+        TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc
+        OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo
+        b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR
+        8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem
+        Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk
+        +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq
+        5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb
+        ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS
+        XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7
+        RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u
+        =k6m5
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ
+        z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr
+        AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX
+        EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd
+        txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3
+        CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX
+        AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt
+        KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf
+        53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ
+        iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn
+        Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS
+        XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX
+        OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0
+        =seAB
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ
+        ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7
+        vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh
+        GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R
+        ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA
+        q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN
+        F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT
+        968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb
+        Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH
+        RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM
+        WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS
+        XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T
+        X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt
+        =t5WG
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw
+        OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu
+        0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD
+        kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg==
+        =8Qs3
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2
+        SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm
+        +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB
+        nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm
+        ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH
+        xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP
+        2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv
+        4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP
+        AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5
+        fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV
+        J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S
+        XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD
+        QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn
+        =NJUn
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33
+        rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU
+        b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB
+        VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6
+        z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc
+        y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk
+        pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6
+        DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS
+        55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2
+        Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS
+        2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS
+        XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ
+        e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h
+        =gUj7
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw
+        YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4
+        W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly
+        m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl
+        AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB
+        QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW
+        fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT
+        XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw
+        Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv
+        v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt
+        zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS
+        XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb
+        YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV
+        =pL2f
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw
+        0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin
+        0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8
+        KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg==
+        =slU2
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw
+        bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL
+        0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp
+        JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw==
+        =1DIj
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204
+        CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99
+        e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R
+        6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1
+        M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN
+        Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L
+        vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G
+        k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm
+        MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/
+        3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF
+        XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS
+        XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn
+        96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz
+        =IYeC
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0

inventories/external/group_vars/all.yaml

@@ -0,0 +1,16 @@
+# ansible_pull
+# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
+ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
+ansible_pull__inventory: inventories/external
+ansible_pull__playbook: playbooks/maintenance.yaml
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
+ansible_pull__timer_randomized_delay_sec: 30min
+
+# msmtp
+# msmtp__smtp_password is defined in the all.sops.yaml.
+msmtp__smtp_host: cow.hamburg.ccc.de
+msmtp__smtp_port: 465
+msmtp__smtp_tls_method: smtps
+msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
+msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"

inventories/external/host_vars/status.sops.yaml

@@ -0,0 +1,213 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
+secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
+secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
+secret__gatus_acme_dns_update_test_x_api_key: ENC[AES256_GCM,data:rBMHvYT7g+o6Rc+edjikYT2jn4wKnkOJWOMf5Ys1zjKpsRCKEF0PZA==,iv:Tp4ELKMfhxtwaJljW4sMCVgW3KCTL89NfW2/LQTmO1Y=,tag:YMbvE0xgLTYCFXche/mvFA==,type:str]
+sops:
+  age:
+    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx
+        UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq
+        M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk
+        RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2
+        13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-02-01T21:17:51Z"
+  mac: ENC[AES256_GCM,data:YO5RoJnkjZeouYJa3ui/cRGLcpSzbs1Ou4D+XU9fZ6ZEc8snmLoN/e8vK91+9qigQECOc/WHHaln4ghYs6wNH+xje4ImCYL92p1RbMPvT8OoS3qu+pTF3sUfQfV/Rju61njNHA7XNAmGCxSiJQxgq2o92aoEB7qKs+AwCFEmTpE=,iv:QrRkSv4novqk3+YCnfFW59df1mvcGONTDO3zCUyXUME=,tag:oBy402SSczs3qyHhBpQqnw==,type:str]
+  pgp:
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/
+        HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW
+        w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi
+        o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr
+        dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT
+        QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+
+        97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE
+        dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf
+        j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT
+        B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9
+        cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS
+        XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI
+        tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ=
+        =HCWY
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M
+        UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6
+        KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4
+        JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu
+        RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf
+        LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J
+        SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5
+        YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD
+        CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF
+        W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q
+        melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS
+        XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e
+        GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74=
+        =v7Jf
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ
+        zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv
+        y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y
+        Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo
+        FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw
+        sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz
+        8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1
+        +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au
+        qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU
+        yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F
+        HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S
+        XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF
+        9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4=
+        =l9vN
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp
+        +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w
+        +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1
+        oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw
+        8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx
+        wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26
+        MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK
+        ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj
+        IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB
+        b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm
+        YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS
+        XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF
+        JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4=
+        =8IWz
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw
+        9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM
+        0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr
+        1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ
+        =FVIu
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz
+        ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F
+        15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN
+        pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW
+        Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR
+        PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+
+        27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU
+        amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I
+        bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P
+        dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc
+        bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS
+        XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD
+        QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA=
+        =EPrs
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0
+        RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC
+        Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9
+        fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC
+        3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9
+        bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW
+        p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl
+        USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm
+        dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa
+        PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9
+        NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS
+        XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n
+        H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo=
+        =0Nal
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK
+        ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV
+        Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl
+        IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH
+        i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9
+        1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq
+        lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG
+        m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi
+        9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7
+        N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy
+        FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS
+        XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7
+        uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k=
+        =e4Qe
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw
+        27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di
+        0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h
+        7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci
+        =68na
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw
+        oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK
+        0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz
+        LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ
+        =Kpzf
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO
+        rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I
+        hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc
+        yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD
+        Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo
+        2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR
+        yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY
+        YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz
+        WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu
+        1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv
+        YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS
+        XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY
+        rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk=
+        =lbdI
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0

inventories/external/host_vars/status.yaml

@@ -0,0 +1,27 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+  - name: "general.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
+  - name: "sites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
+  - name: "services-chaosknoten.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
+  - name: "websites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
+  - name: "easterhegg-websites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
+nginx__configurations:
+  - name: status.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
+  - name: http_handler
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "status.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"

inventories/external/hosts.yaml

@@ -0,0 +1,24 @@
+all:
+  hosts:
+    status:
+      # TODO: Manually set up ufw on the host. Create a role for ufw.
+      ansible_host: status.hamburg.ccc.de
+      ansible_user: chaos
+base_config_hosts:
+  hosts:
+    status:
+docker_compose_hosts:
+  hosts:
+    status:
+nginx_hosts:
+  hosts:
+    status:
+certbot_hosts:
+  hosts:
+    status:
+infrastructure_authorized_keys_hosts:
+  hosts:
+    status:
+ansible_pull_hosts:
+  hosts:
+    status:

