iac/rproxy
3
0
Fork 0
Code Issues Pull Requests Packages Releases 9 Activity

Compare commits

base: iac:v1.0
Branches Tags
iac:master iac:dev
iac:v4.1 iac:v4.0 iac:v3.0 iac:v2.1HF1 iac:v2.1 iac:v2.0 iac:v1.2 iac:v1.1 iac:v1.0
...
compare: iac:v4.0
Branches Tags
iac:master iac:dev
iac:v4.1 iac:v4.0 iac:v3.0 iac:v2.1HF1 iac:v2.1 iac:v2.0 iac:v1.2 iac:v1.1 iac:v1.0

25 Commits
v1.0 ... v4.0

Author SHA1 Message Date
Pavlov Makar
ed7594cea8 Merge pull request 'Create dirs for repo and add pypiserver service' (#49) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/iac/rproxy/pulls/49
 2025-12-02 23:19:44 +03:00
Pavlov Makar
05578db75b Create dirs for repo and add pypiserver service 2025-12-02 23:18:56 +03:00
Pavlov Makar
fa5b88c272 Merge pull request 'Improved README' (#47) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/47
 2025-10-24 20:08:37 +03:00
Pavlov Makar
0527945668 Improved README 2025-10-24 19:59:20 +03:00
Pavlov Makar
07a4586486 Merge pull request 'Divide add config and rproxy installation' (#46) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/46
 2025-10-21 01:39:48 +03:00
Pavlov Makar
8c2afbcac9 Divide add config and rproxy installation 2025-10-21 01:25:24 +03:00
Pavlov Makar
36c6511ed6 Remove registry installation from job 2025-10-21 00:46:04 +03:00
Pavlov Makar
414976a4bc Merge pull request 'HOTFIX remove tracking certs' (#40) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/40
 2025-08-17 01:50:35 +03:00
Pavlov Makar
196477798b HOTFIX remove tracking certs 2025-08-17 01:50:17 +03:00
Pavlov Makar
c5dead142f Merge pull request 'Remove certificates from IPA tracking on repo rebuild' (#39) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/39
 2025-08-16 15:30:31 +03:00
Pavlov Makar
11cf16ff53 Remove certificates from IPA tracking on repo rebuild 2025-08-16 15:28:48 +03:00
Pavlov Makar
81af5f3922 Merge pull request 'Move to FreeIPA CA certificate generation' (#38) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/38
 2025-08-15 00:16:54 +03:00
Pavlov Makar
de3484c826 Ignore if rproxy already allow to fetch certificates 2025-08-15 00:15:32 +03:00
Pavlov Makar
a738ee71a8 Fix certs name for service 2025-08-15 00:13:45 +03:00
Pavlov Makar
d9ec475184 Ignore if fake host already exists 2025-08-15 00:11:47 +03:00
Pavlov Makar
d7919a4a45 Allow rproxy generate certificates for proxy host 2025-08-15 00:09:06 +03:00
Pavlov Makar
f4717d9d69 Add fake host creation for certificate create 2025-08-15 00:03:23 +03:00
Pavlov Makar
eae462797c Fix SPN name request 2025-08-14 23:54:13 +03:00
Pavlov Makar
18a1e94100 Qa FreeIPA CA certificate generation 2025-08-14 23:50:01 +03:00
Pavlov Makar
191fe274bf Merge pull request 'Allow users PUT, DELETE or MKCOL in public repo' (#36) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/36
 2025-08-05 23:52:44 +03:00
Pavlov Makar
ce83125591 Merge pull request 'Allow users PUT, DELETE or MKCOL in public repo' (#35) from feature/webdav_module into dev 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/35
 2025-08-05 23:52:18 +03:00
Pavlov Makar
0aa2ab5c69 Allow users PUT, DELETE or MKCOL in public repo 2025-08-05 23:52:00 +03:00
Pavlov Makar
821cc7502c Fix rebuild errors on RootCA files permissions 2025-08-02 17:21:58 +03:00
Pavlov Makar
0edadd8325 Merge pull request 'Auto pull root certificate and key from Jenkins vault' (#33) from dev into master 
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/33
 2025-07-29 01:27:49 +03:00
Pavlov Makar
e699b31105 Auto pull root certificate and key from Jenkins vault 2025-07-29 01:26:59 +03:00
25 changed files with 533 additions and 554 deletions
Expand all files Collapse all files

60
