author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-03-03 14:11:45 +0000 |
---|---|---|
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-03-03 14:11:45 +0000 |
commit | 9920d404374275ef80b21421ae3a1ab8211fd88d (patch) | |
tree | 57b32073b91ea2f2071c63d80a9ec8978a5a516e /roles/gitserver | |
parent | dda24d15031f6ca179bede64beef9ff3f6e7d6eb (diff) | |
Rename git role to gitserver
Diffstat (limited to 'roles/gitserver')
-rw-r--r-- | roles/gitserver/files/.htpasswd | 7 | ||||
-rw-r--r-- | roles/gitserver/files/git.conf | 16 | ||||
-rw-r--r-- | roles/gitserver/files/git.ilvokhin.com | 26 | ||||
-rw-r--r-- | roles/gitserver/files/id_rsa | 136 | ||||
-rw-r--r-- | roles/gitserver/files/id_rsa.pub | 1 | ||||
-rwxr-xr-x | roles/gitserver/files/init-git-repo.sh | 58 | ||||
-rw-r--r-- | roles/gitserver/files/known_hosts | 3 | ||||
-rw-r--r-- | roles/gitserver/files/no-interactive-login | 6 | ||||
-rw-r--r-- | roles/gitserver/meta/main.yml | 7 | ||||
-rw-r--r-- | roles/gitserver/tasks/main.yml | 136 |
10 files changed, 396 insertions, 0 deletions
diff --git a/roles/gitserver/files/.htpasswd b/roles/gitserver/files/.htpasswd
new file mode 100644
index 0000000..1402a2f
--- /dev/null
+++ b/roles/gitserver/files/.htpasswd
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+61343632623939306230623762623761363339376231646232313165353432643830383064663066
+6163383831306632333339653130323764393166333464380a613264613935633336643734376161
+37643564663361646564376437663431343937663937656233323164393837626163386430643063
+6234633164303239310a663961373664666465353234373261633662653864633830336132316139
+33616333643963353630623866613765363131656137653561393733633361303138383662626364
+3930656564303830646333306666643262383263313939373266
diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf
new file mode 100644
index 0000000..1434cda
--- /dev/null
+++ b/roles/gitserver/files/git.conf
@@ -0,0 +1,16 @@
+# Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92
+
+location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
+ # Set chunks to unlimited, as the body's can be huge.
+ client_max_body_size 0;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param PATH_INFO $uri;
+ # Forward REMOTE_USER as we want to know when we are authenticated.
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+}
diff --git a/roles/gitserver/files/git.ilvokhin.com b/roles/gitserver/files/git.ilvokhin.com
new file mode 100644
index 0000000..d94585f
--- /dev/null
+++ b/roles/gitserver/files/git.ilvokhin.com
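Review bot: `fastcgi_param GIT_HTTP_EXPORT_ALL "";` combined with `fastcgi_param REMOTE_USER $remote_user;` gives every account in the single .htpasswd identical rights on every repository under /srv/git: with that variable set, git-http-backend serves any directory regardless of the git-daemon-export-ok marker that init-git-repo.sh uses to mark repositories private, and per its documented default it enables git-receive-pack whenever REMOTE_USER is present, so "private" here only means "not anonymous" and any HTTP user can push anywhere once the permissions TODO in tasks/main.yml is resolved. If read-only accounts or per-repository push control are intended, drop GIT_HTTP_EXPORT_ALL so the export-ok marker is honoured and set `git config http.receivepack` per repository, or give `git-receive-pack` its own `location` with a separate `auth_basic_user_file`. Either way a comment above the two `fastcgi_param` lines should spell out that they grant read and push access to all repositories for all authenticated users, since the current "we want to know when we are authenticated" understates it.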
@@ -0,0 +1,26 @@
+server {
+ server_name git.ilvokhin.com;
+
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/nginx/auth/git/.htpasswd;
+
+ # Asterisk (*) is here to match both git.conf and cgit.conf (if the latter
+ # exists), because cgit comes with a separate role, but they share one
+ # server (git.ilvokhin.com) for usage convenience.
+ include includes/*git.conf;
+
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/git.ilvokhin.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.ilvokhin.com/privkey.pem;
+}
+
+server {
+ if ($host = git.ilvokhin.com) {
+ return 301 https://$host$request_uri;
+ }
+
+ server_name git.ilvokhin.com;
+ listen 80;
+
+ return 404;
+}
diff --git a/roles/gitserver/files/id_rsa b/roles/gitserver/files/id_rsa
new file mode 100644
index 0000000..4398f82
--- /dev/null
+++ b/roles/gitserver/files/id_rsa
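Review bot: The 443 server never emits `Strict-Transport-Security`, so browsers visiting cgit on this host (the `includes/*git.conf` comment says it shares this vhost) start every new session over plain HTTP and rely on the 301 in the second server block rather than upgrading on their own; once the redirect is known to be permanent, add `add_header Strict-Transport-Security "max-age=<MAX_AGE_SECONDS>" always;` next to the `listen 443 ssl;` line. The same block sets no `ssl_protocols`/`ssl_ciphers`, so the accepted TLS versions are whatever the distribution's nginx defaults are — acceptable if intended, but a one-line comment saying so would stop the next reader from assuming it was hardened. Note also that `auth_basic` at server scope puts every path, cgit included, behind the one shared password file.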
@@ -0,0 +1,136 @@
+$ANSIBLE_VAULT;1.1;AES256
+34336539613662653738386238613339326134393961643237383132653634373939363663396161
+6536323463323938303138623433653837346639353530330a336132353837323062396231303033
+34313230383637623938316231306432653237636463636464653438393736363331633436626534
+6437323539636337340a333465666561353362626162616130376163643363643536653262313835
+30613037613430386363663733383466373434396634346439656638626332386361643536353565
+63653662653134353939343632356231386436393334643564363561643663316632613166303832
+65393663656233303039633461376534313231333833613134316161303462656335616439313039
+66343166396136383362303539383961336166373334333163646133303232373433396163633331
+65333536666231623038333165356137396532313034613431666333313337313836336538326465
+31373136376138353863303035653961313330323264633465653163653235306164303164346366
+63343238343866353332306461666465613932306232633738646330346563343330653737643265
+39623930623339383539303634613638343436366530626139656662313364666637363232396234
+35393135366562363966636263316534643530333432393564336230343336633565626236343837
+33626335336565643364363062643764353439346365623862623935303331633339353138303831
+30353762313332323230626561623964326633623030383661346539643566323530623564353832
+35336236333562333533646337343539623237643431653734623831333036363064613832356337
+32333136633134656430643336646237636230626165346534633230373561666464316636306631
+30653137653737663337393839323533393166306634663636613262336330366562356464393563
+64643432323936616263356562343131376631356162623039666531653137363736343631393532
+39303835663431376261393561383233333930333334363036383036376235366562373534383336
+66646436633935386539363466393035353837633632656665616466313231613239656638306235
+33313334633437636533323965356361383761613332663336376661613262386263323131613338
+63653565313961303361313133653638376430663833383166393634366137643461393231316266
+66633262663935373233303065313636326663336232663630343531396639396263343964313836
+37373230636238626561316434376230356434383536663663363538313465306331623761313633
+39623136666632623261663832383433626633313365623662326138303135616234653366346638
+66303066343034353336656466663662353038626566613038613139323032613233333364666563
+66356365396136323831383165636532346630633736643236663134633234663832306563366637
+38666261343662393766316366366239633331356662333239363832653738323337623530333836
+39363462626661306531333535666138393165363037643333353230306161653537323730386631
+34623232333766373030383866323832333063363761333261643938303037653564666632646164
+38373934656338643865373162626262386432383931633132356636383637353865646665663161
+63623630343535663031616664363731663964626265356635383437363364663863666434323033
+39343262623561346631643763653738633832646336303764356633623635613930323035663265
+32653166663535643163643139383261363235333934386335363537303263613437393430643633
+64323866366534346130623737383539353536353233383033316561323863383561383032623165
+33633864386236633137313336346633316166633466623763383837323339366364343837373638
+32383733663465613038356338356633626461623537363930613439316163333131663331366333
+64613031336337623234313734343966326533396263336361653637613633326536303461613662
+38333439616364666637316463623239353134666430646139363363633530336234353334313131
+64396239353632636662313162643336373663613239643264333638393533346530396461393732
+38663334626236313266656463363630326131356230663963636138383466353465643135396532
+30646333393931383033343138663866633663633365633666353663326630363466396338316136
+38643739376336653134343132336330383935393236326536356138323139383264396639663265
+65316664656433643766646364393733386338616662316335303435643436316537643734343263
+38323437343065396261613763346661663930386434323730663264363338303330663664386135
+39336135663735643838663030343138393939343033356536343038343333343361643838396635
+34643865326261613139346561326661663837336438376633316165323065333332633532336433
+32653832643137653830663737623936363733626561313963313865366361333830666131653766
+39623862636632316537323963376534363266386535646262343439373665393331313534636338
+33343139313564313463346530346665323435633535343164633038363865303239393838663636
+65356139656432653466343833346266623333313034343063326331343738383462396339363062
+64663565633338303034666234663665613231343662376261306636303766383239343639666539
+30323534333336346530396264656132363862316434393737663832323437333934383538316664
+31303833313539623835343537373263333962393931353666626162366464616561316462366431
+34383736633530646633353439376562613966323335383936376234373464373534353665386563
+66393563353862333732386335346437623336646261383366366262376165633939373861643239
+35643434336638613339323361323539626632353165313930376661303834373231613735313433
+31303465393037633363333565643565636531623630646366633137346333643531623361303433
+64376634643338363635353037313537366339323037376662653939323965396363343133633164
+37323835336438623662613933376264633133656666323234353133363733396363393739636137
+61323434353965323638633231366239663332356165373064336438313037623136333431376362
+35653930373934653365333538646363616164613430393538303830313335346463306336303233
+32616261646435346366663736626430383234336530663239383331326466353562316162366663
+35623531636335666238376265656230326366336532333233356632376461653961346435613161
+38633363323065393635313362336537383461653232643533613161383931383435613138373339
+38396463663261336335343864633165386562656536313939323863653439653764363839366137
+61646664356332636361383235343634616335616135356439306531333338376234316538303764
+35353830356361373266373734636534376661636662336366343232386465623730346535663836
+31366563653266353337323239666231356435323933626463663466646364303762666162373863
+33663031663837313035313962393864356438623565393835613939306432393166363536636232
+66613062346237396362373263613861356138393632376535306438653766623732366333396365
+31633064636365643162316136656137303536353537393962623066366130613139366664643038
+38323634623438393337396162323964636539393731363030633064663362656132336262323161
+33616231396630323336333230326535353332643734633362616332633763646531396466376263
+33336265313933656435333363363266623237326231396561333131373738336664303963363762
+61613536393065316130316234363463656439356566386566333461353336393231646237663338
+64326131383735303765383437643463383931366162396261306238636361626437363564383837
+61383462663238643036396439393937323465613930393936663338363932363234356531366430
+33363362383930343966636662373764616264613365313863643131623966656164646263626531
+33366465336565633161663433343034356236646666373436346338393066333135383130656331
+61653731373630663034656334613864623835643862663361353738346265626237663462316634
+66383039323830323364343631363463663931356461656436666339376665373362383437643831
+33613965633436366661343034646537653937613165323030303630373737653136636537333132
+66366464663066616336366664366563373439383730343130656236376666313466363562353235
+61646461336531613337303365613965643064336437623664636638373866616264313437346162
+66333065306561343465343463303032663539303536363837623734363339666465343761636533
+65376563343835326432356432643335343961303263653066623661326639626565363232346564
+63333238363862343765653963306663366361626230353733306262386165333736646565326565
+64383737663030636332663262373333613961363731646137663265626165643439336563356431
+30373432363864656661626235653262613038313066626539396662633730303837316566333361
+37336563343232376330316238303966353361656235356566643366376464666632383064356135
+62616262366238303035646630353432633735656337333666316333653462333235396534666462
+38643135643964386139303039663136343365663764643533323533393630313562336339333338
+64616666363730323438386638386137396463636665393736383537363439633836313738363438
+36666433303333633038353363646663373631336335393932653361633132353439313439663937
+63623964663333376337386434306261326166653535326232333337316337656530613865323530
+63333964323836613132346638346439356638396436666438383064626461393534353766656134
+34636161613133336239393335353734306562303039616639316330643535386234336538306530
+39616234376263353166326431353266653136303132343434346235383663303861393865643230
+62623035626630313435643333386234613965353636666134353637653739393730343633653037
+39326337623663616133653632306634343339633132303539353165313536636636353764353833
+34353130373837653962306462646634653662666432373030363432653237366661393565623735
+34356635613666363035633465663835663434323833323163643265643562343266343465306637
+32386439353139623439393861666561343062333031313665363039666135633930366463643539
+66343265376161643234353838303030363666326366323664623033353061393538663335323363
+64313265343236303337613366636566393136643761643565336338663732306432366130666139
+32376437316635343465363233623230343365306336396361396233313662323465633161666435
+36386632373863353963636337373032393430346636663063316262363238346637643534326133
+65636531333965376163613739356637346233323236666264343866373637633933656661656339
+65613139393763643734646233356238383930623739386666363930656562633262376636353466
+31326433333330383234326231383139346263353435356337633966383165653863383533316235
+61313266386365633538353366643538653866313033666365633966623965613666306564313139
+32323339333266646633353964313333616437653837353663383037616465346437313635343766
+39653263323566646431633339663330316631346135643334303065336437613134666364623665
+39396662656331313865376439616330653061626562356438633962626630383163356437326364
+38333266323663313764366561626165646434663565346438383134643832663836626537306534
+34343638313537396134343061323330383538343536656461643938663766353562353836393163
+33623762326661306166383135666164356435643638346432386132663766363232396332623831
+39306433326238326663316533393833316461373935633063303637383733646162366662356432
+36616336383565353264386536356632363164646565313834316165643932333033343136326561
+66376561653639303166656530356632613237653232373665323339636536393066336437613865
+66623865663132623061346263353062376133633361376639336230343233356133613565613862
+36636234313961306565623734633133646663393465383461623166373530366464396166346131
+31616630633930333661323935363731363266393064363738633066356566643234366630646336
+66393631643733656465353436363134646331663363633264356232666266393137353139323039
+62303433623338616438303538333861386237363234343632373863613230313761656265626462
+36626563343339313938326364323765643638303633656631363436613835326535323737623833
+32613634353735616539326362346665636365326461353263333039623432366362376566333166
+35313665353066356439656665353035306163303266623831326438613363656263656239316530
+32643736333862316165306162346561323063303635653930303763343661623931393662376235
+64633238613831303636393235353062373866356235643334383732303962326464373334376439
+35356534396265623535303464313364373833363764346132636335336232663736313034643165
+63353830386239363464666263643261323839323166306636646238663430383331313138333736
+333330303436663236336564306366636564
diff --git a/roles/gitserver/files/id_rsa.pub b/roles/gitserver/files/id_rsa.pub
new file mode 100644
index 0000000..b8b0d6c
--- /dev/null
+++ b/roles/gitserver/files/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa 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 git@git.ilvokhin.com
diff --git a/roles/gitserver/files/init-git-repo.sh b/roles/gitserver/files/init-git-repo.sh
new file mode 100755
index 0000000..881ee55
--- /dev/null
+++ b/roles/gitserver/files/init-git-repo.sh
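Review bot: The vault blob records nothing about what this key is authorised to do on the GitHub side or how it is rotated, and the only context is the one-line "Private key is required to mirror repositories to GitHub" comment in tasks/main.yml; because the same key is installed for the `git` user and every mirror push in init-git-repo.sh goes through it, a compromise of this host or of the vault password exposes write access to all mirrors at once. Add a comment alongside that task naming the GitHub account or deploy-key the public key is registered under and the regeneration steps (generate, re-vault `files/id_rsa`, replace `files/id_rsa.pub`, update GitHub). The companion `id_rsa.pub` shows this is an RSA key; for a fresh key an ed25519 pair would be the usual choice, which is worth stating in the same comment so the next rotation does not copy the current type by habit.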
@@ -0,0 +1,58 @@
+#! /usr/bin/env bash
+
+# Usage examples
+#
+# Init private repository and mirror it to github.
+# ./init-git-repo.sh --private --mirror repo.git
+
+private=0
+mirror=0
+repo=""
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -p|--private)
+ private=1
+ shift
+ ;;
+ -m|--mirror)
+ mirror=1
+ shift
+ ;;
+ -*|--*)
+ echo "Unknown option $1" 1>&2
+ exit 1
+ ;;
+ *)
+ repo=$1
+ shift
+ ;;
+ esac
+done
+
+if [ -z $repo ]; then
+ echo "Provide repository name!" 1>&2
+ exit 1
+fi
+
+mkdir $repo
+cd $repo
+git init --bare
+
+if [ $private -eq 0 ]; then
+ touch git-daemon-export-ok
+fi
+
+if [ $mirror -eq 1 ]; then
+ git remote add --mirror github git@github.com:ilvokhin/$repo
+
+ cat > hooks/post-receive <<EOF
+#! /bin/sh
+
+git push --quiet github &
+EOF
+
+ chmod +x hooks/post-receive
+fi
+
+cd ..
diff --git a/roles/gitserver/files/known_hosts b/roles/gitserver/files/known_hosts
new file mode 100644
index 0000000..5f2b86f
--- /dev/null
+++ b/roles/gitserver/files/known_hosts
@@ -0,0 +1,3 @@
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
diff --git a/roles/gitserver/files/no-interactive-login b/roles/gitserver/files/no-interactive-login
new file mode 100644
index 0000000..7e6f6c5
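Review bot: `$repo` is taken straight from the command line and used unquoted and unvalidated in `[ -z $repo ]`, `mkdir $repo`, `cd $repo` and the `git@github.com:ilvokhin/$repo` remote, and the script has no `set -e`, so a name containing `/` or `..` creates the repository outside /srv/git (and points the mirror at an unintended GitHub path), while a failed `mkdir` or `cd` lets `git init --bare` run in whatever directory the operator started in. The script is meant to run as the `git` user on the server, so the fix is purely defensive: fail fast, quote every expansion, and accept only a bare directory name. The `-*|--*)` pattern is also redundant (`-*` already covers `--*`) and can be simplified to `-*)`.

```shell
set -euo pipefail

# … unchanged: option parsing loop …

if [ -z "$repo" ]; then
    echo "Provide repository name!" 1>&2
    exit 1
fi

# Bare name only, no path separators: keeps the new directory under the
# current prefix and the github remote under ilvokhin/.
if ! [[ $repo =~ ^[A-Za-z0-9._-]+$ ]] || [[ $repo == . || $repo == .. ]]; then
    echo "Invalid repository name: $repo" 1>&2
    exit 1
fi

mkdir -- "$repo"
cd "$repo"
git init --bare

# … unchanged: git-daemon-export-ok marker, mirror remote and post-receive hook …

cd ..
```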
--- /dev/null
+++ b/roles/gitserver/files/no-interactive-login
@@ -0,0 +1,6 @@
+#! /usr/bin/env sh
+
+echo "Hello! You've successfully authenticated," \
+ "but I do not provide interactive shell access."
+
+exit 128
diff --git a/roles/gitserver/meta/main.yml b/roles/gitserver/meta/main.yml
new file mode 100644
index 0000000..db5df62
--- /dev/null
+++ b/roles/gitserver/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+ - role: certificate
+ vars:
+ domains:
+ - git.ilvokhin.com
+ - role: nginx
+ - role: fcgiwrap
diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml
new file mode 100644
index 0000000..49d52a6
--- /dev/null
+++ b/roles/gitserver/tasks/main.yml
@@ -0,0 +1,136 @@
+- name: Install git
+ ansible.builtin.package:
+ name:
+ - git
+ state: present
+
+- name: Create git user
+ ansible.builtin.user:
+ name: git
+ shell: /usr/bin/git-shell
+ home: /srv/git
+
+- name: Setup SSH directory for Git
+ ansible.builtin.file:
+ path: /srv/git/.ssh
+ state: directory
+ owner: git
+ group: git
+ mode: u+rw,g-w,o-rwx
+
+- name: Update authorized_keys for Git
+ ansible.posix.authorized_key:
+ user: git
+ state: present
+ # Workaround to make it work `with_fileglob`.
+ # https://github.com/ansible/ansible/issues/48819#issuecomment-623851751
+ key: "{{ lookup('file', item) }}"
+ key_options: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+ with_fileglob:
+ - misc/pubkeys/*.pub
+
+# Private key is required to mirror repositories to GitHub.
+- name: Copy private key for Git
+ ansible.builtin.copy:
+ src: files/id_rsa
+ dest: /srv/git/.ssh/id_rsa
+ owner: git
+ group: git
+ mode: u+rw,g-rwx,o-rwx
+
+# We need to know github.com ssh keys before pushing there, otherwise
+# post-receive will fail asking to verify authenticity of host.
+# Run `ssh-keyscan github.com` to re-generate keys if required.
+- name: Copy known_hosts for Git
+ ansible.builtin.copy:
+ src: files/known_hosts
+ dest: /srv/git/.ssh/known_hosts
+ owner: git
+ group: git
+ mode: u+rw,g-rwx,o-rwx
+
+- name: Setup git-shell-commands directory
+ ansible.builtin.file:
+ path: /srv/git/git-shell-commands
+ state: directory
+ owner: git
+ group: git
+ mode: u+rwx,g+r,o+rx
+
+- name: Copy no-interactive-login command
+ ansible.builtin.copy:
+ src: files/no-interactive-login
+ dest: /srv/git/git-shell-commands
+ owner: git
+ group: git
+ mode: u+rwx,g+r,o+r
+
+- name: Enable git-daemon
+ ansible.builtin.service:
+ name: git-daemon.socket
+ enabled: yes
+ state: started
+
+- name: Setup auth directory for git
+ ansible.builtin.file:
+ path: /etc/nginx/auth/git
+ state: directory
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
+# Alternative approach is to use community.general.htpasswd module to manage
+# .htpasswd file. Unfortunetly, there are couple of drawbacks:
+# * Target systems should have passlib Python library installed.
+# * Passwords might leak in the Ansible debug output, or even non-debug
+# without no_log.
+# Seems like managing good old file is more convenient at the moment.
+
+- name: Copy git .htpasswd file to manage HTTP passwords
+ ansible.builtin.copy:
+ src: files/.htpasswd
+ dest: /etc/nginx/auth/git/.htpasswd
+ owner: root
+ group: root
+ mode: u+rw,g+rw,o+r
+
+- name: Copy git.conf to handle git HTTP requests
+ ansible.builtin.copy:
+ src: files/git.conf
+ dest: /etc/nginx/includes/git.conf
+ owner: root
+ group: root
+ mode: u+rw,g+rw,o+r
+ notify:
+ - Reload nginx
+
+- name: Configure nginx for git.ilvokhin.com
+ ansible.builtin.copy:
+ src: files/git.ilvokhin.com
+ dest: /etc/nginx/sites-available
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Reload nginx
+
+- name: Enable git.ilvokhin.com site
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/git.ilvokhin.com
+ dest: /etc/nginx/sites-enabled/git.ilvokhin.com
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ state: link
+ notify:
+ - Reload nginx
+
+- name: Copy managing scripts
+ ansible.builtin.copy:
+ src: files/init-git-repo.sh
+ dest: /srv/git/init-git-repo.sh
+ owner: git
+ group: git
+ mode: u+rwx,g-rwx,o-rwx
+
+# TODO: figure out proper permissions to fix HTTP protocol push. |
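Review bot: `mode: u+rw,g+rw,o+r` on the "Copy git .htpasswd file" task leaves the password hashes world-readable at /etc/nginx/auth/git/.htpasswd, and every `mode` in this file is a symbolic add/remove that only adjusts whatever bits the target already has, so the effective permissions depend on the host's umask and on the file's previous state rather than on this playbook. Use explicit octal on the secret-bearing copies — `mode: "0640"` for `.htpasswd` with `group` set to the account the nginx workers run as (`<NGINX_WORKER_GROUP>`, take it from the nginx role), and `mode: "0600"` for `/srv/git/.ssh/id_rsa` — and the `.ssh` directory task should say `"0700"` instead of `u+rw,g-w,o-rwx`, which only yields a usable directory because the default mode already carries `u+x`. The authorized_key task uses `state: present` without `exclusive`, so a key removed from misc/pubkeys/ is never revoked on the host; `exclusive: true` is not loop-aware, so the keys would first have to be joined into a single `key:` value (e.g. via `lookup('fileglob', ...)`) before it can be used. A comment next to "Enable git-daemon" tying anonymous `git://` exposure to the `git-daemon-export-ok` marker that init-git-repo.sh creates would make the private/public split visible in one place.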