Update to 2022-04-29 11:00

2025-10-31 02:41:36 +01:00 · 2022-04-29 11:00:10 +02:00
parent ed77591a35
commit 17cd763bf4
30 changed files with 619 additions and 6 deletions
--- a/roles/ampache/defaults/main.yml
+++ b/roles/ampache/defaults/main.yml
@@ -3,10 +3,10 @@
 ampache_id: "1"
 ampache_manage_upgrade: True

-ampache_version: '5.3.1'
+ampache_version: '5.3.2'
 ampache_config_version: 61
 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
-ampache_zip_sha256: dda828eda42e2f16637495e77388867c79ca023537dc06e19b54ef598927eef6
+ampache_zip_sha256: 786b3a4899185196ba39004bf69af91b2ecc6cae4f5d5cf3603ab009292883e7

 ampache_root_dir: /opt/ampache_{{ ampache_id }}

--- a/roles/matrix_synapse/defaults/main.yml
+++ b/roles/matrix_synapse/defaults/main.yml
@@ -1,7 +1,7 @@
 ---

 # Synapse version to deploy
-synapse_version: 1.56.0
+synapse_version: 1.57.0

 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -84,6 +84,8 @@ nginx_default_vhost_base:

 nginx_default_vhost_extra: {}
 nginx_default_vhost: "{{ nginx_default_vhost_base | combine(nginx_default_vhost_extra,recursive=True) }}"
+# Should HSTS header be added on the default vhost
+nginx_hsts: True

 # List of IP addresses which won't be affected by maintenance redirections
 nginx_maintenance_ip: []
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -90,7 +90,9 @@ http {
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
+{% if nginx_hsts %}
    add_header Strict-Transport-Security $hsts_header;
+{% endif %}

    include /etc/nginx/ansible_conf.d/acme.inc;

--- a/roles/penpot/vars/RedHat-8.yml
+++ b/roles/penpot/vars/RedHat-8.yml
@@ -14,3 +14,5 @@ penpot_packages:
  - liberation-fonts
  - fontforge
  - woff2-tools
+  - git
+  - bzip2
--- a/roles/repo_samba4/defaults/main.yml
+++ b/roles/repo_samba4/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
 # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/
-samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.6') }}
+samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.7') }}
--- a/roles/squash_tm/defaults/main.yml
+++ b/roles/squash_tm/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+
+# Version of Shash TM to install
+squashtm_version: 3.0.4
+# Archive URL which will be downloaded during install/upgrades
+squashtm_archive_url: https://nexus.squashtest.org/nexus/repository/public-releases/tm/core/squash-tm-distribution/{{ squashtm_version }}.RELEASE/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz
+# Expected checksum of the archive
+squashtm_archive_sha256: 9f11049505e5f9678fe7f7454127c697e0e0fe3cc9596adb6f52fef4ee06d6f2
+# Should ansible handle upgrades ? (if False, only initial install and configuration will be done)
+squashtm_manage_upgrade: True
+
+# Directory where Squash TM will be installed
+squashtm_root_dir: /opt/squash_tm
+# User account under which the software will run (will be created if needed)
+squashtm_user: squashtm
+
+# TCP port on which Squash TM will listen
+squashtm_port: 8088
+# List of IP/CIDR for which this port will be reachable (with iptable_manage is True)
+# Empty list means the port won't be opened
+squashtm_src_ip: []
+
+# Database settings
+# Engine can be mysql or postgres
+squashtm_db_engine: mysql
+# Database server
+squashtm_db_server: "{{ (squashtm_db_engine == 'postgres') | ternary(pg_server, mysql_server) | default('localhost') }}"
+squashtm_db_port: "{{ (squashtm_db_engine == 'postgres') | ternary('5432', '3306') }}"
+squashtm_db_user: squashtm
+squashtm_db_name: squashtm
+# If the password is not set, a random one will be created and stored in {{ squashtm_root_dir }}/meta/ansible_dbpass
+# squashtm_db_pass: 'S3cr3t.'