inventories/z9/group_vars/all.sops.yaml

@@ -0,0 +1,200 @@
+metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
+sops:
+  lastmodified: "2026-01-25T19:52:03Z"
+  mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str]
+  pgp:
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi
+        sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB
+        2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C
+        ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI
+        Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk
+        UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD
+        VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr
+        7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG
+        HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8
+        XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu
+        p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S
+        XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE
+        N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc=
+        =1Rdp
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z
+        lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8
+        3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ
+        OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou
+        orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw
+        lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc
+        LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe
+        UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3
+        RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE
+        LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g
+        vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S
+        XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S
+        gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU=
+        =ev2Q
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA
+        6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA
+        womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ
+        +/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO
+        PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU
+        5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U
+        5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK
+        HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/
+        xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ
+        MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3
+        hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS
+        XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/
+        tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA=
+        =a2qJ
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30
+        RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW
+        8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW
+        n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy
+        f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W
+        E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4
+        bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6
+        ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1
+        Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ
+        sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ
+        Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS
+        XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI
+        SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s=
+        =rV/a
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw
+        IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC
+        0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn
+        lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ
+        =dGU4
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg
+        WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma
+        vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih
+        t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs
+        j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9
+        avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT
+        zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj
+        ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ
+        IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO
+        u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM
+        dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S
+        XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++
+        zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs=
+        =dywj
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20
+        HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE
+        K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u
+        t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3
+        36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2
+        hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd
+        JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2
+        ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM
+        KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7
+        4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6
+        SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS
+        XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN
+        mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc=
+        =lIEt
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa
+        FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a
+        tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+
+        ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0
+        kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk
+        qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd
+        BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq
+        fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j
+        7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax
+        6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1
+        Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS
+        XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b
+        Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k=
+        =az/q
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw
+        Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q
+        0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx
+        JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV
+        =2Eki
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw
+        5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo
+        0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0
+        WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW
+        =S45t
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x
+        DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd
+        j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG
+        TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO
+        AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA
+        nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt
+        UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH
+        FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6
+        7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf
+        O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx
+        vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS
+        XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7
+        XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw=
+        =9ri7
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0

inventories/z9/group_vars/all.yaml

@@ -0,0 +1,43 @@
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ metrics__chaos_password }}"
+      }
+    }
+  }
+
+  prometheus.relabel "z9_common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      target_label = "site"
+      replacement = "z9"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.z9.ccchh.net"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.z9_common.receiver]
+  }
+

inventories/z9/host_vars/dooris.yaml

@@ -7,9 +7,11 @@ certbot__certificate_domains:
   - "dooris.ccchh.net"
 certbot__new_cert_commands:
   - "systemctl reload nginx.service"
-certbot__http_01_port: 80
 
 nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
 nginx__configurations:
   - name: dooris.ccchh.net
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
+  - name: http_handler
+    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"

inventories/z9/host_vars/light.yaml

@@ -50,10 +50,22 @@ ola__configs:
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
   - name: ola-usbserial
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
+
 nginx__version_spec: ""
 nginx__deploy_redirect_conf: false
 nginx__configurations:
   - name: light
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
   - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"
+    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "light-werkstatt.ccchh.net"
+  - "light.ccchh.net"
+  - "light.z9.ccchh.net"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+

inventories/z9/host_vars/yate.yaml

@@ -6,4 +6,3 @@ docker_compose__configuration_files:
     content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
   - name: regfile.conf
     content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
-docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"

inventories/z9/hosts.yaml

@@ -4,7 +4,7 @@ all:
       ansible_host: authoritative-dns.z9.ccchh.net
       ansible_user: chaos
     dooris:
-      ansible_host: 10.31.208.201
+      ansible_host: dooris.z9.ccchh.net
       ansible_user: chaos
     light:
       ansible_host: light.z9.ccchh.net
@@ -20,6 +20,7 @@ all:
 certbot_hosts:
   hosts:
     dooris:
+    light:
 docker_compose_hosts:
   hosts:
     dooris:
@@ -49,5 +50,11 @@ ola_hosts:
 proxmox_vm_template_hosts:
   hosts:
     thinkcccore0:
+alloy_hosts:
+  hosts:
+    authoritative-dns:
+    light:
+    yate:
+    dooris:
 ansible_pull_hosts:
   hosts:

playbooks/deploy.yaml

@@ -4,6 +4,16 @@
   roles:
     - base_config
 
+- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
+  hosts: systemd_networkd_hosts
+  roles:
+    - systemd_networkd
+
+- name: Ensure nftables deployment on nftables_hosts
+  hosts: nftables_hosts
+  roles:
+    - nftables
+
 - name: Ensure deployment of infrastructure authorized keys
   hosts: infrastructure_authorized_keys_hosts
   roles:
@@ -54,11 +64,6 @@
   roles:
     - nginx
 
-- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
-  hosts: prometheus_node_exporter_hosts
-  roles:
-    - prometheus_node_exporter
-
 - name: Configure unattended upgrades for all non-hypervisors
   hosts: all:!hypervisors
   become: true
@@ -73,10 +78,8 @@
 - name: Ensure Alloy is installed and Setup on alloy_hosts
   hosts: alloy_hosts
   become: true
-  tasks:
+  roles:
-    - name: Setup Alloy
+    - alloy
-      ansible.builtin.include_role:
-        name: grafana.grafana.alloy
 
 - name: Ensure ansible_pull deployment on ansible_pull_hosts
   hosts: ansible_pull_hosts

renovate.json

@@ -1,13 +1,17 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended", // Included in config:best-practices anyway, but added for clarity.
+    "config:recommended",
-    "config:best-practices",
+    // Parts from config:best-practices:
+    // https://docs.renovatebot.com/presets-config/#configbest-practices
+    ":configMigration",
+    "abandonments:recommended",
+    "security:minimumReleaseAgeNpm",
+
     ":ignoreUnstable",
     ":disableRateLimiting",
     ":rebaseStalePrs",
-    ":label(renovate)",
+    ":label(renovate)"
-    "group:allDigest"
   ],
   "semanticCommits": "disabled",
   "packageRules": [
@@ -29,11 +33,10 @@
       "matchPackageNames": ["docker.io/pretix/standalone"],
       "versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
     },
-    // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images.
     {
       "matchDatasources": ["docker"],
-      "matchPackageNames": ["git.hamburg.ccc.de/*"],
+      "matchPackageNames": ["docker.io/pretalx/standalone"],
-      "pinDigests": false
+      "versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
     }
   ],
   "customManagers": [

requirements.yml

@@ -1,8 +1,17 @@
 collections:
-  # Install a collection from Ansible Galaxy.
+  # debops.debops
-  - name: debops.debops
+  - source: https://github.com/debops/debops
-    version: ">=3.1.0"
+    type: git
-    source: https://galaxy.ansible.com
+    version: "v3.2.5"
-  - name: community.sops
+  # community.sops
-    version: ">=2.2.4"
+  - source: https://github.com/ansible-collections/community.sops
-    source: https://galaxy.ansible.com
+    type: git
+    version: "2.2.7"
+  # community.docker
+  - source: https://github.com/ansible-collections/community.docker
+    type: git
+    version: "5.0.5"
+  # grafana.grafana
+  - source: https://github.com/grafana/grafana-ansible-collection
+    type: git
+    version: "6.0.6"

resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2

@@ -0,0 +1,27 @@
+# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
+[general]
+protocol = "both"
+domain = "auth.acmedns.hamburg.ccc.de"
+nsname = "acmedns.hosts.hamburg.ccc.de"
+nsadmin = "noc.lists.hamburg.ccc.de"
+records = [
+    "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
+    "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
+]
+
+[database]
+engine = "sqlite3"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+port = "80"
+tls = "none"
+corsorigins = [
+    "*"
+]
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"

resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2

@@ -0,0 +1,22 @@
+---
+services:
+  oauth2-proxy:
+    container_name: oauth2-proxy
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    volumes:
+      - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    ports:
+      - 4180:4180
+
+  acmedns:
+    image: docker.io/joohoi/acme-dns:latest
+    ports:
+      - "[::]:53:53"
+      - "[::]:53:53/udp"
+      - 8080:80
+    volumes:
+      - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
+      - ./data/acmedns:/var/lib/acme-dns

resources/chaosknoten/acmedns/docker_compose/index.html.j2

@@ -0,0 +1,74 @@
+<html>
+<head>
+<title>ACME DNS Register</title>
+<style>
+table, tr, th, td {
+    border-collapse: collapse;
+}
+caption {
+    caption-side: bottom;
+    padding: 2px 4px;
+}
+th, td {
+    border: 1px solid black;
+    padding: 2px 4px;
+}
+th {
+    text-align: left;
+}
+td {
+    font-family: "Courier", monospace;
+}
+</style>
+</head>
+<body>
+<h1>Register an Entry in ACME DNS</h1>
+
+<p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
+<p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
+
+<p><button id="register">Register a new entry</button></p>
+
+<table id="results" style="display: none">
+<tr>
+    <th>Full Domain</th><td id="fulldomain">undefined</td>
+</tr>
+<tr>
+    <th>Subdomain</th><td id="subdomain">undefined</td>
+</tr>
+<tr>
+    <th>X-Api-User</th><td id="username">undefined</td>
+</tr>
+<tr>
+    <th>X-Api-Key</th><td id="password">undefined</td>
+</tr>
+<caption><b>Important!</b> This information will only be shown once. Please
+copy or otherwise save it immediately.</caption>
+</table>
+
+<p><b>Note: there is no way to delete registrations.</b> Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.</p>
+
+<script>
+document.getElementById("register").addEventListener("click", (event) => {
+    const register = async () => {
+        const response = await fetch("/register", {
+            method: "POST"
+        });
+        if (!response.ok) {
+            console.log(response);
+            alert("Unable to register a new entry.");
+            return;
+        }
+        const registration = await response.json()
+        for (const key in registration) {
+            const e = document.getElementById(key);
+            if (e !== null) {
+                e.innerText = registration[key];
+            }
+        }
+        document.getElementById("results").style.display = "block";
+    }
+    register();
+});
+</script>
+</body>

resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2

@@ -0,0 +1,13 @@
+reverse_proxy = true
+http_address="0.0.0.0:4180"
+cookie_secret="{{ secret__oidc_cookie_secret }}"
+email_domains="*"
+
+# dex provider
+oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
+provider="oidc"
+provider_display_name="CCCHH ID"
+client_id="acmedns"
+client_secret="{{ secret__oidc_client_secret }}"
+redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"
+

resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf

@@ -0,0 +1,87 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen [::]:8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name acmedns.hamburg.ccc.de;
+
+    root /ansible_docker_compose/configs/html/;
+
+    ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+    proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
+    port_in_redirect off;
+
+    location /oauth2/ {
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host                    $host;
+        proxy_set_header X-Real-IP               $remote_addr;
+        proxy_set_header X-Auth-Request-Redirect $request_uri;
+        # or, if you are handling multiple domains:
+        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+    }
+
+    location = /oauth2/auth {
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host             $host;
+        proxy_set_header X-Real-IP        $remote_addr;
+        proxy_set_header X-Forwarded-Uri  $request_uri;
+        # nginx auth_request includes headers but not body
+        proxy_set_header Content-Length   "";
+        proxy_pass_request_body           off;
+    }
+
+    location = / {
+        auth_request /oauth2/auth;
+        error_page 401 = @oauth2_signin;
+
+        index index.html;
+    }
+
+    location = /register {
+        auth_request /oauth2/auth;
+        error_page 401 = @oauth2_signin;
+
+        proxy_pass http://127.0.0.1:8080/register;
+    }
+
+    location = /update { # no auth by proxy required
+        proxy_pass http://127.0.0.1:8080/update;
+    }
+
+    location = /health { # no auth by proxy required
+        proxy_pass http://127.0.0.1:8080/health;
+    }
+
+    location @oauth2_signin {
+        return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
+    }
+}

resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71
+    image: docker.io/library/mariadb:11
     environment:
       - "MARIADB_DATABASE=wordpress"
       - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}"
@@ -17,7 +17,7 @@ services:
     restart: unless-stopped
 
   app:
-    image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4
+    image: docker.io/library/wordpress:6-php8.1
     environment:
       - "WORDPRESS_DB_HOST=database"
       - "WORDPRESS_DB_NAME=wordpress"

resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -43,12 +43,12 @@ server {
 
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2

@@ -3,11 +3,11 @@
 # - https://github.com/prometheus/alertmanager/blob/48a99764a1fc9279fc828de83e7a03ae2219abc7/doc/examples/simple.yml
 
 route:
-  receiver: 'ccchh-infrastructure-alerts'
+  receiver: 'ntfy-ccchh'
-  group_by: [ "alertname", "site", "type", "hypervisor" ]
+  group_by: [ "alertname", "site", "job", "hypervisor" ]
   group_wait: 30s
   group_interval: 5m
-  repeat_interval: 6h
+  repeat_interval: 26h
   routes:
     - receiver: "null"
       matchers:
@@ -16,49 +16,38 @@ route:
       matchers:
         - org = "ccchh"
         - severity = "critical",
-      repeat_interval: 18h
+      repeat_interval: 26h
       continue: true
     - receiver: ntfy-ccchh
       matchers:
       - org = "ccchh"
       - severity =~ "info|warning",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
     - receiver: ntfy-fux-critical
       matchers:
         - org = "fux"
         - severity = "critical",
-      repeat_interval: 18h
+      repeat_interval: 26h
       continue: true
     - receiver: email-fux-critical
       matchers:
         - org = "fux"
         - severity = "critical",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
     - receiver: ntfy-fux
       matchers:
         - org = "fux"
         - severity =~ "info|warning",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
-    - receiver: ccchh-infrastructure-alerts
-      matchers:
-        - org = "ccchh"
-        - severity =~ "info|warning|critical"
 
 templates:
   - "/etc/alertmanager/templates/*.tmpl"
 
 receivers:
   - name: "null"
-  - name: "ccchh-infrastructure-alerts"
-    telegram_configs:
-      - send_resolved: true
-        bot_token: {{ secret__alertmanager_telegram_bot_token }}
-        chat_id: -1002434372415
-        parse_mode: HTML
-        message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }}
 
