mode 0o2775
end
-git "/var/lib/chef" do
- action :checkout
- repository node[:chef][:repository]
- revision "master"
- user "chefrepo"
- group "chefrepo"
-end
+%w[public private].each do |repository|
+ repository_directory = node[:chef][:"#{repository}_repository"]
-directory "/var/lib/chef/.chef" do
- owner "chefrepo"
- group "chefrepo"
- mode 0o2775
-end
+ git "/var/lib/chef/#{repository}" do
+ action :checkout
+ repository repository_directory
+ revision "master"
+ user "chefrepo"
+ group "chefrepo"
+ end
-file "/var/lib/chef/.chef/client.pem" do
- content keys["git"].join("\n")
- owner "chefrepo"
- group "chefrepo"
- mode 0o660
-end
+ directory "/var/lib/chef/#{repository}/.chef" do
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o2775
+ end
-cookbook_file "/var/lib/chef/.chef/knife.rb" do
- source "knife.rb"
- owner "chefrepo"
- group "chefrepo"
- mode 0o660
-end
+ file "/var/lib/chef/#{repository}/.chef/client.pem" do
+ content keys["git"].join("\n")
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o660
+ end
-template "#{node[:chef][:repository]}/hooks/post-receive" do
- source "post-receive.erb"
- owner "chefrepo"
- group "chefrepo"
- mode 0o750
-end
+ cookbook_file "/var/lib/chef/#{repository}/.chef/knife.rb" do
+ source "knife.rb"
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o660
+ end
-template "/etc/cron.daily/chef-repository-backup" do
- source "repository-backup.cron.erb"
- owner "root"
- group "root"
- mode 0o755
+ template "#{repository_directory}/hooks/post-receive" do
+ source "post-receive.erb"
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o750
+ variables :repository => repository
+ end
end
subscribes :restart, "systemd_service[chef-server]"
end
-git_allowed = search(:node, node[:git][:allowed_nodes]).collect do |n|
- n.ipaddresses(:role => :external)
-end.flatten
-
apache_module "alias"
apache_module "proxy_http"
apache_site "chef.openstreetmap.org" do
template "apache.erb"
- variables :git_allowed => git_allowed
end
template "/etc/cron.daily/chef-server-backup" do
ProxyPassMatch ^/.*\.git/ !
ProxyPass / https://<%= node[:fqdn] %>:4443/
ProxyPreserveHost on
-
- SetEnv GIT_PROJECT_ROOT /var/lib/git
- SetEnv GIT_HTTP_EXPORT_ALL
- ScriptAlias / /usr/lib/git-core/git-http-backend/
</VirtualHost>
-
-<Directory /usr/lib/git-core>
- Options ExecCGI
- Require ip <%= @git_allowed.sort.join(" ") %>
-</Directory>
do
if [[ "$refname" = "refs/heads/master" ]]
then
- cd /var/lib/chef
+ cd /var/lib/chef/<%= @repository %>
rm -f cookbooks/*/metadata.json(N)
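Review bot: The rewritten `cd /var/lib/chef/<%= @repository %>` is unchecked, so if that checkout is missing (first converge, or a bad attribute) the hook carries on in the bare repository's working directory and the following `rm -f cookbooks/*/metadata.json(N)` and whatever comes after run against the wrong tree; make it `cd /var/lib/chef/<%= @repository %> || exit 1`. `@repository` is interpolated unquoted into a shell command, which is only safe because the recipe passes it from the fixed `%w[public private]` list — a one-line comment in the template recording that assumption would stop a later caller from passing an arbitrary path. The `while read` loop this sits in starts and ends outside the hunk.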
+++ /dev/null
-#!/bin/sh
-
-T=$(mktemp -d -t -p /var/tmp chef-repository.XXXXXXXXXX)
-D=$(date +%Y-%m-%d)
-B=chef-repository-$D.tar.gz
-
-ln -s /var/lib/git/chef.git $T/chef-repository-$D
-
-export GZIP="--rsyncable -9"
-
-nice tar --create --gzip --dereference --directory=$T --file=$T/$B chef-repository-$D
-nice rsync --preallocate --fuzzy $T/$B backup::backup
-
-rm -rf $T
if [ ! -d .git ]
then
- git clone /var/lib/git/dns.git /var/lib/dns
+ git clone /var/lib/git/public/dns.git /var/lib/dns
fi
git pull -q
default[:git][:directory] = "/var/lib/git"
-default[:git][:user] = "git"
-default[:git][:group] = "git"
+default[:git][:public_user] = "git"
+default[:git][:public_group] = "git"
+default[:git][:private_user] = "git"
+default[:git][:private_group] = "git"
long_description IO.read(File.join(File.dirname(__FILE__), "README.md"))
version "1.0.0"
supports "ubuntu"
-depends "networking"
-depends "xinetd"
depends "apache"
+depends "networking"
#
include_recipe "networking"
-include_recipe "xinetd"
git_directory = node[:git][:directory]
directory git_directory do
- owner node[:git][:user]
- group node[:git][:group]
+ owner "root"
+ group "root"
+ mode 0o775
+end
+
+directory "#{git_directory}/public" do
+ owner node[:git][:public_user]
+ group node[:git][:public_group]
mode 0o2775
end
-if node[:git][:allowed_nodes]
- search(:node, node[:git][:allowed_nodes]).sort_by { |n| n[:fqdn] }.each do |n|
- n.interfaces(:role => :external).each do |interface|
- firewall_rule "accept-git" do
- action :accept
- family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
- dest "fw"
- proto "tcp:syn"
- dest_ports "git"
- source_ports "1024:"
- end
- end
- end
-else
- firewall_rule "accept-git" do
- action :accept
- source "net"
- dest "fw"
- proto "tcp:syn"
- dest_ports "git"
- source_ports "1024:"
- end
+directory "#{git_directory}/private" do
+ owner node[:git][:private_user]
+ group node[:git][:private_group]
+ mode 0o2775
end
-Dir.new(git_directory).select { |name| name =~ /\.git$/ }.each do |repository|
- template "#{git_directory}/#{repository}/hooks/post-update" do
+Dir.glob("#{git_directory}/*/*.git").each do |repository|
+ template "#{repository}/hooks/post-update" do
source "post-update.erb"
owner "root"
group node[:git][:group]
mode 0o755
end
-
- next unless node[:recipes].include?("trac") && repository != "dns.git" && repository != "chef.git"
-
- template "#{git_directory}/#{repository}/hooks/post-receive" do
- source "post-receive.erb"
- owner "root"
- group node[:git][:group]
- mode 0o755
- variables :repository => "#{git_directory}/#{repository}"
- end
end
template "/etc/cron.daily/git-backup" do
group "root"
mode 0o755
end
-
-template "/etc/xinetd.d/git" do
- source "xinetd.erb"
- owner "root"
- group "root"
- mode 0o644
- notifies :reload, "service[xinetd]"
-end
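Review bot: `directory "#{git_directory}/private"` is created with `mode 0o2775`, so the tree that holds the private chef repository is readable and traversable by every local account, and this same diff adds `role[git]` — with its git-shell users such as `bretth` and `lonvia` — to the run_list that carries `role[chef-repository]`, so those accounts now sit on the host with the private repository; unless the repositories underneath are locked down elsewhere, `mode 0o2770` on the private directory would keep it to `private_user`/`private_group` while leaving `public` as is. Separately, the post-update hook resource still says `group node[:git][:group]`, but this diff replaces that attribute with `public_group`/`private_group`, so it now evaluates to nil; derive it from the repository's parent directory, e.g. `group node[:git][:"#{File.basename(File.dirname(repository))}_group"]`. A short comment on the `Dir.glob` noting that it runs at compile time, so hooks for a repository created during the same run only appear on the next run, would also help.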
apache_module "rewrite"
-git_directory = node[:git][:directory]
+git_site = node[:git][:host]
template "/etc/gitweb.conf" do
source "gitweb.conf.erb"
mode 0o644
end
-ssl_certificate node[:git][:host] do
- domains [node[:git][:host]] + Array(node[:git][:aliases])
- notifies :reload, "service[apache2]"
-end
-
-apache_site node[:git][:host] do
- template "apache.erb"
- directory git_directory
- variables :aliases => Array(node[:git][:aliases])
+directory "/srv/#{git_site}" do
+ owner "root"
+ group "root"
+ mode 0o755
end
-template "#{git_directory}/robots.txt" do
+template "/srv/#{git_site}/robots.txt" do
source "robots.txt.erb"
owner "root"
group "root"
mode 0o644
end
+
+ssl_certificate git_site do
+ domains [git_site] + Array(node[:git][:aliases])
+ notifies :reload, "service[apache2]"
+end
+
+private_allowed = search(:node, node[:git][:private_nodes]).collect do |n|
+ n.ipaddresses(:role => :external)
+end.flatten
+
+apache_site git_site do
+ template "apache.erb"
+ directory "/srv/#{git_site}"
+ variables :aliases => Array(node[:git][:aliases]),
+ :private_allowed => private_allowed
+end
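Review bot: `search(:node, node[:git][:private_nodes])` assumes the attribute is set, but in this diff only the chef-repository role defines `:private_nodes`; on a host carrying just `role[git]` the search receives nil, which depending on the Chef version either raises or is treated as an unconstrained query, and in the latter case `private_allowed` would contain every node's external address and be handed to the `/private` allowlist. Guard it explicitly, e.g. `private_allowed = node[:git][:private_nodes] ? search(:node, node[:git][:private_nodes]).flat_map { |n| n.ipaddresses(:role => :external) } : []`, and have the template fail closed on an empty list rather than emitting a bare `Require ip`. A comment that `private_allowed` is the only thing gating HTTPS access to the private tree (the vhost sets `GIT_HTTP_EXPORT_ALL`, so nothing else withholds those repositories) would make the dependency clear to the next reader.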
CustomLog /var/log/apache2/<%= @name %>-access.log combined
ErrorLog /var/log/apache2/<%= @name %>-error.log
- DocumentRoot <%= @directory %>
- HeaderName HEADER
+ SetEnv GIT_PROJECT_ROOT /var/lib/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+
+ ScriptAlias /public /usr/lib/git-core/git-http-backend/public
+ ScriptAlias /private /usr/lib/git-core/git-http-backend/private
Alias /gitweb /usr/share/gitweb
Alias /git /var/cache/git
- ScriptAlias /gitweb.cgi /usr/lib/cgi-bin/gitweb.cgi
+ ScriptAlias / /usr/lib/cgi-bin/gitweb.cgi/
+
+ <Location />
+ Require all granted
+ </Location>
- RewriteEngine On
- RewriteRule ^/$ /gitweb.cgi%{REQUEST_URI} [L,PT]
- RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb.cgi%{REQUEST_URI} [L,PT]
+ <Location /private>
+ Require ip <%= @private_allowed.sort.join(" ") %>
+ </Location>
</VirtualHost>
-<Directory <%= @directory %>>
- Require all granted
+<Directory /usr/lib/git-core>
+ Options ExecCGI
</Directory>
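Review bot: `Require ip <%= @private_allowed.sort.join(" ") %>` renders as `Require ip` with no argument when the allowlist is empty, which is a configuration error that stops apache from reloading rather than a clean denial; the template should fail closed instead. Because `SetEnv GIT_HTTP_EXPORT_ALL` exports every repository under `/var/lib/git`, this `<Location /private>` block is the sole control on the private tree and it is source-address based only, which deserves a comment in the template so nobody later relaxes it or adds another alias into that path; gitweb's `$projectroot` is pointed at `public` in another file, so listing there should be unaffected, but that is worth confirming rather than assuming.
```erb
  <Location /private>
<% if @private_allowed.empty? -%>
    Require all denied
<% else -%>
    Require ip <%= @private_allowed.sort.join(" ") %>
<% end -%>
  </Location>
```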
T=$(mktemp -d -t -p /var/tmp git.XXXXXXXXXX)
D=$(date +%Y-%m-%d)
-B=<%= node[:git][:backup] %>-$D.tar.gz
+B=git-$D.tar.gz
ln -s /var/lib/git $T/git-$D
# DO NOT EDIT - This file is being maintained by Chef
# path to git projects (<project>.git)
-$projectroot = "<%= node[:git][:directory] %>";
+$projectroot = "<%= node[:git][:directory] %>/public";
# directory to use for temp files
$git_temp = "/tmp";
$feature{'pathinfo'}{'default'} = [1];
# define roots for cloning
-@git_base_url_list = qw(git://<%= node[:git][:host] %>);
+@git_base_url_list = qw(https://<%= node[:git][:host] %>/public);
+++ /dev/null
-#!/bin/zsh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-while read oldrev newrev refname
-do
- if [[ "$refname" = "refs/heads/master" ]]
- then
- for rev in $(git rev-list ${oldrev}..${newrev})
- do
- sudo -u trac /usr/bin/trac-admin /var/lib/trac changeset added "<%= @repository %>" "${rev}"
- done
- fi
-done
+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-service git
-{
- disable = no
- socket_type = stream
- wait = no
- user = nobody
- server = /usr/lib/git-core/git-daemon
- server_args = --base-path=<%= node[:git][:directory] %> --export-all --syslog --inetd --verbose
- log_on_failure += USERID
- flags = ipv6
-}
}
},
:chef => {
- :repository => "/var/lib/git/chef.git"
+ :public_repository => "/var/lib/git/public/chef.git",
+ :private_repository => "/var/lib/git/private/chef.git"
}
)
default_attributes(
:dns => {
- :repository => "/var/lib/git/dns.git"
+ :repository => "/var/lib/git/public/dns.git"
}
)
default_attributes(
:accounts => {
:users => {
+ :bretth => {
+ :status => :user,
+ :shell => "/usr/bin/git-shell"
+ },
:lonvia => {
:status => :user,
:shell => "/usr/bin/git-shell"
},
:git => {
:host => "git.openstreetmap.org",
- :aliases => ["git.osm.org"],
- :backup => "git"
+ :aliases => ["git.osm.org"]
}
)
default_attributes(
:git => {
- :allowed_nodes => "fqdn:*",
- :user => "chefrepo",
- :group => "chefrepo",
- :backup => "chef-git"
+ :private_user => "chefrepo",
+ :private_group => "chefrepo",
+ :private_nodes => "fqdn:*"
},
:networking => {
:interfaces => {
"role[chef-server]",
"role[chef-repository]",
"role[letsencrypt]",
- "recipe[git::server]",
+ "role[git]",
+ "role[dns]",
"recipe[serverinfo]"
)
description "Master role applied to shenron"
default_attributes(
- :accounts => {
- :users => {
- :bretth => {
- :status => :user,
- :shell => "/usr/bin/git-shell"
- }
- }
- },
:apache => {
:mpm => "event",
:event => {
"role[bytemark]",
"role[mail]",
"role[lists]",
- "role[git]",
"role[subversion]",
"role[trac]",
"role[osqa]",
"role[irc]",
- "role[dns]",
"role[geodns]",
- "role[chef-repository]",
"recipe[blogs]",
"recipe[openvpn]"
)