v2.1 ... v4.1

ed382d8d41 Merge pull request 'ICR integration' (#51) from dev into master
Reviewed-on: https://remvpn.olssonul.com/iac/rproxy/pulls/51
2026-02-13 01:04:08 +03:00
a11ad65e98 Merge pull request 'ICR integration' (#50) from feature/icr into dev
Reviewed-on: https://remvpn.olssonul.com/iac/rproxy/pulls/50
2026-02-13 01:03:54 +03:00
7c3b63c8c9 ICR integration 2026-02-13 01:03:38 +03:00
ed7594cea8 Merge pull request 'Create dirs for repo and add pypiserver service' (#49) from dev into master
Reviewed-on: https://remvpn.olssonul.com/iac/rproxy/pulls/49
2025-12-02 23:19:44 +03:00
05578db75b Create dirs for repo and add pypiserver service 2025-12-02 23:18:56 +03:00
fa5b88c272 Merge pull request 'Improved README' (#47) from dev into master
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/47
2025-10-24 20:08:37 +03:00
0527945668 Improved README 2025-10-24 19:59:20 +03:00
07a4586486 Merge pull request 'Divide add config and rproxy installation' (#46) from dev into master
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/46
2025-10-21 01:39:48 +03:00
8c2afbcac9 Divide add config and rproxy installation 2025-10-21 01:25:24 +03:00
36c6511ed6 Remove registry installation from job 2025-10-21 00:46:04 +03:00
414976a4bc Merge pull request 'HOTFIX remove tracking certs' (#40) from dev into master
Reviewed-on: https://remvpn.olssonul.com/IaC/rproxy/pulls/40
2025-08-17 01:50:35 +03:00
196477798b HOTFIX remove tracking certs 2025-08-17 01:50:17 +03:00
25 changed files with 539 additions and 461 deletions

Jenkinsfile vendored

@@ -10,13 +10,13 @@ pipeline {
ansiColor('xterm')
timestamps()
}
environment {
INFRA_CONFIG_REPO = credentials("INFRA_CONFIG_REPO")
}
parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host")
booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy")
booleanParam(name: "config_add", defaultValue: true, description: "Add config")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)")
choice(name: "infra", choices: ['prod', 'dev'], description: "Select infrastructure type")
choice(name: "repo_location", choices: ['local', 'remote'], description: "Select repository location")
string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
}
stages {
@@ -43,41 +43,25 @@ pipeline {
}
}
}
stage('Install Rproxy') {
when {
expression {
return params.rproxy_install
}
}
stage('Get environment') {
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
ansiblePlaybook(
playbook: 'rproxy.yml',
inventory: 'hosts.ini',
tags: 'install',
colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
)
}
}
dir('infra-config') {
git url: env.INFRA_CONFIG_REPO,
branch: params.infra,
credentialsId: 'JENKINS_GIT_ACCESS'
sh "ansible-playbook render.yml"
infraVars = readYaml file: "./global.yml"
}
}
}
}
stage('Add config') {
when {
expression {
return params.config_add
}
}
stage('Install Rproxy') {
steps {
script {
images_repo_url = infraVars["${params.repo_location}"]["repos"]["registry_url"]
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
@@ -87,9 +71,13 @@ pipeline {
ansiblePlaybook(
playbook: 'rproxy.yml',
inventory: 'hosts.ini',
tags: 'add_config',
colorized: true,
extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
extras: "--private-key ${SSH_KEY}",
extraVars: [
ansible_user: [value: "${username}", hidden: false],
ansible_password: [value: "${password}", hidden: true],
image_repo: [value: "${images_repo_url}", hidden: false]
]
)
}
}
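Review bot: `extras: "--private-key ${SSH_KEY}"` in the last hunk interpolates a credential-bound variable inside a Groovy double-quoted string, which triggers Jenkins' "Groovy String interpolation" warning and may put the resolved key path into the recorded step arguments; the previous form used single quotes and left expansion to the plugin, so `extras: '--private-key ${SSH_KEY}'` keeps the new `extraVars` split without that. Moving the password into `extraVars` with `hidden: true` is the right direction. Separately, `infraVars` in the 'Get environment' stage is assigned without `def`, making it a script-global that 'Install Rproxy' reads later; that looks intentional, and a comment such as `// script-scoped on purpose: read by 'Install Rproxy' below` would make it explicit. The 'Install Rproxy' stage continues outside the hunk.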

README.md

@@ -1,46 +1,83 @@
# PROXY
# Rproxy
## Content
* Reverse proxy
* HTTPS file share
* Docker-registry
## Description
## Installation
```yml
target_host: Enter FQDN or IP Address of target host
rproxy_install: Install rproxy, https repo and docker-registry if checked
config_add: Will config be created
This job handles Nginx 1.29 installation and includes the following components:
rproxy_service_name: Server/service name without domain suffix
rproxy_service_port: Port to redirect the request to
rproxy_service_address: Address to redirect the request to
- **Nginx as Reverse Proxy**:
- Acts as a reverse proxy for secure traffic routing
- Supports SSL termination
Example:
domain: olsson.ul
jenkins_host: http://10.10.10.1:8080/
- **HTTP Repository**:
- Provides a base for hosting and managing web content
rproxy_service_name: jenkins
rproxy_service_port: 8080
rproxy_service_address: 10.10.10.1
- **Infrastructure**:
- ✅ Includes Podman installation
- ✅ Contains a management job for proxy configuration
- Allows seamless addition of new services (e.g., enabling SSL access to Jenkins)
# After adding alias jenkins.olsson.ul => rproxy.olsson.ul
result_address: https://jenkins.olsson.ul/
```
### Nginx as Reverse Proxy
## Reverse Proxy
Allows redirecting requests based on fqdn to the required address and ports with ssl certificate substitution
**Setup**:
- Installs Nginx container in Podman environment
## HTTPS repository
Would be installed with rproxy service. Hosted on port 9000. \
Files should be stored in /opt/rproxy/repo/ to be shared.
**Configuration Structure**:
- **Root directory**: `/opt/rproxy`
- **Main config**: `/opt/rproxy/nginx.conf`
- **Site-specific configs**: `/opt/rproxy/sites/*.conf`
- **Certificates**: `/opt/rproxy/certs/` (stores unique certificates for each connected site)
## Docker-registry
Would be installed with rproxy service. Hosted on port 5000.
Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
Install trust with root certificate
How to store image:
**Operation**:
- Listens on `https://$hostname/`
- Maps incoming requests to `/opt/rproxy/sites/$hostname.conf`
- Forwards traffic to `https://$hostname:[port]` with SSL termination
**Entrypoint**:
- Proxy endpoint: `https://$hostname/`
### HTTP Repository
**Configuration**:
- A `repo.conf` file is added to the `/opt/rproxy/sites/` directory
- **DAVFS** functionality is enabled for file management
- **Data storage path**: `/opt/repodata`
**Access Point**:
- Proxy endpoint: `https://localhost:9000/`
#### Example Usage
Upload a file to the repository using `curl`:
```bash
# After image build
docker tag $image $registry_address:5000/$image
docker push $registry_address:5000/$image
# Upload example: kafka_4.1.tar to /podman/kafka/4.1/
curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar
```
## Add configuration via management job
Import management/AddService.groovy to Jenkins
To integrate `http://jenkins-master.olsson.ul:8080` with the SSL proxy, configure these parameters:
- **target_host**: Host with rproxy installed
- **rproxy_service_name**: Service identifier (e.g., `jenkins`)
- **rproxy_service_port**: Port (e.g., `8080`)
- **rproxy_service_address**: Address (e.g., `jenkins-master.olsson.ul` or `10.10.10.1`)
**Result**:
`https://jenkins.olsson.ul/` will securely route to `http://jenkins-master.olsson.ul:8080`.
CNAME configuration (`jenkins.olsson.ul → rproxy`) is automatically handled during deployment in FreeIPA.
## Software Requirements
* OS - AlmaLinux 10
* FreeIPA domain (for certificates request)
## Jenkins credentials
* JENKINS_DEPLOYER_PASS (domain)
* JENKINS_DEPLOYER_KEY (domain)
## Jenkins paramethers
* target_hosts - is basic inventory line for ansible
* images_repo_url - image registry with nginx repository
* update_job - download changes from git and finish job

addconfig.yml Normal file

@@ -0,0 +1,19 @@
---
- hosts: all
become: yes
vars_prompt:
- name: rproxy_service_name
prompt: Enter service for rproxy
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
private: false
roles:
- addconfig
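Review bot: All three `vars_prompt` entries carry the same text `prompt: Enter service for rproxy`, so an operator running the playbook interactively cannot tell whether the name, the port or the address is being requested. Suggest `prompt: Enter service name for rproxy`, `prompt: Enter service port for rproxy` and `prompt: Enter service address for rproxy` respectively. `become: yes` would also read as `become: true`, matching yamllint's truthy rule.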


@@ -3,3 +3,6 @@ hostfile = hosts.ini
host_key_checking = false
interpreter_python = /usr/bin/python3
forks = 30
[ssh_connection]
pipelining = true
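Review bot: `pipelining = true` under `[ssh_connection]` breaks privilege escalation on hosts whose sudoers still sets `requiretty`, and every playbook in this commit runs with `become: yes`; a comment above it, `# requires requiretty to be disabled in sudoers on targets`, records that precondition. The `host_key_checking = false` context line is untouched by this commit but disables SSH host identity verification for every deploy; it is worth revisiting with a known_hosts file managed alongside `hosts.ini`. The file header is not visible in this section, so the file name is inferred from the keys.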


@@ -0,0 +1,80 @@
pipeline {
agent any
options {
buildDiscarder logRotator (
numToKeepStr: '5',
daysToKeepStr: '7',
artifactNumToKeepStr: '10',
artifactDaysToKeepStr: '7'
)
ansiColor('xterm')
timestamps()
}
parameters {
string(name: "target_host", defaultValue: "", trim: true, description: "Target host with rproxy installed")
string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (ex. jenkins)")
string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (ex. 8080)")
string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (ex. jenkins-master.olsson.ul)")
booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
}
stages {
stage('Update Job') {
when {
expression {
return params.update_job
}
}
steps {
script {
currentBuild.getRawBuild().getExecutor().interrupt(Result.SUCCESS)
sleep(1)
}
}
}
stage('Prepare inventory') {
steps {
script {
def hostsFile = new File("${WORKSPACE}/hosts.ini")
hostsFile.append('[all]')
hostsFile.append('\n' + params.target_host)
println hostsFile.getText('UTF-8')
}
}
}
stage('Add config') {
steps {
script {
withCredentials([
sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'),
usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
]) {
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env.password]]]) {
wrap([$class: 'AnsiColorBuildWrapper', colorMapName: "xterm"]) {
dir("${env.WORKSPACE}") {
ansiblePlaybook(
playbook: 'addconfig.yml',
inventory: 'hosts.ini',
colorized: true,
extras: '''--private-key ${SSH_KEY}
-e "ansible_user=${username}
ansible_password=${password}
rproxy_service_name=${rproxy_service_name}
rproxy_service_port=${rproxy_service_port}
rproxy_service_address=${rproxy_service_address}"'''
)
}
}
}
}
}
}
}
}
post {
always {
cleanWs(patterns: [
[pattern: 'hosts.ini', type: 'INCLUDE']
])
}
}
}
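Review bot: The 'Add config' stage passes `ansible_password=${password}` inside `extras`, i.e. on the ansible-playbook command line, where it is visible in the agent's process list and in any logged command string; `MaskPasswordsBuildWrapper` only masks console output. The other Jenkinsfile in this commit already moved credentials into `extraVars` with `hidden: true`, so this new job should use the same form (rewrite below). `new File("${WORKSPACE}/hosts.ini")` in 'Prepare inventory' runs on the controller JVM rather than the agent, so with `agent any` on a remote node the inventory is written to the wrong machine; `writeFile file: 'hosts.ini', text: "[all]\n${params.target_host}\n"` is the agent-side step. The multi-line `'''...'''` string also embeds newlines inside the `-e "..."` argument, which the `extraVars` form avoids.
```groovy
ansiblePlaybook(
    playbook: 'addconfig.yml',
    inventory: 'hosts.ini',
    colorized: true,
    extras: '--private-key ${SSH_KEY}',
    extraVars: [
        ansible_user: [value: "${username}", hidden: false],
        ansible_password: [value: "${password}", hidden: true],
        rproxy_service_name: [value: params.rproxy_service_name, hidden: false],
        rproxy_service_port: [value: params.rproxy_service_port, hidden: false],
        rproxy_service_address: [value: params.rproxy_service_address, hidden: false]
    ]
)
```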


@@ -0,0 +1,5 @@
---
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"


@@ -0,0 +1,83 @@
---
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present
ignore_errors: true
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create fake host for certificate
ansible.builtin.shell:
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
ansible.builtin.shell:
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
mode: "0744"
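Review bot: The Kinit task pipes the deployer password through `echo '{{ ansible_password }}' | kinit` with no `no_log`, so the password appears in the host's process list for the duration of the echo and in Ansible's output whenever the task fails or runs verbose; add `no_log: true` to that task, and to the `ipa_dnsrecord` task whose arguments include `ipa_pass`. The final task leaves the private key at `mode: "0744"`, which is world-readable on the host; `mode: "0640"` appears sufficient if the nginx container runs as root, as the privileged podman task elsewhere in this commit suggests — confirm. The later hunk that requests `repo.crt`/`repo.key` has the same two issues. `ignore_errors: true` on the CNAME task also means a failed DNS record creation continues silently into certificate issuance, which then fails with a less obvious error.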


@@ -0,0 +1,14 @@
---
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: restarted
enabled: yes


@@ -0,0 +1,5 @@
---
ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_dir: /opt/rproxy


@@ -5,8 +5,6 @@
- podman
- podman-compose
- podman-docker
- podman-remote
- podman-tui
- buildah
update_cache: yes


@@ -0,0 +1,2 @@
---
ansible_python_interpreter: /usr/bin/python3


@@ -20,7 +20,7 @@ server {
dav_methods PUT DELETE MKCOL;
dav_access user:rw group:r all:r;
create_full_put_path on;
client_max_body_size 100m;
client_max_body_size 5g;
# auth_basic "Needs to auth";
# auth_basic_user_file /etc/nginx/.htpasswd;
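Review bot: Raising `client_max_body_size` to `5g` on a location whose `auth_basic` pair is still commented out means any client that reaches port 9000 can `PUT` multi-gigabyte files and `DELETE`/`MKCOL` without credentials, so the change enlarges a disk-exhaustion and tampering exposure rather than just a size limit; the enclosing `location`/`server` block starts outside the hunk, so whether something else restricts writers cannot be seen here. If uploads only come from the Jenkins host, a `limit_except GET HEAD { allow <jenkins-ip>; deny all; }` guard (placeholder address), or enabling the `auth_basic` pair, would bound that.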


@@ -1,82 +0,0 @@
---
- name: Create server configs
block:
- name: Copy server.conf
ansible.builtin.template:
src: templates/server.conf.j2
dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
- name: Generate certificates for {{ rproxy_service_name }}
block:
- name: Create CNAME dns record
community.general.ipa_dnsrecord:
ipa_user: "{{ ansible_user }}"
ipa_pass: "{{ ansible_password }}"
zone_name: "{{ ansible_facts['domain'] }}"
record_name: "{{ rproxy_service_name }}"
record_type: 'CNAME'
record_value: "{{ ansible_facts['hostname'] }}"
state: present
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create fake host for certificate
ansible.builtin.shell:
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN "
ansible.builtin.shell:
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
mode: "0744"
- name: Restart rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: restarted
enabled: yes


@@ -0,0 +1,59 @@
---
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Kdestroy
ansible.builtin.shell:
cmd: kdestroy
become: false
become_user: "{{ ansible_user }}"
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/repo\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/repo.crt
-k {{ rproxy_dir }}/certs/repo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-F {{ rproxy_dir }}/certs/RootCA.crt
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.key"
mode: "0744"


@@ -0,0 +1,10 @@
---
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"


@@ -0,0 +1,61 @@
---
- name: Remove rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: absent
- name: Create rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: directory
- name: Create rproxy data dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
- name: "Create {{ repo_data_dir }}/archive"
ansible.builtin.file:
path: "{{ repo_data_dir }}/archive"
state: directory
- name: "Create {{ repo_data_dir }}/pip"
ansible.builtin.file:
path: "{{ repo_data_dir }}/pip"
state: directory
- name: "Create {{ repo_data_dir }}/pip/py3"
ansible.builtin.file:
path: "{{ repo_data_dir }}/pip/py3"
state: directory
- name: "Create {{ repo_data_dir }}/repo"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo"
state: directory
- name: "Create {{ repo_data_dir }}/repo/almalinux"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo/almalinux"
state: directory
- name: "Create {{ repo_data_dir }}/repo/almalinux/10"
ansible.builtin.file:
path: "{{ repo_data_dir }}/repo/almalinux/10"
state: directory
- name: Create sites dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
mode: 0777
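Review bot: `{{ repo_data_dir }}` is created twice in this file, first as 'Create rproxy data dir' and again at the end as 'Create repo dir' with `mode: 0777`, so the earlier task is redundant and the resulting mode depends on task order. The octal is unquoted; PyYAML reads `0777` as an octal int, which Ansible accepts, but ansible-lint flags it and `mode: "0777"` is the unambiguous form. World-writable on the directory served by the DAV location is wider than needed if the container runs as root (the podman task uses `privileged: true` and `:z` relabeling) — `mode: "0775"` with matching ownership would be tighter; confirm. A comment on the first task, e.g. `# full reinstall: wipes existing site configs and certs under rproxy_dir`, would flag that this role is destructive on every run.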


@@ -1,113 +0,0 @@
---
- name: Prepare for image repository
block:
- name: Remove dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: absent
- name: Create dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ dockerrepo_data_dir }}"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}/certs"
state: directory
- name: Create certificates for image repository
block:
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/dockerrepo.crt
-k {{ rproxy_dir }}/certs/dockerrepo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
mode: "0744"
- name: Start image repository
block:
- name: Pull repo image
containers.podman.podman_image:
name: registry:latest
state: present
- name: Delete image repository container if exists
containers.podman.podman_container:
name: registry
state: absent
- name: Start registry
containers.podman.podman_container:
name: registry
image: registry:latest
state: started
ports:
- "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
volumes:
- "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
- "{{ dockerrepo_dir }}/certs:/certs:z,rw"
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable registry service
ansible.builtin.systemd:
name: "container-registry.service"
state: started
enabled: yes


@@ -1,40 +1,24 @@
---
- name: Podman install
- name: Prepare directories
ansible.builtin.include_tasks:
file: podman.yml
apply:
tags: install
tags:
- install
file: dirs.yml
- name: Copy configs
ansible.builtin.include_tasks:
file: configs.yml
- name: Generate certificates
ansible.builtin.include_tasks:
file: certificates.yml
- name: Rproxy install
ansible.builtin.include_tasks:
file: rproxy.yml
apply:
tags: install
tags:
- install
- name: Repo install
- name: Repository install
ansible.builtin.include_tasks:
file: repo.yml
apply:
tags: install
tags:
- install
- name: Docker repo install
- name: Pypi repository install
ansible.builtin.include_tasks:
file: dockerrepo.yml
apply:
tags: install
tags:
- install
- name: Add config
ansible.builtin.include_tasks:
file: addconfig.yml
apply:
tags: add_config
tags:
- add_config
file: pypi.yml


@@ -0,0 +1,17 @@
---
- name: Install pypi-server
ansible.builtin.pip:
name:
- pypiserver
- name: Copy pypi-server service file
ansible.builtin.template:
src: "templates/pypiserver.service.j2"
dest: "/etc/systemd/system/pypiserver.service"
- name: Enable pypiserver service
ansible.builtin.systemd:
name: "pypiserver.service"
state: started
enabled: yes
daemon_reload: yes
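Review bot: `ansible.builtin.pip` installs `pypiserver` unpinned, so each run pulls whatever the index serves that day and the deployed server version is neither reproducible nor reviewable; `- pypiserver==<pinned-version>` (placeholder: the version actually tested) keeps it deterministic. It also installs into the system interpreter as root; the `virtualenv:` option would isolate it, though the unit's `ExecStart` would then need the venv path. `enabled: yes` and `daemon_reload: yes` would read as `true` per yamllint's truthy rule.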


@@ -1,71 +1,9 @@
---
- name: Prepare for https repository
block:
- name: Create repo dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
mode: 0777
- name: Copy repo.conf
ansible.builtin.copy:
src: files/repo.conf
dest: "{{ rproxy_dir }}/sites/repo.conf"
- name: Create https certificates for repository
block:
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/repo.crt
-k {{ rproxy_dir }}/certs/repo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-F {{ rproxy_dir }}/certs/RootCA.crt
- name: Get all tracking certificates
ansible.builtin.shell:
cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:"
register: tracking_list
- name: Remove certificates from IPA tracking
ansible.builtin.shell:
cmd: "ipa-getcert stop-tracking -i {{ item }}"
loop: "{{ tracking_list.stdout_lines }}"
ignore_errors: true
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/repo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/repo.key"
mode: "0744"
- name: Install createrepo
ansible.builtin.yum:
name:
- createrepo
update_cache: yes
- name: Restart rproxy service
ansible.builtin.systemd:


@@ -1,81 +1,42 @@
---
- name: Prepare dirs for rproxy
block:
- name: Remove rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: absent
- name: Pull rproxy image
containers.podman.podman_image:
name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
state: present
- name: Create data dir
ansible.builtin.file:
path: "{{ data_dir }}"
state: directory
- name: Delete rproxy container if exists
containers.podman.podman_container:
name: rproxy
state: absent
- name: Create rproxy dir
ansible.builtin.file:
path: "{{ rproxy_dir }}"
state: directory
- name: Start rproxy
containers.podman.podman_container:
name: rproxy
image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
state: started
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Create rproxy data dir
ansible.builtin.file:
path: "{{ repo_data_dir }}"
state: directory
- name: Create sites dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/sites"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs"
state: directory
- name: Copy nginx.conf
ansible.builtin.copy:
src: files/nginx.conf
dest: "{{ rproxy_dir }}/nginx.conf"
- name: Install rproxy
block:
- name: Pull rproxy image
containers.podman.podman_image:
name: "docker.io/library/nginx:{{ rproxy_version }}"
state: present
- name: Delete rproxy container if exists
containers.podman.podman_container:
name: rproxy
state: absent
- name: Start rproxy
containers.podman.podman_container:
name: rproxy
image: "docker.io/library/nginx:{{ rproxy_version }}"
state: started
ports:
- "443:443"
- "80:80"
- "9000:9000"
volumes:
- '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw'
- '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw'
- '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw'
- '{{ repo_data_dir }}:/repo:z,rw'
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Enable rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
enabled: yes
daemon_reload: yes
- name: Enable rproxy service
ansible.builtin.systemd:
name: "container-rproxy.service"
state: started
enabled: yes
daemon_reload: yes
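Review bot: `privileged: true` together with `security_opt: label=disable` is kept on the new side for the rproxy container, yet it only needs the three bind mounts (already relabeled with `:z`) and the 80/443/9000 ports; the combination removes SELinux confinement and grants every capability, so a bug in nginx or in the DAV upload path becomes host-level. `cap_add` with `NET_BIND_SERVICE` and no `privileged` is normally enough for this — confirm against the running setup before changing. The image is now pulled by mutable tag from the operator-supplied `image_repo`; a digest-pinned reference would make installs reproducible.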


@@ -0,0 +1,17 @@
[Unit]
Description=PyPI Server (pypiserver)
After=network.target
Wants=network.target
[Service]
Type=simple
WorkingDirectory={{ repo_data_dir }}/pip/py3
ExecStart=/usr/bin/python3 -m pypiserver -p 10000 -o {{ repo_data_dir }}/pip/py3
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
ReadWriteDirectories={{ repo_data_dir }}/pip/py3
[Install]
WantedBy=multi-user.target
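Review bot: The unit has no `User=`/`Group=`, so pypiserver serves and accepts uploads on port 10000 as root; a dedicated account with `User=<pypi-user>` (placeholder) plus `NoNewPrivileges=true` and `ProtectSystem=strict` keeps a compromise of the server away from the rest of the host. `ReadWriteDirectories=` is the deprecated alias of `ReadWritePaths=` and has no practical effect unless something like `ProtectSystem=` makes the rest read-only, so as written it is a no-op. Whether uploads require authentication depends on pypiserver's defaults and cannot be seen here; a comment on the `ExecStart` line stating the intended auth model would help.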


@@ -1,7 +1,9 @@
---
# General
ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_image: nginx
rproxy_version: 1.29
rproxy_dir: /opt/rproxy
rproxy_version: 1.29.0
data_dir: /opt/data
repo_data_dir: /opt/data/repo
dockerrepo_dir: /opt/dockerrepo
dockerrepo_data_dir: /opt/data/dockerrepo
repo_data_dir: /opt/repodata


@@ -2,21 +2,11 @@
- hosts: all
become: yes
vars:
ansible_python_interpreter: /usr/bin/python3
vars_prompt:
- name: rproxy_service_name
prompt: Enter service for rproxy
private: false
- name: rproxy_service_port
prompt: Enter service for rproxy
private: false
- name: rproxy_service_address
prompt: Enter service for rproxy
- name: image_repo
prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000)
private: false
roles:
- podman
- rproxy