Merge pull request 'ICR integration' (#51) from dev into master

Reviewed-on: https://remvpn.olssonul.com/iac/rproxy/pulls/51

Jenkinsfile

@@ -10,9 +10,13 @@ pipeline {
         ansiColor('xterm')
         timestamps()
     }
+    environment {
+        INFRA_CONFIG_REPO = credentials("INFRA_CONFIG_REPO")
+    }
     parameters {
+        choice(name: "infra", choices: ['prod', 'dev'], description: "Select infrastructure type")
+        choice(name: "repo_location", choices: ['local', 'remote'], description: "Select repository location")
         string(name: "target_host", defaultValue: "", trim: true, description: "Target host for rproxy installation")
-        string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)")
         booleanParam(name: 'update_job', defaultValue: false, description: 'Update job, free run, no changes')
     }
     stages {
@@ -39,9 +43,25 @@ pipeline {
                 }
             }
         }
+        stage('Get environment') {
+            steps {
+                script {
+                    dir('infra-config') {
+                        git url: env.INFRA_CONFIG_REPO,
+                            branch: params.infra,
+                            credentialsId: 'JENKINS_GIT_ACCESS'
+
+                        sh "ansible-playbook render.yml"
+                        infraVars = readYaml file: "./global.yml"
+                    }
+                }
+            }
+        }
         stage('Install Rproxy') {
             steps {
                 script {
+                    images_repo_url = infraVars["${params.repo_location}"]["repos"]["registry_url"]
+
                     withCredentials([
                         sshUserPrivateKey(credentialsId: 'JENKINS_DEPLOYER_KEY', keyFileVariable: 'SSH_KEY'), 
                         usernamePassword(credentialsId:'JENKINS_DEPLOYER_PASS', usernameVariable: 'username', passwordVariable: 'password')
@@ -52,10 +72,12 @@ pipeline {
                                     playbook: 'rproxy.yml',
                                     inventory: 'hosts.ini',
                                     colorized: true,
-                                    extras: '''--private-key ${SSH_KEY} 
+                                    extras: "--private-key ${SSH_KEY}",
-                                    -e "ansible_user=${username} 
+                                    extraVars: [
-                                    ansible_password=${password} 
+                                        ansible_user: [value: "${username}", hidden: false],
-                                    image_repo=${images_repo_url}"'''
+                                        ansible_password: [value: "${password}", hidden: true],
+                                        image_repo: [value: "${images_repo_url}", hidden: false]
+                                    ]
                                 )
                             }                            
                         }

README.md

@@ -1,39 +1,83 @@
-# PROXY
+# Rproxy
 
-## Content
+## Description
-* Reverse proxy
-* HTTPS file share
 
-## Installation
+This job handles Nginx 1.29 installation and includes the following components:
-```yml
-target_host: Enter FQDN or IP Address of target host
-rproxy_install: Install rproxy and https repo if checked
-config_add: Will config be created
 
-rproxy_service_name: Server/service name without domain suffix
+- **Nginx as Reverse Proxy**:  
-rproxy_service_port: Port to redirect the request to 
+  - Acts as a reverse proxy for secure traffic routing  
-rproxy_service_address: Address to redirect the request to 
+  - Supports SSL termination  
 
-Example:
+- **HTTP Repository**:  
-domain: olsson.ul
+  - Provides a base for hosting and managing web content  
-jenkins_host: http://10.10.10.1:8080/
 
-rproxy_service_name: jenkins
+- **Infrastructure**:  
-rproxy_service_port: 8080
+  - ✅ Includes Podman installation  
-rproxy_service_address: 10.10.10.1
+  - ✅ Contains a management job for proxy configuration  
+    - Allows seamless addition of new services (e.g., enabling SSL access to Jenkins)  
 
-# After adding alias jenkins.olsson.ul => rproxy.olsson.ul
+### Nginx as Reverse Proxy
-result_address: https://jenkins.olsson.ul/
-```
 
-## Reverse Proxy
+**Setup**:  
-Allows redirecting requests based on fqdn to the required address and ports with ssl certificate substitution
+- Installs Nginx container in Podman environment  
 
-## HTTPS repository
+**Configuration Structure**:  
-Would be installed with rproxy service. Hosted on port 9000. \
+- **Root directory**: `/opt/rproxy`  
-Files should be stored in /opt/rproxy/repo/ to be shared.
+  - **Main config**: `/opt/rproxy/nginx.conf`  
+  - **Site-specific configs**: `/opt/rproxy/sites/*.conf`  
+  - **Certificates**: `/opt/rproxy/certs/` (stores unique certificates for each connected site)  
 
