Update to 2024-10-08 16:00

roles/consul/defaults/main.yml

@@ -92,7 +92,7 @@ consul_base_conf:
     enabled: False
     # The default_policy is also used for intentions in the service mesh
     default_policy: deny
-    enable_token_persistence: True
+    # enable_token_persistence: True
     # You can set tokens used by the agent
     # tokens:
     #   default: ab47bc38-d97f-19af-93a5-17b528d154c9

roles/consul/templates/consul.hcl.j2

@@ -135,9 +135,13 @@ acl {
   {{ key }} = {{ consul_conf.acl[key] | ternary('true', 'false') }}
 {% endif %}
 {% endfor %}
-  default_policy = "{{ consul_conf.acl.default_policy }}"
+{% for key in ['token_ttl', 'policy_ttl', 'role_ttl', 'default_policy', 'down_policy', 'enable_key_list_policy'] %}
+{% if consul_conf.acl[key] is defined %}
+  {{ key }} = "{{ consul_conf.acl[key] }}"
+{% endif %}
+{% endfor %}
   tokens {
-{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication', 'config_file_service_registration'] %}
+{% for key in ['initial_management', 'default', 'agent', 'agent_recovery', 'replication', 'config_file_service_registration', 'dns'] %}
 {% if consul_conf.acl.tokens[key] is defined %}
     {{ key }} = "{{ consul_conf.acl.tokens[key] }}"
 {% endif %}
@@ -180,8 +184,8 @@ auto_encrypt {
 
 limits {
 {% for key in ['http_max_conns_per_client'] %}
-  {%- if consul_conf.limits[key] is defined %}
+{% if consul_conf.limits[key] is defined %}
   {{ key }} = {{ consul_conf.limits[key] }}
-  {%- endif %}
-{%- endfor %}
+{% endif %}
+{% endfor %}
 }

roles/ldap2pg/defaults/main.yml

@@ -1,13 +1,13 @@
 ---
 
 # The version of ldap2pg to deploy
-ldap2pg_version: 6.1
+ldap2pg_version: 6.2
 
 # The URL where the ldap2pg archive can be fetched
 ldap2pg_archive_url: https://github.com/dalibo/ldap2pg/releases/download/v{{ ldap2pg_version }}/ldap2pg_{{ ldap2pg_version }}_linux_amd64.tar.gz
 
 # The expected sha256 checksum of the archive
-ldap2pg_archive_sha256: 887bf2a247273e18597ccb949d9500faba24a150cfb403967a5d93d185c450e3
+ldap2pg_archive_sha256: 875fbee44c3831907e84fbc24cb80f6badccc33310c7b4cbe6346d9ac405f565
 
 # How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
 ldap2pg_sync_freq: hourly

roles/nomad/defaults/main.yml

@@ -221,15 +221,24 @@ nomad_base_conf:
     ca_file: "{{ nomad_root_dir }}/tls/consul_ca.crt"
     cert_file: "{{ nomad_root_dir }}/tls/consul.crt"
     key_file: "{{ nomad_root_dir }}/tls/consul.key"
+    #service_identity:
+    #  aud: ['consul.io']
+    #  ttl: 1h
+    #task_identity:
+    #  aud: ['consul.io']
+    #  ttl: 1h
 
   # Vault integration
   vault:
     enabled: False
-    create_from_role: nomad-cluster
+    #create_from_role: nomad-cluster
     #address: https://vault.exaple.org:8200
     #ca_path: /opt/nomad/tls/vault_ca.crt
     #cert_file: /opt/nomad/tls/vault.crt
     #key_file: /opt/nomad/tls/vault.key
+    #default_identity:
+    #  aud: ['vault.io']
+    #  ttl: 1h
 
 
 # You can override part of the default config without rewriting everything else

roles/nomad/tasks/conf.yml

@@ -40,6 +40,7 @@
 
     - name: Deploy logrotate conf
       template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nomad-jwks-proxy
+
   tags: nomad
 
 - name: Deploy jwks-proxy unit
@@ -152,25 +153,37 @@
   template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
   tags: nomad
 
-- name: Ensure the bridge module is loaded
-  modprobe: name=bridge state=present
-  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
-  tags: nomad
+- when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
+  block:
+    - name: Ensure the bridge module is loaded
+      modprobe: name={{ item }} state=present
+      loop:
+        - bridge
+        - br_netfilter
 
-#- name: Set sysctl
-#  sysctl:
-#    name: "{{ item.key }}"
-#    value: "{{ item.val }}"
-#    sysctl_file: /etc/sysctl.d/nomad.conf
-#    state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
-#  loop:
-#    - key: net.bridge.bridge-nf-call-arptables
-#      val: 1
-#    - key: net.bridge.bridge-nf-call-ip6tables
-#      val: 1
-#    - key: net.bridge.bridge-nf-call-iptables
-#      val: 1
-#  tags: nomad
+    - name: Configure br_netfilter to be loaded
+      copy:
+        content: |
+          bridge
+          br_netfilter
+        dest: /etc/modules-load.d/nomad.conf
+      tags: nomad
+
+    - name: Set sysctl
+      sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.val }}"
+        sysctl_file: /etc/sysctl.d/nomad.conf
+        state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
+      loop:
+        - key: net.bridge.bridge-nf-call-arptables
+          val: 1
+        - key: net.bridge.bridge-nf-call-ip6tables
+          val: 1
+        - key: net.bridge.bridge-nf-call-iptables
+          val: 0
+
+  tags: nomad
 
