authorChristian Pointner <equinox@spreadspace.org>2022-11-15 00:02:44 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-11-15 00:02:44 +0100
commit812ce4d302f37acd368dd5c39e5c9b34d8e6e6cd (patch)
treef27bcfface7baea148ab376068c44aa1ac393d93 /roles/gitolite
parentacmetool/cert: fix inadvertent disable of certifcate generation (diff)
gitolite: add git-fsck script
Diffstat (limited to 'roles/gitolite')
-rw-r--r--roles/gitolite/base/tasks/main.yml26
-rw-r--r--roles/gitolite/base/templates/git-fsck-.timer.j29
-rw-r--r--roles/gitolite/base/templates/git-fsck.sh.j239
-rw-r--r--roles/gitolite/base/templates/git-fsck@.service.j229
4 files changed, 102 insertions, 1 deletions
diff --git a/roles/gitolite/base/tasks/main.yml b/roles/gitolite/base/tasks/main.yml
index fe552b00..9bcdc0c1 100644
--- a/roles/gitolite/base/tasks/main.yml
+++ b/roles/gitolite/base/tasks/main.yml
@@ -99,4 +99,28 @@
include_role:
name: gitolite/http
-## TODO: add systemd-timer for `git fsck`
+
+- name: install git-fsck script
+ template:
+ src: git-fsck.sh.j2
+ dest: "{{ gitolite_base_path }}/git-fsck.sh"
+ mode: 0755
+
+- name: install template systemd unit for git-fsck
+ template:
+ src: git-fsck@.service.j2
+ dest: /etc/systemd/system/git-fsck@.service
+
+- name: install systemd timer unit for git-fsck
+ loop: "{{ gitolite_instances | list }}"
+ template:
+ src: git-fsck-.timer.j2
+ dest: "/etc/systemd/system/git-fsck-{{ item }}.timer"
+
+- name: start/enable git-fsck systemd timer
+ loop: "{{ gitolite_instances | list }}"
+ systemd:
+ daemon_reload: yes
+ name: "git-fsck-{{ item }}.timer"
+ state: started
+ enabled: yes
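Review bot: `mode: 0755` in the "install git-fsck script" task is an unquoted YAML octal literal that the parser turns into the integer 493 before Ansible sees it; write it as a string, `mode: "0755"`, and for the same reason use `enabled: true` rather than `enabled: yes` in the last task. The timer tasks loop over `gitolite_instances`, but nothing visible here stops or removes `git-fsck-<name>.timer` once an instance is dropped from that list, so a stale timer would presumably keep firing against a path that no longer exists (the script then exits 2, which at least fails the unit loudly). `daemon_reload: yes` runs on every play regardless of whether a unit file changed; a `notify` handler on the two template tasks would keep the reload tied to actual changes.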
diff --git a/roles/gitolite/base/templates/git-fsck-.timer.j2 b/roles/gitolite/base/templates/git-fsck-.timer.j2
new file mode 100644
index 00000000..08ac5e02
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck-.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Git fsck for gitolite instance %i
+
+[Timer]
+OnCalendar={{ '%02d:%02d' | format(24 | random(seed=item), 60 | random(seed=item)) }}
+Unit=git-fsck@{{ item }}.service
+
+[Install]
+WantedBy=timers.target
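Review bot: `Description=Git fsck for gitolite instance %i` uses the instance specifier, but this file is rendered as `git-fsck-{{ item }}.timer` (no `@`), so it is not a template instance and `%i` expands to an empty string; use the Jinja variable as the `Unit=` line already does, `Description=Git fsck for gitolite instance {{ item }}`. The timer has no `Persistent=true`, so a run missed because the host was down or rebooting at its one fixed minute per day is simply skipped until the next day; add `Persistent=true` under `[Timer]` so the missed integrity check is made up at boot.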
diff --git a/roles/gitolite/base/templates/git-fsck.sh.j2 b/roles/gitolite/base/templates/git-fsck.sh.j2
new file mode 100644
index 00000000..05ac6bfb
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck.sh.j2
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+INST="$1"
+if [ -z "$1" ]; then
+ echo "Usage: $0 <gitolite-instance>"
+ exit 1
+fi
+
+REPOS_D="{{ gitolite_base_path }}/$INST/repositories"
+if [ ! -d "$REPOS_D" ]; then
+ echo "instance $INST not found."
+ exit 2
+fi
+
+repos=$(find $REPOS_D -type d -name '*.git')
+
+declare -A results
+for repo in $repos; do
+ echo "*** $repo ***"
+ git --bare --git-dir "$repo" fsck --full --strict --root
+ results[$repo]=$?
+ echo ""
+done
+
+if [ -d "/var/lib/prometheus-node-exporter/textfile-collector/" ]; then
+ echo "reporting results to prometheus"
+ {
+ echo "# HELP git_fsck_run Last time git-fsck has been run."
+ echo "# TYPE git_fsck_run gauge"
+ echo "git_fsck_run{gitolite_instance=\"$INST\"} $(date +"%s")"
+ echo ""
+ echo "# HELP git_fsck_failed Result of git-fsck (0 means OK)."
+ echo "# TYPE git_fsck_failed gauge"
+ for repo in "${!results[@]}"; do
+ repo_name=$(realpath --relative-to "$REPOS_D" "$repo")
+ echo "git_fsck_failed{repository=\"$repo_name\",gitolite_instance=\"$INST\"} ${results[$repo]}"
+ done
+ } | sponge "/var/lib/prometheus-node-exporter/textfile-collector/git-fsck-$INST.prom"
+fi
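Review bot: The script always exits 0, even when one or more `git fsck` calls in the loop fail, so `git-fsck@.service` never enters a failed state and the only signal of repository corruption is the Prometheus gauge, which is written only when the textfile-collector directory exists. Track the outcome and propagate it: `failed=0` before the loop, `[ "${results[$repo]}" -eq 0 ] || failed=3` after the `results[$repo]=$?` line, and `exit $failed` after the `fi` so the unit fails and shows up in `systemctl --failed` and the journal. `find $REPOS_D` and `for repo in $repos` split on whitespace; gitolite presumably rejects such repository names, but `find "$REPOS_D" -type d -name '*.git' -prune -print0` with a `while IFS= read -r -d ''` loop would make that not matter and would also stop `find` descending into a repository looking for nested `*.git` directories. The `repo_name` label value is written unescaped; that is only safe as long as gitolite keeps `"` and `\` out of repository names, which is worth a comment at that line.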
diff --git a/roles/gitolite/base/templates/git-fsck@.service.j2 b/roles/gitolite/base/templates/git-fsck@.service.j2
new file mode 100644
index 00000000..51bf43d9
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck@.service.j2
@@ -0,0 +1,29 @@
+[Unit]
+Description=Git fsck for gitolite instance %i
+
+[Service]
+Type=oneshot
+ExecStart={{ gitolite_base_path }}/git-fsck.sh %i
+TimeoutStartSec=10m
+
+# systemd hardening-options
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=yes
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_UNIX
+SystemCallArchitectures=native
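Review bot: `TimeoutStartSec=10m` is a hard kill on a `fsck --full --strict` of every repository in an instance; a large or busy instance is likely to be SIGTERM'd mid-loop, and because the script writes its `.prom` file only after the loop completes, `git_fsck_run` then silently goes stale rather than reporting failure — either raise the timeout substantially or pair it with an alert on the age of `git_fsck_run`. The unit sets no `User=`, so the script runs as root and relies on `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` to limit the damage; running it as the gitolite instance user (with group write access to the textfile-collector directory) would be the least-privilege form and would drop the need for the ambient capability entirely. `ProtectHome=yes` will make the repositories unreadable if `gitolite_base_path` is under `/home` on some host; that is an assumption the template cannot see, so a comment at that line stating the requirement would help.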