authorAaron LI <aly@aaronly.me>2018-05-14 12:58:25 +0800
committerAaron LI <aly@aaronly.me>2018-05-14 12:58:59 +0800
commitc8dc9e163b50272bf8e3972c8ef37ea3e871b247 (patch)
tree515686d24df67aaf10c244efb09f855ccbb4e188
parent7a1b276f7b2c9478e28c16bb18e3095bd4b49e15 (diff)
downloadansible-dfly-vps-c8dc9e163b50272bf8e3972c8ef37ea3e871b247.tar.bz2
git: Use gitolite to replace the git-shell shipped with git
-rw-r--r--.gitignore1
-rw-r--r--group_vars/all/vars.yml4
-rw-r--r--roles/git/files/gitolite.rc198
-rw-r--r--roles/git/tasks/main.yml72
4 files changed, 256 insertions, 19 deletions
diff --git a/.gitignore b/.gitignore
index ebda476..c4bfc81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@
*.retry
/private/
+/gitolite-admin/
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 4776fe3..5c7cead 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -6,7 +6,7 @@
deploy_user: ansible
-ansible_ssh_private_key_file: ./private/ssh/ansible.key
+ansible_ssh_private_key_file: "{{ playbook_dir }}/private/ssh/ansible.key"
pf:
# number of simulataneous connections allowed from one host
@@ -190,8 +190,6 @@ git:
name: git # user & group name
id: 5001 # uid & gid
home: /home/git
- shell: /usr/local/libexec/git-core/git-shell
- ssh_keydir: "{{ playbook_dir }}/private/git/keys"
# Name of the directory that contains links to the public repos
public_dir: repos.public
# Sync public repos to GitHub
diff --git a/roles/git/files/gitolite.rc b/roles/git/files/gitolite.rc
new file mode 100644
index 0000000..1bd11f5
--- /dev/null
+++ b/roles/git/files/gitolite.rc
@@ -0,0 +1,198 @@
+#
+# Configurations for gitolite
+#
+# * http://gitolite.com/gitolite/
+# * http://gitolite.com/gitolite/rc/index.html
+#
+# Aaron LI
+# 2018-05-13
+#
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0077,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => '',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
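Review bot: `LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",` is left uncommented in the "site-local gitolite code" section, so gitolite will execute any hooks, commands or triggers pushed into the `local/` subdirectory of the gitolite-admin repo as the git user; the comment two lines above it points at gitolite's own security warning for exactly this. Since this commit adds no site-local code, I would keep the line commented (`# LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",`) or prefer the server-managed `# LOCAL_CODE => "$ENV{HOME}/local",` variant, and if it must stay on, add a one-line comment stating who is trusted to push to gitolite-admin. Apart from that line the file appears to be the stock rc with its defaults, which is worth saying in the header comment so a later reader knows what was deliberately changed.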
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index 615927a..5348810 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -8,6 +8,7 @@
- cgit
- uwsgi-py36
- highlight
+ - gitolite
- name: check user group existence
command: pw groupshow {{ git.user.name }}
@@ -30,18 +31,9 @@
pw useradd {{ git.user.name }}
-u {{ git.user.id }} -g {{ git.user.name }}
-d {{ git.user.home }} -m -M 0700
- -s {{ git.user.shell }}
-c "Git Repositories Owner"
when: pw_cmd.rc != 0
-- name: add ssh keys
- authorized_key:
- user: "{{ git.user.name }}"
- state: present
- key: "{{ lookup('file', item) }}"
- with_fileglob:
- - "{{ git.user.ssh_keydir }}/*.pub"
-
- name: generate vars.conf file
template:
src: vars.conf.j2
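Review bot: Dropping `-s {{ git.user.shell }}` only takes effect on hosts where the git user does not exist yet, because the `pw useradd` is guarded by `when: pw_cmd.rc != 0`; on a host already provisioned by the previous version the user keeps git-shell as its login shell, and gitolite's forced command in authorized_keys presumably needs a real shell to be exec'd by sshd, so ssh access would break there. An idempotent follow-up such as `- name: ensure git user login shell` / `user:` / `name: "{{ git.user.name }}"` with `shell: /bin/sh` (or a `pw usermod ... -s` with a `changed_when`) would cover both fresh and existing hosts. Removing the `add ssh keys` task is consistent, since key management now moves to gitolite's keydir. The useradd task itself begins above the hunk.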
@@ -51,14 +43,7 @@
copy:
src: git-shell-commands/ # trailing '/' -> directory contents
dest: "{{ git.user.home }}/git-shell-commands/"
- tags: git-cmds
-
-- name: add execution permission to git-shell commands
- file:
- path: "{{ git.user.home }}/git-shell-commands"
mode: 0755
- recurse: true
- tags: git-cmds
- name: (local) github sync - check ssh key existence
become: false
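Review bot: The `git-shell-commands/` copy (its task begins above the hunk) is still deployed with `mode: 0755`, yet after this commit the git user no longer logs in through git-shell (the `-s` flag and the `authorized_key` task are removed in the earlier hunk), so these files look like dead artifacts in the git home unless something else reads them. Either drop the task together with the `git-cmds` tag, or add a comment such as `# kept for manual use via su; not reachable over ssh now that gitolite-shell is the forced command` stating why it remains. Folding the former `file` task's mode into the `copy` task is fine; `mode: 0755` on a directory source applies to every copied file, which is roughly what the removed `recurse: true` did.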
@@ -98,6 +83,61 @@
group: "{{ git.user.name }}"
#
+# gitolite
+#
+
+- name: gitolite - copy the admin ssh key to the server
+ copy:
+ src: "{{ ansible_ssh_private_key_file }}.pub"
+ dest: "{{ git.user.home }}/admin.pub"
+ mode: 0644
+ tags: gitolite
+
+- name: gitolite - setup
+ become_user: "{{ git.user.name }}"
+ command: gitolite setup -pk "{{ git.user.home }}/admin.pub"
+ args:
+ chdir: "{{ git.user.home }}"
+ creates: "{{ git.user.home }}/.gitolite.rc"
+ tags: gitolite
+
+- name: gitolite - copy config
+ copy:
+ src: gitolite.rc
+ dest: "{{ git.user.home }}/.gitolite.rc"
+ mode: 0644
+ tags: gitolite
+
+- name: (local) gitolite - check local admin repo existence
+ become: false
+ stat:
+ path: "{{ playbook_dir }}/gitolite-admin"
+ delegate_to: localhost
+ register: stat_result
+ tags: gitolite
+
+- name: (local) gitolite - clone admin repo to local
+ become: false
+ command: >
+ env GIT_SSH_COMMAND="ssh -F /dev/null -p {{ ansible_ssh_port }} -i {{ ansible_ssh_private_key_file }} -o IdentitiesOnly=yes"
+ git clone
+ "{{ git.user.name }}@{{ domains[0].name }}:gitolite-admin.git"
+ "{{ playbook_dir }}/gitolite-admin"
+ delegate_to: localhost
+ when: not stat_result.stat.exists
+ tags: gitolite
+
+- name: (local) gitolite - note about the push command
+ become: false
+ copy:
+ content: >
+ env GIT_SSH_COMMAND="ssh -F /dev/null -p {{ ansible_ssh_port }} -i {{ ansible_ssh_private_key_file }} -o IdentitiesOnly=yes"
+ git push
+ dest: "{{ playbook_dir }}/gitolite-admin/GIT_PUSH_CMD.sh"
+ delegate_to: localhost
+ tags: gitolite
+
+#
# cgit
#
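Review bot: The gitolite admin key is the Ansible deploy key itself (`src: "{{ ansible_ssh_private_key_file }}.pub"` in the first copy task, and the same `-i` in both `GIT_SSH_COMMAND` lines), so whoever holds the key that administers the host also owns every repository's access control, and neither key can be rotated without the other. A dedicated key pair referenced from a variable (e.g. a constructed `git.gitolite.admin_key: "{{ playbook_dir }}/private/git/admin.key"` with `src: "{{ git.gitolite.admin_key }}.pub"`) keeps the two trust domains apart. Two smaller points: `register: stat_result` is a generic name that a later `stat` in this file could silently reuse, so something like `gitolite_admin_stat` is safer; and the rc is copied after `gitolite setup` has already run, with nothing re-running it when the copy reports changed, although the rc's own comment on `ROLES` says a compile is required after changes there, so a `notify` to a handler that runs `gitolite setup` would close that gap.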