author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/gitolite/tasks | |
initial commit
Diffstat (limited to 'roles/gitolite/tasks')
-rw-r--r-- | roles/gitolite/tasks/freeipa.yml | 49 | ||||
-rw-r--r-- | roles/gitolite/tasks/main.yml | 119 | ||||
-rw-r--r-- | roles/gitolite/tasks/sshd.yml | 24 |
3 files changed, 192 insertions, 0 deletions
diff --git a/roles/gitolite/tasks/freeipa.yml b/roles/gitolite/tasks/freeipa.yml
new file mode 100644
index 0000000..f94b9e0
--- /dev/null
+++ b/roles/gitolite/tasks/freeipa.yml
@@ -0,0 +1,49 @@
+- name: create service account
+  ipauser:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ gitolite_freeipa_user }}'
+    loginshell: /sbin/nologin
+    homedir: '{{ gitolite_home }}'
+    givenname: Gitolite
+    sn: Service Account
+    state: present
+  run_once: True
+
+- name: retrieve user keytab
+  include_role:
+    name: freeipa_keytab
+  vars:
+    keytab_principal: '{{ gitolite_freeipa_user }}'
+    keytab_path: '{{ gitolite_keytab }}'
+
+- name: configure gssproxy for kerberized LDAP
+  include_role:
+    name: gssproxy_client
+  vars:
+    gssproxy_priority: 51
+    gssproxy_name: gitolite
+    gssproxy_section: service/gitolite
+    gssproxy_client_keytab: '{{ gitolite_keytab }}'
+    gssproxy_cred_usage: initiate
+    gssproxy_euid: '{{ gitolite_user }}'
+
+- name: create admin group
+  ipagroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ gitolite_admin_group }}'
+    description: gitolite admins
+    nonposix: yes
+    state: present
+  run_once: True
+
+- name: create access group
+  ipagroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ gitolite_access_group }}'
+    description: gitolite users
+    nonposix: yes
+    state: present
+  run_once: True
diff --git a/roles/gitolite/tasks/main.yml b/roles/gitolite/tasks/main.yml
new file mode 100644
index 0000000..8226557
--- /dev/null
+++ b/roles/gitolite/tasks/main.yml
@@ -0,0 +1,119 @@
+- name: install gitolite
+  dnf:
+    name: '{{ gitolite_packages }}'
+    state: present
+
+- import_tasks: freeipa.yml
+
+- name: disable gitolite user
+  user:
+    name: gitolite3
+    shell: /sbin/nologin
+
+- name: get apache uid
+  getent:
+    database: passwd
+    key: '{{ gitolite_user }}'
+
+- name: create git ssh user
+  user:
+    name: '{{ gitolite_ssh_user }}'
+    comment: Git Pseudo-User
+    uid: '{{ ansible_facts.getent_passwd[gitolite_user][1] }}'
+    group: '{{ gitolite_user }}'
+    home: '{{ gitolite_home }}'
+    create_home: no
+    non_unique: yes
+    shell: '{{ gitolite_shell }}'
+
+- name: create git home
+  file:
+    path: '{{ gitolite_home }}'
+    mode: 0750
+    owner: '{{ gitolite_user }}'
+    group: '{{ gitolite_user }}'
+    state: directory
+    setype: _default
+
+- name: copy gitolite wrapper script
+  template:
+    src: '{{ gitolite_cgi_script[1:] }}.j2'
+    dest: '{{ gitolite_cgi_script }}'
+    mode: 0555
+    setype: httpd_unconfined_script_exec_t
+  tags: selinux
+
+- name: set unconfined selinux context on gitolite wrapper
+  sefcontext:
+    target: '{{ gitolite_cgi_script }}'
+    setype: httpd_unconfined_script_exec_t
+    state: present
+  tags: selinux
+  register: gitolite_cgi_sefcontext
+
+- name: apply selinux context to gitolite wrapper
+  command: 'restorecon -R {{ gitolite_cgi_script }}'
+  when: gitolite_cgi_sefcontext.changed
+  tags: selinux
+
+- name: generate gitolite scripts
+  template:
+    src: '{{ item[1:] }}.j2'
+    dest: '{{ item }}'
+    mode: 0555
+  loop:
+    - '{{ gitolite_groups_script }}'
+    - '{{ gitolite_authorizedkeys_script }}'
+
+- import_tasks: sshd.yml
+
+- name: create SELinux policy for gitolite
+  include_role:
+    name: selinux_policy
+    apply:
+      tags: selinux
+  vars:
+    selinux_policy_name: gitolite_sshd_httpd
+    selinux_policy_te: '{{ gitolite_selinux_policy_te }}'
+  tags: selinux
+
+- name: generate gitolite.rc
+  template:
+    src: '{{ gitolite_home[1:] }}/.gitolite.rc.j2'
+    dest: '{{ gitolite_home }}/.gitolite.rc'
+    owner: '{{ gitolite_user }}'
+    group: '{{ gitolite_user }}'
+    mode: 0600
+    setype: _default
+
+- name: create gitolite config directories
+  file:
+    path: '{{ gitolite_home }}/{{ item }}'
+    state: directory
+    owner: '{{ gitolite_user }}'
+    group: '{{ gitolite_user }}'
+    mode: 0750
+    setype: _default
+  loop:
+    - .gitolite
+    - .gitolite/conf
+    - .gitolite/logs
+
+- name: create initial gitolite.conf
+  template:
+    src: '{{ gitolite_home[1:] }}/.gitolite/conf/gitolite.conf.j2'
+    dest: '{{ gitolite_home }}/.gitolite/conf/gitolite.conf'
+    owner: '{{ gitolite_user }}'
+    group: '{{ gitolite_user }}'
+    mode: 0640
+    force: no
+
+- name: initialize gitolite
+  command:
+    cmd: gitolite setup
+    chdir: '{{ gitolite_home }}'
+    creates: '{{ gitolite_home }}/.gitolite/conf/gitolite.conf-compiled.pm'
+  environment:
+    HOME: '{{ gitolite_home }}'
+  become: yes
+  become_user: '{{ gitolite_user }}'
diff --git a/roles/gitolite/tasks/sshd.yml b/roles/gitolite/tasks/sshd.yml
new file mode 100644
index 0000000..37a74e4
--- /dev/null
+++ b/roles/gitolite/tasks/sshd.yml
@@ -0,0 +1,24 @@
+# TODO: ssh_config.d is included by default starting with EL9
+- name: create sshd config directory
+  file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+
+- name: add sshd include directive
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: Include sshd_config.d/*
+    insertafter: EOF
+
+- name: generate sshd configuration for gitolite
+  template:
+    src: etc/ssh/sshd_config.d/gitolite.conf.j2
+    dest: /etc/ssh/sshd_config.d/gitolite.conf
+  notify: restart sshd
+
+- name: allow sshd to query ldap
+  seboolean:
+    name: authlogin_nsswitch_use_ldap
+    state: yes
+    persistent: yes
+  tags: selinux |
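Review bot: `ipa_pass` is handed to all four IPA tasks as a plain module argument with no task-level `no_log: true`; the ansible-freeipa modules mark `ipaadmin_password` no_log in their own argspec as far as I know, but the task-level flag also covers failure output and third-party callback plugins, and it records that the value is a secret for whoever reads the role next. The same least-privilege question applies to whatever principal `ipa_user` names: if it is the realm `admin`, a delegated role limited to user and group management would satisfy these four tasks with far less blast radius. Also, `run_once: True` and `nonposix: yes` should be spelled `true` (yamllint truthy rule); Ansible accepts both, but mixing spellings within one role is avoidable noise.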
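Review bot: The `copy gitolite wrapper script` and `sefcontext` tasks label the CGI `httpd_unconfined_script_exec_t`, so the web-reachable entry point runs with no SELinux confinement, and `create git ssh user` gives the SSH pseudo-user the apache uid via `non_unique: yes`; together the HTTP and SSH paths collapse into one security domain, leaving gitolite's own ACL as the only boundary between them. That may be the intended trade-off, but it should be stated in the role, e.g. above the wrapper task: `# NOTE: unconfined label + shared apache uid mean httpd and sshd git access share one domain; gitolite's ACL is the only boundary`. Since the role already builds a custom module (`gitolite_sshd_httpd`, whose source `gitolite_selinux_policy_te` is outside this hunk), it is worth checking whether a confined domain transition can replace the unconfined label. Separately, quote the octal modes (`mode: '0750'`, `'0555'`, `'0600'`, `'0640'`): Ansible accepts the leading-zero integer form, but ansible-lint's risky-octal rule and YAML 1.2 parsers do not agree on it.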
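Review bot: The `add sshd include directive` task appends `Include sshd_config.d/*` at EOF, where it is mostly inert: sshd takes the first occurrence of a keyword, so any directive already set in the stock sshd_config wins over the gitolite drop-in, and if the main file ends in a `Match` block the included lines are parsed inside that block's context. Putting the include first and using the EL9 spelling fixes both and likely resolves the TODO, since lineinfile will then match the stock EL9 line instead of adding a duplicate: `line: Include /etc/ssh/sshd_config.d/*.conf` with `insertbefore: BOF` (and drop `insertafter: EOF`); the `*.conf` glob also stops editor backups and temp files from being loaded as sshd config. The directory task sets no ownership or mode, so it inherits the umask; add `mode: '0700'`, `owner: root`, `group: root` to match what EL9 ships. Finally, `notify: restart sshd` is only on the template task and a broken drop-in locks out SSH, so the lineinfile task should notify too and the template should carry `validate: /usr/sbin/sshd -t -f %s`, with the caveat that validating the fragment alone will not catch directives that are wrong only in context.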