Merge pull request 'HOTFIX remove tracking certs' (#40 ) from dev into master

Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/40
HOTFIX remove tracking certs
2025-08-17 01:50:35 +03:00 · 2025-08-17 01:50:17 +03:00 · 2025-08-16 15:30:31 +03:00 · 2025-08-16 15:28:48 +03:00 · 2025-08-15 00:16:54 +03:00 · 2025-08-15 00:15:32 +03:00
8 changed files with 160 additions and 248 deletions
--- a/19
+++ b/19
@@ -33,25 +33,6 @@ pipeline {
                }
            }
        }
        stage('Save certs') {
            when {
                expression {
                    return params.rproxy_install
                }
            }
            steps {
                script {
                    withCredentials([
                            file(credentialsId: "ROOTCA_CERT", variable: "rootca"),
                            file(credentialsId: "ROOTCA_KEY", variable: "rootca_key")
                        ]) {
                        sh(script: "cp ${rootca} roles/gitlab/files/RootCA.crt", returnStdout: false)
                        sh(script: "cp ${rootca_key} roles/gitlab/files/RootCA.key", returnStdout: false)
                        sh(script: "chmod 700 roles/patroni/files/RootCA*", returnStdout: false)
                    } 
                }
            }
        }
        stage('Prepare inventory') {
            steps {
                script {
--- a/README.md
+++ b/README.md
@@ -37,17 +37,7 @@ Files should be stored in /opt/rproxy/repo/ to be shared.
 ## Docker-registry
 Would be installed with rproxy service. Hosted on port 5000.
 Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
-Install trust with root certificate:
+Install trust with root certificate
 ```bash
 # RHEL based
 openssl x509 -in RootCA.crt -out RootCA.pem -outform PEM
 mv RootCA.pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust force-enable
 # Debian based
 mv RootCA.crt /usr/local/share/ca-certificates/
 update-ca-certificates
 ```
 How to store image:
 ```bash
 # After image build
--- a/roles/rproxy/tasks/addconfig.yml
+++ b/roles/rproxy/tasks/addconfig.yml
@@ -8,95 +8,75 @@
 - name: Generate certificates for {{  rproxy_service_name  }}
  block:
-    - name: "Generate {{  rproxy_service_name  }}.key"
+    - name: Create CNAME dns record
-      community.crypto.openssl_privatekey: 
+      community.general.ipa_dnsrecord:
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
+        ipa_user: "{{ ansible_user }}"
-        size: "2048"
+        ipa_pass: "{{ ansible_password }}"
        zone_name: "{{ ansible_facts['domain'] }}"
        record_name: "{{  rproxy_service_name  }}"
        record_type: 'CNAME'
        record_value: "{{ ansible_facts['hostname'] }}"
        state: present
-    - name: "Generate {{  rproxy_service_name  }}.csr"
+    - name: Kinit
      community.crypto.openssl_csr:
        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
        privatekey_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
        country_name: "RU"
        state_or_province_name: "RU"
        locality_name: "MSK"
        organization_name: "{{ ansible_domain }}"
        organizational_unit_name: "IT"
        common_name: "{{  rproxy_service_name  }}.{{ ansible_facts['domain'] }}"
        email_address: "admin@{{ ansible_domain }}"
        subject_alt_name: "DNS:{{  rproxy_service_name  }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        extended_key_usage:
          - serverAuth
    - name: "Generate {{  rproxy_service_name  }}.crt"
      community.crypto.x509_certificate:
        csr_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.crt"
        privatekey_path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.key"
        provider: ownca
        ownca_create_subject_key_identifier: always_create
        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
        ownca_not_after: "+365d"
    - name: Create fullchain certificate
      ansible.builtin.shell:
-        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.crt'
+        cmd: "echo '{{ ansible_password }}' | kinit"
      become: false
      become_user: "{{ ansible_user }}"
-    - name: Delete csr
+    - name: Create fake host for certificate
      ansible.builtin.shell:
        cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
      become: false
      become_user: "{{ ansible_user }}"
      ignore_errors: true
    - name: Create SPN for HTTP
      ansible.builtin.shell:
        cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
      become: false
      become_user: "{{ ansible_user }}"
      ignore_errors: true
    - name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN "
      ansible.builtin.shell:
        cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
      become: false
      become_user: "{{ ansible_user }}"
      ignore_errors: true
    - name: Request certificate via ipa-getcert
      ansible.builtin.command: >
        ipa-getcert request
        -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
        -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
        -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
        -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
    - name: Wait for certificate to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
        timeout: 60
    - name: Change certificate permissions
      ansible.builtin.file:
-        path: "{{ rproxy_dir }}/certs/{{  rproxy_service_name  }}.csr"
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
-        state: absent
+        mode: "0744"
- name: Restart rproxy
+    - name: Wait for certificate key to appear
-  block:
+      ansible.builtin.wait_for:
-    - name: Restart container
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
-      containers.podman.podman_container:
+        timeout: 60
        name: rproxy
        image: "docker.io/library/nginx:{{ rproxy_version }}"
        state: started
        restart: true
        ports:
            - "443:443"
            - "80:80"
            - "9000:9000"
        volumes:
          - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
          - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
          - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
          - '{{ repo_data_dir }}:/repo:z,rw'
          - "/etc/localtime:/etc/localtime:ro"
        privileged: true
        security_opt:
          - "label=disable"
        log_driver: journald
        generate_systemd:
          path: /etc/systemd/system/
          restart_policy: always
          stop_timeout: 120
          names: true
-    - name: Daemon reload
+    - name: Change certificate key permissions
-      ansible.builtin.shell:
+      ansible.builtin.file:
-        cmd: systemctl daemon-reload
+        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
        mode: "0744"
-    - name: Enable rproxy service
+- name: Restart rproxy service
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: "container-rproxy.service"
+    name: "container-rproxy.service"
-        state: started
+    state: restarted
-        enabled: yes
+    enabled: yes
 - name: Create CNAME dns record
  community.general.ipa_dnsrecord:
    ipa_user: "{{ ansible_user }}"
    ipa_pass: "{{ ansible_password }}"
    zone_name: "{{ ansible_facts['domain'] }}"
    record_name: "{{  rproxy_service_name  }}"
    record_type: 'CNAME'
    record_value: "{{ ansible_facts['hostname'] }}"
    state: present
--- a/roles/rproxy/tasks/dockerrepo.yml
+++ b/roles/rproxy/tasks/dockerrepo.yml
@@ -23,50 +23,48 @@
 - name: Create certificates for image repository
  block:
-    - name: "Generate dockerrepo.key"
+    - name: Kinit
      community.crypto.openssl_privatekey: 
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        size: "2048"
    - name: "Generate server.csr"
      community.crypto.openssl_csr:
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        country_name: "RU"
        state_or_province_name: "RU"
        locality_name: "MSK"
        organization_name: "{{ ansible_domain }}"
        organizational_unit_name: "IT"
        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
        email_address: "admin@{{ ansible_domain }}"
        subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        extended_key_usage:
          - serverAuth
    - name: "Generate server.crt"
      community.crypto.x509_certificate:
        csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt"
        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        provider: ownca
        ownca_create_subject_key_identifier: always_create
        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
        ownca_not_after: "+365d"
    - name: Create fullchain certificate
      ansible.builtin.shell:
-        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt'
+        cmd: "echo '{{ ansible_password }}' | kinit"
      become: false
      become_user: "{{ ansible_user }}"
-    - name: Delete csr
+    - name: Create SPN for HTTP
      ansible.builtin.shell:
        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
      become: false
      become_user: "{{ ansible_user }}"
      ignore_errors: true
    - name: Request certificate via ipa-getcert
      ansible.builtin.command: >
        ipa-getcert request
        -f {{ rproxy_dir }}/certs/dockerrepo.crt
        -k {{ rproxy_dir }}/certs/dockerrepo.key
        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
    - name: Wait for certificate to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
        timeout: 60
    - name: Change certificate permissions
      ansible.builtin.file:
-        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
+        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
-        state: absent
+        mode: "0744"
    - name: Wait for certificate key to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
        timeout: 60
    - name: Change certificate key permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
        mode: "0744"
 - name: Start image repository
  block:
--- a/roles/rproxy/tasks/repo.yml
+++ b/roles/rproxy/tasks/repo.yml
@@ -14,85 +14,61 @@
 - name: Create https certificates for repository
  block:
-    - name: "Generate repo.key"
+    - name: Kinit
-      community.crypto.openssl_privatekey: 
+      ansible.builtin.shell:
-        path: "{{ rproxy_dir }}/certs/repo.key"
+        cmd: "echo '{{ ansible_password }}' | kinit"
-        size: "2048"
+      become: false
      become_user: "{{ ansible_user }}"
-    - name: "Generate server.csr"
+    - name: Create SPN for HTTP
-      community.crypto.openssl_csr:
+      ansible.builtin.shell:
-        path: "{{ rproxy_dir }}/certs/repo.csr"
+        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
-        privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
+      become: false
-        country_name: "RU"
+      become_user: "{{ ansible_user }}"
-        state_or_province_name: "RU"
+      ignore_errors: true
        locality_name: "MSK"
        organization_name: "{{ ansible_domain }}"
        organizational_unit_name: "IT"
        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
        email_address: "admin@{{ ansible_domain }}"
        subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}"
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        extended_key_usage:
          - serverAuth
-    - name: "Generate server.crt"
+    - name: Get all tracking certificates
-      community.crypto.x509_certificate:
+      ansible.builtin.shell:
-        csr_path: "{{ rproxy_dir }}/certs/repo.csr"
+        cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:"
      register: tracking_list
    - name: Remove certificates from IPA tracking
      ansible.builtin.shell:
        cmd: "ipa-getcert stop-tracking -i {{ item }}"
      loop: "{{ tracking_list.stdout_lines }}"
      ignore_errors: true
    - name: Request certificate via ipa-getcert
      ansible.builtin.command: >
        ipa-getcert request
        -f {{ rproxy_dir }}/certs/repo.crt
        -k {{ rproxy_dir }}/certs/repo.key
        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -F {{ rproxy_dir }}/certs/RootCA.crt
    - name: Wait for certificate to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/repo.crt"
-        privatekey_path: "{{ rproxy_dir }}/certs/repo.key"
+        timeout: 60
        provider: ownca
        ownca_create_subject_key_identifier: always_create
        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
        ownca_not_after: "+365d"
-    - name: Create fullchain certificate
+    - name: Change certificate permissions
      ansible.builtin.shell:
        cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt'
    - name: Delete csr
      ansible.builtin.file:
-        path: "{{ rproxy_dir }}/certs/repo.csr"
+        path: "{{ rproxy_dir }}/certs/repo.crt"
-        state: absent
+        mode: "0744"
- name: Restart rproxy
+    - name: Wait for certificate key to appear
-  block:
+      ansible.builtin.wait_for:
-    - name: Restart container
+        path: "{{ rproxy_dir }}/certs/repo.key"
-      containers.podman.podman_container:
+        timeout: 60
        name: rproxy
        image: "docker.io/library/nginx:{{ rproxy_version }}"
        state: started
        restart: true
        ports:
            - "443:443"
