From 41bcd91195375021904063d9efe9ba7e63528d8c Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 18:30:49 +0300 Subject: [PATCH] progress --- Jenkinsfile | 47 +++++++- roles/rproxy/files/nginx.conf | 7 -- roles/rproxy/tasks/main.yml | 119 ++++++++++++++----- roles/rproxy/templates/docker-compose.yml.j2 | 4 +- roles/rproxy/templates/server.cnf.j2 | 23 ++++ roles/rproxy/templates/server.conf.j2 | 25 ++-- rproxy.yml | 11 +- 7 files changed, 179 insertions(+), 57 deletions(-) create mode 100644 roles/rproxy/templates/server.cnf.j2 diff --git a/Jenkinsfile b/Jenkinsfile index df7363a..97e6292 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -4,6 +4,14 @@ pipeline { string(name: "target_host", defaultValue: "", trim: true, description: "Target host") string(name: "username", defaultValue: "", trim: true, description: "Ansible user") password(name: "password", defaultValue: "", description: "Ansible password") + booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy") + base64File(name: "rootca", description: "RootCA (only for 'Install Rproxy')") + base64File(name: "rootca_key", description: "RootCA key (only for 'Install Rproxy')") + booleanParam(name: "config_add", defaultValue: true, description: "Add config") + string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") + string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") + string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)") + } stages { stage('Download') { 
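Review bot: `config_add` defaults to `true` while `rproxy_service_name`, `rproxy_service_port` and `rproxy_service_address` default to empty strings, so a build intended only to install will also run the `Add config` stage and render `sites/.conf` with an empty upstream name; either default it to `false`, `booleanParam(name: "config_add", defaultValue: false, description: "Add config")`, or validate the three strings before that stage. The `rootca_key` parameter takes the CA private key as a `base64File` build parameter, which Jenkins appears to keep with the build record, so the key would persist in build history; a file credential read via `withCredentials` would keep it in the credentials store instead. The parameter descriptions say the service fields are for 'Add config' only, yet the `Install Rproxy` stage in the next hunk forwards them as well. The enclosing `pipeline` block continues beyond this hunk.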
@@ -11,11 +19,46 @@ pipeline { git branch: 'dev', url:'${git_url}/Ansible/rproxy.git', credentialsId: 'git' } } - stage('Run') { + stage('Save certs') { + when { + expression { + return params.rproxy_install + } + } + steps { + sh 'mkdir roles/rproxy/files/certs' + withFileParameter('rootca') { + sh 'mv ${rootca} roles/rproxy/files/certs/RootCA.crt' + } + withFileParameter('rootca_key') { + sh 'mv ${rootca_key} roles/rproxy/files/certs/RootCA.key' + } + } + } + stage('Install Rproxy') { + when { + expression { + return params.rproxy_install + } + } steps { script { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: params.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -u ${username} -e "ansible_password=${password}"' + sh 'ansible-playbook rproxy.yml -i ${target_host}, -t install -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + } + } + } + } + stage('Add config') { + when { + expression { + return params.config_add + } + } + steps { + script { + wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: params.password]]]) { + sh 'ansible-playbook rproxy.yml -i ${target_host}, -t add_config -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' } } } diff --git a/roles/rproxy/files/nginx.conf b/roles/rproxy/files/nginx.conf index c92b4e8..5c5ab7d 100644 --- a/roles/rproxy/files/nginx.conf +++ b/roles/rproxy/files/nginx.conf @@ -1,4 +1,3 @@ -load_module modules/ngx_http_headers_more_filter_module.so; user nginx; worker_processes auto; 
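Review bot: `sh 'mkdir roles/rproxy/files/certs'` in the new `Save certs` stage fails on a reused workspace where the directory already exists; use `sh 'mkdir -p roles/rproxy/files/certs'`. The two `mv` steps then place the files at `roles/rproxy/files/certs/RootCA.crt` and `RootCA.key`, but the role's `Copy RootCA certificate` and `Copy RootCA key` tasks in this same commit read `files/RootCA.crt` and `files/RootCA.key` with no `certs/` component, so unless Ansible's file lookup finds them elsewhere one of the two sides must change before the copy can succeed. Once moved, the CA key also sits unencrypted in the workspace for the rest of the build and any later browsing of it; a `post { always { sh 'rm -rf roles/rproxy/files/certs' } }` or `cleanWs()` would limit that. The `pipeline` block continues beyond the hunk.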
@@ -20,14 +19,8 @@ http { '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - - #gzip on; - include /etc/nginx/sites/*.conf; server_tokens off; } \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index f4b22d9..f5a1d8c 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
@@ -3,44 +3,97 @@ ansible.builtin.shell: cmd: hostname -d register: domain + tags: + - install + - add_config -- name: Install dependencies - ansible.builtin.apt: - name: - - docker.io - - docker-compose - update_cache: yes +- name: Install rproxy + block: + - name: Install dependencies + ansible.builtin.apt: + name: + - docker.io + - docker-compose + update_cache: yes -- name: Remove rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: absent + - name: Remove rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: absent -- name: Create rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: directory + - name: Create rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: directory -- name: Create sites dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/sites" - state: directory + - name: Create sites dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/sites" + state: directory -- name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" + - name: Create certs dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs" + state: directory -- name: Copy nginx.conf - ansible.builtin.copy: - src: files/nginx.conf - dest: "{{ rproxy_dir }}/nginx.conf" + - name: Copy docker-compose + ansible.builtin.template: + src: templates/docker-compose.yml.j2 + dest: "{{ rproxy_dir }}/docker-compose.yml" -- name: Copy server.conf - ansible.builtin.template: - src: templates/server.conf.j2 - dest: "{{ rproxy_dir }}/sites/server.conf" + - name: Copy nginx.conf + ansible.builtin.copy: + src: files/nginx.conf + dest: "{{ rproxy_dir }}/nginx.conf" + + - name: Copy RootCA certificate + ansible.builtin.copy: + src: files/RootCA.crt + dest: '{{ rproxy_dir }}/certs/RootCA.crt' + + - name: Copy RootCA key + ansible.builtin.copy: + src: files/RootCA.key + dest: '{{ rproxy_dir }}/certs/RootCA.key' + + - name: Copy server certificate cnf + 
ansible.builtin.template: + src: templates/server.cnf.j2 + dest: '{{ rproxy_dir }}/certs/server.cnf' + + - name: Generate server key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ domain.stdout }}.key -new -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -config {{ rproxy_dir }}/certs/server.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt -CAcreateserial' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.csr" + state: absent + + - name: Start rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + tags: install + +- name: Create configs + block: + - name: Copy server.conf + ansible.builtin.template: + src: templates/server.conf.j2 + dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" + + - name: Restart rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + build: false + restarted: true + tags: add_config -- name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.yml.j2 b/roles/rproxy/templates/docker-compose.yml.j2 index 7cc197b..7908b6b 100644 --- a/roles/rproxy/templates/docker-compose.yml.j2 +++ b/roles/rproxy/templates/docker-compose.yml.j2 
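Review bot: The `Sign server certificate` task runs `openssl x509 -req` without `-extfile`/`-extensions`, so the `v3_req` extensions (including the `subjectAltName`) carried in the CSR are not written into the issued certificate, and without `-days` the certificate gets the command's 30-day default rather than the `days = 365` set in `server.cnf`, which `x509` does not read; append `-days 365 -extfile {{ rproxy_dir }}/certs/server.cnf -extensions v3_req` to that command. The `Copy RootCA key` task and the `openssl genrsa` task write private keys with whatever the default umask yields; add `mode: '0600'` to the copy task and follow the key generation with an `ansible.builtin.file` task setting `mode: '0600'` on `{{ rproxy_dir }}/certs/{{ domain.stdout }}.key`. Note also that `Remove rproxy dir` runs on every `-t install`, so each re-install deletes every per-service config previously produced by `add_config`, and the `shell` tasks have no `creates:`, so each install regenerates the server key and certificate as well. This hunk spans two physical lines and the `Install rproxy` block starts on the previous one.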
@@ -8,9 +8,7 @@ services: volumes: - {{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf - {{ rproxy_dir }}/sites:/etc/nginx/sites - - {{ rproxy_dir }}/sites/default.conf:/etc/nginx/conf.d/default.conf - - {{ rproxy_dir }}/{{ domain.stdout }}.crt:/etc/nginx/{{ domain.stdout }}.crt - - {{ rproxy_dir }}/{{ domain.stdout }}.key:/etc/nginx/{{ domain.stdout }}.key + - {{ rproxy_dir }}/certs:/etc/nginx/certs ports: - 443:443 - 80:80 \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 new file mode 100644 index 0000000..441cb7b --- /dev/null +++ b/roles/rproxy/templates/server.cnf.j2 @@ -0,0 +1,23 @@ +[ req ] +prompt = no +days = 365 +distinguished_name = {{ domain.stdout }} +req_extensions = v3_req + + +[ olsson.ul ] +countryName = RU +stateOrProvinceName = RU +localityName = MSK +organizationName = {{ domain.stdout }} +organizationalUnitName = IT +commonName = {{ domain.stdout }} +emailAddress = admin@{{ domain.stdout }} + +[ v3_req ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth +subjectAltName = @sans + +[ sans ] +DNS.0 = *.{{ domain.stdout }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index 1cd5b63..22a21af 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 
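Review bot: The new `{{ rproxy_dir }}/certs:/etc/nginx/certs` mount exposes the CA private key inside the nginx container, because the role copies `RootCA.key` into that same directory, while nginx only needs `{{ domain.stdout }}.crt` and `{{ domain.stdout }}.key`. Keep the CA material outside the mounted path (for example a separate `{{ rproxy_dir }}/ca` directory) or mount only the two server files, and make the mount read-only, `- {{ rproxy_dir }}/certs:/etc/nginx/certs:ro`.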
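Review bot: `distinguished_name = {{ domain.stdout }}` must name a section of this file, but the only DN section present is the hard-coded `[ olsson.ul ]`, so `openssl req` cannot find its distinguished_name section for any other domain; use a fixed section name on both sides, `distinguished_name = dn` and `[ dn ]`. The `days = 365` key under `[ req ]` only affects `req -x509` self-signing and has no effect on the separate `x509 -req` signing step the role performs, so the intended validity has to be passed to that command instead.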
@@ -1,32 +1,35 @@ -{% for rproxy_service in rproxy_service_list %} +upstream {{ rproxy_service_name }}.{{ domain.stdout }} { + server {{ rproxy_service_address }}:{{ rproxy_service_port }}; +} + server { listen 80; - server_name {{ rproxy_service }}.{{ domain.stdout }}; - access_log /var/log/nginx/{{ rproxy_service }}.access.log; - error_log /var/log/nginx/{{ rproxy_service }}.error.log; + server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; + error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; return 301 https://$server_name$request_uri; } server { listen 443 ssl; - server_name {{ rproxy_service }}.{{ domain.stdout }}; - access_log /var/log/nginx/{{ rproxy_service }}.access.log; - error_log /var/log/nginx/{{ rproxy_service }}.error.log; - ssl_certificate /etc/nginx/{{ domain.stdout }}.crt; - ssl_certificate_key /etc/nginx/{{ domain.stdout }}.key; + server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; + error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; + ssl_certificate /etc/nginx/certs/{{ domain.stdout }}.crt; + ssl_certificate_key /etc/nginx/certs/{{ domain.stdout }}.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4; ssl_prefer_server_ciphers on; proxy_connect_timeout 600s; fastcgi_request_buffering off; fastcgi_buffers 64 4K; + location / { proxy_pass_header Server; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass https://{{ rproxy_service }}.{{ domain.stdout }}/; + proxy_pass https://{{ rproxy_service_name }}.{{ domain.stdout }}/; } } -{% endfor %} \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index 6acc338..9ee0785 100644 --- a/rproxy.yml +++ b/rproxy.yml 
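Review bot: `proxy_pass https://{{ rproxy_service_name }}.{{ domain.stdout }}/;` in the `location /` block now resolves to the new `upstream` of the same name, so nginx will speak TLS to `{{ rproxy_service_address }}:{{ rproxy_service_port }}`; if that backend is plain HTTP the scheme must be `http://`, and if it is TLS, nginx does not verify the backend certificate unless `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/nginx/certs/RootCA.crt;` (or the appropriate trust anchor) are set. Since the config is now per-service, a short header comment such as `# rendered per service by roles/rproxy; upstream must speak the scheme used in proxy_pass` would make that expectation visible to whoever adds the next service.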
@@ -5,7 +5,16 @@ vars: ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy - rproxy_service_list: [jenkins] + vars_prompt: + - name: rproxy_service_name + prompt: Enter service for rproxy + + - name: rproxy_service_port + prompt: Enter service for rproxy + + - name: rproxy_service_address + prompt: Enter service for rproxy + roles: - rproxy
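Review bot: All three `vars_prompt` entries use the same text `Enter service for rproxy`, and `private` defaults to `yes` for `vars_prompt`, so an interactive user is asked an ambiguous question three times with nothing echoed back; give each its own prompt and `private: no`, e.g. `prompt: Enter service port` / `private: no` for `rproxy_service_port`. When invoked from the Jenkinsfile the values arrive via `-e`, so the prompts are skipped even when the value is an empty string, which is why an empty `rproxy_service_name` reaches the template unchallenged.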