add nginx as a reverse proxy option
This commit is contained in:
parent
9bdc4d66a6
commit
d2b86597a8
7 changed files with 89 additions and 17 deletions
@ -20,6 +20,7 @@ gerrit_allow_insecure_passwords: false
# Gerrit vars
gerrit_config_base_path: "git"
gerrit_config_canonical_domain: "git.rockylinux.org"
gerrit_config_canonical_weburl: "https://git.rockylinux.org"
# Gerrit index. Default LUCENE
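Review bot: `gerrit_config_canonical_weburl` hardcodes `https://git.rockylinux.org` while the sibling `gerrit_config_canonical_domain` is what the new nginx template uses for `server_name`; if an override changes only one of them, the host Gerrit redirects to and the host the proxy answers for silently diverge. Deriving one from the other keeps them in step: `gerrit_config_canonical_weburl: "https://{{ gerrit_config_canonical_domain }}"`. Which of the two lines this hunk adds is not recoverable from the rendered page, so this may already be the intended follow-up.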
@ -33,6 +34,8 @@ gerrit_sshd_listen_address: "*:22220"
gerrit_sshd_threads: "32"
# Gerrit httpd
reverse_proxy: "httpd"
cert_owner: "{{ 'nginx' if reverse_proxy == 'nginx' else 'apache' }}"
gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
gerrit_referenced_objects_reachable: false
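Review bot: `reverse_proxy` is a new switch with exactly two accepted values, but nothing at its definition says so; the assert that enforces it lives in the check tasks, and `cert_owner` on the next line silently falls back to `apache` for any other value. A comment above the line would spare the next reader a grep: `# Reverse proxy in front of Gerrit: "httpd" or "nginx" (validated by the check tasks); also selects the owner of the IPA-issued TLS key via cert_owner.`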
@ -8,4 +8,9 @@
- name: reload_systemd
ansible.builtin.systemd:
daemon_reload: true
- name: restart_httpd
ansible.builtin.systemd:
name: httpd.service
state: restarted
...
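Review bot: The nginx task block notifies `restart_nginx`, but the only handler visible in this hunk is `restart_httpd`; unless `restart_nginx` is defined in the first lines of the handlers file, which the hunk does not show, a `reverse_proxy: nginx` run writes the config and then fails on an undefined handler, leaving nginx running with whatever config it had. Adding the handler next to `restart_httpd` keeps the two proxies symmetric; `reloaded` would be enough for a config change and avoids dropping in-flight requests, but `restarted` matches the httpd handler.
```yaml
- name: restart_nginx
  ansible.builtin.systemd:
    name: nginx.service
    state: restarted
```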
@ -30,6 +30,13 @@
success_msg: "We are on a supported system"
fail_msg: "Only Rocky Linux versions 9 or higher are supported."
- name: Verify that reverse_proxy is proper
ansible.builtin.assert:
that:
- (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')
fail_msg: "Only httpd or nginx is supported"
success_msg: "reverse proxy is set"
- name: Import vault if available
ansible.builtin.include_vars:
file: "{{ vault_file }}"
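Review bot: The assert condition `- (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')` is correct but grows an `or` clause per proxy and duplicates the list in the fail message; a membership test reads better and keeps one source of truth: `- reverse_proxy in ['httpd', 'nginx']`. The same list could feed `fail_msg` so the message stays accurate when a proxy is added.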
@ -4,18 +4,52 @@
name: "{{ installed_packages }}"
state: present
- name: Deploy reverse proxy
ansible.builtin.template:
src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_httpd
- name: Deploy reverse proxy (httpd)
when: reverse_proxy == "httpd"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- httpd
- mod_ssl
state: present
- name: Ensure httpd is enabled and running
ansible.builtin.systemd:
name: httpd.service
state: running
enabled: true
- name: Deploy httpd configuration
ansible.builtin.template:
src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_httpd
- name: Ensure httpd is enabled and running
ansible.builtin.systemd:
name: httpd.service
state: started
enabled: true
- name: Deploy reverse proxy (nginx)
when: reverse_proxy == "nginx"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- nginx
state: present
- name: Deploy nginx configuration
ansible.builtin.template:
src: "gerrit.nginx.j2"
dest: "/etc/nginx/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_nginx
- name: Ensure nginx is enabled and running
ansible.builtin.systemd:
name: nginx.service
state: started
enabled: true
...
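Review bot: Changing `reverse_proxy` on a host that was already deployed with the other value leaves the previous proxy installed, enabled and bound to ports 80/443 — `ansible.builtin.package` with `state: present` never removes anything and neither block stops the other service — so `Ensure nginx is enabled and running` (or its httpd twin) fails on the port conflict. If in-place switching is intended, stop and disable the other unit at the top of each block, guarded by a `service_facts` lookup since `ansible.builtin.systemd` errors on an unknown unit; otherwise a comment above the two blocks should say that `reverse_proxy` is a first-deploy choice. Whether the nginx unit additionally needs the `httpd_can_network_connect` SELinux boolean to reach 127.0.0.1:8080 cannot be told from this hunk, but it is the usual EL stumbling block for a new proxy. The task that installs `installed_packages` begins before this hunk.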
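--- /dev/null
+++ b/templates/gerrit.nginx.j2
@@ -0,0 +1,25 @@
+server {
+listen 80;
+server_name {{ gerrit_config_canonical_domain }};
+
+location ^~ / {
+proxy_pass {{ gerrit_httpd_proxy_url }};
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+}
+}
+
+server {
+listen 443;
+server_name {{ gerrit_config_canonical_domain }};
+
+ssl on;
+ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
+ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
+
+location ^~ / {
+proxy_pass {{ gerrit_httpd_proxy_url }};
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+}
+}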
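Review bot: The port-80 `server` block proxies plaintext straight to Gerrit instead of redirecting, while the defaults configure Gerrit with a `proxy-https://` listen URL, i.e. it assumes TLS is terminated in front of it; a client that follows an http:// link therefore sends credentials and session cookies in the clear on port 80, so that block should only `return 301 https://$host$request_uri;`. The 443 block pairs `listen 443;` with `ssl on;`, a directive that is deprecated and removed in nginx 1.25.1 and later (the spelling is `listen 443 ssl;`), and sets no `ssl_protocols`, so legacy protocol versions stay enabled unless the distribution crypto policy already restricts them — the hunk does not show which nginx version the target ships. Gerrit's canonical URL is already https so no `X-Forwarded-Proto` is needed, but large pushes over HTTP will hit nginx's 1m default `client_max_body_size`, worth setting next to the proxy directives.
```nginx
server {
    listen 80;
    server_name {{ gerrit_config_canonical_domain }};
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name {{ gerrit_config_canonical_domain }};

    ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
    ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # ... unchanged: location ^~ / proxy block ...
}
```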
@ -21,6 +21,4 @@ installed_packages:
- java-11-openjdk-headless
- tzdata-java
- postfix
- httpd
- mod_ssl
...
@ -1,10 +1,10 @@
---
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
owner: "{{ cert_owner }}"
key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
postcmd: "/bin/systemctl reload httpd"
cnames:
- "git.rockylinux.org"
- "{{ gerrit_config_canonical_domain }}"
...
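Review bot: `postcmd: "/bin/systemctl reload httpd"` is still hard-wired to httpd, so on a `reverse_proxy: nginx` host a certificate renewal reloads a unit that is not installed and nginx keeps serving the expired certificate until something else restarts it; tying it to the same switch as the owner fixes that: `postcmd: "/bin/systemctl reload {{ reverse_proxy }}"` (`httpd` and `nginx` are the unit names the tasks use). Separately, handing the private key to the `nginx` (or `apache`) service user is broader than needed if the master process starts as root and reads the key before dropping privileges, which is the EL default, since a compromised worker could then read it; whether `owner: root` works with this certmonger role is not visible here and worth checking before relying on `cert_owner`. The old/new assignment of the two cname lines is not recoverable from the rendered page.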