Jenkinsfile vendored
View File

@@ -11,12 +11,8 @@ pipeline {
timestamps()
}
parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host")
booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy")
booleanParam(name: "config_add", defaultValue: true, description: "Add config")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)")
string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation")
string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
}
stages {
@@ -33,20 +29,6 @@ pipeline {
}
}
}
stage('Save certs') {
when {
expression {
return params.rproxy_install
}
}
steps {
script {
def userInput = input message: 'Upload RootCA certificate and key', parameters: [base64File(name: 'rootca'), base64File(name: 'rootca_key')]
writeFile(file: 'roles/rproxy/files/RootCA.crt', text: new String(userInput['rootca'].decodeBase64()))
writeFile(file: 'roles/rproxy/files/RootCA.key', text: new String(userInput['rootca_key'].decodeBase64()))
}
}
}
stage('Prepare inventory') {
steps {
script {
@@ -58,11 +40,6 @@ pipeline {
}
}
stage('Install Rproxy') {
when {
expression {
return params.rproxy_install
}
}
steps {
script {
withCredentials([
@@ -74,36 +51,11 @@ pipeline {
ansiblePlaybook(
playbook: 'rproxy.yml',
inventory: 'hosts.ini',
tags: 'install',
colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
)
}
}
}
}
}
}
stage('Add config') {
when {
expression {
return params.config_add
}
}
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
ansiblePlaybook(
playbook: 'rproxy.yml',
inventory: 'hosts.ini',
tags: 'add_config',
colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
extras: '''--private-key ${SSH_KEY}
-e "ansible_user=${username}
ansible_password=${password}
image_repo=${images_repo_url}"'''
)
}
}

117
README.md
View File

@@ -1,56 +1,83 @@
# PROXY
# Rproxy
## Content
* Reverse proxy
* HTTPS file share
* Docker-registry
## Description
## Installation
```yml
target_host: Enter FQDN or IP Address of target host
rproxy_install: Install rproxy, https repo and docker-registry if checked
config_add: Will config be created
This job handles Nginx 1.29 installation and includes the following components:
rproxy_service_name: Server/service name without domain suffix
rproxy_service_port: Port to redirect the request to
rproxy_service_address: Address to redirect the request to
- **Nginx as Reverse Proxy**:
- Acts as a reverse proxy for secure traffic routing
- Supports SSL termination
Example:
domain: olsson.ul
jenkins_host: http://10.10.10.1:8080/
- **HTTP Repository**:
- Provides a base for hosting and managing web content
rproxy_service_name: jenkins
rproxy_service_port: 8080
rproxy_service_address: 10.10.10.1
- **Infrastructure**:
- ✅ Includes Podman installation
- ✅ Contains a management job for proxy configuration
- Allows seamless addition of new services (e.g., enabling SSL access to Jenkins)
# After adding alias jenkins.olsson.ul => rproxy.olsson.ul
result_address: https://jenkins.olsson.ul/
```
### Nginx as Reverse Proxy
## Reverse Proxy
Allows redirecting requests based on fqdn to the required address and ports with ssl certificate substitution
**Setup**:
- Installs Nginx container in Podman environment
## HTTPS repository
Would be installed with rproxy service. Hosted on port 9000. \
Files should be stored in /opt/rproxy/repo/ to be shared.
**Configuration Structure**:
- **Root directory**: `/opt/rproxy`
- **Main config**: `/opt/rproxy/nginx.conf`
- **Site-specific configs**: `/opt/rproxy/sites/*.conf`
- **Certificates**: `/opt/rproxy/certs/` (stores unique certificates for each connected site)
## Docker-registry
Would be installed with rproxy service. Hosted on port 5000.
Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
Install trust with root certificate:
**Operation**:
- Listens on `https://$hostname/`
- Maps incoming requests to `/opt/rproxy/sites/$hostname.conf`
- Forwards traffic to `https://$hostname:[port]` with SSL termination
**Entrypoint**:
- Proxy endpoint: `https://$hostname/`
### HTTP Repository
**Configuration**:
- A `repo.conf` file is added to the `/opt/rproxy/sites/` directory
- **DAVFS** functionality is enabled for file management
- **Data storage path**: `/opt/repodata`
**Access Point**:
- Proxy endpoint: `https://localhost:9000/`
#### Example Usage
Upload a file to the repository using `curl`:
```bash
# RHEL based
openssl x509 -in RootCA.crt -out RootCA.pem -outform PEM
mv RootCA.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust force-enable
# Upload example: kafka_4.1.tar to /podman/kafka/4.1/
curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar
```
# Debian based
mv RootCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
```
How to store image:
```bash
# After image build
docker tag $image $registry_address:5000/$image
docker push $registry_address:5000/$image
```
## Add configuration via management job
Import management/AddService.groovy to Jenkins
To integrate `http://jenkins-master.olsson.ul:8080` with the SSL proxy, configure these parameters:
- **target_host**: Host with rproxy installed
- **rproxy_service_name**: Service identifier (e.g., `jenkins`)
- **rproxy_service_port**: Port (e.g., `8080`)
- **rproxy_service_address**: Address (e.g., `jenkins-master.olsson.ul` or `10.10.10.1`)
**Result**:
`https://jenkins.olsson.ul/` will securely route to `http://jenkins-master.olsson.ul:8080`.
CNAME configuration (`jenkins.olsson.ul → rproxy`) is automatically handled during deployment in FreeIPA.
## Software Requirements
* OS - AlmaLinux 10
* FreeIPA domain (for certificates request)
## Jenkins credentials
* JENKINS_DEPLOYER_PASS (domain)
* JENKINS_DEPLOYER_KEY (domain)
## Jenkins paramethers
* target_hosts - is basic inventory line for ansible
* images_repo_url - image registry with nginx repository
* update_job - download changes from git and finish job

19
addconfig.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- hosts: all
become: yes
vars_prompt:
- name: rproxy_service_name
prompt: Enter service for rproxy
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
private: false
roles:
- addconfig

3
ansible.cfg
View File

@@ -3,3 +3,6 @@ hostfile = hosts.ini
host_key_checking = false
interpreter_python = /usr/bin/python3
forks = 30
[ssh_connection]
pipelining = true

80
management/AddService.groovy Normal file
View File

@@ -0,0 +1,80 @@
pipeline {
agent any
options {
buildDiscarder logRotator (
numToKeepStr: '5',
daysToKeepStr: '7',
artifactNumToKeepStr: '10',
artifactDaysToKeepStr: '7'
)
ansiColor('xterm')
timestamps()
}
parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host with rproxy installed")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (ex. jenkins)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (ex. 8080)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (ex. jenkins-master.olsson.ul)")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
}
stages {
stage('Update Job') {
when {
expression {
return params.update_job
}
}
steps {
script {
currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)
sleep(1)
}
}
}
stage('Prepare inventory') {
steps {
script {
def hostsFile = new File("${WORKSPACE}/hosts.ini")
hostsFile.append('[all]')
hostsFile.append('\n' + params.target_host)
println hostsFile.getText('UTF-8')
}
}
}
stage('Add config') {
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
dir("${env.WORKSPACE}") {
ansiblePlaybook(
playbook: 'addconfig.yml',
inventory: 'hosts.ini',
colorized: true,
extras: '''--private-key ${SSH_KEY}
-e "ansible_user=${username}
ansible_password=${password}
rproxy_service_name=${rproxy_service_name}
rproxy_service_port=${rproxy_service_port}
rproxy_service_address=${rproxy_service_address}"'''
)
}
}
}
}
}
}
}
}
post {
always {
cleanWs(patterns: [
[pattern: 'hosts.ini', type: 'INCLUDE']
])
}
}
}

5
roles/addconfig/tasks/addconfig.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"

83
roles/addconfig/tasks/certificates.yml Normal file
View File

@@ -0,0 +1,83 @@
---
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present
ignore_errors: true
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create fake host for certificate