   - name: "ntfy-ccchh-critical"
     webhook_configs:

resources/chaosknoten/grafana/docker_compose/compose.yaml.j2

@@ -2,12 +2,13 @@
 services:
 
   prometheus:
-    image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7
+    image: docker.io/prom/prometheus:v3.9.1
     container_name: prometheus
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
       - '--web.enable-remote-write-receiver'
       - '--enable-feature=promql-experimental-functions'
+      - '--storage.tsdb.retention.time=28d'
     ports:
       - 9090:9090
     restart: unless-stopped
@@ -18,7 +19,7 @@ services:
       - prom_data:/prometheus
 
   alertmanager:
-    image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba
+    image: docker.io/prom/alertmanager:v0.30.1
     container_name: alertmanager
     command:
       - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -31,7 +32,7 @@ services:
       - alertmanager_data:/alertmanager
 
   grafana:
-    image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b
+    image: docker.io/grafana/grafana:12.3.1
     container_name: grafana
     ports:
       - 3000:3000
@@ -45,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df
+    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
     container_name: pve-exporter
     ports:
       - 9221:9221
@@ -58,7 +59,7 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
   loki:
-    image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8
+    image: docker.io/grafana/loki:3.6.4
     container_name: loki
     ports:
       - 13100:3100
@@ -69,7 +70,7 @@ services:
       - loki_data:/var/loki
 
   ntfy-alertmanager-ccchh-critical:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-ccchh-critical
     volumes:
       - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config
@@ -78,7 +79,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-fux-critical:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-fux-critical
     volumes:
       - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config
@@ -87,7 +88,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-ccchh:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-ccchh
     volumes:
       - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config
@@ -96,7 +97,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-fux:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-fux
     volumes:
       - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config

resources/chaosknoten/grafana/docker_compose/prometheus.yml

@@ -82,41 +82,6 @@ scrape_configs:
         target_label: instance
       - target_label: __address__
         replacement: pve-exporter:9221
-  - job_name: hosts
-    static_configs:
-      # Wieske Chaosknoten VMs
-      - labels:
-          org: ccchh
-          site: wieske
-          type: virtual_machine
-          hypervisor: chaosknoten
-        targets:
-          - netbox-intern.hamburg.ccc.de:9100
-          - matrix-intern.hamburg.ccc.de:9100
-          - public-web-static-intern.hamburg.ccc.de:9100
-          - git-intern.hamburg.ccc.de:9100
-          - forgejo-actions-runner-intern.hamburg.ccc.de:9100
-          - eh22-wiki-intern.hamburg.ccc.de:9100
-          - mjolnir-intern.hamburg.ccc.de:9100
-          - woodpecker-intern.hamburg.ccc.de:9100
-          - penpot-intern.hamburg.ccc.de:9100
-          - jitsi.hamburg.ccc.de:9100
-          - onlyoffice-intern.hamburg.ccc.de:9100
-          - ccchoir-intern.hamburg.ccc.de:9100
-          - tickets-intern.hamburg.ccc.de:9100
-          - keycloak-intern.hamburg.ccc.de:9100
-          - onlyoffice-intern.hamburg.ccc.de:9100
-          - pad-intern.hamburg.ccc.de:9100
-          - wiki-intern.hamburg.ccc.de:9100
-          - zammad-intern.hamburg.ccc.de:9100
-          - pretalx-intern.hamburg.ccc.de:9100
-      - labels:
-          org: ccchh
-          site: wieske
-          type: physical_machine
-        targets:
-          - chaosknoten.hamburg.ccc.de:9100
-
 
 storage:
   tsdb:

resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf

@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf

@@ -17,7 +17,6 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:50051 ssl;
-    listen 172.31.17.145:50051 ssl;
 
     http2 on;
 
@@ -59,7 +58,6 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:443 ssl;
-    listen 172.31.17.145:443 ssl;
 
     http2 on;
 

resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf

@@ -9,7 +9,6 @@ server {
     allow 2a00:14b0:4200:3380::/64;
     allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
     # Z9
-    allow 2a07:c480:0:100::/56;
     allow 2a07:c481:1::/48;
     # fuxnoc
     allow 2a07:c481:0:1::/64;
@@ -18,7 +17,6 @@ server {
     server_name metrics.hamburg.ccc.de;
 
     listen [::]:443 ssl;
-    listen 172.31.17.145:443 ssl;
     http2 on;
 
     client_body_buffer_size 512k;

resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2

@@ -46,7 +46,7 @@ services:
       - "8080:8080"
 
   db:
-    image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb
+    image: docker.io/library/postgres:15.15
     restart: unless-stopped
     networks:
       - keycloak

resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf

@@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf

@@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf

@@ -7,12 +7,12 @@ server {
     ##listen [::]:443 ssl http2;
 
     # Listen on a custom port for the proxy protocol.
-    listen 8444 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/lists/docker_compose/compose.yaml

@@ -1,7 +1,7 @@
 services:
   mailman-core:
     restart: unless-stopped
-    image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published)
+    image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published)
     container_name: mailman-core
     hostname: mailman-core
     volumes:
@@ -25,7 +25,7 @@ services:
 
   mailman-web:
     restart: unless-stopped
-    image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published)
+    image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published)
     container_name: mailman-web
     hostname: mailman-web
     depends_on:
@@ -56,7 +56,7 @@ services:
       - POSTGRES_DB=mailmandb
       - POSTGRES_USER=mailman
       - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
-    image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a
+    image: docker.io/library/postgres:12-alpine
     volumes:
       - /opt/mailman/database:/var/lib/postgresql/data
     networks:

resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2

@@ -1,7 +1,7 @@
 ---
 services:
   ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef
+    image: docker.io/binwiederhier/ntfy:v2.15.0
     container_name: ntfy
     command:
       - serve

resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf

@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2

@@ -4,7 +4,7 @@
 
 services:
   onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d
+    image: docker.io/onlyoffice/documentserver:9.2.1
     restart: unless-stopped
     volumes:
       - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf

@@ -2,12 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/pad/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=hedgedoc"
       - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}"
@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73
+    image: quay.io/hedgedoc/hedgedoc:1.10.5
     environment:
       - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
       - "CMD_DOMAIN=pad.hamburg.ccc.de"

resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=pretalx"
       - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
@@ -15,7 +15,7 @@ services:
       - pretalx_net
 
   redis:
-    image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
+    image: docker.io/library/redis:8.4.0
     restart: unless-stopped
     volumes:
       - redis:/data
@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f
+    image: docker.io/library/nginx:1.29.4
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html
@@ -33,7 +33,7 @@ services:
       - pretalx_net
 
   pretalx:
-    image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
+    image: docker.io/pretalx/standalone:v2025.1.0
     entrypoint: gunicorn
     command:
       - "pretalx.wsgi"
@@ -78,7 +78,7 @@ services:
       - pretalx_net
 
   celery:
-    image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
+    image: docker.io/pretalx/standalone:v2025.1.0
     command:
       - taskworker
     restart: unless-stopped

resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf

@@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host {
     c3cat.de 172.31.17.151:31820;
     www.c3cat.de 172.31.17.151:31820;
     staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
-    cloud.hamburg.ccc.de 172.31.17.143:31820;
+    cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
     element.hamburg.ccc.de 172.31.17.151:31820;
     git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de 172.31.17.145:31820;
+    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
     hackertours.hamburg.ccc.de 172.31.17.151:31820;
     staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
     hamburg.ccc.de 172.31.17.151:31820;
-    id.hamburg.ccc.de 172.31.17.144:31820;
+    id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
-    invite.hamburg.ccc.de 172.31.17.144:31820;
+    invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
-    keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
+    keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
     matrix.hamburg.ccc.de 172.31.17.150:31820;
     mas.hamburg.ccc.de 172.31.17.150:31820;
     element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de 172.31.17.167:31820;
+    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
-    onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
+    onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
-    pad.hamburg.ccc.de 172.31.17.141:31820;
+    pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
-    pretalx.hamburg.ccc.de 172.31.17.157:31820;
+    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
     spaceapi.hamburg.ccc.de 172.31.17.151:31820;
     staging.hamburg.ccc.de 172.31.17.151:31820;
-    wiki.ccchh.net 172.31.17.146:31820;
+    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
-    wiki.hamburg.ccc.de 172.31.17.146:31820;
+    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
     www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de 172.31.17.148:31820;
+    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
-    sunders.hamburg.ccc.de 172.31.17.170:31820;
+    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
-    zammad.hamburg.ccc.de 172.31.17.152:31820;
+    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
     eh03.easterhegg.eu 172.31.17.151:31820;
     eh05.easterhegg.eu 172.31.17.151:31820;
     eh07.easterhegg.eu 172.31.17.151:31820;
@@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
     eh11.easterhegg.eu 172.31.17.151:31820;
     eh20.easterhegg.eu 172.31.17.151:31820;
     www.eh20.easterhegg.eu 172.31.17.151:31820;
-    eh22.easterhegg.eu 172.31.17.165:31820;
+    eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
     easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
     eh2003.hamburg.ccc.de 172.31.17.151:31820;
     www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@@ -73,11 +73,16 @@ map $host $upstream_acme_challenge_host {
     design.hamburg.ccc.de 172.31.17.162:31820;
     hydra.hamburg.ccc.de 172.31.17.163:31820;
     cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de 172.31.17.149:31820;
+    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
     cryptoparty-hamburg.de 172.31.17.151:31820;
     cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
     staging.cryptoparty-hamburg.de 172.31.17.151:31820;
     staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
+    spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
+    cpu.ccc.de 172.31.17.151:31820;
+    lokal.ccc.de 172.31.17.151:31820;
+    local.ccc.de 172.31.17.151:31820;
+    acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
     default "";
 }
 

resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf

@@ -18,21 +18,21 @@ stream {
     resolver 212.12.50.158 192.76.134.90;
 
     map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
+        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
-        cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
+        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
-        pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
+        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
-        id.hamburg.ccc.de 172.31.17.144:8443;
+        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        invite.hamburg.ccc.de 172.31.17.144:8443;
+        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
+        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        grafana.hamburg.ccc.de 172.31.17.145:8443;
+        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
-        wiki.ccchh.net 172.31.17.146:8443;
+        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
-        wiki.hamburg.ccc.de 172.31.17.146:8443;
+        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
-        onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
+        onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
         hackertours.hamburg.ccc.de 172.31.17.151:8443;
         staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de 172.31.17.167:8443;
+        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
         matrix.hamburg.ccc.de 172.31.17.150:8443;
         mas.hamburg.ccc.de 172.31.17.150:8443;
         element-admin.hamburg.ccc.de 172.31.17.151:8443;
@@ -42,9 +42,9 @@ stream {
         hamburg.ccc.de 172.31.17.151:8443;
         staging.hamburg.ccc.de 172.31.17.151:8443;
         spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de 172.31.17.148:8443;
+        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
-        sunders.hamburg.ccc.de 172.31.17.170:8443;
+        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
-        zammad.hamburg.ccc.de 172.31.17.152:8443;
+        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
         c3cat.de 172.31.17.151:8443;
         www.c3cat.de 172.31.17.151:8443;
         staging.c3cat.de 172.31.17.151:8443;
@@ -56,7 +56,7 @@ stream {
         eh11.easterhegg.eu 172.31.17.151:8443;
         eh20.easterhegg.eu 172.31.17.151:8443;
         www.eh20.easterhegg.eu 172.31.17.151:8443;
-        eh22.easterhegg.eu 172.31.17.165:8443;
+        eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
         easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
         eh2003.hamburg.ccc.de 172.31.17.151:8443;
         www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@@ -90,12 +90,17 @@ stream {
         woodpecker.hamburg.ccc.de 172.31.17.160:8443;
         design.hamburg.ccc.de 172.31.17.162:8443;
         hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
+        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de 172.31.17.149:8443;
+        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
         cryptoparty-hamburg.de 172.31.17.151:8443;
         cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
         staging.cryptoparty-hamburg.de 172.31.17.151:8443;
         staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
+        spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
+        cpu.ccc.de 172.31.17.151:8443;
+        lokal.ccc.de 172.31.17.151:8443;
+        local.ccc.de 172.31.17.151:8443;
+        acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
     }
 
     server {

resources/chaosknoten/router/nftables/nftables.conf

@@ -0,0 +1,95 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Interfaces
+define if_net1_v4_wan = "net1"
+define if_net2_v6_wan = "net2"
+define if_net0_2_v4_nat = "net0.2"
+define if_net0_3_ci_runner = "net0.3"
+
+# Interface Groups
+define wan_ifs = { $if_net1_v4_wan,
+                   $if_net2_v6_wan }
+define lan_ifs = { $if_net0_2_v4_nat,
+                   $if_net0_3_ci_runner }
+# define v4_exposed_ifs = { }
+define v6_exposed_ifs = { $if_net0_2_v4_nat }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow DHCP server access.
+		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        oifname $if_net1_v4_wan masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
+		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
+
+        # Allow access to exposed networks from internet.
+        # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+    }
+}

resources/chaosknoten/router/systemd_networkd/00-net0.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:54:11:15
+Type=ether
+
+[Link]
+Name=net0

resources/chaosknoten/router/systemd_networkd/00-net1.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:9A:FB:34
+Type=ether
+
+[Link]
+Name=net1

resources/chaosknoten/router/systemd_networkd/00-net2.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:AE:C7:04
+Type=ether
+
+[Link]
+Name=net2

resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=net0.2
+Kind=vlan
+
+[VLAN]
+Id=2
+

resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=net0.3
+Kind=vlan
+
+[VLAN]
+Id=3
+

resources/chaosknoten/router/systemd_networkd/20-net0.network

@@ -0,0 +1,12 @@
+[Match]
+Name=net0
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=net0.2
+VLAN=net0.3
+
+LinkLocalAddressing=no
+

resources/chaosknoten/router/systemd_networkd/20-net1.network

@@ -0,0 +1,12 @@
+[Match]
+Name=net1
+
+[Network]
+DNS=212.12.50.158
+IPv6AcceptRA=no
+
+[Address]
+Address=212.12.48.123/24
+
+[Route]
+Gateway=212.12.48.55

resources/chaosknoten/router/systemd_networkd/20-net2.network

@@ -0,0 +1,12 @@
+[Match]
+Name=net2
+
+[Network]
+#DNS=212.12.50.158
+IPv6AcceptRA=no
+
+[Address]
+Address=2a00:14b0:4200:3500::130:2/112
+
+[Route]
+Gateway=2a00:14b0:4200:3500::130:1

resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network

@@ -0,0 +1,29 @@
+[Match]
+Name=net0.2
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=v4-NAT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+DHCPServer=true
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=150
+
+[Address]
+Address=10.32.2.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:102::/64
+Assign=true
+Token=static:::1

resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network

@@ -0,0 +1,29 @@
+[Match]
+Name=net0.3
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=ci-runners
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+DHCPServer=true
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=150
+
+[Address]
+Address=10.32.3.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:103::/64
+Assign=true
+Token=static:::1

resources/chaosknoten/router/systemd_networkd_global_config.conf

@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true

resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2

@@ -0,0 +1,39 @@
+---
+services:
+    frontend:
+        #build: ./frontend
+        networks:
+            spaceapi-network:
+                ipv4_address: 172.16.238.10
+        image: gidsi/spaceapi-ccc-frontend:saved_from_old_host
+        restart: always
+        expose:
+            - "80"
+        depends_on:
+            - backend
+    backend:
+        #build: ./backend
+        networks:
+          - spaceapi-network
+        image: gidsi/spaceapi-ccc-backend:saved_from_old_host
+        restart: always
+        environment:
+            SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}"
+            DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}"
+            DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}"
+        depends_on:
+            - database
+    database:
+        image: mongo:saved_from_old_host
+        networks:
+          - spaceapi-network
+        restart: always
+        volumes:
+          - ./data/database:/data/db
+
+networks:
+    spaceapi-network:
+        ipam:
+            driver: default
+            config:
+                - subnet: 172.16.238.0/24

resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf

@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen [::]:8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name spaceapi.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/spaceapi.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location / {
+        proxy_pass http://172.16.238.10/;
+    }
+}

resources/chaosknoten/sunders/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   db:
-    image: mariadb:12.0.2
+    image: mariadb:12.1.2
     command: --max_allowed_packet=3250585600
     environment:
       MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"

resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/tickets/docker_compose/compose.yaml.j2

@@ -1,7 +1,7 @@
 ---
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=pretix"
       - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}"
@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   redis:
-    image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514
+    image: docker.io/library/redis:7.4.7
     ports:
       - "6379:6379"
     volumes:
@@ -25,7 +25,7 @@ services:
       backend:
 
   pretix:
-    image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe
+    image: docker.io/pretix/standalone:2024.8
     command: ["all"]
     ports:
       - "8345:80"

resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -38,11 +38,7 @@ server {
 
     location = / {
         #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
-        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
+        return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
-    }
-
-    location = /hackertours/eh22/ {
-        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
     }
 
     location / {

resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -21,6 +21,6 @@ server {
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
-    
+
     return 302 https://wiki.hamburg.ccc.de$request_uri;
 }

resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/external/status/docker_compose/compose.yaml.j2

@@ -0,0 +1,37 @@
+# https://gatus.io/
+# https://github.com/TwiN/gatus
+# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
+
+services:
+  database:
+    image: docker.io/library/postgres:18.1
+    volumes:
+      - ./database:/var/lib/postgresql
+    environment:
+      - "POSTGRES_DB=gatus"
+      - "POSTGRES_USER=gatus"
+      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+    networks:
+      - gatus
+
+  gatus:
+    image: ghcr.io/twin/gatus:v5.34.0
+    restart: always
+    ports:
+      - "8080:8080"
+    environment:
+      - "GATUS_CONFIG_PATH=/config"
+      - "POSTGRES_DB=gatus"
+      - "POSTGRES_USER=gatus"
+      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+      - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
+      - "ACME_DNS_UPDATE_TEST_X_API_KEY={{ secret__gatus_acme_dns_update_test_x_api_key }}"
+    volumes:
+      - ./configs:/config
+    networks:
+      - gatus
+    depends_on:
+      - database
+
+networks:
+  gatus:

resources/external/status/docker_compose/config/easterhegg-websites.yaml

@@ -0,0 +1,305 @@
+# Easterhegg Websites and Websites (Redirects)
+# (hosted on public-web-static)
+# One could probably also generate this list from the public-web-static config.
+easterhegg-websites-defaults: &easterhegg_websites_defaults
+  group: Websites
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "12h"
+      send-on-resolved: true
+
+easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
+  group: Websites (Redirects)
+  interval: 15m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+endpoints:
+  # Websites
+  - name: eh03.easterhegg.eu
+    url: "https://eh03.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: eh05.easterhegg.eu
+    url: "https://eh05.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: eh07.easterhegg.eu
+    url: "https://eh07.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: eh09.easterhegg.eu
+    url: "https://eh09.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: eh11.easterhegg.eu
+    url: "https://eh11.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: eh20.easterhegg.eu
+    url: "https://eh20.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"
+
+  # Websites (Redirects)
+  # eh03.easterhegg.eu
+  - name: eh2003.hamburg.ccc.de
+    url: "https://eh2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: www.eh2003.hamburg.ccc.de
+    url: "https://www.eh2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: easterhegg2003.hamburg.ccc.de
+    url: "https://easterhegg2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: www.easterhegg2003.hamburg.ccc.de
+    url: "https://www.easterhegg2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  # eh05.easterhegg.eu
+  - name: eh2005.hamburg.ccc.de
+    url: "https://eh2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: www.eh2005.hamburg.ccc.de
+    url: "https://www.eh2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: easterhegg2005.hamburg.ccc.de
+    url: "https://easterhegg2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: www.easterhegg2005.hamburg.ccc.de
+    url: "https://www.easterhegg2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  # eh07.easterhegg.eu
+  - name: eh2007.hamburg.ccc.de
+    url: "https://eh2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.eh2007.hamburg.ccc.de
+    url: "https://www.eh2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: eh07.hamburg.ccc.de
+    url: "https://eh07.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.eh07.hamburg.ccc.de
+    url: "https://www.eh07.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: easterhegg2007.hamburg.ccc.de
+    url: "https://easterhegg2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.easterhegg2007.hamburg.ccc.de
+    url: "https://www.easterhegg2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  # eh09.easterhegg.eu
+  - name: eh2009.hamburg.ccc.de
+    url: "https://eh2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.eh2009.hamburg.ccc.de
+    url: "https://www.eh2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: eh09.hamburg.ccc.de
+    url: "https://eh09.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.eh09.hamburg.ccc.de
+    url: "https://www.eh09.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: easterhegg2009.hamburg.ccc.de
+    url: "https://easterhegg2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.easterhegg2009.hamburg.ccc.de
+    url: "https://www.easterhegg2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  # eh11.easterhegg.eu
+  - name: eh2011.hamburg.ccc.de
+    url: "https://eh2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.eh2011.hamburg.ccc.de
+    url: "https://www.eh2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: eh11.hamburg.ccc.de
+    url: "https://eh11.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.eh11.hamburg.ccc.de
+    url: "https://www.eh11.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: easterhegg2011.hamburg.ccc.de
+    url: "https://easterhegg2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.easterhegg2011.hamburg.ccc.de
+    url: "https://www.easterhegg2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  # eh20.easterhegg.eu
+  - name: www.eh20.easterhegg.eu
+    url: "https://www.eh20.easterhegg.eu"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"
+
+  - name: eh20.hamburg.ccc.de
+    url: "https://eh20.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"

