Merge pull request sovereign#192 from larryfox/cgit

Add git hosting

README.textile

@@ -49,6 +49,7 @@ What do you get if you point this thing at a VPS? All kinds of good stuff!
 * SSH configuration preventing root login and insecure password authentication
 * "RFC6238":http://tools.ietf.org/html/rfc6238 two-factor authentication compatible with "Google Authenticator":http://en.wikipedia.org/wiki/Google_Authenticator and various hardware tokens
 * Nightly backups to "Tarsnap":https://www.tarsnap.com/.
+* Git hosting via "cgit":http://git.zx2c4.com/cgit/about/ and "gitolite":https://github.com/sitaramc/gitolite.
 * A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
 
 No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.
@@ -146,6 +147,8 @@ bc. # znc --makepass
 
 Take the string beginning with @sha256#@ and insert it as the value for @irc_password_hash@.
 
+For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub@ or similar.
+
 h3. 5. Run the Ansible Playbooks
 
 First, make sure you've "got Ansible installed":http://docs.ansible.com/intro_installation.html#getting-ansible.

roles/git/files/home_git_.gitolite.rc

@@ -0,0 +1,176 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax.  But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+    # ------------------------------------------------------------------
+
+    # default umask gives you perms of '0700'; see the rc file docs for
+    # how/why you might change this
+    UMASK                           =>  0027,
+
+    # look for "git-config" in the documentation
+    GIT_CONFIG_KEYS                 =>  'gitweb\.(owner|description|category)',
+
+    # comment out if you don't need all the extra detail in the logfile
+    LOG_EXTRA                       =>  1,
+
+    # roles.  add more roles (like MANAGER, TESTER, ...) here.
+    #   WARNING: if you make changes to this hash, you MUST run 'gitolite
+    #   compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+    ROLES => {
+        READERS                     =>  1,
+        WRITERS                     =>  1,
+    },
+
+    # ------------------------------------------------------------------
+
+    # rc variables used by various features
+
+    # the 'info' command prints this as additional info, if it is set
+        # SITE_INFO                 =>  'Please see http://blahblah/gitolite for more help',
+
+    # the 'desc' command uses this
+        # WRITER_CAN_UPDATE_DESC    =>  1,
+
+    # the CpuTime feature uses these
+        # display user, system, and elapsed times to user after each git operation
+        # DISPLAY_CPU_TIME          =>  1,
+        # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+        # CPU_TIME_WARN_LIMIT       =>  0.1,
+
+    # the Mirroring feature needs this
+        # HOSTNAME                  =>  "foo",
+
+    # if you enabled 'Shell', you need this
+        # SHELL_USERS_LIST          =>  "$ENV{HOME}/.gitolite.shell-users",
+
+    # ------------------------------------------------------------------
+
+    # suggested locations for site-local gitolite code (see cust.html)
+
+        # this one is managed directly on the server
+        # LOCAL_CODE                =>  "$ENV{HOME}/local",
+
+        # or you can use this, which lets you put everything in a subdirectory
+        # called "local" in your gitolite-admin repo.  For a SECURITY WARNING
+        # on this, see http://gitolite.com/gitolite/cust.html#pushcode
+        # LOCAL_CODE                =>  "$rc{GL_ADMIN_BASE}/local",
+
+    # ------------------------------------------------------------------
+
+    # List of commands and features to enable
+
+    ENABLE => [
+
+        # COMMANDS
+
+            # These are the commands enabled by default
+            'help',
+            'desc',
+            'info',
+            'perms',
+            'writable',
+
+            # Uncomment or add new commands here.
+            # 'create',
+            # 'fork',
+            # 'mirror',
+            # 'sskm',
+            # 'D',
+
+        # These FEATURES are enabled by default.
+
+            # essential (unless you're using smart-http mode)
+            'ssh-authkeys',
+
+            # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
+            'git-config',
+
+            # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+            'daemon',
+
+            # creates projects.list file; if you don't use gitweb, comment this out
+            'gitweb',
+
+        # These FEATURES are disabled by default; uncomment to enable.  If you
+        # need to add new ones, ask on the mailing list :-)
+
+        # user-visible behaviour
+
+            # prevent wild repos auto-create on fetch/clone
+            # 'no-create-on-read',
+            # no auto-create at all (don't forget to enable the 'create' command!)
+            # 'no-auto-create',
+
+            # access a repo by another (possibly legacy) name
+            # 'Alias',
+
+            # give some users direct shell access
+            # 'Shell',
+
+            # set default roles from lines like 'option default.roles-1 = ...', etc.
+            # 'set-default-roles',
+
+        # system admin stuff
+
+            # enable mirroring (don't forget to set the HOSTNAME too!)
+            # 'Mirroring',
+
+            # allow people to submit pub files with more than one key in them
+            # 'ssh-authkeys-split',
+
+            # selective read control hack
+            # 'partial-copy',
+
+            # manage local, gitolite-controlled, copies of read-only upstream repos
+            # 'upstream',
+
+            # updates 'description' file instead of 'gitweb.description' config item
+            # 'cgit',
+
+            # allow repo-specific hooks to be added
+            # 'repo-specific-hooks',
+
+        # performance, logging, monitoring...
+
+            # be nice
+            # 'renice 10',
+
+            # log CPU times (user, system, cumulative user, cumulative system)
+            # 'CpuTime',
+
+        # syntactic_sugar for gitolite.conf and included files
+
+            # allow backslash-escaped continuation lines in gitolite.conf
+            # 'continuation-lines',
+
+            # create implicit user groups from directory names in keydir/
+            # 'keysubdirs-as-groups',
+
+            # allow simple line-oriented macros
+            # 'macros',
+
+    ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:

roles/git/tasks/cgit.yml

@@ -0,0 +1,47 @@
+
+- name: Install cgit dependencies
+  apt: pkg={{ item }} state=installed
+  with_items:
+    - groff
+    - python-pip
+
+- name: Install cgit pip dependencies
+  pip: name={{ item }}
+  with_items:
+    - pygments
+    - docutils
+
+- name: Download cgit release
+  get_url: url=http://git.zx2c4.com/cgit/snapshot/cgit-{{ cgit_version }}.tar.xz
+           dest=/root/cgit-{{ cgit_version }}.tar.xz
+
+- name: Decompress cgit source
+  command: tar xvfJ /root/cgit-{{ cgit_version }}.tar.xz
+           chdir=/root
+           creates=/root/cgit-{{ cgit_version }}/configure
+
+- name: Build and install cgit
+  shell: make get-git ; make ; make install
+         executable=/bin/bash
+         chdir=/root/cgit-{{ cgit_version }}
+         creates=/var/www/htdocs/cgit/cgit.cgi
+
+- name: Copy cgitrc
+  template: src=etc_cgitrc.j2 dest=/etc/cgitrc
+            group=www-data
+            owner=www-data
+
+- name: Configure the Apache HTTP server for cgit
+  template: src=etc_apache2_sites-available_cgit.j2
+            dest=/etc/apache2/sites-available/cgit
+            group=www-data
+            owner=www-data
+  notify: restart apache
+
+- name: Enable Apache rewrite module
+  command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
+  notify: restart apache
+
+- name:  Enable cgit site
+  command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
+  notify: restart apache

roles/git/tasks/gitolite.yml

@@ -0,0 +1,43 @@
+- name: Create gitolite group
+  group: name=git state=present
+
+- name: Create gitolite user
+  user: name=git state=present home=/home/git system=yes group=git
+
+- name: Add www-data to the git group
+  user: name=www-data groups=git append=yes
+
+- name: Download gitolite release
+  git: repo=git://github.com/sitaramc/gitolite
+       dest=/home/git/gitolite
+       version=v{{ gitolite_version }}
+
+- name: Give git user file permissions
+  file: path=/home/git/gitolite
+        state=directory
+        recurse=yes
+        owner=git
+        group=git
+
+- name: Install gitolite
+  command: ./gitolite/install -ln /usr/local/bin
+           chdir=/home/git
+           creates=/usr/local/bin/gitolite
+
+- name: Copy .gitolite.rc file
+  copy: src=home_git_.gitolite.rc
+        dest=/home/git/.gitolite.rc
+        group=git
+        owner=git
+        mode=0644
+
+- name: Copy SSH public key to server
+  copy: src=gitolite.pub
+        dest=/home/git/{{ main_user_name }}.pub
+        group=git
+        owner=git
+        mode=0644
+
+- name: Setup gitolite
+  command: su - git -c 'gitolite setup -pk {{ main_user_name }}.pub'
+           chdir=/home/git

roles/git/tasks/main.yml

@@ -0,0 +1,2 @@
+- include: gitolite.yml tags=gitolite
+- include: cgit.yml tags=cgit

roles/git/templates/etc_apache2_sites-available_cgit.j2

@@ -0,0 +1,36 @@
+<VirtualHost *:80>
+    ServerName {{ cgit_domain }}
+
+    Redirect permanent / https://{{ cgit_domain }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ cgit_domain }}
+
+    SSLEngine on
+    SSLProtocol ALL -SSLv2
+    SSLHonorCipherOrder On
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    DocumentRoot /var/www/htdocs/cgit/
+
+    <Directory "/var/www/htdocs/cgit/">
+        AllowOverride None
+        Options +ExecCGI
+        Order allow,deny
+        Allow from all
+    </Directory>
+
+    Alias /cgit.png         /var/www/htdocs/cgit/cgit.png
+    Alias /cgit.css         /var/www/htdocs/cgit/cgit.css
+    Alias /favicon.ico      /var/www/htdocs/cgit/favicon.ico
+    Alias /robots.txt       /var/www/htdocs/cgit/robots.txt
+    ScriptAlias /           /var/www/htdocs/cgit/cgit.cgi/
+
+    CustomLog /var/log/apache2/cgit_access.log combined
+    ErrorLog /var/log/apache2/cgit_error.log
+</VirtualHost>