Update to 2022-09-02 10:00

2025-10-30 18:31:28 +01:00 · 2022-09-02 10:00:20 +02:00
parent c6ecd988cf
commit 67bfcd5db3
12 changed files with 73 additions and 25 deletions
--- a/roles/drbdtop/tasks/.archive_pre.yml.swp
+++ b/roles/drbdtop/tasks/.archive_pre.yml.swp
--- a/roles/n8n/defaults/main.yml
+++ b/roles/n8n/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # Version to deploy
-n8n_version: 0.188.0
+n8n_version: 0.192.2
 # Root directory where n8n will be installed
 n8n_root_dir: /opt/n8n
 # User account under which n8n will run
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version of Vault to install
-vault_version: 1.11.2
+vault_version: 1.11.3
 # URL of the archive
 vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-vault_archive_sha256: ace4138269cb7214c73529f984b793d66074e3a3ad373eaa77bc9b39490d9ef9
+vault_archive_sha256: b433413ce524f26abe6292f7fc95f267e809daeacdf7ba92b68dead322f92deb
 # Root dir where Nomad will be installed
 vault_root_dir: /opt/vault
@@ -19,6 +19,10 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
 # A token having backup (raft snapshot) permission. If set, ansible will
 # take a snapshot of the data before upgrading vault
 # vault_bkp_token: XXXXX
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:
  api:
--- a/roles/vault/tasks/archive_pre.yml
+++ b/roles/vault/tasks/archive_pre.yml
@@ -4,6 +4,17 @@
  file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
  tags: vault
 #- name: Take a snapshot of the data
 #  command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
 #  when:
 #    - vault_bkp_token is defined
 #    - vault_sys_services.ansible_facts.services['nomad.service'] is defined
 #    - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
 #    - vault_status.initialized is defined and vault_status.initialized
 #    - vault_status.sealed is defined and not vault_status.sealed
 #    - vault_status.leader_address == vault_conf.api_addr
 #  tags: vault
 - name: Backup previous version
  copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
  tags: vault
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@@ -18,3 +18,7 @@
    mode: 0400
  notify: restart vault
  tags: vault
 - name: Setup logrotate
  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
  tags: vault
--- a/roles/vault/tasks/directories.yml
+++ b/roles/vault/tasks/directories.yml
@@ -15,6 +15,11 @@
      owner: root
      group: root
      mode: 700
    - dir: log
      owner: "{{ vault_user }}"
      group: "{{ vault_user }}"
      mode: u=rwX,g=-,o=-
      recurse: True
    - dir: meta
      owner: root
      group: root
--- a/roles/vault/tasks/facts.yml
+++ b/roles/vault/tasks/facts.yml
@@ -1,12 +1,40 @@
 ---
- name: Detect installed version
+- set_fact:
-  block:
+    vault_install_mode: 'none'
-    - import_tasks: ../includes/webapps_set_install_mode.yml
+    vault_status: {}
-      vars:
+  tags: vault
-        - root_dir: "{{ vault_root_dir }}"
+
-        - version: "{{ vault_version }}"
+- name: Detect if vault is installed
-    - set_fact: vault_install_mode={{ install_mode | default('none') }}
+  stat: path=/usr/local/bin/vault
-    - set_fact: vault_current_version={{ current_version | default('') }}
+  register: vault_bin
  tags: vault
 - when: not vault_bin.stat.exists
  set_fact: vault_install_mode='install'
  tags: vault
 - when: vault_bin.stat.exists
  block:
    - name: Detect installed version
      shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
      changed_when: False
      register: vault_current_version
     #- command: /usr/local/bin/vault status -format=json -tls-skip-verify
     #  changed_when: False
     #  register: vault_status
     #  failed_when: False # do not fail if vault is not running
    - set_fact:
        vault_current_version: "{{ vault_current_version.stdout }}"
     #   vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
  tags: vault
 - when: vault_bin.stat.exists and vault_current_version != vault_version
  set_fact: vault_install_mode='upgrade'
  tags: vault
 - name: Check the state of the services
  service_facts:
  register: vault_sys_services
  tags: vault
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -26,9 +26,6 @@
 - include_tasks: services.yml
  tags: always
 - include_tasks: write_version.yml
  tags: always
 - include_tasks: archive_post.yml
  when: vault_install_mode | default('none') == 'upgrade'
  tags: always
--- a/roles/vault/tasks/write_version.yml
+++ b/roles/vault/tasks/write_version.yml
@@ -1,5 +0,0 @@
 ---
 - name: Write installed version
  copy: content={{ vault_version }} dest={{ vault_root_dir }}/meta/ansible_version
  tags: vault
--- a/roles/vault/templates/dehydrated_hook.j2
+++ b/roles/vault/templates/dehydrated_hook.j2
@@ -4,7 +4,7 @@ set -eo pipefail
 {% if vault_letsencrypt_cert is defined %}
-if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
  chown root:vault {{ vault_root_dir }}/tls/vault.key
--- a/roles/vault/templates/logrotate.conf.j2
+++ b/roles/vault/templates/logrotate.conf.j2
@@ -0,0 +1,8 @@
 {{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
  daily
  rotate 365
  compress
  missingok
  copytruncate
  su {{ vault_user }} {{ vault_user }}
 }
--- a/roles/vault/templates/vault.hcl.j2
+++ b/roles/vault/templates/vault.hcl.j2
@@ -51,11 +51,7 @@ service_registration "consul" {
 {% endif %}
 {% endfor %}
 {% if vault_conf.service_registration.service_tags is defined %}
-  service_tags = [
+  service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
 {% for tag in vault_conf.service_registration.service_tags %}
    "{{ tag }}",
 {% endfor %}
  ]
 {% endif %}
 }
 {% endif %}