Update to 2024-09-23 23:00

2025-04-12 00:03:17 +02:00 · 2024-09-23 23:00:09 +02:00 · 2024-09-23 23:00:09 +02:00 · 9c1159e3de
commit 9c1159e3de
parent abb4d79e6c
16 changed files with 127 additions and 76 deletions
--- a/roles/backuppc/tasks/main.yml
+++ b/roles/backuppc/tasks/main.yml
@ -23,7 +23,7 @@
      - tar
      - samba-client
      - openssh-clients
-      - BackupPC-server-scripts
+      #- BackupPC-server-scripts
      - fuse-chunkfs
  tags: bpc
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -1,11 +1,11 @@
 ---
 # Version to install
-gitea_version: '1.22.1'
+gitea_version: '1.22.2'
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c
+gitea_bin_sha256: 310d7dfa48680f3eaa5fe2998ca7a8a1f707518c1772b64d85fb3b9e197188d3
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
--- a/roles/kimai/defaults/main.yml
+++ b/roles/kimai/defaults/main.yml
@ -5,12 +5,12 @@
 # You can set it to a number or a simple string (no special chars)
 kimai_id: 1
 # Kimai version to deploy
-kimai_version: '2.21.0'
+kimai_version: '2.22.0'
 # URL of the archive
 kimai_archive_url: https://github.com/kevinpapst/kimai2/archive/refs/tags/{{ kimai_version }}.tar.gz
 # Expected sha256 of the archive
-kimai_archive_sha256: f6da56211d392d5749d3e56d242f529d03b2fc1b803d33d642b5e0097281b05f
+kimai_archive_sha256: 575fd83d5bfe24e2a0516bb667d4b2d5b337cd83d9b92e2bb42057fa7a81e43f
 # Directory where kimai will be installed
 kimai_root_dir: /opt/kimai_{{ kimai_id }}
 # Should ansible handle upgrades or only initial install
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@ -1,15 +1,15 @@
 ---
 # Version to deploy
-metabase_version: 0.50.23
+metabase_version: 0.50.25
 # URL to fetch the jar
 metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar
 # Expected sha256 of the jar
-metabase_jar_sha256: 5f5b14f42772b43f42ac28baffed2c36fd543fd8787442749bd0d6c63ff17b44
+metabase_jar_sha256: 88ba6666488e1279b0cb6080a649e52a747b86320a0ebe3fb6060b095cf57650
 # When building from source
 metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz
 # Expected sha256 of the archive
-metabase_archive_sha256: 1d44872a6d415bbae2138f68e5a60cdc7707c1d08fd63148ef9cc65ce8dfb200
+metabase_archive_sha256: 045fbf31a1421e857799e1791eb7e4b8163cf186b0a0c6ab854cbfe0fc9aa75f
 # Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled
 metabase_manage_upgrade: True
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@ -13,3 +13,12 @@
  when: not nginx_openresty
  tags: always
 - block:
    - name: Detect installed version
      shell: |
        nginx -v 2>&1| sed -E 's/nginx version: (nginx|openresty)\/([[:digit:]]+(\.[[:digit:]]+)*)/\2/'
      register: nginx_installed_version
      changed_when: false
    - set_fact: nginx_installed_version={{ nginx_installed_version.stdout }}
  tags: web,quickweb
--- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
@ -21,9 +21,11 @@ server {
  listen {{ port }} ssl{% if vhost.name == '_' %} default_server{% endif %};
 {% endfor %}
 {% else %}
-  listen {{ vhost.ssl.port }} ssl{% if vhost.name == '_' %} default_server{% endif %};
+  listen {{ vhost.ssl.port }} ssl{% if nginx_installed_version is version('1.25.1', '<') %} http2{% endif %}{% if vhost.name == '_' %} default_server{% endif %};
 {% endif %}
 {% if nginx_installed_version is version('1.25.1', '>=') %}
  http2 on;
 {% endif %}
 {% if vhost.ssl.cert is defined and vhost.ssl.key is defined %}
  ssl_certificate     {{ vhost.ssl.cert }};
--- a/roles/nomad_bin/defaults/main.yml
+++ b/roles/nomad_bin/defaults/main.yml
@ -1,9 +1,9 @@
 ---
 # Version of Nomad to install
-nomad_version: 1.8.3
