Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

distgit: Update the gitolite.rc file to Gitolite3

Browse source
This commit is contained in:
Mathieu Bridon 2014-12-15 18:38:24 +01:00 committed by Mathieu Bridon
parent fc1554c967
commit 08d6bc634f
3 changed files with 137 additions and 169 deletions
Download patch file Download diff file Expand all files Collapse all files

1
roles/distgit/files/genacls.sh
View file

@ -1,7 +1,6 @@
#!/bin/sh
TEMPDIR=`mktemp -d -p /var/tmp genacls.XXXXX`
export GL_RC=/etc/gitolite/gitolite.rc
export GL_BINDIR=/usr/bin
cd $TEMPDIR

298
roles/distgit/files/gitolite.rc
View file

@ -1,229 +1,191 @@
# paths and configuration variables for gitolite
# configuration variables for gitolite
# please read comments before editing
# This file is in perl syntax. But you do NOT need to know perl to edit it --
# just mind the commas, use single quotes unless you know what you're doing,
# and make sure the brackets and braces stay matched up!
# this file is meant to be pulled into a perl program using "do" or "require".
# (Tip: perl allows a comma after the last item in a list also!)
# You do NOT need to know perl to edit the paths; it should be fairly
# self-explanatory and easy to maintain perl syntax :-)
# HELP for commands can be had by running the command with "-h".
# --------------------------------------
# Do not uncomment these values unless you know what you're doing
# $GL_PACKAGE_CONF = "";
# $GL_PACKAGE_HOOKS = "";
# HELP for all the other FEATURES can be found in the documentation (look for
# "list of non-core programs shipped with gitolite" in the master index) or
# directly in the corresponding source file.
# --------------------------------------
%RC = (
# --------------------------------------
# ------------------------------------------------------------------
# this is where the repos go. If you provide a relative path (not starting
# with "/"), it's relative to your $HOME. You may want to put in something
# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
# example
# default umask gives you perms of '0700'; see the rc file docs for
# how/why you might change this
UMASK => 0077,
$REPO_BASE="/srv/git/rpms/";
# look for "git-config" in the documentation
GIT_CONFIG_KEYS => '',
# the default umask for repositories is 0077; change this if you run stuff
# like gitweb and find it can't read the repos. Please note the syntax; the
# leading 0 is required
# comment out if you don't need all the extra detail in the logfile
LOG_EXTRA => 1,
# syslog options
# 1. leave this section as is for normal gitolite logging
# 2. uncomment this line to log only to syslog:
LOG_DEST => 'syslog',
# 3. uncomment this line to log to syslog and the normal gitolite log:
# LOG_DEST => 'syslog,normal',
$REPO_UMASK = 0002;
# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
# $REPO_UMASK = 0022; # gets you 'rwxr-xr-x'
# roles. add more roles (like MANAGER, TESTER, ...) here.
# WARNING: if you make changes to this hash, you MUST run 'gitolite
# compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
ROLES => {
READERS => 1,
WRITERS => 1,
},
# part of the setup of gitweb is a variable called $projects_list (please see
# gitweb documentation for more on this). Set this to the same value:
# enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
# CACHE => 'Redis',
$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
# ------------------------------------------------------------------
# --------------------------------------
# rc variables used by various features
# I see no reason anyone may want to change the gitolite admin directory, but
# feel free to do so. However, please note that it *must* be an *absolute*
# path (i.e., starting with a "/" character)
# the 'info' command prints this as additional info, if it is set
# SITE_INFO => 'Please see http://blahblah/gitolite for more help',
# gitolite admin directory, files, etc
# the CpuTime feature uses these
# display user, system, and elapsed times to user after each git operation
# DISPLAY_CPU_TIME => 1,
# display a warning if total CPU times (u, s, cu, cs) crosses this limit
# CPU_TIME_WARN_LIMIT => 0.1,
$GL_ADMINDIR="/etc/gitolite";
# the Mirroring feature needs this
# HOSTNAME => "foo",
# --------------------------------------
# TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
# CACHE_TTL => 600,
# templates for location of the log files and format of their names
# ------------------------------------------------------------------
# I prefer this template (note the %y and %m placeholders)
# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`
# suggested locations for site-local gitolite code (see cust.html)
$GL_LOGT="/var/log/gitolite/gitolite-%y-%m.log";
