diff --git a/roles/rproxy/files/repo.conf b/roles/rproxy/files/repo.conf index 9bca367..835d514 100644 --- a/roles/rproxy/files/repo.conf +++ b/roles/rproxy/files/repo.conf @@ -1,8 +1,16 @@ server { - listen 9000; + listen 9000 default ssl; server_name _; root /repo; + ssl_certificate /etc/nginx/certs/repo.crt; + ssl_certificate_key /etc/nginx/certs/repo.key; + ssl_protocols TLSv1.2; + ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4; + ssl_prefer_server_ciphers on; + + error_page 497 301 =307 https://$host:$server_port$request_uri; + location / { charset utf-8; autoindex on; diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 58e2672..729856d 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -51,12 +51,6 @@ path: "{{ rproxy_dir }}/sites" state: directory - - name: Create repo dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/repo" - state: directory - mode: 0777 - - name: Create certs dir ansible.builtin.file: path: "{{ rproxy_dir }}/certs" 
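Review bot: `ssl_protocols TLSv1.2;` in the repo.conf hunk leaves TLS 1.3 disabled; unless the image's nginx/OpenSSL predates it, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting. In the `ssl_ciphers` string the `+AES256` term uses OpenSSL's `+` operator, which moves already-present suites to the end of the list rather than enabling them, so as written the AES-128 ECDHE suites are preferred over AES-256 — check the effective order with `openssl ciphers -v 'EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4'` and reorder if AES-256-first was intended. The `ssl` parameter on `listen` is the supported form, but `default` is the pre-0.8.21 spelling of `default_server`. No `ssl_session_cache`/`ssl_session_timeout` is set, so every connection does a full handshake; `ssl_session_cache shared:SSL:10m;` is the common addition.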
@@ -81,19 +75,68 @@ ansible.builtin.copy: src: files/RootCA.key dest: '{{ rproxy_dir }}/certs/RootCA.key' - - - name: HTTPS repository - block: - - name: Copy repo.conf - ansible.builtin.copy: - src: files/repo.conf - dest: "{{ rproxy_dir }}/sites/repo.conf" - name: Start rproxy community.docker.docker_compose: project_src: "{{ rproxy_dir }}" tags: install +- name: Create https repository + block: + - name: Get IP address + ansible.builtin.shell: + cmd: hostname -I | awk '{print $1}' + register: IP + + - name: Create repo dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/repo" + state: directory + mode: 0777 + + - name: Copy repo.conf + ansible.builtin.copy: + src: files/repo.conf + dest: "{{ rproxy_dir }}/sites/repo.conf" + + - name: Copy repo certificate cnf + ansible.builtin.template: + src: templates/repo.cnf.j2 + dest: '{{ rproxy_dir }}/certs/repo.cnf' + + - name: Generate repo certificate key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.csr" + state: absent + + - name: Delete cnf + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.cnf" + state: absent + + - name: Restart rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + build: false 
+ restarted: true
+ tags: install
+
 - name: Create configs
 block:
 - name: Copy server.conf
diff --git a/roles/rproxy/templates/repo.cnf.j2 b/roles/rproxy/templates/repo.cnf.j2
new file mode 100644
index 0000000..515937e
--- /dev/null
+++ b/roles/rproxy/templates/repo.cnf.j2
@@ -0,0 +1,29 @@
+[ req ]
+prompt = no
+distinguished_name = repo.{{ domain.stdout }}
+req_extensions = v3_req
+x509_extensions = v3_x509
+
+
+[ repo.{{ domain.stdout }} ]
+countryName = RU
+stateOrProvinceName = RU
+localityName = MSK
+organizationName = {{ domain.stdout }}
+organizationalUnitName = IT
+commonName = repo.{{ domain.stdout }}
+emailAddress = admin@{{ domain.stdout }}
+
+[ v3_req ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @sans
+
+[ v3_x509 ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @sans
+
+[ sans ]
+DNS.1 = repo.{{ domain.stdout }}
+IP.1 = {{ IP.stdout }}
\ No newline at end of file
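Review bot: The certificate tasks in the `Create https repository` block are not idempotent — `openssl genrsa`, `openssl req` and `openssl x509` carry no `creates:`/`when:` guard, so every run of the `install` tag generates a new key and certificate and restarts the proxy. The key file is left with whatever permissions openssl chose, next to a repo directory created with `mode: 0777`, which should be `mode: "0755"` (quoted, per Ansible convention) unless a non-root writer genuinely needs it. The sketch below gates generation on a `stat` of `repo.crt` and pins the key to `0600`; the same `when:` belongs on the csr, sign, fullchain, delete and restart tasks (or make the restart a handler notified by the sign task). `hostname -I | awk '{print $1}'` takes whichever address is listed first, which on a docker host can be a bridge address; `ansible_default_ipv4.address` from gathered facts is the usual source, and `domain` is registered outside this hunk so it cannot be checked here. The context lines above show `files/RootCA.key` being deployed alongside the server key, so the CA private key is present on every proxy host; signing off-host, or at least `mode: "0600"` on the key files, would limit that exposure.
```yaml
    - name: Check for an existing repo certificate
      ansible.builtin.stat:
        path: "{{ rproxy_dir }}/certs/repo.crt"
      register: repo_crt

    - name: Generate repo certificate key
      ansible.builtin.shell:
        cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048'
      when: not repo_crt.stat.exists

    - name: Restrict repo key permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/repo.key"
        mode: "0600"

    # … unchanged: csr, sign, fullchain and delete tasks, each with the same when: guard …
```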
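Review bot: The `[ v3_req ]` and `[ v3_x509 ]` sections of repo.cnf.j2 are byte-identical; since the sign task passes `-extensions v3_x509` explicitly, one section suffices — `x509_extensions = v3_req` in `[ req ]`, `-extensions v3_req` in the sign task, and drop `[ v3_x509 ]`. Neither section sets `extendedKeyUsage = serverAuth`, which most server-certificate profiles include alongside `keyUsage`; adding it costs nothing and avoids clients that check EKU rejecting the certificate. `IP.1 = {{ IP.stdout }}` renders to `IP.1 = ` when the registered command produced no output, which makes `openssl req` fail on the config rather than on a clear message; a guard such as `{% if IP.stdout %}IP.1 = {{ IP.stdout }}{% endif %}` keeps the template valid. The template also relies on `domain.stdout`, which is registered outside this diff.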