+
+# Credentials in Squash TM database are encrypted with a passphrase. If not defined,
+# a random one will be created and stored in {{ squashtm_root_dir }}/meta/ansible_secret
+# squashtm_secret: p@ssw0rd
--- a/roles/squash_tm/handlers/main.yml
+++ b/roles/squash_tm/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart squash-tm
+  service: name=squash-tm state=restarted
+  when: squashtm_service is not defined or not squashtm_service.changed
--- a/roles/squash_tm/meta/main.yml
+++ b/roles/squash_tm/meta/main.yml
@@ -0,0 +1,8 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: mysql_server
+    when: squashtm_db_engine == 'mysql' and squashtm_db_server in ['localhost', '127.0.0.1']
+  - role: postgresql_server
+    when: squashtm_db_engine == 'postgres' and squashtm_db_server in ['localhost', '127.0.0.1']
--- a/roles/squash_tm/tasks/archive_post.yml
+++ b/roles/squash_tm/tasks/archive_post.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+    ZSTD_NBTHREADS: 0
+  tags: squashtm
+
+- name: Remove archive dir
+  file: path={{ squashtm_root_dir }}/archives/{{ squashtm_current_version }} state=absent
+  tags: squashtm
--- a/roles/squash_tm/tasks/archive_pre.yml
+++ b/roles/squash_tm/tasks/archive_pre.yml
@@ -0,0 +1,60 @@
+---
+
+- name: Create archive dir
+  file: path={{ squashtm_root_dir }}/archives/{{ squashtm_current_version }} state=directory
+  tags: squashtm
+
+- name: Stop service during upgrade
+  service: name={{ item }} state=stopped
+  loop:
+    - squash-tm
+  tags: squashtm
+
+- name: Archive current version
+  synchronize:
+    src: "{{ squashtm_root_dir }}/{{ item }}"
+    dest: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/"
+    delete: True
+    compress: False
+  delegate_to: "{{ inventory_hostname }}"
+  loop:
+    - app
+  tags: squashtm
+
+- when: squashtm_db_engine == 'mysql'
+  block:
+    - name: Install mysqldump
+      package: name=mariadb
+
+    - name: Dump the database
+      mysql_db:
+        state: dump
+        name: "{{ squashtm_db_name }}"
+        target: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/{{ squashtm_db_name }}.sql"
+        login_host: "{{ squashtm_db_server }}"
+        login_port: "{{ squashtm_db_port }}"
+        login_user: "{{ squashtm_db_user }}"
+        login_password: "{{ squashtm_db_pass }}"
+        quick: True
+        single_transaction: True
+
+  tags: squashtm
+
+- when: squashtm_db_engine == 'postgres'
+  block:
+    - name: Install pg_dump
+      package: name=postgresql14
+
+    - name: Dump the database
+      command: >
+        /usr/pgsql-14/bin/pg_dump
+          --clean
+          --create
+          --host={{ squashtm_db_server | quote }}
+          --port={{ squashtm_db_port | quote }}
+          --username={{ squashtm_db_user | quote }} {{ squashtm_db_name | quote }}
+          --file="{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/{{ squashtm_db_name }}.sql"
+      environment:
+        - PGPASSWORD: "{{ squashtm_db_pass }}"
+  tags: squashtm
+
--- a/roles/squash_tm/tasks/cleanup.yml
+++ b/roles/squash_tm/tasks/cleanup.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ squashtm_root_dir }}/tmp/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz"
+    - "{{ squashtm_root_dir }}/tmp/squash-tm"
+    - "{{ squashtm_root_dir }}/app/logs"
+    - "{{ squashtm_root_dir }}/app/conf"
+    - "{{ squashtm_root_dir }}/app/data"
+  tags: squashtm
--- a/roles/squash_tm/tasks/conf.yml
+++ b/roles/squash_tm/tasks/conf.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Deploy Squash TM configuration
+  template: src={{ item }}.j2 dest={{ squashtm_root_dir }}/etc/{{ item }} owner=root group={{ squashtm_user }} mode=640
+  loop:
+    - env
+    - squash.tm.cfg.properties
+    - log4j2.xml
+  notify: restart squash-tm
+  tags: squashtm
+
--- a/roles/squash_tm/tasks/directories.yml
