Refactored Nginx role (DRY).

Author: bbaassssiiee

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml

@@ -15,16 +15,7 @@
 - name: Install nginx
   ansible.builtin.include_role:
     name: artifactory_nginx
-  when:
-    - artifactory_nginx_enabled | bool
-    - not artifactory_nginx_ssl_enabled | bool
-
-- name: Install nginx with SSL
-  ansible.builtin.include_role:
-    name: artifactory_nginx_ssl
-  when:
-    - not artifactory_nginx_enabled | bool
-    - artifactory_nginx_ssl_enabled | bool
+  when: ( artifactory_nginx_enabled | bool ) or ( artifactory_nginx_ssl_enabled | bool )
 
 - name: Ensure group artifactory exist
   become: true
@@ -239,4 +230,4 @@
   delay: 5
   when:
     - not ansible_check_mode
-    - artifactory_start_service | bool
+    - artifactory_start_service | bool

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/README.md

@@ -1,8 +1,13 @@
-# artifactory_nginx
-
-This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately.
+# artifactory_nginx_ssl
+The artifactory_nginx_ssl role installs and configures nginx for SSL.
 
 ## Role Variables
-
-* _server_name_: **mandatory** This is the server name. eg. "artifactory.54.175.51.178.xip.io"
-* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker subdomains.
+* _server_name_: This is the server name. eg. "artifactory.54.175.51.178.xip.io"
+* _ssl_certificate_install_: `true` - install the SSL certificate and private key. When `false` you need to manage certs yourself.  
+* _ssl_certificate_: This is the filename of the SSL certificate.
+* _ssl_certificate_path_: This is the full directory path for the SSL certificate, excluding _ssl_certificate_.
+* _ssl_certificate_key_: This is the filename of the SSL private key.
+* _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_.
+* _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1.
+* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker
+  subdomains.

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/defaults/main.yml

@@ -1,12 +1,23 @@
----
-# defaults file for artifactory_nginx
+# defaults file for artifactory_nginx_ssl
+
 ## For production deployments,You SHOULD change it.
-server_name: test.artifactory.com
+# server_name: test.artifactory.com
 
 nginx_daemon: nginx
+nginx_upstream: false
+nginx_upstream_repo_key: https://nginx.org/keys/nginx_signing.key
+nginx_upstream_repo_baseurl: https://nginx.org/packages
+nginx_module: '1.22'
+redirect_http_to_https_enabled: true
 
 nginx_worker_processes: 1
 artifactory_docker_registry_subdomain: false
 
 artifactory_conf_template: artifactory.conf.j2
 nginx_conf_template: nginx.conf.j2
+
+ssl_certificate_install: true
+ssl_certificate_path: /etc/pki/tls/certs
+ssl_certificate_key_path: /etc/pki/tls/private
+ssl_certificate: cert.pem
+ssl_certificate_key: cert.key

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/files/redirect_http_to_https.conf renamed to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/files/redirect_http_to_https.conf

@@ -1,5 +1,5 @@
 ---
-# handlers file for artifactory_nginx
+# handlers file for artifactory_nginx_ssl
 - name: Restart nginx
   become: true
   ansible.builtin.systemd:

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml

@@ -3,7 +3,7 @@ dependencies: []
 
 galaxy_info:
   author: "JFrog Maintainers Team <[email protected]>"
-  description: "This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately."
+  description: "The artifactory_nginx_ssl role installs and optionally configures nginx for SSL."
   company: JFrog
   issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues"
   license: license (Apache-2.0)

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml

@@ -0,0 +1,25 @@
+- name: ensure apt-transport-https is installed
+  anible.builtin.napt:
+    name: apt-transport-https
+    state: present
+
+- name: Add upstream nginx apt key
+  become: true
+  ansible.builtin.apt_key:
+    url: "{{ nginx_upstream_repo_key }}"
+    state: present
+
+- name: Add nginx stable repo
+  become: true
+  ansible.builtin.apt_repository:
+    repo: 'deb {{ nginx_upstream_repo_baseurl }}/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx'
+    state: present
+
+- name: Update apt cache
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+  register: apt_update_cache
+  retries: 5
+  delay: 60

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-ownstream.yml

@@ -11,7 +11,7 @@
     owner: root
     group: root
     mode: '0644'
-    content: deb https://nginx.org/packages/{{ distro_family }} {{ distro_codename }} nginx
+    content: deb https://nginx.org/packages/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx
   vars:
     distro_family: "{{ ansible_distribution | lower }}"
     distro_codename: "{{ ansible_distribution_release }}"

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian.yml renamed to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/Debian-upstream.yml

@@ -0,0 +1,21 @@
+- name: Enable nginx from AppStream
+  become: true
+  ansible.builtin.command: "yum module enable -y nginx:{{ nginx_module }}"
+
+- name: Update yum cache
+  become: true
+  ansible.builtin.yum:
+    state: present
+    update_cache: true
+
+- name: Gather selinux facts
+  ansible.builtin.setup:
+    gather_subset: selinux
+
+- name: Set httpd_can_network_connect
+  become: true
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  when: ansible_facts.selinux.status == 'enabled'

