add nginx as a reverse proxy option

defaults/main.yml

@@ -20,6 +20,7 @@ gerrit_allow_insecure_passwords: false
 
 # Gerrit vars
 gerrit_config_base_path: "git"
+gerrit_config_canonical_domain: "git.rockylinux.org"
 gerrit_config_canonical_weburl: "https://git.rockylinux.org"
 
 # Gerrit index. Default LUCENE
@@ -33,6 +34,8 @@ gerrit_sshd_listen_address: "*:22220"
 gerrit_sshd_threads: "32"
 
 # Gerrit httpd
+reverse_proxy: "httpd"
+cert_owner: "{{ 'nginx' if reverse_proxy == 'nginx' else 'apache' }}"
 gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
 gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
 gerrit_referenced_objects_reachable: false

handlers/main.yml

@@ -8,4 +8,9 @@
 - name: reload_systemd
   ansible.builtin.systemd:
     daemon_reload: true
+
+- name: restart_httpd
+  ansible.builtin.systemd:
+    name: httpd.service
+    state: restarted
 ...

install-gerrit.yml

@@ -30,6 +30,13 @@
         success_msg: "We are on a supported system"
         fail_msg: "Only Rocky Linux versions 9 or higher are supported."
 
+    - name: Verify that reverse_proxy is proper
+      ansible.builtin.assert:
+        that:
+          - (reverse_proxy == 'httpd') or (reverse_proxy == 'nginx')
+        fail_msg: "Only httpd or nginx is supported"
+        success_msg: "reverse proxy is set"
+
     - name: Import vault if available
       ansible.builtin.include_vars:
         file: "{{ vault_file }}"

tasks/pkg.yml

@@ -4,7 +4,17 @@
     name: "{{ installed_packages }}"
     state: present
 
-- name: Deploy reverse proxy
+- name: Deploy reverse proxy (httpd)
+  when: reverse_proxy == "httpd"
+  block:
+    - name: Install packages as needed
+      ansible.builtin.package:
+        name:
+          - httpd
+          - mod_ssl
+        state: present
+
+    - name: Deploy httpd configuration
       ansible.builtin.template:
         src: "gerrit.httpd.j2"
         dest: "/etc/httpd/conf.d/gerrit.conf"
@@ -13,9 +23,33 @@
         mode: "0644"
       notify: restart_httpd
 
-- name: Ensure httpd is enabled and running
+    - name: Ensure httpd is enabled and running
       ansible.builtin.systemd:
         name: httpd.service
-    state: running
+        state: started
+        enabled: true
+
+- name: Deploy reverse proxy (nginx)
+  when: reverse_proxy == "nginx"
+  block:
+    - name: Install packages as needed
+      ansible.builtin.package:
+        name:
+          - nginx
+        state: present
+
+    - name: Deploy nginx configuration
+      ansible.builtin.template:
+        src: "gerrit.nginx.j2"
+        dest: "/etc/nginx/conf.d/gerrit.conf"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart_nginx
+
+    - name: Ensure nginx is enabled and running
+      ansible.builtin.systemd:
+        name: nginx.service
+        state: started
         enabled: true
 ...

templates/gerrit.nginx.j2

@@ -0,0 +1,25 @@
+	server {
+	  listen 80;
+	  server_name {{ gerrit_config_canonical_domain }};
+
+	  location ^~ / {
+	    proxy_pass        {{ gerrit_httpd_proxy_url }};
+	    proxy_set_header  X-Forwarded-For $remote_addr;
+	    proxy_set_header  Host $host;
+	  }
+	}
+
+  server {
+	  listen 443;
+	  server_name {{ gerrit_config_canonical_domain }};
+
+	  ssl on;
+	  ssl_certificate      /etc/pki/tls/certs/{{ ansible_fqdn }}.crt;
+	  ssl_certificate_key  /etc/pki/tls/private/{{ ansible_fqdn }}.key;
+
+	  location ^~ / {
+	    proxy_pass        {{ gerrit_httpd_proxy_url }};
+	    proxy_set_header  X-Forwarded-For $remote_addr;
+	    proxy_set_header  Host $host;
+	  }
+	}

vars/gerrit.yml

@@ -21,6 +21,4 @@ installed_packages:
   - java-11-openjdk-headless
   - tzdata-java
   - postfix
-  - httpd
-  - mod_ssl
 ...

vars/internal.yml

@@ -1,10 +1,10 @@
 ---
 ipa_getcert_requested_hostnames:
   - name: "{{ ansible_fqdn }}"
-    owner: apache
+    owner: "{{ cert_owner }}"
     key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
     cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
     postcmd: "/bin/systemctl reload httpd"
     cnames:
-      - "git.rockylinux.org"
+      - "{{ gerrit_config_canonical_domain }}"
 ...