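---
# Git server role: a `git` account reachable over SSH (git-shell only), a
# git-daemon socket for the git:// protocol, and HTTP access through nginx
# protected by basic auth.
- name: Install git
  ansible.builtin.package:
    name:
      - git
    state: present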

# Dedicated account that owns the repositories. No password is set here, so
# login relies on the SSH keys installed below, and git-shell as the login
# shell limits those sessions to git commands plus whatever is placed in
# ~/git-shell-commands.
- name: Create git user
  ansible.builtin.user:
    name: git
    shell: /usr/bin/git-shell
    home: /srv/git

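# ~/.ssh for the git user. sshd (StrictModes) rejects the directory if it is
# writable by group or others; 0700 is the canonical setting.
- name: Setup SSH directory for Git
  ansible.builtin.file:
    path: /srv/git/.ssh
    state: directory
    owner: git
    group: git
    # Absolute mode rather than a relative symbolic one (u+rw,g-w,o-rwx): a
    # symbolic add/remove is applied on top of whatever bits the directory
    # already had, so the final permissions depended on umask / prior state.
    mode: "0700"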

# Install every public key from the role's misc/pubkeys/ directory for the git
# user. The key options forbid port/X11/agent forwarding and PTY allocation, so
# a key holder can only run what git-shell permits -- no tunnel, no terminal.
# NOTE(review): `exclusive` is not set, so a key deleted from misc/pubkeys/ is
# NOT revoked on the host until removed from authorized_keys by other means
# (per the module docs `exclusive` is not loop-aware, so revocation needs a
# separate task or a single newline-joined key string). On OpenSSH 7.2+ the
# single option `restrict` covers these restrictions plus any added later.
- name: Update authorized_keys for Git
  ansible.posix.authorized_key:
    user: git
    state: present
    # Workaround to make it work `with_fileglob`.
    # https://github.com/ansible/ansible/issues/48819#issuecomment-623851751
    key: "{{ lookup('file', item) }}"
    key_options: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
  with_fileglob:
    - misc/pubkeys/*.pub

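# Private key is required to mirror repositories to GitHub (the post-receive
# hook pushes there).
# NOTE(review): the key is shipped from the repository as files/id_rsa. Keep it
# encrypted with ansible-vault, and make it a deploy key scoped to the mirror
# repositories rather than a key on a personal account, so a compromise of this
# host cannot reach anything else.
- name: Copy private key for Git
  ansible.builtin.copy:
    src: files/id_rsa
    dest: /srv/git/.ssh/id_rsa
    owner: git
    group: git
    # ssh refuses a private key readable by group or others; the absolute mode
    # guarantees 0600 regardless of the file's previous permissions.
    mode: "0600"
  # Keep the key material out of task output and --diff output.
  no_log: true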

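# We need to know the github.com ssh host keys before pushing there, otherwise
# the post-receive hook fails asking to verify the authenticity of the host.
# Run `ssh-keyscan github.com` to regenerate the file if GitHub rotates a key,
# but compare the output against the fingerprints GitHub publishes before
# committing it: accepting ssh-keyscan output blindly is trust-on-first-use and
# defeats the purpose of pinning the host key.
- name: Copy known_hosts for Git
  ansible.builtin.copy:
    src: files/known_hosts
    dest: /srv/git/.ssh/known_hosts
    owner: git
    group: git
    # Absolute mode so the result does not depend on prior permissions.
    mode: "0600"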

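# git-shell runs commands from this directory on behalf of any authorized SSH
# key holder, so only the no-interactive-login stub belongs here; anything
# else dropped into it becomes remotely executable.
- name: Setup git-shell-commands directory
  ansible.builtin.file:
    path: /srv/git/git-shell-commands
    state: directory
    owner: git
    group: git
    # Absolute mode so the result does not depend on the directory's previous
    # permissions (the symbolic form only added bits to whatever was there).
    mode: "0755"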

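# Stub that git-shell runs for interactive (non-git) sessions so key holders
# never get a shell; presumably it prints a notice and exits -- its contents
# are in files/no-interactive-login, not shown here.
- name: Copy no-interactive-login command
  ansible.builtin.copy:
    src: files/no-interactive-login
    # Full destination path: copying to a bare directory name only works when
    # that directory already exists.
    dest: /srv/git/git-shell-commands/no-interactive-login
    owner: git
    group: git
    # Absolute mode; only the git user needs to execute it.
    mode: "0744"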

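# Template unit, presumably socket-activated per connection by
# git-daemon.socket (the socket unit is not managed in this file -- confirm
# where it comes from). git:// serves repositories without authentication, so
# the unit must export only the intended paths.
# NOTE(review): /usr/lib/systemd/system is the vendor/package directory; a
# locally managed unit conventionally lives in /etc/systemd/system, where a
# package upgrade cannot overwrite it.
- name: Configure git-daemon systemd service
  ansible.builtin.copy:
    src: files/git-daemon.service
    dest: /usr/lib/systemd/system/git-daemon@.service
    owner: root
    group: root
    mode: "0644"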

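# Start the socket now and at boot. daemon_reload picks up the unit file
# installed above; since this task runs on every play, later unit edits are
# reloaded too, although an already-running instance is not restarted.
- name: Enable git-daemon
  ansible.builtin.systemd_service:
    name: git-daemon.socket
    # Canonical boolean instead of the YAML 1.1 `yes`, consistent with
    # daemon_reload below.
    enabled: true
    state: started
    daemon_reload: true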

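# Directory holding the HTTP basic-auth credentials for the git vhost. The
# nginx worker must be able to traverse it to read .htpasswd, hence o+x.
- name: Setup auth directory for git
  ansible.builtin.file:
    path: /etc/nginx/auth/git
    state: directory
    owner: root
    group: root
    # Absolute mode: the symbolic u+rw,g+r,o+r never set execute bits itself
    # and relied on the umask to supply them.
    mode: "0755"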

# An alternative approach is to use the community.general.htpasswd module to
# manage the .htpasswd file. Unfortunately, it has a couple of drawbacks:
# * Target systems must have the passlib Python library installed.
# * Plaintext passwords could leak into Ansible output (debug output, or even
#   normal output if the task is not marked no_log).
# Managing the plain file ourselves seems more convenient at the moment.

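- name: Copy git .htpasswd file to manage HTTP passwords
  ansible.builtin.copy:
    src: files/htpasswd
    dest: /etc/nginx/auth/git/.htpasswd
    owner: root
    group: root
    # Absolute mode so the result does not depend on prior permissions; the
    # group write bit served no purpose on a root-owned file.
    # NOTE(review): 0644 leaves the password hashes readable by every local
    # account. To tighten, set `group` to the nginx worker's group
    # (distribution-specific, e.g. www-data or nginx) and use mode "0640".
    mode: "0644"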

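# nginx snippet with the git HTTP handling, meant to be included from the
# vhost config (it lives under includes/).
- name: Copy git.conf to handle git HTTP requests
  ansible.builtin.copy:
    src: files/git.conf
    dest: /etc/nginx/includes/git.conf
    owner: root
    group: root
    # Absolute mode, consistent with the other nginx config files in this
    # role; group write was unnecessary.
    mode: "0644"
  notify:
    - Reload nginx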

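# Server block for the git vhost.
- name: Configure nginx for git.ilvokhin.com
  ansible.builtin.copy:
    src: files/git.ilvokhin.com
    # Full destination path, matching the symlink source in the next task. With
    # a bare directory name, copy only lands the file inside it when that
    # directory already exists; otherwise it would create a regular file named
    # sites-available.
    dest: /etc/nginx/sites-available/git.ilvokhin.com
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx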

# Enable the vhost by linking it into sites-enabled; the handler reloads nginx
# so the new server block takes effect.
- name: Enable git.ilvokhin.com site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/git.ilvokhin.com
    dest: /etc/nginx/sites-enabled/git.ilvokhin.com
    # NOTE(review): owner/group/mode are of little use on a `state: link`
    # task -- permissions of the link itself are ignored on Linux, and the
    # target already gets these attributes from the task that copies it.
    # Harmless, but could be dropped.
    owner: root
    group: root
    mode: u+rw,g+r,o+r
    state: link
  notify:
    - Reload nginx

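# Helper for creating repositories; private to the git user, which is the only
# account allowed to read or execute it.
- name: Copy managing scripts
  ansible.builtin.copy:
    src: files/init-git-repo.sh
    dest: /srv/git/init-git-repo.sh
    owner: git
    group: git
    # Absolute mode so the result does not depend on prior permissions.
    mode: "0700"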

# TODO: figure out proper permissions to fix HTTP protocol push. Pushing over
# HTTP means the backend behind nginx (git-http-backend) must be able to write
# into the repositories; prefer running that backend as the `git` user over
# loosening repository permissions for the web server account.