Enable https access to private git repositories

diff --git a/cookbooks/chef/recipes/server.rb b/cookbooks/chef/recipes/server.rb
index 12c43840a1774913567bdf113f21b82b024319d4..9581b1a56e625f97b1f5f582960fea024093f4b3 100644 (file)
--- a/cookbooks/chef/recipes/server.rb
+++ b/cookbooks/chef/recipes/server.rb
@@ -84,6 +84,10 @@ service "chef-server" do
   subscribes :restart, "systemd_service[chef-server]"
 end
 
+git_allowed = search(:node, node[:git][:allowed_nodes]).collect do |n|
+  n.ipaddresses(:role => :external)
+end.flatten
+
 apache_module "alias"
 apache_module "proxy_http"
 
@@ -95,6 +99,7 @@ end
 
 apache_site "chef.openstreetmap.org" do
   template "apache.erb"
+  variables :git_allowed => git_allowed
 end
 
 template "/etc/cron.daily/chef-server-backup" do

diff --git a/cookbooks/chef/templates/default/apache.erb b/cookbooks/chef/templates/default/apache.erb
index 88684b82c4ca7d2221be4d32d3b1973efff1c768..4f57bba7de7ca2d6844cba5a076082803216fb9f 100644 (file)
--- a/cookbooks/chef/templates/default/apache.erb
+++ b/cookbooks/chef/templates/default/apache.erb
@@ -19,11 +19,18 @@
        CustomLog /var/log/apache2/chef.openstreetmap.org-access.log combined
        ErrorLog /var/log/apache2/chef.openstreetmap.org-error.log
 
+       DocumentRoot /var/lib/git
+
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/certs/chef.openstreetmap.org.pem
        SSLCertificateKeyFile /etc/ssl/private/chef.openstreetmap.org.key
 
+       ProxyPassMatch ^/.*\.git/ !
        ProxyPass / https://<%= node[:fqdn] %>:4443/
        ProxyPreserveHost on
 </VirtualHost>
+
+<Directory /var/lib/git>
+       Require ip <%= @git_allowed.sort.join(" ") %>
+</Directory>