Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add molecule configuration for nginx role #58

Merged
merged 45 commits into from
Jan 19, 2024
Merged
Show file tree
Hide file tree
Changes from 42 commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
be5d84e
Add molecule setup for nginx
p-j-smith Jan 15, 2024
0089d13
Fix path to verify playbooks
p-j-smith Jan 15, 2024
19df1e5
Use flat naming rather than nested for nignx role
p-j-smith Jan 15, 2024
1a1f1bb
Use flat naming rather than nested for nignx role
p-j-smith Jan 15, 2024
10f502d
use flat variable names in nginx config template
p-j-smith Jan 16, 2024
36b0f4b
Use flat variable names in xnat playbook molecule config
p-j-smith Jan 16, 2024
9e0a55e
publish port 80 in xnat molecule config
p-j-smith Jan 16, 2024
d75ae33
add molecule config for nginx role
p-j-smith Jan 16, 2024
d58fa8b
run gunicorn on localhost
p-j-smith Jan 16, 2024
f4fe7ea
Update nginx role variables
p-j-smith Jan 16, 2024
a5e9ce7
Make ansible lint happy
p-j-smith Jan 16, 2024
76b5442
Set permission mode for flask app and gunicorn config
p-j-smith Jan 16, 2024
ed7337c
Publish nginx port in xnat playbook molecule configuration
p-j-smith Jan 16, 2024
51c0c4d
use flat variable names for nginx template
p-j-smith Jan 16, 2024
a18bfac
remove stream from reverse proxy config
p-j-smith Jan 16, 2024
a8d2f8b
use tomcat as default server for nginx reverse proxy in xnat playbook…
p-j-smith Jan 16, 2024
600c0a4
set defaults for nginx role to be consistent with current values
p-j-smith Jan 16, 2024
f354329
set nginx variables for xnat playbook molecule setup
p-j-smith Jan 16, 2024
e0f9576
Add verify playbook for nginx role
p-j-smith Jan 16, 2024
91e87d1
Fix typo in task description
p-j-smith Jan 16, 2024
d370b5e
Add verify file for xnat molecule config
p-j-smith Jan 16, 2024
dee847f
Fix vars for nginx role in xnat playbook
p-j-smith Jan 16, 2024
2aef7a1
Move gunicorn nginx template to testing inventory
p-j-smith Jan 16, 2024
9c86fe5
Don't use ssl for nginx in testing the role
p-j-smith Jan 16, 2024
94539a6
Add molecule setup for testing nginx role on rocky 9
p-j-smith Jan 16, 2024
863b812
Add workflow for testing nginx role with molecule
p-j-smith Jan 16, 2024
01672b1
Move gunicorn service file to templates
p-j-smith Jan 16, 2024
fc39135
Run xnat tests when molecule config changes
p-j-smith Jan 16, 2024
0861270
remove jinja tempalting from verify assertion
p-j-smith Jan 16, 2024
a9865ff
remove exposed and published ports from base molecule configs
p-j-smith Jan 16, 2024
e2d2989
Add nginx role readme
p-j-smith Jan 16, 2024
0c62327
rename ipv6_enabled to nginx_ipv6_enabled
p-j-smith Jan 17, 2024
9a56f97
fix typo in nginx readme for https port default
p-j-smith Jan 17, 2024
5dc91c3
Make nginx xnat configs more general
p-j-smith Jan 17, 2024
108d39f
make nginx_root optional in the config
p-j-smith Jan 17, 2024
88351f5
update install_xnat nginx vars
p-j-smith Jan 17, 2024
2ad6fb6
use general nginx config for tests
p-j-smith Jan 17, 2024
c077dda
more logical ordering of nginx variables
p-j-smith Jan 17, 2024
c7d855d
Update description of variables
p-j-smith Jan 17, 2024
c69df49
remove tomcat port from firewall
p-j-smith Jan 17, 2024
ac8ca63
fix name of nginx config tempalte to use for testing xnat playbook
p-j-smith Jan 17, 2024
8b0b21e
Merge branch 'main' into tests/nginx
p-j-smith Jan 17, 2024
08ef842
remove unnecessary " from string variables
p-j-smith Jan 18, 2024
b8f4dd1
fix typo in name of proxy server in nginx config template
p-j-smith Jan 19, 2024
02ec02c
Add nginx_add_default_server variable
p-j-smith Jan 19, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/molecule-install-xnat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
- "roles/xnat_container_service/**"
- "playbooks/install_xnat.yml"
- "playbooks/install_container_service.yml"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- "playbooks/install_container_service.yml"
- "playbooks/install_container_service.yml"
- "playbooks/molecule/*_xnat"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the above to catch changes to the molecule configuration?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the molecule config changes should be included with the line below (- "playbooks/molecule/**/xnat/**")

