authorJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-14 23:04:46 +0100
committerJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-14 23:04:46 +0100
commit7f375b8097e7a44cc5924bf1cee5159593cbe0eb (patch)
treecc1be9bcbd64aa4f7f2d6b2cd1c04949b9c8c9a8
parent5262aab814e41005562f44d76e6de8be125199a4 (diff)
downloadansible-memzero-7f375b8097e7a44cc5924bf1cee5159593cbe0eb.tar.gz
ansible-memzero-7f375b8097e7a44cc5924bf1cee5159593cbe0eb.zip
git: add role to build and start gitolite-cgit
This contains a role to build and start a gitolite-cgit container. Additionally it installs a firewall rule to open the gitolite sshd port.
-rw-r--r--memzero.yml1
-rw-r--r--roles/git/files/gitolite-cgit/Dockerfile25
-rwxr-xr-xroles/git/files/gitolite-cgit/entrypoint.sh43
-rw-r--r--roles/git/files/gitolite-cgit/etc/cgit.conf14
-rw-r--r--roles/git/files/gitolite-cgit/etc/cgitrc32
-rw-r--r--roles/git/files/gitolite-cgit/etc/gitolite.rc202
-rw-r--r--roles/git/files/gitolite-cgit/etc/sshd_config14
-rw-r--r--roles/git/tasks/main.yml40
8 files changed, 371 insertions, 0 deletions
diff --git a/memzero.yml b/memzero.yml
index a48a4c4..b6a6f73 100644
--- a/memzero.yml
+++ b/memzero.yml
@@ -14,5 +14,6 @@
roles:
- sshd
- packages
+ - git
- baikal
- webserver
diff --git a/roles/git/files/gitolite-cgit/Dockerfile b/roles/git/files/gitolite-cgit/Dockerfile
new file mode 100644
index 0000000..509a611
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/Dockerfile
@@ -0,0 +1,25 @@
+FROM alpine:latest
+
+RUN apk add --update-cache --upgrade --no-cache --purge \
+ gitolite openssh \
+ cgit nginx fcgiwrap spawn-fcgi \
+ py3-markdown py3-pygments \
+ && rm -rf /var/cache/apk
+
+VOLUME /var/lib/git
+EXPOSE 22 80
+
+# -- sshd
+COPY etc/sshd_config /etc/ssh/sshd_config
+
+# -- nginx
+COPY etc/cgit.conf /etc/nginx/http.d
+
+# -- cgit
+COPY etc/cgitrc /etc/cgitrc
+
+# -- gitolite
+COPY etc/gitolite.rc /etc/gitolite.rc
+
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
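Review bot: `FROM alpine:latest` is unpinned, and the role rebuilds this image with `force: true` on every run, so each rebuild may silently pull a different Alpine release with different package versions, which makes the deployed image non-reproducible and hard to audit. Pin the base to a specific tag, or better a digest, e.g. `FROM alpine:<pinned-version>` (optionally `@sha256:<digest>`), and bump it deliberately. In the apk line, `--no-cache` already avoids writing an index cache, so `--update-cache` and the trailing `rm -rf /var/cache/apk` appear redundant; `RUN apk add --no-cache --upgrade \` followed by the package list is sufficient.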
diff --git a/roles/git/files/gitolite-cgit/entrypoint.sh b/roles/git/files/gitolite-cgit/entrypoint.sh
new file mode 100755
index 0000000..905bf97
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/entrypoint.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Fixup permissions.
+chown git:git -R /var/lib/git
+# Ensure password is set for git user (required for gitolite).
+echo "git:$(head -c 16 /dev/urandom | base64)" | chpasswd
+
+# -- SETUP: gitolite -----------------------------------------------------------
+
+if [ ! -f /var/lib/git/.gitolite.rc ]; then
+ cp /etc/gitolite.rc /var/lib/git/.gitolite.rc
+ chown git:git /var/lib/git/.gitolite.rc
+fi
+
+if [ ! -f /var/lib/git/.ssh/authorized_keys ]; then
+ if [ -z ${SSH_KEY} ]; then
+ echo "ERROR: Must pass admin key ass SSH_KEY!"
+ exit 1
+ fi
+
+ echo "${SSH_KEY}" > /tmp/admin.pub
+ su - git -c 'gitolite setup --pubkey /tmp/admin.pub'
+ rm -f /tmp/admin.pub
+else
+ su - git -c 'gitolite setup'
+fi
+
+# -- SETUP: sshd ---------------------------------------------------------------
+
+# Generate ssh host keys (nop if keys already exist).
+ssh-keygen -A
+
+# -- SETUP: nginx --------------------------------------------------------------
+
+rm -f /etc/nginx/http.d/default.conf
+
+# -- Launch processes ----------------------------------------------------------
+
+spawn-fcgi -s /run/fcgiwrap.sock -U nginx -- /usr/bin/fcgiwrap
+nginx
+
+# Start sshd non-detached.
+/usr/sbin/sshd -D
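Review bot: The admin-key test `if [ -z ${SSH_KEY} ]; then` leaves the variable unquoted, and an OpenSSH public key contains spaces, so when the key is set the test expands to several words and `[` fails with "too many arguments" instead of evaluating to false; write `if [ -z "${SSH_KEY}" ]; then` (the message on the next line also reads `ass SSH_KEY` where `as SSH_KEY` is meant). Further down, `spawn-fcgi -s /run/fcgiwrap.sock -U nginx -- /usr/bin/fcgiwrap` only makes nginx the owner of the socket (`-U`); the fcgiwrap process, and therefore cgit.cgi, keeps the uid of the entrypoint, which is root, so the web-facing CGI runs with full privileges inside the container. Dropping privileges needs `-u`/`-g` (for example `-u git -g git`), and if a user other than git is chosen, the `UMASK => 0077` in the gitolite.rc hunk of this commit must be relaxed (e.g. 0027 with that user in the git group) or cgit will be unable to read the repositories. Since the script has no `set -e`, a failed `gitolite setup` does not prevent sshd from starting; consider `set -e` directly after the shebang.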
diff --git a/roles/git/files/gitolite-cgit/etc/cgit.conf b/roles/git/files/gitolite-cgit/etc/cgit.conf
new file mode 100644
index 0000000..84b6716
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/etc/cgit.conf
@@ -0,0 +1,14 @@
+server {
+ listen 80 default_server;
+
+ root /usr/share/webapps/cgit;
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+}
diff --git a/roles/git/files/gitolite-cgit/etc/cgitrc b/roles/git/files/gitolite-cgit/etc/cgitrc
new file mode 100644
index 0000000..e60b893
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/etc/cgitrc
@@ -0,0 +1,32 @@
+# cgitrc(5)
+
+root-title=git.memzero.de
+root-desc=private git repostitory
+
+virtual-root=/
+
+enable-blame=1
+enable-git-config=1
+enable-http-clone=1
+enable-commit-graph=1
+enable-index-links=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+snapshots=tar.gz zip
+
+# -- Cosmetics
+
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+remove-suffix=1
+section-from-path=1
+
+# -- Repositories
+#
+# Scan *scan-path* for repositories. Since *project-list* is specified before,
+# only look for paths from the project list relative to the scan path.
+
+project-list=/var/lib/git/projects.list
+scan-path=/var/lib/git/repositories
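Review bot: `root-desc=private git repostitory` is rendered as the site description on every cgit page and contains a typo; change it to `root-desc=private git repository`. The ordering of the repository section is right as written: the comment above it explains that `project-list` must precede `scan-path`, and the hunk keeps that order.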
diff --git a/roles/git/files/gitolite-cgit/etc/gitolite.rc b/roles/git/files/gitolite-cgit/etc/gitolite.rc
new file mode 100644
index 0000000..c69fdda
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/etc/gitolite.rc
@@ -0,0 +1,202 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0077,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => '.*',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ #'perms',
+ #'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ #'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/roles/git/files/gitolite-cgit/etc/sshd_config b/roles/git/files/gitolite-cgit/etc/sshd_config
new file mode 100644
index 0000000..b6da391
--- /dev/null
+++ b/roles/git/files/gitolite-cgit/etc/sshd_config
@@ -0,0 +1,14 @@
+# sshd_config(5)
+
+AuthorizedKeysFile .ssh/authorized_keys
+
+PermitRootLogin no
+PubkeyAuthentication yes
+HostbasedAuthentication yes
+IgnoreUserKnownHosts no
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
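Review bot: `HostbasedAuthentication yes` enables an authentication method gitolite does not use; gitolite identifies users solely through the public keys it writes into `.ssh/authorized_keys`, and host-based trust (keyed on the client host's key plus shosts.equiv/.shosts files) widens the authentication surface of a port published on 2222 for no benefit. Set `HostbasedAuthentication no` (the OpenSSH default), after which `IgnoreUserKnownHosts no` has no effect and can go too. Since only the git account should ever log in here, adding `AllowUsers git` restricts sshd to that account regardless of which other accounts exist in the image.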
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
new file mode 100644
index 0000000..0557615
--- /dev/null
+++ b/roles/git/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Copy container build files
+ ansible.builtin.copy:
+ src: gitolite-cgit
+ dest: "{{ DATA_ROOT }}/git"
+ owner: "{{ USER }}"
+ group: "{{ USER }}"
+ mode: preserve
+
+- name: Build gitolite cgit image
+ containers.podman.podman_image:
+ name: gitolite-cgit
+ path: "{{ DATA_ROOT }}/git/gitolite-cgit"
+ force: true
+ register: cgito_build
+
+- name: Gitolite cgit
+ containers.podman.podman_container:
+ name: cgito
+ image: gitolite-cgit
+ network: "{{ NETWORK }}"
+ ports:
+ - "2222:22"
+ env:
+ SSH_KEY: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/memzero.pub') }}"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/git/repos:/var/lib/git:Z"
+ recreate: "{{ cgito_build.changed }}"
+ notify: Restart nginx
+
+- name: Open port for gitolite ssh port
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ match: tcp
+ destination_port: 2222
+ jump: ACCEPT
+ comment: Accept gitolite SSH connections.
+ become: true
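Review bot: The firewall task appends an ACCEPT rule to INPUT via ansible.builtin.iptables, which neither persists the rule across a reboot nor controls its position; if the chain ends in a catch-all REJECT/DROP rule, as it does on most hardened hosts, an appended rule is never reached. Use `action: insert` with an explicit `rule_num`, and make sure the rule is saved by whatever mechanism the host already uses for its other rules (possibly the sshd role — not visible here). The `notify: Restart nginx` on the container task relies on a handler defined in another role of the play; this commit adds no handlers file, so it is worth confirming the webserver role provides one with exactly that name.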