From 376182014744fe7ed78e2873139687c01211a18b Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Sun, 27 Aug 2023 18:17:49 -0700
Subject: [PATCH] update repopool playbooks
---
 ...ervers.yml => role-rocky-repopool-http.yml | 15 +++-
 ...opool.yml => role-rocky-repopool-rsync.yml | 7 +-
 tasks/efs_mount.yml | 7 ++
 tasks/repository.yml | 22 ++++++
 tasks/rsyncd.yml | 3 +-
 .../conf.d/repopool-http-production.conf.j2 | 68 +++++++++++++++++++
 vars/repopool.yml | 18 +++++
 7 files changed, 136 insertions(+), 4 deletions(-)
 rename init-rocky-repo-servers.yml => role-rocky-repopool-http.yml (71%)
 rename role-rocky-repopool.yml => role-rocky-repopool-rsync.yml (92%)
 create mode 100644 templates/etc/nginx/conf.d/repopool-http-production.conf.j2
 create mode 100644 vars/repopool.yml
diff --git a/init-rocky-repo-servers.yml b/role-rocky-repopool-http.yml
similarity index 71%
rename from init-rocky-repo-servers.yml
rename to role-rocky-repopool-http.yml
index de2c03e..669343f 100644
--- a/init-rocky-repo-servers.yml
+++ b/role-rocky-repopool-http.yml
@@ -1,8 +1,12 @@
 ---
 # Preps a system to be a repository
-- name: Configure repository system
+- name: Configure Repo Pool hosts (http)
 hosts: all
 become: true
+ vars_files:
+ - vars/common.yml
+ - vars/repopool.yml
+ - vars/mounts/repopool.yml
 handlers:
 - import_tasks: handlers/main.yml
@@ -21,8 +25,17 @@
 fail_msg: "/etc/no-ansible exists - skipping run on this node"
 tasks:
+ - name: "Setup shared filesystem mount"
+ include_tasks: tasks/efs_mount.yml
+ with_items: "{{ mounts }}"
+ tags:
+ - koji_efs_mount
+
 - name: Configure repository system
 import_tasks: tasks/repository.yml
+ tags:
+ - nginx
+ - httpd
 post_tasks:
 - name: Touching run file that ansible has ran here
diff --git a/role-rocky-repopool.yml b/role-rocky-repopool-rsync.yml
similarity index 92%
rename from role-rocky-repopool.yml
rename to role-rocky-repopool-rsync.yml
index 0a2ce89..5c0d14d 100644
--- a/role-rocky-repopool.yml
+++ b/role-rocky-repopool-rsync.yml
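Review bot: The new `Setup shared filesystem mount` task in the second hunk carries the tag `koji_efs_mount`, and the rename in the same patch keeps that tag in role-rocky-repopool-rsync.yml too, so a koji-named tag now selects (or, with `--skip-tags`, silently skips) the mount step on repopool hosts. A play-specific tag such as `- repopool_efs_mount` would make the selection explicit; the same applies to the rsync play's hunk. The `nginx` and `httpd` tags on `Configure repository system` select the same import, so one of them looks redundant unless httpd tasks are planned for tasks/repository.yml. The enclosing play continues outside the hunk.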
@@ -6,6 +6,7 @@
 vars_files:
 # vars/vaults/encpass.yml
 - vars/common.yml
+ - vars/repopool.yml
 - vars/mounts/repopool.yml
 # This is to try to avoid the handler issue in pre/post tasks
@@ -29,11 +30,13 @@
 - name: "Setup shared filesystem mount"
 include_tasks: tasks/efs_mount.yml
 with_items: "{{ mounts }}"
- tags: ["koji_efs_mount"]
+ tags:
+ - koji_efs_mount
 - name: "Setup rsyncd"
 include_tasks: tasks/rsyncd.yml
- tags: ["rsyncd"]
+ tags:
+ - rsyncd
 post_tasks:
 - name: Touching run file that ansible has ran here
diff --git a/tasks/efs_mount.yml b/tasks/efs_mount.yml
index 0a58354..d2de19a 100644
--- a/tasks/efs_mount.yml
+++ b/tasks/efs_mount.yml
@@ -1,6 +1,13 @@
 ---
 # Requires amazon-efs-utils; included, but should probably be split out?
 #
+- name: "Create directories"
+ ansible.builtin.file:
+ name: "{{ item.mount_point }}"
+ mode: '0755'
+ owner: root
+ group: root
+ state: directory
 - name: "Installing amazon-efs-utils"
 become: true
diff --git a/tasks/repository.yml b/tasks/repository.yml
index ca86fa3..7937df1 100644
--- a/tasks/repository.yml
+++ b/tasks/repository.yml
@@ -1,3 +1,25 @@
 ---
 # no tasks yet
+- name: Configure seboolean
+ ansible.posix.seboolean:
+ name: "{{ item }}"
+ persistent: true
+ state: true
+ notify: restart_nginx
+ with_items: "{{ repopool_http_booleans }}"
+
+- name: Install http packages
+ ansible.builtin.dnf:
+ name: "{{ repopool_http_packages }}"
+ state: present
+
+- name: Deploy nginx config
+ ansible.builtin.template:
+ src: "etc/nginx/conf.d/repopool-http-production.conf.j2"
+ dest: "/etc/nginx/conf.d/repopool-http-production.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: true
+ notify: restart_nginx
 ...
diff --git a/tasks/rsyncd.yml b/tasks/rsyncd.yml
index 1f46e89..da626c2 100644
--- a/tasks/rsyncd.yml
+++ b/tasks/rsyncd.yml
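Review bot: The added `Create directories` task in tasks/efs_mount.yml has no `become: true`, while the `Installing amazon-efs-utils` task directly below it sets it explicitly; creating a root-owned directory for the mount point needs privilege, so the new task only works when the including play escalates at play level (role-rocky-repopool-http.yml does; the rsync play's hunk does not show whether it does). Adding `become: true` to the new task keeps it consistent with its sibling and independent of the caller. `ansible.builtin.file` documents the target as `path` (`name` is an accepted alias), so `path: "{{ item.mount_point }}"` would match the module docs. The task file continues outside the hunk.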
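Review bot: Nothing in the tasks/repository.yml hunk ensures nginx is running and enabled: `Install http packages` only installs it, and the two `notify: restart_nginx` calls fire only on change, so a restart on first deploy starts the daemon but never enables the unit for boot, and on an already-configured host with no config change nothing checks it is up at all. The rsync side handles the same need with an `ansible.builtin.service` task for postfix in tasks/rsyncd.yml; an equivalent task after `Deploy nginx config` closes the gap. The `restart_nginx` handler is assumed to exist in handlers/main.yml, which this patch does not touch — worth confirming.
```yaml
- name: Ensure nginx is running and enabled
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true
```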
@@ -19,10 +19,11 @@
 - name: Configure seboolean
 ansible.posix.seboolean:
- name: rsync_export_all_ro
+ name: "{{ item }}"
 persistent: true
 state: true
 notify: restart_rsyncd
+ with_items: "{{ repopool_rsync_booleans }}"
 - name: Ensure postfix is running and enabled
 ansible.builtin.service:
diff --git a/templates/etc/nginx/conf.d/repopool-http-production.conf.j2 b/templates/etc/nginx/conf.d/repopool-http-production.conf.j2
new file mode 100644
index 0000000..6c49ce0
--- /dev/null
+++ b/templates/etc/nginx/conf.d/repopool-http-production.conf.j2
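Review bot: The loop over `repopool_rsync_booleans` now also enables `use_nfs_home_dirs` (per vars/repopool.yml), a system-wide boolean aimed at home directories, not at an rsync daemon serving content under /mnt. If the intent is letting rsyncd read NFS-backed files, the boolean scoped to the rsync domain is `rsync_use_nfs`; confirm against the actual AVC denials before widening policy for every domain on the host. The task still notifies `restart_rsyncd` on every boolean change, which is harmless but means an unrelated boolean flip restarts the service.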
@@ -0,0 +1,68 @@
+ server {
+ listen 80 default_server backlog=4096;
+ server_name _;
+ root /mnt/repos-production/mirror;
+
+ location / {
+ autoindex on;
+ }
+
+ location /stg {
+ autoindex on;
+ alias /mnt/repos-staging/mirror/pub;
+ }
+
+ location ~* .*(\.manifest|CHECKSUM|COMMUNITY-CHARTER|COMPOSE_ID|Contributors|EULA|LICENSE|\.yaml|\.json|README|fullfile.*)$ {
+ #add_header Content-Type text/plain;
+ types { } default_type "text/plain; charset=utf-8";
+ }
+
+ location ~* RPM-GPG-KEY-.*$ {
+ # add_header Content-Type text/plain;
+ types { } default_type "text/plain; charset=utf-8";
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+ }
+
+ server {
+ listen 443 ssl;
+ server_name _;
+ root /mnt/repos-production/mirror;
+ ssl_certificate /etc/pki/tls/certs/dl.rockylinux.org.crt;
+ ssl_certificate_key /etc/pki/tls/private/dl.rockylinux.org.key;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location / {
+ autoindex on;
+ }
+
+ location /stg {
+ autoindex on;
+ alias /mnt/repos-staging/mirror/pub;
+ }
+
+ location ~* .*(\.manifest|CHECKSUM|COMMUNITY-CHARTER|COMPOSE_ID|Contributors|EULA|LICENSE|\.yaml|\.json|README|fullfile.*)$ {
+ #add_header Content-Type text/plain;
+ types { } default_type "text/plain; charset=utf-8";
+ }
+
+ location ~* RPM-GPG-KEY-.*$ {
+ # add_header Content-Type text/plain;
+ types { } default_type "text/plain; charset=utf-8";
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+ }
diff --git a/vars/repopool.yml b/vars/repopool.yml
new file mode 100644
index 0000000..2b75d0f
--- /dev/null
+++ b/vars/repopool.yml
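Review bot: `error_page 404 /404.html;` names a URI that the following `location = /40x.html { }` block does not match, in both the :80 and :443 servers, so a 404 is internally redirected to /404.html and looked up under the mirror root rather than handled by that block; one of the two names should change, e.g. `error_page 404 /40x.html;`. The TLS server sets `ssl_ciphers` but no `ssl_protocols`, so the accepted versions fall to the nginx build's default, which on older builds still includes TLS 1.0/1.1 — `ssl_protocols TLSv1.2 TLSv1.3;` pins it. `listen 80 default_server` will collide with the distribution's stock nginx.conf if that file also declares a default server on :80 (nginx then refuses to start), which is worth checking on the target image. The certificate paths hardcode dl.rockylinux.org while vars/repopool.yml introduces `repopool_http_domain` with that same value; using `{{ repopool_http_domain }}` in this .j2 would keep the two in agreement.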
@@ -0,0 +1,18 @@
+---
+repopool_http_packages:
+ - nginx
+ - nginx-all-modules
+ - nginx-mod-http-image-filter
+ - nginx-mod-mail
+ - nginx-mod-perl
+ - nginx-mod-stream
+repopool_rsync_booleans:
+ - use_nfs_home_dirs
+ - rsync_export_all_ro
+repopool_http_booleans:
+ - httpd_use_nfs
+ - git_system_use_nfs
+ - use_nfs_home_dirs
+repopool_http_domain: dl.rockylinux.org
+repopool_rsync_domain: msync.rockylinux.org
+...
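Review bot: `repopool_http_packages` pulls in `nginx-mod-mail`, `nginx-mod-stream`, `nginx-mod-perl`, `nginx-mod-http-image-filter` and `nginx-all-modules`, none of which the accompanying repopool-http-production.conf.j2 uses (it is plain http with autoindex and TLS); each module package is loaded into the daemon by the stock configuration and widens what a bug in nginx can reach, so trimming the list to `- nginx` is the least-privilege default until a module is actually needed. Likewise `repopool_http_booleans` enables `git_system_use_nfs` and `use_nfs_home_dirs` on a host that, as far as this patch shows, runs no git daemon and serves no home directories; `httpd_use_nfs` alone is the boolean nginx's httpd_t domain needs for NFS-backed content. `repopool_http_domain` and `repopool_rsync_domain` are defined here but referenced by nothing else in the patch, so they are dead values unless a later change consumes them.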