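---
# Stand up a TLS-protected container image registry under podman, with the
# server certificate issued by FreeIPA (certmonger / ipa-getcert).
#
# Variables referenced by these tasks: dockerrepo_dir, dockerrepo_data_dir,
# rproxy_dir, ansible_user and ansible_password (the last one only for kinit).
# The plain `become: false` on the IPA tasks implies become is enabled at play
# level — confirm against the calling play.
- name: Prepare for image repository
  block:
    # Start from a clean directory so stale certs/config never survive a re-run.
    - name: Remove dockerrepo dir
      ansible.builtin.file:
        path: "{{ dockerrepo_dir }}"
        state: absent

    - name: Create dockerrepo dir
      ansible.builtin.file:
        path: "{{ dockerrepo_dir }}"
        state: directory

    - name: Create repo dir
      ansible.builtin.file:
        path: "{{ dockerrepo_data_dir }}"
        state: directory

    - name: Create certs dir
      ansible.builtin.file:
        path: "{{ dockerrepo_dir }}/certs"
        state: directory

- name: Create certificates for image repository
  block:
    # Obtain a Kerberos ticket as ansible_user for the IPA CLI calls that follow
    # (they run as the same user so they share this credential cache).
    # The password goes to kinit on stdin instead of being interpolated into an
    # `echo '...' | kinit` pipeline: it no longer shows up in the process list,
    # a quote in the password no longer breaks the command, and no_log keeps it
    # out of Ansible's output and logs.
    - name: Kinit
      ansible.builtin.command:
        cmd: kinit
        stdin: "{{ ansible_password }}"
      become: false
      become_user: "{{ ansible_user }}"
      no_log: true

    # Re-runs hit an SPN that is already registered; only that case is tolerated.
    # Any other failure (no ticket, insufficient IPA permissions) still fails the
    # play instead of being swallowed by a blanket ignore_errors.
    - name: Create SPN for HTTP
      ansible.builtin.command:
        cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
      become: false
      become_user: "{{ ansible_user }}"
      register: spn_result
      changed_when: spn_result.rc == 0
      failed_when: spn_result.rc != 0 and 'already exists' not in spn_result.stderr

    # ipa-getcert returns once certmonger has accepted the request; the
    # certificate and key are written asynchronously, hence the wait_for tasks.
    # NOTE(review): the output paths use rproxy_dir, while the directory created
    # above and mounted into the container is "{{ dockerrepo_dir }}/certs".
    # Unless both variables resolve to the same path the registry will not find
    # its certificate — confirm and unify.
    - name: Request certificate via ipa-getcert
      ansible.builtin.command: >
        ipa-getcert request
        -f {{ rproxy_dir }}/certs/dockerrepo.crt
        -k {{ rproxy_dir }}/certs/dockerrepo.key
        -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
        -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}

    # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists

    - name: Wait for certificate to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
        timeout: 60

    - name: Change certificate permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
        mode: "0744"

    - name: Wait for certificate key to appear
      ansible.builtin.wait_for:
        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
        timeout: 60

    # NOTE(review): 0744 leaves the TLS private key readable by every local user.
    # "0600" is the norm for a private key; confirm which uid inside the
    # container actually reads /certs/dockerrepo.key before tightening.
    - name: Change certificate key permissions
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/dockerrepo.key"
        mode: "0744"

- name: Start image repository
  block:
    # NOTE(review): "registry:latest" is an unqualified, floating tag — which
    # image is pulled depends on podman's short-name resolution and changes over
    # time. Prefer a fully qualified name with a pinned tag or digest.
    - name: Pull repo image
      containers.podman.podman_image:
        name: registry:latest
        state: present

    # Recreate rather than reconcile so a changed definition always takes effect.
    - name: Delete image repository container if exists
      containers.podman.podman_container:
        name: registry
        state: absent

    # NOTE(review): privileged plus label=disable grants far more than a registry
    # needs, and the volumes are already relabelled with :z, so SELinux
    # separation could stay on. Confirm the container starts without them and
    # drop both.
    - name: Start registry
      containers.podman.podman_container:
        name: registry
        image: registry:latest
        state: started
        ports:
          - "5000:5000"
        # Paths as seen inside the container, i.e. under the certs volume below.
        env:
          REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
          REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
        volumes:
          - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
          - "{{ dockerrepo_dir }}/certs:/certs:z,rw"
          - "/etc/localtime:/etc/localtime:ro"
        privileged: true
        security_opt:
          - "label=disable"
        log_driver: journald
        # With names: true the generated unit is container-registry.service,
        # which the last task enables.
        generate_systemd:
          path: /etc/systemd/system/
          restart_policy: always
          stop_timeout: 120
          names: true

    # Native module instead of shelling out to systemctl.
    - name: Daemon reload
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Enable registry service
      ansible.builtin.systemd:
        name: "container-registry.service"
        state: started
        enabled: true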