- "playbooks/molecule/**/xnat/**"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ensure the tests run whenever the molecule molecule configuration or inventory changes

- ".github/workflows/molecule-install-xnat.yml"
release:
types: [published]
Expand Down
13 changes: 13 additions & 0 deletions .github/workflows/molecule-nginx.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
name: Test nginx
on:
pull_request:
paths:
- "roles/nginx/**"
- ".github/workflows/molecule.yml"
- ".github/workflows/molecule-nginx.yml"

jobs:
molecule-nginx:
uses: ./.github/workflows/molecule.yml
with:
tests-path: ansible_collections/mirsg/infrastructure/roles/nginx
2 changes: 1 addition & 1 deletion molecule_configs/centos7_base_config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ provisioner:
playbooks:
prepare: ../resources/prepare.yml
converge: ../resources/converge.yml
verify: ../resources/converge.yml
verify: ../resources/verify.yml
env:
ANSIBLE_VERBOSITY: "1"

Expand Down
2 changes: 1 addition & 1 deletion molecule_configs/rocky9_base_config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ provisioner:
playbooks:
prepare: ../resources/prepare.yml
converge: ../resources/converge.yml
verify: ../resources/converge.yml
verify: ../resources/verify.yml
env:
ANSIBLE_VERBOSITY: "1"

Expand Down
10 changes: 10 additions & 0 deletions playbooks/group_vars/web.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,3 +76,13 @@ firewalld_public_zone_open_services:
firewalld_work_zone_open_services:
- http
- https

# mirsg.infrastructure.nginx
nginx_use_ssl: "{{ ssl.use_ssl }}"
nginx_server_name: "{{ xnat_web_server.host }}"
nginx_upstream_port: 8104
nginx_upstream_listen_port: 8104
nginx_proxy_port: 8080 # tomcat
nginx_root: "/usr/share/tomcat/webapps/ROOT"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_app_access_log: "{{ nginx_log_folder }}/xnat.access.log"
nginx_app_error_log: "{{ nginx_log_folder }}/xnat.error.log"
9 changes: 3 additions & 6 deletions playbooks/molecule/centos7_xnat/molecule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -64,9 +64,10 @@ platforms:
exposed_ports:
- 80
- 443
- 8080
- 8104
published_ports:
- 127.0.0.1:8104:8104
- 127.0.0.1:8000:80
etc_hosts:
xnat.db.local: 192.168.56.2
xnat.cserv.local: 192.168.56.4
Expand Down Expand Up @@ -111,11 +112,7 @@ provisioner:
playbooks:
prepare: ../resources/xnat/prepare.yml
converge: ../resources/xnat/converge.yml
env:
ANSIBLE_VERBOSITY: 1

verifier:
name: ansible
verify: ../resources/xnat/verify.yml
env:
ANSIBLE_VERBOSITY: 1

Expand Down
10 changes: 0 additions & 10 deletions playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml
Original file line number Diff line number Diff line change
@@ -1,14 +1,4 @@
---
# Bit size for OpenSSL Diffie-Hellman Parameters. Higher bit sizes are more
# secure, but require exponentially larger times for the one-off parameter
# generation. Use 4096 for production. These may take 10mins+ to generate but
# are only generated once per server.
# For local testing (non-production), use 2096 to speed up deployment.
diffie_helman_size_bits: 2048

# Support for ipv6
ipv6_enabled: false

# XNAT configuration shared between all servers
xnat_common_config:
admin_email: "xnatadmin@{{ hostvars['xnat_web']['hostname'] }}"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,6 @@ ssl:
use_ssl: false
validate_certs: false

# nginx config
dicom_port: 8104
xnat_dicom_port: 8105

# XNAT configuration
xnat_config:
site_name: "MIRSG XNAT"
Expand Down
13 changes: 7 additions & 6 deletions playbooks/molecule/resources/xnat/inventory/group_vars/web.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,19 +6,20 @@ firewalld_public_zone_sources:
- "0.0.0.0/0"

firewalld_internal_zone_ports:
- "{{ dicom_port }}"
- "{{ tomcat_port }}"
- "{{ nginx_upstream_listen_port }}"

firewalld_work_zone_ports:
- "{{ dicom_port }}"
- "{{ tomcat_port }}"
- "{{ nginx_upstream_listen_port }}"

firewalld_public_zone_ports:
- "{{ dicom_port }}"
- "{{ tomcat_port }}"
- "{{ nginx_upstream_listen_port }}"

# mirsg.xnat.xnat
# Some times the default admin account hasn't finished creating even after tomcat has started
# Add a delay here to give the admin account a chance to be created
# Note, this issue only seems to happen in CI
xnat_wait_for_tomcat: 15

