Add gitolite/cgit git hosting

bootstrap_arch_container.yml

@@ -13,9 +13,9 @@
 
 - name: Download arch bootstrap image
   get_url:
-      url: http://mirror.rackspace.com/archlinux/iso/2019.09.01/archlinux-bootstrap-2019.09.01-x86_64.tar.gz
+      url: http://mirror.rackspace.com/archlinux/iso/2020.03.01/archlinux-bootstrap-2020.03.01-x86_64.tar.gz
       dest: /tmp/arch-bootstrap.tar.xz
-      checksum: sha256:9fc9f178db6f5c188be8884c0abf10c69418e7cd38a4389e866fac5d9961297d
+      checksum: sha256:49c7aa8718e48f5a4ec570624520fa50616ed3e044af101ec3aa16c155136f82
   when: create_container is changed
 
 - name: Create container image filesystem

cgitrc

@@ -0,0 +1,20 @@
+css=/cgit.css
+logo= /cgit.png
+
+enable-http-clone=1
+robots=noindex, nofollow
+virtual-root=/
+
+readme=:README.rst
+about-filter=/usr/libexec/cgit/filters/about-formatting.sh
+
+enable-index-links=1
+enable-commit-grpah=1
+enable-log-filecount=1
+enable-log-linecount=1
+enable-git-config=1
+
+source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
+
+project-list=/var/lib/gitolite3/projects.list
+scan-path=/var/lib/gitolite3/repositories

gitolite.rc

@@ -0,0 +1,202 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax.  But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+    # ------------------------------------------------------------------
+
+    # default umask gives you perms of '0700'; see the rc file docs for
+    # how/why you might change this
+    UMASK                           =>  0027,
+
+    # look for "git-config" in the documentation
+    GIT_CONFIG_KEYS                 =>  'core\.sharedRepository',
+
+    # comment out if you don't need all the extra detail in the logfile
+    LOG_EXTRA                       =>  1,
+    # logging options
+    # 1. leave this section as is for 'normal' gitolite logging (default)
+    # 2. uncomment this line to log ONLY to syslog:
+    # LOG_DEST                      => 'syslog',
+    # 3. uncomment this line to log to syslog and the normal gitolite log:
+    # LOG_DEST                      => 'syslog,normal',
+    # 4. prefixing "repo-log," to any of the above will **also** log just the
+    #    update records to "gl-log" in the bare repo directory:
+    # LOG_DEST                      => 'repo-log,normal',
+    # LOG_DEST                      => 'repo-log,syslog',
+    # LOG_DEST                      => 'repo-log,syslog,normal',
+    # syslog 'facility': defaults to 'local0', uncomment if needed.  For example:
+    # LOG_FACILITY                  => 'local4',
+
+    # roles.  add more roles (like MANAGER, TESTER, ...) here.
+    #   WARNING: if you make changes to this hash, you MUST run 'gitolite
+    #   compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+    ROLES => {
+        READERS                     =>  1,
+        WRITERS                     =>  1,
+    },
+
+    # enable caching (currently only Redis).  PLEASE RTFM BEFORE USING!!!
+    # CACHE                         =>  'Redis',
+
+    # ------------------------------------------------------------------
+
+    # rc variables used by various features
+
+    # the 'info' command prints this as additional info, if it is set
+        # SITE_INFO                 =>  'Please see http://blahblah/gitolite for more help',
+
+    # the CpuTime feature uses these
+        # display user, system, and elapsed times to user after each git operation
+        # DISPLAY_CPU_TIME          =>  1,
+        # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+        # CPU_TIME_WARN_LIMIT       =>  0.1,
+
+    # the Mirroring feature needs this
+        # HOSTNAME                  =>  "foo",
+
+    # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+        # CACHE_TTL                 =>  600,
+
+    # ------------------------------------------------------------------
+
+    # suggested locations for site-local gitolite code (see cust.html)
+
+        # this one is managed directly on the server
+        # LOCAL_CODE                =>  "$ENV{HOME}/local",
+
+        # or you can use this, which lets you put everything in a subdirectory
+        # called "local" in your gitolite-admin repo.  For a SECURITY WARNING
+        # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+        # LOCAL_CODE                =>  "$rc{GL_ADMIN_BASE}/local",
+
+    # ------------------------------------------------------------------
+
+    # List of commands and features to enable
+
+    ENABLE => [
+
+        # COMMANDS
+
+            # These are the commands enabled by default
+            'help',
+            'desc',
+            'info',
+            'perms',
+            'writable',
+
+            # Uncomment or add new commands here.
+            # 'create',
+            # 'fork',
+            # 'mirror',
+            # 'readme',
+            # 'sskm',
+            # 'D',
+
+        # These FEATURES are enabled by default.
+
+            # essential (unless you're using smart-http mode)
+            'ssh-authkeys',
+
+            # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+            'git-config',
+
+            # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+            'daemon',
+
+            # creates projects.list file; if you don't use gitweb, comment this out
+            'gitweb',
+
+        # These FEATURES are disabled by default; uncomment to enable.  If you
+        # need to add new ones, ask on the mailing list :-)
+
+        # user-visible behaviour
+
+            # prevent wild repos auto-create on fetch/clone
+            # 'no-create-on-read',
+            # no auto-create at all (don't forget to enable the 'create' command!)
+            # 'no-auto-create',
+
+            # access a repo by another (possibly legacy) name
+            # 'Alias',
+
+            # give some users direct shell access.  See documentation in
+            # sts.html for details on the following two choices.
+            # "Shell $ENV{HOME}/.gitolite.shell-users",
+            # 'Shell alice bob',
+
+            # set default roles from lines like 'option default.roles-1 = ...', etc.
+            # 'set-default-roles',
+
+            # show more detailed messages on deny
+            # 'expand-deny-messages',
+
+            # show a message of the day
+            # 'Motd',
+
+        # system admin stuff
+
+            # enable mirroring (don't forget to set the HOSTNAME too!)
+            # 'Mirroring',
+
+            # allow people to submit pub files with more than one key in them
+            # 'ssh-authkeys-split',
+
+            # selective read control hack
+            # 'partial-copy',
+
+            # manage local, gitolite-controlled, copies of read-only upstream repos
+            # 'upstream',
+
+            # updates 'description' file instead of 'gitweb.description' config item
+            # 'cgit',
+
+            # allow repo-specific hooks to be added
+            # 'repo-specific-hooks',
+
+        # performance, logging, monitoring...
+
+            # be nice
+            # 'renice 10',
+
+            # log CPU times (user, system, cumulative user, cumulative system)
+            # 'CpuTime',
+
+        # syntactic_sugar for gitolite.conf and included files
+
+            # allow backslash-escaped continuation lines in gitolite.conf
+            # 'continuation-lines',
+
+            # create implicit user groups from directory names in keydir/
+            # 'keysubdirs-as-groups',
+
+            # allow simple line-oriented macros
+            # 'macros',
+
+        # Kindergarten mode
+
+            # disallow various things that sensible people shouldn't be doing anyway
+            # 'Kindergarten',
+    ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:

nginx.conf

@@ -322,5 +322,53 @@ http {
             root         /usr/share/nginx/html;
         }
     }
+
+    server {
+        listen       443 ssl http2;
+        listen       [::]:443 ssl http2;
+        server_name  git.jaseg.net;
+        root         /usr/share/nginx/html;
+
+        ssl_certificate "/etc/letsencrypt/live/git.jaseg.net/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/git.jaseg.net/privkey.pem";
+        ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 67.207.67.2 67.207.67.3 valid=300s;
+        resolver_timeout 10s;
+
+        add_header Strict-Transport-Security "max-age=86400";
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location ~ ^/(cgit.css|robots.txt) {
+            root /usr/share/cgit;
+            expires 30d;
+        }
+
+        location ~ ^/(cgit.png|favicon.png) {
+            alias /var/www/git.jaseg.net/cgit.png;
+        }
+
+        location / {
+            include uwsgi_params;
+            uwsgi_modifier1 9;
+            uwsgi_pass unix:/run/uwsgi/cgit.socket;
+        }
+
+        error_page 404 /404.html;
+        location = /40x.html {
+            root /usr/share/nginx/html;
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+        }
+    }
 }
 

playbook.yml

@@ -74,3 +74,6 @@
     - name: Setup notification proxy
       include_tasks: setup_notification_proxy.yml
 
+    - name: Setup semi-public git server
+      include_tasks: setup_git.yml
+

setup_gerboweb.yml

@@ -58,7 +58,7 @@
       dest: /etc/uwsgi.d/gerboweb.ini
       owner: uwsgi-gerboweb
       group: uwsgi
-      mode: 440
+      mode: 0440
 
