commit dacf3e8666afa23ba934d207f148ce46455b6758 Author: Dmitriy Rabotyagov Date: Fri Sep 25 15:54:27 2020 +0300 Fix keystone nginx behaviour When keystone and horizon are both deployed on metal, it's important that after keystone run horizon won't get stopped. Also this patch replaces of default listen on 80, in case it's set in /etc/nginx/nginx.conf rather as an include file (like in CentOS8) with port 8008 which is not used by any OpenStack services [1] and is stated as alternate http port [2] [1] https://docs.openstack.org/install-guide/firewalls-default-ports.html [2] https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=http-alt Change-Id: I064c2a432b1b8de26d93dc26932874a106e2cf58
diff --git a/tasks/keystone_nginx.yml b/tasks/keystone_nginx.yml
index 875cedd..1fb3078 100644
--- a/tasks/keystone_nginx.yml
+++ b/tasks/keystone_nginx.yml
@@ -18,6 +18,7 @@
 name: "{{ keystone_system_service_name }}"
 state: stopped
 failed_when: false
+ when: ('horizon_all' in groups and inventory_hostname not in groups['horizon_all']) or ('horizon_all' not in groups)

 - name: Disable default configuration
 file:
@@ -35,6 +36,18 @@
 - Manage LB
 - Restart web server

+- name: Ensure nginx does not listen on 80 port
+ replace:
+ path: /etc/nginx/nginx.conf
+ regexp: "{{ item.regexp }}"
+ replace: "{{ item.replace }}"
+ validate: nginx -t -c %s
+ with_items:
+ - regexp: '(\s+listen\s+)[\[,\],:]+80'
+ replace: '\1 [::1]:8008'
+ - regexp: '(\s+listen\s+)80'
+ replace: '\1 127.0.0.1:8008'
+
 - name: Ensure configuration directories exist
 file:
 path: "{{ item }}"
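Review bot: The `when:` added to the stop task in the first hunk spells out the missing-group case by hand, which makes the guard harder to audit than it needs to be. `when: inventory_hostname not in (groups['horizon_all'] | default([]))` expresses the same condition in a single clause. A comment above it, for example `# horizon shares this web server on metal hosts, so do not stop the service there`, would record why group membership gates the stop. The task starts above the hunk, so its name and module are not visible here.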
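Review bot: Both `regexp` patterns in the new "Ensure nginx does not listen on 80 port" task (second hunk) end at `80` with no terminator, so a directive such as `listen 8080;` is rewritten as well and ends up with an out-of-range port. `validate: nginx -t -c %s` would then reject the file and fail the play instead of leaving that directive alone. Anchoring the port avoids this: `regexp: '(\s+listen\s+)80(?=[\s;])'` and `regexp: '(\s+listen\s+)[\[,\],:]+80(?=[\s;])'`. Neither pattern matches address-qualified forms such as `listen 0.0.0.0:80;` or `listen *:80;`, so in those cases nginx would apparently keep port 80 open on all interfaces despite the task name. A follow-up check on the resulting file would make that visible.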