From 9f87fa02256e794719c57e98f22a76c88692c712 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 23 Jul 2025 20:56:19 +0200
Subject: [PATCH 1/5] reverse proxy configuration for cryptoparty website and staging env.

---
 .../public-reverse-proxy/nginx/acme_challenge.conf | 4 ++++
 resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 1b998fc..e37ae7a 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -71,6 +71,10 @@ map $host $upstream_acme_challenge_host {
 hydra.hamburg.ccc.de 172.31.17.163:31820;
 cfp.eh22.easterhegg.eu 172.31.17.157:31820;
 ntfy.hamburg.ccc.de 172.31.17.149:31820;
+ cryptoparty-hamburg.de 172.31.17.151:31820;
+ cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
+ staging.cryptoparty-hamburg.de 172.31.17.151:31820;
+ staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
 default "";
 }
 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 37f62a1..4fcc86b 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -89,6 +89,10 @@ stream {
 hydra.hamburg.ccc.de 172.31.17.163:8443;
 cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
 ntfy.hamburg.ccc.de 172.31.17.149:8443;
+ cryptoparty-hamburg.de 172.31.17.151:8443;
+ cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
+ staging.cryptoparty-hamburg.de 172.31.17.151:8443;
+ staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
 }
 
 server {
From cbb4beceb680a96b67df96253a94af9cb0c83c0c Mon Sep 17 00:00:00 2001
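Review bot: The four new entries route the staging hostnames through the public entry point exactly like production, both in the `$upstream_acme_challenge_host` map in acme_challenge.conf and in the stream map here. If `staging.*` is meant to be reachable only from inside, nothing in these maps restricts it, and as far as the hunk shows the stream proxy hands the TLS connection to 172.31.17.151:8443 unchanged, so any access restriction would have to be enforced on that backend. A comment on the staging lines stating that they are intentionally public (or that the backend enforces the restriction) would spare the next reader the question; since the two maps must stay in step, a `# keep in sync with acme_challenge.conf` note above the new lines would help as well.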
From: Stefan Bethke
Date: Sat, 2 Aug 2025 09:41:42 +0200
Subject: [PATCH 2/5] Add Werkstatt phone

---
 inventories/z9/host_vars/yate.sops.yaml | 6 ++++--
 resources/z9/yate/docker_compose/regfile.conf.j2 | 12 ++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/inventories/z9/host_vars/yate.sops.yaml b/inventories/z9/host_vars/yate.sops.yaml
index fdfffef..ea0e25f 100644
--- a/inventories/z9/host_vars/yate.sops.yaml
+++ b/inventories/z9/host_vars/yate.sops.yaml
@@ -2,13 +2,15 @@ secret__yate__sip_trunk_epvpn: ENC[AES256_GCM,data:BkdNaCooUjsDlCXJ,iv:saO4IGsz1HAinvW5ZGAMA4WEtBbo+UNdfBkr0g29uag=,tag:t8RM0GNYhl1w/RMNO8wKbQ==,type:str] secret__yate__sip_trunk_fonial: ENC[AES256_GCM,data:N18C3XZHIi1/IA==,iv:vs9dCYNRp+1ptxRajdUO5ODTOmNREJslF99xnFL92XM=,tag:IUmnlPeRI1WTRYELzZRk/w==,type:str] secret__yate__sip_trunk_fux: ENC[AES256_GCM,data:zcVxNjyS3BE2dw==,iv:Prmy8nP1yeFrVI5mQaPJPKHGFCzuZp84f6fH04I9zJM=,tag:X15wqvaaifMU2/kcqLqUZQ==,type:str] +secret__yate__sip_extension_ewerkstatt: ENC[AES256_GCM,data:qbatVvfXZiUcpVnOJUpzYw==,iv:E/fCmKGrwYvQP1gGvwT0UrL0DZ/PcMwKG+NteiukB5M=,tag:PFmU0DX56+IbSQqMtY5NSQ==,type:str] secret__yate__sip_extension_fritzbox_analog1: ENC[AES256_GCM,data:+ayQ6P4P34D5hTNOFv3HVA==,iv:UD71G07Z633mDmvnJVei9SKgHyM+JFXJdtOhyBhvKGY=,tag:0ISsYGQCIMMgToLWA09JwQ==,type:str] secret__yate__sip_extension_fritzbox_analog2: ENC[AES256_GCM,data:DbFmTcZ8wW2fqstm09yUWw==,iv:jKUqtSXaGF/QpIwPJ6hKQWZvv9xtZeIQBiPHt2xm+3I=,tag:MkWzODFnWZc8o+pVLR3KJw==,type:str] secret__yate__sip_extension_fritzbox_dect1: ENC[AES256_GCM,data:87MFTNA0DXmfhesT/M++ug==,iv:qDM8HWZhG9FADLFNPRJXkadN2jXD6/CfroDShNPzA+o=,tag:Ylf56nCczEdDaOGko5GrBw==,type:str] +secret__yate__sip_extension_flausch: ENC[AES256_GCM,data:eIieA4A/ZmU8e7t20xwmCw==,iv:oDMgZIjQBDcwIVPK4/qIT1HyQKc+vImdr1iPZE1LEn4=,tag:RgS+enGC6DP6dwE8u30a6g==,type:str] secret__yate__sip_extension_legacy: ENC[AES256_GCM,data:gC43eKUOAYU9dgNV1JQ+nw==,iv:xN7aad2NPaihlMT4Ym2xanpKU4eX04V0FS4m6XRgZFo=,tag:Oq0yBCSf+CB8Xkx4D4TH5w==,type:str] sops: - lastmodified: "2025-07-11T17:10:24Z" - mac: ENC[AES256_GCM,data:aO2kEoKvWccDkF9lnaNeoBWfgUetZ3W4ImappoPU4emLpWMtRGWFiKUbTwQCbLGBdQ/C+Dk0bZYV1wJjotmSIiEyPzijINX+d5obH7Gm2XSkqFHGlz+XnVg11PY91enBbHSQTiOyCzS1Ez/xWAVdztTHWA5r8lhaojmAHSe3UHo=,iv:VAEnZscqlPmVuEypiNRdhfGoooGa1qet9FBht/NNUK0=,tag:o2Q5GsHRS5GaZuQm3chZDA==,type:str] + lastmodified: "2025-07-11T19:06:23Z" + mac: 
ENC[AES256_GCM,data:llPh9WhUZCYsd2C7CH57/n19luVgHQDduyj0x9rcv7zEYAIm191Lcfou7muX2wgNL4Hn60MYSgyt9HQqXlxPhClNjnwGen5jvNBudFlxFwmt5+en4V4CpGHRo3rm56RITywXTyt7w87Nq2LPive5SKydlZZxjtrEyohYLb/S3Hw=,iv:NYGs+Kd+iaVw7zwV0aYVdMXZYOk2nbSVqJwJ+zFeYWI=,tag:5azDIFhgmJXMWECac2dN3A==,type:str] pgp: - created_at: "2025-07-20T18:28:37Z" enc: |- diff --git a/resources/z9/yate/docker_compose/regfile.conf.j2 b/resources/z9/yate/docker_compose/regfile.conf.j2 index 5501839..bf618c7 100644 --- a/resources/z9/yate/docker_compose/regfile.conf.j2 +++ b/resources/z9/yate/docker_compose/regfile.conf.j2 @@ -10,6 +10,18 @@ alternatives=0,1008,1337 callername=Legacy # Yealink im großen Raum am Fenster +[502] +password={{ secret__yate__sip_extension_flausch}} +alternatives=0,1008,1337 +callername=Flausch +# Yealink im großen Raum am Sofa + +[503] +password={{ secret__yate__sip_extension_ewerkstatt }} +alternatives=0,1008,1337 +callername=E-Werkstatt +# Yealink in der E-Werkstatt + [610] password={{ secret__yate__sip_extension_fritzbox_dect1 }} alternatives=0,1008,1337 From 9c50708b4ef7b3e6c0c4bb2cc277c3ab89ebaccd Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Sat, 2 Aug 2025 09:43:18 +0200 Subject: [PATCH 3/5] Add second DECT --- inventories/z9/host_vars/yate.sops.yaml | 5 +++-- resources/z9/yate/docker_compose/regfile.conf.j2 | 5 +++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/inventories/z9/host_vars/yate.sops.yaml b/inventories/z9/host_vars/yate.sops.yaml index ea0e25f..f5c8f32 100644 --- a/inventories/z9/host_vars/yate.sops.yaml +++ b/inventories/z9/host_vars/yate.sops.yaml 
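Review bot: `password={{ secret__yate__sip_extension_flausch}}` in the new `[502]` block is missing the space before `}}` that every other lookup in this file has, e.g. `{{ secret__yate__sip_extension_ewerkstatt }}` two sections below; Jinja accepts both forms, but the inconsistency invites a typo hunt the next time a registration fails. Change it to `password={{ secret__yate__sip_extension_flausch }}`.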
@@ -6,11 +6,12 @@ secret__yate__sip_extension_ewerkstatt: ENC[AES256_GCM,data:qbatVvfXZiUcpVnOJUpz secret__yate__sip_extension_fritzbox_analog1: ENC[AES256_GCM,data:+ayQ6P4P34D5hTNOFv3HVA==,iv:UD71G07Z633mDmvnJVei9SKgHyM+JFXJdtOhyBhvKGY=,tag:0ISsYGQCIMMgToLWA09JwQ==,type:str] secret__yate__sip_extension_fritzbox_analog2: ENC[AES256_GCM,data:DbFmTcZ8wW2fqstm09yUWw==,iv:jKUqtSXaGF/QpIwPJ6hKQWZvv9xtZeIQBiPHt2xm+3I=,tag:MkWzODFnWZc8o+pVLR3KJw==,type:str] secret__yate__sip_extension_fritzbox_dect1: ENC[AES256_GCM,data:87MFTNA0DXmfhesT/M++ug==,iv:qDM8HWZhG9FADLFNPRJXkadN2jXD6/CfroDShNPzA+o=,tag:Ylf56nCczEdDaOGko5GrBw==,type:str] +secret__yate__sip_extension_fritzbox_dect2: ENC[AES256_GCM,data:KOUKexyzJqZPj1HKJxFl4Q==,iv:OCChQmSF1s8C/VYuw9D3hHA1CAoCnwC4adyTpWO5Iac=,tag:VFFuYi5Nd49ChU1Ki/nHiA==,type:str] secret__yate__sip_extension_flausch: ENC[AES256_GCM,data:eIieA4A/ZmU8e7t20xwmCw==,iv:oDMgZIjQBDcwIVPK4/qIT1HyQKc+vImdr1iPZE1LEn4=,tag:RgS+enGC6DP6dwE8u30a6g==,type:str] secret__yate__sip_extension_legacy: ENC[AES256_GCM,data:gC43eKUOAYU9dgNV1JQ+nw==,iv:xN7aad2NPaihlMT4Ym2xanpKU4eX04V0FS4m6XRgZFo=,tag:Oq0yBCSf+CB8Xkx4D4TH5w==,type:str] sops: - lastmodified: "2025-07-11T19:06:23Z" - mac: ENC[AES256_GCM,data:llPh9WhUZCYsd2C7CH57/n19luVgHQDduyj0x9rcv7zEYAIm191Lcfou7muX2wgNL4Hn60MYSgyt9HQqXlxPhClNjnwGen5jvNBudFlxFwmt5+en4V4CpGHRo3rm56RITywXTyt7w87Nq2LPive5SKydlZZxjtrEyohYLb/S3Hw=,iv:NYGs+Kd+iaVw7zwV0aYVdMXZYOk2nbSVqJwJ+zFeYWI=,tag:5azDIFhgmJXMWECac2dN3A==,type:str] + lastmodified: "2025-08-02T07:43:00Z" + mac: ENC[AES256_GCM,data:Irv3y4/QbofyM5BvE4h/T6zNF3A6oTjDssMOcqmGxUOGpqL11Am1DMHBivkUgEYe4ir9N0kvPUmed1XOyDwImrl06E1mGAT6hOlfVSYKtZP0Pwvi4VVeeP6IAYN56zu8k4X8oIxv7AEfS3Fq94sJ52Fd3xDPPCG4aVtUXxxDuwQ=,iv:HdqbgUVR0lIysZnnPkOkW9gDp9G/EOrHDkwmQH6LVKQ=,tag:amVPLxjvx1Qtv+v27SGtGA==,type:str] pgp: - created_at: "2025-07-20T18:28:37Z" enc: |- diff --git a/resources/z9/yate/docker_compose/regfile.conf.j2 b/resources/z9/yate/docker_compose/regfile.conf.j2 index bf618c7..d082b77 100644 
--- a/resources/z9/yate/docker_compose/regfile.conf.j2
+++ b/resources/z9/yate/docker_compose/regfile.conf.j2
@@ -27,6 +27,11 @@ password={{ secret__yate__sip_extension_fritzbox_dect1 }}
 alternatives=0,1008,1337
 callername=DECT-1
 
+[610]
+password={{ secret__yate__sip_extension_fritzbox_dect2 }}
+alternatives=0,1008,1337
+callername=DECT-2
+
 [100]
 password=test100
 callername=stb 100
From 13a8dc9b6f6205b7be2353bb7bb8a3e520cd7f99 Mon Sep 17 00:00:00 2001
From: Stefan Bethke
Date: Sat, 2 Aug 2025 10:05:58 +0200
Subject: [PATCH 4/5] Fix name, cleanup

---
 .../z9/yate/docker_compose/regfile.conf.j2 | 66 +------------------
 1 file changed, 1 insertion(+), 65 deletions(-)

diff --git a/resources/z9/yate/docker_compose/regfile.conf.j2 b/resources/z9/yate/docker_compose/regfile.conf.j2
index d082b77..95cf70d 100644
--- a/resources/z9/yate/docker_compose/regfile.conf.j2
+++ b/resources/z9/yate/docker_compose/regfile.conf.j2
@@ -27,7 +27,7 @@ password={{ secret__yate__sip_extension_fritzbox_dect1 }}
 alternatives=0,1008,1337
 callername=DECT-1
 
-[610]
+[611]
 password={{ secret__yate__sip_extension_fritzbox_dect2 }}
 alternatives=0,1008,1337
 callername=DECT-2
@@ -35,67 +35,3 @@ callername=DECT-2
 [100]
 password=test100
 callername=stb 100
-
-
-;;;;; old stuff, please clean up stb 2025-07-11
-
-[echt]
-password=test
-alternatives=0,9,91,3248,1337
-
-[test]
-password=test
-alternatives=0,9,92,3248,1337
-
-[unittest1]
-password=test
-alternatives=93,3248,1337
-
-[unittest2]
-password=test
-alternatives=94,3248,1337
-
-[door]
-password=test
-alternatives=0,1,11,3248,1337
-callername=Main Door
-
-[kitchen]
-password=test
-alternatives=0,1,12,3248,1337
-callername=Kitchen
-
-[desk]
-password=test
-alternatives=0,1,13,3248,1337
-callername=Desk
-
-[workshop]
-password=test
-alternatives=0,2,21,3248,1337
-callername=Workshop Lobby
-
-[clean]
-password=test
-alternatives=0,2,22,3248,1337
-callername=Clean Workshop
-
-[dirty]
-password=test
-alternatives=0,2,23,3248,1337
-callername=Dirty Workshop
-
-[dect1]
-password=test
-alternatives=0,3,31,3248,1337
-callername=DECT-1
-
-[analog1]
-password=test
-alternatives=0,4,41,3248,1337
-callername=Analog-1
-
-[analog2]
-password=test
-alternatives=0,4,42,3248,1337
-callername=Analog-2
From 4a617ce50a908126416a3389d2053d9224b5877f Mon Sep 17 00:00:00 2001
From: Sophia
Date: Thu, 14 Aug 2025 22:39:43 +0200
Subject: [PATCH 5/5] [role] add kitchenowl

---
 roles/kitchenowl/README.md | 39 +++++++++++++++++++
 roles/kitchenowl/defaults/main.yml | 10 +++++
 roles/kitchenowl/handlers/main.yml | 18 +++++++++
 roles/kitchenowl/tasks/main.yml | 41 ++++++++++++++++++++
 roles/kitchenowl/templates/docker-compose.j2 | 24 ++++++++++++
 5 files changed, 132 insertions(+)
 create mode 100644 roles/kitchenowl/README.md
 create mode 100644 roles/kitchenowl/defaults/main.yml
 create mode 100644 roles/kitchenowl/handlers/main.yml
 create mode 100644 roles/kitchenowl/tasks/main.yml
 create mode 100644 roles/kitchenowl/templates/docker-compose.j2

diff --git a/roles/kitchenowl/README.md b/roles/kitchenowl/README.md
new file mode 100644
index 0000000..2edaf16
--- /dev/null
+++ b/roles/kitchenowl/README.md
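Review bot: The cleanup removes every `password=test` account but stops one section short: `[100]` with `password=test100` and `callername=stb 100` survives as the only extension in this file whose credential is a literal in the template rather than a sops-managed `secret__yate__sip_extension_*` value, and it is a guessable one of the same kind this commit deletes. If the account is still needed, move its password into yate.sops.yaml under a variable following the existing pattern (a constructed example: `password={{ secret__yate__sip_extension_100 }}`); if it was a test account like the others, drop the three lines in the same commit. Those three lines are context in this hunk, so the edit would go just above the removed block.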
@@ -0,0 +1,39 @@
+# Ansible Kitchenowl deployment with docker
+
+## Introduction
+
+KitchenOwl is a smart self-hosted grocery list and recipe manager. Easily add items to your shopping list before you go shopping. You can also create recipes and get suggestions on what you want to cook. Track your expenses so you know how much you've spent.
+
+- Native Mobile/Web/Desktop apps with a great design
+- Add items to your shopping list and sync them in real-time with multiple users
+- Partial offline support, so you don't lose track of what to buy even when there is no signal
+- Manage recipes and add them to your shopping list
+- Share recipes with friends and family
+- Create a meal plan to always know what you'll be eating
+- Manage balances and track expenses of your household
+
+Checkout more: https://github.com/tombursch/kitchenowl
+
+## Why docker
+
+Whilst I try to refrain from using docker, especially together with ansible, it is the recommended way of installation: https://docs.kitchenowl.org/latest/self-hosting/ .
+
+One could also decide to build from source, but I fear that the chance of brakage is higher than just using docker.
+
+### Notice
+
+This role does not care about creating a rootless docker installation and should primarily used inside a vm.
+
+Checkout https://docs.docker.com/engine/security/rootless/ or https://wiki.archlinux.org/title/Docker#Rootless_Docker_daemon for more information on rootless docker.
+
+## Variables
+
+See [defaults](./defaults/main.yml) for needed variables.
+
+### OIDC
+
+OIDC can be used as decribed in https://docs.kitchenowl.org/latest/self-hosting/oidc/ by enabling `kitchenowl_oidc` and using the respected variables.
+
+### Secrets
+
+Please use secrets as described in [README#Secrets](../../README.md#secrets)
\ No newline at end of file
diff --git a/roles/kitchenowl/defaults/main.yml b/roles/kitchenowl/defaults/main.yml
new file mode 100644
index 0000000..ad69fcc
--- /dev/null
+++ b/roles/kitchenowl/defaults/main.yml
@@ -0,0 +1,10 @@
+kitchenowl_dockertag: "latest"
+kitchenowl_port: "80"
+kitchenowl_path: "/opt/kitchenowl"
+kitchenowl_jwt: USESECRET
+kitchenowl_oidc:
+ enabled: false
+ front_url:
+ oidc_issuer:
+ oidc_client_id:
+ oidc_client_secret:
diff --git a/roles/kitchenowl/handlers/main.yml b/roles/kitchenowl/handlers/main.yml
new file mode 100644
index 0000000..63eda54
--- /dev/null
+++ b/roles/kitchenowl/handlers/main.yml
@@ -0,0 +1,18 @@
+- name: docker compose down
+ community.docker.docker_compose_v2:
+ project_src: "{{ kitchenowl_path }}"
+ state: absent
+
+- name: docker compose up
+ community.docker.docker_compose_v2:
+ project_src: "{{ kitchenowl_path }}"
+
+- name: docker compose stop
+ community.docker.docker_compose_v2:
+ project_src: "{{ kitchenowl_path }}"
+ state: stopped
+
+- name: docker compose restart
+ community.docker.docker_compose_v2:
+ project_src: "{{ kitchenowl_path }}"
+ state: restarted
diff --git a/roles/kitchenowl/tasks/main.yml b/roles/kitchenowl/tasks/main.yml
new file mode 100644
index 0000000..530d468
--- /dev/null
+++ b/roles/kitchenowl/tasks/main.yml
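Review bot: `kitchenowl_dockertag: "latest"` as the shipped default, together with the unconditional `docker_compose_v2_pull` task in tasks/main.yml, means every playbook run may pull a different, unreviewed image for both the web and backend containers, with nothing in the repository recording which version is actually deployed. Pin a release tag here (an image digest is stricter still) and bump it deliberately, keeping `latest` as an explicit per-host opt-in rather than the default. A comment on the line, `# pin to a release tag; "latest" silently rolls forward on every run`, would make the intent visible to whoever copies these defaults.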
@@ -0,0 +1,41 @@
+- name: Install latest docker & docker-compose package
+ ansible.builtin.package:
+ name:
+ - docker
+ - docker-compose
+ state: present
+
+- name: Start and enable docker service
+ ansible.builtin.service:
+ name: docker
+ state: started
+ enabled: true
+
+- name: Ensure kitchenowl directory exists
+ ansible.builtin.file:
+ path: "{{ kitchenowl_path }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Ensure kitchenowl docker-compose.yaml
+ ansible.builtin.template:
+ src: docker-compose.j2
+ dest: "{{ kitchenowl_path }}/docker-compose.yml"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: docker compose up
+ register: output
+
+- name: Ensure latest kitchenowl image pulled
+ community.docker.docker_compose_v2_pull:
+ project_src: "{{ kitchenowl_path }}"
+ notify:
+ - docker compose down
+ - docker compose up
+
+- name: Show results
+ ansible.builtin.debug:
+ var: output
diff --git a/roles/kitchenowl/templates/docker-compose.j2 b/roles/kitchenowl/templates/docker-compose.j2
new file mode 100644
index 0000000..10ad91f
--- /dev/null
+++ b/roles/kitchenowl/templates/docker-compose.j2
@@ -0,0 +1,24 @@
+services:
+ front:
+ image: tombursch/kitchenowl-web:{{ kitchenowl_dockertag }}
+ restart: unless-stopped
+ ports:
+ - "{{ kitchenowl_port }}:80"
+ depends_on:
+ - back
+ back:
+ image: tombursch/kitchenowl-backend:{{ kitchenowl_dockertag }}
+ restart: unless-stopped
+ environment:
+ - JWT_SECRET_KEY={{ kitchenowl_jwt }}
+{% if kitchenowl_oidc['enabled'] %}
+ - FRONT_URL={{ kitchenowl_oidc['front_url'] }}
+ - OIDC_ISSUER={{ kitchenowl_oidc['oidc_issuer'] }}
+ - OIDC_CLIENT_ID={{ kitchenowl_oidc['oidc_client_id'] }}
+ - OIDC_CLIENT_SECRET: {{ kitchenowl_oidc['oidc_client_secret'] }}
+{% endif %}
+ volumes:
+ - kitchenowl_data:/data
+
+volumes:
+ kitchenowl_data:
\ No newline at end of file
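Review bot: `mode: '0644'` on the rendered docker-compose.yml makes a file that carries `JWT_SECRET_KEY` (and `OIDC_CLIENT_SECRET` once OIDC is enabled) readable by every local account; compose runs as root here and needs nothing beyond `mode: '0600'`. Nothing in this task list rejects the placeholder default `kitchenowl_jwt: USESECRET` from defaults/main.yml either, so a host that forgets to override it is deployed with a fixed, published token-signing key; an assert before the template task closes that gap. The `Show results` debug of the registered template result looks harmless as far as I can tell, but with `--diff` the template task itself prints the rendered file including the secrets, so `diff: false` on that task is worth considering.
```yaml
- name: Refuse to deploy with the placeholder JWT secret
  ansible.builtin.assert:
    that: kitchenowl_jwt != 'USESECRET'
    fail_msg: "kitchenowl_jwt must be set from a secret, see README"

# … unchanged: Ensure kitchenowl docker-compose.yaml task, with mode: '0600' instead of '0644' …
```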
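Review bot: `- OIDC_CLIENT_SECRET: {{ kitchenowl_oidc['oidc_client_secret'] }}` uses `:` where the three entries above it use `=`; in the list form of `environment` that line parses as a one-key mapping instead of a `KEY=VALUE` string, so the compose file is rejected (or at best the variable is not passed) as soon as `kitchenowl_oidc.enabled` is true. Change it to `- OIDC_CLIENT_SECRET={{ kitchenowl_oidc['oidc_client_secret'] }}`. Separately, `"{{ kitchenowl_port }}:80"` publishes the frontend on all interfaces, and Docker's own iptables chains can let published ports through rules written for the host's services; when a reverse proxy is meant to sit in front, `"127.0.0.1:{{ kitchenowl_port }}:80"` is the safer default.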