diff --git a/defaults/main.yml b/defaults/main.yml
index 0e31899..a8c0dec 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,6 +34,7 @@ gerrit_sshd_threads: "32"
 # Gerrit httpd
 gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
 gerrit_referenced_objects_reachable: false
 # Gerrit setup
@@ -54,4 +55,7 @@ oauth_client_secret: "NONE"
 # ldap if enabled
 ldap_url_list:
 - ldap://ipa-us-east-2.rockylinux.org
+
+# Use freeipa CA
+tls_use_internal_freeipa: true
 ...
diff --git a/install-gerrit.yml b/install-gerrit.yml
index 700fe59..ec4e8f1 100644
--- a/install-gerrit.yml
+++ b/install-gerrit.yml
@@ -5,6 +5,7 @@
 become: true
 vars_files:
 - vars/gerrit.yml
+ - vars/internal.yml
 handlers:
 - import_tasks: handlers/main.yml
@@ -43,6 +44,11 @@
 fail_msg: "Please set a proper database password."
 when: not gerrit_allow_insecure_passwords|bool
+ roles:
+ - role: rockylinux.ipagetcert
+ state: present
+ when: tls_use_internal_freeipa|bool
+
 tasks:
 - name: Deploy gerrit as needed
 ansible.builtin.import_tasks: tasks/install.yml
diff --git a/roles/requirements.yml b/roles/requirements.yml
new file mode 100644
index 0000000..791b158
--- /dev/null
+++ b/roles/requirements.yml
@@ -0,0 +1,7 @@
+---
+# Roles
+roles:
+ - name: rockylinux.ipagetcert
+ src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+ version: main
+...
diff --git a/tasks/install.yml b/tasks/install.yml
index 47eec4c..2900dde 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -2,6 +2,9 @@
 - name: Setup gerrit basics
 ansible.builtin.include_tasks: setup.yml
+- name: Install and configure packages
+ ansible.builtin.include_tasks: pkg.yml
+
 - name: Install gerrit
 ansible.builtin.include_tasks: deploy.yml
 ...
diff --git a/tasks/pkg.yml b/tasks/pkg.yml
new file mode 100644
index 0000000..3fb9289
--- /dev/null
+++ b/tasks/pkg.yml
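Review bot: `gerrit_httpd_proxy_url` repeats the host and port that `gerrit_httpd_listen_url` already carries on the line above it, and nothing ties the two together, so changing the port in one of them silently breaks the reverse proxy. A comment on the new line, `# Backend target of the httpd reverse proxy; host:port must match gerrit_httpd_listen_url`, would make the coupling visible, or the value could be derived from the listen URL instead of being typed twice. The `# Use freeipa CA` comment in the second hunk would likewise be more useful if it said what turning `tls_use_internal_freeipa` off implies for the certificate the httpd template expects.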
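Review bot: The certificate role is gated by `when: tls_use_internal_freeipa|bool`, but `templates/gerrit.httpd.j2` in this same change references `/etc/pki/tls/certs/{{ ansible_fqdn }}.crt` and the matching key unconditionally, so with the flag set to false httpd is configured with a certificate that nothing provisions and the `Ensure httpd is enabled and running` task in tasks/pkg.yml will presumably fail at start-up. Either make the template's TLS lines conditional on the same flag or document the contract on the role entry, e.g. `# When tls_use_internal_freeipa is false, the cert/key paths used by gerrit.httpd.j2 must be provided out of band`. Note also that `roles:` runs before `tasks:`, so the role — and the `postcmd: "/bin/systemctl reload httpd"` it is given in vars/internal.yml — executes before tasks/pkg.yml installs httpd; whether the role tolerates a missing httpd unit at that point should be confirmed.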
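Review bot: `version: main` in roles/requirements.yml pins the `rockylinux.ipagetcert` role to a moving branch, so every `ansible-galaxy install` pulls whatever that branch holds at the time; the role runs under `become: true` and handles the host's TLS private key, so an unreviewed upstream change lands directly on the Gerrit host with root privileges. Pin to a release tag or a full commit SHA, e.g. `version: "<tag-or-commit-sha>"` (placeholder), and bump it deliberately when the role is updated.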
@@ -0,0 +1,21 @@
+---
+- name: Install packages as needed
+ ansible.builtin.package:
+ name: "{{ installed_packages }}"
+ state: present
+
+- name: Deploy reverse proxy
+ ansible.builtin.template:
+ src: "gerrit.httpd.j2"
+ dest: "/etc/httpd/conf.d/gerrit.conf"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart_httpd
+
+- name: Ensure httpd is enabled and running
+ ansible.builtin.systemd:
+ name: httpd.service
+ state: running
+ enabled: true
+...
diff --git a/templates/gerrit.httpd.j2 b/templates/gerrit.httpd.j2
new file mode 100644
index 0000000..425f0f9
--- /dev/null
+++ b/templates/gerrit.httpd.j2
@@ -0,0 +1,19 @@
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/{{ ansible_fqdn }}.key
+ ProxyRequests Off
+ ProxyVia Off
+ ProxyPreserveHost On
+
+
+ #Order deny,allow
+ #Allow from all
+ # Use following line instead of the previous two on Apache >= 2.4
+ Require all granted
+
+
+ AllowEncodedSlashes On
+ ProxyPass / {{ gerrit_httpd_proxy_url }} nocanon
+ #ProxyPassReverse / {{ gerrit_httpd_proxy_url }} nocanon
+
diff --git a/vars/internal.yml b/vars/internal.yml
new file mode 100644
index 0000000..a2822d6
--- /dev/null
+++ b/vars/internal.yml
@@ -0,0 +1,10 @@
+---
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: apache
+ key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+ cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+ postcmd: "/bin/systemctl reload httpd"
+ cnames:
+ - "git.rockylinux.org"
+...
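Review bot: `state: running` on the `Ensure httpd is enabled and running` task is not a value `ansible.builtin.systemd` accepts (its choices are `started`, `stopped`, `restarted` and `reloaded`), so the play will stop with a parameter validation error before httpd is ever started; change it to `state: started`. The `installed_packages` variable consumed by the first task is not defined anywhere in this diff (defaults/main.yml gains only the proxy URL and the freeipa flag), so presumably it lives in vars/gerrit.yml — a short comment naming where it comes from would help, and it must include httpd and mod_ssl for the template task to make sense. `notify: restart_httpd` relies on a handler of that name in handlers/main.yml, which this page does not show.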
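Review bot: The vhost sets only `SSLEngine on` and the certificate/key paths, with no `SSLProtocol`, `SSLCipherSuite` or HSTS header, so the effective TLS policy is whatever the distribution's global ssl.conf provides; if that is intended, a one-line comment saying so would stop the next reader from assuming the policy is set here, otherwise the directives should be added explicitly. The `#Order deny,allow` / `#Allow from all` lines are dead pre-2.4 syntax now that `Require all granted` is the active directive and can be dropped together with the comment explaining them. `ProxyPassReverse` is commented out while `ProxyPreserveHost On` is set, which is presumably deliberate given the `proxy-https://` listen URL in defaults/main.yml, but deserves a comment stating why. The enclosing container directives of this template are not visible on this page.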
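Review bot: `owner: apache` on the certificate request makes the unprivileged httpd worker account the owner of `/etc/pki/tls/private/{{ ansible_fqdn }}.key`; httpd loads its key in the root parent process at start-up and on reload, so the key can stay root-owned and root-readable only, which keeps it out of reach of a compromised worker. Presumably the role maps `owner` onto the key file's ownership — confirm against the role's documentation and, if so, prefer `owner: root` or whatever the role uses to keep the key root-only. `cnames: - "git.rockylinux.org"` is a deployment-specific hostname hard-coded in a vars file and belongs in defaults/main.yml as an overridable variable next to the other site settings.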