-Put file in repo
+**Operation**:  
+- Listens on `https://$hostname/`  
+- Maps incoming requests to `/opt/rproxy/sites/$hostname.conf`  
+- Forwards traffic to `https://$hostname:[port]` with SSL termination  
+
+**Entrypoint**:  
+- Proxy endpoint: `https://$hostname/`  
+
+
+### HTTP Repository
+
+**Configuration**:  
+- A `repo.conf` file is added to the `/opt/rproxy/sites/` directory  
+- **DAVFS** functionality is enabled for file management  
+- **Data storage path**: `/opt/repodata`  
+
+**Access Point**:  
+- Proxy endpoint: `https://localhost:9000/`  
+
+#### Example Usage
+
+Upload a file to the repository using `curl`:
 ```bash
-curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar -k
+# Upload example: kafka_4.1.tar to /podman/kafka/4.1/
+curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar
 ```
+
+## Add configuration via management job
+Import management/AddService.groovy to Jenkins
+
+To integrate `http://jenkins-master.olsson.ul:8080` with the SSL proxy, configure these parameters:
+
+- **target_host**: Host with rproxy installed  
+- **rproxy_service_name**: Service identifier (e.g., `jenkins`)  
+- **rproxy_service_port**: Port (e.g., `8080`)  
+- **rproxy_service_address**: Address (e.g., `jenkins-master.olsson.ul` or `10.10.10.1`)  
+
+✅ **Result**:  
+`https://jenkins.olsson.ul/` will securely route to `http://jenkins-master.olsson.ul:8080`.  
+ 
+CNAME configuration (`jenkins.olsson.ul → rproxy`) is automatically handled during deployment in FreeIPA.
+
+## Software Requirements
+* OS - AlmaLinux 10
+* FreeIPA domain (for certificates request)
+
+## Jenkins credentials
+* JENKINS_DEPLOYER_PASS (domain)
+* JENKINS_DEPLOYER_KEY (domain)
+
+## Jenkins paramethers
+* target_hosts - is basic inventory line for ansible
+* images_repo_url - image registry with nginx repository
+* update_job - download changes from git and finish job

roles/rproxy/tasks/dirs.yml

@@ -14,6 +14,36 @@
     path: "{{ repo_data_dir }}"
     state: directory
 
+- name: "Create {{ repo_data_dir }}/archive"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/archive"
+    state: directory
+
+- name: "Create {{ repo_data_dir }}/pip"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/pip"
+    state: directory
+
+- name: "Create {{ repo_data_dir }}/pip/py3"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/pip/py3"
+    state: directory
+
+- name: "Create {{ repo_data_dir }}/repo"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/repo"
+    state: directory
+
+- name: "Create {{ repo_data_dir }}/repo/almalinux"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/repo/almalinux"
+    state: directory
+
+- name: "Create {{ repo_data_dir }}/repo/almalinux/10"
+  ansible.builtin.file:
+    path: "{{ repo_data_dir }}/repo/almalinux/10"
+    state: directory
+
 - name: Create sites dir
   ansible.builtin.file:
     path: "{{ rproxy_dir }}/sites"

roles/rproxy/tasks/main.yml

@@ -18,3 +18,7 @@
 - name: Repository install
   ansible.builtin.include_tasks: 
     file: repo.yml
+
+- name: Pypi repository install
+  ansible.builtin.include_tasks: 
+    file: pypi.yml

roles/rproxy/tasks/pypi.yml

@@ -0,0 +1,17 @@
+---
+- name: Install pypi-server
+  ansible.builtin.pip:
+    name:
+      - pypiserver
+
+- name: Copy pypi-server service file
+  ansible.builtin.template:
+    src: "templates/pypiserver.service.j2"
+    dest: "/etc/systemd/system/pypiserver.service"
+
+- name: Enable pypiserver service
+  ansible.builtin.systemd:
+    name: "pypiserver.service"
+    state: started
+    enabled: yes
+    daemon_reload: yes

roles/rproxy/templates/pypiserver.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=PyPI Server (pypiserver)
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+WorkingDirectory={{ repo_data_dir }}/pip/py3
+ExecStart=/usr/bin/python3 -m pypiserver -p 10000 -o {{ repo_data_dir }}/pip/py3
+Restart=always
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+ReadWriteDirectories={{ repo_data_dir }}/pip/py3
+
+[Install]
+WantedBy=multi-user.target