move non-template out of templates, add docker registry configuration to nexus, add nexus service for dns
This commit is contained in:
parent
ce0b27f5d0
commit
1b18334068
3 changed files with 46 additions and 21 deletions
@ -10,3 +10,15 @@ services {
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
services {
|
||||||
|
id = "docker"
|
||||||
|
name = "docker"
|
||||||
|
port = 8082
|
||||||
|
checks = [
|
||||||
|
{
|
||||||
|
args = ["nc", "-z", "-v", "localhost", "8082"]
|
||||||
|
interval = "5s"
|
||||||
|
timeout = "20s"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
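Review bot: The new `docker` service's health check shells out to `nc` via `args`, which makes it a script check that only runs when the Consul agent has `enable_script_checks` (or `enable_local_script_checks`) turned on, a setting Consul documents as security-sensitive because it lets the agent execute arbitrary commands from service definitions. Consul's native TCP check expresses the same probe without that requirement, `tcp = "localhost:8082"`, replacing the `args = [...]` line. The `timeout = "20s"` is also longer than the `interval = "5s"`, so a hung probe may still be running when the next one is scheduled; a timeout at or below the interval, e.g. `timeout = "5s"`, keeps a single probe in flight. The enclosing `services` list and the preceding service definition start before this hunk.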
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
# Jetty section
|
# Jetty section
|
||||||
application-port-ssl=8081
|
application-port-ssl=8081
|
||||||
application-port=8082
|
|
||||||
application-host=0.0.0.0
|
application-host=0.0.0.0
|
||||||
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
|
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
|
||||||
ssl.etc=/opt/sonatype/nexus/etc/ssl/
|
ssl.etc=/opt/sonatype/nexus/etc/ssl/
|
|
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: ensure pexpect exists
|
||||||
|
pip:
|
||||||
|
name: pexpect
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: check if server cert is expiring in the next 5 days
|
- name: check if server cert is expiring in the next 5 days
|
||||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
|
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
|
||||||
args:
|
args:
|
||||||
|
@ -9,7 +14,7 @@
|
||||||
register: exp
|
register: exp
|
||||||
|
|
||||||
- name: get cert
|
- name: get cert
|
||||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
|
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ consul_domain }} alt_names=nexus.service.{{ main_dc_name }}.{{ consul_domain }},docker.service.{{ consul_domain }},docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
|
||||||
args:
|
args:
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
environment:
|
environment:
|
||||||
|
@ -27,6 +32,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: cert_data.changed
|
when: cert_data.changed
|
||||||
|
register: cert_written
|
||||||
loop:
|
loop:
|
||||||
- {
|
- {
|
||||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
||||||
|
@ -38,6 +44,30 @@
|
||||||
path: "keys/nexus.key",
|
path: "keys/nexus.key",
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# I hate this
|
||||||
|
- name: create cert for keystore
|
||||||
|
shell: for i in nexus.crt MaskedName_Root_CA.pem; do (cat "/etc/pki/certs/${i}"; echo) >> /tmp/keystore.crt; done
|
||||||
|
args:
|
||||||
|
executable: /bin/bash
|
||||||
|
when: cert_written.changed
|
||||||
|
|
||||||
|
- name: write keystore
|
||||||
|
expect:
|
||||||
|
command: "openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks"
|
||||||
|
responses:
|
||||||
|
Enter Export Password:
|
||||||
|
- password
|
||||||
|
Verifying - Enter Export Password:
|
||||||
|
- password
|
||||||
|
when: cert_written.changed
|
||||||
|
|
||||||
|
- name: remove tmp keystore
|
||||||
|
file:
|
||||||
|
path: /tmp/keystore.crt
|
||||||
|
state: absent
|
||||||
|
when: cert_written.changed
|
||||||
|
|
||||||
- name: ensure python-docker is installed
|
- name: ensure python-docker is installed
|
||||||
apt:
|
apt:
|
||||||
name: python3-docker
|
name: python3-docker
|
||||||
|
@ -56,14 +86,6 @@
|
||||||
uid: 200
|
uid: 200
|
||||||
create_home: False
|
create_home: False
|
||||||
|
|
||||||
- name: ensure nexus ssl dir exists
|
|
||||||
file:
|
|
||||||
path: /etc/nexus/
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: ensure nexus data dir exists
|
- name: ensure nexus data dir exists
|
||||||
file:
|
file:
|
||||||
path: "{{ nexus_storage }}"
|
path: "{{ nexus_storage }}"
|
||||||
|
@ -88,17 +110,9 @@
|
||||||
group: nexus
|
group: nexus
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: ensure keystore exists
|
- name: copy nexus.properties
|
||||||
copy:
|
copy:
|
||||||
content: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['keystore'] | b64decode }}"
|
src: files/nexus.properties
|
||||||
dest: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
|
|
||||||
owner: nexus
|
|
||||||
group: nexus
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: template nexus.properties
|
|
||||||
template:
|
|
||||||
src: templates/nexus.properties.j2
|
|
||||||
dest: "{{ nexus_storage }}/etc/nexus.properties"
|
dest: "{{ nexus_storage }}/etc/nexus.properties"
|
||||||
|
|
||||||
- name: run nexus3
|
- name: run nexus3
|
||||||
|
@ -111,10 +125,10 @@
|
||||||
REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
|
REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
|
||||||
ports:
|
ports:
|
||||||
- "8081:8081"
|
- "8081:8081"
|
||||||
|
- "8082:8082"
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ nexus_storage }}:/nexus-data"
|
- "{{ nexus_storage }}:/nexus-data"
|
||||||
- "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
|
- "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
|
||||||
- /etc/nexus:/certs
|
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
|
|
||||||
- name: ensure nexus consul service config exists
|
- name: ensure nexus consul service config exists
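Review bot: The `write keystore` task in hunk @@ -38,6 +44,30 @@ hard-codes the PKCS12 export password as the literal `password` in both `responses` entries, so the keystore wrapping the service's private key is committed with a known password and the prompt exchange is also recorded in the Ansible log. The playbook already reads secrets with `lookup('hashi_vault', 'secret=kv/data/nexus:data')` for `REGISTRY_HTTP_SECRET`, so the same lookup can supply the export password, and the task should carry `no_log: true`. The removed `ensure keystore exists` task set `owner: nexus`, `group: nexus` and a restrictive mode on `keystore.jks`, which the new expect task does not restore, so a follow-up `file` task is needed before the container reads it; note that `openssl pkcs12 -export` writes PKCS12, not JKS, so the keystore type declared in the Jetty config (not visible here) should be checked against the `.jks` name. The `create cert for keystore` task appends with `>>` into the fixed path `/tmp/keystore.crt`, so a file left behind by an interrupted run is silently extended; creating the path with the `tempfile` module, or truncating it before the loop, avoids that.
```yaml
- name: write keystore
  expect:
    command: "openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks"
    responses:
      Enter Export Password:
        - "{{ keystore_password }}"
      Verifying - Enter Export Password:
        - "{{ keystore_password }}"
  vars:
    # KEYSTORE_PASSWORD_KEY is a placeholder: store the export password in the same vault entry as REGISTRY_HTTP_SECRET
    keystore_password: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['KEYSTORE_PASSWORD_KEY'] }}"
  no_log: true
  when: cert_written.changed

- name: restrict keystore ownership and mode
  file:
    path: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
    owner: nexus
    group: nexus
    mode: "0600"
  when: cert_written.changed

# … unchanged: remove tmp keystore …
```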
|
||||||
|
|