 - name: Copy job processor systemd service config
   template:

setup_git.yml

@@ -0,0 +1,115 @@
+- name: Install host requisites
+  dnf:
+      name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown
+      state: latest
+
+- name: Copy cgit favicon
+  copy:
+      src: cgit-logo.png
+      dest: /var/www/git.jaseg.net/cgit.png
+
+- name: Create cgit instance config dir
+  file:
+    path: /var/lib/cgit
+    state: directory
+    mode: 0755
+
+- name: Copy cgit rc
+  copy:
+      src: cgitrc
+      dest: /var/lib/cgit/cgitrc-gitolite-public
+      mode: 0644
+
+- name: Create uwsgi worker user and group
+  user:
+      name: uwsgi-cgit
+      create_home: no
+      group: uwsgi
+      password: '!'
+      shell: /sbin/nologin
+      system: yes
+
+- name: Copy uwsgi config
+  copy:
+      src: uwsgi-cgit.ini
+      dest: /etc/uwsgi.d/cgit.ini
+      owner: uwsgi-cgit
+      group: uwsgi
+      mode: 0440
+
+- name: Enable uwsgi systemd socket
+  systemd:
+      daemon-reload: yes
+      name: uwsgi-app@cgit.socket
+      enabled: yes
+
+- name: Copy gitolite admin pubkey
+  copy:
+      src: ~/.ssh/id_ed25519.gitolite.pub
+      dest: /tmp/jaseg-gitolite.pub
+      owner: gitolite3
+      group: gitolite3
+
+- name: Run gitolite initialization
+  command: gitolite setup -pk /tmp/jaseg-gitolite.pub
+  become: true
+  become_method: su
+  become_user: gitolite3
+  become_flags: '-s /bin/sh'
+  args:
+      creates: /var/lib/gitolite3/projects.list
+
+- name: Remove leftover admin pubkey
+  file:
+      state: absent
+      path: /tmp/jaseg-gitolite.pub
+
+- name: Allow uwsgi group to access gitolite repo dir
+  file:
+    path: /var/lib/gitolite3
+    state: directory
+    owner: gitolite3
+    group: uwsgi
+
+- name: Add cgit uwsgi user to gitolite group
+  user:
+      name: uwsgi-cgit
+      groups: gitolite3
+      append: yes
+
+- name: Allow cgit uwsgi user to access gitolite repos
+  file:
+      path: /var/lib/gitolite3/repositories
+      mode: 0750
+
+- name: Allow cgit uwsgi user to gitolite repo list
+  file:
+      path: /var/lib/gitolite3/projects.list
+      mode: 0640
+
+- name: Copy gitolite rc
+  copy:
+      src: gitolite.rc
+      dest: /var/lib/gitolite3/.gitolite.rc
+      owner: gitolite3
+      group: gitolite3
+      mode: 0600
+
+- name: Query system user account info
+  getent:
+      database: passwd
+      key: gitolite3
+
+- name: Create git alias user
+  user:
+      name: git
+      create_home: no
+      group: gitolite3
+      password: '!'
+      comment: Alias for gitolite3 user
+      shell: "{{ getent_passwd['gitolite3'][5] }}"
+      system: yes
+      non_unique: yes
+      home: "{{ getent_passwd['gitolite3'][4] }}"
+      uid: "{{ getent_passwd['gitolite3'][1] }}"
+

setup_webserver.yml

@@ -17,6 +17,7 @@
     group: nginx
     mode: 0550
   loop:
+      - git.jaseg.net
       - blog.jaseg.net
       - kochbuch.jaseg.net
       - tracespace.jaseg.net
@@ -49,6 +50,7 @@
   args:
       creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
   loop:
+      - git.jaseg.net
       - blog.jaseg.net
       - kochbuch.jaseg.net
       - gerbolyze.jaseg.net

uwsgi-app@.service

@@ -5,7 +5,7 @@ After=syslog.target
 [Service]
 ExecStart=/usr/sbin/uwsgi \
         --ini /etc/uwsgi.d/%i.ini \
-	--chmod-socket=660 \
+        --chmod-socket=660 \
         --socket=/run/uwsgi/%i.socket
 User=uwsgi-%i
 Group=uwsgi

uwsgi-cgit.ini

@@ -0,0 +1,8 @@
+[uwsgi]
+master = True
+plugins = cgi
+chdir = /var/lib/gitolite3
+processes = 1
+threads = 2
+cgi = /var/www/cgi-bin/cgit
+env = CGIT_CONFIG=/var/lib/cgit/cgitrc-gitolite-public