Divide add config and rproxy installation

2025-10-21 01:25:24 +03:00
parent 36c6511ed6
commit 8c2afbcac9
19 changed files with 370 additions and 326 deletions
--- a/roles/addconfig/tasks/addconfig.yml
+++ b/roles/addconfig/tasks/addconfig.yml
@@ -0,0 +1,5 @@
+---
+- name: Copy server.conf
+  ansible.builtin.template:
+    src: templates/server.conf.j2
+    dest: "{{ rproxy_dir }}/sites/{{  rproxy_service_name  }}.conf"
--- a/roles/addconfig/tasks/certificates.yml
+++ b/roles/addconfig/tasks/certificates.yml
@@ -0,0 +1,83 @@
+---
+- name: Create CNAME dns record
+  community.general.ipa_dnsrecord:
+    ipa_user: "{{ ansible_user }}"
+    ipa_pass: "{{ ansible_password }}"
+    zone_name: "{{ ansible_facts['domain'] }}"
+    record_name: "{{  rproxy_service_name  }}"
+    record_type: 'CNAME'
+    record_value: "{{ ansible_facts['hostname'] }}"
+    state: present
+  ignore_errors: true
+
+- name: Kinit
+  ansible.builtin.shell:
+    cmd: "echo '{{ ansible_password }}' | kinit"
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Create fake host for certificate
+  ansible.builtin.shell:
+    cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
+  become: false
+  become_user: "{{ ansible_user }}"
+  ignore_errors: true
+
+- name: Create SPN for HTTP
+  ansible.builtin.shell:
+    cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
+  become: false
+  become_user: "{{ ansible_user }}"
+  ignore_errors: true
+
+- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
+  ansible.builtin.shell:
+    cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
+  become: false
+  become_user: "{{ ansible_user }}"
+  ignore_errors: true
+
+- name: Kdestroy
+  ansible.builtin.shell:
+    cmd: kdestroy
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Get all tracking certificates
+  ansible.builtin.shell:
+    cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
+  register: tracking_list
+
+- name: Remove certificates from IPA tracking
+  ansible.builtin.shell:
+    cmd: "ipa-getcert stop-tracking -i {{ item }}"
+  loop: "{{ tracking_list.stdout_lines }}"
+  ignore_errors: true
+
+- name: Request certificate via ipa-getcert
+  ansible.builtin.command: >
+    ipa-getcert request
+    -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
+    -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
+    -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
+    -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
+
+- name: Wait for certificate to appear
+  ansible.builtin.wait_for:
+    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
+    timeout: 60
+
+- name: Change certificate permissions
+  ansible.builtin.file:
+    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
+    mode: "0744"
+
+- name: Wait for certificate key to appear
+  ansible.builtin.wait_for:
+    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
+    timeout: 60
+
+- name: Change certificate key permissions
+  ansible.builtin.file:
+    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
+    mode: "0744"
--- a/roles/addconfig/tasks/main.yml
+++ b/roles/addconfig/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Add config
+  ansible.builtin.include_tasks: 
+    file: addconfig.yml
+
+- name: Generate certificates
+  ansible.builtin.include_tasks: 
+    file: certificates.yml
+
+- name: Restart rproxy service
+  ansible.builtin.systemd:
+    name: "container-rproxy.service"
+    state: restarted
+    enabled: yes
--- a/roles/addconfig/templates/server.conf.j2
+++ b/roles/addconfig/templates/server.conf.j2
@@ -0,0 +1,35 @@
+upstream {{ rproxy_service_name }}.{{ ansible_domain }} {
+    server {{ rproxy_service_address }}:{{ rproxy_service_port }};
+}
+
+server {
+    listen 80;
+    server_name {{ rproxy_service_name }}.{{ ansible_domain }};
+    access_log /var/log/nginx/{{ rproxy_service_name }}.access.log;
+    error_log /var/log/nginx/{{ rproxy_service_name }}.error.log;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ rproxy_service_name }}.{{ ansible_domain }};
+    access_log /var/log/nginx/{{ rproxy_service_name }}.access.log;
+    error_log /var/log/nginx/{{ rproxy_service_name }}.error.log;
+    ssl_certificate /etc/nginx/certs/{{  rproxy_service_name  }}.{{ ansible_domain }}.crt;
+    ssl_certificate_key /etc/nginx/certs/{{  rproxy_service_name  }}.{{ ansible_domain }}.key;
+    ssl_protocols TLSv1.2;
+    ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4;
+    ssl_prefer_server_ciphers on;
+    proxy_connect_timeout 600s;
+    fastcgi_request_buffering off;
+    fastcgi_buffers 64 4K;
+
+    location / {
+        proxy_pass_header Server;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://{{ rproxy_service_name }}.{{ ansible_domain }}/;
+     }
+}
--- a/roles/addconfig/vars/main.yml
+++ b/roles/addconfig/vars/main.yml
@@ -0,0 +1,5 @@
+---
+ansible_python_interpreter: /usr/bin/python3
+
+# Rproxy
+rproxy_dir: /opt/rproxy