refactoring of artifactory_nginx role

Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml

@@ -3,11 +3,11 @@
 # The version of artifactory to install
 artifactory_version: 7.84.14
 
-# Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role )
-artifactory_nginx_ssl_enabled: false
+# [NGINX] Install and configure NGINX with Artifactory (default: true). Set to false if NGINX is not required.
+artifactory_nginx_installed: true
 
-# Set this to false when ngnix is disabled, defaults to true (implies artifactory uses artifactory_nginx role )
-artifactory_nginx_enabled: true
+# [NGINX] Enable and configure NGINX with SSL (default: false)
+artifactory_nginx_enable_ssl: false
 
 # Provide single or HA individual licenses file separated by new line and 2-space indentation and for HA, set artifactory_ha_enabled: true.
 # Example: Replace <license_1> , <license_2> , <license_3> with original licenses

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml

@@ -12,19 +12,10 @@
 - name: Install prerequisite packages
   ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml"
 
-- name: Install nginx
+- name: Install NGINX
   ansible.builtin.include_role:
     name: artifactory_nginx
-  when:
-    - artifactory_nginx_enabled | bool
-    - not artifactory_nginx_ssl_enabled | bool
-
-- name: Install nginx with SSL
-  ansible.builtin.include_role:
-    name: artifactory_nginx_ssl
-  when:
-    - not artifactory_nginx_enabled | bool
-    - artifactory_nginx_ssl_enabled | bool
+  when: artifactory_nginx_installed | bool
 
 - name: Ensure group artifactory exist
   become: true

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md

@@ -1,8 +1,24 @@
 # artifactory_nginx
 
-This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately.
+This role installs NGINX for artifactory and is invoked by the artifactory role; it should not be used independently.
 
 ## Role Variables
 
-* _server_name_: **mandatory** This is the server name. eg. "artifactory.54.175.51.178.xip.io"
-* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker subdomains.
+```
+| Variable Name                                  | Default Value                           | Description |
+|------------------------------------------------|-----------------------------------------|-------------|
+| `artifactory_server_name`                      | `inventory_hostname`                    | Mandatory. The hostname used to access the Artifactory server. Adjust for production environments. |
+| `artifactory_nginx_worker_processes`           | `auto`                                  | Specifies the number of NGINX worker processes, Defaults to auto to match the number of CPU cores. |
+| `artifactory_nginx_enable_docker_registry_rewrite` | `false`                             | If true, enables a rewrite rule for Docker registry requests in the NGINX configuration. |
+| `artifactory_nginx_enable_ssl`                | `false`                                  | Enables SSL configuration on NGINX. Important to secure connections. |
+| `artifactory_nginx_enable_http_to_https_redirection` | `false`                           | Enables HTTP to HTTPS redirection; requires `nginx_enable_ssl` to be true. |
+| `artifactory_ca_chain_name`                   | `ca_chain.pem`                           | File name of the CA chain. |
+| `artifactory_ssl_certificate_name`            | `{{ inventory_hostname ~ '.crt.pem' }}`  | File name of the SSL certificate. |
+| `artifactory_ssl_private_key_name`            | `{{ inventory_hostname ~ '.key.pem' }}`  | File name of the SSL private key. |
+| `artifactory_ca_chain_content`                | `''`                                     | Content of the CA Chain. Store this variable in a vault file using block scalar. |
+| `artifactory_ssl_certificate_content`         | `''`                                     | Content of the Certificate. Store this variable in a vault file using block scalar. |
+| `artifactory_ssl_private_key_content`         | `''`                                     | Content of the Private key. Store this variable in a vault file using block scalar. |
+| `artifactory_nginx_use_official_repos`        | `false`                                  | Set to true to use NGINX's official repositories for package installations. |
+| `artifactory_nginx_enabled_repositories`      | `[]`                                     | List of repositories to enable when installing NGINX. Only applicable for CentOS/RHEL. |
+| `artifactory_nginx_disabled_repositories`     | `[]`                                     | List of repositories to disable when installing NGINX. Only applicable for CentOS/RHEL. |
+```

