Diffstat (limited to 'roles/git/tasks')
-rw-r--r-- | roles/git/tasks/cgit.yml | 137 | ||||
-rw-r--r-- | roles/git/tasks/gitolite.yml | 10 | ||||
-rw-r--r-- | roles/git/tasks/main.yml | 6 |
3 files changed, 94 insertions, 59 deletions
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index a8be1fc..120f204 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -1,111 +1,144 @@ - name: Install cgit - apt: pkg={{ item }} - with_items: + apt: pkg={{ packages }} + vars: + packages: - cgit - highlight - - uwsgi + - fcgiwrap + +- name: Stop and disable fcgiwrap socket + service: name=fcgiwrap.socket state=stopped enabled=false + +- name: Stop fcgiwrap service + service: name=fcgiwrap.service state=stopped - name: Configure cgit copy: src=etc/cgitrc dest=/etc/cgitrc owner=root group=root mode=0644 - register: r1 notify: - - Restart uWSGI + - Stop cgit - name: Copy /usr/lib/cgit/filters/syntax-highlighting2.sh copy: src=usr/lib/cgit/filters/syntax-highlighting2.sh dest=/usr/lib/cgit/filters/syntax-highlighting2.sh owner=root group=root mode=0755 - register: r2 notify: - - Restart uWSGI + - Stop cgit -- name: Create a user 'cgit' - user: name=cgit system=yes - home=/var/www +- name: Create '_cgit' user + user: name=_cgit system=yes + group=nogroup + home=/nonexistent shell=/usr/sbin/nologin password=! state=present - register: r3 notify: - - Restart uWSGI + - Stop cgit -- name: Create /etc/uwsgi/apps-available/{cgit,git-http-backend}.ini - copy: src=etc/uwsgi/apps-available/{{ item }}.ini - dest=/etc/uwsgi/apps-available/{{ item }}.ini +# Make it sticky: `dpkg-statoverride --add _cgit nogroup 0700 /var/cache/cgit` +- name: Create cache directory /var/cache/cgit + file: path=/var/cache/cgit + state=directory + owner=_cgit group=nogroup + mode=0700 + +- name: Copy cgit service unit + copy: src=etc/systemd/system/cgit.service + dest=/etc/systemd/system/cgit.service owner=root group=root mode=0644 - register: r4 - with_items: - - cgit - - git-http-backend notify: - - Restart uWSGI + - systemctl daemon-reload + - Stop cgit -- name: Create /etc/uwsgi/apps-enabled/{cgit,git-http-backend}.ini - file: src=../apps-available/{{ item }}.ini - dest=/etc/uwsgi/apps-enabled/{{ item }}.ini +- name: Copy cgit socket unit + copy: src=etc/systemd/system/cgit.socket + dest=/etc/systemd/system/cgit.socket owner=root group=root - state=link 
force=yes - register: r5 - with_items: - - cgit - - git-http-backend + mode=0644 notify: - - Restart uWSGI + - systemctl daemon-reload + - Restart cgit -- name: Start uWSGI - service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) +- name: Disable cgit service + service: name=cgit.service enabled=false + +- name: Start cgit socket + service: name=cgit.socket state=started enabled=true - meta: flush_handlers -- name: Add 'cgit' & 'www-data' to the group 'gitolite' - user: name={{ item }} groups=gitolite append=yes - with_items: - # for the cgit interface - - cgit - # for pulls over HTTP/HTTPS - - www-data +- name: Copy git-http-backend service unit + copy: src=etc/systemd/system/git-http-backend.service + dest=/etc/systemd/system/git-http-backend.service + owner=root group=root + mode=0644 + notify: + - systemctl daemon-reload + - Stop git-http-backend -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/git.fripost.org.pem - --privkey=/etc/nginx/ssl/git.fripost.org.key - --ou=WWW --cn=git.fripost.org --dns=git.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 +- name: Copy git-http-backend socket unit + copy: src=etc/systemd/system/git-http-backend.socket + dest=/etc/systemd/system/git-http-backend.socket + owner=root group=root + mode=0644 notify: - - Restart Nginx - tags: - - genkey + - systemctl daemon-reload + - Restart git-http-backend + +- name: Disable git-http-backend service + service: name=git-http-backend.service enabled=false + +- name: Start git-http-backend socket + service: name=git-http-backend.socket state=started enabled=true + +- meta: flush_handlers + - name: Copy /etc/nginx/sites-available/git copy: src=etc/nginx/sites-available/git dest=/etc/nginx/sites-available/git owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx - name: 
Create /etc/nginx/sites-enabled/git file: src=../sites-available/git dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes + register: r2 + notify: + - Restart Nginx + +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 register: r3 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers + +- name: Fetch Nginx's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509 -noout -pubkey" + stdin=/etc/nginx/ssl/git.fripost.org.pem + dest=certs/public/git.fripost.org.pub + tags: + - genkey diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml index 5cbce23..e7d1fe3 100644 --- a/roles/git/tasks/gitolite.yml +++ b/roles/git/tasks/gitolite.yml 
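Review bot: The `Copy HPKP header snippet` task can never create or update the snippet: `validate=/bin/false` runs whenever the rendered template differs from `dest`, which includes a fresh host where the file does not exist yet, so the first run fails there (and, if I read Ansible's copy module right, it fails with "validate must contain %s" rather than a validation error, because the command has no `%s`). If the intent is "never change an existing pin", that belongs in a guard rather than in `validate` — a `stat` of the dest registered as `hpkp` and `when: not hpkp.stat.exists` on the template task, with `validate` dropped; if the intent really is "fail loudly whenever the rendered pin set differs", write it as `validate='/bin/false %s'` and say so in the comment (which also has "pined" for "pinned"). The `# Make it sticky: dpkg-statoverride ...` comment above the cache-directory task is a manual step the role does not perform, so the `_cgit`/0700 ownership of `/var/cache/cgit` can be reverted by a package upgrade if the cgit package ships that path; a `command` task that adds the override when `dpkg-statoverride --list /var/cache/cgit` reports none would make it part of the role. Minor: `become: False` on the fetch task is the only capitalised boolean in the file; `false` matches the `enabled=false` used everywhere else.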
@@ -9,28 +9,28 @@ password=* state=present - name: Create directory ~gitolite/.ssh file: path=/var/lib/gitolite/.ssh state=directory owner=gitolite group=gitolite mode=0700 - name: Create /var/lib/gitolite/projects.list file: path=/var/lib/gitolite/projects.list owner=gitolite group=gitolite mode=0644 # See /usr/share/doc/gitolite3/README.txt.gz for gitolite initiation or # migration. # sudo -u gitolite gitolite setup -pk /path/to/id_rsa - name: Configure gitolite lineinfile: dest=/var/lib/gitolite/.gitolite.rc - "regexp=^(\\s*{{ item.var }}\\s*=>\\s*)" - "line= {{ item.var }} => {{ item.value }}," + regexp='^(\\s*{{ item.var }}\\s*=>\\s*)' + line=' {{ item.var }} => {{ item.value }},' owner=root group=root mode=0644 with_items: - # See /usr/share/doc/gitolite3/README.txt.gz - - { var: UMASK, value: "0027" } - - { var: GIT_CONFIG_KEYS, value: "'gitweb\\..* gc\\..*'" } + # See /usr/share/doc/gitolite3/README.markdown.gz + - { var: UMASK, value: "0027" } + - { var: GIT_CONFIG_KEYS, value: "'gitweb\\..* gc\\..* hook\\..*'" } diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index da9f876..f65824e 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -1,2 +1,4 @@ -- include: gitolite.yml tags=gitolite -- include: cgit.yml tags=cgit +- import_tasks: gitolite.yml + tags: gitolite +- import_tasks: cgit.yml + tags: cgit |
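Review bot: The widened whitelist `- { var: GIT_CONFIG_KEYS, value: "'gitweb\\..* gc\\..* hook\\..*'" }` has no comment saying what consumes `hook.*`, yet every pattern in GIT_CONFIG_KEYS is a git config key that can be set on any repo from `config` lines in gitolite.conf, i.e. by gitolite-admin committers, so a reader cannot judge what the new class of keys may trigger. I would add above the item `# hook\..*: read by <the trigger/hook that consumes it>; anything listed here is settable from gitolite-admin`, naming the actual consumer. Separately, the `lineinfile:` task keeps its arguments as one key=value string, so the plain YAML scalar carries `\\s` literally and, as far as I can tell, it is Ansible's key=value parser that reduces it to `\s` before the regex engine sees it, which is easy to get wrong on the next edit; block-style arguments — `regexp: '^(\s*{{ item.var }}\s*=>\s*)'` and `line: ' {{ item.var }} => {{ item.value }},'` — carry the pattern literally and are what current Ansible style asks for. The task that the `password=* state=present` context line belongs to starts before this hunk.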