Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 07a4586486 | |||
| 8c2afbcac9 | |||
| 36c6511ed6 | |||
| 414976a4bc | |||
| 196477798b | |||
| c5dead142f | |||
| 11cf16ff53 |
46
Jenkinsfile
vendored
46
Jenkinsfile
vendored
@@ -11,12 +11,8 @@ pipeline {
|
||||
timestamps()
|
||||
}
|
||||
parameters {
|
||||
string(name: "target_host", defaultValue: "", trim: true, description: "Target host")
|
||||
booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy")
|
||||
booleanParam(name: "config_add", defaultValue: true, description: "Add config")
|
||||
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)")
|
||||
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)")
|
||||
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)")
|
||||
string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation")
|
||||
string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)")
|
||||
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
|
||||
}
|
||||
stages {
|
||||
@@ -44,11 +40,6 @@ pipeline {
|
||||
}
|
||||
}
|
||||
stage('Install Rproxy') {
|
||||
when {
|
||||
expression {
|
||||
return params.rproxy_install
|
||||
}
|
||||
}
|
||||
steps {
|
||||
script {
|
||||
withCredentials([
|
||||
@@ -60,36 +51,11 @@ pipeline {
|
||||
ansiblePlaybook(
|
||||
playbook: 'rproxy.yml',
|
||||
inventory: 'hosts.ini',
|
||||
tags: 'install',
|
||||
colorized: true,
|
||||
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Add config') {
|
||||
when {
|
||||
expression {
|
||||
return params.config_add
|
||||
}
|
||||
}
|
||||
steps {
|
||||
script {
|
||||
withCredentials([
|
||||
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
|
||||
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
|
||||
]) {
|
||||
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
|
||||
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
|
||||
ansiblePlaybook(
|
||||
playbook: 'rproxy.yml',
|
||||
inventory: 'hosts.ini',
|
||||
tags: 'add_config',
|
||||
colorized: true,
|
||||
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
|
||||
extras: '''--private-key ${SSH_KEY}
|
||||
-e "ansible_user=${username}
|
||||
ansible_password=${password}
|
||||
image_repo=${images_repo_url}"'''
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
13
README.md
13
README.md
@@ -3,12 +3,11 @@
|
||||
## Content
|
||||
* Reverse proxy
|
||||
* HTTPS file share
|
||||
* Docker-registry
|
||||
|
||||
## Installation
|
||||
```yml
|
||||
target_host: Enter FQDN or IP Address of target host
|
||||
rproxy_install: Install rproxy, https repo and docker-registry if checked
|
||||
rproxy_install: Install rproxy and https repo if checked
|
||||
config_add: Will config be created
|
||||
|
||||
rproxy_service_name: Server/service name without domain suffix
|
||||
@@ -34,13 +33,7 @@ Allows redirecting requests based on fqdn to the required address and ports with
|
||||
Would be installed with rproxy service. Hosted on port 9000. \
|
||||
Files should be stored in /opt/rproxy/repo/ to be shared.
|
||||
|
||||
## Docker-registry
|
||||
Would be installed with rproxy service. Hosted on port 5000.