# nginx config
nginx_diffie_helman_size_bits: 2048
nginx_conf_template: "nginx_reverse_proxy_as_default.j2"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
18 changes: 18 additions & 0 deletions playbooks/molecule/resources/xnat/verify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
- name: Verify XNAT instance is running
hosts: localhost
tasks:
- name: Get server status
ansible.builtin.uri:
url: http://localhost:8000
method: GET
validate_certs: false
return_content: true
register: response

- name: Check server status and response
ansible.builtin.assert:
that:
- response.status == 200
- response.server == "nginx"
- "{{ response.content is search('MIRSG XNAT') }}"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
6 changes: 4 additions & 2 deletions playbooks/molecule/rocky9_xnat/molecule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,10 @@ platforms:
exposed_ports:
- 80
- 443
- 8080
- 8104
published_ports:
- 127.0.0.1:8104:8104
- 127.0.0.1:8000:80
etc_hosts:
xnat.db.local: 192.168.56.2
xnat.cserv.local: 192.168.56.4
Expand All @@ -95,7 +96,7 @@ platforms:
- name: xnat
ipv4_address: 192.168.56.4
exposed_ports:
- "2376"
- 2376
extra_hosts:
xnat.db.local: 192.168.56.2
xnat.web.local: 192.168.56.3
Expand All @@ -114,6 +115,7 @@ provisioner:
playbooks:
prepare: ../resources/xnat/prepare.yml
converge: ../resources/xnat/converge.yml
verify: ../resources/xnat/verify.yml
env:
ANSIBLE_VERBOSITY: "1"

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,6 @@ firewalld_work_zone_open_services:
- http
- https
firewalld_public_zone_ports:
- "8080"
- "80"
firewalld_internal_zone_ports:
- "5432"
56 changes: 56 additions & 0 deletions roles/nginx/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# mirsg.infrastructure.nginx

This role is for configuring [nginx](https://www.nginx.com/) as a
[reverse proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
on CentOS 7 or RockyLinux 9.

## Role Variables

| Name | Description |
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `nginx_owner` | The OS user that will have ownership of the nginx service file and directory. Defaults to `root` |
| `nginx_group` | The OS group that will have ownership of the nginx service file and directory. Defaults to `root` |
| `nginx_log_folder` | The path to the nginx logs. Defaults to `/var/log/nginx` |
| `nginx_access_log` | File in which to write access logs for the default server. Defaults to `/var/log/access.log` |
| `nginx_error_log` | File in which to write error logs for the default server. Defaults to `/var/log/error.log` |
| `nginx_app_access_log` | File in which to write access logs for the application server. Defaults to `/var/log/app.access.log` |
| `nginx_app_error_log` | File in which to write error logs for the application server. Defaults to `/var/log/app.error.log` |
| `nginx_http_port` | The port to listen on for HTTP connections. Defaults to `80` |
| `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `443` |
| `nginx_proxy_port` | The port to forward requests to. Required variable; no default |
| `nginx_root` | The path to search for static files. Optional variable; no default |
| `nginx_conf_template` | The template to use for generating the NGINX config. See currently available [templates](templates/). Defaults to `nginx_xnat.j2`, which is used to configure NGINX as a reverse proxy for XNAT |
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
| `nginx_conf_file` | The path to write the NGINX config to. Defaults to `/etc/nginx/nginx.conf` |
| `nginx_ipv6_enabled` | Whether to enable support for IPv6. Defaults to `false` |

If you would like to use SSL with NGINX, you will need to have the
certificate and key on your Ansible Controller, and may also need to set
the following variables:

| Name | Description |
| ------------------------------- | ----------------------------------------------------------------------------------------- |
| `nginx_use_ssl` | Whether to use SSL. Defaults to `true` |
| `nginx_certs_dir` | Where to store the certificates. Defaults to `/etc/nginx/ssl` |
| `nginx_server_cert_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default |
| `nginx_server_key_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default |
| `nginx_ssl_cert_file` | Path to copy the SSL certificate to. Defaults to `/etc/nginx/ssl/server.cert` |
| `nginx_ssl_key_file` | Path to copy the SSL key to. Defaults to `/etc/nginx/ssl/server.key` |
| `nginx_diffie_helman_size_bits` | Bit size for OpenSSL Diffie-Hellman Parameters. Defaults to `4096` |
| `nginx_dh_params_file` | Path to write the Diffie-Hellman Parameters to. Defaults to `"/etc/nginx/ssl/dhparam.pem` |

## Dependencies

You will need to install the following collections before using `mirsg.infrastructure.nginx`:

