From ac9829aad8a0e2266eca9132f26ef541b80bf7f3 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 30 Aug 2023 15:07:28 +0200
Subject: gitolite: allow custom user to be defined and refactor handling of http role

---
 roles/gitolite/base/defaults/main.yml | 1 +
 roles/gitolite/base/tasks/main.yml | 42 +++++++++++-----------
 roles/gitolite/base/templates/git-fsck@.service.j2 | 2 +-
 3 files changed, 22 insertions(+), 23 deletions(-)
(limited to 'roles/gitolite/base')

diff --git a/roles/gitolite/base/defaults/main.yml b/roles/gitolite/base/defaults/main.yml
index 3c2e8fa3..507c8c00 100644
--- a/roles/gitolite/base/defaults/main.yml
+++ b/roles/gitolite/base/defaults/main.yml
@@ -6,6 +6,7 @@ gitolite_base_path: /srv/git
 # gitolite_instances:
 # example:
+# user: git
 # umask: '0077'
 # primary_admin_key: "ssh-ed25519 ..."
 # http:
diff --git a/roles/gitolite/base/tasks/main.yml b/roles/gitolite/base/tasks/main.yml
index 9bcdc0c1..7b4600d8 100644
--- a/roles/gitolite/base/tasks/main.yml
+++ b/roles/gitolite/base/tasks/main.yml
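Review bot: The example gains `user: git` without saying that the key is optional or what the fallback is; the tasks changed in this same commit fall back to `git-` followed by the instance key when `user` is unset. Spelling that out in the example saves the reader a trip into tasks/main.yml, e.g. `#     user: git  # optional, default: git-<instance name>`.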
@@ -13,21 +13,25 @@
 name: "storage/{{ gitolite_storage.type }}/volume"
 - name: create gitolite instance user
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 user:
- name: "git-{{ item }}"
- home: "{{ gitolite_base_path }}/{{ item }}"
+ name: "{{ item.value.user | default('git-' + item.key) }}"
+ home: "{{ gitolite_base_path }}/{{ item.key }}"
 shell: /bin/sh
 system: yes
 state: present
 - name: make sure base dir is owned by gitolite user
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 file:
- path: "{{ gitolite_base_path }}/{{ item }}"
+ path: "{{ gitolite_base_path }}/{{ item.key }}"
 mode: 0750
- owner: "git-{{ item }}"
- group: "git-{{ item }}"
+ owner: "{{ item.value.user | default('git-' + item.key) }}"
+ group: "{{ item.value.user | default('git-' + item.key) }}"
 - name: deploy primary admin key
 loop: "{{ gitolite_instances | dict2items }}"
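Review bot: The fallback `item.value.user | default('git-' + item.key)` is now spelled out three times in this hunk (user `name`, `owner`, `group`) and once more as `become_user` in the next hunk; if one copy drifts, the instance's base directory ends up owned by an account other than the one `gitolite setup` later runs as. Compute it once per task instead, `vars:` / `gitolite_instance_user: "{{ item.value.user | default('git-' + item.key) }}"`, and reference `{{ gitolite_instance_user }}` in the module arguments. As far as this diff shows, nothing prevents two instances from declaring the same `user`: the second iteration of the `user` task would repoint that account's home and both base directories would be owned by one account, so hooks of one instance could reach the other's repositories — an `assert` that the configured user names are unique, placed before this task, would make that constraint explicit. While here, the context lines `system: yes` and `mode: 0750` are the truthy and bare-octal forms yamllint and ansible-lint flag; `true` and `"0750"` are the canonical spellings.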
@@ -38,23 +42,25 @@
 dest: "{{ gitolite_base_path }}/{{ item.key }}/primary-admin.pub"
 - name: run initial gitolite setup
- loop: "{{ gitolite_instances | list }}"
+ loop: "{{ gitolite_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 become: yes
 become_method: su
- become_user: "git-{{ item }}"
+ become_user: "{{ item.value.user | default('git-' + item.key) }}"
 args:
- creates: "{{ gitolite_base_path }}/{{ item }}/.gitolite.rc"
- chdir: "{{ gitolite_base_path }}/{{ item }}"
- command: gitolite setup -pk "{{ gitolite_base_path }}/{{ item }}/primary-admin.pub"
+ creates: "{{ gitolite_base_path }}/{{ item.key }}/.gitolite.rc"
+ chdir: "{{ gitolite_base_path }}/{{ item.key }}"
+ command: gitolite setup -pk "{{ gitolite_base_path }}/{{ item.key }}/primary-admin.pub"
 register: gitolite_instance_initial_setup
 - name: remove testing repository
 loop: "{{ gitolite_instance_initial_setup.results }}"
 loop_control:
- label: "{{ item.item }}"
+ label: "{{ item.item.key }}"
 when: item is changed
 file:
- path: "{{ gitolite_base_path }}/{{ item.item }}/repositories/testing.git"
+ path: "{{ gitolite_base_path }}/{{ item.item.key }}/repositories/testing.git"
 state: absent
 - name: configure umask
@@ -91,14 +97,6 @@
 regexp: "^(\\s*)#?\\s*('daemon'.*)$"
 line: '\1\2'
-- name: enable http
- loop: "{{ gitolite_instances | list }}"
- loop_control:
- loop_var: gitolite_instance
- when: "'http' in gitolite_instances[gitolite_instance]"
- include_role:
- name: gitolite/http
-
 - name: install git-fsck script
 template:
diff --git a/roles/gitolite/base/templates/git-fsck@.service.j2 b/roles/gitolite/base/templates/git-fsck@.service.j2
index 51bf43d9..ce5b7373 100644
--- a/roles/gitolite/base/templates/git-fsck@.service.j2
+++ b/roles/gitolite/base/templates/git-fsck@.service.j2
@@ -21,7 +21,7 @@ ProtectHome=yes
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
-ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector
+ReadWritePaths=-/var/lib/prometheus-node-exporter/textfile-collector
 RemoveIPC=true
 RestrictNamespaces=true
 RestrictRealtime=true
--
cgit v1.2.3
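Review bot: The new `-` prefix makes the textfile-collector path optional, so the unit now starts on hosts without node-exporter, but under `ProtectSystem=strict` it remains the only writable location; whatever the fsck script writes there must therefore tolerate the directory being absent, and the script itself is outside this diff. A comment above the line would spare the next reader a trip to systemd.exec(5): `# "-": ignore if missing, so the unit still starts on hosts without node-exporter`. Worth confirming the script treats a missing collector directory as "skip metrics" rather than failing the fsck run.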