version: 3.3.13

.github/workflows/version_check.yml

@@ -1,8 +1,11 @@
 ---
-name: Comparing PR version with the latest version
+name: Comparing PR version with the main version
 
 on:
-  pull_request:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
     branches:
       - main
 
@@ -20,6 +23,13 @@ jobs:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          path: pr
+
+      - name: Cloning Catapult main repository...
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          path: main
 
       - name: Comparing PR version with main...
         run: |
@@ -30,10 +40,9 @@ jobs:
           export C_RST="\x1b[0m"
 
           VERSION_FILE="nova/core/galaxy.yml"
-          REMOTE_VERSION_URL="${{ vars.PROJECT_VERSION_FILE_URL }}"
 
-          PR_VERSION=$(cat $VERSION_FILE | grep "version:" | cut -d " " -f 2)
-          CURRENT_VERSION=$(curl "$REMOTE_VERSION_URL" -s | grep "version:" | cut -d " " -f 2)
+          PR_VERSION=$(cat pr/$VERSION_FILE | grep "version:" | cut -d " " -f 2)
+          CURRENT_VERSION=$(cat main/$VERSION_FILE | grep "version:" | cut -d " " -f 2)
 
           echo -n -e "${C_YELLOW}"
           echo -e "Pull Request Version - $PR_VERSION"

nova/core/galaxy.yml

@@ -1,6 +1,6 @@
 namespace: nova
 name: core
-version: 3.3.2
+version: 3.4.14
 readme: README.md
 authors:
   - https://github.com/novateams

nova/core/roles/accounts/tasks/windows_create.yml

@@ -59,13 +59,16 @@
       loop_control:
         label: "{{ item.username }}"
 
-    - name: Setting correct password for {{ ansible_deployer_username }}...
-      ansible.builtin.set_fact:
-        ansible_deployer_password: "{{ item.password | default(pregenerated_password) }}"
-      loop: "{{ domain_accounts_list }}"
-      loop_control:
-        label: "{{ item.username }}"
-      when: item.username == ansible_deployer_username
+# To make sure that we are setting the password for the correct account on all domain contollers
+- name: Setting correct password for {{ ansible_deployer_username }}...
+  ansible.builtin.set_fact:
+    ansible_deployer_password: "{{ item.password | default(pregenerated_password) }}"
+  loop: "{{ domain_accounts_list }}"
+  loop_control:
+    label: "{{ item.username }}"
+  when:
+    - item.username == ansible_deployer_username
+    - ansible_facts.windows_domain_role in ["Primary domain controller", "Backup domain controller"]
 
 - name: Creating a profiles for...
   community.windows.win_user_profile:

nova/core/roles/configure_package_mirrors/tasks/debian.yml

@@ -9,15 +9,17 @@
     src: /etc/apt/sources.list
     dest: /etc/apt/sources.list_backup
     remote_src: true
+    mode: "0644"
   when: not apt_backup_file.stat.exists
 
 - name: Templating custom debian-{{ ansible_distribution_release }}.list to {{ inventory_hostname }}...
   ansible.builtin.template:
     src: debian-{{ ansible_distribution_release }}.list
     dest: /etc/apt/sources.list
+    mode: "0644"
   register: apt_sources
 
-- name: Running apt update...
+- name: Running apt update... # noqa: no-handler
   ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   when: apt_sources.changed

nova/core/roles/configure_package_mirrors/tasks/kali.yml

@@ -9,15 +9,17 @@
     src: /etc/apt/sources.list
     dest: /etc/apt/sources.list_backup
     remote_src: true
+    mode: "0644"
   when: not apt_backup_file.stat.exists
 
 - name: Templating custom kali.list to {{ inventory_hostname }}...
   ansible.builtin.template:
     src: kali-sources.list
     dest: /etc/apt/sources.list
+    mode: "0644"
   register: apt_sources
 
-- name: Running apt update...
+- name: Running apt update... # noqa: no-handler
   ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   when: apt_sources.changed

nova/core/roles/configure_package_mirrors/tasks/main.yml

@@ -3,32 +3,32 @@
   when: ansible_network_os is not defined
   block:
     - name: Including Windows Chocolatey mirror tasks...
-      include_tasks: choco.yml
+      ansible.builtin.include_tasks: choco.yml
       when: ansible_os_family == "Windows"
 
