# Package + service account for the git host. The account's login shell is
# git-shell, which restricts SSH sessions to git's transport commands (plus
# whatever lives in ~/git-shell-commands) -- it is what keeps the SSH keys
# installed below from turning into a general-purpose shell.
- name: Install git
  ansible.builtin.package:
    name: git
    state: present
- name: Create git user
  ansible.builtin.user:
    name: git
    home: /srv/git
    shell: /usr/bin/git-shell
# Every *.pub under misc/pubkeys/ is granted access as `git`. The key
# options forbid port/X11/agent forwarding and PTY allocation, so a key
# holder gets git transport and nothing else.
# NOTE(review): `exclusive` is left at its default (false), so deleting a
# .pub file from misc/pubkeys does NOT revoke that key on the host -- remove
# it explicitly (state: absent, or by hand) when rotating keys.
- name: Update authorized_keys for Git
  ansible.posix.authorized_key:
    state: present
    user: git
    # The key content is read via lookup('file') rather than handed to the
    # module as a path; this is the `with_fileglob` workaround from
    # https://github.com/ansible/ansible/issues/48819#issuecomment-623851751
    key: "{{ lookup('file', item) }}"
    key_options: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
  with_fileglob:
    - 'misc/pubkeys/*.pub'
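# authorized_key above normally creates ~/.ssh already (manage_dir defaults
# to true); this task pins ownership and mode. sshd's StrictModes rejects
# the key file if ~/.ssh is group- or world-writable.
# An explicit octal mode replaces the relative "u+rw,g-w,o-rwx": symbolic
# +/- modes only adjust whatever bits the directory already has and never
# grant the u+x a directory needs, so the outcome depended on prior state.
- name: Setup SSH directory for Git
  ansible.builtin.file:
    path: /srv/git/.ssh
    state: directory
    owner: git
    group: git
    mode: "0700"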
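# This private key lets the git user push mirrors to GitHub, so it must be
# write-capable. Keep its blast radius small: use a per-repository deploy
# key (or a dedicated machine account) rather than a personal key, and keep
# files/id_rsa ansible-vault encrypted in the repository. no_log keeps the
# key material out of task output and --diff mode.
- name: Copy private key for Git
  ansible.builtin.copy:
    src: files/id_rsa
    dest: /srv/git/.ssh/id_rsa
    owner: git
    group: git
    mode: "0600"  # ssh refuses private keys readable by group/other
  no_log: true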
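# git-shell executes programs found in ~/git-shell-commands on behalf of
# anyone who authenticates as `git`, so the directory and its contents must
# be writable only by the git user (and root).
- name: Setup git-shell-commands directory
  ansible.builtin.file:
    path: /srv/git/git-shell-commands
    state: directory
    owner: git
    group: git
    mode: "0750"
# files/no-interactive-login is not in this file; presumably the usual
# git-shell helper that prints a notice and exits for interactive sessions.
# (The no-pty key option already blocks those for keys managed here; this
# covers keys added by other means.)
- name: Copy no-interactive-login command
  ansible.builtin.copy:
    src: files/no-interactive-login
    dest: /srv/git/git-shell-commands/no-interactive-login
    owner: git
    group: git
    # Was "u+rwx,g+rwx,o-rwx": drop group write on an executable that
    # git-shell runs for remote users.
    mode: "0750"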
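# git:// is anonymous and unencrypted (read-only unless receive-pack is
# enabled in the daemon). git-daemon serves only repositories marked with
# git-daemon-export-ok unless the unit passes --export-all, so check the
# socket/service unit before exporting anything, and firewall the port to
# the networks that need it.
- name: Enable git-daemon
  ansible.builtin.service:
    name: git-daemon.socket
    enabled: true
    state: started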
# Role wiring for HTTPS access: fcgiwrap (the FastCGI wrapper that
# files/git.conf is expected to proxy git requests to), a certificate for
# the vhost, and nginx itself. The roles live outside this file.
- name: Install fcgiwrap
  ansible.builtin.include_role:
    name: fcgiwrap
- name: Request SSL certificate for git.ilvokhin.com
  ansible.builtin.include_role:
    name: certificate
  vars:
    domains:
      - git.ilvokhin.com
- name: Install nginx
  ansible.builtin.include_role:
    name: nginx
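- name: Setup auth directory for git
  ansible.builtin.file:
    path: /etc/nginx/auth/git
    state: directory
    owner: root
    group: root
    mode: "0755"
# An alternative is the community.general.htpasswd module to manage the
# .htpasswd file. Unfortunately, there are a couple of drawbacks:
# * Target systems need the passlib Python library installed.
# * Passwords might leak into Ansible output -- certainly in debug mode,
#   and even in normal runs unless no_log is set.
# Managing the plain file seems more convenient at the moment.
#
# The file holds password hashes for HTTP basic auth. nginx worker processes
# (not root) read it at request time, so it must stay readable by the worker
# user; 0644 preserves that and drops the group-write bit the previous
# "u+rw,g+rw,o+r" granted. Tightening to 0640 with `group` set to the nginx
# worker group (distro-specific, so not hard-coded here) would additionally
# stop other local users from reading the hashes.
- name: Copy git .htpasswd file to manage HTTP passwords
  ansible.builtin.copy:
    src: files/.htpasswd
    dest: /etc/nginx/auth/git/.htpasswd
    owner: root
    group: root
    mode: "0644"
  no_log: true  # keep hash lines out of task output / --diff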
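# Explicit 0644 instead of "u+rw,g+rw,o+r": nginx config under /etc should
# not be group-writable, and an absolute mode does not depend on whatever
# bits the file already had.
- name: Copy git.conf to handle git HTTP requests
  ansible.builtin.copy:
    src: files/git.conf
    dest: /etc/nginx/includes/git.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx
# dest names the file explicitly so it matches the symlink source below
# (and never creates a file called sites-available if the directory is
# missing).
- name: Configure nginx for git.ilvokhin.com
  ansible.builtin.copy:
    src: files/git.ilvokhin.com
    dest: /etc/nginx/sites-available/git.ilvokhin.com
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx
# For a symlink task, owner/group/mode are applied to the link target
# (follow defaults to true), so they deliberately mirror the task above.
- name: Enable git.ilvokhin.com site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/git.ilvokhin.com
    dest: /etc/nginx/sites-enabled/git.ilvokhin.com
    state: link
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx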
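# files/init-git-repo.sh is not in this file; presumably the helper used to
# create repositories under /srv/git. It runs as the git user, so keep it
# private to that account: an explicit 0700 instead of the relative
# "u+rwx,g-rwx,o-rwx", which would leave any pre-existing setuid/setgid bits.
- name: Copy managing scripts
  ansible.builtin.copy:
    src: files/init-git-repo.sh
    dest: /srv/git/init-git-repo.sh
    owner: git
    group: git
    mode: "0700"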