- name: configure git repository
  hosts: git_servers
  tags: git
  roles:
    - role: common
      tags: common

    - role: gitolite
      tags: gitolite

    - role: archive_job
      archive_name: gitolite
      archive_user: '{{ gitolite_user }}'
      archive_shell: '{{ gitolite_archive_shell }}'
      tags: archive

    - role: cgit
      tags: cgit

    - role: apache_vhost
      apache_default_vhost: yes
      apache_document_root: '{{ cgit_static_dir }}'
      apache_config: |
        SetEnv "GIT_PROJECT_ROOT" "{{ gitolite_home }}/repositories"
        SetEnv "GIT_HTTP_EXPORT_ALL" "1"

        <LocationMatch "{{ git_backend_regex }}">
          AuthType GSSAPI
          AuthName "FreeIPA Single Sign-On"
          AuthLDAPUrl "{{ apache_ldap_url }}?krbprincipalname"
          {{ apache_ldap_creds }}
          <RequireAny>
            <RequireAll>
              Require ip {{ kerberized_cidrs | join(" ") }}
              <RequireAny>
                Require ldap-attribute memberof=cn={{ gitolite_access_group }},{{ freeipa_group_basedn }}
                Require ldap-attribute memberof=cn={{ gitolite_admin_group }},{{ freeipa_group_basedn }}
              </RequireAny>
            </RequireAll>
            <RequireAll>
              Require not ip {{ kerberized_cidrs | join(" ") }}
              Require all granted
            </RequireAll>
          </RequireAny>
        </LocationMatch>

        Alias /static "{{ cgit_static_dir }}"

        ScriptAliasMatch "{{ git_backend_regex }}" "{{ gitolite_cgi_script }}/$1"
        ScriptAlias "/" "{{ cgit_cgi_script }}/"
      vars:
        git_backend_regex: '(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$'
      tags: apache