version: 7.4.4

.github/workflows/version_check.yml

@@ -60,7 +60,7 @@ jobs:
 
             echo -n -e "${C_RED}"
             echo -e "Pull request version $PR_VERSION is <= than current version $CURRENT_VERSION."
-            echo -e "Please update the version in $VERSION_FILE file."
+            echo -e "Please update the version in $PR_VERSION_URL file."
             echo -n -e "${C_RST}"
             exit 1
 

nova/core/galaxy.yml

@@ -1,6 +1,6 @@
 namespace: nova
 name: core
-version: 7.4.2
+version: 7.4.3
 readme: README.md
 authors:
   - https://github.com/novateams

nova/core/roles/accounts/tasks/create_domain_groups.yml

@@ -3,7 +3,7 @@
   microsoft.ad.group:
     name: "{{ item.name }}"
     scope: "{{ item.scope | default(domainlocal) }}"
-    path: "{{ item.ou }}"
+    path: "{{ item.ou | default(omit) }}"
     description: "{{ item.description | default(omit) }}"
   loop: "{{ domain_groups }}"
   loop_control:
@@ -14,7 +14,7 @@
   microsoft.ad.group:
     name: "{{ item.name }}"
     scope: "{{ item.scope | default(domainlocal) }}"
-    path: "{{ item.ou }}"
+    path: "{{ item.ou | default(omit) }}"
     description: "{{ item.description | default(omit) }}"
     members:
       set: "{{ item.members }}"
@@ -29,7 +29,7 @@
   microsoft.ad.group:
     name: "{{ item.name }}"
     scope: "{{ item.scope | default(domainlocal) }}"
-    path: "{{ item.ou }}"
+    path: "{{ item.ou | default(omit) }}"
     description: "{{ item.description | default(omit) }}"
     members:
       add: "{{ item.members }}"

nova/core/roles/accounts/tasks/unix_create.yml

@@ -38,7 +38,7 @@
     groups: "{{ item.groups | default(root_group if item.username in admin_accounts | map(attribute='username') else 'users') }}"
     name: "{{ item.username }}"
     password: "{{ item.password | password_hash('sha512') }}"
-    shell: "{{ item.shell | default(unix_distro_shell_map[ansible_facts.distribution] | default('/bin/bash')) }}"
+    shell: "{{ item.shell | default(ansible_facts.env.SHELL) }}"
     skeleton: "{{ unix_distro_skel_map[ansible_facts.distribution] | default('/etc/skel') }}"
     uid: "{{ item.uid | default(omit) }}"
     update_password: "{{ item.update_password | default('always') }}" # always or on_create

nova/core/roles/accounts/tasks/windows_create.yml

@@ -168,9 +168,6 @@
     - item.username == ansible_deployer_username # Because C:\ProgramData\ssh\administrators_authorized_keys supports only one key
     - item.ssh_key is defined
 
-- name: Setting correct administrators_authorized_keys permissions...
-  ansible.windows.win_shell: icacls.exe C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
-
 - name: Configuring SSHD in cloud environments...
   when: accounts_configure_ssh_maxauthtries
   block:

nova/core/roles/caddy/defaults/main.yml

@@ -18,7 +18,7 @@ caddy_api_container_ports:
   - "{{ '127.0.0.1:' if caddy_api_from_localhost_only else '' }}2019:2019" # Caddy API port
 
 caddy_config_folder: /srv/caddy
-caddy_version: 2.11.1
+caddy_version: 2.11.2
 
 # caddy_template_caddyfile mode variables
 caddy_caddyfile_src: caddyfile_src # Will look for the file in templates folder for the role that includes this role

nova/core/roles/configure_networking/tasks/vsphere/interfaces_alpine.yml

@@ -143,6 +143,8 @@
           ansible.builtin.set_fact:
             configure_networking_rescue_count: "{{ configure_networking_rescue_count | default(0) | int + 1 }}"
 
