Diffstat (limited to 'roles/gitolite/templates')
6 files changed, 136 insertions, 0 deletions
diff --git a/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2 b/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2
new file mode 100644
index 0000000..38da41f
--- /dev/null
+++ b/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2
@@ -0,0 +1,4 @@
+Match User {{ gitolite_ssh_user }}
+ AuthenticationMethods "publickey"
+ AuthorizedKeysCommand {{ gitolite_authorizedkeys_script }}
+ AuthorizedKeysCommandUser {{ gitolite_user }}
diff --git a/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2
new file mode 100644
index 0000000..23bfee9
--- /dev/null
+++ b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2
@@ -0,0 +1,37 @@
+#!/usr/libexec/platform-python
+
+import os
+import ldap
+import ldap.sasl
+import ldap.filter
+
+GITOLITE_ACCESS_GROUP = '{{ gitolite_access_group }}'
+GITOLITE_ADMIN_GROUP = '{{ gitolite_admin_group }}'
+GITOLITE_SHELL = '{{ gitolite_shell }}'
+
+LDAP_URI = '{{ freeipa_ldap_uri }}'
+USER_BASEDN = '{{ freeipa_user_basedn }}'
+GROUP_BASEDN = '{{ freeipa_group_basedn }}'
+
+GITOLITE_KEY_TEMPLATE = 'command="{shell} {uid}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {pubkey}'
+
+os.environ['GSS_USE_PROXY'] = 'yes'
+conn = ldap.initialize(LDAP_URI)
+conn.protocol_version = ldap.VERSION3
+conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI'))
+
+filter = ldap.filter.filter_format(
+ '(&(ipaSshPubKey=*)(|(memberOf=cn=%s,%s)(memberOf=cn=%s,%s)))',
+ [GITOLITE_ADMIN_GROUP, GROUP_BASEDN, GITOLITE_ACCESS_GROUP, GROUP_BASEDN])
+
+results = conn.search_s(
+ USER_BASEDN,
+ ldap.SCOPE_SUBTREE,
+ filter,
+ ['uid', 'ipaSshPubKey'])
+
+for (dn, attributes) in results:
+ uid = attributes['uid'][0].decode('utf-8')
+ for pubkey in [pk.decode('utf-8') for pk in attributes['ipaSshPubKey']]:
+ if pubkey.startswith('ssh-'):
+ print(GITOLITE_KEY_TEMPLATE.format(shell=GITOLITE_SHELL, uid=uid, pubkey=pubkey))
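Review bot: The Match block points key lookup at the LDAP script but leaves sshd's default `AuthorizedKeysFile` in force, so a file dropped into the gitolite user's `~/.ssh/authorized_keys` (by anything that can write to that home, including the gitolite user itself) still grants login with no group check and no forced command. Add `AuthorizedKeysFile none` inside the Match block so the command is the only key source for that account. The command is configured without `%u`/`%k` arguments, so the script prints every group member's key on each attempt and sshd selects the matching one; that is fine, but worth a line such as `# script emits all LDAP keys; sshd matches the presented one` so nobody "optimises" it into a per-user lookup without the forced-command template.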
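Review bot: The last loop interpolates `uid` and `pubkey` straight from LDAP into an authorized_keys line, so a uid containing a double quote or whitespace breaks out of the `command="..."` option, and an `ipaSshPubKey` value containing a newline yields an extra key line with no restrictions at all; FreeIPA normally constrains uid characters, but an sshd key source should not rely on a directory-side validation rule it cannot see. Tightening the loop also fixes the `startswith('ssh-')` filter, which silently drops `ecdsa-sha2-*` and FIDO `sk-*` keys that FreeIPA accepts. The sketch below needs `import re` added to the import block; the `filter` local also shadows the builtin and would read better as `search_filter`. A short LDAP timeout (`conn.set_option(ldap.OPT_NETWORK_TIMEOUT, ...)`) would keep an unreachable directory from holding every SSH authentication for the full LoginGraceTime, but that is a separate change.
```python
UID_RE = re.compile(r'[A-Za-z0-9_.-]+')
KEY_TYPES = ('ssh-', 'ecdsa-sha2-', 'sk-')
# … unchanged: constants, GSSAPI bind and LDAP search …
for (dn, attributes) in results:
    uid = attributes['uid'][0].decode('utf-8')
    if not UID_RE.fullmatch(uid):
        continue  # a quote or blank in uid would break out of command="..."
    for pubkey in [pk.decode('utf-8') for pk in attributes['ipaSshPubKey']]:
        fields = pubkey.split()  # also removes any embedded newline/CR
        if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
            continue
        print(GITOLITE_KEY_TEMPLATE.format(shell=GITOLITE_SHELL, uid=uid, pubkey=' '.join(fields)))
```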
diff --git a/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2 b/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2
new file mode 100644
index 0000000..2060620
--- /dev/null
+++ b/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2
@@ -0,0 +1,42 @@
+#!/usr/libexec/platform-python
+
+import os
+import sys
+import ldap
+import ldap.sasl
+import ldap.filter
+
+LDAP_URI = '{{ freeipa_ldap_uri }}'
+USER_BASEDN = '{{ freeipa_user_basedn }}'
+GROUP_BASEDN = '{{ freeipa_group_basedn }}'
+
+if len(sys.argv) != 2:
+ sys.exit('must specify one username')
+
+if sys.argv[1] == 'nobody':
+ exit(0)
+
+os.environ['GSS_USE_PROXY'] = 'yes'
+conn = ldap.initialize(LDAP_URI)
+conn.protocol_version = ldap.VERSION3
+conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI'))
+
+user = conn.search_s(
+ USER_BASEDN,
+ ldap.SCOPE_SUBTREE,
+ ldap.filter.filter_format('uid=%s', [sys.argv[1]]),
+ ['memberOf'])
+
+if not user:
+ exit(1)
+
+groups = []
+
+for group_dn in [ldap.dn.explode_dn(dn) for dn in user[0][1]['memberOf']]:
+ if ','.join(group_dn[1:]) == GROUP_BASEDN:
+ rdn = ldap.dn.str2dn(group_dn[0])[0][0]
+ if rdn[0] == 'cn':
+ # replace whitespace with underscore
+ groups.append('_'.join(rdn[1].split()))
+
+print(' '.join(groups))
diff --git a/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2 b/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2
new file mode 100644
index 0000000..38dc426
--- /dev/null
+++ b/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Strip realm from REMOTE_USER.
+# This is a hack around GssapiLocalName not working on RHEL 8:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1787630
+if [ -v REMOTE_USER ]; then
+ export REMOTE_USER=${REMOTE_USER%@*}
+fi
+
+export GIT_PROJECT_ROOT='{{ gitolite_home }}/repositories'
+export GITOLITE_HTTP_HOME='{{ gitolite_home }}'
+export GIT_HTTP_EXPORT_ALL=1
+
+exec {{ gitolite_shell }}
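Review bot: `user[0][1]['memberOf']` raises KeyError for a user who exists but belongs to no group, because the attribute is then absent from the returned entry, so gitolite gets a traceback and a non-zero exit instead of an empty group list. Change the loop header to `for group_dn in [ldap.dn.explode_dn(dn) for dn in user[0][1].get('memberOf', [])]:`. The username from argv goes through `filter_format`, so the LDAP filter itself is safe; the `== GROUP_BASEDN` string comparison assumes the server returns memberOf DNs in exactly the configured spelling (case and spacing), which is presumably true for DNs FreeIPA generates but deserves a comment such as `# exact-string DN compare: relies on FreeIPA emitting canonical memberOf values`.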
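Review bot: `${REMOTE_USER%@*}` removes whatever realm follows the `@` without checking that it is the IPA realm, so if mod_auth_gssapi ever accepts a principal from another realm (a trusted AD realm, for instance), `alice@OTHER.REALM` is collapsed onto the IPA user `alice` before gitolite does its authorization. While the GssapiLocalName workaround is in place, strip only the expected realm and refuse anything else: `case "$REMOTE_USER" in *@"$IPA_REALM") export REMOTE_USER=${REMOTE_USER%@*};; *@*) exit 1;; esac`, with `IPA_REALM` filled in by the template. Whether a foreign-realm principal can actually reach this CGI depends on the Apache configuration, which is not part of this diff, so treat this as defence in depth rather than a confirmed hole.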
diff --git a/roles/gitolite/templates/var/www/git/.gitolite.rc.j2 b/roles/gitolite/templates/var/www/git/.gitolite.rc.j2
new file mode 100644
index 0000000..b78ca08
--- /dev/null
+++ b/roles/gitolite/templates/var/www/git/.gitolite.rc.j2
@@ -0,0 +1,28 @@
+$ENV{PATH} .= ":{{ gitolite_home }}/bin";
+
+%RC = (
+ UMASK => 0027,
+ GIT_CONFIG_KEYS => '.*',
+ LOG_DEST => 'syslog',
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+ ENABLE => [
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+ 'D',
+ 'git-config',
+ 'gitweb',
+ 'set-default-roles',
+ 'upstream',
+ 'cgit',
+ ],
+ GROUPLIST_PGM => '{{ gitolite_groups_script }}',
+ HTTP_ANON_USER => '{{ gitolite_anon_user }}',
+);
+
+1;
diff --git a/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2 b/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2
new file mode 100644
index 0000000..7fc1d59
--- /dev/null
+++ b/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2
@@ -0,0 +1,11 @@
+repo gitolite-admin
+ RW+ = @{{ gitolite_admin_group }}
+
+repo CREATOR/[A-Za-z0-9/_-]+
+ C = @{{ gitolite_admin_group }} @{{ gitolite_access_group }}
+ RW+ = CREATOR
+ RW = WRITERS
+ R = READERS
+ option default.roles-1 = READERS @all
+ config gitweb.owner = %GL_CREATOR
+ config gitweb.category = user repositories |
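Review bot: `GIT_CONFIG_KEYS => '.*'` lets anyone who can push to gitolite-admin set any git config key on any repo, including keys such as `core.hooksPath` that make git execute attacker-chosen files as the gitolite user on the server; gitolite's own documentation flags `.*` as a security risk for exactly this reason, and it turns "can edit the access config" into "can run code on the git host". Restrict it to what this conf actually uses, e.g. `GIT_CONFIG_KEYS => 'gitweb\..* cgit\..*'`, and widen the allow-list per key when a real need appears. I cannot confirm from here whether the deployed gitolite version blocks `core.hooksPath` specifically, so the allow-list is the safer default either way.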
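Review bot: `option default.roles-1 = READERS @all` makes every newly created `CREATOR/...` repository readable by every gitolite user until its creator changes that with `perms`, and if gitolite's `@all` includes the special users as I recall, that extends to the `HTTP_ANON_USER` configured in `.gitolite.rc` wherever Apache lets unauthenticated requests reach the CGI. If repos should be private by default, drop `@all` or narrow it to `@{{ gitolite_access_group }}`; if open-by-default is intended, say so above the line, e.g. `# new user repos are readable by everyone (incl. the anon HTTP user) until the owner runs 'perms'`. The repo regex `[A-Za-z0-9/_-]+` excludes `.`, so `..` path components are not reachable; that is worth a short comment too so the character class is not loosened casually.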