From 67bfcd5db3e6550f4841aac4af9728a5bf5147c1 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 2 Sep 2022 10:00:20 +0200
Subject: [PATCH] Update to 2022-09-02 10:00

---
 roles/drbdtop/tasks/.archive_pre.yml.swp | Bin 12288 -> 0 bytes
 roles/n8n/defaults/main.yml | 2 +-
 roles/vault/defaults/main.yml | 8 +++--
 roles/vault/tasks/archive_pre.yml | 11 ++++++
 roles/vault/tasks/conf.yml | 4 +++
 roles/vault/tasks/directories.yml | 5 +++
 roles/vault/tasks/facts.yml | 44 ++++++++++++++++++-----
 roles/vault/tasks/main.yml | 3 --
 roles/vault/tasks/write_version.yml | 5 ---
 roles/vault/templates/dehydrated_hook.j2 | 2 +-
 roles/vault/templates/logrotate.conf.j2 | 8 +++++
 roles/vault/templates/vault.hcl.j2 | 6 +---
 12 files changed, 73 insertions(+), 25 deletions(-)
 delete mode 100644 roles/drbdtop/tasks/.archive_pre.yml.swp
 delete mode 100644 roles/vault/tasks/write_version.yml
 create mode 100644 roles/vault/templates/logrotate.conf.j2

diff --git a/roles/drbdtop/tasks/.archive_pre.yml.swp b/roles/drbdtop/tasks/.archive_pre.yml.swp
deleted file mode 100644
index 0a70390d221288f7023284e9c435fbe909c3cc6a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 12288
zcmeI&zi-n(6bJAN%urMY)<>9ar*x{NNa zm{{5PPhj9Vbr7^5m9gS`(pOIGyXWVRlp)FGlb3t@v=vX3j9W?_9IqAer@hhEm+Pv` z%LhA8oTx0oP)9LA0W)jIJbJ-d0rQEJ=JTK3c?8Di@VJms&tPNRNJ6X2cQ0@~cyt-b@ zoRd3bb9TPArk{3JUUsMdy;9#<;CAT6FHBK6YwBZ8RYZN4DLvA~(X1nBabDY*r{M-l x`uq*yRo%$!PKRpym$v@BZSq0jw&hW|=)rzAGIcB$C{#?tj(U!zus(
diff --git a/roles/n8n/defaults/main.yml b/roles/n8n/defaults/main.yml
index 54b9c3b..56feda8 100644
--- a/roles/n8n/defaults/main.yml
+++ b/roles/n8n/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # Version to deploy
-n8n_version: 0.188.0
+n8n_version: 0.192.2
 # Root directory where n8n will be installed
 n8n_root_dir: /opt/n8n
 # User account under which n8n will run
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index c0614c4..98b7af1 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version of Vault to install
-vault_version: 1.11.2
+vault_version: 1.11.3
 # URL of the archive
 vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-vault_archive_sha256: ace4138269cb7214c73529f984b793d66074e3a3ad373eaa77bc9b39490d9ef9
+vault_archive_sha256: b433413ce524f26abe6292f7fc95f267e809daeacdf7ba92b68dead322f92deb
 # Root dir where Nomad will be installed
 vault_root_dir: /opt/vault
@@ -19,6 +19,10 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
+# A token having backup (raft snapshot) permission. If set, ansible will
+# take a snapshot of the data before upgrading vault
+# vault_bkp_token: XXXXX
+
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:
 api:
diff --git a/roles/vault/tasks/archive_pre.yml b/roles/vault/tasks/archive_pre.yml
index 236f6e5..56e26cd 100644
--- a/roles/vault/tasks/archive_pre.yml
+++ b/roles/vault/tasks/archive_pre.yml
@@ -4,6 +4,17 @@
 file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
 tags: vault
+#- name: Take a snapshot of the data
+# command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
+# when:
+# - vault_bkp_token is defined
+# - vault_sys_services.ansible_facts.services['nomad.service'] is defined
+# - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
+# - vault_status.initialized is defined and vault_status.initialized
+# - vault_status.sealed is defined and not vault_status.sealed
+# - vault_status.leader_address == vault_conf.api_addr
+# tags: vault
+
 - name: Backup previous version
 copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
 tags: vault
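Review bot: `vault_bkp_token` is documented here as a commented default, but the only consumer this commit adds (the raft snapshot task in roles/vault/tasks/archive_pre.yml) is itself committed as a comment, so the variable is currently dead and nothing explains that. The value is a credential, and defaults/main.yml is the one place it should never be written; I would extend the comment with `# Keep the real value in an ansible-vault encrypted vars file, never in defaults/ or plain group_vars`. The `XXXXX` placeholder reads like something to copy, so `# vault_bkp_token:` with no value, or a note that it is a placeholder, is clearer.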
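Review bot: Two of the `when` conditions in the commented-out snapshot task look up `vault_sys_services.ansible_facts.services['nomad.service']`, which reads like a copy-paste from another role; for a Vault upgrade the unit to test is presumably the one the role's `restart vault` handler manages, so this should be corrected before the task is ever enabled. `vault_bkp_token` is only tested with `is defined` and is never handed to the CLI, so once uncommented the `vault operator raft snapshot save` would run without credentials; it will need `environment:` with `VAULT_TOKEN: "{{ vault_bkp_token }}"` (and the API address used elsewhere in the role) plus `no_log: True` so the token never appears in task output. Committing the whole task as a comment also leaves no record of why it is disabled; a one-line `# TODO: disabled until vault_status is populated in facts.yml` would make the dependency on the equally commented status call explicit.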
diff --git a/roles/vault/tasks/conf.yml b/roles/vault/tasks/conf.yml
index e0a6b84..a99a6c4 100644
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@@ -18,3 +18,7 @@
 mode: 0400
 notify: restart vault
 tags: vault
+
+- name: Setup logrotate
+ template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
+ tags: vault
diff --git a/roles/vault/tasks/directories.yml b/roles/vault/tasks/directories.yml
index 7bc2963..a20ee92 100644
--- a/roles/vault/tasks/directories.yml
+++ b/roles/vault/tasks/directories.yml
@@ -15,6 +15,11 @@
 owner: root
 group: root
 mode: 700
+ - dir: log
+ owner: "{{ vault_user }}"
+ group: "{{ vault_user }}"
+ mode: u=rwX,g=-,o=-
+ recurse: True
 - dir: meta
 owner: root
 group: root
diff --git a/roles/vault/tasks/facts.yml b/roles/vault/tasks/facts.yml
index e72cabd..8b27ea5 100644
--- a/roles/vault/tasks/facts.yml
+++ b/roles/vault/tasks/facts.yml
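Review bot: The new `Setup logrotate` task passes its module arguments as a free-form `key=value` string while the task directly above it in this hunk (`mode: 0400`, `notify: restart vault`) uses block YAML; mixing both in one file hurts readability and ansible-lint flags the free-form style. I would write it as `template:` with `src: logrotate.conf.j2` and `dest: /etc/logrotate.d/vault` on their own lines, and add an explicit `mode: "0644"`, since logrotate ignores drop-in files that are group- or world-writable or not owned by root and an explicit mode makes that requirement visible rather than relying on the umask.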
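Review bot: The new `log` entry is the only one in this hunk owned by `vault_user` instead of root and the only one with `recurse: True`, so every run re-applies `u=rwX,g=-,o=-` to everything beneath it, rotated logs included; that is reasonable for access control but deserves a comment such as `# NOTE: owned by the service user because vault writes its own log files here — confirm against the audit/log configuration`. Nothing in this commit points Vault at `{{ vault_root_dir }}/log` (the vault.hcl.j2 hunk only touches service tags), so I assume that configuration lives outside the diff; if it does not, the logrotate rule added in conf.yml rotates an always-empty directory. The spelling `g=-,o=-` should parse the same as the conventional `g=,o=`, which is easier to read.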
@@ -1,12 +1,40 @@
 ---
-- name: Detect installed version
- block:
- - import_tasks: ../includes/webapps_set_install_mode.yml
- vars:
- - root_dir: "{{ vault_root_dir }}"
- - version: "{{ vault_version }}"
- - set_fact: vault_install_mode={{ install_mode | default('none') }}
- - set_fact: vault_current_version={{ current_version | default('') }}
+- set_fact:
+ vault_install_mode: 'none'
+ vault_status: {}
+ tags: vault
+
+- name: Detect if vault is installed
+ stat: path=/usr/local/bin/vault
+ register: vault_bin
+ tags: vault
+
+- when: not vault_bin.stat.exists
+ set_fact: vault_install_mode='install'
+ tags: vault
+
+- when: vault_bin.stat.exists
+ block:
+ - name: Detect installed version
+ shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
+ changed_when: False
+ register: vault_current_version
+ #- command: /usr/local/bin/vault status -format=json -tls-skip-verify
+ # changed_when: False
+ # register: vault_status
+ # failed_when: False # do not fail if vault is not running
+ - set_fact:
+ vault_current_version: "{{ vault_current_version.stdout }}"
+ # vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
+ tags: vault
+
+- when: vault_bin.stat.exists and vault_current_version != vault_version
+ set_fact: vault_install_mode='upgrade'
+ tags: vault
+
+- name: Check the state of the services
+ service_facts:
+ register: vault_sys_services
 tags: vault
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
index ed739f9..a517c66 100644
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -26,9 +26,6 @@
 - include_tasks: services.yml
 tags: always
-- include_tasks: write_version.yml
- tags: always
-
 - include_tasks: archive_post.yml
 when: vault_install_mode | default('none') == 'upgrade'
 tags: always
diff --git a/roles/vault/tasks/write_version.yml b/roles/vault/tasks/write_version.yml
deleted file mode 100644
index 8ca57ec..0000000
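Review bot: In the new `Detect installed version` task the pipeline `shell: /usr/local/bin/vault version | perl -pe ...` returns perl's exit status, so a binary that fails to execute (missing library, half-finished previous upgrade) still yields a successful task with empty stdout; `vault_current_version` then becomes `''` and the last `when` silently selects `upgrade` instead of failing. Run the binary on its own and parse in Jinja: `command: /usr/local/bin/vault version` followed by `vault_current_version: '{{ vault_current_version.stdout.split()[1][1:] }}'`, which relies on the same `Vault vX.Y.Z ...` output shape the perl regex already assumes, keeps the task's own failure semantics and drops the perl dependency on the target. `/usr/local/bin/vault` is hard-coded here while archive_pre.yml in this commit backs up `{{ vault_root_dir }}/bin/vault`; if the former is a symlink to the latter, `stat` with its default `follow: no` reports `exists` even for a dangling link, so `vault_bin.stat.exists` alone is a weak installed-check and a `# presumably a symlink into vault_root_dir — confirm` comment or a stat on the real binary would help.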
--- a/roles/vault/tasks/write_version.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: Write installed version
- copy: content={{ vault_version }} dest={{ vault_root_dir }}/meta/ansible_version
- tags: vault
diff --git a/roles/vault/templates/dehydrated_hook.j2 b/roles/vault/templates/dehydrated_hook.j2
index 6a360a2..16d1e04 100644
--- a/roles/vault/templates/dehydrated_hook.j2
+++ b/roles/vault/templates/dehydrated_hook.j2
@@ -4,7 +4,7 @@ set -eo pipefail
 {% if vault_letsencrypt_cert is defined %}
-if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
 cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
 cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
 chown root:vault {{ vault_root_dir }}/tls/vault.key
diff --git a/roles/vault/templates/logrotate.conf.j2 b/roles/vault/templates/logrotate.conf.j2
new file mode 100644
index 0000000..1c2016e
--- /dev/null
+++ b/roles/vault/templates/logrotate.conf.j2
@@ -0,0 +1,8 @@
+{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
+ daily
+ rotate 365
+ compress
+ missingok
+ copytruncate
+ su {{ vault_user }} {{ vault_user }}
+}
diff --git a/roles/vault/templates/vault.hcl.j2 b/roles/vault/templates/vault.hcl.j2
index 6fd19d7..cd00876 100644
--- a/roles/vault/templates/vault.hcl.j2
+++ b/roles/vault/templates/vault.hcl.j2
@@ -51,11 +51,7 @@ service_registration "consul" {
 {% endif %}
 {% endfor %}
 {% if vault_conf.service_registration.service_tags is defined %}
- service_tags = [
-{% for tag in vault_conf.service_registration.service_tags %}
- "{{ tag }}",
-{% endfor %}
- ]
+ service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
 {% endif %}
 }
 {% endif %}
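Review bot: The corrected line still tests an unquoted `$1`; with `set -eo pipefail` in effect, a call without arguments makes `[` see only `== "domain"` and abort with a syntax error instead of simply not matching. Quote it: `if [ "$1" == "{{ vault_letsencrypt_cert }}" ]; then`. `==` inside `[` is a bash extension, so this assumes the shebang (outside the hunk) is bash; the `if` block and the cert copy it guards also continue outside the hunk.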
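Review bot: `copytruncate` loses any lines Vault writes between the copy and the truncate, which matters if these are file audit device logs (the `*.json` glob suggests they are), since an audit record can then disappear without trace. Vault reopens the file audit device's log on SIGHUP, so the safer pattern is to let logrotate move the file, recreate it for the service user and then signal the daemon; the unit name is not visible in this diff, so the placeholder below must be replaced with the unit the role's `restart vault` handler manages. `rotate 365` with `daily` also keeps a year of potentially sensitive audit data on the node; a comment stating the retention requirement would keep the number from reading as arbitrary.
```jinja
{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
  # … unchanged: daily / rotate 365 / compress / missingok …
  create 0600 {{ vault_user }} {{ vault_user }}
  su {{ vault_user }} {{ vault_user }}
  postrotate
    systemctl kill -s HUP VAULT_UNIT_PLACEHOLDER
  endscript
}
```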
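Review bot: Turning the HCL list into a single string matches what Vault's consul `service_registration` stanza expects for `service_tags` (a comma-separated string), but a reader seeing a list joined into a string is likely to "fix" it back, so add `{# service_tags is a comma-separated string in the consul service_registration stanza, not an HCL list #}` above the new line. The tags are interpolated into a double-quoted HCL string with no escaping, so a tag containing `"` or `,` would break or silently split the configuration; the same comment should state that assumption if the tags can come from user-supplied vars.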