+        # Using shutdown > poweron instead of reboot to avoid potential race conditions
+        # where next tasks are already executing while the machine is still rebooting.
         - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
           ansible.builtin.include_role:
             name: nova.core.powerstate

nova/core/roles/configure_networking/tasks/vsphere/panos.yml

@@ -15,17 +15,15 @@
     - name: Including network configuration tasks...
       block:
         - name: Configuring MGMT interface on fresh deploy...
-          when: fresh_deploy
+          when: fresh_deploy or reconfigure_network | bool
           block:
             # When an IP address is reported by VMware Tools, it is ready to accept console input
             # Otherwise initial login attempt will just fail
             - name: Waiting for {{ custom_vm_name | default(vm_name) }} to be ready for console input...
               community.vmware.vmware_guest_tools_wait:
                 name: "{{ custom_vm_name | default(vm_name) }}"
               register: panos_boot_status
-              until:
-                panos_boot_status.instance.ipv4 is not ansible.builtin.falsy
-                or panos_boot_status.instance.ipv6 is not ansible.builtin.falsy
+              until: panos_boot_status.instance.hw_guest_id != none
               retries: "{{ (configure_networking_panos_boot_wait_time if configure_networking_panos_boot_wait_time >= 5 else 5) // 5 }}"
               delay: 5
 
@@ -293,11 +291,19 @@
           ansible.builtin.set_fact:
             configure_networking_rescue_count: "{{ configure_networking_rescue_count | default(0) | int + 1 }}"
 
-        - name: Restarting {{ custom_vm_name | default(vm_name) }} VM...
+        # Using shutdown > poweron instead of reboot to avoid potential race conditions
+        # where next tasks are already executing while the machine is still rebooting.
+        - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
           ansible.builtin.include_role:
             name: nova.core.powerstate
           vars:
-            restart: true
+            shutdown: true
+
+        - name: Starting {{ custom_vm_name | default(vm_name) }} VM...
+          ansible.builtin.include_role:
+            name: nova.core.powerstate
+          vars:
+            poweron: true
 
         - name: Re-including vSphere network configuration tasks...
           ansible.builtin.include_tasks: main.yml

nova/core/roles/configure_networking/tasks/vsphere/proxmox.yml

@@ -93,6 +93,8 @@
             - name: Re-including vSphere network configuration tasks...
               ansible.builtin.include_tasks: main.yml
 
+        # Using shutdown > poweron instead of reboot to avoid potential race conditions
+        # where next tasks are already executing while the machine is still rebooting.
         - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
           ansible.builtin.include_role:
             name: nova.core.powerstate

nova/core/roles/configure_networking/tasks/vsphere/vyos_legacy.yml

@@ -39,6 +39,8 @@
       ansible.builtin.include_tasks: command_run_check.yml
 
     # This will reset all interfaces
+    # Using shutdown > poweron instead of reboot to avoid potential race conditions
+    # where next tasks are already executing while the machine is still rebooting.
     - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
       ansible.builtin.include_role:
         name: nova.core.powerstate

nova/core/roles/configure_networking/tasks/vsphere/vyos_stream.yml

@@ -84,6 +84,8 @@
           ansible.builtin.include_tasks: main.yml
 
     # This will reset all interfaces
+    # Using shutdown > poweron instead of reboot to avoid potential race conditions
+    # where next tasks are already executing while the machine is still rebooting.
     - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
       ansible.builtin.include_role:
         name: nova.core.powerstate

nova/core/roles/expo/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 ### general ###
 expo_git_repo:
+expo_git_branch: main
 expo_fqdn: expo.localhost
 expo_configuration_folder: XS/2023/XS23TR
 expo_project_mode: production

nova/core/roles/expo/tasks/sync-code.yml

@@ -23,6 +23,8 @@
     dest: /tmp/expo-{{ fqdn }}
     recursive: true
     depth: 1
+    single_branch: yes
+    version: "{{ expo_git_branch }}"
   delegate_to: localhost
   become: false
 

