Diffstat (limited to 'gerboweb/deploy')
-rw-r--r--gerboweb/deploy/bootstrap_arch_container.yml4
-rw-r--r--gerboweb/deploy/cgit-logo.pngbin0 -> 104376 bytes
-rw-r--r--gerboweb/deploy/cgitrc20
-rw-r--r--gerboweb/deploy/gitolite.rc202
-rw-r--r--gerboweb/deploy/nginx.conf48
-rw-r--r--gerboweb/deploy/playbook.yml3
-rw-r--r--gerboweb/deploy/setup_gerboweb.yml2
-rw-r--r--gerboweb/deploy/setup_git.yml115
-rw-r--r--gerboweb/deploy/setup_webserver.yml2
-rw-r--r--gerboweb/deploy/uwsgi-app@.service2
-rw-r--r--gerboweb/deploy/uwsgi-cgit.ini8
11 files changed, 402 insertions, 4 deletions
diff --git a/gerboweb/deploy/bootstrap_arch_container.yml b/gerboweb/deploy/bootstrap_arch_container.yml
index 11bbf3d..e983f5c 100644
--- a/gerboweb/deploy/bootstrap_arch_container.yml
+++ b/gerboweb/deploy/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
- name: Download arch bootstrap image
get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2019.09.01/archlinux-bootstrap-2019.09.01-x86_64.tar.gz
+ url: http://mirror.rackspace.com/archlinux/iso/2020.03.01/archlinux-bootstrap-2020.03.01-x86_64.tar.gz
dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:9fc9f178db6f5c188be8884c0abf10c69418e7cd38a4389e866fac5d9961297d
+ checksum: sha256:49c7aa8718e48f5a4ec570624520fa50616ed3e044af101ec3aa16c155136f82
when: create_container is changed
- name: Create container image filesystem
diff --git a/gerboweb/deploy/cgit-logo.png b/gerboweb/deploy/cgit-logo.png
new file mode 100644
index 0000000..f781fdd
--- /dev/null
+++ b/gerboweb/deploy/cgit-logo.png
Binary files differ
diff --git a/gerboweb/deploy/cgitrc b/gerboweb/deploy/cgitrc
new file mode 100644
index 0000000..d77778b
--- /dev/null
+++ b/gerboweb/deploy/cgitrc
@@ -0,0 +1,20 @@
+css=/cgit.css
+logo= /cgit.png
+
+enable-http-clone=1
+robots=noindex, nofollow
+virtual-root=/
+
+readme=:README.rst
+about-filter=/usr/libexec/cgit/filters/about-formatting.sh
+
+enable-index-links=1
+enable-commit-grpah=1
+enable-log-filecount=1
+enable-log-linecount=1
+enable-git-config=1
+
+source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
+
+project-list=/var/lib/gitolite3/projects.list
+scan-path=/var/lib/gitolite3/repositories
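Review bot: `enable-commit-grpah=1` (the line after `enable-index-links=1`) misspells the option, and as far as I know cgit silently ignores unknown keys, so the commit graph simply stays off; change it to `enable-commit-graph=1`. The `logo= /cgit.png` line carries a stray space after `=`, which I believe cgit trims, but `logo=/cgit.png` matches the other lines and removes the doubt. Note that `enable-git-config=1` lets a repository's own `cgit.*` git config override these settings; that is only safe here because the gitolite.rc in this commit restricts `GIT_CONFIG_KEYS` to `core\.sharedRepository`, so a comment such as `# enable-git-config relies on gitolite.rc GIT_CONFIG_KEYS staying narrow` above it would keep the two files from drifting apart.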
diff --git a/gerboweb/deploy/gitolite.rc b/gerboweb/deploy/gitolite.rc
new file mode 100644
index 0000000..33ecfb2
--- /dev/null
+++ b/gerboweb/deploy/gitolite.rc
@@ -0,0 +1,202 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0027,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => 'core\.sharedRepository',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
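Review bot: `UMASK => 0027` departs from the stock 0077 that the comment above it paraphrases, but the comment says nothing about why this deployment relaxes it. Because setup_git.yml in this commit adds the cgit uwsgi user to the gitolite3 group, the effect is presumably that every repository, including ones absent from projects.list, becomes readable by that worker, so web visibility then rests solely on cgit honouring `project-list`. Suggest replacing the stock comment with `# 0027 instead of the stock 0077: repos must be group-readable so the cgit worker (group gitolite3, see setup_git.yml) can serve them; per-repo web visibility is enforced only by cgit's project-list`. The `'daemon'` feature is left enabled under ENABLE and writes git-daemon-export-ok files, yet nothing in this commit deploys git-daemon; commenting it out, as its own stock comment suggests, would keep the enabled list honest.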
diff --git a/gerboweb/deploy/nginx.conf b/gerboweb/deploy/nginx.conf
index f3400cc..b4245fa 100644
--- a/gerboweb/deploy/nginx.conf
+++ b/gerboweb/deploy/nginx.conf
@@ -322,5 +322,53 @@ http {
root /usr/share/nginx/html;
}
}
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/git.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/git.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location ~ ^/(cgit.css|robots.txt) {
+ root /usr/share/cgit;
+ expires 30d;
+ }
+
+ location ~ ^/(cgit.png|favicon.png) {
+ alias /var/www/git.jaseg.net/cgit.png;
+ }
+
+ location / {
+ include uwsgi_params;
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/run/uwsgi/cgit.socket;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
}
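Review bot: `error_page 404 /404.html;` names a URI that no location serves: the block beneath it is `location = /40x.html`, so a 404 raised by the static locations is re-dispatched to `location /` and handed to cgit over uwsgi instead of the static page. Make the two agree, e.g. `error_page 404 /40x.html;`, mirroring the 50x pair that follows. `add_header Strict-Transport-Security "max-age=86400"` is only one day; if the other TLS server blocks in this file (outside this hunk) use a longer value, matching them avoids an inconsistent HSTS policy across the hosts. The regexes `^/(cgit.css|robots.txt)` and `^/(cgit.png|favicon.png)` leave `.` unescaped and have no `$`, so `^/(cgit\.css|robots\.txt)$` and `^/(cgit\.png|favicon\.png)$` would be tighter, though the only consequence today is a stray match served from the wrong root.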
diff --git a/gerboweb/deploy/playbook.yml b/gerboweb/deploy/playbook.yml
index 7c7c95d..777d079 100644
--- a/gerboweb/deploy/playbook.yml
+++ b/gerboweb/deploy/playbook.yml
@@ -74,3 +74,6 @@
- name: Setup notification proxy
include_tasks: setup_notification_proxy.yml
+ - name: Setup semi-public git server
+ include_tasks: setup_git.yml
+
diff --git a/gerboweb/deploy/setup_gerboweb.yml b/gerboweb/deploy/setup_gerboweb.yml
index 29e83d3..6a20eed 100644
--- a/gerboweb/deploy/setup_gerboweb.yml
+++ b/gerboweb/deploy/setup_gerboweb.yml
@@ -58,7 +58,7 @@
dest: /etc/uwsgi.d/gerboweb.ini
owner: uwsgi-gerboweb
group: uwsgi
- mode: 440
+ mode: 0440
- name: Copy job processor systemd service config
template:
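Review bot: `mode: 0440` is correct for Ansible's YAML 1.1 loader (leading zero makes it octal), but it is the fragile form: a YAML 1.2 parser or yamllint reads `0440` as decimal 440, which is exactly the value the old line is being fixed away from. Ansible's own docs recommend quoting, `mode: "0440"`, so the value is a string regardless of parser. The same applies to every mode in the new setup_git.yml in this commit (`0755`, `0644`, `0440`, `0750`, `0640`, `0600`).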
diff --git a/gerboweb/deploy/setup_git.yml b/gerboweb/deploy/setup_git.yml
new file mode 100644
index 0000000..9d351e5
--- /dev/null
+++ b/gerboweb/deploy/setup_git.yml
@@ -0,0 +1,115 @@
+- name: Install host requisites
+ dnf:
+ name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown
+ state: latest
+
+- name: Copy cgit favicon
+ copy:
+ src: cgit-logo.png
+ dest: /var/www/git.jaseg.net/cgit.png
+
+- name: Create cgit instance config dir
+ file:
+ path: /var/lib/cgit
+ state: directory
+ mode: 0755
+
+- name: Copy cgit rc
+ copy:
+ src: cgitrc
+ dest: /var/lib/cgit/cgitrc-gitolite-public
+ mode: 0644
+
+- name: Create uwsgi worker user and group
+ user:
+ name: uwsgi-cgit
+ create_home: no
+ group: uwsgi
+ password: '!'
+ shell: /sbin/nologin
+ system: yes
+
+- name: Copy uwsgi config
+ copy:
+ src: uwsgi-cgit.ini
+ dest: /etc/uwsgi.d/cgit.ini
+ owner: uwsgi-cgit
+ group: uwsgi
+ mode: 0440
+
+- name: Enable uwsgi systemd socket
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@cgit.socket
+ enabled: yes
+
+- name: Copy gitolite admin pubkey
+ copy:
+ src: ~/.ssh/id_ed25519.gitolite.pub
+ dest: /tmp/jaseg-gitolite.pub
+ owner: gitolite3
+ group: gitolite3
+
+- name: Run gitolite initialization
+ command: gitolite setup -pk /tmp/jaseg-gitolite.pub
+ become: true
+ become_method: su
+ become_user: gitolite3
+ become_flags: '-s /bin/sh'
+ args:
+ creates: /var/lib/gitolite3/projects.list
+
+- name: Remove leftover admin pubkey
+ file:
+ state: absent
+ path: /tmp/jaseg-gitolite.pub
+
+- name: Allow uwsgi group to access gitolite repo dir
+ file:
+ path: /var/lib/gitolite3
+ state: directory
+ owner: gitolite3
+ group: uwsgi
+
+- name: Add cgit uwsgi user to gitolite group
+ user:
+ name: uwsgi-cgit
+ groups: gitolite3
+ append: yes
+
+- name: Allow cgit uwsgi user to access gitolite repos
+ file:
+ path: /var/lib/gitolite3/repositories
+ mode: 0750
+
+- name: Allow cgit uwsgi user to gitolite repo list
+ file:
+ path: /var/lib/gitolite3/projects.list
+ mode: 0640
+
+- name: Copy gitolite rc
+ copy:
+ src: gitolite.rc
+ dest: /var/lib/gitolite3/.gitolite.rc
+ owner: gitolite3
+ group: gitolite3
+ mode: 0600
+
+- name: Query system user account info
+ getent:
+ database: passwd
+ key: gitolite3
+
+- name: Create git alias user
+ user:
+ name: git
+ create_home: no
+ group: gitolite3
+ password: '!'
+ comment: Alias for gitolite3 user
+ shell: "{{ getent_passwd['gitolite3'][5] }}"
+ system: yes
+ non_unique: yes
+ home: "{{ getent_passwd['gitolite3'][4] }}"
+ uid: "{{ getent_passwd['gitolite3'][1] }}"
+
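Review bot: The `Allow uwsgi group to access gitolite repo dir` task sets `group: uwsgi` on `/var/lib/gitolite3` without a `mode`, so every uwsgi worker on the host (the gerboweb one included) gains whatever group access the package left on that directory, while the very next task already puts `uwsgi-cgit` into the `gitolite3` group, which is all cgit needs to traverse into `repositories` (0750) and read `projects.list` (0640). Pinning `group: gitolite3` and `mode: 0750` on the home dir instead keeps that access to the one account that needs it. `state: latest` in the first task upgrades the five packages on every run; `state: present` is the idempotent choice for a deploy task. The `yes`/`no` booleans (`create_home: no`, `system: yes`, `append: yes`) are accepted by Ansible, but `true`/`false` is what yamllint's truthy rule expects and reads the same under YAML 1.1 and 1.2.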
diff --git a/gerboweb/deploy/setup_webserver.yml b/gerboweb/deploy/setup_webserver.yml
index 8f1f429..748bef8 100644
--- a/gerboweb/deploy/setup_webserver.yml
+++ b/gerboweb/deploy/setup_webserver.yml
@@ -17,6 +17,7 @@
group: nginx
mode: 0550
loop:
+ - git.jaseg.net
- blog.jaseg.net
- kochbuch.jaseg.net
- tracespace.jaseg.net
@@ -49,6 +50,7 @@
args:
creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
loop:
+ - git.jaseg.net
- blog.jaseg.net
- kochbuch.jaseg.net
- gerbolyze.jaseg.net
diff --git a/gerboweb/deploy/uwsgi-app@.service b/gerboweb/deploy/uwsgi-app@.service
index 8398456..bdae8fd 100644
--- a/gerboweb/deploy/uwsgi-app@.service
+++ b/gerboweb/deploy/uwsgi-app@.service
@@ -5,7 +5,7 @@ After=syslog.target
[Service]
ExecStart=/usr/sbin/uwsgi \
--ini /etc/uwsgi.d/%i.ini \
- --chmod-socket=660 \
+ --chmod-socket=660 \
--socket=/run/uwsgi/%i.socket
User=uwsgi-%i
Group=uwsgi
diff --git a/gerboweb/deploy/uwsgi-cgit.ini b/gerboweb/deploy/uwsgi-cgit.ini
new file mode 100644
index 0000000..9a10350
--- /dev/null
+++ b/gerboweb/deploy/uwsgi-cgit.ini
@@ -0,0 +1,8 @@
+[uwsgi]
+master = True
+plugins = cgi
+chdir = /var/lib/gitolite3
+processes = 1
+threads = 2
+cgi = /var/www/cgi-bin/cgit
+env = CGIT_CONFIG=/var/lib/cgit/cgitrc-gitolite-public