Update to 2022-09-20 13:00

2022-09-20 13:00:08 +02:00 · 2022-09-20 13:00:08 +02:00 · e6019f8e32
commit e6019f8e32
parent 66df749295
12 changed files with 50 additions and 26 deletions
--- a/roles/ampache/defaults/main.yml
+++ b/roles/ampache/defaults/main.yml
@ -3,10 +3,10 @@
 ampache_id: "1"
 ampache_manage_upgrade: True

-ampache_version: '5.5.1'
+ampache_version: '5.5.2'
 ampache_config_version: 62
 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
-ampache_zip_sha256: 3e37839058c263be990915759eecab9b5da3ec324638a7ff7d8094516f56a85c
+ampache_zip_sha256: 7cd9327bb8cb3015fd3a360645a720ab60ff7af2a0622cecb027543a1a8132b5

 ampache_root_dir: /opt/ampache_{{ ampache_id }}

--- a/roles/consul/tasks/conf.yml
+++ b/roles/consul/tasks/conf.yml
@ -8,7 +8,7 @@
    cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
    cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
    cert_key_group: "{{ consul_user }}"
-    cert_key_mode: 0640
+    cert_key_mode: 640
  tags: consul

 - name: Check if CA exists
--- a/roles/documize/defaults/main.yml
+++ b/roles/documize/defaults/main.yml
@ -1,11 +1,11 @@
 ---

 # Version of cocumize to deploy
-documize_version: 5.2.2
+documize_version: 5.3.0
 # URL of the binary to install
 documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
 # Expected sha1 of the binary
-documize_bin_sha256: 86d635d804853f10bbe190ba40253293b692869ad0efff707005ec6a08f23163
+documize_bin_sha256: d12e55eab88b1920e230c86d115cff6d5d794c1cfa113a66eaa629719e1bb91e

 # Should documize handle upgrades or only initial install ?
 documize_manage_upgrade: True
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@ -1,15 +1,15 @@
 ---

 # Version to deploy
-metabase_version: 0.44.2
+metabase_version: 0.44.3
 # URL to fetch the jar
 metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar
 # Expected sha256 of the jar
-metabase_jar_sha256: 23471284af7fdbd9088cbb4f0c6972cacca9a1f155f408b80dbaade08c13480f
+metabase_jar_sha256: ef8fc6d12251bf2062208b02821f4b948345e8c4b952b08a9a77d328f2c8a6bd
 # When building from source
 metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz
 # Expected sha256 of the archive
-metabase_archive_sha256: bdbfff6f2a7bd0434b8a9885e10f5b0d5c52d0e1918a4b9d091c596b5e5d06ca
+metabase_archive_sha256: 98a51d1f3f5408a8da008745032790e0b32213fb9defa135211cbf44556f30c5
 # Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled
 metabase_manage_upgrade: True

--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@ -133,7 +133,7 @@

 - name: Set ACL on the TLS dir
  shell: |
-    setfacl -R -b -k {{ nomad_root_dir }}/tls
+    setfacl -R -k -b {{ nomad_root_dir }}/tls
    {% if nomad_admin_groups | length > 0 %}
    setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
    setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
@ -153,3 +153,22 @@
  when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl
  tags: nomad

+- name: Ensure the bridge module is loaded
+  modprobe: name=bridge state=present
+  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
+  tags: nomad
+
+- name: Set sysctl
+  sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.val }}"
+    sysctl_file: /etc/sysctl.d/nomad.conf
+    state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
+  loop:
+    - key: net.bridge.bridge-nf-call-arptables
+      val: 1
+    - key: net.bridge.bridge-nf-call-ip6tables
+      val: 1
+    - key: net.bridge.bridge-nf-call-iptables
+      val: 1
+  tags: nomad
--- a/roles/nomad/templates/consul-template.hcl.j2
+++ b/roles/nomad/templates/consul-template.hcl.j2
@ -31,7 +31,7 @@ template {
 {% if nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl %}
 template {
  source          = "{{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl"
-  destination     = "{{ nomad_root_dir }}/tlc/consul_bundle.pem"
+  destination     = "{{ nomad_root_dir }}/tls/consul_bundle.pem"
  left_delimiter  = "[["
  right_delimiter = "]]"
  perms           = 0640
--- a/roles/sftpgo/defaults/main.yml
+++ b/roles/sftpgo/defaults/main.yml
@ -1,11 +1,11 @@
 ---

 # Version to deploy
-sftpgo_version: 2.3.4
+sftpgo_version: 2.3.5
 # URL of the archive
 sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz
 # Expected sha1 of the archive
-sftpgo_archive_sha256: b18ed2ce34ebff4eeadc4c7025a3e870f9a5635a321a946325c1865dd6fa038a
+sftpgo_archive_sha256: 6d80910fcf70d6f1fbcf1ef87a37ada3a7dbdd2b522736eb6e9248eeadbd19ad

 # Should ansible handle upgrades ? If False, only initial install will be done
 sftpgo_manage_upgrade: True
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@ -19,6 +19,10 @@
  notify: restart vault
  tags: vault

+- name: Ensure correct permission on vault private key
+  file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
+  tags: vault
+
 - name: Setup logrotate
  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
  tags: vault
@ -30,8 +34,8 @@
      template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
      notify: restart consul-template-vault

-    - name: Deploy Nomad certificate bundle template for consul-template
-      template: src=nomad_client_bundle.json.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl
+    - name: Deploy Nomad certificate bundle template
+      template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
      notify: restart consul-template-vault

    - name: Deploy the update cert hook
--- a/roles/vault/templates/consul-template.hcl.j2
+++ b/roles/vault/templates/consul-template.hcl.j2
@ -6,10 +6,10 @@ vault {

 {% if vault_secrets.nomad.enabled %}
 template {
-  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl"
+  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
-  destination     = "{{ vault_root_dir }}/tmp/nomad_client_bundle.json"
+  destination     = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
  perms           = 0600
  exec {
    command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
--- a/roles/vault/templates/nomad_client_bundle.json.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.json.tpl.j2
@ -1,3 +0,0 @@
-[[ with secret "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
-[[ .Data | toJSONPretty ]]
-[[ end ]]
--- a/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
@ -0,0 +1,8 @@
+[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
+[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
+[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
+[[ end ]]
--- a/roles/vault/templates/update_nomad_cert.j2
+++ b/roles/vault/templates/update_nomad_cert.j2
@ -5,7 +5,6 @@ set -eo pipefail
 NOMAD_TOKEN=$1
 VAULT_TOKEN=$2

-NOMAD_CERT_BUNDLE={{ vault_root_dir }}/tmp/nomad_client_bundle.json
 VAULT_ADDR={{ vault_conf.api_addr }}

 if [ "$(vault status -format=json| jq .is_self)" != "true" ]; then
@ -20,10 +19,7 @@ else
    vault write {{ vault_secrets.nomad.secret.path }}/config/access \
      address="{{ vault_secrets.nomad.address }}" \
      token="$NOMAD_TOKEN" \
-      ca_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .issuing_ca)" \
-      client_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .certificate)" \
-      client_key="$(cat $NOMAD_CERT_BUNDLE | jq -r .private_key)"
+      ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
+      client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
+      client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
 fi
-
-echo Removing Nomad client certificate from the filesystem
-rm -f $NOMAD_CERT_BUNDLE