ansible.builtin.shell:
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
ansible.builtin.shell:
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
mode: "0744"

14
roles/addconfig/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: restarted
enabled: yes

4
roles/rproxy/templates/server.conf.j2 → roles/addconfig/templates/server.conf.j2
View File

@@ -15,8 +15,8 @@ server {
server_name {{ rproxy_service_name }}.{{ ansible_domain }};
access_log /var/log/nginx/{{ rproxy_service_name }}.access.log;
error_log /var/log/nginx/{{ rproxy_service_name }}.error.log;
ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.key;
ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.{{ ansible_domain }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.{{ ansible_domain }}.key;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4;
ssl_prefer_server_ciphers on;

5
roles/addconfig/vars/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_dir: /opt/rproxy

2
roles/rproxy/tasks/podman.yml → roles/podman/tasks/main.yml
View File

@@ -5,8 +5,6 @@
- podman
- podman-compose
- podman-docker
- podman-remote
- podman-tui
- buildah
update_cache: yes

2
roles/podman/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
ansible_python_interpreter: /usr/bin/python3

6
roles/rproxy/files/repo.conf
View File

@@ -16,6 +16,12 @@ server {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
dav_methods PUT DELETE MKCOL;
dav_access user:rw group:r all:r;
create_full_put_path on;
client_max_body_size 5g;
# auth_basic "Needs to auth";
# auth_basic_user_file /etc/nginx/.htpasswd;
}

102
roles/rproxy/tasks/addconfig.yml
View File

@@ -1,102 +0,0 @@
---
- name: Create server configs
block:
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
- name: Generate certificates for {{ rproxy_service_name }}
block:
- name: "Generate {{ rproxy_service_name }}.key"
community.crypto.openssl_privatekey:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
size: "2048"
- name: "Generate {{ rproxy_service_name }}.csr"
community.crypto.openssl_csr:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
country_name: "RU"
state_or_province_name: "RU"
locality_name: "MSK"
organization_name: "{{ ansible_domain }}"
organizational_unit_name: "IT"
common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
email_address: "admin@{{ ansible_domain }}"
subject_alt_name: "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
key_usage:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
extended_key_usage:
- serverAuth
- name: "Generate {{ rproxy_service_name }}.crt"
community.crypto.x509_certificate:
csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt"
privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
provider: ownca
ownca_create_subject_key_identifier: always_create
ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
ownca_not_after: "+365d"
- name: Create fullchain certificate
ansible.builtin.shell:
cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt'
- name: Delete csr
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
state: absent
- name: Restart rproxy
block:
- name: Restart container
containers.podman.podman_container:
name: rproxy
image: "docker.io/library/nginx:{{ rproxy_version }}"
state: started
restart: true
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
enabled: yes
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present

59
roles/rproxy/tasks/certificates.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/repo\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/repo.crt
-k {{ rproxy_dir }}/certs/repo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-F {{ rproxy_dir }}/certs/RootCA.crt
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.key"
mode: "0744"

10
roles/rproxy/tasks/configs.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"

61
roles/rproxy/tasks/dirs.yml Normal file
View File

@@ -0,0 +1,61 @@
---
- name: Remove rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: absent
- name: Create rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: directory
- name: Create rproxy data dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
- name: "Create {{ repo_data_dir }}/archive"
ansible.builtin.file:
path: "{{ repo_data_dir }}/archive"
state: directory
- name: "Create {{ repo_data_dir }}/pip"
ansible.builtin.file:
path: "{{ repo_data_dir }}/pip"
state: directory
- name: "Create {{ repo_data_dir }}/pip/py3"