# this one is managed directly on the server
# LOCAL_CODE => "$ENV{HOME}/local",
# other choices are below, or you can make your own -- but PLEASE MAKE SURE
# the directory exists and is writable; gitolite won't do that for you (unless
# it is the default, which is "$GL_ADMINDIR/logs")
# or you can use this, which lets you put everything in a subdirectory
# called "local" in your gitolite-admin repo. For a SECURITY WARNING
# on this, see http://gitolite.com/gitolite/non-core.html#pushcode
# LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";
# ------------------------------------------------------------------
# --------------------------------------
# List of commands and features to enable
# Please DO NOT change these three paths
ENABLE => [
$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
$GL_KEYDIR="$GL_ADMINDIR/keydir";
$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
# COMMANDS
# --------------------------------------
# These are the commands enabled by default
'help',
'desc',
'info',
'perms',
'writable',
# if git on your server is on a standard path (that is
# ssh git@server git --version
# works), leave this setting as is. Otherwise, choose one of the
# alternatives, or write your own
# Uncomment or add new commands here.
# 'create',
# 'fork',
# 'mirror',
# 'readme',
# 'sskm',
# 'D',
$GIT_PATH="";
# $GIT_PATH="/opt/bin/";
# These FEATURES are enabled by default.
# --------------------------------------
# essential (unless you're using smart-http mode)
'ssh-authkeys',
# ----------------------------------------------------------------------
# BIG CONFIG SETTINGS
# creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
'git-config',
# Please read doc/big-config.mkd for details
# creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
# 'daemon',
$GL_BIG_CONFIG = 1;
$GL_NO_DAEMON_NO_GITWEB = 1;
$GL_NO_CREATE_REPOS = 1;
$GL_NO_SETUP_AUTHKEYS = 1;
# creates projects.list file; if you don't use gitweb, comment this out
# 'gitweb',
# These FEATURES are disabled by default; uncomment to enable. If you
# need to add new ones, ask on the mailing list :-)
# ----------------------------------------------------------------------
# SECURITY SENSITIVE SETTINGS
#
# Settings below this point may have security implications. That
# usually means that I have not thought hard enough about all the
# possible ways to crack security if these settings are enabled.
# user-visible behaviour
# Please see details on each setting for specifics, if any.
# ----------------------------------------------------------------------
# prevent wild repos auto-create on fetch/clone
# 'no-create-on-read',
# no auto-create at all (don't forget to enable the 'create' command!)
'no-auto-create',
# access a repo by another (possibly legacy) name
# 'Alias',
# give some users direct shell access. See documentation in
# sts.html for details on the following two choices.
# "Shell $ENV{HOME}/.gitolite.shell-users",
# 'Shell alice bob',
# --------------------------------------
# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
#
# Gitolite allows you to set git repo options using the "config" keyword; see
# conf/example.conf for details and syntax.
#
# However, if you are in an installation where the repo admin does not (and
# should not) have shell access to the server, then allowing him to set
# arbitrary repo config options *may* be a security risk -- some config
# settings may allow executing arbitrary commands.
#
# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
# completely disables this feature (meaning you cannot set git configs from
# the repo config).
# set default roles from lines like 'option default.roles-1 = ...', etc.
# 'set-default-roles',
$GL_GITCONFIG_KEYS = "";
# show more detailed messages on deny
# 'expand-deny-messages',
# The second choice is to give it a space separated list of settings you
# consider safe. (These are actually treated as a set of regular expression
# patterns, and any one of them must match). For example:
# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
# allows repo admins to set one of those 3 config keys (yes, that second
# pattern matches two settings from "man git-config", if you look)
#
# The third choice (which you may have guessed already if you're familiar with
# regular expressions) is to allow anything and everything:
# $GL_GITCONFIG_KEYS = ".*";
# show a message of the day
# 'Motd',
# --------------------------------------
# EXTERNAL COMMAND HELPER -- HTPASSWD
# system admin stuff
# security note: runs an external command (htpasswd) with specific arguments,
# including a user-chosen "password".
# enable mirroring (don't forget to set the HOSTNAME too!)
# 'Mirroring',
# if you want to enable the "htpasswd" command, give this the absolute path to
# whatever file apache (etc) expect to find the passwords in.
# allow people to submit pub files with more than one key in them
# 'ssh-authkeys-split',
$HTPASSWD_FILE = "";
