Diffstat (limited to 'roles/gitserver')
-rw-r--r--roles/gitserver/files/git.conf6
-rw-r--r--roles/gitserver/files/gitconfig2
-rw-r--r--roles/gitserver/files/htpasswd7
-rw-r--r--roles/gitserver/tasks/main.yml33
4 files changed, 10 insertions, 38 deletions
diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf
index 3d6d6a3..575d977 100644
--- a/roles/gitserver/files/git.conf
+++ b/roles/gitserver/files/git.conf
@@ -1,19 +1,13 @@
# Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92
location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
- auth_basic "Restricted";
- auth_basic_user_file /etc/nginx/auth/git/.htpasswd;
-
# Set chunks to unlimited, as the body's can be huge.
client_max_body_size 0;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /srv/git;
fastcgi_param PATH_INFO $uri;
- # Forward REMOTE_USER as we want to know when we are authenticated.
- fastcgi_param REMOTE_USER $remote_user;
fastcgi_pass unix:/run/fcgiwrap.sock;
}
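Review bot: With `auth_basic` removed, the location still routes `git-receive-pack` to git-http-backend for anonymous clients, and `client_max_body_size 0;` still lets them send request bodies of any size. Nothing in this block refuses a push: it depends on git-http-backend's default of disabling receive-pack when no `REMOTE_USER` is passed, and that default is overridden if any repository under /srv/git sets `http.receivepack = true`. If HTTP is meant to be read-only from here on, narrow the match to `location ~ /.+/(info/refs|git-upload-pack) {` and replace the unlimited body size with a finite limit sized for fetch negotiation. Dropping `GIT_HTTP_EXPORT_ALL` means only repositories containing a `git-daemon-export-ok` file are served, which deserves a comment in the file such as `# Only repos with git-daemon-export-ok are exported; HTTP is anonymous and read-only.`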
diff --git a/roles/gitserver/files/gitconfig b/roles/gitserver/files/gitconfig
new file mode 100644
index 0000000..3209b9f
--- /dev/null
+++ b/roles/gitserver/files/gitconfig
@@ -0,0 +1,2 @@
+[safe]
+ directory = /srv/git/*
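Review bot: `directory = /srv/git/*` switches off git's repository-ownership check for every path under /srv/git, for every user on the host, because the file is installed as /etc/gitconfig. Any account that can create or modify a repository there will have its repo-level config and hooks honoured by whichever service user runs git against it, so write access to /srv/git should be limited to the git user and verified in the role. Separately, the `path/*` prefix form is only understood by newer git releases (as far as I recall, 2.46 and later); older versions treat it as a literal path that matches nothing, so check the target hosts' git version. A comment above the entry would help, for example `# Repos are owned by 'git' but served by another user (fcgiwrap/git-daemon); trust only this tree.`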
diff --git a/roles/gitserver/files/htpasswd b/roles/gitserver/files/htpasswd
deleted file mode 100644
index 1402a2f..0000000
--- a/roles/gitserver/files/htpasswd
+++ /dev/null
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61343632623939306230623762623761363339376231646232313165353432643830383064663066
-6163383831306632333339653130323764393166333464380a613264613935633336643734376161
-37643564663361646564376437663431343937663937656233323164393837626163386430643063
-6234633164303239310a663961373664666465353234373261633662653864633830336132316139
-33616333643963353630623866613765363131656137653561393733633361303138383662626364
-3930656564303830646333306666643262383263313939373266
diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml
index c007c6e..cdb7765 100644
--- a/roles/gitserver/tasks/main.yml
+++ b/roles/gitserver/tasks/main.yml
@@ -65,6 +65,14 @@
group: git
mode: u+rwx,g+r,o+r
+- name: Configure git system-wide
+ ansible.builtin.copy:
+ src: files/gitconfig
+ dest: /etc/gitconfig
+ owner: git
+ group: git
+ mode: u+rwx,g+r,o+r
+
- name: Configure git-daemon systemd service
ansible.builtin.copy:
src: files/git-daemon.service
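Review bot: The new "Configure git system-wide" task installs /etc/gitconfig as `owner: git` / `group: git`, so the service account can rewrite the system-wide git configuration, including the `safe.directory` entry this commit relies on. A system config file should be root-owned and not writable by the account it constrains. The symbolic mode `u+rwx,g+r,o+r` also sets the execute bit on a plain config file, and because it only adds bits, any permissions already on an existing file are left in place rather than reset. Suggested change: `owner: root`, `group: root`, `mode: "0644"`. The following task ("Configure git-daemon systemd service") continues outside this hunk.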
@@ -80,29 +88,6 @@
state: started
daemon_reload: true
-- name: Setup auth directory for git
- ansible.builtin.file:
- path: /etc/nginx/auth/git
- state: directory
- owner: root
- group: root
- mode: u+rw,g+r,o+r
-
-# Alternative approach is to use community.general.htpasswd module to manage
-# .htpasswd file. Unfortunetly, there are couple of drawbacks:
-# * Target systems should have passlib Python library installed.
-# * Passwords might leak in the Ansible debug output, or even non-debug
-# without no_log.
-# Seems like managing good old file is more convenient at the moment.
-
-- name: Copy git .htpasswd file to manage HTTP passwords
- ansible.builtin.copy:
- src: files/htpasswd
- dest: /etc/nginx/auth/git/.htpasswd
- owner: root
- group: root
- mode: u+rw,g+rw,o+r
-
- name: Copy git.conf to handle git HTTP requests
ansible.builtin.copy:
src: files/git.conf
@@ -141,5 +126,3 @@
owner: git
group: git
mode: u+rwx,g-rwx,o-rwx
-
-# TODO: figure out proper permissions to fix HTTP protocol push.