--- - name: Install nginx normally yum: name: nginx state: present - name: Reconfigure Main nginx configuration template: src: "etc/nginx/nginx.conf.j2" dest: "/etc/nginx/nginx.conf" owner: root group: root mode: '0644' backup: true - name: Add omnibus nginx configuration template: src: "etc/nginx/conf.d/omnibus.conf.j2" dest: "/etc/nginx/conf.d/omnibus.conf" owner: root group: root mode: '0644' backup: true - name: Copy self-signed certificates from GitLab copy: src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt" dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt" owner: root group: root mode: '0644' remote_src: true when: gitlab_create_self_signed_cert - name: Copy self-signed certificate key copy: src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key" dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key" owner: root group: root mode: '0644' remote_src: true when: gitlab_create_self_signed_cert - name: Symlink the IPA CA file: src: "/etc/ipa/ca.crt" dest: "/etc/gitlab/trusted-certs/ipa-ca.crt" owner: root group: root state: link - name: Turn on necessary SELinux booleans ansible.posix.seboolean: name: "{{ item }}" state: true persistent: true loop: - httpd_can_network_connect - httpd_can_network_relay - httpd_read_user_content - name: Change fcontext to GitLab unix socket for nginx community.general.sefcontext: target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket" setype: httpd_var_run_t state: present - name: Apply fcontext to GitLab unix socket for nginx command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket register: restorecon_result changed_when: "restorecon_result == 0" - name: Add firewall rules - http/s ansible.posix.firewalld: service: "{{ item }}" permanent: true state: enabled immediate: true loop: - http - https - name: Add nginx user to git groups user: name: nginx shell: /sbin/nologin groups: gitlab-www,git append: yes - name: Enable and Start nginx service: name: nginx enabled: true state: started