---
# NOTE(review): indentation was lost in the pasted source; the nesting below is
# reconstructed as a top-level task holding one block — verify against the repo.
- name: Create server configs
  block:
    # Render the per-service nginx vhost into rproxy_dir/sites/, the directory
    # that the rproxy container later bind-mounts as /etc/nginx/sites.
    - name: Copy server.conf
      ansible.builtin.template:
        src: 'templates/server.conf.j2'
        dest: '{{ rproxy_conf_path }}'
      vars:
        rproxy_conf_path: '{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf'

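- name: Generate certificates for {{ rproxy_service_name }}
  block:
    # Leaf private key for the service.  The mode is spelled out so the key is
    # never wider than owner-only, whatever the module default happens to be.
    # NOTE(review): this certs/ directory is bind-mounted rw into the nginx
    # container by the "Restart rproxy" task, so this key and RootCA.key are
    # readable from inside the container — confirm that is intended.
    - name: "Generate {{ rproxy_service_name }}.key"
      community.crypto.openssl_privatekey:
        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
        size: 2048
        mode: "0600"

    # CSR: subject fields come from the inventory domain; SANs cover the service
    # FQDN, the host FQDN and the host's default IPv4 address.
    - name: "Generate {{ rproxy_service_name }}.csr"
      community.crypto.openssl_csr:
        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
        privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
        country_name: "RU"
        state_or_province_name: "RU"
        locality_name: "MSK"
        organization_name: "{{ ansible_domain }}"
        organizational_unit_name: "IT"
        common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
        email_address: "admin@{{ ansible_domain }}"
        subject_alt_name:
          - "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
          - "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
          - "IP:{{ ansible_facts['default_ipv4']['address'] }}"
        # serverAuth is what a TLS server needs; nonRepudiation and
        # dataEncipherment are unused by TLS and could be dropped.
        key_usage:
          - digitalSignature
          - nonRepudiation
          - keyEncipherment
          - dataEncipherment
        extended_key_usage:
          - serverAuth

    # Sign the CSR with the local CA.  The result is registered so that the
    # fullchain step below only runs when this task actually (re)wrote the .crt.
    # NOTE(review): RootCA.key lives in the same certs/ tree that is mounted rw
    # into the container; anyone with code execution in nginx could mint
    # certificates trusted by every client that trusts RootCA.crt.  Keep the CA
    # key outside the mounted volume.  Also, x509_certificate ignores timestamps
    # in its idempotency check by default, so an expired leaf is not renewed on
    # re-run — confirm how renewal of the +365d validity is handled.
    - name: "Generate {{ rproxy_service_name }}.crt"
      community.crypto.x509_certificate:
        csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt"
        privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
        provider: ownca
        ownca_create_subject_key_identifier: always_create
        ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt"
        ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key"
        ownca_not_after: "+365d"
      register: rproxy_crt

    # Build the fullchain by appending the CA certificate to the leaf file.
    # This used to run unconditionally, so every play run appended another
    # copy of RootCA.crt; gating on the signing task keeps exactly one copy.
    - name: Create fullchain certificate
      ansible.builtin.shell:
        cmd: >-
          cat '{{ rproxy_dir }}/certs/RootCA.crt'
          >> '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt'
      when: rproxy_crt is changed

    # The CSR is only an intermediate artifact; remove it from the mounted tree.
    - name: Delete csr
      ansible.builtin.file:
        path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
        state: absent
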
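- name: Restart rproxy
  block:
    # (Re)create the nginx container and emit a systemd unit for it.
    # NOTE(review): `privileged: true` together with `label=disable` gives the
    # container the host's devices and capabilities and switches SELinux
    # confinement off for it, while every bind mount below is already
    # relabelled with `:z` and mounted rw — including certs/ (which holds
    # RootCA.key) and repo_data_dir.  A plain nginx reverse proxy should need
    # neither setting; confirm nothing under /repo depends on them and drop
    # both.  Port 9000 is published on all interfaces but nothing in this file
    # references it — confirm it is meant to be reachable externally.
    - name: Restart container
      containers.podman.podman_container:
        name: rproxy
        image: "docker.io/library/nginx:{{ rproxy_version }}"
        state: started
        restart: true
        ports:
          - "443:443"
          - "80:80"
          - "9000:9000"
        volumes:
          - "{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw"
          - "{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw"
          - "{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw"
          - "{{ repo_data_dir }}:/repo:z,rw"
          - "/etc/localtime:/etc/localtime:ro"
        privileged: true
        security_opt:
          - "label=disable"
        log_driver: journald
        generate_systemd:
          path: /etc/systemd/system/
          restart_policy: always
          stop_timeout: 120
          names: true

    # Pick up the freshly written unit file.  The systemd module is used
    # instead of `shell: systemctl daemon-reload`, which always reported
    # "changed" and was skipped in check mode.
    - name: Daemon reload
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Enable rproxy service
      ansible.builtin.systemd:
        name: "container-rproxy.service"
        state: started
        enabled: true
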
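# Point <service>.<domain> at this host in FreeIPA DNS so the vhost rendered
# above resolves.  record_value has no trailing dot, so it is relative to
# zone_name — correct only while the host itself lives in that zone.
# NOTE(review): the IPA API call reuses the SSH automation credentials
# (ansible_user / ansible_password); a dedicated IPA account limited to this
# zone would shrink the blast radius if the host is compromised.  ipa_host,
# ipa_prot and validate_certs are not set here, so they fall back to the IPA_*
# environment variables or the module defaults — confirm the play sets them.
- name: Create CNAME dns record
  community.general.ipa_dnsrecord:
    ipa_user: "{{ ansible_user }}"
    ipa_pass: "{{ ansible_password }}"
    zone_name: "{{ ansible_facts['domain'] }}"
    record_name: "{{ rproxy_service_name }}"
    record_type: 'CNAME'
    record_value: "{{ ansible_facts['hostname'] }}"
    state: present
  # ipa_pass is a module argument: without no_log it is printed in verbose
  # output and in any callback or log aggregation of the task result.
  no_log: true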