Update to 2023-06-16 18:00

roles/common/vars/RedHat-9.yml

@@ -0,0 +1,13 @@
+---
+
+system_distro_utils:
+  - openssh-clients
+  - nc
+  - xz
+  - lz4
+  - yum-utils
+  - fuse-sshfs
+  - policycoreutils-python-utils
+  - python3-mysqlclient
+  - python3-psycopg2
+  - zstd

roles/ntp_client/vars/RedHat-9.yml

@@ -0,0 +1,6 @@
+---
+
+ntp_ntpd_service: ntpd
+ntp_chrony_service: chronyd
+ntp_chrony_conf: /etc/chrony.conf
+ntp_chrony_keyfile: /etc/chrony.keys

roles/repo_base/tasks/AlmaLinux-9.yml

@@ -1,5 +1,21 @@
 ---
 
+- set_fact:
+    base_repos:
+      - name: baseos
+        file: almalinux
+        dir: BaseOS
+      - name: appstream
+        file: almalinux
+        dir: AppStream
+      - name: crb
+        file: almalinux
+        dir: CRB
+      - name: extras
+        file: almalinux
+        dir: extras
+  tags: repo
+
 - name: Configure repositories
   yum_repository:
     file: "{{ item.file }}"
@@ -9,19 +25,25 @@
     gpgcheck: True
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
     enabled: "{{ item.enabled | default(True) }}"
-  loop:
-    - name: baseos
-      file: almalinux
-      dir: BaseOS
-    - name: appstream
-      file: almalinux
-      dir: AppStream
-    - name: crb
-      file: almalinux
-      dir: CRB
-    - name: extras
-      file: almalinux
-      dir: extras
+  loop: "{{ base_repos }}"
+  tags: repo
+
+- name: Empty default file
+  yum_repository:
+    file: almalinux-{{ item.name }}
+    name: "{{ item.name }}"
+    state: absent
+  loop: "{{ base_repos }}"
+  tags: repo
+
+- name: Configure COPR for FusionInventory
+  yum_repository:
+    name: fusioninventory
+    description: Copr repo for FusionInventory
+    file: fusioninventory
+    baseurl: https://download.copr.fedorainfracloud.org/results/frsoftware/FusionInventory/epel-$releasever-$basearch/
+    gpgcheck: True
+    gpgkey: https://download.copr.fedorainfracloud.org/results/frsoftware/FusionInventory/pubkey.gpg
   tags: repo
 
 - include_tasks: epel_{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
@@ -32,3 +54,4 @@
 
 - include_tasks: postgres_client_{{ ansible_os_family }}.yml
   tags: always
+

roles/repo_samba4/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
 # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/
-samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.18.2') }}
+samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.18.3') }}

