Update ansible

ansible/ansible.cfg

@@ -13,8 +13,8 @@ poll_interval           = 15
 transport               = smart
 remote_port             = 22
 gathering               = smart
-stdout_callback         = skippy
+stdout_callback         = default
-callback_whitelist      = timer
+callbacks_enabled	= timer
 timeout                 = 10
 remote_user             = cfgmgmt
 private_key_file        = ~/personal/keys/cfgmgmt
@@ -29,3 +29,6 @@ become_user             = root
 
 [diff]
 always                  = True
+
+[hashi_vault_collection]
+token_validate = True

ansible/group_vars/haproxy/main.yml

@@ -1,4 +1,4 @@
 ---
 lego_email_address: amarpreet@minhas.io
-letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
+letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 ...

ansible/requirements.txt

@@ -1,16 +1,22 @@
-ansible==2.9.12
+ansible==6.5.0
-certifi==2020.6.20
+ansible-core==2.13.5
-cffi==1.14.2
+certifi==2022.9.24
-chardet==3.0.4
+cffi==1.15.1
-cryptography==3.0
+chardet==5.0.0
-docker==4.3.1
+charset-normalizer==2.1.1
-hvac==0.10.5
+cryptography==38.0.3
-idna==2.10
+docker==6.0.1
-Jinja2==2.11.2
+hvac==1.0.2
-MarkupSafe==1.1.1
+idna==3.4
-pycparser==2.20
+Jinja2==3.1.2
-PyYAML==5.3.1
+MarkupSafe==2.1.1
-requests==2.24.0
+packaging==21.3
-six==1.15.0
+pycparser==2.21
-urllib3==1.25.10
+pyhcl==0.4.4
-websocket-client==0.57.0
+pyparsing==3.0.9
+PyYAML==6.0
+requests==2.28.1
+resolvelib==0.8.1
+six==1.16.0
+urllib3==1.26.12
+websocket-client==1.4.2

ansible/roles/common/tasks/main.yml

@@ -1,4 +1,4 @@
 ---
-- include: "{{ ansible_os_family }}_pki.yml"
+- include_tasks: "{{ ansible_os_family }}_pki.yml"
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...

ansible/roles/consul/tasks/main.yml

@@ -1,3 +1,3 @@
 ---
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...

ansible/roles/consul/templates/consul.hcl.j2

@@ -3,7 +3,7 @@ primary_datacenter  = "{{ main_dc_name }}"
 domain              = "{{ consul_domain }}"
 node_name           = "{{ inventory_hostname_short }}"
 
-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 
 verify_incoming         = false
 verify_outgoing         = true
@@ -32,6 +32,6 @@ acl {
   default_policy = "deny"
   enable_token_persistence = true
   tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
   }
 }

ansible/roles/consul_server/tasks/main.yml

@@ -1,3 +1,3 @@
 ---
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...

ansible/roles/consul_server/templates/consul.hcl.j2

@@ -6,7 +6,7 @@ server              = true
 bootstrap_expect    = 3
 ui                  = true
 
-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 
 verify_outgoing         = true
 verify_server_hostname  = true
@@ -49,6 +49,6 @@ acl {
   default_policy = "deny"
   enable_token_persistence = true
   tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
   }
 }

ansible/roles/k3s/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
-- include: get_k3s.yml
+- include_tasks: get_k3s.yml
-- include: server.yml
+- include_tasks: server.yml
   when: k3s_role == "server"
-- include: clients.yml
+- include_tasks: clients.yml
   when: k3s_role == "client"
 ...

ansible/roles/lego/templates/amarpreet@minhas.io.key.j2

@@ -1 +1 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
+{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

ansible/roles/lego/templates/defaults

@@ -1,5 +1,5 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
+export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
+export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
+export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
+export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
+export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -14,13 +14,13 @@ client {
 }
 
 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 
 vault {
   enabled           = true
   ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
   address           = "https://vault.service.{{ consul_domain }}:8200"
   create_from_role  = "nomad-cluster"
   unwrap_token      = true

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -9,14 +9,14 @@ server {
 vault {
   enabled           = true
   ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
   address           = "https://vault.service.{{ consul_domain }}:8200"
   create_from_role  = "nomad-cluster"
   unwrap_token      = true
 }
 
 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 
 tls {

ansible/roles/vault_server/templates/vault.hcl.j2

@@ -18,5 +18,5 @@ cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
   address   = "localhost:8500"
   path      = "vault/"
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }

docker/satdress/Dockerfile

@@ -0,0 +1,19 @@
+FROM golang:alpine
+
+RUN apk add --no-cache ca-certificates git && \
+    go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@latest && \
+    mkdir -p ${GOPATH}/src/git.minhas.io/asara && \
+    cd ${GOPATH}/src/git.minhas.io/asara && \
+    git clone https://git.minhas.io/asara/sudoscientist-go-backend && \
+    cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
+    go mod init && go get && go build -o /go/bin/sudoscientist-go-backend main.go && \
+    mv /go/bin/* /usr/local/bin/ && \
+    rm -rf /go/src && \
+    apk del git
+
+# Copy masked.name root cert
+COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
+
+# update ca certs
+RUN update-ca-certificates 2>/dev/null
+CMD ["/usr/local/bin/sudoscientist-go-backend"]

docker/satdress/files/MaskedName_Root_CA.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
+ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
+lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
+97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
+RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
+7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
+lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
+URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
+A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
+W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
+NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
+PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
+RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
+Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
+KibGel+gFPpq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
+ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
+QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
+ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
+UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
+d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
+jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
+fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
+nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
+FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
+BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
+a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
+aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
+BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
+dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
+APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
+4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
+hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
+KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
+-----END CERTIFICATE-----