From 1650198b44f25af15433ff4c8cd2494c8c8afa2f Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 1 Aug 2022 12:00:18 +0200
Subject: [PATCH] Update to 2022-08-01 12:00

---
roles/gitea/defaults/main.yml | 7 ++-
roles/gitea/templates/app.ini.j2 | 1 +
roles/nomad/defaults/main.yml | 76 ++++++++++++++++-------------
roles/nomad/tasks/facts.yml | 29 ++++++++---
roles/nomad/tasks/iptables.yml | 4 +-
roles/nomad/tasks/main.yml | 3 --
roles/nomad/tasks/write_version.yml | 5 --
roles/nomad/templates/nomad.hcl.j2 | 31 +++++-------
8 files changed, 84 insertions(+), 72 deletions(-)
delete mode 100644 roles/nomad/tasks/write_version.yml

diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 72b5c59..333a08f 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 
 # Version to install
-gitea_version: 1.16.9
+gitea_version: 1.17.0
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: 821dd30afed9ae42b18e727174b078ea9118a6ccc5106d8246bebf8180fcbef3
+gitea_bin_sha256: bc4a8e1f5d5f64d4be2e50c387de08d07c062aecdba2f742c2f61c20accfcc46
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
@@ -31,6 +31,9 @@ gitea_web_src_ip: []
 # Enable user registration
 gitea_registration: False
 
+# Default branch name
+gitea_default_branch: master
+
 # Database settings
 gitea_db_server: "{{ mysql_server | default('localhost') }}"
 gitea_db_name: gitea
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
index d6c249a..607bdf1 100644
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -52,6 +52,7 @@ LOG_SQL = false
 
 [repository]
 ROOT = {{ gitea_root_dir }}/data/repositories
+DEFAULT_BRANCH = {{ gitea_default_branch }}
 
 [mailer]
 ENABLED = true
diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index a086418..978912c 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -12,43 +12,51 @@ nomad_root_dir: /opt/nomad
 
 # user under which nomad will run.
 # Servers can run under an unprivileged user, while clients should run as root (or with equivalent privileges)
-nomad_user: "{{ nomad_client_enabled | ternary('root', 'nomad') }}"
+nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"
 
 # List of nomad servers (not clients !)
 nomad_servers: []
 
-# Client related settings
-nomad_client:
- # Should client be enabled
- enabled: "{{ (inventory_hostname in nomad_servers) | ternary(False, True) }}"
- # hostçvolumes:
- # - name: mysql
- # path: /data/mysql
- # read_only: False
- host_volumes: []
+# Nomad configuration
+nomad_base_conf:
+ log_level: INFO
+ # Client related settings
+ # The default is to act as a client if the hostname is not listed in nomad servers
+ client:
+ # Should client be enabled
+ enabled: "{{ (inventory_hostname in nomad_servers) | ternary(False, True) }}"
+ # host_volumes:
+ # - name: mysql
+ # path: /data/mysql
+ # read_only: False
+ host_volumes: []
 
-# Server related settings
-nomad_server:
- # Should server be enabled
- enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
- # Expected number of servers to bootstrap the cluster. The default is to wait for all the servers
- # listed in nomad_servers to be ready, and then to do the bootstrap
- bootstrap_expect: "{{ nomad_servers | length }}"
- # Encryption key to use to encrypt inter-server communications
- # You can generate one with nomad operator keygen command. It must be the same
- # on all the servers of the cluster. If not defined (the default), the trafic will
- # not be encrypted
- # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=
+ # Server related settings
+ server:
+ # Should server be enabled
+ # The default is to act as a server if the hostname is listed in nomad_servers
+ enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
+ # Expected number of servers to bootstrap the cluster. 
The default is to wait for all the servers
+ # listed in nomad_servers to be ready, and then to do the bootstrap
+ bootstrap_expect: "{{ nomad_servers | length }}"
+ # Encryption key to use to encrypt inter-server communications
+ # You can generate one with nomad operator keygen command. It must be the same
+ # on all the servers of the cluster. If not defined (the default), the trafic will
+ # not be encrypted
+ # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=
 
-# ui related settings
-nomad_ui:
- enabled: True
- # Consul and vault optional URL. This is just to add a shortcut in Nomad's UI
- # consul_ui: https://consul.example.org
- # vault_ui: https://vault.example.org
-
-# Log level of the daemon
-nomad_log_level: INFO
+ # UI related settings
+ ui:
+ # Default is to enable the UI on server only
+ enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
+ # Consul and vault optional URL. This is just to add a shortcut in Nomad's UI
+ # consul_ui: https://consul.example.org
+ # vault_ui: https://vault.example.org
+# You can override part of the default config without rewriting everything else
+# the dict will get merged
+nomad_extra_conf: {}
+nomad_host_conf: {}
+nomad_conf: "{{ nomad_base_conf | combine(nomad_extra_conf, recursive=True) | combine(nomad_host_conf, recursive=True) }}"
 
 # Ports used by Nomad, the protocols, and the list of IP/CIDR for which the ports will be opened in the firewall
 # You can also specify which address/port to advertise (not needed most of the time)
@@ -62,12 +70,12 @@ nomad_base_services:
 port: 4647
 proto: [tcp]
 src_ip: []
- # advertise:
+ # advertise: y.y.y.y
 serf:
 port: 4648
 proto: [tcp,udp]
 src_ip: []
 # advertise: x.x.x.x
 nomad_extra_services: {}
-nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) }}"
-
+nomad_host_services: {}
+nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
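Review bot: The comment above `nomad_extra_conf` promises that "the dict will get merged", but `combine(..., recursive=True)` merges nested mappings only: a list such as `client.host_volumes` supplied in `nomad_extra_conf` or `nomad_host_conf` replaces the base list, and a list in `nomad_host_conf` replaces one given in `nomad_extra_conf` as well. Say so where users will look, e.g. `# Nested dicts are merged recursively; lists (client.host_volumes) are replaced, not appended`. Since `nomad_user` now reads `nomad_conf.client.enabled`, a per-host override of `client.enabled` also changes the account the service runs under, which deserves a line in the comment above `nomad_user`. The `server.encrypt` value is the gossip secret, so the comment beside the example key could state that it belongs in a vaulted override rather than a plain defaults or group_vars file.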
diff --git a/roles/nomad/tasks/facts.yml b/roles/nomad/tasks/facts.yml
index b4c7d2e..9b815d3 100644
--- a/roles/nomad/tasks/facts.yml
+++ b/roles/nomad/tasks/facts.yml
@@ -1,12 +1,25 @@
 ---
 
-- name: Detect installed version
- block:
- - import_tasks: ../includes/webapps_set_install_mode.yml
- vars:
- - root_dir: "{{ nomad_root_dir }}"
- - version: "{{ nomad_version }}"
- - set_fact: nomad_install_mode={{ install_mode | default('none') }}
- - set_fact: nomad_current_version={{ current_version | default('') }}
+- set_fact: nomad_install_mode='none'
 tags: nomad
 
+- name: Detect if nomad is installed
+ stat: path=/usr/local/bin/nomad
+ register: nomad_bin
+ tags: nomad
+
+- when: not nomad_bin.stat.exists
+ set_fact: nomad_install_mode='install'
+ tags: nomad
+
+- when: nomad_bin.stat.exists
+ block:
+ - name: Detect installed version
+ shell: /usr/local/bin/nomad version | perl -pe 's/Nomad v(\d+(\.\d+)*)\s.*/$1/'
+ changed_when: False
+ register: nomad_current_version
+ - set_fact: nomad_current_version={{ nomad_current_version.stdout }}
+ tags: nomad
+
+- when: nomad_bin.stat.exists and nomad_current_version != nomad_version
+ set_fact: nomad_install_mode='upgrade'
diff --git a/roles/nomad/tasks/iptables.yml b/roles/nomad/tasks/iptables.yml
index 42f29fd..95b4ee5 100644
--- a/roles/nomad/tasks/iptables.yml
+++ b/roles/nomad/tasks/iptables.yml
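Review bot: The final task, `- when: nomad_bin.stat.exists and nomad_current_version != nomad_version`, is the only one in the hunk without `tags: nomad`, so a run restricted with `--tags nomad` skips it and `nomad_install_mode` stays at 'none' on a host that actually needs an upgrade; add `  tags: nomad` to it like its siblings. Reusing one name for both the registered result and the fact (`register: nomad_current_version` followed by `set_fact: nomad_current_version={{ nomad_current_version.stdout }}`) works but reads as a self-reference; registering as something like `nomad_version_cmd` would make the comparison in the last `when` unambiguous. The `perl -pe` filter passes every line of `nomad version` through, so if that command ever prints more than one line the comparison would report an 'upgrade' on every run; this depends on the binary's output format, which is not visible here. The `key=value` forms (`set_fact: nomad_install_mode='none'`, `stat: path=/usr/local/bin/nomad`) are the old free-form syntax; block YAML under the module name is the usual convention.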
@@ -6,10 +6,10 @@
 state: "{{ (('tcp' in nomad_services[item].proto or 'udp' in nomad_services[item].proto) and nomad_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
 rules: |
 {% if 'tcp' in nomad_services[item].proto %}
- -A INPUT -m state --state NEW -p tcp --dport {{ nomad_services[item].port }} -j ACCEPT
+ -A INPUT -m state --state NEW -p tcp --dport {{ nomad_services[item].port }} -s {{ nomad_services[item].src_ip | join(',') }} -j ACCEPT
 {% endif %}
 {% if 'udp' in nomad_services[item].proto %}
- -A INPUT -m state --state NEW -p udp --dport {{ nomad_services[item].port }} -j ACCEPT
+ -A INPUT -m state --state NEW -p udp --dport {{ nomad_services[item].port }} -s {{ nomad_services[item].src_ip | join(',') }} -j ACCEPT
 {% endif %}
 loop: "{{ nomad_services.keys() | list }}"
 tags: firewall,nomad
diff --git a/roles/nomad/tasks/main.yml b/roles/nomad/tasks/main.yml
index 356d1e4..3ff02fe 100644
--- a/roles/nomad/tasks/main.yml
+++ b/roles/nomad/tasks/main.yml
@@ -27,9 +27,6 @@
 - include_tasks: services.yml
 tags: always
 
-- include_tasks: write_version.yml
- tags: always
-
 - include_tasks: archive_post.yml
 when: nomad_install_mode | default('none') == 'upgrade'
 tags: always
diff --git a/roles/nomad/tasks/write_version.yml b/roles/nomad/tasks/write_version.yml
deleted file mode 100644
index f4b5428..0000000
--- a/roles/nomad/tasks/write_version.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: Write installed version
- copy: content={{ nomad_version }} dest={{ nomad_root_dir }}/meta/ansible_version
- tags: nomad
diff --git a/roles/nomad/templates/nomad.hcl.j2 b/roles/nomad/templates/nomad.hcl.j2
index ec49052..25e8a7e 100644
--- a/roles/nomad/templates/nomad.hcl.j2
+++ b/roles/nomad/templates/nomad.hcl.j2
@@ -1,5 +1,5 @@
 data_dir = "{{ nomad_root_dir }}/data"
-log_level = "{{ nomad_log_level }}"
+log_level = "{{ nomad_conf.log_level }}"
 bind_addr = "0.0.0.0"
 
 advertise {
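Review bot: With `src_ip` empty, `-s {{ nomad_services[item].src_ip | join(',') }}` renders as `-s  -j ACCEPT`, an invalid rule; it is only kept out of the firewall by the `state:` expression at the top of the hunk switching to 'absent' for an empty list, and nothing in `rules:` records that dependency. Either wrap the clause, `{% if nomad_services[item].src_ip | length > 0 %}-s {{ nomad_services[item].src_ip | join(',') }} {% endif %}`, or put a comment on `rules:` saying the rule is deliberately loaded only when `src_ip` is set. The comma-joined `-s` list relies on iptables expanding it into one rule per address; whether the module that loads these rules accepts that form cannot be checked here, because the task's module line is above the hunk and the task itself starts outside it.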
@@ -16,12 +16,11 @@ ports {
 {% endfor %}
 }
 
-{% if nomad_server.enabled %}
 server {
- enabled = true
- bootstrap_expect = {{ nomad_server.bootstrap_expect }}
-{% if nomad_server.encrypt is defined %}
- encrypt = "{{ nomad_server.encrypt }}"
+ enabled = {{ nomad_conf.server.enabled | ternary('true', 'false') }}
+ bootstrap_expect = {{ nomad_conf.server.bootstrap_expect }}
+{% if nomad_conf.server.encrypt is defined %}
+ encrypt = "{{ nomad_conf.server.encrypt }}"
 {% endif %}
 server_join {
 retry_join = [
@@ -32,37 +31,33 @@ server {
 }
 }
 
-{% if nomad_client.enabled %}
 client {
- enabled = true
+ enabled = {{ nomad_conf.client.enabled | ternary('true', 'false') }}
 servers = [
 {% for server in nomad_servers %}
 "{{ server }}",
 {% endfor %}
 ]
-{% for volume in nomad_client.host_volumes %}
+{% for volume in nomad_conf.client.host_volumes %}
 host_volume "{{ volume.name }}" {
 path = "{{ volume.path }}"
 {% if volume.read_only is defined %}
- read_only = "{{ volume.read_only | ternary('true', 'false') }}
+ read_only = "{{ volume.read_only | ternary('true', 'false') }}"
 {% endif %}
 }
 {% endfor %}
 }
-{% endif %}
 
-{% if nomad_ui.enabled %}
 ui {
- enabled = true
-{% if nomad_ui.consul_ui is defined %}
+ enabled = {{ nomad_conf.ui.enabled | ternary('true', 'false') }}
+{% if nomad_conf.ui.consul_ui is defined %}
 consul {
- ui_url = "{{ nomad_ui.consul_ui }}"
+ ui_url = "{{ nomad_conf.ui.consul_ui }}"
 }
 {% endif %}
-{% if nomad_ui.vault_ui is defined %}
+{% if nomad_conf.ui.vault_ui is defined %}
 vault {
- ui_url = "{{ nomad_ui.vault_ui }}"
+ ui_url = "{{ nomad_conf.ui.vault_ui }}"
 }
 {% endif %}
 }
-{% endif %}
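Review bot: Removing `{% if nomad_server.enabled %}` around the server stanza means `encrypt = "{{ nomad_conf.server.encrypt }}"` is now rendered on every node where the key is defined, including client-only nodes, whereas before it only reached enabled servers; `nomad_conf` is the defaults merged with overrides, so a key set at group level would land in nomad.hcl on each client's disk. Guard the secret on the server role as well, `{% if nomad_conf.server.enabled and nomad_conf.server.encrypt is defined %}`. `bootstrap_expect` is likewise emitted on non-server nodes now; Nomad may ignore it when `enabled = false`, but that is not shown here. The `server_join` block continues past the end of the hunk.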
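Review bot: `read_only = "{{ volume.read_only | ternary('true', 'false') }}"` gains its missing closing quote but still emits a quoted string, while the `enabled =` lines added in the same hunk emit bare `true`/`false`; `read_only` is a boolean attribute in Nomad's host_volume stanza, so write it the same way, `read_only = {{ volume.read_only | ternary('true', 'false') }}`, instead of relying on the config loader to coerce the string (whether it does is not visible here). The `client {` stanza that holds this line is fully inside the hunk, so the change is local.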