Alfresco · pmacius · Feb 19, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 18, 2025
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -144,7 +144,7 @@
         "filename": "playbooks/acs.yml",
         "hashed_secret": "0ca8f28152882e5edb182fc3f7d4ae10a5b10dc5",
         "is_verified": false,
-        "line_number": 449,
+        "line_number": 457,
         "is_secret": false
       }
     ],
@@ -178,16 +178,6 @@
         "is_secret": false
       }
     ],
-    "roles/sfs/tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "roles/sfs/tasks/main.yml",
-        "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9",
-        "is_verified": false,
-        "line_number": 30,
-        "is_secret": false
-      }
-    ],
     "roles/sync/tasks/configure.yml": [
       {
         "type": "Secret Keyword",
@@ -239,5 +229,5 @@
       }
     ]
   },
-  "generated_at": "2025-02-19T08:30:50Z"
+  "generated_at": "2025-02-19T10:55:07Z"
 }
diff --git a/7.3.N-extra-vars.yml b/7.3.N-extra-vars.yml
@@ -29,10 +29,6 @@ trouter:
   artifact_name: alfresco-transform-router
   repository: "{{ nexus_repository.enterprise_releases }}"
   version: 4.1.6
-sfs:
-  artifact_name: alfresco-shared-file-store-controller
-  repository: "{{ nexus_repository.enterprise_releases }}"
-  version: 4.1.6
 sync:
   repository: "{{ nexus_repository.enterprise_releases }}/services/sync/sync-dist-6.x"
   version: 3.11.3

diff --git a/7.4.N-extra-vars.yml b/7.4.N-extra-vars.yml
@@ -32,10 +32,6 @@ trouter:
   artifact_name: alfresco-transform-router
   repository: "{{ nexus_repository.enterprise_releases }}"
   version: 4.1.6
-sfs:
-  artifact_name: alfresco-shared-file-store-controller
-  repository: "{{ nexus_repository.enterprise_releases }}"
-  version: 4.1.6
 sync:
   repository: >-
     {{ nexus_repository.enterprise_releases }}/services/sync/sync-dist-6.x

diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -55,10 +55,6 @@ trouter:
   artifact_name: alfresco-transform-router
   repository: "{{ nexus_repository.enterprise_releases }}"
   version: 4.1.6
-sfs:
-  artifact_name: alfresco-shared-file-store-controller
-  repository: "{{ nexus_repository.enterprise_releases }}"
-  version: 4.1.6
 sync:
   repository: >-
     {{ nexus_repository.enterprise_releases }}/services/sync/sync-dist-6.x
@@ -68,10 +64,6 @@ downloads:
     {{ acs.repository }}/{{ acs.artifact_name }}/{{ acs.version }}/{{ acs.artifact_name }}-{{ acs.version }}.zip
   acs_zip_sha1_checksum_url: >-
     {{ acs.repository }}/{{ acs.artifact_name }}/{{ acs.version }}/{{ acs.artifact_name }}-{{ acs.version }}.zip.sha1
-  sfs_jar_url: >-
-    {{ sfs.repository }}/{{ sfs.artifact_name }}/{{ sfs.version }}/{{ sfs.artifact_name }}-{{ sfs.version }}.jar
-  sfs_jar_sha1_checksum_url: >-
-    {{ sfs.repository }}/{{ sfs.artifact_name }}/{{ sfs.version }}/{{ sfs.artifact_name }}-{{ sfs.version }}.jar.sha1
   trouter_jar_url: >-
     {{ trouter.repository }}/{{ trouter.artifact_name }}/{{ trouter.version }}/{{ trouter.artifact_name }}-{{ trouter.version }}.jar
   trouter_jar_sha1_checksum_url: >-
@@ -150,12 +142,5 @@ use_ssl: false
 # Needs to be empty if unused (don't use dummy values)
 fqdn_alfresco: ""
 autogen_unsecure_secrets: false
-ats_mtls_capable: >
-  {{
-    acs.version is version('7.4', 'ge') and
-    transform.version is version('3.1', 'ge') and
-    trouter.version is version('2.1', 'ge') and
-    sfs.version is version('2.1', 'ge')
-  }}
 skip_upgrade_checks: false
 ansible_installation_status_file: "/opt/alfresco/.ansible_alfresco_components.status"
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
@@ -338,14 +338,22 @@
   roles:
     - role: "../roles/sfs"
       ats_keystore: "{{ sfs_keystore | default({}) }}"
+      sfs_version: "{{ acs_play_sfs_version }}"
+      sfs_zip_url: "{{ acs_play_sfs_download_zip_url }}"
+      sfs_zip_checksum_url: "{{ acs_play_sfs_download_zip_sha1_checksum_url }}"
+      sfs_zip_username: "{{ nexus_user }}"
+      sfs_zip_password: "{{ nexus_password }}"
       when: acs.edition == "Enterprise"
   post_tasks:
     - name: Update installation status file with SFS
       when: acs.edition == "Enterprise"
       become: true
       vars:
         sfs_components:
-          sfs: "{{ sfs }}"
+          sfs:
+            artifact_name: "{{ acs_play_sfs_artifact_name }}"
+            repository: "{{ acs_play_sfs_repository }}"
+            version: "{{ acs_play_sfs_version }}"
       ansible.builtin.blockinfile:
         block: "{{ sfs_components | to_nice_yaml(indent=2) }}"
         create: true

