From 158503b6cae8510ea735d1c06770187626a36265 Mon Sep 17 00:00:00 2001
From: Larry Fox
Date: Fri, 21 Mar 2014 16:29:57 -0400
Subject: [PATCH 1/4] add cgit
---
 roles/git/tasks/cgit.yml | 26 ++++++++++++++
 roles/git/tasks/main.yml | 1 +
 .../etc_apache2_sites-available_cgit.j2 | 36 +++++++++++++++++++
 site.yml | 1 +
 vars/defaults.yml | 4 +++
 5 files changed, 68 insertions(+)
 create mode 100644 roles/git/tasks/cgit.yml
 create mode 100644 roles/git/tasks/main.yml
 create mode 100644 roles/git/templates/etc_apache2_sites-available_cgit.j2
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
new file mode 100644
index 00000000..0a6dcef8
--- /dev/null
+++ b/roles/git/tasks/cgit.yml
@@ -0,0 +1,26 @@
+
+- name: Download cgit release
+ get_url: url=http://git.zx2c4.com/cgit/snapshot/cgit-{{ cgit_version }}.tar.xz
+ dest=/root/cgit-{{ cgit_version }}.tar.xz
+
+- name: Decompress cgit source
+ command: tar xvfJ /root/cgit-{{ cgit_version }}.tar.xz
+ chdir=/root
+ creates=/root/cgit-{{ cgit_version }}/configure
+
+- name: Build and install cgit
+ shell: make get-git ; make ; make install
+ executable=/bin/bash
+ chdir=/root/cgit-{{ cgit_version }}
+ creates=/var/www/htdocs/cgit/cgit.cgi
+
+- name: Copy cgit apache config
+ template: src=etc_apache2_sites-available_cgit.j2
+ dest=/etc/apache2/sites-available/cgit
+ group=www-data
+ owner=www-data
+ notify: restart apache
+
+- name: Enable the cgit server
+ command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
+ notify: restart apache
\ No newline at end of file
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
new file mode 100644
index 00000000..f396e7d9
--- /dev/null
+++ b/roles/git/tasks/main.yml
@@ -0,0 +1 @@
+- include: cgit.yml tags=cgit
\ No newline at end of file
diff --git a/roles/git/templates/etc_apache2_sites-available_cgit.j2 b/roles/git/templates/etc_apache2_sites-available_cgit.j2
new file mode 100644
index 00000000..75099d26
--- /dev/null
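Review bot: The `Download cgit release` task fetches the tarball over plain http with no integrity check, and `Build and install cgit` then runs `make get-git ; make ; make install` as root on whatever arrived, so a substituted or tampered download becomes root-installed code (cgit's `make get-git` target also fetches git sources during the build, which the `creates=` guard cannot vouch for). Pin the artifact: `get_url: url=https://git.zx2c4.com/cgit/snapshot/cgit-{{ cgit_version }}.tar.xz` (if the host serves https) together with `sha256sum=<sha256 of the pinned release tarball>`, so that a changed tarball fails the play instead of being built. Separately, `Copy cgit apache config` installs /etc/apache2/sites-available/cgit with `owner=www-data group=www-data`; the web server's own unprivileged user should not be able to rewrite the vhost definition, and `owner=root group=root mode=0644` is enough since Apache reads its configuration as root — the `Copy cgitrc` task added in PATCH 2/4 has the same pattern for /etc/cgitrc.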
+++ b/roles/git/templates/etc_apache2_sites-available_cgit.j2
@@ -0,0 +1,36 @@
+
+ ServerName {{ cgit_domain }}
+
+ Redirect permanent / https://{{ cgit_domain }}/
+
+
+
+ ServerName {{ cgit_domain }}
+
+ SSLEngine on
+ SSLProtocol ALL -SSLv2
+ SSLHonorCipherOrder On
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+ SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
+ SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
+ SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
+ Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+ DocumentRoot /var/www/htdocs/cgit/
+
+
+ AllowOverride None
+ Options +ExecCGI
+ Order allow,deny
+ Allow from all
+
+
+ Alias /cgit.png /var/www/htdocs/cgit/cgit.png
+ Alias /cgit.css /var/www/htdocs/cgit/cgit.css
+ ScriptAlias / /var/www/htdocs/cgit/cgit.cgi/
+ RewriteRule ^$ / [R]
+ RewriteRule ^/(.*)$ /cgit.cgi/$1 [PT]
+
+ CustomLog /var/log/apache2/cgit_access.log combined
+ ErrorLog /var/log/apache2/cgit_error.log
+
diff --git a/site.yml b/site.yml
index 61d479c1..b79a617f 100644
--- a/site.yml
+++ b/site.yml
@@ -21,3 +21,4 @@
 - vpn
 - tarsnap
 - news
+ - git
diff --git a/vars/defaults.yml b/vars/defaults.yml
index b3c71ab7..7b6bb821 100644
--- a/vars/defaults.yml
+++ b/vars/defaults.yml
@@ -97,3 +97,7 @@ selfoss_domain: "news.{{ domain }}"
 selfoss_db_username: selfoss
 # selfoss_db_password: (required)
 selfoss_db_database: selfoss
+
+# git
+cgit_version: 0.10.1
+cgit_domain: "git.{{ domain }}"
\ No newline at end of file
From 092cb287e09a717e7efaf28e7468d0420c60d008 Mon Sep 17 00:00:00 2001
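Review bot: `SSLProtocol ALL -SSLv2` still leaves SSLv3 negotiable, and `SSLCACertificateFile` names the CA used to verify client certificates rather than the chain sent to browsers — if wildcard_ca.pem is the issuing intermediate it belongs in `SSLCertificateChainFile` (Apache 2.2), otherwise clients that do not already hold that intermediate fail verification. Suggested lines: `SSLProtocol all -SSLv2 -SSLv3` and `SSLCertificateChainFile /etc/ssl/certs/wildcard_ca.pem`. Note also that `Header add ...` needs mod_headers and the two `RewriteRule`s need mod_rewrite; neither module is enabled by this patch's tasks, so unless another role enables them Apache rejects the vhost at reload (PATCH 2/4 later adds `a2enmod rewrite` but nothing for headers). The `<VirtualHost>`/`<Directory>` container lines appear to have been stripped from this rendering, so the hunk as shown is not the complete file.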
From: Larry Fox
Date: Sun, 23 Mar 2014 00:50:05 -0400
Subject: [PATCH 2/4] add gitolite and some cgit settings
---
 roles/git/files/home_git_.gitolite.rc | 176 ++++++++++++++++++
 roles/git/tasks/cgit.yml | 25 ++-
 roles/git/tasks/gitolite.yml | 43 +++++
 roles/git/tasks/main.yml | 1 +
 .../etc_apache2_sites-available_cgit.j2 | 8 +-
 roles/git/templates/etc_cgitrc.j2 | 137 ++++++++++++++
 vars/defaults.yml | 3 +-
 7 files changed, 386 insertions(+), 7 deletions(-)
 create mode 100644 roles/git/files/home_git_.gitolite.rc
 create mode 100644 roles/git/tasks/gitolite.yml
 create mode 100644 roles/git/templates/etc_cgitrc.j2
diff --git a/roles/git/files/home_git_.gitolite.rc b/roles/git/files/home_git_.gitolite.rc
new file mode 100644
index 00000000..07bab4fb
--- /dev/null
+++ b/roles/git/files/home_git_.gitolite.rc
@@ -0,0 +1,176 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0027,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => 'gitweb\.(owner|description|category)',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the 'desc' command uses this
+ # WRITER_CAN_UPDATE_DESC => 1,
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # if you enabled 'Shell', you need this
+ # SHELL_USERS_LIST => "$ENV{HOME}/.gitolite.shell-users",
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/cust.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access
+ # 'Shell',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 0a6dcef8..600cecd7 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -1,4 +1,16 @@
+- name: Install cgit dependencies
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - groff
+ - python-pip
+
+- name: Install cgit pip dependencies
+ pip: name={{ item }}
+ with_items:
+ - pygments
+ - docutils
+
 - name: Download cgit release
 get_url: url=http://git.zx2c4.com/cgit/snapshot/cgit-{{ cgit_version }}.tar.xz
 dest=/root/cgit-{{ cgit_version }}.tar.xz
@@ -14,13 +26,22 @@
 chdir=/root/cgit-{{ cgit_version }}
 creates=/var/www/htdocs/cgit/cgit.cgi
-- name: Copy cgit apache config
+- name: Copy cgitrc
+ template: src=etc_cgitrc.j2 dest=/etc/cgitrc
+ group=www-data
+ owner=www-data
+
+- name: Configure the Apache HTTP server for cgit
 template: src=etc_apache2_sites-available_cgit.j2
 dest=/etc/apache2/sites-available/cgit
 group=www-data
 owner=www-data
 notify: restart apache
-- name: Enable the cgit server
+- name: Enable Apache rewrite module
+ command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
+ notify: restart apache
+
+- name: Enable cgit site
 command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
 notify: restart apache
\ No newline at end of file
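Review bot: `Install cgit pip dependencies` pulls `pygments` and `docutils` from PyPI as root with no `version=` pin, so each run of the play installs whatever the index currently serves into the system Python that the cgit filter scripts later execute as www-data; pin them (e.g. `pip: name={{ item.name }} version={{ item.version }}` with the versions kept in vars/defaults.yml next to cgit_version) or install Debian's `python-pygments` and `python-docutils` through the existing `apt` task so updates arrive via the distro's signed repository. The `Install cgit dependencies` task already has the `apt` loop the packages could join. Whether the filters referenced from /etc/cgitrc need anything beyond these two modules cannot be confirmed from this hunk.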
diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml
new file mode 100644
index 00000000..78323ed0
--- /dev/null
+++ b/roles/git/tasks/gitolite.yml
@@ -0,0 +1,43 @@
+- name: Create gitolite group
+ group: name=git state=present
+
+- name: Create gitolite user
+ user: name=git state=present home=/home/git system=yes group=git
+
+- name: Add www-data to the git group
+ user: name=www-data groups=git append=yes
+
+- name: Download gitolite release
+ git: repo=git://github.com/sitaramc/gitolite
+ dest=/home/git/gitolite
+ version=v{{ gitolite_version }}
+
+- name: Give git user file permissions
+ file: path=/home/git/gitolite
+ state=directory
+ recurse=yes
+ owner=git
+ group=git
+
+- name: Install gitolite
+ command: ./gitolite/install -ln /usr/local/bin
+ chdir=/home/git
+ creates=/usr/local/bin/gitolite
+
+- name: Copy .gitolite.rc file
+ copy: src=home_git_.gitolite.rc
+ dest=/home/git/.gitolite.rc
+ group=git
+ owner=git
+ mode=0644
+
+- name: Copy SSH public key to server
+ copy: src=gitolite.pub
+ dest=/home/git/{{ main_user_name }}.pub
+ group=git
+ owner=git
+ mode=0644
+
+- name: Setup gitolite
+ command: su - git -c 'gitolite setup -pk {{ main_user_name }}.pub'
+ chdir=/home/git
\ No newline at end of file
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index f396e7d9..5269416a 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -1 +1,2 @@
+- include: gitolite.yml tags=gitolite
 - include: cgit.yml tags=cgit
\ No newline at end of file
diff --git a/roles/git/templates/etc_apache2_sites-available_cgit.j2 b/roles/git/templates/etc_apache2_sites-available_cgit.j2
index 75099d26..45817f1d 100644
--- a/roles/git/templates/etc_apache2_sites-available_cgit.j2
+++ b/roles/git/templates/etc_apache2_sites-available_cgit.j2
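Review bot: `Download gitolite release` clones over `git://`, a transport with no server authentication or integrity protection, and `Install gitolite` then links what arrived into /usr/local/bin where it runs as the git user and, via `Setup gitolite`, takes over that account's SSH access control; use `repo=https://github.com/sitaramc/gitolite`, and since a tag such as `v{{ gitolite_version }}` can be moved, consider pinning `version=` to the commit id of the release you reviewed. `Setup gitolite` also has no `creates=` guard, so `gitolite setup -pk` re-runs on every play; `creates=/home/git/repositories/gitolite-admin.git` (the admin repository that setup creates — confirm the path for this gitolite version) makes it idempotent, and `sudo: yes` with `sudo_user: git` would replace the `su - git -c` shell wrapper. Worth a comment on `Add www-data to the git group` that this, together with `UMASK => 0027` in the shipped .gitolite.rc, is what gives cgit read access to the repositories, so nobody tightens the umask later without noticing.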
@@ -25,11 +25,11 @@
 Allow from all
- Alias /cgit.png /var/www/htdocs/cgit/cgit.png
- Alias /cgit.css /var/www/htdocs/cgit/cgit.css
+ Alias /cgit.png /var/www/htdocs/cgit/cgit.png
+ Alias /cgit.css /var/www/htdocs/cgit/cgit.css
+ Alias /favicon.ico /var/www/htdocs/cgit/favicon.ico
+ Alias /robots.txt /var/www/htdocs/cgit/robots.txt
 ScriptAlias / /var/www/htdocs/cgit/cgit.cgi/
- RewriteRule ^$ / [R]
- RewriteRule ^/(.*)$ /cgit.cgi/$1 [PT]
 CustomLog /var/log/apache2/cgit_access.log combined
 ErrorLog /var/log/apache2/cgit_error.log
diff --git a/roles/git/templates/etc_cgitrc.j2 b/roles/git/templates/etc_cgitrc.j2
new file mode 100644
index 00000000..abba9719
--- /dev/null
+++ b/roles/git/templates/etc_cgitrc.j2
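Review bot: This hunk deletes both `RewriteRule` lines, yet the same patch adds an `Enable Apache rewrite module` task (`a2enmod rewrite`) to roles/git/tasks/cgit.yml; with the rules gone nothing in this vhost uses mod_rewrite, so either that task is dead weight or the rewrite it was meant to serve was lost — drop the task or restore the rule, but not both halves of the contradiction. The removed `- Alias`/added `+ Alias` pairs for cgit.png and cgit.css look like whitespace-only re-indentation, which is fine, but a one-line commit note saying so would save the next reader a comparison. The vhost's `<Directory>` and `<VirtualHost>` closing lines lie outside this hunk.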
@@ -0,0 +1,137 @@
+# Enable caching of up to 1000 output entries
+cache-size=1000
+
+
+# Specify some default clone urls using macro expansion
+clone-url=git@{{ domain }}:$CGIT_REPO_URL
+
+
+# Specify the css url
+# css=/css/cgit.css
+
+
+# Show owner on index page
+enable-index-owner=1
+
+
+# Allow http transport git clone
+enable-http-clone=0
+
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+
+# Enable ASCII art commit history graph on the log pages
+enable-commit-graph=1
+
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+
+# Sort branches by date
+branch-sort=age
+
+
+# Add a cgit favicon
+# favicon=/favicon.ico
+
+
+# Use a custom logo
+# logo=/img/mylogo.png
+
+
+# Enable statistics per week, month and quarter
+max-stats=quarter
+
+
+# Set the title and heading of the repository index page
+root-title={{ domain }} git repository
+
+
+# Set a subheading for the repository index page
+# root-desc=tracking the foobar development
+
+
+# Include some more info about example.com on the index page
+# root-readme=/var/www/htdocs/about.html
+
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+
+##
+## List of common mimetypes
+##
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+
+# Highlight source code with python pygments-based highlighter
+source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py
+
+# Format markdown, restructuredtext, manpages, text files, and html files
+# through the right converters
+about-filter=/usr/local/lib/cgit/filters/about-formatting.sh
+
+##
+## Search for these files in the root of the default branch of repositories
+## for coming up with the about page:
+##
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.rst
+readme=:readme.rst
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+readme=:INSTALL.md
+readme=:install.md
+readme=:INSTALL.mkd
+readme=:install.mkd
+readme=:INSTALL.rst
+readme=:install.rst
+readme=:INSTALL.html
+readme=:install.html
+readme=:INSTALL.htm
+readme=:install.htm
+readme=:INSTALL.txt
+readme=:install.txt
+readme=:INSTALL
+readme=:install
+
+
+# Allow cgit to use git config to set any repo specific settings
+enable-git-config=1
+
+
+# Removes .git suffix for the url and name
+remove-suffix=1
+
+
+# A list of subdirectories inside of scan-path
+# that should loaded as git repositories
+project-list=/home/git/projects.list
+
+
+# A path which will be scanned for repositories
+scan-path=/home/git/repositories
\ No newline at end of file
diff --git a/vars/defaults.yml b/vars/defaults.yml
index 7b6bb821..09eb060f 100644
--- a/vars/defaults.yml
+++ b/vars/defaults.yml
@@ -100,4 +100,5 @@ selfoss_db_database: selfoss
 # git
 cgit_version: 0.10.1
-cgit_domain: "git.{{ domain }}"
\ No newline at end of file
+cgit_domain: "git.{{ domain }}"
+gitolite_version: 3.5.3.1
\ No newline at end of file
From e67ef75d635f2f0db0104d70ce8eb6f4fbea7c74 Mon Sep 17 00:00:00 2001
From: Larry Fox
Date: Sun, 23 Mar 2014 01:41:20 -0400
Subject: [PATCH 3/4] add cgit test
---
 tests.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests.py b/tests.py
index 3155ba03..d045e106 100644
--- a/tests.py
+++ b/tests.py
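Review bot: `enable-git-config=1` lets cgit take repository-specific settings from each repository's own git config, so whoever can write a repo's `.git/config` influences how cgit presents it; in this deployment that is bounded by the shipped .gitolite.rc, whose `GIT_CONFIG_KEYS => 'gitweb\.(owner|description|category)'` keeps gitolite.conf from setting any other key, but that coupling is invisible from this file — add `# Repo-level overrides come from .git/config; which keys admins may set is limited by GIT_CONFIG_KEYS in /home/git/.gitolite.rc` above the line. `cache-size=1000` turns on cgit's on-disk cache, and nothing in this series creates a cache directory or makes it writable by www-data, so either set `cache-root=` to a directory the role creates with the right owner or confirm cgit's compiled-in default exists (check cgitrc(5) for the version installed). The readme list starts with README.md, but the role only installs groff, pygments and docutils; if cgit 0.10.1's `about-formatting.sh` hands Markdown to a Python markdown module (worth checking in the extracted source), .md READMEs will not render until that package joins the pip task.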
@@ -122,6 +122,20 @@ def test_znc_http(self): r.content ) + def test_cgit_http(self): + """CGit web interface is displaying home page""" + r = requests.get('http://git.' + TEST_SERVER, verify=False) + + # We should be redirected to https + self.assertEquals(r.history[0].status_code, 301) + self.assertEquals(r.url, 'https://git.' + TEST_SERVER + '/') + + # 200 - We should be at the repository page + self.assertEquals(r.status_code, 200) + self.assertIn( + 'git repository', + r.content + ) class IRCTests(unittest.TestCase): def test_irc_auth(self): From 22a71efc24f211a51bef01aa12aa59df64db67c5 Mon Sep 17 00:00:00 2001 From: Larry Fox Date: Mon, 31 Mar 2014 21:35:44 -0400 Subject: [PATCH 4/4] add short blurb about git hosting --- README.textile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.textile b/README.textile index 5fc6b52d..09eacd0a 100644 --- a/README.textile +++ b/README.textile @@ -48,6 +48,7 @@ What do you get if you point this thing at a VPS? All kinds of good stuff! * Intrusion prevention via "fail2ban":http://www.fail2ban.org/ and rootkit detection via "rkhunter":http://rkhunter.sourceforge.net. * SSH configuration preventing root login and insecure password authentication * Nightly backups to "Tarsnap":https://www.tarsnap.com/. +* Git hosting via "cgit":http://git.zx2c4.com/cgit/about/ and "gitolite":https://github.com/sitaramc/gitolite. * A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier. No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it. 
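Review bot: `verify=False` disables TLS certificate validation for the request that this test then follows through a 301 to https, so a server presenting a wrong or self-signed certificate still passes the very check that is supposed to prove the https redirect works; if the test environment has a CA for TEST_SERVER, pass it with `verify='<path to the test CA bundle>'` instead of switching validation off, and if the environment deliberately uses an untrusted certificate say so in a comment. `r.history[0]` raises IndexError rather than producing a test failure when no redirect happens; guard it with `self.assertTrue(r.history, 'expected an http->https redirect')` before indexing. `assertEquals` is the deprecated alias of `assertEqual`; keeping it matches the neighbouring tests, but new code could use the current name. The enclosing test class starts outside this hunk.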
@@ -145,6 +146,8 @@ bc. # znc --makepass Take the string beginning with @sha256#@ and insert it as the value for @irc_password_hash@. +For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub@ or similar. + h3. 5. Run the Ansible Playbooks First, make sure you've "got Ansible installed":http://ansibleworks.com/docs/gettingstarted.html#getting-ansible.