From 6d4a1738fb712056288e90ebf22036c131423ec9 Mon Sep 17 00:00:00 2001
From: Trial97
Date: Thu, 5 Mar 2020 17:40:49 +0200
Subject: [PATCH] Updated ansible docker script
---
data/ansible/docker/ca.crt | 24 ++++++++++++++++++++++++
data/ansible/docker/docker.yaml | 2 +-
data/ansible/docker/main.yaml | 5 +++--
data/ansible/docker/nginx.conf.j2 | 16 +++++++++++++---
data/ansible/docker/nginx.yaml | 22 +++++++++++++++++++---
data/ansible/docker/server.crt | 23 +++++++++++++++++++++++
data/ansible/docker/server.key | 28 ++++++++++++++++++++++++++++
7 files changed, 111 insertions(+), 9 deletions(-)
create mode 100644 data/ansible/docker/ca.crt
create mode 100644 data/ansible/docker/server.crt
create mode 100644 data/ansible/docker/server.key
diff --git a/data/ansible/docker/ca.crt b/data/ansible/docker/ca.crt
new file mode 100644
index 000000000..b0fcb7eae
--- /dev/null
+++ b/data/ansible/docker/ca.crt
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDDCCAvSgAwIBAgIJAPMIQXNTuPkzMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD +VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEYMBYGA1UEBwwPQmFkIFJlaWNoZW5o +YWxsMREwDwYDVQQKDAhJVHN5c0NPTTENMAsGA1UECwwEcm9vdDEYMBYGA1UEAwwP +ZGtyLmNncmF0ZXMub3JnMSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGl0c3lzY29t +LmNvbTAeFw0yMDAzMDUxNDA2NDhaFw0zMDAzMDMxNDA2NDhaMIGaMQswCQYDVQQG +EwJERTEQMA4GA1UECAwHQmF2YXJpYTEYMBYGA1UEBwwPQmFkIFJlaWNoZW5oYWxs +MREwDwYDVQQKDAhJVHN5c0NPTTENMAsGA1UECwwEcm9vdDEYMBYGA1UEAwwPZGty +LmNncmF0ZXMub3JnMSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGl0c3lzY29tLmNv +bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+BKO7MNSTqoerYbVcB +fvnCo3oNeV0qxFXECxkLgmXgB86sVLiF3qc6246PWStslajvGtODnMfV4GNZWklW +BW0mqIrU0ZKIaPEeaOPGMDJuFmwdnWHIeHXCIkG1lO1EWI3m3iDNVIPiMAb8yRMc +UaCJJmK40Pb8rHedkO6w4aImQvpLRvopx4y6psvV+fXdnDBXwsvz0Yp+SwmEx5bS +ZjEoZUjY3dSP3WFEsO+QG2ED2sCg3lNnrZE5MKT68bUY+RTYybmeEQiWn+CRKkov +QAkM+Tkmr8x6EZ6NdrE33mYU5sxS9vvY05haDKj698Gy0PbbUQh9/Hx3+RbSgzsd +5ysCAwEAAaNTMFEwHQYDVR0OBBYEFACYtAH/RSDNgd9r1/5I3vlBxm48MB8GA1Ud +IwQYMBaAFACYtAH/RSDNgd9r1/5I3vlBxm48MA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBACX0baD0OSMBF6zaS0TTtgAYrwopTe0yDhtugrfKJkPX +q7FMeInhHOPHZzz2aufYcln1y76ztvzzd0HdXi4UIW/VEDDfOCBlo7JbkFhOlnZX +Kmd09TPGR0szHMVBsqu4I6Uu27L+JuUT26IgaYUaIZV7F3nSPr2KXmuU1eZSRa6x +qb1HqjS6OTD8Er2C4eZ0zkw5/7rcHg/FZB0bEzNKahthwFRoR5WCLij7gz0fxDxo +RrrYXvw8MwhQwmAk+YN/nwkTzqcgupNvhstWNqn6IgzbN5Fcg17xjsdBkZ9qjg+9 +wFBfKNxvlfg8VBzT4ZG8ExWDhD+phytw3aFa29Io45w= +-----END CERTIFICATE----- diff --git a/data/ansible/docker/docker.yaml b/data/ansible/docker/docker.yaml index a75af8d41..75ebc19f7 100644 --- a/data/ansible/docker/docker.yaml +++ b/data/ansible/docker/docker.yaml 
@@ -53,7 +53,7 @@ - name: Start registry become: yes - shell: sudo docker run -d --name registry --restart=always -v "$(pwd)":/var/lib/registry -p 5000:5000 registry:2 + shell: docker run -d --name registry --restart=always -v "$(pwd)":/var/lib/registry -p 5000:5000 registry:2 args: chdir: /var/docker/registry when: continerList.stdout_lines|length == 0 diff --git a/data/ansible/docker/main.yaml b/data/ansible/docker/main.yaml index 5ba07d970..467595330 100644 --- a/data/ansible/docker/main.yaml +++ b/data/ansible/docker/main.yaml @@ -121,6 +121,7 @@ - name: copy default config copy: + remote_src: yes src: "{{ cgrates_dir }}/data/conf/cgrates/cgrates.json" dest: "{{ cgrates_dir }}/data/docker/scratch/cgrates.json" @@ -132,8 +133,8 @@ - name: tag docker image become: yes - shell: "sudo docker tag cgrates 127.0.0.1:5000/cgrates:{{ cgrates_branch }}" + shell: "docker tag cgrates 127.0.0.1:5000/cgrates:{{ cgrates_branch }}" - name: push docker image to repo become: yes - shell: "sudo docker image push 127.0.0.1:5000/cgrates:{{ cgrates_branch }}" + shell: "docker image push 127.0.0.1:5000/cgrates:{{ cgrates_branch }}" diff --git a/data/ansible/docker/nginx.conf.j2 b/data/ansible/docker/nginx.conf.j2 index 5dbe31b71..a717d8f13 100644 --- a/data/ansible/docker/nginx.conf.j2 +++ b/data/ansible/docker/nginx.conf.j2 @@ -4,8 +4,18 @@ map $upstream_http_docker_distribution_api_version $docker_distribution_api_vers } server { - listen 80; - server_name 192.168.59.203; + listen 80; # ssl; + server_name dkr.cgrates.org; + + # SSL + # ssl_certificate /etc/nginx/conf.d/domain.crt; + # ssl_certificate_key /etc/nginx/conf.d/domain.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + # ssl_protocols TLSv1.1 TLSv1.2; + # ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + # ssl_prefer_server_ciphers on; + # ssl_session_cache shared:SSL:10m; access_log /var/log/nginx/docker-error.log; error_log /var/log/nginx/docker-error.log; 
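Review bot: The rewritten `shell:` line in the "Start registry" task of docker.yaml still publishes the registry with `-p 5000:5000`, which binds on every interface, so the registry stays reachable directly and not only through the nginx vhost this patch sets up. main.yaml tags and pushes to `127.0.0.1:5000`, so a loopback binding looks sufficient: `-p 127.0.0.1:5000:5000`. The upstream address nginx proxies to is not visible in this diff, so confirm it also targets loopback before changing the binding.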
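Review bot: The "tag docker image" and "push docker image to repo" tasks in main.yaml still interpolate `{{ cgrates_branch }}` into a `shell:` string, so any shell metacharacter in the branch name is interpreted by the shell under `become: yes`. Neither line uses pipes, redirects or expansion, so `command:` would do the same work without a shell, e.g. `command: "docker tag cgrates 127.0.0.1:5000/cgrates:{{ cgrates_branch }}"`. Where `cgrates_branch` is set is not visible in this diff; if it can come from outside the playbook, validating it against the allowed tag characters would also be worthwhile.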
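Review bot: The `listen 80; # ssl;` line in nginx.conf.j2 leaves TLS switched off, with every `ssl_*` directive commented out, so image pushes and pulls through `dkr.cgrates.org` still travel in plaintext even though nginx.yaml now installs `domain.crt` and `domain.key`. If the intent is to serve the registry over TLS, enable it in the same change (`listen 443 ssl;` plus the two `ssl_certificate*` lines) rather than deploying a key that nothing uses. When it is enabled, drop TLSv1.1 from the commented protocol list, e.g. `ssl_protocols TLSv1.2;`, adding TLSv1.3 where the installed nginx/OpenSSL build supports it. The `server` block continues beyond this hunk.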
@@ -35,7 +45,7 @@ server { proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 900; } } diff --git a/data/ansible/docker/nginx.yaml b/data/ansible/docker/nginx.yaml index a5cfcebf6..15864fbe4 100644 --- a/data/ansible/docker/nginx.yaml +++ b/data/ansible/docker/nginx.yaml @@ -1,17 +1,33 @@ --- +- name: copy certificates nginx + become: true + copy: + src: server.crt + dest: "/etc/nginx/conf.d/domain.crt" + mode: '0600' + owner: "{{ rootUser }}" + +- name: copy certificates key nginx + become: true + copy: + src: server.key + dest: "/etc/nginx/conf.d/domain.key" + mode: '0600' + owner: "{{ rootUser }}" + - name: Add apt.cgrates.vhost in nginx become: true template: src: nginx.conf.j2 - dest: "/etc/nginx/sites-available/docker.cgrates.org.vhost" + dest: "/etc/nginx/sites-available/dkr.cgrates.org.vhost" mode: '0600' owner: "{{ rootUser }}" - name: Create a symlink for docker.cgrates.org become: true file: - src: "/etc/nginx/sites-available/docker.cgrates.org.vhost" - dest: "/etc/nginx/sites-enabled/docker.cgrates.org.vhost" + src: "/etc/nginx/sites-available/dkr.cgrates.org.vhost" + dest: "/etc/nginx/sites-enabled/dkr.cgrates.org.vhost" state: link - name: Restart the nginx so the change take effects diff --git a/data/ansible/docker/server.crt b/data/ansible/docker/server.crt new file mode 100644 index 000000000..2f78a9f9d --- /dev/null +++ b/data/ansible/docker/server.crt 
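Review bot: The new "copy certificates key nginx" task in nginx.yaml deploys `server.key` from a plaintext file that this same patch commits to the repository (the `server.key` hunk at the end), so everyone with read access to the repo or its history holds the private key for `dkr.cgrates.org`. The `mode: '0600'` on the destination does not help once the source is public. Keep the key out of version control: store it encrypted with Ansible Vault (the `copy` module decrypts vaulted `src` files by default) or generate it on the target host, and treat the committed key as compromised by reissuing the server certificate. If the private key of the CA behind `ca.crt` lives alongside these files, it needs the same handling.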
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3zCCAsegAwIBAgIJAMgc8s+Vkiu5MA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD +VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEYMBYGA1UEBwwPQmFkIFJlaWNoZW5o +YWxsMREwDwYDVQQKDAhJVHN5c0NPTTENMAsGA1UECwwEcm9vdDEYMBYGA1UEAwwP +ZGtyLmNncmF0ZXMub3JnMSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGl0c3lzY29t +LmNvbTAeFw0yMDAzMDUxNDA2NDhaFw0zMDAzMDMxNDA2NDhaMIGcMQswCQYDVQQG +EwJERTEQMA4GA1UECAwHQmF2YXJpYTEYMBYGA1UEBwwPQmFkIFJlaWNoZW5oYWxs +MREwDwYDVQQKDAhJVHN5c0NPTTEPMA0GA1UECwwGc2VydmVyMRgwFgYDVQQDDA9k +a3IuY2dyYXRlcy5vcmcxIzAhBgkqhkiG9w0BCQEWFGNvbnRhY3RAaXRzeXNjb20u +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoEYBsygGv+60RtKS +zaa9oD9LSGILeggUWyw6nC3dLNlKajDsJSIn6Vv3aB9Kf9MR4X+Vpe50yBxdR8K2 +fdNPedwFTkZrctUWmfIGkmgvfde2kXvMcdvAAWcMqNnZu8xiRD1KxfHQvh/glC/9 +K8lqiMmfKD/tToG9SUbNwhos6HLAkEgR9rSwscRv6jflpG2p/1dCgExwjU2ipGn7 +r8udKqSDJviTaPUo4SU8VeqAPkx6j7xs50tcA+cl06kCJdG2FJlpGuhwjuzt/V30 +9fssv7Fc7cMjqEPqHkKaHzECWTE7UlVIOERf+6+8rZXVlmEZ8JG2Ssj1+WX9uKAA +DaNLUQIDAQABoyQwIjAgBgNVHREEGTAXgg9ka3IuY2dyYXRlcy5vcmeHBH8AAAEw +DQYJKoZIhvcNAQELBQADggEBAESGUFEvlR96lddxgT1NPJ4Ay3a39Qoxl8Mkg0Yb +dCUEWEkyDQxyVmcirUtSEsMjUAMr0+NATEF7Ay43yhO93flSsEru3lvp2QM88iVq +l/Gfz0H6WoE9H9hd8c2E+vpnUzCyLyfntnq3Kg0WgrzHUmNmlE8UcnIuJQAT1zTI +3I639AFL9RtbkYXwqVkWXqp2mq79skqplZlHhgENkhuFWPHq3ZhLzlOlDyl4YNND +6p6VMcxy9aTMrGfGSn0hzrTWO33RfVBVx15UxqBtq0JejLRD6WwgK2dd5RvmZFLC +NrYQnfHREA2/xsW4SyNlFRz1NeFIdNDvSNyHT5XxCSZqvNM= +-----END CERTIFICATE----- diff --git a/data/ansible/docker/server.key b/data/ansible/docker/server.key new file mode 100644 index 000000000..355876c9a --- /dev/null +++ b/data/ansible/docker/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgRgGzKAa/7rRG +0pLNpr2gP0tIYgt6CBRbLDqcLd0s2UpqMOwlIifpW/doH0p/0xHhf5Wl7nTIHF1H +wrZ900953AVORmty1RaZ8gaSaC9917aRe8xx28ABZwyo2dm7zGJEPUrF8dC+H+CU +L/0ryWqIyZ8oP+1Ogb1JRs3CGizocsCQSBH2tLCxxG/qN+Wkban/V0KATHCNTaKk +afuvy50qpIMm+JNo9SjhJTxV6oA+THqPvGznS1wD5yXTqQIl0bYUmWka6HCO7O39 +XfT1+yy/sVztwyOoQ+oeQpofMQJZMTtSVUg4RF/7r7ytldWWYRnwkbZKyPX5Zf24 +oAANo0tRAgMBAAECggEAMbBCiqaYIR0CKwrRlIxjMbEtx80NvdGPbgyyRwU5EtRy +66UrMP/72681bsR0tlhbrMt/O6hH8FpK2RqWtT+z3hXGV1Qhr8I8dZHBU9aVErCz +2zrEUXBNgKHQHPEdPcnJlVpjOicUDj2XxJl0JgUV0D6h5zqaecJjSrp2w/yVe6LK +PWgelrJKp6vdm+XBcyWZTy34cWwnJqcHpN2yH4xUAaUkLaEV9/hqXlc75+QDc8F9 +6fWi3hMNmtfxattjz+FryfmT8uXkW0sPJpJ9R99mooCGUv7tN3WxIzNqux7C/nza +oCeaYoEHjZJuq7pjNtPsgDo681nAlfwCw3eikqjqIQKBgQDSMbT9TaFounfyZuDv +bDezsQ+4FWTX2r6A1T84vJjeeE7ySdNFQZAv6d9k0r8U7gV9BuWmS03x46an7Oo6 +RHnZHpQNEr/V+MMNt9dg4JGk0ZkKBjKwPN9Nw8/eIhJqM4jhjw9+5DQ1mctCRSqk +aTF0+UW1bqUoHyzfiPNwGY2qVQKBgQDDM1P02T7O/AeauNiLg6T1nZdAPQjNTbWI +OHu9XYItxo4KMFz5xfGbEEz+zyWH5HzlWZ7/0MIf49rVnDIIujFwNVRitCVjQlUw +KHm0FQ0EkTIXpEqe7xLBfGJ7S5i76hab34Sm55zT1x61866dFwWFAueRtgEhcSJn +ZZh6WpoRDQKBgBxf523WX/ayTWTkrHLFqhNQ0K1p/e4BsnvTzbAMDZripM2iV6ne +uucs7CJBLNhXdVg2aSP0wHXp5GKA4fGxsr0zmorVQB5TcYlVivah+idEwCMRSSBv +ZzmpOFNlSBUcFdtVI6NejQm7VCwDCEmfhbSjvdxLLnJnGvimFS7J1EztAoGAEcE0 +bLvp25fO9ULE54O02GZaIIyspUfhMB+7GZFMyu8ZclHN0yYvAKSt7CtZRZAB0Daj +oK8TSSVHfVB0uJh+8K7ZGxU5pVqeNwAnebrEcVrnjID0DJrAQPsYVhCdNtJm9gyR +m0DL4fTaJUCh7EXwyZVnDLjaR3lr4K27/b0J8G0CgYEAr3i6sZ6eGtIUefAqWg8J +hWysE6BSA5CnxLsU/eUMY6EYE3Tup/dT5N/MFXQyJvtx/L4wmCXrVSUOereK7gVM +Jg+NDS5Likssu4CnwiRI5omislqMxxHZWl/EvE4yi/ZJ+ZemGfyR5UJPAbssE/2l +vAY/GWwlQM7c68F2zDU1UgU= +-----END PRIVATE KEY-----