|
||||
Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
|
||||
Install trust with root certificate
|
||||
How to store image:
|
||||
Put file in repo
|
||||
```bash
|
||||
# After image build
|
||||
docker tag $image $registry_address:5000/$image
|
||||
docker push $registry_address:5000/$image
|
||||
curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar -k
|
||||
```
|
||||
19
addconfig.yml
Normal file
19
addconfig.yml
Normal file
@@ -0,0 +1,19 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
|
||||
vars_prompt:
|
||||
- name: rproxy_service_name
|
||||
prompt: Enter service for rproxy
|
||||
private: false
|
||||
|
||||
- name: rproxy_service_port
|
||||
prompt: Enter service for rproxy
|
||||
private: false
|
||||
|
||||
- name: rproxy_service_address
|
||||
prompt: Enter service for rproxy
|
||||
private: false
|
||||
|
||||
roles:
|
||||
- addconfig
|
||||
@@ -3,3 +3,6 @@ hostfile = hosts.ini
|
||||
host_key_checking = false
|
||||
interpreter_python = /usr/bin/python3
|
||||
forks = 30
|
||||
|
||||
[ssh_connection]
|
||||
pipelining = true
|
||||
80
management/AddService.groovy
Normal file
80
management/AddService.groovy
Normal file
@@ -0,0 +1,80 @@
|
||||
pipeline {
|
||||
agent any
|
||||
options {
|
||||
buildDiscarder logRotator (
|
||||
numToKeepStr: '5',
|
||||
daysToKeepStr: '7',
|
||||
artifactNumToKeepStr: '10',
|
||||
artifactDaysToKeepStr: '7'
|
||||
)
|
||||
ansiColor('xterm')
|
||||
timestamps()
|
||||
}
|
||||
parameters {
|
||||
string(name: "target_host", defaultValue: "", trim: true, description: "Target host with rproxy installed")
|
||||
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (ex. jenkins)")
|
||||
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (ex. 8080)")
|
||||
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (ex. jenkins-master.olsson.ul)")
|
||||
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
|
||||
}
|
||||
stages {
|
||||
stage('Update Job') {
|
||||
when {
|
||||
expression {
|
||||
return params.update_job
|
||||
}
|
||||
}
|
||||
steps {
|
||||
script {
|
||||
currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)
|
||||
sleep(1)
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Prepare inventory') {
|
||||
steps {
|
||||
script {
|
||||
def hostsFile = new File("${WORKSPACE}/hosts.ini")
|
||||
hostsFile.append('[all]')
|
||||
hostsFile.append('\n' + params.target_host)
|
||||
println hostsFile.getText('UTF-8')
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Add config') {
|
||||
steps {
|
||||
script {
|
||||
withCredentials([
|
||||
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
|
||||
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
|
||||
]) {
|
||||
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
|
||||
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
|
||||
dir("${env.WORKSPACE}") {
|
||||
ansiblePlaybook(
|
||||
playbook: 'addconfig.yml',
|
||||
inventory: 'hosts.ini',
|
||||
colorized: true,
|
||||
extras: '''--private-key ${SSH_KEY}
|
||||
-e "ansible_user=${username}
|
||||
ansible_password=${password}
|
||||
rproxy_service_name=${rproxy_service_name}
|
||||
rproxy_service_port=${rproxy_service_port}
|
||||
rproxy_service_address=${rproxy_service_address}"'''
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
post {
|
||||
always {
|
||||
cleanWs(patterns: [
|
||||
[pattern: 'hosts.ini', type: 'INCLUDE']
|
||||
])
|
||||
}
|
||||
}
|
||||
}
|
||||
5
roles/addconfig/tasks/addconfig.yml
Normal file
5
roles/addconfig/tasks/addconfig.yml
Normal file
@@ -0,0 +1,5 @@
|
||||
---
|
||||
- name: Copy server.conf
|
||||
ansible.builtin.template:
|
||||
src: templates/server.conf.j2
|
||||
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
|
||||
83
roles/addconfig/tasks/certificates.yml
Normal file
83
roles/addconfig/tasks/certificates.yml
Normal file
@@ -0,0 +1,83 @@
|
||||
---
|
||||
- name: Create CNAME dns record
|
||||
community.general.ipa_dnsrecord:
|
||||
ipa_user: "{{ ansible_user }}"
|
||||
ipa_pass: "{{ ansible_password }}"
|
||||
zone_name: "{{ ansible_facts['domain'] }}"
|
||||
record_name: "{{ rproxy_service_name }}"
|
||||
record_type: 'CNAME'
|
||||
record_value: "{{ ansible_facts['hostname'] }}"
|
||||
state: present
|
||||
ignore_errors: true
|
||||
|
||||
- name: Kinit
|
||||
ansible.builtin.shell:
|
||||
cmd: "echo '{{ ansible_password }}' | kinit"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Create fake host for certificate