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml

@@ -1,12 +1,39 @@
 ---
 # defaults file for artifactory_nginx
-## For production deployments,You SHOULD change it.
-server_name: test.artifactory.com
 
-nginx_daemon: nginx
+# For production deployments, you SHOULD change it.
+server_name: "{{ artifactory_server_name | d(inventory_hostname if '.' in inventory_hostname else 'test.artifactory.com') }}"
 
-nginx_worker_processes: 1
-artifactory_docker_registry_subdomain: false
+# [NGINX] Tune the number of worker processes used by NGINX. This variable determines how 
+# many concurrent requests NGINX can handle. Default is `auto` so that NGINX determines
+# the optimal number based on the number of available CPU cores.
+nginx_worker_processes: "{{ artifactory_nginx_worker_processes | d('auto') }}"
 
-artifactory_conf_template: artifactory.conf.j2
-nginx_conf_template: nginx.conf.j2
+# [NGINX] If true, creates a rewrite rule for docker registry requests in the NGINX artifactory config.
+nginx_enable_docker_registry_rewrite: "{{ artifactory_nginx_enable_docker_registry_rewrite | d(false) }}"
+
+# [SSL Settings] Important - Set this to true if you want to configure SSL
+nginx_enable_ssl: "{{ artifactory_nginx_enable_ssl | d(false) }}"
+
+# [SSL Settings] Configure NGINX for HTTP to HTTPS redirection
+# Requires `nginx_enable_ssl` to be true
+nginx_enable_http_to_https_redirection: "{{ artifactory_nginx_enable_http_to_https_redirection | d(false) }}"
+
+# [SSL Settings] In a vault file, using a block scalar override the following
+# variables to pass the CA chain, SSL certificate and private key content.
+ca_chain_content: "{{ artifactory_ca_chain_content | d('') }}"
+ssl_certificate_content: "{{ artifactory_ssl_certificate_content | d('') }}"
+ssl_private_key_content: "{{ artifactory_ssl_private_key_content | d('') }}"
+
+# [SSL Settings] Define the CA Chain, certificate and private name when created
+ca_chain_name: "{{ artifactory_ca_chain_name | d('ca_chain.pem') }}"
+ssl_certificate_name: "{{ artifactory_ssl_certificate_name | d(inventory_hostname ~ '.crt.pem') }}"
+ssl_private_key_name: "{{ artifactory_ssl_private_key_name | d(inventory_hostname ~ '.key.pem') }}"
+
+# [Repository] Optional - If you want to use the NGINX official repository set this
+# value to true otherwise leave it to false to install NGINX provided with OS.
+nginx_use_official_repos: "{{ artifactory_nginx_use_official_repos | d(false) }}"
+
+# [Repository] Optional - Centos/RHEL only - pass a list of enabled/disabled repositories if needed.
+nginx_enabled_repositories: "{{ artifactory_nginx_enabled_repositories |d([]) }}"
+nginx_disabled_repositories: "{{ artifactory_nginx_disabled_repositories |d([]) }}" 

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml

@@ -1,8 +1,12 @@
 ---
 # handlers file for artifactory_nginx
-- name: Restart nginx
+
+- name: Update CA trust store
   become: true
-  ansible.builtin.systemd:
-    name: "{{ nginx_daemon }}"
+  ansible.builtin.command: "{{ system_trust_store_update | quote }}"
+
+- name: Restart NGINX
+  become: true
+  ansible.builtin.systemd_service:
+    name: "{{ nginx_system_daemon }}"
     state: restarted
-    enabled: true

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml

@@ -7,17 +7,18 @@ galaxy_info:
   company: JFrog
   issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues"
   license: license (Apache-2.0)
-  min_ansible_version: 2.9
+  min_ansible_version: '2.9'
   platforms:
     - name: EL
       versions:
-        - 7
         - 8
+        - 9
     - name: Ubuntu
       versions:
         - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
         - buster