            - "80:80"
            - "9000:9000"
        volumes:
          - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
          - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
          - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
          - '{{ repo_data_dir }}:/repo:z,rw'
          - "/etc/localtime:/etc/localtime:ro"
        privileged: true
        security_opt:
          - "label=disable"
        log_driver: journald
        generate_systemd:
          path: /etc/systemd/system/
          restart_policy: always
          stop_timeout: 120
          names: true
-    - name: Daemon reload
+    - name: Change certificate key permissions
-      ansible.builtin.shell:
+      ansible.builtin.file:
-        cmd: systemctl daemon-reload
+        path: "{{ rproxy_dir }}/certs/repo.key"
        mode: "0744"
-    - name: Enable rproxy service
+- name: Restart rproxy service
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: "container-rproxy.service"
+    name: "container-rproxy.service"
-        state: started
+    state: restarted
-        enabled: yes
+    enabled: yes
--- a/roles/rproxy/tasks/rproxy.yml
+++ b/roles/rproxy/tasks/rproxy.yml
@@ -36,16 +36,6 @@
        src: files/nginx.conf
        dest: "{{ rproxy_dir }}/nginx.conf"
    - name: Copy RootCA certificate
      ansible.builtin.copy:
        src: files/RootCA.crt
        dest: '{{ rproxy_dir }}/certs/RootCA.crt'
    - name: Copy RootCA key
      ansible.builtin.copy:
        src: files/RootCA.key
        dest: '{{ rproxy_dir }}/certs/RootCA.key'
 - name: Install rproxy
  block:
    - name: Pull rproxy image
@@ -83,12 +73,9 @@
          stop_timeout: 120
          names: true
    - name: Daemon reload
      ansible.builtin.shell:
        cmd: systemctl daemon-reload
    - name: Enable rproxy service
      ansible.builtin.systemd:
        name: "container-rproxy.service"
        state: started
-        enabled: yes
+        enabled: yes
        daemon_reload: yes
--- a/roles/rproxy/templates/server.conf.j2
+++ b/roles/rproxy/templates/server.conf.j2
@@ -15,8 +15,8 @@ server {
    server_name {{ rproxy_service_name }}.{{ ansible_domain }};
    access_log /var/log/nginx/{{ rproxy_service_name }}.access.log;
    error_log /var/log/nginx/{{ rproxy_service_name }}.error.log;
-    ssl_certificate /etc/nginx/certs/{{  rproxy_service_name  }}.crt;
+    ssl_certificate /etc/nginx/certs/{{  rproxy_service_name  }}.{{ ansible_domain }}.crt;
-    ssl_certificate_key /etc/nginx/certs/{{  rproxy_service_name  }}.key;
+    ssl_certificate_key /etc/nginx/certs/{{  rproxy_service_name  }}.{{ ansible_domain }}.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4;
    ssl_prefer_server_ciphers on;
--- a/roles/rproxy/vars/main.yml
+++ b/roles/rproxy/vars/main.yml
@@ -1,6 +1,6 @@
 ansible_python_interpreter: /usr/bin/python3
 rproxy_dir: /opt/rproxy
-rproxy_version: latest
+rproxy_version: 1.29.0
 data_dir: /opt/data
 repo_data_dir: /opt/data/repo
 dockerrepo_dir: /opt/dockerrepo
Author	SHA1	Message	Date
Pavlov Makar	414976a4bc	Merge pull request 'HOTFIX remove tracking certs' (#40 ) from dev into master Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/40	2025-08-17 01:50:35 +03:00
Pavlov Makar	196477798b	HOTFIX remove tracking certs	2025-08-17 01:50:17 +03:00
Pavlov Makar	c5dead142f	Merge pull request 'Remove certificates from IPA tracking on repo rebuild' (#39 ) from dev into master Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/39	2025-08-16 15:30:31 +03:00
Pavlov Makar	11cf16ff53	Remove certificates from IPA tracking on repo rebuild	2025-08-16 15:28:48 +03:00
Pavlov Makar	81af5f3922	Merge pull request 'Move to FreeIPA CA certificate generation' (#38 ) from dev into master Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/38	2025-08-15 00:16:54 +03:00
Pavlov Makar	de3484c826	Ignore if rproxy already allow to fetch certificates	2025-08-15 00:15:32 +03:00
Pavlov Makar	a738ee71a8	Fix certs name for service	2025-08-15 00:13:45 +03:00
Pavlov Makar	d9ec475184	Ignore if fake host already exists	2025-08-15 00:11:47 +03:00
Pavlov Makar	d7919a4a45	Allow rproxy generate certificates for proxy host	2025-08-15 00:09:06 +03:00
Pavlov Makar	f4717d9d69	Add fake host creation for certificate create	2025-08-15 00:03:23 +03:00
Pavlov Makar	eae462797c	Fix SPN name request	2025-08-14 23:54:13 +03:00
Pavlov Makar	18a1e94100	Qa FreeIPA CA certificate generation	2025-08-14 23:50:01 +03:00