roles/repo_zabbix/tasks/RedHat.yml

@@ -1,48 +1,12 @@
 ---
 
-- name: Install GPG Key for Zabbix repo
-  copy:
-    content: |
-      -----BEGIN PGP PUBLIC KEY BLOCK-----
-      Version: GnuPG v1.4.10 (GNU/Linux)
-      
-      mQENBFeIdv0BCADAzkjO9jHoDRfpJt8XgfsBS8FpANfHF2L29ntRwd8ocDwxXSbt
-      BuGIkUSkOPUTx6i/e9hd8vYh4mcX3yYpiW8Sui4aXbJu9uuSdU5KvPOaTsFeit9j
-      BDK4b0baFYBDpcBBrgQuyviMAVAczu5qlwolA/Vu6DWqah1X9p+4EFa1QitxkhYs
-      3br2ZGy7FZA3f2sZaVhHAPAOBSuQ1W6tiUfTIj/Oc7N+FBjmh3VNfIvMBa0E3rA2
-      JlObxUEywsgGo7FPWnwjZyv883slHp/I3H4Or9VBouTWA2yICeROmMwjr4mOZtJT
-      z9e4v/a2cG/mJXgxCe+FjBvTvrgOVHAXaNwLABEBAAG0IFphYmJpeCBMTEMgPHBh
-      Y2thZ2VyQHphYmJpeC5jb20+iQE4BBMBAgAiBQJXiHb9AhsDBgsJCAcDAgYVCAIJ
-      CgsEFgIDAQIeAQIXgAAKCRAIKrVroU/lkbO8B/4/MhxoUN2RPmH7BzFGIntKEWAw
-      bRkDzyQOk9TjXVegfsBnzmDSdowh7gyteVauvr62jiVtowlE/95vbXqbBCISLqKG
-      i9Wmbrj7lUXBd2sP7eApFzMUhb3G3GuV5pCnRBIzerDfhXiLE9EWRN89JYDxwCLY
-      ctQHieZtdmlnPyCbFF6wcXTHUEHBPqdTa6hvUqQL2lHLFoduqQz4Q47Cz7tZxnbr
-      akAewEToPcjMoteCSfXwF/BRxSUDlN7tKFfBpYQawS8ZtN09ImHOO6CZ/pA0qQim
-      iNiRUfA25onIDWLLY/NMWg+gK94NVVZ7KmFG3upDB5/uefK6Xwu2PsgiXSQguQEN
-      BFeIdv0BCACZgfqgz5YoX+ujVlw1gX1J+ygf10QsUM9GglLEuDiSS/Aa3C2UbgEa
-      +N7JuvzZigGFCvxtAzaerMMDzbliTqtMGJOTjWEVGxWQ3LiY6+NWgmV46AdXik7s
-      UXM155f1vhOzYp6EZj/xtGvyUzTLUkAlnZNrhEUbUmOhDLassVi32hIyMR5W7w6I
-      Ii0zIM1mSuLR0H6oDEpR3GzuGVHGj4/sLeAg7iY5MziGwySBQk0Dg0xH5YqHb+uK
-      zCTH/ILu3srPJq+237Px/PctAZCEA96ogc/DNF2XjdUpMSaEybR0LuHHstAqkrq8
-      AyRtDJNYE+09jDFdUIukhErLuo1YPWqFABEBAAGJAR8EGAECAAkFAleIdv0CGwwA
-      CgkQCCq1a6FP5ZH8+wf/erZneDXqM6xYT8qncFpc1GtOCeODNb19Ii22lDEXd9qN
-      UlAz2SB6zC5oywlnR0o1cglcrW96MD/uuCL/+tTczeB2C455ofs2mhpK7nKiA4FM
-      +JZZ6XSBnq7sfsYD6knbvS//SXQV/qYb4bKMvwYnyMz63escgQhOsTT20ptc/w7f
-      C+YPBR/rHImKspyIwxyqU8EXylFW8f3Ugi2+Fna3CAPR9yQIAChkCjUawUa2VFmm
-      5KP8DHg6oWM5mdqcpvU5DMqpi8SA26DEFvULs8bR+kgDd5AU3I4+ei71GslOdfk4
-      s1soKT4X2UK+dCCXui+/5ZJHakC67t5OgbMas3Hz4Q==
-      =5TOS
-      -----END PGP PUBLIC KEY BLOCK-----
-    dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-zabbix
-  tags: repo,zabbix
-
 - name: Configure Zabbix repo
   yum_repository:
     name: zabbix
     description: Zabbix Repository
     baseurl: http://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/rhel/$releasever/$basearch/
     gpgcheck: True
-    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zabbix
+    gpgkey: "{{ zabbix_repo_key }}"
     priority: 50
     includepkgs:
       - zabbix*

roles/repo_zabbix/tasks/facts.yml

@@ -0,0 +1,10 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: repo,zabbix

roles/repo_zabbix/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
 
+- include_tasks: facts.yml
+  tags: always
+
 - include_tasks: "{{ ansible_os_family }}.yml"
   tags: always

roles/repo_zabbix/vars/RedHat-7.yml

@@ -0,0 +1,3 @@
+---
+
+zabbix_repo_key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-79EA5ED4

roles/repo_zabbix/vars/RedHat-8.yml

@@ -0,0 +1,3 @@
+---
+
+zabbix_repo_key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-79EA5ED4

roles/repo_zabbix/vars/RedHat-9.yml

@@ -0,0 +1,3 @@
+---
+
+zabbix_repo_key: https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD

roles/seafile/defaults/main.yml

@@ -11,11 +11,11 @@
 #   MaxUsers = "9"
 #   Mode = "subscription"
 #   etc...
-seafile_version: "{{ seafile_license is defined | ternary('9.0.16','9.0.10') }}"
+seafile_version: "{{ seafile_license is defined | ternary('10.0.5','10.0.1') }}"
 