nova/core/roles/gitlab/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### gitlab general
-gitlab_version: 18.9.1-ee.0
+gitlab_version: 18.9.2-ee.0
 gitlab_ssh_port: 10022
 # Increase gitlab ssh MaxAuthTries to avoid connection issues for users with more than 6 keys in their SSH agent set to {} to disable
 gitlab_ssh_max_auth_tries: 20

nova/core/roles/keycloak/defaults/main.yml

@@ -1,10 +1,10 @@
 ---
 # The Keycloak version and the Keycloak Config CLI version should be compatible
-keycloak_version: 26.5.4
+keycloak_version: 26.5.6
 
 # https://github.com/adorsys/keycloak-config-cli
 # https://hub.docker.com/r/adorsys/keycloak-config-cli/tags
-keycloak_config_cli_version: 6.4.1-26
+keycloak_config_cli_version: 6.5.0-26
 
 keycloak_postgres_version: 15 # POSTGRES_VERSION_TAG
 keycloak_container_config_folder: /srv/keycloak

nova/core/roles/linux_xrdp_server/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 # Can be used to lock to a specific version when the latest is not desired or is temporarily broken
 linux_xrdp_server_xorgxrdp_version: {}
+linux_xrdp_server_xrdp_version: {}
 
 # Kali & Ubuntu 24 and later
 

nova/core/roles/linux_xrdp_server/tasks/debian_os.yml

@@ -2,7 +2,7 @@
 - name: Installing xrdp...
   ansible.builtin.package:
     name:
-      - xrdp
+      - xrdp{{ '=' + linux_xrdp_server_xrdp_version if linux_xrdp_server_xrdp_version != {} else '' }}
       - xorgxrdp{{ '=' + linux_xrdp_server_xorgxrdp_version if linux_xrdp_server_xorgxrdp_version != {} else '' }}
     state: present
     update_cache: true
@@ -14,6 +14,11 @@
   notify: linux_xrdp_server_reboot
 
 # This is to avoid updating xorgxrdp with apt upgrade when it's versioned
+- name: "{{ 'Locking' if linux_xrdp_server_xrdp_version != {} else 'Unlocking' }} xrdp version..."
+  ansible.builtin.dpkg_selections:
+    name: xrdp
+    selection: "{{ 'hold' if linux_xrdp_server_xrdp_version != {} else 'install' }}"
+
 - name: "{{ 'Locking' if linux_xrdp_server_xorgxrdp_version != {} else 'Unlocking' }} xorgxrdp version..."
   ansible.builtin.dpkg_selections:
     name: xorgxrdp

nova/core/roles/machine_operations/tasks/main.yml

@@ -28,7 +28,7 @@
     - name: Including metadata generation role...
       ansible.builtin.include_role:
         name: nova.core.role_metadata_post
-      when: (just_create) or (deploy_mode == "undeploy") # Post metadata here only when undeploying or just creating the machine
+      when: (just_create | bool) or (deploy_mode == "undeploy") # Post metadata here only when undeploying or just creating the machine
 
 - name: Including type - host machine operations...
   when: customization_context == "host" # Alternative is container and then it's not creating it with this role

nova/core/roles/nexus/defaults/main.yml

@@ -9,7 +9,7 @@ nexus_configure_ldap: false # Set to true to also configure LDAP after installat
 nexus_create_repos: false # Set to true to also create default repositories after installation
 nexus_allow_anonymous_access: true # Set to false to disable anonymous access
 nexus_active_encryption_key_id: Primary Encryption Key # Name of the active encryption key that comes with this role
-nexus_version: 3.89.1 # Nexus version to install
+nexus_version: 3.90.1 # Nexus version to install
 
