---
# Install nginx from the distribution repositories (FQCN form of the `yum` module,
# matching the ansible.posix / community.general modules used later in this file).
- name: Install nginx normally
  ansible.builtin.yum:
    name: nginx
    state: present
# Render the main nginx configuration from the role's template.
# `backup: true` keeps a timestamped copy of the previous file on the target so a
# bad render can be rolled back by hand.
# NOTE(review): no `notify` here — an already-running nginx will not reload the new
# file on its own; confirm a reload/restart handler is triggered elsewhere.
- name: Reconfigure Main nginx configuration
  ansible.builtin.template:
    src: 'etc/nginx/nginx.conf.j2'
    dest: '/etc/nginx/nginx.conf'
    owner: root
    group: root
    mode: '0644'
    backup: true
# Drop-in server configuration for the GitLab Omnibus reverse proxy, rendered
# into conf.d. Same ownership/mode/backup policy as the main configuration file.
# NOTE(review): as with nginx.conf, nothing reloads nginx after this changes.
- name: Add omnibus nginx configuration
  ansible.builtin.template:
    src: 'etc/nginx/conf.d/omnibus.conf.j2'
    dest: '/etc/nginx/conf.d/omnibus.conf'
    owner: root
    group: root
    mode: '0644'
    backup: true
# Publish the GitLab-generated self-signed certificate where nginx expects it.
# `remote_src: true` means `src` is read on the managed host, not the controller.
# The certificate is public material, so a world-readable mode is appropriate here.
# Only runs when the play is configured to use a self-signed certificate.
- name: Copy self-signed certificates from GitLab
  ansible.builtin.copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
    owner: root
    group: root
    mode: '0644'
    remote_src: true
  when: gitlab_create_self_signed_cert
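# Copy the TLS private key next to the certificate for nginx.
# `remote_src: true` means `src` is read on the managed host, not the controller.
# Only runs when the play is configured to use a self-signed certificate.
- name: Copy self-signed certificate key
  ansible.builtin.copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
    owner: root
    group: root
    # The private key must not be world-readable (it was 0644 before). Root-only
    # access is sufficient on the stock package, where the nginx master process
    # runs as root and loads the key before dropping privileges to the worker user.
    mode: '0600'
    remote_src: true
  when: gitlab_create_self_signed_cert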
# Make the IPA CA certificate visible to GitLab's trusted-certs directory via a
# symlink rather than a copy, so CA rotations on the host are picked up.
# NOTE(review): without `force`, the task fails if /etc/ipa/ca.crt is absent
# (i.e. the host is not IPA-enrolled) — confirm that is the intended behaviour.
- name: Symlink the IPA CA
  ansible.builtin.file:
    src: '/etc/ipa/ca.crt'
    dest: '/etc/gitlab/trusted-certs/ipa-ca.crt'
    owner: root
    group: root
    state: link
# Enable the SELinux booleans the httpd_t domain (nginx) needs, persistently.
# The network booleans are presumably what lets nginx reverse-proxy to GitLab;
# httpd_read_user_content allows reading content under user home directories.
- name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_connect
    - httpd_can_network_relay
    - httpd_read_user_content
# Record a file-context rule so the GitLab Workhorse socket is labelled
# httpd_var_run_t, which the nginx (httpd_t) domain may connect to.
# This only updates the policy; the separate restorecon task applies the label.
- name: Change fcontext to GitLab unix socket for nginx
  community.general.sefcontext:
    target: '/var/opt/gitlab/gitlab-workhorse/sockets/socket'
    setype: httpd_var_run_t
    state: present
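# Apply the recorded file context to the existing socket.
# NOTE(review): restorecon exits non-zero if the socket does not exist yet
# (GitLab not reconfigured) — confirm ordering with the GitLab tasks.
- name: Apply fcontext to GitLab unix socket for nginx
  ansible.builtin.command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
  register: restorecon_result
  # `restorecon -v` prints a line only when it actually relabels something, so an
  # empty stdout means the label was already correct. Reporting "changed" on
  # rc == 0 (the previous condition) marked every successful run as a change.
  changed_when: restorecon_result.stdout | length > 0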
# Open HTTP and HTTPS in firewalld. `permanent` persists the rule across reloads
# and `immediate` applies it to the running configuration in the same step.
- name: Add firewall rules - http/s
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
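# Give the nginx service account access to GitLab's sockets/content via
# supplementary groups. The account keeps a non-interactive shell.
- name: Add nginx user to git groups
  ansible.builtin.user:
    name: nginx
    shell: /sbin/nologin
    # gitlab-www is what grants access to the Workhorse socket; membership in
    # `git` is broader (git-owned data) — NOTE(review): confirm the Omnibus
    # layout on these hosts still requires it, in keeping with least privilege.
    groups: gitlab-www,git
    # Add to the listed groups without dropping existing memberships; `true`
    # rather than `yes` matches the boolean style used elsewhere in this file
    # and avoids the YAML 1.1 truthy ambiguity flagged by yamllint.
    append: true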
# Ensure nginx starts now and on boot.
# NOTE(review): `state: started` does nothing to an instance that is already
# running, so the configuration rendered by the template tasks above is not
# reloaded here — confirm a reload/restart handler covers that case.
- name: Enable and Start nginx
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true