     - name: Configuring Debian family sources.list
       when: ansible_os_family == "Debian"
       block:
         - name: Including Kali mirror tasks...
-          include_tasks: kali.yml
+          ansible.builtin.include_tasks: kali.yml
           when:
             - ansible_distribution == "Kali"
             - package_mirror_kali_uri != {}
 
         - name: Including Ubuntu mirror tasks...
-          include_tasks: ubuntu.yml
+          ansible.builtin.include_tasks: ubuntu.yml
           when:
             - ansible_distribution == "Ubuntu"
             - package_mirror_ubuntu_uri != {}
 
         - name: Including Debian mirror tasks...
-          include_tasks: debian.yml
+          ansible.builtin.include_tasks: debian.yml
           when:
             - ansible_distribution == "Debian"
             - package_mirror_debian_uri != {}
 
         - name: Including Parrot mirror tasks...
-          include_tasks: parrot.yml
+          ansible.builtin.include_tasks: parrot.yml
           when:
             - ansible_distribution == "Parrot"
             - package_mirror_parrot_uri != {}

nova/core/roles/configure_package_mirrors/tasks/parrot.yml

@@ -9,6 +9,7 @@
     src: /etc/apt/sources.list
     dest: /etc/apt/sources.list_backup
     remote_src: true
+    mode: "0644"
   when: not default_apt_backup_file.stat.exists
 
 - name: Checking if parrot.list (second file) backup exists...
@@ -21,12 +22,14 @@
     src: /etc/apt/sources.list.d/parrot.list
     dest: /etc/apt/sources.list.d/parrot.list_backup
     remote_src: true
+    mode: "0644"
   when: not apt_backup_file.stat.exists
 
 - name: Templating custom parrot-sources.list to {{ inventory_hostname }}...
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
+    mode: "0644"
   register: apt_sources
   loop:
     - src: parrot-sources-1.list
@@ -36,5 +39,5 @@
 
 - name: Running apt update...
   ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   when: apt_sources.results[0].changed or apt_sources.results[1].changed

nova/core/roles/configure_package_mirrors/tasks/ubuntu.yml

@@ -1,23 +1,58 @@
 ---
-- name: Checking if sources.list backup exists...
-  ansible.builtin.stat:
-    path: /etc/apt/sources.list_backup
-  register: apt_backup_file
+- name: Configuring Ubuntu < 24.04 sources.list
+  when: ansible_distribution_release != "noble"
+  block:
+    - name: Checking if sources.list backup exists...
+      ansible.builtin.stat:
+        path: /etc/apt/sources.list_backup
+      register: non_noble_apt_backup_file
 
-- name: Backing up existing sources.list...
-  ansible.builtin.copy:
-    src: /etc/apt/sources.list
-    dest: /etc/apt/sources.list_backup
-    remote_src: true
-  when: not apt_backup_file.stat.exists
+    - name: Backing up existing {{ ansible_distribution_release }} sources.list...
+      ansible.builtin.copy:
+        src: /etc/apt/sources.list
+        dest: /etc/apt/sources.list_backup
+        remote_src: true
+        mode: "0644"
+      when: not non_noble_apt_backup_file.stat.exists
 
