From 08d6bc634f55589628aed6fc046b1674645af9f8 Mon Sep 17 00:00:00 2001
From: Mathieu Bridon
Date: Mon, 15 Dec 2014 18:38:24 +0100
Subject: [PATCH] distgit: Update the gitolite.rc file to Gitolite3

---
roles/distgit/files/genacls.sh | 1 -
roles/distgit/files/gitolite.rc | 298 ++++++++++++++------------------
roles/distgit/tasks/main.yml | 7 +
3 files changed, 137 insertions(+), 169 deletions(-)

diff --git a/roles/distgit/files/genacls.sh b/roles/distgit/files/genacls.sh
index 8473e6647a..0df8df005c 100644
--- a/roles/distgit/files/genacls.sh
+++ b/roles/distgit/files/genacls.sh
@@ -1,7 +1,6 @@
 #!/bin/sh
 TEMPDIR=`mktemp -d -p /var/tmp genacls.XXXXX`
-export GL_RC=/etc/gitolite/gitolite.rc
 export GL_BINDIR=/usr/bin
 cd $TEMPDIR
diff --git a/roles/distgit/files/gitolite.rc b/roles/distgit/files/gitolite.rc
index 03149e3ce5..d24a901f08 100644
--- a/roles/distgit/files/gitolite.rc
+++ b/roles/distgit/files/gitolite.rc
@@ -1,229 +1,191 @@ -# paths and configuration variables for gitolite +# configuration variables for gitolite -# please read comments before editing +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! -# this file is meant to be pulled into a perl program using "do" or "require". +# (Tip: perl allows a comma after the last item in a list also!) -# You do NOT need to know perl to edit the paths; it should be fairly -# self-explanatory and easy to maintain perl syntax :-) +# HELP for commands can be had by running the command with "-h". -# -------------------------------------- -# Do not uncomment these values unless you know what you're doing -# $GL_PACKAGE_CONF = ""; -# $GL_PACKAGE_HOOKS = ""; +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. -# -------------------------------------- +%RC = ( -# -------------------------------------- + # ------------------------------------------------------------------ -# this is where the repos go. If you provide a relative path (not starting -# with "/"), it's relative to your $HOME. You may want to put in something -# like "/bigdisk" or whatever if your $HOME is too small for the repos, for -# example + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0077, -$REPO_BASE="/srv/git/rpms/"; + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => '', -# the default umask for repositories is 0077; change this if you run stuff -# like gitweb and find it can't read the repos. Please note the syntax; the -# leading 0 is required + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # syslog options + # 1. 
leave this section as is for normal gitolite logging + # 2. uncomment this line to log only to syslog: + LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', -$REPO_UMASK = 0002; -# $REPO_UMASK = 0027; # gets you 'rwxr-x---' -# $REPO_UMASK = 0022; # gets you 'rwxr-xr-x' + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, -# part of the setup of gitweb is a variable called $projects_list (please see -# gitweb documentation for more on this). Set this to the same value: + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! + # CACHE => 'Redis', -$PROJECTS_LIST = $ENV{HOME} . "/projects.list"; + # ------------------------------------------------------------------ -# -------------------------------------- + # rc variables used by various features -# I see no reason anyone may want to change the gitolite admin directory, but -# feel free to do so. However, please note that it *must* be an *absolute* -# path (i.e., starting with a "/" character) + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', -# gitolite admin directory, files, etc + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, -$GL_ADMINDIR="/etc/gitolite"; + # the Mirroring feature needs this + # HOSTNAME => "foo", -# -------------------------------------- + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! 
+ # CACHE_TTL => 600, -# templates for location of the log files and format of their names + # ------------------------------------------------------------------ -# I prefer this template (note the %y and %m placeholders) -# it produces files like `~/.gitolite/logs/gitolite-2009-09.log` + # suggested locations for site-local gitolite code (see cust.html) -$GL_LOGT="/var/log/gitolite/gitolite-%y-%m.log"; + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", -# other choices are below, or you can make your own -- but PLEASE MAKE SURE -# the directory exists and is writable; gitolite won't do that for you (unless -# it is the default, which is "$GL_ADMINDIR/logs") + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", -# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log"; -# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log"; + # ------------------------------------------------------------------ -# -------------------------------------- + # List of commands and features to enable -# Please DO NOT change these three paths + ENABLE => [ -$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf"; -$GL_KEYDIR="$GL_ADMINDIR/keydir"; -$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm"; + # COMMANDS -# -------------------------------------- + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', -# if git on your server is on a standard path (that is -# ssh git@server git --version -# works), leave this setting as is. Otherwise, choose one of the -# alternatives, or write your own + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + # 'D', -$GIT_PATH=""; -# $GIT_PATH="/opt/bin/"; + # These FEATURES are enabled by default. 
-# -------------------------------------- + # essential (unless you're using smart-http mode) + 'ssh-authkeys', -# ---------------------------------------------------------------------- -# BIG CONFIG SETTINGS + # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', -# Please read doc/big-config.mkd for details + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + # 'daemon', -$GL_BIG_CONFIG = 1; -$GL_NO_DAEMON_NO_GITWEB = 1; -$GL_NO_CREATE_REPOS = 1; -$GL_NO_SETUP_AUTHKEYS = 1; + # creates projects.list file; if you don't use gitweb, comment this out + # 'gitweb', + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) -# ---------------------------------------------------------------------- -# SECURITY SENSITIVE SETTINGS -# -# Settings below this point may have security implications. That -# usually means that I have not thought hard enough about all the -# possible ways to crack security if these settings are enabled. + # user-visible behaviour -# Please see details on each setting for specifics, if any. -# ---------------------------------------------------------------------- + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + 'no-auto-create', + # access a repo by another (possibly legacy) name + # 'Alias', + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', -# -------------------------------------- -# ALLOW REPO ADMIN TO SET GITCONFIG KEYS -# -# Gitolite allows you to set git repo options using the "config" keyword; see -# conf/example.conf for details and syntax. 
-# -# However, if you are in an installation where the repo admin does not (and -# should not) have shell access to the server, then allowing him to set -# arbitrary repo config options *may* be a security risk -- some config -# settings may allow executing arbitrary commands. -# -# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which -# completely disables this feature (meaning you cannot set git configs from -# the repo config). + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', -$GL_GITCONFIG_KEYS = ""; + # show more detailed messages on deny + # 'expand-deny-messages', -# The second choice is to give it a space separated list of settings you -# consider safe. (These are actually treated as a set of regular expression -# patterns, and any one of them must match). For example: -# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression"; -# allows repo admins to set one of those 3 config keys (yes, that second -# pattern matches two settings from "man git-config", if you look) -# -# The third choice (which you may have guessed already if you're familiar with -# regular expressions) is to allow anything and everything: -# $GL_GITCONFIG_KEYS = ".*"; + # show a message of the day + # 'Motd', -# -------------------------------------- -# EXTERNAL COMMAND HELPER -- HTPASSWD + # system admin stuff -# security note: runs an external command (htpasswd) with specific arguments, -# including a user-chosen "password". + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', -# if you want to enable the "htpasswd" command, give this the absolute path to -# whatever file apache (etc) expect to find the passwords in. 
+ # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', -$HTPASSWD_FILE = ""; + # selective read control hack + # 'partial-copy', -# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section) -# for more details on using this feature. + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', -# -------------------------------------- -# EXTERNAL COMMAND HELPER -- RSYNC + # updates 'description' file instead of 'gitweb.description' config item + 'cgit', -# security note: runs an external command (rsync) with specific arguments, all -# presumably filled in correctly by the client-side rsync. + # allow repo-specific hooks to be added + 'repo-specific-hooks', -# base path of all the files that are accessible via rsync. Must be an -# absolute path. Leave it undefined or set to the empty string to disable the -# rsync helper. + # performance, logging, monitoring... -$RSYNC_BASE = ""; + # be nice + # 'renice 10', -# $RSYNC_BASE = "/home/git/up-down"; -# $RSYNC_BASE = "/tmp/up-down"; + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', -# -------------------------------------- -# EXTERNAL COMMAND HELPER -- SVNSERVE + # syntactic_sugar for gitolite.conf and included files -# security note: runs an external command (svnserve) with specific arguments, -# as specified below. %u is substituted with the username. + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', -# This setting allows launching svnserve when requested by the ssh client. -# This allows using the same SSH setup (hostname/username/public key) for both -# SVN and git access. Leave it undefined or set to the empty string to disable -# svnserve access. 
+ # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', -$SVNSERVE = ""; -# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u"; + # allow simple line-oriented macros + # 'macros', -# -------------------------------------- -# ALLOW REPO CONFIG TO USE WILDCARDS + # Kindergarten mode -# security note: this used to in a separate "wildrepos" branch. You can -# create repositories based on wild cards, give "ownership" to the specific -# user who created it, allow him/her to hand out R and RW permissions to other -# users to collaborate, etc. This is powerful stuff, and I've made it as -# secure as I can, but it hasn't had the kind of rigorous line-by-line -# analysis that the old "master" branch had. + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], -# This has now been rolled into master, with all the functionality gated by -# this variable. Set this to 1 if you want to enable the wildrepos features. -# Please see doc/4-wildcard-repositories.mkd for details. +); -$GL_WILDREPOS = 0; - -# -------------------------------------- -# DEFAULT WILDCARD PERMISSIONS - -# If set, this value will be used as the default user-level permission rule of -# new wildcard repositories. The user can change this value with the setperms command -# as desired after repository creation; it is only a default. Note that @all can be -# used here but is special; no other groups can be used in user-level permissions. - -# $GL_WILDREPOS_DEFPERMS = 'R = @all'; - -# -------------------------------------- -# HOOK CHAINING - -# by default, the update hook in every repo chains to "update.secondary". -# Similarly, the post-update hook in the admin repo chains to -# "post-update.secondary". If you're fine with the defaults, there's no need -# to do anything here. 
However, if you want to use different names or paths, -# change these variables - -# $UPDATE_CHAINS_TO = "hooks/update.secondary"; -# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; - -# -------------------------------------- -# ADMIN DEFINED COMMANDS - -# WARNING: Use this feature only if (a) you really really know what you're -# doing or (b) you really don't care too much about security. Please read -# doc/admin-defined-commands.mkd for details. - -# $GL_ADC_PATH = ""; - -# -------------------------------------- +# ------------------------------------------------------------------------------ # per perl rules, this should be the last line in such a file: 1; diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 39486a762e..2fa0f6f423 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -112,6 +112,13 @@ - config - distgit +- name: Create the gitolite.rc symlink + command: ln -s /etc/gitolite/gitolite.rc /srv/git/.gitolite.rc + creates=/srv/git/.gitolite.rc + tags: + - config + - distgit + - name: Create the gitolite configuration symlink command: ln -s /etc/gitolite/ /srv/git/.gitolite creates=/srv/git/.gitolite
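Review bot: The new ENABLE list turns on `'ssh-authkeys',` (the entry commented "essential (unless you're using smart-http mode)") while the old side had `$GL_NO_SETUP_AUTHKEYS = 1;`, so after this change gitolite will start rewriting the gitolite user's ~/.ssh/authorized_keys from keydir on every compile, which the previous configuration deliberately switched off. If distgit's authorized_keys is still produced by something else, that entry should be commented out like 'daemon' and 'gitweb' are, or the commit message should say why gitolite now owns that file. Two further settings changed silently: `UMASK => 0077,` replaces `$REPO_UMASK = 0002;`, so newly created repositories will no longer be readable by any other account (the old comment mentions gitweb needing to read them, and 'cgit' is enabled below), and the old `$REPO_BASE="/srv/git/rpms/";` has no counterpart in %RC, so gitolite3 will presumably fall back to its default repositories directory under the gitolite user's $HOME. If I recall correctly the gitolite3 key is `GL_REPO_BASE => '/srv/git/rpms',` and it belongs in this hash; please confirm against the gitolite3 rc documentation, and add a one-line comment above UMASK recording why 0077 is acceptable here (or keep 0002).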
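Review bot: The added task uses `command: ln -s /etc/gitolite/gitolite.rc /srv/git/.gitolite.rc` guarded by `creates=/srv/git/.gitolite.rc`, which is skipped whenever anything exists at that path, so a stale link pointing elsewhere or a leftover regular file is never corrected and such a host would silently keep running an older rc. The `file` module states the intent idempotently and repairs a wrong target: `file: src=/etc/gitolite/gitolite.rc dest=/srv/git/.gitolite.rc state=link`. The neighbouring "Create the gitolite configuration symlink" task has the same shape, but it is pre-existing context and only partly visible in this hunk. Since the link target is Perl that gitolite loads and executes as the /srv/git user, it is also worth checking that the task installing /etc/gitolite/gitolite.rc (outside this hunk) pins owner and mode so the file is not writable by other accounts.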