 # Default is the built-in Nexus admin user. If set to a different value than admin, the role will create the user.
 nexus_admin_username: admin

nova/core/roles/os_configuration/tasks/opnsense.yml

@@ -40,6 +40,10 @@
     owner: root
     group: wheel
 
+- name: Reloading OPNsense configuration for {{ inventory_hostname }}...
+  ansible.builtin.command: /etc/rc.reload_all
+  changed_when: true
+
 - name: Removing local config.xml file...
   ansible.builtin.file:
     path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_opnsense_config.xml

nova/core/roles/os_configuration/tasks/pfsense.yml

@@ -56,6 +56,10 @@
     group: wheel
   notify: pf_sense_reboot
 
+- name: Reloading pfSense configuration for {{ inventory_hostname }}...
+  ansible.builtin.command: /etc/rc.reload_all
+  changed_when: true
+
 - name: Removing local config.xml file...
   ansible.builtin.file:
     path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_pfsense_config.xml

nova/core/roles/outline/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-outline_version: 1.5.0
+outline_version: 1.6.1
 outline_postgres_version: 17 # POSTGRES_VERSION_TAG
 
 # Pre-generated secret key for Outline

nova/core/roles/snapshots/vsphere/revert.yml

@@ -1,10 +1,9 @@
 ---
 - name: Reverting to {{ snapshot_name | default(vcenter_vm_info.guests[0].current_snapshot.name) | default('') }} snapshot...
-  community.vmware.vmware_guest_snapshot:
+  vmware.vmware.vm_snapshot_revert:
     datacenter: "{{ datacenter }}"
     folder: "{{ folder }}"
     name: "{{ custom_vm_name | default(vm_name) }}"
-    state: revert
     snapshot_name: "{{ snapshot_name | default(vcenter_vm_info.guests[0].current_snapshot.name) }}"
   delegate_to: localhost
   become: false

nova/core/roles/updates/tasks/macos.yml

@@ -22,6 +22,21 @@
           Check that the host is up and running and try again.
       when: updates_rescue_loop_count | int > 3
 
+    # In some cases, MacOS update process can cause the machine to become temporarily unreachable.
+    # For those cases will try to use the Hypervisor to power cycle the machine and wait for it to come back up.
+    - name: Shutting down {{ custom_vm_name | default(vm_name) }} VM...
+      ansible.builtin.include_role:
+        name: nova.core.powerstate
+      vars:
+        powerstate_agent_info_timeout: 600
+        shutdown: true
+
+    - name: Starting {{ custom_vm_name | default(vm_name) }} VM...
+      ansible.builtin.include_role:
+        name: nova.core.powerstate
+      vars:
+        poweron: true
+
     - name: Waiting until ssh is up for {{ inventory_hostname }}...
       ansible.builtin.wait_for:
         host: "{{ ansible_host }}"

nova/core/roles/vault/defaults/main.yml

@@ -10,7 +10,7 @@ vault_configure: false # Run the initial default configuration for Vault
 vault_configure_ldap: false # Configuring LDAP authentication for Vault
 vault_configuration_uri: "https://{{ fqdn }}" # Defined separately for when configuring multiple Vaults
 vault_config_folder: /srv/vault
-vault_version: 1.21.2 # Default Vault Docker image version
+vault_version: 1.21.4 # Default Vault Docker image version
 vault_container_name: vault
 vault_server_log_level: debug # Debug gives better info about LDAP login failures and their reasons
 vault_audit_logging: false # Enable Vault audit logging

nova/core/roles/vault/tasks/ca_intermediates.yml

@@ -135,7 +135,7 @@
       cn_validations: disabled
       code_signing_flag: "{{ certificate_role.vault_cert_code_signing | default(false) }}"
       country: "{{ certificate_role.vault_cert_country | default('') }}"
-      enforce_hostnames: true
+      enforce_hostnames: "{{ certificate_role.vault_cert_enforce_hostnames | default(true) }}"
       key_bits: "{{ certificate_role.vault_cert_key_bits }}"
       key_type: "{{ certificate_role.vault_cert_key_type }}"
       key_usage: "{{ certificate_role.vault_cert_key_usage | join(', ') | default('DigitalSignature, KeyAgreement, KeyEncipherment') }}"