Use systemd socket activation for Foreman

src/roles/foreman/defaults/main.yaml

@@ -12,7 +12,8 @@ foreman_database_ssl_mode: disable
 foreman_database_ssl_ca:
 foreman_database_ssl_ca_path: /etc/foreman/db-ca.crt
 
-foreman_url: "http://{{ ansible_facts['fqdn'] }}:3000"
+foreman_listen_stream: localhost:3000
+foreman_url: "http://{{ foreman_listen_stream }}"
 
 # Puma threads calculation:
 # Max calculation is based on the default for MRI https://puma.io/puma6/#thread-pool

src/roles/foreman/tasks/main.yaml

@@ -95,6 +95,12 @@
     - Restart foreman
     - Restart dynflow-sidekiq@
 
+- name: Deploy Foreman socket
+  ansible.builtin.template:
+    src: foreman.socket.j2
+    dest: /etc/systemd/system/foreman.socket
+    mode: '0644'
+
 - name: Deploy Foreman Container
   containers.podman.podman_container:
     name: "foreman"
@@ -122,6 +128,8 @@
       FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
     quadlet_options:
       - |
+        [Unit]
+        Requires=foreman.socket
         [Install]
         WantedBy=default.target foreman.target
         [Unit]
@@ -268,7 +276,7 @@
 - name: Wait for Foreman service to be accessible
   ansible.builtin.uri:
     url: '{{ foreman_url }}/api/v2/ping'
-    validate_certs: false
+    ca_path: '{{ ca_certificate }}'
   until: foreman_status.status == 200
   retries: 60
   delay: 5
@@ -287,7 +295,7 @@
 - name: Wait for Foreman tasks to be ready
   ansible.builtin.uri:
     url: '{{ foreman_url }}/api/v2/ping'
-    validate_certs: false
+    ca_path: '{{ ca_certificate }}'
   until:
     - foreman_tasks_status.status == 200
     - foreman_tasks_status.json['results']['katello']['services']['foreman_tasks']['status'] == 'ok'
@@ -304,4 +312,4 @@
     server_url: "{{ foreman_url }}"
     username: "{{ foreman_initial_admin_username }}"
     password: "{{ foreman_initial_admin_password }}"
-    validate_certs: false
+    ca_path: '{{ ca_certificate }}'

src/roles/foreman/templates/foreman.socket.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Foreman socket
+
+[Socket]
+ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
+
+[Install]
+WantedBy=sockets.target

src/roles/httpd/defaults/main.yml

@@ -1,7 +1,7 @@
 httpd_ssl_dir: /etc/pki/httpd
 httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
-httpd_foreman_backend: http://localhost:3000
+httpd_foreman_backend: http://localhost:3000/
 httpd_pub_dir: /var/www/html/pub
 
 # External authentication configuration

src/roles/httpd/tasks/main.yml

@@ -13,6 +13,13 @@
     persistent: true
   when: ansible_facts['selinux']['status'] == "enabled"
 
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+  ansible.posix.seboolean:
+    name: daemons_enable_cluster_mode
+    state: true
+    persistent: true
+
 - name: Disable welcome page
   ansible.builtin.file:
     path: /etc/httpd/conf.d/welcome.conf

src/roles/httpd/templates/foreman-ssl-vhost.conf.j2

@@ -95,8 +95,8 @@
   ProxyPass /icons !
   ProxyPass /images !
   ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
-  ProxyPassReverse / {{ httpd_foreman_backend }}/
+  ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900 upgrade=websocket
+  ProxyPassReverse / {{ httpd_foreman_backend }}
 
   AddDefaultCharset UTF-8
 </VirtualHost>

src/vars/base.yaml

@@ -23,6 +23,9 @@ foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
 foreman_plugins: "{{ enabled_features | features_to_foreman_plugins }}"
 foreman_url: "https://{{ ansible_facts['fqdn'] }}"
 
+foreman_listen_stream: /run/httpd.foreman.sock
+httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
+
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"