+++ b/roles/squash_tm/tasks/directories.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ squashtm_root_dir }}/archives"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ squashtm_root_dir }}/meta"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ squashtm_root_dir }}/backup"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ squashtm_root_dir }}/app"
+      mode: 755
+    - dir: "{{ squashtm_root_dir }}/logs"
+      owner: "{{ squashtm_user }}"
+      group: "{{ squashtm_user }}"
+      mode: 755
+    - dir: "{{ squashtm_root_dir }}/etc"
+      owner: "{{ squashtm_user }}"
+      group: "{{ squashtm_user }}"
+      mode: 755
+    - dir: "{{ squashtm_root_dir }}/tmp"
+      owner: root
+      group: "{{ squashtm_user }}"
+      mode: 770
+    - dir: "{{ squashtm_root_dir }}/data"
+      owner: "{{ squashtm_user }}"
+      group: "{{ squashtm_user }}"
+      mode: 700
+    - dir: "{{ squashtm_root_dir }}/data/tomcat"
+      owner: "{{ squashtm_user }}"
+      group: "{{ squashtm_user }}"
+      mode: 700
+  tags: squashtm
--- a/roles/squash_tm/tasks/facts.yml
+++ b/roles/squash_tm/tasks/facts.yml
@@ -0,0 +1,39 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: squashtm
+
+# Detect installed version (if any)
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ squashtm_root_dir }}"
+        - version: "{{ squashtm_version }}"
+    - set_fact: squashtm_install_mode={{ (install_mode == 'upgrade' and not squashtm_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: squashtm_current_version={{ current_version | default('') }}
+  tags: squashtm
+
+# Create a random pass for the DB if needed
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ squashtm_root_dir }}/meta/ansible_dbpass"
+    - set_fact: squashtm_db_pass={{ rand_pass }}
+  when: squashtm_db_pass is not defined
+  tags: squashtm
+
+# Create a random pass to encrypt credentials in the database
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ squashtm_root_dir }}/meta/ansible_secret"
+    - set_fact: squashtm_secret={{ rand_pass }}
+  when: squashtm_secret is not defined
+  tags: squashtm
+
--- a/roles/squash_tm/tasks/install.yml
+++ b/roles/squash_tm/tasks/install.yml
@@ -0,0 +1,154 @@
+---
+
+- name: Install dependencies
+  package: name={{ squashtm_packages }}
+  tags: squashtm
+
+- name: Detect exact JRE version
+  block:
+    - command: rpm -q java-11-openjdk
+      args:
+        warn: False
+      changed_when: False
+      register: squashtm_jre11_version
+    - set_fact: squashtm_jre11_version={{ squashtm_jre11_version.stdout | trim }}
+  tags: squashtm
+
+- when: squashtm_install_mode != 'none'
+  block:
+
+    - name: Download Squash TM
+      get_url:
+        url: "{{ squashtm_archive_url }}"
+        dest: "{{ squashtm_root_dir }}/tmp/"
+        checksum: sha256:{{ squashtm_archive_sha256 }}
+
+    - name: Extract Squash TM archive
+      unarchive:
+        src: "{{ squashtm_root_dir }}/tmp/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz"
+        dest: "{{ squashtm_root_dir }}/tmp/"
+        remote_src: True
+
+    - name: Move Squash TM to the app dir
+      synchronize:
+        src: "{{ squashtm_root_dir }}/tmp/squash-tm/"
+        dest: "{{ squashtm_root_dir }}/app/"
+        delete: True
+        compress: False
+      delegate_to: "{{ inventory_hostname }}"
+
+  tags: squashtm
+
+- name: Install the permission script
+  template: src=perms.sh.j2 dest={{ squashtm_root_dir }}/perms.sh mode=755
+  register: squashtm_perm_script
+  tags: squashtm
+
+- name: Fix permissions
+  command: "{{ squashtm_root_dir }}/perms.sh"
+  when: squashtm_install_mode != none or squashtm_perm_script.changed
+  tags: squashtm
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/squashtm owner=root group=root mode=700
+  loop:
+    - pre
+    - post
+  tags: squashtm
+
+- name: Install service unit
+  template: src=squash-tm.service.j2 dest=/etc/systemd/system/squash-tm.service
+  notify: restart squash-tm
