authorAndy Doan <andy.doan@linaro.org>2016-11-14 15:41:08 -0600
committerAndy Doan <andy.doan@linaro.org>2016-12-16 15:26:06 +0000
commit4898220b6d3855982169293b9df10f8e1ffdf5ff (patch)
tree115a0c3d32c254bbe2800e751187e38747c79137 /per-service
parent4e363ab129babb493c53fcb9ce79d376a8335b3e (diff)
downloadansible-playbooks-4898220b6d3855982169293b9df10f8e1ffdf5ff.tar.gz
cgit: convert dev-private-git
This converts dev-private-git over to cgit. It requires a new option we've patched into our version of cgit: https://git.linaro.org/infrastructure/cgit.git/commit/?h=linaro-patches&id=f85c40c4ed1c8bfca09acd1fccaf9bb77baa0c0f As the "allowed-repos.sh" script and sudo entry are harmless for a non-private server, I just install them always to keep our playbook logic simple. Change-Id: I7e11f5bdc4c4be12341cc5f62d2d71c4ae655055 Reviewed-on: https://review.linaro.org/15530 Reviewed-by: Ben Copeland <ben.copeland@linaro.org>
Diffstat (limited to 'per-service')
-rw-r--r--per-service/git-servers/files/dev-private-git.linaro.org.conf33
-rw-r--r--per-service/git-servers/gitolite.yml2
-rw-r--r--per-service/git-servers/group_vars/dev-private9
-rw-r--r--per-service/git-servers/roles/cgit/tasks/main.yml12
-rw-r--r--per-service/git-servers/roles/cgit/templates/allowed-repo.sh17
-rw-r--r--per-service/git-servers/roles/cgit/templates/allowed-repos.sh4
-rw-r--r--per-service/git-servers/roles/cgit/templates/cgitrc4
-rw-r--r--per-service/git-servers/roles/cgit/templates/sudoers3
8 files changed, 58 insertions, 26 deletions
diff --git a/per-service/git-servers/files/dev-private-git.linaro.org.conf b/per-service/git-servers/files/dev-private-git.linaro.org.conf
index 730eae5..3d48c96 100644
--- a/per-service/git-servers/files/dev-private-git.linaro.org.conf
+++ b/per-service/git-servers/files/dev-private-git.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
@@ -108,33 +105,11 @@ LDAPOpCacheTTL 36000
MaxKeepAliveRequests 150
AllowEncodedSlashes On
-
- SetEnv GIT_PROJECT_ROOT {{ repo_root }}
- SetEnv GITWEB_CONFIG /etc/gitweb.{{ git_host }}.conf
-
EnableSendfile On
AcceptPathInfo On
- <Directory "{{ apache_root }}/{{ git_host }}/">
- Options +ExecCGI +FollowSymLinks
- Require all granted
- AddHandler cgi-script cgi
- DirectoryIndex gitweb.cgi
-
- RewriteEngine On
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteRule ^.* /gitweb.cgi/$0 [L,PT,B]
- </Directory>
-
DefineExternalGroup linaro-groups pipe /usr/local/bin/grpcheck.cgi
- # In case of error, we show a custom page and we need to be able to access
- # the resources.
- <FilesMatch "\.(jpeg|css|html|htm|png|js)$">
- Satisfy any
- </FilesMatch>
-
<Files "robots.txt">
Satisfy any
</Files>
@@ -156,4 +131,12 @@ LDAPOpCacheTTL 36000
Require external-group {{ security_groups }}
</RequireAll>
</Location>
+
+ Alias /cgit-css "{{ apache_root}}/cgit/cgit-css/"
+ ScriptAlias / "{{ apache_root}}/cgit/cgit/"
+ <Directory "{{ apache_root }}/cgit/">
+ AllowOverride None
+ Options ExecCGI FollowSymlinks
+ Require all granted
+ </Directory>
</VirtualHost>
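Review bot: The new `<Directory "{{ apache_root }}/cgit/">` block combines `Options ExecCGI FollowSymlinks` with `Require all granted`, so on this private host the access control for the whole CGI tree now rests on the `<Location>` sections earlier in the file (only the tail of one, `Require external-group {{ security_groups }}`, is inside the hunk) being merged after the Directory section, which is how Apache 2.4 orders them but is no longer stated anywhere. A one-line comment above the block, `# Access is enforced by the <Location> sections above; this only enables CGI execution`, would make that dependency explicit for the next edit. The `{{ apache_root}}` on the Alias and ScriptAlias lines also drops the space the rest of the file uses inside the braces; it renders the same but is inconsistent with the Directory line two lines below.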
diff --git a/per-service/git-servers/gitolite.yml b/per-service/git-servers/gitolite.yml
index fd6c5a4..433b29d 100644
--- a/per-service/git-servers/gitolite.yml
+++ b/per-service/git-servers/gitolite.yml
@@ -18,7 +18,7 @@
- {role: apache-website, tags: [website-conf]}
- {role: apache-site, src: "{{git_host}}.conf", config: "{{git_host}}", tags: [apache, website-conf] }
- {role: cronjobs}
- - {role: cgit, when: server_access == "public", tags: [cgit]}
+ - {role: cgit, tags: [cgit]}
- {role: gitweb, tags: [gitweb]}
- {role: upstart-git-daemon, when: server_access == "public", tags: [upstart]}
- {role: grokmirror, when: grokmirror_slave or grokmirror_master, tags: [grokmirror]}
diff --git a/per-service/git-servers/group_vars/dev-private b/per-service/git-servers/group_vars/dev-private
index 90cbedd..a1ffbe1 100644
--- a/per-service/git-servers/group_vars/dev-private
+++ b/per-service/git-servers/group_vars/dev-private
@@ -8,3 +8,12 @@ gitolite_help_url: https://wiki.linaro.org/Internal/Platform/Systems/GitPrivate
mirror_fetch_cronspec: "0 0,6,12,18 * * *"
mirror_push_cronspec: "0 2,8,14,20 * * *"
+
+clone_urls:
+ - ssh://git@{{git_host}}
+
+cgit_strict_export: false
+collapsible_sections:
+ - android
+ - android-internal
+ - android-pdk
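Review bot: `cgit_strict_export: false` on the dev-private group means cgit stops requiring a `git-daemon-export-ok` marker, so repository visibility on this host depends entirely on the auth-filter that the cgitrc template enables for `server_role == "git-private"`, and nothing in this file records that dependency. A comment above the line, `# no export marker: per-repo visibility is enforced by the cgit auth-filter`, would keep a later change from relaxing one half without the other. Whether this group actually sets `server_role` to `git-private` is not visible in the diff and is worth confirming.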
diff --git a/per-service/git-servers/roles/cgit/tasks/main.yml b/per-service/git-servers/roles/cgit/tasks/main.yml
index c645b27..0e44ff8 100644
--- a/per-service/git-servers/roles/cgit/tasks/main.yml
+++ b/per-service/git-servers/roles/cgit/tasks/main.yml
@@ -51,3 +51,15 @@
- name: Create a symlink for rst2html.py
file: src=/usr/bin/rst2html dest=/usr/bin/rst2html.py state=link
+
+- name: Install authentication commands command (only used by private servers)
+ template: src={{ item }} dest={{ apache_root }}/cgit/
+ owner=root group=root mode=0755
+ with_items:
+ - allowed-repo.sh
+ - allowed-repos.sh
+
+- name: Install sudoers rule for private server
+ template: src=sudoers dest=/etc/sudoers.d/cgit
+ owner=root group=root mode=0755
+ validate='visudo -cf %s'
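Review bot: The sudoers fragment is installed with `mode=0755`, but sudo expects files under `/etc/sudoers.d` to be mode 0440 and, depending on the version, warns about or refuses to load a fragment with extra mode bits; `validate='visudo -cf %s'` only checks syntax and will not catch this. Change the line to `owner=root group=root mode=0440`. The 0755 on the two scripts in the preceding task is correct, since cgit executes them. The task name `Install authentication commands command` also reads doubled; `Install cgit authentication commands (only used by private servers)` says the same thing.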
diff --git a/per-service/git-servers/roles/cgit/templates/allowed-repo.sh b/per-service/git-servers/roles/cgit/templates/allowed-repo.sh
new file mode 100644
index 0000000..57c373e
--- /dev/null
+++ b/per-service/git-servers/roles/cgit/templates/allowed-repo.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# {{ MANAGED_HEADER }}
+
+if [ "$1" = "authenticate-cookie" ] ; then
+ if [ -n "$9" ] ; then
+ repo=$(echo $9 | sed -e 's/\.git$//')
+ sudo -u git {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/gitolite-can-read $AUTHENTICATE_UID $repo && exit 1
+ exit 0
+ else
+ # user is viewing front-page, allow
+ exit 1
+ fi
+fi
+
+if [ "$1" = "body" ] ; then
+ echo '<div class="error">No repositories found</div>'
+fi
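Review bot: `$9` and `$repo` are expanded unquoted in `repo=$(echo $9 | sed -e 's/\.git$//')` and in the `gitolite-can-read` call, so a repository name containing whitespace or glob characters is split or expanded before it reaches the checker, and if `AUTHENTICATE_UID` is unset the repo name silently becomes the first argument; allowed-repos.sh in this commit passes `$AUTHENTICATE_UID` unquoted in the same way. Quote the expansions, `repo=$(printf '%s' "$9" | sed -e 's/\.git$//')` and `... gitolite-can-read "$AUTHENTICATE_UID" "$repo" && exit 1`, and add a guard such as `[ -n "$AUTHENTICATE_UID" ] || exit 0` before the call so a request that reached the filter without an authenticated user is denied rather than passed through. The exit codes are also inverted from the usual shell sense (the front-page branch implies 1 means "allow"), which deserves a header comment describing what cgit does with each status for `authenticate-cookie`, checked against the patched cgit the commit message links to.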
diff --git a/per-service/git-servers/roles/cgit/templates/allowed-repos.sh b/per-service/git-servers/roles/cgit/templates/allowed-repos.sh
new file mode 100644
index 0000000..081df0f
--- /dev/null
+++ b/per-service/git-servers/roles/cgit/templates/allowed-repos.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+# {{ MANAGED_HEADER }}
+
+sudo -u git {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/user_repos.pl $AUTHENTICATE_UID
diff --git a/per-service/git-servers/roles/cgit/templates/cgitrc b/per-service/git-servers/roles/cgit/templates/cgitrc
index 9de0147..4fa1f46 100644
--- a/per-service/git-servers/roles/cgit/templates/cgitrc
+++ b/per-service/git-servers/roles/cgit/templates/cgitrc
@@ -10,6 +10,10 @@ virtual-root=/
{% if cgit_strict_export %}
strict-export=git-daemon-export-ok
{% endif %}
+{% if server_role == "git-private" %}
+auth-filter={{apache_root}}/cgit/allowed-repo.sh
+allowed-repos-cmd={{apache_root}}/cgit/allowed-repos.sh
+{% endif %}
enable-git-config=1
enable-index-owner=0
clone-prefix={%for x in clone_urls%}{{x}} {%endfor%}
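Review bot: The auth-filter block is gated on `server_role == "git-private"`, while gitolite.yml in the same commit gates private-only behaviour on `server_access == "public"` and the cgit role itself is now applied unconditionally, so two different variables decide whether a host is treated as private; a host that sets one but not the other could get cgit with no auth-filter while `cgit_strict_export: false` exports every repository. Worth confirming both variables are defined consistently in the group vars (not visible here) or gating on the variable the rest of the playbook uses, e.g. `{% if server_access != "public" %}`. A short comment above the block naming where the `AUTHENTICATE_UID` value the filter scripts rely on comes from (presumably the Apache LDAP authentication in the vhost) would also help the next reader.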
diff --git a/per-service/git-servers/roles/cgit/templates/sudoers b/per-service/git-servers/roles/cgit/templates/sudoers
new file mode 100644
index 0000000..85e32d9
--- /dev/null
+++ b/per-service/git-servers/roles/cgit/templates/sudoers
@@ -0,0 +1,3 @@
+# {{ MANAGED_HEADER }}
+www-data ALL=(git) NOPASSWD: {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/user_repos.pl
+www-data ALL=(git) NOPASSWD: {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/gitolite-can-read
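Review bot: Both rules let www-data run the two gitolite-tools scripts as git with any arguments and no password, so the repository boundary now depends on `{{tools_checkout_dir}}` and the two script paths not being writable by www-data, and nothing in this commit shows who owns that checkout. A comment in the template, `# www-data must not be able to write to tools_checkout_dir: these commands run as the repository owner`, and a task in the role asserting the two paths are root- or git-owned and not group/world writable would pin that assumption. Since the rule is now installed on public servers too (the cgit role lost its `when:` in gitolite.yml), the same ownership check applies there.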