Update to 2022-08-01 12:00

2025-04-16 02:03:09 +02:00 · 2022-08-01 12:00:18 +02:00 · 2022-08-01 12:00:18 +02:00 · 1650198b44
commit 1650198b44
parent 75fd1e984a
8 changed files with 84 additions and 72 deletions
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -1,11 +1,11 @@
 ---

 # Version to install
-gitea_version: 1.16.9
+gitea_version: 1.17.0
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: 821dd30afed9ae42b18e727174b078ea9118a6ccc5106d8246bebf8180fcbef3
+gitea_bin_sha256: bc4a8e1f5d5f64d4be2e50c387de08d07c062aecdba2f742c2f61c20accfcc46
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
@ -31,6 +31,9 @@ gitea_web_src_ip: []
 # Enable user registration
 gitea_registration: False

+# Default branch name
+gitea_default_branch: master
+
 # Database settings
 gitea_db_server: "{{ mysql_server | default('localhost') }}"
 gitea_db_name: gitea
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@ -52,6 +52,7 @@ LOG_SQL  = false

 [repository]
 ROOT = {{ gitea_root_dir }}/data/repositories
+DEFAULT_BRANCH = {{ gitea_default_branch }}

 [mailer]
 ENABLED = true
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@ -12,43 +12,51 @@ nomad_root_dir: /opt/nomad

 # user under which nomad will run.
 # Servers can run under an unprivileged user, while clients should run as root (or with equivalent privileges)
-nomad_user: "{{ nomad_client_enabled | ternary('root', 'nomad') }}"
+nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"

 # List of nomad servers (not clients !)
 nomad_servers: []

-# Client related settings
-nomad_client:
-  # Should client be enabled
-  enabled: "{{ (inventory_hostname in nomad_servers) | ternary(False, True) }}"
-  # hostçvolumes:
-  #   - name: mysql
-  #     path: /data/mysql
-  #     read_only: False
-  host_volumes: []
+# Nomad configuration
+nomad_base_conf:
+  log_level: INFO
+  # Client related settings
+  # The default is to act as a client if the hostname is not listed in nomad servers
+  client:
+    # Should client be enabled
+    enabled: "{{ (inventory_hostname in nomad_servers) | ternary(False, True) }}"
+    # host_volumes:
+    #   - name: mysql
+    #     path: /data/mysql
+    #     read_only: False
+    host_volumes: []

-# Server related settings
-nomad_server:
-  # Should server be enabled
-  enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
-  # Expected number of servers to bootstrap the cluster. The default is to wait for all the servers
-  # listed in nomad_servers to be ready, and then to do the bootstrap
-  bootstrap_expect: "{{ nomad_servers | length }}"
-  # Encryption key to use to encrypt inter-server communications
-  # You can generate one with nomad operator keygen command. It must be the same
-  # on all the servers of the cluster. If not defined (the default), the trafic will
-  # not be encrypted
-  # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=
+  # Server related settings
+  server:
+    # Should server be enabled
+    # The default is to act as a server if the hostname is listed in nomad_servers
+    enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
+    # Expected number of servers to bootstrap the cluster. The default is to wait for all the servers
+    # listed in nomad_servers to be ready, and then to do the bootstrap
+    bootstrap_expect: "{{ nomad_servers | length }}"
+    # Encryption key to use to encrypt inter-server communications
+    # You can generate one with nomad operator keygen command. It must be the same
+    # on all the servers of the cluster. If not defined (the default), the trafic will
+    # not be encrypted
+    # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=

-# ui related settings
-nomad_ui:
-  enabled: True
-  # Consul and vault optional URL. This is just to add a shortcut in Nomad's UI
-  # consul_ui: https://consul.example.org
-  # vault_ui: https://vault.example.org
-
-# Log level of the daemon
-nomad_log_level: INFO
+  # UI related settings
+  ui:
+    # Default is to enable the UI on server only
+    enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
+    # Consul and vault optional URL. This is just to add a shortcut in Nomad's UI
+    # consul_ui: https://consul.example.org
+    # vault_ui: https://vault.example.org
+# You can override part of the default config without rewriting everything else
+# the dict will get merged
+nomad_extra_conf: {}
+nomad_host_conf: {}
+nomad_conf: "{{ nomad_base_conf | combine(nomad_extra_conf, recursive=True) | combine(nomad_host_conf, recursive=True) }}"

 # Ports used by Nomad, the protocols, and the list of IP/CIDR for which the ports will be opened in the firewall
 # You can also specify which address/port to advertise (not needed most of the time)
@ -62,12 +70,12 @@ nomad_base_services:
    port: 4647
    proto: [tcp]
    src_ip: []
-    # advertise: 
+    # advertise: y.y.y.y
  serf:
    port: 4648
    proto: [tcp,udp]
    src_ip: []
    # advertise: x.x.x.x
 nomad_extra_services: {}
-nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) }}"
-
+nomad_host_services: {}
+nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
--- a/roles/nomad/tasks/facts.yml
+++ b/roles/nomad/tasks/facts.yml
@ -1,12 +1,25 @@
 ---