 # Archive URL and sha256 are only used for the community version
 seafile_archive_url: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_{{ seafile_version }}_x86-64.tar.gz
-seafile_archive_sha256: cb2a22482e3383c53d5be0d54845a88727f4c42b9cd0e1381e01d9fadbc20670
+seafile_archive_sha256: 4ce8d51c464ccde8478dfb5f6c92a43b6beece210a939e799b647521ce5baf42
 
 seafile_root_dir: /opt/seafile
 seafile_data_dir: "{{ seafile_root_dir }}/data"
@@ -34,6 +34,8 @@ seafile_memcached_server: 127.0.0.1:11211
 # Elasticsearch is only used with pro edition
 seafile_es_server: localhost
 seafile_es_port: 9200
+# Number of shards. Each shard should be between 10 and 50GB for optimal perf
+seafile_es_shards: 1
 
 # Account under which services will run
 seafile_user: seafile
@@ -45,6 +47,8 @@ seafile_group: "{{ seafile_user }}"
 
 # Main seafile daemon port
 seafile_seafile_port: 8082
+# Notification server port
+seafile_notification_port: 8083
 # Seahub port
 seafile_seahub_port: 8000
 
@@ -56,6 +60,10 @@ seafile_webdav_port: 8080
 # empty means only loopback
 seafile_src_ip: []
 
+# JWT private key used by the notification server
+# A random one will be created if not defined
+# seafile_jwt_key: MSjQej7wFv4vxMNvfubfN3wswUE9firjKQ/wnzsGP0g=
+
 # Public URL of the service
 seafile_public_url: http://{{ inventory_hostname }}:{{ seafile_seahub_port }}
 

roles/seafile/files/seafile-pro-server_10.0.5_x86-64_CentOS.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1769a7734571c0abaecc71dafcbc3683a150951f7196eb626bc21ab658958f97
+size 144175847

roles/seafile/files/seafile-pro-server_9.0.16_x86-64_CentOS.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf8c1c9b7d0dfb92f2dd1d306605efe4bf99809639487566a4426e6cd33d2454
-size 98137375

roles/seafile/meta/main.yml

@@ -8,9 +8,6 @@ dependencies:
   - role: mysql_server
     when: seafile_db_server in ['127.0.0.1', 'localhost']
   - role: elasticsearch
-    vars:
-      es_version: 7.16.3
-      es_archive_sha512: d9ad7a510b8bad63788f5081b9431519e0581242499394f7a2c59f6097f8956603b28881e30697c50fe440b0ced7a2eb66afadb0e12bf97126db1d468d3818ff
     when:
       - seafile_license is defined
       - seafile_es_server in ['127.0.0.1', 'localhost']

roles/seafile/tasks/facts.yml

@@ -80,9 +80,20 @@
   when: seafile_db_pass is not defined
   tags: seafile
 
+- name: Generate a JWT private key
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ seafile_root_dir }}/meta/ansible_jwt_key"
+        - size: 45
+        - complex: False
+    - set_fact: seafile_jwt_key={{ rand_pass }}
+  when: seafile_jwt_key is not defined
+  tags: seafile
+
 - name: Set seafile ports
   set_fact:
-    seafile_ports: "{{ [ seafile_seafile_port ] + [ seafile_seahub_port ] }}"
+    seafile_ports: "{{ [ seafile_seafile_port ] + [ seafile_notification_port ] + [ seafile_seahub_port ] }}"
   tags: seafile
 
