From 010ec37bf3a9f2d79d0140647a0cb6460eb39ae9 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 26 Jan 2022 16:00:08 +0100 Subject: [PATCH] Update to 2022-01-26 16:00 --- roles/rabbitmq_server/tasks/conf.yml | 14 +++++++++++-- roles/rabbitmq_server/tasks/facts.yml | 6 ++++-- .../templates/rabbitmq.conf.j2 | 2 ++ roles/repo_elasticsearch/defaults/main.yml | 2 +- .../tasks/install_Debian.yml | 4 ++-- .../tasks/install_RedHat.yml | 21 +++++++++++++++---- roles/repo_samba4/defaults/main.yml | 2 +- roles/repo_zabbix/tasks/Debian.yml | 4 ++-- roles/repo_zabbix/tasks/RedHat.yml | 6 +++--- 9 files changed, 44 insertions(+), 17 deletions(-)
diff --git a/roles/rabbitmq_server/tasks/conf.yml b/roles/rabbitmq_server/tasks/conf.yml
index 7f39e21..2595396 100644
--- a/roles/rabbitmq_server/tasks/conf.yml
+++ b/roles/rabbitmq_server/tasks/conf.yml
@@ -6,8 +6,8 @@
 notify: restart rabbitmq-server
 tags: rabbit
- # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
- # turnserver must be started before that
+# Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+# rabbitmq must be started before that
 - import_tasks: ../includes/create_selfsigned_cert.yml
 vars:
 - cert_path: /etc/rabbitmq/ssl/cert.pem
@@ -15,6 +15,16 @@
 - cert_user: rabbitmq
 tags: rabbitmq
+- name: Check if the cert chain exists
+ stat: path=/etc/rabbitmq/ssl/chain.pem
+ register: rabbitmq_ssl_chain
+ tags: rabbitmq
+
+- name: Copy the cert on the chain file
+ copy: src=/etc/rabbitmq/ssl/cert.pem dest=/etc/rabbitmq/ssl/chain.pem remote_src=True
+ when: not rabbitmq_ssl_chain.stat.exists
+ tags: rabbitmq
+
 - name: Deploy configuration
 template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }}
 notify: restart rabbitmq-server
diff --git a/roles/rabbitmq_server/tasks/facts.yml b/roles/rabbitmq_server/tasks/facts.yml
index 748712e..da2420b 100644
--- a/roles/rabbitmq_server/tasks/facts.yml
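Review bot: The new `copy` task in the second conf.yml hunk creates `/etc/rabbitmq/ssl/chain.pem` without `owner`, `group` or `mode`, so the file gets whatever the connecting user and umask produce, whereas the self-signed cert above is created with `cert_user: rabbitmq`. Setting them explicitly, e.g. `copy: src=/etc/rabbitmq/ssl/cert.pem dest=/etc/rabbitmq/ssl/chain.pem remote_src=True force=no owner=rabbitmq mode=0644`, keeps the broker able to read its CA file, and `force=no` makes the separate `stat` task and `when:` unnecessary. Because the copy only runs while chain.pem is missing, a chain file seeded from an earlier self-signed cert will presumably stay in place if cert.pem is regenerated later; it is worth confirming that whatever installs the real certificate also rewrites chain.pem.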
+++ b/roles/rabbitmq_server/tasks/facts.yml
@@ -1,12 +1,14 @@
 ---
- # On EL8 and newer, rabbitmq config uses the new format
+# On EL8 and newer, rabbitmq config uses the new format
 - set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }}
 tags: rabbitmq
-- when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
+# When obtaining the cert with Let's Encrypt, or when using the default self-signed certificate
+- when: rabbitmq_letsencrypt_cert is defined or (rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined)
 block:
 - set_fact: rabbitmq_ssl_cacert_path='/etc/rabbitmq/ssl/chain.pem'
 - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
 - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
 tags: rabbitmq
+
diff --git a/roles/rabbitmq_server/templates/rabbitmq.conf.j2 b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
index fb69b88..42cadc8 100644
--- a/roles/rabbitmq_server/templates/rabbitmq.conf.j2
+++ b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
@@ -3,8 +3,10 @@ listeners.ssl.default = {{ rabbitmq_ssl_port }}
 {% if rabbitmq_ssl_cacert_path is defined %}
 ssl_options.cacertfile = {{ rabbitmq_ssl_cacert_path }}
 {% endif %}
+{% if rabbitmq_ssl_cert_path is defined and rabbitmq_ssl_key_path is defined %}
 ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
 ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
+{% endif %}
 loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
 management.tcp.port = {{ rabbitmq_web_port }}
 management.tcp.ip = 0.0.0.0
diff --git a/roles/repo_elasticsearch/defaults/main.yml b/roles/repo_elasticsearch/defaults/main.yml
index b4e2605..761ac68 100644
--- a/roles/repo_elasticsearch/defaults/main.yml
+++ b/roles/repo_elasticsearch/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
-es_major_version: 6
+es_major_version: 7
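Review bot: The parentheses added to the `when:` in facts.yml do not change how it evaluates, so a host that sets only one of `rabbitmq_ssl_cert_path` / `rabbitmq_ssl_key_path` still has both, plus `rabbitmq_ssl_cacert_path`, silently replaced by the self-signed defaults in the block. If the new comment means "Let's Encrypt, or nothing supplied", a half-configured pair is better rejected than quietly downgraded to a self-signed certificate; a preceding task such as `- assert: { that: "(rabbitmq_ssl_cert_path is defined) == (rabbitmq_ssl_key_path is defined)" }` would surface it. The block also overwrites an operator-supplied `rabbitmq_ssl_cacert_path` whenever `rabbitmq_letsencrypt_cert` is defined, which deserves a line in the added comment.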
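Review bot: With the new `{% if rabbitmq_ssl_cert_path is defined and rabbitmq_ssl_key_path is defined %}` guard in rabbitmq.conf.j2, a missing variable no longer aborts templating. It instead renders a config that still carries the `listeners.ssl.default` line named in the hunk header, but no `ssl_options.certfile` or `ssl_options.keyfile`. Failing at render time is the safer behaviour for a TLS listener, and facts.yml in this same commit appears to set both paths whenever either is undefined, so the guard looks unreachable in practice. Either drop it, or widen it so the TLS listener line is emitted under the same condition; that line sits above the hunk, so this needs checking against the full template.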
diff --git a/roles/repo_elasticsearch/tasks/install_Debian.yml b/roles/repo_elasticsearch/tasks/install_Debian.yml
index d3d3b7b..5d2ff03 100644
--- a/roles/repo_elasticsearch/tasks/install_Debian.yml
+++ b/roles/repo_elasticsearch/tasks/install_Debian.yml
@@ -2,10 +2,10 @@
 - name: Add ElasticSearch repo key
 apt_key:
 url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
- tags: repo
+ tags: repo,logs
 - name: Add ElasticSearch repository
 apt_repository:
 repo: deb https://artifacts.elastic.co/packages/{{ es_major_version }}.x/apt stable main
 filename: elasticsearch
- tags: repo
+ tags: repo,logs
diff --git a/roles/repo_elasticsearch/tasks/install_RedHat.yml b/roles/repo_elasticsearch/tasks/install_RedHat.yml
index 38aa2fd..3b8bde3 100644
--- a/roles/repo_elasticsearch/tasks/install_RedHat.yml
+++ b/roles/repo_elasticsearch/tasks/install_RedHat.yml
@@ -1,10 +1,23 @@
 ---
-- name: Add ElasticSearch repository
+- name: Add ElasticSearch OSS repository
 yum_repository:
- name: elasticsearch
- description: ElasticSearch
+ name: elasticsearch-oss
+ file: elasticsearch
+ description: ElasticSearch OSS
 baseurl: https://artifacts.elastic.co/packages/oss-{{ es_major_version }}.x/yum
 gpgcheck: True
 repo_gpgcheck: True
 gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
- tags: repo
+ tags: repo,logs
+
+- name: Handle Elasticsearch (non OSS) repository
+ yum_repository:
+ name: elasticsearch
+ file: elasticsearch
+ description: ElasticSearch
+ baseurl: https://artifacts.elastic.co/packages/{{ es_major_version }}.x/yum
+ gpgcheck: True
+ repo_gpgcheck: True
+ gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ state: absent
+ tags: repo,logs
diff --git a/roles/repo_samba4/defaults/main.yml b/roles/repo_samba4/defaults/main.yml
index 9094f7c..cf41117 100644
--- a/roles/repo_samba4/defaults/main.yml
+++ b/roles/repo_samba4/defaults/main.yml
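Review bot: The first task in install_RedHat.yml keeps RedHat hosts on the `oss-{{ es_major_version }}.x` channel while this commit raises the default `es_major_version` to 7. As far as I know upstream stopped publishing OSS builds after 7.10.2, so that repository would no longer deliver security updates; please confirm this is intended, since install_Debian.yml uses the non-OSS `{{ es_major_version }}.x` path. In the added removal task, `state: absent` only needs `name` and `file`, so the `description`, `baseurl`, `gpgcheck`, `repo_gpgcheck` and `gpgkey` lines can go. A name such as `Remove ElasticSearch (non OSS) repository` would say what the task does. The added boolean lines would also read better as `true` rather than `True`.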
@@ -1,3 +1,3 @@
 ---
 # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/
-samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.3') }}
+samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.4') }}
diff --git a/roles/repo_zabbix/tasks/Debian.yml b/roles/repo_zabbix/tasks/Debian.yml
index 26287d8..7257025 100644
--- a/roles/repo_zabbix/tasks/Debian.yml
+++ b/roles/repo_zabbix/tasks/Debian.yml
@@ -5,10 +5,10 @@
 data: "{{ lookup('url', 'https://repo.zabbix.com/zabbix-official-repo.key', split_lines=False) }}"
 environment:
 https_proxy: "{{ system_proxy | default('') }}"
- tags: repo
+ tags: repo,zabbix
 - name: Add Zabbix repo
 apt_repository:
 repo: deb http://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
 filename: zabbix
- tags: repo
+ tags: repo,zabbix
diff --git a/roles/repo_zabbix/tasks/RedHat.yml b/roles/repo_zabbix/tasks/RedHat.yml
index f071c0f..cfa58df 100644
--- a/roles/repo_zabbix/tasks/RedHat.yml
+++ b/roles/repo_zabbix/tasks/RedHat.yml
@@ -34,7 +34,7 @@
 =5TOS
 -----END PGP PUBLIC KEY BLOCK-----
 dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-zabbix
- tags: repo
+ tags: repo,zabbix
 - name: Configure Zabbix repo
 yum_repository:
@@ -46,7 +46,7 @@
 priority: 50
 includepkgs:
 - zabbix*
- tags: repo
+ tags: repo,zabbix
 - name: Configure Zabbix frontend repo
 yum_repository:
@@ -60,4 +60,4 @@
 includepkgs:
 - zabbix*
 state: "{{ (zabbix_major_version is version('5.0', '>=') and zabbix_major_version is version('5.4', '<') and ansible_distribution_major_version is version('8', '<')) | ternary('present', 'absent') }}"
- tags: repo
+ tags: repo,zabbix