Update to 2023-07-19 18:00

2025-04-12 00:03:17 +02:00 · 2023-07-19 18:00:26 +02:00 · 2023-07-19 18:00:26 +02:00 · 46009264eb
commit 46009264eb
parent a47b4985b2
14 changed files with 38 additions and 27 deletions
--- a/roles/consul/templates/consul.hcl.j2
+++ b/roles/consul/templates/consul.hcl.j2
@ -102,7 +102,7 @@ acl {
 {% endfor %}
  default_policy = "{{ consul_conf.acl.default_policy }}"
  tokens {
-{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication'] %}
+{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication', 'config_file_service_registration'] %}
 {% if consul_conf.acl.tokens[key] is defined %}
    {{ key }} = "{{ consul_conf.acl.tokens[key] }}"
 {% endif %}
--- a/roles/consul/templates/reload.hcl.j2
+++ b/roles/consul/templates/reload.hcl.j2
@ -9,9 +9,12 @@ node_meta {
 {% for service in consul_catalog_services.keys() | list %}
 services {
  id = "{{ service }}"
-  name = "{{ consul_extra_catalog_services[service].name }}"
-  address = "{{ consul_extra_catalog_services[service].address }}"
-  port = {{ consul_extra_catalog_services[service].port }}
+  name = "{{ consul_catalog_services[service].name }}"
+  address = "{{ consul_catalog_services[service].address }}"
+  port = {{ consul_catalog_services[service].port }}
+{% if consul_catalog_services[service].token is defined %}
+  token = "{{ consul_catalog_services[service].token }}"
+{% endif %}
 }
 {% endfor %}

--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -1,11 +1,11 @@
 ---

 # Version to install
-gitea_version: 1.19.4
+gitea_version: 1.20.0
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: bf68e8e39c70dc54a7876527d463b517f8af51a2d2924511cd047f479cd8aefd
+gitea_bin_sha256: a4db83051bcd5019ecb7879301f849a6513a5c074f1f684be1b39135747c70c9
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@ -24,12 +24,14 @@ ROOT_URL         = {{ gitea_public_url }}
 DISABLE_SSH      = false
 SSH_PORT         = {{ gitea_ssh_port }}
 LFS_START_SERVER = true
-LFS_CONTENT_PATH = {{ gitea_root_dir }}/data/lfs
 LFS_JWT_SECRET   = {{ gitea_tokens.results | selectattr('item','equalto','LFS_JWT_SECRET') | map(attribute='stdout') | first | string }}
 OFFLINE_MODE     = true
 STATIC_ROOT_PATH = {{ gitea_root_dir }}
 LANDING_PAGE     = explore

+[LFS]
+PATH = {{ gitea_root_dir }}/data/lfs
+
 [oauth2]
 JWT_SECRET = {{ gitea_tokens.results | selectattr('item','equalto','JWT_SECRET') | map(attribute='stdout') | first | string }}

--- a/roles/gitea/templates/gitea.service.j2
+++ b/roles/gitea/templates/gitea.service.j2
@ -4,7 +4,7 @@ After=syslog.target
 After=network.target

 [Service]
-Type=simple
+Type=notify
 User=gitea
 Group=gitea
 WorkingDirectory={{ gitea_root_dir }}
--- a/roles/matrix_element/defaults/main.yml
+++ b/roles/matrix_element/defaults/main.yml
@ -5,8 +5,8 @@
 element_id: element

 # Version to deploy, and expected sha256
-element_version: 1.11.35
-element_archive_sha256: b17c11950dbc41c8f9a3c2f89440335d5862432e1b028f6d8529c319099002f6
+element_version: 1.11.36
+element_archive_sha256: ee6f3e1d9350bd64b4751d5b1cd25a19f38577734e177650bd982d261555a905

 # Where to install element
 element_root_dir: /opt/matrix/element
--- a/roles/matrix_synapse/defaults/main.yml
+++ b/roles/matrix_synapse/defaults/main.yml
@ -1,7 +1,7 @@
 ---

 # Synapse version to deploy
-synapse_version: '1.87.0'
+synapse_version: '1.88.0'

 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True
--- a/roles/sftpgo/defaults/main.yml
+++ b/roles/sftpgo/defaults/main.yml
@ -1,11 +1,11 @@
 ---

 # Version to deploy
-sftpgo_version: 2.5.3
+sftpgo_version: 2.5.4
 # URL of the archive
 sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz
 # Expected sha1 of the archive
-sftpgo_archive_sha256: d4b97469052bc67cdc8d833d81a854669e7c3c0d9159de6ca2c2614694dc1c07
+sftpgo_archive_sha256: f2b18ff11d4720c9dc1feb9c688c6b1030afbfda4c2ae553fec58d92e97384e1

 # Should ansible handle upgrades ? If False, only initial install will be done
 sftpgo_manage_upgrade: True
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@ -390,3 +390,7 @@ releases.hashicorp.com

 # COPR repositories
 download.copr.fedorainfracloud.org
+
+# TrueNAS
+update.ixsystems.com
+update.freenas.org
--- a/roles/taiga/tasks/install.yml
+++ b/roles/taiga/tasks/install.yml
@ -38,6 +38,8 @@
        name:
          - pip
          - wheel
+          - reportlab
+          - svglib
        virtualenv: "{{ taiga_root_dir }}/venv"
        virtualenv_command: /bin/python3.9 -m venv

--- a/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2
+++ b/roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2
@ -1,11 +1,11 @@
-[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} ]]
+[[- with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} -]]
 [[ .CA ]]
 [[ .Cert ]]
 [[ .Key ]]
-[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "{{ nomad_user }}" "0644" ]]
-[[ .CA | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" ]]
-[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" ]]
-[[ end ]]
-[[ with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]]
-[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
-[[ end ]]
+[[- .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "{{ nomad_user }}" "0644" -]]
+[[- .CA | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" -]]
+[[- .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" -]]
+[[- end ]]
+[[- with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]]
+[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" -]]
+[[- end -]]
--- a/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2
+++ b/roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2
@ -1,6 +1,6 @@
-[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]]
+[[- with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" -]]
 [[ .Cert ]]
 [[ .Key ]]
-[[ .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]]
-[[ end ]]
+[[- .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" -]]
+[[- .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" -]]
+[[- end -]]
--- a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
+++ b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
@ -2,7 +2,7 @@
  
 set -eo pipefail

-VAULT_ADDR={{ vault_agent_vault_address }}
+VAULT_ADDR=https://{{ inventory_hostname }}:{{ vault_services.api.port | default('8200') }}
 VAULT_STATUS=$(vault status -format=json)

 if [ "$(echo ${VAULT_STATUS} | jq .is_self)" != "true" ]; then
--- a/roles/vault_agent/templates/vault-agent.hcl.j2
+++ b/roles/vault_agent/templates/vault-agent.hcl.j2
@ -27,7 +27,7 @@ auto_auth {
    wrap_ttl = "1s"
    config = {
      path = "/run/vault_agent/vault.token"
-      mode = 600
+      mode = 0600
    }
  }
 }