 - name: Add webdav port

roles/seafile/tasks/install.yml

@@ -18,28 +18,53 @@
   register: seafile_py2
   tags: seafile
 
-- name: Clear the venv as we migrate to py3
+- name: Check if venv uses py 3.6
+  stat: path={{ seafile_root_dir }}/bin/python3.6
+  register: seafile_py36
+  tags: seafile
+
+- name: Clear the venv as we migrate to python 3.9
   file: path={{ seafile_root_dir }}/{{ item }} state=absent
   loop:
     - lib
     - lib64
     - bin
     - include
-  when: seafile_py2.stat.exists
+  when: seafile_py2.stat.exists or seafile_py36.stat.exists
   tags: seafile
 
 - name: Install or update python modules in the virtualenv
   pip:
     state: "{{ (seafile_install_mode == 'upgrade') | ternary('latest', 'present') }}"
     virtualenv: "{{ seafile_root_dir }}"
-    virtualenv_command: /usr/bin/virtualenv-3
-    virtualenv_python: /usr/bin/python3
+    virtualenv_command: /bin/python3.9 -m venv
     name: "{{ seafile_python_libs }}"
   notify:
     - restart seafile
     - restart seahub
   tags: seafile
 
+- name: Installer version specific python modules
+  pip:
+    virtualenv: "{{ seafile_root_dir }}"
+    virtualenv_command: /bin/python3.9 -m venv
+    name:
+      - future==0.18.*
+      - mysqlclient==2.1.*
+      - pillow==9.3.*
+      - captcha==0.4
+      - django_simple_captcha==0.5.*
+      - djangosaml2==1.5.*
+      - pysaml2==7.2.*
+      - pycryptodome==3.16.*
+      - cffi==1.15.1
+      - SQLAlchemy==1.4.3
+      - chardet
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
 - name: Install Seafile pro license
   copy: content={{ seafile_license }} dest={{ seafile_root_dir }}/seafile-license.txt
   when:
@@ -96,6 +121,16 @@
   register: seafile_avatar
   tags: seafile
 
+- name: Check if python2.7 lib dir exists
+  stat: path={{ seafile_root_dir }}/seafile-server/seafile/lib64/python2.7
+  register: seafile_py27_lib
+  tags: seafile
+
+- name: Link py27 lib dir to py3 lib dir
+  file: src={{ seafile_root_dir }}/seafile-server/seafile/lib64/python2.7 dest={{ seafile_root_dir }}/seafile-server/seafile/lib64/python3 state=link force=True
+  when: seafile_py27_lib.stat.exists
+  tags: seafile
+
 - name: Remove default avatar directory
   file: path={{ seafile_root_dir }}/seafile-server/seahub/media/avatars state=absent
   when: seafile_avatar.stat.isdir is defined and seafile_avatar.stat.isdir
@@ -269,7 +304,7 @@
   copy:
     content: |
       #!/bin/bash -e
-      export PYTHONPATH={{ seafile_root_dir }}/lib/python3.6/site-packages/
+      export PYTHONPATH={{ seafile_root_dir }}/lib/python3.9/site-packages/
       {{ seafile_root_dir }}/bin/python3 $@
     dest: /usr/local/bin/seafpy
     mode: 0755

roles/seafile/templates/clean_db.sh.j2

@@ -3,7 +3,6 @@
 set -eo pipefail
 
 PATH=/opt/seafile/bin:/bin:/usr/bin
-PYTHONPATH=/opt/seafile/lib64/python3.6/site-packages/
 PYTHON=/opt/seafile/bin/python
 cd {{ seafile_root_dir }}/seafile-server
 ./seahub.sh python-env python3 seahub/manage.py clearsessions

roles/seafile/templates/perms.sh.j2

@@ -1,5 +1,6 @@
 #!/bin/bash
 
-chown -R seafile:seafile {{ seafile_root_dir }}/seafile-server/pro/elasticsearch/
+chown -R seafile:seafile {{ seafile_root_dir }}/seafile-server/pro
 chown -R seafile:seafile {{ seafile_root_dir }}/seahub-data
+
 restorecon -R {{ seafile_root_dir }}/

roles/seafile/templates/seafevents.conf.j2

@@ -22,6 +22,7 @@ index_office_pdf = true
 external_es_server = true
 es_host = {{ seafile_es_server }}
 es_port = {{ seafile_es_port }}
+shards = {{ seafile_es_shards }}
 
