Prepare ansible role for AlmaLinux 10

* Moved from docker to podman * Refactored certificate generation
2025-07-20 17:58:55 +03:00
parent 740968eac9
commit e2842db808
14 changed files with 289 additions and 238 deletions
--- a/roles/rproxy/tasks/dockerrepo.yml
+++ b/roles/rproxy/tasks/dockerrepo.yml
@@ -1,5 +1,5 @@
 ---
- name: Create docker repository
+- name: Prepare for image repository
  block:
    - name: Remove dockerrepo dir
      ansible.builtin.file:
@@ -21,27 +21,43 @@
        path: "{{ dockerrepo_dir }}/certs"
        state: directory

-    - name: Copy docker-compose
-      ansible.builtin.template:
-        src: templates/docker-compose.dockerrepo.yml.j2
-        dest: "{{ dockerrepo_dir }}/docker-compose.yml"
+- name: Create certificates for image repository
+  block:
+    - name: "Generate dockerrepo.key"
+      community.crypto.openssl_privatekey: 
+        path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
+        size: "2048"

-    - name: Copy dockerrepo certificate cnf
-      ansible.builtin.template:
-        src: templates/dockerrepo.cnf.j2
-        dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf'
+    - name: "Generate server.csr"
+      community.crypto.openssl_csr:
+        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
+        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
+        country_name: "RU"
+        state_or_province_name: "RU"
+        locality_name: "MSK"
+        organization_name: "{{ ansible_domain }}"
+        organizational_unit_name: "IT"
+        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
+        email_address: "admin@{{ ansible_domain }}"
+        subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
+        key_usage:
+          - digitalSignature
+          - nonRepudiation
+          - keyEncipherment
+          - dataEncipherment
+        extended_key_usage:
+          - serverAuth

-    - name: Generate dockerrepo certificate key
-      ansible.builtin.shell:
-        cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048'
-
-    - name: Generate dockerrepo csr
-      ansible.builtin.shell:
-        cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf'
-
-    - name: Sign dockerrepo certificate
-      ansible.builtin.shell:
-        cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt -CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509'
+    - name: "Generate server.crt"
+      community.crypto.x509_certificate:
+        csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
+        path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt"
+        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
+        provider: ownca
+        ownca_create_subject_key_identifier: always_create
+        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
+        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
+        ownca_not_after: "+365d"

    - name: Create fullchain certificate
      ansible.builtin.shell:
@@ -52,13 +68,48 @@
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        state: absent

-    - name: Delete cnf
-      ansible.builtin.file:
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf"
+- name: Start image repository
+  block:
+    - name: Pull repo image
+      containers.podman.podman_image:
+        name: registry:latest
+        state: present
+
+    - name: Delete image repository container if exists
+      containers.podman.podman_container:
+        name: registry
        state: absent

-    - name: Restart rproxy
-      community.docker.docker_compose:
-        project_src: "{{ dockerrepo_dir }}"
-        build: false
-        restarted: true
+    - name: Start registry
+      containers.podman.podman_container:
+        name: registry
+        image: registry:latest
+        state: started
+        ports:
+            - "5000:5000"
+        environment:
+          - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt
+          - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key
+        volumes:
+          - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
+          - "{{ dockerrepo_dir }}/certs:/certs:z,rw"
+          - "/etc/localtime:/etc/localtime:ro"
+        privileged: true
+        security_opt:
+          - "label=disable"
+        log_driver: journald
+        generate_systemd:
+          path: /etc/systemd/system/
+          restart_policy: always
+          stop_timeout: 120
+          names: true
+
+    - name: Daemon reload
+      ansible.builtin.shell:
+        cmd: systemctl daemon-reload
+
+    - name: Enable registry service
+      ansible.builtin.systemd:
+        name: "container-registry.service"
+        state: started
+        enabled: yes