diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml index c3d54258..a45d897f 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml @@ -15,16 +15,7 @@ - name: Install nginx ansible.builtin.include_role: name: artifactory_nginx - when: - - artifactory_nginx_enabled | bool - - not artifactory_nginx_ssl_enabled | bool - -- name: Install nginx with SSL - ansible.builtin.include_role: - name: artifactory_nginx_ssl - when: - - not artifactory_nginx_enabled | bool - - artifactory_nginx_ssl_enabled | bool + when: ( artifactory_nginx_enabled | bool ) or ( artifactory_nginx_ssl_enabled | bool ) - name: Ensure group artifactory exist become: true @@ -235,4 +226,4 @@ delay: 5 when: - not ansible_check_mode - - artifactory_start_service | bool \ No newline at end of file + - artifactory_start_service | bool diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md index 6162ac15..d8bd5a3b 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md 
@@ -1,8 +1,13 @@ -# artifactory_nginx - -This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately. +# artifactory_nginx_ssl +The artifactory_nginx_ssl role installs and configures nginx for SSL. ## Role Variables - -* _server_name_: **mandatory** This is the server name. eg. "artifactory.54.175.51.178.xip.io" -* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker subdomains. \ No newline at end of file +* _server_name_: This is the server name. eg. "artifactory.54.175.51.178.xip.io" +* _ssl_certificate_install_: `true` - install the SSL certificate and private key. When `false` you need to manage certs yourself. +* _ssl_certificate_: This is the filename of the SSL certificate. +* _ssl_certificate_path_: This is the full directory path for the SSL certificate, excluding _ssl_certificate_. +* _ssl_certificate_key_: This is the filename of the SSL private key. +* _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_. +* _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1. +* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker + subdomains. \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml index 478f912c..674a3af1 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml 
@@ -1,12 +1,23 @@ ---- -# defaults file for artifactory_nginx +# defaults file for artifactory_nginx_ssl + ## For production deployments,You SHOULD change it. -server_name: test.artifactory.com +# server_name: test.artifactory.com nginx_daemon: nginx +nginx_upstream: true +nginx_upstream_repo_key: https://nginx.org/keys/nginx_signing.key +nginx_upstream_repo_baseurl: https://nginx.org/packages +nginx_module: '1.22' +redirect_http_to_https_enabled: true nginx_worker_processes: 1 artifactory_docker_registry_subdomain: false artifactory_conf_template: artifactory.conf.j2 nginx_conf_template: nginx.conf.j2 + +ssl_certificate_install: true +ssl_certificate_path: /etc/pki/tls/certs +ssl_certificate_key_path: /etc/pki/tls/private +ssl_certificate: cert.pem +ssl_certificate_key: cert.key diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/files/redirect_http_to_https.conf b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/files/redirect_http_to_https.conf similarity index 100% rename from Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/files/redirect_http_to_https.conf rename to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/files/redirect_http_to_https.conf diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml index 71390f0f..c294166b 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml @@ -1,5 +1,5 @@ --- -# handlers file for artifactory_nginx +# handlers file for artifactory_nginx_ssl - name: Restart nginx become: true ansible.builtin.systemd: 
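Review bot: The new defaults `nginx_upstream`, `nginx_upstream_repo_key`, `nginx_upstream_repo_baseurl` and `nginx_module` are added without any comment, and the README changed in this commit does not list them. Since `nginx_upstream_repo_key` decides which signing key the host will trust for nginx packages, it deserves at least one line of explanation, for example `# true: install nginx from the nginx.org repository; false: use the distribution's own packages` above `nginx_upstream` and `# key and base URL of the upstream package repository; override only for a trusted mirror` above the two repo variables. The header comment still reads `artifactory_nginx_ssl` although this file belongs to the `artifactory_nginx` role, and the `---` document start was dropped while handlers/main.yml keeps it.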
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml index f6e3295e..4a7633f3 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml @@ -3,7 +3,7 @@ dependencies: [] galaxy_info: author: "JFrog Maintainers Team " - description: "This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately." + description: "The artifactory_nginx_ssl role installs and optionally configures nginx for SSL." company: JFrog issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues" license: license (Apache-2.0) diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-ownstream.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-ownstream.yml new file mode 100644 index 00000000..253d9ef5 --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-ownstream.yml @@ -0,0 +1,25 @@ +- name: ensure apt-transport-https is installed + anible.builtin.napt: + name: apt-transport-https + state: present + +- name: Add upstream nginx apt key + become: true + ansible.builtin.apt_key: + url: "{{ nginx_upstream_repo_key }}" + state: present + +- name: Add nginx stable repo + become: true + ansible.builtin.apt_repository: + repo: 'deb {{ nginx_upstream_repo_baseurl }}/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx' + state: present + +- name: Update apt cache + become: true + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 + register: apt_update_cache + retries: 5 + delay: 60 
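Review bot: In the new Debian-ownstream.yml, the first task's module key `anible.builtin.napt:` is not a resolvable module name, so the file fails on its first task; it should read `ansible.builtin.apt:` and, like the tasks after it, carry `become: true`. The file is included when `nginx_upstream` is false ("Install packages from distribution server" in tasks/main.yml), yet it imports the nginx.org signing key and adds the nginx.org repository, so it is worth confirming that the upstream and distribution task files are not swapped. `ansible.builtin.apt_key` adds the key to the global apt keyring, where it is trusted for every configured repository; storing it in a dedicated keyring file and referencing that file with `signed-by=` in the `deb` line limits the trust to this one repo. The final `Update apt cache` task sets `retries` and `delay` but lacks the `until: apt_update_cache is succeeded` that the removed Debian.yml had.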
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-upstream.yml similarity index 84% rename from Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml rename to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-upstream.yml index d8185b98..ea418dea 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-upstream.yml @@ -11,7 +11,7 @@ owner: root group: root mode: '0644' - content: deb https://nginx.org/packages/{{ distro_family }} {{ distro_codename }} nginx + content: deb https://nginx.org/packages/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx vars: distro_family: "{{ ansible_distribution | lower }}" distro_codename: "{{ ansible_distribution_release }}" diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-ownstream.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-ownstream.yml new file mode 100644 index 00000000..454e204d --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-ownstream.yml @@ -0,0 +1,21 @@ +- name: Enable nginx from AppStream + become: true + ansible.builtin.command: "yum module enable -y nginx:{{ nginx_module }}" + +- name: Update yum cache + become: true + ansible.builtin.yum: + state: present + update_cache: true + +- name: Gather selinux facts + ansible.builtin.setup: + gather_subset: selinux + +- name: Set httpd_can_network_connect + become: true + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + when: ansible_facts.selinux.status == 'enabled' 
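Review bot: In Debian-upstream.yml, the rewritten `content:` line no longer references `distro_family` or `distro_codename`, so the `vars:` block kept as context below it is dead and can be removed. The line also still hard-codes `https://nginx.org/packages` although this commit adds `nginx_upstream_repo_baseurl` to the role defaults; `content: deb {{ nginx_upstream_repo_baseurl }}/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx` would make a mirror override effective on this path as well. The task starts above the hunk, so the key import is not visible here and may need the same treatment with `nginx_upstream_repo_key`.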
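Review bot: In RedHat-ownstream.yml, `Enable nginx from AppStream` runs `yum module enable` through `ansible.builtin.command` without `changed_when`, so the task reports "changed" on every run and this path is no longer idempotent. Register the result and add a `changed_when:` derived from its output, or enable the stream through the package module instead of a raw command. The file is selected by `ansible_os_family` alone, and `yum module` presumably does not exist on releases without modularity, so a guard such as `when: ansible_distribution_major_version | int >= 8` may be needed if older EL or Amazon hosts are still supported.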
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/RedHat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-upstream.yml similarity index 100% rename from Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/RedHat.yml rename to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-upstream.yml diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml deleted file mode 100644 index a212a43c..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: Import nginx signing key - become: true - ansible.builtin.rpm_key: - key: https://nginx.org/keys/nginx_signing.key - state: present - -- name: Add nginx stable repo - become: true - ansible.builtin.copy: - dest: /etc/yum.repos.d/nginx-stable.repo - owner: root - group: root - mode: '0644' - content: | - [nginx-stable] - name=nginx stable repo - baseurl=https://nginx.org/packages/{{ (ansible_distribution == 'Amazon') | ternary('amzn2','centos') }}/$releasever/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - -- name: Update yum cache - become: true - ansible.builtin.yum: - state: present - update_cache: true - -- name: Gather selinux facts - ansible.builtin.setup: - gather_subset: selinux - -- name: Set httpd_can_network_connect - become: true - ansible.posix.seboolean: - name: httpd_can_network_connect - state: true - persistent: true - when: ansible_facts.selinux.status == 'enabled' \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml index 8286deb2..dcadaf32 100644 
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/main.yml @@ -1,5 +1,18 @@ -- name: Install prerequisite packages - ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" +- name: Check required variables + ansible.builtin.fail: msg="Variable '{{ item }}' is not defined" + when: item not in vars + loop: + - certificate + - certificate_key + - server_name + +- name: Install upstream packages + when: nginx_upstream | bool + ansible.builtin.include_tasks: "{{ ansible_os_family }}-upstream.yml" + +- name: Install packages from distribution server + when: not nginx_upstream | bool + ansible.builtin.include_tasks: "{{ ansible_os_family }}-ownstream.yml" - name: Install nginx become: true @@ -9,9 +22,9 @@ register: install_nginx retries: 5 delay: 60 - until: install_nginx is succeeded + until: install_nginx is success -- name: Copy nginx.conf file +- name: Configure main nginx conf file. become: true ansible.builtin.template: src: "{{ nginx_conf_template }}" @@ -20,7 +33,21 @@ group: root mode: '0755' -- name: Generate artifactory.conf +- name: Configure redirect nginx conf + when: + - artifactory_nginx_ssl_enabled is defined + - artifactory_nginx_ssl_enabled | bool + become: true + ansible.builtin.copy: + src: redirect_http_to_https.conf + dest: /etc/nginx/conf.d/redirect_http_to_https.conf + owner: root + group: root + mode: '0755' + when: redirect_http_to_https_enabled | bool + notify: Restart nginx + +- name: Configure the artifactory nginx conf become: true ansible.builtin.template: src: "{{ artifactory_conf_template }}" 
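Review bot: `Check required variables` at the top of tasks/main.yml now runs on every include of the merged role, so a plain-HTTP install (`artifactory_nginx_enabled` true, SSL off) fails unless `certificate` and `certificate_key` are defined. That forces operators to define private-key material in inventory for hosts that never serve TLS. Keep `server_name` unconditional and move the two certificate names into a second check gated by the same conditions as the `Configure SSL` block.

```yaml
- name: Check required variables
  ansible.builtin.fail:
    msg: "Variable '{{ item }}' is not defined"
  when: item not in vars
  loop:
    - server_name

- name: Check required SSL variables
  ansible.builtin.fail:
    msg: "Variable '{{ item }}' is not defined"
  when:
    - artifactory_nginx_ssl_enabled | default(false) | bool
    - ssl_certificate_install | bool
    - item not in vars
  loop:
    - certificate
    - certificate_key
# … unchanged: Install upstream packages / Install packages from distribution server …
```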
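Review bot: `Configure redirect nginx conf` declares `when:` twice; a duplicated mapping key keeps only one value (Ansible takes the last and warns), so the two `artifactory_nginx_ssl_enabled` conditions are dropped and only `redirect_http_to_https_enabled | bool` decides. With the default `redirect_http_to_https_enabled: true`, a non-SSL install would get redirect_http_to_https.conf installed next to a server block that, per the template in this commit, listens on port 80 only. Add `- redirect_http_to_https_enabled | bool` to the first `when:` list and delete the second `when:` line. The conf files written in this file use `mode: '0755'`; `'0644'` is sufficient for files nginx only reads.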
@@ -30,5 +57,50 @@ mode: '0755' notify: Restart nginx +- name: Configure SSL + when: + - artifactory_nginx_ssl_enabled is defined + - artifactory_nginx_ssl_enabled | bool + - ssl_certificate_install | bool + block: + - name: Create directory + become: true + ansible.builtin.file: + path: "/var/opt/jfrog/nginx/ssl" + state: directory + mode: '0755' + + - name: Ensure ssl_certificate_path exists + become: true + ansible.builtin.file: + path: "{{ ssl_certificate_path }}" + state: directory + mode: '0755' + + - name: Ensure ssl_certificate_key_path exists + become: true + ansible.builtin.file: + path: "{{ ssl_certificate_key_path }}" + state: directory + mode: '0700' + + - name: Configure certificate + become: true + ansible.builtin.template: + src: certificate.pem.j2 + dest: "{{ ssl_certificate_path }}/{{ ssl_certificate }}" + mode: '0644' + notify: Restart nginx + no_log: true + + - name: Configure key + become: true + ansible.builtin.template: + src: certificate.key.j2 + dest: "{{ ssl_certificate_key_path }}/{{ ssl_certificate_key }}" + mode: '0600' + notify: Restart nginx + no_log: true + - name: Restart nginx ansible.builtin.meta: flush_handlers diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 index 0023d59a..2bb1add8 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/artifactory.conf.j2 @@ -1,5 +1,5 @@ ########################################################### -## this configuration was generated by JFrog Artifactory ## +## this configuration was generated for JFrog Artifactory ## ########################################################### ## add HA entries when ha is configure 
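Review bot: `Configure key` and `Ensure ssl_certificate_key_path exists` set a mode but no `owner`/`group`, so ownership of the private key and its directory depends on whichever user `become` resolves to; add `owner: root` and `group: root` to both, as the conf-file tasks in this file already do. `Ensure ssl_certificate_key_path exists` also forces `mode: '0700'` on a path that defaults to the shared system directory `/etc/pki/tls/private`, which changes permissions for anything else that uses that directory. The first task in the block is named only `Create directory`; the removed role's `Ensure nginx dir exists` said more about what `/var/opt/jfrog/nginx/ssl` is for.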
@@ -9,9 +9,21 @@ upstream artifactory-direct { server 127.0.0.1:8081; } +{% if artifactory_nginx_ssl_enabled is defined and artifactory_nginx_ssl_enabled %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_certificate {{ ssl_certificate_path }}/{{ ssl_certificate }}; + ssl_certificate_key {{ ssl_certificate_key_path }}/{{ ssl_certificate_key }}; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + {% endif %} ## server configuration server { - listen 80 ; +{% if artifactory_nginx_ssl_enabled is defined and artifactory_nginx_ssl_enabled %} + listen 443 ssl http2; +{% else %} + listen 80; +{% endif %} server_name {{ server_name }}; if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; @@ -41,4 +53,4 @@ proxy_pass http://artifactory-direct; } } -} \ No newline at end of file +} diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.key.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/certificate.key.j2 similarity index 100% rename from Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.key.j2 rename to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/certificate.key.j2 diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.pem.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/certificate.pem.j2 similarity index 100% rename from Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.pem.j2 rename to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/templates/certificate.pem.j2 
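Review bot: Both `{% if %}` lines test `artifactory_nginx_ssl_enabled` by plain truthiness, while the tasks that install the certificate and key apply `| bool`. A string value such as `"false"` (for example from `-e` on the command line or an INI inventory) is truthy in Jinja, so the template would render `listen 443 ssl http2;` and the `ssl_certificate` paths while the `Configure SSL` block is skipped, leaving nginx pointing at files the role never wrote. Use the same expression as the tasks in both places: `{% if artifactory_nginx_ssl_enabled | default(false) | bool %}`.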
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml deleted file mode 100644 index 3a9dbfa8..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ -# vars file for artifactory_nginx diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md deleted file mode 100644 index d8bd5a3b..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# artifactory_nginx_ssl -The artifactory_nginx_ssl role installs and configures nginx for SSL. - -## Role Variables -* _server_name_: This is the server name. eg. "artifactory.54.175.51.178.xip.io" -* _ssl_certificate_install_: `true` - install the SSL certificate and private key. When `false` you need to manage certs yourself. -* _ssl_certificate_: This is the filename of the SSL certificate. -* _ssl_certificate_path_: This is the full directory path for the SSL certificate, excluding _ssl_certificate_. -* _ssl_certificate_key_: This is the filename of the SSL private key. -* _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_. -* _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1. -* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker - subdomains. \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml deleted file mode 100644 index 181c6714..00000000 
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -# defaults file for artifactory_nginx_ssl - -## For production deployments,You SHOULD change it. -# server_name: test.artifactory.com - -nginx_daemon: nginx - -redirect_http_to_https_enabled: true - -nginx_worker_processes: 1 -artifactory_docker_registry_subdomain: false - -artifactory_conf_template: artifactory.conf.j2 -nginx_conf_template: nginx.conf.j2 - -ssl_certificate_install: true -ssl_certificate_path: /etc/pki/tls/certs -ssl_certificate_key_path: /etc/pki/tls/private -ssl_certificate: cert.pem -ssl_certificate_key: cert.key diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/handlers/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/handlers/main.yml deleted file mode 100644 index c294166b..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# handlers file for artifactory_nginx_ssl -- name: Restart nginx - become: true - ansible.builtin.systemd: - name: "{{ nginx_daemon }}" - state: restarted - enabled: true diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/meta/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/meta/main.yml deleted file mode 100644 index 20e8450e..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/meta/main.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -dependencies: [] - -galaxy_info: - author: "JFrog Maintainers Team " - description: "The artifactory_nginx_ssl role installs and configures nginx for SSL." - company: JFrog - issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues" - license: license (Apache-2.0) - min_ansible_version: 2.9 - platforms: - - name: EL - versions: - - 7 - - 8 - - name: Ubuntu - versions: - - bionic - - focal - - jammy - - name: Debian - versions: - - buster - - bullseye - - name: Amazon - versions: - - 2 - galaxy_tags: - - artifactory - - jfrog diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/Debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/Debian.yml deleted file mode 100644 index d8185b98..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/Debian.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Import nginx signing key - become: true - ansible.builtin.apt_key: - url: https://nginx.org/keys/nginx_signing.key - state: present - -- name: Add nginx stable repo - become: true - ansible.builtin.copy: - dest: /etc/apt/sources.list.d/nginx.list - owner: root - group: root - mode: '0644' - content: deb https://nginx.org/packages/{{ distro_family }} {{ distro_codename }} nginx - vars: - distro_family: "{{ ansible_distribution | lower }}" - distro_codename: "{{ ansible_distribution_release }}" - -- name: Update apt cache - become: true - ansible.builtin.apt: - update_cache: true - cache_valid_time: 3600 - register: apt_update_cache - retries: 5 - delay: 60 - until: apt_update_cache is succeeded diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/main.yml deleted file mode 100644 index a6e91103..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/main.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -- name: Check required variables - ansible.builtin.fail: msg="Variable '{{ item }}' is not defined" - when: item not in vars - loop: - - certificate - - certificate_key - - server_name - -- name: Install prerequisite packages - ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" - -- name: Install nginx - become: true - ansible.builtin.package: - name: nginx - state: present - register: install_nginx - retries: 5 - delay: 60 - until: install_nginx is success - -- name: Configure main nginx conf file. - become: true - ansible.builtin.template: - src: "{{ nginx_conf_template }}" - dest: /etc/nginx/nginx.conf - owner: root - group: root - mode: 0755 - -- name: Configure redirect nginx conf - become: true - ansible.builtin.copy: - src: redirect_http_to_https.conf - dest: /etc/nginx/conf.d/redirect_http_to_https.conf - owner: root - group: root - mode: 0755 - when: redirect_http_to_https_enabled | bool - notify: Restart nginx - -- name: Configure the artifactory nginx conf - become: true - ansible.builtin.template: - src: "{{ artifactory_conf_template }}" - dest: /etc/nginx/conf.d/artifactory.conf - owner: root - group: root - mode: 0755 - notify: Restart nginx - -- name: Ensure nginx dir exists - become: true - ansible.builtin.file: - path: "/var/opt/jfrog/nginx/ssl" - state: directory - mode: 0755 - -- name: Ensure ssl_certificate_path exists - become: true - ansible.builtin.file: - path: "{{ ssl_certificate_path }}" - state: directory - mode: 0755 - when: ssl_certificate_install - -- name: Ensure ssl_certificate_key_path exists - become: true - ansible.builtin.file: - path: "{{ ssl_certificate_key_path }}" - state: directory - mode: 0700 - when: ssl_certificate_install - -- name: Configure certificate - become: true - ansible.builtin.template: - src: certificate.pem.j2 - dest: "{{ ssl_certificate_path }}/{{ ssl_certificate }}" - mode: 0644 - notify: Restart nginx - no_log: true - when: ssl_certificate_install - -- name: Configure key - 
become: true - ansible.builtin.template: - src: certificate.key.j2 - dest: "{{ ssl_certificate_key_path }}/{{ ssl_certificate_key }}" - mode: 0600 - notify: Restart nginx - no_log: true - when: ssl_certificate_install - -- name: Restart nginx - ansible.builtin.meta: flush_handlers diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2 deleted file mode 100644 index 4d3976ee..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2 +++ /dev/null 
@@ -1,50 +0,0 @@ -########################################################### -## this configuration was generated by JFrog Artifactory ## -########################################################### - - ## add HA entries when ha is configure - upstream artifactory { - server 127.0.0.1:8082; -} - upstream artifactory-direct { - server 127.0.0.1:8081; -} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_certificate {{ ssl_certificate_path }}/{{ ssl_certificate }}; - ssl_certificate_key {{ ssl_certificate_key_path }}/{{ ssl_certificate_key }}; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - listen 443 ssl http2; - server_name {{ server_name }}; - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - access_log /var/log/nginx/artifactory-access.log; - error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /ui/ redirect; - rewrite ^/ui$ /ui/ redirect; - {% if artifactory_docker_registry_subdomain %}rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2;{% endif %} - chunked_transfer_encoding on; - client_max_body_size 0; - location / { - proxy_read_timeout 2400s; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass "http://artifactory"; - proxy_next_upstream error timeout non_idempotent; - proxy_next_upstream_tries 1; - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location ~ ^/artifactory/ { - proxy_pass http://artifactory-direct; - } - } -} \ No 
newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/nginx.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/nginx.conf.j2 deleted file mode 100644 index 31fd4984..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/nginx.conf.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#user nobody; -worker_processes {{ nginx_worker_processes }}; -error_log /var/log/nginx/error.log info; -#pid logs/nginx.pid; -events { - worker_connections 1024; -} -http { - include mime.types; - variables_hash_max_size 1024; - variables_hash_bucket_size 64; - server_names_hash_max_size 4096; - server_names_hash_bucket_size 128; - types_hash_max_size 2048; - types_hash_bucket_size 64; - proxy_read_timeout 2400s; - client_header_timeout 2400s; - client_body_timeout 2400s; - proxy_connect_timeout 75s; - proxy_send_timeout 2400s; - proxy_buffer_size 32k; - proxy_buffers 40 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 250m; - proxy_http_version 1.1; - client_body_buffer_size 128k; - include /etc/nginx/conf.d/*.conf; - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' -'$status $body_bytes_sent "$http_referer" ' -'"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; - sendfile on; - #tcp_nopush on; - #keepalive_timeout 0; - keepalive_timeout 65; -} diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/vars/main.yml deleted file mode 100644 index ac7fbaf6..00000000 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ -# vars file for artifactory_nginx_ssl