iac/rproxy
3
0
Fork 0
Code Issues Pull Requests Packages Releases 9 Activity

Merge pull request 'Divide add config and rproxy installation' (#46) from dev into master

Browse Source 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/46
This commit is contained in:
Pavlov Makar
2025-10-21 01:39:48 +03:00
parent 414976a4bc 8c2afbcac9
commit 07a4586486
23 changed files with 388 additions and 444 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
Jenkinsfile vendored
View File

@@ -11,12 +11,8 @@ pipeline {
timestamps() timestamps()
} }
parameters { parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host") string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation")
booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy") string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)")
booleanParam(name: "config_add", defaultValue: true, description: "Add config")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes') booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
} }
stages { stages {
@@ -44,11 +40,6 @@ pipeline {
} }
} }
stage('Install Rproxy') { stage('Install Rproxy') {
when {
expression {
return params.rproxy_install
}
}
steps { steps {
script { script {
withCredentials([ withCredentials([
@@ -60,36 +51,11 @@ pipeline {
ansiblePlaybook( ansiblePlaybook(
playbook: 'rproxy.yml', playbook: 'rproxy.yml',
inventory: 'hosts.ini', inventory: 'hosts.ini',
tags: 'install',
colorized: true, colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' extras: '''--private-key ${SSH_KEY}
) -e "ansible_user=${username}
} ansible_password=${password}
} image_repo=${images_repo_url}"'''
}
}
}
}
stage('Add config') {
when {
expression {
return params.config_add
}
}
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
ansiblePlaybook(
playbook: 'rproxy.yml',
inventory: 'hosts.ini',
tags: 'add_config',
colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
) )
} }
} }

