authorChristian Pointner <equinox@spreadspace.org>2023-08-30 15:07:28 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-30 15:07:28 +0200
commitac9829aad8a0e2266eca9132f26ef541b80bf7f3 (patch)
tree0e74d59267e93f9258da0e3e5ae60dd9f6299880
parentprometheus/smartmon textfile collector: since this unit needs CAP_SYS_ADMIN w... (diff)
gitolite: allow custom user to be defined and refactor handling of http role
-rw-r--r--chaos-at-home/ch-mimas.yml1
-rw-r--r--roles/gitolite/base/defaults/main.yml1
-rw-r--r--roles/gitolite/base/tasks/main.yml42
-rw-r--r--roles/gitolite/base/templates/git-fsck@.service.j22
-rw-r--r--roles/gitolite/http/defaults/main.yml2
-rw-r--r--roles/gitolite/http/tasks/main.yml103
-rw-r--r--roles/gitolite/http/tasks/nginx-vhost.yml60
-rw-r--r--roles/gitolite/http/templates/cgitrc.j214
-rw-r--r--roles/gitolite/http/templates/fcgiwrap.service.j28
-rw-r--r--roles/gitolite/http/templates/fcgiwrap.socket.j22
10 files changed, 127 insertions, 108 deletions
diff --git a/chaos-at-home/ch-mimas.yml b/chaos-at-home/ch-mimas.yml
index fec7b0e5..20d34bd0 100644
--- a/chaos-at-home/ch-mimas.yml
+++ b/chaos-at-home/ch-mimas.yml
@@ -27,6 +27,7 @@
- role: nginx/base
- role: monitoring/prometheus/exporter
- role: gitolite/base
+ - role: gitolite/http
tasks:
- name: create zfs volume for pub.chaos-at-home.org
vars:
diff --git a/roles/gitolite/base/defaults/main.yml b/roles/gitolite/base/defaults/main.yml
index 3c2e8fa3..507c8c00 100644
--- a/roles/gitolite/base/defaults/main.yml
+++ b/roles/gitolite/base/defaults/main.yml
@@ -6,6 +6,7 @@ gitolite_base_path: /srv/git
# gitolite_instances:
# example:
+# user: git
# umask: '0077'
# primary_admin_key: "ssh-ed25519 ..."
# http:
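Review bot: The new `# user: git` example does not say that the key is optional or what it falls back to, although every task in this commit defaults it to `git-<instance>`; as this comment block is the only description of the `gitolite_instances` schema, I'd spell that out: `# user: git  # optional, defaults to git-<instance name>`. It is also worth a clause that this account becomes the owner of the instance directory, the `become_user` for gitolite setup and, when `http` is configured, the `User=` of the fcgiwrap service, so it should be a dedicated unprivileged account rather than one shared with other services.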
diff --git a/roles/gitolite/base/tasks/main.yml b/roles/gitolite/base/tasks/main.yml
index 9bcdc0c1..7b4600d8 100644
--- a/roles/gitolite/base/tasks/main.yml
+++ b/roles/gitolite/base/tasks/main.yml
@@ -13,21 +13,25 @@
name: "storage/{{ gitolite_storage.type }}/volume"
- name: create gitolite instance user
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
user:
- name: "git-{{ item }}"
- home: "{{ gitolite_base_path }}/{{ item }}"
+ name: "{{ item.value.user | default('git-' + item.key) }}"
+ home: "{{ gitolite_base_path }}/{{ item.key }}"
shell: /bin/sh
system: yes
state: present
- name: make sure base dir is owned by gitolite user
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
file:
- path: "{{ gitolite_base_path }}/{{ item }}"
+ path: "{{ gitolite_base_path }}/{{ item.key }}"
mode: 0750
- owner: "git-{{ item }}"
- group: "git-{{ item }}"
+ owner: "{{ item.value.user | default('git-' + item.key) }}"
+ group: "{{ item.value.user | default('git-' + item.key) }}"
- name: deploy primary admin key
loop: "{{ gitolite_instances | dict2items }}"
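Review bot: The fallback `item.value.user | default('git-' + item.key)` is spelled out three times in this hunk (`name`, `owner`, `group`), again as `become_user` in the next hunk of this file, and once more in cgitrc.j2 and fcgiwrap.service.j2; a later edit to one copy would silently leave the instance directory owned by one account while gitolite setup or fcgiwrap runs as another. I'd compute it once per iteration with task-level vars, `vars:` / `  gitolite_user: "{{ item.value.user | default('git-' + item.key) }}"`, and reference `gitolite_user` in the module arguments. While these tasks are being reworked, the context line `mode: 0750` is an unquoted octal literal that YAML 1.1 loaders read as an integer; `mode: "0750"` says what is meant.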
@@ -38,23 +42,25 @@
dest: "{{ gitolite_base_path }}/{{ item.key }}/primary-admin.pub"
- name: run initial gitolite setup
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
become: yes
become_method: su
- become_user: "git-{{ item }}"
+ become_user: "{{ item.value.user | default('git-' + item.key) }}"
args:
- creates: "{{ gitolite_base_path }}/{{ item }}/.gitolite.rc"
- chdir: "{{ gitolite_base_path }}/{{ item }}"
- command: gitolite setup -pk "{{ gitolite_base_path }}/{{ item }}/primary-admin.pub"
+ creates: "{{ gitolite_base_path }}/{{ item.key }}/.gitolite.rc"
+ chdir: "{{ gitolite_base_path }}/{{ item.key }}"
+ command: gitolite setup -pk "{{ gitolite_base_path }}/{{ item.key }}/primary-admin.pub"
register: gitolite_instance_initial_setup
- name: remove testing repository
loop: "{{ gitolite_instance_initial_setup.results }}"
loop_control:
- label: "{{ item.item }}"
+ label: "{{ item.item.key }}"
when: item is changed
file:
- path: "{{ gitolite_base_path }}/{{ item.item }}/repositories/testing.git"
+ path: "{{ gitolite_base_path }}/{{ item.item.key }}/repositories/testing.git"
state: absent
- name: configure umask
@@ -91,14 +97,6 @@
regexp: "^(\\s*)#?\\s*('daemon'.*)$"
line: '\1\2'
-- name: enable http
- loop: "{{ gitolite_instances | list }}"
- loop_control:
- loop_var: gitolite_instance
- when: "'http' in gitolite_instances[gitolite_instance]"
- include_role:
- name: gitolite/http
-
- name: install git-fsck script
template:
diff --git a/roles/gitolite/base/templates/git-fsck@.service.j2 b/roles/gitolite/base/templates/git-fsck@.service.j2
index 51bf43d9..ce5b7373 100644
--- a/roles/gitolite/base/templates/git-fsck@.service.j2
+++ b/roles/gitolite/base/templates/git-fsck@.service.j2
@@ -21,7 +21,7 @@ ProtectHome=yes
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
-ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector
+ReadWritePaths=-/var/lib/prometheus-node-exporter/textfile-collector
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
diff --git a/roles/gitolite/http/defaults/main.yml b/roles/gitolite/http/defaults/main.yml
new file mode 100644
index 00000000..2e77c869
--- /dev/null
+++ b/roles/gitolite/http/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+gitolite_base_path: /srv/git
diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml
index ee5b226c..afd3dd8d 100644
--- a/roles/gitolite/http/tasks/main.yml
+++ b/roles/gitolite/http/tasks/main.yml
@@ -18,91 +18,48 @@
masked: yes
- name: install fcgiwrap systemd units
- loop:
- - socket
- - service
+ loop: "{{ gitolite_instances | dict2items | selectattr('value.http', 'defined') | product(['socket', 'service']) }}"
+ loop_control:
+ label: "{{ item.0.key }}.{{ item.1 }}"
template:
- src: "fcgiwrap.{{ item }}.j2"
- dest: "/etc/systemd/system/fcgiwrap-gitolite-{{ gitolite_instance }}.{{ item }}"
+ src: "fcgiwrap.{{ item.1 }}.j2"
+ dest: "/etc/systemd/system/fcgiwrap-gitolite-{{ item.0.key }}.{{ item.1 }}"
- name: make sure fcgiwrap systemd socket unit is enabled and started
+ loop: "{{ gitolite_instances | dict2items | selectattr('value.http', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
systemd:
daemon_reload: yes
- name: "fcgiwrap-gitolite-{{ gitolite_instance }}.socket"
+ name: "fcgiwrap-gitolite-{{ item.key }}.socket"
state: started
enabled: yes
- name: generate cgitrc
+ loop: "{{ gitolite_instances | dict2items | selectattr('value.http', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
template:
src: cgitrc.j2
- dest: "{{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc"
-
-- name: install custom logo
- when: "'logo' in gitolite_instances[gitolite_instance].http"
- block:
- - name: create logo base directory
- file:
- path: /usr/local/share/cgit
- state: directory
-
- - name: copy logo file
- copy:
- src: "{{ gitolite_instances[gitolite_instance].http.logo }}"
- dest: "/usr/local/share/cgit/{{ gitolite_instance }}.png"
-
- - name: compute nginx location directive for logo
- set_fact:
- nginx_locations_logo:
- '= /logo.png':
- alias: "/usr/local/share/cgit/{{ gitolite_instance }}.png"
-
-- name: compute nginx locations directives
- set_fact:
- nginx_locations_base:
- '= /':
- return: "303 /cgit/"
- '/cgit-css/':
- alias: "/usr/share/cgit/"
- nginx_locations_main:
- '/cgit/':
- custom: |-
- include fastcgi_params;
- fastcgi_split_path_info ^(/cgit)(.*)$;
-
- fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc;
-
- fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock;
-
-- name: compute nginx location directive for git_backend
- when: "'enable_git_backend' in gitolite_instances[gitolite_instance].http and gitolite_instances[gitolite_instance].http.enable_git_backend"
- set_fact:
- nginx_locations_git_backend:
- '~ ^.*/git-receive-pack$':
- return: "403"
- '~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$':
- custom: |-
- include fastcgi_params;
+ dest: "{{ gitolite_base_path }}/{{ item.key }}/cgitrc"
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance }}/repositories;
+- name: create base directory for custom logos
+ when: (gitolite_instances | dict2items | selectattr('value.http.logo', 'defined') | length) > 0
+ file:
+ path: /usr/local/share/cgit
+ state: directory
- fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock;
+- name: copy logo file
+ loop: "{{ gitolite_instances | dict2items | selectattr('value.http.logo', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ src: "{{ item.value.http.logo }}"
+ dest: "/usr/local/share/cgit/{{ item.key }}.png"
- name: install nginx vhost
- vars:
- nginx_vhost:
- name: "gitolite-{{ gitolite_instance }}"
- template: generic
- tls: "{{ gitolite_instances[gitolite_instance].http.tls }}"
- hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}"
- logs:
- access: "/var/log/nginx/git-{{ gitolite_instance }}_access.log"
- error: "/var/log/nginx/git-{{ gitolite_instance }}_error.log"
- locations: "{{ nginx_locations_base | combine(nginx_locations_logo | default({})) | combine(nginx_locations_main) | combine(nginx_locations_git_backend | default({})) }}"
- include_role:
- name: nginx/vhost
+ loop: "{{ gitolite_instances | dict2items | selectattr('value.http', 'defined') }}"
+ loop_control:
+ loop_var: gitolite_instance
+ label: "{{ gitolite_instance.key }}"
+ include_tasks: nginx-vhost.yml
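Review bot: The `install fcgiwrap systemd units` task rewrites the `.service` unit, but nothing restarts a running service when its content changes; the next task only performs `daemon_reload` and keeps the socket started, so after changing an instance's `user` (the point of this commit) fcgiwrap keeps executing as the previous account until something else restarts it. No handler is visible in this hunk (a handlers file may exist outside the diff); if there is none, registering the template result and restarting the affected services after the daemon reload closes the gap, and restarting only the ones whose unit actually changed keeps idempotent runs quiet. The restart task must sit after the socket task so the reload has already picked up the new unit.
```yaml
- name: install fcgiwrap systemd units
  # … unchanged: loop / loop_control / template …
  register: gitolite_fcgiwrap_units

# … unchanged: make sure fcgiwrap systemd socket unit is enabled and started …

- name: restart fcgiwrap services whose unit files changed
  loop: "{{ gitolite_fcgiwrap_units.results | selectattr('changed') | map(attribute='item.0.key') | unique }}"
  systemd:
    name: "fcgiwrap-gitolite-{{ item }}.service"
    state: restarted
```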
diff --git a/roles/gitolite/http/tasks/nginx-vhost.yml b/roles/gitolite/http/tasks/nginx-vhost.yml
new file mode 100644
index 00000000..6b7d2bd0
--- /dev/null
+++ b/roles/gitolite/http/tasks/nginx-vhost.yml
@@ -0,0 +1,60 @@
+---
+- name: compute nginx locations directives
+ set_fact:
+ nginx_locations_base:
+ '= /':
+ return: "303 /cgit/"
+ '/cgit-css/':
+ alias: "/usr/share/cgit/"
+ nginx_locations_logo: {}
+ nginx_locations_main:
+ '/cgit/':
+ custom: |-
+ include fastcgi_params;
+ fastcgi_split_path_info ^(/cgit)(.*)$;
+
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance.key }}/cgitrc;
+
+ fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance.key }}.sock;
+ nginx_locations_git_backend: {}
+
+- name: compute nginx extra location directive for logo
+ when: "'logo' in gitolite_instance.value.http"
+ set_fact:
+ nginx_locations_logo:
+ '= /logo.png':
+ alias: "/usr/local/share/cgit/{{ gitolite_instance.key }}.png"
+
+- name: compute nginx extra location directive for git_backend
+ when: "'enable_git_backend' in gitolite_instance.value.http and gitolite_instance.value.http.enable_git_backend"
+ set_fact:
+ nginx_locations_git_backend:
+ '~ ^.*/git-receive-pack$':
+ return: "403"
+ '~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$':
+ custom: |-
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance.key }}/repositories;
+
+ fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance.key }}.sock;
+
+- name: install nginx vhost
+ vars:
+ nginx_vhost:
+ name: "gitolite-{{ gitolite_instance.key }}"
+ template: generic
+ tls: "{{ gitolite_instance.value.http.tls }}"
+ hostnames: "{{ gitolite_instance.value.http.hostnames }}"
+ logs:
+ access: "/var/log/nginx/git-{{ gitolite_instance.key }}_access.log"
+ error: "/var/log/nginx/git-{{ gitolite_instance.key }}_error.log"
+ locations: "{{ nginx_locations_base | combine(nginx_locations_logo) | combine(nginx_locations_main) | combine(nginx_locations_git_backend) }}"
+ include_role:
+ name: nginx/vhost
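Review bot: The `compute nginx extra location directive for git_backend` task carries no comment on what it exposes, and the exposure is security-relevant: it hands `git-upload-pack` and the dumb-protocol paths to git-http-backend without authentication, while pushes are refused by the `403` on `git-receive-pack`. I'd add a comment above that `set_fact` stating that this enables anonymous read-only clone over HTTP(S), that write attempts are rejected at nginx, and that because `GIT_HTTP_EXPORT_ALL` is not set git-http-backend only serves repositories containing a `git-daemon-export-ok` file (the same gate as `strict-export` in cgitrc.j2). The `when:` on that task could use the idiom cgitrc.j2 already applies on its clone-url line, `when: gitolite_instance.value.http.enable_git_backend | default(false)`, which drops the redundant `in` check and reads the same in both places.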
diff --git a/roles/gitolite/http/templates/cgitrc.j2 b/roles/gitolite/http/templates/cgitrc.j2
index fd3a4681..131042d2 100644
--- a/roles/gitolite/http/templates/cgitrc.j2
+++ b/roles/gitolite/http/templates/cgitrc.j2
@@ -1,16 +1,16 @@
## {{ ansible_managed }}
css=/cgit-css/cgit.css
-{% if 'logo' in gitolite_instances[gitolite_instance].http %}
+{% if 'logo' in item.value.http %}
logo=/logo.png
{% else %}
logo=/cgit-css/cgit.png
{% endif %}
-{% if 'title' in gitolite_instances[gitolite_instance].http %}
-root-title={{ gitolite_instances[gitolite_instance].http.title }}
+{% if 'title' in item.value.http %}
+root-title={{ item.value.http.title }}
{% endif %}
-{% if 'description' in gitolite_instances[gitolite_instance].http %}
-root-desc={{ gitolite_instances[gitolite_instance].http.description }}
+{% if 'description' in item.value.http %}
+root-desc={{ item.value.http.description }}
{% endif %}
enable-blame=1
@@ -25,7 +25,7 @@ enable-tree-linenumbers=1
virtual-root=/cgit/
source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
-clone-url=ssh://git-{{ gitolite_instance }}@{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}{% if ansible_port is defined %}:{{ ansible_port }}{% endif %}/$CGIT_REPO_URL{% if gitolite_instances[gitolite_instance].http.enable_git_backend | default(false) %} https://{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}/$CGIT_REPO_URL{% endif %}
+clone-url=ssh://{{ item.value.user | default('git-' + item.key) }}@{{ item.value.http.hostnames[0] }}{% if ansible_port is defined %}:{{ ansible_port }}{% endif %}/$CGIT_REPO_URL{% if item.value.http.enable_git_backend | default(false) %} https://{{ item.value.http.hostnames[0] }}/$CGIT_REPO_URL{% endif %}
strict-export=git-daemon-export-ok
-scan-path={{ gitolite_base_path }}/{{ gitolite_instance }}/repositories
+scan-path={{ gitolite_base_path }}/{{ item.key }}/repositories
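Review bot: The template now depends on the caller's loop variable being the implicit `item` (and fcgiwrap.service.j2 / fcgiwrap.socket.j2 on `item.0`), a name the template does not own and nothing in the file documents; rendering any of them from a task with a `loop_var`, or from a loop of a different shape, fails with an undefined variable or silently picks the wrong field. Passing the instance explicitly keeps the templates self-describing, e.g. on the `generate cgitrc` task `vars:` / `  gitolite_instance: "{{ item }}"` and keeping the template on `gitolite_instance.value...`, which is also the name nginx-vhost.yml already uses. Separately, `clone-url` hard-codes the `https://` form for the git_backend URL while `tls` is passed per instance to the nginx vhost; if a plain-http instance is possible, the advertised clone URL will be wrong, which is worth a comment or a check that `enable_git_backend` implies `tls`.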
diff --git a/roles/gitolite/http/templates/fcgiwrap.service.j2 b/roles/gitolite/http/templates/fcgiwrap.service.j2
index 92fa3209..a36d2a7e 100644
--- a/roles/gitolite/http/templates/fcgiwrap.service.j2
+++ b/roles/gitolite/http/templates/fcgiwrap.service.j2
@@ -1,12 +1,12 @@
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
-Requires=fcgiwrap-gitolite-{{ gitolite_instance }}.socket
+Requires=fcgiwrap-gitolite-{{ item.0.key }}.socket
[Service]
ExecStart=/usr/sbin/fcgiwrap -f
-User=git-{{ gitolite_instance }}
-Group=git-{{ gitolite_instance }}
+User={{ item.0.value.user | default('git-' + item.0.key) }}
+Group={{ item.0.value.user | default('git-' + item.0.key) }}
[Install]
-Also=fcgiwrap-gitolite-{{ gitolite_instance }}.socket
+Also=fcgiwrap-gitolite-{{ item.0.key }}.socket
diff --git a/roles/gitolite/http/templates/fcgiwrap.socket.j2 b/roles/gitolite/http/templates/fcgiwrap.socket.j2
index 6a4c58e7..f71a5fe0 100644
--- a/roles/gitolite/http/templates/fcgiwrap.socket.j2
+++ b/roles/gitolite/http/templates/fcgiwrap.socket.j2
@@ -5,7 +5,7 @@ Description=fcgiwrap Socket
SocketMode=0600
SocketUser=www-data
SocketGroup=www-data
-ListenStream=/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock
+ListenStream=/run/fcgiwrap/gitolite-{{ item.0.key }}.sock
[Install]
WantedBy=sockets.target