diff --git a/playbooks/group_vars/transformers.yml b/playbooks/group_vars/transformers.yml
@@ -0,0 +1,4 @@
+acs_play_sfs_artifact_name: alfresco-shared-file-store-controller
+acs_play_sfs_repository: "{{ nexus_repository.enterprise_releases }}"
+acs_play_sfs_download_zip_url: "{{ acs_play_sfs_repository }}/{{ acs_play_sfs_artifact_name }}/{{ acs_play_sfs_version }}/{{ acs_play_sfs_artifact_name }}-{{ acs_play_sfs_version }}.jar"
+acs_play_sfs_download_zip_sha1_checksum_url: "sha1:{{ acs_play_sfs_download_zip_url }}.sha1"
diff --git a/playbooks/include-vars.yml b/playbooks/include-vars.yml
@@ -1,6 +1,6 @@
 ---
 - name: Include vars based on acs major version
-  hosts: all
+  hosts: localhost:all
   gather_facts: false
   vars:
     base_folder: "{{ playbook_dir }}/.."

diff --git a/playbooks/prerun-upgrade-checks.yml b/playbooks/prerun-upgrade-checks.yml
@@ -66,7 +66,7 @@
           ansible.builtin.fail:
           when:
             - installed_components.sfs is defined
-            - sfs.version != installed_components.sfs.version
+            - acs_play_sfs_version != installed_components.sfs.version
 
         - name: Fail on unsupported Search upgrades
           ansible.builtin.fail:

diff --git a/playbooks/secrets-init.yml b/playbooks/secrets-init.yml
@@ -67,12 +67,12 @@
         - name: Append password_loop when certs_p12_passphrase is needed
           ansible.builtin.set_fact:
             password_loop: "{{ password_loop + ['certs_p12_passphrase'] }}"
-          when: (ats_mtls_required and ats_mtls_capable) or empty_inventory
+          when: empty_inventory or (ats_mtls_required and ats_mtls_capable)
 
         - name: Append password_loop when ca_signing_key_passphrase is needed
           ansible.builtin.set_fact:
             password_loop: "{{ password_loop + ['ca_signing_key_passphrase'] }}"
-          when: (ats_mtls_required and ats_mtls_capable) or empty_inventory
+          when: empty_inventory or (ats_mtls_required and ats_mtls_capable)
 
         - name: Append password_loop when reposearch_shared_secret is needed
           ansible.builtin.set_fact:

diff --git a/roles/search_enterprise/molecule/default/converge.yml b/roles/search_enterprise/molecule/default/converge.yml
@@ -8,6 +8,9 @@
     - name: "Include sfs"
       ansible.builtin.include_role:
         name: "sfs"
+      vars:
+        sfs_zip_username: "{{ lookup('env', 'NEXUS_USERNAME') }}"
+        sfs_zip_password: "{{ lookup('env', 'NEXUS_PASSWORD') }}"
     - name: "Include transformers"
       ansible.builtin.include_role:
         name: "transformers"

