add nginx as a reverse proxy option

This commit is contained in:
Louis Abel 2023-07-25 02:43:32 -07:00
parent 9bdc4d66a6
commit d2b86597a8
Signed by: label
GPG key ID: 2A6975660E424560
7 changed files with 89 additions and 17 deletions


@ -20,6 +20,7 @@ gerrit_allow_insecure_passwords: false
# Gerrit vars
gerrit_config_base_path: "git"
gerrit_config_canonical_domain: "git.rockylinux.org"
gerrit_config_canonical_weburl: "https://git.rockylinux.org"
# Gerrit index. Default LUCENE
@ -33,6 +34,8 @@ gerrit_sshd_listen_address: "*:22220"
gerrit_sshd_threads: "32"
# Gerrit httpd
reverse_proxy: "httpd"
cert_owner: "{{ 'nginx' if reverse_proxy == 'nginx' else 'apache' }}"
gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
gerrit_referenced_objects_reachable: false
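Review bot: The new `reverse_proxy` variable sits under the pre-existing `# Gerrit httpd` heading, which no longer describes it, and nothing in the defaults says which values are accepted (the preflight assert enforces httpd or nginx, but a reader of this file cannot see that). Replace the heading with `# Reverse proxy in front of Gerrit: "httpd" or "nginx"` directly above `reverse_proxy`, and move `# Gerrit httpd` down to the `gerrit_httpd_listen_url` line. `cert_owner` is derived from `reverse_proxy` here and consumed by the getcert vars, so a one-line comment such as `# system user that must be able to read the TLS key; follows reverse_proxy` would also help the next maintainer.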


@ -8,4 +8,9 @@
- name: reload_systemd
ansible.builtin.systemd:
daemon_reload: true
- name: restart_httpd
ansible.builtin.systemd:
name: httpd.service
state: restarted
...
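Review bot: The only handler visible in this hunk is `restart_httpd`, while the nginx block in tasks/main.yml notifies `restart_nginx`; the hunk header counts five added lines and the rendering may have dropped some, so confirm a `restart_nginx` handler is actually defined, otherwise the nginx path fails at runtime with "The requested handler 'restart_nginx' was not found". If it is missing, add after `restart_httpd`: `- name: restart_nginx` / `ansible.builtin.systemd:` / `name: nginx.service` with `state: restarted`. Since both handlers only pick up a config change, `state: reloaded` would avoid dropping in-flight git connections; that is a behaviour choice, not a defect.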


@ -30,6 +30,13 @@
success_msg: "We are on a supported system"
fail_msg: "Only Rocky Linux versions 9 or higher are supported."
- name: Verify that reverse_proxy is proper
ansible.builtin.assert:
that:
- (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')
fail_msg: "Only httpd or nginx is supported"
success_msg: "reverse proxy is set"
- name: Import vault if available
ansible.builtin.include_vars:
file: "{{ vault_file }}"
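Review bot: A style point on the new assert: the two-way `or` in "Verify that reverse_proxy is proper" has to be extended every time a proxy is added and drifts from the `cert_owner` expression in defaults; `- reverse_proxy in ['httpd', 'nginx']` states the allowed set in one place and reads as a list. The `fail_msg` could also echo the offending value so a typo is obvious in the play output, e.g. `fail_msg: "reverse_proxy must be httpd or nginx, got '{{ reverse_proxy }}'"`.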


@ -4,18 +4,52 @@
name: "{{ installed_packages }}"
state: present
- name: Deploy reverse proxy
ansible.builtin.template:
src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_httpd
- name: Deploy reverse proxy (httpd)
when: reverse_proxy == "httpd"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- httpd
- mod_ssl
state: present
- name: Ensure httpd is enabled and running
ansible.builtin.systemd:
name: httpd.service
state: running
enabled: true
- name: Deploy httpd configuration
ansible.builtin.template:
src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_httpd
- name: Ensure httpd is enabled and running
ansible.builtin.systemd:
name: httpd.service
state: started
enabled: true
- name: Deploy reverse proxy (nginx)
when: reverse_proxy == "nginx"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- nginx
state: present
- name: Deploy nginx configuration
ansible.builtin.template:
src: "gerrit.nginx.j2"
dest: "/etc/nginx/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_nginx
- name: Ensure nginx is enabled and running
ansible.builtin.systemd:
name: nginx.service
state: started
enabled: true
...
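Review bot: Neither block stops or disables the other proxy, so on a host that previously ran with `reverse_proxy: "httpd"` and is re-run with `"nginx"`, httpd stays enabled and bound to 80/443 and "Ensure nginx is enabled and running" fails to bind; if hosts are ever migrated between the two, the nginx block needs a task that stops httpd first (and symmetrically for the httpd block). `failed_when: false` is used below because `httpd.service` will not exist on a host that never had httpd installed. Separately, on Rocky Linux with SELinux enforcing, nginx runs as `httpd_t` just like httpd, so `proxy_pass` to 127.0.0.1:8080 depends on the same `httpd_can_network_connect`/`httpd_can_network_relay` boolean the httpd path needs; that setting is not in this hunk, so confirm wherever it is managed also covers the nginx path.
```yaml
- name: Deploy reverse proxy (nginx)
  when: reverse_proxy == "nginx"
  block:
    - name: Ensure httpd is not holding ports 80/443
      ansible.builtin.systemd:
        name: httpd.service
        state: stopped
        enabled: false
      failed_when: false  # unit may not exist on hosts that never ran httpd
    # … unchanged: install nginx, deploy nginx configuration, ensure nginx running …
```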

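--- /dev/null
+++ b/templates/gerrit.nginx.j2
@@ -0,0 +1,25 @@
+server {
+listen 80;
+server_name {{ gerrit_config_canonical_domain }};
+location ^~ / {
+proxy_pass {{ gerrit_httpd_proxy_url }};
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+}
+}
+server {
+listen 443;
+server_name {{ gerrit_config_canonical_domain }};
+ssl on;
+ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
+ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
+location ^~ / {
+proxy_pass {{ gerrit_httpd_proxy_url }};
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+}
+}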
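Review bot: `ssl on;` in the 443 server is the obsolete form (deprecated since nginx 1.15, removed in 1.25.1); the supported spelling is to drop that line and write `listen 443 ssl;`, which also avoids the startup warning on the nginx shipped with Rocky 9. The location blocks set no `client_max_body_size`, and nginx's default of 1m means a git push over HTTPS whose packfile exceeds that is rejected with 413 before Gerrit sees it; add `client_max_body_size 0;` (or a deliberate cap) inside `location ^~ /` of the 443 server. With `gerrit_httpd_listen_url` set to `proxy-https://`, Gerrit assumes every request arrived over TLS, yet the port 80 server proxies plaintext straight through rather than redirecting; whether that is intended depends on the httpd template, which is not in this commit, so confirm the two behave the same.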


@ -21,6 +21,4 @@ installed_packages:
- java-11-openjdk-headless
- tzdata-java
- postfix
- httpd
- mod_ssl
...


@ -1,10 +1,10 @@
---
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
owner: "{{ cert_owner }}"
key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
postcmd: "/bin/systemctl reload httpd"
cnames:
- "git.rockylinux.org"
- "{{ gerrit_config_canonical_domain }}"
...
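Review bot: `postcmd: "/bin/systemctl reload httpd"` is left hard-coded while `owner` is now templated from `cert_owner`, so on an nginx host certmonger's renewal hook reloads a service that is not installed and nginx keeps serving the expired certificate until someone restarts it by hand. Derive the service the same way the owner is derived, `postcmd: "/bin/systemctl reload {{ 'nginx' if reverse_proxy == 'nginx' else 'httpd' }}"`, or add a `cert_service` default next to `cert_owner` and reference it here. The cname change from the literal `git.rockylinux.org` to `{{ gerrit_config_canonical_domain }}` looks correct and keeps the certificate SAN in step with the nginx `server_name`.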