diff --git a/ansible/roles/nexus/files/nexus.hcl b/ansible/roles/nexus/files/nexus.hcl
index b4551cf..cf88dd2 100644
--- a/ansible/roles/nexus/files/nexus.hcl
+++ b/ansible/roles/nexus/files/nexus.hcl
@@ -10,3 +10,15 @@ services {
     }
   ]
 }
+services {
+  id = "docker"
+  name = "docker"
+  port = 8082
+  checks = [
+    {
+      args = ["nc", "-z", "-v", "localhost", "8082"]
+      interval = "5s"
+      timeout = "20s"
+    }
+  ]
+}
diff --git a/ansible/roles/nexus/templates/nexus.properties.j2 b/ansible/roles/nexus/files/nexus.properties
similarity index 94%
rename from ansible/roles/nexus/templates/nexus.properties.j2
rename to ansible/roles/nexus/files/nexus.properties
index 3232604..c210695 100644
--- a/ansible/roles/nexus/templates/nexus.properties.j2
+++ b/ansible/roles/nexus/files/nexus.properties
@@ -1,6 +1,5 @@
 # Jetty section
 application-port-ssl=8081
-application-port=8082
 application-host=0.0.0.0
 nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
 ssl.etc=/opt/sonatype/nexus/etc/ssl/
diff --git a/ansible/roles/nexus/tasks/main.yml b/ansible/roles/nexus/tasks/main.yml
index 60a3e1b..c63e546 100644
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: ensure pexpect exists
+  pip:
+    name: pexpect
+    state: present
+
 - name: check if server cert is expiring in the next 5 days
   shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
   args:
@@ -9,7 +14,7 @@
   register: exp
 
 - name: get cert
-  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ consul_domain }} alt_names=nexus.service.{{ main_dc_name }}.{{ consul_domain }},docker.service.{{ consul_domain }},docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
   args:
     executable: /bin/bash
   environment:
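Review bot: The new `docker` service check shells out to `nc`, which makes it a Consul script check, and script checks only run when the agent has `enable_local_script_checks` (or the broader `enable_script_checks`, which lets anyone who can reach the agent HTTP API register arbitrary commands) turned on. A native TCP check does the same probe with no agent-wide opt-in and no dependency on `nc` being installed: replace the `args` line with `tcp = "localhost:8082"`. The `timeout = "20s"` is also longer than the `interval = "5s"`, so one probe can still be in flight when the next is scheduled; a timeout shorter than the interval, e.g. `timeout = "2s"`, is the usual shape. Either way the check only proves the port accepts TCP connections, not that the Docker connector behind it is serving TLS, so it should not be read as a health signal for the registry.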
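Review bot: `pip: name: pexpect` with no `version:` installs whichever release PyPI serves at run time into the system Python as root on every run of the role, which is an unpinned supply-chain dependency on a box that also holds the Vault-issued private key. The same file already installs `python3-docker` from apt, so the consistent and reproducible choice is `apt: name: python3-pexpect`, or at minimum a pinned `version:` on the pip task. Note too that the `expect` module used later needs pexpect in the interpreter Ansible runs modules with, which `pip:` without `executable:`/`virtualenv:` does not guarantee; the apt package lands in the same `python3` the role already relies on.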
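Review bot: The rewritten `vault write pki_int/issue/...` line returns the freshly issued private key in its JSON stdout, and that output is registered and consumed by the copy task later in this file, so unless the task carries `no_log: true` the key is printed in playbook output and anything that collects it. The rest of the task (and whether `no_log` is already set) lies outside this hunk, so please confirm; if it is missing, `no_log: true` directly under `- name: get cert` is the fix. The request now asks for four names via `alt_names`, so the Vault role `{{ vault_pki_policy }}` must allow `docker.service.*` in addition to `nexus.service.*`, otherwise the issue call fails and no certificate is rotated.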
@@ -27,6 +32,7 @@
     owner: root
     group: root
   when: cert_data.changed
+  register: cert_written
   loop:
     - {
         content: "{{ (cert_data.stdout | from_json).data.certificate }}",
@@ -38,6 +44,30 @@
         path: "keys/nexus.key",
         mode: "0600"
       }
+
+# I hate this
+- name: create cert for keystore
+  shell: for i in nexus.crt MaskedName_Root_CA.pem; do (cat "/etc/pki/certs/${i}"; echo) >> /tmp/keystore.crt; done
+  args:
+    executable: /bin/bash
+  when: cert_written.changed
+
+- name: write keystore
+  expect:
+    command: "openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks"
+    responses:
+      Enter Export Password:
+        - password
+      Verifying - Enter Export Password:
+        - password
+  when: cert_written.changed
+
+- name: remove tmp keystore
+  file:
+    path: /tmp/keystore.crt
+    state: absent
+  when: cert_written.changed
+
 - name: ensure python-docker is installed
   apt:
     name: python3-docker
@@ -56,14 +86,6 @@
     uid: 200
     create_home: False
 
-- name: ensure nexus ssl dir exists
-  file:
-    path: /etc/nexus/
-    state: directory
-    owner: root
-    group: root
-    mode: 0755
-
 - name: ensure nexus data dir exists
   file:
     path: "{{ nexus_storage }}"
@@ -88,17 +110,9 @@
     group: nexus
     mode: 0755
 
-- name: ensure keystore exists
+- name: copy nexus.properties
   copy:
-    content: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['keystore'] | b64decode }}"
-    dest: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
-    owner: nexus
-    group: nexus
-    mode: 0700
-
-- name: template nexus.properties
-  template:
-    src: templates/nexus.properties.j2
+    src: files/nexus.properties
     dest: "{{ nexus_storage }}/etc/nexus.properties"
 
 - name: run nexus3
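Review bot: The `write keystore` task protects the PKCS#12 bundle containing the Vault-issued private key with the literal export password `password`, written twice in cleartext in the role, and drives `openssl` through `expect` only to type it in. `openssl pkcs12 -export` accepts `-passout env:VAR`, so the password can come from the same `hashi_vault` lookup the file already uses for `REGISTRY_HTTP_SECRET`, be passed through the task's `environment:` (not `-passout pass:`, which shows up in `ps`), and the whole `expect`/pexpect dependency goes away; if Nexus's jetty-https.xml is pinned to its default keystore password that constraint should at least be stated in a comment rather than left implicit. The `create cert for keystore` task appends with `>>` to the fixed path `/tmp/keystore.crt`, so if a previous run died before `remove tmp keystore` the next bundle carries stale certificates, and writing as root to a predictable world-writable path is a classic symlink target; use `ansible.builtin.tempfile` or at least `>` to a root-owned directory. The rewrite below assumes a variable such as `nexus_keystore_password` holds the secret; substitute whatever lookup you keep it under.

```yaml
- name: write keystore
  command: >-
    openssl pkcs12 -export
    -inkey /etc/pki/keys/nexus.key
    -in /tmp/keystore.crt
    -passout env:KEYSTORE_PASS
    -out {{ nexus_config_dir }}/etc/ssl/keystore.jks
  environment:
    KEYSTORE_PASS: "{{ nexus_keystore_password }}"
  no_log: true
  when: cert_written.changed
# … unchanged: remove tmp keystore …
```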
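Review bot: Replacing `ensure keystore exists` with `copy nexus.properties` also removes the only place `keystore.jks` received `owner: nexus`, `group: nexus`, `mode: 0700`; the file is now whatever `openssl pkcs12 -export`, run as root earlier in this file, leaves behind, which depending on umask is either readable by every local user (exposing the private key behind a weak export password) or unreadable to the container's uid 200. Add a follow-up task after the export, `file: path: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"` with `owner: nexus`, `group: nexus`, `mode: "0600"`, and quote the mode so YAML does not read it as an integer. The new `copy` task itself is fine; like the `template` task it replaces it sets no owner or mode, which matches a non-secret config file.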
@@ -111,10 +125,10 @@
       REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
     ports:
       - "8081:8081"
+      - "8082:8082"
     volumes:
       - "{{ nexus_storage }}:/nexus-data"
       - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
-      - /etc/nexus:/certs
     restart_policy: always
 
 - name: ensure nexus consul service config exists
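Review bot: `- "8082:8082"` publishes the Docker connector on every host interface, and Docker's port publishing installs its own iptables rules ahead of the host's INPUT policy, so a firewall that was written to allow only 8081 will not cover the new port. Nothing in this change shows whether the Nexus Docker repository connector on 8082 is an HTTPS connector: the `application-port=8082` plain listener was removed from nexus.properties and the certificate issued earlier in the file carries `docker.service.*` SANs, which suggests HTTPS is intended, but if the connector is configured as HTTP the registry's basic-auth credentials and bearer tokens cross the network in cleartext. Confirm the connector is set to HTTPS against the same keystore, and if the registry only needs to be reachable on the address Consul advertises, bind the publish to that interface rather than `0.0.0.0`.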