diff --git a/roles/distgit/files/gitolite-suexec-wrapper.sh b/roles/distgit/files/gitolite-suexec-wrapper.sh
new file mode 100644
index 0000000000..eefe2c4108
--- /dev/null
+++ b/roles/distgit/files/gitolite-suexec-wrapper.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Suexec wrapper for gitolite-shell
+#
+
+export GIT_PROJECT_ROOT="/srv/git/repositories"
+export PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg
+export HOME=/srv/git
+export GITOLITE_HTTP_HOME=/srv/git
+
+# Hacky workaround because we set ScriptAlias more specific
+export PATH_INFO="$SCRIPT_URL"
+
+if [ -z "$REMOTE_USER" ];
+then
+ # Fall back to default user
+ export REMOTE_USER="anonymous"
+fi
+
+exec /usr/share/gitolite3/gitolite-shell
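Review bot: The `if [ -z "$REMOTE_USER" ]` fallback makes every request that Apache let through without a token reach gitolite as user `anonymous`, so on any path where the httpd config does not itself demand the push scope, gitolite's ACL for `anonymous` is the only thing between an unauthenticated client and `git-receive-pack`; that deserves a comment at the fallback, e.g. `# Unauthenticated requests run as "anonymous": gitolite.conf must grant this user R at most, never W.` The whole block can also be one line, `export REMOTE_USER="${REMOTE_USER:-anonymous}"`. `PATH_INFO` is copied from `SCRIPT_URL`, which is presumably set by httpd (mod_rewrite's SCRIPT_URL variable); if it is ever unset gitolite-shell gets an empty path, so failing early with `: "${SCRIPT_URL:?SCRIPT_URL not set by httpd}"` would give a clearer error than whatever gitolite prints.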
diff --git a/roles/distgit/files/httppush.conf b/roles/distgit/files/httppush.conf
new file mode 100644
index 0000000000..f4a118deaf
--- /dev/null
+++ b/roles/distgit/files/httppush.conf
@@ -0,0 +1,32 @@
+SetEnv GIT_PROJECT_ROOT /srv/git/repositories
+
+AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
+AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
+
+
+ AuthType oauth20
+ Require all granted
+
+
+ AuthType oauth20
+ Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+
+
+
+
+ Require all granted
+
+
+ AuthType oauth20
+ Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
+
+
+
+SuexecUserGroup pagure packager
+
+ScriptAliasMatch \
+ "(?x)^/(.*/(HEAD | \
+ info/refs | \
+ objects/info/[^/]+ | \
+ git-(upload|receive)-pack))$" \
+ /var/www/bin/gitolite-suexec-wrapper.sh/
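Review bot: The two `Require claims_expr` lines use jq's `index` on `.scope`, which on a string is a substring search rather than a membership test: if the introspection endpoint returns `scope` as the space-separated string RFC 7662 describes, a token scoped to, say, `https://src.fedoraproject.org/push-other` would also satisfy the check. If `scope` arrives as a string, split it first, `Require claims_expr '(.scope | split(" ") | index("https://src.fedoraproject.org/push") != null)'`; if it is a JSON array, `index` is an exact element match and a comment saying so would spare the next reader the same question. Separately, the two `AliasMatch` lines serve loose objects and packfiles directly from `/srv/git/repositories`, bypassing gitolite's read ACL for any repository the httpd user can read; unless one of the surrounding Location blocks (their tags appear to have been stripped in this rendering) covers those paths, that is anonymous dumb-protocol read access to every repository, and the file should state whether that is intended.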
diff --git a/roles/distgit/pagure/templates/z_pagure.conf b/roles/distgit/pagure/templates/z_pagure.conf
index 4c390130ad..c958a895ed 100644
--- a/roles/distgit/pagure/templates/z_pagure.conf
+++ b/roles/distgit/pagure/templates/z_pagure.conf
@@ -19,7 +19,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
Alias /static /usr/lib/python2.7/site-packages/pagure/static/
Alias /grokmirror /srv/git/grokmirror
-
+{% if env != "staging" %}
SetEnv GIT_PROJECT_ROOT /srv/git/repositories
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
@@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
objects/info/[^/]+ | \
git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1
-
+{% endif %}
WSGIProcessGroup pagureproc
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 40c66d53b4..30ad1015e5 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -31,6 +31,30 @@
- distgit
when: env == "staging"
+- name: install the http push configuration
+ copy: src=htpppush.conf dest=/etc/httpd/conf.d/htppush.conf
+ notify:
+ - reload httpd
+ tags:
+ - distgit
+ when: env == "staging"
+
+- name: Create suexec wrapper directory
+ file: path=/var/www/bin state=directory owner=pagure group=packager
+ tags:
+ - distgit
+ when: env == "staging"
+
+- name: Install suexec wrapper
+ copy:
+ src=gitolite-suexec-wrapper.sh
+ dest=/var/www/bin/gitolite-suexec-wrapper.sh
+ owner=pagure
+ group=packager
+ tags:
+ - distgit
+ when: env == "staging"
+
- name: Put in git service config
copy: src=git@.service dest=/etc/systemd/system/git@.service
tags:
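Review bot: The first new task copies `src=htpppush.conf` to `dest=/etc/httpd/conf.d/htppush.conf`, but the file this commit adds is `httppush.conf`, so the task will fail with a missing source, and the destination name is misspelled differently again; both should read `copy: src=httppush.conf dest=/etc/httpd/conf.d/httppush.conf`. The suexec wrapper copy sets owner and group but no `mode`, so the installed script gets the umask default (typically 0644) and is not executable, and suexec additionally refuses a target or its directory when either is group- or world-writable; add `mode=0755` to both the wrapper task and the `/var/www/bin` directory task rather than relying on defaults. A one-line comment that `owner=pagure group=packager` must match `SuexecUserGroup pagure packager` in httppush.conf would tie the two files together for whoever changes one of them.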
diff --git a/roles/distgit/templates/auth_openidc.conf b/roles/distgit/templates/auth_openidc.conf
index ffd564e9ab..22513d160f 100644
--- a/roles/distgit/templates/auth_openidc.conf
+++ b/roles/distgit/templates/auth_openidc.conf
@@ -9,4 +9,4 @@ OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthIntrospectionEndpointMethod POST
OIDCOAuthTokenIntrospectionInterval 60
OIDCOAuthSSLValidateServer On
-OIDCOAuthAcceptTokenAs basic
+OIDCOAuthAcceptTokenAs header