From 38b2f1c66161076cd94d419eff07059f7930208e Mon Sep 17 00:00:00 2001
From: Asara
Date: Sat, 25 Jun 2022 10:03:10 -0400
Subject: [PATCH] Replace nexus with docker-repo
---
 ansible/playbooks/docker-repo.yml | 5 +
 ansible/playbooks/nexus.yml | 5 -
 ansible/playbooks/site.yml | 2 +-
 ansible/roles/docker-repo/defaults/main.yml | 2 +
 .../roles/docker-repo/files/docker-repo.hcl | 12 ++
 .../{nexus => docker-repo}/handlers/main.yml | 6 +-
 ansible/roles/docker-repo/tasks/main.yml | 94 ++++++++++++
 ansible/roles/nexus/files/nexus.hcl | 24 ---
 ansible/roles/nexus/files/nexus.properties | 12 --
 ansible/roles/nexus/tasks/main.yml | 143 ------------------
 10 files changed, 117 insertions(+), 188 deletions(-)
 create mode 100644 ansible/playbooks/docker-repo.yml
 delete mode 100644 ansible/playbooks/nexus.yml
 create mode 100644 ansible/roles/docker-repo/defaults/main.yml
 create mode 100644 ansible/roles/docker-repo/files/docker-repo.hcl
 rename ansible/roles/{nexus => docker-repo}/handlers/main.yml (62%)
 create mode 100644 ansible/roles/docker-repo/tasks/main.yml
 delete mode 100644 ansible/roles/nexus/files/nexus.hcl
 delete mode 100644 ansible/roles/nexus/files/nexus.properties
 delete mode 100644 ansible/roles/nexus/tasks/main.yml
diff --git a/ansible/playbooks/docker-repo.yml b/ansible/playbooks/docker-repo.yml
new file mode 100644
index 0000000..ffa575c
--- /dev/null
+++ b/ansible/playbooks/docker-repo.yml
@@ -0,0 +1,5 @@
+---
+- hosts: docker-repo
+ roles:
+ - role: docker-repo
+...
diff --git a/ansible/playbooks/nexus.yml b/ansible/playbooks/nexus.yml
deleted file mode 100644
index 9c82369..0000000
--- a/ansible/playbooks/nexus.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: nexus
- roles:
- - role: nexus
-...
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index f59ff4c..c587d24 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -6,7 +6,7 @@
 - import_playbook: docker.yml
 - import_playbook: nomad.yml
 - import_playbook: k3s.yml
-- import_playbook: nexus.yml
+- import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
 - import_playbook: haproxy.yml
diff --git a/ansible/roles/docker-repo/defaults/main.yml b/ansible/roles/docker-repo/defaults/main.yml
new file mode 100644
index 0000000..bb61874
--- /dev/null
+++ b/ansible/roles/docker-repo/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+docker_repo_storage: /mnt/raid/docker-repo
diff --git a/ansible/roles/docker-repo/files/docker-repo.hcl b/ansible/roles/docker-repo/files/docker-repo.hcl
new file mode 100644
index 0000000..0fdbc0f
--- /dev/null
+++ b/ansible/roles/docker-repo/files/docker-repo.hcl
@@ -0,0 +1,12 @@
+services {
+ id = "docker-repo"
+ name = "docker-repo"
+ port = 5000
+ checks = [
+ {
+ args = ["nc", "-z", "-v", "localhost", "5000"]
+ interval = "5s"
+ timeout = "20s"
+ }
+ ]
+}
diff --git a/ansible/roles/nexus/handlers/main.yml b/ansible/roles/docker-repo/handlers/main.yml
similarity index 62%
rename from ansible/roles/nexus/handlers/main.yml
rename to ansible/roles/docker-repo/handlers/main.yml
index 8d28a5a..ca1a927 100644
--- a/ansible/roles/nexus/handlers/main.yml
+++ b/ansible/roles/docker-repo/handlers/main.yml
@@ -4,8 +4,8 @@
 name: consul
 state: reloaded
-- name: restart nexus
+- name: restart docker
 docker_container:
- name: nexus
- image: sonatype/nexus3
+ name: docker-repo
+ image: registry:2
 restart: True
diff --git a/ansible/roles/docker-repo/tasks/main.yml b/ansible/roles/docker-repo/tasks/main.yml
new file mode 100644
index 0000000..478b220
--- /dev/null
+++ b/ansible/roles/docker-repo/tasks/main.yml
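Review bot: The health check in the new docker-repo.hcl only proves that something accepts a TCP connection on port 5000 (`nc -z`), so a registry whose TLS key pair failed to load, or that answers every request with an error, still reports passing to Consul. An `http` check against the registry's `/v2/` endpoint over HTTPS exercises the listener end to end; something like `http = "https://localhost:5000/v2/"` plus `tls_skip_verify = true` (or the internal CA trusted by the Consul agent) in place of the `args` line. The `timeout = "20s"` longer than `interval = "5s"` is carried over from nexus.hcl; if it is deliberate, a comment saying why would save the next reader the question.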
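Review bot: The renamed handler `restart docker` restarts the `docker-repo` container, not the Docker daemon, so the name misleads; `- name: restart docker-repo` says what it does. As far as the diff shows, nothing in the new role notifies it (tasks/main.yml only notifies `reload consul`), so after this commit it is dead unless the certificate-writing task is wired to it. `restart: True` works, but `true` is the canonical YAML spelling and is what yamllint's truthy rule expects.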
@@ -0,0 +1,94 @@
+---
+- name: ensure docker repo cert directory exists
+ file:
+ path: /etc/docker-repo/certs
+ recurse: True
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: ensure docker data directory exists
+ file:
+ path: '{{ docker_repo_storage }}'
+ recurse: True
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/docker-repo/certs/docker-repo.crt"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker-repo.service.{{ consul_domain }} alt_names=docker-repo.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: https://vault.service.masked.name:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/docker-repo/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: root
+ group: root
+ when: cert_data.changed
+ register: cert_written
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "certs/docker-repo.crt",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "certs/docker-repo.key",
+ mode: "0600"
+ }
+
+- name: ensure python-docker is installed
+ apt:
+ name: python3-docker
+ state: present
+
+- name: ensure docker repo data dir exists
+ file:
+ path: "{{ docker_repo_storage }}"
+ state: directory
+ mode: 0755
+
+- name: run docker-repo
+ docker_container:
+ name: docker-repo
+ image: registry:2
+ env:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker-repo.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/docker-repo.key
+ ports:
+ - "5000:5000"
+ volumes:
+ - "{{ docker_repo_storage }}:/data"
+ - "/etc/docker-repo/certs:/certs"
+ restart_policy: always
+
+- name: ensure docker repo service config exists
+ copy:
+ src: files/docker-repo.hcl
+ dest: /etc/consul.d/docker-repo.hcl
+ mode: 0750
+ owner: consul
+ group: consul
+ notify: reload consul
+...
diff --git a/ansible/roles/nexus/files/nexus.hcl b/ansible/roles/nexus/files/nexus.hcl
deleted file mode 100644
index cf88dd2..0000000
--- a/ansible/roles/nexus/files/nexus.hcl
+++ /dev/null
@@ -1,24 +0,0 @@
-services {
- id = "nexus"
- name = "nexus"
- port = 8081
- checks = [
- {
- args = ["nc", "-z", "-v", "localhost", "8081"]
- interval = "5s"
- timeout = "20s"
- }
- ]
-}
-services {
- id = "docker"
- name = "docker"
- port = 8082
- checks = [
- {
- args = ["nc", "-z", "-v", "localhost", "8082"]
- interval = "5s"
- timeout = "20s"
- }
- ]
-}
diff --git a/ansible/roles/nexus/files/nexus.properties b/ansible/roles/nexus/files/nexus.properties
deleted file mode 100644
index c210695..0000000
--- a/ansible/roles/nexus/files/nexus.properties
+++ /dev/null
@@ -1,12 +0,0 @@
-# Jetty section
-application-port-ssl=8081
-application-host=0.0.0.0
-nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
-ssl.etc=/opt/sonatype/nexus/etc/ssl/
-# nexus-context-path=/${NEXUS_CONTEXT}
-
-# Nexus section
-# nexus-edition=nexus-pro-edition
-# nexus-features=\
-# nexus-pro-feature
-# nexus.clustered=false
diff --git a/ansible/roles/nexus/tasks/main.yml b/ansible/roles/nexus/tasks/main.yml
deleted file mode 100644
index dfdaf96..0000000
--- a/ansible/roles/nexus/tasks/main.yml
+++ /dev/null
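Review bot: The `run docker-repo` task mounts `{{ docker_repo_storage }}` at `/data`, but the `registry:2` image stores under `/var/lib/registry` by default and nothing in this role points it elsewhere, so pushed images go to that path (the image declares it as a volume, so into an anonymous volume a recreated container does not get back) while `/mnt/raid/docker-repo` stays empty — either mount at `/var/lib/registry` or add `REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data` under `env`. A renewed certificate also never reaches the running container: `write cert data to server` has no `notify`, the role's only restart handler (`restart docker` in handlers/main.yml) is never triggered, and as far as I know the registry reads `REGISTRY_HTTP_TLS_CERTIFICATE`/`_KEY` once at startup, so `notify: restart docker` belongs on that task (and `register: cert_written` is then unused). `ensure docker repo data dir exists` repeats `ensure docker data directory exists` for the same path, and that earlier task's `recurse: True` re-applies root:root/0755 to everything under the storage root on every run, which `state: directory` does not need to create it — drop the duplicate and the `recurse`. No `REGISTRY_AUTH*` variable is set, so any client that can reach port 5000 on the host can push as well as pull; if that is intended for this network a comment on the task saying so would help the next reader, otherwise htpasswd or token auth should be configured before the port is published. The certificate is written with mode `"0755"` where `"0644"` is sufficient, and the unquoted `mode: 0755`/`0750` values would be safer as strings per Ansible's own guidance.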
@@ -1,143 +0,0 @@
----
-- name: ensure pexpect exists
- pip:
- name: pexpect
- state: present
-
-- name: check if server cert is expiring in the next 5 days
- shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
- args:
- executable: /bin/bash
- failed_when: False
- check_mode: False
- changed_when: False
- register: exp
-
-- name: get cert
- shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ consul_domain }} alt_names=nexus.service.{{ main_dc_name }}.{{ consul_domain }},docker.service.{{ consul_domain }},docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
- args:
- executable: /bin/bash
- environment:
- VAULT_ADDR: https://vault.service.masked.name:8200
- VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
- VAULT_FORMAT: json
- register: cert_data
- when: exp.rc != 0
-
-- name: write cert data to server
- copy:
- content: "{{ item.content }}"
- dest: "/etc/pki/{{ item.path }}"
- mode: '{{ item.mode }}'
- owner: root
- group: root
- when: cert_data.changed
- register: cert_written
- loop:
- - {
- content: "{{ (cert_data.stdout | from_json).data.certificate }}",
- path: "certs/nexus.crt",
- mode: "0755"
- }
- - {
- content: "{{ (cert_data.stdout | from_json).data.private_key }}",
- path: "keys/nexus.key",
- mode: "0600"
- }
-
-# I hate this
-- name: create cert for keystore
- shell: for i in nexus.crt MaskedName_Root_CA.pem; do (cat "/etc/pki/certs/${i}"; echo) >> /tmp/keystore.crt; done
- args:
- executable: /bin/bash
- when: cert_written.changed
-
-- name: write keystore
- expect:
- command: "openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks"
- responses:
- Enter Export Password:
- - password
- Verifying - Enter Export Password:
- - password
- when: cert_written.changed
- notify: restart nexus
-
-- name: remove tmp keystore
- file:
- path: /tmp/keystore.crt
- state: absent
- when: cert_written.changed
-
-- name: ensure python-docker is installed
- apt:
- name: python3-docker
- state: present
-
-- name: ensure nexus group exists
- group:
- name: nexus
- state: present
- gid: 200
-
-- name: ensure nexus user exists
- user:
- name: nexus
- group: nexus
- uid: 200
- create_home: False
-
-- name: ensure nexus data dir exists
- file:
- path: "{{ nexus_storage }}"
- state: directory
- owner: nexus
- group: nexus
- mode: 0755
-
-- name: ensure nexus data dir exists
- file:
- path: "{{ nexus_config_dir }}"
- state: directory
- owner: nexus
- group: nexus
- mode: 0755
-
-- name: ensure nexus keystore dir exists
- file:
- path: "{{ nexus_config_dir }}/etc/ssl/"
- state: directory
- owner: nexus
- group: nexus
- mode: 0755
-
-- name: copy nexus.properties
- copy:
- src: files/nexus.properties
- dest: "{{ nexus_storage }}/etc/nexus.properties"
-
-- name: run nexus3
- docker_container:
- name: nexus
- image: sonatype/nexus3:latest
- env:
- REGISTRY_HTTP_TLS_CERTIFICATE: /certs/nexus.crt
- REGISTRY_HTTP_TLS_KEY: /certs/nexus.key
- REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
- ports:
- - "8081:8081"
- - "8082:8082"
- volumes:
- - "{{ nexus_storage }}:/nexus-data"
- - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
- restart_policy: always
-
-- name: ensure nexus consul service config exists
- copy:
- src: files/nexus.hcl
- dest: /etc/consul.d/nexus.hcl
- mode: 0750
- owner: consul
- group: consul
- notify: reload consul
-...