build-nginx-openssl.yml

---
- hosts: all
  vars_files:
  - variables.yml
  vars:
    nginx_src_rpm: "nginx-{{ nginx_ver }}.el7.ngx.src.rpm"
  tasks:
  - name: Install EPEL Yum repo
    yum: name=epel-release state=present
    become: yes
    become_user: root
  - name: Install build tools from CentOS repos
    yum: name={{ item }} state=present
    become: yes
    become_user: root
    with_items:
    - ca-certificates
    - curl
    - libcurl
    - git
    - glib2
    - rsync
    - make
    - patch
    - bzip2
    - xz
    - tar
    - autoconf
    - automake
    - libtool
    - zlib-devel
    - glibc-devel
    - libaio-devel
    - pcre-devel
    - nss-devel
    - nss-softokn-devel
    - nss-softokn-freebl-devel
    - nspr-devel
    - libgcrypt-devel
    - libgpg-error-devel
    - libatomic_ops-devel
    - libxslt-devel
    - gd-devel
    - GeoIP-devel
    - rpm-build
    - redhat-rpm-config
    - mock
    - scl-utils
    - centos-release-scl-rh
    - sudo
    - GeoIP-devel
  - name: Install build tools from Devtoolset-6 repo
    yum: name={{ item }} state=present
    become: yes
    become_user: root
    with_items:
    - devtoolset-6-make
    - devtoolset-6-binutils
    - devtoolset-6-gcc
    - devtoolset-6-gcc-c++
  - name: Create directory for signing keys
    file: dest=~/keys state=directory
  - name: Copy OpenSSL signing keys
    copy: src=openssl_signers.asc dest=~/keys/openssl_signers.asc
  - name: Copy Nginx signing key
    copy: src=nginx_signing.key dest=~/keys/nginx_signing.key
  - name: Import OpenSSL signing keys
    command: gpg --import ~/keys/openssl_signers.asc
  - name: Import Nginx signign key
    command: sudo rpm --import ~/keys/nginx_signing.key
  - name: Delete recursively old rpmbuild directory
    file: dest=~/rpmbuild state=absent
  - name: Create new rpmbuild directory
    file: dest=~/rpmbuild/BUILD state=directory recurse=yes
  - name: Download Nginx RPM source package
    get_url:
      url: http://nginx.org/packages/mainline/centos/7/SRPMS/{{ nginx_src_rpm }}
      dest: ~/rpmbuild/nginx-src.rpm
  - name: Verify Nginx RPM source package signature
    command: rpmkeys -v -K ~/rpmbuild/nginx-src.rpm
  - name: Extract Nginx RPM source package
    shell: rpm -i ~/rpmbuild/nginx-src.rpm
  - name: Download OpenSSL
    get_url:
      url: http://www.openssl.org/source/{{ openssl_src }}.tar.gz
      dest: ~/rpmbuild/SOURCES/{{ openssl_src }}.tar.gz
  - name: Download OpenSSL source package signature file
    get_url:
      url: http://www.openssl.org/source/{{ openssl_src }}.tar.gz.asc
      dest: ~/rpmbuild/openssl.tar.gz.asc
  - name: Verify OpenSSL source signature
    command: gpgv --keyring pubring.gpg -v ~/rpmbuild/openssl.tar.gz.asc ~/rpmbuild/SOURCES/{{ openssl_src }}.tar.gz
  - name: 'Modify RPM spec: remove openssl package dependencies'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Build)?Requires: (lib)?openssl[^\n]*\n'
  - name: Download PCRE
    get_url:
      url: https://ftp.pcre.org/pub/pcre/pcre-{{ pcre_version }}.tar.bz2
      dest: ~/rpmbuild/SOURCES/pcre-{{ pcre_version }}.tar.bz2
  - name: 'Modify RPM spec: remove pcre package dependencies'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Build)?Requires: (lib)?pcre[^\n]*\n'
  - name: 'Modify RPM spec: build with static PCRE library'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --with-pcre=../pcre-{{ pcre_version }}")'
      backrefs: yes
  - name: 'Modify RPM spec: add libatomic_ops-devel as a build requirement'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(BuildRequires: zlib-devel\n)'
      replace: '\1BuildRequires: libatomic_ops-devel\n'
  - name: 'Modify RPM spec: add CentOS SCL release as a build requirement'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '(if 0%\{\?rhel\} == .*\n)'
      replace: '\1BuildRequires: centos-release-scl-rh\n'
  - name: 'Modify RPM spec: add devtoolset-6 as a build requirement'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '(%if 0%\{\?rhel\} == .*\n)'
      replace: '\1BuildRequires: devtoolset-6-gcc\nBuildRequires: devtoolset-6-gcc-c++\nBuildRequires: devtoolset-6-binutils\nBuildRequires: devtoolset-6-make\n'
  - name: 'Modify RPM spec: use devtoolset-6'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '(^(?:\./configure|make) )'
      replace: 'source /opt/rh/devtoolset-6/enable && \1'
  - name: 'Modify RPM spec: enable PCRE JIT'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --with-pcre-jit")'
      backrefs: yes
  - name: 'Modify RPM spec: build PCRE with PIC option'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --with-pcre-opt=\"-fPIC\"")'
      backrefs: yes
  - name: 'Modify RPM spec: build with static OpenSSL library'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --with-openssl=../{{ openssl_src }}")'
      backrefs: yes
  - name: 'Modify RPM spec: build OpenSSL with custom options'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '(./configure %{BASE_CONFIGURE_ARGS} \\\n)( *--with-cc-opt="%{WITH_CC_OPT}" \\\n)'
      replace: '\1    --with-openssl-opt="no-dtls" \\\n\2'
  - name: 'Modify RPM spec: build with dynamic libatomic_ops'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --with-libatomic")'
      backrefs: yes
  - name: 'Modify RPM spec: add build identifier'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '(./configure %{BASE_CONFIGURE_ARGS} \\\n)( *--with-openssl-opt=[^\n]* \\\n)'
      replace: '\1    --build="github.com/istenrot/centos-nginx-http2: SSE2, {{ openssl_src }}, PCRE JIT, TCP Fast Open" \\\n\2'
  - name: 'Modify RPM spec: CC options'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define WITH_CC_OPT.*)$'
      line: '\1 -mmmx -msse -msse2 -DTCP_FASTOPEN=23'
      backrefs: yes
  - name: 'Modify RPM spec: update release'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^%define main_release .*\.ngx$'
      line: '%define main_release {{ rpm_release }}.el7.exove'
  - name: 'Modify RPM spec: update package vendor'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^Vendor: .*$'
      line: 'Vendor: Nginx, Inc. and Google, Inc.'