+  register: squashtm_unit
+  tags: squashtm
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: squashtm_unit.changed
+  tags: squashtm
+
+- when: squashtm_db_engine == 'postgres'
+  block:
+    - name: Create the PostgreSQL role
+      postgresql_user:
+        db: postgres
+        name: "{{ squashtm_db_user }}"
+        password: "{{ squashtm_db_pass }}"
+        login_host: "{{ squashtm_db_server }}"
+        login_port: "{{ squashtm_db_port }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+
+    - name: Create the PostgreSQL database
+      postgresql_db:
+        name: "{{ squashtm_db_name }}"
+        encoding: UTF-8
+        template: template0
+        owner: "{{ squashtm_db_user }}"
+        login_host: "{{ squashtm_db_server }}"
+        login_port: "{{ squashtm_db_port }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+
+  tags: squashtm
+
+- when: squashtm_db_engine == 'mysql'
+  import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ squashtm_db_name }}"
+    - db_user: "{{ squashtm_db_user }}"
+    - db_server: "{{ squashtm_db_server }}"
+    - db_port: "{{ squashtm_db_port }}"
+    - db_pass: "{{ squashtm_db_pass }}"
+  tags: squashtm
+
+- name: Import initial DB structure (postgresql)
+  postgresql_db:
+    db: "{{ squashtm_db_name }}"
+    state: restore
+    target: "{{ squashtm_root_dir }}/app/database-scripts/postgresql-full-install-version-{{ squashtm_version }}.RELEASE.sql"
+    login_host: "{{ squashtm_db_server }}"
+    login_port: "{{ squashtm_db_port }}"
+    login_user: "{{ squashtm_db_user }}"
+    login_password: "{{ squashtm_db_pass }}"
+  when: squashtm_install_mode == 'install' and squashtm_db_engine == 'postgres'
+  tags: squashtm
+
+- name: Import the initial DB structure (mysql)
+  mysql_db:
+    db: "{{ squashtm_db_name }}"
+    state: import
+    target: "{{ squashtm_root_dir }}/app/database-scripts/mysql-full-install-version-{{ squashtm_version }}.RELEASE.sql"
+    login_host: "{{ squashtm_db_server }}"
+    login_port: "{{ squashtm_db_port }}"
+    login_user: "{{ squashtm_db_user }}"
+    login_password: "{{ squashtm_db_pass }}"
+  when: squashtm_install_mode == 'install' and squashtm_db_engine == 'mysql'
+  tags: squashtm
+
+- name: List database upgrade scripts
+  shell: >
+    ls /opt/squash_tm/app/database-scripts/{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}-* |
+      grep 'upgrade-to' |
+      perl -pe 's/.*upgrade\-to\-(\d+(\.\d+)+).*/$1/' |
+      sort --version-sort
+  register: squashtm_db_upgrade_scripts
+  changed_when: False
+  tags: squashtm
+
+- name: Upgrade the database
+  mysql_db:
+    db: "{{ squashtm_db_name }}"
+    state: import
+    target: "{{ squashtm_root_dir }}/app/database-scripts/{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}-upgrade-to-{{ item }}.sql"
+    login_host: "{{ squashtm_db_server }}"
+    login_port: "{{ squashtm_db_port }}"
+    login_user: "{{ squashtm_db_user }}"
+    login_password: "{{ squashtm_db_pass }}"
+  when:
+    - squashtm_install_mode == 'upgrade'             # Only apply scripts when upgrading Squash TM
+    - squashtm_current_version is version(item, '<') # Apply DB scripts if they are for a more recent version than currently installed
+    - squashtm_version is version(item, '>=')        # Do not apply scripts for more recent version than the one being installed
+  ignore_errors: True
+  loop: "{{ squashtm_db_upgrade_scripts.stdout_lines }}"
+  tags: squashtm
--- a/roles/squash_tm/tasks/iptables.yml
+++ b/roles/squash_tm/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Handle Squash TM port
+  iptables_raw:
+    name: squashtm_port
+    state: "{{ (squashtm_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ squashtm_port }} -s {{ squashtm_src_ip | join(',') }} -j ACCEPT"
+  tags: squashtm
--- a/roles/squash_tm/tasks/main.yml
+++ b/roles/squash_tm/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: archive_pre.yml