+nomad_version: 1.8.4
 # URL of the archive
 nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-nomad_archive_sha256: a0c92d427fe8839bf3aab9c62b2d12190483f953a3483c08891e53f65f676797
+nomad_archive_sha256: 681832b4ffaff0626119420569f117fb7ad1e323d6c929ef3c0bccb432165c6b
--- a/roles/ntp_client/tasks/conf.yml
+++ b/roles/ntp_client/tasks/conf.yml
@ -0,0 +1,28 @@
 ---
 - when:
    - ansible_virtualization_role == 'guest'
    - ansible_virtualization_type == 'kvm'
  block:
    - name: Configure ptp_kvm to be loaded
      copy: content=ptp_kvm dest=/etc/modules-load.d/ptp_kvm.conf
      register: ntp_ptp_kvm_mod
    - name: Load ptp_kvm
      service: name=systemd-modules-load state=restarted
      when: ntp_ptp_kvm_mod.changed
  tags: ntp
 - when: ansible_virtualization_role != 'guest' or ansible_virtualization_type != 'kvm'
  file: path=/etc/modules-load.d/ptp_kvm.conf state=absent
  tags: ntp
 - name: Check if /dev/ptp_kvm exists
  stat: path=/dev/ptp_kvm
  register: ntp_ptp_kvm_dev
  tags: ntp
 - name: Deploy chrony configuration
  template: src=chrony.conf.j2 dest={{ ntp_chrony_conf }}
  notify: restart chrony
  tags: ntp
--- a/roles/ntp_client/tasks/facts.yml
+++ b/roles/ntp_client/tasks/facts.yml
@ -0,0 +1,19 @@
 ---
 - include_vars: "{{ item }}"
  with_first_found:
    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
    - vars/{{ ansible_distribution }}.yml
    - vars/{{ ansible_os_family }}.yml
  tags: ntp
 - name: Check if systemd-timesyncd is available
  stat: path=/lib/systemd/systemd-timesyncd
  register: systemd_timesyncd
  tags: ntp
 - name: Check if ntpd is installed
  stat: path=/lib/systemd/system/{{ ntp_ntpd_service }}.service
  register: ntp_unit
  tags: ntp
--- a/roles/ntp_client/tasks/install.yml
+++ b/roles/ntp_client/tasks/install.yml
@ -0,0 +1,17 @@
 ---
  # If systemd-timesyncd is installed, stop and disable it
 - name: Disable systemd-timesyncd
  service: name=systemd-timesyncd state=stopped enabled=False
  when: systemd_timesyncd.stat.exists
  tags: ntp
  # If ntpd is installed, stop and disable it
 - name: Handle ntpd service
  service: name={{ ntp_ntpd_service }} state=stopped enabled=False
  when: ntp_unit.stat.exists
  tags: ntp
 - name: Install Chrony
  package: name=chrony
  tags: ntp
--- a/roles/ntp_client/tasks/main.yml
+++ b/roles/ntp_client/tasks/main.yml
@ -1,53 +1,14 @@
 ---
- include_vars: "{{ item }}"
+- include_tasks: facts.yml
-  with_first_found:
+  tags: always
    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
    - vars/{{ ansible_distribution }}.yml
    - vars/{{ ansible_os_family }}.yml
  tags: ntp
- name: Check if systemd-timesyncd is available
+- include_tasks: install.yml
-  stat: path=/lib/systemd/systemd-timesyncd
+  tags: always
  register: systemd_timesyncd
  tags: ntp
- name: Disable systemd-timesyncd
+- include_tasks: conf.yml
-  service: name=systemd-timesyncd state=stopped enabled=False
+  tags: always
  when: systemd_timesyncd.stat.exists
  tags: ntp
- name: Install Chrony
+- include_tasks: services.yml
-  package: name=chrony
+  tags: always
  tags: ntp
 - name: Deploy chrony configuration
  template: src=chrony.conf.j2 dest={{ ntp_chrony_conf }}
  notify: restart chrony
  tags: ntp
  # Always close port, it's only used as a server on samba DC, where port 123 is opened
  # by the samba role
 - name: Handle ntpd port
  iptables_raw:
    name: ntpd_port
    state: absent
  when: iptables_manage | default(True)
  tags: ntp
 - name: Check if ntpd is installed
  stat: path=/lib/systemd/system/{{ ntp_ntpd_service }}.service
  register: ntp_unit
