From d2b86597a82b4939e8ba666f105fa5f9223dff45 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Tue, 25 Jul 2023 02:43:32 -0700
Subject: [PATCH] add nginx as a reverse proxy option

---
 defaults/main.yml | 3 ++
 handlers/main.yml | 5 ++++
 install-gerrit.yml | 7 +++++
 tasks/pkg.yml | 60 ++++++++++++++++++++++++++++++---------
 templates/gerrit.nginx.j2 | 25 ++++++++++++++++
 vars/gerrit.yml | 2 --
 vars/internal.yml | 4 +--
 7 files changed, 89 insertions(+), 17 deletions(-)
 create mode 100644 templates/gerrit.nginx.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index a8c0dec..52854a6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,6 +20,7 @@ gerrit_allow_insecure_passwords: false
 
 # Gerrit vars
 gerrit_config_base_path: "git"
+gerrit_config_canonical_domain: "git.rockylinux.org"
 gerrit_config_canonical_weburl: "https://git.rockylinux.org"
 
 # Gerrit index. Default LUCENE
@@ -33,6 +34,8 @@ gerrit_sshd_listen_address: "*:22220"
 gerrit_sshd_threads: "32"
 
 # Gerrit httpd
+reverse_proxy: "httpd"
+cert_owner: "{{ 'nginx' if reverse_proxy == 'nginx' else 'apache' }}"
 gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
 gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
 gerrit_referenced_objects_reachable: false
diff --git a/handlers/main.yml b/handlers/main.yml
index 7411166..65733c4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -8,4 +8,9 @@
 - name: reload_systemd
   ansible.builtin.systemd:
     daemon_reload: true
+
+- name: restart_httpd
+  ansible.builtin.systemd:
+    name: httpd.service
+    state: restarted
 ...
diff --git a/install-gerrit.yml b/install-gerrit.yml
index ec4e8f1..628e67e 100644
--- a/install-gerrit.yml
+++ b/install-gerrit.yml
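Review bot: `gerrit_config_canonical_domain` is added next to the existing `gerrit_config_canonical_weburl`, but the two are independent literals that both spell out git.rockylinux.org, so a deployer who overrides one and not the other gets an nginx `server_name` that does not match the canonical URL Gerrit advertises. Deriving one from the other, e.g. `gerrit_config_canonical_weburl: "https://{{ gerrit_config_canonical_domain }}"`, leaves a single source of truth for the hostname. If the httpd template also hardcodes the hostname it would benefit from the same variable, but that template is not part of this patch.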
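Review bot: `reverse_proxy` and `cert_owner` are the only defaults in this hunk without the `gerrit_` prefix used by every neighbouring key, which makes them easy to clobber from another role or an inventory group var. Renaming them to `gerrit_reverse_proxy` / `gerrit_cert_owner` would be consistent with the rest of the file. A comment above them such as `# Reverse proxy placed in front of Gerrit: "httpd" or "nginx"; cert_owner follows this choice` would also help, since the allowed values are only enforced by the assert in install-gerrit.yml and any other value silently yields `apache` here.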
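Review bot: Only a `restart_httpd` handler is added here, but the nginx block in tasks/pkg.yml in this same patch notifies `restart_nginx`, which is defined nowhere in the handlers file; Ansible aborts the play with an undefined-handler error as soon as the nginx template task reports a change, so the nginx path cannot complete on a first run. The handlers hunk ends at the document terminator, so the matching handler can go directly after `restart_httpd`.
```yaml
- name: restart_nginx
  ansible.builtin.systemd:
    name: nginx.service
    state: restarted
```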
@@ -30,6 +30,13 @@
         success_msg: "We are on a supported system"
         fail_msg: "Only Rocky Linux versions 9 or higher are supported."
 
+    - name: Verify that reverse_proxy is proper
+      ansible.builtin.assert:
+        that:
+          - (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')
+        fail_msg: "Only httpd or nginx is supported"
+        success_msg: "reverse proxy is set"
+
     - name: Import vault if available
       ansible.builtin.include_vars:
         file: "{{ vault_file }}"
diff --git a/tasks/pkg.yml b/tasks/pkg.yml
index 3fb9289..2f47960 100644
--- a/tasks/pkg.yml
+++ b/tasks/pkg.yml
@@ -4,18 +4,52 @@
     name: "{{ installed_packages }}"
     state: present
 
-- name: Deploy reverse proxy
-  ansible.builtin.template:
-    src: "gerrit.httpd.j2"
-    dest: "/etc/httpd/conf.d/gerrit.conf"
-    owner: root
-    group: root
-    mode: "0644"
-  notify: restart_httpd
+- name: Deploy reverse proxy (httpd)
+  when: reverse_proxy == "httpd"
+  block:
+    - name: Install packages as needed
+      ansible.builtin.package:
+        name:
+          - httpd
+          - mod_ssl
+        state: present
 
-- name: Ensure httpd is enabled and running
-  ansible.builtin.systemd:
-    name: httpd.service
-    state: running
-    enabled: true
+    - name: Deploy httpd configuration
+      ansible.builtin.template:
+        src: "gerrit.httpd.j2"
+        dest: "/etc/httpd/conf.d/gerrit.conf"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart_httpd
+
+    - name: Ensure httpd is enabled and running
+      ansible.builtin.systemd:
+        name: httpd.service
+        state: started
+        enabled: true
+
+- name: Deploy reverse proxy (nginx)
+  when: reverse_proxy == "nginx"
+  block:
+    - name: Install packages as needed
+      ansible.builtin.package:
+        name:
+          - nginx
+        state: present
+
+    - name: Deploy nginx configuration
+      ansible.builtin.template:
+        src: "gerrit.nginx.j2"
+        dest: "/etc/nginx/conf.d/gerrit.conf"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart_nginx
+
+    - name: Ensure nginx is enabled and running
+      ansible.builtin.systemd:
+        name: nginx.service
+        state: started
+        enabled: true
 ...
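Review bot: The assert condition reads more directly as a membership test, `- reverse_proxy in ['httpd', 'nginx']`, and stays a single line if a third option is ever added. Otherwise the guard is worthwhile, because `cert_owner` in defaults/main.yml silently falls back to `apache` for any other value and the two `when:` blocks in tasks/pkg.yml would simply both be skipped, leaving Gerrit with no proxy at all. The enclosing play starts before this hunk.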
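Review bot: Neither block stops or disables the proxy that is no longer selected, so changing `reverse_proxy` on a host that was already provisioned with the other value leaves the old unit enabled and bound to ports 80/443, and the newly chosen service fails to start (and its `notify` restart fails too). Adding a task to each block that runs `ansible.builtin.systemd` with `state: stopped` and `enabled: false` against the other unit, guarded so it is not an error when that package was never installed, would make the switch idempotent. That switch-over is inferred as a supported case; if only fresh installs are intended, a comment above the two blocks saying so would be enough.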
diff --git a/templates/gerrit.nginx.j2 b/templates/gerrit.nginx.j2
new file mode 100644
index 0000000..8aab099
--- /dev/null
+++ b/templates/gerrit.nginx.j2
@@ -0,0 +1,25 @@
+server {
+    listen 80;
+    server_name {{ gerrit_config_canonical_domain }};
+
+    location ^~ / {
+        proxy_pass {{ gerrit_httpd_proxy_url }};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;
+    }
+}
+
+server {
+    listen 443;
+    server_name {{ gerrit_config_canonical_domain }};
+
+    ssl on;
+    ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
+    ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
+
+    location ^~ / {
+        proxy_pass {{ gerrit_httpd_proxy_url }};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;
+    }
+}
diff --git a/vars/gerrit.yml b/vars/gerrit.yml
index e1d21cf..c798ac3 100644
--- a/vars/gerrit.yml
+++ b/vars/gerrit.yml
@@ -21,6 +21,4 @@ installed_packages:
   - java-11-openjdk-headless
   - tzdata-java
   - postfix
-  - httpd
-  - mod_ssl
 ...
diff --git a/vars/internal.yml b/vars/internal.yml
index a2822d6..30d8791 100644
--- a/vars/internal.yml
+++ b/vars/internal.yml
@@ -1,10 +1,10 @@
 ---
 ipa_getcert_requested_hostnames:
   - name: "{{ ansible_fqdn }}"
-    owner: apache
+    owner: "{{ cert_owner }}"
     key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
     cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
     postcmd: "/bin/systemctl reload httpd"
     cnames:
-      - "git.rockylinux.org"
+      - "{{ gerrit_config_canonical_domain }}"
 ...
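Review bot: `ssl on;` is the pre-1.15 way of enabling TLS and has been removed in current nginx releases, so the 443 server block should read `listen 443 ssl;` with the `ssl on;` line dropped; on a distribution nginx that still accepts it, it only emits a deprecation warning, which is why the template may appear to work. In the same file the port-80 server proxies Gerrit in clear text even though the role sets `gerrit_httpd_listen_url` to `proxy-https://`, i.e. Gerrit is told it sits behind TLS, so sessions and credentials would travel unencrypted on that path; replacing that `location` with `return 301 https://{{ gerrit_config_canonical_domain }}$request_uri;` keeps plain HTTP to a redirect only. Using the templated domain rather than `$host` in the redirect also avoids echoing a client-supplied Host header back into a Location header.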
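Review bot: `postcmd` still runs `/bin/systemctl reload httpd` while `owner` now follows `cert_owner`, so on an nginx host the certificate renewed by ipa-getcert is never loaded into the proxy and it keeps serving the old one until it expires, with the reload itself failing because httpd is not installed there. Tie it to the same selector, `postcmd: "/bin/systemctl reload {{ reverse_proxy }}"`, which covers both units since both provide a reload action. Note the key is still owned by `cert_owner` (nginx) while the nginx master process reads it as root, so the ownership change itself is harmless.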