version: 3.1.16

.github/workflows/release.yml

@@ -24,6 +24,7 @@ jobs:
           VERSION_FILE="nova/core/galaxy.yml"
 
           VERSION=$(cat $VERSION_FILE | grep "version:" | cut -d " " -f 2)
+          CURRENT_TAG=$(git tag --sort=-creatordate | head -n 1)
 
           TAG_NAME="v$VERSION"
           echo "LATEST_TAG=$TAG_NAME" >> $GITHUB_ENV
@@ -33,7 +34,7 @@ jobs:
           git push origin $TAG_NAME
 
           # Creating temp changelog file
-          git log --pretty=format:"- %s" $(git describe --tags --abbrev=0 HEAD^^)..HEAD > CHANGELOG.md
+          git log $CURRENT_TAG..$TAG_NAME --pretty=format:"- %s" > CHANGELOG.md
 
       - name: Releasing a new version...
         uses: ncipollo/release-action@v1

nova/core/galaxy.yml

@@ -8,7 +8,7 @@ namespace: nova
 name: core
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 3.1.7
+version: 3.1.16
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

nova/core/plugins/inventory/providentia_v3.py

@@ -30,11 +30,6 @@
       description: SSO client id for Providentia.
       type: string
       default: "Providentia"
-    credentials_lookup_env:
-      description: ENV var used to lookup Providentia credentials KeePass path
-      type: string
-      default: KEEPASS_DEPLOYER_CREDENTIALS_PATH
-      required: False
 """
 
 import os, json, socket, aiohttp, asyncio
@@ -95,12 +90,9 @@ def init_inventory(self):
     self.inventory.set_variable("all", "providentia_api_version", 3)
 
   async def store_access_token(self):
-    keepass_creds = os.environ.get(self.get_option('credentials_lookup_env'),"").strip()
-    sso_creds = self.fetch_creds(keepass_creds)
-
-    self._access_token = self.fetch_access_token(sso_creds)
+    self._access_token = self.fetch_access_token(self.fetch_creds())
 
-  def fetch_creds(self, creds_path):
+  def fetch_creds(self):
 
     # Feature to allow project specific deployer credentials from Ansible vault
     project_deployer_username = self._options.get(self.project + '_deployer_username')
@@ -117,31 +109,6 @@ def fetch_creds(self, creds_path):
         'password': project_deployer_password
       }
 
-    # Feature to get deployer credentials from KeePass
-    elif 'KEEPASS_DEPLOYER_CREDENTIALS_PATH' in os.environ and os.environ['KEEPASS_DEPLOYER_CREDENTIALS_PATH'].strip() != "":
-
-      kp_soc = "/tmp/ansible-keepass.sock"
-      sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-      sock.connect(kp_soc)
-
-      username = {'attr': "username", 'path': creds_path}
-      sock.send(json.dumps(username).encode())
-      username = json.loads(sock.recv(1024).decode())
-
-      password = {'attr': "password", 'path': creds_path}
-      sock.send(json.dumps(password).encode())
-      password = json.loads(sock.recv(1024).decode())
-
-      sock.close()
-
-      if(username['status']=='error' or password['status']=='error'):
-        raise AnsibleParserError('Error retrieving credentials from KeePass')
-
-      return {
-        'username': username['text'],
-        'password': password['text']
-      }
-
     # Feature to get deployer credentials from Ansible vault
     else:
 

nova/core/requirements/pyproject.toml

@@ -6,7 +6,7 @@ authors = ["CCDCOE <[email protected]>"]
 
 [tool.poetry.dependencies]
 aiohttp = "*"
-ansible-core = "2.17.0"
+ansible-core = "2.17.2"
 ansible-lint = "*"
 ansible-pylibssh = "*"
 ansible-specdoc = "*"

nova/core/roles/caddy/README.md

@@ -8,6 +8,8 @@ none
 
 ## Role Variables
 
+Refer to the [defaults/main.yml](https://github.com/novateams/nova.core/blob/main/nova/core/roles/caddy/defaults/main.yml) file for a list and description of the variables used in this role.
+
 ## Dependencies
 
 - Depends on Docker and Docker Compose being installed on the host. Docker can be installed using the [nova.core.docker](https://github.com/novateams/nova.core/tree/main/nova/core/roles/caddy) role.

