Do not export everything with git-daemon

We should export only repositories with git-daemon-export-ok file
inside.

2 files changed, 24 insertions, 1 deletions

diff --git a/roles/gitserver/files/git-daemon.service b/roles/gitserver/files/git-daemon.service
new file mode 100644
index 0000000..e08d066
--- /dev/null
+++ b/roles/gitserver/files/git-daemon.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Git Daemon Instance
+
+[Service]
+User=git
+# The '-' is to ignore non-zero exit statuses
+ExecStart=-/usr/lib/git-core/git-daemon --inetd --base-path=/srv/git
+StandardInput=socket
+StandardOutput=inherit
+StandardError=journal
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml
index fb1377e..fdcf55a 100644
--- a/roles/gitserver/tasks/main.yml
+++ b/roles/gitserver/tasks/main.yml
@@ -65,11 +65,20 @@
     group: git
     mode: u+rwx,g+r,o+r
 
+- name: Configure git-daemon systemd service
+  ansible.builtin.copy:
+    src: files/git-daemon.service
+    dest: /usr/lib/systemd/system/git-daemon@.service
+    owner: root
+    group: root
+    mode: u+rw,g+r,o+r
+
 - name: Enable git-daemon
-  ansible.builtin.service:
+  ansible.builtin.systemd_service:
     name: git-daemon.socket
     enabled: yes
     state: started
+    daemon_reload: true
 
 - name: Setup auth directory for git
   ansible.builtin.file: