---
- name: Prepare for image repository
  # Rebuilds the registry configuration tree from scratch on every run:
  # dockerrepo_dir (and everything below it, including any previously issued
  # certificate) is removed, then the directory layout the later blocks expect
  # is created again. dockerrepo_data_dir is only created, never removed.
  block:
    - name: Remove dockerrepo dir
      ansible.builtin.file:
        path: "{{ dockerrepo_dir }}"
        state: absent

    # NOTE(review): no explicit mode is set, so these directories inherit the
    # umask of the Ansible user; the certs dir will hold the registry private
    # key — confirm the resulting permissions are acceptable.
    - name: Create registry directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ dockerrepo_dir }}"
        - "{{ dockerrepo_data_dir }}"
        - "{{ dockerrepo_dir }}/certs"
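- name: Create certificates for image repository
  # Issues a server certificate for the registry, signed by the RootCA kept
  # under rproxy_dir/certs. Key, CSR and certificate are written to the certs
  # dir under dockerrepo_dir; the CSR is deleted once the certificate exists.
  block:
    - name: "Generate dockerrepo.key"
      community.crypto.openssl_privatekey:
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        size: 2048
        # The key is exposed to the registry container through a bind mount;
        # keep it readable by the owner only.
        mode: "0600"

    - name: "Generate server.csr"
      community.crypto.openssl_csr:
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        country_name: "RU"
        state_or_province_name: "RU"
        locality_name: "MSK"
        organization_name: "{{ ansible_domain }}"
        organizational_unit_name: "IT"
        email_address: "admin@{{ ansible_domain }}"
        common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
        # Clients validate against the SAN list, not the CN: the host FQDN,
        # the imagerepo alias and the primary IPv4 address are all covered.
        subject_alt_name:
          - "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
          - "DNS:imagerepo.{{ ansible_facts['domain'] }}"
          - "IP:{{ ansible_facts['default_ipv4']['address'] }}"
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        extended_key_usage:
          - serverAuth

    - name: "Generate server.crt"
      community.crypto.x509_certificate:
        csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt"
        privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key"
        provider: ownca
        ownca_create_subject_key_identifier: always_create
        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
        # One-year validity; re-running the play after expiry reissues it.
        ownca_not_after: "+365d"
      register: dockerrepo_cert

    - name: Create fullchain certificate
      # Append the issuing CA only when the leaf certificate was (re)written.
      # An unconditional append would add another copy of the CA to the file
      # on every run in which the certificate itself was unchanged.
      ansible.builtin.shell:
        cmd: 'cat "{{ rproxy_dir }}/certs/RootCA.crt" >> "{{ dockerrepo_dir }}/certs/dockerrepo.crt"'
      when: dockerrepo_cert is changed

    - name: Delete csr
      ansible.builtin.file:
        path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr"
        state: absent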
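- name: Start image repository
  # Runs the registry image as a podman container, generates a systemd unit
  # for it and enables that unit. Any existing container of the same name is
  # removed first so the new settings always take effect.
  block:
    - name: Pull repo image
      # NOTE(review): "latest" is a moving tag; pin a specific version tag or
      # digest so the deployed registry is reproducible across runs and hosts.
      containers.podman.podman_image:
        name: registry:latest
        state: present

    - name: Delete image repository container if exists
      containers.podman.podman_container:
        name: registry
        state: absent

    - name: Start registry
      containers.podman.podman_container:
        name: registry
        image: registry:latest
        state: started
        # Publishes 5000 on every host interface; prefix with a host address
        # if the registry should only be reachable locally or via the proxy.
        ports:
          - "5000:5000"
        # TLS material is read from the certs bind mount declared below.
        env:
          REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
          REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
        volumes:
          - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
          # NOTE(review): the container appears to only read the certificate
          # and key; mounting this one ":z,ro" would be tighter — confirm.
          - "{{ dockerrepo_dir }}/certs:/certs:z,rw"
          - "/etc/localtime:/etc/localtime:ro"
        # NOTE(review): privileged together with label=disable gives the
        # container full host capabilities and no SELinux confinement, while
        # the volumes above are already relabelled with ":z". Both settings
        # look droppable for a registry — verify on a test host before removing.
        privileged: true
        security_opt:
          - "label=disable"
        log_driver: journald
        # With names: true the generated unit is named after the container,
        # which is the container-registry.service enabled below.
        generate_systemd:
          path: /etc/systemd/system/
          restart_policy: always
          stop_timeout: 120
          names: true

    - name: Daemon reload
      # Native module instead of shelling out to systemctl; required so systemd
      # picks up the unit file generated above.
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Enable registry service
      ansible.builtin.systemd:
        name: "container-registry.service"
        state: started
        enabled: true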