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Create SPN for HTTP
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Kdestroy
|
||||
ansible.builtin.shell:
|
||||
cmd: kdestroy
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Get all tracking certificates
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
|
||||
register: tracking_list
|
||||
|
||||
- name: Remove certificates from IPA tracking
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa-getcert stop-tracking -i {{ item }}"
|
||||
loop: "{{ tracking_list.stdout_lines }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Request certificate via ipa-getcert
|
||||
ansible.builtin.command: >
|
||||
ipa-getcert request
|
||||
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
|
||||
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
|
||||
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
||||
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
||||
|
||||
- name: Wait for certificate to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
||||
mode: "0744"
|
||||
|
||||
- name: Wait for certificate key to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate key permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
||||
mode: "0744"
|
||||
14
roles/addconfig/tasks/main.yml
Normal file
14
roles/addconfig/tasks/main.yml
Normal file
@@ -0,0 +1,14 @@
|
||||
---
|
||||
- name: Add config
|
||||
ansible.builtin.include_tasks:
|
||||
file: addconfig.yml
|
||||
|
||||
- name: Generate certificates
|
||||
ansible.builtin.include_tasks:
|
||||
file: certificates.yml
|
||||
|
||||
- name: Restart rproxy service
|
||||
ansible.builtin.systemd:
|
||||
name: "container-rproxy.service"
|
||||
state: restarted
|
||||
enabled: yes
|
||||
5
roles/addconfig/vars/main.yml
Normal file
5
roles/addconfig/vars/main.yml
Normal file
@@ -0,0 +1,5 @@
|
||||
---
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
||||
# Rproxy
|
||||
rproxy_dir: /opt/rproxy
|
||||
@@ -5,8 +5,6 @@
|
||||
- podman
|
||||
- podman-compose
|
||||
- podman-docker
|
||||
- podman-remote
|
||||
- podman-tui
|
||||
- buildah
|
||||
update_cache: yes
|
||||
|
||||
2
roles/podman/vars/main.yml
Normal file
2
roles/podman/vars/main.yml
Normal file
@@ -0,0 +1,2 @@
|
||||
---
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
@@ -20,7 +20,7 @@ server {
|
||||
dav_methods PUT DELETE MKCOL;
|
||||
dav_access user:rw group:r all:r;
|
||||
create_full_put_path on;
|
||||
client_max_body_size 100m;
|
||||
client_max_body_size 5g;
|
||||
|
||||
# auth_basic "Needs to auth";
|
||||
# auth_basic_user_file /etc/nginx/.htpasswd;
|
||||
|
||||
@@ -1,82 +0,0 @@
|
||||
---
|
||||
- name: Create server configs
|
||||
block:
|
||||
- name: Copy server.conf
|
||||
ansible.builtin.template:
|
||||
src: templates/server.conf.j2
|
||||
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
|
||||
|
||||
- name: Generate certificates for {{ rproxy_service_name }}
|
||||
block:
|
||||
- name: Create CNAME dns record
|
||||
community.general.ipa_dnsrecord:
|
||||
ipa_user: "{{ ansible_user }}"
|
||||
ipa_pass: "{{ ansible_password }}"
|
||||
zone_name: "{{ ansible_facts['domain'] }}"
|
||||
record_name: "{{ rproxy_service_name }}"
|
||||
record_type: 'CNAME'
|
||||
record_value: "{{ ansible_facts['hostname'] }}"
|
||||
state: present
|
||||
|
||||
- name: Kinit
|
||||
ansible.builtin.shell:
|
||||
cmd: "echo '{{ ansible_password }}' | kinit"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Create fake host for certificate
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Create SPN for HTTP
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN "
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Request certificate via ipa-getcert
|
||||
ansible.builtin.command: >
|
||||
ipa-getcert request
|
||||
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
|
||||
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
|
||||
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
||||
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
||||
|
||||
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
|
||||
|
||||
- name: Wait for certificate to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
||||
mode: "0744"
|
||||
|
||||
- name: Wait for certificate key to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate key permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
||||
mode: "0744"
|
||||
|
||||
- name: Restart rproxy service
|
||||
ansible.builtin.systemd:
|
||||
name: "container-rproxy.service"
