From 70b6576e96270be177fb63ef2837206920c6a3e5 Mon Sep 17 00:00:00 2001
From: Asara
Date: Sun, 20 Sep 2020 01:14:59 -0400
Subject: [PATCH] Add nexus with ssl
---
ansible/group_vars/all/main.yml | 2 +-
ansible/host_vars/ivyking.minhas.io/main.yml | 3 +-
ansible/inventory.txt | 2 +-
ansible/playbooks/docker-registry.yml | 5 -
ansible/playbooks/docker.yml | 2 +-
ansible/playbooks/nexus.yml | 5 +
ansible/playbooks/site.yml | 2 +-
ansible/roles/docker_registry/tasks/main.yml | 96 --------------
ansible/roles/nexus/tasks/main.yml | 119 ++++++++++++++++++
.../roles/nexus/templates/nexus.properties.j2 | 13 ++
10 files changed, 143 insertions(+), 106 deletions(-)
delete mode 100644 ansible/playbooks/docker-registry.yml
create mode 100644 ansible/playbooks/nexus.yml
delete mode 100644 ansible/roles/docker_registry/tasks/main.yml
create mode 100644 ansible/roles/nexus/tasks/main.yml
create mode 100644 ansible/roles/nexus/templates/nexus.properties.j2
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index 031bd24..72b0073 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -3,7 +3,7 @@ main_dc_name: columbia
 # consul
-consul_version: 1.8.3
+consul_version: 1.8.4
 consul_domain: masked.name
 # vault
diff --git a/ansible/host_vars/ivyking.minhas.io/main.yml b/ansible/host_vars/ivyking.minhas.io/main.yml
index 1d23bc5..e837b02 100644
--- a/ansible/host_vars/ivyking.minhas.io/main.yml
+++ b/ansible/host_vars/ivyking.minhas.io/main.yml
@@ -1,3 +1,4 @@
 ---
-docker_registry_mnt: /mnt/raid/docker_registry
+nexus_storage: /opt/nexus
+nexus_config_dir: /opt/nexus-config
 ...
diff --git a/ansible/inventory.txt b/ansible/inventory.txt
index 4124a52..577f4b2 100644
--- a/ansible/inventory.txt
+++ b/ansible/inventory.txt
@@ -9,7 +9,7 @@ fatman.minhas.io
 ivyking.minhas.io
 sedan.minhas.io
-[docker_registry]
+[nexus]
 ivyking.minhas.io
 [nomad_client]
diff --git a/ansible/playbooks/docker-registry.yml b/ansible/playbooks/docker-registry.yml
deleted file mode 100644
index dcb20d0..0000000
--- a/ansible/playbooks/docker-registry.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: docker_registry
- roles:
- - role: docker_registry
-...
diff --git a/ansible/playbooks/docker.yml b/ansible/playbooks/docker.yml
index 2fa1cb5..db93e58 100644
--- a/ansible/playbooks/docker.yml
+++ b/ansible/playbooks/docker.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: docker_registry:nomad_client
+- hosts: nexus:nomad_client
 roles:
 - role: docker
 ...
diff --git a/ansible/playbooks/nexus.yml b/ansible/playbooks/nexus.yml
new file mode 100644
index 0000000..9c82369
--- /dev/null
+++ b/ansible/playbooks/nexus.yml
@@ -0,0 +1,5 @@
+---
+- hosts: nexus
+ roles:
+ - role: nexus
+...
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index dfd6b71..31da08a 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -4,5 +4,5 @@
 - import_playbook: vault-server.yml
 - import_playbook: consul-client.yml
 - import_playbook: nomad.yml
-- import_playbook: docker-registry.yml
+- import_playbook: nexus.yml
 ...
diff --git a/ansible/roles/docker_registry/tasks/main.yml b/ansible/roles/docker_registry/tasks/main.yml
deleted file mode 100644
index 866a4b8..0000000
--- a/ansible/roles/docker_registry/tasks/main.yml
+++ /dev/null
@@ -1,96 +0,0 @@
----
-- name: check if server cert is expiring in the next 5 days
- shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/docker_registry.crt"
- args:
- executable: /bin/bash
- failed_when: False
- check_mode: False
- changed_when: False
- register: exp
-
-- name: get cert
- shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
- args:
- executable: /bin/bash
- environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
- VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
- VAULT_FORMAT: json
- register: cert_data
- when: exp.rc != 0
-
-- name: write cert data to server
- copy:
- content: "{{ item.content }}"
- dest: "/etc/pki/{{ item.path }}"
- mode: '{{ item.mode }}'
- owner: root
- group: root
- when: cert_data.changed
- loop:
- - {
- content: "{{ (cert_data.stdout | from_json).data.certificate }}",
- path: "certs/docker_registry.crt",
- mode: "0755"
- }
- - {
- content: "{{ (cert_data.stdout | from_json).data.private_key }}",
- path: "keys/docker_registry.key",
- mode: "0600"
- }
-- name: ensure python-docker is installed
- apt:
- name: python3-docker
- state: present
-
-- name: ensure docker registry ssl dir
- file:
- path: /etc/docker_registry/
- state: directory
- owner: root
- group: root
- mode: 0755
-
-- name: ensure docker registry cert
- file:
- state: hard
- src: /etc/pki/certs/docker_registry.crt
- dest: /etc/docker_registry/docker_registry.crt
- owner: root
- group: root
- mode: 0644
-
-- name: ensure docker registry private key
- file:
- state: hard
- src: /etc/pki/keys/docker_registry.key
- dest: /etc/docker_registry/docker_registry.key
- owner: root
- group: root
- mode: 0644
-
-- name: ensure docker registry key and cert are available
- file:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- state: hard
- loop:
- - { src: /etc/pki/certs/docker_registry.crt, dest: /etc/docker_registry/docker_registry.crt }
- - { src: 
/etc/pki/keys/docker_registry.key, dest: /etc/docker_registry/docker_registry.key }
-
-- name: run docker registry
- docker_container:
- name: registry
- image: registry:2
- env:
- REGISTRY_HTTP_ADDR: 0.0.0.0:443
- REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.crt
- REGISTRY_HTTP_TLS_KEY: /certs/docker_registry.key
- REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/docker:data')['REGISTRY_HTTP_SECRET'] }}"
- ports:
- - "5000:443"
- volumes:
- - "{{ docker_registry_mnt }}:/var/lib/registry"
- - "/etc/docker_registry:/certs"
- restart_policy: always
-...
diff --git a/ansible/roles/nexus/tasks/main.yml b/ansible/roles/nexus/tasks/main.yml
new file mode 100644
index 0000000..278c905
--- /dev/null
+++ b/ansible/roles/nexus/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nexus.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/pki/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: root
+ group: root
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "certs/nexus.crt",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "keys/nexus.key",
+ mode: "0600"
+ }
+- name: ensure python-docker is installed
+ apt:
+ name: python3-docker
+ state: present
+
+- name: ensure nexus group exists
+ group:
+ name: nexus
+ state: present
+ gid: 200
+
+- name: ensure nexus user exists
+ user:
+ name: nexus
+ group: nexus
+ uid: 200
+ create_home: False
+
+- name: ensure nexus ssl dir exists
+ file:
+ path: /etc/nexus/
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: ensure nexus data dir exists
+ file:
+ path: "{{ nexus_storage }}"
+ state: directory
+ owner: nexus
+ group: nexus
+ mode: 0755
+
+- name: ensure nexus data dir exists
+ file:
+ path: "{{ nexus_config_dir }}"
+ state: directory
+ owner: nexus
+ group: nexus
+ mode: 0755
+
+- name: ensure nexus keystore dir exists
+ file:
+ path: "{{ nexus_config_dir }}/etc/ssl/"
+ state: directory
+ owner: nexus
+ group: nexus
+ mode: 0755
+
+- name: ensure keystore exists
+ copy:
+ 
content: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['keystore'] | b64decode }}"
+ dest: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
+ owner: nexus
+ group: nexus
+ mode: 0700
+
+- name: template nexus.properties
+ template:
+ src: templates/nexus.properties.j2
+ dest: "{{ nexus_storage }}/etc/nexus.properties"
+
+- name: run nexus3
+ docker_container:
+ name: nexus
+ image: sonatype/nexus3
+ env:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/nexus.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/nexus.key
+ REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
+ ports:
+ - "8081:8081"
+ volumes:
+ - "{{ nexus_storage }}:/nexus-data"
+ - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
+ - /etc/nexus:/certs
+ restart_policy: always
+...
diff --git a/ansible/roles/nexus/templates/nexus.properties.j2 b/ansible/roles/nexus/templates/nexus.properties.j2
new file mode 100644
index 0000000..3232604
--- /dev/null
+++ b/ansible/roles/nexus/templates/nexus.properties.j2
@@ -0,0 +1,13 @@
+# Jetty section
+application-port-ssl=8081
+application-port=8082
+application-host=0.0.0.0
+nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
+ssl.etc=/opt/sonatype/nexus/etc/ssl/
+# nexus-context-path=/${NEXUS_CONTEXT}
+
+# Nexus section
+# nexus-edition=nexus-pro-edition
+# nexus-features=\
+# nexus-pro-feature
+# nexus.clustered=false
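Review bot: The certificate and key issued by Vault PKI in the first three tasks (`/etc/pki/certs/nexus.crt`, `/etc/pki/keys/nexus.key`) are never wired to Nexus: no task links or copies them into `/etc/nexus` (the removed docker_registry role did that with hard links), so the `/etc/nexus:/certs` volume is mounted empty, and the three `REGISTRY_HTTP_*` env vars on `run nexus3` are carried over from the `registry:2` container and, as far as I can tell, are not read by the sonatype/nexus3 image. The TLS Nexus actually serves on 8081 comes from `keystore.jks` pulled from `kv/data/nexus` together with `jetty-https.xml`, so the five-day `openssl x509 -checkend` check does not cover the certificate in use; either import the PKI-issued pair into the keystore, or drop the PKI tasks and the leftover env vars, and state the choice in a comment above `get cert`. Related: `get cert` hands the operator's `~/.vault-token` to `VAULT_ADDR: http://ivyking.minhas.io:8200` over plain HTTP, so unless that name resolves to the local host the token crosses the network in clear and an `https://` Vault listener is the fix. `copy: content: ... | b64decode` pushes the binary keystore through a text field, and Ansible's `b64decode` filter returns text, so confirm the written `keystore.jks` matches the blob in Vault byte for byte (copying the base64 form and decoding on the host is the usual safe route). Smaller: the second `ensure nexus data dir exists` task (the `{{ nexus_config_dir }}` one) wants its own name, e.g. `- name: ensure nexus config dir exists`; the certificate does not need `mode: "0755"` (`"0644"` suffices); and the bare octal `mode: 0755`/`mode: 0700` and `False` booleans trip ansible-lint's risky-octal and yamllint's truthy rules — quote the modes and write `false`.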
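Review bot: `application-port=8082` looks unused: `nexus-args` lists `jetty.xml`, `jetty-https.xml` and `jetty-requestlog.xml` but not `jetty-http.xml`, which (if I read the Nexus 3 Jetty layout right) is the file that defines the plaintext connector, so only the 8081 TLS listener is created — consistent with the single `8081:8081` mapping in the role. A comment above that line, e.g. `# plaintext connector not loaded (no jetty-http.xml in nexus-args); port kept for reference`, would stop the next reader from assuming a second listener exists, or the line can be dropped. The file carries no Jinja expressions, so a header such as `# Managed by the ansible nexus role; local edits are overwritten` is worth adding since it lands under `{{ nexus_storage }}/etc/` on the host where it may be hand-edited. The commented-out Pro-edition block at the bottom reads as leftover defaults and could go.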