nova/core/roles/deploy_vars/defaults/main.yml

@@ -4,7 +4,7 @@
 ###################
 
 # These are defined here because it's the first role loaded and these defaults will then be used for subsequent roles
-# It's better to define different lookups (vault, keepass etc.) in this role because then they'll be loaded only once
+# It's better to define different lookups (vault,etc.) in this role because then they'll be loaded only once
 
 template: false # Set to yes to include the template role in start.yml
 customization_context: host # Default value, Providentia also can give out type: container

nova/core/roles/gitlab/defaults/main.yml

@@ -48,6 +48,12 @@ gitlab_ldap_user_dn: CN=gitlab.service,OU=Service Accounts,DC=example,DC=com
 gitlab_ldap_domain_groups_ou: OU=Gitlab,OU=Groups,DC=example,DC=com
 gitlab_ldap_verify_certificates: true
 
+## gitlab internal nginx
+gitlab_nginx_real_ip_trusted_addresses:
+  - 172.18.0.0/16
+  - fd42::/64
+gitlab_nginx_real_ip_header: X-Real-IP
+
 ### supporting defaults
 gitlab_docker_network: local-network
 gitlab_container_name: gitlab

nova/core/roles/gitlab/templates/gitlab.rb

@@ -29,10 +29,9 @@
 nginx['redirect_http_to_https'] = false
 nginx['hsts_max_age'] = 0
 nginx['proxy_protocol'] = false
-# nginx['real_ip_trusted_addresses'] = [ '127.0.0.1/8', '0.0.0.0/0', '::1', '::/0' ]
-# nginx['real_ip_trusted_addresses'] = [ '172.0.0.0/8','10.42.0.0/16', '10.17.0.0/16', '10.18.0.0/16', 'fd42::/64', 'fd69::/64' ]
 
-nginx['real_ip_header'] = 'X-Forwarded-For'
+nginx['real_ip_trusted_addresses'] = {{ gitlab_nginx_real_ip_trusted_addresses }}
+nginx['real_ip_header'] = '{{ gitlab_nginx_real_ip_header }}'
 nginx['real_ip_recursive'] = 'on'
 
 ### gitlab smtp https://docs.gitlab.com/omnibus/settings/smtp.html

nova/core/roles/machine_operations/defaults/main.yml

@@ -89,6 +89,8 @@ vmwarews_custom_params: []
 # AWS defaults #
 ################
 
+aws_access_key: {} # Can be defined in your Ansible Vault
+
 # Temporary ssh key path on your container
 temp_ssh_key_path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_aws_key
 
@@ -135,6 +137,8 @@ aws_security_group_rules:
 # Linode defaults #
 ###################
 
+linode_api_token: {} # Can be defined in your Ansible Vault
+
 # The default root password for Linode VM
 machine_operations_linode_vm_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_fragment + 'secret=' + secrets_vault_engine_path + '/data/' + secrets_vault_secrets_path + ':' + inventory_hostname + '_' + admin_account) }}"
 rebuild: false # Use ctp-rebuild alias to rebuild the VM with different size but keeping the data

nova/core/roles/machine_operations/tasks/aws/main.yml

@@ -1,16 +1,10 @@
 ---
-- name: Checking for AWS API key...
-  when: aws_access_key is not defined or aws_access_key in [none, '']
-  block:
-    - name: MISSING AWS API KEY
-      ansible.builtin.debug:
-        msg: |
-          KEEPASS_AWS_ACCESS_KEY not defined in .makerc-vars.
-          or
-          aws_access_key_id and aws_access_key are not set in Ansible Vault.
-
-    - name: Stopping play...
-      ansible.builtin.meta: end_host
+- name: Missing required variables...
+  ansible.builtin.fail:
+    msg: |
+      Following variables are required to run this role:
+      - aws_access_key
+  when: aws_access_key == {}
 