|
||||
state: restarted
|
||||
enabled: yes
|
||||
59
roles/rproxy/tasks/certificates.yml
Normal file
59
roles/rproxy/tasks/certificates.yml
Normal file
@@ -0,0 +1,59 @@
|
||||
---
|
||||
- name: Kinit
|
||||
ansible.builtin.shell:
|
||||
cmd: "echo '{{ ansible_password }}' | kinit"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Create SPN for HTTP
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Kdestroy
|
||||
ansible.builtin.shell:
|
||||
cmd: kdestroy
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Get all tracking certificates
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/repo\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
|
||||
register: tracking_list
|
||||
|
||||
- name: Remove certificates from IPA tracking
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa-getcert stop-tracking -i {{ item }}"
|
||||
loop: "{{ tracking_list.stdout_lines }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Request certificate via ipa-getcert
|
||||
ansible.builtin.command: >
|
||||
ipa-getcert request
|
||||
-f {{ rproxy_dir }}/certs/repo.crt
|
||||
-k {{ rproxy_dir }}/certs/repo.key
|
||||
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
-F {{ rproxy_dir }}/certs/RootCA.crt
|
||||
|
||||
- name: Wait for certificate to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/repo.crt"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/repo.crt"
|
||||
mode: "0744"
|
||||
|
||||
- name: Wait for certificate key to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/repo.key"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate key permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/repo.key"
|
||||
mode: "0744"
|
||||
10
roles/rproxy/tasks/configs.yml
Normal file
10
roles/rproxy/tasks/configs.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Copy repo.conf
|
||||
ansible.builtin.copy:
|
||||
src: files/repo.conf
|
||||
dest: "{{ rproxy_dir }}/sites/repo.conf"
|
||||
|
||||
- name: Copy nginx.conf
|
||||
ansible.builtin.copy:
|
||||
src: files/nginx.conf
|
||||
dest: "{{ rproxy_dir }}/nginx.conf"
|
||||
31
roles/rproxy/tasks/dirs.yml
Normal file
31
roles/rproxy/tasks/dirs.yml
Normal file
@@ -0,0 +1,31 @@
|
||||
---
|
||||
- name: Remove rproxy dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}"
|
||||
state: absent
|
||||
|
||||
- name: Create rproxy dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Create rproxy data dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ repo_data_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Create sites dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/sites"
|
||||
state: directory
|
||||
|
||||
- name: Create certs dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs"
|
||||
state: directory
|
||||
|
||||
- name: Create repo dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ repo_data_dir }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
@@ -1,113 +0,0 @@
|
||||
---
|
||||
- name: Prepare for image repository
|
||||
block:
|
||||
- name: Remove dockerrepo dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ dockerrepo_dir }}"
|
||||
state: absent
|
||||
|
||||
- name: Create dockerrepo dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ dockerrepo_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Create repo dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ dockerrepo_data_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Create certs dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ dockerrepo_dir }}/certs"
|
||||
state: directory
|
||||
|
||||
- name: Create certificates for image repository
|
||||
block:
|
||||
- name: Kinit
|
||||
ansible.builtin.shell:
|
||||
cmd: "echo '{{ ansible_password }}' | kinit"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Create SPN for HTTP
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Request certificate via ipa-getcert
|
||||
ansible.builtin.command: >
|
||||
ipa-getcert request
|
||||
-f {{ rproxy_dir }}/certs/dockerrepo.crt
|
||||
-k {{ rproxy_dir }}/certs/dockerrepo.key
|
||||
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
|
||||
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
|
||||
|
||||
- name: Wait for certificate to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
|
||||
mode: "0744"
|
||||
|
||||
- name: Wait for certificate key to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate key permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
|
||||
mode: "0744"
|
||||
|
||||
