diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml index 5aea0421..e35ce3e2 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml @@ -3,11 +3,11 @@ # The version of artifactory to install artifactory_version: 7.84.14 -# Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role ) -artifactory_nginx_ssl_enabled: false +# [NGINX] Install and configure NGINX with Artifactory (default: true). Set to false if NGINX is not required. +artifactory_nginx_installed: true -# Set this to false when ngnix is disabled, defaults to true (implies artifactory uses artifactory_nginx role ) -artifactory_nginx_enabled: true +# [NGINX] Enable and configure NGINX with SSL (default: false) +artifactory_nginx_enable_ssl: false # Provide single or HA individual licenses file separated by new line and 2-space indentation and for HA, set artifactory_ha_enabled: true. # Example: Replace , , with original licenses diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml index c3d54258..a7d60e43 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml 
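Review bot: Renaming `artifactory_nginx_ssl_enabled` to `artifactory_nginx_enable_ssl` (and `artifactory_nginx_enabled` to `artifactory_nginx_installed`) silently drops any inventory that still sets the old names, so a host previously configured for SSL would come up with plain HTTP rather than failing. A one-line shim keeps the old name honoured while the new one is documented, for example `artifactory_nginx_enable_ssl: "{{ artifactory_nginx_ssl_enabled | d(false) }}"` and likewise `artifactory_nginx_installed: "{{ artifactory_nginx_enabled | d(true) }}"`. A comment on each line saying the old name is deprecated would let operators migrate at their own pace.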
@@ -12,19 +12,10 @@ - name: Install prerequisite packages ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" -- name: Install nginx +- name: Install NGINX ansible.builtin.include_role: name: artifactory_nginx - when: - - artifactory_nginx_enabled | bool - - not artifactory_nginx_ssl_enabled | bool - -- name: Install nginx with SSL - ansible.builtin.include_role: - name: artifactory_nginx_ssl - when: - - not artifactory_nginx_enabled | bool - - artifactory_nginx_ssl_enabled | bool + when: artifactory_nginx_installed | bool - name: Ensure group artifactory exist become: true diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md index 6162ac15..b52b7f89 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md 
@@ -1,8 +1,24 @@ # artifactory_nginx -This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately. +This role installs NGINX for artifactory and is invoked by the artifactory role; it should not be used independently. ## Role Variables -* _server_name_: **mandatory** This is the server name. eg. "artifactory.54.175.51.178.xip.io" -* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker subdomains. \ No newline at end of file +``` +| Variable Name | Default Value | Description | +|------------------------------------------------|-----------------------------------------|-------------| +| `artifactory_server_name` | `inventory_hostname` | Mandatory. The hostname used to access the Artifactory server. Adjust for production environments. | +| `artifactory_nginx_worker_processes` | `auto` | Specifies the number of NGINX worker processes, Defaults to auto to match the number of CPU cores. | +| `artifactory_nginx_enable_docker_registry_rewrite` | `false` | If true, enables a rewrite rule for Docker registry requests in the NGINX configuration. | +| `artifactory_nginx_enable_ssl` | `false` | Enables SSL configuration on NGINX. Important to secure connections. | +| `artifactory_nginx_enable_http_to_https_redirection` | `false` | Enables HTTP to HTTPS redirection; requires `nginx_enable_ssl` to be true. | +| `artifactory_ca_chain_name` | `ca_chain.pem` | File name of the CA chain. | +| `artifactory_ssl_certificate_name` | `{{ inventory_hostname ~ '.crt.pem' }}` | File name of the SSL certificate. | +| `artifactory_ssl_private_key_name` | `{{ inventory_hostname ~ '.key.pem' }}` | File name of the SSL private key. | +| `artifactory_ca_chain_content` | `''` | Content of the CA Chain. Store this variable in a vault file using block scalar. | +| `artifactory_ssl_certificate_content` | `''` | Content of the Certificate. 
Store this variable in a vault file using block scalar. | +| `artifactory_ssl_private_key_content` | `''` | Content of the Private key. Store this variable in a vault file using block scalar. | +| `artifactory_nginx_use_official_repos` | `false` | Set to true to use NGINX's official repositories for package installations. | +| `artifactory_nginx_enabled_repositories` | `[]` | List of repositories to enable when installing NGINX. Only applicable for CentOS/RHEL. | +| `artifactory_nginx_disabled_repositories` | `[]` | List of repositories to disable when installing NGINX. Only applicable for CentOS/RHEL. | +``` diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml index 478f912c..907e0ec8 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml 
@@ -1,12 +1,39 @@ --- # defaults file for artifactory_nginx -## For production deployments,You SHOULD change it. -server_name: test.artifactory.com -nginx_daemon: nginx +# For production deployments, you SHOULD change it. +server_name: "{{ artifactory_server_name | d(inventory_hostname if '.' in inventory_hostname else 'test.artifactory.com') }}" -nginx_worker_processes: 1 -artifactory_docker_registry_subdomain: false +# [NGINX] Tune the number of worker processes used by NGINX. This variable determines how +# many concurrent requests NGINX can handle. Default is `auto` so that NGINX determines +# the optimal number based on the number of available CPU cores. +nginx_worker_processes: "{{ artifactory_nginx_worker_processes | d('auto') }}" -artifactory_conf_template: artifactory.conf.j2 -nginx_conf_template: nginx.conf.j2 +# [NGINX] If true, creates a rewrite rule for docker registry requests in the NGINX artifactory config. +nginx_enable_docker_registry_rewrite: "{{ artifactory_nginx_enable_docker_registry_rewrite | d(false) }}" + +# [SSL Settings] Important - Set this to true if you want to configure SSL +nginx_enable_ssl: "{{ artifactory_nginx_enable_ssl | d(false) }}" + +# [SSL Settings] Configure NGINX for HTTP to HTTPS redirection +# Requires `nginx_enable_ssl` to be true +nginx_enable_http_to_https_redirection: "{{ artifactory_nginx_enable_http_to_https_redirection | d(false) }}" + +# [SSL Settings] In a vault file, using a block scalar override the following +# variables to pass the CA chain, SSL certificate and private key content. 
+ca_chain_content: "{{ artifactory_ca_chain_content | d('') }}" +ssl_certificate_content: "{{ artifactory_ssl_certificate_content | d('') }}" +ssl_private_key_content: "{{ artifactory_ssl_private_key_content | d('') }}" + +# [SSL Settings] Define the CA Chain, certificate and private name when created +ca_chain_name: "{{ artifactory_ca_chain_name | d('ca_chain.pem') }}" +ssl_certificate_name: "{{ artifactory_ssl_certificate_name | d(inventory_hostname ~ '.crt.pem') }}" +ssl_private_key_name: "{{ artifactory_ssl_private_key_name | d(inventory_hostname ~ '.key.pem') }}" + +# [Repository] Optional - If you want to use the NGINX official repository set this +# value to true otherwise leave it to false to install NGINX provided with OS. +nginx_use_official_repos: "{{ artifactory_nginx_use_official_repos | d(false) }}" + +# [Repository] Optional - Centos/RHEL only - pass a list of enabled/disabled repositories if needed. +nginx_enabled_repositories: "{{ artifactory_nginx_enabled_repositories |d([]) }}" +nginx_disabled_repositories: "{{ artifactory_nginx_disabled_repositories |d([]) }}" diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml index 71390f0f..d17367f5 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml @@ -1,8 +1,12 @@ --- # handlers file for artifactory_nginx -- name: Restart nginx + +- name: Update CA trust store become: true - ansible.builtin.systemd: - name: "{{ nginx_daemon }}" + ansible.builtin.command: "{{ system_trust_store_update | quote }}" + +- name: Restart NGINX + become: true + ansible.builtin.systemd_service: + name: "{{ nginx_system_daemon }}" state: restarted - enabled: true 
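Review bot: The `Restart NGINX` handler now uses `ansible.builtin.systemd_service`, which as far as I know only exists in ansible-core 2.15 and later, while the role's meta/main.yml in this same commit still declares `min_ansible_version: '2.9'`; on an older control node the handler (and the `Ensure NGINX is Enabled` task in tasks/config/default.yml) would fail with an unknown module. Either keep `ansible.builtin.systemd` here or raise `min_ansible_version` to match. The `Update CA trust store` handler runs `system_trust_store_update` via `command` with no `changed_when`, which is acceptable for a handler but worth a comment such as `# update-ca-trust / update-ca-certificates report no change status; the handler only fires after a new chain was written`.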
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml index f6e3295e..7806538e 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml @@ -7,17 +7,18 @@ galaxy_info: company: JFrog issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues" license: license (Apache-2.0) - min_ansible_version: 2.9 + min_ansible_version: '2.9' platforms: - name: EL versions: - - 7 - 8 + - 9 - name: Ubuntu versions: - bionic - focal - jammy + - noble - name: Debian versions: - buster diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml deleted file mode 100644 index d8185b98..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Import nginx signing key - become: true - ansible.builtin.apt_key: - url: https://nginx.org/keys/nginx_signing.key - state: present - -- name: Add nginx stable repo - become: true - ansible.builtin.copy: - dest: /etc/apt/sources.list.d/nginx.list - owner: root - group: root - mode: '0644' - content: deb https://nginx.org/packages/{{ distro_family }} {{ distro_codename }} nginx - vars: - distro_family: "{{ ansible_distribution | lower }}" - distro_codename: "{{ ansible_distribution_release }}" - -- name: Update apt cache - become: true - ansible.builtin.apt: - update_cache: true - cache_valid_time: 3600 - register: apt_update_cache - retries: 5 - delay: 60 - until: apt_update_cache is succeeded 
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml deleted file mode 100644 index a212a43c..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: Import nginx signing key - become: true - ansible.builtin.rpm_key: - key: https://nginx.org/keys/nginx_signing.key - state: present - -- name: Add nginx stable repo - become: true - ansible.builtin.copy: - dest: /etc/yum.repos.d/nginx-stable.repo - owner: root - group: root - mode: '0644' - content: | - [nginx-stable] - name=nginx stable repo - baseurl=https://nginx.org/packages/{{ (ansible_distribution == 'Amazon') | ternary('amzn2','centos') }}/$releasever/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - -- name: Update yum cache - become: true - ansible.builtin.yum: - state: present - update_cache: true - -- name: Gather selinux facts - ansible.builtin.setup: - gather_subset: selinux - -- name: Set httpd_can_network_connect - become: true - ansible.posix.seboolean: - name: httpd_can_network_connect - state: true - persistent: true - when: ansible_facts.selinux.status == 'enabled' \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/config/default.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/config/default.yml new file mode 100644 index 00000000..0db33bce --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/config/default.yml 
@@ -0,0 +1,98 @@ +--- +- name: Enable httpd_can_network_connect + become: true + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + when: + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['selinux']['status'] | lower == 'enabled' + +- name: Copy NGINX config file + become: true + ansible.builtin.template: + src: "{{ template_nginx_config.src }}" + dest: "{{ template_nginx_config.dst }}" + owner: "{{ template_nginx_config.owner }}" + group: "{{ template_nginx_config.group }}" + mode: "{{ template_nginx_config.mode }}" + notify: Restart NGINX + +- name: Copy NGINX artifactory config + become: true + ansible.builtin.template: + src: "{{ template_nginx_artifactory.src }}" + dest: "{{ template_nginx_artifactory.dst }}" + owner: "{{ template_nginx_artifactory.owner }}" + group: "{{ template_nginx_artifactory.group }}" + mode: "{{ template_nginx_artifactory.mode }}" + notify: Restart NGINX + +- name: Ensure NGINX dir exists + become: true + ansible.builtin.file: + path: "{{ jfrog_ssl_directory.path }}" + state: directory + mode: "{{ jfrog_ssl_directory.mode }}" + when: nginx_enable_ssl | bool + +- name: Copy NGINX redirect config + become: true + ansible.builtin.template: + src: "{{ template_https_redirect.src }}" + dest: "{{ template_https_redirect.dst }}" + owner: "{{ template_https_redirect.owner }}" + group: "{{ template_https_redirect.group }}" + mode: "{{ template_https_redirect.mode }}" + notify: Restart NGINX + when: + - nginx_enable_ssl | bool + - nginx_enable_http_to_https_redirection | bool + +- name: Copy CA Certificate chain + become: true + ansible.builtin.copy: + content: "{{ ca_chain_content }}" + dest: "{{ system_trust_store.path }}/{{ ca_chain_name }}" + owner: root + group: root + mode: '0644' + no_log: true + notify: Update CA trust store + when: ca_chain_content is defined and ca_chain_content | length > 0 + +- name: Copy SSL Key and Certificate + become: true + ansible.builtin.copy: + 
content: "{{ item.src }}" + dest: "{{ item.dst }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + notify: Restart NGINX + no_log: true + loop: + - src: "{{ ssl_certificate }}" + dst: "{{ system_certs.path }}/{{ ssl_certificate_name }}" + owner: 'root' + group: 'root' + mode: '0644' + - src: "{{ ssl_private_key }}" + dst: "{{ system_private_key.path }}/{{ ssl_private_key_name}}" + owner: 'root' + group: 'root' + mode: '0600' + when: + - nginx_enable_ssl | bool + - ssl_certificate_content is defined and ssl_certificate_content | length > 0 + - ssl_private_key_content is defined and ssl_private_key_content | length > 0 + +- name: Ensure NGINX is Enabled + become: true + ansible.builtin.systemd_service: + name: "{{ nginx_system_daemon }}" + enabled: true + +- name: Flush all handlers + ansible.builtin.meta: flush_handlers diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml new file mode 100644 index 00000000..109fe73f --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml @@ -0,0 +1,26 @@ +--- +- name: Configure NGINX repositories + when: nginx_use_official_repos | bool + block: + + - name: Import NGINX signing key + become: true + ansible.builtin.apt_key: + url: "{{ nginx_repo_signing_key }}" + state: present + + - name: Add NGINX stable repo + become: true + ansible.builtin.apt_repository: + repo: "deb {{ nginx_official_repo_url }} {{ ansible_facts['ansible_distribution_release'] | lower }} nginx" + filename: "{{ nginx_official_repo_filename }}" + state: present + update_cache: true + +- name: Install NGINX packages + become: true + ansible.builtin.apt: + name: "{{ nginx_packages }}" + state: present + update_cache: true + cache_valid_time: 3600 
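Review bot: In `Copy SSL Key and Certificate` the loop items use `src: "{{ ssl_certificate }}"` and `src: "{{ ssl_private_key }}"`, but the role only defines `ssl_certificate_content` and `ssl_private_key_content` (the very names tested in the task's `when`), so with SSL enabled the task fails on an undefined variable before anything is written. The two lines should read `src: "{{ ssl_certificate_content }}"` and `src: "{{ ssl_private_key_content }}"`. Keeping `no_log: true` on this task is right since the private key is in the loop payload. Separately, `Ensure NGINX dir exists` creates `jfrog_ssl_directory.path` but no later task or template references it; either the certificates should land there or the task can be dropped.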
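Review bot: `Add NGINX stable repo` indexes `ansible_facts['ansible_distribution_release']`, but inside `ansible_facts` the key carries no `ansible_` prefix, so the expression is undefined and the task errors whenever `nginx_use_official_repos` is true; it should be `repo: "deb {{ nginx_official_repo_url }} {{ ansible_facts['distribution_release'] | lower }} nginx"`. `ansible.builtin.apt_key` is deprecated on current Debian/Ubuntu releases (the key lands in the legacy trusted keyring and is honoured for every repository), so the cleaner path is to write the key to a keyring file and reference it with a `signed-by=` option in the `deb` line, which limits the trust to this one repository. The `Install NGINX packages` task looks fine.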
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/redhat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/redhat.yml new file mode 100644 index 00000000..f9db90a1 --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/redhat.yml @@ -0,0 +1,54 @@ +--- +- name: Configure NGINX repositories + when: nginx_use_official_repos | bool + block: + + - name: Import NGINX signing key + become: true + ansible.builtin.rpm_key: + key: "{{ nginx_official_repo_signing_key }}" + state: present + + - name: Add NGINX stable repo + become: true + ansible.builtin.yum_repository: + name: "{{ nginx_official_repo_filename }}" + description: "{{ nginx_official_repo_description }}" + file: "{{ nginx_official_repo_filename }}" + baseurl: "{{ nginx_official_repo_url }}" + gpgcheck: true + enabled: true + module_hotfixes: true + register: __nginx_setup_repo + ignore_errors: true + + - name: Fallback to manually adding the repo if the previous task failed + become: true + ansible.builtin.copy: + dest: "/etc/yum.repos.d/{{ nginx_official_repo_filename }}.repo" + owner: root + group: root + mode: '0644' + content: | + [{{ nginx_official_repo_filename }}] + name={{ nginx_official_repo_description }} + baseurl={{ nginx_official_repo_url }}/$releasever/$basearch + gpgcheck=1 + enabled=1 + gpgkey={{ nginx_official_repo_signing_key }} + module_hotfixes=true + when: __nginx_setup_repo is failed + + - name: Update cache + become: true + ansible.builtin.dnf: + state: present + update_cache: true + +- name: Install NGINX + become: true + ansible.builtin.dnf: + name: "{{ nginx_packages }}" + state: present + disablerepo: "{{ nginx_disabled_repositories | d(omit, true) }}" + enablerepo: "{{ nginx_enabled_repositories | d(omit, true) }}" 
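Review bot: The `yum_repository` task sets `baseurl: "{{ nginx_official_repo_url }}"`, while the fallback `copy` task in the same block writes `baseurl={{ nginx_official_repo_url }}/$releasever/$basearch`; on the normal path the repo therefore points at the distribution directory with no `$releasever/$basearch` suffix, and the two code paths produce different repo files. The primary task also omits `gpgkey` although the fallback sets it. Aligning them means `baseurl: "{{ nginx_official_repo_url }}/$releasever/$basearch"` and `gpgkey: "{{ nginx_official_repo_signing_key }}"` in the `yum_repository` task. With that in place `gpgcheck: true` is verifiable against a declared key rather than relying on the earlier `rpm_key` import alone.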
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml index 8286deb2..042d453b 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml 
@@ -1,34 +1,42 @@ -- name: Install prerequisite packages - ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" - -- name: Install nginx - become: true - ansible.builtin.package: - name: nginx - state: present - register: install_nginx - retries: 5 - delay: 60 - until: install_nginx is succeeded - -- name: Copy nginx.conf file - become: true - ansible.builtin.template: - src: "{{ nginx_conf_template }}" - dest: /etc/nginx/nginx.conf - owner: root - group: root - mode: '0755' - -- name: Generate artifactory.conf - become: true - ansible.builtin.template: - src: "{{ artifactory_conf_template }}" - dest: /etc/nginx/conf.d/artifactory.conf - owner: root - group: root - mode: '0755' - notify: Restart nginx - -- name: Restart nginx - ansible.builtin.meta: flush_handlers +--- +- name: Gather system facts + ansible.builtin.setup: + +- name: Assert that we support the distribution + ansible.builtin.assert: + that: ansible_facts['os_family'] | lower in ['redhat', 'debian'] + fail_msg: 'Host is unsupported. Aborting.' + success_msg: 'Host is supported. Proceeding.' + quiet: true + +- name: Assert that Red Hat OS family is version 8+ + ansible.builtin.assert: + that: ansible_facts['distribution_major_version'] | int is version('8', '>=') + fail_msg: 'Host is unsupported. Aborting.' + success_msg: 'Host is supported. Proceeding.' 
+ quiet: true + when: ansible_facts['os_family'] | lower == 'redhat' + +- name: Include variables for all distributions + ansible.builtin.include_vars: "vars/all.yml" + +- name: Include variables for distribution + ansible.builtin.include_vars: "{{ item }}" + with_first_found: + - "vars/{{ ansible_facts['distribution'] | lower }}.yml" + - "vars/{{ ansible_facts['os_family'] | lower }}.yml" + - "vars/default.yml" + +- name: Include tasks to install NGINX + ansible.builtin.include_tasks: "{{ item }}" + with_first_found: + - "install/{{ ansible_facts['distribution'] | lower }}.yml" + - "install/{{ ansible_facts['os_family'] | lower }}.yml" + - "install/default.yml" + +- name: Include tasks to configure NGINX + ansible.builtin.include_tasks: "{{ item }}" + with_first_found: + - "config/{{ ansible_facts['distribution'] | lower }}.yml" + - "config/{{ ansible_facts['os_family'] | lower }}.yml" + - "config/default.yml" diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 index 0023d59a..36485582 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 
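Review bot: Both asserts use the identical `fail_msg: 'Host is unsupported. Aborting.'`, so a failure on the second assert gives no hint that the problem is an EL release below 8 rather than an unknown OS family. Including the facts in the message, for example `fail_msg: "Unsupported {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_major_version'] }}; Red Hat family hosts must be version 8 or newer."`, makes the abort self-explanatory. The `with_first_found` lists name `vars/default.yml`, `install/default.yml` and `config/default.yml` as last resorts, but only `config/default.yml` is added in this commit; since the preceding asserts restrict the run to redhat/debian that is harmless today, though a comment noting that the other defaults are intentionally absent would prevent confusion.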
@@ -1,44 +1,73 @@ -########################################################### -## this configuration was generated by JFrog Artifactory ## -########################################################### - - ## add HA entries when ha is configure - upstream artifactory { - server 127.0.0.1:8082; -} - upstream artifactory-direct { - server 127.0.0.1:8081; -} - ## server configuration - server { - listen 80 ; - server_name {{ server_name }}; - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - access_log /var/log/nginx/artifactory-access.log; - error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /ui/ redirect; - rewrite ^/ui$ /ui/ redirect; - {% if artifactory_docker_registry_subdomain %}rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2;{% endif %} - chunked_transfer_encoding on; - client_max_body_size 0; - location / { - proxy_read_timeout 2400s; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass "http://artifactory"; - proxy_next_upstream error timeout non_idempotent; - proxy_next_upstream_tries 1; - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location ~ ^/artifactory/ { - proxy_pass http://artifactory-direct; - } - } -} \ No newline at end of file +########################################################### +## this configuration was generated by JFrog Artifactory ## +########################################################### + +## add HA entries when ha is configure +upstream artifactory { + server 127.0.0.1:8082; +} +upstream artifactory-direct { + server 127.0.0.1:8081; +} + +{% if nginx_enable_ssl %} +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_certificate {{ system_certs.path }}/{{ ssl_certificate_name }}; +ssl_certificate_key {{ system_private_key.path }}/{{ ssl_private_key_name }}; + {% if ca_chain_content is defined and ca_chain_content | length > 0 %} +ssl_trusted_certificate {{ system_trust_store.path }}/{{ ca_chain_name }}; +ssl_stapling on; +ssl_stapling_verify on; + {% endif %} +ssl_session_cache shared:SSL:1m; +ssl_prefer_server_ciphers on; +{% endif %} + +## server configuration +server { + + {% if nginx_enable_ssl %} + listen 443 ssl http2; + {% else %} + listen 80; + {% endif %} + + server_name {{ server_name }}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + + ## Application specific logs + access_log /var/log/nginx/artifactory-access.log; + error_log /var/log/nginx/artifactory-error.log; + + rewrite ^/$ /ui/ redirect; + rewrite ^/ui$ /ui/ redirect; + + {% if nginx_enable_docker_registry_rewrite %} + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2; + + {% endif %} + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 2400s; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass "http://artifactory"; + proxy_next_upstream error timeout non_idempotent; + proxy_next_upstream_tries 1; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location ~ ^/artifactory/ { + proxy_pass http://artifactory-direct; + } +} 
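Review bot: `ssl_stapling on;` is emitted whenever a CA chain is supplied, but no `resolver` directive is configured anywhere in the rendered config, and nginx needs one to look up the OCSP responder host; stapling will then be silently disabled with only an error-log entry, and `ssl_stapling_verify on` never takes effect. Add a `resolver` line (pointing at a DNS server of the operator's choice, possibly as a new role variable) inside the same `{% if ca_chain_content ... %}` branch. Since the SSL branch now terminates TLS on the host, it would also be worth emitting `add_header Strict-Transport-Security "max-age=31536000" always;` inside the `{% if nginx_enable_ssl %}` server block so browsers stop accepting downgraded connections. The `$repo` variable in the Docker rewrite is never set in this template; that predates the commit but now sits in a newly reformatted block, so a comment explaining where it is expected to come from would help.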
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/nginx.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/nginx.conf.j2 index 31fd4984..59079a20 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/nginx.conf.j2 +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/nginx.conf.j2 
@@ -1,37 +1,41 @@ -#user nobody; -worker_processes {{ nginx_worker_processes }}; -error_log /var/log/nginx/error.log info; -#pid logs/nginx.pid; -events { - worker_connections 1024; -} -http { - include mime.types; - variables_hash_max_size 1024; - variables_hash_bucket_size 64; - server_names_hash_max_size 4096; - server_names_hash_bucket_size 128; - types_hash_max_size 2048; - types_hash_bucket_size 64; - proxy_read_timeout 2400s; - client_header_timeout 2400s; - client_body_timeout 2400s; - proxy_connect_timeout 75s; - proxy_send_timeout 2400s; - proxy_buffer_size 32k; - proxy_buffers 40 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 250m; - proxy_http_version 1.1; - client_body_buffer_size 128k; - include /etc/nginx/conf.d/*.conf; - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' -'$status $body_bytes_sent "$http_referer" ' -'"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; - sendfile on; - #tcp_nopush on; - #keepalive_timeout 0; - keepalive_timeout 65; -} +#user nobody; +worker_processes {{ nginx_worker_processes }}; +error_log /var/log/nginx/error.log info; +#pid logs/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include mime.types; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + include /etc/nginx/conf.d/*.conf; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent 
"$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + sendfile on; + #tcp_nopush on; + #keepalive_timeout 0; + keepalive_timeout 65; +} diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/redirect_http_to_https.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/redirect_http_to_https.conf.j2 new file mode 100644 index 00000000..0576e0d7 --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/redirect_http_to_https.conf.j2 @@ -0,0 +1,10 @@ +{% raw %} +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} +{% endraw %} diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/all.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/all.yml new file mode 100644 index 00000000..a10fc6d4 --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/all.yml @@ -0,0 +1,17 @@ +--- +## [Repository] variables for NGINX official repository +nginx_official_repo_filename: 'nginx-stable' +nginx_official_repo_description: 'nginx stable repo' +nginx_official_repo_signing_key: 'https://nginx.org/keys/nginx_signing.key' +nginx_official_repo_url: "https://nginx.org/packages/{{ nginx_official_repo_mapping[ansible_facts['distribution'] | lower] }}" + +## [Repository] OS mapping variable for NGINX official repository +nginx_official_repo_mapping: + amazon: amzn + redhat: rhel + centos: centos + debian: debian + ubuntu: ubuntu + alpine: alpine + sles: sles + aix: aix diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/debian.yml new file mode 100644 index 00000000..d197c423 --- /dev/null 
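Review bot: `nginx_official_repo_url` indexes `nginx_official_repo_mapping` by `ansible_facts['distribution'] | lower`, and the mapping only lists amazon, redhat, centos, debian, ubuntu, alpine, sles and aix; presumably hosts reporting another distribution name (Rocky, AlmaLinux, Oracle are common on the EL 8/9 platforms this commit adds to meta/main.yml) would hit an undefined-key error the moment the variable is rendered, even when `nginx_use_official_repos` is false. A safer expression would default the lookup, e.g. `nginx_official_repo_mapping[ansible_facts['distribution'] | lower] | d(ansible_facts['os_family'] | lower)`, or the mapping could be keyed on `os_family` for the EL clones. A comment above the mapping stating which nginx.org package directories these values correspond to would make future additions easier to verify.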
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/debian.yml @@ -0,0 +1,59 @@ +--- +nginx_packages: + - nginx + +nginx_system_daemon: nginx +nginx_system_repositories: [] + +########################### +## CERTIFICATES ## +########################### + +system_trust_store_update: 'update-ca-certificates' + +system_trust_store: + path: '/usr/local/share/ca-certificates' + owner: root + group: root + mode: '0755' + +system_certs: + path: '/etc/ssl/certs' + owner: root + group: root + mode: '0755' + +system_private_key: + path: '/etc/ssl/private' + owner: root + group: root + mode: '0700' + +jfrog_ssl_directory: + path: '/var/opt/jfrog/nginx/ssl' + mode: '0755' + +########################### +## TEMPLATES ## +########################### + +template_nginx_config: + src: 'nginx.conf.j2' + dst: '/etc/nginx/nginx.conf' + owner: root + group: root + mode: '0755' + +template_https_redirect: + src: 'redirect_http_to_https.conf.j2' + dst: '/etc/nginx/conf.d/redirect_http_to_https.conf' + owner: root + group: root + mode: '0755' + +template_nginx_artifactory: + src: 'artifactory.conf.j2' + dst: '/etc/nginx/conf.d/artifactory.conf' + owner: root + group: root + mode: '0755' diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml deleted file mode 100644 index 3a9dbfa8..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ -# vars file for artifactory_nginx diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/redhat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/redhat.yml new file mode 100644 index 00000000..ab9b47a5 --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/redhat.yml 
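Review bot: `template_nginx_config`, `template_https_redirect` and `template_nginx_artifactory` all carry `mode: '0755'`, so plain nginx configuration files are written executable; `mode: '0644'` is the conventional and least-privilege setting for these (the same values appear in vars/redhat.yml). `nginx_system_repositories: []` is declared here but not referenced by any task in this commit and is absent from vars/redhat.yml, so it can be removed or a comment added explaining the intended use. The `system_private_key` entry sets `mode: '0700'` but only `path` is consumed by the tasks; a comment such as `# owner/group/mode are informational, tasks write files with their own mode` would avoid the impression that these directory permissions are enforced.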
@@ -0,0 +1,57 @@ +--- +nginx_packages: ['nginx'] + +nginx_system_daemon: 'nginx' + +########################### +## CERTIFICATES ## +########################### + +system_trust_store_update: 'update-ca-trust' + +system_trust_store: + path: '/etc/pki/ca-trust/source/anchors' + owner: root + group: root + mode: '0755' + +system_certs: + path: '/etc/pki/tls/certs' + owner: root + group: root + mode: '0755' + +system_private_key: + path: '/etc/pki/tls/private' + owner: root + group: root + mode: '0700' + +jfrog_ssl_directory: + path: '/var/opt/jfrog/nginx/ssl' + mode: '0755' + +########################### +## TEMPLATES ## +########################### + +template_nginx_config: + src: 'nginx.conf.j2' + dst: '/etc/nginx/nginx.conf' + owner: root + group: root + mode: '0755' + +template_https_redirect: + src: 'redirect_http_to_https.conf.j2' + dst: '/etc/nginx/conf.d/redirect_http_to_https.conf' + owner: root + group: root + mode: '0755' + +template_nginx_artifactory: + src: 'artifactory.conf.j2' + dst: '/etc/nginx/conf.d/artifactory.conf' + owner: root + group: root + mode: '0755'