 - name: Including {{ custom_vm_name | default(vm_name) }} removal tasks...
   ansible.builtin.include_tasks: remove.yml

nova/core/roles/machine_operations/tasks/linode/main.yml

@@ -1,16 +1,10 @@
 ---
-- name: Checking for Linode API token...
-  when: linode_api_token is not defined or linode_api_token in [none, '']
-  block:
-    - name: MISSING LINODE API TOKEN
-      ansible.builtin.debug:
-        msg: |
-          KEEPASS_LINODE_API_TOKEN not defined in .makerc-vars.
-          or
-          linode_api_token is not set in Ansible Vault.
-
-    - name: Stopping play...
-      ansible.builtin.meta: end_host
+- name: Missing required variables...
+  ansible.builtin.fail:
+    msg: |
+      Following variables are required to run this role:
+      - linode_api_token
+  when: linode_api_token == {}
 
 - name: Including {{ custom_vm_name | default(vm_name) }} rebuild tasks...
   ansible.builtin.include_tasks: rebuild.yml

nova/core/roles/nexus/tasks/configure.yml

@@ -38,6 +38,7 @@
 - name: Increasing HTTP timeout to 10 minutes... # Required for large file/slow connection upload/download
   ansible.builtin.lineinfile:
     path: "{{ nexus_container_config_folder }}/data/etc/nexus.properties"
+    regexp: "^jetty.http.timeout="
     line: jetty.http.timeout=600000
   notify: Restarting Nexus container...
 

nova/core/roles/providentia/defaults/main.yml

@@ -26,7 +26,7 @@ providentia_builtin_reverse_proxy_tls_pregenerated_key: # path to TLS key on hos
 
 # app config
 providentia_app_fqdn: "{{ fqdn }}" # fqdn for deployed instance
-providentia_deploy_branch: main # gitref used for deployment, can be overriden to deploy other tags or branches
+providentia_deploy_branch: main # gitref used for deployment, can be overridden to deploy other tags or branches
 providentia_redis_url: redis://redis:6379/0 # URL for app redis, defaults to builtin
 providentia_db_url: postgres://providentia:{{ providentia_builtin_database_db_password }}@postgresql/providentia?pool=5 # full database URL used by the app, defaults to builtin postgres
 providentia_sentry_dsn: # Sentry exception tracking endpoint

nova/core/roles/role_metadata_post/README.md

@@ -0,0 +1,31 @@
+# role_metadata_post
+
+This is a role for gathering posting role specific metadata to Providentia or custom metadata server at the end of the deploy. The metadata itself can be gathered with the `nova.core.role_metadata_generate` role.
+
+## Requirements
+
+none
+
+## Role Variables
+
+Required variables are:
+
+- `role_metadata_post_keycloak_uri` - The URI of the Keycloak server used for Providentia authentication.
+- `role_metadata_post_providentia_uri` - The URI of the Providentia server.
+- `role_metadata_post_keycloak_realm_name` - The name of the Keycloak realm used for Providentia authentication.
+
+Refer to the [defaults/main.yml](https://github.com/novateams/nova.core/blob/main/nova/core/roles/role_metadata_generate/defaults/main.yml) file for a list and description of the variables used in this role.
+
+## Dependencies
+
+none
+
+## Example
+
+```yaml
+# all.yml or some other group_vars file
+generate_role_metadata: true # Generates role metadata where applicable and posts it to Providentia in nova.core.finalize role
+role_metadata_post_providentia_uri: https://providentia.example.com
+role_metadata_post_keycloak_uri: https://keycloak.example.com
+role_metadata_post_keycloak_realm_name: master
+```

nova/core/roles/role_metadata_post/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
 role_metadata_post_clear_existing: false # Set to true to clear existing metadata before uploading new metadata.
-role_metadata_post_endpoint: providentia # Options: providentia, custom. In case of custom, provide the path to the custom task to include.
 role_metadata_post_custom_task_path: none # Path to the custom task to include when posting metadata to non-providentia endpoint.
+role_metadata_post_endpoint: providentia # Options: providentia, custom. In case of custom, provide the path to the custom task to include.
+role_metadata_post_keycloak_realm_name: {} # Keycloak realm name for authentication.
+role_metadata_post_keycloak_uri_fullpath: "{{ role_metadata_post_keycloak_uri }}/realms/{{ role_metadata_post_keycloak_realm_name }}/protocol/openid-connect/token" # Can be fully overridden if older Keycloak is used.
+role_metadata_post_keycloak_uri: "{{ keycloak_uri | default({}) }}" # Keycloak used for authentication to Providentia.
+role_metadata_post_providentia_uri: "{{ providentia_uri | default({}) }}" # Providentia URI.

