removing nginx

2024-11-21 20:51:27 +00:00 · 2021-07-18 15:02:50 -07:00 · 2021-07-18 15:02:50 -07:00 · e9589a3985
commit e9589a3985
parent f755147df9
4 changed files with 37 additions and 71 deletions
--- a/ansible/playbooks/tasks/gitlab-reconfigure.yml
+++ b/ansible/playbooks/tasks/gitlab-reconfigure.yml
@ -1,46 +1,23 @@
 ---
- name: Install nginx normally
-  yum:
-    name: nginx
-    state: present
-
- name: Reconfigure Main nginx configuration
-  template:
-    src: "etc/nginx/nginx.conf.j2"
-    dest: "/etc/nginx/nginx.conf"
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-
- name: Add omnibus nginx configuration
-  template:
-    src: "etc/nginx/conf.d/omnibus.conf.j2"
-    dest: "/etc/nginx/conf.d/omnibus.conf"
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-
- name: Copy self-signed certificates from GitLab
+- name: Copy certificates from ipa-getcert directory
  copy:
-    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
-    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
-    owner: root
+    src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
+    dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
+    owner: gitlab-www
    group: root
    mode: '0644'
    remote_src: true
-  when: gitlab_create_self_signed_cert
+  when: not gitlab_create_self_signed_cert

- name: Copy self-signed certificate key
+- name: Copy keys from ipa-getcert directory
  copy:
-    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
-    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
-    owner: root
+    src: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
+    dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
+    owner: gitlab-www
    group: root
-    mode: '0644'
+    mode: '0600'
    remote_src: true
-  when: gitlab_create_self_signed_cert
+  when: not gitlab_create_self_signed_cert

 - name: Symlink the IPA CA
  file:
@ -50,10 +27,6 @@
    group: root
    state: link

- name: Symlink the hash
-  command: "openssl rehash /etc/gitlab/trusted-certs"
-  changed_when: "1 != 1"
-
 - name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
@ -65,21 +38,12 @@
    - httpd_can_connect_ldap
    - httpd_read_user_content

- name: Stop nginx
-  service:
-    name: nginx
-    state: stopped
-
- name: Change fcontext to GitLab unix socket for nginx
-  community.general.sefcontext:
-    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
-    setype: httpd_var_run_t
-    state: present
-
- name: Apply fcontext to GitLab unix socket for nginx
-  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
-  register: restorecon_result
-  changed_when: "restorecon_result.rc == 0"
+- name: Reconfigure gitlab is we're asked to
+  command: /usr/bin/gitlab-ctl reconfigure
+  register: gitlab_ctl_result
+  changed_when: "gitlab_ctl_result.rc == 0"
+  when:
+    - gitlab_reconfigure_only

 - name: Add firewall rules - http/s
  ansible.posix.firewalld:
@ -91,15 +55,10 @@
    - http
    - https

- name: Add nginx user to git groups
-  user:
-    name: nginx
-    shell: /sbin/nologin
-    groups: gitlab-www,git
-    append: yes
-
- name: Enable and Start nginx
-  service:
-    name: nginx
-    enabled: true
-    state: started
+- name: Deploy correct script
+  template:
+    src: "usr/local/bin/fix_gitlab_certs.sh"
+    dest: "/usr/local/bin/fix_gitlab_certs.sh"
+    owner: root
+    group: root
+    mode: '0750'
--- a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
+++ b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
@ -18,6 +18,7 @@ gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}"
 nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }}
 nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}"
 nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}"
+letsencrypt['enable'] = false

 # The directory where Git repositories will be stored.
 git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} })
@ -120,8 +121,8 @@ registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificat

 # To change other settings, see:
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings
-nginx['enable'] = false
-nginx['external_users'] = ['nginx']
+#nginx['enable'] = false
+#nginx['external_users'] = ['nginx']

 {% if gitlab_external_db %}
 postgresql['enable'] = false
--- a/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh
+++ b/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+/bin/cp "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
+/bin/cp "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
+/bin/chown gitlab-www /etc/gitlab/ssl/*.{crt,key}
+/bin/chmod 600 /etc/gitlab/ssl/*.key
+/usr/bin/gitlab-ctl hup nginx
--- a/ansible/playbooks/vars/gitlab.yml
+++ b/ansible/playbooks/vars/gitlab.yml
@ -58,8 +58,7 @@ gitlab_smtp_ca_path: "/etc/pki/tls/certs"
 gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"

 # In case of reverse proxy
-gitlab_nginx_listen_port: 8080
-gitlab_nginx_listen_https: "false"
+gitlab_nginx_listen_https: "true"

 gitlab_default_theme: 2

@ -71,7 +70,7 @@ gitlab_external_db_password: "{{ gitlab_db_pass }}"
 gitlab_registry_enable: "true"
 gitlab_registry_external_url: "https://git.rockylinux.org:5050"
 gitlab_registry_nginx_ssl_certificate: "{{ gitlab_ssl_certificate }}"
-gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_registry_nginx_ssl_certificate_key }}"
+gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_ssl_certificate_key }}"
 gitlab_trusted_proxies:
  - 10.100.20.20/32

@ -80,6 +79,6 @@ ipa_getcert_requested_hostnames:
    owner: nginx
    key_location: "{{ gitlab_ssl_key }}"
    cert_location: "{{ gitlab_ssl_cert }}"
-    postcmd: "/bin/systemctl restart nginx"
+    postcmd: "/usr/local/bin/fix_gitlab_certs.sh"
    cnames:
      - "git.rockylinux.org"