  tags: ntp
  # If ntpd is installed, stop and disable it
 - name: Handle ntpd service
  service: name={{ ntp_ntpd_service }} state=stopped enabled=False
  when: ntp_unit.stat.exists
  tags: ntp
 - name: Start and enable chrony
  service: name={{ ntp_chrony_service }} state=started enabled=True
  tags: ntp
--- a/roles/ntp_client/tasks/services.yml
+++ b/roles/ntp_client/tasks/services.yml
@ -0,0 +1,5 @@
 ---
 - name: Start and enable chrony
  service: name={{ ntp_chrony_service }} state=started enabled=True
  tags: ntp
--- a/roles/ntp_client/templates/chrony.conf.j2
+++ b/roles/ntp_client/templates/chrony.conf.j2
@ -3,9 +3,12 @@ server {{ server }} iburst
 {% endfor %}
 keyfile {{ ntp_chrony_keyfile }}
 driftfile /var/lib/chrony/drift
 {% if ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm" and ntp_ptp_kvm_dev.stat.exists %}
 refclock PHC /dev/ptp0 poll 2 trust
 {% endif %}
 {% if ansible_virtualization_role == "guest" %}
-# Virtualization guest, so allow unlimited steps if the clock is more than 5sec off
+# Virtualization guest, so allow unlimited steps if the clock is more than 15sec off
-makestep 5 -1
+makestep 15 -1
 {% else %}
 makestep 1.0 3
 {% endif %}
--- a/roles/repo_zabbix/tasks/Debian.yml
+++ b/roles/repo_zabbix/tasks/Debian.yml
@ -1,22 +1,26 @@
 ---
- name: Add Zabbix repo key
+- name: Remove Zabbix Agent2 plugins repo
  apt_key:
    data: "{{ lookup('url', 'https://repo.zabbix.com/zabbix-official-repo.key', split_lines=False) }}"
  environment:
    https_proxy: "{{ system_proxy | default('') }}"
  tags: repo,zabbix
 - name: Add Zabbix repo
  apt_repository:
    repo: deb http://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
    filename: zabbix
  tags: repo,zabbix
 - name: Add Zabbix Agent2 plugins repo
  apt_repository:
    # Zabbix plugin repo doesn't have bookworm yet, so use bullseye for now in this case
    repo: deb http://repo.zabbix.com/zabbix-agent2-plugins/1/{{ ansible_distribution | lower }} {{ (ansible_distribution_major_version is version('12', '>=')) | ternary('bullseye', ansible_distribution_release) }} main
    filename: zabbix
    state: absent
  tags: repo,zabbix
 - name: Add Zabbix repo key
  apt_key:
    url: "{{ item }}"
  environment:
    https_proxy: "{{ system_proxy | default('') }}"
  loop:
    - https://repo.zabbix.com/zabbix-official-repo-apr2024.gpg
    - https://repo.zabbix.com/zabbix-official-repo.key
  tags: repo,zabbix
 - name: Add Zabbix repo
  apt_repository:
    repo: deb https://repo.zabbix.com/zabbix/{{ zabbix_major_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
    filename: zabbix
  tags: repo,zabbix
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@ -287,6 +287,9 @@ get.docker.com
 gcr.io
 ghcr.io
 pkg-containers.githubusercontent.com
 registry.k8s.io
 europe-west9-docker.pkg.dev
 prod-registry-k8s-io-eu-west-1.s3.dualstack.eu-west-1.amazonaws.com
 # Artifactory (jfrog)
 docker.bintray.io
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@ -3,11 +3,11 @@
 # Where unifi will be installed
 unifi_root_dir: /opt/unifi
 # Version to deploy
-unifi_version: 8.4.59
+unifi_version: 8.4.62
 # URL to get the installation tarball
 unifi_archive_url: https://www.ubnt.com/downloads/unifi/{{ unifi_version }}/UniFi.unix.zip
 # Expected sha256
-unifi_archive_sha256: 17a254f81b9c95078ce71e76631925596d3e500313fc9037e940035fdc20cae3
+unifi_archive_sha256: fb9d9ed74dd751435c4877d63d1be92d040d9589b02886949660ea2ad161f49d
 # Should ansible handle upgrades (if False, only initial install will be done)
 unifi_manage_upgrade: True
 # List of ports used by UniFi controler