removing nginx

2024-11-21 20:51:27 +00:00 · 2021-07-18 15:02:50 -07:00 · 2021-07-18 15:02:50 -07:00 · e9589a3985
commit e9589a3985
parent f755147df9
4 changed files with 37 additions and 71 deletions
--- a/ansible/playbooks/tasks/gitlab-reconfigure.yml
+++ b/ansible/playbooks/tasks/gitlab-reconfigure.yml
@ -1,46 +1,23 @@
 ---
- name: Install nginx normally
+- name: Copy certificates from ipa-getcert directory
  yum:
    name: nginx
    state: present
 - name: Reconfigure Main nginx configuration
  template:
    src: "etc/nginx/nginx.conf.j2"
    dest: "/etc/nginx/nginx.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true
 - name: Add omnibus nginx configuration
  template:
    src: "etc/nginx/conf.d/omnibus.conf.j2"
    dest: "/etc/nginx/conf.d/omnibus.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true
 - name: Copy self-signed certificates from GitLab
  copy:
-    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
+    src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
-    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
+    dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
-    owner: root
+    owner: gitlab-www
    group: root
    mode: '0644'
    remote_src: true
-  when: gitlab_create_self_signed_cert
+  when: not gitlab_create_self_signed_cert
- name: Copy self-signed certificate key
+- name: Copy keys from ipa-getcert directory
  copy:
-    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
+    src: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
-    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
+    dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
-    owner: root
+    owner: gitlab-www
    group: root
-    mode: '0644'
+    mode: '0600'
    remote_src: true
-  when: gitlab_create_self_signed_cert
+  when: not gitlab_create_self_signed_cert
 - name: Symlink the IPA CA
  file:
@ -50,10 +27,6 @@
    group: root
    state: link
 - name: Symlink the hash
  command: "openssl rehash /etc/gitlab/trusted-certs"
  changed_when: "1 != 1"
 - name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
@ -65,21 +38,12 @@
    - httpd_can_connect_ldap
    - httpd_read_user_content
- name: Stop nginx
+- name: Reconfigure gitlab is we're asked to
-  service:
+  command: /usr/bin/gitlab-ctl reconfigure
-    name: nginx
+  register: gitlab_ctl_result
-    state: stopped
+  changed_when: "gitlab_ctl_result.rc == 0"
-
+  when:
- name: Change fcontext to GitLab unix socket for nginx
+    - gitlab_reconfigure_only
  community.general.sefcontext:
    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
    setype: httpd_var_run_t
    state: present
 - name: Apply fcontext to GitLab unix socket for nginx
  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
  register: restorecon_result
  changed_when: "restorecon_result.rc == 0"
 - name: Add firewall rules - http/s
  ansible.posix.firewalld:
@ -91,15 +55,10 @@
    - http
    - https
- name: Add nginx user to git groups
+- name: Deploy correct script
-  user:
+  template:
-    name: nginx
+    src: "usr/local/bin/fix_gitlab_certs.sh"
-    shell: /sbin/nologin
+    dest: "/usr/local/bin/fix_gitlab_certs.sh"
-    groups: gitlab-www,git
+    owner: root
-    append: yes
+    group: root
-
+    mode: '0750'
 - name: Enable and Start nginx
  service:
    name: nginx
    enabled: true
    state: started
--- a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
+++ b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb
@ -18,6 +18,7 @@ gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}"
 nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }}
 nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}"
 nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}"
 letsencrypt['enable'] = false
 # The directory where Git repositories will be stored.
 git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} })
@ -120,8 +121,8 @@ registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificat
 # To change other settings, see:
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings
-nginx['enable'] = false
+#nginx['enable'] = false
-nginx['external_users'] = ['nginx']
+#nginx['external_users'] = ['nginx']
 {% if gitlab_external_db %}
 postgresql['enable'] = false
--- a/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh
+++ b/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 /bin/cp "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
 /bin/cp "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
 /bin/chown gitlab-www /etc/gitlab/ssl/*.{crt,key}
 /bin/chmod 600 /etc/gitlab/ssl/*.key
 /usr/bin/gitlab-ctl hup nginx
--- a/ansible/playbooks/vars/gitlab.yml
+++ b/ansible/playbooks/vars/gitlab.yml
@ -58,8 +58,7 @@ gitlab_smtp_ca_path: "/etc/pki/tls/certs"
 gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"
 # In case of reverse proxy
-gitlab_nginx_listen_port: 8080
+gitlab_nginx_listen_https: "true"
 gitlab_nginx_listen_https: "false"
 gitlab_default_theme: 2
@ -71,7 +70,7 @@ gitlab_external_db_password: "{{ gitlab_db_pass }}"
 gitlab_registry_enable: "true"
 gitlab_registry_external_url: "https://git.rockylinux.org:5050"
 gitlab_registry_nginx_ssl_certificate: "{{ gitlab_ssl_certificate }}"
-gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_registry_nginx_ssl_certificate_key }}"
+gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_ssl_certificate_key }}"
 gitlab_trusted_proxies:
  - 10.100.20.20/32
@ -80,6 +79,6 @@ ipa_getcert_requested_hostnames:
    owner: nginx
    key_location: "{{ gitlab_ssl_key }}"
    cert_location: "{{ gitlab_ssl_cert }}"
-    postcmd: "/bin/systemctl restart nginx"
+    postcmd: "/usr/local/bin/fix_gitlab_certs.sh"
    cnames:
      - "git.rockylinux.org"