-- name: Templating custom ubuntu-sources.list to {{ inventory_hostname }}...
-  ansible.builtin.template:
-    src: ubuntu-sources.list
-    dest: /etc/apt/sources.list
-  register: apt_sources
+    - name: Templating custom ubuntu-sources.list to {{ inventory_hostname }}...
+      ansible.builtin.template:
+        src: ubuntu-sources.list
+        dest: /etc/apt/sources.list
+        mode: "0644"
+      register: non_noble_apt_sources
+
+- name: Configuring Ubuntu 24.04 sources.list
+  when: ansible_distribution_release == "noble"
+  block:
+    - name: Checking if ubuntu.sources backup exists...
+      ansible.builtin.stat:
+        path: /etc/apt/ubuntu.sources_backup
+      register: noble_apt_backup_file
+
+    - name: Backing up and removing original ubuntu.sources...
+      when: not noble_apt_backup_file.stat.exists
+      block:
+        - name: Backing up existing {{ ansible_distribution_release }} sources.list...
+          ansible.builtin.copy:
+            src: /etc/apt/sources.list.d/ubuntu.sources
+            dest: /etc/apt/ubuntu.sources_backup
+            remote_src: true
+            mode: "0644"
+
+        - name: Removing original ubuntu.sources...
+          ansible.builtin.file:
+            path: /etc/apt/sources.list.d/ubuntu.sources
+            state: absent
+
+    - name: Templating custom ubuntu-sources.list to {{ inventory_hostname }}...
+      ansible.builtin.template:
+        src: ubuntu-sources.list
+        dest: /etc/apt/sources.list
+        mode: "0644"
+      register: noble_apt_sources
 
 - name: Running apt update...
   ansible.builtin.apt:
-    update_cache: yes
-  when: apt_sources.changed
+    update_cache: true
+  when: non_noble_apt_sources.changed or noble_apt_sources.changed

nova/core/roles/expo/defaults/main.yml

@@ -101,5 +101,5 @@ expo_sentry_backend_tracing: 1
 
 ### NETWORK ###
 expo_network_name: expo-network
-expo_network_ipv4_subnet: 172.19.0.0/16
+expo_network_ipv6_enabled: true
 expo_network_ipv6_subnet: fd71::/64

nova/core/roles/expo/templates/srv/expo/env/override.expo-network.env

@@ -3,5 +3,5 @@
 ###########################################################################
 
 CONTAINER_NETWORK_NAME={{ expo_network_name }}
-CONTAINER_NETWORK_IPV4_SUBNET="{{ expo_network_ipv4_subnet }}"
+CONTAINER_NETWORK_IPV6_ENABLED={{ expo_network_ipv6_enabled }}
 CONTAINER_NETWORK_IPV6_SUBNET="{{ expo_network_ipv6_subnet }}"

nova/core/roles/keycloak/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
-keycloak_version: 24.0.5
-keycloak_config_cli_version: 6.0.0 # https://github.com/adorsys/keycloak-config-cli
+keycloak_version: 25.0.5
+keycloak_config_cli_version: 6.1.4-25 # https://github.com/adorsys/keycloak-config-cli
 keycloak_postgres_version: 15
 keycloak_container_config_folder: /srv/keycloak
 keycloak_docker_network: local-network # Comes from nova.core.docker

nova/core/roles/linux_xrdp_keyboard/tasks/main.yml

@@ -1,9 +1,10 @@
 ---
 # If other languages are needed then corresponding km-#.ini file is needed and xrdp_keyboard.ini needs to be updated
-- name: Copying keymap(s) to kali...
+- name: Copying keymap(s) to {{ inventory_hostname }}...
   ansible.builtin.copy:
     src: "{{ xrdp_keymap.src }}"
     dest: "{{ xrdp_keymap.dest }}"
+    mode: "0644"
   loop_control:
     loop_var: xrdp_keymap
   loop:

nova/core/roles/machine_operations/tasks/aws/remove.yml

@@ -2,7 +2,7 @@
 - name: NO UNDEPLOY OR IMMUTABLE SET
   ansible.builtin.fail:
     msg: "{{ inventory_hostname }} HAS no_undeploy or immutable SET AND WON'T BE REMOVED"
-  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names
+  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names or 'custom_no_undeploy' in group_names
 
 - name: Terminating {{ custom_vm_name | default(vm_name) }} EC2 instance...
   amazon.aws.ec2_instance:

nova/core/roles/machine_operations/tasks/linode/remove.yml

@@ -2,7 +2,7 @@
 - name: NO UNDEPLOY OR IMMUTABLE SET
   ansible.builtin.fail:
     msg: "{{ inventory_hostname }} HAS no_undeploy or immutable SET AND WON'T BE REMOVED"
-  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names
+  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names or 'custom_no_undeploy' in group_names
 
