From e2842db8080b1de54a1485da81a5f007c6a0f543 Mon Sep 17 00:00:00 2001
From: Pavlov Makar
Date: Sun, 20 Jul 2025 17:58:55 +0300
Subject: [PATCH] Prepare ansible role for AlmaLinux 10

* Moved from docker to podman
* Refactored certificate generation
---
 ansible.cfg | 1 -
 roles/rproxy/tasks/addconfig.yml | 96 ++++++++++++----
 roles/rproxy/tasks/docker.yml | 33 ------
 roles/rproxy/tasks/dockerrepo.yml | 107 +++++++++++++-----
 roles/rproxy/tasks/main.yml | 4 +-
 roles/rproxy/tasks/podman.yml | 17 +++
 roles/rproxy/tasks/repo.yml | 96 ++++++++++++----
 roles/rproxy/tasks/rproxy.yml | 54 +++++++--
 .../docker-compose.dockerrepo.yml.j2 | 15 ---
 .../templates/docker-compose.rproxy.yml.j2 | 16 ---
 roles/rproxy/templates/dockerrepo.cnf.j2 | 29 -----
 roles/rproxy/templates/repo.cnf.j2 | 29 -----
 roles/rproxy/templates/server.cnf.j2 | 29 -----
 roles/rproxy/vars/main.yml | 1 +
 14 files changed, 289 insertions(+), 238 deletions(-)
 delete mode 100644 roles/rproxy/tasks/docker.yml
 create mode 100644 roles/rproxy/tasks/podman.yml
 delete mode 100644 roles/rproxy/templates/docker-compose.dockerrepo.yml.j2
 delete mode 100644 roles/rproxy/templates/docker-compose.rproxy.yml.j2
 delete mode 100644 roles/rproxy/templates/dockerrepo.cnf.j2
 delete mode 100644 roles/rproxy/templates/repo.cnf.j2
 delete mode 100644 roles/rproxy/templates/server.cnf.j2

diff --git a/ansible.cfg b/ansible.cfg
index 4e4796a..b1c8e00 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,5 @@
 [defaults]
 hostfile = hosts.ini
-log_path = ansible-log.log
 host_key_checking = false
 interpreter_python = /usr/bin/python3
 forks = 30
\ No newline at end of file
diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml
index 4735146..e72231b 100644
--- a/roles/rproxy/tasks/addconfig.yml
+++ b/roles/rproxy/tasks/addconfig.yml
@@ -1,27 +1,48 @@ --- -- name: Create configs +- name: Create server configs block: - name: Copy server.conf ansible.builtin.template: src: templates/server.conf.j2 dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" - - name: Copy server certificate cnf - ansible.builtin.template: - src: templates/server.cnf.j2 - dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' +- name: Generate certificates for {{ rproxy_service_name }} + block: + - name: "Generate {{ rproxy_service_name }}.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + size: "2048" - - name: Generate server key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' + - name: "Generate {{ rproxy_service_name }}.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir 
}}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509' + - name: "Generate {{ rproxy_service_name }}.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: 
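Review bot: The new `openssl_csr` task drops the `basicConstraints = CA:false` that the removed server.cnf.j2 set in its `v3_x509` section, and with `provider: ownca` the leaf certificate is built from this CSR, so the issued certificate no longer carries an explicit non-CA constraint; add `basic_constraints: ["CA:FALSE"]` and `basic_constraints_critical: true` to the CSR task. The same omission is in the dockerrepo.yml and repo.yml CSR tasks. The `key_usage` list also grew to include `nonRepudiation` and `dataEncipherment`, which the removed template did not set and a TLS server certificate (`extended_key_usage: serverAuth`) does not need; trimming it back to `digitalSignature` and `keyEncipherment` keeps parity with the old configuration. Unless the module default is being relied on, `mode: "0600"` on the `openssl_privatekey` task would make the key file permissions explicit, since the certs directory is later mounted read-write into a container.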
@@ -32,13 +53,40 @@ path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" - state: absent +- name: Restart rproxy + block: + - name: Restart container + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes diff --git a/roles/rproxy/tasks/docker.yml b/roles/rproxy/tasks/docker.yml deleted file mode 100644 index 576c7ac..0000000 --- a/roles/rproxy/tasks/docker.yml +++ /dev/null 
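Review bot: `privileged: true` together with `security_opt: ["label=disable"]` on the nginx container grants it every host capability and switches SELinux confinement off, while nothing in this hunk needs either: the bind mounts already use `:z` relabelling and the container only publishes ports 443/80/9000. Both lines should be removed here and in the identical container definitions in dockerrepo.yml, repo.yml and rproxy.yml. The `Daemon reload` task shells out to `systemctl daemon-reload` although the next task already uses `ansible.builtin.systemd`, which can do the reload itself: drop the shell task and add `daemon_reload: true` to the `Enable rproxy service` task, and write `enabled: true` rather than `enabled: yes`.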
@@ -1,33 +0,0 @@ ---- -- name: Install python3.11 - ansible.builtin.yum: - name: - - python3.11 - - python3.11-setuptools - - python3.11-pip - update_cache: yes - -- name: Change default python3 to v3.11 - ansible.builtin.alternatives: - name: python3 - path: /usr/bin/python3.11 - -- name: Upgrade pip - ansible.builtin.pip: - name: pip - state: latest - executable: pip3 - -- name: Install docker - ansible.builtin.pip: - name: - - docker - - docker-compose - -- name: Enable docker (RHEL) - ansible.builtin.systemd: - name: docker - state: restarted - enabled: true - daemon_reload: true - when: ansible_facts['os_family'] == "RedHat" \ No newline at end of file diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml index 2bd792c..b3b6151 100644 --- a/roles/rproxy/tasks/dockerrepo.yml +++ b/roles/rproxy/tasks/dockerrepo.yml @@ -1,5 +1,5 @@ --- -- name: Create docker repository +- name: Prepare for image repository block: - name: Remove dockerrepo dir ansible.builtin.file: 
@@ -21,27 +21,43 @@ path: "{{ dockerrepo_dir }}/certs" state: directory - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.dockerrepo.yml.j2 - dest: "{{ dockerrepo_dir }}/docker-compose.yml" +- name: Create certificates for image repository + block: + - name: "Generate dockerrepo.key" + community.crypto.openssl_privatekey: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + size: "2048" - - name: Copy dockerrepo certificate cnf - ansible.builtin.template: - src: templates/dockerrepo.cnf.j2 - dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf' + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate dockerrepo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048' - - - name: Generate dockerrepo csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Sign dockerrepo certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt 
-CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509' + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: 
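Review bot: The task names `"Generate server.csr"` and `"Generate server.crt"` do not match the files the tasks write, `dockerrepo.csr` and `dockerrepo.crt`; rename them `- name: "Generate dockerrepo.csr"` and `- name: "Generate dockerrepo.crt"` (repo.yml has the same mismatch with `repo.csr`/`repo.crt`). Note also that the subject alternative name now lists `imagerepo.{{ ansible_facts['domain'] }}` where the removed dockerrepo.cnf.j2 used `dockerrepo.{{ ansible_domain }}` as both CN and SAN; if the registry's public hostname is intentionally changing, that deserves a line in the commit message, since clients that trust the old name will stop validating.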
@@ -52,13 +68,48 @@ path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf" +- name: Start image repository + block: + - name: Pull repo image + containers.podman.podman_image: + name: registry:latest + state: present + + - name: Delete image repository container if exists + containers.podman.podman_container: + name: registry state: absent - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ dockerrepo_dir }}" - build: false - restarted: true \ No newline at end of file + - name: Start registry + containers.podman.podman_container: + name: registry + image: registry:latest + state: started + ports: + - "5000:5000" + environment: + - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt + - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key + volumes: + - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw" + - "{{ dockerrepo_dir }}/certs:/certs:z,rw" + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable registry service + ansible.builtin.systemd: + name: "container-registry.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index ff16ac7..2d528d5 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -1,7 +1,7 @@ --- -- name: Docker install +- name: Podman install ansible.builtin.include_tasks: - file: docker.yml + file: podman.yml apply: tags: install tags: diff --git a/roles/rproxy/tasks/podman.yml b/roles/rproxy/tasks/podman.yml new file mode 100644 index 0000000..c835554 --- /dev/null +++ b/roles/rproxy/tasks/podman.yml 
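Review bot: The registry is pulled as `registry:latest` with `state: present`, so the image is neither pinned nor refreshed once present: whatever `latest` resolved to on first run stays in place until the image is removed by hand, and a later rebuild gets a different, unreviewed version. Pin it the way the nginx image is pinned with `rproxy_version`, e.g. `name: "registry:{{ registry_version }}"` with the version held in vars (a constructed variable name, to be added there). The certificate mount `"{{ dockerrepo_dir }}/certs:/certs:z,rw"` only has to be read by the registry (`REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY`), so mount it `:z,ro` so the container cannot alter the served key pair.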
@@ -0,0 +1,17 @@ +--- +- name: Install podman + ansible.builtin.yum: + name: + - podman + - podman-compose + - podman-docker + - podman-remote + - podman-tui + - buildah + update_cache: yes + +- name: Enable Podman + ansible.builtin.systemd: + name: podman + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index 8b0be4c..c5347dc 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml @@ -1,5 +1,5 @@ --- -- name: Create https repository +- name: Prepare for https repository block: - name: Create repo dir ansible.builtin.file: 
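Review bot: The `Enable Podman` task starts and enables the `podman` systemd unit, which is Podman's API service rather than a runtime the containers depend on; the `container-*.service` units generated elsewhere in this patch run without it, so unless something consumes the API socket the task can be dropped — confirm against the hosts before removing it. If it stays, write `enabled: true` (and `update_cache: true` in the yum task) instead of the `yes` form, which is a YAML 1.1 boolean. The package list also pulls in `podman-tui`, `podman-docker` and `buildah`, none of which the role's tasks use; a short comment on the list saying why they are installed would help the next maintainer.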
@@ -12,22 +12,43 @@ src: files/repo.conf dest: "{{ rproxy_dir }}/sites/repo.conf" - - name: Copy repo certificate cnf - ansible.builtin.template: - src: templates/repo.cnf.j2 - dest: '{{ rproxy_dir }}/certs/repo.cnf' +- name: Create https certificates for repository + block: + - name: "Generate repo.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/repo.key" + size: "2048" - - name: Generate repo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/repo.csr" + privatekey_path: "{{ rproxy_dir }}/certs/repo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/repo.csr" + path: "{{ rproxy_dir }}/certs/repo.crt" + privatekey_path: "{{ rproxy_dir 
}}/certs/repo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: @@ -38,13 +59,40 @@ path: "{{ rproxy_dir }}/certs/repo.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.cnf" - state: absent +- name: Restart rproxy + block: + - name: Restart container + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true \ No newline at end of file + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index ad40481..a2792c2 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml @@ -1,5 +1,5 @@ --- -- name: Install rproxy +- name: Prepare dirs for rproxy block: - name: Remove rproxy dir ansible.builtin.file: 
@@ -21,11 +21,6 @@ path: "{{ rproxy_dir }}/certs" state: directory - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.rproxy.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" - - name: Copy nginx.conf ansible.builtin.copy: src: files/nginx.conf @@ -41,6 +36,49 @@ src: files/RootCA.key dest: '{{ rproxy_dir }}/certs/RootCA.key' +- name: Install rproxy + block: + - name: Pull rproxy image + containers.podman.podman_image: + name: "nginx:{{ rproxy_version }}" + state: present + + - name: Delete rproxy container if exists + containers.podman.podman_container: + name: rproxy + state: absent + - name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" \ No newline at end of file + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 b/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 deleted file mode 100644 index 09fb7c3..0000000 --- a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 +++ /dev/null 
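Review bot: The full `podman_container` definition for rproxy (image, ports, volumes, security options, `generate_systemd`) added in the `Install rproxy` block is repeated verbatim in the `Restart rproxy` blocks of addconfig.yml and repo.yml, so any change to a port or mount now has to be made in three places and the copies will drift. Keep the definition once, either as a shared tasks file included from all three (`ansible.builtin.include_tasks: file: rproxy_container.yml`, a constructed filename) or as a handler notified by the config and certificate tasks, and leave only `restart: true` as the difference. The `Delete rproxy container if exists` step before the start would then also apply uniformly.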
@@ -1,15 +0,0 @@ -version: '3.3' - -services: - nginx: - image: registry:latest - container_name: dockerrepo - restart: always - environment: - - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt - - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key - volumes: - - '{{ dockerrepo_data_dir }}:/var/lib/registry' - - '{{ dockerrepo_dir }}/certs:/certs' - ports: - - 5000:5000 \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 b/roles/rproxy/templates/docker-compose.rproxy.yml.j2 deleted file mode 100644 index 1230303..0000000 --- a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -version: '3.3' - -services: - nginx: - image: nginx:latest - container_name: rproxy - restart: always - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs' - - '{{ repo_data_dir }}:/repo' - ports: - - 443:443 - - 80:80 - - 9000:9000 \ No newline at end of file diff --git a/roles/rproxy/templates/dockerrepo.cnf.j2 b/roles/rproxy/templates/dockerrepo.cnf.j2 deleted file mode 100644 index 09cf6e5..0000000 --- a/roles/rproxy/templates/dockerrepo.cnf.j2 +++ /dev/null 
@@ -1,29 +0,0 @@
-[ req ]
-prompt = no
-distinguished_name = dockerrepo.{{ ansible_domain }}
-req_extensions = v3_req
-x509_extensions = v3_x509
-
-
-[ dockerrepo.{{ ansible_domain }} ]
-countryName = RU
-stateOrProvinceName = RU
-localityName = MSK
-organizationName = {{ ansible_domain }}
-organizationalUnitName = IT
-commonName = dockerrepo.{{ ansible_domain }}
-emailAddress = admin@{{ ansible_domain }}
-
-[ v3_req ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ v3_x509 ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ sans ]
-DNS.1 = dockerrepo.{{ ansible_domain }}
-IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }}
\ No newline at end of file
diff --git a/roles/rproxy/templates/repo.cnf.j2 b/roles/rproxy/templates/repo.cnf.j2
deleted file mode 100644
index 0a44d46..0000000
--- a/roles/rproxy/templates/repo.cnf.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-[ req ]
-prompt = no
-distinguished_name = repo.{{ ansible_domain }}
-req_extensions = v3_req
-x509_extensions = v3_x509
-
-
-[ repo.{{ ansible_domain }} ]
-countryName = RU
-stateOrProvinceName = RU
-localityName = MSK
-organizationName = {{ ansible_domain }}
-organizationalUnitName = IT
-commonName = repo.{{ ansible_domain }}
-emailAddress = admin@{{ ansible_domain }}
-
-[ v3_req ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ v3_x509 ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ sans ]
-DNS.1 = repo.{{ ansible_domain }}
-IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }}
\ No newline at end of file
diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2
deleted file mode 100644
index d415f6c..0000000
--- a/roles/rproxy/templates/server.cnf.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-[ req ]
-prompt = no
-distinguished_name = {{ rproxy_service_name }}.{{ ansible_domain }}
-req_extensions = v3_req
-x509_extensions = v3_x509
-
-
-[ {{ rproxy_service_name }}.{{ ansible_domain }} ]
-countryName = RU
-stateOrProvinceName = RU
-localityName = MSK
-organizationName = {{ ansible_domain }}
-organizationalUnitName = IT
-commonName = {{ rproxy_service_name }}.{{ ansible_domain }}
-emailAddress = admin@{{ ansible_domain }}
-
-[ v3_req ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ v3_x509 ]
-basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @sans
-
-[ sans ]
-DNS.1 = {{ rproxy_service_name }}.{{ ansible_domain }}
-IP.1 = {{ rproxy_service_address }}
\ No newline at end of file
diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml
index ed91197..8deebd5 100644
--- a/roles/rproxy/vars/main.yml
+++ b/roles/rproxy/vars/main.yml
@@ -1,5 +1,6 @@
 ansible_python_interpreter: /usr/bin/python3
 rproxy_dir: /opt/rproxy
+rproxy_version: 1.29
 repo_data_dir: /opt/data/repo
 dockerrepo_dir: /opt/dockerrepo
 dockerrepo_data_dir: /opt/data/dockerrepo
\ No newline at end of file
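Review bot: `rproxy_version: 1.29` is an unquoted YAML float, and it is interpolated into an image tag as `nginx:{{ rproxy_version }}` in rproxy.yml, addconfig.yml and repo.yml; `1.29` happens to round-trip today, but a bump to `1.30` would render as `nginx:1.3` and pull a different image than intended. Quote it as a string: `rproxy_version: "1.29"`. The version is also the only image pin the role has, so a one-line comment above it noting that the nginx tag is deliberately pinned here (and where to bump it) would make the intent clear.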