From f0481cc8a3a7ba234226a511460d73be630ad669 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 27 May 2020 13:00:05 +0200
Subject: [PATCH] Update to 2020-05-27 13:00

---
 roles/elasticsearch/templates/post-backup.j2 | 1 +
 roles/graylog/defaults/main.yml | 5 +++++
 roles/graylog/templates/server.conf.j2 | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/roles/elasticsearch/templates/post-backup.j2 b/roles/elasticsearch/templates/post-backup.j2
index 7332fc8..59afb96 100644
--- a/roles/elasticsearch/templates/post-backup.j2
+++ b/roles/elasticsearch/templates/post-backup.j2
@@ -6,3 +6,4 @@ rm -rf {{ es_backup_dir }}/*
 # Can't delete elasticsearch dumps, set es_backup_dir to a non empty path
 {% endif %}
 umount /home/lbkp/es
+fstrim -a -v
diff --git a/roles/graylog/defaults/main.yml b/roles/graylog/defaults/main.yml
index 1d02908..fcc628c 100644
--- a/roles/graylog/defaults/main.yml
+++ b/roles/graylog/defaults/main.yml
@@ -61,3 +61,8 @@ graylog_mongodb_uri:
 # If you want to obtain a cert with dehydrated
 # it'll be deployed as {{ graylog_root_dir }}/ssl/cert.pem and {{ graylog_root_dir }}/ssl/key.pem
 # graylog_letsencrypt_cert: graylog.domain.tls
+
+# If set, will populate enabled_tls_protocols
+# on el7, TLSv1.3 seems to break filebeat connections, so, just enable TLSv1.2
+graylog_tls_versions:
+ - TLSv1.2
diff --git a/roles/graylog/templates/server.conf.j2 b/roles/graylog/templates/server.conf.j2
index 0bc7f38..432caee 100644
--- a/roles/graylog/templates/server.conf.j2
+++ b/roles/graylog/templates/server.conf.j2
@@ -43,3 +43,7 @@ allow_leading_wildcard_searches = true
 {% if 'dnsresolver' in graylog_plugins_to_install %}
 dns_resolver_enabled = true
 {% endif %}
+
+{% if graylog_tls_versions | length > 0 %}
+enabled_tls_protocols = {{ graylog_tls_versions | join(',') }}
+{% endif %}
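Review bot: In roles/elasticsearch/templates/post-backup.j2 the added `fstrim -a -v` is now the last command, so the hook exits with fstrim's status, and `-a` trims every mounted filesystem that supports discard rather than only the one the dump was deleted from. Whether the backup job treats a non-zero post-backup hook as a failed backup is not visible here, but if it does, a trim error on an unrelated volume would flag a good backup as failed. Consider naming the mountpoint that holds `es_backup_dir` instead of `-a`, and add a comment such as `# Release the blocks freed by the dump cleanup back to the storage layer` (assuming that is the intent). The script starts above this hunk, so any `set -e` or trap it uses is not visible.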
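Review bot: The comment on `graylog_tls_versions` in roles/graylog/defaults/main.yml says "If set", but the variable is now always set by this default, so TLSv1.3 is turned off on every host and not only where el7 filebeat clients connect. The comment should say how to get Graylog's own default back and which values are expected, for example `# Set to [] to leave enabled_tls_protocols unset; use only TLSv1.2 and/or TLSv1.3 here`. It would also help to mark the TLSv1.2-only default as a workaround, so it gets revisited once the el7 filebeat problem no longer applies.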
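Review bot: The new block in roles/graylog/templates/server.conf.j2 writes whatever is in `graylog_tls_versions` straight into `enabled_tls_protocols`, so an override containing `TLSv1` or `TLSv1.1` would re-enable deprecated protocols without any warning. A scalar override (`graylog_tls_versions: TLSv1.2`) also passes the `length > 0` test, and `join(',')` then joins its characters into an invalid value. One option is to filter against an allow-list in both lines, e.g. `graylog_tls_versions | intersect(['TLSv1.2', 'TLSv1.3'])`, or to validate the variable in a task before templating; no such check is visible in this patch.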