From e033ed4f4410ad680d6e253dc18abf76c34fe2df Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Tue, 25 Jul 2023 10:00:20 +0200 Subject: [PATCH] Update to 2023-07-25 10:00 --- roles/documize/defaults/main.yml | 4 ++-- roles/gitea/defaults/main.yml | 4 ++-- roles/miniflux/defaults/main.yml | 4 ++-- roles/nomad_bin/defaults/main.yml | 4 ++-- roles/odoo/defaults/main.yml | 4 ++-- roles/odoo/tasks/install.yml | 1 + roles/odoo/templates/nginx.conf.j2 | 2 +- roles/odoo/templates/odoo-server.conf.j2 | 2 +- roles/unifi/tasks/main.yml | 4 ++-- roles/unifi/templates/system.properties.j2 | 2 +- roles/unifi/templates/unifi.service.j2 | 2 +- roles/vault_agent/templates/nomad/nomad.hcl.j2 | 2 +- roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 | 4 ++++ 13 files changed, 22 insertions(+), 17 deletions(-) diff --git a/roles/documize/defaults/main.yml b/roles/documize/defaults/main.yml index 26f1be6..218335a 100644 --- a/roles/documize/defaults/main.yml +++ b/roles/documize/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version of cocumize to deploy -documize_version: 5.7.0 +documize_version: 5.8.0 # URL of the binary to install documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64 # Expected sha1 of the binary -documize_bin_sha256: b0a139b25e8e0650b0ca961d79034efafa7da464eb888277ec90ffab6622fa67 +documize_bin_sha256: 0de3277f22638cf0d2bb0efeecaa422a4cdeb02f895a3dc11bd4d97f9835f904 # Should documize handle upgrades or only initial install ? documize_manage_upgrade: True diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index a05f380..c7ee509 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
@@ -1,11 +1,11 @@ --- # Version to install -gitea_version: 1.20.0 +gitea_version: 1.20.1 # URL to the binary gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64 # sha256 of the binary -gitea_bin_sha256: a4db83051bcd5019ecb7879301f849a6513a5c074f1f684be1b39135747c70c9 +gitea_bin_sha256: 02985552f00ea68bbba717611ab1cca2ee42a35ac1cb39374d12a0141d704c58 # Handle updates. If set to false, ansible will only install # Gitea and then won't touch an existing installation gitea_manage_upgrade: True diff --git a/roles/miniflux/defaults/main.yml b/roles/miniflux/defaults/main.yml index 503e168..6492b86 100644 --- a/roles/miniflux/defaults/main.yml +++ b/roles/miniflux/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to install -miniflux_version: 2.0.45 +miniflux_version: 2.0.46 # URL of the binary to install miniflux_bin_url: https://github.com/miniflux/v2/releases/download/{{ miniflux_version }}/miniflux-linux-amd64 # Expected sha256 of the binary -miniflux_bin_sha256: 88699075efaed7b79986a2bfd072a17553065a2c7c151287465c1f659aa45cc9 +miniflux_bin_sha256: 651382232979e4a2f1c37087f0140cb4e2dff5dbe40a62e5144a2cbe08e9a6f3 # Should ansible handle upgrades ? If false, only initial install will be done miniflux_manage_upgrade: True diff --git a/roles/nomad_bin/defaults/main.yml b/roles/nomad_bin/defaults/main.yml index 049bd86..b5b2e0e 100644 --- a/roles/nomad_bin/defaults/main.yml +++ b/roles/nomad_bin/defaults/main.yml @@ -1,9 +1,9 @@ --- # Version of Nomad to install -nomad_version: 1.6.0 +nomad_version: 1.6.1 # URL of the archive nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip # Expected sha256 of the archive -nomad_archive_sha256: c67a4874439b74a25751ebc5549f9873bc9db937d4509403c84e32cef4dae001 +nomad_archive_sha256: e4c01c51c393b266aee4ff184dd97704ae3d838c233a6189425a9f1c31a55f4f 
diff --git a/roles/odoo/defaults/main.yml b/roles/odoo/defaults/main.yml index 8f664f8..668089c 100644 --- a/roles/odoo/defaults/main.yml +++ b/roles/odoo/defaults/main.yml @@ -27,8 +27,8 @@ odoo_src_ip: [] # odoo_public_url: https://erp.domain.tld/ odoo_http_port: 8069 -odoo_longpolling_port: 8072 -odoo_ports: [ "{{ odoo_http_port }}", "{{ odoo_longpolling_port }}" ] +odoo_gevent_port: 8072 +odoo_ports: [ "{{ odoo_http_port }}", "{{ odoo_gevent_port }}" ] odoo_workers: 4 odoo_email: "{{ system_admin_email | default('admin' + ansible_domain ) }}" diff --git a/roles/odoo/tasks/install.yml b/roles/odoo/tasks/install.yml index c1a3e9f..ad33306 100644 --- a/roles/odoo/tasks/install.yml +++ b/roles/odoo/tasks/install.yml @@ -55,6 +55,7 @@ loop: - phonenumbers - python-jose + - flanker tags: odoo - name: Create the PostgreSQL role diff --git a/roles/odoo/templates/nginx.conf.j2 b/roles/odoo/templates/nginx.conf.j2 index 33a700c..9450d07 100644 --- a/roles/odoo/templates/nginx.conf.j2 +++ b/roles/odoo/templates/nginx.conf.j2 @@ -5,7 +5,7 @@ server { root /usr/share/nginx; location /websocket { - proxy_pass http://localhost:{{ odoo_longpolling_port }}; + proxy_pass http://localhost:{{ odoo_gevent_port }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Forwarded-Host $host; diff --git a/roles/odoo/templates/odoo-server.conf.j2 b/roles/odoo/templates/odoo-server.conf.j2 index 7b5a6a6..f974295 100644 --- a/roles/odoo/templates/odoo-server.conf.j2 +++ b/roles/odoo/templates/odoo-server.conf.j2 @@ -8,7 +8,7 @@ addons_path = {{ odoo_root_dir }}/enterprise, {{ odoo_root_dir }}/app/odoo/addon workers = {{ odoo_workers }} max_cron_threads = 1 http_port = {{ odoo_http_port }} -longpolling_port = {{ odoo_longpolling_port }} +gevent_port = {{ odoo_gevent_port }} email_from = {{ odoo_email }} smtp_server = localhost data_dir = {{ odoo_root_dir }}/data 
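Review bot: `- flanker` in `roles/odoo/tasks/install.yml` is added without a version constraint, like the two entries above it. The task that consumes this loop starts outside the hunk, but if the list feeds a pip install, each run pulls whatever release is current on the index, whereas the binaries elsewhere in this commit are pinned by version and sha256. Consider pinning it, e.g. `- flanker==<VERSION>` (placeholder, pick the release you tested), or installing from a requirements file with hashes.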
diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml index 10c0b1e..e9cea05 100644 --- a/roles/unifi/tasks/main.yml +++ b/roles/unifi/tasks/main.yml @@ -190,9 +190,9 @@ line: "{{ item.option }}={{ item.value }}" with_items: - option: unifi.xmx - value: 4096 + value: "{{ unifi_mem_limit }}" - option: unifi.xms - value: 4096 + value: "{{ (unifi_mem_limit * 0.5) | int }}" - option: unifi.G1GC.enabled value: 'true' - option: autobackup.dir diff --git a/roles/unifi/templates/system.properties.j2 b/roles/unifi/templates/system.properties.j2 index bfd2a51..80c0c5f 100644 --- a/roles/unifi/templates/system.properties.j2 +++ b/roles/unifi/templates/system.properties.j2 @@ -1,5 +1,5 @@ unifi.xmx={{ unifi_mem_limit }} -unifi.xms={{ unifi_mem_limit }} +unifi.xms={{ unifi_mem_limit * 0.5 | int }} unifi.G1GC.enabled=true autobackup.dir={{ unifi_root_dir }}/backup unifi.http.port={{ unifi_http_port }} diff --git a/roles/unifi/templates/unifi.service.j2 b/roles/unifi/templates/unifi.service.j2 index 30d3305..0b24eeb 100644 --- a/roles/unifi/templates/unifi.service.j2 +++ b/roles/unifi/templates/unifi.service.j2 
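Review bot: In `roles/unifi/templates/system.properties.j2` the new line `unifi.xms={{ unifi_mem_limit * 0.5 | int }}` is missing the parentheses used in the other two places this commit touches. Jinja2 filters bind tighter than `*`, so `0.5 | int` is evaluated first and yields 0, and for a numeric `unifi_mem_limit` the rendered value is 0 rather than half the limit. It should read `unifi.xms={{ (unifi_mem_limit * 0.5) | int }}`, matching `tasks/main.yml` and `unifi.service.j2`. If the template and the `with_items` loop in `tasks/main.yml` manage the same file, they would otherwise write different values for the same key.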
@@ -6,7 +6,7 @@ After=syslog.target network.target Type=simple User=unifi WorkingDirectory={{ unifi_root_dir }}/app -ExecStart=/usr/bin/java -Djava.awt.headless=true -Xmx{{ unifi_mem_limit }}M -Xms{{ unifi_mem_limit }}M -Djava.net.preferIPv4Stack=true {% if system_proxy is defined and system_proxy != '' %}-Dhttp.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttp.proxyPort={{ system_proxy | urlsplit('port') }} -Dhttps.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttps.proxyPort={{ system_proxy | urlsplit('port') }} {% endif %}-jar {{ unifi_root_dir }}/app/lib/ace.jar start +ExecStart=/usr/bin/java -Djava.awt.headless=true -Xmx{{ unifi_mem_limit }}M -Xms{{ (unifi_mem_limit * 0.5) | int }}M -Djava.net.preferIPv4Stack=true {% if system_proxy is defined and system_proxy != '' %}-Dhttp.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttp.proxyPort={{ system_proxy | urlsplit('port') }} -Dhttps.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttps.proxyPort={{ system_proxy | urlsplit('port') }} {% endif %}-jar {{ unifi_root_dir }}/app/lib/ace.jar start ExecStop=/usr/bin/java -jar {{ unifi_root_dir }}/app/lib/ace.jar stop SuccessExitStatus=143 PrivateTmp=yes diff --git a/roles/vault_agent/templates/nomad/nomad.hcl.j2 b/roles/vault_agent/templates/nomad/nomad.hcl.j2 index d54ca09..642d9bf 100644 --- a/roles/vault_agent/templates/nomad/nomad.hcl.j2 +++ b/roles/vault_agent/templates/nomad/nomad.hcl.j2 @@ -34,7 +34,7 @@ template { perms = 0640 {% if vault_agent_nomad.nomad_pki.cli.enabled and vault_agent_nomad.nomad_pki.cli.secret_path is defined %} exec { - command = ["sh", "-c", "export $(cat /run/nomad/vault.env) && {{ vault_agent_root_dir }}/bin/update_nomad_cert.sh"] + command = ["{{ vault_agent_root_dir }}/bin/update_nomad_cert.sh"] } {% endif %} } diff --git a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 index d06ba56..fd1d93c 100644 
--- a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 +++ b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 @@ -13,6 +13,10 @@ elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then echo "Vault is not initialized yet, exiting" else echo Updating Vault certificate to access Nomad API + if [ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault.env ]; then + echo "Using VAULT_TOKEN from Nomad agent" + export $(cat /run/nomad/vault.env) + fi vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path | default('nomad') }}/config/access \ ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \ client_cert="$(cat {{ nomad_root_dir }}/tls/cli.crt)" \
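Review bot: `export $(cat /run/nomad/vault.env)` in the added block exports every word of that file into the environment of the following `vault write`, not only the token. The substitution is unquoted, so the content is word-split and glob-expanded, and any other assignment in the file (a `PATH=` line, for example) would take effect too; nothing here checks the file's owner or mode. Assuming the file holds a `VAULT_TOKEN=` line, reading only that key is safer: `VAULT_TOKEN="$(sed -n 's/^VAULT_TOKEN=//p' /run/nomad/vault.env)"` followed by `export VAULT_TOKEN`. The test `[ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault.env ]` uses the obsolescent `-a`; `[ -z "${VAULT_TOKEN:-}" ] && [ -r /run/nomad/vault.env ]` is the portable form. The enclosing if/elif chain starts above the hunk and the `vault write` command continues past it.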