resources/external/status/docker_compose/config/general.yaml

@@ -0,0 +1,38 @@
+storage:
+  type: postgres
+  path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
+  maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
+  maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
+
+ui:
+  title: CCCHH Status
+  description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
+  header: CCCHH Status
+  buttons:
+    - name: Website
+      link: "https://hamburg.ccc.de"
+    - name: Git
+      link: "https://git.hamburg.ccc.de"
+    - name: Kontakt & Impressum
+      link: "https://hamburg.ccc.de/imprint/"
+  default-sort-by: group
+
+alerting:
+  # matrix:
+  #   server-url: "https://matrix.nekover.se"
+  #   access-token: "${MATRIX_ACCESS_TOKEN}"
+  #   internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
+  custom:
+    url: "https://matrix.nekover.se/_matrix/client/v3/rooms/%21jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ/send/m.room.message"
+    method: "POST"
+    body: |
+      {
+        "msgtype": "m.text",
+        "body": "[ALERT_TRIGGERED_OR_RESOLVED]: [ENDPOINT_GROUP] - [ENDPOINT_NAME] - [ALERT_DESCRIPTION] - [RESULT_ERRORS]"
+      }
+    headers:
+      Authorization: "Bearer ${MATRIX_ACCESS_TOKEN}"
+
+
+# A bit more than the default 5 concurrent checks should be fine.
+concurrency: 15

resources/external/status/docker_compose/config/services-chaosknoten.yaml

@@ -0,0 +1,311 @@
+# Services (Chaosknoten)
+services-chaosknoten-defaults: &services_chaosknoten_defaults
+  group: Services (Chaosknoten)
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+endpoints:
+  - name: ACME DNS (main page/login)
+    url: "https://acmedns.hamburg.ccc.de"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*OAuth2 Proxy*)"
+
+  - name: ACME DNS (health endpoint)
+    url: "https://acmedns.hamburg.ccc.de/health"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+
+  - name: ACME DNS (update endpoint)
+    url: "https://acmedns.hamburg.ccc.de/update"
+    <<: *services_chaosknoten_defaults
+    method: POST
+    # acme-dns validates that the value for the txt is 43 characters long.
+    # https://github.com/joohoi/acme-dns/blob/b7a0a8a7bcef39f6158dd596fe716594a170d362/validation.go#L34-L41
+    body: |
+      {
+        "subdomain": "c621ef99-3da9-4ef6-a152-3a82b9b720f8",
+        "txt": "________________gatus_test_________________"
+      }
+    headers:
+      X-Api-User: "b897048a-1526-42aa-bc24-e4dfd654b722"
+      X-Api-Key: "${ACME_DNS_UPDATE_TEST_X_API_KEY}"
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].txt == ________________gatus_test_________________"
+
+  - name: ACME DNS (DNS)
+    url: "acmedns.hosts.hamburg.ccc.de"
+    <<: *services_chaosknoten_defaults
+    dns:
+      query-name: "c621ef99-3da9-4ef6-a152-3a82b9b720f8.auth.acmedns.hamburg.ccc.de"
+      query-type: "TXT"
+    conditions:
+      - "[DNS_RCODE] == NOERROR"
+      # error: query type is not supported yet
+      # apparently TXT records aren't supported yet.
+      # - "[BODY] == ________________gatus_test_________________"
+
+  - name: CCCHH ID/Keycloak (main page/account console)
+    url: "https://id.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
+
+  - name: CCCHH ID/Keycloak (ccchh realm)
+    url: "https://id.hamburg.ccc.de/realms/ccchh/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].realm == ccchh"
+
+  - name: ccchoir
+    url: "https://ccchoir.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
+
+  - name: Cloud (status info)
+    url: "https://cloud.hamburg.ccc.de/status.php"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].installed == true"
+      - "[BODY].maintenance == false"
+
+  - name: Cloud (main page/login)
+    url: "https://cloud.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sign in to CCCHH*)"
+
+  - name: cow (main page/login)
+    url: "https://cow.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*mailcow UI*)"
+
+  - name: cow (SMTP port 25)
+    url: "tcp://cow.hamburg.ccc.de:25"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (SMTPS port 465)
+    url: "tls://cow.hamburg.ccc.de:465"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (SMTP with STARTTLS port 587)
+    url: "starttls://cow.hamburg.ccc.de:587"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (IMAP port 143)
+    url: "tcp://cow.hamburg.ccc.de:143"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (IMAPS port 465)
+    url: "tls://cow.hamburg.ccc.de:465"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Design/penpot
+    url: "https://design.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
+
+  - name: EH22 Website/Wiki
+    url: "https://eh22.easterhegg.eu/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2025*)"
+
+  - name: Git
+    url: "https://git.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*CCCHH Git*)"
+
+  - name: GitLab
+    url: "https://gitlab.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
+
+  - name: Grafana
+    url: "https://grafana.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sign in to CCCHH*)"
+
+  - name: Jitsi
+    url: "https://jitsi.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Jitsi Meet*)"
+
+  - name: Lists
+    url: "https://lists.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Mailing Lists*)"
+
+  - name: Matrix
+    url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "has([BODY].versions) == true"
+      - "has([BODY].unstable_features) == true"
+
+  - name: Mumble (tcp)
+    url: "tcp://mumble.hamburg.ccc.de:64738"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Mumble (udp)
+    url: "udp://mumble.hamburg.ccc.de:64738"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: NetBox
+    url: "https://NetBox.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*NetBox*)"
+
+  - name: ntfy
+    url: "https://ntfy.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*ntfy web requires JavaScript*)"
+
+  - name: OnlyOffice
+    url: "https://onlyoffice.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
+
+  - name: Pad
+    url: "https://pad.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
+
+  - name: Pretalx (main page)
+    url: "https://pretalx.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*pretalx*)"
+
+  - name: Pretalx (EH22/Easterhegg 2025)
+    url: "https://cfp.eh22.easterhegg.eu/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2025*)"
+      - "[BODY] == pat(*pretalx*)"
+
+  - name: SpaceAPI
+    url: "https://spaceapi.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].space == CCCHH"
+
+  - name: Surveillance under Surveillance
+    url: "https://sunders.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Surveillance under Surveillance*)"
+
+  - name: Tickets/pretix
+    url: "https://tickets.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*pretix*)"
+
+  - name: Wiki
+    url: "https://wiki.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*CCCHH Wiki*)"
+
+  - name: Woodpecker
+    url: "https://woodpecker.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Woodpecker*)"
+
+  - name: Zammad
+    url: "https://zammad.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*zammad*)"

resources/external/status/docker_compose/config/sites.yaml

@@ -0,0 +1,24 @@
+# Sites
+sites-defaults: &sites_defaults
+  group: Sites
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+endpoints:
+  - name: Chaosknoten/IRZ42
+    url: "icmp://chaosknoten.hamburg.ccc.de"
+    <<: *sites_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Z9
+    url: "icmp://185.161.129.129"
+    <<: *sites_defaults
+    conditions:
+      - "[CONNECTED] == true"