ansible.builtin.file:
path: "{{ repo_data_dir }}/pip/py3"
state: directory
- name: "Create {{ repo_data_dir }}/repo"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo"
state: directory
- name: "Create {{ repo_data_dir }}/repo/almalinux"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo/almalinux"
state: directory
- name: "Create {{ repo_data_dir }}/repo/almalinux/10"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo/almalinux/10"
state: directory
- name: Create sites dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
mode: 0777

115
roles/rproxy/tasks/dockerrepo.yml
View File

@@ -1,115 +0,0 @@
---
- name: Prepare for image repository
block:
- name: Remove dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: absent
- name: Create dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ dockerrepo_data_dir }}"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}/certs"
state: directory
- name: Create certificates for image repository
block:
- name: "Generate dockerrepo.key"
community.crypto.openssl_privatekey:
path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
size: "2048"
- name: "Generate server.csr"
community.crypto.openssl_csr:
path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
country_name: "RU"
state_or_province_name: "RU"
locality_name: "MSK"
organization_name: "{{ ansible_domain }}"
organizational_unit_name: "IT"
common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
email_address: "admin@{{ ansible_domain }}"
subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
key_usage:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
extended_key_usage:
- serverAuth
- name: "Generate server.crt"
community.crypto.x509_certificate:
csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt"
privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
provider: ownca
ownca_create_subject_key_identifier: always_create
ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
ownca_not_after: "+365d"
- name: Create fullchain certificate
ansible.builtin.shell:
cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt'
- name: Delete csr
ansible.builtin.file:
path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
state: absent
- name: Start image repository
block:
- name: Pull repo image
containers.podman.podman_image:
name: registry:latest
state: present
- name: Delete image repository container if exists
containers.podman.podman_container:
name: registry
state: absent
- name: Start registry
containers.podman.podman_container:
name: registry
image: registry:latest
state: started
ports:
- "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
volumes:
- "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
- "{{ dockerrepo_dir }}/certs:/certs:z,rw"
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable registry service
ansible.builtin.systemd:
name: "container-registry.service"
state: started
enabled: yes

42
roles/rproxy/tasks/main.yml
View File

@@ -1,40 +1,24 @@
---
- name: Podman install
- name: Prepare directories
ansible.builtin.include_tasks:
file: podman.yml
apply:
tags: install
tags:
- install
file: dirs.yml
- name: Copy configs
ansible.builtin.include_tasks:
file: configs.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Rproxy install
ansible.builtin.include_tasks:
file: rproxy.yml
apply:
tags: install
tags:
- install
- name: Repo install
- name: Repository install
ansible.builtin.include_tasks:
file: repo.yml
apply:
tags: install
tags:
- install
- name: Docker repo install
- name: Pypi repository install
ansible.builtin.include_tasks:
file: dockerrepo.yml
apply:
tags: install
tags:
- install
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
apply:
tags: add_config
tags:
- add_config
file: pypi.yml

17
roles/rproxy/tasks/pypi.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Install pypi-server
ansible.builtin.pip:
name:
- pypiserver
- name: Copy pypi-server service file
ansible.builtin.template:
src: "templates/pypiserver.service.j2"
dest: "/etc/systemd/system/pypiserver.service"
- name: Enable pypiserver service
ansible.builtin.systemd:
name: "pypiserver.service"
state: started
enabled: yes
daemon_reload: yes

100
roles/rproxy/tasks/repo.yml
View File

@@ -1,98 +1,12 @@
---
- name: Prepare for https repository
block:
- name: Create repo dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
mode: 0777
- name: Install createrepo
ansible.builtin.yum:
name:
- createrepo
update_cache: yes