  - name: 'Modify RPM spec: update package URL'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^URL: .*$'
      line: 'URL: https://github.com/istenrot/centos-nginx-http2'
  - name: 'Register last number of Source lines in RPM spec file'
    shell: grep -P "^Source[0-9]+:" ~/rpmbuild/SPECS/nginx.spec | tail -n 1 | sed "s/^Source\([0-9]\+\):.*$/\1/"
    register: num_sources
  - name: 'Modify RPM spec: add OpenSSL sources to src rpm build'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Source\d+: [^\n]+\n)(^\n)'
      replace: '\1Source{{ num_sources.stdout | int + 1 }}: http://www.openssl.org/source/{{ openssl_src }}.tar.gz\n\2'
  - name: 'Modify RPM spec: add PCRE sources to src rpm build'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Source\d+: [^\n]+\n)(^\n)'
      replace: '\1Source{{ num_sources.stdout | int + 2 }}: https://ftp.pcre.org/pub/pcre/pcre-{{ pcre_version }}.tar.bz2\n\2'
  - name: 'Modify RPM spec: modify %prep macros to extract OpenSSL tar file'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%prep\n)(%setup -q\n)'
      replace: '\1%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n\2'
  - name: 'Modify RPM spec: modify %prep macros to extract PCRE tar file'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%prep\n%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n)'
      replace: '\1%setup -q -T -D -n pcre-{{ pcre_version }} -b {{ num_sources.stdout | int + 2 }}\n'
  - name: Download ngx_pagespeed
    get_url:
      url: https://github.com/pagespeed/ngx_pagespeed/archive/v{{ ngx_pagespeed_version }}-beta.tar.gz
      dest: ~/rpmbuild/SOURCES/ngx_pagespeed-{{ ngx_pagespeed_version }}-beta.tar.gz
    when: build_ngx_pagespeed_module
  - name: Download PSOL library
    get_url:
      url: https://dl.google.com/dl/page-speed/psol/{{ ngx_pagespeed_version }}.tar.gz
      dest: ~/rpmbuild/SOURCES/psol-{{ ngx_pagespeed_version }}.tar.gz
    when: build_ngx_pagespeed_module
  - name: 'Modify RPM spec: add nginx-module-pagespeed as a subpackage'
    blockinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      marker: "\n"
      block: |
        %package module-pagespeed
        Summary: ngx_pagespeed dynamic module for Nginx
        Vendor: Google, Inc. and contributors
        License: ASL 2.0
        Provides: ngx_pagespeed-{{ ngx_pagespeed_version }}-beta
        Requires: nginx = %{?epoch:%{epoch}:}%{main_version}-%{main_release}
        %description module-pagespeed
        ngx_pagespeed dynamic module for Nginx.

        %files module-pagespeed
        %defattr(-,root,root)
        %attr(0755,root,root) %dir %{_libdir}/nginx
        %attr(0755,root,root) %dir %{_libdir}/nginx/modules
        %{_libdir}/nginx/modules/ngx_pagespeed.so
    when: build_ngx_pagespeed_module
  - name: 'Modify RPM spec: add ngx_pagespeed as dynamic module'
    lineinfile:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
      line: '\1 --add-dynamic-module=../ngx_pagespeed-{{ ngx_pagespeed_version }}-beta")'
      backrefs: yes
    when: build_ngx_pagespeed_module
  - name: 'Modify RPM spec: add ngx_pagespeed sources to src rpm build'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Source\d+: [^\n]+\n)(^\n)'
      replace: '\1Source{{ num_sources.stdout | int + 3 }}: ngx_pagespeed-{{ ngx_pagespeed_version }}-beta.tar.gz\n\2'
    when: build_ngx_pagespeed_module
  - name: 'Modify RPM spec: add PSOL sources to src rpm build'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(Source\d+: [^\n]+\n)(^\n)'
      replace: '\1Source{{ num_sources.stdout | int + 4 }}: psol-{{ ngx_pagespeed_version }}.tar.gz\n\2'
    when: build_ngx_pagespeed_module
  - name: 'Modify RPM spec: modify %prep macros to extract ngx_pagespeed tar files'
    replace:
      dest: ~/rpmbuild/SPECS/nginx.spec
      regexp: '^(%prep\n%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n)'
      replace: '\1%setup -q -T -D -n ngx_pagespeed-{{ ngx_pagespeed_version }}-beta -b {{ num_sources.stdout | int + 3 }}\n%setup -q -T -D -n ngx_pagespeed-{{ ngx_pagespeed_version }}-beta -a {{ num_sources.stdout | int + 4 }}\n'
    when: build_ngx_pagespeed_module
  - name: Build RPM packages
    shell: source /opt/rh/devtoolset-6/enable && rpmbuild -ba ~/rpmbuild/SPECS/nginx.spec