resources/external/status/docker_compose/config/websites.yaml

@@ -0,0 +1,209 @@
+# Websites, Websites (Staging) and Websites (Redirects)
+# (hosted on public-web-static)
+# One could probably also generate this list from the public-web-static config.
+websites-defaults: &websites_defaults
+  group: Websites
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+websites-staging-defaults: &websites_staging_defaults
+  group: Websites (Staging)
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+websites-redirects-defaults: &websites_redirects_defaults
+  group: Websites (Redirects)
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+endpoints:
+  # Websites
+  - name: branding-resources.hamburg.ccc.de
+    url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*file:       ccchh-logo.png*)"
+
+  - name: c3cat.de
+    url: "https://c3cat.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+  - name: cpu.ccc.de
+    url: "https://cpu.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: cryptoparty-hamburg.de
+    url: "https://cryptoparty-hamburg.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+  - name: element-admin.hamburg.ccc.de
+    url: "https://element-admin.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Loading Element Admin*)"
+
+  - name: element.hamburg.ccc.de
+    url: "https://element.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
+
+  - name: hacker.tours
+    url: "https://hacker.tours"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      # Once suites support alerting, we can also monitor the target as well.
+      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
+
+  - name: hackertours.hamburg.ccc.de
+    url: "https://hackertours.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      # Once suites support alerting, we can also monitor the target as well.
+      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
+
+  - name: hamburg.ccc.de
+    url: "https://hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
+
+  - name: spaceapi.ccc.de
+    url: "https://spaceapi.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Kein Javascript, keine Kekse.*)"
+
+# Websites (Staging)
+  - name: staging.c3cat.de
+    url: "https://staging.c3cat.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*c3cat.de Staging Environment*)"
+
+  - name: staging.cryptoparty-hamburg.de
+    url: "https://staging.cryptoparty-hamburg.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+  - name: staging.hacker.tours
+    url: "https://staging.hacker.tours"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hacker.tours Staging Environment*)"
+
+  - name: staging.hackertours.hamburg.ccc.de
+    url: "https://staging.hackertours.hamburg.ccc.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
+
+  - name: staging.hamburg.ccc.de
+    url: "https://staging.hamburg.ccc.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
+
+# Website (Redirects)
+  - name: www.c3cat.de
+    url: "https://www.c3cat.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+  - name: cryptoparty.hamburg.ccc.de
+    url: "https://cryptoparty.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+  - name: local.ccc.de
+    url: "https://local.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: lokal.ccc.de
+    url: "https://lokal.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: staging.cryptoparty.hamburg.ccc.de
+    url: "https://staging.cryptoparty.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+  - name: www.hamburg.ccc.de
+    url: "https://www.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"

resources/external/status/nginx/http_handler.conf

@@ -0,0 +1,14 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name status.hamburg.ccc.de;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}

resources/external/status/nginx/status.hamburg.ccc.de.conf

@@ -0,0 +1,33 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name status.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy.
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location / {
+        proxy_pass http://127.0.0.1:8080/;
+    }
+}

resources/z9/dooris/nginx/http_handler.conf

@@ -0,0 +1,12 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}

resources/z9/light/nginx/http_handler.conf

@@ -1,14 +1,12 @@
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
-    server_name _;
-
-    location /.well-known/acme-challenge/ {
-        autoindex on;
-        root /webroot-for-acme-challenge;
-    }
 
     location / {
         return 301 https://$host$request_uri;
     }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
 }

resources/z9/light/nginx/light.conf

@@ -1,15 +1,16 @@
 # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
+    http2 on;
 
     server_name light-werkstatt.ccchh.net;
 
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
 
     # replace with the IP address of your resolver
     resolver 10.31.208.1;
@@ -25,15 +26,16 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
+    http2 on;
 
-    server_name light.z9.ccchh.net ;
+    server_name light.z9.ccchh.net;
 
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
 
     location / {
         return 307 https://light.ccchh.net$request_uri;
@@ -41,8 +43,9 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
+    http2 on;
 
     server_name light.ccchh.net;
 

resources/z9/waybackproxy/docker_compose/compose.yaml.j2

@@ -1,7 +1,7 @@
 services:
   # https://github.com/richardg867/WaybackProxy
   waybackproxy:
-    image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e
+    image: cttynul/waybackproxy:latest
     environment:
       DATE: 19990101
       DATE_TOLERANCE: 730

roles/alloy/defaults/main.yaml

@@ -0,0 +1,44 @@
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "chaos_password"
+      }
+    }
+  }
+
+  prometheus.relabel "common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "noorg"
+    }
+    rule {
+      target_label = "site"
+      replacement = "nosite"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.hosts.test"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.common.receiver]
+  }
+
+alloy_config_additional: ""

roles/alloy/tasks/main.yaml

@@ -0,0 +1,50 @@
+# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
+- name: ensure alloy user exists
+  ansible.builtin.user:
+    name: alloy
+    system: true
+    append: true
+    create_home: false
+    state: present
+
+- name: ensure the `/etc/alloy/` config directory exists
+  ansible.builtin.file:
+    path: /etc/alloy
+    state: directory
+    mode: "0770"
+    owner: root
+    group: alloy
+  become: true
+
+- name: synchronize the additional configuration files directory, if present
+  when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
+  block:
+    - name: ensure rsync is installed
+      ansible.builtin.apt:
+        name: rsync
+      become: true
+
+    - name: synchronize the additional configuration files directory, if present
+      ansible.posix.synchronize:
+        src: "{{ alloy__additional_configs_dir }}"
+        dest: /etc/alloy/additional
+        delete: true
+        recursive: true
+        use_ssh_args: true
+        rsync_opts:
+          - "--chown=root:alloy"
+      become: true
+
+- name: delete the additional configuration files directory, if not present
+  when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
+  ansible.builtin.file:
+    path: /etc/alloy/additional
+    state: absent
+  become: true
+
+- name: Setup Alloy
+  ansible.builtin.import_role:
+    name: grafana.grafana.alloy
+  vars:
+    alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}"
+  become: true

roles/ansible_pull/tasks/main.yaml

@@ -3,6 +3,7 @@
     - name: ensure apt dependencies are installed
       ansible.builtin.apt:
         name:
+          - python3-pip
           - virtualenv
           - git
         state: present

roles/base_config/tasks/main.yaml

@@ -0,0 +1,34 @@
+# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
+- name: check if cloud-init config file exists
+  ansible.builtin.stat:
+    path: /etc/cloud/cloud.cfg
+  register: base_config__stat_cloud_cfg
+
+- name: ensure the cloud-init ssh module is disabled
+  ansible.builtin.replace:
+    path: /etc/cloud/cloud.cfg
+    regexp: " - ssh$"
+    replace: " #- ssh"
+  become: true
+  when: base_config__stat_cloud_cfg.stat.exists
+
+# Ensure a base set of admin tools is installed.
+- name: ensure a base set of admin tools is installed
+  ansible.builtin.apt:
+    name:
+      - vim
+      - joe
+      - nano
+      - htop
+      - btop
+      - ripgrep
+      - fd-find
+      - tmux
+      - git
+      - curl
+      - rsync
+      - dnsutils
+      - usbutils
+      - kitty
+      - gpg
+  become: true

roles/certbot/meta/main.yaml

@@ -7,3 +7,4 @@ dependencies:
           major_versions:
             - 11
             - 12
+            - 13