From 9920d404374275ef80b21421ae3a1ab8211fd88d Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sun, 3 Mar 2024 14:11:45 +0000
Subject: Rename git role to gitserver
---
roles/gitserver/tasks/main.yml | 136 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 136 insertions(+)
create mode 100644 roles/gitserver/tasks/main.yml
(limited to 'roles/gitserver/tasks/main.yml')
diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml
new file mode 100644
index 0000000..49d52a6
--- /dev/null
+++ b/roles/gitserver/tasks/main.yml
@@ -0,0 +1,136 @@
+- name: Install git
+ ansible.builtin.package:
+ name:
+ - git
+ state: present
+
+- name: Create git user
+ ansible.builtin.user:
+ name: git
+ shell: /usr/bin/git-shell
+ home: /srv/git
+
+- name: Setup SSH directory for Git
+ ansible.builtin.file:
+ path: /srv/git/.ssh
+ state: directory
+ owner: git
+ group: git
+ mode: u+rw,g-w,o-rwx
+
+- name: Update authorized_keys for Git
+ ansible.posix.authorized_key:
+ user: git
+ state: present
+ # Workaround to make it work `with_fileglob`.
+ # https://github.com/ansible/ansible/issues/48819#issuecomment-623851751
+ key: "{{ lookup('file', item) }}"
+ key_options: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+ with_fileglob:
+ - misc/pubkeys/*.pub
+
+# Private key is required to mirror repositories to GitHub.
+- name: Copy private key for Git
+ ansible.builtin.copy:
+ src: files/id_rsa
+ dest: /srv/git/.ssh/id_rsa
+ owner: git
+ group: git
+ mode: u+rw,g-rwx,o-rwx
+
+# We need to know github.com ssh keys before pushing there, otherwise
+# post-receive will fail asking to verify authenticity of host.
+# Run `ssh-keyscan github.com` to re-generate keys if required.
+- name: Copy known_hosts for Git
+ ansible.builtin.copy:
+ src: files/known_hosts
+ dest: /srv/git/.ssh/known_hosts
+ owner: git
+ group: git
+ mode: u+rw,g-rwx,o-rwx
+
+- name: Setup git-shell-commands directory
+ ansible.builtin.file:
+ path: /srv/git/git-shell-commands
+ state: directory
+ owner: git
+ group: git
+ mode: u+rwx,g+r,o+rx
+
+- name: Copy no-interactive-login command
+ ansible.builtin.copy:
+ src: files/no-interactive-login
+ dest: /srv/git/git-shell-commands
+ owner: git
+ group: git
+ mode: u+rwx,g+r,o+r
+
+- name: Enable git-daemon
+ ansible.builtin.service:
+ name: git-daemon.socket
+ enabled: yes
+ state: started
+
+- name: Setup auth directory for git
+ ansible.builtin.file:
+ path: /etc/nginx/auth/git
+ state: directory
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
+# Alternative approach is to use community.general.htpasswd module to manage
+# .htpasswd file. Unfortunetly, there are couple of drawbacks:
+# * Target systems should have passlib Python library installed.
+# * Passwords might leak in the Ansible debug output, or even non-debug
+# without no_log.
+# Seems like managing good old file is more convenient at the moment.
+
+- name: Copy git .htpasswd file to manage HTTP passwords
+ ansible.builtin.copy:
+ src: files/.htpasswd
+ dest: /etc/nginx/auth/git/.htpasswd
+ owner: root
+ group: root
+ mode: u+rw,g+rw,o+r
+
+- name: Copy git.conf to handle git HTTP requests
+ ansible.builtin.copy:
+ src: files/git.conf
+ dest: /etc/nginx/includes/git.conf
+ owner: root
+ group: root
+ mode: u+rw,g+rw,o+r
+ notify:
+ - Reload nginx
+
+- name: Configure nginx for git.ilvokhin.com
+ ansible.builtin.copy:
+ src: files/git.ilvokhin.com
+ dest: /etc/nginx/sites-available
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Reload nginx
+
+- name: Enable git.ilvokhin.com site
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/git.ilvokhin.com
+ dest: /etc/nginx/sites-enabled/git.ilvokhin.com
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ state: link
+ notify:
+ - Reload nginx
+
+- name: Copy managing scripts
+ ansible.builtin.copy:
+ src: files/init-git-repo.sh
+ dest: /srv/git/init-git-repo.sh
+ owner: git
+ group: git
+ mode: u+rwx,g-rwx,o-rwx
+
+# TODO: figure out proper permissions to fix HTTP protocol push.
--
cgit v1.2.3-70-g09d2
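Review bot: The "Copy git .htpasswd file" task sets `mode: u+rw,g+rw,o+r`, which leaves the HTTP password hashes readable by every local account and writable by the root group; the file only needs to be readable by the nginx worker, so `group: <nginx-group>` with `mode: "0640"` (the actual worker group is not visible in this role, confirm it) is the safer shape, and the same `o+r` question applies to `git.conf`. Symbolic modes are applied relative to the file's current mode, so octal strings such as `mode: "0600"` for `id_rsa` and `known_hosts` and `mode: "0700"` for `/srv/git/.ssh` give a deterministic result instead of one that depends on the umask or a prior run. `src: files/id_rsa` is copied as a plain role file, so the private key presumably sits unencrypted in the repository; keeping it vault-encrypted and adding `no_log: true` to that task keeps it out of VCS history and out of `--diff` output, which the comment above the `.htpasswd` task already worries about for passwords. `enabled: yes` on the git-daemon task is a YAML 1.1 truthy value; `enabled: true` is the canonical form.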