rproxy/roles/rproxy/tasks/repo.yml

---
- name: Prepare for https repository
  block:
    - name: Create repo dir
      ansible.builtin.file:
        path: "{{ repo_data_dir }}"
        state: directory
        mode: 0777

    - name: Copy repo.conf
      ansible.builtin.copy:
        src: files/repo.conf
        dest: "{{ rproxy_dir }}/sites/repo.conf"

    - name: Install createrepo
      ansible.builtin.yum:
        name:
          - createrepo
        update_cache: yes

- name: Create https certificates for repository
  block:
    - name: Kinit
      ansible.builtin.shell:
        cmd: "echo '{{ ansible_password }}' | kinit"
      become: false
      become_user: "{{ ansible_user }}"

    - name: Create SPN for HTTP
      ansible.builtin.shell:
        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
      become: false
      become_user: "{{ ansible_user }}"
      ignore_errors: true

    - name: Get all tracking certificates
      ansible.builtin.shell:
        cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:"
      register: tracking_list

    - name: Remove certificates from IPA tracking
      ansible.builtin.shell:
        cmd: "ipa-getcert stop-tracking -i {{ item }}"
      loop: "{{ tracking_list.stdout_lines }}"
      ignore_errors: true

    - name: Request certificate via ipa-getcert
      ansible.builtin.command: >
        ipa-getcert request
        -f {{ rproxy_dir }}/certs/repo.crt
        -k {{ rproxy_dir }}/certs/repo.key
        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -F {{ rproxy_dir }}/certs/RootCA.crt

    - name: Wait for certificate to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/repo.crt"
        timeout: 60

    - name: Change certificate permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/repo.crt"
        mode: "0744"

    - name: Wait for certificate key to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/repo.key"
        timeout: 60

    - name: Change certificate key permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/repo.key"
        mode: "0744"

- name: Restart rproxy service
  ansible.builtin.systemd:
    name: "container-rproxy.service"
    state: restarted
    enabled: yes