From 812ce4d302f37acd368dd5c39e5c9b34d8e6e6cd Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 15 Nov 2022 00:02:44 +0100
Subject: gitolite: add git-fsck script

---
 roles/gitolite/base/tasks/main.yml | 26 ++++++++++++++-
 roles/gitolite/base/templates/git-fsck-.timer.j2 | 9 +++++
 roles/gitolite/base/templates/git-fsck.sh.j2 | 39 ++++++++++++++++++++++
 roles/gitolite/base/templates/git-fsck@.service.j2 | 29 ++++++++++++++++
 4 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 roles/gitolite/base/templates/git-fsck-.timer.j2
 create mode 100644 roles/gitolite/base/templates/git-fsck.sh.j2
 create mode 100644 roles/gitolite/base/templates/git-fsck@.service.j2
(limited to 'roles/gitolite')

diff --git a/roles/gitolite/base/tasks/main.yml b/roles/gitolite/base/tasks/main.yml
index fe552b00..9bcdc0c1 100644
--- a/roles/gitolite/base/tasks/main.yml
+++ b/roles/gitolite/base/tasks/main.yml
@@ -99,4 +99,28 @@
   include_role:
     name: gitolite/http
 
-## TODO: add systemd-timer for `git fsck`
+
+- name: install git-fsck script
+  template:
+    src: git-fsck.sh.j2
+    dest: "{{ gitolite_base_path }}/git-fsck.sh"
+    mode: 0755
+
+- name: install template systemd unit for git-fsck
+  template:
+    src: git-fsck@.service.j2
+    dest: /etc/systemd/system/git-fsck@.service
+
+- name: install systemd timer unit for git-fsck
+  loop: "{{ gitolite_instances | list }}"
+  template:
+    src: git-fsck-.timer.j2
+    dest: "/etc/systemd/system/git-fsck-{{ item }}.timer"
+
+- name: start/enable git-fsck systemd timer
+  loop: "{{ gitolite_instances | list }}"
+  systemd:
+    daemon_reload: yes
+    name: "git-fsck-{{ item }}.timer"
+    state: started
+    enabled: yes
diff --git a/roles/gitolite/base/templates/git-fsck-.timer.j2 b/roles/gitolite/base/templates/git-fsck-.timer.j2
new file mode 100644
index 00000000..08ac5e02
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck-.timer.j2
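Review bot: The `mode: 0755` on the "install git-fsck script" task is an unquoted octal literal, which YAML 1.1 parsers hand to Ansible as the integer 493 and which Ansible's own documentation recommends quoting so it can do the string-to-octal conversion itself; write `mode: "0755"`. The last task uses `yes` for `daemon_reload` and `enabled`, where `true` is the canonical YAML boolean and what yamllint's truthy rule expects. The `git-fsck@.service` template task sets no explicit mode, which works for a unit file but differs from the script task; `mode: "0644"` would make the two installs uniform.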
@@ -0,0 +1,9 @@
+[Unit]
+Description=Git fsck for gitolite instance %i
+
+[Timer]
+OnCalendar={{ '%02d:%02d' | format(24 | random(seed=item), 60 | random(seed=item)) }}
+Unit=git-fsck@{{ item }}.service
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/gitolite/base/templates/git-fsck.sh.j2 b/roles/gitolite/base/templates/git-fsck.sh.j2
new file mode 100644
index 00000000..05ac6bfb
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck.sh.j2
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+INST="$1"
+if [ -z "$1" ]; then
+  echo "Usage: $0 "
+  exit 1
+fi
+
+REPOS_D="{{ gitolite_base_path }}/$INST/repositories"
+if [ ! -d "$REPOS_D" ]; then
+  echo "instance $INST not found."
+  exit 2
+fi
+
+repos=$(find $REPOS_D -type d -name '*.git')
+
+declare -A results
+for repo in $repos; do
+  echo "*** $repo ***"
+  git --bare --git-dir "$repo" fsck --full --strict --root
+  results[$repo]=$?
+  echo ""
+done
+
+if [ -d "/var/lib/prometheus-node-exporter/textfile-collector/" ]; then
+  echo "reporting results to prometheus"
+  {
+    echo "# HELP git_fsck_run Last time git-fsck has been run."
+    echo "# TYPE git_fsck_run gauge"
+    echo "git_fsck_run{gitolite_instance=\"$INST\"} $(date +"%s")"
+    echo ""
+    echo "# HELP git_fsck_failed Result of git-fsck (0 means OK)."
+    echo "# TYPE git_fsck_failed gauge"
+    for repo in "${!results[@]}"; do
+      repo_name=$(realpath --relative-to "$REPOS_D" "$repo")
+      echo "git_fsck_failed{repository=\"$repo_name\",gitolite_instance=\"$INST\"} ${results[$repo]}"
+    done
+  } | sponge "/var/lib/prometheus-node-exporter/textfile-collector/git-fsck-$INST.prom"
+fi
diff --git a/roles/gitolite/base/templates/git-fsck@.service.j2 b/roles/gitolite/base/templates/git-fsck@.service.j2
new file mode 100644
index 00000000..51bf43d9
--- /dev/null
+++ b/roles/gitolite/base/templates/git-fsck@.service.j2
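Review bot: The `[Timer]` section has no `Persistent=true`, so a daily `OnCalendar=HH:MM` run that falls while the host is powered off is skipped rather than caught up at the next boot, and an instance can go unchecked for a day per outage; add `Persistent=true` after the `Unit=` line. The `OnCalendar=` expression is not self-explanatory to the next reader: `random(seed=item)` makes the hour and minute fixed per instance, which presumably keeps the rendered unit stable across Ansible runs, and a one-line template comment such as `{# per-instance fixed time, seeded by the instance name so the unit stays idempotent #}` above it would record that intent.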
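Review bot: The script exits 0 regardless of the fsck results, so a corrupt repository leaves the oneshot service in a successful state and the failure is only observable when the node-exporter textfile directory exists; track it and propagate it, e.g. `failed=0` before the `for repo in $repos` loop, `[ "${results[$repo]}" -ne 0 ] && failed=1` right after `results[$repo]=$?`, and `exit "$failed"` as the last line, so systemd marks `git-fsck@<instance>.service` failed and the journal shows it. `find $REPOS_D -type d -name '*.git'` and `for repo in $repos` depend on word splitting, so a base path containing whitespace or glob characters would break the loop; quoting `"$REPOS_D"` is the minimal fix, with a null-delimited `find -print0 | while read -d ''` loop as the robust one. The usage message on the `-z "$1"` branch appears to have lost its argument placeholder in rendering (angle brackets stripped); confirm the source reads something like `echo "Usage: $0 <instance>"`.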
@@ -0,0 +1,29 @@
+[Unit]
+Description=Git fsck for gitolite instance %i
+
+[Service]
+Type=oneshot
+ExecStart={{ gitolite_base_path }}/git-fsck.sh %i
+TimeoutStartSec=10m
+
+# systemd hardening-options
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=yes
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_UNIX
+SystemCallArchitectures=native
-- 
cgit v1.2.3
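Review bot: `ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector` is given without the `-` prefix, so on a host where node-exporter is not installed systemd should fail to set up the mount namespace and the unit never starts, even though the script itself checks for that directory and would otherwise run fine; write `ReadWritePaths=-/var/lib/prometheus-node-exporter/textfile-collector`. `ProtectHome=yes` is the only option in the block not spelled `true`; `ProtectHome=true` keeps the style uniform. There is no `User=`, so the script runs as root with the bounding set reduced to `CAP_DAC_READ_SEARCH`, which makes `AmbientCapabilities=` redundant here and means writing into the textfile-collector directory relies on uid 0 having plain DAC write permission there (no `CAP_DAC_OVERRIDE`); a comment on the `CapabilityBoundingSet=` line stating that this is intentional would save the next reader the analysis. Usual companions to this hardening set that the unit lacks are `RestrictSUIDSGID=true`, `ProtectKernelLogs=true`, `ProtectClock=true` and `SystemCallFilter=@system-service`.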