13
README.md
View File

@@ -3,12 +3,11 @@
## Content ## Content
* Reverse proxy * Reverse proxy
* HTTPS file share * HTTPS file share
* Docker-registry
## Installation ## Installation
```yml ```yml
target_host: Enter FQDN or IP Address of target host target_host: Enter FQDN or IP Address of target host
rproxy_install: Install rproxy, https repo and docker-registry if checked rproxy_install: Install rproxy and https repo if checked
config_add: Will config be created config_add: Will config be created
rproxy_service_name: Server/service name without domain suffix rproxy_service_name: Server/service name without domain suffix
@@ -34,13 +33,7 @@ Allows redirecting requests based on fqdn to the required address and ports with
Would be installed with rproxy service. Hosted on port 9000. \ Would be installed with rproxy service. Hosted on port 9000. \
Files should be stored in /opt/rproxy/repo/ to be shared. Files should be stored in /opt/rproxy/repo/ to be shared.
## Docker-registry Put file in repo
Would be installed with rproxy service. Hosted on port 5000.
Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
Install trust with root certificate
How to store image:
```bash ```bash
# After image build curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar -k
docker tag $image $registry_address:5000/$image
docker push $registry_address:5000/$image
``` ```

19
addconfig.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- hosts: all
become: yes
vars_prompt:
- name: rproxy_service_name
prompt: Enter service for rproxy
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
private: false
roles:
- addconfig

3
ansible.cfg
View File

@@ -3,3 +3,6 @@ hostfile = hosts.ini
host_key_checking = false host_key_checking = false
interpreter_python = /usr/bin/python3 interpreter_python = /usr/bin/python3
forks = 30 forks = 30
[ssh_connection]
pipelining = true

80
management/AddService.groovy Normal file
View File

@@ -0,0 +1,80 @@
pipeline {
agent any
options {
buildDiscarder logRotator (
numToKeepStr: '5',
daysToKeepStr: '7',
artifactNumToKeepStr: '10',
artifactDaysToKeepStr: '7'
)
ansiColor('xterm')
timestamps()
}
parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host with rproxy installed")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (ex. jenkins)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (ex. 8080)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (ex. jenkins-master.olsson.ul)")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
}
stages {
stage('Update Job') {
when {
expression {
return params.update_job
}
}
steps {
script {
currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)
sleep(1)
}
}
}
stage('Prepare inventory') {
steps {
script {
def hostsFile = new File("${WORKSPACE}/hosts.ini")
hostsFile.append('[all]')
hostsFile.append('\n' + params.target_host)
println hostsFile.getText('UTF-8')
}
}
}
stage('Add config') {
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
dir("${env.WORKSPACE}") {
ansiblePlaybook(
playbook: 'addconfig.yml',
inventory: 'hosts.ini',
colorized: true,
extras: '''--private-key ${SSH_KEY}
-e "ansible_user=${username}
ansible_password=${password}
rproxy_service_name=${rproxy_service_name}
rproxy_service_port=${rproxy_service_port}
rproxy_service_address=${rproxy_service_address}"'''
)
}
}
}
}
}
}
}
}
post {
always {
cleanWs(patterns: [
[pattern: 'hosts.ini', type: 'INCLUDE']
])
}
}
}

5
roles/addconfig/tasks/addconfig.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"

83
roles/addconfig/tasks/certificates.yml Normal file
View File

@@ -0,0 +1,83 @@
---
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present
ignore_errors: true
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create fake host for certificate
ansible.builtin.shell:
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
ansible.builtin.shell:
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
mode: "0744"

14
roles/addconfig/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: restarted
enabled: yes

0
roles/rproxy/templates/server.conf.j2 → roles/addconfig/templates/server.conf.j2
View File

5
roles/addconfig/vars/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_dir: /opt/rproxy

2
roles/rproxy/tasks/podman.yml → roles/podman/tasks/main.yml
View File

@@ -5,8 +5,6 @@
- podman - podman
- podman-compose - podman-compose
- podman-docker - podman-docker
- podman-remote
- podman-tui
- buildah - buildah
update_cache: yes update_cache: yes

2
roles/podman/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
ansible_python_interpreter: /usr/bin/python3

2
roles/rproxy/files/repo.conf
View File

@@ -20,7 +20,7 @@ server {
dav_methods PUT DELETE MKCOL; dav_methods PUT DELETE MKCOL;
dav_access user:rw group:r all:r; dav_access user:rw group:r all:r;
create_full_put_path on; create_full_put_path on;
client_max_body_size 100m; client_max_body_size 5g;
# auth_basic "Needs to auth"; # auth_basic "Needs to auth";
# auth_basic_user_file /etc/nginx/.htpasswd; # auth_basic_user_file /etc/nginx/.htpasswd;

82
roles/rproxy/tasks/addconfig.yml
View File

@@ -1,82 +0,0 @@
---
- name: Create server configs
block:
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
- name: Generate certificates for {{ rproxy_service_name }}
block:
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create fake host for certificate
ansible.builtin.shell:
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN "
ansible.builtin.shell:
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
mode: "0744"
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: restarted
enabled: yes

59
roles/rproxy/tasks/certificates.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/repo\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/repo.crt
-k {{ rproxy_dir }}/certs/repo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-F {{ rproxy_dir }}/certs/RootCA.crt
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.key"
mode: "0744"

10