diff --git a/roles/sfs/defaults/main.yml b/roles/sfs/defaults/main.yml
@@ -7,3 +7,13 @@ sfs_environment:
     - $JAVA_OPTS
 utils_sfs: []
 ats_keystore: {}
+
+sfs_artifact_name: alfresco-shared-file-store-controller
+sfs_repository: https://artifacts.alfresco.com/nexus/content/groups/private/org/alfresco
+
+sfs_version: 4.1.6
+sfs_zip_url: "{{ sfs_repository }}/{{ sfs_artifact_name }}/{{ sfs_version }}/{{ sfs_artifact_name }}-{{ sfs_version }}.jar"
+sfs_zip_checksum_url: "sha1:{{ sfs_zip_url }}.sha1"
+
+sfs_zip_username: null
+sfs_zip_password: null
diff --git a/roles/sfs/meta/argument_specs.yml b/roles/sfs/meta/argument_specs.yml
@@ -13,3 +13,24 @@ argument_specs:
           and server configuration. The object needs to be passed as expected
           by the java role. Check the java role's arguments specification for
           details.
+      sfs_version:
+        type: str
+        required: false
+        description: The version of the SFS artifact to be installed
+      sfs_zip_url:
+        type: str
+        required: false
+        description: The URL to download the SFS artifact from
+      sfs_zip_checksum_url:
+        type: str
+        required: false
+        description: The URL to download the checksum of the SFS artifact from
+      sfs_zip_username:
+        type: str
+        required: false
+        description: The username to use for basic authentication when downloading the SFS artifact
+      sfs_zip_password:
+        type: str
+        required: false
+        no_log: true
+        description: The password to use for basic authentication when downloading the SFS artifact
diff --git a/roles/sfs/molecule/default/converge.yml b/roles/sfs/molecule/default/converge.yml
@@ -11,3 +11,5 @@
             - -Xms128m
             - -Xmx900m
             - $JAVA_OPTS
+        sfs_zip_username: "{{ lookup('env', 'NEXUS_USERNAME') }}"
+        sfs_zip_password: "{{ lookup('env', 'NEXUS_PASSWORD') }}"
diff --git a/roles/sfs/tasks/main.yml b/roles/sfs/tasks/main.yml
@@ -23,16 +23,16 @@
         group: "{{ group_name }}"
         mode: "0755"
 
-    - name: Download {{ sfs.artifact_name }}.jar
+    - name: Download {{ sfs_artifact_name }}-{{ sfs_version }}.jar
       ansible.builtin.get_url:
-        url: "{{ downloads.sfs_jar_url }}"
-        dest: "{{ ats_home }}/{{ sfs.artifact_name }}-{{ sfs.version }}.jar"
-        checksum: sha1:{{ lookup('url', downloads.sfs_jar_sha1_checksum_url, username=nexus_user, password=nexus_password) }}
+        url: "{{ sfs_zip_url }}"
+        dest: "{{ ats_home }}/{{ sfs_artifact_name }}-{{ sfs_version }}.jar"
+        checksum: "{{ sfs_zip_checksum_url }}"
         owner: "{{ username }}"
         group: "{{ group_name }}"
         mode: "0644"
-        url_username: "{{ nexus_user }}"
-        url_password: "{{ nexus_password }}"
+        url_username: "{{ sfs_zip_username | default(omit) }}"
+        url_password: "{{ sfs_zip_password | default(omit) }}"
         timeout: 570
 
     - name: Add sfs startup script

diff --git a/vars/acs23.yml b/vars/acs23.yml
@@ -17,10 +17,12 @@ supported_os:
     versions:
       - 22.04
       - 24.04 # Testing for the upcoming 25.x acs version
+ats_mtls_capable: true
 acs_play_activemq_version: 5.18.6
 acs_play_audit_storage_version: 1.0.0
 acs_play_acc_version: 9.3.0
 acs_play_adw_version: 5.3.0
 acs_play_search_version: 2.0.14
 acs_play_java_version: "{{ default_java_version }}"
 acs_play_search_enterprise_version: 4.2.0
+acs_play_sfs_version: 4.1.6
diff --git a/vars/acs73.yml b/vars/acs73.yml
@@ -8,8 +8,10 @@ supported_os:
   Ubuntu:
     versions:
       - 22.04
+ats_mtls_capable: true
 acs_play_activemq_version: 5.17.6
 acs_play_adw_version: 4.4.1
 acs_play_search_version: 2.0.14
 acs_play_java_version: "{{ default_java_version }}"
 acs_play_search_enterprise_version: 3.2.1
+acs_play_sfs_version: 4.1.6
diff --git a/vars/acs74.yml b/vars/acs74.yml
@@ -16,9 +16,11 @@ supported_os:
   Ubuntu:
     versions:
       - 22.04
+ats_mtls_capable: false
 acs_play_activemq_version: 5.17.6
 acs_play_acc_version: 8.0.0
 acs_play_adw_version: 5.0.0
 acs_play_search_version: 2.0.14
 acs_play_java_version: "{{ default_java_version }}"
 acs_play_search_enterprise_version: 3.3.3
+acs_play_sfs_version: 4.1.6