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-ownstream.yml

@@ -1,5 +1,18 @@
-- name: Install prerequisite packages
-  ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml"
+- name: Check required variables
+  ansible.builtin.fail: msg="Variable '{{ item }}' is not defined"
+  when: item not in vars
+  loop:
+    - certificate
+    - certificate_key
+    - server_name
+
+- name: Install upstream packages
+  when: nginx_upstream | bool
+  ansible.builtin.include_tasks: "{{ ansible_os_family }}-upstream.yml"
+
+- name: Install packages from distribution server
+  when: not nginx_upstream | bool
+  ansible.builtin.include_tasks: "{{ ansible_os_family }}-ownstream.yml"
 
 - name: Install nginx
   become: true
@@ -9,9 +22,9 @@
   register: install_nginx
   retries: 5
   delay: 60
-  until: install_nginx is succeeded
+  until: install_nginx is success
 
-- name: Copy nginx.conf file
+- name: Configure main nginx conf file.
   become: true
   ansible.builtin.template:
     src: "{{ nginx_conf_template }}"
@@ -20,7 +33,21 @@
     group: root
     mode: '0755'
 
-- name: Generate artifactory.conf
+- name: Configure redirect nginx conf
+  when:
+    - artifactory_nginx_ssl_enabled is defined
+    - artifactory_nginx_ssl_enabled | bool
+  become: true
+  ansible.builtin.copy:
+    src: redirect_http_to_https.conf
+    dest: /etc/nginx/conf.d/redirect_http_to_https.conf
+    owner: root
+    group: root
+    mode: '0755'
+  when: redirect_http_to_https_enabled | bool
+  notify: Restart nginx
+
+- name: Configure the artifactory nginx conf
   become: true
   ansible.builtin.template:
     src: "{{ artifactory_conf_template }}"
@@ -30,5 +57,50 @@
     mode: '0755'
   notify: Restart nginx
 
+- name: Configure SSL
+  when:
+    - artifactory_nginx_ssl_enabled is defined
+    - artifactory_nginx_ssl_enabled | bool
+    - ssl_certificate_install | bool
+  block:
+    - name: Create directory
+      become: true
+      ansible.builtin.file:
+        path: "/var/opt/jfrog/nginx/ssl"
+        state: directory
+        mode: '0755'
+
+    - name: Ensure ssl_certificate_path exists
+      become: true
+      ansible.builtin.file:
+        path: "{{ ssl_certificate_path }}"
+        state: directory
+        mode: '0755'
+
+    - name: Ensure ssl_certificate_key_path exists
+      become: true
+      ansible.builtin.file:
+        path: "{{ ssl_certificate_key_path }}"
+        state: directory
+        mode: '0700'
+
+    - name: Configure certificate
+      become: true
+      ansible.builtin.template:
+        src: certificate.pem.j2
+        dest: "{{ ssl_certificate_path }}/{{ ssl_certificate }}"
+        mode: '0644'
+      notify: Restart nginx
+      no_log: true
+
+    - name: Configure key
+      become: true
+      ansible.builtin.template:
+        src: certificate.key.j2
+        dest: "{{ ssl_certificate_key_path }}/{{ ssl_certificate_key }}"
+        mode: '0600'
+      notify: Restart nginx
+      no_log: true
+
 - name: Restart nginx
   ansible.builtin.meta: flush_handlers

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/RedHat.yml renamed to Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/RedHat-upstream.yml

@@ -1,5 +1,5 @@
 ###########################################################
-## this configuration was generated by JFrog Artifactory ##
+## this configuration was generated for JFrog Artifactory ##
 ###########################################################
 
   ## add HA entries when ha is configure
@@ -9,9 +9,21 @@
   upstream artifactory-direct {
   server 127.0.0.1:8081;
 }
+{% if artifactory_nginx_ssl_enabled is defined and artifactory_nginx_ssl_enabled %}
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_certificate      {{ ssl_certificate_path }}/{{ ssl_certificate }};
+  ssl_certificate_key  {{ ssl_certificate_key_path }}/{{ ssl_certificate_key }};
+  ssl_session_cache shared:SSL:1m;
+  ssl_prefer_server_ciphers   on;
+  {% endif %}
   ## server configuration
   server {
-  listen 80 ;
+{% if artifactory_nginx_ssl_enabled is defined and artifactory_nginx_ssl_enabled %}
+  listen 443 ssl http2;
+{% else %}
+  listen 80;
+{% endif %}
   server_name {{ server_name }};
   if ($http_x_forwarded_proto = '') {
   set $http_x_forwarded_proto  $scheme;
@@ -41,4 +53,4 @@
     proxy_pass    http://artifactory-direct;
     }
   }
-}
+}