nova/core/roles/role_metadata_post/tasks/main.yml

@@ -1,4 +1,13 @@
 ---
+- name: Missing required variables...
+  ansible.builtin.fail:
+    msg: |
+      Following variables are required to run this role:
+      - role_metadata_post_keycloak_realm_name
+      - role_metadata_post_providentia_uri
+      - role_metadata_post_keycloak_uri
+  when: role_metadata_post_keycloak_realm_name == {} or role_metadata_post_providentia_uri == {} or role_metadata_post_keycloak_uri == {}
+
 - name: Including post role metadata to Providentia tasks...
   ansible.builtin.include_tasks: providentia.yml
   when: role_metadata_post_endpoint == "providentia"

nova/core/roles/role_metadata_post/tasks/providentia.yml

@@ -5,7 +5,7 @@
   block:
     - name: Getting Providentia authentication token...
       ansible.builtin.uri:
-        url: "{{ keycloak_uri }}/realms/Apps/protocol/openid-connect/token"
+        url: "{{ role_metadata_post_keycloak_uri_fullpath }}"
         method: POST
         headers:
           Content-Type: application/x-www-form-urlencoded
@@ -20,7 +20,7 @@
 
     - name: Clearing existing metadata for {{ inventory_hostname }}...
       ansible.builtin.uri:
-        url: "{{ providentia_uri }}/api/v3/{{ providentia_project_name | default(project_fullname) }}/hosts/{{ main_id }}/instances/{{ inventory_hostname }}"
+        url: "{{ role_metadata_post_providentia_uri }}/api/v3/{{ providentia_project_name | default(project_fullname) }}/hosts/{{ main_id }}/instances/{{ inventory_hostname }}"
         method: PUT
         headers:
           accept: application/json
@@ -33,7 +33,7 @@
 
     - name: Uploading metadata for {{ inventory_hostname }}...
       ansible.builtin.uri:
-        url: "{{ providentia_uri }}/api/v3/{{ providentia_project_name | default(project_fullname) }}/hosts/{{ main_id }}/instances/{{ inventory_hostname }}"
+        url: "{{ role_metadata_post_providentia_uri }}/api/v3/{{ providentia_project_name | default(project_fullname) }}/hosts/{{ main_id }}/instances/{{ inventory_hostname }}"
         method: PATCH
         headers:
           accept: application/json

nova/core/roles/updates/tasks/debian_family.yml

@@ -34,11 +34,13 @@
 
     - name: Enable unattended upgrades...
       ansible.builtin.lineinfile:
-        path: /etc/apt/apt.conf.d/{{ item.file }}
-        regexp: "{{ item.match }}"
-        line: "{{ item.value }}"
+        path: /etc/apt/apt.conf.d/{{ update_enable.file }}
+        regexp: "{{ update_enable.match }}"
+        line: "{{ update_enable.value }}"
         create: true
         mode: "0644"
+      loop_control:
+        loop_var: update_enable
       loop:
         - file: 20auto-upgrades
           match: .*Update-Package-Lists
@@ -73,10 +75,12 @@
     - name: Disabling unattended upgrades & updates...
       ansible.builtin.lineinfile:
         path: /etc/apt/apt.conf.d/20auto-upgrades
-        regexp: "{{ item.regexp }}"
-        line: "{{ item.line }}"
+        regexp: "{{ update_disable.regexp }}"
+        line: "{{ update_disable.line }}"
         create: true
         mode: "0644"
+      loop_control:
+        loop_var: update_disable
       loop:
         - regexp: .*Unattended-Upgrade
           line: APT::Periodic::Unattended-Upgrade "0";

nova/core/roles/vault/defaults/main.yml

@@ -9,7 +9,7 @@ vault_configure: false # Run the initial default configuration for Vault
 vault_configure_ldap: false # Configuring LDAP authentication for Vault
 vault_configuration_uri: "https://{{ fqdn }}" # Defined separately for when configuring multiple Vaults
 vault_config_folder: /srv/vault
-vault_version: 1.17.0 # Default Vault Docker image version
+vault_version: 1.17.2 # Default Vault Docker image version
 vault_container_name: vault
 vault_server_log_level: debug # Debug gives better info about LDAP login failures and their reasons
 vault_validate_cert: true # Validate certificates when connecting to Vault