add Final Infrastructure Setup

2026-03-29 13:45:10 +02:00 · 2026-03-29 13:45:10 +02:00 · 7733dde658
commit 7733dde658
174 changed files with 204949 additions and 0 deletions
--- a/infrastructure/ansible/roles/mft-setup-nginx/tasks/main.yml
+++ b/infrastructure/ansible/roles/mft-setup-nginx/tasks/main.yml
@ -0,0 +1,86 @@
+---
+
+- sefcontext:
+    target: "{{ configs.mft_services.nginx.log_dir }}(/.*)?"
+    setype: httpd_sys_rw_content_t
+    state: present
+  when: ansible_distribution == 'CentOS'
+
+- name: Apply SELinux context changes
+  command: restorecon -R -v "{{ configs.mft_services.nginx.log_dir }}"
+  when: ansible_distribution == 'CentOS'
+
+- name: Allow nginx to access cifs shares
+  seboolean: name=httpd_use_cifs state=yes persistent=yes
+  when: ansible_distribution == 'CentOS'
+
+- name: Create nginx group for ubuntu
+  group:
+    name: "{{ configs.mft_services.nginx.user }}"
+    state: present
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+- name: Create nginx user for ubuntu
+  user:
+    name: "{{ configs.mft_services.nginx.user }}"
+    groups: "{{ configs.mft_services.nginx.group }}"
+    state: present
+    createhome: no
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+- name: Find nginx config
+  find:
+    paths: "{{ remote_deployment_dir }}"
+    patterns: nginx_https.conf
+    file_type: file
+    recurse: yes
+  register: found_nginx_config
+
+- name: Copy nginx configuration
+  command: cp {{ found_nginx_config.files[0].path }} {{ configs.mft_services.nginx.config }}
+  notify:
+    - Restart nginx with config check
+
+- name: Open port 60011 in nginx config
+  lineinfile:
+    path: "{{ configs.mft_services.nginx.config }}"
+    insertbefore: '[ \t]* access_log /var/log/nginx/access.log;'
+    line: '                listen {{ configs.mft_services.access_manager.proxy_port }};'
+  become: true
+
+- name: Add Access Manager forwarding in nginx configuration
+  blockinfile:
+    path: "{{ configs.mft_services.nginx.config }}"
+    insertafter:  '[ \t]* access_log /var/log/nginx/access.log;'
+    block: |
+      location /access-manager/oauth/token {
+          proxy_pass http://127.0.0.1:9001/access-manager/oauth/token;
+      }
+      location /access-manager/v1/admin/clients {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/clients;
+      }
+      location /access-manager/v1/greeting {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/greeting;
+      }
+      location /access-manager/v1/admin/roles {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/roles;
+      }
+      location /access-manager/v1/admin/users {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/users;
+      }
+      location /access-manager/v1/me {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/me;
+      }
+      location /access-manager/v1/admin/user-role-membership {
+          proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/user-role-membership;
+      }
+  become: true
+
+- name: Set nginx config ownership
+  file:
+    path: "{{ configs.mft_services.nginx.config }}"
+    owner: "{{ configs.mft_services.nginx.user }}"
+    group: "{{ configs.mft_services.nginx.group }}"
+    mode: "0660"
+
+# vim:ft=ansible