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Create https certificates for repository
block:
- name: "Generate repo.key"
community.crypto.openssl_privatekey:
path: "{{ rproxy_dir }}/certs/repo.key"
size: "2048"
- name: "Generate server.csr"
community.crypto.openssl_csr:
path: "{{ rproxy_dir }}/certs/repo.csr"
privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
country_name: "RU"
state_or_province_name: "RU"
locality_name: "MSK"
organization_name: "{{ ansible_domain }}"
organizational_unit_name: "IT"
common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
email_address: "admin@{{ ansible_domain }}"
subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
key_usage:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
extended_key_usage:
- serverAuth
- name: "Generate server.crt"
community.crypto.x509_certificate:
csr_path: "{{ rproxy_dir }}/certs/repo.csr"
path: "{{ rproxy_dir }}/certs/repo.crt"
privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
provider: ownca
ownca_create_subject_key_identifier: always_create
ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
ownca_not_after: "+365d"
- name: Create fullchain certificate
ansible.builtin.shell:
cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt'
- name: Delete csr
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.csr"
state: absent
- name: Restart rproxy
block:
- name: Restart container
containers.podman.podman_container:
name: rproxy
image: "docker.io/library/nginx:{{ rproxy_version }}"
state: started
restart: true
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable rproxy service
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
state: restarted
enabled: yes

66
roles/rproxy/tasks/rproxy.yml
View File

@@ -1,67 +1,18 @@
---
- name: Prepare dirs for rproxy
block:
- name: Remove rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: absent
- name: Create data dir
ansible.builtin.file:
path: "{{ data_dir }}"
state: directory
- name: Create rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: directory
- name: Create rproxy data dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
- name: Create sites dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"
- name: Copy RootCA certificate
ansible.builtin.copy:
src: files/RootCA.crt
dest: '{{ rproxy_dir }}/certs/RootCA.crt'
- name: Copy RootCA key
ansible.builtin.copy:
src: files/RootCA.key
dest: '{{ rproxy_dir }}/certs/RootCA.key'
- name: Install rproxy
block:
- name: Pull rproxy image
- name: Pull rproxy image
containers.podman.podman_image:
name: "docker.io/library/nginx:{{ rproxy_version }}"
name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
state: present
- name: Delete rproxy container if exists
- name: Delete rproxy container if exists
containers.podman.podman_container:
name: rproxy
state: absent
- name: Start rproxy
- name: Start rproxy
containers.podman.podman_container:
name: rproxy
image: "docker.io/library/nginx:{{ rproxy_version }}"
image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
state: started
ports:
- "443:443"
@@ -83,12 +34,9 @@
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable rproxy service
- name: Enable rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
enabled: yes
daemon_reload: yes

17
roles/rproxy/templates/pypiserver.service.j2 Normal file
View File

@@ -0,0 +1,17 @@
[Unit]
Description=PyPI Server (pypiserver)
After=network.target
Wants=network.target
[Service]
Type=simple
WorkingDirectory={{ repo_data_dir }}/pip/py3
ExecStart=/usr/bin/python3 -m pypiserver -p 10000 -o {{ repo_data_dir }}/pip/py3
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
ReadWriteDirectories={{ repo_data_dir }}/pip/py3
[Install]
WantedBy=multi-user.target

12
roles/rproxy/vars/main.yml
View File

@@ -1,7 +1,9 @@
---
# General
ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_image: nginx
rproxy_version: 1.29
rproxy_dir: /opt/rproxy
rproxy_version: latest
data_dir: /opt/data
repo_data_dir: /opt/data/repo
dockerrepo_dir: /opt/dockerrepo
dockerrepo_data_dir: /opt/data/dockerrepo
repo_data_dir: /opt/repodata

16
rproxy.yml
View File

@@ -2,21 +2,11 @@
- hosts: all
become: yes
vars:
ansible_python_interpreter: /usr/bin/python3
vars_prompt:
- name: rproxy_service_name
prompt: Enter service for rproxy
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
- name: image_repo
prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000)
private: false
roles:
- podman
- rproxy