author | jaseg <code@jaseg.net> | 2020-03-30 00:55:33 +0200 |
---|---|---|
committer | jaseg <code@jaseg.net> | 2020-03-30 00:55:33 +0200 |
commit | 10b4f62b6aad0f5f460925a40d6ab7e4920a8b05 (patch) | |
tree | db8dfd093d16a1dc86b8047b993b80ff661b3cdf | |
parent | b595518607d567b9d0de010d2ff40985c8076cba (diff) | |
Add gitolite/cgit git hosting
-rw-r--r-- | bootstrap_arch_container.yml | 4 | ||||
-rw-r--r-- | cgit-logo.png | bin | 0 -> 104376 bytes | |||
-rw-r--r-- | cgitrc | 20 | ||||
-rw-r--r-- | gitolite.rc | 202 | ||||
-rw-r--r-- | nginx.conf | 48 | ||||
-rw-r--r-- | playbook.yml | 3 | ||||
-rw-r--r-- | setup_gerboweb.yml | 2 | ||||
-rw-r--r-- | setup_git.yml | 115 | ||||
-rw-r--r-- | setup_webserver.yml | 2 | ||||
-rw-r--r-- | uwsgi-app@.service | 2 | ||||
-rw-r--r-- | uwsgi-cgit.ini | 8 |
11 files changed, 402 insertions, 4 deletions
diff --git a/bootstrap_arch_container.yml b/bootstrap_arch_container.yml
index 11bbf3d..e983f5c 100644
--- a/bootstrap_arch_container.yml
+++ b/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
 - name: Download arch bootstrap image
 get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2019.09.01/archlinux-bootstrap-2019.09.01-x86_64.tar.gz
+ url: http://mirror.rackspace.com/archlinux/iso/2020.03.01/archlinux-bootstrap-2020.03.01-x86_64.tar.gz
 dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:9fc9f178db6f5c188be8884c0abf10c69418e7cd38a4389e866fac5d9961297d
+ checksum: sha256:49c7aa8718e48f5a4ec570624520fa50616ed3e044af101ec3aa16c155136f82
 when: create_container is changed
 - name: Create container image filesystem
diff --git a/cgit-logo.png b/cgit-logo.png
Binary files differ
new file mode 100644
index 0000000..f781fdd
--- /dev/null
+++ b/cgit-logo.png
@@ -0,0 +1,20 @@
+css=/cgit.css
+logo= /cgit.png
+
+enable-http-clone=1
+robots=noindex, nofollow
+virtual-root=/
+
+readme=:README.rst
+about-filter=/usr/libexec/cgit/filters/about-formatting.sh
+
+enable-index-links=1
+enable-commit-grpah=1
+enable-log-filecount=1
+enable-log-linecount=1
+enable-git-config=1
+
+source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
+
+project-list=/var/lib/gitolite3/projects.list
+scan-path=/var/lib/gitolite3/repositories
diff --git a/gitolite.rc b/gitolite.rc
new file mode 100644
index 0000000..33ecfb2
--- /dev/null
+++ b/gitolite.rc
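Review bot: `enable-commit-grpah=1` is misspelled and cgit ignores keys it does not recognise, so the commit graph is silently never enabled; it should read `enable-commit-graph=1`. The file header above these twenty lines says cgit-logo.png, but the content is evidently the cgitrc listed in the diffstat, so I take that as a rendering artifact rather than a misplaced file. Because `enable-http-clone=1` and `scan-path` cover the whole gitolite repositories tree, which repos are served rests entirely on `project-list` being kept in sync by gitolite's `gitweb` feature; a comment such as `# only repos granted R to the gitweb user in gitolite.conf land in projects.list and are served` would make that dependency explicit. `logo= /cgit.png` has a stray space after the `=`; I believe cgit trims it, but every other key is written without one, so `logo=/cgit.png` is the consistent form.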
@@ -0,0 +1,202 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0027,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => 'core\.sharedRepository',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
@@ -322,5 +322,53 @@ http {
 root /usr/share/nginx/html;
 }
 }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/git.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/git.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location ~ ^/(cgit.css|robots.txt) {
+ root /usr/share/cgit;
+ expires 30d;
+ }
+
+ location ~ ^/(cgit.png|favicon.png) {
+ alias /var/www/git.jaseg.net/cgit.png;
+ }
+
+ location / {
+ include uwsgi_params;
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/run/uwsgi/cgit.socket;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
 }
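Review bot: The comment kept above `UMASK => 0027` still says the default umask yields 0700, which no longer describes the value set here; 0027 makes every new repository group-readable, and setup_git.yml in this same commit adds the cgit worker to the gitolite3 group, so at the filesystem level cgit can read every repository, gitolite-admin and anything never granted to gitweb included, not only the ones in projects.list. That is acceptable as long as cgit honours project-list, but it is one less layer of defence, so I would state the intent in place: `# 0027 instead of the default 0077: cgit (uwsgi-cgit, member of group gitolite3) needs group read on repos`. The narrow `GIT_CONFIG_KEYS => 'core\.sharedRepository'` matters more than usual because cgitrc turns on enable-git-config, which lets per-repo git config influence cgit; a short comment next to it saying that it deliberately keeps cgit.* and gitweb.* out of reach of gitolite.conf `config` lines would record why it was not widened. Everything else in the hunk is the stock rc template.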
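Review bot: `error_page 404 /404.html;` names a URI that no location serves — the block under it is `location = /40x.html` — so a 404 from cgit is re-dispatched to `/404.html`, which matches `location /` and goes back to uwsgi instead of the static page; either `error_page 404 /40x.html;` or `location = /404.html {` fixes the mismatch. `add_header Strict-Transport-Security "max-age=86400"` is only one day, which is short for a host that exists only on 443; `max-age=31536000; includeSubDomains` is the usual value once you are sure the name will never need plain HTTP again. The regexes `^/(cgit.css|robots.txt)` and `^/(cgit.png|favicon.png)` leave the dots unescaped; harmless here, but `\.` is what was meant, and the second location's `alias` works only because the alias is a fixed file rather than a capture. The surrounding `http {}` block starts before this hunk.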
diff --git a/playbook.yml b/playbook.yml
index 7c7c95d..777d079 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -74,3 +74,6 @@
 - name: Setup notification proxy
 include_tasks: setup_notification_proxy.yml
+ - name: Setup semi-public git server
+ include_tasks: setup_git.yml
+
diff --git a/setup_gerboweb.yml b/setup_gerboweb.yml
index 29e83d3..6a20eed 100644
--- a/setup_gerboweb.yml
+++ b/setup_gerboweb.yml
@@ -58,7 +58,7 @@
 dest: /etc/uwsgi.d/gerboweb.ini
 owner: uwsgi-gerboweb
 group: uwsgi
- mode: 440
+ mode: 0440
 - name: Copy job processor systemd service config
 template:
diff --git a/setup_git.yml b/setup_git.yml
new file mode 100644
index 0000000..9d351e5
--- /dev/null
+++ b/setup_git.yml
@@ -0,0 +1,115 @@
+- name: Install host requisites
+ dnf:
+ name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown
+ state: latest
+
+- name: Copy cgit favicon
+ copy:
+ src: cgit-logo.png
+ dest: /var/www/git.jaseg.net/cgit.png
+
+- name: Create cgit instance config dir
+ file:
+ path: /var/lib/cgit
+ state: directory
+ mode: 0755
+
+- name: Copy cgit rc
+ copy:
+ src: cgitrc
+ dest: /var/lib/cgit/cgitrc-gitolite-public
+ mode: 0644
+
+- name: Create uwsgi worker user and group
+ user:
+ name: uwsgi-cgit
+ create_home: no
+ group: uwsgi
+ password: '!'
+ shell: /sbin/nologin
+ system: yes
+
+- name: Copy uwsgi config
+ copy:
+ src: uwsgi-cgit.ini
+ dest: /etc/uwsgi.d/cgit.ini
+ owner: uwsgi-cgit
+ group: uwsgi
+ mode: 0440
+
+- name: Enable uwsgi systemd socket
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@cgit.socket
+ enabled: yes
+
+- name: Copy gitolite admin pubkey
+ copy:
+ src: ~/.ssh/id_ed25519.gitolite.pub
+ dest: /tmp/jaseg-gitolite.pub
+ owner: gitolite3
+ group: gitolite3
+
+- name: Run gitolite initialization
+ command: gitolite setup -pk /tmp/jaseg-gitolite.pub
+ become: true
+ become_method: su
+ become_user: gitolite3
+ become_flags: '-s /bin/sh'
+ args:
+ creates: /var/lib/gitolite3/projects.list
+
+- name: Remove leftover admin pubkey
+ file:
+ state: absent
+ path: /tmp/jaseg-gitolite.pub
+
+- name: Allow uwsgi group to access gitolite repo dir
+ file:
+ path: /var/lib/gitolite3
+ state: directory
+ owner: gitolite3
+ group: uwsgi
+
+- name: Add cgit uwsgi user to gitolite group
+ user:
+ name: uwsgi-cgit
+ groups: gitolite3
+ append: yes
+
+- name: Allow cgit uwsgi user to access gitolite repos
+ file:
+ path: /var/lib/gitolite3/repositories
+ mode: 0750
+
+- name: Allow cgit uwsgi user to gitolite repo list
+ file:
+ path: /var/lib/gitolite3/projects.list
+ mode: 0640
+
+- name: Copy gitolite rc
+ copy:
+ src: gitolite.rc
+ dest: /var/lib/gitolite3/.gitolite.rc
+ owner: gitolite3
+ group: gitolite3
+ mode: 0600
+
+- name: Query system user account info
+ getent:
+ database: passwd
+ key: gitolite3
+
+- name: Create git alias user
+ user:
+ name: git
+ create_home: no
+ group: gitolite3
+ password: '!'
+ comment: Alias for gitolite3 user
+ shell: "{{ getent_passwd['gitolite3'][5] }}"
+ system: yes
+ non_unique: yes
+ home: "{{ getent_passwd['gitolite3'][4] }}"
+ uid: "{{ getent_passwd['gitolite3'][1] }}"
+
diff --git a/setup_webserver.yml b/setup_webserver.yml
index 8f1f429..748bef8 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -17,6 +17,7 @@
 group: nginx
 mode: 0550
 loop:
+ - git.jaseg.net
 - blog.jaseg.net
 - kochbuch.jaseg.net
 - tracespace.jaseg.net
@@ -49,6 +50,7 @@
 args:
 creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
 loop:
+ - git.jaseg.net
 - blog.jaseg.net
 - kochbuch.jaseg.net
 - gerbolyze.jaseg.net
diff --git a/uwsgi-app@.service b/uwsgi-app@.service
index 8398456..bdae8fd 100644
--- a/uwsgi-app@.service
+++ b/uwsgi-app@.service
@@ -5,7 +5,7 @@ After=syslog.target
 [Service]
 ExecStart=/usr/sbin/uwsgi \
 --ini /etc/uwsgi.d/%i.ini \
- --chmod-socket=660 \
+ --chmod-socket=660 \
 --socket=/run/uwsgi/%i.socket
 User=uwsgi-%i
 Group=uwsgi
diff --git a/uwsgi-cgit.ini b/uwsgi-cgit.ini
new file mode 100644
index 0000000..9a10350
--- /dev/null
+++ b/uwsgi-cgit.ini
@@ -0,0 +1,8 @@
+[uwsgi]
+master = True
+plugins = cgi
+chdir = /var/lib/gitolite3
+processes = 1
+threads = 2
+cgi = /var/www/cgi-bin/cgit
+env = CGIT_CONFIG=/var/lib/cgit/cgitrc-gitolite-public |
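Review bot: The task `Allow uwsgi group to access gitolite repo dir` changes the group of `/var/lib/gitolite3` itself to `uwsgi`, which lets every uwsgi worker on the host (gerboweb included, per the sibling hunk) traverse into gitolite's home, while the repository access that cgit actually needs is granted two tasks later through membership of the gitolite3 group; keeping the home directory at `group: gitolite3` with `mode: 0750` gives uwsgi-cgit the same path without widening it to the whole uwsgi group. Neither `file` task on that directory sets a mode, so whatever the package created is retained — I cannot tell from here whether that is 0700 or 0750, and with 0700 the group change would have no effect at all. Staging the gitolite admin key at `/tmp/jaseg-gitolite.pub` uses a predictable name in a shared directory with no explicit mode; it is a public key and /tmp is sticky, so the exposure is limited, but placing it under the gitolite3 home (e.g. `dest: /var/lib/gitolite3/admin.pub` with `mode: 0600`) and removing it afterwards as the next task already does keeps the bootstrap out of world-visible space. The `git` alias user shares gitolite3's uid, home and shell so that `ssh git@host` lands in gitolite's authorized_keys; a one-line comment on that task saying so would spare the next reader a trip through passwd.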
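Review bot: The cgit worker has no request timeout, and since cgitrc enables `enable-http-clone`, every HTTP clone is served by this one process with two threads, so a single slow or stalled client can tie cgit up indefinitely; `harakiri = 120` bounds a request, and the cgi plugin has, if I remember correctly, a separate `cgi-timeout` that should be set to the same value. `master = True` uses a capitalised boolean while uwsgi documents lower-case `true`; it is accepted, but `master = true` is the conventional spelling. A header comment naming the consumer, e.g. `; cgit as a uwsgi CGI app; socket, uid and gid are supplied by uwsgi-app@.service`, would explain why no `socket`, `uid` or `gid` keys appear in this file.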