- name: Start image repository
|
||||
block:
|
||||
- name: Pull repo image
|
||||
containers.podman.podman_image:
|
||||
name: registry:latest
|
||||
state: present
|
||||
|
||||
- name: Delete image repository container if exists
|
||||
containers.podman.podman_container:
|
||||
name: registry
|
||||
state: absent
|
||||
|
||||
- name: Start registry
|
||||
containers.podman.podman_container:
|
||||
name: registry
|
||||
image: registry:latest
|
||||
state: started
|
||||
ports:
|
||||
- "5000:5000"
|
||||
env:
|
||||
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
|
||||
REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
|
||||
volumes:
|
||||
- "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
|
||||
- "{{ dockerrepo_dir }}/certs:/certs:z,rw"
|
||||
- "/etc/localtime:/etc/localtime:ro"
|
||||
privileged: true
|
||||
security_opt:
|
||||
- "label=disable"
|
||||
log_driver: journald
|
||||
generate_systemd:
|
||||
path: /etc/systemd/system/
|
||||
restart_policy: always
|
||||
stop_timeout: 120
|
||||
names: true
|
||||
|
||||
- name: Daemon reload
|
||||
ansible.builtin.shell:
|
||||
cmd: systemctl daemon-reload
|
||||
|
||||
- name: Enable registry service
|
||||
ansible.builtin.systemd:
|
||||
name: "container-registry.service"
|
||||
state: started
|
||||
enabled: yes
|
||||
@@ -1,40 +1,20 @@
|
||||
---
|
||||
- name: Podman install
|
||||
- name: Prepare directories
|
||||
ansible.builtin.include_tasks:
|
||||
file: podman.yml
|
||||
apply:
|
||||
tags: install
|
||||
tags:
|
||||
- install
|
||||
file: dirs.yml
|
||||
|
||||
- name: Copy configs
|
||||
ansible.builtin.include_tasks:
|
||||
file: configs.yml
|
||||
|
||||
- name: Generate certificates
|
||||
ansible.builtin.include_tasks:
|
||||
file: certificates.yml
|
||||
|
||||
- name: Rproxy install
|
||||
ansible.builtin.include_tasks:
|
||||
file: rproxy.yml
|
||||
apply:
|
||||
tags: install
|
||||
tags:
|
||||
- install
|
||||
|
||||
- name: Repo install
|
||||
- name: Repository install
|
||||
ansible.builtin.include_tasks:
|
||||
file: repo.yml
|
||||
apply:
|
||||
tags: install
|
||||
tags:
|
||||
- install
|
||||
|
||||
- name: Docker repo install
|
||||
ansible.builtin.include_tasks:
|
||||
file: dockerrepo.yml
|
||||
apply:
|
||||
tags: install
|
||||
tags:
|
||||
- install
|
||||
|
||||
- name: Add config
|
||||
ansible.builtin.include_tasks:
|
||||
file: addconfig.yml
|
||||
apply:
|
||||
tags: add_config
|
||||
tags:
|
||||
- add_config
|
||||
@@ -1,62 +1,9 @@
|
||||
---
|
||||
- name: Prepare for https repository
|
||||
block:
|
||||
- name: Create repo dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ repo_data_dir }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
|
||||
- name: Copy repo.conf
|
||||
ansible.builtin.copy:
|
||||
src: files/repo.conf
|
||||
dest: "{{ rproxy_dir }}/sites/repo.conf"
|
||||
|
||||
- name: Create https certificates for repository
|
||||
block:
|
||||
- name: Kinit
|
||||
ansible.builtin.shell:
|
||||
cmd: "echo '{{ ansible_password }}' | kinit"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
|
||||
- name: Create SPN for HTTP
|
||||
ansible.builtin.shell:
|
||||
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
|
||||
become: false
|
||||
become_user: "{{ ansible_user }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Request certificate via ipa-getcert
|
||||
ansible.builtin.command: >
|
||||
ipa-getcert request
|
||||
-f {{ rproxy_dir }}/certs/repo.crt
|
||||
-k {{ rproxy_dir }}/certs/repo.key
|
||||
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
|
||||
-F {{ rproxy_dir }}/certs/RootCA.crt
|
||||
|
||||
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
|
||||
|
||||
- name: Wait for certificate to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/repo.crt"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/repo.crt"
|
||||
mode: "0744"
|
||||
|
||||
- name: Wait for certificate key to appear
|
||||
ansible.builtin.wait_for:
|
||||
path: "{{ rproxy_dir }}/certs/repo.key"
|
||||
timeout: 60
|
||||
|
||||
- name: Change certificate key permissions
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs/repo.key"
|
||||
mode: "0744"
|
||||
- name: Install createrepo
|
||||
ansible.builtin.yum:
|
||||
name:
|
||||
- createrepo
|
||||
update_cache: yes
|
||||
|
||||
- name: Restart rproxy service
|
||||
ansible.builtin.systemd:
|
||||
|
||||
@@ -1,81 +1,42 @@
|
||||
---
|
||||
- name: Prepare dirs for rproxy
|
||||
block:
|
||||