# selective read control hack
# 'partial-copy',
# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
# for more details on using this feature.
# manage local, gitolite-controlled, copies of read-only upstream repos
# 'upstream',
# --------------------------------------
# EXTERNAL COMMAND HELPER -- RSYNC
# updates 'description' file instead of 'gitweb.description' config item
'cgit',
# security note: runs an external command (rsync) with specific arguments, all
# presumably filled in correctly by the client-side rsync.
# allow repo-specific hooks to be added
'repo-specific-hooks',
# base path of all the files that are accessible via rsync. Must be an
# absolute path. Leave it undefined or set to the empty string to disable the
# rsync helper.
# performance, logging, monitoring...
$RSYNC_BASE = "";
# be nice
# 'renice 10',
# $RSYNC_BASE = "/home/git/up-down";
# $RSYNC_BASE = "/tmp/up-down";
# log CPU times (user, system, cumulative user, cumulative system)
# 'CpuTime',
# --------------------------------------
# EXTERNAL COMMAND HELPER -- SVNSERVE
# syntactic_sugar for gitolite.conf and included files
# security note: runs an external command (svnserve) with specific arguments,
# as specified below. %u is substituted with the username.
# allow backslash-escaped continuation lines in gitolite.conf
# 'continuation-lines',
# This setting allows launching svnserve when requested by the ssh client.
# This allows using the same SSH setup (hostname/username/public key) for both
# SVN and git access. Leave it undefined or set to the empty string to disable
# svnserve access.
# create implicit user groups from directory names in keydir/
# 'keysubdirs-as-groups',
$SVNSERVE = "";
# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
# allow simple line-oriented macros
# 'macros',
# --------------------------------------
# ALLOW REPO CONFIG TO USE WILDCARDS
# Kindergarten mode
# security note: this used to in a separate "wildrepos" branch. You can
# create repositories based on wild cards, give "ownership" to the specific
# user who created it, allow him/her to hand out R and RW permissions to other
# users to collaborate, etc. This is powerful stuff, and I've made it as
# secure as I can, but it hasn't had the kind of rigorous line-by-line
# analysis that the old "master" branch had.
# disallow various things that sensible people shouldn't be doing anyway
# 'Kindergarten',
],
# This has now been rolled into master, with all the functionality gated by
# this variable. Set this to 1 if you want to enable the wildrepos features.
# Please see doc/4-wildcard-repositories.mkd for details.
);
$GL_WILDREPOS = 0;
# --------------------------------------
# DEFAULT WILDCARD PERMISSIONS
# If set, this value will be used as the default user-level permission rule of
# new wildcard repositories. The user can change this value with the setperms command
# as desired after repository creation; it is only a default. Note that @all can be
# used here but is special; no other groups can be used in user-level permissions.
# $GL_WILDREPOS_DEFPERMS = 'R = @all';
# --------------------------------------
# HOOK CHAINING
# by default, the update hook in every repo chains to "update.secondary".
# Similarly, the post-update hook in the admin repo chains to
# "post-update.secondary". If you're fine with the defaults, there's no need
# to do anything here. However, if you want to use different names or paths,
# change these variables
# $UPDATE_CHAINS_TO = "hooks/update.secondary";
# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
# --------------------------------------
# ADMIN DEFINED COMMANDS
# WARNING: Use this feature only if (a) you really really know what you're
# doing or (b) you really don't care too much about security. Please read
# doc/admin-defined-commands.mkd for details.
# $GL_ADC_PATH = "";
# --------------------------------------
# ------------------------------------------------------------------------------
# per perl rules, this should be the last line in such a file:
1;

7
roles/distgit/tasks/main.yml
View file

@ -112,6 +112,13 @@
- config
- distgit
- name: Create the gitolite.rc symlink
command: ln -s /etc/gitolite/gitolite.rc /srv/git/.gitolite.rc
creates=/srv/git/.gitolite.rc
tags:
- config
- distgit
- name: Create the gitolite configuration symlink
command: ln -s /etc/gitolite/ /srv/git/.gitolite
creates=/srv/git/.gitolite