Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/hostclass/git_server | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/scripts/hostclass/git_server b/scripts/hostclass/git_server
new file mode 100644
index 0000000..c7ac63d
--- /dev/null
+++ b/scripts/hostclass/git_server
@@ -0,0 +1,163 @@
+#!/bin/sh
+
+: ${git_public_fqdn:="$fqdn"}
+: ${git_basic_auth:='on'}
+: ${gitolite_username:='s-gitolite'}
+: ${gitolite_access_role:='gitolite-access'}
+: ${gitolite_admin_role:='gitolite-admin'}
+: ${cgit_clone_urls:="https://${fqdn} ssh://git@${fqdn}"}
+: ${cgit_root_title:="${site} Git Repo"}
+: ${cgit_root_desc:="Source code for various ${site} projects."}
+: ${cgit_pygments_style:='xcode'}
+: ${cgit_cache_size:='16000'}
+
+gitolite_dn="uid=${gitolite_username},${robots_basedn}"
+git_keytab="${keytab_dir}/nginx.keytab"
+git_https_cert="${nginx_conf_dir}/git.crt"
+git_https_key="${nginx_conf_dir}/git.key"
+gitolite_home=/usr/local/git
+gitolite_client_keytab="${keytab_dir}/gitolite.client.keytab"
+gitolite_fcgiwrap_socket=/var/run/fcgiwrap/gitolite.sock
+cgit_cache_dir=/var/cache/cgit
+cgit_fcgiwrap_socket=/var/run/fcgiwrap/cgit.sock
+cgit_webroot=/usr/local/www/cgit
+
+# Install packages.
+pkg install -y \
+ python \
+ nginx \
+ cgit \
+ gitolite \
+ fcgiwrap \
+ py${python_version}-pygments \
+ py${python_version}-docutils \
+ py${python_version}-markdown
+
+# Create ZFS dataset for gitolite repositories.
+create_dataset -o "mountpoint=${gitolite_home}" "${state_dataset}/git"
+zfs set \
+ com.sun:auto-snapshot:hourly=true \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ com.sun:auto-snapshot:monthly=true \
+ "${state_dataset}/git"
+
+# Set ownership on gitolite dataset.
+install_directory -o "$gitolite_local_user" -g "$gitolite_local_user" -m 0700 "$gitolite_home"
+
+# Add www user to git group, so it can read git repositories.
+pw groupmod "$gitolite_local_user" -m "$nginx_user"
+
+# Create gitolite principal and keytab.
+ldap_add "$gitolite_dn" <<EOF
+objectClass: account
+uid: ${gitolite_username}
+EOF
+add_principal -nokey -x "dn=${gitolite_dn}" "$gitolite_username"
+
+ktadd -k "$gitolite_client_keytab" "$gitolite_username"
+chgrp "$gitolite_local_user" "$gitolite_client_keytab"
+chmod 640 "$gitolite_client_keytab"
+
+gitolite_uid=$(id -u "$gitolite_local_user")
+install_directory -o "$gitolite_local_user" -m 0700 "/var/krb5/user/${gitolite_uid}"
+ln -snfv "$gitolite_client_keytab" "/var/krb5/user/${gitolite_uid}/client.keytab"
+
+# Generate gitolite configuration.
+install_directory -o "$gitolite_local_user" -g "$gitolite_local_user" -m 0750 \
+ "$gitolite_home" \
+ "${gitolite_home}/.gitolite" \
+ "${gitolite_home}/.gitolite/conf" \
+ "${gitolite_home}/.gitolite/logs"
+install_file -o "$gitolite_local_user" -g "$gitolite_local_user" -m 0600 "${gitolite_home}/.gitolite.rc"
+
+[ -f "${gitolite_home}/.gitolite/conf/gitolite.conf" ] \
+ || install_template -o "$gitolite_local_user" -g "$gitolite_local_user" -m 0640 "${gitolite_home}/.gitolite/conf/gitolite.conf"
+
+[ -f "${gitolite_home}/.gitolite/conf/gitolite.conf-compiled.pm" ] \
+ || su "$gitolite_local_user" -c 'gitolite setup'
+
+install_file -m 0555 \
+ /usr/local/libexec/gitolite-grouplist \
+ /usr/local/libexec/gitolite-authorizedkeys
+
+# Generate cgit configuration.
+install_template -m 0644 /usr/local/etc/cgitrc
+install_template -m 0555 /usr/local/lib/cgit/filters/syntax-highlighting-custom.py
+
+# Create cgit cache directory.
+install_directory -o root -g "$nginx_user" -m 0770 "$cgit_cache_dir"
+
+# Copy custom assets.
+install_file -m 0644 \
+ "${cgit_webroot}/custom-style.css" \
+ "${cgit_webroot}/custom-favicon.ico" \
+ "${cgit_webroot}/custom-logo.png" \
+ "${cgit_webroot}/custom-robots.txt" \
+ "${cgit_webroot}/custom-head-include.html" \
+ "${cgit_webroot}/custom-header.html"
+
+# Generate nginx configuration.
+install_file -m 0644 /usr/local/etc/nginx/fastcgi_params
+install_template -m 0644 /usr/local/etc/nginx/nginx.conf
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
+sysrc -v nginx_enable=YES
+service nginx restart
+
+if [ "$git_public_fqdn" != "$fqdn" ]; then
+ # Acquire public TLS certificate.
+ install_template -m 0600 /usr/local/etc/sudoers.d/acme
+ acme_install_certificate \
+ -g "$nginx_user" \
+ -r 'sudo service nginx reload' \
+ nginx \
+ "$git_public_fqdn"
+else
+ # Copy local TLS certificate for nginx.
+ install_certificate -m 0644 nginx "$git_https_cert"
+ install_certificate_key -m 0600 nginx "$git_https_key"
+fi
+
+# Generate nginx vhosts (once certificate is acquired).
+install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+service nginx restart
+
+# Create HTTP principal and keytab.
+nginx_uid=$(id -u "$nginx_user")
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+ktadd -k "$git_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$git_keytab"
+chmod 640 "$git_keytab"
+install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
+ln -snfv "$git_keytab" "/var/krb5/user/${nginx_uid}/keytab"
+
+# Generate sshd configuration.
+install_template -m 0600 /usr/local/etc/ssh/sshd_config.d/gitolite.conf
+
+# Enable and start daemons.
+sysrc -v \
+ fcgiwrap_enable=YES \
+ fcgiwrap_profiles+='cgit gitolite' \
+ fcgiwrap_cgit_flags='-f' \
+ fcgiwrap_cgit_user="$nginx_user" \
+ fcgiwrap_cgit_group="$nginx_user" \
+ fcgiwrap_cgit_socket_owner="$nginx_user" \
+ fcgiwrap_cgit_socket_group="$nginx_user" \
+ fcgiwrap_cgit_socket="unix:${cgit_fcgiwrap_socket}" \
+ fcgiwrap_gitolite_flags='-f' \
+ fcgiwrap_gitolite_user="$gitolite_local_user" \
+ fcgiwrap_gitolite_group="$gitolite_local_user" \
+ fcgiwrap_gitolite_socket_owner="$nginx_user" \
+ fcgiwrap_gitolite_socket_group="$nginx_user" \
+ fcgiwrap_gitolite_socket="unix:${gitolite_fcgiwrap_socket}"
+
+service fcgiwrap restart
+service openssh restart
+
+# Create access role.
+for role in "$gitolite_access_role" "$gitolite_admin_role"; do
+ ldap_add "cn=${role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${role}
+EOF
+done |
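Review bot: The gitolite client keytab ends up readable by the web server account: `pw groupmod "$gitolite_local_user" -m "$nginx_user"` adds the nginx user to the gitolite group, and the keytab is then handed to that same group with `chgrp "$gitolite_local_user"` and `chmod 640`. The cgit fcgiwrap profile also runs as `$nginx_user`, so a flaw in cgit or its filters could expose the key for the `$gitolite_username` principal, assuming `${keytab_dir}` is traversable by that user (its permissions are not visible here). If only the gitolite account needs the key, replace those two lines with `chown "$gitolite_local_user" "$gitolite_client_keytab"` and `chmod 600 "$gitolite_client_keytab"`. Separately, `$gitolite_local_user` has no default in this file, unlike `gitolite_username`, so it presumably comes from the sourcing framework; a `: "${gitolite_local_user:?}"` guard near the top would stop the ownership and `pw groupmod` calls from running with an empty name.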