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/config/default.yml

@@ -0,0 +1,98 @@
+---
+- name: Enable httpd_can_network_connect
+  become: true
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  when:
+    - ansible_facts['os_family'] | lower == 'redhat'
+    - ansible_facts['selinux']['status'] | lower == 'enabled'
+
+- name: Copy NGINX config file
+  become: true
+  ansible.builtin.template:
+    src: "{{ template_nginx_config.src }}"
+    dest: "{{ template_nginx_config.dst }}"
+    owner: "{{ template_nginx_config.owner }}"
+    group: "{{ template_nginx_config.group }}"
+    mode: "{{ template_nginx_config.mode }}"
+  notify: Restart NGINX
+
+- name: Copy NGINX artifactory config
+  become: true
+  ansible.builtin.template:
+    src: "{{ template_nginx_artifactory.src }}"
+    dest: "{{ template_nginx_artifactory.dst }}"
+    owner: "{{ template_nginx_artifactory.owner }}"
+    group: "{{ template_nginx_artifactory.group }}"
+    mode: "{{ template_nginx_artifactory.mode }}"
+  notify: Restart NGINX
+
+- name: Ensure NGINX dir exists
+  become: true
+  ansible.builtin.file:
+    path: "{{ jfrog_ssl_directory.path }}"
+    state: directory
+    mode: "{{ jfrog_ssl_directory.mode }}"
+  when: nginx_enable_ssl | bool
+
+- name: Copy NGINX redirect config
+  become: true
+  ansible.builtin.template:
+    src: "{{ template_https_redirect.src }}"
+    dest: "{{ template_https_redirect.dst }}"
+    owner: "{{ template_https_redirect.owner }}"
+    group: "{{ template_https_redirect.group }}"
+    mode: "{{ template_https_redirect.mode }}"
+  notify: Restart NGINX
+  when:
+    - nginx_enable_ssl | bool
+    - nginx_enable_http_to_https_redirection | bool
+
+- name: Copy CA Certificate chain
+  become: true
+  ansible.builtin.copy:
+    content: "{{ ca_chain_content }}"
+    dest: "{{ system_trust_store.path }}/{{ ca_chain_name }}"
+    owner: root
+    group: root
+    mode: '0644'
+  no_log: true
+  notify: Update CA trust store
+  when: ca_chain_content is defined and ca_chain_content | length > 0
+
+- name: Copy SSL Key and Certificate
+  become: true
+  ansible.builtin.copy:
+    content: "{{ item.src }}"
+    dest: "{{ item.dst }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  notify: Restart NGINX
+  no_log: true
+  loop:
+    - src: "{{ ssl_certificate }}"
+      dst: "{{ system_certs.path }}/{{ ssl_certificate_name }}"
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
+    - src: "{{ ssl_private_key }}"
+      dst: "{{ system_private_key.path }}/{{ ssl_private_key_name}}"
+      owner: 'root'
+      group: 'root'
+      mode: '0600'
+  when:
+    - nginx_enable_ssl | bool
+    - ssl_certificate_content is defined and ssl_certificate_content | length > 0
+    - ssl_private_key_content is defined and ssl_private_key_content | length > 0
+
+- name: Ensure NGINX is Enabled
+  become: true
+  ansible.builtin.systemd_service:
+    name: "{{ nginx_system_daemon }}"
+    enabled: true
+
+- name: Flush all handlers
+  ansible.builtin.meta: flush_handlers

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml

@@ -0,0 +1,26 @@
+---
+- name: Configure NGINX repositories
+  when: nginx_use_official_repos | bool
+  block:
+
+    - name: Import NGINX signing key
+      become: true
+      ansible.builtin.apt_key:
+        url: "{{ nginx_repo_signing_key }}"
+        state: present
+
+    - name: Add NGINX stable repo
+      become: true
+      ansible.builtin.apt_repository:
+        repo: "deb {{ nginx_official_repo_url }} {{ ansible_facts['ansible_distribution_release'] | lower }} nginx"
+        filename: "{{ nginx_official_repo_filename }}"
+        state: present
+        update_cache: true
+
+- name: Install NGINX packages
+  become: true
+  ansible.builtin.apt:
+    name: "{{ nginx_packages }}"
+    state: present
+    update_cache: true
+    cache_valid_time: 3600