diff --git a/Jenkinsfile b/Jenkinsfile index cf14be9..7f6bc30 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,6 +7,8 @@ pipeline { artifactNumToKeepStr: '10', artifactDaysToKeepStr: '7' ) + ansiColor('xterm') + timestamps() } parameters { string(name: "target_host", defaultValue: "", trim: true, description: "Target host") @@ -15,8 +17,22 @@ pipeline { string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)") + booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes') } stages { + stage('Update Job') { + when { + expression { + return params.update_job + } + } + steps { + script { + currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS) + sleep(1) + } + } + } stage('Save certs') { when { expression { @@ -31,6 +47,16 @@ pipeline { } } } + stage('Prepare inventory') { + steps { + script { + def hostsFile = new File("${WORKSPACE}/hosts.ini") + hostsFile.append('[all]') + hostsFile.append('\n' + params.target_host) + println hostsFile.getText('UTF-8') + } + } + } stage('Install Rproxy') { when { expression { 
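Review bot: `currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)` in the new 'Update Job' stage reaches into the raw Jenkins model, which the Groovy sandbox rejects until an administrator approves that signature, so a freshly loaded pipeline will fail here rather than exit cleanly. Since the parameter only exists to make Jenkins re-read the Jenkinsfile, an approval-free form is enough: set `currentBuild.result = 'SUCCESS'` in this stage and give every later stage `when { expression { !params.update_job } }`; the `sleep(1)`, which only waits for the interrupt to land, can go with it. The `pipeline` block continues outside the hunk.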
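Review bot: `new File("${WORKSPACE}/hosts.ini")` in 'Prepare inventory' is `java.io.File`, which executes on the controller's JVM and not on the agent that later runs `ansiblePlaybook`, so on any non-controller agent the inventory is written in the wrong place (and the `cleanWs` pattern never removes it); the pipeline step does the right thing: `writeFile file: 'hosts.ini', text: "[all]\n${params.target_host}\n"`. Separately, `params.target_host` is copied into the inventory verbatim, and INI inventory lines accept `key=value` host variables after the hostname, so a build parameter that selects the SSH target should be checked against hostname/IP syntax before it is written, e.g. `if (!(params.target_host ==~ /[A-Za-z0-9.:-]+/)) { error('target_host must be a hostname or IP address') }`. `append` also accumulates a second `[all]` block if the file survives from an earlier run, which `writeFile` avoids.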
@@ -44,7 +70,15 @@ pipeline { usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') ]) { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -t install --private-key ${SSH_KEY} -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { + ansiblePlaybook( + playbook: 'rproxy.yml', + inventory: 'hosts.ini', + tags: 'install', + colorized: true, + extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + ) + } } } } 
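Review bot: the `extras` string still places the deployer password on the ansible-playbook command line (`-e "ansible_user=${username} ansible_password=${password} ..."`), where it is readable in the agent's process list and in verbose Ansible output; `MaskPasswordsBuildWrapper` masks only the build console. The same line appears in the 'Add config' hunk below. The ansiblePlaybook step can carry secrets as hidden extra vars instead: `extraVars: [ansible_user: env.username, ansible_password: [value: env.password, hidden: true]]`, leaving `extras` with `--private-key ${SSH_KEY}` and the non-secret `rproxy_*` values. The enclosing `withCredentials` block starts outside the hunk.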
@@ -63,11 +97,26 @@ pipeline { usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') ]) { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -t add_config --private-key ${SSH_KEY} -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { + ansiblePlaybook( + playbook: 'rproxy.yml', + inventory: 'hosts.ini', + tags: 'add_config', + colorized: true, + extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + ) + } } } } } } } + post { + always { + cleanWs(patterns: [ + [pattern: 'hosts.ini', type: 'INCLUDE'] + ]) + } + } } \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index 4e4796a..b1c8e00 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,6 +1,5 @@ [defaults] hostfile = hosts.ini -log_path = ansible-log.log host_key_checking = false interpreter_python = /usr/bin/python3 forks = 30 \ No newline at end of file diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml new file mode 100644 index 0000000..6cc5dbf --- /dev/null +++ b/roles/rproxy/tasks/addconfig.yml 
@@ -0,0 +1,102 @@ +--- +- name: Create server configs + block: + - name: Copy server.conf + ansible.builtin.template: + src: templates/server.conf.j2 + dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" + +- name: Generate certificates for {{ rproxy_service_name }} + block: + - name: "Generate {{ rproxy_service_name }}.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + size: "2048" + + - name: "Generate {{ rproxy_service_name }}.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + + - name: "Generate {{ rproxy_service_name }}.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' + + - name: Delete csr + ansible.builtin.file: + 
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + state: absent + +- name: Restart rproxy + block: + - name: Restart container + containers.podman.podman_container: + name: rproxy + image: "docker.io/library/nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes + +- name: Create CNAME dns record + community.general.ipa_dnsrecord: + ipa_user: "{{ ansible_user }}" + ipa_pass: "{{ ansible_password }}" + zone_name: "{{ ansible_facts['domain'] }}" + record_name: "{{ rproxy_service_name }}" + record_type: 'CNAME' + record_value: "{{ ansible_facts['hostname'] }}" + state: present \ No newline at end of file diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml new file mode 100644 index 0000000..6e3e5d9 --- /dev/null +++ b/roles/rproxy/tasks/dockerrepo.yml 
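Review bot: the nginx container in 'Restart container' runs with `privileged: true` and `security_opt: ["label=disable"]`, which hands an internet-facing reverse proxy every capability and removes the SELinux confinement podman would otherwise apply; the same two keys are repeated in repo.yml, rproxy.yml and for the registry in dockerrepo.yml. The volumes already carry the `:z` relabel option, which is what normally makes bind mounts work under SELinux, so dropping both keys should be the first thing tried. 'Create CNAME dns record' also calls `ipa_dnsrecord` without `ipa_host`, so it depends on the module default or an `IPA_HOST` environment variable on the target, and it reuses the SSH `ansible_user`/`ansible_password` pair as IPA API credentials — set `ipa_host` explicitly and consider a dedicated, lower-privilege IPA account for DNS updates.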
@@ -0,0 +1,115 @@ +--- +- name: Prepare for image repository + block: + - name: Remove dockerrepo dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}" + state: absent + + - name: Create dockerrepo dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}" + state: directory + + - name: Create repo dir + ansible.builtin.file: + path: "{{ dockerrepo_data_dir }}" + state: directory + + - name: Create certs dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}/certs" + state: directory + +- name: Create certificates for image repository + block: + - name: "Generate dockerrepo.key" + community.crypto.openssl_privatekey: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + size: "2048" + + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat 
{{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + state: absent + +- name: Start image repository + block: + - name: Pull repo image + containers.podman.podman_image: + name: registry:latest + state: present + + - name: Delete image repository container if exists + containers.podman.podman_container: + name: registry + state: absent + + - name: Start registry + containers.podman.podman_container: + name: registry + image: registry:latest + state: started + ports: + - "5000:5000" + env: + REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt" + REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key" + volumes: + - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw" + - "{{ dockerrepo_dir }}/certs:/certs:z,rw" + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable registry service + ansible.builtin.systemd: + name: "container-registry.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 2669452..2d528d5 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
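Review bot: the registry started in 'Start registry' is configured only with `REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY`, so unless an authentication layer exists elsewhere, anyone who can reach port 5000 can push and pull images anonymously; at minimum set `REGISTRY_AUTH: htpasswd`, `REGISTRY_AUTH_HTPASSWD_REALM` and `REGISTRY_AUTH_HTPASSWD_PATH` against a mounted htpasswd file, or publish it only through the proxy. `registry:latest` is unpinned and unqualified, so podman's registry search order decides where the image comes from; use a fully qualified, pinned name such as `docker.io/library/registry:2` and expose it through a variable like the existing `rproxy_version`. `privileged: true` and `label=disable` are not needed for the registry either.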
@@ -1,251 +1,40 @@ --- -- name: Get domain - ansible.builtin.shell: - cmd: hostname -d - register: domain +- name: Podman install + ansible.builtin.include_tasks: + file: podman.yml + apply: + tags: install tags: - - install - - add_config + - install -- name: Get IP address - ansible.builtin.shell: - cmd: hostname -I | awk '{print $1}' - register: IP +- name: Rproxy install + ansible.builtin.include_tasks: + file: rproxy.yml + apply: + tags: install tags: - - install + - install -- name: Install docker (Debian) - ansible.builtin.apt: - name: - - docker.io - - docker-compose - update_cache: yes - when: ansible_facts['os_family'] == "Debian" - tags: install +- name: Repo install + ansible.builtin.include_tasks: + file: repo.yml + apply: + tags: install + tags: + - install -- name: Install dependencies RHEL - block: - - name: Install docker (RHEL) - ansible.builtin.pip: - name: - - docker - - docker-compose - when: ansible_facts['os_family'] == "RedHat" - - - name: Enable docker (RHEL) - ansible.builtin.systemd: - name: docker - state: restarted - enabled: true - daemon_reload: true - when: ansible_facts['os_family'] == "RedHat" - tags: install - -- name: Install rproxy - block: - - name: Remove rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: absent - - - name: Create rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: directory - - - name: Create sites dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/sites" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs" - state: directory - - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.rproxy.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" - - - name: Copy nginx.conf - ansible.builtin.copy: - src: files/nginx.conf - dest: "{{ rproxy_dir }}/nginx.conf" - - - name: Copy RootCA certificate - ansible.builtin.copy: - src: files/RootCA.crt - dest: '{{ rproxy_dir }}/certs/RootCA.crt' - - 
- name: Copy RootCA key - ansible.builtin.copy: - src: files/RootCA.key - dest: '{{ rproxy_dir }}/certs/RootCA.key' - - - name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - tags: install - -- name: Create https repository - block: - - name: Create repo dir - ansible.builtin.file: - path: "{{ repo_data_dir }}" - state: directory - mode: 0777 - - - name: Copy repo.conf - ansible.builtin.copy: - src: files/repo.conf - dest: "{{ rproxy_dir }}/sites/repo.conf" - - - name: Copy repo certificate cnf - ansible.builtin.template: - src: templates/repo.cnf.j2 - dest: '{{ rproxy_dir }}/certs/repo.cnf' - - - name: Generate repo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' - - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true - tags: install - -- name: Create docker repository - block: - - name: Remove dockerrepo dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: absent - - - name: Create dockerrepo dir - 
ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: directory - - - name: Create repo dir - ansible.builtin.file: - path: "{{ dockerrepo_data_dir }}" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs" - state: directory - - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.dockerrepo.yml.j2 - dest: "{{ dockerrepo_dir }}/docker-compose.yml" - - - name: Copy dockerrepo certificate cnf - ansible.builtin.template: - src: templates/dockerrepo.cnf.j2 - dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Generate dockerrepo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048' - - - name: Generate dockerrepo csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Sign dockerrepo certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt -CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ dockerrepo_dir }}" - build: false - restarted: true - tags: install - -- name: Create configs - block: - - name: Copy server.conf - ansible.builtin.template: - src: 
templates/server.conf.j2 - dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" - - - name: Copy server certificate cnf - ansible.builtin.template: - src: templates/server.cnf.j2 - dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Generate server key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' - - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true - tags: add_config +- name: Docker repo install + ansible.builtin.include_tasks: + file: dockerrepo.yml + apply: + tags: install + tags: + - install +- name: Add config + ansible.builtin.include_tasks: + file: addconfig.yml + apply: + tags: add_config + tags: + - add_config \ No newline at end of file 
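Review bot: the new task files read `ansible_domain`, `ansible_facts['hostname']` and `ansible_facts['default_ipv4']` in place of the removed `hostname -d` / `hostname -I` shell tasks, so the play must now gather facts; rproxy.yml's `gather_facts` setting is not part of this diff, so please confirm it is not disabled. The last include ('Add config') is also missing the blank line that separates the other tasks.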
diff --git a/roles/rproxy/tasks/podman.yml b/roles/rproxy/tasks/podman.yml
new file mode 100644
index 0000000..c835554
--- /dev/null
+++ b/roles/rproxy/tasks/podman.yml
@@ -0,0 +1,17 @@
+---
+- name: Install podman
+ ansible.builtin.yum:
+ name:
+ - podman
+ - podman-compose
+ - podman-docker
+ - podman-remote
+ - podman-tui
+ - buildah
+ update_cache: yes
+
+- name: Enable Podman
+ ansible.builtin.systemd:
+ name: podman
+ state: started
+ enabled: yes
\ No newline at end of file
diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml
new file mode 100644
index 0000000..cad5fb7
--- /dev/null
+++ b/roles/rproxy/tasks/repo.yml
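Review bot: 'Enable Podman' starts and enables `podman.service`, which in the podman packages is the socket-activated REST API service rather than anything the CLI or the generated `container-*.service` units depend on; if the API is not used, drop the task, and if it is, enable `podman.socket` so the service only runs on demand. The package list also pulls in `podman-tui`, an interactive console tool with no role on a managed host. Now that the Debian branch is gone, the `yum` task has no OS guard, so a `when: ansible_facts['os_family'] == "RedHat"` (or a platform list in `meta/main.yml`) would give a clearer failure on the wrong distribution.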
@@ -0,0 +1,98 @@ +--- +- name: Prepare for https repository + block: + - name: Create repo dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + mode: 0777 + + - name: Copy repo.conf + ansible.builtin.copy: + src: files/repo.conf + dest: "{{ rproxy_dir }}/sites/repo.conf" + +- name: Create https certificates for repository + block: + - name: "Generate repo.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/repo.key" + size: "2048" + + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/repo.csr" + privatekey_path: "{{ rproxy_dir }}/certs/repo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/repo.csr" + path: "{{ rproxy_dir }}/certs/repo.crt" + privatekey_path: "{{ rproxy_dir }}/certs/repo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.csr" + state: absent + +- name: Restart rproxy + block: + - name: Restart container + 
containers.podman.podman_container: + name: rproxy + image: "docker.io/library/nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml new file mode 100644 index 0000000..cf2884e --- /dev/null +++ b/roles/rproxy/tasks/rproxy.yml 
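Review bot: 'Create repo dir' creates `{{ repo_data_dir }}` with `mode: 0777`, and that directory is mounted into the nginx container as `/repo`, so any local account on the host can drop files that the proxy then serves; give it the owner the container runs as and `mode: '0755'`. The key written by `openssl_privatekey` has no `mode`, so it inherits the umask — add `mode: '0600'` there and in addconfig.yml and dockerrepo.yml. 'Create fullchain certificate' appends RootCA.crt with `cat >>` on every run, and if `x509_certificate` judges the existing file still valid the chain grows by one copy per run; writing the chain to its own file, `cmd: 'cat {{ rproxy_dir }}/certs/repo.crt {{ rproxy_dir }}/certs/RootCA.crt > {{ rproxy_dir }}/certs/repo-fullchain.crt'`, keeps it idempotent (repo.conf would then reference the fullchain file). The container definition in 'Restart container' is a verbatim copy of the one in rproxy.yml and addconfig.yml; a single handler would stop the three from drifting.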
@@ -0,0 +1,94 @@ +--- +- name: Prepare dirs for rproxy + block: + - name: Remove rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: absent + + - name: Create data dir + ansible.builtin.file: + path: "{{ data_dir }}" + state: directory + + - name: Create rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: directory + + - name: Create rproxy data dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + + - name: Create sites dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/sites" + state: directory + + - name: Create certs dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs" + state: directory + + - name: Copy nginx.conf + ansible.builtin.copy: + src: files/nginx.conf + dest: "{{ rproxy_dir }}/nginx.conf" + + - name: Copy RootCA certificate + ansible.builtin.copy: + src: files/RootCA.crt + dest: '{{ rproxy_dir }}/certs/RootCA.crt' + + - name: Copy RootCA key + ansible.builtin.copy: + src: files/RootCA.key + dest: '{{ rproxy_dir }}/certs/RootCA.key' + +- name: Install rproxy + block: + - name: Pull rproxy image + containers.podman.podman_image: + name: "docker.io/library/nginx:{{ rproxy_version }}" + state: present + + - name: Delete rproxy container if exists + containers.podman.podman_container: + name: rproxy + state: absent + + - name: Start rproxy + containers.podman.podman_container: + name: rproxy + image: "docker.io/library/nginx:{{ rproxy_version }}" + state: started + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + 
ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 b/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 deleted file mode 100644 index 09fb7c3..0000000 --- a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 +++ /dev/null @@ -1,15 +0,0 @@ -version: '3.3' - -services: - nginx: - image: registry:latest - container_name: dockerrepo - restart: always - environment: - - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt - - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key - volumes: - - '{{ dockerrepo_data_dir }}:/var/lib/registry' - - '{{ dockerrepo_dir }}/certs:/certs' - ports: - - 5000:5000 \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 b/roles/rproxy/templates/docker-compose.rproxy.yml.j2 deleted file mode 100644 index 1230303..0000000 --- a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -version: '3.3' - -services: - nginx: - image: nginx:latest - container_name: rproxy - restart: always - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs' - - '{{ repo_data_dir }}:/repo' - ports: - - 443:443 - - 80:80 - - 9000:9000 \ No newline at end of file diff --git a/roles/rproxy/templates/dockerrepo.cnf.j2 b/roles/rproxy/templates/dockerrepo.cnf.j2 deleted file mode 100644 index 0167769..0000000 --- a/roles/rproxy/templates/dockerrepo.cnf.j2 +++ /dev/null 
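Review bot: 'Copy RootCA key' places the CA private key in `{{ rproxy_dir }}/certs`, the same directory 'Start rproxy' mounts read-write into the nginx container as `/etc/nginx/certs`, so a compromise of the proxy container yields the key that signs every service, repo and registry certificate. Keep the CA key outside the mounted tree (e.g. `dest: '{{ rproxy_dir }}/ca/RootCA.key'` with `mode: '0600'`) and point `ownca_privatekey_path` in the three certificate task files at it; only `RootCA.crt` needs to be visible to nginx. The key is also sourced from the role's `files/` directory, i.e. it lives in the repository in clear; an Ansible Vault-encrypted copy is the usual remedy.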
@@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = dockerrepo.{{ domain.stdout }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ dockerrepo.{{ domain.stdout }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ domain.stdout }} -organizationalUnitName = IT -commonName = dockerrepo.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = dockerrepo.{{ domain.stdout }} -IP.1 = {{ IP.stdout }} \ No newline at end of file diff --git a/roles/rproxy/templates/repo.cnf.j2 b/roles/rproxy/templates/repo.cnf.j2 deleted file mode 100644 index 515937e..0000000 --- a/roles/rproxy/templates/repo.cnf.j2 +++ /dev/null @@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = repo.{{ domain.stdout }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ repo.{{ domain.stdout }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ domain.stdout }} -organizationalUnitName = IT -commonName = repo.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = repo.{{ domain.stdout }} -IP.1 = {{ IP.stdout }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 deleted file mode 100644 index 323b0c9..0000000 --- a/roles/rproxy/templates/server.cnf.j2 +++ /dev/null 
@@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ {{ rproxy_service_name }}.{{ domain.stdout }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ domain.stdout }} -organizationalUnitName = IT -commonName = {{ rproxy_service_name }}.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} -IP.1 = {{ rproxy_service_address }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index c833687..bc3603b 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 @@ -1,10 +1,10 @@ -upstream {{ rproxy_service_name }}.{{ domain.stdout }} { +upstream {{ rproxy_service_name }}.{{ ansible_domain }} { server {{ rproxy_service_address }}:{{ rproxy_service_port }}; } server { listen 80; - server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + server_name {{ rproxy_service_name }}.{{ ansible_domain }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; return 301 https://$server_name$request_uri; @@ -12,7 +12,7 @@ server { server { listen 443 ssl; - server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + server_name {{ rproxy_service_name }}.{{ ansible_domain }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt; 
@@ -30,6 +30,6 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://{{ rproxy_service_name }}.{{ domain.stdout }}/; + proxy_pass http://{{ rproxy_service_name }}.{{ ansible_domain }}/; } } diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml new file mode 100644 index 0000000..d98cc9c --- /dev/null +++ b/roles/rproxy/vars/main.yml @@ -0,0 +1,7 @@ +ansible_python_interpreter: /usr/bin/python3 +rproxy_dir: /opt/rproxy +rproxy_version: latest +data_dir: /opt/data +repo_data_dir: /opt/data/repo +dockerrepo_dir: /opt/dockerrepo +dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index 2477006..1f910d8 100644 --- a/rproxy.yml +++ b/rproxy.yml @@ -4,10 +4,6 @@ vars: ansible_python_interpreter: /usr/bin/python3 - rproxy_dir: /opt/rproxy - repo_data_dir: /opt/data/repo - dockerrepo_dir: /opt/dockerrepo - dockerrepo_data_dir: /opt/data/dockerrepo vars_prompt: - name: rproxy_service_name
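Review bot: `roles/rproxy/vars/main.yml` sits at one of the highest variable-precedence levels, so `rproxy_dir`, `rproxy_version` and the data directories can no longer be overridden from inventory, host/group vars or the play — only via `-e`; since the commit removes them from rproxy.yml to make them role-owned settings, `defaults/main.yml` is the right home. `rproxy_version: latest` also leaves the nginx image unpinned, so each reinstall pulls whatever `docker.io/library/nginx:latest` currently is; pin a specific tag. The rproxy.yml hunk at the end of this chunk is cut off.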