From 9c1159e3dea752515820cca0272f463bc29349dd Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 23 Sep 2024 23:00:09 +0200
Subject: [PATCH] Update to 2024-09-23 23:00
---
 roles/backuppc/tasks/main.yml | 2 +-
 roles/gitea/defaults/main.yml | 4 +-
 roles/kimai/defaults/main.yml | 4 +-
 roles/metabase/defaults/main.yml | 6 +-
 roles/nginx/tasks/install.yml | 9 +++
 .../ansible_conf.d/30-vhosts.conf.j2 | 4 +-
 roles/nomad_bin/defaults/main.yml | 4 +-
 roles/ntp_client/tasks/conf.yml | 28 ++++++++++
 roles/ntp_client/tasks/facts.yml | 19 +++++++
 roles/ntp_client/tasks/install.yml | 17 ++++++
 roles/ntp_client/tasks/main.yml | 55 +++---------------
 roles/ntp_client/tasks/services.yml | 5 ++
 roles/ntp_client/templates/chrony.conf.j2 | 7 ++-
 roles/repo_zabbix/tasks/Debian.yml | 32 ++++++-----
 .../squid/files/acl/software_various.domains | 3 +
 roles/unifi/defaults/main.yml | 4 +-
 16 files changed, 127 insertions(+), 76 deletions(-)
 create mode 100644 roles/ntp_client/tasks/conf.yml
 create mode 100644 roles/ntp_client/tasks/facts.yml
 create mode 100644 roles/ntp_client/tasks/install.yml
 create mode 100644 roles/ntp_client/tasks/services.yml
diff --git a/roles/backuppc/tasks/main.yml b/roles/backuppc/tasks/main.yml
index bfb5dc3..470c34c 100644
--- a/roles/backuppc/tasks/main.yml
+++ b/roles/backuppc/tasks/main.yml
@@ -23,7 +23,7 @@
 - tar
 - samba-client
 - openssh-clients
- - BackupPC-server-scripts
+ #- BackupPC-server-scripts
 - fuse-chunkfs
 tags: bpc
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 471e9b1..80b7c2d 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version to install
-gitea_version: '1.22.1'
+gitea_version: '1.22.2'
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c
+gitea_bin_sha256: 310d7dfa48680f3eaa5fe2998ca7a8a1f707518c1772b64d85fb3b9e197188d3
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
diff --git a/roles/kimai/defaults/main.yml b/roles/kimai/defaults/main.yml
index cefcd35..14d82d6 100644
--- a/roles/kimai/defaults/main.yml
+++ b/roles/kimai/defaults/main.yml
@@ -5,12 +5,12 @@
 # You can set it to a number or a simple string (no special chars)
 kimai_id: 1
 # Kimai version to deploy
-kimai_version: '2.21.0'
+kimai_version: '2.22.0'
 # URL of the archive
 kimai_archive_url: https://github.com/kevinpapst/kimai2/archive/refs/tags/{{ kimai_version }}.tar.gz
 # Expected sha256 of the archive
-kimai_archive_sha256: f6da56211d392d5749d3e56d242f529d03b2fc1b803d33d642b5e0097281b05f
+kimai_archive_sha256: 575fd83d5bfe24e2a0516bb667d4b2d5b337cd83d9b92e2bb42057fa7a81e43f
 # Directory where kimai will be installed
 kimai_root_dir: /opt/kimai_{{ kimai_id }}
 # Should ansible handle upgrades or only initial install
diff --git a/roles/metabase/defaults/main.yml b/roles/metabase/defaults/main.yml
index 9bb323d..4237dab 100644
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@@ -1,15 +1,15 @@
 ---
 # Version to deploy
-metabase_version: 0.50.23
+metabase_version: 0.50.25
 # URL to fetch the jar
 metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar
 # Expected sha256 of the jar
-metabase_jar_sha256: 5f5b14f42772b43f42ac28baffed2c36fd543fd8787442749bd0d6c63ff17b44
+metabase_jar_sha256: 88ba6666488e1279b0cb6080a649e52a747b86320a0ebe3fb6060b095cf57650
 # When building from source
 metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz
 # Expected sha256 of the archive
-metabase_archive_sha256: 1d44872a6d415bbae2138f68e5a60cdc7707c1d08fd63148ef9cc65ce8dfb200
+metabase_archive_sha256: 045fbf31a1421e857799e1791eb7e4b8163cf186b0a0c6ab854cbfe0fc9aa75f
 # Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled
 metabase_manage_upgrade: True
diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml
index 902e804..65f81c3 100644
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@@ -13,3 +13,12 @@
 when: not nginx_openresty
 tags: always
+- block:
+ - name: Detect installed version
+ shell: |
+ nginx -v 2>&1| sed -E 's/nginx version: (nginx|openresty)\/([[:digit:]]+(\.[[:digit:]]+)*)/\2/'
+ register: nginx_installed_version
+ changed_when: false
+ - set_fact: nginx_installed_version={{ nginx_installed_version.stdout }}
+ tags: web,quickweb
+
diff --git a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
index 6c0423a..7158c0c 100644
--- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
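Review bot: The `set_fact` line in the new block overwrites `nginx_installed_version` with whatever sed printed and nothing checks that it is a version string: when `nginx` is not on PATH or prints an unexpected format, the pipeline still exits 0 (sed's status), the fact becomes an empty or garbage string, and the `version('1.25.1', …)` tests in 30-vhosts.conf.j2 fail later with an error that points at the template rather than here. Consider validating the result where it is produced, e.g. `failed_when: nginx_installed_version.stdout is not match('^[0-9]+(\.[0-9]+)*$')` on the shell task. Registering the command result under a distinct name (say `nginx_version_cmd`) and giving the block a `name:` would also keep the dict and string forms of the variable from sharing one identifier.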
@@ -21,9 +21,11 @@ server {
 listen {{ port }} ssl{% if vhost.name == '_' %} default_server{% endif %};
 {% endfor %}
 {% else %}
- listen {{ vhost.ssl.port }} ssl{% if vhost.name == '_' %} default_server{% endif %};
+ listen {{ vhost.ssl.port }} ssl{% if nginx_installed_version is version('1.25.1', '<') %} http2{% endif %}{% if vhost.name == '_' %} default_server{% endif %};
 {% endif %}
+{% if nginx_installed_version is version('1.25.1', '>=') %}
 http2 on;
+{% endif %}
 {% if vhost.ssl.cert is defined and vhost.ssl.key is defined %}
 ssl_certificate {{ vhost.ssl.cert }};
diff --git a/roles/nomad_bin/defaults/main.yml b/roles/nomad_bin/defaults/main.yml
index 7a0ee4a..9144300 100644
--- a/roles/nomad_bin/defaults/main.yml
+++ b/roles/nomad_bin/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
 # Version of Nomad to install
-nomad_version: 1.8.3
+nomad_version: 1.8.4
 # URL of the archive
 nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-nomad_archive_sha256: a0c92d427fe8839bf3aab9c62b2d12190483f953a3483c08891e53f65f676797
+nomad_archive_sha256: 681832b4ffaff0626119420569f117fb7ad1e323d6c929ef3c0bccb432165c6b
diff --git a/roles/ntp_client/tasks/conf.yml b/roles/ntp_client/tasks/conf.yml
new file mode 100644
index 0000000..0537bf6
--- /dev/null
+++ b/roles/ntp_client/tasks/conf.yml
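Review bot: Both new `nginx_installed_version is version(...)` tests assume the fact is defined, but it is only set by the detection block in roles/nginx/tasks/install.yml, which carries `tags: web,quickweb`; a run that renders this template under a tag selection or role layout that skips that block fails with an undefined-variable error. A single defaulted value near the top of the file, e.g. `{% set nginx_ver = nginx_installed_version | default('0') %}`, with both tests switched to `nginx_ver`, makes the legacy `listen … http2` form the fallback, which as far as I know nginx 1.25.1+ still accepts with a deprecation warning. The enclosing `server {` block starts outside the hunk.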
@@ -0,0 +1,28 @@
+---
+
+- when:
+ - ansible_virtualization_role == 'guest'
+ - ansible_virtualization_type == 'kvm'
+ block:
+ - name: Configure ptp_kvm to be loaded
+ copy: content=ptp_kvm dest=/etc/modules-load.d/ptp_kvm.conf
+ register: ntp_ptp_kvm_mod
+
+ - name: Load ptp_kvm
+ service: name=systemd-modules-load state=restarted
+ when: ntp_ptp_kvm_mod.changed
+ tags: ntp
+
+- when: ansible_virtualization_role != 'guest' or ansible_virtualization_type != 'kvm'
+ file: path=/etc/modules-load.d/ptp_kvm.conf state=absent
+ tags: ntp
+
+- name: Check if /dev/ptp_kvm exists
+ stat: path=/dev/ptp_kvm
+ register: ntp_ptp_kvm_dev
+ tags: ntp
+
+- name: Deploy chrony configuration
+ template: src=chrony.conf.j2 dest={{ ntp_chrony_conf }}
+ notify: restart chrony
+ tags: ntp
diff --git a/roles/ntp_client/tasks/facts.yml b/roles/ntp_client/tasks/facts.yml
new file mode 100644
index 0000000..b939d48
--- /dev/null
+++ b/roles/ntp_client/tasks/facts.yml
@@ -0,0 +1,19 @@
+---
+
+- include_vars: "{{ item }}"
+ with_first_found:
+ - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+ - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+ - vars/{{ ansible_distribution }}.yml
+ - vars/{{ ansible_os_family }}.yml
+ tags: ntp
+
+- name: Check if systemd-timesyncd is available
+ stat: path=/lib/systemd/systemd-timesyncd
+ register: systemd_timesyncd
+ tags: ntp
+
+- name: Check if ntpd is installed
+ stat: path=/lib/systemd/system/{{ ntp_ntpd_service }}.service
+ register: ntp_unit
+ tags: ntp
diff --git a/roles/ntp_client/tasks/install.yml b/roles/ntp_client/tasks/install.yml
new file mode 100644
index 0000000..58efc96
--- /dev/null
+++ b/roles/ntp_client/tasks/install.yml
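Review bot: The second task in conf.yml (`- when: ansible_virtualization_role != 'guest' or …` with `file: … state=absent`) has no `name:`, so it shows up in play output only by its module line; `- name: Remove ptp_kvm module-load config` would match the other tasks in the file. Separately, the `Check if /dev/ptp_kvm exists` stat runs immediately after `systemd-modules-load` is restarted on a first run, and the device node only appears once the module is loaded and udev has created it, so the stat may miss it on that run and the refclock in chrony.conf.j2 would appear only on the next one. This is inferred from task order rather than observed; if it reproduces on a fresh KVM guest, a short `wait_for: path=/dev/ptp_kvm timeout=5` with `failed_when: false`, run only `when: ntp_ptp_kvm_mod.changed`, before the stat would close the gap.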
@@ -0,0 +1,17 @@
+---
+
+ # If systemd-timesyncd is installed, stop and disable it
+- name: Disable systemd-timesyncd
+ service: name=systemd-timesyncd state=stopped enabled=False
+ when: systemd_timesyncd.stat.exists
+ tags: ntp
+
+ # If ntpd is installed, stop and disable it
+- name: Handle ntpd service
+ service: name={{ ntp_ntpd_service }} state=stopped enabled=False
+ when: ntp_unit.stat.exists
+ tags: ntp
+
+- name: Install Chrony
+ package: name=chrony
+ tags: ntp
diff --git a/roles/ntp_client/tasks/main.yml b/roles/ntp_client/tasks/main.yml
index 8143ce1..6a888ea 100644
--- a/roles/ntp_client/tasks/main.yml
+++ b/roles/ntp_client/tasks/main.yml
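Review bot: The two `when:` conditions in install.yml read `systemd_timesyncd.stat.exists` and `ntp_unit.stat.exists`, which are registered in facts.yml rather than in this file, so including install.yml on its own fails with an undefined variable and nothing in the file says why. A header comment such as `# Requires the stat results registered by facts.yml (systemd_timesyncd, ntp_unit)` records the dependency for whoever reuses these task files. Note also that systemd-timesyncd and ntpd are stopped here before chrony is installed and then started in services.yml, leaving a short window with no time daemon on a first run; that ordering is inherited from the old main.yml, not introduced by this split.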
@@ -1,53 +1,14 @@
 ---
-- include_vars: "{{ item }}"
- with_first_found:
- - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
- - vars/{{ ansible_distribution }}.yml
- - vars/{{ ansible_os_family }}.yml
- tags: ntp
+- include_tasks: facts.yml
+ tags: always
-- name: Check if systemd-timesyncd is available
- stat: path=/lib/systemd/systemd-timesyncd
- register: systemd_timesyncd
- tags: ntp
+- include_tasks: install.yml
+ tags: always
-- name: Disable systemd-timesyncd
- service: name=systemd-timesyncd state=stopped enabled=False
- when: systemd_timesyncd.stat.exists
- tags: ntp
+- include_tasks: conf.yml
+ tags: always
-- name: Install Chrony
- package: name=chrony
- tags: ntp
-
-- name: Deploy chrony configuration
- template: src=chrony.conf.j2 dest={{ ntp_chrony_conf }}
- notify: restart chrony
- tags: ntp
-
- # Always close port, it's only used as a server on samba DC, where port 123 is opened
- # by the samba role
-- name: Handle ntpd port
- iptables_raw:
- name: ntpd_port
- state: absent
- when: iptables_manage | default(True)
- tags: ntp
-
-- name: Check if ntpd is installed
- stat: path=/lib/systemd/system/{{ ntp_ntpd_service }}.service
- register: ntp_unit
- tags: ntp
-
- # If ntpd is installed, stop and disable it
-- name: Handle ntpd service
- service: name={{ ntp_ntpd_service }} state=stopped enabled=False
- when: ntp_unit.stat.exists
- tags: ntp
-
-- name: Start and enable chrony
- service: name={{ ntp_chrony_service }} state=started enabled=True
- tags: ntp
+- include_tasks: services.yml
+ tags: always
diff --git a/roles/ntp_client/tasks/services.yml b/roles/ntp_client/tasks/services.yml
new file mode 100644
index 0000000..0ac7ef2
--- /dev/null
+++ b/roles/ntp_client/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable chrony
+ service: name={{ ntp_chrony_service }} state=started enabled=True
+ tags: ntp
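Review bot: The removed `Handle ntpd port` task (`iptables_raw` with `name: ntpd_port`, `state: absent`, guarded by `iptables_manage | default(True)`) does not reappear in conf.yml, install.yml or services.yml anywhere in this diff, so the role no longer removes a leftover `ntpd_port` rule; a host that still carries one from an earlier run may keep port 123 open until something else cleans it up. The old comment explained that the port is meant to be closed everywhere except samba DCs, where the samba role opens it, so this reads like an accidental loss during the split into four files rather than a policy change — if it is deliberate, a line in the commit message saying so would help. If not, moving the task unchanged into services.yml restores the previous behaviour.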
diff --git a/roles/ntp_client/templates/chrony.conf.j2 b/roles/ntp_client/templates/chrony.conf.j2
index dca6c03..4fb352e 100644
--- a/roles/ntp_client/templates/chrony.conf.j2
+++ b/roles/ntp_client/templates/chrony.conf.j2
@@ -3,9 +3,12 @@ server {{ server }} iburst
 {% endfor %}
 keyfile {{ ntp_chrony_keyfile }}
 driftfile /var/lib/chrony/drift
+{% if ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm" and ntp_ptp_kvm_dev.stat.exists %}
+refclock PHC /dev/ptp0 poll 2 trust
+{% endif %}
 {% if ansible_virtualization_role == "guest" %}
-# Virtualization guest, so allow unlimited steps if the clock is more than 5sec off
-makestep 5 -1
+# Virtualization guest, so allow unlimited steps if the clock is more than 15sec off
+makestep 15 -1
 {% else %}
 makestep 1.0 3
 {% endif %}
diff --git a/roles/repo_zabbix/tasks/Debian.yml b/roles/repo_zabbix/tasks/Debian.yml
index b654afc..8b0a143 100644
--- a/roles/repo_zabbix/tasks/Debian.yml
+++ b/roles/repo_zabbix/tasks/Debian.yml
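Review bot: The new `refclock PHC /dev/ptp0 poll 2 trust` line is gated on `ntp_ptp_kvm_dev.stat.exists`, which conf.yml registers from a stat of `/dev/ptp_kvm`, yet the directive then reads `/dev/ptp0`; on a guest that also exposes another PTP clock (a NIC PHC, for instance) the ptp_kvm device may not be ptp0, and with `trust` set chrony would then prefer the wrong clock over the `server` lines above. Using the same path in both places, `refclock PHC /dev/ptp_kvm poll 2 trust`, keeps the check and the directive consistent. Because `trust` lets this one source outvote the network servers, a one-line comment above it stating that the hypervisor clock is deliberately trusted over NTP would also help the next reader.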
@@ -1,22 +1,26 @@
 ---
-- name: Add Zabbix repo key
- apt_key:
- data: "{{ lookup('url', 'https://repo.zabbix.com/zabbix-official-repo.key', split_lines=False) }}"
- environment:
- https_proxy: "{{ system_proxy | default('') }}"
- tags: repo,zabbix
-
-- name: Add Zabbix repo
- apt_repository:
- repo: deb http://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
- filename: zabbix
- tags: repo,zabbix
-
-- name: Add Zabbix Agent2 plugins repo
+- name: Remove Zabbix Agent2 plugins repo
 apt_repository:
 # Zabbix plugin repo doesn't have bookworm yet, so use bullseye for now in this case
 repo: deb http://repo.zabbix.com/zabbix-agent2-plugins/1/{{ ansible_distribution | lower }} {{ (ansible_distribution_major_version is version('12', '>=')) | ternary('bullseye', ansible_distribution_release) }} main
 filename: zabbix
 state: absent
 tags: repo,zabbix
+
+- name: Add Zabbix repo key
+ apt_key:
+ url: "{{ item }}"
+ environment:
+ https_proxy: "{{ system_proxy | default('') }}"
+ loop:
+ - https://repo.zabbix.com/zabbix-official-repo-apr2024.gpg
+ - https://repo.zabbix.com/zabbix-official-repo.key
+ tags: repo,zabbix
+
+- name: Add Zabbix repo
+ apt_repository:
+ repo: deb https://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
+ filename: zabbix
+ tags: repo,zabbix
+
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index 6d6f1aa..84eccad 100644
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -287,6 +287,9 @@ get.docker.com
 gcr.io
 ghcr.io
 pkg-containers.githubusercontent.com
+registry.k8s.io
+europe-west9-docker.pkg.dev
+prod-registry-k8s-io-eu-west-1.s3.dualstack.eu-west-1.amazonaws.com
 # Artifactory (jfrog)
 docker.bintray.io
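Review bot: The new `Add Zabbix repo key` task puts both keys into the system-wide apt trust store through `apt_key`, so either key can sign any configured repository rather than only Zabbix's, and `apt-key` itself is deprecated on current Debian releases. Keeping the key in its own keyring file and binding it to the source line with `signed-by=` limits what the key can vouch for and makes the repo line the single place that names its trust anchor. Whether the `.gpg` file from repo.zabbix.com is binary or ASCII-armored is not visible here; older apt needs a dearmored keyring in `signed-by=`, so confirm the format or dearmor it in the task, and keep the second URL from the `loop` only if packages signed with the older key are still needed. The plugin-repo removal task above also keeps the `# Zabbix plugin repo doesn't have bookworm yet` comment, which no longer describes what a `state: absent` task does.
```yaml
- name: Add Zabbix repo key
  get_url:
    url: https://repo.zabbix.com/zabbix-official-repo-apr2024.gpg
    dest: /etc/apt/keyrings/zabbix.gpg  # constructed example path; needs a `file: path=/etc/apt/keyrings state=directory` task before it
    mode: "0644"
  environment:
    https_proxy: "{{ system_proxy | default('') }}"
  tags: repo,zabbix

- name: Add Zabbix repo
  apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/zabbix.gpg] https://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
    filename: zabbix
  tags: repo,zabbix
```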
diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml
index 6891b59..7c08887 100644
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@@ -3,11 +3,11 @@
 # Where unifi will be installed
 unifi_root_dir: /opt/unifi
 # Version to deploy
-unifi_version: 8.4.59
+unifi_version: 8.4.62
 # URL to get the installation tarball
 unifi_archive_url: https://www.ubnt.com/downloads/unifi/{{ unifi_version }}/UniFi.unix.zip
 # Expected sha256
-unifi_archive_sha256: 17a254f81b9c95078ce71e76631925596d3e500313fc9037e940035fdc20cae3
+unifi_archive_sha256: fb9d9ed74dd751435c4877d63d1be92d040d9589b02886949660ea2ad161f49d
 # Should ansible handle upgrades (if False, only initial install will be done)
 unifi_manage_upgrade: True
 # List of ports used by UniFi controler