- `ansible.posix`
- `community.crypto`
- `community.general`

## Example Playbook

```yaml
- name: Configure nginx
hosts: all
roles:
- mirsg.infrastructure.nginx
```
33 changes: 22 additions & 11 deletions roles/nginx/defaults/main.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,30 @@
---
nginx: # noqa: var-naming[no-role-prefix]
owner: root
group: root
log_folder: "/var/log/nginx"
http_port: 80
https_port: 443
certs_dir: "/etc/nginx/ssl"
dh_params_file: "/etc/nginx/ssl/dhparam.pem"
conf_file: "/etc/nginx/nginx.conf"
ssl_cert_file: "/etc/nginx/ssl/server.cert"
ssl_key_file: "/etc/nginx/ssl/server.key"
nginx_owner: root
nginx_group: root

nginx_log_folder: "/var/log/nginx"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_access_log: "{{ nginx_log_folder }}/access.log"
nginx_error_log: "{{ nginx_log_folder }}/error.log"
nginx_app_access_log: "{{ nginx_log_folder }}/app.access.log"
nginx_app_error_log: "{{ nginx_log_folder }}/app.error.log"

nginx_http_port: 80
nginx_https_port: 443

nginx_conf_template: "nginx_reverse_proxy.j2" # check the template file for the variables it requires
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_conf_file: "/etc/nginx/nginx.conf"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved

nginx_ipv6_enabled: false

nginx_use_ssl: true
nginx_certs_dir: "/etc/nginx/ssl"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_ssl_cert_file: "/etc/nginx/ssl/server.cert"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_ssl_key_file: "/etc/nginx/ssl/server.key"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved

# Bit size for OpenSSL Diffie-Hellman Parameters. Higher bit sizes are more
# secure, but require exponentially larger times for the one-off parameter
# generation. Use 4096 for production. These may take 10mins+ to generate but
# are only generated once per server.
# For local testing (non-production), use 2048 to speed up deployment.
nginx_diffie_helman_size_bits: 4096
nginx_dh_params_file: "/etc/nginx/ssl/dhparam.pem"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
35 changes: 35 additions & 0 deletions roles/nginx/molecule/centos7/molecule.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
---
# test this scenario from the roles/provision directory with the command
# molecule --base-config ../../molecule_configs/centos7_base_config.yml test --scenario centos7
platforms:
- name: instance
hostname: molecule.instance.local
image: ${MOLECULE_DOCKER_IMAGE:-geerlingguy/docker-centos7-ansible:latest}
required: true
command: ""
cgroupns_mode: host
privileged: true
pre_build_image: ${MOLECULE_PRE_BUILD_IMAGE:-true}
volumes:
- ./molecule-data:/storage/molecule
keep_volumes: false
groups:
- all
- molecule
- centos7
docker_networks:
- name: molecule
ipam_config:
- subnet: 192.168.56.0/24
gateway: 192.168.56.1
networks:
- name: molecule
ipv4_address: 192.168.56.2
exposed_ports:
- 80
- 443
- 8000
published_ports:
- 127.0.0.1:8080:80
etc_hosts:
molecule.instance.local: 192.168.56.2
7 changes: 7 additions & 0 deletions roles/nginx/molecule/resources/converge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
- name: Configure nginx as a reverse proxy
hosts: all
become: true
gather_facts: true
roles:
- role: mirsg.infrastructure.nginx
7 changes: 7 additions & 0 deletions roles/nginx/molecule/resources/files/app.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
from flask import Flask

app = Flask(__name__)

@app.route("/")
def index():
return "<h1>Hello World!</h1>"
7 changes: 7 additions & 0 deletions roles/nginx/molecule/resources/inventory/group_vars/all.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
nginx_conf_template: "nginx_reverse_proxy_as_default.j2"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
nginx_server_name: molecule.instance.local
nginx_proxy_port: 8000
nginx_diffie_helman_size_bits: 2048
nginx_root: "/home/"
nginx_use_ssl: false
17 changes: 17 additions & 0 deletions roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
# mirsg.infrastructure.install_python
install_python:
version: "2"
pip_version: "20.3.4"
pip_executable: "pip"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
system_packages:
- python
- python-pip
- python-setuptools
- libselinux-python
- policycoreutils-python
pip_packages:
- gunicorn
- Flask

gunicorn_executable: /usr/bin/gunicorn
17 changes: 17 additions & 0 deletions roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
# mirsg.infrastructure.install_python
install_python:
version: "3"
pip_version: "21.3.1"
pip_executable: "/usr/local/bin/pip3"
p-j-smith marked this conversation as resolved.
Show resolved Hide resolved
system_packages:
- python3
- python3-pip
- python3-setuptools
- python3-libselinux
- policycoreutils-python-utils
pip_packages:
- gunicorn
- flask

gunicorn_executable: /usr/local/bin/gunicorn
Loading