add nginx as a reverse proxy option

This commit is contained in:
Louis Abel 2023-07-25 02:43:32 -07:00
parent 9bdc4d66a6
commit d2b86597a8
Signed by: label
GPG Key ID: 2A6975660E424560
7 changed files with 89 additions and 17 deletions


@ -20,6 +20,7 @@ gerrit_allow_insecure_passwords: false
# Gerrit vars # Gerrit vars
gerrit_config_base_path: "git" gerrit_config_base_path: "git"
gerrit_config_canonical_domain: "git.rockylinux.org"
gerrit_config_canonical_weburl: "https://git.rockylinux.org" gerrit_config_canonical_weburl: "https://git.rockylinux.org"
# Gerrit index. Default LUCENE # Gerrit index. Default LUCENE
@ -33,6 +34,8 @@ gerrit_sshd_listen_address: "*:22220"
gerrit_sshd_threads: "32" gerrit_sshd_threads: "32"
# Gerrit httpd # Gerrit httpd
reverse_proxy: "httpd"
cert_owner: "{{ 'nginx' if reverse_proxy == 'nginx' else 'apache' }}"
gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/" gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
gerrit_httpd_proxy_url: "http://127.0.0.1:8080/" gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
gerrit_referenced_objects_reachable: false gerrit_referenced_objects_reachable: false

View File

@ -8,4 +8,9 @@
- name: reload_systemd - name: reload_systemd
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
- name: restart_httpd
ansible.builtin.systemd:
name: httpd.service
state: restarted
... ...

View File

@ -30,6 +30,13 @@
success_msg: "We are on a supported system" success_msg: "We are on a supported system"
fail_msg: "Only Rocky Linux versions 9 or higher are supported." fail_msg: "Only Rocky Linux versions 9 or higher are supported."
- name: Verify that reverse_proxy is proper
ansible.builtin.assert:
that:
- (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')
fail_msg: "Only httpd or nginx is supported"
success_msg: "reverse proxy is set"
- name: Import vault if available - name: Import vault if available
ansible.builtin.include_vars: ansible.builtin.include_vars:
file: "{{ vault_file }}" file: "{{ vault_file }}"

View File

@ -4,7 +4,17 @@
name: "{{ installed_packages }}" name: "{{ installed_packages }}"
state: present state: present
- name: Deploy reverse proxy - name: Deploy reverse proxy (httpd)
when: reverse_proxy == "httpd"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- httpd
- mod_ssl
state: present
- name: Deploy httpd configuration
ansible.builtin.template: ansible.builtin.template:
src: "gerrit.httpd.j2" src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf" dest: "/etc/httpd/conf.d/gerrit.conf"
@ -16,6 +26,30 @@
- name: Ensure httpd is enabled and running - name: Ensure httpd is enabled and running
ansible.builtin.systemd: ansible.builtin.systemd:
name: httpd.service name: httpd.service
state: running state: started
enabled: true
- name: Deploy reverse proxy (nginx)
when: reverse_proxy == "nginx"
block:
- name: Install packages as needed
ansible.builtin.package:
name:
- nginx
state: present
- name: Deploy nginx configuration
ansible.builtin.template:
src: "gerrit.nginx.j2"
dest: "/etc/nginx/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_nginx
- name: Ensure nginx is enabled and running
ansible.builtin.systemd:
name: nginx.service
state: started
enabled: true enabled: true
... ...

25
templates/gerrit.nginx.j2 Normal file
View File

@ -0,0 +1,25 @@
server {
listen 80;
server_name {{ gerrit_config_canonical_domain }};
location ^~ / {
proxy_pass {{ gerrit_httpd_proxy_url }};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
}
server {
listen 443;
server_name {{ gerrit_config_canonical_domain }};
ssl on;
ssl_certificate /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
ssl_certificate_key /etc/pki/tls/private/{{ ansible_fqdn }}.key;
location ^~ / {
proxy_pass {{ gerrit_httpd_proxy_url }};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
}

View File

@ -21,6 +21,4 @@ installed_packages:
- java-11-openjdk-headless - java-11-openjdk-headless
- tzdata-java - tzdata-java
- postfix - postfix
- httpd
- mod_ssl
... ...

View File

@ -1,10 +1,10 @@
--- ---
ipa_getcert_requested_hostnames: ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}" - name: "{{ ansible_fqdn }}"
owner: apache owner: "{{ cert_owner }}"
key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt" cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
postcmd: "/bin/systemctl reload httpd" postcmd: "/bin/systemctl reload httpd"
cnames: cnames:
- "git.rockylinux.org" - "{{ gerrit_config_canonical_domain }}"
... ...