Update to 2022-09-02 10:00

roles/n8n/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
 # Version to deploy
-n8n_version: 0.188.0
+n8n_version: 0.192.2
 # Root directory where n8n will be installed
 n8n_root_dir: /opt/n8n
 # User account under which n8n will run

roles/vault/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version of Vault to install
-vault_version: 1.11.2
+vault_version: 1.11.3
 # URL of the archive
 vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-vault_archive_sha256: ace4138269cb7214c73529f984b793d66074e3a3ad373eaa77bc9b39490d9ef9
+vault_archive_sha256: b433413ce524f26abe6292f7fc95f267e809daeacdf7ba92b68dead322f92deb
 
 # Root dir where Nomad will be installed
 vault_root_dir: /opt/vault
@@ -19,6 +19,10 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
 
+# A token having backup (raft snapshot) permission. If set, ansible will
+# take a snapshot of the data before upgrading vault
+# vault_bkp_token: XXXXX
+
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:
   api:

roles/vault/tasks/archive_pre.yml

@@ -4,6 +4,17 @@
   file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
   tags: vault
 
+#- name: Take a snapshot of the data
+#  command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
+#  when:
+#    - vault_bkp_token is defined
+#    - vault_sys_services.ansible_facts.services['nomad.service'] is defined
+#    - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
+#    - vault_status.initialized is defined and vault_status.initialized
+#    - vault_status.sealed is defined and not vault_status.sealed
+#    - vault_status.leader_address == vault_conf.api_addr
+#  tags: vault
+
 - name: Backup previous version
   copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
   tags: vault

roles/vault/tasks/conf.yml

@@ -18,3 +18,7 @@
     mode: 0400
   notify: restart vault
   tags: vault
+
+- name: Setup logrotate
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
+  tags: vault

roles/vault/tasks/directories.yml

@@ -15,6 +15,11 @@
       owner: root
       group: root
       mode: 700
+    - dir: log
+      owner: "{{ vault_user }}"
+      group: "{{ vault_user }}"
+      mode: u=rwX,g=-,o=-
+      recurse: True
     - dir: meta
       owner: root
       group: root

roles/vault/tasks/facts.yml

@@ -1,12 +1,40 @@
 ---
 
-- name: Detect installed version
-  block:
-    - import_tasks: ../includes/webapps_set_install_mode.yml
-      vars:
-        - root_dir: "{{ vault_root_dir }}"
-        - version: "{{ vault_version }}"
-    - set_fact: vault_install_mode={{ install_mode | default('none') }}
-    - set_fact: vault_current_version={{ current_version | default('') }}
+- set_fact:
+    vault_install_mode: 'none'
+    vault_status: {}
+  tags: vault
+
+- name: Detect if vault is installed
+  stat: path=/usr/local/bin/vault
+  register: vault_bin
+  tags: vault
+
+- when: not vault_bin.stat.exists
+  set_fact: vault_install_mode='install'
+  tags: vault
+
+- when: vault_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
+      changed_when: False
+      register: vault_current_version
+     #- command: /usr/local/bin/vault status -format=json -tls-skip-verify
+     #  changed_when: False
+     #  register: vault_status
+     #  failed_when: False # do not fail if vault is not running
+    - set_fact:
+        vault_current_version: "{{ vault_current_version.stdout }}"
+     #   vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
+  tags: vault
+
+- when: vault_bin.stat.exists and vault_current_version != vault_version
+  set_fact: vault_install_mode='upgrade'
+  tags: vault
+
+- name: Check the state of the services
+  service_facts:
+  register: vault_sys_services
   tags: vault
 

roles/vault/tasks/main.yml

@@ -26,9 +26,6 @@
 - include_tasks: services.yml
   tags: always
 
-- include_tasks: write_version.yml
-  tags: always
-
 - include_tasks: archive_post.yml
   when: vault_install_mode | default('none') == 'upgrade'
   tags: always

roles/vault/tasks/write_version.yml

@@ -1,5 +0,0 @@
----
-
-- name: Write installed version
-  copy: content={{ vault_version }} dest={{ vault_root_dir }}/meta/ansible_version
-  tags: vault

roles/vault/templates/dehydrated_hook.j2

@@ -4,7 +4,7 @@ set -eo pipefail
 
 {% if vault_letsencrypt_cert is defined %}
 
-if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
   cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
   cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
   chown root:vault {{ vault_root_dir }}/tls/vault.key

roles/vault/templates/logrotate.conf.j2

@@ -0,0 +1,8 @@
+{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
+  daily
+  rotate 365
+  compress
+  missingok
+  copytruncate
+  su {{ vault_user }} {{ vault_user }}
+}

roles/vault/templates/vault.hcl.j2

@@ -51,11 +51,7 @@ service_registration "consul" {
 {% endif %}
 {% endfor %}
 {% if vault_conf.service_registration.service_tags is defined %}
-  service_tags = [
-{% for tag in vault_conf.service_registration.service_tags %}
-    "{{ tag }}",
-{% endfor %}
-  ]
+  service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
 {% endif %}
 }
 {% endif %}