- name: Remove rproxy dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}"
|
||||
state: absent
|
||||
- name: Pull rproxy image
|
||||
containers.podman.podman_image:
|
||||
name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
|
||||
state: present
|
||||
|
||||
- name: Create data dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ data_dir }}"
|
||||
state: directory
|
||||
- name: Delete rproxy container if exists
|
||||
containers.podman.podman_container:
|
||||
name: rproxy
|
||||
state: absent
|
||||
|
||||
- name: Create rproxy dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}"
|
||||
state: directory
|
||||
- name: Start rproxy
|
||||
containers.podman.podman_container:
|
||||
name: rproxy
|
||||
image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
|
||||
state: started
|
||||
ports:
|
||||
- "443:443"
|
||||
- "80:80"
|
||||
- "9000:9000"
|
||||
volumes:
|
||||
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
|
||||
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
|
||||
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
|
||||
- '{{ repo_data_dir }}:/repo:z,rw'
|
||||
- "/etc/localtime:/etc/localtime:ro"
|
||||
privileged: true
|
||||
security_opt:
|
||||
- "label=disable"
|
||||
log_driver: journald
|
||||
generate_systemd:
|
||||
path: /etc/systemd/system/
|
||||
restart_policy: always
|
||||
stop_timeout: 120
|
||||
names: true
|
||||
|
||||
- name: Create rproxy data dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ repo_data_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Create sites dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/sites"
|
||||
state: directory
|
||||
|
||||
- name: Create certs dir
|
||||
ansible.builtin.file:
|
||||
path: "{{ rproxy_dir }}/certs"
|
||||
state: directory
|
||||
|
||||
- name: Copy nginx.conf
|
||||
ansible.builtin.copy:
|
||||
src: files/nginx.conf
|
||||
dest: "{{ rproxy_dir }}/nginx.conf"
|
||||
|
||||
- name: Install rproxy
|
||||
block:
|
||||
- name: Pull rproxy image
|
||||
containers.podman.podman_image:
|
||||
name: "docker.io/library/nginx:{{ rproxy_version }}"
|
||||
state: present
|
||||
|
||||
- name: Delete rproxy container if exists
|
||||
containers.podman.podman_container:
|
||||
name: rproxy
|
||||
state: absent
|
||||
|
||||
- name: Start rproxy
|
||||
containers.podman.podman_container:
|
||||
name: rproxy
|
||||
image: "docker.io/library/nginx:{{ rproxy_version }}"
|
||||
state: started
|
||||
ports:
|
||||
- "443:443"
|
||||
- "80:80"
|
||||
- "9000:9000"
|
||||
volumes:
|
||||
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
|
||||
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
|
||||
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
|
||||
- '{{ repo_data_dir }}:/repo:z,rw'
|
||||
- "/etc/localtime:/etc/localtime:ro"
|
||||
privileged: true
|
||||
security_opt:
|
||||
- "label=disable"
|
||||
log_driver: journald
|
||||
generate_systemd:
|
||||
path: /etc/systemd/system/
|
||||
restart_policy: always
|
||||
stop_timeout: 120
|
||||
names: true
|
||||
|
||||
- name: Enable rproxy service
|
||||
ansible.builtin.systemd:
|
||||
name: "container-rproxy.service"
|
||||
state: started
|
||||
enabled: yes
|
||||
daemon_reload: yes
|
||||
- name: Enable rproxy service
|
||||
ansible.builtin.systemd:
|
||||
name: "container-rproxy.service"
|
||||
state: started
|
||||
enabled: yes
|
||||
daemon_reload: yes
|
||||
@@ -1,7 +1,9 @@
|
||||
---
|
||||
# General
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
||||
# Rproxy
|
||||
rproxy_image: nginx
|
||||
rproxy_version: 1.29
|
||||
rproxy_dir: /opt/rproxy
|
||||
rproxy_version: 1.29.0
|
||||
data_dir: /opt/data
|
||||
repo_data_dir: /opt/data/repo
|
||||
dockerrepo_dir: /opt/dockerrepo
|
||||
dockerrepo_data_dir: /opt/data/dockerrepo
|
||||
repo_data_dir: /opt/repodata
|
||||
16
rproxy.yml
16
rproxy.yml
@@ -2,21 +2,11 @@
|
||||
- hosts: all
|
||||
become: yes
|
||||
|
||||
vars:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
||||
vars_prompt:
|
||||
- name: rproxy_service_name
|
||||
prompt: Enter service for rproxy
|
||||
private: false
|
||||
|
||||
- name: rproxy_service_port
|
||||
prompt: Enter service for rproxy
|
||||
private: false
|
||||
|
||||
- name: rproxy_service_address
|
||||
prompt: Enter service for rproxy
|
||||
- name: image_repo
|
||||
prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000)
|
||||
private: false
|
||||
|
||||
roles:
|
||||
- podman
|
||||
- rproxy
|
||||
|
||||
Reference in New Issue
Block a user