aboutsummaryrefslogtreecommitdiffstats
path: root/roles/gitolite/templates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/gitolite/templates')
-rw-r--r--roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j24
-rw-r--r--roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j237
-rw-r--r--roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j242
-rw-r--r--roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j214
-rw-r--r--roles/gitolite/templates/var/www/git/.gitolite.rc.j228
-rw-r--r--roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j211
6 files changed, 136 insertions, 0 deletions
diff --git a/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2 b/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2
new file mode 100644
index 0000000..38da41f
--- /dev/null
+++ b/roles/gitolite/templates/etc/ssh/sshd_config.d/gitolite.conf.j2
@@ -0,0 +1,4 @@
+Match User {{ gitolite_ssh_user }}
+ AuthenticationMethods "publickey"
+ AuthorizedKeysCommand {{ gitolite_authorizedkeys_script }}
+ AuthorizedKeysCommandUser {{ gitolite_user }}
diff --git a/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2 b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2
new file mode 100644
index 0000000..23bfee9
--- /dev/null
+++ b/roles/gitolite/templates/usr/local/bin/gitolite-authorizedkeys.j2
@@ -0,0 +1,37 @@
+#!/usr/libexec/platform-python
+
+import os
+import ldap
+import ldap.sasl
+import ldap.filter
+
+GITOLITE_ACCESS_GROUP = '{{ gitolite_access_group }}'
+GITOLITE_ADMIN_GROUP = '{{ gitolite_admin_group }}'
+GITOLITE_SHELL = '{{ gitolite_shell }}'
+
+LDAP_URI = '{{ freeipa_ldap_uri }}'
+USER_BASEDN = '{{ freeipa_user_basedn }}'
+GROUP_BASEDN = '{{ freeipa_group_basedn }}'
+
+GITOLITE_KEY_TEMPLATE = 'command="{shell} {uid}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {pubkey}'
+
+os.environ['GSS_USE_PROXY'] = 'yes'
+conn = ldap.initialize(LDAP_URI)
+conn.protocol_version = ldap.VERSION3
+conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI'))
+
+filter = ldap.filter.filter_format(
+ '(&(ipaSshPubKey=*)(|(memberOf=cn=%s,%s)(memberOf=cn=%s,%s)))',
+ [GITOLITE_ADMIN_GROUP, GROUP_BASEDN, GITOLITE_ACCESS_GROUP, GROUP_BASEDN])
+
+results = conn.search_s(
+ USER_BASEDN,
+ ldap.SCOPE_SUBTREE,
+ filter,
+ ['uid', 'ipaSshPubKey'])
+
+for (dn, attributes) in results:
+ uid = attributes['uid'][0].decode('utf-8')
+ for pubkey in [pk.decode('utf-8') for pk in attributes['ipaSshPubKey']]:
+ if pubkey.startswith('ssh-'):
+ print(GITOLITE_KEY_TEMPLATE.format(shell=GITOLITE_SHELL, uid=uid, pubkey=pubkey))
diff --git a/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2 b/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2
new file mode 100644
index 0000000..2060620
--- /dev/null
+++ b/roles/gitolite/templates/usr/local/bin/gitolite-grouplist.j2
@@ -0,0 +1,42 @@
+#!/usr/libexec/platform-python
+
+import os
+import sys
+import ldap
+import ldap.sasl
+import ldap.filter
+
+LDAP_URI = '{{ freeipa_ldap_uri }}'
+USER_BASEDN = '{{ freeipa_user_basedn }}'
+GROUP_BASEDN = '{{ freeipa_group_basedn }}'
+
+if len(sys.argv) != 2:
+ sys.exit('must specify one username')
+
+if sys.argv[1] == 'nobody':
+ exit(0)
+
+os.environ['GSS_USE_PROXY'] = 'yes'
+conn = ldap.initialize(LDAP_URI)
+conn.protocol_version = ldap.VERSION3
+conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI'))
+
+user = conn.search_s(
+ USER_BASEDN,
+ ldap.SCOPE_SUBTREE,
+ ldap.filter.filter_format('uid=%s', [sys.argv[1]]),
+ ['memberOf'])
+
+if not user:
+ exit(1)
+
+groups = []
+
+for group_dn in [ldap.dn.explode_dn(dn) for dn in user[0][1]['memberOf']]:
+ if ','.join(group_dn[1:]) == GROUP_BASEDN:
+ rdn = ldap.dn.str2dn(group_dn[0])[0][0]
+ if rdn[0] == 'cn':
+ # replace whitespace with underscore
+ groups.append('_'.join(rdn[1].split()))
+
+print(' '.join(groups))
diff --git a/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2 b/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2
new file mode 100644
index 0000000..38dc426
--- /dev/null
+++ b/roles/gitolite/templates/var/www/cgi-bin/gitolite-wrapper.j2
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Strip realm from REMOTE_USER.
+# This is a hack around GssapiLocalName not working on RHEL 8:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1787630
+if [ -v REMOTE_USER ]; then
+ export REMOTE_USER=${REMOTE_USER%@*}
+fi
+
+export GIT_PROJECT_ROOT='{{ gitolite_home }}/repositories'
+export GITOLITE_HTTP_HOME='{{ gitolite_home }}'
+export GIT_HTTP_EXPORT_ALL=1
+
+exec {{ gitolite_shell }}
diff --git a/roles/gitolite/templates/var/www/git/.gitolite.rc.j2 b/roles/gitolite/templates/var/www/git/.gitolite.rc.j2
new file mode 100644
index 0000000..b78ca08
--- /dev/null
+++ b/roles/gitolite/templates/var/www/git/.gitolite.rc.j2
@@ -0,0 +1,28 @@
+$ENV{PATH} .= ":{{ gitolite_home }}/bin";
+
+%RC = (
+ UMASK => 0027,
+ GIT_CONFIG_KEYS => '.*',
+ LOG_DEST => 'syslog',
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+ ENABLE => [
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+ 'D',
+ 'git-config',
+ 'gitweb',
+ 'set-default-roles',
+ 'upstream',
+ 'cgit',
+ ],
+ GROUPLIST_PGM => '{{ gitolite_groups_script }}',
+ HTTP_ANON_USER => '{{ gitolite_anon_user }}',
+);
+
+1;
diff --git a/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2 b/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2
new file mode 100644
index 0000000..7fc1d59
--- /dev/null
+++ b/roles/gitolite/templates/var/www/git/.gitolite/conf/gitolite.conf.j2
@@ -0,0 +1,11 @@
+repo gitolite-admin
+ RW+ = @{{ gitolite_admin_group }}
+
+repo CREATOR/[A-Za-z0-9/_-]+
+ C = @{{ gitolite_admin_group }} @{{ gitolite_access_group }}
+ RW+ = CREATOR
+ RW = WRITERS
+ R = READERS
+ option default.roles-1 = READERS @all
+ config gitweb.owner = %GL_CREATOR
+ config gitweb.category = user repositories
generated by cgit (git 2.34.1) at 2024-09-19 17:22:42 -0400