 - name: Deleting {{ custom_vm_name | default(vm_name) }} VM from Linode...
   linode.cloud.instance:

nova/core/roles/machine_operations/tasks/vmware_workstation/remove.yml

@@ -2,7 +2,7 @@
 - name: NO UNDEPLOY OR IMMUTABLE SET
   ansible.builtin.fail:
     msg: "{{ inventory_hostname }} HAS no_undeploy or immutable SET AND WON'T BE REMOVED"
-  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names
+  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names or 'custom_no_undeploy' in group_names
 
 - name: Including VMware Workstation remove tasks...
   become: false

nova/core/roles/machine_operations/tasks/vsphere/remove.yml

@@ -2,7 +2,7 @@
 - name: NO UNDEPLOY OR IMMUTABLE SET
   ansible.builtin.fail:
     msg: "{{ inventory_hostname }} HAS no_undeploy or immutable SET AND WON'T BE REMOVED"
-  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names
+  when: immutable or no_undeploy or 'immutable' in group_names or 'no_undeploy' in group_names or 'custom_no_undeploy' in group_names
 
 - name: Deleting {{ custom_vm_name | default(vm_name) }} VM...
   community.vmware.vmware_guest:

nova/core/roles/nexus/defaults/main.yml

@@ -8,7 +8,7 @@ nexus_admin_username: admin # Built-in Nexus admin user
 nexus_configure: false # Set to true to also configure Nexus after installation
 nexus_configure_ldap: false # Set to true to also configure LDAP after installation
 nexus_allow_anonymous_access: true # Set to false to disable anonymous access
-nexus_version: 3.70.1 # Nexus version to install
+nexus_version: 3.70.2 # Nexus version to install
 
 nexus_realms_to_activate: # List of authentication realms to activate
   - NexusAuthenticatingRealm

nova/core/roles/providentia/README.md

@@ -23,7 +23,9 @@ If included, the keycloak will be using `keycloak.{{ providentia_app_fqdn }}` as
 
 ## Notes
 
-The builtin keycloak is configured with HTTP by default, as Providentia does not trust self-signed certificates. This can and should be altered in real deployments.
+The builtin Keycloak is _not_ secure by default: it is configured with HTTP (as Providentia does not trust self-signed certificates) by default and very weak passwords. This can and should be altered in real deployments!
+
+By default, the prebuilt image will be pulled from github - setting `providentia_deploy_branch` variable will clone the repository and build the image on host instead.
 
 ## Example
 

nova/core/roles/providentia/defaults/main.yml

@@ -1,8 +1,6 @@
 ---
 # host config
 providentia_install_docker: true # whether to install nova.core.docker on host
-providentia_install_dir: /srv/providentia # path where providentia will be installed
-providentia_install_dir_git: /srv/providentia.git # path where git configuration will be stored
 providentia_external_docker_network: false # Set to true if providentia should use an external docker network with the default config below
 providentia_external_docker_network_config:
   networks:
@@ -25,8 +23,15 @@ providentia_builtin_reverse_proxy_tls_pregenerated_cert: # path to TLS cert on h
 providentia_builtin_reverse_proxy_tls_pregenerated_key: # path to TLS key on host
 
 # app config
+# if providentia_deploy_branch is set, the code is cloned from github and image will be built on host
+# the value accepts a gitref and can be used deploy other tags or branches
+# otherwise, the image built in github will be used instead
+providentia_deploy_branch: null
+providentia_image_version: latest
+providentia_install_dir: /srv/providentia # path where providentia will be installed
+providentia_install_dir_git: /srv/providentia.git # path where git configuration will be stored
+
 providentia_app_fqdn: "{{ fqdn }}" # fqdn for deployed instance
-providentia_deploy_branch: main # gitref used for deployment, can be overridden to deploy other tags or branches
 providentia_redis_url: redis://redis:6379/0 # URL for app redis, defaults to builtin
 providentia_db_url: postgres://providentia:{{ providentia_builtin_database_db_password }}@postgresql/providentia?pool=5 # full database URL used by the app, defaults to builtin postgres
 providentia_sentry_dsn: # Sentry exception tracking endpoint