 - name: Deploy Docker auth config
   template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600

roles/nomad/tasks/directories.yml

@@ -19,6 +19,26 @@
     - dir: tmp
       owner: "{{ nomad_user }}"
       group: "{{ nomad_user }}"
+    - dir: tmp/proxy_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/client_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/fastcgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/uwsgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/scgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
     - dir: data
       owner: "{{ nomad_user }}"
       group: "{{ nomad_user }}"

roles/nomad/tasks/main.yml

@@ -20,6 +20,10 @@
   when: iptables_manage | default(True)
   tags: always
 
+- include_tasks: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+  tags: always
+
 - include_tasks: services.yml
   tags: always
 

roles/nomad/tasks/selinux.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Set correct SELinux context
+  sefcontext:
+    target: "{{ nomad_root_dir }}/log(/.*)?"
+    setype: httpd_log_t
+    state: present
+  register: nomad_fcontext
+  when:
+    - nomad_conf.tls.http
+    - nomad_conf.server.enabled
+  tags: nomad
+
+- name: Fix context for log dir
+  command: restorecon -R {{ nomad_root_dir }}/log
+  changed_when: false
+  tags: nomad
+
+- name: Allow nginx to bind on other ports
+  seboolean: name=nis_enabled state=true persistent=true
+  tags: nomad

roles/nomad/templates/jwks-proxy.conf.j2

@@ -56,8 +56,9 @@ http {
     if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ) {
       return 405;
     }
-    location /.well-known/jwks.json {
-      proxy_pass https://localhost:{{ nomad_services.http.port }};
+    location / {
+      proxy_pass https://localhost:{{ nomad_services.http.port }}/.well-known/jwks.json;
+      proxy_cache off;
     }
   }
 }

roles/nomad/templates/nomad.hcl.j2

@@ -281,6 +281,35 @@ consul {
   ]
 {% endif %}
 
+{% if nomad_conf.server.enabled %}
+{% if nomad_conf.consul.service_identity is defined %}
+  service_identity {
+    aud = [
+{% for aud in nomad_conf.consul.service_identity.aud | default(['consul.io']) %}
+      "{{ aud }}",
+{% endfor %}
+    ]
+    ttl = "{{  nomad_conf.consul.service_identity.ttl | default('1h') }}"
+  }
+{% endif %}
+
+{% if nomad_conf.consul.task_identity is defined %}
+  task_identity {
+    aud = [
+{% for aud in nomad_conf.consul.task_identity.aud | default(['consul.io']) %}
+      "{{ aud }}",
+{% endfor %}
+    ]
+    ttl = "{{  nomad_conf.consul.task_identity.ttl | default('1h') }}"
+{% for key in ['env', 'file'] %}
+{% if nomad_conf.consul.task_identity[key] is defined %}
+    {{ key }} = {{ nomad_conf.consul.task_identity[key] | ternary('true', 'false') }}
+{% endif %}
+{% endfor %}
+  }
+{% endif %}
+{% endif %}
+
 {% if nomad_conf.consul.ssl %}
   ssl = true
 {% for key in ['ca_file', 'cert_file', 'key_file'] %}
@@ -304,19 +333,38 @@ vault {
   {{ key }} = {{ nomad_conf.vault[key] | ternary('true', 'false') }}
 {% endif %}
 {% endfor %}
+{% for key in ['create_from_role'] %}
+{% if nomad_conf.vault[key] is defined %}
+  {{ key }} = "{{ nomad_conf.vault[key] }}"
+{% endif %}
+{% endfor %}
 {% if nomad_conf.server.enabled %}
-{% for key in ['address', 'create_from_role', 'task_token_ttl', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name', 'token'] %}
+{% for key in ['address', 'task_token_ttl', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'tls_server_name', 'token'] %}
 {% if nomad_conf.vault[key] is defined %}
   {{ key }} = "{{ nomad_conf.vault[key] }}"
 {% endif %}
 {% endfor %}
+{% if nomad_conf.vault.default_identity is defined %}
+  default_identity {
+    aud = [
+{% for aud in nomad_conf.vault.default_identity.aud | default(['vault.io']) %}
+      "{{ aud }}",
+{% endfor %}
+    ]
+    ttl = "{{  nomad_conf.vault.default_identity.ttl | default('1h') }}"
+{% for key in ['env', 'file'] %}
+{% if nomad_conf.consul.task_identity[key] is defined %}
+    {{ key }} = {{ nomad_conf.vault.default_identity[key] | ternary('true', 'false') }}
+{% endif %}
+{% endfor %}
+  }
+{% endif %}
 {% elif nomad_conf.client.enabled and not nomad_conf.server.enabled %}
-{% for key in ['address', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name'] %}
+{% for key in ['namespace', 'address', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name', 'jwt_auth_backend_path'] %}
 {% if nomad_conf.vault[key] is defined %}
   {{ key }} = "{{ nomad_conf.vault[key] }}"
 {% endif %}
 {% endfor %}
-
 {% endif %}
 }
 

roles/squash_tm/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version of Shash TM to install
-squashtm_version: 7.3.0
+squashtm_version: 7.4.0
 # Archive URL which will be downloaded during install/upgrades
 squashtm_archive_url: https://nexus.squashtest.org/nexus/repository/public-releases/tm/core/squash-tm-distribution/{{ squashtm_version }}.RELEASE/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz
 # Expected checksum of the archive
-squashtm_archive_sha256: 5336d850b109527281ae4278f9e1b89a82c053dd9f9968d79e0ad5d8e2bea9ff
+squashtm_archive_sha256: 46e5c3b4363ddb78f2e49f70e43ba426eb50e08e1c93a56b821de80daa751eb3
 # Should ansible handle upgrades ? (if False, only initial install and configuration will be done)
 squashtm_manage_upgrade: True