 [OFFICE CONVERTER]
 enabled = true

roles/seafile/templates/seafile.conf.j2

@@ -32,6 +32,12 @@ web_token_expire_time = 7200
 {% if seafile_version is version('9.0.1', '>') %}
 use_go_fileserver = {{ seafile_use_go_fileserver | ternary('true', 'false') }}
 {% endif %}
+{% if seafile_license is defined %}
+use_locked_file_cache = true
+
+[memcached]
+memcached_options = --SERVER={{ seafile_memcached_server }} --POOL-MIN=10 --POOL-MAX=100
+{% endif %}
 
 {% if seafile_license is defined and seafile_scan_av == True %}
 [virus_scan]
@@ -39,3 +45,9 @@ scan_command = {{ seafile_root_dir }}/seafile-server/clamdscan.sh
 virus_code = 1
 nonvirus_code = 0
 {% endif %}
+
+[notification]
+enabled = true
+port = {{ seafile_notification_port }}
+log_level = info
+jwt_private_key = {{ seafile_jwt_key }}

roles/seafile/templates/seafile.service.j2

@@ -5,7 +5,7 @@ After=network.target mariadb.service elasticsearch.service
 [Service]
 Type=forking
 Environment=PATH={{ seafile_root_dir }}/bin:/bin:/usr/bin
-Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.6/site-packages/
+Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.9/site-packages/
 Environment=PYTHON={{ seafile_root_dir }}/bin/python
 ExecStart={{ seafile_root_dir }}/seafile-server/seafile.sh start
 ExecStop={{ seafile_root_dir }}/seafile-server/seafile.sh stop

roles/seafile/templates/seahub.service.j2

@@ -4,7 +4,7 @@ After=network.target seafile.service
 
 [Service]
 Type=forking
-Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.6/site-packages/
+Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.9/site-packages/
 Environment=PYTHON={{ seafile_root_dir }}/bin/python
 ExecStart={{ seafile_root_dir }}/seafile-server/seahub.sh start {{ seafile_seahub_port }}
 ExecStop={{ seafile_root_dir }}/seafile-server/seahub.sh stop

roles/seafile/templates/seahub_settings.py.j2

@@ -4,6 +4,9 @@
 SERVICE_URL = '{{ seafile_public_url }}'
 {% endif %}
 
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_SAMESITE = 'Strict'
+
 SECRET_KEY = "{{ seafile_seahub_secret }}"
 
 DATABASES = {
@@ -84,6 +87,9 @@ LOGGING = {
     },
 }
 
+ENABLE_WEBDAV_SECRET = True
+WEBDAV_SECRET_MIN_LENGTH = 12
+
 EMAIL_USE_TLS = False
 EMAIL_HOST = 'localhost'
 EMAIL_HOST_USER = ''

roles/seafile/vars/RedHat-8.yml

@@ -1,12 +1,10 @@
 ---
 
 seafile_packages:
-  - python3
-  - python3-setuptools
-  - python3-pip
-  - python3-virtualenv
-  - python3-mysql
-  - python3-devel
+  - python39
+  - python39-setuptools
+  - python39-pip
+  - python39-devel
   - gcc
   - gcc-c++
   - ffmpeg
@@ -14,6 +12,7 @@ seafile_packages:
   - libmemcached-devel
   - mysql-devel
   - zlib-devel
+  - openldap-devel
   - gcc
   - tar
   - mariadb
@@ -32,7 +31,7 @@ seafile_python_libs:
   - psd-tools
   - django-pylibmc
   - django-simple-captcha
-  - python3-ldap
+  - python-ldap
   - requests_oauthlib
   - future
   - mysqlclient