+  when: squashtm_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: iptables.yml
+  when: iptables_manage | default(True)
+  tags: always
+
+- include_tasks: services.yml
+  tags: always
+
+- include_tasks: write_version.yml
+  tags: always
+
+- include_tasks: archive_post.yml
+  when: squashtm_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
--- a/roles/squash_tm/tasks/services.yml
+++ b/roles/squash_tm/tasks/services.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable Squash TM service
+  service: name=squash-tm state=started enabled=True
+  register: squashtm_service
+  tags: squashtm
--- a/roles/squash_tm/tasks/user.yml
+++ b/roles/squash_tm/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create user account
+  user:
+    name: "{{ squashtm_user }}"
+    system: True
+    home: "{{ squashtm_root_dir }}"
+    shell: /sbin/nologin
+  tags: squashtm
--- a/roles/squash_tm/tasks/write_version.yml
+++ b/roles/squash_tm/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+  copy: content={{ squashtm_version }} dest={{ squashtm_root_dir }}/meta/ansible_version
+  tags: squashtm
--- a/roles/squash_tm/templates/env.j2
+++ b/roles/squash_tm/templates/env.j2
@@ -0,0 +1,9 @@
+JAR_NAME="squash-tm.war"
+HTTP_PORT={{ squashtm_port }}
+TMP_DIR={{ squashtm_root_dir }}/tmp
+BUNDLES_DIR={{ squashtm_root_dir }}/app/bundles
+CONF_DIR={{ squashtm_root_dir }}/etc
+LOG_DIR={{ squashtm_root_dir }}/logs
+TOMCAT_HOME={{ squashtm_root_dir }}/data/tomcat
+PLUGINS_DIR={{ squashtm_root_dir }}/app/plugins
+DB_TYPE={{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}
--- a/roles/squash_tm/templates/log4j2.xml.j2
+++ b/roles/squash_tm/templates/log4j2.xml.j2
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration status="WARN">
+  <Appenders>
+    <Console name="Console" target="SYSTEM_OUT">
+        <PatternLayout pattern="${sys:PID} %5p [%t] [%X{requestInfo}] --- %c: %m%n"/>
+    </Console>
+  </Appenders>
+  <Loggers>
+    <Root level="info">
+      <AppenderRef ref="Console"/>
+    </Root>
+    <Logger name="org.apache.catalina.startup.DigesterFactory" level="error" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>    
+	<Logger name="org.apache.catalina.util.LifecycleBase" level="error" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.apache.coyote.http11.Http11NioProtocol" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.apache.sshd.common.util.SecurityUtils" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>	
+	<Logger name="org.apache.tomcat.util.net.NioSelectorPool" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.crsh.plugin" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.crsh.ssh" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.hibernate.validator.internal.util.Version" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.springframework.boot.actuate.endpoint.jmx" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.thymeleaf" level="warn" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.squashtest.csp.tm.testautomation" level="error" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+	<Logger name="org.squashtest.tm.plugin.testautomation" level="error" additivity="false" >
+      <AppenderRef ref="Console"/>
+    </Logger>
+  </Loggers>
+</Configuration>
--- a/roles/squash_tm/templates/perms.sh.j2
+++ b/roles/squash_tm/templates/perms.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+chown -R root:root {{ squashtm_root_dir }}/app
+find {{ squashtm_root_dir }}/app -type f -exec chmod 644 "{}" \;
+find {{ squashtm_root_dir }}/app -type d -exec chmod 755 "{}" \;
+restorecon -Rv {{ squashtm_root_dir }}
--- a/roles/squash_tm/templates/post-backup.j2
+++ b/roles/squash_tm/templates/post-backup.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eo pipefail
+
+rm -f {{ squashtm_root_dir }}/backup/*.sql.zst
--- a/roles/squash_tm/templates/pre-backup.j2
