From a308b31e036266db228ed756f946018649132812 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 09:11:09 +0100
Subject: [PATCH] chore(deps): update dependency pytest to v8.1.1 (#201)

chore(deps): update dependency pytest to v8.1.1
fix(ubuntu): add docker plugin to ubuntu template
fix(consul): add ansible plugin to consul template
feat(vault): add autojoin token
fix(vault): fix plugin declaration in vault template
ci(vault): add vault autojoin token to vault secrets
Signed-off-by: Bruce Becker
---------
Signed-off-by: Bruce Becker
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Bruce Becker
---
 .github/workflows/main.yaml | 2 ++
 .pre-commit-config.yaml | 4 +++-
 consul/consul-do.pkr.hcl | 4 ++++
 requirements.txt | 2 +-
 ubuntu-server/ubuntu_server_amd64.pkr.hcl | 6 +++++
 vault/playbook.yml | 13 +++++------
 vault/vault-do.pkr.hcl | 28 +++++++++++++++++++----
 vault/vault.hcl.j2 | 14 ++++++++----
 8 files changed, 56 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 5c91df6..e170d53 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -44,6 +44,8 @@ jobs:
 ${HOME}/bin/vault secrets enable -path="kv" kv-v2
 - name: Populate the DO secret
 run: ${HOME}/bin/vault kv put -mount="digitalocean" tokens packer=${{ secrets.DO_TOKEN }}
+ - name: Populate vault autojoin token
+ run: ${HOME}/bin/vault kv patch -mount="digitalocean" tokens vault_auto_join=${{ secrets.DO_TOKEN }}
 - name: Populate the GH secret
 run: ${HOME}/bin/vault kv put -mount="kv" github ghcr_token=${{ secrets.GITHUB_TOKEN }}
 - name: Populate Consul Encryption Key
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 87a635e..fa77bfa 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
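Review bot: The added step stores the same `secrets.DO_TOKEN` that Packer uses to create droplets as `vault_auto_join`, so the token that is later baked into every Vault image carries the full write access of the build token when auto-join only needs to list droplets. A separate, read-scoped DigitalOcean token kept in its own GitHub secret (for example `vault_auto_join=${{ secrets.DO_AUTOJOIN_TOKEN }}`, a constructed name) limits what a compromised node can do with it. The job continues outside the hunk, so I cannot see whether that secret path is consumed anywhere other than the vault template.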
@@ -30,7 +30,9 @@ repos:
 hooks:
 - id: commitlint
 stages: [commit-msg]
- additional_dependencies: ['@commitlint/config-conventional']
+ additional_dependencies:
+ - "@commitlint/config-conventional"
+ - "@commitlint/cli"
 - repo: https://github.com/ansible-community/ansible-lint
 rev: v24.2.0
 hooks:
diff --git a/consul/consul-do.pkr.hcl b/consul/consul-do.pkr.hcl
index 2bf5129..15747c8 100644
--- a/consul/consul-do.pkr.hcl
+++ b/consul/consul-do.pkr.hcl
@@ -8,6 +8,10 @@ packer {
 version = ">= v1.0.8"
 source = "github.com/hashicorp/docker"
 }
+ ansible = {
+ version = "~> 1"
+ source = "github.com/hashicorp/ansible"
+ }
 }
 }
 variable "consul_version" {
diff --git a/requirements.txt b/requirements.txt
index 5380c1a..ed4c9d6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,6 +2,6 @@
 ansible-lint==24.2.0
 ansible==9.3.0
 pyhcl==0.4.5
-pytest==8.1.0
+pytest==8.1.1
 pytest-testinfra==10.1.0
 python-consul==1.1.0
diff --git a/ubuntu-server/ubuntu_server_amd64.pkr.hcl b/ubuntu-server/ubuntu_server_amd64.pkr.hcl
index 6f9e11d..a706c4e 100644
--- a/ubuntu-server/ubuntu_server_amd64.pkr.hcl
+++ b/ubuntu-server/ubuntu_server_amd64.pkr.hcl
@@ -1,5 +1,11 @@
 packer {
 required_version = ">=1.7.0"
+ required_plugins {
+ docker = {
+ source = "github.com/hashicorp/docker"
+ version = "~> 1"
+ }
+ }
 }

 variable "version" {
diff --git a/vault/playbook.yml b/vault/playbook.yml
index a1578b3..6f84af9 100644
--- a/vault/playbook.yml
+++ b/vault/playbook.yml
@@ -3,7 +3,7 @@
 hosts: all
 become: true
 vars:
- vault_version: 1.13.0
+ vault_version: 1.15.1
 vault_config_dir: /etc/vault
 vault_bin_dir: /usr/local/bin
 raft_data_dir: /data/raft
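Review bot: Neither `@commitlint/config-conventional` nor the newly added `@commitlint/cli` under `additional_dependencies` carries a version, so every fresh pre-commit environment resolves whatever npm publishes at that moment, unlike the pinned `rev:` on the hook repos around it. Pinning them with the npm spec form, `- "@commitlint/cli@<pinned-version>"`, keeps the commit-message hook reproducible and its dependency changes reviewable. The `repos:` list continues outside the hunk.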
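Review bot: The new `ansible` plugin block accepts any `~> 1` release while the `docker` block beside it pins a floor of `>= v1.0.8`, and the same loose `~> 1` constraint is added in the first vault-do.pkr.hcl hunk and in the ubuntu template's `docker` plugin (which also orders `source` before `version`, unlike the other two). One explicit lower bound shared by all three templates, e.g. `version = ">= <tested-plugin-version>"`, records which plugin release the playbooks were tested against and keeps the templates in step. The enclosing `packer {}` block starts outside the hunk.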
@@ -16,12 +16,11 @@
 - unzip
 region: "ams3"
 pre_tasks:
- - name: Wait
- ansible.builtin.pause:
- seconds: 60
- - name: Force update
- ansible.builtin.raw: apt-get -y update
- changed_when: false
+ - name: Wait for cloud-init to finish
+ ansible.builtin.wait_for:
+ state: present
+ path: /var/log/cloud-init-output.log
+ search_regex: "^Cloud-init.*finished.*$"
 tasks:
 - name: Ensure prerequisites
 ansible.builtin.package:
diff --git a/vault/vault-do.pkr.hcl b/vault/vault-do.pkr.hcl
index a935ac3..a90a1a3 100644
--- a/vault/vault-do.pkr.hcl
+++ b/vault/vault-do.pkr.hcl
@@ -1,9 +1,13 @@
 packer {
 required_plugins {
 digitalocean = {
- version = ">= v1.1.0"
+ version = ">= v1.2.0"
 source = "github.com/digitalocean/digitalocean"
 }
+ ansible = {
+ version = "~> 1"
+ source = "github.com/hashicorp/ansible"
+ }
 }
 }

@@ -21,7 +25,7 @@ variable "size" {
 variable "base_image_name" {
 type = string
 sensitive = false
- default = "20.04 (LTS) x64"
+ default = "23.10 x64"
 }

 local "do_token" {
@@ -29,6 +33,14 @@ local "do_token" {
 sensitive = true
 }
+local "autojoin_token" {
+ expression = vault("digitalocean/data/tokens", "vault_auto_join")
+ sensitive = true
+}
+
+local "build_tag" {
+ expression = join("-", ["created", "at", formatdate("YYYY-MM-DD-hh-mm", timestamp())])
+}
 variable "vpc_uuid" {
 type = string
@@ -56,7 +68,7 @@ source "digitalocean" "server" {
 monitoring = true
 private_networking = true
 droplet_name = "vault-build-${formatdate("YYYY-MM-DD-hh-mm", timestamp())}"
- tags = ["packer", "vault"]
+ tags = ["packer", "vault", "auto-destroy", local.build_tag]
 vpc_uuid = var.vpc_uuid
 }

@@ -67,7 +79,15 @@ build {
 playbook_file = "playbook.yml"
 extra_arguments = [
 "--extra-vars",
- "region=${var.region}"
+ "region=${var.region}",
+ "--extra-vars",
+ "autojoin_token=${local.autojoin_token}"
+ ]
+ }
+ provisioner "shell" {
+ inline = [
+ "ls -lht /etc/vault.d",
+ "cat /etc/vault.d/vault.hcl"
 ]
 }
 }
diff --git a/vault/vault.hcl.j2 b/vault/vault.hcl.j2
index 6ff84ea..12d0ead 100644
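Review bot: `search_regex: "^Cloud-init.*finished.*$"` is satisfied by the first matching line anywhere in `/var/log/cloud-init-output.log`, and that log is appended to across boots, so on a base image that already ran cloud-init before this build the wait can return before the current boot's run has finished (inferred from cloud-init's logging behaviour, not visible here). `cloud-init status --wait` blocks on the current boot's state and needs no regex: `ansible.builtin.command: cloud-init status --wait` with `changed_when: false`. The removed `apt-get -y update` was also the only package-index refresh before `Ensure prerequisites`; unless that `ansible.builtin.package` task, which continues outside the hunk, refreshes the cache itself (e.g. `update_cache: true` on the apt-backed module), installs may fail on a stale index.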
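Review bot: `default = "23.10 x64"` moves the Vault base image from an LTS release to an interim Ubuntu release that receives security updates for only nine months, and the commit message does not mention the change. An image for a secrets store should sit on an LTS base so it keeps receiving patches for years; following the existing naming pattern that is `default = "22.04 (LTS) x64"` (confirm the slug against the DigitalOcean image list). The `variable "base_image_name"` block is complete within the hunk.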
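Review bot: `formatdate("YYYY-MM-DD-hh-mm", timestamp())` in `local "build_tag"` uses `hh`, which is the 12-hour hour in Packer's formatdate, and no `AA` marker follows it, so builds twelve hours apart get the same created-at tag; the existing `droplet_name` in the `source "digitalocean" "server"` hunk has the same pattern. Use the 24-hour field, `formatdate("YYYY-MM-DD-HH-mm", timestamp())`, and consider computing it once in a single local that both the droplet name and the tag read so the two cannot drift apart. `local "autojoin_token"` correctly sets `sensitive = true`, which Packer masks in its output.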
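Review bot: `"autojoin_token=${local.autojoin_token}"` hands the sensitive local to ansible-playbook as a command-line argument, where it is visible in the build host's process list and in Packer's debug log of the ansible command, and the new `shell` provisioner then runs `cat /etc/vault.d/vault.hcl`, which prints the rendered config into the build log; if the playbook writes the token into that file (the template hunk shown does not reveal where the variable lands), the token is disclosed twice. Drop the `cat` line and pass the token by environment or file instead, e.g. `ansible_env_vars` on the provisioner with an `env` lookup in the playbook. The path also disagrees with `vault_config_dir: /etc/vault` in the first playbook.yml hunk, so one of the two is likely wrong. The `build {}` block starts outside the hunk.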
--- a/vault/vault.hcl.j2
+++ b/vault/vault.hcl.j2
@@ -1,3 +1,5 @@
+ui = true
+
 storage "raft" {
 path = "[[ raft_data_dir ]]"
 node_id = "digitalocean-host"
@@ -19,12 +21,12 @@ listener "tcp" {
 {% raw %}
 listener "tcp" {
- address = "{{ GetInterfaceIP \"eth0\" }}:8200"
+ address = "{{ GetInterfaceIP \"eth1\" }}:8200"
 tls_disable = true
 }
-api_addr = "http://{{ GetInterfaceIP \"eth0\" }}:8200"
-cluster_addr = "http://{{ GetInterfaceIP \"eth0\" }}:8201"
+api_addr = "http://{{ GetInterfaceIP \"eth1\" }}:8200"
+cluster_addr = "http://{{ GetInterfaceIP \"eth1\" }}:8201"
 {% endraw %}
 {% if consul_agent | default (false) %}
@@ -36,4 +38,8 @@ service_registration "consul" {
 }
 {% endif %}

-ui = true
+
+telemetry {
+ disable_hostname = false
+ prometheus_retention_time = "24h"
+}
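Review bot: The switch from `eth0` to `eth1` in `address`, `api_addr` and `cluster_addr` carries no comment and is absent from the commit message, yet it decides which network the plaintext API and raft ports are bound to, since `tls_disable = true` is kept. A one-line comment above the listener, `# eth1 is the droplet's VPC interface; keep the API and raft ports off the public eth0`, records the intent so a later interface change does not silently expose the API publicly — confirm that eth1 is indeed the VPC NIC on the chosen base image, which `private_networking = true` in vault-do.pkr.hcl is what provides. The earlier `listener "tcp"` block named in the hunk header lies outside the hunk.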
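Review bot: `disable_hostname = false` restates Vault's documented default, so the line changes nothing, and the new `telemetry` block is not mentioned in the commit message. Either drop the line or leave a comment saying why hostname labels are wanted given the static `node_id = "digitalocean-host"` from the first hunk, e.g. `# keep hostname labels: node_id is identical on every droplet`. Setting `prometheus_retention_time` only makes `/v1/sys/metrics` serve Prometheus format; the listener does not set `unauthenticated_metrics_access`, so a token is still required to read it, which is the right choice for a listener with TLS disabled.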