From c8dc9e163b50272bf8e3972c8ef37ea3e871b247 Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Mon, 14 May 2018 12:58:25 +0800 Subject: git: Use gitolite to replace the git-shell shipped with git --- .gitignore | 1 + group_vars/all/vars.yml | 4 +- roles/git/files/gitolite.rc | 198 ++++++++++++++++++++++++++++++++++++++++++++ roles/git/tasks/main.yml | 72 ++++++++++++---- 4 files changed, 256 insertions(+), 19 deletions(-) create mode 100644 roles/git/files/gitolite.rc diff --git a/.gitignore b/.gitignore index ebda476..c4bfc81 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ *.retry /private/ +/gitolite-admin/ diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 4776fe3..5c7cead 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -6,7 +6,7 @@ deploy_user: ansible -ansible_ssh_private_key_file: ./private/ssh/ansible.key +ansible_ssh_private_key_file: "{{ playbook_dir }}/private/ssh/ansible.key" pf: # number of simulataneous connections allowed from one host @@ -190,8 +190,6 @@ git: name: git # user & group name id: 5001 # uid & gid home: /home/git - shell: /usr/local/libexec/git-core/git-shell - ssh_keydir: "{{ playbook_dir }}/private/git/keys" # Name of the directory that contains links to the public repos public_dir: repos.public # Sync public repos to GitHub diff --git a/roles/git/files/gitolite.rc b/roles/git/files/gitolite.rc new file mode 100644 index 0000000..1bd11f5 --- /dev/null +++ b/roles/git/files/gitolite.rc 
@@ -0,0 +1,198 @@
+#
+# Configurations for gitolite
+#
+# * http://gitolite.com/gitolite/
+# * http://gitolite.com/gitolite/rc/index.html
+#
+# Aaron LI
+# 2018-05-13
+#
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0077,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => '',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index 615927a..5348810 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -8,6 +8,7 @@ - cgit - uwsgi-py36 - highlight + - gitolite - name: check user group existence command: pw groupshow {{ git.user.name }} @@ -30,18 +31,9 @@ pw useradd {{ git.user.name }} -u {{ git.user.id }} -g {{ git.user.name }} -d {{ git.user.home }} -m -M 0700 - -s {{ git.user.shell }} -c "Git Repositories Owner" when: pw_cmd.rc != 0 -- name: add ssh keys - authorized_key: - user: "{{ git.user.name }}" - state: present - key: "{{ lookup('file', item) }}" - with_fileglob: - - "{{ git.user.ssh_keydir }}/*.pub" - - name: generate vars.conf file template: src: vars.conf.j2 @@ -51,14 +43,7 @@ copy: src: git-shell-commands/ # trailing '/' -> directory contents dest: "{{ git.user.home }}/git-shell-commands/" - tags: git-cmds - -- name: add execution permission to git-shell commands - file: - path: "{{ git.user.home }}/git-shell-commands" mode: 0755 - recurse: true - tags: git-cmds - name: (local) github sync - check ssh key existence become: false 
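Review bot: `LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",` is enabled in this new rc file while the stock comments around it are left as they are, so anyone who can push to gitolite-admin can also ship hooks and commands that run as the git user on the server, which is exactly what the comment two lines above it warns about. Nothing else in this commit adds a `local/` directory to the admin repo, so unless site-local code is planned it is safer to leave this line commented out, or to use the server-managed `LOCAL_CODE => "$ENV{HOME}/local"` variant that only the git user and root can change. If enabling it is intentional, a one-line comment above it such as `# enabled on purpose: site-local hooks/commands live in gitolite-admin/local` would document the decision. The hunk also keeps `'daemon'` and `'gitweb'` enabled, which will write `git-daemon-export-ok` files and `projects.list`; presumably wanted given the cgit setup in this role, but worth confirming.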
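Review bot: Dropping `-s {{ git.user.shell }}` from the `pw useradd` command creates the git user with the system default login shell, which gitolite relies on because it is invoked through the forced `command=` entries it writes to `~/.ssh/authorized_keys` rather than as the login shell; from now on any key placed in that file outside the gitolite-managed block grants an interactive shell. A comment above the command, e.g. `# no -s: gitolite needs a real login shell; SSH access is limited by the forced commands it manages in authorized_keys`, would keep a later maintainer from re-adding git-shell or hand-editing the key file. Removing the `add ssh keys` task also drops the only path by which the keys under the old `git.user.ssh_keydir` reached the server, so those public keys now have to be committed to `keydir/` in gitolite-admin, a migration the commit message does not mention. The `pw useradd` command itself starts above this hunk.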
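Review bot: The task that copies `git-shell-commands/` into the git user's home is kept, but git-shell only consults `~/git-shell-commands` when it is the login shell, and the previous hunk stops using git-shell as that user's shell, so this now looks like leftover configuration. If it is intentionally kept, a comment such as `# git-shell-commands is not used for logins once gitolite is installed; kept for ...` should say why; otherwise the task and `roles/git/files/git-shell-commands/` can go in a follow-up. The `mode: 0755` that now sits under `copy:` applies to every file and directory in the copied tree, which presumably matches what the removed recursive `file` task did; quoting it as `mode: "0755"` keeps it a string across YAML loaders. The task's `name:` line is above the hunk.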
@@ -97,6 +82,61 @@ owner: "{{ git.user.name }}" group: "{{ git.user.name }}" +# +# gitolite +# + +- name: gitolite - copy the admin ssh key to the server + copy: + src: "{{ ansible_ssh_private_key_file }}.pub" + dest: "{{ git.user.home }}/admin.pub" + mode: 0644 + tags: gitolite + +- name: gitolite - setup + become_user: "{{ git.user.name }}" + command: gitolite setup -pk "{{ git.user.home }}/admin.pub" + args: + chdir: "{{ git.user.home }}" + creates: "{{ git.user.home }}/.gitolite.rc" + tags: gitolite + +- name: gitolite - copy config + copy: + src: gitolite.rc + dest: "{{ git.user.home }}/.gitolite.rc" + mode: 0644 + tags: gitolite + +- name: (local) gitolite - check local admin repo existence + become: false + stat: + path: "{{ playbook_dir }}/gitolite-admin" + delegate_to: localhost + register: stat_result + tags: gitolite + +- name: (local) gitolite - clone admin repo to local + become: false + command: > + env GIT_SSH_COMMAND="ssh -F /dev/null -p {{ ansible_ssh_port }} -i {{ ansible_ssh_private_key_file }} -o IdentitiesOnly=yes" + git clone + "{{ git.user.name }}@{{ domains[0].name }}:gitolite-admin.git" + "{{ playbook_dir }}/gitolite-admin" + delegate_to: localhost + when: not stat_result.stat.exists + tags: gitolite + +- name: (local) gitolite - note about the push command + become: false + copy: + content: > + env GIT_SSH_COMMAND="ssh -F /dev/null -p {{ ansible_ssh_port }} -i {{ ansible_ssh_private_key_file }} -o IdentitiesOnly=yes" + git push + dest: "{{ playbook_dir }}/gitolite-admin/GIT_PUSH_CMD.sh" + delegate_to: localhost + tags: gitolite + # # cgit # -- cgit v1.2.2
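Review bot: The `copy` tasks for `admin.pub` and `.gitolite.rc` set only `mode:`, unlike the task whose `owner:`/`group:` lines open this hunk, so when the play runs with privilege escalation both files are created in the git user's home owned by the escalated user; add `owner: "{{ git.user.name }}"` and `group: "{{ git.user.name }}"` to both so the git user owns what gitolite reads and may rewrite. Overwriting `.gitolite.rc` after `gitolite setup` has run (the `creates:` guard keeps setup from running again) does not re-run setup, so later rc edits that change hooks or enabled features presumably need a handler that runs `gitolite setup` as the git user; confirm against the gitolite rc documentation. `GIT_PUSH_CMD.sh` is written into the admin repo's working tree without an executable `mode:` and with the local private-key path embedded, so it shows up as an untracked file in every commit made from that clone; writing it next to the clone, or listing it in the clone's `.git/info/exclude`, avoids that. `ansible_ssh_port`, used in both `GIT_SSH_COMMAND` strings, is not defined anywhere in this diff, so it is presumably set in inventory; if it is not, the clone task fails on an undefined variable.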