move non-template out of templates, add docker registry configuration to nexus, add nexus service for dns

2020-09-20 23:03:54 -04:00 · 2020-09-20 23:03:54 -04:00 · 1b18334068
commit 1b18334068
parent ce0b27f5d0
3 changed files with 46 additions and 21 deletions
--- a/ansible/roles/nexus/files/nexus.hcl
+++ b/ansible/roles/nexus/files/nexus.hcl
@ -10,3 +10,15 @@ services {
    }
  ]
 }
+services {
+  id = "docker"
+  name = "docker"
+  port = 8082
+  checks = [
+    {
+      args = ["nc", "-z", "-v", "localhost", "8082"]
+      interval = "5s"
+      timeout = "20s"
+    }
+  ]
+}
--- a/ansible/roles/nexus/templates/nexus.properties.j2
+++ b/ansible/roles/nexus/templates/nexus.properties.j2
@ -1,6 +1,5 @@
 # Jetty section
 application-port-ssl=8081
-application-port=8082
 application-host=0.0.0.0
 nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
 ssl.etc=/opt/sonatype/nexus/etc/ssl/
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@ -1,4 +1,9 @@
 ---
+- name: ensure pexpect exists
+  pip:
+    name: pexpect
+    state: present
+
 - name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
  args:
@ -9,7 +14,7 @@
  register: exp

 - name: get cert
-  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ consul_domain }} alt_names=nexus.service.{{ main_dc_name }}.{{ consul_domain }},docker.service.{{ consul_domain }},docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
  args:
    executable: /bin/bash
  environment:
@ -27,6 +32,7 @@
    owner: root
    group: root
  when: cert_data.changed
+  register: cert_written
  loop:
    - {
        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
@ -38,6 +44,30 @@
        path: "keys/nexus.key",
        mode: "0600"
    }
+
+# I hate this
+- name: create cert for keystore
+  shell: for i in nexus.crt MaskedName_Root_CA.pem; do (cat "/etc/pki/certs/${i}"; echo) >> /tmp/keystore.crt; done
+  args:
+    executable: /bin/bash
+  when: cert_written.changed
+
+- name: write keystore
+  expect:
+    command: "openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks"
+    responses:
+      Enter Export Password:
+        - password
+      Verifying - Enter Export Password:
+        - password
+  when: cert_written.changed
+
+- name: remove tmp keystore
+  file:
+    path: /tmp/keystore.crt
+    state: absent
+  when: cert_written.changed
+
 - name: ensure python-docker is installed
  apt:
    name: python3-docker
@ -56,14 +86,6 @@
    uid: 200
    create_home: False

- name: ensure nexus ssl dir exists
-  file:
-    path: /etc/nexus/
-    state: directory
-    owner: root
-    group: root
-    mode: 0755
-
 - name: ensure nexus data dir exists
  file:
    path: "{{ nexus_storage }}"
@ -88,17 +110,9 @@
    group: nexus
    mode: 0755

- name: ensure keystore exists
+- name: copy nexus.properties
  copy:
-    content: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['keystore'] | b64decode }}"
-    dest: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
-    owner: nexus
-    group: nexus
-    mode: 0700
-
- name: template nexus.properties
-  template:
-    src: templates/nexus.properties.j2
+    src: files/nexus.properties
    dest: "{{ nexus_storage }}/etc/nexus.properties"

 - name: run nexus3
@ -111,10 +125,10 @@
      REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
    ports:
      - "8081:8081"
+      - "8082:8082"
    volumes:
      - "{{ nexus_storage }}:/nexus-data"
      - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
-      - /etc/nexus:/certs
    restart_policy: always

 - name: ensure nexus consul service config exists