+++ b/roles/squash_tm/templates/pre-backup.j2
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if squashtm_db_engine == 'postgres' %}
+{% if squashtm_db_server not in ['localhost', '127.0.0.1'] %}
+PGPASSWORD={{ squashtm_db_pass | quote }} \
+  /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ squashtm_db_user | quote }} \
+  --host={{ squashtm_db_server | quote }} \
+  --port={{ squashtm_db_port }} \
+  {{ squashtm_db_name }} | \
+{% else %}
+su - postgres -c "/usr/pgsql-14/bin/pg_dump --clear {{ squashtm_db_name }}" | \
+{% endif %}
+  zstd -c > {{ squashtm_root_dir }}/backup/{{ squashtm_db_name }}.sql.zst
+{% else %}
+/usr/bin/mysqldump \
+{% if squashtm_db_server not in ['localhost', '127.0.0.1'] %}
+  --user={{ squashtm_db_user | quote }} \
+  --password={{ squashtm_db_pass | quote }} \
+  --host={{ squashtm_db_server | quote }} \
+  --port={{ squashtm_db_port }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ squashtm_db_name }} | \
+  zstd -c > {{ squashtm_root_dir }}/backup/{{ squashtm_db_name }}.sql.zst
+{% endif %}
--- a/roles/squash_tm/templates/squash-tm.service.j2
+++ b/roles/squash_tm/templates/squash-tm.service.j2
@@ -0,0 +1,44 @@
+[Unit]
+Description=Squash TM
+After=syslog.target network.target mariadb.service postgresql.service postgresql-11.service postgresql-12.service postgresql-13.service postgresql-14.service
+
+[Service]
+Type=simple
+User={{ squashtm_user }}
+Group={{ squashtm_user }}
+WorkingDirectory={{ squashtm_root_dir }}/app
+EnvironmentFile={{ squashtm_root_dir }}/etc/env
+ExecStart=/usr/lib/jvm/{{ squashtm_jre11_version }}/bin/java \
+            -Xms128m -Xmx2048m -server \
+            -Duser.language=en \
+            -Djava.io.tmpdir=${TMP_DIR} \
+            -Dlogging.dir=${LOG_DIR} \
+            -jar ${BUNDLES_DIR}/${JAR_NAME} \
+            --spring.config.additional-location=${CONF_DIR}/ \
+            --spring.profiles.active=${DB_TYPE} \
+            --spring.config.name=application,squash.tm.cfg \
+            --logging.config=${CONF_DIR}/log4j2.xml
+UMask=007
+SuccessExitStatus=143
+PrivateTmp=yes
+NoNewPrivileges=true
+MemoryLimit=3072M
+SyslogIdentifier=squash-tm
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+RestrictNamespaces=true
+ReadWritePaths=/run {{ squashtm_root_dir }}/logs {{ squashtm_root_dir }}/data {{ squashtm_root_dir }}/tmp
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/squash_tm/templates/squash.tm.cfg.properties.j2
+++ b/roles/squash_tm/templates/squash.tm.cfg.properties.j2
@@ -0,0 +1,11 @@
+spring.datasource.url=jdbc:{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}://{{ squashtm_db_server }}:{{ squashtm_db_port }}/{{ squashtm_db_name }}
+spring.datasource.username={{ squashtm_db_user }}
+spring.datasource.password={{ squashtm_db_pass }}
+
+server.servlet.session.timeout=3600
+server.port={{ squashtm_port }}
+server.tomcat.basedir={{ squashtm_root_dir }}/data/tomcat
+
+squash.crypto.secret={{ squashtm_secret }}
+squash.path.bundles-path={{ squashtm_root_dir }}/app/bundles
+squash.path.plugins-path={{ squashtm_root_dir }}/plugins
--- a/roles/squash_tm/vars/RedHat-8.yml
+++ b/roles/squash_tm/vars/RedHat-8.yml
@@ -0,0 +1,6 @@
+---
+
+squashtm_packages:
+  - java-11-openjdk
+  - tar
+  - zstd
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@@ -3,11 +3,11 @@
 # Where unifi will be installed
 unifi_root_dir: /opt/unifi
 # Version to deploy
-unifi_version: 7.0.25
+unifi_version: 7.1.61
 # URL to get the installation tarball
 unifi_archive_url: https://www.ubnt.com/downloads/unifi/{{ unifi_version }}/UniFi.unix.zip
 # Expected sha256
-unifi_archive_sha256: 1b18006832dae6830b72925bcb1d7ae1a2e7b82faaddfacd778419c2c8744133
+unifi_archive_sha256: cd42fe6d5d0237718ada796fb011e071ba45429ac9addc72c4534fef1fcdb514
 # Should ansible handle upgrades (if False, only initial install will be done)
 unifi_manage_upgrade: True
 # List of ports used by UniFi controler