roles/rproxy/tasks/configs.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"

31
roles/rproxy/tasks/dirs.yml Normal file
View File

@@ -0,0 +1,31 @@
---
- name: Remove rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: absent
- name: Create rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: directory
- name: Create rproxy data dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
- name: Create sites dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
mode: 0777

113
roles/rproxy/tasks/dockerrepo.yml
View File

@@ -1,113 +0,0 @@
---
- name: Prepare for image repository
block:
- name: Remove dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: absent
- name: Create dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ dockerrepo_data_dir }}"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}/certs"
state: directory
- name: Create certificates for image repository
block:
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/dockerrepo.crt
-k {{ rproxy_dir }}/certs/dockerrepo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
mode: "0744"
- name: Start image repository
block:
- name: Pull repo image
containers.podman.podman_image:
name: registry:latest
state: present
- name: Delete image repository container if exists
containers.podman.podman_container:
name: registry
state: absent
- name: Start registry
containers.podman.podman_container:
name: registry
image: registry:latest
state: started
ports:
- "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
volumes:
- "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
- "{{ dockerrepo_dir }}/certs:/certs:z,rw"
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable registry service
ansible.builtin.systemd:
name: "container-registry.service"
state: started
enabled: yes

42
roles/rproxy/tasks/main.yml
View File

@@ -1,40 +1,20 @@
--- ---
- name: Podman install - name: Prepare directories
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: podman.yml file: dirs.yml
apply:
tags: install - name: Copy configs
tags: ansible.builtin.include_tasks:
- install file: configs.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Rproxy install - name: Rproxy install
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: rproxy.yml file: rproxy.yml
apply:
tags: install
tags:
- install
- name: Repo install - name: Repository install
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: repo.yml file: repo.yml
apply:
tags: install
tags:
- install
- name: Docker repo install
ansible.builtin.include_tasks:
file: dockerrepo.yml
apply:
tags: install
tags:
- install
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
apply:
tags: add_config
tags:
- add_config

72
roles/rproxy/tasks/repo.yml
View File

@@ -1,71 +1,9 @@
--- ---
- name: Prepare for https repository - name: Install createrepo
block: ansible.builtin.yum:
- name: Create repo dir name:
ansible.builtin.file: - createrepo
path: "{{ repo_data_dir }}" update_cache: yes
state: directory
mode: 0777
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Create https certificates for repository
block:
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:"
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/repo.crt
-k {{ rproxy_dir }}/certs/repo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-F {{ rproxy_dir }}/certs/RootCA.crt
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.key"
mode: "0744"
- name: Restart rproxy service - name: Restart rproxy service
ansible.builtin.systemd: ansible.builtin.systemd:

115
roles/rproxy/tasks/rproxy.yml
View File

@@ -1,81 +1,42 @@
--- ---
- name: Prepare dirs for rproxy - name: Pull rproxy image
block: containers.podman.podman_image:
- name: Remove rproxy dir name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
ansible.builtin.file: state: present
path: "{{ rproxy_dir }}"
state: absent
- name: Create data dir - name: Delete rproxy container if exists
ansible.builtin.file: containers.podman.podman_container:
path: "{{ data_dir }}" name: rproxy
state: directory state: absent
- name: Create rproxy dir - name: Start rproxy
ansible.builtin.file: containers.podman.podman_container:
path: "{{ rproxy_dir }}" name: rproxy
state: directory image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
state: started
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Create rproxy data dir - name: Enable rproxy service
ansible.builtin.file: ansible.builtin.systemd:
path: "{{ repo_data_dir }}" name: "container-rproxy.service"
state: directory state: started
enabled: yes
- name: Create sites dir daemon_reload: yes
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"
- name: Install rproxy
block:
- name: Pull rproxy image
containers.podman.podman_image:
name: "docker.io/library/nginx:{{ rproxy_version }}"
state: present
- name: Delete rproxy container if exists
containers.podman.podman_container:
name: rproxy
state: absent
- name: Start rproxy
containers.podman.podman_container:
name: rproxy
image: "docker.io/library/nginx:{{ rproxy_version }}"
state: started
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Enable rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
enabled: yes
daemon_reload: yes

12
roles/rproxy/vars/main.yml
View File

@@ -1,7 +1,9 @@
---
# General
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_image: nginx
rproxy_version: 1.29
rproxy_dir: /opt/rproxy rproxy_dir: /opt/rproxy
rproxy_version: 1.29.0 repo_data_dir: /opt/repodata
data_dir: /opt/data
repo_data_dir: /opt/data/repo
dockerrepo_dir: /opt/dockerrepo
dockerrepo_data_dir: /opt/data/dockerrepo

16
rproxy.yml
View File

@@ -2,21 +2,11 @@
- hosts: all - hosts: all
become: yes become: yes
vars:
ansible_python_interpreter: /usr/bin/python3
vars_prompt: vars_prompt:
- name: rproxy_service_name - name: image_repo
prompt: Enter service for rproxy prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000)
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
private: false private: false
roles: roles:
- podman
- rproxy - rproxy