From 4ff90c67c6d7de83a06a6635eeaed385d7c3c1fe Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 8 Jun 2025 01:38:44 +0300 Subject: [PATCH 01/11] Refactor Jenkinsfile --- Jenkinsfile | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index cf14be9..aa18731 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,6 +7,8 @@ pipeline { artifactNumToKeepStr: '10', artifactDaysToKeepStr: '7' ) + ansiColor('xterm') + timestamps() } parameters { string(name: "target_host", defaultValue: "", trim: true, description: "Target host") @@ -31,6 +33,16 @@ pipeline { } } } + stage('Prepare inventory') { + steps { + script { + def hostsFile = new File("${WORKSPACE}/hosts.ini") + hostsFile.append('[all]') + hostsFile.append('\n' + params.target_host) + println hostsFile.getText('UTF-8') + } + } + } stage('Install Rproxy') { when { expression { @@ -44,7 +56,15 @@ pipeline { usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') ]) { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -t install --private-key ${SSH_KEY} -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { + ansiblePlaybook( + playbook: 'rproxy.yml', + inventory: 'hosts.ini', + tags: 'install', + colorized: true, + extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + ) + } } } } 
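Review bot: The `Prepare inventory` stage appends `params.target_host` verbatim to `hosts.ini`, so a parameter value containing whitespace or a newline becomes inventory host variables or extra hosts (e.g. `ansible_ssh_common_args`, `ansible_python_interpreter`), letting anyone who can trigger the job steer where and how the deployer credentials are used — and `ansible.cfg` in this series sets `host_key_checking = false`, so the free-form host is the only check before the password is sent. `new File("${WORKSPACE}/hosts.ini")` also runs on the controller JVM rather than in the agent workspace (and normally needs script approval); the `writeFile` step targets the workspace and overwrites instead of appending. Suggest `if (!(params.target_host ==~ /^[A-Za-z0-9.-]+$/)) { error 'invalid target_host' }` followed by `writeFile file: 'hosts.ini', text: "[all]\n${params.target_host}\n"`.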
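Review bot: `extras` passes `ansible_password=${password}` as a command-line `-e` value, so the deployer password is visible in the agent's process list (`/proc/*/cmdline`) and in any Ansible error that echoes the invocation; `MaskPasswordsBuildWrapper` only masks the console log. The `ansiblePlaybook` step accepts `credentialsId:` for the SSH identity, and the `-e` block could instead come from a vars file written with `writeFile` and removed in `post`, or from `vaultCredentialsId:`. Worth confirming the plugin expands `${SSH_KEY}` and `${username}` inside the single-quoted `extras` string, since the replaced `sh` step relied on shell expansion for that.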
@@ -63,11 +83,26 @@ pipeline { usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password') ]) { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -t add_config --private-key ${SSH_KEY} -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) { + ansiblePlaybook( + playbook: 'rproxy.yml', + inventory: 'hosts.ini', + tags: 'add_config', + colorized: true, + extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + ) + } } } } } } } + post { + always { + cleanWs(patterns: [ + [pattern: 'hosts.ini', type: 'INCLUDE'] + ]) + } + } } \ No newline at end of file From 26aa6b6cc361ad14aab418c1340fbcddbff4f860 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 8 Jun 2025 02:43:22 +0300 Subject: [PATCH 02/11] Change docker installation --- roles/rproxy/tasks/main.yml | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 2669452..69560c9 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
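Review bot: The `-e "... rproxy_service_name=${rproxy_service_name} ..."` argument is built by plain string interpolation, and the role later uses `rproxy_service_name` unquoted in `ansible.builtin.shell` commands and in paths under `{{ rproxy_dir }}/certs/`, so a value such as `a;id` or `../x` from whoever supplies that (presumably build) parameter reaches a root shell on the target. Validate the service parameters in the pipeline before either stage runs, e.g. `if (!(env.rproxy_service_name ==~ /^[a-z0-9-]+$/)) { error 'invalid rproxy_service_name' }` plus a numeric check on `rproxy_service_port`. The new `post { always { cleanWs(...) } }` block is a good addition; it just does not protect against the interpolation issue above.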
@@ -14,30 +14,16 @@ tags: - install -- name: Install docker (Debian) - ansible.builtin.apt: - name: - - docker.io - - docker-compose - update_cache: yes - when: ansible_facts['os_family'] == "Debian" - tags: install +- name: Install docker + ansible.builtin.shell: + cmd: "curl -fsSL https://get.docker.com | sh" -- name: Install dependencies RHEL - block: - - name: Install docker (RHEL) - ansible.builtin.pip: - name: - - docker - - docker-compose - when: ansible_facts['os_family'] == "RedHat" - - - name: Enable docker (RHEL) - ansible.builtin.systemd: - name: docker - state: restarted - enabled: true - daemon_reload: true +- name: Enable docker (RHEL) + ansible.builtin.systemd: + name: docker + state: restarted + enabled: true + daemon_reload: true when: ansible_facts['os_family'] == "RedHat" tags: install From 740968eac912a4cfe7059880eabb6a34e65ee2ea Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 8 Jun 2025 02:55:09 +0300 Subject: [PATCH 03/11] Refactor anislbe role * Divide tasks to different files --- roles/rproxy/tasks/addconfig.yml | 44 ++++ roles/rproxy/tasks/docker.yml | 33 +++ roles/rproxy/tasks/dockerrepo.yml | 64 ++++++ roles/rproxy/tasks/main.yml | 263 +++-------------------- roles/rproxy/tasks/repo.yml | 50 +++++ roles/rproxy/tasks/rproxy.yml | 46 ++++ roles/rproxy/templates/dockerrepo.cnf.j2 | 14 +- roles/rproxy/templates/repo.cnf.j2 | 14 +- roles/rproxy/templates/server.cnf.j2 | 12 +- roles/rproxy/templates/server.conf.j2 | 8 +- roles/rproxy/vars/main.yml | 5 + rproxy.yml | 4 - 12 files changed, 299 insertions(+), 258 deletions(-) create mode 100644 roles/rproxy/tasks/addconfig.yml create mode 100644 roles/rproxy/tasks/docker.yml create mode 100644 roles/rproxy/tasks/dockerrepo.yml create mode 100644 roles/rproxy/tasks/repo.yml create mode 100644 roles/rproxy/tasks/rproxy.yml create mode 100644 roles/rproxy/vars/main.yml diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml new file mode 100644 index 0000000..4735146 
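Review bot: The new `Install docker` task dropped the `tags: install` that the replaced tasks carried, so with the pipeline always passing `-t install` or `-t add_config` it is skipped; when it does run it pipes an unpinned remote script straight into `sh` as root with no checksum or signature check, on every play. At minimum restore `tags: install`, add `args: { creates: /usr/bin/docker }` so it is idempotent, and fetch the script with `ansible.builtin.get_url` plus `checksum:` before executing it — or keep the distro packages this commit removes (patch 03 of this series replaces it again anyway).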
--- /dev/null +++ b/roles/rproxy/tasks/addconfig.yml @@ -0,0 +1,44 @@ +--- +- name: Create configs + block: + - name: Copy server.conf + ansible.builtin.template: + src: templates/server.conf.j2 + dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" + + - name: Copy server certificate cnf + ansible.builtin.template: + src: templates/server.cnf.j2 + dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' + + - name: Generate server key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509' + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + state: absent + + - name: Delete cnf + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" + state: absent + + - name: Restart rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + build: false + restarted: true diff --git a/roles/rproxy/tasks/docker.yml b/roles/rproxy/tasks/docker.yml new file mode 100644 index 0000000..576c7ac --- /dev/null +++ b/roles/rproxy/tasks/docker.yml 
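Review bot: `rproxy_service_name` is interpolated unquoted into `ansible.builtin.shell` commands (`openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048`) and into `dest:` paths, so a name containing `;`, spaces or `../` executes commands or writes outside `{{ rproxy_dir }}/certs` on the target as root. Add a guard at the top of the file, `- ansible.builtin.assert: { that: "rproxy_service_name is match('^[a-z0-9-]+$')" }`, and prefer `ansible.builtin.command` with `argv:` over `shell` for the openssl calls. The `.key` file is also created with the process umask since no `mode` is set; `ansible.builtin.file: mode: '0600'` after generation would fix that, and the `cat ... >>` fullchain step appends the CA again on every rerun.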
@@ -0,0 +1,33 @@ +--- +- name: Install python3.11 + ansible.builtin.yum: + name: + - python3.11 + - python3.11-setuptools + - python3.11-pip + update_cache: yes + +- name: Change default python3 to v3.11 + ansible.builtin.alternatives: + name: python3 + path: /usr/bin/python3.11 + +- name: Upgrade pip + ansible.builtin.pip: + name: pip + state: latest + executable: pip3 + +- name: Install docker + ansible.builtin.pip: + name: + - docker + - docker-compose + +- name: Enable docker (RHEL) + ansible.builtin.systemd: + name: docker + state: restarted + enabled: true + daemon_reload: true + when: ansible_facts['os_family'] == "RedHat" \ No newline at end of file diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml new file mode 100644 index 0000000..2bd792c --- /dev/null +++ b/roles/rproxy/tasks/dockerrepo.yml 
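Review bot: `ansible.builtin.pip: name: [docker, docker-compose]` installs the Python SDK and the legacy compose client, not the Docker engine, so on a fresh host the following `systemd: name: docker` task has no unit to start; the engine install from the previous commit was removed from main.yml in this patch. Both pip installs are unpinned pulls from PyPI, with `state: latest` on pip itself, which is a supply-chain exposure on every run — pin versions (`name: docker==<pinned>`) or use distro packages. Switching the system-wide `python3` alternative to 3.11 on a RHEL-family host can also break dnf and other tooling built against the platform Python; setting `ansible_python_interpreter` for the role is the safer route.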
@@ -0,0 +1,64 @@ +--- +- name: Create docker repository + block: + - name: Remove dockerrepo dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}" + state: absent + + - name: Create dockerrepo dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}" + state: directory + + - name: Create repo dir + ansible.builtin.file: + path: "{{ dockerrepo_data_dir }}" + state: directory + + - name: Create certs dir + ansible.builtin.file: + path: "{{ dockerrepo_dir }}/certs" + state: directory + + - name: Copy docker-compose + ansible.builtin.template: + src: templates/docker-compose.dockerrepo.yml.j2 + dest: "{{ dockerrepo_dir }}/docker-compose.yml" + + - name: Copy dockerrepo certificate cnf + ansible.builtin.template: + src: templates/dockerrepo.cnf.j2 + dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf' + + - name: Generate dockerrepo certificate key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048' + + - name: Generate dockerrepo csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf' + + - name: Sign dockerrepo certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt -CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509' + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + state: absent + + - name: Delete cnf + ansible.builtin.file: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf" + state: absent + + - name: Restart rproxy + 
community.docker.docker_compose: + project_src: "{{ dockerrepo_dir }}" + build: false + restarted: true \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 69560c9..ff16ac7 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
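Review bot: The signing step reads `{{ rproxy_dir }}/certs/RootCA.key` on the target, i.e. the internal CA's private key lives on the host that terminates TLS for every service, and `dockerrepo.key` is generated by `openssl genrsa` via `ansible.builtin.shell` with no `mode`, so it takes the process umask. Set explicit permissions (`ansible.builtin.file: path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" mode: '0600'`) or use `community.crypto.openssl_privatekey`, and consider signing CSRs off-host so the CA key never needs to be present here. The task named `Restart rproxy` actually restarts the `{{ dockerrepo_dir }}` compose project; rename it so logs are not misleading.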
@@ -1,237 +1,40 @@ --- -- name: Get domain - ansible.builtin.shell: - cmd: hostname -d - register: domain +- name: Docker install + ansible.builtin.include_tasks: + file: docker.yml + apply: + tags: install tags: - - install - - add_config + - install -- name: Get IP address - ansible.builtin.shell: - cmd: hostname -I | awk '{print $1}' - register: IP +- name: Rproxy install + ansible.builtin.include_tasks: + file: rproxy.yml + apply: + tags: install tags: - - install + - install -- name: Install docker - ansible.builtin.shell: - cmd: "curl -fsSL https://get.docker.com | sh" +- name: Repo install + ansible.builtin.include_tasks: + file: repo.yml + apply: + tags: install + tags: + - install -- name: Enable docker (RHEL) - ansible.builtin.systemd: - name: docker - state: restarted - enabled: true - daemon_reload: true - when: ansible_facts['os_family'] == "RedHat" - tags: install - -- name: Install rproxy - block: - - name: Remove rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: absent - - - name: Create rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: directory - - - name: Create sites dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/sites" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs" - state: directory - - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.rproxy.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" - - - name: Copy nginx.conf - ansible.builtin.copy: - src: files/nginx.conf - dest: "{{ rproxy_dir }}/nginx.conf" - - - name: Copy RootCA certificate - ansible.builtin.copy: - src: files/RootCA.crt - dest: '{{ rproxy_dir }}/certs/RootCA.crt' - - - name: Copy RootCA key - ansible.builtin.copy: - src: files/RootCA.key - dest: '{{ rproxy_dir }}/certs/RootCA.key' - - - name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - tags: install - -- name: Create https repository - block: 
- - name: Create repo dir - ansible.builtin.file: - path: "{{ repo_data_dir }}" - state: directory - mode: 0777 - - - name: Copy repo.conf - ansible.builtin.copy: - src: files/repo.conf - dest: "{{ rproxy_dir }}/sites/repo.conf" - - - name: Copy repo certificate cnf - ansible.builtin.template: - src: templates/repo.cnf.j2 - dest: '{{ rproxy_dir }}/certs/repo.cnf' - - - name: Generate repo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' - - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true - tags: install - -- name: Create docker repository - block: - - name: Remove dockerrepo dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: absent - - - name: Create dockerrepo dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: directory - - - name: Create repo dir - ansible.builtin.file: - path: "{{ dockerrepo_data_dir }}" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs" - state: directory - 
- - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.dockerrepo.yml.j2 - dest: "{{ dockerrepo_dir }}/docker-compose.yml" - - - name: Copy dockerrepo certificate cnf - ansible.builtin.template: - src: templates/dockerrepo.cnf.j2 - dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Generate dockerrepo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048' - - - name: Generate dockerrepo csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Sign dockerrepo certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt -CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ dockerrepo_dir }}" - build: false - restarted: true - tags: install - -- name: Create configs - block: - - name: Copy server.conf - ansible.builtin.template: - src: templates/server.conf.j2 - dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" - - - name: Copy server certificate cnf - ansible.builtin.template: - src: templates/server.cnf.j2 - dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Generate server key - ansible.builtin.shell: 
- cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' - - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" - state: absent - - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" - state: absent - - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true - tags: add_config +- name: Docker repo install + ansible.builtin.include_tasks: + file: dockerrepo.yml + apply: + tags: install + tags: + - install +- name: Add config + ansible.builtin.include_tasks: + file: addconfig.yml + apply: + tags: add_config + tags: + - add_config \ No newline at end of file diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml new file mode 100644 index 0000000..8b0be4c --- /dev/null +++ b/roles/rproxy/tasks/repo.yml 
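Review bot: `Docker install` includes `docker.yml` unconditionally, but that file uses `ansible.builtin.yum`, whereas the replaced inline tasks gated Debian and RedHat with `when: ansible_facts['os_family']`; either gate the include, `when: ansible_facts['os_family'] == "RedHat"`, or document that the role is now RHEL-only. Note also that `Rproxy install` (rproxy.yml) begins by removing `{{ rproxy_dir }}`, so every `-t install` run discards previously issued service certificates and the CA serial file, and each service's `add_config` has to be replayed afterwards.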
@@ -0,0 +1,50 @@ +--- +- name: Create https repository + block: + - name: Create repo dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + mode: 0777 + + - name: Copy repo.conf + ansible.builtin.copy: + src: files/repo.conf + dest: "{{ rproxy_dir }}/sites/repo.conf" + + - name: Copy repo certificate cnf + ansible.builtin.template: + src: templates/repo.cnf.j2 + dest: '{{ rproxy_dir }}/certs/repo.cnf' + + - name: Generate repo certificate key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.csr" + state: absent + + - name: Delete cnf + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.cnf" + state: absent + + - name: Restart rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + build: false + restarted: true \ No newline at end of file diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml new file mode 100644 index 0000000..ad40481 --- /dev/null +++ b/roles/rproxy/tasks/rproxy.yml 
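Review bot: `Create repo dir` sets `mode: 0777` on `{{ repo_data_dir }}`, the directory nginx serves as the HTTPS package repository (bind-mounted at `/repo` in patch 04), so any local user or compromised container on the host can plant or replace packages that clients then fetch over a trusted TLS connection. Use `mode: '0755'` with an explicit `owner:`/`group:` for whichever process uploads packages, and quote the octal string — YAML reads `0777` as an integer that Ansible happens to handle, but `777` would not be. The key/csr/sign steps share the umask and shell-interpolation caveats of the other task files.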
@@ -0,0 +1,46 @@ +--- +- name: Install rproxy + block: + - name: Remove rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: absent + + - name: Create rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: directory + + - name: Create sites dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/sites" + state: directory + + - name: Create certs dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs" + state: directory + + - name: Copy docker-compose + ansible.builtin.template: + src: templates/docker-compose.rproxy.yml.j2 + dest: "{{ rproxy_dir }}/docker-compose.yml" + + - name: Copy nginx.conf + ansible.builtin.copy: + src: files/nginx.conf + dest: "{{ rproxy_dir }}/nginx.conf" + + - name: Copy RootCA certificate + ansible.builtin.copy: + src: files/RootCA.crt + dest: '{{ rproxy_dir }}/certs/RootCA.crt' + + - name: Copy RootCA key + ansible.builtin.copy: + src: files/RootCA.key + dest: '{{ rproxy_dir }}/certs/RootCA.key' + + - name: Start rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" \ No newline at end of file diff --git a/roles/rproxy/templates/dockerrepo.cnf.j2 b/roles/rproxy/templates/dockerrepo.cnf.j2 index 0167769..09cf6e5 100644 --- a/roles/rproxy/templates/dockerrepo.cnf.j2 +++ b/roles/rproxy/templates/dockerrepo.cnf.j2 @@ -1,18 +1,18 @@ [ req ] prompt = no -distinguished_name = dockerrepo.{{ domain.stdout }} +distinguished_name = dockerrepo.{{ ansible_domain }} req_extensions = v3_req x509_extensions = v3_x509 -[ dockerrepo.{{ domain.stdout }} ] +[ dockerrepo.{{ ansible_domain }} ] countryName = RU stateOrProvinceName = RU localityName = MSK -organizationName = {{ domain.stdout }} +organizationName = {{ ansible_domain }} organizationalUnitName = IT -commonName = dockerrepo.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} +commonName = dockerrepo.{{ ansible_domain }} +emailAddress = admin@{{ ansible_domain }} [ v3_req ] basicConstraints = CA:false 
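Review bot: `Copy RootCA key` places the internal CA's private key from the repo `files/` directory into `{{ rproxy_dir }}/certs/`, the directory later mounted into the nginx container, with no `mode`/`owner`, so a file-read bug or escape in the proxy yields the key that signs every certificate in the environment. At minimum add `mode: '0600'` and `owner: root` to that task and keep the CA key outside the mounted `certs/` tree (e.g. a `{{ rproxy_dir }}/ca/` directory that is not in the volume list); better still, keep the CA key off the proxy entirely and sign CSRs on the controller. `Remove rproxy dir` at the top also wipes that same directory on every install run, taking issued certificates with it.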
@@ -25,5 +25,5 @@ keyUsage = digitalSignature, keyEncipherment subjectAltName = @sans [ sans ] -DNS.1 = dockerrepo.{{ domain.stdout }} -IP.1 = {{ IP.stdout }} \ No newline at end of file +DNS.1 = dockerrepo.{{ ansible_domain }} +IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }} \ No newline at end of file diff --git a/roles/rproxy/templates/repo.cnf.j2 b/roles/rproxy/templates/repo.cnf.j2 index 515937e..0a44d46 100644 --- a/roles/rproxy/templates/repo.cnf.j2 +++ b/roles/rproxy/templates/repo.cnf.j2 @@ -1,18 +1,18 @@ [ req ] prompt = no -distinguished_name = repo.{{ domain.stdout }} +distinguished_name = repo.{{ ansible_domain }} req_extensions = v3_req x509_extensions = v3_x509 -[ repo.{{ domain.stdout }} ] +[ repo.{{ ansible_domain }} ] countryName = RU stateOrProvinceName = RU localityName = MSK -organizationName = {{ domain.stdout }} +organizationName = {{ ansible_domain }} organizationalUnitName = IT -commonName = repo.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} +commonName = repo.{{ ansible_domain }} +emailAddress = admin@{{ ansible_domain }} [ v3_req ] basicConstraints = CA:false @@ -25,5 +25,5 @@ keyUsage = digitalSignature, keyEncipherment subjectAltName = @sans [ sans ] -DNS.1 = repo.{{ domain.stdout }} -IP.1 = {{ IP.stdout }} \ No newline at end of file +DNS.1 = repo.{{ ansible_domain }} +IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 323b0c9..d415f6c 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 
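Review bot: `IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }}` nests a `{{` inside an expression, which Jinja rejects as a template syntax error, so the `Copy dockerrepo certificate cnf` and `Copy repo certificate cnf` template tasks fail before any certificate is issued. Both templates should read `IP.1 = {{ ansible_facts['default_ipv4']['address'] }}`. Patch 04 of this series deletes these templates, so this only bites if the commits are applied or bisected individually.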
@@ -1,18 +1,18 @@ [ req ] prompt = no -distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} +distinguished_name = {{ rproxy_service_name }}.{{ ansible_domain }} req_extensions = v3_req x509_extensions = v3_x509 -[ {{ rproxy_service_name }}.{{ domain.stdout }} ] +[ {{ rproxy_service_name }}.{{ ansible_domain }} ] countryName = RU stateOrProvinceName = RU localityName = MSK -organizationName = {{ domain.stdout }} +organizationName = {{ ansible_domain }} organizationalUnitName = IT -commonName = {{ rproxy_service_name }}.{{ domain.stdout }} -emailAddress = admin@{{ domain.stdout }} +commonName = {{ rproxy_service_name }}.{{ ansible_domain }} +emailAddress = admin@{{ ansible_domain }} [ v3_req ] basicConstraints = CA:false @@ -25,5 +25,5 @@ keyUsage = digitalSignature, keyEncipherment subjectAltName = @sans [ sans ] -DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} +DNS.1 = {{ rproxy_service_name }}.{{ ansible_domain }} IP.1 = {{ rproxy_service_address }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index c833687..bc3603b 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 @@ -1,10 +1,10 @@ -upstream {{ rproxy_service_name }}.{{ domain.stdout }} { +upstream {{ rproxy_service_name }}.{{ ansible_domain }} { server {{ rproxy_service_address }}:{{ rproxy_service_port }}; } server { listen 80; - server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + server_name {{ rproxy_service_name }}.{{ ansible_domain }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; return 301 https://$server_name$request_uri; 
@@ -12,7 +12,7 @@ server { server { listen 443 ssl; - server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + server_name {{ rproxy_service_name }}.{{ ansible_domain }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt; @@ -30,6 +30,6 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://{{ rproxy_service_name }}.{{ domain.stdout }}/; + proxy_pass http://{{ rproxy_service_name }}.{{ ansible_domain }}/; } } diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml new file mode 100644 index 0000000..ed91197 --- /dev/null +++ b/roles/rproxy/vars/main.yml @@ -0,0 +1,5 @@ +ansible_python_interpreter: /usr/bin/python3 +rproxy_dir: /opt/rproxy +repo_data_dir: /opt/data/repo +dockerrepo_dir: /opt/dockerrepo +dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index 2477006..1f910d8 100644 --- a/rproxy.yml +++ b/rproxy.yml @@ -4,10 +4,6 @@ vars: ansible_python_interpreter: /usr/bin/python3 - rproxy_dir: /opt/rproxy - repo_data_dir: /opt/data/repo - dockerrepo_dir: /opt/dockerrepo - dockerrepo_data_dir: /opt/data/dockerrepo vars_prompt: - name: rproxy_service_name From e2842db8080b1de54a1485da81a5f007c6a0f543 Mon Sep 17 00:00:00 2001 
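Review bot: `ansible_python_interpreter` is set in `roles/rproxy/vars/main.yml`, which takes precedence over inventory and host vars, so the role silently overrides any per-host interpreter a caller configured; the play in `rproxy.yml` and `ansible.cfg` (`interpreter_python`) already set the same value. The directory settings (`rproxy_dir`, `repo_data_dir`, `dockerrepo_dir`, `dockerrepo_data_dir`) belong in `defaults/main.yml` so callers can override them, and `ansible_python_interpreter` should be dropped from the role.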
From: Pavlov Makar Date: Sun, 20 Jul 2025 17:58:55 +0300 Subject: [PATCH 04/11] Prepare ansible role for AlmaLinux 10 * Moved from docker to podman * Refactored certificate generation --- ansible.cfg | 1 - roles/rproxy/tasks/addconfig.yml | 96 ++++++++++++---- roles/rproxy/tasks/docker.yml | 33 ------ roles/rproxy/tasks/dockerrepo.yml | 107 +++++++++++++----- roles/rproxy/tasks/main.yml | 4 +- roles/rproxy/tasks/podman.yml | 17 +++ roles/rproxy/tasks/repo.yml | 96 ++++++++++++---- roles/rproxy/tasks/rproxy.yml | 54 +++++++-- .../docker-compose.dockerrepo.yml.j2 | 15 --- .../templates/docker-compose.rproxy.yml.j2 | 16 --- roles/rproxy/templates/dockerrepo.cnf.j2 | 29 ----- roles/rproxy/templates/repo.cnf.j2 | 29 ----- roles/rproxy/templates/server.cnf.j2 | 29 ----- roles/rproxy/vars/main.yml | 1 + 14 files changed, 289 insertions(+), 238 deletions(-) delete mode 100644 roles/rproxy/tasks/docker.yml create mode 100644 roles/rproxy/tasks/podman.yml delete mode 100644 roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 delete mode 100644 roles/rproxy/templates/docker-compose.rproxy.yml.j2 delete mode 100644 roles/rproxy/templates/dockerrepo.cnf.j2 delete mode 100644 roles/rproxy/templates/repo.cnf.j2 delete mode 100644 roles/rproxy/templates/server.cnf.j2 diff --git a/ansible.cfg b/ansible.cfg index 4e4796a..b1c8e00 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,6 +1,5 @@ [defaults] hostfile = hosts.ini -log_path = ansible-log.log host_key_checking = false interpreter_python = /usr/bin/python3 forks = 30 \ No newline at end of file diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 4735146..e72231b 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml 
@@ -1,27 +1,48 @@ --- -- name: Create configs +- name: Create server configs block: - name: Copy server.conf ansible.builtin.template: src: templates/server.conf.j2 dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" - - name: Copy server certificate cnf - ansible.builtin.template: - src: templates/server.cnf.j2 - dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' +- name: Generate certificates for {{ rproxy_service_name }} + block: + - name: "Generate {{ rproxy_service_name }}.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + size: "2048" - - name: Generate server key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' + - name: "Generate {{ rproxy_service_name }}.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir 
}}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509' + - name: "Generate {{ rproxy_service_name }}.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt" + privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: 
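Review bot: `community.crypto.x509_certificate` now writes the leaf to `{{ rproxy_service_name }}.crt`, but the `Create fullchain certificate` task that follows (its `cmd` line sits just outside this hunk) still appends `RootCA.crt` with `>>`; on a rerun the x509 module likely finds a valid leaf at the top of the file and leaves it alone, so each replay appends another copy of the CA and the chain grows. Write the leaf to a separate file and build the chain by overwrite: `path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}-leaf.crt"` in the x509 task, then `cmd: 'cat {{ rproxy_dir }}/certs/{{ rproxy_service_name }}-leaf.crt {{ rproxy_dir }}/certs/RootCA.crt > {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt'`. `key_usage` also lists `nonRepudiation` and `dataEncipherment`, which a TLS server certificate does not need — `digitalSignature` and `keyEncipherment` with `extended_key_usage: serverAuth` are enough. `rproxy_service_name` still flows unvalidated into these paths; an `ansible.builtin.assert` on `is match('^[a-z0-9-]+$')` at the top of the file would close that.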
@@ -32,13 +53,40 @@ path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" - state: absent +- name: Restart rproxy + block: + - name: Restart container + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes diff --git a/roles/rproxy/tasks/docker.yml b/roles/rproxy/tasks/docker.yml deleted file mode 100644 index 576c7ac..0000000 --- a/roles/rproxy/tasks/docker.yml +++ /dev/null 
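Review bot: `Restart container` runs the public-facing nginx proxy with `privileged: true` and `security_opt: label=disable`, which hands it every capability and device on the host and turns off SELinux confinement, while the same task already relabels its bind mounts with `:z` and only needs to bind ports 80/443/9000 — nothing here requires privilege. Drop both lines; if a specific port or device turns out to be needed, add the single capability with `cap_add:` instead. This matters doubly because `{{ rproxy_dir }}/certs`, which holds `RootCA.key` per `rproxy.yml`, is mounted `rw` into that container; `certs` and `nginx.conf` should be mounted `:ro`. `ansible.builtin.shell: cmd: systemctl daemon-reload` can be `ansible.builtin.systemd: daemon_reload: true`.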
@@ -1,33 +0,0 @@ ---- -- name: Install python3.11 - ansible.builtin.yum: - name: - - python3.11 - - python3.11-setuptools - - python3.11-pip - update_cache: yes - -- name: Change default python3 to v3.11 - ansible.builtin.alternatives: - name: python3 - path: /usr/bin/python3.11 - -- name: Upgrade pip - ansible.builtin.pip: - name: pip - state: latest - executable: pip3 - -- name: Install docker - ansible.builtin.pip: - name: - - docker - - docker-compose - -- name: Enable docker (RHEL) - ansible.builtin.systemd: - name: docker - state: restarted - enabled: true - daemon_reload: true - when: ansible_facts['os_family'] == "RedHat" \ No newline at end of file diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml index 2bd792c..b3b6151 100644 --- a/roles/rproxy/tasks/dockerrepo.yml +++ b/roles/rproxy/tasks/dockerrepo.yml @@ -1,5 +1,5 @@ --- -- name: Create docker repository +- name: Prepare for image repository block: - name: Remove dockerrepo dir ansible.builtin.file: 
@@ -21,27 +21,43 @@ path: "{{ dockerrepo_dir }}/certs" state: directory - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.dockerrepo.yml.j2 - dest: "{{ dockerrepo_dir }}/docker-compose.yml" +- name: Create certificates for image repository + block: + - name: "Generate dockerrepo.key" + community.crypto.openssl_privatekey: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + size: "2048" - - name: Copy dockerrepo certificate cnf - ansible.builtin.template: - src: templates/dockerrepo.cnf.j2 - dest: '{{ dockerrepo_dir }}/certs/dockerrepo.cnf' + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate dockerrepo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ dockerrepo_dir }}/certs/dockerrepo.key 2048' - - - name: Generate dockerrepo csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ dockerrepo_dir }}/certs/dockerrepo.key -new -out {{ dockerrepo_dir }}/certs/dockerrepo.csr -config {{ dockerrepo_dir }}/certs/dockerrepo.cnf' - - - name: Sign dockerrepo certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ dockerrepo_dir }}/certs/dockerrepo.csr -out {{ dockerrepo_dir }}/certs/dockerrepo.crt 
-CAcreateserial -extfile {{ dockerrepo_dir }}/certs/dockerrepo.cnf -days 365 -extensions v3_x509' + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" + path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt" + privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: 
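Review bot: The new `openssl_csr` task drops the `basicConstraints = CA:false` that the removed dockerrepo.cnf.j2 asserted, so the leaf certificate no longer carries an explicit non-CA constraint; add `basic_constraints: ["CA:FALSE"]` and `basic_constraints_critical: true` to the CSR, since the `ownca` provider in `x509_certificate` takes its extensions from the CSR. The subject fields (`country_name: "RU"`, `locality_name: "MSK"`, `organizational_unit_name: "IT"`) are hard-coded here and repeated verbatim in repo.yml (`@@ -12,22 +12,43 @@`); role vars would keep the two in step, and `organization_name` uses `ansible_domain` while `common_name` uses `ansible_facts['domain']`. `size: "2048"` is passed as a string where the module expects an integer, and the task names `Generate server.csr`/`Generate server.crt` do not match the files written (`dockerrepo.csr`/`dockerrepo.crt`).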
@@ -52,13 +68,48 @@ path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.cnf" +- name: Start image repository + block: + - name: Pull repo image + containers.podman.podman_image: + name: registry:latest + state: present + + - name: Delete image repository container if exists + containers.podman.podman_container: + name: registry state: absent - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ dockerrepo_dir }}" - build: false - restarted: true \ No newline at end of file + - name: Start registry + containers.podman.podman_container: + name: registry + image: registry:latest + state: started + ports: + - "5000:5000" + environment: + - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt + - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key + volumes: + - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw" + - "{{ dockerrepo_dir }}/certs:/certs:z,rw" + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable registry service + ansible.builtin.systemd: + name: "container-registry.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index ff16ac7..2d528d5 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -1,7 +1,7 @@ --- -- name: Docker install +- name: Podman install ansible.builtin.include_tasks: - file: docker.yml + file: podman.yml apply: tags: install tags: diff --git a/roles/rproxy/tasks/podman.yml b/roles/rproxy/tasks/podman.yml new file mode 100644 index 0000000..c835554 --- /dev/null +++ b/roles/rproxy/tasks/podman.yml 
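Review bot: The `Start registry` task runs the registry with `privileged: true` and `security_opt: ["label=disable"]` although the container only needs to bind port 5000 and access `/certs` and `/var/lib/registry`; with the `:z` relabels already on the volumes these two settings only add attack surface and should go, and the cert mount can be `"{{ dockerrepo_dir }}/certs:/certs:z,ro"`. The only `environment` entries configure TLS, so nothing authenticates pushes or pulls — any client that can reach port 5000 can publish images this infrastructure later runs; if that is not intended, configure `REGISTRY_AUTH_HTPASSWD_*` or restrict the port. `registry:latest` in both `podman_image` and `podman_container` is a floating tag, so each run may pull a different build; pin a version (ideally a digest) the way `rproxy_version` is meant to for nginx.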
@@ -0,0 +1,17 @@ +--- +- name: Install podman + ansible.builtin.yum: + name: + - podman + - podman-compose + - podman-docker + - podman-remote + - podman-tui + - buildah + update_cache: yes + +- name: Enable Podman + ansible.builtin.systemd: + name: podman + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index 8b0be4c..c5347dc 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml @@ -1,5 +1,5 @@ --- -- name: Create https repository +- name: Prepare for https repository block: - name: Create repo dir ansible.builtin.file: 
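Review bot: `Enable Podman` starts and enables the unit named `podman`, i.e. `podman.service`, the REST API daemon; the rest of this role appears to manage containers through `podman_container` and `generate_systemd` units rather than that API, so the service only widens what the host exposes (if the API is really wanted, the socket-activated `podman.socket` is the usual unit to enable). The package list also pulls in `podman-docker`, `podman-remote`, `podman-tui` and `buildah`, none of which the tasks use; limiting it to `podman` (plus `podman-compose` only if it is needed) shrinks what has to be patched on the host. A header comment such as `# Host container runtime for the rproxy and registry containers; units are generated by podman_container` would explain the file's role.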
@@ -12,22 +12,43 @@ src: files/repo.conf dest: "{{ rproxy_dir }}/sites/repo.conf" - - name: Copy repo certificate cnf - ansible.builtin.template: - src: templates/repo.cnf.j2 - dest: '{{ rproxy_dir }}/certs/repo.cnf' +- name: Create https certificates for repository + block: + - name: "Generate repo.key" + community.crypto.openssl_privatekey: + path: "{{ rproxy_dir }}/certs/repo.key" + size: "2048" - - name: Generate repo certificate key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/repo.key 2048' + - name: "Generate server.csr" + community.crypto.openssl_csr: + path: "{{ rproxy_dir }}/certs/repo.csr" + privatekey_path: "{{ rproxy_dir }}/certs/repo.key" + country_name: "RU" + state_or_province_name: "RU" + locality_name: "MSK" + organization_name: "{{ ansible_domain }}" + organizational_unit_name: "IT" + common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + email_address: "admin@{{ ansible_domain }}" + subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" + key_usage: + - digitalSignature + - nonRepudiation + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/repo.key -new -out {{ rproxy_dir }}/certs/repo.csr -config {{ rproxy_dir }}/certs/repo.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/repo.csr -out {{ rproxy_dir }}/certs/repo.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/repo.cnf -days 365 -extensions v3_x509' + - name: "Generate server.crt" + community.crypto.x509_certificate: + csr_path: "{{ rproxy_dir }}/certs/repo.csr" + path: "{{ rproxy_dir }}/certs/repo.crt" + privatekey_path: "{{ rproxy_dir 
}}/certs/repo.key" + provider: ownca + ownca_create_subject_key_identifier: always_create + ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" + ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" + ownca_not_after: "+365d" - name: Create fullchain certificate ansible.builtin.shell: @@ -38,13 +59,40 @@ path: "{{ rproxy_dir }}/certs/repo.csr" state: absent - - name: Delete cnf - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.cnf" - state: absent +- name: Restart rproxy + block: + - name: Restart container + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + restart: true + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true - - name: Restart rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" - build: false - restarted: true \ No newline at end of file + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index ad40481..a2792c2 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml @@ -1,5 +1,5 @@ --- -- name: Install rproxy +- name: Prepare dirs for rproxy block: - name: Remove rproxy dir ansible.builtin.file: 
@@ -21,11 +21,6 @@ path: "{{ rproxy_dir }}/certs" state: directory - - name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.rproxy.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" - - name: Copy nginx.conf ansible.builtin.copy: src: files/nginx.conf @@ -41,6 +36,49 @@ src: files/RootCA.key dest: '{{ rproxy_dir }}/certs/RootCA.key' +- name: Install rproxy + block: + - name: Pull rproxy image + containers.podman.podman_image: + name: "nginx:{{ rproxy_version }}" + state: present + + - name: Delete rproxy container if exists + containers.podman.podman_container: + name: rproxy + state: absent + - name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" \ No newline at end of file + containers.podman.podman_container: + name: rproxy + image: "nginx:{{ rproxy_version }}" + state: started + ports: + - "443:443" + - "80:80" + - "9000:9000" + volumes: + - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' + - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' + - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' + - '{{ repo_data_dir }}:/repo:z,rw' + - "/etc/localtime:/etc/localtime:ro" + privileged: true + security_opt: + - "label=disable" + log_driver: journald + generate_systemd: + path: /etc/systemd/system/ + restart_policy: always + stop_timeout: 120 + names: true + + - name: Daemon reload + ansible.builtin.shell: + cmd: systemctl daemon-reload + + - name: Enable rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: started + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 b/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 deleted file mode 100644 index 09fb7c3..0000000 --- a/roles/rproxy/templates/docker-compose.dockerrepo.yml.j2 +++ /dev/null 
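Review bot: The context of the `@@ -41,6 +36,49 @@` hunk shows `files/RootCA.key` being copied into `{{ rproxy_dir }}/certs`, and the new `Start rproxy` task then bind-mounts that whole directory into the nginx container as `/etc/nginx/certs:z,rw`, so the CA signing key sits writable inside a privileged, internet-facing container; a compromise of nginx would let an attacker issue certificates trusted by every client that imports RootCA.crt. Keep the CA key outside the served tree (sign into a separate directory, or mount only the leaf cert and key) and mount the certs path `ro`. The image is pulled by tag only (`nginx:{{ rproxy_version }}`, which later in this series becomes `latest`), so a run can silently roll the proxy to a new build; pinning a digest in `podman_image` makes deployments reproducible. `Delete rproxy container if exists` followed by `Start rproxy` also guarantees an outage on every run even when nothing changed; `podman_container` compares the existing container with the task definition and recreates it only on change, so the explicit delete is probably unnecessary.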
@@ -1,15 +0,0 @@ -version: '3.3' - -services: - nginx: - image: registry:latest - container_name: dockerrepo - restart: always - environment: - - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt - - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key - volumes: - - '{{ dockerrepo_data_dir }}:/var/lib/registry' - - '{{ dockerrepo_dir }}/certs:/certs' - ports: - - 5000:5000 \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 b/roles/rproxy/templates/docker-compose.rproxy.yml.j2 deleted file mode 100644 index 1230303..0000000 --- a/roles/rproxy/templates/docker-compose.rproxy.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -version: '3.3' - -services: - nginx: - image: nginx:latest - container_name: rproxy - restart: always - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs' - - '{{ repo_data_dir }}:/repo' - ports: - - 443:443 - - 80:80 - - 9000:9000 \ No newline at end of file diff --git a/roles/rproxy/templates/dockerrepo.cnf.j2 b/roles/rproxy/templates/dockerrepo.cnf.j2 deleted file mode 100644 index 09cf6e5..0000000 --- a/roles/rproxy/templates/dockerrepo.cnf.j2 +++ /dev/null 
@@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = dockerrepo.{{ ansible_domain }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ dockerrepo.{{ ansible_domain }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ ansible_domain }} -organizationalUnitName = IT -commonName = dockerrepo.{{ ansible_domain }} -emailAddress = admin@{{ ansible_domain }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = dockerrepo.{{ ansible_domain }} -IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }} \ No newline at end of file diff --git a/roles/rproxy/templates/repo.cnf.j2 b/roles/rproxy/templates/repo.cnf.j2 deleted file mode 100644 index 0a44d46..0000000 --- a/roles/rproxy/templates/repo.cnf.j2 +++ /dev/null @@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = repo.{{ ansible_domain }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ repo.{{ ansible_domain }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ ansible_domain }} -organizationalUnitName = IT -commonName = repo.{{ ansible_domain }} -emailAddress = admin@{{ ansible_domain }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = repo.{{ ansible_domain }} -IP.1 = {{ {{ ansible_facts['default_ipv4']['address'] }} }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 deleted file mode 100644 index d415f6c..0000000 --- a/roles/rproxy/templates/server.cnf.j2 +++ /dev/null 
@@ -1,29 +0,0 @@ -[ req ] -prompt = no -distinguished_name = {{ rproxy_service_name }}.{{ ansible_domain }} -req_extensions = v3_req -x509_extensions = v3_x509 - - -[ {{ rproxy_service_name }}.{{ ansible_domain }} ] -countryName = RU -stateOrProvinceName = RU -localityName = MSK -organizationName = {{ ansible_domain }} -organizationalUnitName = IT -commonName = {{ rproxy_service_name }}.{{ ansible_domain }} -emailAddress = admin@{{ ansible_domain }} - -[ v3_req ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ v3_x509 ] -basicConstraints = CA:false -keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans - -[ sans ] -DNS.1 = {{ rproxy_service_name }}.{{ ansible_domain }} -IP.1 = {{ rproxy_service_address }} \ No newline at end of file diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml index ed91197..8deebd5 100644 --- a/roles/rproxy/vars/main.yml +++ b/roles/rproxy/vars/main.yml @@ -1,5 +1,6 @@ ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy +rproxy_version: 1.29 repo_data_dir: /opt/data/repo dockerrepo_dir: /opt/dockerrepo dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file From 56e001e2a8ac24d4a67999676ef7135ffb256754 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:04:47 +0300 Subject: [PATCH 05/11] Add Update Job stage --- Jenkinsfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index aa18731..7f6bc30 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
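Review bot: `rproxy_version: 1.29` is an unquoted YAML scalar and is loaded as a float; `1.29` survives the round trip, but the next point release `1.30` would render as `nginx:1.3` and the pull would fail. Quote image tags as strings: `rproxy_version: "1.29"`.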
@@ -17,8 +17,22 @@ pipeline { string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)") + booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes') } stages { + stage('Update Job') { + when { + expression { + return params.update_job + } + } + steps { + script { + currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS) + sleep(1) + } + } + } stage('Save certs') { when { expression { From c764df247208a183ad2bbad975a6ee16f6ae5c01 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:13:04 +0300 Subject: [PATCH 06/11] Set nginx tag to latest --- roles/rproxy/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml index 8deebd5..cdea2fe 100644 --- a/roles/rproxy/vars/main.yml +++ b/roles/rproxy/vars/main.yml @@ -1,6 +1,6 @@ ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy -rproxy_version: 1.29 +rproxy_version: latest repo_data_dir: /opt/data/repo dockerrepo_dir: /opt/dockerrepo dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file From 225371dea01d40791daea44c1ad6d94dbc819cd1 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:20:08 +0300 Subject: [PATCH 07/11] Fix nginx image name --- roles/rproxy/tasks/addconfig.yml | 2 +- roles/rproxy/tasks/repo.yml | 2 +- roles/rproxy/tasks/rproxy.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index e72231b..af30785 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml 
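Review bot: The `Update Job` stage ends the build by calling `currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)` and then `sleep(1)`; `getRawBuild()` reaches into Jenkins internals that the pipeline sandbox rejects until an administrator approves the signature, and whether the later stages start depends on a race between the interrupt and the one-second sleep. A declarative alternative needs no approval: guard the remaining stages with `when { not { expression { params.update_job } } }` and let the run finish normally. The parameter description `'Update job, free run, no changes'` could say what the run is for, e.g. `'Re-read the Jenkinsfile without deploying anything'`.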
@@ -58,7 +58,7 @@ - name: Restart container containers.podman.podman_container: name: rproxy - image: "nginx:{{ rproxy_version }}" + image: "docker.io/library/nginx:{{ rproxy_version }}" state: started restart: true ports: diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index c5347dc..cad5fb7 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml @@ -64,7 +64,7 @@ - name: Restart container containers.podman.podman_container: name: rproxy - image: "nginx:{{ rproxy_version }}" + image: "docker.io/library/nginx:{{ rproxy_version }}" state: started restart: true ports: diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index a2792c2..6c19e27 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml @@ -40,7 +40,7 @@ block: - name: Pull rproxy image containers.podman.podman_image: - name: "nginx:{{ rproxy_version }}" + name: "docker.io/library/nginx:{{ rproxy_version }}" state: present - name: Delete rproxy container if exists @@ -51,7 +51,7 @@ - name: Start rproxy containers.podman.podman_container: name: rproxy - image: "nginx:{{ rproxy_version }}" + image: "docker.io/library/nginx:{{ rproxy_version }}" state: started ports: - "443:443" From 7155070c9eabcfba88b444735e7738eead78386e Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:24:57 +0300 Subject: [PATCH 08/11] Add creation of data dir --- roles/rproxy/tasks/rproxy.yml | 10 ++++++++++ roles/rproxy/vars/main.yml | 1 + 2 files changed, 11 insertions(+) diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index 6c19e27..cf2884e 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml 
@@ -6,11 +6,21 @@ path: "{{ rproxy_dir }}" state: absent + - name: Create data dir + ansible.builtin.file: + path: "{{ data_dir }}" + state: directory + - name: Create rproxy dir ansible.builtin.file: path: "{{ rproxy_dir }}" state: directory + - name: Create rproxy data dir + ansible.builtin.file: + path: "{{ repo_data_dir }}" + state: directory + - name: Create sites dir ansible.builtin.file: path: "{{ rproxy_dir }}/sites" diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml index cdea2fe..d98cc9c 100644 --- a/roles/rproxy/vars/main.yml +++ b/roles/rproxy/vars/main.yml @@ -1,6 +1,7 @@ ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy rproxy_version: latest +data_dir: /opt/data repo_data_dir: /opt/data/repo dockerrepo_dir: /opt/dockerrepo dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file From d9640fc8913c2579a0c3a1cf810b75d902ff5b37 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:27:23 +0300 Subject: [PATCH 09/11] Change env pass to dockerrepo container --- roles/rproxy/tasks/dockerrepo.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml index b3b6151..6e3e5d9 100644 --- a/roles/rproxy/tasks/dockerrepo.yml +++ b/roles/rproxy/tasks/dockerrepo.yml @@ -87,9 +87,9 @@ state: started ports: - "5000:5000" - environment: - - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt - - REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key + env: + REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt" + REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key" volumes: - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw" - "{{ dockerrepo_dir }}/certs:/certs:z,rw" From e16bd7b208de7ca299b82f18c5cf01b5eb7046a6 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:56:34 +0300 Subject: [PATCH 10/11] Test CNAME auto creation --- roles/rproxy/tasks/addconfig.yml | 9 +++++++++ 1 file changed, 9 insertions(+) 
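Review bot: The new task named `Create rproxy data dir` creates `{{ repo_data_dir }}`, the directory nginx later serves as `/repo`, so the name hides which path it touches; `Create repo data dir` would match the variable. Both new `file` tasks rely on the default mode and owner for directories that are bind-mounted into containers; stating them (`mode: "0755"` plus `owner`/`group`) makes the exposure explicit and keeps a restrictive umask on the control host from producing an unreadable mount. `dockerrepo_data_dir` also lives under the new `data_dir` but is not created in this hunk; unless dockerrepo.yml creates it, the registry start relies on podman creating the bind source.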
diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index af30785..d6cc7be 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -90,3 +90,12 @@ name: "container-rproxy.service" state: started enabled: yes + +- name: Create CNAME dns record + community.general.ipa_dnsrecord: + ipa_pass: "{{ ansible_password }}" + zone_name: "{{ ansible_facts['domain'] }}" + record_name: "{{ rproxy_service_name }}" + record_type: 'CNAME' + record_value: "{{ ansible_facts['hostname'] }}" + state: present \ No newline at end of file From 317d144c02a5c747377b62e592c59f461ec29c06 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Sun, 20 Jul 2025 18:58:58 +0300 Subject: [PATCH 11/11] Add ipa_user for CNAME creation task --- roles/rproxy/tasks/addconfig.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index d6cc7be..6cc5dbf 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -93,6 +93,7 @@ - name: Create CNAME dns record community.general.ipa_dnsrecord: + ipa_user: "{{ ansible_user }}" ipa_pass: "{{ ansible_password }}" zone_name: "{{ ansible_facts['domain'] }}" record_name: "{{ rproxy_service_name }}"
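Review bot: `Create CNAME dns record` authenticates to FreeIPA with `ipa_pass: "{{ ansible_password }}"`, the same password the play uses to log in to the target host (the follow-up patch adds `ipa_user: "{{ ansible_user }}"` the same way), so one credential now both logs into hosts and edits DNS; a dedicated IPA account holding only the DNS-administrator role, injected as a separate Jenkins credential, limits what a leaked deployer password can do. The task sets no `ipa_host`, so the module falls back to its default; naming the IPA server explicitly documents where the record goes and avoids a surprise when the play runs from another host. `record_value: "{{ ansible_facts['hostname'] }}"` is an unqualified target; writing the FQDN with a trailing dot (`"{{ ansible_facts['fqdn'] }}."`) avoids relying on zone-relative resolution. Add `no_log: true` on the task unless you have confirmed the module already masks `ipa_pass` in verbose output.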