diff --git a/Jenkinsfile b/Jenkinsfile index e802635..b6475d4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -11,13 +11,8 @@ pipeline { timestamps() } parameters { - string(name: "target_host", defaultValue: "", trim: true, description: "Target host") - booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy") - string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)\n(for 'rproxy_install' job only)") - booleanParam(name: "config_add", defaultValue: true, description: "Add config") - string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") - string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") - string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)") + string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation") + string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)") booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes') } stages { @@ -45,11 +40,6 @@ pipeline { } } stage('Install Rproxy') { - when { - expression { - return params.rproxy_install - } - } steps { script { withCredentials([ @@ -61,14 +51,10 @@ pipeline { ansiblePlaybook( playbook: 'rproxy.yml', inventory: 'hosts.ini', - tags: 'install', colorized: true, extras: '''--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} - rproxy_service_name=${rproxy_service_name} - rproxy_service_port=${rproxy_service_port} - rproxy_service_address=${rproxy_service_address} image_repo=${images_repo_url}"''' ) } 
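Review bot: The `extras` string in the 'Install Rproxy' hunk still places `ansible_password=${password}` on the ansible-playbook command line, so the secret is readable in the agent's process table and in Ansible's own verbose output even though MaskPasswordsBuildWrapper hides it from the console. The plugin's `extraVars` map keeps the value off the logged command, roughly `extraVars: [ansible_user: username, ansible_password: [value: password, hidden: true], image_repo: params.images_repo_url]` in place of the `-e "..."` string. `images_repo_url` is a free-text parameter interpolated into that same quoted string, so a value containing quotes or whitespace alters how the extra vars are parsed; passing it through `extraVars` (or validating it as host[:port]) closes that too. The enclosing withCredentials block starts outside the hunk.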
@@ -77,38 +63,6 @@ pipeline { } } } - stage('Add config') { - when { - expression { - return params.config_add - } - } - steps { - script { - withCredentials([ - sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'), - usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') - ]) { - wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { - wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { - ansiblePlaybook( - playbook: 'rproxy.yml', - inventory: 'hosts.ini', - tags: 'add_config', - colorized: true, - extras: '''--private-key ${SSH_KEY} - -e "ansible_user=${username} - ansible_password=${password} - rproxy_service_name=${rproxy_service_name} - rproxy_service_port=${rproxy_service_port} - rproxy_service_address=${rproxy_service_address}"''' - ) - } - } - } - } - } - } } post { always { diff --git a/addconfig.yml b/addconfig.yml new file mode 100644 index 0000000..e1ce100 --- /dev/null +++ b/addconfig.yml @@ -0,0 +1,19 @@ +--- +- hosts: all + become: yes + + vars_prompt: + - name: rproxy_service_name + prompt: Enter service for rproxy + private: false + + - name: rproxy_service_port + prompt: Enter service for rproxy + private: false + + - name: rproxy_service_address + prompt: Enter service for rproxy + private: false + + roles: + - addconfig diff --git a/ansible.cfg b/ansible.cfg index b1c8e00..501720c 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -2,4 +2,7 @@ hostfile = hosts.ini host_key_checking = false interpreter_python = /usr/bin/python3 -forks = 30 \ No newline at end of file +forks = 30 + +[ssh_connection] +pipelining = true \ No newline at end of file diff --git a/management/AddService.groovy b/management/AddService.groovy new file mode 100644 index 0000000..f9a5839 --- /dev/null +++ b/management/AddService.groovy 
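Review bot: In the new addconfig.yml all three `vars_prompt` entries use the prompt text `Enter service for rproxy`, so an operator running the playbook interactively is asked the same question for name, port and address and cannot tell which value is wanted. Suggest `prompt: Enter service name for rproxy`, `prompt: Enter service port for rproxy` and `prompt: Enter service address for rproxy`. When the playbook is driven from AddService.groovy the values arrive as `-e` extra vars and the prompts are skipped, so this only affects manual runs.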
@@ -0,0 +1,80 @@ +pipeline { + agent any + options { + buildDiscarder logRotator ( + numToKeepStr: '5', + daysToKeepStr: '7', + artifactNumToKeepStr: '10', + artifactDaysToKeepStr: '7' + ) + ansiColor('xterm') + timestamps() + } + parameters { + string(name: "target_host", defaultValue: "", trim: true, description: "Target host with rproxy installed") + string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (ex. jenkins)") + string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (ex. 8080)") + string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (ex. jenkins-master.olsson.ul)") + booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes') + } + stages { + stage('Update Job') { + when { + expression { + return params.update_job + } + } + steps { + script { + currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS) + sleep(1) + } + } + } + stage('Prepare inventory') { + steps { + script { + def hostsFile = new File("${WORKSPACE}/hosts.ini") + hostsFile.append('[all]') + hostsFile.append('\n' + params.target_host) + println hostsFile.getText('UTF-8') + } + } + } + stage('Add config') { + steps { + script { + withCredentials([ + sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'), + usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') + ]) { + wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { + wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { + dir("${env.WORKSPACE}") { + ansiblePlaybook( + playbook: 'addconfig.yml', + inventory: 'hosts.ini', + colorized: true, + extras: '''--private-key ${SSH_KEY} + -e "ansible_user=${username} + ansible_password=${password} + rproxy_service_name=${rproxy_service_name} + 
rproxy_service_port=${rproxy_service_port} + rproxy_service_address=${rproxy_service_address}"''' + ) + } + } + } + } + } + } + } + } + post { + always { + cleanWs(patterns: [ + [pattern: 'hosts.ini', type: 'INCLUDE'] + ]) + } + } +} \ No newline at end of file diff --git a/roles/addconfig/tasks/addconfig.yml b/roles/addconfig/tasks/addconfig.yml new file mode 100644 index 0000000..bda1eea --- /dev/null +++ b/roles/addconfig/tasks/addconfig.yml @@ -0,0 +1,5 @@ +--- +- name: Copy server.conf + ansible.builtin.template: + src: templates/server.conf.j2 + dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" \ No newline at end of file diff --git a/roles/addconfig/tasks/certificates.yml b/roles/addconfig/tasks/certificates.yml new file mode 100644 index 0000000..973d351 --- /dev/null +++ b/roles/addconfig/tasks/certificates.yml 
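Review bot: `rproxy_service_name`, `rproxy_service_port` and `rproxy_service_address` are free-text string parameters passed straight into the `-e` extra-vars string in 'Add config' with no validation, and in the addconfig role the name is interpolated into `ansible.builtin.shell` commands (`ipa host-add …`) and into the destination path `{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf`, so a value containing quotes, whitespace or `/` changes what those commands do. Add a check before the playbook runs, e.g. `if (!(params.rproxy_service_name ==~ /[a-z0-9-]+/)) { error('invalid rproxy_service_name') }`, with a numeric check for the port and a hostname check for the address. The same applies to `params.target_host`, which 'Prepare inventory' appends to hosts.ini unchecked; `new File("${WORKSPACE}/hosts.ini")` there also writes on the controller's filesystem rather than the agent's workspace if the build runs on a separate agent, so `writeFile file: 'hosts.ini', text: "[all]\n${params.target_host}"` is the safer step.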
@@ -0,0 +1,83 @@ +--- +- name: Create CNAME dns record + community.general.ipa_dnsrecord: + ipa_user: "{{ ansible_user }}" + ipa_pass: "{{ ansible_password }}" + zone_name: "{{ ansible_facts['domain'] }}" + record_name: "{{ rproxy_service_name }}" + record_type: 'CNAME' + record_value: "{{ ansible_facts['hostname'] }}" + state: present + ignore_errors: true + +- name: Kinit + ansible.builtin.shell: + cmd: "echo '{{ ansible_password }}' | kinit" + become: false + become_user: "{{ ansible_user }}" + +- name: Create fake host for certificate + ansible.builtin.shell: + cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\"" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + +- name: Create SPN for HTTP + ansible.builtin.shell: + cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + +- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN" + ansible.builtin.shell: + cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + +- name: Kdestroy + ansible.builtin.shell: + cmd: kdestroy + become: false + become_user: "{{ ansible_user }}" + +- name: Get all tracking certificates + ansible.builtin.shell: + cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\"" + register: tracking_list + +- name: Remove certificates from IPA tracking + ansible.builtin.shell: + cmd: "ipa-getcert stop-tracking -i {{ item }}" + loop: "{{ tracking_list.stdout_lines }}" + ignore_errors: true + +- name: Request 
certificate via ipa-getcert + ansible.builtin.command: > + ipa-getcert request + -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt + -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key + -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} + -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }} + +- name: Wait for certificate to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" + timeout: 60 + +- name: Change certificate permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" + mode: "0744" + +- name: Wait for certificate key to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" + timeout: 60 + +- name: Change certificate key permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" + mode: "0744" diff --git a/roles/addconfig/tasks/main.yml b/roles/addconfig/tasks/main.yml new file mode 100644 index 0000000..e9e548f --- /dev/null +++ b/roles/addconfig/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Add config + ansible.builtin.include_tasks: + file: addconfig.yml + +- name: Generate certificates + ansible.builtin.include_tasks: + file: certificates.yml + +- name: Restart rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: restarted + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/addconfig/templates/server.conf.j2 similarity index 100% rename from roles/rproxy/templates/server.conf.j2 rename to roles/addconfig/templates/server.conf.j2 diff --git a/roles/addconfig/vars/main.yml b/roles/addconfig/vars/main.yml new file mode 100644 index 0000000..f013a80 --- /dev/null +++ b/roles/addconfig/vars/main.yml 
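Review bot: `Change certificate key permissions` sets `mode: "0744"` on `{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key`, which leaves the private key world-readable on the host; the container is started privileged with the certs directory bind-mounted, so `mode: "0600"` (or `"0640"` with an owning group) should suffice — confirm against the uid nginx runs as inside the image. The `Kinit` task pipes `{{ ansible_password }}` through `echo` in a shell task without `no_log: true`, so the password lands in the task output whenever the play runs with verbosity or the task fails; add `no_log: true` to that task. `roles/rproxy/tasks/certificates.yml` in this commit has the same two issues.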
@@ -0,0 +1,5 @@ +--- +ansible_python_interpreter: /usr/bin/python3 + +# Rproxy +rproxy_dir: /opt/rproxy \ No newline at end of file diff --git a/roles/rproxy/tasks/podman.yml b/roles/podman/tasks/main.yml similarity index 86% rename from roles/rproxy/tasks/podman.yml rename to roles/podman/tasks/main.yml index c835554..d9e1b8d 100644 --- a/roles/rproxy/tasks/podman.yml +++ b/roles/podman/tasks/main.yml @@ -5,8 +5,6 @@ - podman - podman-compose - podman-docker - - podman-remote - - podman-tui - buildah update_cache: yes diff --git a/roles/podman/vars/main.yml b/roles/podman/vars/main.yml new file mode 100644 index 0000000..c4efc1d --- /dev/null +++ b/roles/podman/vars/main.yml @@ -0,0 +1,2 @@ +--- +ansible_python_interpreter: /usr/bin/python3 \ No newline at end of file diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml deleted file mode 100644 index 9b44dbc..0000000 --- a/roles/rproxy/tasks/addconfig.yml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -- name: Create server configs - block: - - name: Copy server.conf - ansible.builtin.template: - src: templates/server.conf.j2 - dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" - -- name: Generate certificates for {{ rproxy_service_name }} - block: - - name: Create CNAME dns record - community.general.ipa_dnsrecord: - ipa_user: "{{ ansible_user }}" - ipa_pass: "{{ ansible_password }}" - zone_name: "{{ ansible_facts['domain'] }}" - record_name: "{{ rproxy_service_name }}" - record_type: 'CNAME' - record_value: "{{ ansible_facts['hostname'] }}" - state: present - - - name: Kinit - ansible.builtin.shell: - cmd: "echo '{{ ansible_password }}' | kinit" - become: false - become_user: "{{ ansible_user }}" - - - name: Create fake host for certificate - ansible.builtin.shell: - cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\"" - become: false - become_user: "{{ ansible_user }}" - ignore_errors: true - - - name: Create SPN for HTTP - ansible.builtin.shell: - cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force" - become: false - become_user: "{{ ansible_user }}" - ignore_errors: true - - - name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN " - ansible.builtin.shell: - cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" - become: false - become_user: "{{ ansible_user }}" - ignore_errors: true - - - name: Get all tracking certificates - ansible.builtin.shell: - cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:" - register: tracking_list - - - name: Remove certificates from IPA tracking - ansible.builtin.shell: - cmd: "ipa-getcert stop-tracking -i {{ item }}" - loop: "{{ 
tracking_list.stdout_lines }}" - ignore_errors: true - - - name: Request certificate via ipa-getcert - ansible.builtin.command: > - ipa-getcert request - -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt - -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key - -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} - -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }} - - - name: Wait for certificate to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" - timeout: 60 - - - name: Change certificate permissions - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" - mode: "0744" - - - name: Wait for certificate key to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" - timeout: 60 - - - name: Change certificate key permissions - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" - mode: "0744" - -- name: Restart rproxy service - ansible.builtin.systemd: - name: "container-rproxy.service" - state: restarted - enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/certificates.yml b/roles/rproxy/tasks/certificates.yml new file mode 100644 index 0000000..0104c95 --- /dev/null +++ b/roles/rproxy/tasks/certificates.yml 
@@ -0,0 +1,59 @@ +--- +- name: Kinit + ansible.builtin.shell: + cmd: "echo '{{ ansible_password }}' | kinit" + become: false + become_user: "{{ ansible_user }}" + +- name: Create SPN for HTTP + ansible.builtin.shell: + cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + +- name: Kdestroy + ansible.builtin.shell: + cmd: kdestroy + become: false + become_user: "{{ ansible_user }}" + +- name: Get all tracking certificates + ansible.builtin.shell: + cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/repo\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\"" + register: tracking_list + +- name: Remove certificates from IPA tracking + ansible.builtin.shell: + cmd: "ipa-getcert stop-tracking -i {{ item }}" + loop: "{{ tracking_list.stdout_lines }}" + ignore_errors: true + +- name: Request certificate via ipa-getcert + ansible.builtin.command: > + ipa-getcert request + -f {{ rproxy_dir }}/certs/repo.crt + -k {{ rproxy_dir }}/certs/repo.key + -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + -F {{ rproxy_dir }}/certs/RootCA.crt + +- name: Wait for certificate to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/repo.crt" + timeout: 60 + +- name: Change certificate permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.crt" + mode: "0744" + +- name: Wait for certificate key to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/repo.key" + timeout: 60 + +- name: Change certificate key permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.key" + mode: "0744" \ No newline at end of file diff --git a/roles/rproxy/tasks/configs.yml b/roles/rproxy/tasks/configs.yml new file mode 100644 index 0000000..357e188 --- /dev/null +++ b/roles/rproxy/tasks/configs.yml 
@@ -0,0 +1,10 @@ +--- +- name: Copy repo.conf + ansible.builtin.copy: + src: files/repo.conf + dest: "{{ rproxy_dir }}/sites/repo.conf" + +- name: Copy nginx.conf + ansible.builtin.copy: + src: files/nginx.conf + dest: "{{ rproxy_dir }}/nginx.conf" \ No newline at end of file diff --git a/roles/rproxy/tasks/dirs.yml b/roles/rproxy/tasks/dirs.yml new file mode 100644 index 0000000..dffb35d --- /dev/null +++ b/roles/rproxy/tasks/dirs.yml @@ -0,0 +1,31 @@ +--- +- name: Remove rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: absent + +- name: Create rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: directory + +- name: Create rproxy data dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + +- name: Create sites dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/sites" + state: directory + +- name: Create certs dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs" + state: directory + +- name: Create repo dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + mode: 0777 \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 68a2643..701c44c 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
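Review bot: In dirs.yml `Create rproxy data dir` and `Create repo dir` both create `{{ repo_data_dir }}`, and the second adds `mode: 0777`, which makes the repository data directory world-writable to every local user and to anything running in the container that mounts it as `{{ repo_data_dir }}:/repo:z,rw`. Drop the duplicate task and give the directory an explicit owner/group with a narrower mode such as `mode: "0755"` (quoted, as Ansible recommends for octal modes) unless a non-root writer genuinely needs more. Note also that `Remove rproxy dir` deletes `{{ rproxy_dir }}` with `state: absent` on every run of the install playbook, which wipes the `sites/*.conf` files and certificates the AddService job creates; if that is intended, a comment on the task saying so would save the next operator a surprise.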
@@ -1,32 +1,20 @@ --- -- name: Podman install +- name: Prepare directories ansible.builtin.include_tasks: - file: podman.yml - apply: - tags: install - tags: - - install + file: dirs.yml + +- name: Copy configs + ansible.builtin.include_tasks: + file: configs.yml + +- name: Generate certificates + ansible.builtin.include_tasks: + file: certificates.yml - name: Rproxy install ansible.builtin.include_tasks: file: rproxy.yml - apply: - tags: install - tags: - - install -- name: Repo install +- name: Repository install ansible.builtin.include_tasks: - file: repo.yml - apply: - tags: install - tags: - - install - -- name: Add config - ansible.builtin.include_tasks: - file: addconfig.yml - apply: - tags: add_config - tags: - - add_config \ No newline at end of file + file: repo.yml \ No newline at end of file diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index 21452e2..eb9c7ce 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml 
@@ -1,77 +1,9 @@ --- -- name: Prepare for https repository - block: - - name: Create repo dir - ansible.builtin.file: - path: "{{ repo_data_dir }}" - state: directory - mode: 0777 - - - name: Copy repo.conf - ansible.builtin.copy: - src: files/repo.conf - dest: "{{ rproxy_dir }}/sites/repo.conf" - - - name: Install createrepo - ansible.builtin.yum: - name: - - createrepo - update_cache: yes - -- name: Create https certificates for repository - block: - - name: Kinit - ansible.builtin.shell: - cmd: "echo '{{ ansible_password }}' | kinit" - become: false - become_user: "{{ ansible_user }}" - - - name: Create SPN for HTTP - ansible.builtin.shell: - cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" - become: false - become_user: "{{ ansible_user }}" - ignore_errors: true - - - name: Get all tracking certificates - ansible.builtin.shell: - cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:" - register: tracking_list - - - name: Remove certificates from IPA tracking - ansible.builtin.shell: - cmd: "ipa-getcert stop-tracking -i {{ item }}" - loop: "{{ tracking_list.stdout_lines }}" - ignore_errors: true - - - name: Request certificate via ipa-getcert - ansible.builtin.command: > - ipa-getcert request - -f {{ rproxy_dir }}/certs/repo.crt - -k {{ rproxy_dir }}/certs/repo.key - -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} - -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} - -F {{ rproxy_dir }}/certs/RootCA.crt - - - name: Wait for certificate to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/repo.crt" - timeout: 60 - - - name: Change certificate permissions - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.crt" - mode: "0744" - - - name: Wait for certificate key to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/repo.key" - timeout: 60 - - - name: Change certificate key permissions - ansible.builtin.file: - path: "{{ 
rproxy_dir }}/certs/repo.key" - mode: "0744" +- name: Install createrepo + ansible.builtin.yum: + name: + - createrepo + update_cache: yes - name: Restart rproxy service ansible.builtin.systemd: diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index 8a18152..3107006 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml 
@@ -1,76 +1,42 @@ --- -- name: Prepare dirs for rproxy - block: - - name: Remove rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: absent +- name: Pull rproxy image + containers.podman.podman_image: + name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}" + state: present - - name: Create rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: directory +- name: Delete rproxy container if exists + containers.podman.podman_container: + name: rproxy + state: absent - - name: Create rproxy data dir - ansible.builtin.file: - path: "{{ repo_data_dir }}" - state: directory +- name: Start rproxy + containers.podman.podman_container: + name: rproxy + image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}" + state: started + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true - - name: Create sites dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/sites" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs" - state: directory - - - name: Copy nginx.conf - ansible.builtin.copy: - src: files/nginx.conf - dest: "{{ rproxy_dir }}/nginx.conf" - -- name: Install rproxy - block: - - name: Pull rproxy image - containers.podman.podman_image: - name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}" - state: present - - - name: Delete rproxy container if exists - containers.podman.podman_container: - name: rproxy - state: absent - - - name: Start rproxy - containers.podman.podman_container: - name: rproxy - image: "{{ image_repo }}/{{ 
rproxy_image }}:{{ rproxy_version }}" - state: started - ports: - - "443:443" - - "80:80" - - "9000:9000" - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' - - '{{ repo_data_dir }}:/repo:z,rw' - - "/etc/localtime:/etc/localtime:ro" - privileged: true - security_opt: - - "label=disable" - log_driver: journald - generate_systemd: - path: /etc/systemd/system/ - restart_policy: always - stop_timeout: 120 - names: true - - - name: Enable rproxy service - ansible.builtin.systemd: - name: "container-rproxy.service" - state: started - enabled: yes - daemon_reload: yes \ No newline at end of file +- name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes + daemon_reload: yes \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index debe606..85fa356 100644 --- a/rproxy.yml +++ b/rproxy.yml @@ -1,26 +1,12 @@ --- - hosts: all become: yes - - vars: - ansible_python_interpreter: /usr/bin/python3 vars_prompt: - - name: rproxy_service_name - prompt: Enter service for rproxy - private: false - - - name: rproxy_service_port - prompt: Enter service for rproxy - private: false - - - name: rproxy_service_address - prompt: Enter service for rproxy - private: false - - name: image_repo prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000) private: false roles: + - podman - rproxy
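Review bot: The `Start rproxy` task in rproxy.yml keeps `privileged: true` together with `security_opt: label=disable` for an nginx reverse proxy, which grants the container every capability and turns off SELinux confinement on top of the `:z` relabelled bind mounts. This is moved rather than new code, but since the hunk reshapes the task it is the moment to drop `privileged: true` and retest — a root container binds 80/443 and reads the bind mounts without it, and the `:z` labels already make the volumes accessible without `label=disable`. If something in the image does require either setting, a comment on the task naming the reason would help the next reviewer.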