- name: Detect installed version
-  block:
-    - import_tasks: ../includes/webapps_set_install_mode.yml
-      vars:
-        - root_dir: "{{ nomad_root_dir }}"
-        - version: "{{ nomad_version }}"
-    - set_fact: nomad_install_mode={{ install_mode | default('none') }}
-    - set_fact: nomad_current_version={{ current_version | default('') }}
+- set_fact: nomad_install_mode='none'
  tags: nomad

+- name: Detect if nomad is installed
+  stat: path=/usr/local/bin/nomad
+  register: nomad_bin
+  tags: nomad
+
+- when: not nomad_bin.stat.exists
+  set_fact: nomad_install_mode='install'
+  tags: nomad
+
+- when: nomad_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/nomad version | perl -pe 's/Nomad v(\d+(\.\d+)*)\s.*/$1/'
+      changed_when: False
+      register: nomad_current_version
+    - set_fact: nomad_current_version={{ nomad_current_version.stdout }}
+  tags: nomad
+
+- when: nomad_bin.stat.exists and nomad_current_version != nomad_version
+  set_fact: nomad_install_mode='upgrade'
--- a/roles/nomad/tasks/iptables.yml
+++ b/roles/nomad/tasks/iptables.yml
@ -6,10 +6,10 @@
    state: "{{ (('tcp' in nomad_services[item].proto or 'udp' in nomad_services[item].proto) and nomad_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
    rules: |
      {% if 'tcp' in nomad_services[item].proto %}
-      -A INPUT -m state --state NEW -p tcp --dport {{ nomad_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p tcp --dport {{ nomad_services[item].port }} -s {{  nomad_services[item].src_ip | join(',') }} -j ACCEPT
      {% endif %}
      {% if 'udp' in nomad_services[item].proto %}
-      -A INPUT -m state --state NEW -p udp --dport {{ nomad_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p udp --dport {{ nomad_services[item].port }} -s {{  nomad_services[item].src_ip | join(',') }} -j ACCEPT
      {% endif %}
  loop: "{{ nomad_services.keys() | list }}"
  tags: firewall,nomad
--- a/roles/nomad/tasks/main.yml
+++ b/roles/nomad/tasks/main.yml
@ -27,9 +27,6 @@
 - include_tasks: services.yml
  tags: always

- include_tasks: write_version.yml
-  tags: always
-
 - include_tasks: archive_post.yml
  when: nomad_install_mode | default('none') == 'upgrade'
  tags: always
--- a/roles/nomad/tasks/write_version.yml
+++ b/roles/nomad/tasks/write_version.yml
@ -1,5 +0,0 @@
---
-
- name: Write installed version
-  copy: content={{ nomad_version }} dest={{ nomad_root_dir }}/meta/ansible_version
-  tags: nomad
--- a/roles/nomad/templates/nomad.hcl.j2
+++ b/roles/nomad/templates/nomad.hcl.j2
@ -1,5 +1,5 @@
 data_dir = "{{ nomad_root_dir }}/data"
-log_level = "{{ nomad_log_level }}"
+log_level = "{{ nomad_conf.log_level }}"
 bind_addr = "0.0.0.0"

 advertise {
@ -16,12 +16,11 @@ ports {
 {% endfor %}
 }

-{% if nomad_server.enabled %}
 server {
-  enabled = true
-  bootstrap_expect = {{ nomad_server.bootstrap_expect }}
-{% if nomad_server.encrypt is defined %}
-  encrypt = "{{ nomad_server.encrypt }}"
+  enabled = {{ nomad_conf.server.enabled | ternary('true', 'false') }}
+  bootstrap_expect = {{ nomad_conf.server.bootstrap_expect }}
+{% if nomad_conf.server.encrypt is defined %}
+  encrypt = "{{ nomad_conf.server.encrypt }}"
 {% endif %}
  server_join {
    retry_join = [
@ -32,37 +31,33 @@ server {
  }
 }

-{% if nomad_client.enabled %}
 client {
-  enabled = true
+  enabled = {{ nomad_conf.client.enabled | ternary('true', 'false') }}
  servers = [
 {% for server in nomad_servers %}
    "{{ server }}",
 {% endfor %}
  ]
-{% for volume in nomad_client.host_volumes %}
+{% for volume in nomad_conf.client.host_volumes %}
  host_volume "{{ volume.name }}" {
    path = "{{ volume.path }}"
 {% if volume.read_only is defined %}
-    read_only = "{{ volume.read_only | ternary('true', 'false') }}
+    read_only = "{{ volume.read_only | ternary('true', 'false') }}"
 {% endif %}
  }
 {% endfor %}
 }
-{% endif %}

-{% if nomad_ui.enabled %}
 ui {
-  enabled = true
-{% if nomad_ui.consul_ui is defined %}
+  enabled = {{ nomad_conf.ui.enabled | ternary('true', 'false') }}
+{% if nomad_conf.ui.consul_ui is defined %}
  consul {
-    ui_url = "{{ nomad_ui.consul_ui }}"
+    ui_url = "{{ nomad_conf.ui.consul_ui }}"
  }
 {% endif %}
-{% if nomad_ui.vault_ui is defined %}
+{% if nomad_conf.ui.vault_ui is defined %}
  vault {
-    ui_url = "{{ nomad_ui.vault_ui }}"
+    ui_url = "{{ nomad_conf.ui.vault_ui }}"
  }
 {% endif %}
 }
-{% endif %}