From 46009264ebe1f0cd894eb827f93cb6e78d1d9ca5 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud 
Date: Wed, 19 Jul 2023 18:00:26 +0200
Subject: [PATCH] Update to 2023-07-19 18:00

---
 roles/consul/templates/consul.hcl.j2 | 2 +-
 roles/consul/templates/reload.hcl.j2 | 9 ++++++---
 roles/gitea/defaults/main.yml | 4 ++--
 roles/gitea/templates/app.ini.j2 | 4 +++-
 roles/gitea/templates/gitea.service.j2 | 2 +-
 roles/matrix_element/defaults/main.yml | 4 ++--
 roles/matrix_synapse/defaults/main.yml | 2 +-
 roles/sftpgo/defaults/main.yml | 4 ++--
 roles/squid/files/acl/software_various.domains | 4 ++++
 roles/taiga/tasks/install.yml | 2 ++
 .../templates/nomad/agent_bundle.pem.tpl.j2 | 16 ++++++++--------
 .../templates/nomad/cli_bundle.pem.tpl.j2 | 8 ++++----
 .../templates/nomad/update_nomad_cert.sh.j2 | 2 +-
 roles/vault_agent/templates/vault-agent.hcl.j2 | 2 +-
 14 files changed, 38 insertions(+), 27 deletions(-)

diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2
index bcb8c9a..f5bf046 100644
--- a/roles/consul/templates/consul.hcl.j2
+++ b/roles/consul/templates/consul.hcl.j2
@@ -102,7 +102,7 @@ acl {
 {% endfor %}
 default_policy = "{{ consul_conf.acl.default_policy }}"
 tokens {
-{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication'] %}
+{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication', 'config_file_service_registration'] %}
 {% if consul_conf.acl.tokens[key] is defined %}
 {{ key }} = "{{ consul_conf.acl.tokens[key] }}"
 {% endif %}
diff --git a/roles/consul/templates/reload.hcl.j2 b/roles/consul/templates/reload.hcl.j2
index c0095d3..2e88fcb 100644
--- a/roles/consul/templates/reload.hcl.j2
+++ b/roles/consul/templates/reload.hcl.j2
@@ -9,9 +9,12 @@ node_meta { {% for service in consul_catalog_services.keys() | list %} services { id = "{{ service }}" - name = "{{ consul_extra_catalog_services[service].name }}" - address = "{{ consul_extra_catalog_services[service].address }}" - port = {{ consul_extra_catalog_services[service].port }} + name = "{{ consul_catalog_services[service].name }}" + address = "{{ consul_catalog_services[service].address }}" + port = {{ consul_catalog_services[service].port }} +{% if consul_catalog_services[service].token is defined %} + token = "{{ consul_catalog_services[service].token }}" +{% endif %} } {% endfor %} diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index beb77dc..a05f380 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to install -gitea_version: 1.19.4 +gitea_version: 1.20.0 # URL to the binary gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64 # sha256 of the binary -gitea_bin_sha256: bf68e8e39c70dc54a7876527d463b517f8af51a2d2924511cd047f479cd8aefd +gitea_bin_sha256: a4db83051bcd5019ecb7879301f849a6513a5c074f1f684be1b39135747c70c9 # Handle updates. If set to false, ansible will only install # Gitea and then won't touch an existing installation gitea_manage_upgrade: True diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 index 607bdf1..f733f61 100644 --- a/roles/gitea/templates/app.ini.j2 +++ b/roles/gitea/templates/app.ini.j2 
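Review bot: The per-service `token` block added inside the `services { ... }` loop writes a Consul ACL secret into the rendered reload.hcl, which until now held only names, addresses and ports. The task that templates this file is outside the hunk, so it is worth confirming it sets a restrictive owner and mode for the result, e.g. `mode: '0600'` with the consul user as owner, and that the rendered file is not collected into any world-readable backup or log. The rename from `consul_extra_catalog_services` to `consul_catalog_services` now matches the variable the loop iterates over, so the lookups no longer depend on two dicts staying in sync.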
@@ -24,12 +24,14 @@ ROOT_URL = {{ gitea_public_url }} DISABLE_SSH = false SSH_PORT = {{ gitea_ssh_port }} LFS_START_SERVER = true -LFS_CONTENT_PATH = {{ gitea_root_dir }}/data/lfs LFS_JWT_SECRET = {{ gitea_tokens.results | selectattr('item','equalto','LFS_JWT_SECRET') | map(attribute='stdout') | first | string }} OFFLINE_MODE = true STATIC_ROOT_PATH = {{ gitea_root_dir }} LANDING_PAGE = explore +[LFS] +PATH = {{ gitea_root_dir }}/data/lfs + [oauth2] JWT_SECRET = {{ gitea_tokens.results | selectattr('item','equalto','JWT_SECRET') | map(attribute='stdout') | first | string }} diff --git a/roles/gitea/templates/gitea.service.j2 b/roles/gitea/templates/gitea.service.j2 index e5c9eb0..f5495b0 100644 --- a/roles/gitea/templates/gitea.service.j2 +++ b/roles/gitea/templates/gitea.service.j2 @@ -4,7 +4,7 @@ After=syslog.target After=network.target [Service] -Type=simple +Type=notify User=gitea Group=gitea WorkingDirectory={{ gitea_root_dir }} diff --git a/roles/matrix_element/defaults/main.yml b/roles/matrix_element/defaults/main.yml index 7d9b1ae..d3b9373 100644 --- a/roles/matrix_element/defaults/main.yml +++ b/roles/matrix_element/defaults/main.yml @@ -5,8 +5,8 @@ element_id: element # Version to deploy, and expected sha256 -element_version: 1.11.35 -element_archive_sha256: b17c11950dbc41c8f9a3c2f89440335d5862432e1b028f6d8529c319099002f6 +element_version: 1.11.36 +element_archive_sha256: ee6f3e1d9350bd64b4751d5b1cd25a19f38577734e177650bd982d261555a905 # Where to install element element_root_dir: /opt/matrix/element diff --git a/roles/matrix_synapse/defaults/main.yml b/roles/matrix_synapse/defaults/main.yml index d53df0f..7acc7ed 100644 --- a/roles/matrix_synapse/defaults/main.yml +++ b/roles/matrix_synapse/defaults/main.yml @@ -1,7 +1,7 @@ --- # Synapse version to deploy -synapse_version: '1.87.0' +synapse_version: '1.88.0' # Should ansible handle Synapse upgrades ? If false, only initial install will be done synapse_manage_upgrade: True 
diff --git a/roles/sftpgo/defaults/main.yml b/roles/sftpgo/defaults/main.yml index 30fe65a..51a60c9 100644 --- a/roles/sftpgo/defaults/main.yml +++ b/roles/sftpgo/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to deploy -sftpgo_version: 2.5.3 +sftpgo_version: 2.5.4 # URL of the archive sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz # Expected sha1 of the archive -sftpgo_archive_sha256: d4b97469052bc67cdc8d833d81a854669e7c3c0d9159de6ca2c2614694dc1c07 +sftpgo_archive_sha256: f2b18ff11d4720c9dc1feb9c688c6b1030afbfda4c2ae553fec58d92e97384e1 # Should ansible handle upgrades ? If False, only initial install will be done sftpgo_manage_upgrade: True diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains index b433627..0089ea8 100644 --- a/roles/squid/files/acl/software_various.domains +++ b/roles/squid/files/acl/software_various.domains @@ -390,3 +390,7 @@ releases.hashicorp.com # COPR repositories download.copr.fedorainfracloud.org + +# TrueNAS +update.ixsystems.com +update.freenas.org diff --git a/roles/taiga/tasks/install.yml b/roles/taiga/tasks/install.yml index 60c1dee..fc9e4bb 100644 --- a/roles/taiga/tasks/install.yml +++ b/roles/taiga/tasks/install.yml @@ -38,6 +38,8 @@ name: - pip - wheel + - reportlab + - svglib virtualenv: "{{ taiga_root_dir }}/venv" virtualenv_command: /bin/python3.9 -m venv diff --git a/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 b/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 index 5c8044f..8df8deb 100644 --- a/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 +++ b/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2 
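Review bot: `reportlab` and `svglib` are added to the Taiga venv without a version pin, so every run resolves whatever is newest on the index and a new release, or a compromised one, changes what is installed with no change in this repository. Pin them in the `name:` list, e.g. `- reportlab==<pinned-version>` and `- svglib==<pinned-version>` (placeholders to be filled from a tested install), so the role is reproducible and a bump is an explicit reviewed change like the version/sha256 bumps elsewhere in this commit. The existing `pip` and `wheel` entries have the same shape but are not touched here. The enclosing `pip` task starts above the hunk.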
@@ -1,11 +1,11 @@ -[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} ]] +[[- with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} -]] [[ 
.CA ]] [[ .Cert ]] [[ .Key ]] -[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "{{ nomad_user }}" "0644" ]] -[[ .CA | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" ]] -[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" ]] -[[ end ]] -[[ with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]] -[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] -[[ end ]] +[[- .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "{{ nomad_user }}" "0644" -]] +[[- .CA | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" -]] +[[- .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" -]] +[[- end ]] +[[- with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]] +[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" -]] +[[- end -]] diff --git a/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 b/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 index eade2b3..797a332 100644 --- a/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 +++ b/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2 
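Review bot: The rewritten `pkiCert` line on the new side still guards the ttl argument with `{% if nomad_vault_secrets.pki.ttl is defined %}` but renders `vault_agent_nomad.nomad_pki.ttl`, so the condition and the value are read from two different variables. If only the first is defined the template render fails on an undefined variable; if only the second is defined the requested ttl is silently dropped and the PKI role's own default presumably applies, which could mean a much longer-lived agent certificate than intended. Both should reference the same key, e.g. `{% if vault_agent_nomad.nomad_pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %}`. The cli_bundle hunk below does not request a ttl at all, so it is unaffected.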
@@ -1,6 +1,6 @@ -[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]] +[[- with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" -]] [[ .Cert ]] [[ .Key ]] -[[ .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]] -[[ .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]] -[[ end ]] +[[- .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" -]] +[[- .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" -]] +[[- end -]] diff --git a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 index 8882018..d06ba56 100644 --- a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 +++ b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 @@ -2,7 +2,7 @@ set -eo pipefail -VAULT_ADDR={{ vault_agent_vault_address }} +VAULT_ADDR=https://{{ inventory_hostname }}:{{ vault_services.api.port | default('8200') }} VAULT_STATUS=$(vault status -format=json) if [ "$(echo ${VAULT_STATUS} | jq .is_self)" != "true" ]; then diff --git a/roles/vault_agent/templates/vault-agent.hcl.j2 b/roles/vault_agent/templates/vault-agent.hcl.j2 index 00aa47b..83100d4 100644 --- a/roles/vault_agent/templates/vault-agent.hcl.j2 +++ b/roles/vault_agent/templates/vault-agent.hcl.j2 @@ -27,7 +27,7 @@ auto_auth { wrap_ttl = "1s" config = { path = "/run/vault_agent/vault.token" - mode = 600 + mode = 0600 } } }
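Review bot: In the update_nomad_cert.sh.j2 hunk, `VAULT_ADDR` is assigned as a plain shell variable and not exported, so the `vault status -format=json` call on the following line only sees the new per-host URL if the variable is exported somewhere outside the hunk; otherwise the CLI falls back to its default address and this change has no effect. Writing it as `export VAULT_ADDR=https://{{ inventory_hostname }}:{{ vault_services.api.port | default('8200') }}` makes the intent explicit. Pointing at `https://{{ inventory_hostname }}` also assumes the local Vault listener presents a certificate that carries that hostname as a SAN and that the CA is supplied to the CLI (for example via `VAULT_CACERT`); worth confirming against the Vault role, since a mismatch turns every renewal run into a TLS failure under `set -e`. The remainder of the script is outside the hunk.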